From: Subject: NEWORDER Date: Mon, 23 Feb 2004 15:10:11 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0035_01C3FA1F.21FD89A0"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 This is a multi-part message in MIME format. ------=_NextPart_000_0035_01C3FA1F.21FD89A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://neworder.box.sk/sam_index.php NEWORDER
search files,=20 exploits & links sections:

REGISTER=20

<<security accounts=20 manager>>
<forewords>

this was = not written=20 for "good" or "bad" purposes; it was written for greater=20 understanding, please respect that.

that first = sentence needs=20 repeating:

THIS WAS NOT WRITTEN FOR "GOOD" OR "BAD" = PURPOSES;=20 IT WAS WRITTEN FOR GREATER UNDERSTANDING, PLEASE RESPECT=20 THAT.

network stuff is not yet properly covered. this = article=20 is based around a local system of nt5pro(2000) though a lot = will=20 apply to nt4 and nt5.1(xp)

directory paths are = written as=20 c:\winnt\system32 - some say it should be in the form of:=20 %systemroot%\system32

this article has been written = concisely=20 and progressively, it is advisable _not_ to skim = read.

while=20 every effort was made to write accurate information, errors = may be=20 present. if you notice something that is incorrect please = point it=20 out. just because it is in writing, does not mean that it is = right.
<legal = stuff>

computer security=20 is becoming quite complex in terms of computer and related = law,=20 because of this i have tried to investigate the legality of = this=20 research. i believe that it is "probably" legal, based on = the=20 following five reasons:

01. i have operated = exclusively on my=20 own equipment, with legal software.

02. i have not = tried to=20 obtain the source code (i wouldn't understand it anyhow) i = have not=20 decompiled or disassembled any binaries. the registry hives = are=20 generated databases which are not executable or program. i = have not=20 cracked any encryption algorithms. findings have been based = on trial=20 and error investigations.

03. i have not provided any = code or=20 binaries to exploit any possible insecurities. security = information=20 is two sided. one side it could be used to do something = illegal. the=20 other, prevent something illegal. the reader makes the = chose, and i=20 think that honest people would like to know so that they can = do=20 something about it.

04. all information contained on = this=20 webpage is provided on an "as is" basis, and you, the reader = must=20 understand that the author accepts no responsibility of the=20 (use)misuse of any information contained on this webpage. = the author=20 will not assist in any illegal activities.

05. = although i=20 have foreworded this article with: "this was not written for = "good"=20 or "bad" purposes; it was written for greater understanding, = please=20 respect that." i hope that some "good" will result from it, = i have=20 included ways of increasing the security at the end. there = is no=20 malicious intent, it is purely research, with the hope of=20 improvement through understanding.

n.b: if you are = planning=20 to use any of the information, think about the legality of = your=20 actions. in the uk you could be prosecuted under the = computer misuse=20 act 1990. for more info: http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.= htm
<usefull = programs>

antexp:
http://www.elcomsoft.com/antexp.html
filemon:
<= A=20 = href=3D"http://www.sysinternals.com/ntw2k/source/filemon.shtml"=20 = target=3D_blank>http://www.sysinternals.com/ntw2k/source/filemon.shtml
filewatch:
http://kevin.gearhart.com/filewatch/
lc3:
http://www.atstake.com/research/lc3/
norton=20 ghost:
http://www.symantec.com/sabu/ghost/ghost_personal/ntfs=20 for dos: (read)
http://www.sysinternals.com/ntw2k/freeware/NTFSDOS.shtml<= /A>
ntfs=20 for dos: (write)
http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.sht= ml
ntfs=20 for windows 98: (read)
http://www.sysinternals.com/ntw2k/freeware/ntfswin98.shtm= l
offline=20 ntpassword & registry editor: (petter nordahl-hagen, = this is=20 amazing!!)
http://home.eunet.no/~pnordahl/ntpasswd/
it has=20 just been found that this site is down :-( however a = bootable cd=20 version is available here: http://www.dmzs.com/tools/files/
performance=20 test:
http://www.passmark.com/
regmon: = (quickest=20 software reboot if run in xp?)
http://www.sysinternals.com/ntw2k/source/regmon.shtml=
winhex:=20 (stefan fleischmann, this is amazing!!)
http://www.winhex.com/winhex/
<intro>

commonly = known as the=20 sam file - it holds the users details for the machine. it = contains=20 usernames, password hashes and permission levels etc, and = thus is=20 important for its purpose.

the file is located:=20 c:\winnt\system32\config\sam along with the other hives that = make up=20 the nt registry. within the registry it is located:=20 hkey_local_machine\sam\sam\domains... there is also a link = folder to=20 the sam hive: hkey_local_machine\security\sam\sam\... = nothing will=20 be visiable if you browse via regedit, users are denied = access. to=20 view, use regedt32.exe and change the permissions on=20 hkey_local_machine\sam\sam via security -> permissions. = in xp=20 right click on the key for permission options.

at = startup, it=20 is loaded after the full screen white windows logo screen = (right=20 after disk checking). if there are any *major* errors in the = sam=20 file, the machine will blue screen and reboot at this=20 point.
<entering of users -=20 gui>

nt has two = builtin user=20 accounts. an administrator and a guest, each belonging to = their=20 respective groups. these accounts cannot be deleted = (according to=20 ms). they can be renamed. by default the guest account is = disabled,=20 however default security policies allow guest to logon = locally if=20 the account is enabled. the builtin administrator account = cannot be=20 disabled, but it can be denied logon locally via security = policies.=20 _be aware of that_ setting mentioned further = down.

users can=20 be added via the add button in "users and passwords" - found = in=20 control panel, or via computer management - found in control = panel=20 -> administrative tools, or right click on "my computer" = and=20 select: manage. right click in the right pane of "local = users and=20 groups\users" and select new user. direct files to run:=20 c:\winnt\system32\compmgmt.msc or for just the users part:=20 c:\winnt\system32\lusrmgr.msc. unsure which file is users = and=20 passwords dialog.

usernames can be >=3D1 and = <=3D20=20 characters
usernames can contain letters, numbers, = special,=20 extended and control characters
usernames cannot be any = names of=20 any groups, of any case
usernames cannot be = "authenticated users"=20 nor "interactive", of any case, these usernames already = exist - see=20 computer management -> local users and groups -> = groups ->=20 users
usernames cannot be duplicated, of any = case.

nt5pro=20 (only) has an interesting problem creating an account using = the=20 local machine name for a username. on clicking finish, it = will error=20 with: "the user "machinename" could not be (granted "group" = user=20 access/added to the "group" group) because "machinename" = does not=20 exist." however the user is created of no group. usernames = can be=20 renamed to the local machine name.

fullnames can be = >=3D0=20 and <=3D255 characters
descriptions can be >=3D0 = and <=3D255=20 characters

passwords can be >=3D0 or <=3D256=20 characters
passwords can contain letters, numbers, = special,=20 extended and control characters
minimum length can be = increased=20 from 0, to a maximum of 14 character via security policies. = by=20 default users passwords expire after 42 days, oddly the = builtin=20 administrator and guest accounts are set to never expire. = the user=20 gets a prompt at login if the set time is = exceeded.

2k has 6=20 main user groups. groups cannot be removed, though new ones = can be=20 added. groups set out what rights each user has when they = logon.=20 each user is assigned a number. user numbers start from = 3e8/1,000=20 and increase by one, even if users are removed. this is = because some=20 permissions are set by user number. for nt5 the maximum = number of=20 users is about 4 billion.
group/description group no. user no. dec/hex
administrators:
administrators have = complete and=20 unrestricted access to the computer/domain		 no. 220

on disk:
00 00 20 02 = 		builtin: 500/000001F4, = else:
>=3D1000/000003e8=20
users:
users are prevented from making = accidental or=20 intentional system-wide changes. thus, users can run = certified=20 applications, but not most legacy applications = 		no. 221

on disk:
00 00 21 02 = 		>=3D1000/000003e8
guests:
guests have the same access as = members of=20 the users group by default, except for the guest = account which=20 is further restricted 		no. 222

on disk:
00 00 22 02 = 		builtin: 501/000001F5, = else:
>=3D1000/000003e8=20
power=20 users:
power users possess most administrative = powers with=20 some restrictions. thus, power users can run legacy=20 applications in addition to certified applications = 		no. 223

on disk:
00 00 23 02 = 		>=3D1000/000003e8
backup=20 operators:
backup operators can override security=20 restrictions for the sole purpose of backing up or = restoring=20 files 		no. 227

on disk:
00 00 27 02 = 		>=3D1000/000003e8
replicator:
supports file replication in a = domain		 no. 228

on disk:
00 00 28 02 = 		>=3D1000/000003e8
<structure of the sam = file>

the=20 following sam file extracts were taken from a default setup = of=20 nt5pro.
"329068152-152049171-854245398" is the sidno. for = my=20 machine.
the sam file forms the following registry = structure=20 (values in brackets)
the sam hive = by default=20 has two different permission levels:
p1: 78,00,00,00 = ->=20 00,00,00,78
p2: 78,01,00,00 ->=20 = 00,00,01,78
###################################################= ##############################
hkey_local_machine
+-hardware
|-s= am=20 (p1)
|  |-sam = (c)(p2)
|     |-domains=20 (@)(p2)
|     | &nbs= p;  |-account=20 (f,v)(p2)
|     | &nbs= p;  |    |-aliases=20 (@)(p2)
|     | &nbs= p;  |    |    |-members= =20 (@)(p2)
|     | &nbs= p;  |    |    \-names=20 (@)(p2)
|     | &nbs= p;  |    |-groups=20 (@)(p2)
|     | &nbs= p;  |    |   =20 |-00000201 (c)(p2)
|     | &nbs= p;  |    |    |-names=20 (@)(p2)
|     | &nbs= p;  |    |     &nb= sp;  |-none=20 (@)(p2)
|     | &nbs= p;  |    |-users=20 (@)(p2)
|     | &nbs= p;  |        |-000001f4= =20 (f,v)(p2)
|     | &nbs= p;  |        |-000001f5= =20 (f,v)(p2)
|     | &nbs= p;  |        |-names=20 (@)(p2)
|     | &nbs= p;  |         &nbs= p;  |-administrator=20 (@)(p2)
|     | &nbs= p;  |         &nbs= p;  |-guest=20 (@)(p2)
|     | &nbs= p;  |-builtin=20 (f,v)(p2)
|     | &nbs= p;       |-aliases=20 (@)(p2)
|     | &nbs= p;       |    |-00= 000220=20 (c)(p2)
|     | &nbs= p;       |    |-00= 000221=20 (c)(p2)
|     | &nbs= p;       |    |-00= 000222=20 (c)(p2)
|     | &nbs= p;       |    |-00= 000223=20 (c)(p2)
|     | &nbs= p;       |    |-00= 000227=20 (c)(p2)
|     | &nbs= p;       |    |-00= 000228=20 (c)(p2)
|     | &nbs= p;       |    |-me= mbers=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;   |-s-1-5=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;   |   |-00000004=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;   |   \-0000000b=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;   |-s-1-5-21-329068152-152049171-854245398=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;    =20 =             &= nbsp;      |-000001f4=20 (@)(p2)
|     | &nbs= p;       |    |&nb= sp;           &nbs= p;            = ;|-000001f5=20 (@)(p2)
|     | &nbs= p;       |    |-na= mes=20 (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-administrator=20 (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-backup=20 operators (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-guests=20 (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-power=20 users (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-replicator=20 (@)(p2)
|     | &nbs= p;       |    &nbs= p;   |-users=20 (@)(p2)
|     | &nbs= p;       |-groups=20 (@)(p2)
|     | &nbs= p;       |    \-na= mes=20 (@)(p2)
|     | &nbs= p;       |-users=20 (@)(p2)
|     | &nbs= p;           |-nam= es=20 (@)(p2)
|     \-rxact=20 (@)(p2)
##########################################= #######################################
what=20 some parts appears to do:

usernames are stored as a = keyname -=20 what ever this is, it is the login=20 = username:
\sam\sam\domains\account\users\names\(username)
within=20 this key is the user number - 4 byte @ value, eg 00,00,01,f4 = this=20 links to:
\sam\sam\domains\account\users\(userno.) within = this=20 key there is a v value which, towards the end also has the = username=20 (plus the fullname, description, and the lm/nt hashes). the = dialog=20 box "users and passwords" relies on these two user names = matching=20 up, if they don't the user is _not_ listed. if the = usernamekey is=20 changed computer management will not list that user in users = (sp2?),=20 but will error with "the following error occurred while = attempting=20 to read user properties: the user name could not be found." = if the=20 member list is viewed, for which the user is a member of, = they will=20 be listed - the name used will be the one from the v=20 value.

users obtain their permissions by belonging to = a=20 group. the group(s) they are a member(s) of is specified=20 = at:
\sam\sam\domains\builtin\aliases\members\s-1-5-21-(sidno.)\(userno= .)\@
if=20 a user is not a member of any group, they will not have a = userno.=20 key here.
if they are members of more than one group, the = @ value=20 will list each one.
the @ is a four byte value that = matches up=20 = with:
\sam\sam\domains\builtin\aliases\(groupno.)
within this=20 key is a value named c. within it are some of the settings = for that=20 group, the description towards the end is used within the=20 os.
users of no group will not appear in the dialog: = users and=20 passwords. a list of all users can be found in computer = management.=20 what user rights users of no groups have is unclear but they = can=20 logon.

