Susp_Dropper (Kaspersky), Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bce5185cd6bcfb15ea413b2870904564
SHA1: fe60dcb09257e2fbc85cc08508bef11e1536bab5
SHA256: 9739e06e111c6f213e67517a0d3cf14c40695b57073d5c01814c1bcce6670c74
SSDeep: 24576:23MMjuiZd4rfbCbg2acawU9txGoF6BhBsYSUNMuITpwTZaqdiXSp0c02uFG6dAk8:2Ng7txKBPeUzBTZaqdwk0c05HGi JJ7
Size: 2351104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-09-02 15:15:09
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:3404
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (0 bytes)
Registry activity
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePrefix" = ":2017032220170323:"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
f803ad370a8649a143429f179af5f3ab | c:\dc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ??????????????
Product Name: ??????????????
Product Version: 4.4.0.0
Legal Copyright: ??????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.4.0.0
File Description: ??????????????
Comments: ??????????????
Language: Chinese (Simplified, PRC)
Company Name: ??????????????Product Name: ??????????????Product Version: 4.4.0.0Legal Copyright: ??????????????Legal Trademarks: Original Filename: Internal Name: File Version: 4.4.0.0File Description: ??????????????Comments: ??????????????Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 970229 | 970752 | 4.52493 | 882e1d6a4d0017a9879d47b74c0635e7 |
.rdata | 974848 | 1249212 | 1249280 | 5.16012 | 5fcf6c33b35812e3412d866b620faa03 |
.data | 2224128 | 365898 | 90112 | 3.54456 | e90c0ce56c63695ac986b82f08626ee2 |
.rsrc | 2592768 | 32960 | 36864 | 3.55108 | 37ff9cd91594fbeb59b4863ab563a374 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ad.51pc114.cn/setup/a.html | 122.228.204.12 |
hxxp://ad.51pc114.cn/setup/ssxczgg2269.txt | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/ssggd.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/ssxs11.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/mcgg.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/ssxs12.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/ssxs13.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/gjgg.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/ad/ssxszgg1.htm | 122.228.204.12 |
hxxp://ad.51pc114.cn/setup/ssxsz.htm | 122.228.204.12 |
hxxp://js.users.51.la/19059730.js | 42.236.74.247 |
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1522895/tongji.js | 47.89.65.199 |
hxxp://ad.51pc114.cn/ad/mcgg456.htm | 122.228.204.12 |
hxxp://popup.jointreport-switch.com/close.php?uid=1130 | 115.238.244.82 |
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1435675/tongji.js | 47.89.65.199 |
hxxp://grp1.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 | |
hxxp://js.users.51.la/4473463.js | 42.236.74.247 |
hxxp://web.users.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 | 42.236.74.234 |
hxxp://123.51pc114.cn/ad/ssxszgg1.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/ad/ssxs11.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/ad/ssggd.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/ad/gjgg.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/ad/mcgg.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/setup/ssxsz.htm | 122.228.204.12 |
hxxp://js.tongji.linezing.com/1435675/tongji.js | 47.89.65.199 |
hxxp://123.51pc114.cn/ad/ssxs12.htm | 122.228.204.12 |
hxxp://ad.7532.com/ad/mcgg456.htm | 122.228.204.12 |
hxxp://123.51pc114.cn/ad/ssxs13.htm | 122.228.204.12 |
hxxp://js.tongji.linezing.com/1522895/tongji.js | 47.89.65.199 |
u291014.778669.com | 122.225.96.73 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ad/ssxs13.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 508
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm
Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT
Accept-Ranges: bytes
ETag: "e0a720ef1c28d11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>....<............................</body>..</html>..HTTP/1.1 200 OK..Content-Length: 508..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm..Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT..Accept-Ranges: bytes..ETag: "e0a720ef1c28d11:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>....<............................</body>..</html>....
<<< skipped >>>
GET /close.php?uid=1130 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs12.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: popup.jointreport-switch.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: tengine
Date: Wed, 22 Mar 2017 01:07:57 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache, must-revalidate
Set-Cookie: lgPTN20963270664410=0; expires=Wed, 22-Mar-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com
222f..(function() {.. var popUrl = 'hXXp://popup.jointreport-switch.com/jointreport_process.php?ap=MjE2Mnw1ODhlMWM3OTA4ZWQ1YzliM2FmZmY0MGQ4Zjg2YzAwZWZkNw==';.. var lgUnionPushUrl = CrazyInitUrl(popUrl);.. function CrazyInitUrl(urls){.. var sf=0,sc=0,ol='',sd=0;.. var ae = function(p) {.. v = false;.. document.write('<SCRIPT LANGUAGE=VBScript>\n on error resume next \n v = IsObject(CreateObject("' p '"))<\/SCRIPT>\n');.. if(v){.. return '1';.. }else{.. return '0';.. }.. };.. var af = function(p) {.. var m = '';.. for (var i=0; i < navigator.mimeTypes.length; i ){.. m = navigator.mimeTypes[i].type.toLowerCase();.. }.. v = '0';.. if (m.indexOf(p) != -1){.. if (navigator.mimeTypes[p].enabledPlugin != null) v = '1';.. }.. return v;.. };.. var __dm = (navigator.appName.indexOf("Netscape") != -1);.. var __di = (navigator.userAgent.toLowerCase().indexOf("msie") != -1);.. var __dw = ((navigator.userAgent.toLowerCase().indexOf("win")!=-1) || (navigator.userAgent.toLowerCase().indexOf("32bit")!=-1));.. if(__dw && __di) sf = ae("ShockwaveFlash.ShockwaveFlash.1");.. if(!__dw || __dm) fs = af("application/x-shockwave-flash");.. if(navigator.appName=="Netscape"){.. ol = navigator.language.substr(0,2);.. }else{..
<<< skipped >>>
GET /setup/ssxczgg2269.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ad.51pc114.cn
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Length: 4435
Content-Type: text/html
Server: IIS
Date: Wed, 22 Mar 2017 01:07:39 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>................</title>..<style type="text/css">..<!--..BODY {.PADDING-RIGHT: 0px; PADDING-LEFT: 35px; BACKGROUND: url(/images/photoback.gif) repeat-x left top; PADDING-BOTTOM: 0px; MARGIN: 0px; FONT: 12px Arial, Helvetica, sans-serif; COLOR: #333; PADDING-TOP: 35px}..A {.COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #de1d6a}...hidehr {DISPLAY: none}...show12 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show13 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show12 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2px; BORDER-BOTTOM: #bfdeed 1px solid; HEIGHT: 16px}...show13 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2p
<<< skipped >>>
GET /setup/a.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: ad.51pc114.cn
HTTP/1.1 200 OK
Content-Length: 45
Content-Type: text/html
Content-Location: hXXp://ad.51pc114.cn/setup/a.html
Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT
Accept-Ranges: bytes
ETag: "3efdd9d93cadcf1:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:39 GMT
[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]HTTP/1.1 200 OK..Content-Length: 45..Content-Type: text/html..Content-Location: hXXp://ad.51pc114.cn/setup/a.html..Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT..Accept-Ranges: bytes..ETag: "3efdd9d93cadcf1:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:39 GMT..[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]..
GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 22 Mar 2017 01:08:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Tue, 21 Mar 2017 08:28:00 GMT
Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/
Cache-control: private
HTTP/1.1 200 OK..Date: Wed, 22 Mar 2017 01:08:00 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 0..Content-Type: text/html..Expires: Tue, 21 Mar 2017 08:28:00 GMT..Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/..Cache-control: private..
GET /19059730.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT
Accept-Ranges: bytes
ETag: "c1c17cc13c97d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Wed, 22 Mar 2017 01:07:58 GMT
Content-Length: 972
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~......]~|..7N..:..TK(..-....G..g....[4..........4k.j.}w..%..$...v.V...T.:.6..z..._....U.4k..;..iUV5.....2.,......j."[..}....m..*.../.^h.u./...]^>.W.....y..i.....~......Q..V..`...d:....b..j....../X...p.i...@E.vZUo.|... ......j.....g.;..._e.y....~..........nw>.s.....-..g.uY..=v..[.S..-...2g.n.fw....;w>..f..S....q..o.E.o.c.....'..|......s..3..>....G.._..'.G.....v.0..*j..|.V....u[......~Tj.3"F.J..b.*ut......e...X .;TR.>.w....WK.}d~.s.K..M4....o...........j.....=.$rt. .4D..m.Z....$. _...?.sK....JPX..H.hu~.KL.v.UK...R7.s.>..eV,.kR.....4k..x...~.1i.|2^7y..n...Y..=..b..._H..]..[a...p.....V.l>k....eN.l.l..33.....s...;w?.......1..?...u..@PeuU...'......... .5.m...p.s.....oV..%....3..M.o..v..Z.[.....".,...-..L5}8...............S..B...HTTP/1.1 200 OK..Content-Type: application/javascript..Content-Encoding: gzip..Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT..Accept-Ranges: bytes..ETag: "c1c17cc13c97d21:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/8.5..Date: Wed, 22 Mar 2017 01:07:58 GMT..Content-Length: 972...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~...
<<< skipped >>>
GET /ad/ssxs12.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1283
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs12.htm
Last-Modified: Fri, 09 Dec 2016 13:25:51 GMT
Accept-Ranges: bytes
ETag: "aa9133c31f52d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>......................<script language='javascript'>..// ..................html............var random = {...ad_num : 3,...init : function(){....n = (Math.floor(Math.random()*random.ad_num 1));....switch(n){.....case 1:......document.writeln('<script src=\"http:\/\/p.rhgw.net\/code\/popjs.asp?pid=258920\" charset=\"gb2312\"><\/script>');.....break;.....case 2:......document.writeln('<script type=\"text\/javascript\" src=\"http:\/\/popup.jointreport-switch.com\/close.php?uid=1130\"><\/script>');.....break;.....case 3:......document.writeln('<script language=\"javascript\" src=\"http:\/\/u291014.778669.com\/fclose.php?id=180495\"><\/script>');.....break;....}...}..}..random.init();..</script>....<script language="javascript" src="hXXp://u291014.778669.com/fclose.php?id=152695"></script>..........</body>..</html>..t>....
<<< skipped >>>
GET /setup/ssxsz.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/setup/ssxsz.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 3
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm
Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT
Accept-Ranges: bytes
ETag: "e46a71be9b98d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
5.2HTTP/1.1 200 OK..Content-Length: 3..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm..Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT..Accept-Ranges: bytes..ETag: "e46a71be9b98d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..5.2..
GET /1522895/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxszgg1.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive
HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: 2f59411814901448766361688e
HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]..Age: 0..X-Cache: MISS TCP_MISS dirn:-2:-2..X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT..X-Swift-CacheTime: 1..Timing-Allow-Origin: *..EagleId: 2f59411814901448766361688e..
GET /ad/ssggd.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/ad/ssggd.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 106
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm
Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT
Accept-Ranges: bytes
ETag: "147f493a2f68d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
................................................4.9............................,..........................HTTP/1.1 200 OK..Content-Length: 106..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm..Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT..Accept-Ranges: bytes..ETag: "147f493a2f68d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:41 GMT..................................................4.9............................,..............................
GET /ad/ssxs11.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 825
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs11.htm
Last-Modified: Mon, 16 Jan 2017 15:57:20 GMT
Accept-Ranges: bytes
ETag: "070cb371170d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>..............................<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/19059730.js"></script>..<noscript><a href="hXXp://VVV.51.la/?19059730" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/19059730.asp" style="border:none" /></a></noscript>....</body>..</html>......
GET /ad/mcgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 75
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/mcgg.htm
Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT
Accept-Ranges: bytes
ETag: "8222f3642bce1:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
<meta HTTP-EQUIV=REFRESH CONTENT="0;URL=hXXp://ad.7532.com/ad/mcgg456.htm">....
GET /ad/ssxszgg1.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 2915
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxszgg1.htm
Last-Modified: Fri, 06 Jan 2017 15:12:34 GMT
Accept-Ranges: bytes
ETag: "8c63f64e2f68d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>.. <br />..<font size="2" color="red"><a href="hXXp://url.cn/OGLodN" target="_blank">................28..................:</a></font><font size="2" color="red">..<br />..<font size="2" color="blue"><a href="hXXp://km.7532.com" target="_blank">............1-3........1........10..4..................1-10......................7532......</a></font><font size="2" color="blue"><br />..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#0000ff"><strong>..<br />........................................4.9............................,..........................</strong></a>..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#ff0000"><strong>........<br />..<br />..1........................,....................<br />..2.................................................................</strong></a>....<br />....<br />..
<<< skipped >>>
GET /1435675/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive
HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:38 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: 2f59410314901448775867203e
HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]..Age: 0..
GET /4473463.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1872
Content-Type: application/x-javascript
Last-Modified: Tue, 07 Mar 2017 03:16:45 GMT
Accept-Ranges: bytes
ETag: "6cedff3ff196d21:5590"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 22 Mar 2017 01:07:36 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?4473463" target="_blank" title="51.La 网站流量统计系统">网站统计</a>\n');..var a3463tf="51la";var a3463pu="";var a3463pf="51la";var a3463su=window.location;var a3463sf=document.referrer;var a3463of="";var a3463op="";var a3463ops=1;var a3463ot=1;var a3463d=new Date();var a3463color="";if (navigator.appName=="Netscape"){a3463color=screen.pixelDepth;} else {a3463color=screen.colorDepth;}..try{a3463tf=top.document.referrer;}catch(e){}..try{a3463pu =window.parent.location;}catch(e){}..try{a3463pf=window.parent.document.referrer;}catch(e){}..try{a3463ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3463ops=(a3463ops==null)?1: (parseInt(unescape((a3463ops)[2])) 1);var a3463oe =new Date();a3463oe.setTime(a3463oe.getTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a3463ops ";path=/;expires=" a3463oe.toGMTString();a3463ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3463ot==null){a3463ot=1;}else{a3463ot=parseInt(unescape((a3463ot)[2])); a3463ot=(a3463ops==1)?(a3463ot 1):(a3463ot);}a3463oe.setTime(a3463oe.getTime() 365*24*60*60*1000);document.cookie="AJSTAT_ok_times=" a3463ot ";path=/;expires=" a3463oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a3463ops=-1;a3463ot=-1;}}catch(e){}..a3463of=a3463sf;if(a3463pf!=="51la"){a3463of=a3463pf;}if(a3463tf!=="51la"){a3463of=a3463tf;}a3463op=a3463pu;try{lainframe}catch(e){a3463op=a3463
<<< skipped >>>
GET /ad/gjgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 15198
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/gjgg.htm
Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT
Accept-Ranges: bytes
ETag: "8228749e62cbd11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>..<body>......<table width="250" border="0">..<tr>..<tr>..<tr>..<tr>.. <td class="STYLE2"> <span class="STYLE1"><a href="hXXp://VVV.7532.com/" target="_blank" style="color:#FE0000;" onMouseOver="this.style.color='#FE0000';" onMouseOut="this.style.color='#FE0000';">......QQ......................</a></span></td>.. <td><span class="STYLE2">[<span class="STYLE1">........
