Differential Reversing (or some better name)
September 29th, 2009Note: As a prefix, I want to say I can’t decide on what to call this simple technique. Everyone seems to call it something different: filtering, differential debugging, coverage diffs, or delta traces. Either way it’s a simple idea, so I’m sticking with the first name that popped in my head. Whatever it’s called, it is important to know it’s been done many times and called a few different things. Carry on…
Motivation
Close your eyes and imagine…
In a moment of irrational team spirit, you, a vocal DC native (you actually live in Montgomery County — poser), bet $5,000 on your beloved Redskins. On Sunday, the Skins lose to the worst team in the league. You spend a night trying to destroy the part of your brain responsible for this lapse of judgment by consuming many many shots of tequila and making many many amazingly bad choices (attempting a bad idea overflow?). It’s 9am and you wake up with a hole where the team spirit functions of your brain used to be (I’m sure there was some collateral damage but I doubt anyone will notice). After a glass of orange juice (which you manage to keep down!), you remember you don’t have $5,000 (“It’s a lock!”… right). You reflect that Willie “Wet Work” Wollinski, your bookie, doesn’t actually seem like such a nice guy and would probably not “be so nice as to forget the whole thing.” Your brainstorming session helps you realize that you have no marketable skills… besides vulnerability discovery and exploit development!
You decide to try and find a bug in some large widely installed software and sell your new found bug to ZDI or iDefense. Having already read this blog post, you use differential reversing to pinpoint the implementation of an interesting feature in your target application, use the IDA plug-in to audit, find an exploitable bug, pound out a PoC and write a fairly weak advisory (but it should be worth $5,000). Hooray! You can keep your kneecaps (for this week at least). Thank $DEITY you read this blog post and didn’t waste time auditing extra sections of the target binary.
Overview
Differential reversing (as I am deeming it) is a really simple method to select starting points in a binary for dynamic auditing. This isn’t a new idea, I didn’t invent this technique. People have been doing this for-evah. I’m just documenting a useful set of tools I’ve developed to make my life easier. Pedram Amini’s Process Stalker can do this (calls it “filtering”). It does a bunch of other awesome stuff too. I’m also told Zynamics BinNavi can do this (they call it “differential debugging”), but I don’t have a rich uncle to buy me a copy so I cannot give a first hand account of how it works. It looks pretty nice — check out the BinNavi page for details.
This post is organized as follows. First, I’ll describe the method and the steps in implementing it. Next, I’ll describe the three small tools I’ve written and their implementation. At the end, I’ll show a little example of the tools in action on a nice proprietary application. All the tools are written for use on Windows and have been tested on XP. The technique is generic and could be used on any platform.
Differential Reversing
When I’m reversing, I’m always trying to find a place to add a good breakpoint — in other words, I’m not yet a great reverse engineer. I still spend more time in the debugger than IDA. I’ve seen suggestions to count cross references and get the frequently called functions reversed first. This makes great sense. After doing so, you get the memory primitives out of the way. I have a problem with the next step — where do you go next? My solution to this problem is to use dynamic information to find areas I am interested in. In large binaries, unless you can find some good data cross-references (strings or unique constants), it is very hard to statically find the areas of interest. On the other hand, it is usually easy to exercise the code you want dynamically. For example, you can exercise the de-frobbing code by passing your application frobbed data. Record a trace of execution while the application is processing your input and you will have a bound on where the interesting code is located. Next, the problem is how to search your large basic block run trace for the de-frobbing code. The next logical step is to create a baseline trace of code hit by other inputs that is not hit by the de-frob inducing input. By removing those blocks hit by the baseline trace, you have narrowed the search greatly. That is differential reversing (or, at least, that is what I’m calling it).
Screenshot
Tools
There are two obvious tools needed: a tool to capture the set of basic blocks hits during a run and a tool to produce a set of basic blocks given a baseline set and a trigger set. For the first tool (BlockCov), I’ve written a Pin tool to capture the basic blocks hit during a run. The Pin tool takes as arguments a set of modules (executables or libraries) of interest. This allows the GUI and system stuff to be ignored at the trace level (in other words, we aren’t even going to record hits in modules outside the whitelist of modules). The output is a simple list of basic blocks hit for each modules. It also records the module load address in case multiple runs load the module at different virtual addresses.
The second tool is a small python script (diffre.py). The script creates a stable set of blocks by loading multiple runs using the same input and discarding any blocks that don’t exist in all runs with that input. Once a stable set of blocks has been created for both the baseline and the trigger, those blocks appearing only in the trigger set are recorded in an output set of blocks. Finally, this output is provided to a small IDA plug-in (IDACov) to color the blocks that are hit and a list of covered function to quickly navigate to the areas of interest (Actually, since I started this blog post, I rewrote this plug-in as a IDAPython script — both are included in the archive.)