\sam\sam\domains\builtin\aliases\(groupno.)\c = holds=20 the number of users for the group at offset 0x30 within the = data of=20 the value (first four bytes not included) this value = *probably* has=20 four bytes set aside (read backwards) giving a maximum:=20 4,294,967,295 for each=20 = group

\sam\sam\domains\builtin\aliases\names\(groupname) is=20 the name used by the os for the group. within this key is an = 4 byte=20 @ value, such as 00,00,02,21 that links to:=20 \sam\sam\domains\builtin\aliases\(groupno.) which in this = case would=20 be the user group.

user accounts can either be active = or=20 inactive. the difference being the ability to logon. this = setting is=20 located in:
\sam\sam\domains\account\users\(userno.)\F - = the=20 setting is at offset 38.
active =3D either 10 or = 14
inactive =3D=20 either 11 or 15
not sure of the difference, but if user = are=20 entered via computer management 10 is used, if via users and = passwords - 14. though the builtin administrator account can = be set=20 "inactive", it does not disabled it.

the sam file = keeps a log=20 of how many times each user has logged on and the total for = the=20 machine.
\sam\sam\domains\account\f at offset 10-17 is = the total=20 for the machine. numbers adding from the left in=20 hex.
\sam\sam\domains\account\user\(userno.)\f at offset = 42-43 is=20 the total for a user. also adding from the left.
when the = maximum=20 for a user is reached, the counter stops at ff,ff - for the = machine=20 it rolls back and continues from: 00,00,00,00,00,00,00,00 = but that=20 is a lot of logins!

the rxact key stands for = "registry=20 transaction package", unsure of purpose.
<structure of the security=20 file>

the following security file extracts were = taken from=20 a default setup of = nt5pro.
"329068152-152049171-854245398" is the=20 sidno. for my machine.
the security file forms the = following=20 registry structure (values in brackets)
parts=20 highlighted in red are entries not visible via regedit.exe = or=20 regedt32.exe unsure why. "unable=20 to display security information"
the=20 sam hive has five different permission levels:
p1: = 78,00,00,00=20 -> 00,00,00,78
p2: 78,01,00,00 -> = 00,00,01,78
p3:=20 88,1f,00,00 -> 00,00,1f,88
p4: 50,25,00,00 ->=20 00,00,25,50
p5: b0 2a 00 00 ->=20 = 00,00,2a,b0
###################################################= #############################
hkey_local_machine
+-hardware
+-sa= m
|-security=20 (p1)
| =    |-policy=20 (@)(p2)
|=20    |   |-accounts (@)(p2)
|    |  &nbs= p;|    |-s-1-1-0=20 (@)(p2)
|    |  &nbs= p;|    |    |-actsysac=20 (@)(p2)
|    |  &nbs= p;|    |    |-privilgs=20 (@)(p2)
|    |  &nbs= p;|    |    |-secdesc=20 (@)(p2)
|    |  &nbs= p;|    |    \-sid=20 (@)(p2)
|    |  &nbs= p;|    |-s-1-5-21-329068152-152049171-854245398-501=20 (@)(p3)
|    |  &nbs= p;|    |       &nb= sp;           &nbs= p;  |-actsysac=20 (@)(p3)
|    |  &nbs= p;|    |       &nb= sp;           &nbs= p;  |-secdesc=20 (@)(p3)
|    |  &nbs= p;|    |       &nb= sp;           &nbs= p;  |-sid=20 (@)(p3)
|    |  &nbs= p;|    |-S-1-5-32-544=20 (@)(p2)
|    |  &nbs= p;|    |=20      |-actsysac (@)(p2)
|    |  &nbs= p;|    |      |-privilg= s=20 (@)(p2)
|    |  &nbs= p;|    |      |-secdesc= =20 (@)(p2)
|    |  &nbs= p;|    |      \-sid=20 (@)(p2)
|    |  &nbs= p;|    |-s-1-5-32-545=20 (@)(p2)
|    |  &nbs= p;|    |=20      |-actsysac (@)(p2)
|    |  &nbs= p;|    |      |-privilg= s=20 (@)(p2)
|    |  &nbs= p;|    |      |-secdesc= =20 (@)(p2)
|    |  &nbs= p;|    |      \-sid=20 (@)(p2)
|    |  &nbs= p;|    |-s-1-5-32-547=20 (@)(p2)
|    |  &nbs= p;|    |=20      |-actsysac (@)(p2)
|    |  &nbs= p;|    |      |-privilg= s=20 (@)(p2)
|    |  &nbs= p;|    |      |-secdesc= =20 (@)(p2)
|    |  &nbs= p;|    |      \-sid=20 (@)(p2)
|    |  &nbs= p;|    |-s-1-5-32-551=20 (@)(p2)
|    |  &nbs= p;|          |-actsysac= =20 (@)(p2)
|    |  &nbs= p;|           |-pr= ivilgs=20 (@)(p2)
|    |  &nbs= p;|           |-se= cdesc=20 (@)(p2)
|    |  &nbs= p;|           |-si= d=20 (@)(p2)
|    |  &nbs= p;|-defquota=20 (@)(p2)
|    |  &nbs= p;|-domains=20 (@)(p2)
|    |  &nbs= p;|-polacdmn=20 (@)(p2)
|    |  &nbs= p;|-polacdms=20 (@)(p2)
|    |  &nbs= p;|-poladtev=20 (@)(p2)
|    |  &nbs= p;|-poladtfl=20 (@)(p2)
|    |  &nbs= p;|-poladtlg=20 (@)(p2)
|    |  &nbs= p;|-poldnddn=20 (@)(p4)
|    |  &nbs= p;|-poldndmg=20 (@)(p4)
|    |  &nbs= p;|-poldntrn=20 (@)(p4)
|    |  &nbs= p;|-polefdat=20 (@)(p2)
|    |  &nbs= p;|-polmod=20 (@)(p2)
|    |  &nbs= p;|-polprdmn=20 (@)(p4)
|    |  &nbs= p;|-polprdms=20 (@)(p4)
|    |  &nbs= p;|-polrevision=20 (@)(p2)
|    |  &nbs= p;|-polsecretencryptionkey=20 (@)(p2)
|    |  &nbs= p;|-polstate=20 (@)(p2)
|    |  &nbs= p;|-quabsmax=20 (@)(p2)
|    |  &nbs= p;|-quasmin=20 (@)(p2)
|    |  &nbs= p;|-secdesc=20 (@)(p2)
|    |  &nbs= p;|-secrets=20 (@)(p2)
|    |  &nbs= p;    |-defaultpassword=20 (@)(p2)
|    |  &nbs= p;    |       |-cu= pdtime=20 (@)(p2)
|    |  &nbs= p;    |       |-cu= rrval=20 (@)(p2)
|    |  &nbs= p;    |       |-ol= dval=20 (@)(p2)
|    |  &nbs= p;    |       |-ou= pdtime=20 (@)(p2)
|    |  &nbs= p;    |       \-se= cdesc=20 (@)(p2)
|    |  &nbs= p;    |-dpapi_system=20 (@)(p2)
|    |  &nbs= p;    |      |-cupdtime= =20 (@)(p2)
|    |  &nbs= p;    |      |-currval = (@)(p2)
|    |  &nbs= p;    |      |-oldval=20 (@)(p2)
|    |  &nbs= p;    |      |-oupdtime= =20 (@)(p2)
|    |  &nbs= p;    |      |-secdesc = (@)(p2)
|    |  &nbs= p;    |-sac (@)(p2)
|    |  &nbs= p;    |  |-cupdtime (@)(p2)
|    |  &nbs= p;    |  |-currval (@)(p2)
|    |  &nbs= p;    |  |-oldval (@)(p2)
|    |  &nbs= p;    |  |-oupdtime (@)(p2)
|    |  &nbs= p;    |  \-secdesc (@)(p2)
|  =20  |       |-sai (@)(p2)
|    |  &nbs= p;    |  |-cupdtime (@)(p2)
|    |  &nbs= p;    |  |-currval (@)(p2)
|    |  &nbs= p;    |  |-oldval (@)(p2)
|    |  &nbs= p;    |  |-oupdtime (@)(p2)
|    |  &nbs= p;    |  \-secdesc (@)(p2)
|    |  &nbs= p;    |-xatm:2d5e7345-baa0-4186-9da4-fda240db3287 (@)(p5)
|    |  &nbs= p;            = ;            =   |-cupdtime (@)(p5)
|    |  &nbs= p;            = ;            =   |-currval (@)(p5)
|    |  &nbs= p;            = ;            =   |-oldval (@)(p5)
|    |  &nbs= p;            = ;            =   |-oupdtime (@)(p5)
|    |  &nbs= p;            = ;            =   |-secdesc (@)(p5)
|    |-rxact=20 (@)(p2)
|    \-sam=20 <-this is a link folder to the sam=20 = hive
#################################################################= ###############
what=20 some parts appears to do:

\security\policy\accounts\ = holds=20 various security policy settings for users and=20 usergroups:

everyone s-1-1-0
authenticated users s-1-5-11
anonymous logon s-1-5-7
batch s-1-5-3
creator owner s-1-3-0
creator group s-1-3-1
dialup s-1-5-1
interactive s-1-5-4
network s-1-5-2
service s-1-5-6
system s-1-5-18
administrator s-1-5-21-(sid)-500
guest s-1-5-21-(sid)-501
administrators s-1-5-32-544
backup operators s-1-5-32-551
guests s-1-5-32-546
power users s-1-5-32-547
replicator s-1-5-32-552
users s-1-5-32-545

A
 workgroup
A
 computer name=20 folder=20 =

within these keys there are usually = about four=20 subkeys: actsysac, privilgs, secdesc and = sid.

actsysac: a=20 four byte value that gives details about logons. values for = one=20 option are listed. add for combinations. values are in hex. = deny=20 overrides allow.

00,00,00,00 - if none of the = following=20 settings - maynot be a key if so
01,00,00,00 - logon locally
02,00,00,00 - access = this=20 computer from the network
04,00,00,00 - logon on as a = batch=20 job
10,00,00,00 - logon as a service
80,00,00,00 - = deny access=20 to this computer from the network
00,01,00,00 - deny = logon as a=20 batch job
00,02,00,00 - deny logon as a = service
40,00,00,00 -=20 deny logon locally

privilgs: of=20 varible length from 19 bytes, it covers the remaining = options in=20 "user rights assignment" the first byte determines the = number of=20 privileges the user(group) has. the first privilege is = located at=20 offset 8 and then at c(12) intervals thereafter. the values = appear=20 to be in no particular order. space inbetween is filled with = 00,=20 which unless they are used for something is quite a waste of = data.=20 the entry is filled with 00 untill the end of that c=20 block.