<<< skipped >>>
GET /ad/mcgg456.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.7532.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 4406
Content-Type: text/html
Content-Location: hXXp://ad.7532.com/ad/mcgg456.htm
Last-Modified: Wed, 02 Mar 2016 05:01:52 GMT
Accept-Ranges: bytes
ETag: "a8b4a0a24074d11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:44 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}..body,td,th {...font-size: 12px;..}...STYLE2 {color: #FF0000}..-->..</style>..</head>..<html>..<body>........<table width="494" border="0" cellpadding="0" cellspacing="0">.. <!--DWLayoutTable-->.. <tr>.. <td width="494" height="708" align="left" valign="top"><table width="236" height="221">.. <tr> <tr>.... </tr>....<tr>.. <tr>.. <td height="14" align="left" valign="middle"><a href="http://shop107817006.taobao.com" target="_blank" style="color:#FF00FF;" onmouseover="this.style.color='#FF00FF';" onmouseout="this.style.color='#FF00FF';">........................</a></td>.. <td height="14"><span class="STYLE1">[........]</span></td>.. </tr>..<tr>.. <td height="14" align="left" valign="middle"><a href="hXXp://down.cncpa.net:9000/mmliao/MM-liao8869.exe" target="_blank" style="color:#2222f0;" onMouseOver="this.style.color='#2222f0F';" onMouseOut="this.style.co
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_3404:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
}?9\$0~9
}?9\$0~9
u$SShe
u$SShe
iu2.iu
iu2.iu
dc.dll
dc.dll
ole32.dll
ole32.dll
kernel32.dll
kernel32.dll
wininet.dll
wininet.dll
SkinH_EL.dll
SkinH_EL.dll
advapi32.dll
advapi32.dll
user32.dll
user32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ReportError
ReportError
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
WebBrowser
WebBrowser
hXXp://VVV.7532.com/forum-49-1.html
hXXp://VVV.7532.com/forum-49-1.html
O;.lQ5"
O;.lQ5"
ytv%c]`
ytv%c]`
hXXp://VVV.7532.com
hXXp://VVV.7532.com
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
8926356713
8926356713
hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=
hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=
hXXp://z.t.qq.com/mb/qzone/index.html
hXXp://z.t.qq.com/mb/qzone/index.html
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
"loginedUser"
"loginedUser"
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
MSXML2.ServerXMLHTTP.5.0
application/x-www-form-urlencoded
application/x-www-form-urlencoded
hXXp://api.t.qq.com/old/follow.php
hXXp://api.t.qq.com/old/follow.php
hXXp://api.t.qq.com/proxy.html
hXXp://api.t.qq.com/proxy.html
hXXp://z.t.qq.com/mb/qzone/index.html#
hXXp://z.t.qq.com/mb/qzone/index.html#
&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=
&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=
&apiType=5&apiHost=http://api.t.qq.com&_r=
&apiType=5&apiHost=http://api.t.qq.com&_r=
hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=
hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=
hXXp://api.t.qq.com/old/unfollow.php
hXXp://api.t.qq.com/old/unfollow.php
hXXp://ad.51pc114.cn/setup/yinyue.html
hXXp://ad.51pc114.cn/setup/yinyue.html
.html
.html
hXXp://y.qq.com/y/static/singer/
hXXp://y.qq.com/y/static/singer/
&loginUin=
&loginUin=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=
hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt
hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt
hXXp://VVV.7532.com/thread-143613-1-1.html
hXXp://VVV.7532.com/thread-143613-1-1.html
122.228.204.12
122.228.204.12
hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html
hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
http=
https
https
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXps://
hXXp://
hXXp://
hXXp://123.51pc114.cn/ad/ssggd.htm
hXXp://123.51pc114.cn/ad/ssggd.htm
Adodb.Stream
Adodb.Stream
fJ.WM_
fJ.WM_
CX%xm
CX%xm
Õ6m*
Õ6m*
n.BjCw
n.BjCw
%s;7*
%s;7*
0%x@w
0%x@w
%C^L:
%C^L:
%s T5
%s T5
]E4%F(
]E4%F(
.Funr
.Funr
k%UPp
k%UPp
fg.VG
fg.VG
%C',@
%C',@
>Ùd
>Ùd
0'.Ll
0'.Ll
[I(3/#N0.bd
[I(3/#N0.bd
j"%u=w
j"%u=w
q%Xn`
q%Xn`
@|H.NI
@|H.NI
.wdd!
.wdd!
S|%u4
S|%u4
*.Ea]S
*.Ea]S
Q.CGo
Q.CGo
fTpe
fTpe
.LLbX
.LLbX
-.Mdl
-.Mdl
\-A}=3K
\-A}=3K
Y:.akpS
Y:.akpS
$.Zcqn
$.Zcqn
.WE= T!N
.WE= T!N
#?%s(C(
#?%s(C(
u.Jck~
u.Jck~
zx/%FN[
zx/%FN[
%s=\RI
%s=\RI
}j%c%Y)
}j%c%Y)
Rx.GR
Rx.GR
4o#.dM
4o#.dM
IeS`%C
IeS`%C
[n 4\.UY
[n 4\.UY
,4.qO,
,4.qO,
gQ'.Io
gQ'.Io
%cLur?
%cLur?