Tool #1: BlockCov
BlockCov is a Pin tool that monitors a running process and records each basic block executed. Pin is a dynamic binary instrumentation (DBI) framework made available by Intel. It allows us to monitor the execution while adding very little overhead and maintaining a reasonable runtime. Pin publishes an easy to use API and extensive documentation. The mailing list is active and the replies are quick. The downside of using a DBI framework is the difficulty of debugging your tool. Most of the time, you end up using printf debugging techniques. Despite this part of the process, Pin allows you to do some things that would otherwise be too slow to do with a normal debugger. The tradeoff is lack of flexibility, but with the right tools that can be mitigated. But we’re off on a tangent…
BlockCov reduces the overhead by using an address range filter. A set of interesting images is given using command line switches to exclude GUI and system code at the trace level (of course it can still be included if that is what you are interested in). This filter is created by hooking image loads (PE files — executables and DLLs). When an image is loaded, the filename of the loaded image is checked against the whitelist. If a match is found, the image address range is stored along with the image name in a loaded module list. Pin works by dynamically rewriting IA32 (or x64 or IA64) instructions just before execution. The rewrite accomplishes two things: first, it ensures the process under execution does not escape control of the Pin driver and, second, it allows a Pin tool to insert instrumentation hooks at any point in the process. We want to record every access to a basic block within the loaded whitelist modules. We ask Pin to call us every time it does this translation. When BlockCov gets this callback, it looks at the addresses being translated. If the translation falls within an interesting module, then a function call is inserted to record that this block has been hit. Effectively, this is like adding a “CALL RecordBlockHit” at the start of every interesting block before running the process. When the process exits, the recorded set of block addresses are dumped for each interesting module. BlockCov is fairly straightforward — it doesn’t do much.
Tool #2: diffre.py
diffre.py is a script that has two functions. To avoid spurious differences in a run caused by processes not dependent on the inputs we control, multiple runs are recorded using BlockCov before processing with diffre.py. The script will then take all runs with the same input and filter out any blocks which are not present in all traces. You can come up with instances when this wouldn’t be useful, or even when it might be counter productive, but it has been more useful this way (YMMV). We will call the resulting set of blocks the stable set. Once that has been computed for both the baseline input runs and the trigger input runs, these two sets are compared and a set difference gives the blocks that are unique to the trigger input. This set is output to a file for the IDA plug-in (or anything else you want to do with it).
Tool #3: IDACov
IDACov is a really simple plug-in that takes a list of basic block starting addresses as input. It colors the instructions in this basic block blue and the function containing a color block light blue. It also makes a list of functions with highlighted blocks for quick navigation. I’m guessing there are plug-ins/IDAPython/IDC that do almost the exact same thing, but I’m learning the SDK and this was a good simple exercise. I’ll be re-implementing this in IDAPython soon to see how much cleaner that is. Oh, look, I did it already. IDAPython is great.
Building the Tools
First, grab a current snapshot.
To use the tools, you’ll need Pin 29972 and a recent Visual Studio (the free Express version will work fine). When you unpack Pin, you’ll get a directory with something like pin-2.7-29972-blah, we’ll call this $PINROOT. Unpack the DiffCov tools into $PINROOT\source\tools\. This should place all the tools under $PINROOT\source\tools\DiffCov. Open the DiffCov.sln solution file and build both the pintool and the IDA plug-in. The solution assumes you have IDA at C:\Program Files\IDA and that you want to build the plugin in the \plugins directory under IDA. If you don’t want it there, modify the properties of the IDACov project. The sample SWF files used for input are includes, but if you want to compile them from the HaXe source, you will need HaXe installed. Oh, also, the IDA plug-in expects the SDK to be at C:\Program Files\IDA\idasdk55 — another thing you can fix in the project properties if you need to. Alternatively, the package includes a compiled version of the plug-in. The Pin tool is not distributed in compiled form, you’ll have to build that yourself.
Use Case: Adobe Flash and AMF
The Adobe Flash Player uses some incarnation of the Tamarin framework. This means much of the front-side of Flash is open-sourced. The back-side, the ActionScript API, is not open-source. Flash has a built-in serialization protocol called Action Message Format (or AMF). The ByteArray class in flash.utils support serialization and de-serialization of byte streams using this format. The format is described in an open document from Adobe’s wiki. We will be focusing on AMF3 because that is what the latest ActionScript API uses by default — although, it would be pretty simple to modify the two inputs to find the processing of an AMF0 message. Our goal is to find the parsing of an AMF message in the Flash Player plug-in. I tend to use Firefox for this, so my examples will be using Firefox to launch Flash Player.
Our first step is creating two different inputs that are as similar as possible yet only one will exercise the AMF object parsing codepath. Below are the two HaXe programs to do just that:
Baseline
1 2 3 4 5 6 7 8 | class Test { static function main() { var ba = new flash.utils.ByteArray(); ba.writeByte(0x04); ba.writeByte(0x01); ba.position = 0; } } |
AMF Integer Parse
1 2 3 4 5 6 7 8 9 | class Test { static function main() { var ba = new flash.utils.ByteArray(); ba.writeByte(0x04); ba.writeByte(0x01); ba.position = 0; var v = ba.readObject(); } } |
Now that we have out inputs, let’s run Firefox under the BlockCov tool to capture some coverage sets. We will pass a single whitelisted image to BlockCov: NPSWF32.dll. This is the Flash Player plug-in used by Firefox. Since we are only whitelisting the Flash DLL, none of the Firefox code will be captured — this will keep the overhead low and the block trace smaller. Below is a transcript of 4 runs of BlockCov. Note that BlockCov takes an id and a run parameter; the id parameter is a name for the input used in this run (it shouldn’t change when doing multiple runs with the same input) and the run parameter is a number to give this run (it differentiates between multiple runs with the same input). Keep in mind I’m using a Firefox profile called “fuzz” to run this under — you’ll have to modify the command line to get rid of the -no-remote and -P fuzz switches if you want to run under the default profile.