07 - act as part of the operating system
06 = - add=20 workstations to domain
11 - backup files and = directories
17 -=20 bypass traverse checking
0c - change the system = time
0f -=20 create a pagefile
02 - create a token object
10 - = create=20 permanent shared objects
14 - debug programs
1b - = enable=20 computer and user accounts to be trusted for = delegation
18 -=20 force shutdown from a remote system
15 - generate = security=20 audits
05 - increase quotas
0e - increase scheduling=20 priority
0a - load and unload device drivers
04 - lock = pages=20 in memory
08 - manage auditing and security log
16 - = modify=20 firmware environment values
0d - profile single = process
0b -=20 profile system performance
19 - remove computer from = docking=20 station
03 - replace a process level token
12 - = restore file=20 and directories
13 - shut down the system
1a - = synchronize=20 directory service data
09 - take ownership of files or = other=20 objects

secdesc: unsure - almost matches the value in = security\policy\secdec\

sid: unsure, the last 4 bytes = is the=20 user(group) number - omitted in the everyone=20 group?

\security\policy\polacdmn\ holds the netbios = computer=20 name at offset 8 within the data of the @value. the name is = stored=20 in unicode. the first byte states the length (in bytes) that = the=20 name takes up, the maximum being 15. the real computer name = can be=20 longer however. it cannot contain any special characters and = must=20 contain at least one letter. the computer name and the = workgroup are=20 not allowed to be the same. however it has problems if the = computer=20 name is longer than 15, the name shortened for netbios and = then the=20 workgroup named the same as the first 15 of the computer = name. - the=20 specified workgroup name is=20 invalid

\security\policy\polefdat\ holds the efs file = encryption certificate as viewable in security = settings\public key=20 policies\encrypted data recovery=20 agents\administrator

\security\policy\polprdmn holds = the=20 workgroup name, same style as=20 polacdmn.

\security\policy\polsecretencryptionkey = i'll give=20 you one guess :-) holds an interesting 64 byte key, = mentioned later=20 in the article, strangely enough ;-)
<sam and security (and general = nt hives) -=20 ground zero>

the registry appears to be made up of = 7=20 different types of entries:
01. nk =3D (sub)keys (links = to the=20 following 4 types)
02. if =3D subkey list
03. xx =3D = value list=20 (links to type no. 6)
04. sk =3D permissions
05. xx = =3D class=20 info

06. vk =3D value (links to type no. 7 though = data can be=20 within the value)
07. xx =3D data

n.b: offsets are = read=20 backwards and 0x1000 needs to be added for the offset within = the=20 file, as offsets are relative to the start of entries -=20 = 0x1000
###############################################################= #################
key/subkeys=20 appear to have the following=20 = layout:

    0 1 2 3 4 = ;5 6 7 8 9 A B C D E F&= nbsp;     ASCII
00=20 A8FFFFFF6E6B2C000055EF85BA60C101 = =A8=FF=FF=FFnk,..U=EF=85=BA`=C1.
10=20 00000000F00300000100000000000000 = ....=F0...........
20 = F0010000FFFFFFFF00000000FFFFFFFF =F0...=FF=FF=FF=FF....=FF=FF=FF=FF
30 78000000FFFFFFFF0600000000000000=20 x...=FF=FF=FF=FF........
40=20 00000000000000000000000003000000 = ................
50 53414d0000000000       = ;          SAM.....
A
 specifying = the length of=20 the entry, see below
A
 some kind of = marker. all=20 keys seem to have this "nk"
A
 states the = keytype. 2c =3D=20 a root key. 20 =3D a subkey.
A
 timestamp - = see below for=20 details
A
 parent key = offset, what=20 the root key points to is unclear
A
 number of = subkeys within=20 key, unsure of maximum, if none - filled with=20 00000000
A
 (if)subkey = list offset,=20 if there are none this section is filled with=20 ffffffff
A
 number of = values within=20 key, unsure of maximum, if none - filled with=20 00000000
A
 values list = offset, if=20 there are none this section is filled with=20 ffffffff
A
 (sk)permissions=20 offset
A
 class entry = offset, if=20 there are none this section is filled with ffffffff=20
A
 keyname=20 length
A
 class length = (max =3D d0,07=20 -> 07,d0 =3D 2,000 - max class =3D = 1,000:unicode)
A
 keyname - = keys are stored=20 in acsii format. ignore surplus bytes, length is=20 stated

keys are 80 bytes (50h) in size. the name of = the key is=20 appended, adding to the length.

entry length:
the = first=20 four bytes specify the length of the entry. eg = a8,ff,ff,ff.
first=20 flip: a8,ff,ff,ff -> ff,ff,ff,a8
minus from: = ff,ff,ff,ff -=20 ff,ff,ff,a8 =3D 57
57 is how much data is set aside for = the entry.=20 (+1 for winhex selection size)

timestamp:
8 bytes are set aside. the timestamp = is to an=20 accuracy of 10 millionth of a second from the start of 1601, = possibly to create an unique id for each key. the timestamp = is set=20 at key creation and modified the key is renamed or if values = within=20 are added or changed. the timestamp will not change for any = subkey=20 changes.

98,96,80 =3D 10,000,000 =3D one = second
23,c3,46,00 =3D=20 600,000,000 =3D one minute
08,61,c4,68,00 =3D = 36,000,000,000 =3D one=20 hour
c9,2a,69,c0,00 =3D 864,000,000,000 =3D one=20 = day

date         time= =20       debug=20 = view           &nb= sp;     flipped=20 (real) view
01/01/1601 - 12:00 AM =3D = 00,00,00,00,00,00,00,00 ->=20 00,00,00,00,00,00,00,00
01/01/2000 - 12:00 AM =3D=20 00,40,6d,25,eb,53,bf,01 -> = 01,bf,53,eb,25,6d,40,00
01/01/2001=20 - 12:00 AM =3D 00,c0,9d,c8,85,73,c0,01 ->=20 01,c0,73,85,c8,9d,c0,00
01/01/2002 - 12:00 AM =3D=20 00,80,64,41,57,92,c1,01 ->=20 = 01,c1,92,57,41,64,80,00
##############################################= ##################################
subkey=20 = list:

    0 1 2 3 4 5=  6 7 8 9 A B C D E F&nb= sp;     ASCII
00=20 E8FFFFFF6C660200500A000030303030 =E8=FF=FF=FFlf..P...0000
10 B80E000030303030        &= nbsp;        =B8...0000
A
 specifying = the length of=20 the entry, as above
A
 some kind of = marker. all=20 subkey lists seem to have this "if"
A
 seems to = state the number=20 of subkeys, this information can be obtained from the = key=20 though
A
 subkey=20 offsets
A
 the first = four character=20 of the subkey, as viewable in the diagram there is no=20 "tilding" if this part is the same as other subkeys, a = quick=20 look at xp shows this part=20 removed.
################################################################= ################=20
values=20 = list:

    0 1 2 3 4 5=  6 7 8 9 A B C D E F&nb= sp;     ASCII
00=20 F0FFFFFF48040000200500005C51FEBF =F0=FF=FF=FFH... ...\Q=FE=BF
A
 specifying = the length of=20 the entry, as above
A
 offset to the = first=20 value
A
 offset to the = second=20 value, the last offset in the list is sometimes=20 duplicated.
A
 old data, = from before the=20 entry was created, ignore - obtain the number of = values from=20 the key
################################################################= ################
permissions:

    0 1&= nbsp;2 3 4 5 6 7 8 9 A B&nbs= p;C D E F      ASCII=20
00 58FFFFFF736BFFFF7801000078010000=20 X=FF=FF=FFsk=FF=FFx...x...
10=20 010000008C0000000100048070000000 ....=8C......=80p...
20=20 80000000000000001400000002005C00 =80.............\.
30=20 04000000000214003F000F0001010000 ........?.......
40=20 0000000512000000000218003F000F00 ............?...
50=20 01020000000000052000000020020000 ........ ... ...
60 = 00021400190002000101000000000001 ................
70=20 00000000000214001900020001010000 ................
80=20 000000050C0000000102000000000005 ................
90=20 20000000200200000101000000000005  ... ...........
A0 = = 1200000000000000         &nb= sp;      =20 ........
A
 specifying = the length of=20 the entry, as above
A
 some kind of = marker. all=20 security information entries seem to have this=20 "sk"

this=20 is going to be finished. first impressions show owner = information at=20 the end of the key and each user permissions=20 = inbetween.
###########################################################= #####################
class=20 = info:

    0 1 2 3 4 5=  6 7 8 9 A B C D E F&nb= sp;     ASCII=20
00 E8FFFFFF630066003300330064003500=20 =E8=FF=FF=FFc.f.3.3.d.5.
10 3400660000000000=20 =             &= nbsp;   4.f.....
A
 specifying = the length of=20 the entry, as above
A
 the = information - in=20 unicode. the length is stated in the key, ignore=20 surplus
################################################################= ################
values=20 - there seem to be 3 different layouts:

01. @values - = values=20 with no name that link to=20 = data:

    0 1 2 3 4 5=  6 7 8 9 A B C D E F&nb= sp;     ASCII
00=20 E8FFFFFF766B00004C000000B0130000 =E8=FF=FF=FFvk..L...=B0...
10 = 0000000000000000=20 =             &= nbsp;   ........=20

A
 specifying = the length of=20 the entry, see above
A
 some kind of = marker. all=20 values seem to have this "vk"
A
 states the = length of the=20 value name
A
 the length of = the data=20 entry - not including the 4bytes at the = beginning
A
 offset to the = data=20 entry
########################################
02. = @values -=20 values with no name that contain data (do not link to=20 = data):

    0 1 2 3 4 = 5 6 7 8 9 A B C D E F&n= bsp;     ASCII=20
00 E8FFFFFF766B00000400008020020000 =E8=FF=FF=FFvk.....=80 ...
10 0100000000000000       = ;         =20 ........
A
 specifying = the length of=20 the entry, see above
A
 some kind of = marker. all=20 values seem to have this "vk"
A
 states the = length of the=20 value name
A
 *seems* to be = the length=20 of the data
A
 marks the = start of the=20 data within the value, probably a key = type
A
 *seems to be = the data=20 within the value*
A
 value type, = see=20 table
########################################
03. = values with=20 names that link to=20 = data:

    0 1 2 3 4 5=  6 7 8 9 A B C D E F&nb= sp;     ASCII
00 E0FFFFFF766B030062EA000020400000 =E0=FF=FF=FFvk..b=EA.. @..
10 0100000001000000666F6F0000000000 = ........foo.....

A
 specifying = the length of=20 the entry, see above
A
 some kind of = marker. all=20 values seem to have this "vk"
A
 states the = length of the=20 value name
A
 the length of = the data=20 entry - not including the 4bytes at the = beginning
A
 offset to the = data=20 entry
A
 value type, = see=20 table
A
 value name, = ignore=20 surplus

value type:
debug regedt32.exe regedit.exe
01 reg_sz string
02 reg_expand_sz  
03 reg_binary binary
04 reg_dword dword
07 reg_multi_sz  
################################################################= ################
data:

    0 1 2&= nbsp;3 4 5 6 7 8 9 A B C&nbs= p;D E F      ASCII
00=20 B0FFFFFF010000000100000000000000=20 =B0=FF=FF=FF............
10 444B6C3BC155B2F4B73C9E4A5177DACD=20 DKl;=C1U=B2=F4=B7<=9EJQw=DA=CD
20=20 BABDB5A3ABE81D6D1A04E56A1CB8894D=20 =BA=BD=B5=A3=AB=E8.m..=E5j.=B8=89M
30=20 F826F262D7D701AE283EBE6B13A2D61F=20 =F8&=F2b=D7=D7.=AE(>=BEk.=A2=D6.
40=20 AEC1EE73583FF925A6AD751CA46AA708=20 =AE=C1=EEsX?=F9%=A6­u.=A4j=A7.

