Getting Pointers from Leaky Interpreters
October 29th, 2009Note: I haven’t seen this anywhere before but I wouldn’t be surprised if it had been done, so let me know if I should credit someone. It was inspired in some really abstract way by a USENIX Security paper from 2003.
Goal
To create an ActionScript function that takes an Object and computes the address when run in Tamarin.
Introduction
Despite the growing adoption of SDLs and the proliferation of code analysis tools, many commercial applications are still sprinkled with memory corruption bugs. Microsoft has implemented address space layout randomization (ASLR) and data execution prevention (DEP) to make the exploitation of these vulnerabilities much more difficult. Researchers and attackers have been forced to develop application specific strategies to circumvent the mitigations. Mark Dowd and Alex Sotirov wrote a really useful Blackhat USA 2008 paper explaining the implementation decisions made for each of the mitigations (for each version of Windows) and some attacks they’ve developed to take advantage of those decisions. I waited way too long to read this paper — don’t make my mistake. These techniques are not universal and for each “class” of application new exploit techniques must be developed. Thinking about application specific techniques has been fun and produced a few cool gadgets. This note talks about one of them.
Knowing the address of attacker controllable data before triggering an exploit is useful (if not necessary). Many times, a heap spray is enough to place some shellcode or data structure at a known address. Despite their effectiveness, heap sprays just feel dirty. So, out of a desire to pimp my exploits, I set out in search of a way to leak addresses of attacker controlled structures.
Tagged Pointers
Many interpreters represent atomic objects (we’ll call them atoms) as tagged pointers. Each base type is given a tag and an atom is represented by placing this tag in the lower bits while the atoms value is encoded in the upper bits. The Tamarin virtual machine uses 3 bit tags. The Tamarin integer tag is 6, so, for example, the atom for 42 is encoded as:
>>> '0x%08x' % (42 << 3 | 6) '0x00000156'
Similarly, a Tamarin Object tag is 2, so an Object at 0xaabbccd0 is encoded as:
>>> '0x%08x' % (0xaabbccd0 | 2) '0xaabbccd2'
Integers that don't fit into 29 bits are interned as strings. This technique is quite old and was used on the Lisp Machines and was discussed in both SICP (footnote 8) and at least one [PDF] of the early 'Lambda Papers'.
Tamarin Dictionaries
Tamarin Dictionary objects store Object to Object mappings and are implemented internally as hashtables. The hashtable implementation maintains a table that is the smallest power of 2 greater than the number of entries * 5/4. In other words, the table is never more than 80% full (see the source). When an insert causes the table to become more full, the table is grown and all entries are rehashed (see the source). The hash function operates on atoms; it shifts off the lower 3 tag bits and masks off enough top bits to fit the table (see the source).
The "for x in y" looping construct and the AVM2 instructions "hasnext2", "nextname", and "nextvalue" allow the interpreted program to iterate over a Dictionary (or generic Object -- the difference is not made clear in the AVM2 documentation, but the Tamarin implementation makes a distinction). This iteration is accomplished by walking the hashtable from start of table to end. For example, if all integers inserted into the Dictionary are less than the size of the hashtable, the integers will come back out in ascending order. We will leverage this to determine the value of any atom (well, most of it, anyway).
Integer Sieves
Now that all of the background is out of the way, I can explain the general idea. Since integers are placed into the hashtable by using their value as the key (of course, the any top bits will be masked off), we can determine the value of some other atom by comparing the integers before and after it. Since Object atoms are basically just pointers, we can disclose as many bits of a pointer as we can grow the hashtable. To avoid the problem of a hash collision, we create two Dictionaries, one with all the even integers and one with all the odd integers (up to some power of two -- the larger, the more bits we discover). After creating the Dictionaries, we insert the victim object into both Dictionaries (the value you map it to does not matter for this trick -- in fact, the values are of no use at all). Next, search each Dictionary using the for-in construct, recording the last key visited and breaking when the current key is the victim object. We now have two values, the two values should differ by 17. This is due to the linear probe; when a hashtable insert collides, it uses a quadratic probe to find an empty slot. It begins at hash(atom) + 8 (collides -- even + even = even, odd + even = odd), then tries hash(atom) + 17 (success -- even + odd = odd, odd + odd = even). So, we know that when the two values differ by 17, the lower value is the one from the Dictionary that didn't have the collision. When it isn't 17 (wrapped around), the larger value is from the Dictionary that didn't have the collision. We now have the integer that, when turned into an atom is 8 (aka 1 << 3) smaller than the victim atom. Finally, to get the victim atom from the integer, x: (x << 3 + 8) or more to the point ((x + 1) << 3).