s%DHB
s%DHB
]I%%X
]I%%X
5r.US
5r.US
:mD].tB
:mD].tB
f%fUZ
f%fUZ
.fOuV12
.fOuV12
*_.dC
*_.dC
&-N}
&-N}
({?.cQm
({?.cQm
.Cqx~c
.Cqx~c
.`.Qw
.`.Qw
**.dU
**.dU
!n]%x
!n]%x
%X,Cr
%X,Cr
&.PFy{xh
&.PFy{xh
.um ZZE7L
.um ZZE7L
/^p%u$
/^p%u$
I.NoQY
I.NoQY
zu.ew
zu.ew
D/.nT
D/.nT
b\SkinH_EL.dll
b\SkinH_EL.dll
C$%cmb
C$%cmb
.ppM|
.ppM|
aZ.mO
aZ.mO
%-^
%-^
.hk;~
.hk;~
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
MSVCRT.dll
MSVCRT.dll
MSVFW32.dll
MSVFW32.dll
USER32.dll
USER32.dll
51pc114.cn
51pc114.cn
123.51pc114.cn
123.51pc114.cn
hXXp://123.51pc114.cn/setup/ssxsz.htm
hXXp://123.51pc114.cn/setup/ssxsz.htm
Www.7532.com
Www.7532.com
hXXp://km.7532.com
hXXp://km.7532.com
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
/mood/
/mood/
.1&curkey=http://user.qzone.qq.com/
.1&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/&opuin=
/&opuin=
qzreferrer=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
mailto:shenglin_yu@126.com
mailto:shenglin_yu@126.com
hXXp://qlogo2.store.qq.com/qzone/
hXXp://qlogo2.store.qq.com/qzone/
hXXp://ad.51pc114.cn/setup/ssxczgg9976.txt
hXXp://ad.51pc114.cn/setup/ssxczgg9976.txt
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
hXXp://tjalist.photo.qzone.qq.com/fcgi-bin/fcg_list_album_v3?g_tk=
hXXp://tjalist.photo.qzone.qq.com/fcgi-bin/fcg_list_album_v3?g_tk=
hXXp://123.51pc114.cn/setup/QQssxs.html
hXXp://123.51pc114.cn/setup/QQssxs.html
&qzreferrer=http://ctc.qzs.qq.com/qzone/photo/v7/page/photo.html?init=photo.v7/module/photoList2/index&navBar=1&normal=1&aid=
&qzreferrer=http://ctc.qzs.qq.com/qzone/photo/v7/page/photo.html?init=photo.v7/module/photoList2/index&navBar=1&normal=1&aid=
/photo/
/photo/
&curkey=http://user.qzone.qq.com/
&curkey=http://user.qzone.qq.com/
unikey=http://user.qzone.qq.com/
unikey=http://user.qzone.qq.com/
\dc.dll
\dc.dll
@.reloc
@.reloc
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MFC42.DLL
KERNEL32.dll
KERNEL32.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
WSOCK32.dll
WSOCK32.dll
MSVCP60.dll
MSVCP60.dll
ReportError_A
ReportError_A
VBYB_ReportError
VBYB_ReportError
VB_ReportError
VB_ReportError
uu_loginA
uu_loginA
uu_loginW
uu_loginW
uu_reportError
uu_reportError
debug.ini
debug.ini
ReportError:%s
ReportError:%s
Error:%s
Error:%s
%s|!|%s
%s|!|%s
\dms.pdb
\dms.pdb
%u%u,
%u%u,
dclog.txt
dclog.txt
config.ini
config.ini
port
port
settimeout:%d
settimeout:%d
[%d]%s
[%d]%s
reg2:%s
reg2:%s
checkok:%s %s
checkok:%s %s
check fail:%s %s %s
check fail:%s %s %s
check:%s %s
check:%s %s
getcjfail:%s %s
getcjfail:%s %s
getcj:%s %s
getcj:%s %s
%s%uout
%s%uout
%s%uin
%s%uin
put img ok:%s
put img ok:%s
put img fail:%s
put img fail:%s
put img:%s %s %d
put img:%s %s %d
get result ok:%s,%s
get result ok:%s,%s
get result fail:%s
get result fail:%s
get result:%s
get result:%s
notifyfail ok:%s
notifyfail ok:%s
%s\%d-%s.png
%s\%d-%s.png
notifyfail fail:%s,%s
notifyfail fail:%s,%s
notifyfail:%s
notifyfail:%s
getimgok:%s,%s
getimgok:%s,%s
getimg:%s
getimg:%s
getinfo fail:%s
getinfo fail:%s
getinfo:%s,%s
getinfo:%s,%s
setresult:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
HTTP/1.1 200 OK
recv:%d
recv:%d
send:%d
send:%d
GET /ip.txt HTTP/1.1
GET /ip.txt HTTP/1.1
Host: %s
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
select:%d
ioctlsocket:%d
ioctlsocket:%d
socket:%d
socket:%d
api.qqchaoren.net
api.qqchaoren.net
14.17.65.24
14.17.65.24
14.17.65.23
14.17.65.23
dama2.qqchaoren.net
dama2.qqchaoren.net
dama1.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
connect total:%s %d
:%s %d
:%s %d
connect discard:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
[d-d-d d:d:d](u)
recv timeout:
recv timeout:
recvfail:%d
recvfail:%d
server close:%d
server close:%d
recv:%d
recv:%d
send:%d
send:%d
sendfail:%d
sendfail:%d
connect timeout:
connect timeout:
connectok:%s %hu
connectok:%s %hu
127.0.0.1
127.0.0.1
1.1.3
1.1.3
hXXp://ad.51pc114.cn/setup/a.html
hXXp://ad.51pc114.cn/setup/a.html
regsvr32 /s winhttp.dll
regsvr32 /s winhttp.dll
WinHttp
WinHttp
&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885
&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=
hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=
hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=
hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=
&0.10107533859643092
&0.10107533859643092
hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=
hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=
&0.05596214901416252
&0.05596214901416252
hXXp://captcha.qq.com/getQueSig?aid=715030901&uin=
hXXp://captcha.qq.com/getQueSig?aid=715030901&uin=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
hXXp://ptlogin2.qq.com/login?u=
hXXp://ptlogin2.qq.com/login?u=
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
.1^||^http://qzs.qq.com/qzone/client/&face=0&fupdate=1&g_tk=
.1^||^http://qzs.qq.com/qzone/client/&face=0&fupdate=1&g_tk=
hXXp://user.qzone.qq.com/p/r/cgi-bin/user/qz_opcnt2?_stp=
hXXp://user.qzone.qq.com/p/r/cgi-bin/user/qz_opcnt2?_stp=
function time(){return new Date().getTime()}
function time(){return new Date().getTime()}
<.>http://user.qzone.qq.com/
<.>http://user.qzone.qq.com/
&refer=qzone&plat=qzone&json_esc=1&output_type=json&unikey=http://user.qzone.qq.com/
&refer=qzone&plat=qzone&json_esc=1&output_type=json&unikey=http://user.qzone.qq.com/
hXXp://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?g_tk=
hXXp://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?g_tk=
skey
skey