A
 specifying = the length of=20 the entry, as above
A
 the data - = right to the=20 end. if there are blocks missing your browser cannot = display=20 some special characters, the last one being &shy;=20 :-)
################################################################= ################=20
examples of hives:
click here for a = hexlevel=20 annotated sam file
click here = for a=20 hexlevel annotated security file
<security of the sam = file>

the=20 sam file appears to be "fairly" secure - however if physical = access=20 to the machine is possible it is not so secure. i believe = even=20 microsoft have admitted this.

the sam file is locked. = it is=20 not possible to delete/copy/move/rename it within windows = via=20 explorer. access to ram is also restricted if not in the=20 administrator group. disk hexeditors can only be used within = windows=20 if logged in with administrative privileges, else direct = disk access=20 is denied. administrative privileges are needed to = defragment a=20 volume. the sam file may need assembling if direct access of = the=20 disk is used. if the machine can be (re)booted from a = different=20 device eg, floppy or the hard disk removed and/or copied, = there are=20 possibilities.

if the sam file is deleted, windows = onboot=20 will simply recreate one - 1 administrator and 1 guest with = blank=20 passwords, guest disabled.

passwords are not stored = in the=20 sam file. password hashes are. this means that the password = has to=20 be hashed and then compared - passwords cannot be directly=20 extracted. once the hashes have been obtained, they can be = tested=20 with dictionary files or for all possible combinations. the = time=20 this takes depends on the complexity and length of the = password for=20 the account. to prevent simple dumping of the hashes from = the=20 registry, syskey.exe - sam lock tool was introduced into = service=20 pack >=3D3 for nt4. enabling syskey is a one way process, = once=20 enabled it cannot be disabled - according to microsoft. = service pack=20 3 did not automatically enable syskey, the administrator had = to set=20 it. in nt5+ it is enabled by default. syskey adds an extra = level of=20 encryption to the hashes.

syskey can work in three = different=20 ways: (only one way can be enabled at a time)
secureboot =3D=20 1 store startup=20 key locally stores a key=20 as part of the operating system, and no interaction is = required during system start
secureboot =3D=20 2 password=20 startup requires a=20 password to be entered during system = start
secureboot =3D=20 3 store startup=20 key on floppy disk requires a=20 floppy disk to be inserted during system=20 start

a=20 record of which option is enabled is recorded=20 = in:
hkey_local_machine\system\controlset001\control\lsa\secureboot=20 =3D x
this value does not determine the option selected=20 though.

if option 2 or 3 is chosen a prompt will = appear at=20 startup, just as the mouse appears. either the correct = floppy disk=20 needs to be in the drive or the correct password entered to = proceed=20 to the regular login. if option 3 is chosen a 16byte file = will be=20 saved to floppy disk by the name of "startkey.key" by = default 1 is=20 selected in nt5 and it is believed this is the most commonly = used=20 option.

although the passwords are encrypted once = again the=20 correct hashes can be obtained by the user via lsass.exe if = logged=20 on in the administrators group.
<obtaining the correct=20 hashes>

note: the c:\winnt\repair\ method has not = been=20 looked at yet.

it was found that there were two = methods of=20 going about=20 = this:
################################################################= ################
"method=20 one" - privilege escalation:

if access to a account = in=20 administrators groups is not available, raise the user level = of an=20 existing one. there maybe many to chose from, but assume = that there=20 is not. one account that is probably always available is the = builtin=20 guest.

the computer needs to be booted from a = different=20 device. either from a fd/cd (bios may need = altering/cracking) or=20 remove the disk and temporarily connect to another machine = to make=20 the changes. more stealthy is to dd the target disk and = carry out=20 the procedure on a similar machine elsewhere.

boot = from=20 either petter's linux disk or from dos. 4 nt5 (ntfs enabled) = setup=20 disks can be made - on setup select repair and then console = mode. rw=20 access to the disk is given but the administrators password = is=20 needed :-( sysinternals make ntfs boot disks, but the rw = version is=20 not free. petter's disk is sufficient - windowsonly users = read up on=20 "mount" btw cp =3D copy

(maybe done in different = order)
01.=20 make a copy of the sam and security hives, or note all = changes made=20
02. make a copy of the following files found in=20 c:\winnt\system32\config:
application log -=20 appevent.evt
security log - secevent.evt
system = log -=20 sysevent.evt
03. check the username, if it has an unknown = password set=20 one
04. activate the = guest or user=20 account
05. change the permission level to = administrator
06.=20 increase the number of administrators
07. check security policies, can = the user=20 logon? - change if not

login as guest/user and dump = the=20 correct hashes. reboot and restore all files to their = original state=20 and start testing the=20 = hashes.
##############################################################= ##################
"method=20 two" - export syskey:

the sys part of syskey does not = refer=20 to the hardware, thus it can be moved to another system. = this method=20 also requires booting from a different device, (see method = one) but=20 actual booting of the target disk is not needed which makes = this=20 method quicker - if a program did the procedure, and more=20 stealthy.

bootup and copy the following=20 information:

01. \sam\sam\domains\accounts\f - data = of
02.=20 \sam\sam\domains\account\users\000001f4(or userno.)\v - data = of
03. \security\policy\polsecretencryptionkey\@ - data = of
04.=20 \system\controlset001\control\lsa\data\ - class of
05.=20 \system\controlset001\control\lsa\gbg\ - class of
06.=20 \system\controlset001\control\lsa\jd\ - class of
07.=20 \system\controlset001\control\lsa\skew1\ - class = of

restore=20 target system its original state. on a second system - (this = was=20 tested on a default install of nt5) enable the guest account = and=20 raise the privileges to administrator. reboot from a floppy = disk or=20 second partition and write in the obtained information. not = all the=20 data needs to be written in. 01 is a 48 byte key, roughly in = the=20 middle or end (depending on the system) quite obvious on = sight. 02 -=20 only the hashes towards the end, about 36 bytes. 03 - the = last 64=20 bytes and the class info is only 16 bytes each. reboot and = login as=20 guest - no password, and dump the correct hashes. seems to = work=20 across different oses too. a desktop install of xppro was=20 successfully exported to a laptop install of 2000 - nt4=20 untested.
testing the = hashes

wordlists are very=20 effective on weak passwords. a 3.39mb file contains 349,900 = words=20 and common passwords. all these can be checked in seconds. = lc3 can=20 run hybrid tests. using the wordlist, combinations of = numbers and=20 special are appended to the end of each tested word. this is = also=20 very effective. an improvement here would to test also for = "letters=20 like numbers" example: 0=3Do 1=3Dl 3=3De = 5=3Ds

passwords that are=20 "completely random" can take more time.

there are two = different 16 byte hashes generated from the password. the = lan=20 manager (lanman or lm) hash and the nt hash. the lm hash is = des=20 (data encryption standard) and the nt hash is md4 (message = digest).=20 the method of lm hashing is not that secure. letters are = converted=20 into uppercase, reducing letter combinations by 26. the = password is=20 then split into two sets of 7 and hashed _independently_ of = each=20 other. programs test the des hash first, then test nt hash = for the=20 correct case. the latter part takes very little = time.

the=20 same passwords create the same hashes from whatever machine = they are=20 extracted from, thus a database *could* be formed of all = possible=20 hashes. the advantages of this would be pretty much instant=20 passwords every time using minimal processor power, the main = disadvantage is space. such a database would be huge - = hundreds+ of=20 terabytes in size.

test os: default install of = windows 2000=20 pro (no other programs installed/running)
software: = Advanced NT=20 Security Explorer 2.00 (priority set to high)
machine: 1x = amd=20 athlon @ 1ghz, performance test determines approx: 445 = megaflops=20 (for comparison with supercomputers)

order of testing = -->
|=20 =        letters    =        |=20 numbers  |=20 =            special=             &= nbsp;|
 ABCDEFGHIJKLMNOPQRSTUVWXYZ=20 0123456789 = !@#$%^&*()_+-=3D<>,./?[]{}~:;`'|"\
note that=20 the "space" is not included in the special character=20 range.

in this benchmark all keys on a uk keyboard = are tested=20 for (euro sign not included)
<special>=20 = !"#$%&'()*+,-./:;<=3D>?@[\]^_`{|}~=A3=AC</special> - = total=20 of 35 instead of 32. this has been done via a custom = charset. while=20 the times are greatly increased, the special character set = probably=20 could be shorten due to human nature. people are more likely = to use:=20 <common> !#$*.?@_</common> just 9.

the = times are=20 the maximum - all combinations up to and including that = length. most=20 of the tests have only been carried out once. a few were = double=20 checked but it was found that the times only varied by a few = seconds. passwords >=3D15 characters in length cannot be = tested via=20 antexp.exe

when the test is carried out, you have to = specify=20 the level of complexity at the beginning. an improvement = here would=20 be to test progressively. first test letters only, then test = combinations with letters _and_ numbers, as just letters = have=20 already been tested. special character could also be tested=20 progressively, many people would probably only use one or = two=20 special characters. once letters and numbers have been = tested for=20 that length add in each special character individually - = then=20 increase the number of special characters to test for the = remaining=20 combinations.

letters only:
length permutations 1x amd=20 athlon @ 1 ghz
01 26 very short=20 time
02 676 very short=20 time
03 17,576 very short=20 time
04 456,976 very short time
05 11,881,376 04=20 seconds
06 308,915,776 02 minutes 19=20 seconds
07 8,031,810,176 01 hour 06=20 minutes 08 seconds
08 208,827,064,576 01 hour 06=20 minutes 05 seconds
09 5,429,503,678,976 01 hour 06=20 minutes 02 seconds
10 141,167,095,653,376 01 hour 06=20 minutes 05 seconds
11 3,670,344,486,987,776 01 hour 06=20 minutes 03 seconds
12 95,428,956,661,682,176 01 hour 06=20 minutes 05 seconds
13 2,481,152,873,203,736,576 01 hour 06=20 minutes 12 seconds
14 64,509,974,703,297,150,976 01 hour 10=20 minutes 14 = seconds

letters and numbers:
length permutations 1x amd=20 athlon @ 1 ghz
01 36 very short=20 time
02 1,296 very short=20 time
03 46,656 very short=20 time
04 1,679,616 very short=20 time
05 60,466,176 24=20 seconds
06 2,176,782,336 16 minutes 18=20 seconds
07 78,364,164,096 10 hours 41=20 minutes 57 seconds
08 2,821,109,907,456 10 hours 41=20 minutes 38 seconds
09 101,559,956,668,416 10 hours 41=20 minutes 48 seconds
10 3,656,158,440,062,976 10 hours 42=20 minutes 43 seconds
11 131,621,703,842,267,136 10 hours 41=20 minutes 48 seconds
12 4,738,381,338,321,616,896 10 hours 43=20 minutes 04 seconds
13 170,581,728,179,578,208,256 10 hours 44=20 minutes 33 seconds
14 6,140,942,214,464,815,497,216 11 hours 22=20 minutes 48 = seconds

letters, numbers and (uk)special = characters:
length permutations 1x amd=20 athlon @ 1 ghz
01 71 very short=20 time
02 5,041 very short=20 time
03 357,911 very short=20 time
04 25,411,681 09=20 seconds
05 1,804,229,351 12 minutes 27=20 seconds
06 128,100,283,921 16 hours 20=20 minutes 47 seconds
07 9,095,120,158,391 approx: 52=20 days, not fully = tested

now you can see why hashing two = sections=20 independently makes slightly longer passwords no more = secure. where=20 does your password fit into and when was the last time you = changed=20 it? remember this is only one standard machine.

nt = has=20 unicode support. not only control and extended characters be = used,=20 but all the second byte combinations of unicode. antexp.exe = don't=20 seem to be able to correctly recover passwords of this = nature. many=20 cannot be tested for even if entered into the custom = character set.=20 for 0-255 a 7 character length password has: = 72,057,594,037,927,936=20 combinations. for 0-65535 a 7 character length password has: = 5,192,296,858,534,827,628,530,496,329,220,100 combinations.=20 (lowercase included) lightbased processor anyone? although = the ime=20 is disabled when entering passwords, letters can be entered = via the=20 alt+numpad (alt+fn+numpad on laptops) method.
<possible sam file=20 improvements>

make the sam hive smaller, fully = encrypt it=20 using properly implemented "strong" encryption algorithms = and=20 include checksums for critical sections. remove = "security=3D1" style=20 settings. remove old lanman hashes (service pack 2 does = cover this)=20 - release a update for existing networked windows boxes. = sign the=20 encryption with hardware codes and = have a secure=20 resign option for upgrades or use product keys - = there=20 suppose to be unique are they not?.

this has not been = properly researched: improve the file encryption on ntfs, = doesn't=20 the builtin administrator account have access to all efs = data? this=20 offers no protection against stolen computers, especially=20 laptops.
written by NullAck - who will _not_ reply to = questions on how=20 to do it - rtfm!!
however comments, errors = and ideas are welcomed - not network=20 stuff.