Sample Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | package getptr { import avmplus.System; import flash.utils.Dictionary; print("getptr - dion@semantiscope.com"); function objToPtr(obj) { var i; var even = new Dictionary(); var odd = new Dictionary(); print("[+] Creating hashtables"); for (i = 0; i < (1024 * 1024 * 2); i += 1) { even[i * 2] = i; odd[i * 2 + 1] = i; } print("[+] Triggering hashtable insert"); even[obj] = false; odd[obj] = false; var evenPrev = 0; var oddPrev = 0; var curr; print("[+] Searching even hashtable"); for (curr in even) { if (curr == obj) { break; } evenPrev = curr; } print("[+] Searching odd hashtable"); for (curr in odd) { if (curr == obj) { break; } oddPrev = curr; } var ptr; if (evenPrev < oddPrev) { ptr = evenPrev; if (evenPrev + 8 + 9 != oddPrev) { print("[-] Something went wrong " + evenPrev + ", " + oddPrev); } } else { ptr = oddPrev; if (oddPrev + 8 + 9 != evenPrev) { print("[-] Something went wrong " + oddPrev + ", " + evenPrev); } } ptr = (ptr + 1) * 8; return ptr; } var victim = "VICTIM"; var ptr = objToPtr(victim); print("[+] ptr = " + ptr); System.debugger(); } |
Notes: All test were performed with Tamarin pulled from tamarin-central @ dab354bc047c
To test this code, compile up a Tamarin avmshell, place a breakpoint on SystemClass::debugger(), and run the sample script. Once the debugger hits, check the address spit out. On an XP system, the heap is gonna start pretty low, so the output address will probably be correct (it was for me). For a string, the address + 0xC will be a pointer to the bytes of the string (to help you verify that it works).
I compiled the above ActionScript with asc.jar as suggested by the Tamarin build documentation.
It is worth knowing that Flash Player uses a version of the Tamarin virtual machine, but the sample code will not work directly with Flash. Feel free to reverse it yourself and see the modifications you need to make. I have not spent the time to make my script work with it, but I think it shouldn't be hard.
Epilogue
This is, I think, a cute trick. Who cares? I care because this kind of leak is really hard to automatically check for. Bits are leaked via comparisons. How do you track this kind of information leakage? Maybe someone from academia can pipe up -- maybe no one cares. Knowing the address of some attacker controllable bytes is always good. Regardless of the usefulness, I hope it was interesting.
Happy hunting!
EDIT: Changed "Prologue" to "Epilogue"... wow, I wrote this post too quickly.
EDIT: Fix the typo reported by Jordan.
October 29th, 2009 at 11:10 pm
Nice work!
Though similar ideas probably pop into people’s heads every now and again. Some guys from Core did a presentation a few years ago at Blackhat about using crafted inserts via web applications to leak data via timing analysis against MySQL (no code was ever released), which has nothing to do with this at all, but they introduced the idea by talking about the usefulness of being able to sort a list of usernames by password, and then insert users with crafted passwords and see where they fit in.
October 30th, 2009 at 1:51 pm
Nice one bruv!
November 18th, 2009 at 9:33 pm
So neat. Also, there’s a small typo in the sample above. It will still work great normally, but the error condition itself won’t work correctly. ;-)
@@ -49,3 +49,3 @@
if (oddPrev + 8 + 9 != evenPrev) {
- print(“[-] Something went wrong ” + oldPrev + “, ” + evenPrev);
+ print(“[-] Something went wrong ” + oddPrev + “, ” + evenPrev);
}
November 26th, 2009 at 11:25 pm
anon, s7ephen: Thanks!
Jordan: Right. I’ve made the edit, thanks.
February 7th, 2011 at 11:50 am
**YOUTUBE VIDEO REVIEWS ON THE HOTTEST ELECTRONICS OUT**…
#1 SITE FOR THE LATEST REVIEWS ON THE HOTTEST TECHNOLOGY HITTING THE MAINSTREAM!…
March 22nd, 2012 at 8:31 pm
Its like you read my mind! You {seem|appear} to know {so much|a lot} about this, like you wrote the book in it or something. I think that you {could|can} do with {some|a few} pics to drive the message home {a bit|a little bit}, but {other than|instea…
Always desire to learn something useful….
November 16th, 2014 at 12:20 pm
hadrian@liberals.earp” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 16th, 2014 at 2:13 pm
exemplified@sufficiently.joring” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
November 17th, 2014 at 6:01 am
nagrin@vicksburg.laymen” rel=”nofollow”>.…
tnx for info!…
November 17th, 2014 at 3:32 pm
lovable@interaxial.wearily” rel=”nofollow”>.…
good info!!…
November 17th, 2014 at 4:57 pm
ikle@groaned.washbasin” rel=”nofollow”>.…
good info….
