52pojie (吾爱破解) - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn

[Web Reverse Engineering] Notes on Cracking a Certain Goose's Slider CAPTCHA

Null_Null posted on 2021-9-29 21:40
This post was last edited by Null_Null on 2021-12-22 19:59

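0x00 Preface

I heard about VM-based protection a long time ago, but the concept of a VM was always vague to me, so recently I wanted to study the techniques behind VM protectors. What I could learn from the various posts online was limited and did not give me a good understanding of the principles and mechanisms of a VM protector, so I thought of finding one to reverse and seeing what I could learn from it.

The target this time is a stack-based virtual machine written in JavaScript by a certain goose. I have to say that when I first met this code I really could not understand what it was doing, but the deeper I went, the more this virtual machine felt like a work of art, quite remarkable.

Follow me step by step as we lift the veil on this virtual machine!

Note: if this infringes any rights, contact me and I will delete it immediately. This article is for exchange and study only, and some key information has been redacted.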

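0x01 Preparation

First, our goal. After the slider is completed, the CAPTCHA sends some data to the server; this data contains some required and some optional information. The required information is as follows:

image-20210910202439882.png

The field name is collect. Judging by the name, its value is probably collected data, which may include browser environment information as well as the track of the slider drag or of the mouse movement. The other required piece of information is as follows:

image-20210910202905631.png

How these two encrypted field values are generated, what data they contain, and how to emulate them so as to crack the slider is the subject of this article.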

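0x02 Locating the Encryption Point

Using the search in the browser's developer console, let's try searching for the collect field:

image-20210910203451250.png

Follow it in and set a breakpoint here:

image-20210910203537714.png

Slide again and, sure enough, execution stops at this point:

image-20210910203711040.png

A quick look at the value of e shows that it has essentially the same format as the parameters we submit, so collect should be assigned here. Next we look at how the R() function produces collect. Stepping into R gives:

image-20210910203926637.png

We have now reached the getData function. Set a breakpoint, resume execution until it triggers, then print the variable a in the console. a looks like an interface that exposes several functions:

image-20210910204229899.png

Looking further up to see where a comes from, its assignment is a few lines above:

image-20210910204412760.png

a = window.TDC

It looks as if a TDC object is defined on the window object and then assigned to a. Now let's look at the implementation of getData. Stepping in leads here:

So the implementation of getData should be as follows: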

// getData implementation
function k() {
        var B = A.slice(0);
        B[0] = [this],
        B[1] = [arguments],
        B[2] = [k];
        for (var M = 0; M < G.length && M < arguments.length; M++)
                0 < G[M] && (B[G[M]] = [arguments[M]]);
        return __TENCENT_CHAOS_VM(w, C, T, B, H, U, J, Z)
}

// The anonymous function enclosing getData

function() {
        for (var w = C[D++], A = [], B = C[D++], M = C[D++], G = [], Q = 0; Q < B; Q++)
                A[C[D++]] = E[C[D++]];
        for (Q = 0; Q < M; Q++)
                G[Q] = C[D++];
        E.push(
        function k() {
                        var B = A.slice(0);
                        B[0] = [this],
                        B[1] = [arguments],
                        B[2] = [k];
                        for (var M = 0; M < G.length && M < arguments.length; M++)
                                0 < G[M] && (B[G[M]] = [arguments[M]]);
                        return __TENCENT_CHAOS_VM(w, C, T, B, H, U, J, Z)
                })
}

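// Inside the body of getData, the variables A, B and G all refer to local variables of the enclosing anonymous function, that is, the values they held when getData was pushed into E

That explanation may not be very clear, so let's first look at the code below: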

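var E = []; // declare an empty array E to hold functions
(function TEST(){ // immediately invoked function
    var rand = Math.random() // generate a random number
    console.log(rand)
    E.push(function (){ // store the function in the array
        var test = rand;
        console.log(test) // print the random number generated above
    })
    if(E.length > 1)return;
    TEST()
})()
E[0]()
E[1]()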

The output is as follows:

0.5371786118718886
0.6474871625616907
0.5371786118718886
0.6474871625616907

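This shows that the random number has been preserved. In this way part of a function's arguments can be saved: when the function is called, the variable values it needs have not been destroyed and can still be accessed. So the question is: why call functions this way? Wouldn't it do to simply write a function that implements the feature directly?

Follow my analysis step by step and you will see why it is written like this.

To verify that getData really is called through the place described above, we copy the code out and call it in a Node.js environment. To emulate a real browser environment we use a library called jsdom.

jsdom is described as follows:

jsdom is a pure-JavaScript implementation of many web standards, notably the WHATWG DOM and HTML Standards, for use with Node.js. In general, the goal of the project is to emulate enough of a subset of a web browser to be useful for testing and scraping real-world web applications.

Install it under Node:

npm install jsdom

Usage: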

const jsdom = require("jsdom");
const {JSDOM} = jsdom;
const dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`);
window = dom.window;
document = window.document;
XMLHttpRequest = window.XMLHttpRequest;

With the environment emulated, we can copy the code into the editor, as shown below:

image-20210929203518634.png

At the end of the code we add:

console.log(window.TDC)

The printed result is as follows:

{
  getInfo: [Function: M],
  setData: [Function: M], 
  clearTc: [Function: M],
  getData: [Function: M] // getData can now be called
}

Call getData:

console.log(window.TDC.getData())

The result is as follows:

e43rYszBdPpLFbYEnvf6EH423DMkVfmqhtQV%2BCnQMWEdGBJzm4MFSOGDFX0ykuQGqe4c1cxY5APK40WOd9u7mbdwXIQ1x9OBSgdVHmORAxmVEXILfudlFIYF4KW7ZuOdX9ixo4efmMqIViV1IKT%2B24mEOmUJ2xtr6ULKcsrp0Xg3GQkNZ7iWy2G87RaR5NpSgHnX6q8eD5UIoml8J6bqef1JDKK%2BW4iXKaj3j5PGwLo%2FqrW1 mWy%2BB0MSvS91m%2FYk%2BNtC79fF0pOuSvflUSrAAohWJXUgpP7b%2BTuue9zspkzK8nLSWZGjTc4sycUohsG5owCAZch4y%2FYdttQ4D4nFT4hWJXUgpP7bM3NuzmNY663gs%2FQ7BKUdIk9HX3mnJQOT%2FB2S9xc25mskD87Pieargmi4QVyC1l%2Bnr5VFrxOHLI%2FkcpgPZqPrbVoWKk8cGT03izOvvebVB7xzp4B06AdsZe 7Q%2FnP%2BALoM%2F3Q6Sp0JU7daFipPHBk9N1oWKk8cGT03mCh6%2FirnaBoh%2BZs4V9dDlA%3D%3D

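Set a breakpoint at the call site:

image-20210929204326642.png

Enter debug mode and press F7 to step into:

image-20210929204442157.png

The function enters the place we analysed earlier. Next, let's analyse the structure of the whole code.

0x03 Code Structure Analysis

First fold all the code. The main function is TENCENT_CHAOS_STACK; expanding one level below it gives the following structure: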

var __TENCENT_CHAOS_STACK = function() {
    function __TENCENT_CHAOS_VM(c, R, H, h, I, C, w, F) {...}
        function I(E) {...}
    return __TENCENT_CHAOS_VM.v = 0,
        __TENCENT_CHAOS_VM(0,
                           function(E){...}(["...",[...]]),
                           window)
        // Arguments passed to TENCENT_CHAOS_VM: (0, return value of the immediately invoked function, window)
}();

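Now let's extract this immediately invoked function and run it on its own:

image-20210929210108491.png

The result is as follows:

image-20210929210147252.png

This result can be regarded as bytecode, in which each element corresponds to a different operation or to data. The job of TENCENT_CHAOS_VM is to interpret and execute the bytecode. Its first argument is 0; this value represents the PC register, whose role is to point to the position of the next bytecode.

The code structure simplifies to the following:

image-20210929211453882.png

Now that we know TENCENT_CHAOS_VM interprets and executes bytecode, let's look at how it executes (at this point readers may want to debug it themselves, which makes the whole execution flow easier to understand).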

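0x04 Virtual Machine Execution

Set a breakpoint at the function entry:

image-20211014213828123.png

Enter debug mode; the program stops at the breakpoint, and the variables are as follows:

image-20211014214141246.png

c is the first argument passed in, that is, the PC variable. It points to the position of the next bytecode to execute, which is element 0 of the second argument (R, the bytecode), namely 7. Continuing execution, we arrive here:

image-20211014214818737.png

Some of the instructions in x are as follows:

image-20211014214856357.png

The image says "G is the flag for whether this invocation of the function has finished". The reason for saying "this invocation" is that the VM calls itself recursively, that is, the function calls itself from inside. We now know that this function keeps executing bytecode and that PC is the address of the next bytecode or data item to execute. So different operations can be defined at different places and carried out by calling this same function with a different PC (that is, a function call). Put simply, it is the same idea as function offsets in a program: the function is found through its offset and then executed. The VM's first argument is the PC, so function calls can be made through predefined function offsets; a function is, in essence, just a collection of instructions.

PC is now 0 and, as said above, the corresponding bytecode is 7:

image-20211014215952630.png

So the seventh instruction in the x array is executed. Stepping in gives:

image-20211014220034306.png

h is the stack. All data is operated on through the stack: the data that is needed is stored on the stack and then either taken off when needed or operated on in place. h.length = R[c++] sets the length of the stack, which is R[1]. R (the bytecode) holds not only instructions but also data.

Then we return to the loop and execute the next bytecode:

image-20211014220230087.png

The whole bytecode is more than forty thousand elements long, so debugging it one instruction at a time is not realistic; further analysis is needed.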
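
The dispatch loop described in this section, reduced to a toy interpreter with a matching disassembler. This is an added example, not code from the original post or from the vendor; the opcode numbers, names and the sample program are invented for illustration.

```javascript
// Toy stack VM (illustrative assumption, not the vendor's instruction set).
const OP = { SETLEN: 0, PUSH: 1, ADD: 2, MKFUNC: 3, CALL: 4, LOADARG: 5, RET: 6 };
// Number of inline operands that follow each opcode in the bytecode array.
const OPERANDS = { SETLEN: 1, PUSH: 1, ADD: 0, MKFUNC: 1, CALL: 1, LOADARG: 1, RET: 0 };
const NAMES = [];
Object.entries(OP).forEach(([name, num]) => { NAMES[num] = name; });

// Constructed sample program: opcodes and data share one array, as on the page.
// Main code is at 0..13; a "function" body starts at offset 14.
const PROGRAM = [
  OP.SETLEN, 0,        // 0: stack.length = 0
  OP.MKFUNC, 14,       // 2: push a closure whose entry PC is 14
  OP.PUSH, "collect",  // 4
  OP.PUSH, "=",        // 6
  OP.CALL, 2,          // 8: call the closure with the top two values
  OP.PUSH, "1",        // 10
  OP.ADD,              // 12: string concatenation is just ADD
  OP.RET,              // 13
  OP.LOADARG, 0,       // 14: function body: arg0 + arg1
  OP.LOADARG, 1,       // 16
  OP.ADD,              // 18
  OP.RET,              // 19
];

// pc: index of the next bytecode; code: bytecode; stack: operand stack;
// trace: optional array that records every ADD result (an observation hook).
function toyVM(pc, code, stack, trace) {
  stack = stack || [];
  const handlers = [];
  handlers[OP.SETLEN] = () => { stack.length = code[pc++]; };
  handlers[OP.PUSH] = () => { stack.push(code[pc++]); };
  handlers[OP.ADD] = () => {
    stack[stack.length - 2] = stack[stack.length - 2] + stack.pop();
    if (trace) trace.push(stack[stack.length - 1]);
  };
  handlers[OP.MKFUNC] = () => {
    const entry = code[pc++];
    // The closure keeps its entry PC; calling it re-enters the same
    // interpreter with a fresh stack whose slot 0 holds the arguments.
    stack.push(function (...args) {
      return toyVM(entry, code, [args], trace);
    });
  };
  handlers[OP.CALL] = () => {
    const argc = code[pc++];
    const args = argc ? stack.splice(-argc) : [];
    const fn = stack.pop();
    stack.push(fn.apply(null, args));
  };
  handlers[OP.LOADARG] = () => { stack.push(stack[0][code[pc++]]); };
  handlers[OP.RET] = () => true; // a truthy return ends this invocation

  let done = false;
  while (!done) {
    const handler = handlers[code[pc++]];
    if (!handler) throw new Error("unknown opcode at " + (pc - 1));
    done = handler();
  }
  return stack.pop();
}

// Linear-sweep disassembler: walks the array using the operand counts, so
// inline data is never mistaken for an opcode.
function disassemble(code) {
  const out = [];
  for (let pc = 0; pc < code.length; ) {
    const at = pc;
    const name = NAMES[code[pc++]];
    const args = code.slice(pc, pc + OPERANDS[name]);
    pc += OPERANDS[name];
    out.push(at + ": " + name + (args.length ? " " + JSON.stringify(args[0]) : ""));
  }
  return out;
}

const demoTrace = [];
console.log(disassemble(PROGRAM).join("\n"));
console.log(toyVM(0, PROGRAM, [], demoTrace), demoTrace);
```

The closure created by MKFUNC plays the role of the function pushed into E earlier on this page: it remembers an entry offset and re-enters the interpreter at that PC.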

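0x05 Recovering the collect Encryption

Among these instructions (the x array) there is an addition instruction:

h[h.length - 2] = h[h.length - 2] + h.pop()

String concatenation is usually done by plain addition, so after this instruction we add console.log(h[h.length - 1]) to print the top of the stack and see whether anything turns up (remember to add console.log(window.TDC.getData()) at the end of the code to invoke the encryption):

image-20211014221745160.png

Many integers are printed. Looking further down, a familiar value appears:

image-20211014221847864.png

This is the delta constant of TEA encryption multiplied by ten. Keep it in mind for now. When printing, we add a check so that the console prints only strings: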

if(typeof h[h.length - 1] == "string"){
        console.log(h[h.length - 1])
}

Part of the printed output is as follows:

{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,""
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other"
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",tel:1634221284
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",tel:1634221284,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8"
[1024
[1024,
[1024,768
[1024,768]
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768]
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,""
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",[]
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0,
{"cd":[24,"about:blank?rand=tel:1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=tel:1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768],0,1,0,"",[],0,true

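These look like environment parameters; cd is probably short for collectData, meaning the collected data. However, the complete JSON cannot be found in the console.

The delta constant found above is a constant of TEA encryption. The core of the TEA algorithm is as follows: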

void EncryptTEA(unsigned int *firstChunk, unsigned int *secondChunk, unsigned int* key)
{
    unsigned int y = *firstChunk;
    unsigned int z = *secondChunk;
    unsigned int sum = 0;

    unsigned int delta = 0x9e3779b9;

    for (int i = 0; i < 8; i++) // 8 rounds (must match the round count of the decryption core function below)
    {
        sum += delta; // in the first round of encryption, sum equals the delta constant
        y += ((z << 4) + key[0]) ^ (z + sum) ^ ((z >> 5) + key[1]);
        z += ((y << 4) + key[2]) ^ (y + sum) ^ ((y >> 5) + key[3]);
    }

    *firstChunk = y;
    *secondChunk = z;
}

Because sum equals the delta constant in the first round of encryption, we change the code at the addition instruction to:

h[h.length - 2] = h[h.length - 2] + h.pop()
if(typeof h[h.length - 2] == "number" && h[h.length - 2] == 0x9e3779b9){ // print bingo when the encryption result equals the delta constant
        console.log("bingo")
}

Set a breakpoint on console.log("bingo") and debug:

The breakpoint is hit:

image-20211014224250603.png

The h variable (the stack) contains many integers. We write some JavaScript to convert integers to a string:

function longsToStr(l) {
    var a = new Array(l.length);
    for (var i = 0; i < l.length; i++) {
        a[i] = String.fromCharCode(l[i] & 0xFF, l[i] >>> 8 & 0xFF,
            l[i] >>> 16 & 0xFF, l[i] >>> 24 & 0xFF);
    }
    return a.join('');
}

image-20211014225614383.png

Restoring the two integers in h[3] gives a string that looks like plaintext:

longsToStr([741432155]) + longsToStr([842083377])
"[[1,1,12"

We modify the printing code again:

if(typeof h[h.length - 2] == "number" && h[h.length - 2] == 0x9e3779b9){ // print the plaintext block when the encryption result equals the delta constant
        console.log(longsToStr([h[3][0][0]]) + longsToStr([h[3][0][1]]))
}

The printed result is as follows:

[[1,1,12
]]

{"cd":[2
4,"about
:blank?r
and=1519
71362434
7","0-0-
0-24-*-*
-|-*",[]
,1766882
96,[],0,
0,"",[],
0,0,0,1,
9,[],0,0
,1634223
750,0,"M
ozilla/5
.0 (win3
2) Apple
WebKit/5
37.36 (K
HTML, li
ke Gecko
) jsdom/
17.0.0",
"top",99
9760772,
16342237
50,0,"?r
and=1512
99198633
4",0,"",
"other",
16342237
50,"UTF-
8",[1024
,768],0,
1,0,"",[
],0,true
,
,[],0,0,
["en-US"
,"en"],"
98k"],

"sd":{"o
d":"C"}}

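So the plaintext before encryption looks roughly like this. Now we need to confirm whether this TEA encryption is standard TEA and how the key is generated.

What follows is step-by-step dynamic debugging and tracing, which recovers the encryption and decryption as follows: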

function hex2int(hex) {
    var len = hex.length, a = new Array(len), code;
    for (var i = 0; i < len; i++) {
        code = hex.charCodeAt(i);
        if (48<=code && code < 58) {
            code -= 48;
        } else {
            code = (code & 0xdf) - 65 + 10;
        }
        a[i] = code;
    }

    return a.reduce(function(acc, c) {
        acc = 16 * acc + c;
        return acc;
    }, 0);
}
function Base64() {
    // private property
    this._keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
}
function strToLongs(s) {
    var l = new Array(Math.ceil(s.length/4));
    for (var i=0; i<l.length; i++) {
        // note little-endian encoding - endianness is irrelevant as long as
        // it is the same in longsToStr()
        l[i] = s.charCodeAt(i*4) + (s.charCodeAt(i*4+1)<<8) +
            (s.charCodeAt(i*4+2)<<16) + (s.charCodeAt(i*4+3)<<24);
    }
    return l;  // note running off the end of the string generates nulls since
}
function longsToStr(l) {  // convert array of longs back to string
    var a = new Array(l.length);
    for (var i = 0; i < l.length; i++) {
        a[i] = String.fromCharCode(l[i] & 0xFF, l[i] >>> 8 & 0xFF,
            l[i] >>> 16 & 0xFF, l[i] >>> 24 & 0xFF);
    }
    return a.join('');  // use Array.join() rather than repeated string appends for efficiency in IE
}
Base64.prototype.encode = function (input) {
    var output = "", chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0;
    //input = this._utf8_encode(input);
    while (i < input.length) {
        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);
        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;
        if (isNaN(chr2)) {
            enc3 = enc4 = 64;
        } else if (isNaN(chr3)) {
            enc4 = 64;
        }
        output = output +
            this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
            this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
    }
    return output;
}

Base64.prototype.decode = function (input) {
    var output = [], chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (i < input.length) {
        enc1 = this._keyStr.indexOf(input.charAt(i++));
        enc2 = this._keyStr.indexOf(input.charAt(i++));
        enc3 = this._keyStr.indexOf(input.charAt(i++));
        enc4 = this._keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output.push(String.fromCharCode(chr1));
        if (enc3 != 64) {
            output.push(String.fromCharCode(chr2));
        }
        if (enc4 != 64) {
            output.push(String.fromCharCode(chr3));
        }
    }
    //output = this._utf8_decode(output);
    return output.join("");
}

function EncryptBlock(EncryData, Key){
    var x = EncryData[0];
    var y = EncryData[1];
    var sum = 0;
    var delta = 0x9E3779B9;
    for (var i = 0; i < 32; i++){
        if(((sum & 3) == Key[6]) ){
            x += (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3] + Key[4]);
        }else if((sum & 3) == Key[7]){
            x += (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3] + Key[5]);
        }else{
            x += (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3]);
        }
        sum += delta;
        if(((sum >> 11) & 3) == Key[6]){
            y += (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]  + Key[4]);
        }else if(((sum >> 11) & 3) == Key[7]){
            y += (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3] + Key[5]);
        }else{
            y += (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]);
        }
    }
    return [x, y];
}
function DecryptBlock(DecryData, Key){
    var x = DecryData[0];
    var y = DecryData[1];
    var sum = 0x9E3779B9 * 32;
    var delta = 0x9E3779B9;
    for (var i = 0; i < 32; i++){
        if(((sum >> 11) & 3) == Key[6]){
            y -= (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]  + Key[4]);
        }else if(((sum >> 11) & 3) == Key[7]){
            y -= (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3] + Key[5]);
        }else{
            y -= (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]);
        }
        sum -= delta;
        if(((sum & 3) == Key[6]) ){
            x -= (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3] + Key[4]);
        }else if((sum & 3) == Key[7]){
            x -= (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3] + Key[5]);
        }else{
            x -= (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3]);
        }

    }
    return [x, y];
}
var teaDecrypt = function (msg, Key){
    var res = new Base64().decode(msg);
    var rounds = res.length >> 3;
    var tmp;
    var final = "";
    for(var i = 0; i < rounds; i++){
        tmp = DecryptBlock(strToLongs(res.slice(i*8, i*8 + 8)), Key);
        final += longsToStr(tmp);
    }
    return final;
}
function teaEncrypt(msg, Key){
    var final = "";
    var rounds = msg.length >> 3;
    for(var i = 0; i < rounds; i++){
        tmp = EncryptBlock(strToLongs(msg.slice(i*8, i*8 + 8)), Key);
        final += longsToStr(tmp);
    }
    return new Base64().encode(final)
}

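Recovering the code shows that the TEA encryption has been modified, as the code above shows. Normal TEA uses a 16-byte key, that is, 4 ints, but this TEA variant brings in an extra 8 bytes of "key" during encryption and decryption, plus two check variables that decide whether the extra key enters the computation.

Testing shows that the key is different every time. How do we obtain the original 16-byte key, the 8 extra key bytes and the check variables? I considered computing the address of the key from an offset relative to the entry of the TEA encryption function, or from some fixed signature bytes, but unfortunately that only yields the address of the basic 16 bytes; the extra key and the check variables cannot be obtained. Different sliders come with different source code, and the bytecode inside changes each time, so I gave up on this approach.

When the encryption runs, it must take these variables from the stack, so I thought of finding a statement at which, when execution reaches it, the stack happens to contain the key we need, and then returning the key. Based on this idea I wrote a regular expression that matches against the whole code and modifies the code's addition instruction so that the code itself spits out the key. The script is as follows: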

function dec(jsText, cipherTxt){
    jsText = jsText.replace(/TypeError\(.*?\)/g,"\"error\"");
    var pos = jsText.indexOf("TENCENT_CHAOS_VM");
    var PC = (pos += 17,jsText.slice(pos, pos + 1));
    var PB = (pos += 2,jsText.slice(pos, pos + 1));
    var STACK = (pos += 4,jsText.slice(pos, pos + 1));

    var HANDLE = /var [A-Za-z]=\[function/.exec(jsText)[0].slice(4,5);
    var COD = /try\{for\(var [A-Za-z]=/.exec(jsText)[0].slice(12,13);
    jsText = "var key;var flag=0;" + jsText.replace(COD+"="+HANDLE+"["+PB+"["+PC+"++]]();","{if(flag==1){return key;}"+COD+"="+HANDLE+"["+PB+"["+PC+"++]]();"+"}").replace("R[R.length-2]=R[R.length-2]+R.pop()".replace(/R/g,STACK),'if((R[R.length-2]==0x9E3779B9)||(R[R.length-1]==0x9E3779B9)){for(var i=0;i<R.length;i++){if(Array.isArray(R[i][0])&&R[i][0].length==4&&(typeof R[i][0][0])=="number"&&R[i][0][0]>1000){key=R[i][0];break;}};key.push(PB[PB.indexOf(0x9E3779B9) - 19]);key.push(PB[PB.indexOf(0x9E3779B9) - 53]);key.push(PB[PB.indexOf(0x9E3779B9) - 6]);key.push(PB[PB.indexOf(0x9E3779B9) + 15]);flag=1;return key;}R[R.length-2]=R[R.length-2]+R.pop()'.replace(/R/g,STACK).replace(/PB/g,PB));
    var tmpKey = eval(jsText+"window.TDC.getData(!0)")
    return teaDecrypt(cipherTxt, tmpKey); // teaDecrypt is the same as in the code above
}

Combining the TEA algorithm with this dec function, we can decrypt collect. A test is shown below:

image-20211014232739353.png

The return value is as follows:

{"cd":["https://ui.ptlogin2.qq.com/?rand=1512991986334",0,true,[],0,["zh-CN","zh"],0,1630507225,360,640,"360-640-640-24-*-*-|-*",5,[],0,[],0,[],2,                      [[1,1,12]]              ,159,1630507226,"Win","98k","",0,"","Mozilla/5.0 (Linux;
Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Mobile Safari/537.36",0,1084792919,0.746999979019165,[],0,0,"UTF-8",1467230630,1630507225,[],[345,345],0,24,"7688915523684241625","true",2,1023],
        "sd":{"od":"C"}}

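The decryption of collectData is now complete. Next we need to analyse the decrypted data.

0x05 collect Data Analysis and Generation

cd is the collected data, stored in an array. Repeated testing shows that the order of the data in the array is not fixed, that is, each slider has its own order. So to forge the encrypted data from plaintext we would also need to know the order in which the data is stored, and finding that in the huge bytecode is a big job in itself. But if we do not forge the data, the encrypted data generated in the jsdom environment does not get past the slider. After much thought I came up with an approach: use regular-expression matching to rewrite the code, find where each piece of data is generated and modify the generated data (by comparison with normal data). So the next step is to keep debugging the code, find how the data is generated and where, and modify the code. If a modification works, work out a regex matching scheme for it. Repeat this until the generated data is close to the data captured from a browser and passes the slider's environment detection; then it has succeeded. Finally wrap the whole process in a function that takes the JS code, modifies it automatically and runs it with eval to obtain collect.

I will not analyse the meaning of each data item here, only give the general idea and direction. To locate where a particular value is generated, first look at some of the data we obtained while decrypting: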

{"cd":[24,"about:blank?rand=1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=1512991986334",0,"",
"other",1634221284,"UTF-8",
{"cd":[24,"about:blank?rand=1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=1512991986334",0,"",
"other",1634221284,"UTF-8",[1024,768]

Take the data above: the first time it is printed, [1024,768] is not there yet. So we can single-step from just before that value is printed, that is, right after this line has been printed:

{"cd":[24,"about:blank?rand=1519713624347","0-0-0-24-*-*-|-*",[],176688296,[],0,0,"",[],0,0,0,1,9,[],0,0,1634221284,0,"Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0","top",259121870,1634221284,0,"?rand=1512991986334",0,"",
"other",1634221284,"UTF-8"

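This way the origin of [1024,768] can be traced. Of course this is only one method; there are other ways to locate it, waiting for you to discover.

There are many pitfalls in debugging this. Not only do you have to locate where values are generated and work out regex matching rules, you also have to keep encrypting and submitting to the slider server to verify whether the generated data works. In short, it takes patience.

The core idea of the crack can be summed up as: use regex matching (or an AST) to modify the characteristic code into a runnable state, then call it with eval to obtain the target value.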
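
This section notes that data generated under jsdom fails the slider's environment detection. Seen from the server side, the following added example (not part of the original post and not the vendor's logic) screens a decrypted cd array for the emulation markers visible in this page's jsdom output. The rule names, the reading of the dash-separated string as screen dimensions, and the abridged samples are assumptions.

```javascript
// Constructed samples, abridged from the two decrypted payloads shown on this page.
const JSDOM_SAMPLE = {
  cd: [24, "about:blank?rand=1519713624347", "0-0-0-24-*-*-|-*", [], 176688296,
       "Mozilla/5.0 (win32) AppleWebKit/537.36 (KHTML, like Gecko) jsdom/17.0.0",
       "top", "other", "UTF-8", [1024, 768], ["en-US", "en"], "98k"],
  sd: { od: "C" },
};
const BROWSER_SAMPLE = {
  cd: ["https://ui.ptlogin2.qq.com/?rand=1512991986334", 0, true, ["zh-CN", "zh"],
       360, 640, "360-640-640-24-*-*-|-*", "Win", "98k",
       "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 " +
       "(KHTML, like Gecko) Chrome/89.0.4389.90 Mobile Safari/537.36",
       "UTF-8", [345, 345]],
  sd: { od: "C" },
};

// Hypothetical heuristics. Each rule looks at individual string values, because
// the position of a field inside cd differs from one slider build to the next.
const RULES = [
  // User-agent product tokens of common non-browser or headless runtimes.
  { flag: "ua_automation", test: (s) => /\b(jsdom|HeadlessChrome|PhantomJS)\//.test(s) },
  // A real challenge page is never served from about:blank.
  { flag: "page_url_blank", test: (s) => s.startsWith("about:blank") },
  // Assumed "width-height-...-depth-..." string with zero width and height.
  { flag: "screen_zeroed", test: (s) => {
      const m = /^(\d+)-(\d+)-\d+-\d+-/.exec(s);
      return !!m && m[1] === "0" && m[2] === "0";
    } },
];

// Recursively gather every string in the array, including nested arrays.
function collectStrings(value, out) {
  out = out || [];
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  return out;
}

// Accepts the decrypted plaintext (JSON string) or an already parsed object.
// Input that does not parse or lacks a cd array is itself treated as suspicious.
function screenTelemetry(payload) {
  let obj = payload;
  if (typeof payload === "string") {
    try {
      obj = JSON.parse(payload);
    } catch (e) {
      return { suspicious: true, flags: ["malformed"] };
    }
  }
  if (!obj || typeof obj !== "object" || !Array.isArray(obj.cd)) {
    return { suspicious: true, flags: ["malformed"] };
  }
  const strings = collectStrings(obj.cd);
  const flags = RULES.filter((r) => strings.some((s) => r.test(s))).map((r) => r.flag);
  return { suspicious: flags.length > 0, flags: flags };
}

console.log(screenTelemetry(JSDOM_SAMPLE));
console.log(screenTelemetry(BROWSER_SAMPLE));
```

Marker checks like these only catch unmodified emulators; the post's own approach is to patch these values until they resemble a browser's, so they would sit alongside other signals rather than replace them.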

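0x06 vData Parameter Analysis

Last time we covered how collect is encrypted and the approach to generating it. Now let's talk about the other encrypted parameter, vData.

image-20211015201512985.png

I will not go through the locating process again; the main purpose of this section is to discuss how vData is generated.

vData is generated by vm-slide.js, whose code structure is the same as that of the JS code that generates the collect parameter. The code is as follows: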

var __TENCENT_CHAOS_STACK = function() {
    function __TENCENT_CHAOS_VM(g, m, U, n, E, F, Y, c) {
        var A = !n;
        g = +g,
        m = m || [0],
        n = n || [[this], [{}]],
        E = E || {};
        var w, C = [], K = null;
        function p() {
            return function(A, C, K) {
                return new (Function.bind.apply(A, C))
            }
            .apply(null, arguments)
        }
        Function.prototype.bind || (w = [].slice,
        Function.prototype.bind = function(A) {
            if ("function" != typeof this)
                throw new TypeError("bind101");
            var C = w.call(arguments, 1)
              , K = C.length
              , p = this
              , Q = function() {}
              , B = function() {
                return C.length = K,
                C.push.apply(C, arguments),
                p.apply(Q.prototype.isPrototypeOf(this) ? this : A, C)
            };
            return this.prototype && (Q.prototype = this.prototype),
            B.prototype = new Q,
            B
        }
        );
        var Q = [function() {
            n.push(n[m[g++]][0])
        }
        , function() {
            var A, C = [];
            for (A in n.pop())
                C.push(A);
            n.push(C)
        }
        , function() {
            var A = m[g++]
              , C = A ? n.slice(-A) : [];
            n.length -= A;
            A = n.pop();
            n.push(A[0][A[1]].apply(A[0], C))
        }
        , function() {
            n.push([n.pop(), n.pop()].reverse())
        }
        , function() {
            n.push("")
        }
        , function() {
            n.pop()
        }
        , function() {
            g = m[g++]
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] ^ n.pop()
        }
        , function() {
            n.push(m[g++])
        }
        , , function() {
            n[n.length - 1] += String.fromCharCode(m[g++])
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] & n.pop()
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] == n.pop()
        }
        , function() {
            n[n.length - 1] = U[n[n.length - 1]]
        }
        , , function() {
            n[n.length - 1].length ? n.push(n[n.length - 1].shift(), !0) : n.push(undefined, !1)
        }
        , function() {
            return !0
        }
        , function() {
            n.push(undefined)
        }
        , , , function() {
            n[n.length - 2] = n[n.length - 2] + n.pop()
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] - n.pop()
        }
        , , function() {
            n.push(!n.pop())
        }
        , function() {
            var A = n[n.length - 2];
            A[0][A[1]] = n[n.length - 1]
        }
        , function() {
            var A = m[g++]
              , C = A ? n.slice(-A) : [];
            n.length -= A,
            C.unshift(null);
            A = n.pop();
            n.push(p(A[0][A[1]], C))
        }
        , , , function() {
            n[n.length - 2] = n[n.length - 2] === n.pop()
        }
        , , , function() {
            n[n.length - 2] = n[n.length - 2] > n.pop()
        }
        , function() {
            n.push([U, n.pop()])
        }
        , function() {
            K = null
        }
        , , function() {
            C.push([m[g++], n.length, m[g++]])
        }
        , function() {
            n[n[n.length - 2][0]][0] = n[n.length - 1]
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] % n.pop()
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] / n.pop()
        }
        , function() {
            n.push(n[n.length - 1])
        }
        , function() {
            n.length = m[g++]
        }
        , function() {
            var A = n.pop()
              , C = n.pop();
            n.push([C[0][C[1]], A])
        }
        , function() {
            var A = m[g++];
            n[A] = n[A] === undefined ? [] : n[A]
        }
        , , , function() {
            n.push(null)
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] >> n.pop()
        }
        , function() {
            n.push([m[g++]])
        }
        , , function() {
            C.pop()
        }
        , function() {
            n[n.length - 1] = m[g++]
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] << n.pop()
        }
        , function() {
            n.push(typeof n.pop())
        }
        , , function() {
            var A = n.pop();
            n.push(A[0][A[1]])
        }
        , function() {
            var A = m[g++]
              , C = A ? n.slice(-A) : [];
            n.length -= A,
            C.unshift(null),
            n.push(p(n.pop(), C))
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] | n.pop()
        }
        , , function() {
            for (var K = m[g++], p = [], A = m[g++], C = m[g++], Q = [], B = 0; B < A; B++)
                p[m[g++]] = n[m[g++]];
            for (B = 0; B < C; B++)
                Q[B] = m[g++];
            n.push(function w() {
                var A = p.slice(0);
                A[0] = [this],
                A[1] = [arguments],
                A[2] = [w];
                for (var C = 0; C < Q.length && C < arguments.length; C++)
                    0 < Q[C] && (A[Q[C]] = [arguments[C]]);
                return __TENCENT_CHAOS_VM(K, m, U, A, E, F, Y, c)
            })
        }
        , function() {
            var A = n.pop();
            n.push([n[n.pop()][0], A])
        }
        , function() {
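            // Conditional jump: read the target from the bytecode and jump if the top of the stack is truthy (the value stays on the stack).
            var A = m[g++];
            n[n.length - 1] && (g = A)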
        }
        , function() {
            // Ends the dispatch loop when an exception is pending in K; the loop then rethrows it.
            return !!K
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] >= n.pop()
        }
        , function() {
            n.push(n[n.pop()[0]][0])
        }
        , function() {
            var A = m[g++]
              , C = n[n.length - 2 - A];
            n[n.length - 2 - A] = n.pop(),
            n.push(C)
        }
        , , function() {
            var A = m[g++]
              , C = A ? n.slice(-A) : [];
            n.length -= A,
            n.push(n.pop().apply(U, C))
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] * n.pop()
        }
        , function() {
            n[n.length - 2] = n[n.length - 2] >>> n.pop()
        }
        ];
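        // Dispatch loop: m is the bytecode array, g the program counter, n the operand stack, Q the handler table above.
        for (0; ; )
            try {
                // Fetch the opcode at m[g], advance g and run its handler until one returns a truthy value.
                for (var B = !1; !B; )
                    B = Q[m[g++]]();
                // An exception still pending in K is rethrown to the caller.
                if (0,
                K)
                    throw K;
                return A ? (n.pop(),
                n.slice(3 + __TENCENT_CHAOS_VM.v)) : n.pop()
            } catch (I) {
                0;
                // Unwind to the innermost handler record [address, stack depth, slot]; with none left, rethrow.
                var o = C.pop();
                if (o === undefined)
                    throw I;
                // Keep the exception in K, jump to the handler, restore the stack depth and store the exception in its slot.
                K = I,
                g = o[0],
                n.length = o[1],
                o[2] && (n[o[2]][0] = K)
            }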
    }
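    // Base64 decoder (atob-style): each character is mapped to its index in the alphabet p and the 6-bit groups
    // are reassembled into bytes; the inner function is a fallback for Array.prototype.indexOf.
    function E(A) {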
        for (var C, K, p = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".split(""), Q = String(A).replace(/[=]+$/, ""), B = 0, w = 0, g = ""; K = Q.charAt(w++); ~K && (C = B % 4 ? 64 * C + K : K,
        B++ % 4) && (g += String.fromCharCode(255 & C >> (-2 * B & 6))))
            K = function(A, C, K) {
                if ("function" == typeof Array.prototype.indexOf)
                    return Array.prototype.indexOf.call(A, C, K);
                var p;
                if (null == A)
                    throw new TypeError('"array" is null or not defined');
                var Q = Object(A)
                  , B = Q.length >>> 0;
                if (0 == B)
                    return -1;
                if (B <= (K |= 0))
                    return -1;
                for (p = Math.max(0 <= K ? K : B - Math.abs(K), 0); p < B; p++)
                    if (p in Q && Q[p] === C)
                        return p;
                return -1
            }(p, K);
        return g
    }
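    // Bootstrap: rebuild the bytecode array from the two arguments below, then start the VM at offset 0.
    return __TENCENT_CHAOS_VM.v = 0,
    __TENCENT_CHAOS_VM(0, function(A) {
        var C = A[0] // Base64-encoded bytecode
          , K = A[1] // flat list of (index, value) pairs inserted into the decoded byte stream
          , p = [] // resulting bytecode array
          , Q = E(C) // decoded byte string
          , B = K.shift() // index of the next pair
          , w = K.shift() // value of the next pair
          , g = 0; // current length of p
        // Insert every pending value whose index equals the current output position.
        function m() {
            for (; g === B; )
                p.push(w),
                g++,
                B = K.shift(),
                w = K.shift()
        }
        // Copy the decoded bytes one by one, inserting the listed values where their index is reached.
        for (var U = 0; U < Q.length; U++) {
            var n = Q.charAt(U).charCodeAt(0);
            m(),
            p.push(n),
            g++
        }
        return m(),
        p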
    }(["KAMqAgYAKAYqAioDKgQqBQYGKAcqAioDKgQvBQADOzY8KAUGQEIFLwUAAzsECmUKeApwCm8Kcgp0CnMpNhAvBC8FAAM7BApPCmIKagplCmMKdA03ACcECmkDAAMYBQUnBApsAwgBFxgFBScECmUKeApwCm8Kcgp0CnMDBApPCmIKagplCmMKdA03ACcECl8KXwplCnMKTQpvCmQKdQpsCmUDBAp1Cm4KZAplCmYKaQpuCmUKZA0YBQUYBQUYQAAFJAUFLwYAAzsECmMKYQpsCmwpLwQECmUKeApwCm8Kcgp0CnM7NgAELwQECmUKeApwCm8Kcgp0CnM7NgACAgQFLwQECmw7CAAXGAUFLwQECmUKeApwCm8Kcgp0CnM7NhAvBToUAgEFBAYDAyQFBS8EBApPCmIKagplCmMKdA03ACQFBS8FBAptOwADGAUFLwUECmM7AAQYBQUvBQQKZDsGQCgHKgIqAyoEKgUvBgQKbzsAAwAEAgI8BQQKTwpiCmoKZQpjCnQgBApkCmUKZgppCm4KZQpQCnIKbwpwCmUKcgp0CnkpAAMABAQKTwpiCmoKZQpjCnQNNwAnBAplCm4KdQptCmUKcgphCmIKbAplAwgAFxgFBScECmcKZQp0AwAFGAUFAgMFERA6AQMGBQMEBRgFBS8FBApyOwZBKAQqAioDBAp1Cm4KZAplCmYKaQpuCmUKZAQKUwp5Cm0KYgpvCmwNNAwXPAYIBQQKUwp5Cm0KYgpvCmwgBAp0Cm8KUwp0CnIKaQpuCmcKVAphCmcpNjwGPAUECk8KYgpqCmUKYwp0IAQKZAplCmYKaQpuCmUKUApyCm8KcAplCnIKdAp5KQADBApTCnkKbQpiCm8KbCAECnQKbwpTCnQKcgppCm4KZwpUCmEKZyk2BApPCmIKagplCmMKdA03ACcECnYKYQpsCnUKZQMECk0KbwpkCnUKbAplGAUFAgMFBApPCmIKagplCmMKdCAECmQKZQpmCmkKbgplClAKcgpvCnAKZQpyCnQKeSkAAwQKXwpfCmUKcwpNCm8KZAp1CmwKZQQKTwpiCmoKZQpjCnQNNwAnBAp2CmEKbAp1CmUDCAAXGAUFAgMFERA6AAEDGAUFLwUECnQ7BjooCCoCKgMqBCoFKgYIAQAECzwGKAUvAwAHAANCASRAAAUFCAgABAs8BQYqBQADEAgEAAQLPAZBBQQKbwpiCmoKZQpjCnQAAzQMPAY6BQADPAYCBS8DBApfCl8KZQpzCk0KbwpkCnUKbAplOzY8BQYABQADEC8FBApPCmIKagplCmMKdCAECmMKcgplCmEKdAplKS0CASQFBS8HBApyOwAFAgEFBApPCmIKagplCmMKdCAECmQKZQpmCmkKbgplClAKcgpvCnAKZQpyCnQKeSkABQQKZAplCmYKYQp1CmwKdAQKTwpiCmoKZQpjCnQNNwAnBAplCm4KdQptCmUKcgphCmIKbAplAwgAFxgFBScECnYKYQpsCnUKZQMAAxgFBQIDMgIABAs8BjUFBApzCnQKcgppCm4KZwADNAwXPAUGBgUAAwEPPAUFBigFLwZAACQFBS8HBApkOwAFAAYGQSgFKgIqAy8EAAM7NhA6AQEEAwMECmIKaQpuCmQDLQAGAgICAwUGAgUGMi8FPxA6AQIHBQMEGAUFLwUECm47BiMoBioCKgMqBC8EAAM8BiMFLwMECl8KXwplCnMKTQpvCmQKdQpsCmU7NjwFBjwoBCoCAAMQOgEAAwMGAgUGLygEKgIvAwQKZAplCmYKYQp1CmwKdDs2EDoBAAMDJAUFLwUECmQ7AAQECmEABAIDBQAEEDoBAQUFAxgFBS8FBApvOwZCKAUqAioDKgQECk8KYgpqCmUKYwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBApoCmEKcwpPCncKbgpQCnIKbwpwCmUKcgp0CnkpBApjCmEKbApsKQADAAQCAhA6AAIDBBgFBS8F
BApwOwQYBQUABS8FBApzOwhLGEAABUIBBREQOgcAAQMECk8KYgpqCmUKYwp0DTcAJwQKMAMGKigIKgIqAyoEKgUqBioHLwYAADwGBgUvAAQKXwpfCmMKcgplCmEKdAplCkIKaQpuCmQKaQpuCmc7NjwFBApPCmIKagplCmMKdCAECmMKcgplCmEKdAplKTY8BQYCKAcqAioDKgQqBSoGAAYECnUKbgpkCmUKZgppCm4KZQpkDRw8BgYFLwYABSRAAAUFLwMABjsvBAAFOzYYBQUREDoABAMEBQYGMgUGAigHKgIqAyoEKgUqBgAGBAp1Cm4KZAplCmYKaQpuCmUKZA0cPAZABS8GAAUkQAAFBQQKTwpiCmoKZQpjCnQgBApkCmUKZgppCm4KZQpQCnIKbwpwCmUKcgp0CnkpAAMABgQKTwpiCmoKZQpjCnQNNwAnBAplCm4KdQptCmUKcgphCmIKbAplAwgAFxgFBScECmcKZQp0AwZBKAUqAi8DAAQ7NhA6AgADBAQFGAUFAgMFERA6AAQDBAUGJAUFLwcAADwGNQUvAAQKXwpfCmUKeApwCm8Kcgp0ClMKdAphCnI7NjwFBgooByoCKgMqBCoFAAMBDzwFBQYvBS8FQAAkBQUECmQKZQpmCmEKdQpsCnQABRw8BQQKTwpiCmoKZQpjCnQgBApwCnIKbwp0Cm8KdAp5CnAKZSkECmgKYQpzCk8KdwpuClAKcgpvCnAKZQpyCnQKeSkECmMKYQpsCmwpAAQABQICPAUABgAEAAMABUIDBQY6BQYjERA6AQIGBgMEJAUFLwQECl8KXwplCnMKTQpvCmQKdQpsCmU7CAAXGAUFAAcABQgYQgEABEICBQAHAAUIGUIBAARCAgUABwAFCARCAQAEQgIFAAcABQgaQgEABEICBREQOgADAwQFGAUFJwQKMQMGQCgOKgIqAyoEKgUqBioHKggqCSoKKgsqDCoNLwYECk8KYgpqCmUKYwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBApoCmEKcwpPCncKbgpQCnIKbwpwCmUKcgp0CnkpNiQFBS8HBApPCmIKagplCmMKdCAECnAKcgpvCnQKbwp0CnkKcAplKQQKdApvClMKdApyCmkKbgpnKTYkBQUvCAQKTwpiCmoKZQpjCnQgBApkCmUKZgppCm4KZQpQCnIKbwpwCmUKcgp0CnkpNiQFBS8JBApPCmIKagplCmMKdCAECmcKZQp0Ck8KdwpuClAKcgpvCnAKZQpyCnQKeQpECmUKcwpjCnIKaQpwCnQKbwpyKTYkBQUvCgYoKAUqAioDBApmCnUKbgpjCnQKaQpvCm4ECkEKcgpyCmEKeSAECmkKcwpBCnIKcgphCnkpNjQMPAUEClsKbwpiCmoKZQpjCnQKIApBCnIKcgphCnkKXS8EBApjCmEKbApsOwADAgEcBi8FBApBCnIKcgphCnkgBAppCnMKQQpyCnIKYQp5KQADAgEQOgEBBAcDJAUFLwsGKigJKgIqAyoEKgUqBgADFzwFBApbCm8KYgpqCmUKYwp0CiAKTwpiCmoKZQpjCnQKXS8HBApjCmEKbApsOwADAgEcFzwFBgAFCAEXEC8FLwgECmMKYQpsCmw7AAMECmMKbwpuCnMKdApyCnUKYwp0Cm8KcgICJAUFLwYvAwQKYwpvCm4Kcwp0CnIKdQpjCnQKbwpyOzY8BjwFLwMECmMKbwpuCnMKdApyCnUKYwp0Cm8KcjsECnAKcgpvCnQKbwp0CnkKcAplKTY8BjIFLwgECmMKYQpsCmw7LwMECmMKbwpuCnMKdApyCnUKYwp0Cm8KcjsECnAKcgpvCnQKbwp0CnkKcAplKTYECmkKcwpQCnIKbwp0Cm8KdAp5CnAKZQpPCmYCAiQFBS8DBApjCm8KbgpzCnQKcgp1CmMKdApvCnI7NjwGGQUABRc8BkAFAAYXPAUGKAUIARcQLwM/AQ88BQUGQQUvBEAAJAUF
BioFBhkIAAURAAQcPAUvCAQKYwphCmwKbDsAAwAEAgIQOgIBBwcIBgMkBQUvDAYCKAYqAioDKgQABTwGCgUECl8KXwpwCnIKbwp0Cm8KXwpfLwQECm4KYQptCmU7Nhw8BS8DLwQECm4KYQptCmU7NjsvBAQKbgplCncKVgphCmwKdQplOzYYQAAFBggFAAUAAy8EBApuCmEKbQplOzYECk8KYgpqCmUKYwp0DTcAJwQKZQpuCnUKbQplCnIKYQpiCmwKZQMIABcYBQUnBApjCm8KbgpmCmkKZwp1CnIKYQpiCmwKZQMIABcYBQUnBAp2CmEKbAp1CmUDLwQECm4KZQp3ClYKYQpsCnUKZTs2GAUFJwQKdwpyCmkKdAphCmIKbAplAwgAFxgFBUIDBREQOgECBQgDBCQFBS8NBkIoByoCKgMqBAQKXwpfCnAKcgpvCnQKbwpfCl8ABBw8BQY6BS8FBApjCmEKbApsOwADAAQCAhc8BQYqBREQLwY/PAUGQQUABgADAARCAgQKdgphCmwKdQplAzYQLwMABDs2EDoCAgUGBgkDBCQFBS8DBAplCngKcApvCnIKdApzOwYGKBEqAioDKgQqBSoGKgcqCCoJKgoqCyoMLwkvAQgAOzYkBQUvCggBJAUFLwsvAQQKbAplCm4KZwp0Cmg7NiQFBS8MCAEXJAUFBApiCm8KbwpsCmUKYQpuAAk0DDwGBgUvDAAJJAUFLwkvAQgBOzY8BQQKTwpiCmoKZQpjCnQNNwAkBQUvCggCJEAABQUtAAkMPAUECm8KYgpqCmUKYwp0AAk0DBc8BjIFBApmCnUKbgpjCnQKaQpvCm4ACTQMFzwGAgUvCQQKTwpiCmoKZQpjCnQNNwAkQAAFBS8KPwALPhc8BQYGBS0vAy8BAAo7NiRAAAUMFzwFBigFAAMBDzwFBQYqBS8EQAAkBQUvBQANAAkABEICJAUFAAkvBgANAAMABEICJEAABRwXPAYoBQAMPAY6BQAGPAYCBQAOAAZCATwFLwcADwAGQgEkQAAFPDIABREABhwXPAYqBQAQAAkECk8KYgpqCmUKYwp0DTcAJwQKbgphCm0KZQMABBgFBScECm4KZQp3ClYKYQpsCnUKZQMABhgFBUICBkEFAAc8BS8IAAU8BgAFAA4ABUIBPAUECk8KYgpqCmUKYwp0DTcABjUFAAUkQAAFBhkFLwcIARckBQUvCAAFPAYCBQAPAAVCATwFBApBCnIKcgphCnkNNwAGAgUABSRAAAUFABAACQQKTwpiCmoKZQpjCnQNNwAnBApuCmEKbQplAwAEGAUFJwQKbgplCncKVgphCmwKdQplAwACAAwACAAGQgMYBQVCAgUGOgUGBi8KJz8IARQkBT8FBigvCT8QOgQADQ0OCw8KEAwYBQUREDoAAwMEBRgFBScECjIKMAMGBigGKgIqAyoEKgUvBAQKXwpfCmUKcwpNCm8KZAp1CmwKZTsIABcYBQUvBAQKZAplCmYKYQp1CmwKdDsECk8KYgpqCmUKYwp0DTcAJwQKYQpkCmQDBjooBioCKgMqBCoFAAM8BkAFLwMECmEKZApkCkUKdgplCm4KdApMCmkKcwp0CmUKbgplCnI7NjwFLwMECmEKdAp0CmEKYwpoCkUKdgplCm4KdDs2PAUvAwQKbwpuAAQUOwAFGEAABQY8BS8DBAphCnQKdAphCmMKaApFCnYKZQpuCnQ7BApvCm4ABBQABQICBgAFLwMECmEKZApkCkUKdgplCm4KdApMCmkKcwp0CmUKbgplCnI7AAQABQgBFwIDBREQOgADAwQFGAUFJwQKcgplCm0Kbwp2CmUDBjooBioCKgMqBCoFAAM8BjwFLwMECnIKZQptCm8KdgplCkUKdgplCm4KdApMCmkKcwp0CmUKbgplCnI7NjwFLwMECmQKZQp0CmEKYwpoCkUKdgplCm4KdDs2PAUvAwQKbwpuAAQUOy0YQAAFBjcFLwMECmQK
ZQp0CmEKYwpoCkUKdgplCm4KdDsECm8KbgAEFAAFAgIGNwUvAwQKcgplCm0Kbwp2CmUKRQp2CmUKbgp0CkwKaQpzCnQKZQpuCmUKcjsABAAFCAEXAgMFERA6AAMDBAUYBQUYBQUREDoAAwMEBRgFBScECjIKNAMGGSgLKgIqAyoEKgUqBioHKggqCSoKBjIoBSoCKgMABAADQgE8MgkvAwQKbgpvCmQKZQpUCnkKcAplOzYcPAY1BS8DBApkCmUKZgphCnUKbAp0ClYKaQplCnc7NjwFLwMECnAKYQpyCmUKbgp0ClcKaQpuCmQKbwp3OzYGIwUAAxAvCToBAQQKAyQFBQYoKAQqAioDLQADDBc8BiMFAAMvAwQKdwppCm4KZApvCnc7NgwQLwo6AAEDJAUFLwYAADwGNQUvAAQKXwpfCmkKbQpwCm8Kcgp0CkQKZQpmCmEKdQpsCnQ7NjwFBkIoBCoCKgMAAzwGAAUvAwQKXwpfCmUKcwpNCm8KZAp1CmwKZTs2PAUECk8KYgpqCmUKYwp0DTcAJwQKZAplCmYKYQp1CmwKdAMAAxgFBQYIBQADEDoAAQMkBQUvBAQKXwpfCmUKcwpNCm8KZAp1CmwKZTsIABcYBQUvBAQKaQpzClcKaQpuCmQKbwp3Oy8EBApnCmUKdApXCmkKbgpkCm8KdzsvBAQKZwplCnQKTwpmCmYKcwplCnQ7LwQECmkKcwpECmEKcgprCk0KbwpkCmU7LwQECnMKaAphCmsKZQpFCmw7LwQECmEKZApkCk8KbgpjCmUKQQpuCmkKbQphCnQKaQpvCm4KQwpsCmEKcwpzOy8EBAphCm4KaQptCmEKdAppCm8KbgpFCm4KZApOCmEKbQplOy8EBApyCmUKbQpvCnYKZQpDCmwKYQpzCnM7LwQECmEKZApkCkMKbAphCnMKczsvBAQKcwplCnQKQwpzCnM7LwQECmcKZQp0CkMKUwpTOy8EBApjCnIKZQphCnQKZQpHCmUKbgplCnIKYQpsCkkKZgpyCmEKbQplOxEYQAAFGEAABRhAAAUYQAAFGEAABRhAAAUYQAAFGEAABRhAAAUYQAAFGEAABRgFBS8HAAUIAEIBJAUFLwgABgAFCBRCAUIBJAUFLwQECmMKcgplCmEKdAplCkcKZQpuCmUKcgphCmwKSQpmCnIKYQptCmU7BgAoBSoCKgMqBC8EBApkCm8KYwp1Cm0KZQpuCnQgBApjCnIKZQphCnQKZQpFCmwKZQptCmUKbgp0KQQKaQpmCnIKYQptCmUCASQFBQADPAYABS8DBAppCmQ7NjwGQQUvBAQKaQpkOy8DBAppCmQ7NhhAAAUFAAM8BjoFLwMECmMKbAphCnMKcwpOCmEKbQplOzY8BioFLwQECmMKbAphCnMKcwpOCmEKbQplOy8DBApjCmwKYQpzCnMKTgphCm0KZTs2GEAABQUvBAQKcwplCnQKQQp0CnQKcgppCmIKdQp0CmU7BApmCnIKYQptCmUKYgpvCnIKZAplCnIECjACAgUvBAQKcwplCnQKQQp0CnQKcgppCmIKdQp0CmU7BApiCm8KcgpkCmUKcgQKMAICBS8EBApzCmUKdApBCnQKdApyCmkKYgp1CnQKZTsECm0KYQpyCmcKaQpuCmgKZQppCmcKaAp0BAowAgIFLwQECnMKZQp0CkEKdAp0CnIKaQpiCnUKdAplOwQKbQphCnIKZwppCm4KdwppCmQKdApoBAowAgIFLwQECnMKZQp0CkEKdAp0CnIKaQpiCnUKdAplOwQKcwpjCnIKbwpsCmwKaQpuCmcECm4KbwICBQAEEDoAAQMYBQUvBAQKZwplCnQKQwpTClM7BkEoBSoCKgMqBC8DBApjCnUKcgpyCmUKbgp0ClMKdAp5CmwKZTs2PAUECncKaQpuCmQKbwp3IAQKZwplCnQKQwpvCm0KcAp1CnQKZQpkClMKdAp5CmwKZSkAAy0CAgAEAzYGKgUv
AwQKYwp1CnIKcgplCm4KdApTCnQKeQpsCmU7AAQpNhA6AAIDBBgFBS8EBApzCmUKdApDCnMKczsGPCgJKgIqAyoEKgUqBgADPAY8BQAEPAYZBS8HBAppCnMKTwpiCmoKZQpjCnQ7AAQCATwFBkAFAAQBDzwFBQZABS8FQAAkBQUGQCEjADEGCCoIIwgvAwQKcwp0CnkKbAplOwAFKS8EAAU7NhgFBTE9BkIFBgAvBD8QERA6AQIHBwMEGAUFLwQECmEKZApkCkMKbAphCnMKczsGQSgHKgIqAyoEKgUqBi8DBApjCmwKYQpzCnMKTAppCnMKdDs2PAUvBS8DBApjCmwKYQpzCnMKTgphCm0KZTs2JAUFLwYABQQABRwXPAUEBiMFBAogFAAEFCQFBS8DBApjCmwKYQpzCnMKTgphCm0KZTsABhgFBQYKBS8DBApjCmwKYQpzCnMKTAppCnMKdDsECmEKZApkKQAEAgEFERA6AAIDBBgFBS8EBApyCmUKbQpvCnYKZQpDCmwKYQpzCnM7Bi8oByoCKgMqBCoFKgYvAwQKYwpsCmEKcwpzCkwKaQpzCnQ7NjwFBgYFLwMECmMKbAphCnMKcwpMCmkKcwp0OwQKcgplCm0Kbwp2CmUpAAQCARAvBQQKIC8DBApjCmwKYQpzCnMKTgphCm0KZTs2FAQKIBQkBQUvBi8FLwUECnIKZQpwCmwKYQpjCmU7BApSCmUKZwpFCngKcA0ECigKXApzCisKKQQKZwppQgIECiACAiRAAAUECnIKZQpwCmwKYQpjCmUDBAogAAQUBAogFAQKIAICJAUFLwYvBgQKcgplCnAKbAphCmMKZTsEClIKZQpnCkUKeApwDQQKKApeClwKcworCikKfAooClwKcworCiQKKQQKZ0ICBAICJAUFLwMECmMKbAphCnMKcwpOCmEKbQplOwAGGAUFERA6AAIDBBgFBS8EBAphCm4KaQptCmEKdAppCm8KbgpFCm4KZApOCmEKbQplOwYAKAYqAioDKgQqBS8EBApkCm8KYwp1Cm0KZQpuCnQgBApjCnIKZQphCnQKZQpFCmwKZQptCmUKbgp0KQQKZgphCmsKZQIBJAUFLwUECk8KYgpqCmUKYwp0DTcAJwQKYQpuCmkKbQphCnQKaQpvCm4DBAphCm4KaQptCmEKdAppCm8KbgplCm4KZBgFBScECm0Kbwp6CkEKbgppCm0KYQp0CmkKbwpuAwQKbQpvCnoKQQpuCmkKbQphCnQKaQpvCm4KRQpuCmQYBQUnBAp3CmUKYgprCmkKdApBCm4KaQptCmEKdAppCm8KbgMECncKZQpiCmsKaQp0CkEKbgppCm0KYQp0CmkKbwpuCkUKbgpkGAUFJAUFAAUBDzwFBQYvBS8DQAAkBQUvBAQKcwp0CnkKbAplOwADKTYECnUKbgpkCmUKZgppCm4KZQpkDRwXPAUGOgUvBQADOzYQBkEFBigIARcQOgAAQgAYBQUvBAQKYQpkCmQKTwpuCmMKZQpBCm4KaQptCmEKdAppCm8KbgpDCmwKYQpzCnM7BiooDioCKgMqBCoFKgYqByoIKgkqCi8ELwMECmUKbDs2JAUFLwUvAwQKYwpsCmEKcwpzCk4KYQptCmU7NiQFBS8GLwMECmMKYQpsCmwKYgphCmMKazs2JAUFLwcvAwQKZAp1CnIKYQp0CmkKbwpuOzYkBQUABzwFLwcIJEAABQUvCwQKaQpzCkEKcgpyCmEKeTsABAIBPAUvBAQKQQpyCnIKYQp5DTcAJwgAAwAEGAUFJEAABQUvCAgAJAUFLwg/LwQECmwKZQpuCmcKdApoOzY+FzwFBiMFLwkvBAAIOzYkBQUvDAQKYQpkCmQKQwpsCmEKcwpzOwAJAAUCAgUvCCc/J0ABQAAIARQkBTIAQAA4BQZBLwoGKCgMKgIqAyoELwUECmkKcwpBCnIKcgphCnk7AAYCATwFLwYECkEKcgpyCmEKeQ03
ACcIAAMABhgFBSRAAAUFLwMIACQFBS8DPy8GBApsCmUKbgpnCnQKaDs2Phc8BQYZBS8ELwYAAzs2JAUFLwcECnIKZQptCm8KdgplCkMKbAphCnMKczsABAAIAgIFLwMnPydAAUAACAEUJAUyAEAAOAUGAi8JP0IABS8HBAphCm4KaQptCmEKdAppCm8KbgpFCm4KZApOCmEKbQplOzY8BjoFLwoECmQKZQpmCmEKdQpsCnQ7BApyCmUKbQpvCnYKZSkvBggAOzYvBwQKYQpuCmkKbQphCnQKaQpvCm4KRQpuCmQKTgphCm0KZTs2AAsCAwUREDoHAAULBgQHDAgFCQYKDQsKJAUFLwwECmEKbgppCm0KYQp0CmkKbwpuCkUKbgpkCk4KYQptCmU7NjwFBApzCmUKdApUCmkKbQplCm8KdQp0IAAKAAcCAgZABS8NBApkCmUKZgphCnUKbAp0OwQKYQpkCmQpLwQIADs2LwwECmEKbgppCm0KYQp0CmkKbwpuCkUKbgpkCk4KYQptCmU7NgAKAgMFERA6AwELBwwEDQgDGAUFLwQECnMKaAphCmsKZQpFCmw7BjcoBioCKgMqBC8FBAphCmQKZApPCm4KYwplCkEKbgppCm0KYQp0CmkKbwpuCkMKbAphCnMKczsECk8KYgpqCmUKYwp0DTcAJwQKZQpsAwADGAUFJwQKYwpsCmEKcwpzCk4KYQptCmUDBApzCmgKYQprCmUYBQUnBApjCmEKbApsCmIKYQpjCmsDAAQYBQUCAQUREDoBAgUEAwQYBQUvBAQKaQpzCkQKYQpyCmsKTQpvCmQKZTsGPCgDKgIECncKaQpuCmQKbwp3IAQKbQphCnQKYwpoCk0KZQpkCmkKYSk2PAYZBQQKdwppCm4KZApvCncgBAptCmEKdApjCmgKTQplCmQKaQphKQQKKApwCnIKZQpmCmUKcgpzCi0KYwpvCmwKbwpyCi0KcwpjCmgKZQptCmUKOgogCmQKYQpyCmsKKQIBBAptCmEKdApjCmgKZQpzAzYQOgAAGAUFLwQECmcKZQp0Ck8KZgpmCnMKZQp0OwYAKAsqAioDKgQqBSoGKgcqCCoJLwYECk8KYgpqCmUKYwp0DTcAJwQKdApvCnADCAAYBQUnBApsCmUKZgp0AwgAGAUFJAUFLwcAAzwGMgUvAwQKbwp3Cm4KZQpyCkQKbwpjCnUKbQplCm4KdDs2JAUFAAc8BQY6BS8ELwcECmQKbwpjCnUKbQplCm4KdApFCmwKZQptCmUKbgp0OzYkBQUECnUKbgpkCmUKZgppCm4KZQpkLwMECmcKZQp0CkIKbwp1Cm4KZAppCm4KZwpDCmwKaQplCm4KdApSCmUKYwp0OzY0DBc8BgAFLwYvAwQKZwplCnQKQgpvCnUKbgpkCmkKbgpnCkMKbAppCmUKbgp0ClIKZQpjCnQ7AgAkQAAFBS8ICAAkBQUvCQgAJAUFLwUACgAHQgEkQAAFPAZBBS8ILwUECnAKYQpnCmUKWQpPCmYKZgpzCmUKdDs2PAUvBAQKcwpjCnIKbwpsCmwKVApvCnA7Ni8EBApjCmwKaQplCm4KdApUCm8KcDs2PDIAFSQFBS8JLwUECnAKYQpnCmUKWApPCmYKZgpzCmUKdDs2PAUvBAQKcwpjCnIKbwpsCmwKTAplCmYKdDs2LwQECmMKbAppCmUKbgp0CkwKZQpmCnQ7NjwyABUkQAAFBQQKTwpiCmoKZQpjCnQNNwAnBAp0Cm8KcAMvBgQKdApvCnA7NgAIFBgFBScECmwKZQpmCnQDLwYECmwKZQpmCnQ7NgAJFBgFBRAREDoBAQoJAxgFBS8EBApnCmUKdApXCmkKbgpkCm8KdzsACRgFBS8EBAppCnMKVwppCm4KZApvCnc7AAoYBQUREDoAAwMEBRgFBScECjIKNQMGKCgHKgIqAyoEKgUqBi8EBApfCl8KZQpzCk0KbwpkCnUKbAplOwgAFxgF
BS8EBAppCnMKQQpyCnIKYQp5Oy8EBAppCnMKTwpiCmoKZQpjCnQ7ERhAAAUYBQUvBgYCKAQqAioDBjooBSoCKgMECk8KYgpqCmUKYwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBAp0Cm8KUwp0CnIKaQpuCmcpBApjCmEKbApsKQADAgEEClsKbwpiCmoKZQpjCnQKIAAEFAQKXRQcEDoBAQQDAxA6AAEDJAUFLwQECmkKcwpPCmIKagplCmMKdDsABgQKTwpiCmoKZQpjCnRCARgFBS8EBAppCnMKQQpyCnIKYQp5OwAGBApBCnIKcgphCnlCARgFBREQOgADAwQFGAUFJwQKMgo2AwZAKAgqAioDKgQqBSoGKgcvBgAAPAZBBS8ABApfCl8KaQptCnAKbwpyCnQKRAplCmYKYQp1CmwKdDs2PAUGQigEKgIqAwADPAYjBS8DBApfCl8KZQpzCk0KbwpkCnUKbAplOzY8BQQKTwpiCmoKZQpjCnQNNwAnBApkCmUKZgphCnUKbAp0AwADGAUFBkEFAAMQOgABAyQFBS8EBApfCl8KZQpzCk0KbwpkCnUKbAplOwgAFxgFBS8EBApzCmgKcgppCm4KawpBCnIKcgphCnkKUwppCnoKZQpGCnIKbwptClIKdQppCnMKdQpuOy8EBApzCmgKcgppCm4KawpBCnIKcgphCnkKUwppCnoKZTsvBAQKZQp4CnQKZQpuCmQ7ERhAAAUYQAAFGAUFLwcABgAFCAFCAUIBJAUFLwQECmUKeAp0CmUKbgpkOwQKTwpiCmoKZQpjCnQgBAphCnMKcwppCmcKbik2PAUvBwQKZAplCmYKYQp1CmwKdDs2GAUFLwQECnMKaApyCmkKbgprCkEKcgpyCmEKeQpTCmkKegplOwYvKAsqAioDKgQqBSoGKgcqCCoJKgovBi8DBApsCmUKbgpnCnQKaDs2JAUFAAYABB8XPAUGOgUAAxAvBwQKQQpyCnIKYQp5DTcAJAUFLwUABTwFBApPCmIKagplCmMKdA03ACRAAAUECmsKZQplCnAKUwp0CmEKcgp0AzY8Bi8FLwQnPwgBFSQFBS8GJz8IARUkBQUvBwQKcAp1CnMKaDsvAwgAOzYCAQUvBQQKawplCmUKcApMCmEKcwp0OzY8BgIFLwYnPwgBFSQFBS8EJz8IARUkQAAFBS8IAAQABiYkBQUvCQgAJAUFLwoIACQFBS8KPwAGPhc8BQYvBS8JJz8ACBQkQAAyAT48BkEFLwcECnAKdQpzCmg7LwMACjs2AgEFLwknPwgBFSRAAAUFLwonPydAAUAACAEUJAUyAEAAOAUGPC8FBAprCmUKZQpwCkwKYQpzCnQ7NjwGQAUvBwQKcAp1CnMKaDsvAy8DBApsCmUKbgpnCnQKaDs2CAEVOzYCAQUABxA6AAMDBAUYBQUvBAQKcwpoCnIKaQpuCmsKQQpyCnIKYQp5ClMKaQp6CmUKRgpyCm8KbQpSCnUKaQpzCnUKbjsGNygKKgIqAyoEKgUqBioHKggqCS8GLwMECmwKZQpuCmcKdApoOzYkBQUABgAEHxc8BQY1BQADEC8FAAU8BQQKTwpiCmoKZQpjCnQNNwAkQAAFBAprCmUKZQpwClMKdAphCnIKdAM2PAZABS8GJz8IARUkQAAFBS8FBAprCmUKZQpwCkwKYQpzCnQ7NjwGAAUvBic/CAEVJAUFLwQnPwgBFSRAAAUFLwcECk0KYQp0CmggBApmCmwKbwpvCnIpAAYABAgBFSYCASQFBS8ICAAkBQUvCQQKQQpyCnIKYQp5DTcAJAUFLwkECmwKZQpuCmcKdApoOzYABD4XPAUGNQUvCQQKcAp1CnMKaDsvAwAIOzYCAQUvCCc/AAcUJAUFBgAvBQQKawplCmUKcApMCmEKcwp0OzY8BgYFLwkECnAKdQpzCmg7LwMvAwQKbAplCm4KZwp0Cmg7NggBFTs2AgEFAAkQOgADAwQFGAUF
ERA6AAMDBAUYBQUnBAozCjIDBjooBioCKgMqBCoFLwQECl8KXwplCnMKTQpvCmQKdQpsCmU7CAAXGAUFLwQECmkKcwpJCkUKOQpCCmUKbApvCnc7ERgFBS8EBAppCnMKSQpFCjkKQgplCmwKbwp3OwYjKAYqAioDKgQqBS8FBApuCmEKdgppCmcKYQp0Cm8KciAECnUKcwplCnIKQQpnCmUKbgp0KQQKdApvCkwKbwp3CmUKcgpDCmEKcwplKQIAJAUFLwUECmkKbgpkCmUKeApPCmY7BAptCnMKaQplAgEIAAgBFR88BQYABS8DLwUECm0KYQp0CmMKaDsEClIKZQpnCkUKeApwDQQKbQpzCmkKZQogCigKWwpcCmQKLgpdCisKKQRCAgIBJEAABTwGCAUECnAKYQpyCnMKZQpJCm4KdCAvAwgBOzYICgICCAk+FzwFBgAFCAAXEC8EBApkCm8KYwp1Cm0KZQpuCnQgBApkCm8KYwp1Cm0KZQpuCnQKTQpvCmQKZSk2JEAABTwGKgUABAgJPhc8BQYZBQgAFxAIARcQOgAAGAUFERA6AAMDBAUYBQUnBAo0AwY1KAcqAioDKgQqBSoGLwQECl8KXwplCnMKTQpvCmQKdQpsCmU7CAAXGAUFLwQECmEKZApkClUKcgpsClAKYQpyCmEKbTsvBAQKZwplCnQKUQp1CmUKcgp5ClAKYQpyCmEKbTsvBAQKZwplCnQKUQp1CmUKcgp5Ck0KYQpwOy8EBApnCmUKdApRCnUKZQpyCnk7LwQECmcKZQp0CkgKcgplCmY7ERhAAAUYQAAFGEAABRhAAAUYBQUvBAQKZwplCnQKSApyCmUKZjsGNygGKgIqAyoDBjohIwAGCiEjADEGMioFIwUECmQKbwpjCnUKbQplCm4KdCAEClUKUgpMKTYxMRA9MQYGKgQjBAQKbApvCmMKYQp0CmkKbwpuIAQKaApyCmUKZik2MRA9BBA6AAAYBQUvBAQKZwplCnQKUQp1CmUKcgp5OwY1KAoqAioDKgQqBSoGKgcqBS8EAAM8MgAGOgUIASQFBQY6ISMABjUhIwAxBkAqCSMJLwYECmQKbwpjCnUKbQplCm4KdCAEClUKUgpMKTYkBQUvBy8GBAppCm4KZAplCngKTwpmOwQKPwIBJAUFAAcIAD48BQYvBS8GBApzCnUKYgpzCnQKcjsABwAEFAIBMTEQMT0xBgAqCCMIBApsCm8KYwphCnQKaQpvCm4gBApzCmUKYQpyCmMKaCkECnMKdQpiCnMKdApyKQAEAgExED0EEDoAAQMYBQUvBAQKZwplCnQKUQp1CmUKcgp5Ck0KYQpwOwYIKAgqAioDKgQqBSoGLwMECk8KYgpqCmUKYwp0DTcAJAUFLwQvBwQKZwplCnQKUQp1CmUKcgp5OwgAFwIBBApzCnAKbAppCnQDBAomAgEkBQUvBQgAJAUFLwU/LwQECmwKZQpuCmcKdApoOzY+FzwFBgYFLwYEClIKZQpnCkUKeApwDQQKKAouCioKPwopCj0KKAouCioKKQRCAgQKZQp4CmUKYwMvBAAFOzYCASQFBQAGPAYKBS8DLwYIATs2Oy8GCAI7NhhAAAUFLwUnPydAAUAACAEUJAUyAEAAOAUGGS8DPxA6AQAHBBgFBS8EBApnCmUKdApRCnUKZQpyCnkKUAphCnIKYQptOwYGKAUqAioDLwQECmcKZQp0ClEKdQplCnIKeQpNCmEKcDsCAAADAzYQOgEBBAQDGAUFLwYGACgHKgIqAyoEKgUqBggACAEVLwMECmkKbgpkCmUKeApPCmY7BAo/AgEMFzwFLwMAAwQKPxQABBQECj0UAAUUJAUFBjcFLwYEClIKZQpnCkUKeApwIAQKKApcCj8KfAomAAQUBAopCj0KWwpeCiYKXQoqFBkBJAUFLwMvBgQKdAplCnMKdDsAAwIBPAUAAwQKJhQABBQECj0UAAUUBjIFLwMECnIKZQpw
CmwKYQpjCmU7AAYECiQKMQo9AAUUAgIkBQUvAz8QOgADAwQFJAUFLwQECmEKZApkClUKcgpsClAKYQpyCmEKbTsGAigHKgIqAyoEKgUABAEPPAUFBgIFLwVAACQFBQQKdQpuCmQKZQpmCmkKbgplCmQvBAAFOzY0DBc8BhkFLwMABgADBAplCm4KYwpvCmQKZQpVClIKSQpDCm8KbQpwCm8KbgplCm4KdCAABQIBBAplCm4KYwpvCmQKZQpVClIKSQpDCm8KbQpwCm8KbgplCm4KdCAELwQABTs2FAIBQgMkQAAFBQYZBQYALwM/EDoBAgYGAwQYBQUREDoAAwMEBRgFBScECjQKMAMGGSgMKgIqAyoEKgUqBioHKggqCSoKKgsvBgAAPAYIBS8ABApfCl8KYwpyCmUKYQp0CmUKQgppCm4KZAppCm4KZzs2PAUECk8KYgpqCmUKYwp0IAQKYwpyCmUKYQp0CmUpNjwFBgIoByoCKgMqBCoFKgYABgQKdQpuCmQKZQpmCmkKbgplCmQNHDwGAgUvBgAFJEAABQUvAwAGOy8EAAU7NhgFBREQOgAEAwQFBgYKBQYIKAcqAioDKgQqBSoGAAYECnUKbgpkCmUKZgppCm4KZQpkDRw8BiMFLwYABSRAAAUFBApPCmIKagplCmMKdCAECmQKZQpmCmkKbgplClAKcgpvCnAKZQpyCnQKeSkAAwAGBApPCmIKagplCmMKdA03ACcECmUKbgp1Cm0KZQpyCmEKYgpsCmUDCAAXGAUFJwQKZwplCnQDBi8oBSoCLwMABDs2EDoCAAMEBAUYBQUCAwUREDoABAMEBQYkBQUvBwAAPAYCBS8ABApfCl8KcwplCnQKTQpvCmQKdQpsCmUKRAplCmYKYQp1CmwKdDs2PAUECk8KYgpqCmUKYwp0IAQKYwpyCmUKYQp0CmUpNjwFBgAoBSoCKgMqBC8DBApkCmUKZgphCnUKbAp0OwAEGAUFERA6AAIDBAYCBQYjKAUqAioDKgQECk8KYgpqCmUKYwp0IAQKZAplCmYKaQpuCmUKUApyCm8KcAplCnIKdAp5KQADBApkCmUKZgphCnUKbAp0BApPCmIKagplCmMKdA03ACcECmUKbgp1Cm0KZQpyCmEKYgpsCmUDCAAXGAUFJwQKdgphCmwKdQplAwAEGAUFAgMFERA6AAIDBCQFBS8IAAA8BgYFLwAECl8KXwppCm0KcApvCnIKdApTCnQKYQpyOzY8BQZCKAgqAioDKgQqBQADPAYqBS8DBApfCl8KZQpzCk0KbwpkCnUKbAplOzY8BQYIBQADEC8EBApPCmIKagplCmMKdA03ACQFBS0AAwwXPAUGNwUAAwEPPAUFBgIFLwVAACQFBQQKZAplCmYKYQp1CmwKdAAFHBc8BjoFBApPCmIKagplCmMKdCAECnAKcgpvCnQKbwp0CnkKcAplKQQKaAphCnMKTwp3Cm4KUApyCm8KcAplCnIKdAp5KQQKYwphCmwKbCkAAwAFAgI8BigFAAYABAADAAVCAwUGKgUGAC8HPwAEAANCAgUABBA6AgEGBgcHAyQFBS8EBApfCl8KZQpzCk0KbwpkCnUKbAplOwgAFxgFBS8EBApkCmUKYwpyCnkKcAp0CkQKYQp0CmE7LwQECmUKbgpjCnIKeQpwCnQKRAphCnQKYTsvBAQKZQpuCmMKcgp5CnAKdApGCmkKZQpsCmQ7ERhAAAUYQAAFGAUFLwkACAAFCClCAUIBJAUFLwQECmUKbgpjCnIKeQpwCnQKRgppCmUKbApkOwYAKAYqAioDKgQvBQQKZQpuCmMKcgp5CnAKdDsAAwAEAgIQOgECBQkDBBgFBS8EBAplCm4KYwpyCnkKcAp0CkQKYQp0CmE7BhkoCyoCKgMqBCoFKgYvBAAHAANCASQFBS8FAAgABEIBJAUFBgghIwAxBgoqCSMJLwoECmUKbgpjCnIKeQpwCnQ7AAUECjMKNApl
CjIKYwo4CmYKMAo3CmIKNQoxCjYKOQphCmQCAjEQPQQQOgMBBwoICwoJAxgFBS8KBggoByoCKgMqBCoFKgYvBAgQLwMECmwKZQpuCmcKdApoOzYIECUVJAUFLwUECjAKYQpiCmMKZAplCmYKZwpoCmkKagprCmwKbQpuCm8KcAQKYwpoCmEKcgpBCnQDAAQCASQFBS8GAAMkBQUvBCc/J0ABQAAIARUkBTIAQAA4CAAfPAUGQQUvBic/AAUUJAUFBjUvBj8QOgABAyQFBS8LBkEoCyoCKgMqBCoFKgYqByoIKgkqCi8ELwMECmwKZQpuCmcKdApoOzYkBQUABAgQJQgADBc8BQY8BQADEC8FBCQFBS8GBApBCnIKcgphCnkNNwAnCAADCAAYBQUnCAEDCAQYBQUnCAIDCAgYBQUnCAMDCAwYBQUnCAQDCAUYBQUnCAUDCAkYBQUnCAYDCA0YBQUnCAcDCAEYBQUnCAgDCAoYBQUnCAkDCA4YBQUnCAoDCAIYBQUnCAsDCAYYBQUnCAwDCA8YBQUnCA0DCAMYBQUnCA4DCAcYBQUnCA8DCAsYBQUkBQUvBwgAJAUFLwc/AAQ+FzwFBioFLwgECkEKcgpyCmEKeQ03ACQFBS8JCAAkBQUvCT8IED4XPAUGQQUvCi8GAAk7NiQFBS8IBApwCnUKcwpoOy8DBApjCmgKYQpyCkEKdDsABwAKFAIBAgEFLwknPydAAUAACAEUJAUyAEAAOAUGNS8FJz8vCAQKagpvCmkKbjsEAgEUJAUFLwcnPwgQFCQFBQZBLwU/EDoAAQMkBQUvBAQKZAplCmMKcgp5CnAKdApECmEKdAphOwYAKAUqAioDBkEoBioCKgMqBCoFLwQvAwQKbAplCm4KZwp0Cmg7NiQFMgAABBw8BQYjBQQQLwUvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsABAgBFQIBCGAVJAUFLwMECnMKdQpiCnMKdApyOwgAAAQABRUCAhA6AAEDBhkoCyoCKgMqBCoFKgYqByoIKgkqCi8ELwMECmwKZQpuCmcKdApoOzYkBQUABAgQJQgADBc8BQZCBQADEC8FBCQFBS8GBApBCnIKcgphCnkNNwAnCAADCAAYBQUnCAEDCAcYBQUnCAIDCAoYBQUnCAMDCA0YBQUnCAQDCAEYBQUnCAUDCAQYBQUnCAYDCAsYBQUnCAcDCA4YBQUnCAgDCAIYBQUnCAkDCAUYBQUnCAoDCAgYBQUnCAsDCA8YBQUnCAwDCAMYBQUnCA0DCAYYBQUnCA4DCAkYBQUnCA8DCAwYBQUkBQUvBwgAJAUFLwc/AAQ+FzwFBjUFLwgECkEKcgpyCmEKeQ03ACQFBS8JCAAkBQUvCT8IED4XPAUGNwUvCi8GAAk7NiQFBS8IBApwCnUKcwpoOy8DBApjCmgKYQpyCkEKdDsABwAKFAIBAgEFLwknPydAAUAACAEUJAUyAEAAOAUGNy8FJz8vCAQKagpvCmkKbjsEAgEUJAUFLwcnPwgQFCQFBQYALwU/EDoAAQMvBAQKZAplCmMKcgp5CnAKdDsAAwQKMwo0CmUKMgpjCjgKZgowCjcKYgo1CjEKNgo5CmEKZAICQgFCARA6AQEECQMYBQUREDoAAwMEBRgFBScECjQKMQMGKCgKKgIqAyoEKgUqBioHKggqCQZBKAcqAioDKgQqBSoCKgYvBS8DCAA7NiQFBS8CLwMIATs2JAUFLwYIACQFBQgABgwXPAUGCgUvAic/LwUnPwACCAQzAAIIBUQHAAIUAAYvBAgDAAYLOzYUBxQkQAAyBDMABQgFRAcABRQvBic/CBQkQAAFLwQABggLRAgDCzs2FAcUJAUFBjwvAwgAOwAFGAUFLwMIATsAAhgFBREQLwY6AAIDBCQFBQY1KAcqAioDKgQqBSoGKgIvBS8DCAA7NiQFBS8GLwMIATs2JAUFLwIIJAUFCAAAAgwXPAUGAgUvBSc/LwYnPwAF
CAQzAAUIBUQHAAUUAAIvBAACCAtECAMLOzYUBxUkQAAyBDMABggFRAcABhQvAic/CBUkQAAFLwQIAwACCzs2FAcVJAUFBkEvAwgAOwAFGAUFLwMIATsABhgFBREQLwc6AAIDBCQFBQZAKAYqAioDKgQqBS8ECAAkBQUvBQgAJAUFLwU/CAQ+FzwFBjUFLwQnPy8DBApjCmgKYQpyCkMKbwpkCmUKQQp0OwAFAgEICAAFQzM4JAUFLwUnPydAAUAACAEUJAUyAEAAOAUGAgQKaQpzCk4KYQpOIAAEAgE8BQAEBkEFCAAQLwg6AAEDJAUFBhkoBCoCKgMEClMKdApyCmkKbgpnIAQKZgpyCm8KbQpDCmgKYQpyCkMKbwpkCmUpCP8AAwsAAwgILgj/CwADCBAuCP8LAAMIGC4I/wsCBBAvCToAAQMkBQUvBAQKXwpfCmUKcwpNCm8KZAp1CmwKZTsIABcYBQUvBAQKZAplCmMKcgp5CnAKdDsvBAQKZQpuCmMKcgp5CnAKdDsRGEAABRgFBS8EBAplCm4KYwpyCnkKcAp0OwZCKAwqAioDKgQqBSoGKgcqCC8GBApBCnIKcgphCnkgCAIZASQFBS8HBApBCnIKcgphCnkgCAQZASQFBS8IBCQFBS8FCAAkBQUvBT8IBD4XPAUGMgUvBwAFOwAJLwQECnMKbAppCmMKZTsIBAAFQwgEAAUIARRDAgJCARgFBS8FJz8nQAFAAAgBFCQFMgBAADgFBgAvBQgAJAUFLwU/LwMECmwKZQpuCmcKdApoOzY+FzwFBkEFLwYIADsACS8DBApzCmwKaQpjCmU7AAUABQgEFAICQgEYBQUvBggBOwAJLwMECnMKbAppCmMKZTsABQgEFAAFCAgUAgJCARgFBQAKAAYAB0ICBS8IJz8ACy8GCAA7NkIBAAsvBggBOzZCARQUJAUFLwUnPwgIFCQFBQY3Lwg/EDoDAgkICgYLCQMEGAUFLwQECmQKZQpjCnIKeQpwCnQ7BjcoDCoCKgMqBCoFKgYqByoILwYECkEKcgpyCmEKeSAIAhkBJAUFLwcECkEKcgpyCmEKeSAIBBkBJAUFLwgEJAUFLwUIACQFBS8FPwgEPhc8BQYABS8HAAU7AAkvBAQKcwpsCmkKYwplOwgEAAVDCAQABQgBFEMCAkIBGAUFLwUnPydAAUAACAEUJAUyAEAAOAUGQC8DLwMECnIKZQpwCmwKYQpjCmU7BApSCmUKZwpFCngKcA0ECiEKXApkClwKZAo/ClwKZAo/CiEECmdCAgYIKAQqAioDBApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQQKcAphCnIKcwplCkkKbgp0IC8DBApzCmwKaQpjCmU7CAEIAAgBFQICCAoCAgIBEDoAAQMCAiQFBS8FCAAkBQUvBT8vAwQKbAplCm4KZwp0Cmg7Nj4XPAUGMgUvBggAOwAJLwMECnMKbAppCmMKZTsABQAFCAQUAgJCARgFBS8GCAE7AAkvAwQKcwpsCmkKYwplOwAFCAQUAAUICBQCAkIBGAUFAAoABgAHQgIFLwgnPwALLwYIADs2QgEACy8GCAE7NkIBFBQkBQUvBSc/CAgUJAUFBgYvCC8IBApyCmUKcApsCmEKYwplOwQKUgplCmcKRQp4CnANBApcCjAKKwokBEICBAICJAUFBAp1Cm4KZQpzCmMKYQpwCmUgAAgCARA6AwIJCAoHCwkDBBgFBREQOgADAwQFGAUFJwQKNAoyAwYqKAcqAioDKgQqBSoGLwQECl8KXwplCnMKTQpvCmQKdQpsCmU7CAAXGAUFLwYECk8KYgpqCmUKYwp0DTcAJwQKXwprCmUKeQpTCnQKcgMECkcKVgo1CnkKYwoxCl8KdAp3CmEKUwpwCkgKUApPCkUKNwpSCjMKagp2CjkKZgpxCkMKMgpMCi0KMApUCngKTQppCjQKRgp1Cm8KbApCCkEK
YgpRCmUKSQpnCkoKVQoqClgKegpaCksKVwprCkQKTgpoCjYKbgo4CmQKcwpyCm0KWRgFBScECmUKbgpjCm8KZAplAwZBKA0qAioDKgQqBSoGKgcqCCoJKgoqCyoMLwsEJAUFLwwIACQFBS8MPy8DBApsCmUKbgpnCnQKaDs2Phc8BQYqBS8HLwQvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsvDCc/J0ABQAAIARQkBTIAQAA4AgEkQAAyAi4kBQUvCAgDAAQLCAQzLwUvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsvDCc/J0ABQAAIARQkBTIAQAA4AgEkQAAyBC44JAUFLwkIDwAFCwgCMy8GLwMECmMKaAphCnIKQwpvCmQKZQpBCnQ7LwwnPydAAUAACAEUJAUyAEAAOAIBJEAAMgYuOCQFBS8KCD8ABgskBQUECmkKcwpOCmEKTiAABQIBPAUECmkKcwpOCmEKTiAABgIBPAZABS8KCEAkQAAFBi8FLwkvCghAJEAABSRAAAUFLwsACy8ABApfCmsKZQp5ClMKdApyOwQKYwpoCmEKcgpBCnQpAAcCARQvAAQKXwprCmUKeQpTCnQKcjsECmMKaAphCnIKQQp0KQAIAgEULwAECl8KawplCnkKUwp0CnI7BApjCmgKYQpyCkEKdCkACQIBFC8ABApfCmsKZQp5ClMKdApyOwQKYwpoCmEKcgpBCnQpAAoCARQkBQUGPC8LPxA6AAEDGAUFJwQKZAplCmMKbwpkCmUDBjIoDSoCKgMqBCoFKgYqByoIKgkqCioLLwoEJAUFLwsIACQFBS8DLwMECnIKZQpwCmwKYQpjCmU7BApSCmUKZwpFCngKcA0EClsKXgpBCi0KWgphCi0KegowCi0KOQpcCi0KXApfClwKKgpdBApnQgIEAgIkBQUvCz8vAwQKbAplCm4KZwp0Cmg7Nj4XPAUGAAUvBC8ABApfCmsKZQp5ClMKdApyOwQKaQpuCmQKZQp4Ck8KZikvAwQKYwpoCmEKcgpBCnQ7LwsnPydAAUAACAEUJAUyAEAAOAIBAgEIAjMvBy8ABApfCmsKZQp5ClMKdApyOwQKaQpuCmQKZQp4Ck8KZikvAwQKYwpoCmEKcgpBCnQ7LwsnPydAAUAACAEUJAUyAEAAOAIBAgEkQAAyBC44JAUFLwUIDwAHCwgEMy8ILwAECl8KawplCnkKUwp0CnI7BAppCm4KZAplCngKTwpmKS8DBApjCmgKYQpyCkEKdDsvCyc/J0ABQAAIARQkBTIAQAA4AgECASRAADICLjgkBQUvBggDAAgLCAYzLwkvAAQKXwprCmUKeQpTCnQKcjsECmkKbgpkCmUKeApPCmYpLwMECmMKaAphCnIKQQp0Oy8LJz8nQAFAAAgBFCQFMgBAADgCAQIBJEAABTgkBQUvCic/BApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQAEAgEUJEAABTJAAAgMFzwGNQUvCic/BApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQAFAgEUJEAABQUIQAAJDBc8BgYFLwonPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkABgIBFCRAAAUFBgovCi8MBApfCnUKdApmCjgKXwpkCmUKYwpvCmQKZTsACgIBJEAABRA6AQEMBgMYBQUnBApfCnUKdApmCjgKXwplCm4KYwpvCmQKZQMGOigHKgIqAyoEKgUqBi8DLwMECnIKZQpwCmwKYQpjCmU7BApSCmUKZwpFCngKcA0EClwKcgpcCm4ECmdCAgQKCgICJAUFLwQEJAUFLwUIACQFBS8FPy8DBApsCmUKbgpnCnQKaDs2Phc8BQYqBS8GLwMECmMKaAphCnIKQwpvCmQKZQpBCnQ7AAUCASQFBQAGCIA+FzwFAAYIfx88BigFAAYI
Phc8BS8EJz8EClMKdApyCmkKbgpnIAQKZgpyCm8KbQpDCmgKYQpyCkMKbwpkCmUpAAYIDC4I4DgCARQkBQUvBCc/BApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQAGCAYuCD8LCIA4AgEUJAUFLwQnPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkIPwAGCwiAOAIBFCRAAAUGKgUvBCc/BApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQAGCAYuCMA4AgEUJAUFLwQnPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkIPwAGCwiAOAIBFCRAAAUGQAUvBCc/BApTCnQKcgppCm4KZyAECmYKcgpvCm0KQwpoCmEKcgpDCm8KZAplKQAGAgEUJEAABQUvBSc/J0ABQAAIARQkBTIAQAA4BQYvLwQ/EDoAAQMYBQUnBApfCnUKdApmCjgKXwpkCmUKYwpvCmQKZQMGACgJKgIqAyoEKgUqBioHKggvBwQkBQUvCAgAJAUFLwQvBQgAJEAABSQFBS8IPy8DBApsCmUKbgpnCnQKaDs2Phc8BQY1BS8ELwMECmMKaAphCnIKQwpvCmQKZQpBCnQ7AAgCASRAADKAPhc8BQAECL8fPAY3BQAECOA+FzwFLwUvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsACAgBFAIBJAUFLwYvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsACAgCFAIBJAUFLwcnPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkIDwAECwgMMwg/AAULCAYzOAg/AAYLOAIBFCQFBS8IJz8IAxQkQAAFBioFLwUvAwQKYwpoCmEKcgpDCm8KZAplCkEKdDsACAgBFAIBJAUFLwcnPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkIHwAECwgGMwg/AAULOAIBFCQFBS8IJz8IAhQkQAAFBggFLwcnPwQKUwp0CnIKaQpuCmcgBApmCnIKbwptCkMKaAphCnIKQwpvCmQKZSkABAIBFCQFBS8IJz8nQAFAAAgBFCQFMgBAADgFBggvBz8QOgABAxgFBSQFBS8EBApkCmUKZgphCnUKbAp0OwAGGAUFERA6AAMDBAUYBQUnBAo0CjMDBiMoCCoCKgMqBCoFKgYqBy8EBApfCl8KZQpzCk0KbwpkCnUKbAplOwgAFxgFBS8EBAppCm4KaQp0OxEYBQUvBgAFCCxCASQFBS8HAAUIIEIBJAUFLwQECmkKbgppCnQ7BigoBioCKgMvBAQKaQpzCkkKRQo5CkIKZQpsCm8KdzsCADwFLwUECnAKcgpvCngKeQpYCkgKUjsAAwIBBjwFBAp3CmkKbgpkCm8KdyAECmcKZQp0ClYKRAphCnQKYSkGKCgJKgIqAyoEKgUqBioHLwQIARckBQUECmQKbwpjCnUKbQplCm4KdCAECmQKbwpjCnUKbQplCm4KdApNCm8KZAplKTY8Bi8FBApkCm8KYwp1Cm0KZQpuCnQgBApkCm8KYwp1Cm0KZQpuCnQKTQpvCmQKZSk2CAgfPAYKBS8ECAAXJEAABQUvBQAIAAMECk8KYgpqCmUKYwp0DTcAJwQKcAp5AwAEPAUECjAGQQUECjEYBQVCAgQKcwpwCmwKaQp0AwQKJgIBJAUFLwYIACQFBS8GPy8FBApsCmUKbgpnCnQKaDs2Phc8BQYGBS8HLwUABjs2JAUFBApSCmUKZwpFCngKcA0ECnYKRAphCnQKYQo9BEICBAp0CmUKcwp0AwAHAgE8BQYABS8HBApzCnAKbAppCnQ7BAo9AgEIAQM2PAUEEC8GJz8nQAFAAAgBFCQFMgBAADgFBjIEEDoBAQgDAxhAAAUFERA6
AgEEBwUGAxgFBREQOgADAwQFGAUFJwQKNAo0AwYZKAYqAioDKgQqBS8EBApwCnIKbwp4CnkKWApIClI7BgIoByoCKgMqBCoFKgYvBAQKWApNCkwKSAp0CnQKcApSCmUKcQp1CmUKcwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBApzCmUKbgpkKTYkBQUvBQQKWApNCkwKSAp0CnQKcApSCmUKcQp1CmUKcwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBApvCnAKZQpuKTYkBQUvBhEkBQUEClgKTQpMCkgKdAp0CnAKUgplCnEKdQplCnMKdCAECnAKcgpvCnQKbwp0CnkKcAplKQQKbwpwCmUKbikGKigJKgIqAyoEKgUGIyEjADEGIyoGIwYECi8KYwphCnAKXwp1Cm4KaQpvCm4KXwpuCmUKdwpfCnYKZQpyCmkKZgp5AAQcPAYCBS8HAAAkQAAFBTE9LwgECmEKcApwCmwKeTsAAAABAgIQOgICBwYIBQMEGAUFBApYCk0KTApICnQKdApwClIKZQpxCnUKZQpzCnQgBApwCnIKbwp0Cm8KdAp5CnAKZSkECnMKZQpuCmQpBhkoCioCKgMqBCoFBgghIwAxBgIqBiMGBApECmEKdAplIBkABQAHAAAcPAYGBQQKcwp0CnIKaQpuCmcAAzQMPAUGCgUvBAgBFyQFBQQKWApNCkwKSAp0CnQKcApSCmUKcQp1CmUKcwp0IAQKcApyCm8KdApvCnQKeQpwCmUpBApzCmUKbgpkKTYAAhwXPAZABS8ECAAXJEAABQUvAwAIAAMECk8KYgpqCmUKYwp0DTcAJwQKcAp5AwAEPAUECjAGPAUECjEYBQVCAiQFBS8JBApjCmEKbApsOwAAAAMCAjEQMT0vCQQKYQpwCnAKbAp5OwAAAAECAhA6AwEHBggDCQQDGAUFERA6AAEDGAUFERA6AAMDBAUYBQUnBAo3CjUDBjooByoCKgMqBCoFKgYvBAQKXwpfCmUKcwpNCm8KZAp1CmwKZTsIABcYBQUvBgAFCExCASQFBQAFCCtCAQQKaQpuCmkKdAMvBgQKZwplCnQKQwphCnAKdApjCmgKYQpECmEKdAphOzYCAQUREDoAAwMEBRgFBScECjcKNgMGLygNKgIqAyoEKgUqBioHKggqCSoKKgsqDC8GAAA8BhkFLwAECl8KXwppCm0KcApvCnIKdApECmUKZgphCnUKbAp0OzY8BQZCKAQqAioDAAM8BjoFLwMECl8KXwplCnMKTQpvCmQKdQpsCmU7NjwFBApPCmIKagplCmMKdA03ACcECmQKZQpmCmEKdQpsCnQDAAMYBQUGPAUAAxA6AAEDJAUFLwQECl8KXwplCnMKTQpvCmQKdQpsCmU7CAAXGAUFLwQECmcKZQp0CkMKYQpwCnQKYwpoCmEKRAphCnQKYTsRGAUFLwcABQgoQgEkBQUvCAAGAAUIKkIBQgEkBQUvCQAFCCBCASQFBS8KAAUIAEIBBQYyKAMqAgQKQgpvCm8KbAplCmEKbiAECncKaQpuCmQKbwp3IAQKYwphCnAKdApjCmgKYQpDCm8KbgpmCmkKZyk2AgEQOgAAJAUFLwsGQigGKgIqAyoEKgUvBAQKQQpyCnIKYQp5DTcAJwgAAwQKTwpiCmoKZQpjCnQNNwAnBApyCmUKZwMEClIKZQpnCkUKeApwDQQKdApvCmsKZQpuCmkKZAppCmYKcgphCm0KZQRCAhgFBScECnYKYQpsCnUKZQMECmYKcBgFBRgFBScIAQMECk8KYgpqCmUKYwp0DTcAJwQKcgplCmcDBApSCmUKZwpFCngKcA0ECnQKZApjClwKLgpqCnMEQgIYBQUnBAp2CmEKbAp1CmUDBAp0CmQKYxgFBRgFBScIAgMECk8KYgpqCmUKYwp0DTcAJwQKcgplCmcDBApSCmUKZwpFCngKcA0ECnQKYwphCnAKdApjCmgKYQotCnMKbApp
CmQKZQRCAhgFBScECnYKYQpsCnUKZQMECnMKbAppCmQKZRgFBRgFBScIAwMECk8KYgpqCmUKYwp0DTcAJwQKcgplCmcDBApSCmUKZwpFCngKcA0ECmoKcQp1CmUKcgp5BEICGAUFJwQKdgphCmwKdQplAwQKagpxGAUFGAUFJwgEAwQKTwpiCmoKZQpjCnQNNwAnBApyCmUKZwMEClIKZQpnCkUKeApwDQQKdgptBEICGAUFJwQKdgphCmwKdQplAwQKdgptGAUFGAUFJAUFLwUIACQFBS8FPy8EBApsCmUKbgpnCnQKaDs2Phc8BQY3BS8DBAptCmEKdApjCmg7LwQABTsECnIKZQpnKTYCATwFBkAFLwQABTsECnYKYQpsCnUKZSk2EC8FJz8nQAFAAAgBFCQFMgBAADgFBggvAwQKcgplCnAKbAphCmMKZTsEClIKZQpnCkUKeApwDQQKaAp0CnQKcAo6CnwKaAp0CnQKcApzCjoKfARCAgQCAgQKcwp1CmIKcwp0CnIDCAAIKAICEDoAAQMkBQUvDAYyKAoqAioDKgQqBSoGKgcqCCoJLwUvAwQKcwpwCmwKaQp0OwQKJgIBJAUFLwYEJAUFLwcIACQFBS8HPy8FBApsCmUKbgpnCnQKaDs2Phc8BQY1BS8FAAc7BApzCnAKbAppCnQpBAo9AgEIAAM2AAQcPAUGKAUvCAQKUgplCmcKRQp4CnAgAAQECj0KKAouCioKKRQZASQFBS8JLwUABzsECm0KYQp0CmMKaCkACAIBJAUFAAk8BQYKBS8GLwkIATs2PAUEJAUFBjcvByc/J0ABQAAIARQkBTIAQAA4BQY6LwY/EDoAAgMEJAUFLwQECmcKZQp0CkMKYQpwCnQKYwpoCmEKRAphCnQKYTsGNSgXKgIqAyoEKgUqBioHKggqCSoKKgsqDCoNKg4qDyoQLwYECk8KYgpqCmUKYwp0DTcAJwQKdgplCnIKcwppCm8KbgMECjIYBQUnBAp0CnADBgYoCCoCKgMqBCoFBi8hIwAvBgQKbQplCnMKcwphCmcKZTs2MRAGPCoGIwYvAwQKZApvCmMKdQptCmUKbgp0IAQKZwplCnQKRQpsCmUKbQplCm4KdApCCnkKSQpkKQQKcwpsCmkKZAplCkIKZwIBBApzCnIKYwM2PAUEJAUFLwQvAwQKbQphCnQKYwpoOwQKUgplCmcKRQp4CnANBAomCnMKaQpkCj0KKAouCioKPwopCiYEQgICASQFBQAEPAY6BS8DLwQIATs2PAUAAyRAAAUFAAdCADwGKgUAAzwFBApiCmIKYgpiCmIKYgpiCmIKYgpiBhkFAAMxED0REDoBAAcRQgAYBQUnBApwCnkDLwQECnAKeTs2GAUFJwQKZQpuCnYDABFCADwFBAoxBioFBAowGAUFJAUFLwcGACgKKgIqAyoEKgUqBioHAAhCABc8BQY3BQQKQQpyCnIKYQp5DTcAJwgAAwgEGAUFJwgBAwgCGAUFJwgCAwgDGAUFJwgDAwgKGAUFEC8EAAkAAwQKdApsCmdCAgQKcwpwCmwKaQp0AwQCASQFBS8FBApBCnIKcgphCnkNNwAkBQUvBggAJAUFLwY/LwQECmwKZQpuCmcKdApoOzY+FzwFBgAFLwcECnAKYQpyCnMKZQpJCm4KdCAvBAAGOzYICgICJAUFLwUECnAKdQpzCmg7AAcCAQUvBic/J0ABQAAIARQkBTIAQAA4BQYjLwU/EDoCAQgRCRIDBAADFEIBPAUECkEKcgpyCmEKeQ03ACQFBS8IABIAAwQKcwplCnMKc0ICPAUECmEKYgpjCmQKZQpmCmcKaAppCmoKawpsCm0KbiQFBS8GBApjCkwKbwpkOy0vBS0ECncKaQpuCmQKbwp3DRw8MgAFEQQKdwppCm4KZApvCncNHDwFBAp3CmkKbgpkCm8KdyAEClQKRApDKTYGQgURJEAABRw8MgAFEQAFHDwFLwUECmcK
ZQp0CkQKYQp0CmE7NgY8BRE8BQQKdQpuCmwKbwphCmQKVApECkMGKgUECmwKbwphCmQKVApECkMYBQUvCQQkBQUvCggAJAUFLwo/LwcECmwKZQpuCmcKdApoOzY+FzwFBjwFLwsvBwAKOzYkBQUvCSc/LwgECmMKaAphCnIKQQp0OwALAgEUJAUFLwonPydAAUAACAEUJAUyAEAAOAUGKC8GBAppCm4KZjsECncKaQpuCmQKbwp3DQQKdApvCnANHDwFBAppCmYKcgphCm0KZQY1BQQKdApvCnAYBQUvDAY8KAoqAioDKgQqBSoGKgcvAwQKZApvCmMKdQptCmUKbgp0IAQKZwplCnQKRQpsCmUKbQplCm4KdApzCkIKeQpUCmEKZwpOCmEKbQplKQQKcwpjCnIKaQpwCnQCASQFBS8ELwMECmwKZQpuCmcKdApoOzYkBQUvBQQKQQpyCnIKYQp5DTcAJAUFLwYvCAQKaQpzCkkKRQo5CkIKZQpsCm8KdzsCADIAJAUFLwY/AAQ+FzwFBgoFLwcvAwAGOzYkBQUvBwQKcwpyCmM7NjwGKgUvBQQKcAp1CnMKaDsACS8HBApzCnIKYzs2QgECAQUvBic/J0ABQAAIARQkBTIAQAA4BQYIBAplCm4KYwpvCmQKZQpVClIKSQpDCm8KbQpwCm8KbgplCm4KdCAABAQKLBQvBQQKagpvCmkKbjsECiwCARQCARA6AgAIEwkUQgAkBQUvBgQKcwpzOwAMGAUFLw0ECkEKcgpyCmEKeQ03ACcIAAMECnQKcBgFBScIAQMECmsKZQp5GAUFJwgCAwQKcAp5GAUFJwgDAwQKZQpuCnYYBQUnCAQDBAp2CmUKcgpzCmkKbwpuGAUFJwgFAwQKYwpMCm8KZBgFBScIBgMECmkKbgpmGAUFJwgHAwQKcwpzGAUFBApzCm8Kcgp0AwYqKAMqAgQKTQphCnQKaCAECnIKYQpuCmQKbwptKQIACB88MgAIARUGPAUIARA6AAACASQFBS8GBAprCmUKeTsACRgFBS8OBApBCnIKcgphCnkNNwAkBQUvCggAJAUFLwo/Lw0ECmwKZQpuCmcKdApoOzY+FzwFBjwFLw8vDQAKOzYkBQUvDgQKcAp1CnMKaDsADwQKPRQvBgAPOzYUAgEFLwonPydAAUAACAEUJAUyAEAAOAUGOi8QLxUECmQKZQpmCmEKdQpsCnQ7BAplCm4KYwpvCmQKZSkvFgQKZQpuCmMKcgp5CnAKdApECmEKdAphOy8OBApqCm8KaQpuOwQKJgIBAgECASQFBQQKdwppCm4KZApvCncgBApECkUKQgpVCkcKTQpPCkQKRSk2BS8DAAMECiYKdgpECmEKdAphCj0UABAUJEAABRA6BgIRChIMEwkUCxUIFgcDBBgFBREQOgADAwQFGAUFQgEXBREQ", [5, 1568, 18, 289, 353, 492, 378, 489, 493, 355, 511, 846, 556, 560, 558, 600, 601, 605, 603, 738, 847, 513, 861, 1281, 881, 885, 883, 898, 905, 910, 908, 914, 920, 924, 922, 942, 943, 947, 945, 950, 951, 955, 953, 981, 982, 987, 985, 991, 1170, 1174, 1172, 1193, 1194, 1199, 1197, 1277, 1205, 1211, 1209, 1273, 1230, 1245, 1246, 1232, 1271, 1203, 1275, 1277, 1282, 863, 1299, 1422, 1314, 1318, 1316, 1344, 1345, 1366, 1348, 1357, 1358, 1350, 1364, 1400, 1368, 1394, 1395, 1370, 1423, 1301, 1439, 1530, 1531, 1441, 1595, 2261, 1616, 1620, 1618, 1656, 
1657, 1965, 1689, 1771, 1692, 1760, 1730, 1734, 1732, 1743, 1761, 1694, 1769, 1965, 1773, 1957, 1811, 1815, 1813, 1824, 1928, 1941, 1942, 1930, 1958, 1775, 1973, 1977, 1975, 2007, 2008, 2174, 2011, 2166, 2028, 2034, 2032, 2160, 2061, 2143, 2144, 2156, 2158, 2026, 2162, 2164, 2167, 2013, 2262, 1597, 2277, 4211, 2556, 2698, 2613, 2664, 2662, 2697, 2699, 2558, 2711, 3126, 2729, 2780, 2781, 2786, 2784, 2791, 2865, 2869, 2867, 2917, 2918, 2922, 2920, 3011, 3042, 3046, 3044, 3050, 3051, 3055, 3053, 3059, 3060, 3065, 3063, 3070, 3076, 3082, 3080, 3093, 3091, 3074, 3095, 3097, 3105, 3125, 3127, 2713, 3141, 3402, 3154, 3158, 3156, 3192, 3193, 3239, 3237, 3399, 3403, 3143, 3416, 3522, 3449, 3454, 3452, 3515, 3475, 3480, 3478, 3483, 3487, 3492, 3490, 3515, 3523, 3418, 3554, 4194, 3648, 3652, 3650, 3698, 3669, 3687, 3704, 3752, 3725, 3729, 3727, 3752, 3753, 3757, 3755, 3780, 3789, 3794, 3792, 4190, 3811, 3816, 3814, 4176, 3822, 3828, 3826, 4172, 3868, 3872, 3870, 4168, 3876, 3880, 3878, 3883, 3884, 3888, 3886, 3910, 3896, 3910, 3911, 3991, 3921, 3925, 3923, 4168, 3989, 4168, 3995, 4045, 4002, 4006, 4004, 4013, 4014, 4035, 4033, 4038, 4043, 4097, 4059, 4063, 4061, 4070, 4071, 4090, 4088, 4093, 4170, 3820, 4174, 4176, 4188, 3781, 4195, 3556, 4212, 2279, 4229, 4769, 4315, 4516, 4330, 4334, 4332, 4513, 4373, 4467, 4403, 4425, 4423, 4513, 4465, 4513, 4517, 4317, 4542, 4754, 4557, 4561, 4559, 4751, 4606, 4699, 4636, 4657, 4655, 4751, 4697, 4751, 4755, 4544, 4770, 4231, 4787, 9215, 4810, 4922, 4825, 4918, 4851, 4855, 4853, 4921, 4884, 4921, 4916, 4921, 4925, 4812, 4935, 4975, 4949, 4953, 4951, 4974, 4978, 4937, 4990, 4994, 4992, 5030, 5031, 5128, 5034, 5123, 5045, 5049, 5047, 5075, 5076, 5119, 5117, 5122, 5124, 5036, 5586, 6072, 5665, 5669, 5667, 5679, 5680, 5684, 5682, 5706, 5710, 5714, 5712, 5738, 5739, 5743, 5741, 5793, 6073, 5588, 6097, 6233, 6137, 6199, 6197, 6232, 6234, 6099, 6259, 6396, 6276, 6280, 6278, 6283, 6284, 6288, 6286, 6313, 6314, 6319, 6317, 6394, 6325, 6331, 6329, 
6386, 6340, 6350, 6344, 6382, 6348, 6382, 6353, 6342, 6384, 6323, 6388, 6390, 6397, 6261, 6428, 6591, 6466, 6553, 6506, 6512, 6510, 6516, 6551, 6589, 6592, 6430, 6627, 6946, 6665, 6670, 6668, 6712, 6947, 6629, 6992, 7354, 7275, 7281, 7279, 7346, 7330, 7335, 7333, 7273, 7344, 7273, 7348, 7350, 7355, 6994, 7410, 8163, 7529, 7539, 7534, 400, 7563, 7594, 7625, 7630, 7628, 7692, 7690, 7602, 7695, 7994, 7728, 7759, 7790, 7795, 7793, 7863, 7861, 7767, 7907, 7911, 7909, 7991, 7995, 7697, 8053, 8086, 8084, 8160, 8164, 7412, 8196, 8344, 8345, 8198, 8380, 8542, 8424, 8428, 8426, 8541, 8543, 8382, 8572, 9151, 8648, 8652, 8650, 8684, 8690, 8695, 8693, 9149, 8806, 8810, 8808, 8865, 8893, 8897, 8895, 9075, 8928, 8953, 8977, 8980, 9014, 9041, 9067, 9070, 9152, 8574, 9216, 4789, 9233, 9529, 9326, 9443, 9335, 9435, 9436, 9337, 9444, 9328, 9530, 9235, 9547, 10824, 9568, 9572, 9570, 9608, 9609, 9706, 9612, 9701, 9623, 9627, 9625, 9653, 9654, 9697, 9695, 9700, 9702, 9614, 9916, 9937, 9975, 10380, 10026, 10031, 10029, 10035, 10059, 10077, 10103, 10107, 10105, 10148, 10171, 10175, 10173, 10197, 10230, 10235, 10233, 10311, 10250, 10254, 10252, 10287, 10309, 10222, 10333, 10337, 10335, 10376, 10381, 9977, 10445, 10812, 10494, 10499, 10497, 10503, 10508, 10526, 10552, 10556, 10554, 10568, 10591, 10595, 10593, 10617, 10703, 10708, 10706, 10743, 10741, 10681, 10765, 10769, 10767, 10808, 10813, 10447, 10825, 9549, 10842, 11264, 10937, 11255, 11056, 11061, 11059, 11251, 11129, 11133, 11131, 11166, 11167, 11172, 11170, 11177, 11229, 11233, 11231, 11240, 11241, 11246, 11244, 11251, 11256, 10939, 11265, 10844, 11280, 12635, 11483, 11590, 11494, 11551, 11498, 11587, 11501, 11511, 11505, 11546, 11509, 11546, 11514, 11503, 11549, 11587, 11554, 11496, 11591, 11485, 11618, 11840, 11641, 11647, 11645, 11650, 11654, 11780, 11658, 11837, 11661, 11671, 11665, 11775, 11669, 11775, 11674, 11663, 11742, 11747, 11745, 11774, 11778, 11837, 11783, 11656, 11841, 11620, 11875, 12109, 11987, 11992, 11990, 12105, 
12057, 12061, 12059, 12081, 12103, 11964, 12110, 11877, 12149, 12190, 12191, 12151, 12203, 12406, 12248, 12274, 12272, 12402, 12345, 12366, 12364, 12399, 12407, 12205, 12443, 12622, 12460, 12466, 12464, 12614, 12503, 12507, 12505, 12610, 12612, 12458, 12616, 12618, 12623, 12445, 12636, 11282, 12653, 15200, 12682, 12686, 12684, 12722, 12723, 13031, 12755, 12837, 12758, 12826, 12796, 12800, 12798, 12809, 12827, 12760, 12835, 13031, 12839, 13023, 12877, 12881, 12879, 12890, 12994, 13007, 13008, 12996, 13024, 12841, 13039, 13043, 13041, 13085, 13086, 13312, 13118, 13165, 13121, 13156, 13157, 13123, 13163, 13312, 13167, 13306, 13307, 13169, 13320, 13324, 13322, 13354, 13355, 13616, 13358, 13607, 13373, 13377, 13375, 13403, 13404, 13409, 13407, 13413, 13440, 13445, 13443, 13594, 13451, 13457, 13455, 13590, 13485, 13489, 13487, 13570, 13571, 13575, 13573, 13586, 13588, 13449, 13592, 13594, 13608, 13360, 13785, 13820, 13821, 13787, 13858, 13970, 13895, 13905, 13899, 13967, 13903, 13967, 13908, 13897, 13971, 13860, 13987, 14140, 14117, 14122, 14120, 14136, 14134, 14094, 14141, 13989, 14151, 14556, 14205, 14210, 14208, 14214, 14398, 14403, 14401, 14552, 14438, 14443, 14441, 14516, 14514, 14430, 14550, 14390, 14557, 14153, 14591, 15188, 14600, 14712, 14639, 14644, 14642, 14647, 14713, 14602, 14718, 15123, 14772, 14777, 14775, 14781, 14965, 14970, 14968, 15119, 15005, 15010, 15008, 15083, 15081, 14997, 15117, 14957, 15124, 14720, 15189, 14593, 15201, 12655, 15218, 16835, 15239, 15402, 15285, 84941944608, 15291, 15296, 15294, 15380, 15353, 2654435769, 15378, 15284, 15405, 15241, 15414, 15577, 15455, 84941944608, 15466, 15471, 15469, 15555, 15531, 2654435769, 15553, 15459, 15580, 15416, 15589, 15722, 15623, 15628, 15626, 15694, 15692, 15615, 15711, 15718, 15716, 15721, 15725, 15591, 15733, 15813, 15816, 15735, 15916, 16231, 15997, 16002, 16e3, 16067, 16065, 15989, 16097, 16102, 16100, 16227, 16225, 16074, 16232, 15918, 16265, 16818, 16346, 16351, 16349, 16416, 16414, 16338, 
16477, 16573, 16574, 16479, 16613, 16618, 16616, 16743, 16741, 16590, 16819, 16267, 16836, 15220, 16853, 19487, 17082, 17582, 17144, 17149, 17147, 17578, 17369, 17404, 17388, 17392, 17390, 17419, 17402, 17419, 17576, 17121, 17583, 17084, 17606, 18332, 17748, 17753, 17751, 18293, 18165, 18169, 18167, 18223, 18231, 18235, 18233, 18289, 18291, 17725, 18333, 17608, 18370, 18928, 18476, 18481, 18479, 18924, 18522, 18846, 18530, 18534, 18532, 18541, 18538, 2048, 18542, 18725, 18723, 18900, 18844, 18900, 18922, 18453, 18929, 18372, 18964, 19451, 19031, 19036, 19034, 19447, 19075, 19371, 19083, 19087, 19085, 19094, 19095, 19256, 19254, 19443, 19369, 19443, 19445, 19008, 19452, 18966, 19488, 16855, 19505, 20087, 19602, 20073, 19637, 19666, 19664, 20070, 19700, 20059, 19770, 19774, 19772, 19823, 19824, 19828, 19826, 19838, 19871, 19879, 19877, 19883, 19938, 19943, 19941, 20057, 2e4, 20005, 20003, 20034, 20030, 20033, 20055, 19915, 20060, 19702, 20074, 19604, 20088, 19507, 20105, 20823, 20138, 20813, 20351, 20463, 20364, 20374, 20368, 20441, 20372, 20441, 20377, 20366, 20426, 20430, 20428, 20439, 20464, 20353, 20537, 20797, 20550, 20560, 20554, 20775, 20558, 20775, 20563, 20552, 20584, 20588, 20586, 20606, 20607, 20612, 20610, 20774, 20687, 20691, 20689, 20701, 20734, 20742, 20740, 20746, 20798, 20539, 20814, 20140, 20824, 20107, 20841, 20950, 20951, 20843, 20968, 24257, 20999, 21003, 21001, 21039, 21040, 21137, 21043, 21132, 21054, 21058, 21056, 21084, 21085, 21128, 21126, 21131, 21133, 21045, 21253, 21321, 21322, 21255, 21331, 22025, 21854, 21859, 21857, 21939, 21891, 21896, 21894, 21916, 21937, 21831, 22026, 21333, 22036, 22273, 22116, 22121, 22119, 22269, 22152, 22157, 22155, 22246, 22222, 22227, 22225, 22246, 22237, 22240, 22244, 22269, 22267, 22093, 22274, 22038, 22315, 24234, 22398, 22663, 22411, 22441, 22415, 22660, 22439, 22660, 22444, 22413, 22523, 22526, 22593, 22597, 22595, 22615, 22607, 22611, 22621, 22625, 22623, 22628, 22629, 22655, 22653, 22658, 22664, 22400, 
22707, 22715, 22713, 22719, 22728, 22972, 22750, 22755, 22753, 22807, 22889, 22894, 22892, 22968, 22966, 22866, 22973, 22730, 22988, 23004, 23025, 23056, 23091, 23111, 23112, 23140, 23138, 23142, 23148, 23156, 23157, 23181, 23179, 23183, 23184, 23208, 23206, 23224, 23263, 23268, 23266, 23331, 23329, 23240, 23365, 23383, 23381, 23391, 23397, 23727, 23575, 23580, 23578, 23662, 23604, 23608, 23606, 23638, 23660, 23567, 23728, 23399, 23896, 23945, 23929, .5, 23932, 23941, 23939, 23944, 23946, 23898, 24018, 24023, 24021, 24086, 24084, 23995, 24235, 22317, 24258, 20970]]), window)
}();
__TENCENT_CHAOS_STACK.g = function() {
    return __TENCENT_CHAOS_STACK.shift()[0]
}
;

Set a breakpoint at the function call:

image-20211019202756322.png

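Move the slider to trigger the breakpoint. The K parameter (the PC, here the address of the function being called) and the A parameter (the arguments passed in) are: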

image-20211019203024158.png

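The first priority now is to work out how vData is encrypted; once we can decrypt the ciphertext and analyse the data inside, things become much more intuitive. This time we take the same approach as for collect, namely modifying the code so that it prints log information. For now, let's call this hooking.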

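We choose to hook the addition instruction and look at the log. The steps are as follows (done directly in the browser developer tools rather than in a simulated node environment, because this VM code involves network requests and working directly in the developer tools is much simpler):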

(1) First find the line containing the addition instruction (line 89, as you can see):

image-20211019203715106.png

(2) Right-click the line-number gutter at line 90 (where the instruction has finished executing) and choose Add logpoint...

image-20211019204215073.png

(3) Enter n[n.length - 1] and press Enter:

image-20211019204337071.png

The hook is now in place: whenever the addition instruction runs, the value on top of the stack, i.e. the result of the addition, is printed.

Let the code run and the console prints the log automatically. The first part of the output is:

1
VM171:1 2
VM172:1 3
VM173:1 4
VM174:1 5
VM175:1 6
VM176:1 7
VM177:1 8
VM178:1 9
VM179:1 10
VM180:1 11
VM181:1 12
VM182:1 13
VM183:1 14
VM184:1 15
VM185:1 16
VM186:1 17
VM187:1 18
VM188:1 19
VM189:1 20
VM190:1 21
VM191:1 22
VM192:1 23
VM193:1 24
VM194:1 25
VM195:1 26
VM196:1 27
VM197:1 28
VM198:1 29
VM199:1 30
VM200:1 31
VM201:1 tlg=(.*)
VM202:1 1
VM203:1 2
VM204:1 3
VM205:1 4
VM206:1 1
VM207:1 2
VM208:1 3
VM209:1 4
VM210:1 5
VM211:1 6
VM212:1 7
VM213:1 8
VM214:1 9
VM215:1 10
VM216:1 11
VM217:1 12
VM218:1 13
VM219:1 sess=(.*)
VM220:1 P
VM221:1 1
VM222:1 Ps
VM223:1 2
VM224:1 Psl
VM225:1 3
VM226:1 PslP
VM227:1 4
VM228:1 1
VM229:1 2
VM230:1 3
VM231:1 4
VM232:1 5
VM233:1 6
VM234:1 7
VM235:1 1
VM236:1 8
VM237:1 1
VM238:1 2
VM239:1 9
VM240:1 1
VM241:1 2
VM242:1 3
VM243:1 4
VM244:1 10
VM245:1 11
VM246:1 11,
VM247:1 11,tdc,slide,vm
VM248:1 ss=
VM249:1 ss=11%2Ctdc%2Cslide%2Cvm
VM250:1 1
VM251:1 env=
VM252:1 env=0
VM253:1 2
VM254:1 py=
VM255:1 py=0
VM256:1 3
VM257:1 inf=
VM258:1 inf=iframe
VM259:1 4
VM260:1 key=
VM261:1 key=PslP
VM262:1 5
VM263:1 cLod=
VM264:1 cLod=loadTDC
VM265:1 6
VM266:1 tp=
VM267:1 tp=5547380864951241219
VM268:1 7
VM269:1 version=
VM270:1 version=2
VM271:1 8
VM272:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2k
VM273:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kk
VM274:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkk
VM275:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkk
VM276:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkk
VM277:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkk
VM278:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkk
VM279:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkk
VM280:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkk
VM281:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkk
VM282:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkkk
VM283:1 0
VM284:1 1
VM285:1 4
VM286:1 2
VM287:1 8
VM288:1 3
VM289:1 12
VM290:1 4
2VM291:1 5
VM293:1 9
VM294:1 6
VM295:1 13
VM296:1 7
VM297:1 1
VM298:1 8
VM299:1 10
VM300:1 9
VM301:1 14
VM302:1 10
VM303:1 2
VM304:1 11
VM305:1 6
VM306:1 12
VM307:1 15
VM308:1 13
VM309:1 3
VM310:1 14
VM311:1 7
VM312:1 15
VM313:1 11
VM314:1 16
VM315:1 s1t2%dCscs=2l1C%
2VM316:1 16
VM318:1 1
VM319:1 20
VM320:1 2
VM321:1 24
VM322:1 3
VM323:1 28
VM324:1 4
VM325:1 21
VM326:1 5
VM327:1 25
VM328:1 6
VM329:1 29
VM330:1 7
VM331:1 17
VM332:1 8
VM333:1 26
VM334:1 9
VM335:1 30
VM336:1 10
VM337:1 18
VM338:1 11
VM339:1 22
VM340:1 12
VM341:1 31
VM342:1 13
VM343:1 19
VM344:1 14
VM345:1 23
VM346:1 15
VM347:1 27
VM348:1 16
VM349:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mv
2VM350:1 32
VM352:1 1
VM353:1 36
VM354:1 2
VM355:1 40
VM356:1 3
VM357:1 44
VM358:1 4
VM359:1 37
VM360:1 5
VM361:1 41
VM362:1 6
VM363:1 45
VM364:1 7
VM365:1 33
VM366:1 8
VM367:1 42
VM368:1 9
VM369:1 46
VM370:1 10
VM371:1 34
VM372:1 11
VM373:1 38
VM374:1 12
VM375:1 47
VM376:1 13
VM377:1 35
VM378:1 14
VM379:1 39
VM380:1 15
VM381:1 43
VM382:1 16
VM383:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=a
2VM384:1 48
VM386:1 1
VM387:1 52
VM388:1 2
VM389:1 56
VM390:1 3
VM391:1 60
VM392:1 4
VM393:1 53
VM394:1 5
VM395:1 57
VM396:1 6
VM397:1 61
VM398:1 7
VM399:1 49
VM400:1 8
VM401:1 58
VM402:1 9
VM403:1 62
VM404:1 10
VM405:1 50
VM406:1 11
VM407:1 54
VM408:1 12
VM409:1 63
VM410:1 13
VM411:1 51
VM412:1 14
VM413:1 55
VM414:1 15
VM415:1 59
VM416:1 16
VM417:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&d
2VM418:1 64
VM420:1 1
VM421:1 68
VM422:1 2
VM423:1 72
VM424:1 3
VM425:1 76
VM426:1 4
VM427:1 69
VM428:1 5
VM429:1 73
VM430:1 6
VM431:1 77
VM432:1 7
VM433:1 65
VM434:1 8
VM435:1 74
VM436:1 9
VM437:1 78
VM438:1 10
VM439:1 66
VM440:1 11
VM441:1 70
VM442:1 12
VM443:1 79
VM444:1 13
VM445:1 67
VM446:1 14
VM447:1 71
VM448:1 15
VM449:1 75
VM450:1 16
VM451:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7
2VM452:1 80
VM454:1 1
VM455:1 84
VM456:1 2
VM457:1 88
VM458:1 3
VM459:1 92
VM460:1 4
VM461:1 85
VM462:1 5
VM463:1 89
VM464:1 6
VM465:1 93
VM466:1 7
VM467:1 81
VM468:1 8
VM469:1 90
VM470:1 9
VM471:1 94
VM472:1 10
VM473:1 82
VM474:1 11
VM475:1 86
VM476:1 12
VM477:1 95
VM478:1 13
VM479:1 83
VM480:1 14
VM481:1 87
VM482:1 15
VM483:1 91
VM484:1 16
VM485:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&
2VM486:1 96
VM488:1 1
VM489:1 100
VM490:1 2
VM491:1 104
VM492:1 3
VM493:1 108
VM494:1 4
VM495:1 101
VM496:1 5
VM497:1 105
VM498:1 6
VM499:1 109
VM500:1 7
VM501:1 97
VM502:1 8
VM503:1 106
VM504:1 9
VM505:1 110
VM506:1 10
VM507:1 98
VM508:1 11
VM509:1 102
VM510:1 12
VM511:1 111
VM512:1 13
VM513:1 99
VM514:1 14
VM515:1 103
VM516:1 15
VM517:1 107
VM518:1 16
VM519:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&i2kkkkkokknkk=kk
VM520:1 112
VM521:1 1
VM522:1 1
VM523:1 2
VM524:1 3
VM525:1 4
VM526:1 1
VM527:1 2
VM528:1 1
VM529:1 2
VM530:1 3
VM531:1 4
VM532:1 2
VM533:1 3
VM534:1 1
VM535:1 2
VM536:1 3
VM537:1 4
VM538:1 3
VM539:1 4
VM540:1 1
VM541:1 2
VM542:1 3
VM543:1 4
2VM544:1 4
VM546:1 1
VM547:1 2
VM548:1 3
VM549:1 4
VM550:1 4
VM551:1 8
VM552:1 1
VM553:1 2
VM554:1 3
VM555:1 4
VM556:1 2867838358
VM557:1 845493299
VM558:1 -889275624
VM559:1 -2336555152
VM560:1 2654435769
VM561:1 4338529007
VM562:1 3915755972
VM563:1 2054546322
VM564:1 3466441244
VM565:1 -2149118810
VM566:1 -2190016853
VM567:1 5308871538

There is some useful information in there, as follows:

VM201:1 tlg=(.*) // regular expression, extracts tlg
VM219:1 sess=(.*) // regular expression, extracts tlg
VM282:1 ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loadTDC&tp=5547380864951241219&version=2kkkkkkkkkkk // very likely the plaintext before encryption; the extra k's are probably the padding
VM519:1 s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&dd&53t58T40Dp8C=7642v81e49r94s51&i2kkkkkokknkk=kk // the shuffled string
VM560:1 2654435769 // the familiar delta constant

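Now that we have found the delta constant, we only need to add a conditional breakpoint that stops when the value on top of the stack equals the delta constant. The procedure is similar to the logpoint; when right-clicking, choose Add conditional breakpoint...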

image-20211019211318256.png

Add the condition n[n.length - 1]==2654435769

image-20211019211419211.png

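Then drag the slider and the breakpoint hits. At this point the PC (the first argument of the __TENCENT_CHAOS_VM function; in my case the variable is named g) has the value 15355: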

image-20211019211706995.png

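We now have the PC value for this point in the code. Next we need to think about how to extract the key and where it can be obtained. Since we cannot be sure whether the TEA encryption here has been modified, the only option is to debug it honestly, record every operation it performs, and restore it as JavaScript code. There is no special trick to the debugging; what matters most is patience. The restored core code is as follows (fixed key):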

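function EncryptBlock(EncryData){
    // Fixed key, four 32-bit words
    var Key = [845493299, 812005475, 825582135, 1684093238];
    // One block is two 32-bit words
    var x = EncryData[0];
    var y = EncryData[1];
    var sum = 0;
    var delta = 0x9E3779B9;
    // x, y and sum are not truncated to 32 bits here; the bitwise
    // operators coerce their operands to 32 bits on every use
    for (var i = 0; i < 32; i++){
        x += (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3]);
        sum += delta;
        y += (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]);
    }
    return [x, y];
}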

Working backwards from the encryption code gives the decryption code:

function DecryptBlock(DecryData){
    var Key = [845493299, 812005475, 825582135, 1684093238];
    var x = DecryData[0];
    var y = DecryData[1];
    // sum starts at the value it has after the 32 encryption rounds
    var sum = 0x9E3779B9 * 32;
    var delta = 0x9E3779B9;
    // Undo the encryption steps in reverse order
    for (var i = 0; i < 32; i++){
        y -= (((x << 4) ^ (x >>> 5)) + x) ^ (sum + Key[(sum >> 11) & 3]);
        sum -= delta;
        x -= (((y << 4) ^ (y >>> 5)) + y) ^ (sum + Key[sum & 3]);
    }
    return [x, y];
}

Replace collect's encryption and decryption functions with these two functions and the ciphertext can be decrypted.
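A check on the reconstruction above, as an added example that is not code from the original post: the round function has the same shape as textbook XTEA, and the untruncated JavaScript arithmetic agrees with a uint32 reference once results are reduced modulo 2^32. The function names and sample blocks are assumptions made for this example; the key and constants are the ones shown above.

```javascript
// Added example. KEY, DELTA and the loose arithmetic are taken from the page's
// EncryptBlock; the sample blocks below are constructed for the check.
const DELTA = 0x9E3779B9;
const ROUNDS = 32;
const KEY = [845493299, 812005475, 825582135, 1684093238];

// The page's arithmetic: x, y and sum are ordinary JS numbers and are never
// truncated, which is why the addition log contains values above 2^32
// (for example 4338529007 = DELTA + KEY[3]) and negative values.
function encryptBlockLoose(block, key) {
  let x = block[0], y = block[1], sum = 0;
  for (let i = 0; i < ROUNDS; i++) {
    x += (((y << 4) ^ (y >>> 5)) + y) ^ (sum + key[sum & 3]);
    sum += DELTA;
    y += (((x << 4) ^ (x >>> 5)) + x) ^ (sum + key[(sum >> 11) & 3]);
  }
  return [x, y];
}

// Textbook XTEA with explicit wrap-around to uint32 after every step.
function xteaEncrypt(block, key) {
  let v0 = block[0] >>> 0, v1 = block[1] >>> 0, sum = 0;
  for (let i = 0; i < ROUNDS; i++) {
    v0 = (v0 + ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
    sum = (sum + DELTA) >>> 0;
    v1 = (v1 + ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
  }
  return [v0, v1];
}

function xteaDecrypt(block, key) {
  let v0 = block[0] >>> 0, v1 = block[1] >>> 0;
  let sum = (DELTA * ROUNDS) >>> 0; // 84941944608 reduced modulo 2^32
  for (let i = 0; i < ROUNDS; i++) {
    v1 = (v1 - ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
    sum = (sum - DELTA) >>> 0;
    v0 = (v0 - ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
  }
  return [v0, v1];
}

// Reduce a pair of possibly out-of-range numbers to uint32 words.
const toU32 = (pair) => pair.map((n) => n >>> 0);

// Constructed sample blocks (two 32-bit words each).
const SAMPLE_BLOCKS = [
  [0, 0],
  [0x01234567, 0x89ABCDEF],
  [0xFFFFFFFF, 0xFFFFFFFF],
  [0x73733D31, 0x31253243],
];

// True when the loose arithmetic and the reference agree modulo 2^32.
function looseMatchesReference(blocks, key) {
  return blocks.every((b) => {
    const loose = toU32(encryptBlockLoose(b, key));
    const ref = xteaEncrypt(b, key);
    return loose[0] === ref[0] && loose[1] === ref[1];
  });
}

// True when reference decryption restores every sample block.
function roundTrips(blocks, key) {
  return blocks.every((b) => {
    const back = xteaDecrypt(xteaEncrypt(b, key), key);
    return back[0] === (b[0] >>> 0) && back[1] === (b[1] >>> 0);
  });
}
```

When the outputs of the untruncated version are stored as bytes or compared with another implementation, reduce them with `>>> 0` first.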

Now let's work out the algorithm behind the shuffled string:

String shuffling generally relies on a mapping table, as in the following code:

var msg = "0123"
var map = [3,2,1,0]
var res = ""
var mlength = msg.length
for(var i = 0; i < mlength; i++){
    // take the character the mapping table points to
    res += msg.charAt(map[i])
}
// the result is "3210"
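The mapping table can be read off the hook logs on this page: within each 16-character block the characters are read in the order 0, 4, 8, 12, 5, 9, 13, 1, 10, 14, 2, 6, 15, 3, 7, 11. The following is an added example, not code from the original post, that derives the table from logged indices, applies it and inverts it; the function names are assumptions, and the sample strings are the first 64 characters of the plaintext and of the shuffled string in the addition-hook log.

```javascript
// Added example. Read order inside every 16-character block, as printed by the
// hook logs on this page.
const ORDER = [0, 4, 8, 12, 5, 9, 13, 1, 10, 14, 2, 6, 15, 3, 7, 11];

// The first 32 read indices from the page's logs (two blocks).
const LOGGED_INDICES = [
  0, 4, 8, 12, 5, 9, 13, 1, 10, 14, 2, 6, 15, 3, 7, 11,
  16, 20, 24, 28, 21, 25, 29, 17, 26, 30, 18, 22, 31, 19, 23, 27,
];

// First 64 characters of the logged plaintext and of the logged shuffled string.
const PLAIN_PREFIX = "ss=11%2Ctdc%2Cslide%2Cvm&env=0&py=0&inf=iframe&key=PslP&cLod=loa";
const SHUFFLED_PREFIX = "s1t2%dCscs=2l1C%i2&=Ce0dn&evp%mvyiimnfe=r&0fk&=aesc=lLlyoo=PaP&d";

// Derive the per-block table from a flat list of logged read indices and check
// that every later block repeats the first block's pattern.
function deriveOrder(indices, blockSize) {
  if (indices.length === 0 || indices.length % blockSize !== 0) {
    throw new RangeError("index list must cover whole blocks");
  }
  const order = indices.slice(0, blockSize);
  const inRange = order.every((o) => Number.isInteger(o) && o >= 0 && o < blockSize);
  if (!inRange || new Set(order).size !== blockSize) {
    throw new Error("first block is not a permutation of 0.." + (blockSize - 1));
  }
  indices.forEach((idx, i) => {
    const base = Math.floor(i / blockSize) * blockSize;
    if (idx !== base + order[i % blockSize]) {
      throw new Error("index " + i + " breaks the per-block pattern");
    }
  });
  return order;
}

// inverse[src] = dst, so applying the inverse table undoes the original one.
function invertOrder(order) {
  const inverse = new Array(order.length);
  order.forEach((src, dst) => { inverse[src] = dst; });
  return inverse;
}

// Output position i of each block takes the input character at offset order[i].
function permuteBlocks(text, order) {
  if (text.length % order.length !== 0) {
    throw new RangeError("text length must be a multiple of " + order.length);
  }
  let out = "";
  for (let base = 0; base < text.length; base += order.length) {
    for (const offset of order) out += text.charAt(base + offset);
  }
  return out;
}

const shuffle = (text) => permuteBlocks(text, ORDER);
const unshuffle = (text) => permuteBlocks(text, invertOrder(ORDER));
```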

We hook the charAt function with the following code (just copy it, paste it into the console and press Enter):

var hookCharAt = String.prototype.charAt;
String.prototype.charAt = function (index) {
    var res = hookCharAt.call(this, index)
    console.log(this, index)
    return res
}

The hook log is as follows:

String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 1
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 7
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 8
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 4
VM22081:4 String {"0abcdefghijklmnop"} 11
// the shuffle starts here
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 0
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 4
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 8
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 12
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 5
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 9
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 13
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 1
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 10
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 14
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 2
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 6
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 15
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 3
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 7
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 11
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 16
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 20
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 24
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 28
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 21
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 25
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 29
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 17
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 26
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 30
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 18
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 22
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 31
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 19
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 23
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 27
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 32
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 36
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 40
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 44
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 37
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 41
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 45
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 33
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 42
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 46
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 34
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 38
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 47
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 35
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 39
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 43
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 48
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 52
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 56
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 60
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 53
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 57
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 61
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 49
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 58
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 62
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 50
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 54
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 63
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 51
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 55
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 59
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 64
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 68
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 72
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 76
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 69
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 73
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 77
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 65
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 74
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 78
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 66
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 70
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 79
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 67
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 71
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 75
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 80
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 84
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 88
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 92
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 85
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 89
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 93
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 81
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 90
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 94
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 82
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 86
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 95
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 83
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 87
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 91
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 96
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 100
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 104
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 108
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 101
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 105
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 109
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 97
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 106
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 110
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 98
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 102
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 111
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 99
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 103
VM22081:4 String {"py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0kkkkkkkkkkk"} 107
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 45
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 47
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 62
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 5
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 54
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 18
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 4
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 4
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 25
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 50
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 63
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 35
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 61
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 52
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 44
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 52
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 51
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 34
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 20
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 49
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 40
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 59
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 23
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 24
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 22
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 36
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 41
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 55
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 58
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 55
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 22
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 13
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 33
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 38
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 11
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 60
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 43
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 8
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 39
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 26
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 21
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 12
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 35
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 21
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 59
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 3
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 25
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 2
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 28
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 62
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 0
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 7
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 1
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 15
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 45
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 17
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 57
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 19
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 29
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 6
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 10
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 14
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 30
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 9
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 58
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 16
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 48
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 46
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 37
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 32
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 64
VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 64

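As you can see, the indexes were printed. The charAt result of String {"0abcdefghijklmnop"} 11 is exactly the letter k, which corresponds to the padding of the plaintext. The plaintext py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2…tp=7250156632690052586&version=2&env=0 has a length of 101 and was padded with 11 characters; the padding table is 0abcdefghijklmnop, and after padding the length is a multiple of 16. So the shuffle should work in rounds of 16 characters, and we only need the indexes of the first 16 positions to recover both the shuffle and the algorithm that restores the original order. The recovered algorithm is as follows: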

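function seqEncode(msg){
    // Pad msg to a multiple of 16 characters.
    var tmp = msg.length % 16;
    // The padding character is selected by the number of characters added (16 - tmp):
    // a 101-character message gets 11 characters of "k", as seen in the hook log.
    var ch = "0abcdefghijklmnop".charAt(16 - tmp)
    while(tmp&&(16 - tmp)){
        msg += ch;
        tmp++;
    }
    // Output position j of each block takes input position keyMap[j].
    var keyMap = [0, 4, 8, 12, 5, 9, 13, 1, 10, 14, 2, 6, 15, 3, 7, 11];
    tmp = msg.length >> 4; // number of 16-character blocks

    var res = "";
    for(var i = 0; i < tmp; i++){
        var cut = msg.slice(i*16,i*16+16);
        for(var j = 0; j < 16; j++){
            res += cut.charAt(keyMap[j])
        }
    }
    return res;
}
function seqDecode(msg){
    // Inverse of the keyMap used in seqEncode.
    var keyMap = [0, 7, 10, 13, 1, 4, 11, 14, 2, 5, 8, 15, 3, 6, 9, 12];
    var tmp = msg.length >> 4; // number of 16-character blocks
    var res = "";
    for(var i = 0; i < tmp; i++){
        var cut = msg.slice(i*16,i*16+16);
        for(var j = 0; j < 16; j++){
            res += cut.charAt(keyMap[j])
        }
    }
    return res;
}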

Next, look at the last segment first:

VM22081:4 String {"GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY"} 48

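Here GV5yc1_twaSpHPOE7R3jv9fqC2L-0TxMi4FuolBAbQeIgJU*XzZKWkDNh6n8dsrmY is a base64 table. Substituting this table for the standard base64 encoding table, then decoding the ciphertext, decrypting it, and restoring the original order recovers the initial plaintext, so the encryption part is complete.

Now for the analysis of the plaintext parameters. The complete plaintext is as follows: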

py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2Cvm&key=0T3E&tp=7250156632690052586&version=2&env=0kkkkkkkkkkk

Now only the final key field should remain: key=0T3E

From the hook log above, the first few lines are:

String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 1
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 7
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 8
VM22081:4 String {"s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q**"} 4

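1784 actually corresponds to tlg in the submitted parameters, which is the length of collect, and s07MEo6T3CWctUHFfxqCxvdirgIfUxLEAMZ-WzFaOH4dcvrWUM…q_k1pclUMwrBvVe5HK4zeAhCIsxn8WHMOc4VKWJwJ4X-U-Q** is exactly the sess parameter returned by the server, so the key algorithm is recovered as follows: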

function getKey(sess,tlg){
    // tlg is the length of collect; each of its decimal digits is used as an index into sess.
    tlg = tlg + "";
    var length = tlg.length;
    var res = "";
    for(var i = 0; i < length; i++){
        res += sess.charAt(Number(tlg.charAt(i)))
    }
    return res;
}

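0x07 Closing remarks

At this point, the encryption of the two core parameters has been fully recovered; what remains is to simulate the parameter generation, and the CAPTCHA can then be cracked. This slider does not actually validate the slide data or the mouse-movement data, so empty values also pass; the key point is the validation and reconstruction of the environment parameters inside collect. From first touching this VM to automatically cracking the slider took about four or five days in total, and my understanding of jsvmp has deepened further, especially the execution flow and some of the core design ideas. In the near future I plan to see whether I can develop a virtualization tool for JS code; if anything comes of it, I will share it with everyone again!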
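The step from the hook log to the two keyMap tables in the post, as an added example that is not the original poster's code: one logged block of charAt indexes fully determines the transposition and its inverse, which is why this layer is a fixed, keyless shuffle rather than encryption. The function names are chosen here; the index run, padding table and plaintext are the ones quoted in the post.

```javascript
// Added example, not code from the post.
// charAt indexes logged for one 16-character block (positions 96..111 in the hook log).
const observedBlock = [96, 100, 104, 108, 101, 105, 109, 97, 106, 110, 98, 102, 111, 99, 103, 107];
// Padding table and unpadded plaintext as quoted in the post.
const PAD_ALPHABET = "0abcdefghijklmnop";
const PLAINTEXT = "py=0&cLod=loadTDC&inf=iframe&ss=11%2Ctdc%2Cslide%2Cvm&key=0T3E" +
  "&tp=7250156632690052586&version=2&env=0";

// Reduce absolute indexes to in-block offsets and check they form a permutation of 0..15.
function deriveKeyMap(indexes) {
  if (indexes.length !== 16) throw new Error("expected exactly one 16-index block");
  const base = Math.min(...indexes);
  if (base % 16 !== 0) throw new Error("block does not start on a 16-character boundary");
  const map = indexes.map((i) => i - base);
  if (new Set(map).size !== 16 || map.some((v) => v < 0 || v > 15)) {
    throw new Error("indexes are not a permutation of one block");
  }
  return map;
}

// Inverse permutation: if out[j] = in[map[j]], then in[map[j]] = out[j].
function invert(map) {
  const inv = new Array(map.length);
  map.forEach((src, j) => { inv[src] = j; });
  return inv;
}

// Apply a 16-entry table to every 16-character block of msg.
function permuteBlocks(msg, map) {
  if (msg.length % 16 !== 0) throw new Error("length must be a multiple of 16");
  let out = "";
  for (let off = 0; off < msg.length; off += 16) {
    for (let j = 0; j < 16; j++) out += msg[off + map[j]];
  }
  return out;
}

// Padding as described in the post: n missing characters are filled with PAD_ALPHABET[n].
function pad(msg) {
  const missing = (16 - (msg.length % 16)) % 16;
  return msg + PAD_ALPHABET.charAt(missing).repeat(missing);
}

// Derive both tables from the log and confirm the round trip on the post's plaintext.
function selfCheck() {
  const keyMap = deriveKeyMap(observedBlock);
  const inverse = invert(keyMap);
  const padded = pad(PLAINTEXT);
  const shuffled = permuteBlocks(padded, keyMap);
  return {
    keyMap,
    inverse,
    paddedLength: padded.length,
    roundTripOk: permuteBlocks(shuffled, inverse) === padded,
  };
}

console.log(selfCheck());
```

The derived tables match the keyMap arrays in seqEncode and seqDecode, and the padded plaintext ends in the eleven k characters shown in the post.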


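minibeetuaman posted on 2021-10-18 17:25
There aren't many articles studying JSVMP; looking forward to the follow-up!
sunnyvv512 posted on 2021-9-29 21:51
w565648 posted on 2021-12-23 23:29
Where is collect encrypted? Was the encryption formula worked out purely by guessing?
 OP | Null_Null posted on 2021-9-29 21:44
Can everyone load the images? The image host seems to be having some problems.
zx2000 posted on 2021-9-29 22:14
So impressive, I can't understand it
dyanmix posted on 2021-9-30 09:04
I don't understand it, but it sounds impressive
放手一搏09 posted on 2021-9-30 09:34
Waiting for the next post!
qqaz1026940566 posted on 2021-9-30 09:40
Waiting for the next post!!
yu357708827 posted on 2021-9-30 09:57
Very impressive, a technical article.. showing my support
dpyzxn posted on 2021-9-30 10:03
As a newbie, I have no idea what any of this is
Light紫星 posted on 2021-9-30 11:30
Very impressive, learned a lot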