Getting Pointers from Leaky Interpreters

October 29th, 2009

Note: I haven’t seen this anywhere before but I wouldn’t be surprised if it had been done, so let me know if I should credit someone. It was inspired in some really abstract way by a USENIX Security paper from 2003.

Goal

To create an ActionScript function that takes an Object and computes the address when run in Tamarin.

Introduction

Despite the growing adoption of SDLs and the proliferation of code analysis tools, many commercial applications are still sprinkled with memory corruption bugs. Microsoft has implemented address space layout randomization (ASLR) and data execution prevention (DEP) to make the exploitation of these vulnerabilities much more difficult. Researchers and attackers have been forced to develop application specific strategies to circumvent the mitigations. Mark Dowd and Alex Sotirov wrote a really useful Blackhat USA 2008 paper explaining the implementation decisions made for each of the mitigations (for each version of Windows) and some attacks they’ve developed to take advantage of those decisions. I waited way too long to read this paper — don’t make my mistake. These techniques are not universal and for each “class” of application new exploit techniques must be developed. Thinking about application specific techniques has been fun and produced a few cool gadgets. This note talks about one of them.

Knowing the address of attacker controllable data before triggering an exploit is useful (if not necessary). Many times, a heap spray is enough to place some shellcode or data structure at a known address. Despite their effectiveness, heap sprays just feel dirty. So, out of a desire to pimp my exploits, I set out in search of a way to leak addresses of attacker controlled structures.

Tagged Pointers

Many interpreters represent atomic objects (we’ll call them atoms) as tagged pointers. Each base type is given a tag, and an atom is represented by placing this tag in the lower bits while the atom's value is encoded in the upper bits. The Tamarin virtual machine uses 3-bit tags. The Tamarin integer tag is 6, so, for example, the atom for 42 is encoded as:

>>> '0x%08x' %  (42 << 3 | 6)
'0x00000156'

Similarly, a Tamarin Object tag is 2, so an Object at 0xaabbccd0 is encoded as:

>>> '0x%08x' %  (0xaabbccd0 | 2)
'0xaabbccd2'

Integers that don't fit into 29 bits are interned as strings. This technique is quite old and was used on the Lisp Machines and was discussed in both SICP (footnote 8) and at least one [PDF] of the early 'Lambda Papers'.

Tamarin Dictionaries

Tamarin Dictionary objects store Object to Object mappings and are implemented internally as hashtables. The hashtable implementation maintains a table that is the smallest power of 2 greater than the number of entries * 5/4. In other words, the table is never more than 80% full (see the source). When an insert causes the table to become more full, the table is grown and all entries are rehashed (see the source). The hash function operates on atoms; it shifts off the lower 3 tag bits and masks off enough top bits to fit the table (see the source).

The "for x in y" looping construct and the AVM2 instructions "hasnext2", "nextname", and "nextvalue" allow the interpreted program to iterate over a Dictionary (or generic Object -- the difference is not made clear in the AVM2 documentation, but the Tamarin implementation makes a distinction). This iteration is accomplished by walking the hashtable from start of table to end. For example, if all integers inserted into the Dictionary are less than the size of the hashtable, the integers will come back out in ascending order. We will leverage this to determine the value of any atom (well, most of it, anyway).

Integer Sieves

Now that all of the background is out of the way, I can explain the general idea. Since integers are placed into the hashtable by using their value as the key (of course, any top bits will be masked off), we can determine the value of some other atom by comparing the integers before and after it. Since Object atoms are basically just pointers, we can disclose as many bits of a pointer as we can grow the hashtable. To avoid the problem of a hash collision, we create two Dictionaries, one with all the even integers and one with all the odd integers (up to some power of two -- the larger, the more bits we discover). After creating the Dictionaries, we insert the victim object into both Dictionaries (the value you map it to does not matter for this trick -- in fact, the values are of no use at all). Next, search each Dictionary using the for-in construct, recording the last key visited and breaking when the current key is the victim object.

We now have two values, and they should differ by 17. This is due to the probing: when a hashtable insert collides, it uses a quadratic probe to find an empty slot. It begins at hash(atom) + 8 (collides -- even + even = even, odd + even = odd), then tries hash(atom) + 17 (success -- even + odd = odd, odd + odd = even). So, we know that when the two values differ by 17, the lower value is the one from the Dictionary that didn't have the collision. When the difference isn't 17 (the probe wrapped around), the larger value is from the Dictionary that didn't have the collision. We now have the integer that, when turned into an atom, is 8 (aka 1 << 3) smaller than the victim atom. Finally, to get the victim atom from the integer x: ((x << 3) + 8), or more to the point, ((x + 1) << 3).
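The sieve described above, modelled in Python as an added example (not the author's code, and not Tamarin's): a toy open-addressed table that uses the hash and the +8/+17 probe from the text, so you can see why the two predecessors differ by 17 and how the wrap-around case resolves. The class and function names, the fixed table size with no growth, the continuation of the probe steps past the second one, and the sample addresses are assumptions made for the model.

```python
TAG_BITS = 3
INT_TAG = 6   # Tamarin integer tag, from the text
OBJ_TAG = 2   # Tamarin Object tag, from the text


def int_atom(value):
    """Atom for a small integer: value in the upper bits, tag in the low 3."""
    return (value << TAG_BITS) | INT_TAG


def obj_atom(address):
    """Atom for an 8-byte-aligned object: the pointer with the tag or'ed in."""
    return address | OBJ_TAG


class ToyTable:
    """Hypothetical stand-in for the hashtable: fixed size, never grown."""

    def __init__(self, log2_slots):
        self.mask = (1 << log2_slots) - 1
        self.slots = [None] * (1 << log2_slots)

    def insert(self, atom):
        # Hash as described in the text: drop the tag bits, mask to the table.
        i = (atom >> TAG_BITS) & self.mask
        # Probe as described: hash + 8, then hash + 17 (a further 9).
        # Steps after that keep growing by one; that part is an assumption.
        step = 8
        while self.slots[i] is not None:
            i = (i + step) & self.mask
            step += 1
        self.slots[i] = atom

    def keys(self):
        # Iteration walks the table from the first slot to the last.
        return (atom for atom in self.slots if atom is not None)


def predecessor(table, victim):
    """Integer key visited just before the victim during iteration."""
    prev = -1  # -1: the victim came out before any integer key
    for atom in table.keys():
        if atom == victim:
            return prev
        prev = atom >> TAG_BITS
    raise LookupError("victim not in table")


def leak_low_bits(address, log2_slots):
    """Recover the address bits covered by the table from slot order alone."""
    size = 1 << log2_slots
    even, odd = ToyTable(log2_slots), ToyTable(log2_slots)
    for n in range(0, size, 2):
        even.insert(int_atom(n))
        odd.insert(int_atom(n + 1))
    victim = obj_atom(address)
    even.insert(victim)
    odd.insert(victim)
    lo, hi = sorted((predecessor(even, victim), predecessor(odd, victim)))
    # Differ by 17: the lower value is from the table without a collision.
    # Otherwise the probe wrapped around and the larger value is the one.
    base = lo if hi - lo == 17 else hi
    return (base + 1) << TAG_BITS


if __name__ == "__main__":
    addr = 0x00A3C5D0  # constructed sample address
    for bits in (12, 16):
        print(bits, hex(leak_low_bits(addr, bits)))
```

With a table of 2^k slots the model recovers address bits 3 through k+2, so each doubling of the table exposes one more bit.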

Sample Code

package getptr
{
  import avmplus.System;
  import flash.utils.Dictionary;
 
  print("getptr - dion@semantiscope.com");
 
  function objToPtr(obj) {
    var i;
    var even = new Dictionary();
    var odd = new Dictionary();
 
    print("[+] Creating hashtables");
    for (i = 0; i < (1024 * 1024 * 2); i += 1) {
      even[i * 2] = i;
      odd[i * 2 + 1] = i;
    }
 
    print("[+] Triggering hashtable insert");
    even[obj] = false;
    odd[obj] = false;
 
    var evenPrev = 0;
    var oddPrev = 0;
    var curr;
 
    print("[+] Searching even hashtable");
    for (curr in even)
    {
      if (curr == obj) { break; }
      evenPrev = curr;
    }
 
    print("[+] Searching odd hashtable");
    for (curr in odd)
    {
      if (curr == obj) { break; }
      oddPrev = curr;
    }
 
    var ptr;
    if (evenPrev < oddPrev) {
      ptr = evenPrev;
      if (evenPrev + 8 + 9 != oddPrev) {
        print("[-] Something went wrong " + evenPrev + ", " + oddPrev);
      }
    } else {
      ptr = oddPrev;
      if (oddPrev + 8 + 9 != evenPrev) {
        print("[-] Something went wrong " + oddPrev + ", " + evenPrev);
      }
    }
    ptr = (ptr + 1) * 8;
 
    return ptr;
  }
 
  var victim = "VICTIM";
  var ptr = objToPtr(victim);
 
  print("[+] ptr = " + ptr);
 
  System.debugger();
}

Notes: All tests were performed with Tamarin pulled from tamarin-central @ dab354bc047c

To test this code, compile up a Tamarin avmshell, place a breakpoint on SystemClass::debugger(), and run the sample script. Once the debugger hits, check the address spit out. On an XP system, the heap is gonna start pretty low, so the output address will probably be correct (it was for me). For a string, the address + 0xC will be a pointer to the bytes of the string (to help you verify that it works).

I compiled the above ActionScript with asc.jar as suggested by the Tamarin build documentation.

It is worth knowing that Flash Player uses a version of the Tamarin virtual machine, but the sample code will not work directly with Flash. Feel free to reverse it yourself and see the modifications you need to make. I have not spent the time to make my script work with it, but I think it shouldn't be hard.

Epilogue

This is, I think, a cute trick. Who cares? I care because this kind of leak is really hard to automatically check for. Bits are leaked via comparisons. How do you track this kind of information leakage? Maybe someone from academia can pipe up -- maybe no one cares. Knowing the address of some attacker controllable bytes is always good. Regardless of the usefulness, I hope it was interesting.

Happy hunting!

EDIT: Changed "Prologue" to "Epilogue"... wow, I wrote this post too quickly.
EDIT: Fix the typo reported by Jordan.

246 Responses to “Getting Pointers from Leaky Interpreters”

  1. anon Says:

    Nice work!

    Though similar ideas probably pop into people’s heads every now and again. Some guys from Core did a presentation a few years ago at Blackhat about using crafted inserts via web applications to leak data via timing analysis against MySQL (no code was ever released), which has nothing to do with this at all, but they introduced the idea by talking about the usefulness of being able to sort a list of usernames by password, and then insert users with crafted passwords and see where they fit in.

  2. Stephen A. Ridley Says:

    Nice one bruv!

  3. Jordan Says:

    So neat. Also, there’s a small typo in the sample above. It will still work great normally, but the error condition itself won’t work correctly. ;-)

    @@ -49,3 +49,3 @@
    if (oddPrev + 8 + 9 != evenPrev) {
    - print(“[-] Something went wrong ” + oldPrev + “, ” + evenPrev);
    + print(“[-] Something went wrong ” + oddPrev + “, ” + evenPrev);
    }
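
    Review bot: The string literals on the - and + lines use typographic quotes (“ ”), so the hunk will not apply as pasted to a listing whose print() calls use straight ASCII quotes; retype them as " before applying. The rename itself is consistent with the context line above it, which compares oddPrev against evenPrev, so the message should print those same two variables.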

  4. dionthegod Says:

    anon, s7ephen: Thanks!

    Jordan: Right. I’ve made the edit, thanks.