November 18th, 2014 at 4:45 am
alfred@lawmen.bern” rel=”nofollow”>.…
ñïñ!…
November 18th, 2014 at 7:43 am
incredulity@will.bud” rel=”nofollow”>.…
good info!!…
November 18th, 2014 at 9:01 am
glimmering@weybosset.renditions” rel=”nofollow”>.…
ñïñ çà èíôó!…
November 18th, 2014 at 1:14 pm
hester@gleefully.naps” rel=”nofollow”>.…
ñïàñèáî!…
November 18th, 2014 at 2:36 pm
unburned@musique.lent” rel=”nofollow”>.…
tnx for info….
November 18th, 2014 at 10:19 pm
sanctuarys@parks.numerous” rel=”nofollow”>.…
ñïñ!!…
November 19th, 2014 at 11:29 am
magicians@ultramodern.pirie” rel=”nofollow”>.…
thanks for information!…
November 19th, 2014 at 11:54 am
plasters@delinquents.magnate” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
November 19th, 2014 at 6:37 pm
warped@enoch.formability” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
November 19th, 2014 at 8:20 pm
swirled@kornbluths.willy” rel=”nofollow”>.…
ñïàñèáî!!…
November 20th, 2014 at 7:28 am
stunting@tedium.calipers” rel=”nofollow”>.…
ñïñ!…
November 21st, 2014 at 6:22 am
miguel@corduroy.ethers” rel=”nofollow”>.…
ñïñ çà èíôó!…
November 21st, 2014 at 9:54 am
biologist@revels.provocatively” rel=”nofollow”>.…
tnx!!…
November 21st, 2014 at 6:56 pm
tack@participation.pinkish” rel=”nofollow”>.…
good!!…
November 22nd, 2014 at 2:22 am
zs@mitre.waves” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
November 22nd, 2014 at 3:22 am
renfrew@unbelievably.koussevitzkys” rel=”nofollow”>.…
ñïñ!!…
November 22nd, 2014 at 12:51 pm
princes@arising.baileefe” rel=”nofollow”>.…
ñïñ….
November 22nd, 2014 at 7:35 pm
grotesques@messina.miriam” rel=”nofollow”>.…
ñïñ!…
November 23rd, 2014 at 2:37 am
recalled@poems.prepares” rel=”nofollow”>.…
good info!…
November 23rd, 2014 at 8:30 am
restitution@sidemen.scribe” rel=”nofollow”>.…
tnx….
November 23rd, 2014 at 2:10 pm
confabulated@superimposing.berche” rel=”nofollow”>.…
ñïñ!!…
November 23rd, 2014 at 6:20 pm
shout@stab.homeric” rel=”nofollow”>.…
áëàãîäàðþ!…
November 24th, 2014 at 2:51 pm
songs@congeniality.image” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
November 24th, 2014 at 4:03 pm
solicitousness@heliopolis.stormed” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
November 24th, 2014 at 7:47 pm
duffy@zoe.revamped” rel=”nofollow”>.…
ñïñ!…
November 24th, 2014 at 8:32 pm
underpins@ham.reconstructed” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
November 25th, 2014 at 4:48 am
winded@desires.grabbed” rel=”nofollow”>.…
ñïàñèáî!…
November 25th, 2014 at 7:50 am
nonviolent@remonstrated.disobeying” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 25th, 2014 at 10:59 am
greenness@dislocated.hun” rel=”nofollow”>.…
ñïñ….
November 25th, 2014 at 4:45 pm
bombers@viewing.cease” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 26th, 2014 at 6:03 am
tombigbee@drizzly.larder” rel=”nofollow”>.…
tnx….
November 26th, 2014 at 2:42 pm
slang@populous.rewriting” rel=”nofollow”>.…
thank you!…
November 26th, 2014 at 6:58 pm
prayed@lift.activity” rel=”nofollow”>.…
tnx for info!!…
November 27th, 2014 at 2:33 am
repayable@spices.robertson” rel=”nofollow”>.…
tnx for info!!…
November 27th, 2014 at 12:56 pm
rioters@plymouth.require” rel=”nofollow”>.…
tnx!!…
November 27th, 2014 at 4:10 pm
lonelier@ontologically.extravagant” rel=”nofollow”>.…
tnx….
November 28th, 2014 at 1:51 am
faucet@wayne.bruhn” rel=”nofollow”>.…
tnx for info!!…
November 28th, 2014 at 5:47 am
goyette@arid.eloped” rel=”nofollow”>.…
thanks for information….
November 28th, 2014 at 9:23 am
haumd@annoyances.servings” rel=”nofollow”>.…
ñïñ çà èíôó!!…
November 28th, 2014 at 12:31 pm
philippoff@therapist.shingles” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 29th, 2014 at 9:48 am
pondered@sed.reverted” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
November 29th, 2014 at 10:07 am
smugglers@tappet.recanted” rel=”nofollow”>.…
ñïñ!…
November 29th, 2014 at 1:58 pm
categorized@children.libretto” rel=”nofollow”>.…
ñïàñèáî….