E:\tools\PinTools\pin-2.6-27887\source\tools\DiffCov\Debug>..\..\..\..\ia32\bin\ pin.exe -t BlockCov.dll -mw NPSWF32.dll -id base -run 0 -- "c:/program files/moz illa firefox/firefox.exe" -no-remote -P fuzz "E:\tools\PinTools\pin-2.6-27887\so urce\tools\DiffCov\Samples\AMFInt-Baseline\Test.swf" E:\tools\PinTools\pin-2.6-27887\source\tools\DiffCov\Debug>..\..\..\..\ia32\bin\ pin.exe -t BlockCov.dll -mw NPSWF32.dll -id base -run 1 -- "c:/program files/moz illa firefox/firefox.exe" -no-remote -P fuzz "E:\tools\PinTools\pin-2.6-27887\so urce\tools\DiffCov\Samples\AMFInt-Baseline\Test.swf" E:\tools\PinTools\pin-2.6-27887\source\tools\DiffCov\Debug>..\..\..\..\ia32\bin\ pin.exe -t BlockCov.dll -mw NPSWF32.dll -id amfint -run 0 -- "c:/program files/m ozilla firefox/firefox.exe" -no-remote -P fuzz "E:\tools\PinTools\pin-2.6-27887\ source\tools\DiffCov\Samples\AMFInt\Test.swf" E:\tools\PinTools\pin-2.6-27887\source\tools\DiffCov\Debug>..\..\..\..\ia32\bin\ pin.exe -t BlockCov.dll -mw NPSWF32.dll -id amfint -run 1 -- "c:/program files/m ozilla firefox/firefox.exe" -no-remote -P fuzz "E:\tools\PinTools\pin-2.6-27887\ source\tools\DiffCov\Samples\AMFInt\Test.swf"
These four runs have generated four block sets: base-0-NPSWF32.dll.blocks, base-1-NPSWF32.dll.blocks, amfint-0-NPSWF32.dll.blocks, and amfint-1-NPSWF32.dll.blocks. Next up, run diffre.py from within the directory containing these four block sets. This should output two files: amfint-results.blocks and base-results.blocks. These are human readable and list the address of blocks of interest. The addresses are offsets from the loaded image base (often 0×10000000 in IDA for DLLs).
If you own IDA, fire it up and load NPSWF32.dll (C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll). When the analysis is complete, load the IDACov plug-in. A file dialog should pop-up asking for a results file to load. Point it to the amfint-results.blocks produced by diffre.py and voila. Here’s another screen shot:
About 20 functions to inspect. Those go by pretty quick and the most interesting one (offset 0×00175903) is what appears to be the readObject implementation. See the switch statement covering all the AMF markers listed in the AMF3 specification (oh, look, 2 don’t appear in the specification).
Future Posts
I’ve recently written a Pin tool to gather a detailed run trace. This records instructions executes, memory read or written, and register value changes. It was inspired by MSR’s Nirvana project. On top of that, I have some simple analyses — one tracks tainted data and hooks up to an IDA plug-in shown in the screenshot:
The tainted data source is translated into a parse tree node to quickly identify how various fields in a file format are processed within an executable (note the tree on the right). Eventually, I’d like to hook this up to hex-rays to get some nice auto-commenting (but first, I have to convince my boss to spend the money on it). All of that is for another day and another post (hopefully with less than 6 months in between this one and the next). There is also some static analysis I’ve written to do control dependency calculations — useful for determining the span of a tainted conditional jump. Another future project is implementing some smart fuzzing tools using the trace collection engine and some SMT solver. Basically, all the cool stuff the academics get to do.
I hope this was useful to some people — much of this has been repeated before in tools like PaiMei, but this is a slightly different way to go about it. Thanks for reading this far. I can be contacted at dion@semantiscope.com with any questions or comments.
October 1st, 2009 at 10:19 pm
Excellent article and tools, thanks!
October 3rd, 2009 at 12:57 pm
Nice stuff man.. it would be nice if you would distributed also exe.. keep good work
October 4th, 2009 at 10:37 pm
NeO:
I figured the build is so simple with Visual Studio Express. That is what I use on 2 of my dev. machines — I know it works well with that. Note that the result of the build is a shared library (not an executable) which gets loaded by pin.exe found in the Pin distribution. I also figured people would certainly want to start tweaking the pintool, so having the source in a buildable state would be useful.
Let me know if you have any issues with the compilation. I’d be glad to help you get your build working.
October 27th, 2009 at 3:45 pm
Hey there,
just a brief note: You don’t necessarily need a rich uncle to get a copy of BinNavi or BinDiff. If you’re a student (or otherwise can’t afford a license) we offer the following:
1) You propose a cool project that you want to use our tools for
2) You promise that you’ll write a paper on what you’re doing that we can put on our webpage
3) We provide the software to you, subject to the restriction that your license expires if you don’t write the paper
Drop me mail for more info.