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1>8&1f;L[G ]^=r>>16&1f;L[G ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0>3;1a(z>=15;0>15,G=z*R F*E,R=E*R ((G&1N)>>30) (G>>>15) z*F (D>>>30);A[B ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1=K; K)S[H ]=K;H=3n;19(K=10;36>K; K)S[H ]=K;H=3D;19(K=10;36>K; K)S[H ]=K;C.1b.2e=X(r){Z 0>r.s||0r.s&&0>15)*W.2f&W.2T)=r.1o;)r[A]-=r.1o,r[ A] }r.1q();r.2b(W.m.t,r);0r?-1:0;0r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t ]=J:E A>W.1e?(W[W.t-1]|=(J&(1>W.1e-E):W[W.t-1]|=J=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0>B|E,E=(W[F]&D)=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1>B;19(Y E=A 1;E>B;0>=W.1e;1a(r.t>=W.1e;B =W.s}1h{19(B =W.s;A>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A ]=W.1o B:0=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0=E.t)){Y F=W.1w();1a(F.t>W.29:0),K=W.2K/H,H=(1J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1>E)&&(B=!0,C="2A".1l(A));0>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G>>8,L[G ]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;zz; z)W.S[z]=z;19(z=A=0;1B>z; z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;zz;z )x[z]=0;19(z=1;2>=z;)8>a&&(g[a ]=e()&1f,z ),8==a&&p();19(z=0;0a&&(g[a ]=r[z ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a ]=0,z ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A=A;)1a(8>a&&(a ,A ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A ,B--,a ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0>>0,z =(r>>5) D,z=(z&1r)>>>0,r =(z>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0>>5) E,r=(r&1r)>>>0,z-=(r>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I>>9C;C )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)>>32-B}X 1K(r){19(Y B=[],z=(1>5]|=(r.1C(A/1n)&z)>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;zD.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1>8&1f;L[G ]^=r>>16&1f;L[G ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0>3;1a(z>=15;0>15,G=z*R F*E,R=E*R ((G&1N)>>30) (G>>>15) z*F (D>>>30);A[B ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1=K; K)S[H ]=K;H=3n;19(K=10;36>K; K)S[H ]=K;H=3D;19(K=10;36>K; K)S[H ]=K;C.1b.2e=X(r){Z 0>r.s||0r.s&&0>15)*W.2f&W.2T)=r.1o;)r[A]-=r.1o,r[ A] }r.1q();r.2b(W.m.t,r);0r?-1:0;0r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t ]=J:E A>W.1e?(W[W.t-1]|=(J&(1>W.1e-E):W[W.t-1]|=J=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0>B|E,E=(W[F]&D)=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1>B;19(Y E=A 1;E>B;0>=W.1e;1a(r.t>=W.1e;B =W.s}1h{19(B =W.s;A>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A ]=W.1o B:0=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0=E.t)){Y F=W.1w();1a(F.t>W.29:0),K=W.2K/H,H=(1J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1>E)&&(B=!0,C="2A".1l(A));0>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G>>8,L[G ]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;zz; z)W.S[z]=z;19(z=A=0;1B>z; z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;zz;z )x[z]=0;19(z=1;2>=z;)8>a&&(g[a ]=e()&1f,z ),8==a&&p();19(z=0;0a&&(g[a ]=r[z ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a ]=0,z ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A=A;)1a(8>a&&(a ,A ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A ,B--,a ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0>>0,z =(r>>5) D,z=(z&1r)>>>0,r =(z>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0>>5) E,r=(r&1r)>>>0,z-=(r>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I>>9C;C )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)>>32-B}X 1K(r){19(Y B=[],z=(1>5]|=(r.1C(A/1n)&z)>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;zD.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))
p_skey=;
p_skey=;
airkey=;
airkey=;
&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.
&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.
hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=
hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=
var window=window||{};$=window.$||{};$pt=window.$pt||{};$pt.RSA=function(){function g(z,t){return new ar(z,t)}
var window=window||{};$=window.$||{};$pt=window.$pt||{};$pt.RSA=function(){function g(z,t){return new ar(z,t)}
function ah(aA,aB){var t='';var z=0;while(z aB
function ah(aA,aB){var t='';var z=0;while(z aB
return t aA.substring(z,aA.length)}
return t aA.substring(z,aA.length)}
function r(t){if(t
function r(t){if(t
function af(aB,aE){if(aE
function af(aB,aE){if(aE
var aD=new Array();var aA=aB.length-1;while(aA>=0&&aE>0){var aC=aB.charCodeAt(aA--);aD[--aE]=aC}
var aD=new Array();var aA=aB.length-1;while(aA>=0&&aE>0){var aC=aB.charCodeAt(aA--);aD[--aE]=aC}
aD[--aE]=0;var z=new ad();var t=new Array();while(aE>2){t[0]=0;while(t[0]==0){z.nextBytes(t)}
aD[--aE]=0;var z=new ad();var t=new Array();while(aE>2){t[0]=0;while(t[0]==0){z.nextBytes(t)}
function L(){this.n=null;this.e=0;this.d=null;this.p=null;this.q=null;this.dmp1=null;this.dmq1=null;this.coeff=null}
function L(){this.n=null;this.e=0;this.d=null;this.p=null;this.q=null;this.dmp1=null;this.dmq1=null;this.coeff=null}
function o(z,t){if(z!=null&&t!=null&&z.length>0&&t.length>0){this.n=g(z,16);this.e=parseInt(t,16)}else{uv_alert('Invalid RSA public key')}}
function o(z,t){if(z!=null&&t!=null&&z.length>0&&t.length>0){this.n=g(z,16);this.e=parseInt(t,16)}else{uv_alert('Invalid RSA public key')}}
function W(t){return t.modPowInt(this.e,this.n)}
function W(t){return t.modPowInt(this.e,this.n)}
function p(aA){var t=af(aA,(this.n.bitLength() 7)>>3);if(t==null){return null}
function p(aA){var t=af(aA,(this.n.bitLength() 7)>>3);if(t==null){return null}
var aB=this.doPublic(t);if(aB==null){return null}
var aB=this.doPublic(t);if(aB==null){return null}
var z=aB.toString(16);if((z.length&1)==0){return z}else{return'0' z}}
var z=aB.toString(16);if((z.length&1)==0){return z}else{return'0' z}}
L.prototype.doPublic=W;L.prototype.setPublic=o;L.prototype.encrypt=p;var aw;var ai=244837814094590;var Z=((ai&16777215)==15715070);function ar(z,t,aA){if(z!=null){if('number'==typeof z){this.fromNumber(z,t,aA)}else{if(t==null&&'string'!=typeof z){this.fromString(z,256)}else{this.fromString(z,t)}}}}
L.prototype.doPublic=W;L.prototype.setPublic=o;L.prototype.encrypt=p;var aw;var ai=244837814094590;var Z=((ai&16777215)==15715070);function ar(z,t,aA){if(z!=null){if('number'==typeof z){this.fromNumber(z,t,aA)}else{if(t==null&&'string'!=typeof z){this.fromString(z,256)}else{this.fromString(z,t)}}}}
function b(aC,t,z,aB,aE,aD){while(--aD>=0){var aA=t*this[aC ] z[aB] aE;aE=Math.floor(aA/67108864);z[aB ]=aA&67108863}
function b(aC,t,z,aB,aE,aD){while(--aD>=0){var aA=t*this[aC ] z[aB] aE;aE=Math.floor(aA/67108864);z[aB ]=aA&67108863}