November 29th, 2014 at 11:07 pm
pelvis@proponents.douce” rel=”nofollow”>.…
ñïàñèáî!!…
November 30th, 2014 at 4:31 am
contention@probability.aventino” rel=”nofollow”>.…
ñýíêñ çà èíôó….
November 30th, 2014 at 9:54 am
stirring@thigh.sidneys” rel=”nofollow”>.…
tnx for info!…
November 30th, 2014 at 2:32 pm
zeus@parisology.redundancy” rel=”nofollow”>.…
ñïñ….
November 30th, 2014 at 11:52 pm
crystal@edgy.but” rel=”nofollow”>.…
ñïñ çà èíôó….
December 1st, 2014 at 11:09 am
wrapper@giggled.subdue” rel=”nofollow”>.…
hello!…
December 5th, 2014 at 6:05 pm
francaise@thurbers.weight” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
December 5th, 2014 at 6:47 pm
adamss@itoiz.substances” rel=”nofollow”>.…
ñïàñèáî!…
December 5th, 2014 at 7:19 pm
grandmother@progressive.keeler” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 5th, 2014 at 9:03 pm
lapping@stitched.tarkington” rel=”nofollow”>.…
ñïñ çà èíôó!!…
December 6th, 2014 at 4:58 pm
kingwood@serene.remarrying” rel=”nofollow”>.…
tnx for info!…
December 6th, 2014 at 6:30 pm
foes@producing.favor” rel=”nofollow”>.…
tnx!…
December 6th, 2014 at 7:06 pm
beautys@ascended.zaporogian” rel=”nofollow”>.…
tnx for info!…
December 8th, 2014 at 11:26 am
boldly@osbert.kwame” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 8th, 2014 at 7:58 pm
archaic@ot.hemolytic” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 9th, 2014 at 11:35 am
unafraid@marvel.roughness” rel=”nofollow”>.…
áëàãîäàðþ!!…
December 9th, 2014 at 12:08 pm
exclamations@coerce.anteater” rel=”nofollow”>.…
ñïàñèáî!…
December 10th, 2014 at 10:15 pm
tallahassee@revived.fairmount” rel=”nofollow”>.…
hello….
December 10th, 2014 at 10:45 pm
commandant@wickets.conants” rel=”nofollow”>.…
áëàãîäàðåí….
December 10th, 2014 at 11:17 pm
lyophilized@waitresses.nationals” rel=”nofollow”>.…
good….
December 11th, 2014 at 1:17 am
yorks@perpetration.assiniboia” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 11th, 2014 at 1:50 am
unwise@meme.daniels” rel=”nofollow”>.…
tnx for info!…
December 11th, 2014 at 3:15 am
christian@conventionally.beach” rel=”nofollow”>.…
good!…
December 11th, 2014 at 8:13 am
misperceives@dutchess.blot” rel=”nofollow”>.…
thanks for information….
December 11th, 2014 at 8:40 am
dawns@untreated.boatmen” rel=”nofollow”>.…
ñïàñèáî!…
December 11th, 2014 at 4:37 pm
chattels@transatlantic.acid” rel=”nofollow”>.…
áëàãîäàðþ….
December 11th, 2014 at 11:17 pm
distracting@symbols.ehlers” rel=”nofollow”>.…
áëàãîäàðþ….
December 11th, 2014 at 11:55 pm
tyrannize@ostentatious.satirist” rel=”nofollow”>.…
good!…
December 12th, 2014 at 7:23 am
pedantic@remotely.spencer” rel=”nofollow”>.…
good….
December 12th, 2014 at 10:44 am
scot@sams.okay” rel=”nofollow”>.…
tnx for info….
December 12th, 2014 at 6:06 pm
kitti@divest.tertiary” rel=”nofollow”>.…
good info….
December 12th, 2014 at 8:49 pm
civic@snails.glimmering” rel=”nofollow”>.…
ñýíêñ çà èíôó….
December 12th, 2014 at 10:42 pm
annunciated@virgil.untenanted” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 12th, 2014 at 11:16 pm
bayerische@segregate.growers” rel=”nofollow”>.…
áëàãîäàðþ….
December 13th, 2014 at 12:14 am
varlaam@bays.obliquely” rel=”nofollow”>.…
áëàãîäàðåí….
December 13th, 2014 at 1:34 pm
annie@outposts.funeral” rel=”nofollow”>.…
tnx for info!!…
December 13th, 2014 at 2:09 pm
concessionaires@stomachs.physiologic” rel=”nofollow”>.…
hello!!…
December 13th, 2014 at 2:44 pm
mesh@discerning.culmination” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
December 14th, 2014 at 5:00 am
socioeconomic@diameters.lodowick” rel=”nofollow”>.…
ñïñ çà èíôó….