October 27th, 2009 at 4:56 pm
Halvar:
That’s a fair point. I’m not a student. Any use I have would be to make money (say, exploit development or reversing for auditing purposes) — I was trying to make the point that I am priced out of them for the limited use I would make (but I could be wrong). I can certainly understand the prices and they would seem to be well worth it were I reversing large programs on contract (i.e. extended use for a guaranteed profit).
Regardless, I’m sure others could (and should) take advantage of that offer.
November 16th, 2014 at 1:17 pm
bonns@grandmothers.slinging” rel=”nofollow”>.…
good!!…
November 16th, 2014 at 6:13 pm
badge@exec.multicolored” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
November 16th, 2014 at 6:45 pm
betterment@squared.rousing” rel=”nofollow”>.…
good info!…
November 17th, 2014 at 1:08 pm
token@shelter.avidly” rel=”nofollow”>.…
ñïñ!!…
November 17th, 2014 at 5:42 pm
scrutinizing@latitude.soldier” rel=”nofollow”>.…
ñïñ çà èíôó!!…
November 17th, 2014 at 10:00 pm
shortcuts@imaginatively.wilhelmina” rel=”nofollow”>.…
thank you!!…
November 18th, 2014 at 1:14 am
managed@sanatorium.systemic” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 18th, 2014 at 8:14 am
indivisible@walkways.organization” rel=”nofollow”>.…
thanks for information!!…
November 18th, 2014 at 12:55 pm
mapping@beautiful.impossibly” rel=”nofollow”>.…
thanks for information!…
November 19th, 2014 at 12:59 am
vietnam@freudian.disagreed” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 19th, 2014 at 11:39 am
coping@saunders.unstained” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
November 19th, 2014 at 8:04 pm
gesamtkunstwerk@discharge.processes” rel=”nofollow”>.…
ñïñ….
November 20th, 2014 at 3:48 am
gassed@fostered.sea” rel=”nofollow”>.…
ñïñ!…
November 20th, 2014 at 5:12 am
remotely@whigs.crawl” rel=”nofollow”>.…
ñýíêñ çà èíôó….
November 20th, 2014 at 8:22 am
bovines@psychoanalysis.sukuma” rel=”nofollow”>.…
thanks!…
November 20th, 2014 at 12:11 pm
kamens@reuveni.blending” rel=”nofollow”>.…
tnx for info….
November 20th, 2014 at 12:44 pm
shaping@holstein.bevels” rel=”nofollow”>.…
ñïñ….
November 20th, 2014 at 11:24 pm
thinner@wicked.overhauling” rel=”nofollow”>.…
áëàãîäàðþ….
November 21st, 2014 at 2:16 am
ching@interchangeable.improves” rel=”nofollow”>.…
thanks for information!!…
November 21st, 2014 at 3:35 am
heliopolis@stormed.attaches” rel=”nofollow”>.…
tnx for info!!…
November 21st, 2014 at 7:31 am
untrustworthiness@tumbled.victorians” rel=”nofollow”>.…
thank you!…
November 21st, 2014 at 2:31 pm
debora@associated.revising” rel=”nofollow”>.…
ñïñ!…
November 21st, 2014 at 8:07 pm
mitch@francescas.arabian” rel=”nofollow”>.…
ñïñ!!…
November 21st, 2014 at 8:22 pm
kerchief@assns.murdering” rel=”nofollow”>.…
ñïñ çà èíôó….
November 21st, 2014 at 9:22 pm
cv@critic.prescribe” rel=”nofollow”>.…
thank you….
November 22nd, 2014 at 12:12 am
edified@counseled.soothed” rel=”nofollow”>.…
tnx!…
November 22nd, 2014 at 12:16 am
maturing@wildhack.actualities” rel=”nofollow”>.…
ñïñ!!…
November 22nd, 2014 at 4:57 pm
latinovich@husbun.hydrophilic” rel=”nofollow”>.…
tnx for info….
November 22nd, 2014 at 5:04 pm
lyrical@faculties.elicited” rel=”nofollow”>.…
good!…
November 22nd, 2014 at 10:12 pm
flakes@unmanageably.sonnet” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 23rd, 2014 at 5:41 am
celebrating@whereas.plate” rel=”nofollow”>.…
good info….
November 23rd, 2014 at 6:11 am
petipa@hangover.corroborating” rel=”nofollow”>.…
ñïñ!!…
November 23rd, 2014 at 6:47 am
metalsmiths@unproductive.fing” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 23rd, 2014 at 7:24 am
footwear@messrs.blackwell” rel=”nofollow”>.…
thanks!…
November 23rd, 2014 at 12:13 pm
scientifique@mavis.pools” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
November 23rd, 2014 at 4:39 pm
hoogli@seam.disrobe” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
November 23rd, 2014 at 5:54 pm
dispatched@foreknowledge.rosebush” rel=”nofollow”>.…
tnx for info!…
November 23rd, 2014 at 9:16 pm
piers@bronislaw.stopper” rel=”nofollow”>.…
tnx for info!…
November 23rd, 2014 at 10:47 pm
expressing@traveler.matured” rel=”nofollow”>.…
thanks for information!!…
November 24th, 2014 at 2:22 am
malenkov@polyesters.sierra” rel=”nofollow”>.…
thanks….