var navigator=navigator||{};if(Z&&(navigator.appName=='Microsoft Internet Explorer')){ar.prototype.am=ay;aw=30}else{if(Z&&(navigator.appName!='Netscape')){ar.prototype.am=b;aw=26}else{ar.prototype.am=ax;aw=28}}
var navigator=navigator||{};if(Z&&(navigator.appName=='Microsoft Internet Explorer')){ar.prototype.am=ay;aw=30}else{if(Z&&(navigator.appName!='Netscape')){ar.prototype.am=b;aw=26}else{ar.prototype.am=ax;aw=28}}
ar.prototype.DB=aw;ar.prototype.DM=((1
ar.prototype.DB=aw;ar.prototype.DM=((1
ap='a'.charCodeAt(0);for(v=10;v
ap='a'.charCodeAt(0);for(v=10;v
ap='A'.charCodeAt(0);for(v=10;v
ap='A'.charCodeAt(0);for(v=10;v
function az(t){return ae.charAt(t)}
function az(t){return ae.charAt(t)}
function A(z,t){var aA=ag[z.charCodeAt(t)];return(aA==null)?-1:aA}
function A(z,t){var aA=ag[z.charCodeAt(t)];return(aA==null)?-1:aA}
function c(t){var z=h();z.fromInt(t);return z}
function c(t){var z=h();z.fromInt(t);return z}
function w(aE,z){var aB;if(z==16){aB=4}else{if(z==8){aB=3}else{if(z==256){aB=8}else{if(z==2){aB=1}else{if(z==32){aB=5}else{if(z==4){aB=2}else{this.fromRadix(aE,z);return}}}}}}
function w(aE,z){var aB;if(z==16){aB=4}else{if(z==8){aB=3}else{if(z==256){aB=8}else{if(z==2){aB=1}else{if(z==32){aB=5}else{if(z==4){aB=2}else{this.fromRadix(aE,z);return}}}}}}
this.t=0;this.s=0;var aD=aE.length,aA=false,aC=0;while(--aD>=0){var t=(aB==8)?aE[aD]&255:A(aE,aD);if(t
this.t=0;this.s=0;var aD=aE.length,aA=false,aC=0;while(--aD>=0){var t=(aB==8)?aE[aD]&255:A(aE,aD);if(t
aA=false;if(aC==0){this[this.t ]=t}else{if(aC aB>this.DB){this[this.t-1]|=(t&((1>(this.DB-aC))}else{this[this.t-1]|=t
aA=false;if(aC==0){this[this.t ]=t}else{if(aC aB>this.DB){this[this.t-1]|=(t&((1>(this.DB-aC))}else{this[this.t-1]|=t
aC =aB;if(aC>=this.DB){aC-=this.DB}}
aC =aB;if(aC>=this.DB){aC-=this.DB}}
if(aB==8&&(aE[0]&128)!=0){this.s=-1;if(aC>0){this[this.t-1]|=((1
if(aB==8&&(aE[0]&128)!=0){this.s=-1;if(aC>0){this[this.t-1]|=((1
this.clamp();if(aA){ar.ZERO.subTo(this,this)}}
this.clamp();if(aA){ar.ZERO.subTo(this,this)}}
function O(){var t=this.s&this.DM;while(this.t>0&&this[this.t-1]==t){--this.t}}
function O(){var t=this.s&this.DM;while(this.t>0&&this[this.t-1]==t){--this.t}}
function q(z){if(this.s
function q(z){if(this.s
var aA;if(z==16){aA=4}else{if(z==8){aA=3}else{if(z==2){aA=1}else{if(z==32){aA=5}else{if(z==4){aA=2}else{return this.toRadix(z)}}}}}
var aA;if(z==16){aA=4}else{if(z==8){aA=3}else{if(z==2){aA=1}else{if(z==32){aA=5}else{if(z==4){aA=2}else{return this.toRadix(z)}}}}}
var aC=(10){if(aE>aE)>0){t=true;aD=az(aF)}
var aC=(10){if(aE>aE)>0){t=true;aD=az(aF)}
while(aB>=0){if(aE>(aE =this.DB-aA)}else{aF=(this[aB]>>(aE-=aA))&aC;if(aE
while(aB>=0){if(aE>(aE =this.DB-aA)}else{aF=(this[aB]>>(aE-=aA))&aC;if(aE
function R(){var t=h();ar.ZERO.subTo(this,t);return t}
function R(){var t=h();ar.ZERO.subTo(this,t);return t}
function al(){return(this.s
function al(){return(this.s
return this.DB*(this.t-1) j(this[this.t-1]^(this.s&this.DM))}
return this.DB*(this.t-1) j(this[this.t-1]^(this.s&this.DM))}
z.t=Math.max(this.t-aA,0);z.s=this.s}
z.t=Math.max(this.t-aA,0);z.s=this.s}
function s(aF,aB){var z=aF%this.DB;var t=this.DB-z;var aD=(1=0;--aA){aB[aA aC 1]=(this[aA]>>t)|aE;aE=(this[aA]&aD)
function s(aF,aB){var z=aF%this.DB;var t=this.DB-z;var aD=(1=0;--aA){aB[aA aC 1]=(this[aA]>>t)|aE;aE=(this[aA]&aD)
aB[aC]=aE;aB.t=this.t aC 1;aB.s=this.s;aB.clamp()}
aB[aC]=aE;aB.t=this.t aC 1;aB.s=this.s;aB.clamp()}
function l(aE,aB){aB.s=this.s;var aC=Math.floor(aE/this.DB);if(aC>=this.t){aB.t=0;return}
function l(aE,aB){aB.s=this.s;var aC=Math.floor(aE/this.DB);if(aC>=this.t){aB.t=0;return}
var z=aE%this.DB;var t=this.DB-z;var aD=(1>z;for(var aA=aC 1;aA>z}
var z=aE%this.DB;var t=this.DB-z;var aD=(1>z;for(var aA=aC 1;aA>z}
aB.t=this.t-aC;aB.clamp()}
aB.t=this.t-aC;aB.clamp()}
function ab(z,aB){var aA=0,aC=0,t=Math.min(z.t,this.t);while(aA>=this.DB}
function ab(z,aB){var aA=0,aC=0,t=Math.min(z.t,this.t);while(aA>=this.DB}
if(z.t>=this.DB}
if(z.t>=this.DB}
aC =this.s}else{aC =this.s;while(aA>=this.DB}
aC =this.s}else{aC =this.s;while(aA>=this.DB}
aB.s=(aC0){aB[aA ]=aC}}
aB.s=(aC0){aB[aA ]=aC}}
aB.t=aA;aB.clamp()}
aB.t=aA;aB.clamp()}
function D(z,aB){var t=this.abs(),aC=z.abs();var aA=t.t;aB.t=aA aC.t;while(--aA>=0){aB[aA]=0}
function D(z,aB){var t=this.abs(),aC=z.abs();var aA=t.t;aB.t=aA aC.t;while(--aA>=0){aB[aA]=0}
for(aA=0;aA
for(aA=0;aA
aB.s=0;aB.clamp();if(this.s!=z.s){ar.ZERO.subTo(aB,aB)}}
aB.s=0;aB.clamp();if(this.s!=z.s){ar.ZERO.subTo(aB,aB)}}
function Q(aA){var t=this.abs();var z=aA.t=2*t.t;while(--z>=0){aA[z]=0}
function Q(aA){var t=this.abs();var z=aA.t=2*t.t;while(--z>=0){aA[z]=0}
for(z=0;z=t.DV){aA[z t.t]-=t.DV;aA[z t.t 1]=1}}
for(z=0;z=t.DV){aA[z t.t]-=t.DV;aA[z t.t 1]=1}}
if(aA.t>0){aA[aA.t-1] =t.am(z,t[z],aA,2*z,0,1)}
if(aA.t>0){aA[aA.t-1] =t.am(z,t[z],aA,2*z,0,1)}
aA.s=0;aA.clamp()}
aA.s=0;aA.clamp()}
function E(aI,aF,aE){var aO=aI.abs();if(aO.t
function E(aI,aF,aE){var aO=aI.abs();if(aO.t
var aG=this.abs();if(aG.t
var aG=this.abs();if(aG.t
if(aE!=null){this.copyTo(aE)}
if(aE!=null){this.copyTo(aE)}
var aC=h(),z=this.s,aH=aI.s;var aN=this.DB-j(aO[aO.t-1]);if(aN>0){aO.lShiftTo(aN,aC);aG.lShiftTo(aN,aE)}else{aO.copyTo(aC);aG.copyTo(aE)}
var aC=h(),z=this.s,aH=aI.s;var aN=this.DB-j(aO[aO.t-1]);if(aN>0){aO.lShiftTo(aN,aC);aG.lShiftTo(aN,aE)}else{aO.copyTo(aC);aG.copyTo(aE)}
var aJ=aA*(11)?aC[aK-2]>>this.F2:0);var aR=this.FV/aJ,aQ=(1=0){aE[aE.t ]=1;aE.subTo(aD,aE)}
var aJ=aA*(11)?aC[aK-2]>>this.F2:0);var aR=this.FV/aJ,aQ=(1=0){aE[aE.t ]=1;aE.subTo(aD,aE)}
ar.ONE.dlShiftTo(aK,aD);aD.subTo(aC,aC);while(aC.t
ar.ONE.dlShiftTo(aK,aD);aD.subTo(aC,aC);while(aC.t
while(--aL>=0){var aB=(aE[--aM]==aA)?this.DM:Math.floor(aE[aM]*aR (aE[aM-1] aP)*aQ);if((aE[aM] =aC.am(0,aB,aE,aL,0,aK))
while(--aL>=0){var aB=(aE[--aM]==aA)?this.DM:Math.floor(aE[aM]*aR (aE[aM-1] aP)*aQ);if((aE[aM] =aC.am(0,aB,aE,aL,0,aK))
if(aF!=null){aE.drShiftTo(aK,aF);if(z!=aH){ar.ZERO.subTo(aF,aF)}}
if(aF!=null){aE.drShiftTo(aK,aF);if(z!=aH){ar.ZERO.subTo(aF,aF)}}
aE.t=aK;aE.clamp();if(aN>0){aE.rShiftTo(aN,aE)}
aE.t=aK;aE.clamp();if(aN>0){aE.rShiftTo(aN,aE)}
if(z
if(z