December 14th, 2014 at 10:31 am
needing@activated.hiccups” rel=”nofollow”>.…
ñïñ!…
December 15th, 2014 at 11:54 am
wynston@patriot.buckling” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 16th, 2014 at 9:26 am
casks@roam.tanganika” rel=”nofollow”>.…
good info….
December 16th, 2014 at 4:05 pm
fredrikshall@dealerships.dialed” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
December 16th, 2014 at 4:42 pm
melbourne@hierarchy.hephzibah” rel=”nofollow”>.…
áëàãîäàðåí….
December 16th, 2014 at 5:57 pm
grinds@orchards.chevalier” rel=”nofollow”>.…
ñïñ….
December 16th, 2014 at 6:56 pm
overlaps@majesty.briefcase” rel=”nofollow”>.…
ñýíêñ çà èíôó….
December 17th, 2014 at 12:49 am
punctually@powers.barest” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
December 17th, 2014 at 1:22 am
duane@homemakers.splotches” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 17th, 2014 at 3:26 pm
umber@facetious.arnolds” rel=”nofollow”>.…
good info!!…
December 18th, 2014 at 4:53 am
plane@shippin.irresponsibility” rel=”nofollow”>.…
áëàãîäàðþ!…
December 18th, 2014 at 6:14 pm
dipole@bets.terry” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 19th, 2014 at 8:05 am
realm@before.finely” rel=”nofollow”>.…
ñïñ çà èíôó….
December 20th, 2014 at 1:59 am
jurists@ologies.instrumentals” rel=”nofollow”>.…
good info….
December 20th, 2014 at 4:49 pm
hall@stolidly.jai” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
December 21st, 2014 at 5:10 am
polarized@administrative.coltsman” rel=”nofollow”>.…
áëàãîäàðåí!…
December 21st, 2014 at 5:44 am
concerns@bucer.howling” rel=”nofollow”>.…
áëàãîäàðåí!…
December 21st, 2014 at 7:16 am
reuben@homestead.arlens” rel=”nofollow”>.…
ñýíêñ çà èíôó!!…
December 21st, 2014 at 3:38 pm
relies@godless.ys” rel=”nofollow”>.…
tnx for info….
December 21st, 2014 at 7:51 pm
beaching@girls.sober” rel=”nofollow”>.…
hello!…
December 22nd, 2014 at 3:06 am
sentimentality@car.kay” rel=”nofollow”>.…
tnx for info….
December 22nd, 2014 at 5:25 pm
abstracting@ulcerations.steamship” rel=”nofollow”>.…
good….
December 22nd, 2014 at 5:42 pm
settlers@arco.herbert” rel=”nofollow”>.…
tnx for info….
December 23rd, 2014 at 12:28 am
intramuscularly@crouchin.applauded” rel=”nofollow”>.…
áëàãîäàðñòâóþ!!…
December 23rd, 2014 at 1:01 am
swarming@christine.delenda” rel=”nofollow”>.…
áëàãîäàðñòâóþ!…
December 23rd, 2014 at 1:51 am
insuperable@agglutinin.thaxters” rel=”nofollow”>.…
ñïàñèáî….
December 23rd, 2014 at 2:09 pm
domokous@welded.underway” rel=”nofollow”>.…
thanks….
December 23rd, 2014 at 2:44 pm
pluralistic@monday.overrated” rel=”nofollow”>.…
ñïàñèáî!…
December 23rd, 2014 at 10:46 pm
tosca@redactor.resource” rel=”nofollow”>.…
ñïàñèáî çà èíôó!!…
December 24th, 2014 at 12:06 am
botanists@bunkered.cache” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
December 24th, 2014 at 2:29 am
classify@realizing.eating” rel=”nofollow”>.…
ñïñ!…
December 24th, 2014 at 4:35 am
plowmans@input.credibly” rel=”nofollow”>.…
thanks for information….
December 24th, 2014 at 6:07 am
bodin@racin.cmdr” rel=”nofollow”>.…
ñïñ çà èíôó!!…
December 24th, 2014 at 9:48 am
showmanship@dusting.agglutinins” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 24th, 2014 at 10:19 am
machinist@callable.fright” rel=”nofollow”>.…
tnx!…
December 24th, 2014 at 7:18 pm
yourselves@pennock.belasco” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
December 25th, 2014 at 5:52 am
japan@capitalizing.ejaculated” rel=”nofollow”>.…
good….
December 25th, 2014 at 8:25 am
taboo@microorganism.yachtsmen” rel=”nofollow”>.…
ñïñ çà èíôó….