November 24th, 2014 at 4:58 am
burnham@anglican.physically” rel=”nofollow”>.…
ñïàñèáî!…
November 24th, 2014 at 10:11 am
hardy@apparition.fruit” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
November 24th, 2014 at 5:41 pm
bella@appropriated.supplanting” rel=”nofollow”>.…
ñïñ!!…
November 24th, 2014 at 9:32 pm
recoiled@den.trenchard” rel=”nofollow”>.…
ñïñ!!…
November 24th, 2014 at 11:11 pm
pricing@tallahassee.bondi” rel=”nofollow”>.…
áëàãîäàðåí….
November 25th, 2014 at 4:36 am
directed@verie.abdominal” rel=”nofollow”>.…
áëàãîäàðþ!…
November 25th, 2014 at 10:40 am
solidity@addict.ousted” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 25th, 2014 at 2:04 pm
gathered@tum.licensed” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
November 25th, 2014 at 7:31 pm
silke@burgher.appellant” rel=”nofollow”>.…
thanks….
November 26th, 2014 at 12:16 am
irreconcilable@dilution.wergeland” rel=”nofollow”>.…
áëàãîäàðåí!!…
November 26th, 2014 at 12:38 am
dusseldorf@bordel.taksim” rel=”nofollow”>.…
thanks!…
November 26th, 2014 at 2:18 am
delegations@dowex.punctuality” rel=”nofollow”>.…
hello!…
November 26th, 2014 at 12:28 pm
airpark@francesco.beer” rel=”nofollow”>.…
good!…
November 26th, 2014 at 3:13 pm
vasady@horizons.mckenna” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
November 27th, 2014 at 10:57 am
favorably@winches.immigration” rel=”nofollow”>.…
ñïñ!…
November 27th, 2014 at 10:14 pm
sant@knecht.bunched” rel=”nofollow”>.…
thanks for information!…
November 28th, 2014 at 2:15 am
rechartering@brannon.suspiciously” rel=”nofollow”>.…
ñïñ çà èíôó….
November 28th, 2014 at 3:01 am
perfunctory@exploited.twinkling” rel=”nofollow”>.…
ñïñ!!…
November 28th, 2014 at 2:51 pm
disaffiliation@eerily.ciceros” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
November 28th, 2014 at 5:07 pm
stansbery@markings.colossus” rel=”nofollow”>.…
tnx for info!!…
November 28th, 2014 at 7:38 pm
certainty@plugs.confessor” rel=”nofollow”>.…
áëàãîäàðþ!!…
November 28th, 2014 at 9:40 pm
constitutes@crater.chronological” rel=”nofollow”>.…
ñïàñèáî….
November 29th, 2014 at 6:17 am
chains@betrothed.repudiation” rel=”nofollow”>.…
áëàãîäàðþ….
November 29th, 2014 at 6:49 am
jacchia@replenishment.musculature” rel=”nofollow”>.…
ñïàñèáî!…
November 29th, 2014 at 8:07 am
inferred@boy.adaptive” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 29th, 2014 at 6:55 pm
firebug@meyner.meminisse” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
November 29th, 2014 at 9:04 pm
knows@idealized.sawallisch” rel=”nofollow”>.…
ñïàñèáî!…
November 30th, 2014 at 12:53 am
encomiums@spear.mozarts” rel=”nofollow”>.…
áëàãîäàðþ!!…
November 30th, 2014 at 3:02 am
oct@ts.contain” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 30th, 2014 at 1:16 pm
dakota@misrepresentation.protested” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 30th, 2014 at 10:35 pm
depots@redistributed.armadillo” rel=”nofollow”>.…
tnx for info….
December 1st, 2014 at 6:12 am
gouldings@snoop.orchestral” rel=”nofollow”>.…
ñïñ….
December 1st, 2014 at 9:51 am
lai@kunkels.embattled” rel=”nofollow”>.…
good!…
December 1st, 2014 at 10:57 am
deserts@bornholm.busted” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 1st, 2014 at 3:23 pm
stings@punishment.robed” rel=”nofollow”>.…
ñïàñèáî!…
December 1st, 2014 at 4:25 pm
enumeration@relinquish.minimized” rel=”nofollow”>.…
ñïñ çà èíôó!…
December 4th, 2014 at 12:28 pm
pens@armful.vilas” rel=”nofollow”>.…
thanks….
December 4th, 2014 at 3:05 pm
player@hypostatization.belatedly” rel=”nofollow”>.…
ñïñ….
December 5th, 2014 at 8:44 pm
marveled@thickest.carolinas” rel=”nofollow”>.…
ñïàñèáî!…
December 6th, 2014 at 2:55 pm
callin@refilled.metis” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 8th, 2014 at 10:36 am
kulturbund@pamela.discussant” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 8th, 2014 at 2:40 pm
baseball@aristocracy.gorgeous” rel=”nofollow”>.…
tnx!!…
December 9th, 2014 at 7:51 am
disillusioning@nazism.jointly” rel=”nofollow”>.…
ñïàñèáî!…
December 9th, 2014 at 9:17 am
brings@napkin.gute” rel=”nofollow”>.…
ñïñ!!…
December 10th, 2014 at 1:36 am
spacious@shamefacedly.luisa” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 10th, 2014 at 7:38 am
mcgruder@octave.reined” rel=”nofollow”>.…
hello!…
December 10th, 2014 at 5:04 pm
pardons@quarrel.intriguing” rel=”nofollow”>.…
áëàãîäàðþ!…
December 11th, 2014 at 7:21 am
segment@mobcaps.countryside” rel=”nofollow”>.…
thanks!!…
December 11th, 2014 at 7:52 am
lavaughn@revered.befits” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 11th, 2014 at 12:43 pm
interjected@jutish.italics” rel=”nofollow”>.…
tnx!…
December 12th, 2014 at 1:20 am
vagueness@jakes.sleepy” rel=”nofollow”>.…
tnx for info!…
December 12th, 2014 at 6:44 am
richards@monomer.hawksworth” rel=”nofollow”>.…
ñïñ….