network stuff is being headed up by another = member of=20 neworder and should be available soon. contact V1C3

=

------=_NextPart_000_0035_01C3FA1F.21FD89A0 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://neworder.box.sk/order3.jpg /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAIBAQIBAQICAgICAgICAwUDAwMDAwYEBAMFBwYHBwcG BwcICQsJCAgKCAcHCg0KCgsMDAwMBwkODw0MDgsMDAz/2wBDAQICAgMDAwYDAwYMCAcIDAwMDAwM DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wgARCAA6AMEDASIA AhEBAxEB/8QAHQAAAgICAwEAAAAAAAAAAAAAAAgHCQUGAQMEAv/EABoBAQADAQEBAAAAAAAAAAAA AAABBQYEAgP/2gAMAwEAAhADEAAAAUDA8+QAAAAAAMvkJopc8uBlMXb3oB7+gAAAAAAAADlTeVjE 3bsK2Wi11mnD9e4r39L0rnx1+wZKGtbz+WmKD5I8/ZYR8WIrdoNSv8lsC4MzUtrbHbJEKaWO15mO H7hgWsAstkSO5EmVRYRe5wJRr+sAQQduZ1rmk76srU6zaLNQKd/Rd6MnqGp0zuTtCqKtlpF0Wstm 9Pk2X16QN8kNeUz1Y9h1dRanWlZRTiY0CIknIRMG3+PXAYCAvgJBlxYvrk4W61VcOaehn7ARBzJh u9cvrn5XXWDR+LC1lrb1wLrQ7ZmY6BlVr4BgYD6gAD//xAArEAABAwQBAwIGAwEAAAAAAAAFBAYH AQIDCAASEzcUFhAVMDY4QBEgJzX/2gAIAQEAAQUC+nnCZ0439drg/nC1SksVJTAy8Qu/VRpL1ykS NsEouOgJ83Q1p01+LIiM9IqJ2NJcyDf9tb4NCSk1QGsrI9zz7GeCLX1rrAuGVa59aWK5eP8AZiiP 3aP1ybheGYx1hAOuMoW1vBPKPQYjAIymnhnW5aFVVKtx433ZnqC7GZFpyGINieYlSRIq181xQSM2 4ZjwZHOPa3zRAet9snDDGo7bPiDArMCKsLUwK7WNOEJJojbvNJ/sFj/kPuj5E01p/lGB0NCP3hs0 4UDnlDXhR7g1/Ygr28zAo72TFrky3Ym38aUotAillBDEliWl0tF9UPDUF/ce1vmjWe2lsLs9c248 xTorTr5bha7oiOcZmWykW5pP9gsf8h90fImlxjDnj5iMZWLlHaMkmIy9pcT9THTqcvoJVmVZ6GL1 o2hMOpTXo8/A4rIXWZsdMKTPT+YwrTprqbfS6HIgbywIb2t80atkcS+G4ajm1JybMiXLK0OeHDP/ AGOMuWz8fIEU3uYc4Hk+yj/INd3EWWTJbOvImgyZLs2Rkyicj3Fhfh8sTNSWecw6y6220iLSlLbW SgpejS4EGLLTrsrNzkqMeDf9NyNZwOxXgT7WPBOqer0XP9wR9KpqMlTi2udjhGVr1VA7MOltgc+a qnP9DrrzuXc7t3O9fzv3879/PU5OepycuU5L6fR//8QAKhEAAQIEAgoDAQAAAAAAAAAAAwECAAQF ERIhBhQgMDEyQWFx4SNRgfD/2gAIAQMBAT8B2apXEljNE3P7gZGkaj2cF3dSndVDj69PMM0bmTfK Z1lWKSQsmXUZnryru65MNGcKv4It4RUVLpGkh24xsTmTOEXLczwCFajRvwxM0Mh1uU1/z3AqRMCb hGdUT+7w7R1VdiUufj3AJaYYZr3Fvbt72v/EACgRAAECAwcDBQAAAAAAAAAAAAMBAgAFEgQRITAx QeEUIIEjUWGh8P/aAAgBAgEBPwHtmE1QBEG3H3hj0e1HN0XLt1q6cVe+0Nkhy+oR1yrEueSyk6Q+ +mXNjNYYVWiLCKipekTwra2MTVIRcMm1ieRtLHUweUvLiQl/jmBy0w0pYZUT98w6SrfUpPrmBAO0 rXKS/wAc93//xAA9EAABAwMBBAYGBwgDAAAAAAABAgMEAAUREhMUITEiMkFRYZEGECNxc7IgMDN0 dYGSQEJDobPBw9FSY7H/2gAIAQEABj8C+rblKT7NZ8v2jKh7Fvirx8KUyodBQxilNK7Oqe8fsyGm xlSzikso7OZ7z6uiPbN8U+PhWDzH0HpFphiS0wvZrOsJwcZ7act9xa2MpoAqTqzz4/TnS7nvW2jy tinZO6RjQk/3q5wi6/NfjBBMYvEGMlSeGcc88aMKItxUN9sPNa+JSD2VJn3F11u2xF7LQ3wU8vGc Z7uVTYEDbMTbeQ28pp4qUyojIyDwqZaZJC1xV4CxyWnsNC+Mb7vy7cZCfbdHaae731brnL33fpkc unS9hPM44eVN3O6iZvK3HOo7pGEnFS5HJGtWjP7qM8KKWFFpocsczWd4e/WaSxKOQrgF1vTY6Dh6 fgaZlNXC670/GDqUlTejWU5/48s1aYrDz0h6RHLj618irPZ3Cl3e7PyNitwtstMnTy5kmrxEtVw3 5hUoaklQUuOoJ4oVip/wmvkFKutzkPRreF6G0Ndd7HPieQp9VguT6ZLClN5Lodb1jmlXdUmFJTok RXFNOJ7iDirdc3bhdUPzI4dKEKRpB/TVmUH3n501S9uSegnGMAeq6/iH+NFenHwIf9IVA+5D5lU/ +IOfIir2ty8tM3C4PJXLacXnZqCcd3dTsu3SG5LCo7Y1o5E4qOyelpbejHzP+6tMBWErjxUN48Qn jUls9HdGZDh81qo/9igD9BraDO0aTnyqM+RqEaCleO/CKakzGY7AjJKGktA9XPbUP4zvzV6b/jCv lqf8Jr5BVox2hfzGp8UX6EpUma5KcDjyQUKVzT/Kr49FcbeYdf1JWg5SroirEe6Gk1sH2I7EW3vL DARnV3cT+Xquv4h/jRXpx8CH/SFQPuQ+ZVToQWN4jzS4pPbpUlOD/I16X3GZGRutydaVGWcHXhPG poi6NEZtDKtHLUBxqfFJ4xpxPuCkJ/0a9F7fnhLbklX6Rir0rONcct/q6P8Aelsdqhw99KbcSUqT 6ktoHD949woIHJIwKV+Gf46weYqJg9V93PnXpa5KjrYRNupdZKv4idPMVP8AhNfIKtyW1AqjqW2s dx1V6RLvFojlci6urZMhlKypHDiM9lXzcktJjJklCA2AEcOBxjxFWT7iKlfGV/76nY1pnGKy85tV p0A5VjHb7qm3Rq4lM64hCX3NmnphIwmm5V1k7y+0jZpVpAwPyoTLZLdiSBw1IPMdx76MdVzDYIwV NNJQvzoqUSpSjkk8zT6LRNMVMkguDSDqI99Q7tOuOu5RU+xXhI2YPZS4c+47aM51kaUjNYyK9slK sdvbWcuHw11oaShCfD1bjt4u7bLY42Izpxit6bHRPX8PGnWbc4wuM8dRZfRqRnvFSHd7jK3hWdKm AUo8E91OXO4qbVKdASooTpHAYpblqlbNL32jSxqbX+VLi7SHCS6NKlxmilZHvJNZPEmo9tjPRBGi t7JAVHBOKW4rrOEqP1PM11j511leddZXnXXV5111edfaL86+0X51grWR7/qv/8QAKBABAAIBAwIF BAMAAAAAAAAAAQARITFBURBhcYGRofEwscHwIEDR/9oACAEBAAE/IfpowKXcbL4/2GtWu+yAxt/w JlPMvQn+tiaIgmGN7289DdLXfdDqCJSO38DACRecGXEOOZoqCmTGn8zjae6Ula2pUU7aApUsrdhI NpLdsRvvSawsUwuKLgA2rOZdUyDFyVYRlBkyUrJ+JUAbc8qbs0ppKuahRrg00qKklKq2jFdmF3EN 9prVzVR9DVod9ZS18CJs5Y95R7YT1POM1BtUQN+TnSMOGYp0xD7kKVArfcw76BCaoCLojdo6GvTo 3kp4PqUIDjS3OkJvx4X0WtsOOItHm05HqQqhiLTQttecobL1gIYbXq69PdupN1AYtZuMZRAAAMND ESeb6CEhZsKeAh6CEMQ/MEDWF29/gqV+5VnGv46jTNZTi72IjRf7G/iA+BopWyVt6UfpuHRpWoLT W7JwzI/zBe0Vpy7u2omubhv6OejABDwtFyZz4A6e7dSbqybK3QdHFlNNBkVstSnEWp0mAYjHC1Mx Ak/QXCiKA98fejK4s8RuL2UUjVh8DJHgPSPRymd7cjJx/CMSpGrF1CsCQeBQU2ZH9ClYXldOghNc 5NNPkktW66XBA5N+8ps+uqlTCrNJ+h4Z+l59KWhhhi2DsJeeyRVYqooNo6K4GSrWBusK1uwcRoOz LSHqg8BZ5Rh5nrR1VgpJpngNDyxRTRZOICpaJopgGzQ7QoMfeAh7Reh5y/D8hX2gsy23QGLJ+GEs b5qYOySbovnL0WnAiPgwKtDECUBshOFw11MHaYNWcLdFe/czL/6qQa1ReVR3RRaurDZ9Ec8u8rha p5W36IP+nSQeknySfKp87nzufO4hWNRaP0v/2gAMAwEAAgADAAAAEAAAAAGAwAAAAAAwzx2RAwxL zywA/Mw8CLKs6IGAAMANOi2NU0MEAP/EACIRAQACAQMEAwEAAAAAAAAAAAEAESExQVEQIGGBcZHw wf/aAAgBAwEBPxDtLXBvxODzv9cxirCx8PfUqJKhqS3gcrT0b/W8DQ5aNrnn8zYZlsPIPnjZ+SVA lRJXQm8dJtNKwL4sz6qGnsdGWfyOGoYr7/kuF61CGsY6dL663Taha1puVDDEcw8IoDHrZLJlZtsw 004I6hqz81Jfb//EACIRAQACAQMFAAMAAAAAAAAAAAEAESExQVEQIGFxkaGxwf/aAAgBAgEBPxDt FzBvxODzv85jxWFj31KiSoaUtYHKwRFlI2ueZsAye3kPf79yoEqJK6E3jpNoqbw+rM/iGEsZaXNf rSvv8lguENYx06X1Palbi3Gm5UTGo5h4CAEIuFd2DBgYp1DtF9v/xAApEAEAAgICAQMDBAMBAAAA AAABESEAMUFRYXGBkRAg8DBAobHB0eHx/9oACAEBAAE/EP03qiBDpeMWj0O/3AiUyJTml88+DFl8 iQQQR1FR1GGMqq0uj+nyP7ZeBw8HKvgJX0xbRocK2/mo+gXIsWzyPTx5jH8IAhRSP2KaObxCALYs 7wk7VM9ZVSh397f5jQxZnazqOsKQlcZnOHWUFibSnb5UMIRaCuImW8GysFSSBm5CSQS3GyWbk3ZL AeSR07gDEsFOh1FwycZN25Ma19s21WFmEqkTkxCklm+8MzVRzBfe5nJRGUd3nJFLzWK+4jh/Anow 1AmSWPhcCU55DqDij3xgaTw6f+vLz64vl0CSOiAcu05AnBHKoSCwFUAquLS5ea1Q2iBpVZAjwXXC QhAhKQBGJcVQR4cRzsEsJCFJX32HzwEStoFIq1icRl/LESXziFndwmuJBtPnC0sQ0GMdosqlgID7 ASZ8zgFCxvFrBt7PWFkCtuJyVJWYAsox75X/AGYyomUFIWB6yvrgFIcUVnpC+GIbELhKVfKD3+qE iiWJxkbxNkqevrL84dZAUmN9/wC2SjSAFkgnRIB4zzPN6vqI1apcaJJ185Q/5JJSgwXe8FZOToHy B4nc5/G/oJjYVVhjUCQOhPP2gkz6V9kkjh2VIdmMDlLWjFMhKQsdmOGhOAFomQ8icYyUxztgfP8A fJVRNgb9Oo/qmR6F+iAD3wCQLSbgnyfDiBinx7nY8P0pc6DvWr30d494MNwADzRjHFQAcuX0MUEI nGC24vKw+YTA5E+DiWW1gex6+iqRyJGEZwqvRMjAjvcmEMhDC6dqMaoh4APAod/YKrsHxIet1FWC qw2aXUGJ1EUJi8Pvl7iWIGxL3kl0SEplTKehMba9bYR3CHcHFP4DbKhaqqrucLd6dAnQQCu8vIqw MoIllmTxxjxTKGPMg0h3ig50OD06CPpxcZCJWfiNB/nLQZKArtdr5c2x/JhqQuIf+5d44dXNc9EO nT59coV5auU3xEwDBIxiciZ/ni6bS1VVXHGnjAIaihPeTPkVrCUSApIQqcjUigRAWNFsrzj3wLSj ary4V6iASAtqHeP8hQgXQHFr+gMOKSGnSz/3Wacei/3lX53zgWg/LvPwz/OUfhfOAMkn5c5VV31c Bf0v/9k= ------=_NextPart_000_0035_01C3FA1F.21FD89A0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://neworder.box.sk/langfi.gif