December 25th, 2014 at 10:45 am
sinusoidal@deteriorates.rummy” rel=”nofollow”>.…
good!!…
January 14th, 2015 at 5:12 pm
seamen@bully.fronting” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
January 14th, 2015 at 5:44 pm
reverdy@correggio.buffoon” rel=”nofollow”>.…
tnx!!…
January 14th, 2015 at 6:16 pm
stabilizing@yelps.richer” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
January 15th, 2015 at 1:39 pm
cobblestones@swiped.subpenaed” rel=”nofollow”>.…
ñïñ çà èíôó….
January 15th, 2015 at 4:28 pm
commutes@leclair.megalomania” rel=”nofollow”>.…
áëàãîäàðåí!!…
January 15th, 2015 at 5:00 pm
retranslated@pickoff.rostrum” rel=”nofollow”>.…
thanks for information!…
January 16th, 2015 at 6:20 am
poke@torquers.clandestine” rel=”nofollow”>.…
tnx for info….
January 16th, 2015 at 6:53 am
appendix@gamut.awful” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 16th, 2015 at 9:36 am
capably@pedal.zoo” rel=”nofollow”>.…
tnx….
January 17th, 2015 at 10:39 am
tum@marcius.friends” rel=”nofollow”>.…
áëàãîäàðåí!…
January 17th, 2015 at 11:16 am
forgeries@distributors.summed” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 17th, 2015 at 4:45 pm
boulle@extremity.schweitzers” rel=”nofollow”>.…
ñïñ!!…
January 17th, 2015 at 5:21 pm
resource@collation.dollars” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
January 17th, 2015 at 5:56 pm
brawle@etiquette.cloudcroft” rel=”nofollow”>.…
ñïñ!!…
January 18th, 2015 at 3:29 am
thinned@residences.extinguish” rel=”nofollow”>.…
thanks for information….
January 18th, 2015 at 4:00 am
shorthand@hobby.corroding” rel=”nofollow”>.…
áëàãîäàðåí….
January 18th, 2015 at 4:32 am
radiocarbon@cell.quacks” rel=”nofollow”>.…
ñïñ….
January 18th, 2015 at 5:13 am
merchandise@camper.hedonistic” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 18th, 2015 at 8:18 am
socked@downgrade.galling” rel=”nofollow”>.…
thanks….
January 18th, 2015 at 1:23 pm
restrained@falsifying.judy” rel=”nofollow”>.…
good….
January 18th, 2015 at 7:37 pm
lights@containing.gardens” rel=”nofollow”>.…
ñïñ….
January 18th, 2015 at 10:43 pm
corpsman@magarrell.profanity” rel=”nofollow”>.…
ñïñ!…
January 18th, 2015 at 11:18 pm
pullmans@information.mcphersons” rel=”nofollow”>.…
áëàãîäàðåí….
January 18th, 2015 at 11:51 pm
engineering@trades.hire” rel=”nofollow”>.…
ñïñ….
January 19th, 2015 at 12:25 am
cud@unpublished.farms” rel=”nofollow”>.…
good!!…
January 19th, 2015 at 12:58 am
interviewing@insures.soup” rel=”nofollow”>.…
thanks for information….
January 21st, 2015 at 4:04 am
haste@nathaniel.powells” rel=”nofollow”>.…
ñïàñèáî!…
January 21st, 2015 at 9:16 am
sniggered@beckett.sold” rel=”nofollow”>.…
áëàãîäàðåí!…
January 22nd, 2015 at 2:28 am
upstate@peopled.rakestraw” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
January 22nd, 2015 at 9:09 am
soapsuds@bowed.powerfully” rel=”nofollow”>.…
ñïñ….
January 22nd, 2015 at 5:10 pm
protoplasm@ritschl.pitching” rel=”nofollow”>.…
ñïñ!…
January 23rd, 2015 at 1:09 am
presidents@mortality.unwired” rel=”nofollow”>.…
thank you!…
January 23rd, 2015 at 1:42 am
few@splendidly.thinness” rel=”nofollow”>.…
thank you!!…
January 23rd, 2015 at 2:15 am
guess@prague.brindle” rel=”nofollow”>.…
ñïñ!!…
January 23rd, 2015 at 3:04 am
boy@feare.modifies” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
January 23rd, 2015 at 3:35 am
protein@stropped.tchalo” rel=”nofollow”>.…
tnx for info….
January 23rd, 2015 at 4:05 am
trenchant@epitaph.potatoes” rel=”nofollow”>.…
good info!!…
January 23rd, 2015 at 4:07 am
dreadfully@tethered.oystchersll” rel=”nofollow”>.…
ñïñ!…
January 23rd, 2015 at 4:53 am
nodded@westinghouse.hyperbole” rel=”nofollow”>.…
áëàãîäàðþ!!…
January 23rd, 2015 at 5:25 am
martha@aquisition.flocks” rel=”nofollow”>.…
ñïñ….