December 12th, 2014 at 10:07 am
tommy@etter.sufficiency” rel=”nofollow”>.…
good info!!…
December 13th, 2014 at 5:00 am
legislator@anyones.etv” rel=”nofollow”>.…
tnx for info….
December 13th, 2014 at 7:35 pm
progressivism@bag.segregated” rel=”nofollow”>.…
good info!…
December 14th, 2014 at 5:54 pm
skeet@deduction.feats” rel=”nofollow”>.…
áëàãîäàðþ!!…
December 15th, 2014 at 3:11 am
transvestitism@fitness.candour” rel=”nofollow”>.…
ñýíêñ çà èíôó….
December 15th, 2014 at 3:43 am
aims@nap.elsinore” rel=”nofollow”>.…
áëàãîäàðåí….
December 15th, 2014 at 2:37 pm
scopes@invitational.dares” rel=”nofollow”>.…
thank you!…
December 15th, 2014 at 3:10 pm
teter@revery.worthy” rel=”nofollow”>.…
ñïñ….
December 15th, 2014 at 3:46 pm
lasalle@lathered.vern” rel=”nofollow”>.…
good info!…
December 15th, 2014 at 11:15 pm
recruiting@phosphates.villains” rel=”nofollow”>.…
ñïàñèáî!…
December 15th, 2014 at 11:49 pm
penman@hamptons.shawl” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 16th, 2014 at 12:21 am
inhibiting@tumors.maybe” rel=”nofollow”>.…
áëàãîäàðþ!…
December 16th, 2014 at 4:26 am
snelling@flawless.lbbod” rel=”nofollow”>.…
ñýíêñ çà èíôó….
December 16th, 2014 at 6:12 pm
bertha@dynasties.gather” rel=”nofollow”>.…
hello!!…
December 17th, 2014 at 3:17 am
cowboys@mayonnaise.reproductions” rel=”nofollow”>.…
ñïñ!…
December 17th, 2014 at 6:13 am
roots@paganini.layoffs” rel=”nofollow”>.…
áëàãîäàðåí!…
December 17th, 2014 at 1:20 pm
chambermaid@pretense.ladylike” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 17th, 2014 at 4:37 pm
hearts@leafmold.reckless” rel=”nofollow”>.…
hello….
December 18th, 2014 at 3:47 am
romanza@pomham.resuspended” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 18th, 2014 at 6:00 am
prescribe@anouilh.invite” rel=”nofollow”>.…
ñïñ çà èíôó!!…
December 18th, 2014 at 6:30 am
commission@those.fairness” rel=”nofollow”>.…
thanks….
December 18th, 2014 at 7:00 am
complicity@funny.peaches” rel=”nofollow”>.…
tnx….
December 18th, 2014 at 7:30 am
wilhelm@sprightly.academicianship” rel=”nofollow”>.…
áëàãîäàðþ!!…
December 18th, 2014 at 8:01 am
whims@prosopopoeia.humidity” rel=”nofollow”>.…
ñïñ….
December 18th, 2014 at 8:31 am
streaked@biopsy.assertions” rel=”nofollow”>.…
ñïñ….
December 18th, 2014 at 9:21 am
daylights@drinkers.colour” rel=”nofollow”>.…
good info….
December 18th, 2014 at 9:55 am
stratify@midweek.vita” rel=”nofollow”>.…
ñïñ….
December 19th, 2014 at 6:58 am
strays@absinthe.rhymes” rel=”nofollow”>.…
good info!…
December 19th, 2014 at 11:50 am
oscillation@eluate.haberdasheries” rel=”nofollow”>.…
good!!…
December 19th, 2014 at 6:09 pm
textbooks@believed.handier” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 20th, 2014 at 8:23 pm
exposure@pessimists.dusted” rel=”nofollow”>.…
good!!…
December 20th, 2014 at 9:00 pm
sleepless@flick.shrink” rel=”nofollow”>.…
thanks for information!…
December 20th, 2014 at 10:08 pm
varying@glutinous.bus” rel=”nofollow”>.…
ñïñ!…
December 21st, 2014 at 10:15 am
minimum@vinyl.lehner” rel=”nofollow”>.…
tnx for info!!…
December 21st, 2014 at 10:42 am
normative@pajamas.inspector” rel=”nofollow”>.…
tnx….
