
Code to mitigate IE event zero-day (CVE-2010-0249)




Here's a mitigation for the CVE-2010-0249 IE createEventObject
srcElement zero-day.  Quite simply, it just disables the
createEventObject method by mangling its name in memory.  If anyone
knows an important web application that uses createEventObject,
*please* respond to the mailing list.

Use this code at your own risk.  It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

 * Windows 2000 SP4, IE6 SP1
 * Windows XP (x86) SP3, IE 6 SP3
 * Windows XP (x86) SP3, IE 7
 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
 * Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
 * Windows Vista (x86) SP2, IE 7
 * Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation.  I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
characters are ignored (doesn't work), and I've tried
'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))'
(IE gives an "Invalid character" error).  So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

  [body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
  [img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above.  The 'for' loop is
just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
MSHTML!CImgHelper::Fire_onerror, but is later accessed during
MSHTML!CEventObj::get_srcElement.

-- Derek
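
The name-mangling idea described in the message, as an added example that is not part of the original post or its attachment: portable C that applies the same kind of in-place overwrite to a constructed buffer instead of MSHTML.DLL's memory, then checks that the old name is gone and the new one is ill-formed UTF-16. The buffer layout, function names, seed and the 0xDC00-0xDFFF low-surrogate range are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-16 code units of the method name the message disables. */
static const uint16_t NAME[] = { 'c','r','e','a','t','e','E','v','e','n','t',
                                 'O','b','j','e','c','t', 0 };
#define NAME_UNITS (sizeof(NAME) / sizeof(NAME[0]) - 1)  /* without the NUL */

/* Find the NUL-terminated name in a region of `units` code units. */
uint16_t *find_name(uint16_t *region, size_t units)
{
    for (size_t i = 0; i + NAME_UNITS + 1 <= units; i++)
        if (memcmp(region + i, NAME, sizeof(NAME)) == 0)
            return region + i;
    return NULL;
}

/* Mangle in place: 'x', then lone low surrogates (assumed range
   0xDC00-0xDFFF). Length and terminator stay, so nothing else moves. */
void mangle_name(uint16_t *name, unsigned seed)
{
    srand(seed);
    name[0] = 'x';
    for (size_t i = 1; i < NAME_UNITS; i++)
        name[i] = (uint16_t)(0xDC00u | ((unsigned)rand() & 0x03FFu));
}

/* 1 if s[0..n) is well-formed UTF-16 (surrogates only in high+low pairs). */
int utf16_well_formed(const uint16_t *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (s[i] >= 0xD800 && s[i] <= 0xDBFF) {          /* high surrogate */
            if (i + 1 >= n || s[i + 1] < 0xDC00 || s[i + 1] > 0xDFFF)
                return 0;
            i++;                                          /* skip its pair */
        } else if (s[i] >= 0xDC00 && s[i] <= 0xDFFF) {    /* stray low */
            return 0;
        }
    }
    return 1;
}

/* Constructed sample: a tiny "string table" with a neighbour on each side. */
void build_sample(uint16_t region[48])
{
    static const uint16_t prev[] = { 'b','o','d','y', 0 };
    static const uint16_t next[] = { 'o','p','e','n', 0 };
    memset(region, 0, 48 * sizeof(uint16_t));
    memcpy(region + 2, prev, sizeof(prev));
    memcpy(region + 10, NAME, sizeof(NAME));
    memcpy(region + 30, next, sizeof(next));
}

int main(void)
{
    uint16_t region[48], *hit;
    build_sample(region);
    mangle_name(hit = find_name(region, 48), 1u);
    printf("found again: %d, well-formed: %d\n", find_name(region, 48) != NULL,
           utf16_well_formed(hit, NAME_UNITS));
    return 0;
}
```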

Attachment: ieceo1.cpp.txt