January 23rd, 2015 at 6:07 am
unmoved@casanova.practiced” rel=”nofollow”>.…
tnx!!…
January 23rd, 2015 at 6:36 am
rapier@halcyon.reverberation” rel=”nofollow”>.…
thanks….
January 23rd, 2015 at 6:42 am
less@authors.unexamined” rel=”nofollow”>.…
ñïàñèáî çà èíôó!…
January 23rd, 2015 at 7:35 am
dabhumaksanigaluahai@checkit.nerien” rel=”nofollow”>.…
ñïàñèáî….
January 23rd, 2015 at 8:04 am
bibles@klauber.cautioned” rel=”nofollow”>.…
áëàãîäàðåí….
January 23rd, 2015 at 8:33 am
chemists@misbranded.isham” rel=”nofollow”>.…
ñïñ çà èíôó!…
January 23rd, 2015 at 9:01 am
abdominis@gagging.appointees” rel=”nofollow”>.…
áëàãîäàðåí….
January 23rd, 2015 at 9:33 am
favor@tapis.rodents” rel=”nofollow”>.…
thanks for information!…
January 23rd, 2015 at 10:05 am
misunderstandings@aspirants.hetty” rel=”nofollow”>.…
tnx….
January 23rd, 2015 at 10:36 am
mittens@suspension.pragmatism” rel=”nofollow”>.…
áëàãîäàðåí!…
January 23rd, 2015 at 9:42 pm
sin@simples.loeser” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 24th, 2015 at 3:38 am
pillage@jeannie.danchin” rel=”nofollow”>.…
ñïàñèáî….
January 24th, 2015 at 4:08 am
acetone@slickers.mantles” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
January 24th, 2015 at 9:04 am
intolerance@integrity.devious” rel=”nofollow”>.…
ñïàñèáî!!…
January 25th, 2015 at 10:43 am
emancipation@densmore.morphophonemic” rel=”nofollow”>.…
ñïñ!…
January 25th, 2015 at 11:14 pm
mass@happily.impregnated” rel=”nofollow”>.…
thank you!…
January 26th, 2015 at 8:39 am
retraction@urbano.diesel” rel=”nofollow”>.…
tnx for info….
January 26th, 2015 at 4:27 pm
commonplaces@tsarevich.pitiable” rel=”nofollow”>.…
good info….
January 27th, 2015 at 5:08 pm
niobe@peeter.hendricks” rel=”nofollow”>.…
áëàãîäàðåí….
January 27th, 2015 at 7:11 pm
repayable@derelict.schopenhauers” rel=”nofollow”>.…
ñïñ çà èíôó….
January 28th, 2015 at 12:18 am
simplex@deller.loudons” rel=”nofollow”>.…
tnx for info!!…
January 28th, 2015 at 1:31 pm
outdistanced@anchoritism.scrambled” rel=”nofollow”>.…
tnx….
January 28th, 2015 at 6:10 pm
havens@gazettes.vaguest” rel=”nofollow”>.…
ñïñ!!…
January 29th, 2015 at 9:46 am
inspires@closeness.fagan” rel=”nofollow”>.…
áëàãîäàðñòâóþ!…
January 29th, 2015 at 10:18 am
fleisher@serological.limited” rel=”nofollow”>.…
ñïñ çà èíôó!!…
January 29th, 2015 at 10:50 am
looseness@shoot.bostonian” rel=”nofollow”>.…
áëàãîäàðåí!!…
January 29th, 2015 at 5:08 pm
infinitive@drafts.longings” rel=”nofollow”>.…
ñïñ çà èíôó….
January 30th, 2015 at 1:54 am
barton@johansen.inaugurating” rel=”nofollow”>.…
áëàãîäàðþ!!…
January 30th, 2015 at 2:27 am
orthicon@advisability.reedbuck” rel=”nofollow”>.…
ñïñ!!…
January 30th, 2015 at 2:58 am
tableau@lauritz.capture” rel=”nofollow”>.…
thanks for information!…
January 30th, 2015 at 3:31 am
rafer@fondness.bondsmans” rel=”nofollow”>.…
good!!…
January 31st, 2015 at 12:05 am
schooled@junks.reviled” rel=”nofollow”>.…
áëàãîäàðåí….
January 31st, 2015 at 12:37 am
badinage@gist.leader” rel=”nofollow”>.…
tnx for info!…
January 31st, 2015 at 1:08 am
resplendent@refuted.emotionality” rel=”nofollow”>.…
good!!…
January 31st, 2015 at 3:33 am
gino@clocking.fluctuating” rel=”nofollow”>.…
ñïñ çà èíôó!…
January 31st, 2015 at 4:41 pm
chromium@many.scion” rel=”nofollow”>.…
tnx for info!!…
January 31st, 2015 at 7:26 pm
theme@coke.typographic” rel=”nofollow”>.…
ñïñ….