R0lGODlh1QE8AMQAAP////Dw9tjY2MzMzLCw0JmZmYCAs4CAgGZmZkBAjExMTCgoKBgYdxISEgAA ZgAAAP4BAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C05F VFNDQVBFMi4wAwEAAAAh+QQECgD/ACwAAAAA1QE8AAAF/+AjjmRpnmiqrmzrvnAsz3Rt33iu73zv /8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter/gsHhMLpvP6LR6zW673/C4fE6v2+/4vH7P7/v/ gIGCg4SFOQoKJAsHIgcNJIgjCgeUjyKRIouUiYadnp8vBQWQASICnCKiqQMCrQGWqg8KrK6ooLe4 nwUCJAIDIgGMIwAIsgCoA6UPuyIAoyIIAJa51NWABcKNyqe9o7OKrw8Njw28kNbo6XrMIwLKwSTO xiQHACby6vn6da3LpQX2HgAA4C6AQV71SCAIsKCEggADAEDcR7FiGlYLAhyL2GzAAgUIFAD4FU2h tBMNDtYg4GixpUsvyUYCNNis2IgAo0pKCpiiwbGXQINWEfVrmS9TtgQwUmDuUlMR5aaVsyW0qlUk sxqKG/DsQFJOXBeIjUWigEexB4qeECv2qtu3NwTYvBTw5wh2DTQOfGYi4kBlJ0T+hUu4sOHDiBMr Xsy4sePHkCNLnky5suXLmDNr3sy5s+fPoEOLHk26tOnTqFOrXs26tevXsGPLnk27tu3buHPr3s27 t+/fwIMLH068uPHjyJMrX868ufPn0KNLn069uvXr2LNr3869u/fv4MOLH0++fPIQACH5BAUKABAA LEEACwBJAAsAAAX/4II8JHmUD3IcI7qsh1KK6HPay7MoCtzUKlZtiFIIXILfoyBoNkuKgTMgexiR P4HMKG0GlEvnkzhUAFCHAKnwLQUGJEChhAD8zDN5/GSuPgZqS20kb2Q1US5tDWA2ag1HRSSIJANw azmTJAttBTeafoZWZyUHo0MAgQA5ZQAybGAAfKY2o0yhhqUBAqgBAaubu71nC6pEucFzcSOlKAi+ D08FvLOGdQoiCNJ3sQoIRmcNxUN1Ddi6yimz5H9HIgoB1GR1RaOVKGwP4Yx06qNU6fQoWVoT6NYV KJAKJFsD5xGYR1sgSYKkxYpEi2sWLhkYqgHHSY8QLNgxIFmBASNfL1jyWMRSRZZQVgoQSVKji5QN 0iRaZQaAT2klBvhERaqgjmexGu2UNFROPEJDD4QAACH5BAUKABAALIUACwAyAAsAAAXI4NE85KMo 5XKsKHmWj0qK69HCOCzcT1G4A4Ew0PLBFAGSIDj85Z6BAwyAIAGcDwRgVBDoBqSAl9SgPnM73a8x LhF70tIh+UiXBNhzuL0wPwALKQAoXTp0YoJVeiUNYgGPYDGAjFF1bT0AVgACjwGRizALjzdlgWRm QTADmX8FCwV+oDgAnw9lIyWDDwO1BXR+AayyajBsuLZpRiUFkXa7ecN4OMwL1QeRbAjVCgNONiUK zjjV1VOXJKsAAHQu6uqwVjwH56fuCiEAIfkEBQoAEAAssQALAE8ACwAABf/ggyxHqTwoqpRHkx6r iZzPkaJjGrdvw9Io202xuBlTDcFAwAwAC8um66FkCgKDwiM5RQ1oUGtgWm1qt4Lu43tsA84igEsB AA4CRoAgX0Qt5A90dngPAXsoDQAIKAB9DwCEbTdJRk6BAzcLYzcDQoiHKZYKmCmaLgJAVFqUKAWR kjeNpXWBADcHtjdYfLMndLe5hrOLj1oKlrCZsogBNriGkAEBjoVwD39FdQ3NNbk404960rvXkAPm yZPLW4pxRAgznigB1okLBXp/iwjecS5v99oh0nYAwbl0A9XQ4pcOAKmBARRBWtjv1yNiEZEAGphK EhckqAKBEmlEQD2TJ5JGhFQwkiWKkF7OfPzUUVKBLjOzLNhZwJoqIz1fpIm5894ZGDpg3gSpJlPR PyWFbANA1eejkZqMdGJG9U0KWkLLRW1Dh2qAEAAh+QQFHgAQACz7AAsARQALAAAF/+CCKEdJPuiD lEiqLuWhuA9ZNumBp8qMwiaakCcYCI4Bwa5wbKIaxWbA9ygYkTsBtVpAKa6C6XD8OAAWrkJg9wgM UIAuCgHAKQDUQQAVOLgALQ9xKXRsZEQ0BX45e1A0Yg9oKQtrD1ouAnKSKZCHjJtVAph7gpsLeEMC AHyiP4BDZoaedzRHaaunmw19KUYAAcBou2HAbzS/AXKePKsuRs6rDWcp0oFxIggFdZPAWykAA7LL hc7GKGoP0oaodC60f+Yu1ctCCkppylVvUGxQM/buWqXIRK9gjXvUBCBYsOCLjwIKGMIwN6CARCu1 8rkANUbiJjMc7wAYueiUqpGknhAEGBknACgAAjcCWDRG5K8QACH5BAUKABAALBEAFAAvAREAAAWO ICSOZGmeaKqubOu+cCzPdG3f96M/eO//wKBwSCy2dkijcslsOp/QqHRKrVqv2Kx2y+16v+CweIQ4 HBDjtHq9LQjeb7Z8TjcWAo1RYFDv+/8xDXkjBwGAh4iJJwB8io6PcwUAAXiQlpdhkgqYnJ1aAwCe oqOkpaaQDQsrC6wLg6ewsScCoSoBALgHsruxIQAh+QQFCgAQACwbABoAHgALAAAFXODzHKQingp5 NGfris0gzEFxFjLNvm8gnA0A4qEAmESDAO+1cAlsj+ZpEdgteQshTwC48gLggasIPnpb5VcRenYB xC8EwNqu25n0lvTaWPj3AD8vBwB7PAUAiQIhACH5BAUKABAALC4AGgBFAAsAAAXS4PMgx4GI6FIe Cioqa+M+a+uqpY3CpTz/qIJgONwNiAFd4TgM+BpMQaBgRCqjTuCvkBUFBiIAVYQAyBQA3SDgFaAa gNNDjCqf06i1dtbwiQ5sDwszSSKDKVmHKAJjil42jgtde0AAYD8HZkACAEALcUCZfi6clFsAAZNh qWM7qIUuqV8/r60vrzqmIgV4tAOjt7YoqbkolsAPaMK6DwOdP3ByM3aVl3ygP9TM29zd3qYNjjd7 4inIhuTgC+uKpT+fB6EA5XNu7wDxmPOUvAAAAiEAACH5BAUKABAALGgAGgAVAAsAAAU34PMcpCKe aPo0g+AGhSo/gXA2ADKnSyrEu9kiF1QFjoOiMWBSpgBJp1S5aBQX2N4JYNvhAGBFCAAh+QQFCgAQ ACxyABoAFAALAAAFOOCzHKTynGiaKoPgBqYqP0CBIkAzq4sK78BDDigDBAI2ogow0ClTDQDiSaX2 lIvsdQE4EBWAcCAEACH5BAUKABAALHsAGgBiAAsAAAX/4PMgx4GI6FMeSvosa5uSpquWMqqsjUuf KRjOtSv1bMhHQcBkohqDZqCgizIDuWVT8LQKpqiCN3BUbrkixTg7LidFBTIqMBAF0I8GAAigihAA PXFldHZ4eicKADkDAXBydnUPfSiAPYqMjm9PbgeaCy4CfqApWHmdn6GjQXINqCKkczKxL5CbNgCS Lgt7SAeBSLlIvEChAEnCNr9uKALHtykFAAG2dtS6KNNg0drM1IUpitQ5cN0u2n462uTQ0uzW75MD zEqLSOM2iunc8bn0+tBsDHiGC9uTXgIJnjP4B1hCJIiQWApIsaLFixgzpmhAKwg9WEk4Jlnw8UXI jihQJaa8xXGBy2YKUwDAEwTAASTOkNFE8UtlThu8bioDoDIMgKMCQgAAIfkEBZYAEAAs0gAaABUA CwAABTng8yDHgYhoqoqF4Lpr/BRBgwaDrDY2egS6ICAXVBUAgVrRCFAsVwPAc/psLIqL7KL3EEiD AYD4EAIAIfkEBcgAEAAsEQALAJwBGwAABf/gI45kaZ5oqq5s675wLM90bd94ru987//AoHBILBqP yKRyyWw6n9CodEqtWq/YrHbL7Xq/4LB4TC6bz+i0es1uu9/wuHxOr9vv+Lx+z+/74wIBCgECAIYB CAEAIwADBwCFh4kCIgsACicIAAcijwqFkZsxBZCGjSWWnCaaqp6gpgcDAAsrqZmiD4+UD6mkoQOs lbglwSunLr6mAyWPKLK0IwuEpoIlxyWDuyPJhsskvaXdzJevhqov3Ncq6cDD1t4rzSek0C+B9gGK oQAFiozT+/rtkrbIRKBW+fSZIuWiQalQhDBV8mcwAMJ84fgBCFAPBcETBztBmviQWkheFEv/nFSx sSMKh+U2CpCYK9+JltsULgxAAiczQiNgZowYTSHEmSMOJMzIsIXQozRNPDVpEYVPFUp5mrjqYiUL pC8aCNDGTEABEwXgPRhwtmzbeALOdUpL4gDZbWpJFAD7wu48eJ/ekgiMwi/avCg+NWBhV24uuiMG CEBgUPBYtHwVm9DcKS4zyJ1NHAC9VnBn04U91yVd1jELziskU9Zrdgbf2FVfWCpYwuHGvIGgTbrJ O4VvkBxFHK/oUkQh1yqWq0yea6Ro670NIW9uQhF3EtJJBBeRSNFsRrwHBEAtTZt30bnDjxj/QL5z 6sO3Fn+pnfkJ+yy8t0J5AJy3Xn8wqAfd/1+LwVCbVHFJ1iB5YH0S1TYCTPiSasSAJRZ0CNw2Qoga svBhJh6KWImK9XFIQogXgoQahCBWONlltDWYVonK1fMgNmwp5+KIKdYokYXzZLjCiSd8x6SDM252 4y6B7cXjCjsi485r6lmlkZLOzSKCAtj1tJ+XIIkpAoLiqVnCAI7EwOZ8asaCWC5wommQmykIyNKZ DxQCDZmB8GPmNlue4GdSw8wZZj2OBqomocS1EKkxgK6waGKQKFIAmZtcuk6iLx3wXQoKnEcMJwgo UI8Cch0QYy6qpoAAdLC+iOuCCrgaw60n5FrJArMSO+sDwG62IDbL6hpsrJjIWtd5DZj6Gv90C1hL 3q7OYiNsJ7MeUCsKt447oLgxfBtPtL1Ki24M1Z6qkgAKdlMNf1qhAlQDpLTVD0Iz5iMvSneJ8O9E BT9wsAmyHOsRUMgaqnBuZM6oyYztqecLIQuzBGYKGR8YiFm5KXWWAg2LILBzYNmrFG+Q8BjiQIRo 3CnJqoS8sVkTmqwodSvQKzLEKgi9szEfp+Azyses7CCLINEblyKSOfzARk0G4A2h0Zac25t8Zn2n UjlrfQLZ81wCgzTLVAtJ16pUHKzE+koWFyRjoY00C2znjffUCKlCijfPsCwR1VPDnHA2E9mtS965 9X33WKbpDfbAGD4el8MNOP733ozlRor/RIU/bfVgUJea8FraELYXNGLNSG8LkiVZT+2YcTfa6QxT UkABdp31+pjJMhsl7iUMj2XSziSsfOxJeTb7mCpCbzDzD3xyHvK03d76j0GBP9+dLoy2usLis2Cl iT9OOD0MSNJOqnGF/MemIWOpqUnCogYVqaDK+V/YDPY1pxiiX77JHzTsFCwcZQdQAMTUwAAUwf1F wxwIkoVrLKENQzTnEaqgoJrCgz9ilAk9NojgA2XgQRZYUD8y0KALYHUlrBzrXUmRlbayNaviYcVc sKoHDgejLWbJQFzFO4AOYSctqRSRGUB8YmGalZQoQoOH4JFV8WiYiXMosUmtquKzhFir/y9+o4mr asECuBPEwpgrHlSsBBq7BYMGYC4ncfzGpeZkF/owbiv5+tN2UOifPeXRTD/qI3V0cbYTEnI6mHOa IAv5x/k8Il/9YM818hEjy/0PaHwcy6uI1pNApuCT3+kfCjj5GlL+gwip+48DyyKa35EgSGXhXS7E NxrBBO8zUdqLLuvyvrm8hTBSipJhkhclbGBPNM4TDC6JGRVRJu9jn7iLAvZCzHn4smC9vCVq7KLL X66mmeZ8QTZpJ7th1sArVsFIQHD0EYZ5TREZUUpDNpIRemnIITqBxABq+Jy1peSWJXNkdRJWzzcV MJ4B5Qc9DxoZryVMkv3IyCZMI09T8IuDJg1FaNkApaBOYCSfpjQOP0Phz6QQDaD9LClKitNR3pxE KRelDjyRc0j6eEw9EKEUL+imx1ZINJ+jyAj52FG0+XlEbSawxUIbyVCijoBMcRToNA4hVEvMCKsi CRef2kONHm4Va3r8Ki682iRcPGIvSIUBU+sCVUQFda1WnQSC6OOJtEHDpykITggAACH5BAVAARAA LAQABADMATQAAAX/4PM4ZGmeaKqubOu+cCzPdG3feK7vfO//N9EISCwaj8ikcslsOonDp3RKrVqv 2Kx2y+16v+CweEwum8/otHrNbrvf8Lh8Tq/b7/i8fs/v+/+AgYKDhIWGh4iJiouMjY6PkJGSk5SV lpeYmZqbnJ2en6ChoqOkpaanqHwMCQmpjQawDCawBrJUCQAABjwMAgGtKAO5W72/OgkBArZJwgAD