function N(t){var z=h();this.abs().divRemTo(t,null,z);if(this.s0){t.subTo(z,z)}
function N(t){var z=h();this.abs().divRemTo(t,null,z);if(this.s0){t.subTo(z,z)}
function V(t){if(t.s=0){return t.mod(this.m)}else{return t}}
function V(t){if(t.s=0){return t.mod(this.m)}else{return t}}
function J(t){t.divRemTo(this.m,null,t)}
function J(t){t.divRemTo(this.m,null,t)}
function H(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}
function H(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}
function au(t,z){t.squareTo(z);this.reduce(z)}
function au(t,z){t.squareTo(z);this.reduce(z)}
K.prototype.convert=V;K.prototype.revert=ak;K.prototype.reduce=J;K.prototype.mulTo=H;K.prototype.sqrTo=au;function B(){if(this.t
K.prototype.convert=V;K.prototype.revert=ak;K.prototype.reduce=J;K.prototype.mulTo=H;K.prototype.sqrTo=au;function B(){if(this.t
var z=t&3;z=(z*(2-(t&15)*z))&15;z=(z*(2-(t&255)*z))&255;z=(z*(2-(((t&65535)*z)&65535)))&65535;z=(z*(2-t*z%this.DV))%this.DV;return(z>0)?this.DV-z:-z}
var z=t&3;z=(z*(2-(t&15)*z))&15;z=(z*(2-(t&255)*z))&255;z=(z*(2-(((t&65535)*z)&65535)))&65535;z=(z*(2-t*z%this.DV))%this.DV;return(z>0)?this.DV-z:-z}
function f(t){this.m=t;this.mp=t.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1
function f(t){this.m=t;this.mp=t.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1
function aj(t){var z=h();t.abs().dlShiftTo(this.m.t,z);z.divRemTo(this.m,null,z);if(t.s0){this.m.subTo(z,z)}
function aj(t){var z=h();t.abs().dlShiftTo(this.m.t,z);z.divRemTo(this.m,null,z);if(t.s0){this.m.subTo(z,z)}
function at(t){var z=h();t.copyTo(z);this.reduce(z);return z}
function at(t){var z=h();t.copyTo(z);this.reduce(z);return z}
function P(t){while(t.t
function P(t){while(t.t
for(var aA=0;aA>15)*this.mpl)&this.um)=t.DV){t[z]-=t.DV;t[ z] }}
for(var aA=0;aA>15)*this.mpl)&this.um)=t.DV){t[z]-=t.DV;t[ z] }}
t.clamp();t.drShiftTo(this.m.t,t);if(t.compareTo(this.m)>=0){t.subTo(this.m,t)}}
t.clamp();t.drShiftTo(this.m.t,t);if(t.compareTo(this.m)>=0){t.subTo(this.m,t)}}
function am(t,z){t.squareTo(z);this.reduce(z)}
function am(t,z){t.squareTo(z);this.reduce(z)}
function y(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}
function y(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}
f.prototype.convert=aj;f.prototype.revert=at;f.prototype.reduce=P;f.prototype.mulTo=y;f.prototype.sqrTo=am;function i(){return((this.t>0)?(this[0]&1):this.s)==0}
f.prototype.convert=aj;f.prototype.revert=at;f.prototype.reduce=P;f.prototype.mulTo=y;f.prototype.sqrTo=am;function i(){return((this.t>0)?(this[0]&1):this.s)==0}
function x(aF,aG){if(aF>4294967295||aF
function x(aF,aG){if(aF>4294967295||aF
var aE=h(),aA=h(),aD=aG.convert(this),aC=j(aF)-1;aD.copyTo(aE);while(--aC>=0){aG.sqrTo(aE,aA);if((aF&(10){aG.mulTo(aA,aD,aE)}else{var aB=aE;aE=aA;aA=aB}}
var aE=h(),aA=h(),aD=aG.convert(this),aC=j(aF)-1;aD.copyTo(aE);while(--aC>=0){aG.sqrTo(aE,aA);if((aF&(10){aG.mulTo(aA,aD,aE)}else{var aB=aE;aE=aA;aA=aB}}
return aG.revert(aE)}
return aG.revert(aE)}
function an(aA,t){var aB;if(aA
function an(aA,t){var aB;if(aA
return this.exp(aA,aB)}
return this.exp(aA,aB)}
ar.prototype.copyTo=Y;ar.prototype.fromInt=n;ar.prototype.fromString=w;ar.prototype.clamp=O;ar.prototype.dlShiftTo=aq;ar.prototype.drShiftTo=X;ar.prototype.lShiftTo=s;ar.prototype.rShiftTo=l;ar.prototype.subTo=ab;ar.prototype.multiplyTo=D;ar.prototype.squareTo=Q;ar.prototype.divRemTo=E;ar.prototype.invDigit=B;ar.prototype.isEven=i;ar.prototype.exp=x;ar.prototype.toString=q;ar.prototype.negate=R;ar.prototype.abs=al;ar.prototype.compareTo=G;ar.prototype.bitLength=u;ar.prototype.mod=N;ar.prototype.modPowInt=an;ar.ZERO=c(0);ar.ONE=c(1);var m;var U;var ac;function d(t){U[ac ]^=t&255;U[ac ]^=(t>>8)&255;U[ac ]^=(t>>16)&255;U[ac ]^=(t>>24)&255;if(ac>=M){ac-=M}}
ar.prototype.copyTo=Y;ar.prototype.fromInt=n;ar.prototype.fromString=w;ar.prototype.clamp=O;ar.prototype.dlShiftTo=aq;ar.prototype.drShiftTo=X;ar.prototype.lShiftTo=s;ar.prototype.rShiftTo=l;ar.prototype.subTo=ab;ar.prototype.multiplyTo=D;ar.prototype.squareTo=Q;ar.prototype.divRemTo=E;ar.prototype.invDigit=B;ar.prototype.isEven=i;ar.prototype.exp=x;ar.prototype.toString=q;ar.prototype.negate=R;ar.prototype.abs=al;ar.prototype.compareTo=G;ar.prototype.bitLength=u;ar.prototype.mod=N;ar.prototype.modPowInt=an;ar.ZERO=c(0);ar.ONE=c(1);var m;var U;var ac;function d(t){U[ac ]^=t&255;U[ac ]^=(t>>8)&255;U[ac ]^=(t>>16)&255;U[ac ]^=(t>>24)&255;if(ac>=M){ac-=M}}
function T(){d(new Date().getTime())}
function T(){d(new Date().getTime())}
if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion
if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion
while(ac>>8;U[ac ]=I&255}
while(ac>>8;U[ac ]=I&255}
function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac
function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac
return m.next()}
return m.next()}
function av(z){var t;for(t=0;t
function av(z){var t;for(t=0;t
ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}
ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}
z=0;for(aB=0;aB
z=0;for(aB=0;aB
k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}
k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}
var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}
var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}
return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}
return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}
var z='';for(var A=0;A
var z='';for(var A=0;A
function v(A){var B='';for(var z=0;z
function v(A){var B='';for(var z=0;z
var B=[];for(var A=0;A
var B=[];for(var A=0;A
function k(C){var B,D,A=[],z=C.length;for(B=0;B0&&D=128&&D>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}
function k(C){var B,D,A=[],z=C.length;for(B=0;B0&&D=128&&D>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}
return A.join('')}
return A.join('')}
function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}
function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}
function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z
function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z
for(var B=0;B