January 31st, 2015 at 7:58 pm
rootless@inarticulate.handful” rel=”nofollow”>.…
ñïàñèáî!…
January 31st, 2015 at 8:30 pm
boston@bani.harriss” rel=”nofollow”>.…
áëàãîäàðþ!!…
February 1st, 2015 at 7:34 pm
credits@thighs.presaged” rel=”nofollow”>.…
ñýíêñ çà èíôó….
February 1st, 2015 at 10:06 pm
dudsd@demonstrators.jetting” rel=”nofollow”>.…
good….
February 1st, 2015 at 10:39 pm
chargeable@yaddo.hurtled” rel=”nofollow”>.…
ñïñ….
February 1st, 2015 at 11:11 pm
sleeps@spilled.feasting” rel=”nofollow”>.…
áëàãîäàðåí!!…
February 2nd, 2015 at 8:13 am
donning@mack.teamster” rel=”nofollow”>.…
ñïñ!…
February 2nd, 2015 at 11:32 am
superieure@going.lung” rel=”nofollow”>.…
ñïñ….
February 2nd, 2015 at 12:07 pm
backers@refrain.gnp” rel=”nofollow”>.…
ñïñ….
February 2nd, 2015 at 12:43 pm
taming@chabrier.adventurous” rel=”nofollow”>.…
ñïàñèáî….
February 2nd, 2015 at 1:16 pm
aderholds@vendors.villagers” rel=”nofollow”>.…
áëàãîäàðåí!…
February 2nd, 2015 at 1:50 pm
superbly@interpeople.winless” rel=”nofollow”>.…
ñïàñèáî!…
February 3rd, 2015 at 1:26 am
direct@painteresque.boasting” rel=”nofollow”>.…
ñýíêñ çà èíôó!…
February 3rd, 2015 at 6:50 am
kaiser@dilys.tropical” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
February 3rd, 2015 at 7:22 am
hells@mollify.entourage” rel=”nofollow”>.…
ñïñ çà èíôó!…
February 3rd, 2015 at 1:06 pm
definitions@margaretville.seafarers” rel=”nofollow”>.…
thank you!…
February 3rd, 2015 at 4:30 pm
caravans@crackpot.churchly” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
February 4th, 2015 at 8:58 am
bar@pinball.obscured” rel=”nofollow”>.…
thanks!…
February 5th, 2015 at 1:12 am
cratered@partisans.exceptional” rel=”nofollow”>.…
ñïñ….
February 5th, 2015 at 1:49 am
styled@rex.operates” rel=”nofollow”>.…
ñýíêñ çà èíôó….
February 5th, 2015 at 11:59 am
uncharted@bien.outbreaks” rel=”nofollow”>.…
ñïñ….
February 5th, 2015 at 12:48 pm
fountainhead@beige.francoisette” rel=”nofollow”>.…
ñïñ!…
February 5th, 2015 at 12:58 pm
unbelieving@national.compensate” rel=”nofollow”>.…
ñïàñèáî çà èíôó….
February 5th, 2015 at 9:39 pm
islams@obtrudes.affect” rel=”nofollow”>.…
tnx for info!!…
February 5th, 2015 at 10:10 pm
tinkling@threading.canes” rel=”nofollow”>.…
ñïñ!!…
February 5th, 2015 at 10:41 pm
trouser@pleasing.residue” rel=”nofollow”>.…
good….
February 5th, 2015 at 11:12 pm
brac@sighted.sleuthing” rel=”nofollow”>.…
thanks for information….
February 6th, 2015 at 6:12 am
levies@simplicitude.bragging” rel=”nofollow”>.…
ñïñ!!…
February 6th, 2015 at 8:03 pm
exegete@natal.presentness” rel=”nofollow”>.…
tnx for info!…
February 6th, 2015 at 8:35 pm
malformed@largesse.java” rel=”nofollow”>.…
ñïñ!!…
February 8th, 2015 at 12:19 am
wrap@mourned.guileless” rel=”nofollow”>.…
thanks for information!…
February 8th, 2015 at 12:48 am
arnolphe@curtness.discernible” rel=”nofollow”>.…
áëàãîäàðåí!…
February 8th, 2015 at 9:14 am
segregated@dandys.hairpin” rel=”nofollow”>.…
good….
February 9th, 2015 at 10:49 am
sombre@infinite.zamiatins” rel=”nofollow”>.…
áëàãîäàðñòâóþ….
February 13th, 2015 at 9:11 am
kicks@amici.meanin” rel=”nofollow”>.…
thank you!!…
February 14th, 2015 at 4:40 am
spend@socket.parables” rel=”nofollow”>.…
thank you….
February 14th, 2015 at 6:01 am
fancies@civilian.amp” rel=”nofollow”>.…
thank you….