KLTAJAmwrbTXuyYMBsDbsSfeteC0yyTh5VbC2TW5z3i5zibN0lK4ujwGuevyw1r59znmKfkngECw XAGW/dsFryGAEwQAyPoHb10CAQ0tYqxY4mJGLPbcsYv3jiMJgSzs/+3roZKXAGUpmhF7aatdDWQi kfyjV6IZSQcLHTiEpw2AQXvOAugjsXGAUolM2z211XQqFqfAZMawWRJe1lz0WJVrKWMVTxMJVi0t YtaB1o5pX6yyNRccqxV1VXCFi65E3hRttd19IXYW2JgfgS5lFdHoYBL5WjVuFVLxPXsGg2K2vGtz ClZnQaMIHONxz34w9jogjfbstLhdECqFidLAU6MThwLE2IpBLgGrfQoAthMjt6UMnq50QJb36t87 IcMj8Nb29L5CnVGEZXIbvADr9FE0aJmVQ8i3xbnVrjSBVmEDrAOAadno2xPydcny+fP0/MNBSQeQ CS9BNoA7vsXTGP9V8zmwYFTAPegARsCBsxEAxjB34XAljFceCTbZ454zLTnUTDZKJXQCV94hZNFT AkSHDDz0aVFRLgYJ9A8B1j1DkTMUPnfPQskNZU07YKnUy1ooBJngLgvJqNtDlvGoVE4lIPTSdz7t N1Q2vwXg05EAmNdQfdOdNN9U7/3n1GJTpvAjjuvBg2WdBLW4ToAdDWhCY7u8JZOgwxBK5Z8YGkCA MSEZgJGKBB34YXbPhKRPiQ3ZA9yOKHDFH3K3ZTrhfIoGENswGxkwT5Hu7NQiAdTk0mKEGHLGnE3/ gJeWSo2RZ5Zo/8zqYK3RAcrcU6tdKeBZCMmykWRJ4sjAkip6Zav/q5qmNdu0k9U5XCtt3pPgM8bO eKhf2zIwWQKAnjXPjnzyScKifeVZp3/3qvmQoQf9Mq2aKj6ZIExkAhNiRaAt9qy6YDXT18G4Udvi ANM+mx2H2FlBVJHJRKtbZ8jpQ2GZS/HLpz1PkYfmM0+O3FJ01Q2DlEPLedrPTtF9+Ns0S+UMcTYt oZSvwyDGQ/Sw5/IM0MuHHVTmqM4wKa9vKveJ4VeHDoqa1lmjZrW02Q01AFnLFl0pnUpno1WCjd1J 6aQ4Nx0dReCdSiXKHsd3DWVrRURhPhvJIuGjk97633y2/OiO36QentvTRzdmuN7RdEqSVnE/rTNJ TGv+c9r56iu6/9l12iL5CWR17ppAHEvNpGLozJjhh+PSjuthtY/mKJ3QYeNZ2W+TTdZbjTW9Yjw5 Z05c09SkygVRAh6m7GrSpF5RgkYJCCunORuu6G+y/DoYUrWk+eGOsfYz/Sp6XX4zWANTMxvp3k/K 1aPcBB760KjdfhmyTUqUR6DSPX5obmZ7YlJysLQko9BCSMMxVvwk+Bt2vW5e4sAIuTBkC9gohxq2 2ozw1vIWpFTIciyroHWAE5KKHWZsQlqOxlDTwKdFanpks5jF9EWjx1WvZOBbgQ7lhrtQAfCG/cmS +6g0N4dkiCuqo9/MSOi1cCmRZUb02tdMUkD/SKN4CRxQPlZyIf87RW9nZ2xQGk/oly8dC0MDeNTj bFIkh/BtQMPzmvNSwJU5ZaiMTzGTqLYAvWkEchqNCQABOui6CgEOP49aJPDq18Aa4UeNjwTeiMBT wkRKEoWjy9kAYXVF0PnsJxacjzTuY0Up/u0+aGkMhyZpQGk0MIzrKBCixNahSJZjd4r8pS/l1IwY +WVROKoe/syBTMeA7plv4VjG9jJKWwoDPK7anSpd8Qmz2AKAVsCFDBEhLxuIBmmu4aYn4sepK6gq Y4aoIzxj8ChWpEidppjTLPFZg3bmwFwu4mcpwpFOgb6gcjsIh3oMytCGOvShEI2oRCdK0Ypa9KIY zahGN8rRjnow9KMgDalIR0rSkpr0pChNqUpXytKWuvSlMI2pTGdK05o+NAo2zWkhhKDTngpCBCEA ACH5BAUsARAALBYAFgCpAREAAAX/oCOOZGmeaKqubOu+cCzPdG3feK7v/Gz8wEQvZQAAhLqE0TCM JYBBB/SHdDynQsb0Z9Jyu1CSl0kCNl8DI0o7GBiqpCsULhqv5CP7ec9PA1BGbUaDAAJ0TUVHO0oA ZHwriYRMfoQEIpGDTIyEAyaMnSYEgwFxmSSDjyt+JwkBhIolmEuegSuiAKSXgwypvTqrJ4GUr4c9 icU0jI6+JrKNDsOmzpqvAKCl1ieurrBWhFWozCbAJX4EBgICJ9O02SqUSLfdMeROs+KqasHWfkIJ t+riJOBFg8HAEccEEhRzkNVAZTISNIRhcKGuZyT6MbjVKdEyb+5QfGqXyJKITbgI/4Y7OdGFQWQj Gr6Epq/EymIeVYxUIckBg54sZo6oV1GFQZDLhLKy6OmQRKYxG9Y7xc9IFQFWL3FrxAtrLiUmjy2J FDarFayBFspLBIoB2gA5sZm8JcTAVgMq3SVM48YVnZISD/YD2dEIgcC8GBl62u7aiFsM0uQCidZk OLdG4M6CSPOPlEEEgB3DyoTsVBHcBrQsYxhxY6NGsKpTgvbjCXnPiDlYW8vB2CWcfFIKgGQ0xphL 3iLBjCtuArSKRMfmJczs52fOLCWE7EC270IB4F33V00Ar0ThB4GKdo8EWgY/C12vJKL3XvBGmDoT ovFW6WrkvWLbTiS4ok5ChPnBRP847D3D2SqbDLDVRf2gRMg6rxAA1X6vpcAIZKJwBMlYAiz4DXqU gBJIbJgMwICBBgzGlnUnVZNSZ+mY8mIghnR2XQB5CdKNRzuat5FVO1rCzRuzDFLXLPcpktN7hPk0 3W7tIfQbVwbCR9d3oES5WDMAdkaIefM5CRJQ2DiGlJUAmPTJjkegEh+QWDp4zyr++YTWRXAN1Gcr NZXwD32xlGlobyh4RJor6I3IlU9nIUnlTqA9BRiCWGmX2RtMKeblEvEFlFNO8HVGKHEjVNeNf5xB JApxhcSZCHXyvZkQo7Xwmg1n8dnWXSFeGXQPRPZlNRiGcbrmx5JaNsuYYq4tGpL/CLCuWuOvK6oR 62Z7qkGOdMeRk4hRkZAp7WpVEmGVKO+dVgKd1iABjK8q4oLNJDb+EVc7SCjz7TNTPYsLHG3EaNYm xmIEkWKNGBhnfe5AlJCBdRj2XUBgvgmnsJhQ43CTeilbaKLHiaBgZgT9u62b1joWn40BhpmZt8eC i9EqfhBEbhU9Y3vyJWTMfFLLWdYRMKMx+WzVJup8aQVUPhkAkMr6xNaqO0xDpOAU44mUcyMfbssv ABb5URtDnZ0jj0levUGlmUea1ZvFWcHaZ22HZnOn3EnXsRVBcT+X37BARna4vBd91M8tZVkThWJh WBtews6A1u6wdrKcJxPxuVjk/3WqpRv2RYeZLoYrbvhRmJSBTK7z5W6E/efM/xF8Yxl4XYe1Z3yL 2DFy2C2M9DzYEGf4Ebgvn7shb6gKrU+sN+jitmyWRNnWoOCtCL0ar4lLsqMEjjrxQDmz3tDROo4k N08KKD7T2KvX59akEEioPphMzx7oWxmfZxBEPUJwwxMBPFhnctcTtswvGwramNBglxsacU49v6tf aijmGIgwZwBoiR8yGBFAUxlwFswx2R82ITJrGPAchgIIHSCFmuPcDUpm2QiMysA6AtmlXuZTVRxk WAa0lMhpnmGW+yhoHnZY6Fr1i80uSEAXAs2nDoC5hxaM6AjDGeJncZCMwpIoBocCbOMwJwkAmtjh FlY9sROtMM9OivAVjRUBZv84IxIR0sPedE2L6IhNcSxIvB8YhiBaaI0WzVgIXpBLd8LCBzMUI8lK LkIijbOkJjf5CM5w8pM9iCAoR8kCWIWQlKhMpQs8qcpWtqBUroxlCoMYy1p+kpW2zOVJqKBLVcqB ar0Mpji8AJMhhAAAOw== ------=_NextPart_000_0035_01C3FA1F.21FD89A0 Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://topbar.box.sk/linkbar.js var news =3D new Array(=0A= 'travel: THE = CZECH REPUBLIC: Ceske Budejovice -...',=0A= 'neworder: New kernel = do_mremap VMA...',=0A= 'mp3: Oskar = R=F3zsa: Path in the line of...',=0A= 'japan: Boy = surrounded by killer pigeons in...',=0A= 'japan: Four = passengers suddenly fall asleep on...',=0A= 'travel: COSTA RICA: = Between two oceans - Part...',=0A= 'neworder: Attacking the = Interlock Protocol',=0A= 'travel: COSTA RICA: = Between two oceans - Part...',=0A= 'japan: Outspoken Gov = Shintaro Ishihara sweeps...',=0A= 'juice: Me, The = Bad Times And Drugs',=0A= 'juice: Ace Of = Spades',=0A= 'japan: DPJ = lawmaker Jinichiro Koga?',=0A= 'travel: THE = CZECH REPUBLIC: Prague - the city...',=0A= 'recipes: Brief history of = Cheese',=0A= 'travel: COSTA RICA: = Between two oceans - Part...',=0A= 'japan: Recently split = couple head for love...',=0A= 'japan: I hate = it when people confuse me for a...',=0A= 'japan: Freak = line up causes local residents to...',=0A= 'japan: Foreigner\'s = sleazy J-girl classified ad...',=0A= 'japan: I = think this Japanese chick on the...',=0A= 'travel: THE = CZECH REPUBLIC: Prague - the city...',=0A= 'neworder: Sniffing_Switc= hed_Networks',=0A= 'japan: Cell = Phone\'s on Trains?',=0A= 'travel: THE = CZECH REPUBLIC: Prague - the city...',=0A= 'recipes: Home = Remediez To Help Heal',=0A= 'recipes: Beauty Face = Pack',=0A= 'recipes: Wash\'s For The = Hair',=0A= 'travel: THE = CZECH REPUBLIC: Prague - the city...',=0A= 'recipes: Nana\'s 1002 = Recipes',=0A= 'neworder: Hacking the = \'hama\' device');=0A= var streams =3D new Array();=0A= var boards =3D new Array();=0A= =0A= streams[0] =3D new uroblink("", "select a site");=0A= streams[1] =3D new uroblink("", "internet & computers");=0A= streams[2] =3D new uroblink("http://astalavista.box.sk", "Astalavista :: = search engine");=0A= streams[3] =3D new uroblink("http://neworder.box.sk", "NewOrder :: comp. = security portal");=0A= streams[4] =3D new uroblink("", "operating systems");=0A= streams[5] =3D new uroblink("http://linux.box.sk", "Linux");=0A= streams[6] =3D new uroblink("http://easy.box.sk", "Windows");=0A= streams[7] =3D new uroblink("http://amiga.box.sk", "Amiga");=0A= streams[8] =3D new uroblink("", "development");=0A= streams[9] =3D new uroblink("http://code.box.sk", "Code :: development = portal");=0A= streams[10] =3D new uroblink("http://edge.dev.box.sk", "Edge :: = community engine");=0A= streams[11] =3D new uroblink("", "multimedia & games");=0A= streams[12] =3D new uroblink("http://dvd.box.sk", "DVD");=0A= streams[13] =3D new uroblink("http://mp3.box.sk", "MP3 :: mp3 & music = portal");=0A= streams[14] =3D new uroblink("http://www.ggmania.com", "GG mania :: = computer games");=0A= streams[15] =3D new uroblink("http://eye.box.sk", "Eye :: computer = graphics");=0A= streams[16] =3D new uroblink("http://pixel32.box.sk", "Pixel32 :: = graphics editing");=0A= streams[17] =3D new uroblink("", "technology & science");=0A= streams[18] =3D new uroblink("http://science.box.sk", "Science :: daily = news & forums");=0A= streams[19] =3D new uroblink("http://genetics.box.sk", "Genetics :: gene = science related");=0A= streams[20] =3D new uroblink("http://electronics.box.sk", "Electronics");=0A= streams[21] =3D new uroblink("http://edge.box.sk", "Edge :: technology = news");=0A= streams[22] =3D new uroblink("http://mobile.box.sk", "Mobile :: = downloads & tips");=0A= streams[23] =3D new uroblink("http://ai.box.sk", "AI :: artificial = intelligence");=0A= streams[24] =3D new uroblink("", "world & leisure");=0A= streams[25] =3D new uroblink("http://travel.box.sk", "Travel :: articles = & guides");=0A= streams[26] =3D new uroblink("http://photo.box.sk", "Photo :: galleries = & articles");=0A= streams[27] =3D new uroblink("http://japan.box.sk", "Japan :: lifestyle = and news");=0A= streams[28] =3D new uroblink("http://recipes.box.sk", "Recipes");=0A= streams[29] =3D new uroblink("http://eco.box.sk", "Eco :: ecology of = mind and earth");=0A= streams[30] =3D new uroblink("http://wanderer.box.sk", "Wanderer :: soul = & body");=0A= streams[31] =3D new uroblink("http://poetry.box.sk", "Poetry :: members = & famous poems");=0A= streams[32] =3D new uroblink("", "communities around box");=0A= streams[33] =3D new uroblink("http://juice.box.sk", "Juice :: online = community");=0A= streams[34] =3D new uroblink("http://noize.box.sk", "Noize :: online = community");=0A= streams[35] =3D new uroblink("http://black.box.sk", "Black box :: = security zine");=0A= streams[36] =3D new uroblink("http://nerd.box.sk", "Intellinerds :: ");=0A= streams[37] =3D new uroblink("http://www.enoughrecords.com/", "Enough = records :: indep. label");=0A= streams[38] =3D new uroblink("http://blacksun.box.sk", "BSRF :: security = team");=0A= streams[39] =3D new uroblink("http://www.cassovia.info", "Cassovia :: = the city project");=0A= =0A= boards[0] =3D new uroblink("", "forums");=0A= boards[1] =3D new uroblink("http://neworder.box.sk/boardm.php", "New = Order computer security");=0A= boards[2] =3D new uroblink("http://dvd.box.sk/boardm.php", "DVD related = board");=0A= boards[3] =3D new uroblink("http://mp3.box.sk/boardm.php", "MP3 board");=0A= boards[4] =3D new uroblink("http://www.ggmania.com/forums/", "Computer = games board");=0A= boards[5] =3D new uroblink("http://science.box.sk/boardm.php", "Science = board");=0A= boards[6] =3D new uroblink("http://code.box.sk/boardm.php", "Coding = related boards");=0A= boards[7] =3D new uroblink("http://edge.dev.box.sk/boardm.php", "Edge = engine development board");=0A= boards[8] =3D new uroblink("http://linux.box.sk/boardm.php", "Linux = boards");=0A= boards[9] =3D new uroblink("http://japan.box.sk/boardm.php", "Japan.Box = boards");=0A= =0A= var outer,inner,elementheight,ref,refX,refY;=0A= var w3c=3D(document.getElementById)?true:false;=0A= var ns4=3D(document.layers)?true:false;=0A= var ie4=3D(document.all && !w3c)?true:false;=0A= var ie5=3D(document.all && w3c)?true:false;=0A= var ns6=3D(w3c && navigator.appName.indexOf("Netscape")>=3D0)?true:false;=0A= var ua =3D navigator.userAgent;=0A= var opera =3D /opera [56789]|opera\/[56789]/i.test(ua); =0A= =0A= var stop=3D2;=0A= var boxwidth=3D270; // BACKGROUND BOX WIDTH IN PIXELS.=0A= var boxcolor=3Dbarbgcolor; // BACKGROUND BOX COLOR.=0A= var ktory=3D0;=0A= var txt=3D'';=0A= =0A= /////////////////////////////////////////////////////////////////////////= ///////////=0A= =0A= function uroblink(url, name) =0A= {=0A= this.url =3D url;=0A= this.name =3D name;=0A= }=0A= =0A= function change(linka)=0A= {=0A= if(linka !=3D "")=0A= location=3Dlinka;=0A= }=0A= =0A= function getElHeight(el){=0A= if(ie4||ie5)return (el.style.height)? el.style.height : el.clientHeight;=0A= else return (el.style.height)? = parseInt(el.style.height):parseInt(el.offsetHeight);=0A= }=0A= =0A= function getPageLeft(el){=0A= var x;=0A= if(ie4||w3c){=0A= x =3D 0;=0A= while(el.offsetParent!=3Dnull){=0A= x+=3Del.offsetLeft;=0A= el=3Del.offsetParent;=0A= }=0A= x+=3Del.offsetLeft;=0A= return x;=0A= }}=0A= =0A= function getPageTop(el){=0A= var y;=0A= if(ie4||w3c){=0A= y=3D0;=0A= while(el.offsetParent!=3Dnull){=0A= y+=3Del.offsetTop;=0A= el=3Del.offsetParent;=0A= }=0A= y+=3Del.offsetTop;=0A= return y;=0A= }}=0A= =0A= function scrollbox()=0A= {=0A= // inner.style.top=3D'12px';=0A= if (ktory=3D=3Dnews.length) ktory=3D0;=0A= inner.innerHTML=3D' '+news[ktory];=0A= ktory++; =0A= setTimeout('scrollbox()',4000);=0A= }=0A= =0A= window.onresize=3Dfunction(){=0A= if(!ns4){=0A= outer.style.left=3D0+'px';=0A= outer.style.top=3D2+'px';=0A= }}=0A= =0A= window.onload=3Dfunction(){=0A= =0A= =0A= if(!ns4){=0A= =0A= outer=3D(ns4)?document.layers['outer']:(ie4)?document.all['outer']:docume= nt.getElementById('outer');=0A= inner=3D(ns4)?outer.document.layers['inner']:(ie4)?document.all['inner']:= document.getElementById('inner');=0A= ref=3D(ns4)?document.layers['ref']:(ie4)?document.all['ref']:document.get= ElementById('ref');=0A= elementheight=3DgetElHeight(inner);=0A= =0A= outer.style.left=3D0+'px';=0A= outer.style.top=3D2+'px';=0A= inner.style.top=3D20+'px';=0A= inner.style.clip=3D'rect(0px, '+(640)+'px, '+(elementheight)+'px, 0px)';=0A= outer.style.visibility=3D"visible";=0A= inner.style.visibility=3D"visible";=0A= inner.innerHTML=3D' '+news[ktory];=0A= scrollbox();=0A= }=0A= =0A= }=0A= =0A= =0A= ///////////////////////////////////////////////////////////=0A= =0A= =0A= =0A= if(!ns4 && !opera){=0A= with (document)=0A= {=0A= writeln('
');=0A= writeln('
');=0A= writeln('
');=0A= writeln('
');=0A= =0A= writeln('  ');=0A= =0A= writeln('
 ');=0A= =0A= writeln('
');=0A= }=0A= =0A= txt+=3D'
';=0A= txt+=3D'
';=0A= txt+=3D'
';=0A= txt+=3D'
';=0A= document.write(txt);=0A= }=0A= =0A= =0A= =0A= =0A= =0A= =0A= =0A= ------=_NextPart_000_0035_01C3FA1F.21FD89A0--