for(var B=0;B
function f(){var z=t.length;for(var A=0;A
function f(){var z=t.length;for(var A=0;A
function o(D,C){var B=[];if(C){for(var A=0;A
function o(D,C){var B=[];if(C){for(var A=0;A
r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A
r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A
return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}
return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}
return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}
return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}
var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}
var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}
for(C=0;C>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}
for(C=0;C>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}
switch(D.length-B){case 1:G=E(D,C)>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}
switch(D.length-B){case 1:G=E(D,C)>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}
return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}
return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}
function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}
function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}
function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}
function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}
function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}
function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}
function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}
function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}
function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}
function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}
function core_md5(x,len){x[len>>5]|=128>>9)
function core_md5(x,len){x[len>>5]|=128>>9)
function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}
function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}
var ipad=Array(16),opad=Array(16);for(var i=0;i
var ipad=Array(16),opad=Array(16);for(var i=0;i
var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}
var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}
function str2binl(str){var bin=Array();var mask=(1>5]|=(str.charCodeAt(i/chrsz)&mask)
function str2binl(str){var bin=Array();var mask=(1>5]|=(str.charCodeAt(i/chrsz)&mask)
function binl2str(bin){var str='';var mask=(1>5]>>>(i2))&mask)}
function binl2str(bin){var str='';var mask=(1>5]>>>(i2))&mask)}
function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}
function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}
function binl2b64(binarray){var tab='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';var str='';for(var i=0;i>2]>>8*(i%4))&255)>2]>>8*((i 1)%4))&255)>2]>>8*((i 2)%4))&255);for(var j=0;jbinarray.length*32){str =b64pad}else{str =tab.charAt((triplet>>6*(3-j))&63)}}}
function binl2b64(binarray){var tab='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';var str='';for(var i=0;i>2]>>8*(i%4))&255)>2]>>8*((i 1)%4))&255)>2]>>8*((i 2)%4))&255);for(var j=0;jbinarray.length*32){str =b64pad}else{str =tab.charAt((triplet>>6*(3-j))&63)}}}
function hexchar2bin(str){var arr=[];for(var i=0;i
function hexchar2bin(str){var arr=[];for(var i=0;i
arr=arr.join('');eval('var temp = \'' arr '\'');return temp}
arr=arr.join('');eval('var temp = \'' arr '\'');return temp}
function __monitor(mid,probability){if(Math.random()>(probability||1)){return}
function __monitor(mid,probability){if(Math.random()>(probability||1)){return}
try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}
try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}
function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length
function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length
while(rsaH1Len.length
while(rsaH1Len.length
r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}
r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}
function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i
function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i
var arr=[];for(var j=0;j
var arr=[];for(var j=0;j
var result=arr.join("");eval('result="' result '"');return result}getEncryption
var result=arr.join("");eval('result="' result '"');return result}getEncryption
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-
function time(){return Math.random()}
function time(){return Math.random()}
VBScript.RegExp
VBScript.RegExp
km.7532.com
km.7532.com
shenglin_yu@126.com
shenglin_yu@126.com
VVV.7532.com
VVV.7532.com
VVV.7532.comt
VVV.7532.comt
7532.com
7532.com
|*.txt
|*.txt
%d&&'
%d&&'
123456789
123456789
00003333
00003333
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
windows
windows
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
RASAPI32.dll
RASAPI32.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
GetKeyState
GetKeyState
GetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
VVV.dywt.com.cn
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
its:%s::%s
its:%s::%s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCResourceException@@
.PAVCResourceException@@
%d-%d-%d
%d-%d-%d
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG
(*.JPG)|*.jpg|BMP
(*.JPG)|*.jpg|BMP
(*.BMP)|*.bmp|GIF
(*.BMP)|*.bmp|GIF
(*.GIF)|*.gif|
(*.GIF)|*.gif|
(*.ICO)|*.ico|
(*.ICO)|*.ico|
(*.CUR)|*.cur||
(*.CUR)|*.cur||
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
3 ,,25%!4
3 ,,25%!4
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
1, 0, 6, 6
!"#$%&'()* ,-
!"#$%&'()* ,-
25, 0, 0, 1
25, 0, 0, 1
Windows
Windows
Grid.Document
Grid.Document
(*.*)
(*.*)
4.4.0.0
4.4.0.0
%original file name%.exe_3404_rwx_10001000_00039000:
L$(h%f
L$(h%f
SSh0j
SSh0j
hu2.iu
hu2.iu
msctls_hotkey32
msctls_hotkey32
TVCLHotKey
TVCLHotKey
THotKey
THotKey
\skinh.she
\skinh.she
}uo,x6l5k%x-l h
}uo,x6l5k%x-l h
9p%s m)t4`#b
9p%s m)t4`#b
e"m?c&y1`Ã
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
EnumThreadWindows
EnumThreadWindows
EnumChildWindows
EnumChildWindows
`c%US.4/
`c%US.4/
!#$
!#$
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.UPX0
@.UPX0
`.UPX1
`.UPX1
`.reloc
`.reloc