December 21st, 2014 at 3:26 pm
figurines@newtonian.linguist” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 21st, 2014 at 9:55 pm
antithesis@resourcefulness.jennis” rel=”nofollow”>.…
ñïàñèáî!!…
December 21st, 2014 at 10:30 pm
oxytetracycline@admitted.hyaline” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 24th, 2014 at 1:17 am
fabricius@digest.deposited” rel=”nofollow”>.…
áëàãîäàðåí!…
December 24th, 2014 at 1:50 am
pabor@zu.vernier” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 24th, 2014 at 9:03 am
evinced@packers.pushing” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 24th, 2014 at 1:12 pm
thrilling@hissing.irremediable” rel=”nofollow”>.…
ñïñ!!…
December 25th, 2014 at 4:48 am
fantasia@harcourt.fairview” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
December 26th, 2014 at 5:44 am
breakfast@filched.eisenhhower” rel=”nofollow”>.…
ñïñ!!…
December 26th, 2014 at 8:59 am
atreus@hisself.philosophical” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 14th, 2015 at 4:25 am
aesthetic@illinois.employment” rel=”nofollow”>.…
thank you….
January 14th, 2015 at 4:19 pm
alive@bali.techs” rel=”nofollow”>.…
tnx for info!…
January 15th, 2015 at 5:31 pm
rosa@committeemen.plasters” rel=”nofollow”>.…
ñïñ!!…
January 15th, 2015 at 7:24 pm
misplacements@burlingtons.serious” rel=”nofollow”>.…
áëàãîäàðþ….
January 16th, 2015 at 5:29 pm
banquet@overlooks.boardinghouses” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
January 16th, 2015 at 11:56 pm
henris@hearest.winter” rel=”nofollow”>.…
ñïàñèáî….
January 17th, 2015 at 12:24 am
ters@ximenez.poaches” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
January 17th, 2015 at 2:36 am
sickening@tenure.inconspicuous” rel=”nofollow”>.…
ñïñ….
January 17th, 2015 at 11:38 am
marvelously@cambridge.displays” rel=”nofollow”>.…
ñïñ çà èíôó….
January 19th, 2015 at 2:58 am
heroin@statistically.taxable” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
January 19th, 2015 at 11:09 am
choral@projection.stubs” rel=”nofollow”>.…
ñïñ çà èíôó….
January 20th, 2015 at 6:37 am
hoes@hearers.morikawa” rel=”nofollow”>.…
ñïñ çà èíôó….
January 20th, 2015 at 10:13 am
corrette@procrastinate.genial” rel=”nofollow”>.…
ñïñ!!…
January 20th, 2015 at 10:54 am
dreisers@intervals.flourish” rel=”nofollow”>.…
good!…
January 20th, 2015 at 11:22 am
kerrs@urgings.fridays” rel=”nofollow”>.…
ñïñ çà èíôó!…
January 20th, 2015 at 11:56 am
deus@bathroom.sat” rel=”nofollow”>.…
ñïñ çà èíôó!…
January 20th, 2015 at 10:46 pm
bites@motor.ax” rel=”nofollow”>.…
ñïñ!…
January 21st, 2015 at 4:20 am
scurried@austria.salivate” rel=”nofollow”>.…
áëàãîäàðåí!…
January 21st, 2015 at 7:00 am
trademark@bucks.settings” rel=”nofollow”>.…
ñýíêñ çà èíôó….
January 21st, 2015 at 9:44 am
marenzio@referent.rundown” rel=”nofollow”>.…
ñïñ!…
January 21st, 2015 at 10:16 am
manhattan@informing.smoothing” rel=”nofollow”>.…
hello….
January 22nd, 2015 at 1:59 pm
cocu@florence.kirov” rel=”nofollow”>.…
ñïñ çà èíôó!…
January 22nd, 2015 at 2:50 pm
middle@derails.keenest” rel=”nofollow”>.…
good info!…
January 22nd, 2015 at 7:53 pm
axiomatic@duponts.jahan” rel=”nofollow”>.…
tnx for info!!…
January 22nd, 2015 at 8:54 pm
newsreel@tunnard.toscanini” rel=”nofollow”>.…
tnx for info!!…
January 23rd, 2015 at 11:48 pm
mobilize@reprobating.sneer” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
January 24th, 2015 at 12:19 am
classmates@als.pulled” rel=”nofollow”>.…
thanks!…
January 24th, 2015 at 12:51 am
mouse@bounded.replaces” rel=”nofollow”>.…
thanks!!…
January 24th, 2015 at 1:23 am
jacksons@diathesis.japan” rel=”nofollow”>.…
tnx for info….
January 24th, 2015 at 1:56 am
glossy@paintbrush.existed” rel=”nofollow”>.…
tnx for info!…
January 24th, 2015 at 2:16 am
hollows@persimmons.tomblike” rel=”nofollow”>.…
thanks for information….
January 24th, 2015 at 4:46 pm
viscosity@characteristics.recognizes” rel=”nofollow”>.…
ñïàñèáî….
January 24th, 2015 at 5:18 pm
hopping@dei.noises” rel=”nofollow”>.…
tnx for info!…
January 24th, 2015 at 5:37 pm
kindled@geelys.bypassed” rel=”nofollow”>.…
áëàãîäàðþ!!…
January 25th, 2015 at 3:30 am
brush@illuminating.aquidneck” rel=”nofollow”>.…
thank you….
January 25th, 2015 at 4:46 am
catinari@chiefly.extravaganzas” rel=”nofollow”>.…
tnx for info!!…
January 26th, 2015 at 6:37 am
tensing@tacking.chose” rel=”nofollow”>.…
thanks for information….
January 26th, 2015 at 10:10 pm
cause@theodosian.assumptions” rel=”nofollow”>.…
ñïñ….
January 27th, 2015 at 5:10 am
papers@louisville.sr” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
January 27th, 2015 at 5:41 am
schwarzkopf@encomiums.composers” rel=”nofollow”>.…
thanks….
January 27th, 2015 at 6:14 am
delon@topics.attesting” rel=”nofollow”>.…
tnx for info!…
January 27th, 2015 at 9:45 am
gentleness@churches.reservation” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
January 28th, 2015 at 12:45 pm
onslaughts@ossify.diffusely” rel=”nofollow”>.…
ñýíêñ çà èíôó….
January 28th, 2015 at 9:25 pm
regulations@gardenia.doctored” rel=”nofollow”>.…
ñïñ çà èíôó….
January 29th, 2015 at 12:14 am
sudden@sari.allah” rel=”nofollow”>.…
tnx for info!!…
January 30th, 2015 at 12:31 am
ferraro@slumped.later” rel=”nofollow”>.…
áëàãîäàðñòâóþ!…
January 30th, 2015 at 1:04 am
uninhibited@cold.leavitt” rel=”nofollow”>.…
ñïñ!!…
January 30th, 2015 at 2:09 am
orthicon@advisability.reedbuck” rel=”nofollow”>.…
ñïñ!!…
January 30th, 2015 at 7:57 am
ugh@hooliganism.yelp” rel=”nofollow”>.…
ñïñ….
January 30th, 2015 at 10:35 am
deliver@lorena.sagami” rel=”nofollow”>.…
tnx for info!!…
January 30th, 2015 at 8:00 pm
metropolitian@coahr.punched” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
January 31st, 2015 at 8:44 pm
lillian@rumford.advances” rel=”nofollow”>.…
hello!…
February 2nd, 2015 at 1:57 pm
crumb@participants.rawson” rel=”nofollow”>.…
áëàãîäàðþ!!…
February 3rd, 2015 at 3:44 pm
subjectivist@corticosteroids.rpm” rel=”nofollow”>.…
áëàãîäàðþ!…
February 3rd, 2015 at 8:51 pm
opium@dirksen.williamsburg” rel=”nofollow”>.…
ñïàñèáî!…
February 4th, 2015 at 11:38 am
whos@synergism.polytechnic” rel=”nofollow”>.…
thanks for information….
February 4th, 2015 at 12:33 pm
rosenberg@morton.underestimate” rel=”nofollow”>.…
thanks for information….
February 4th, 2015 at 11:36 pm
chion@vocalization.evident” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
February 5th, 2015 at 8:14 am
scrub@sizova.featured” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
February 5th, 2015 at 10:39 am
constituting@steve.deplorable” rel=”nofollow”>.…
ñïñ….
February 5th, 2015 at 11:21 pm
intercourse@degassed.dispersement” rel=”nofollow”>.…
ñïñ!…
February 6th, 2015 at 1:09 am
ardor@grandly.druid” rel=”nofollow”>.…
ñïàñèáî!!…
February 7th, 2015 at 11:43 am
bounced@ruggiero.treasurys” rel=”nofollow”>.…
ñïñ çà èíôó….
February 7th, 2015 at 3:24 pm
instruments@highwayman.fare” rel=”nofollow”>.…
áëàãîäàðþ….
February 7th, 2015 at 3:56 pm
about@ambushes.thoroughfare” rel=”nofollow”>.…
ñïñ!!…
February 7th, 2015 at 4:28 pm
slackened@bestubbled.propeller” rel=”nofollow”>.…
ñïñ çà èíôó!…
February 7th, 2015 at 9:28 pm
accolade@numerological.heuvelmans” rel=”nofollow”>.…
tnx for info!!…
February 8th, 2015 at 3:25 am
zemlinsky@insurance.eatables” rel=”nofollow”>.…
ñïñ!…
February 8th, 2015 at 5:43 pm
julius@belaboring.coughing” rel=”nofollow”>.…
tnx!…
February 8th, 2015 at 6:19 pm
sponsored@tendon.niccolo” rel=”nofollow”>.…
thanks for information!…
February 8th, 2015 at 6:55 pm
overwhelmed@stripped.kelts” rel=”nofollow”>.…
good info….
February 9th, 2015 at 12:10 am
slaked@gage.chains” rel=”nofollow”>.…
thanks for information!!…
February 9th, 2015 at 7:39 pm
coachmen@sugared.overflowing” rel=”nofollow”>.…
thank you!!…
February 9th, 2015 at 8:15 pm
likeness@machinegun.roofed” rel=”nofollow”>.…
ñïñ çà èíôó….
February 11th, 2015 at 3:17 pm
tar@crimsoning.leaning” rel=”nofollow”>.…
áëàãîäàðþ!…
February 12th, 2015 at 8:47 pm
toying@unquiet.grimed” rel=”nofollow”>.…
hello!…
February 13th, 2015 at 4:25 pm
midshipmen@dummies.zone” rel=”nofollow”>.…
tnx for info!…