Tuesday, Jul 03, 2007

This New Vulnerability: Dowd's Inhuman Flash Exploit

The evidence is now overwhelming that Mark Dowd was, in fact, sent back through time to kill the mother of the person who will grow up to challenge SkyNet. Please direct your attention to Dowd’s 25-page bombshell on a Flash bytecode attack.

Some context. Reliable Flash vulnerabilities are catastrophes. In 2008, we have lots of different browsers. We have different versions of the OS, and we have Mac users. But we’ve only got one Flash vendor, and everyone has Flash installed. Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker. It is the Cyberdyne Systems Model 101 of clientsides.

So that’s pretty bad-ass. But that’s not why the fate of humanity demands that we hunt down Dowd and dissolve him in molten steel.

Look at the details of this attack. It’s a weaponized NULL pointer attack that desynchronizes a bytecode verifier to slip malicious ActionScript bytecode into the Flash runtime. If you’re not an exploit writer, think of it this way: you know that crazy version of Super Mario Brothers that Japan refused to ship to the US markets because they thought the difficulty would upset and provoke us? This is the exploit equivalent of that guy who played the perfect game of it on YouTube.

Let’s break it down a bit:

[image: p2.png]

Start with the vulnerability.

It’s an integer overflow, but not a simple one.

When the Flash runtime reads in scene data from a SWF file, there’s a numeric field that, when bounds-checked, is interpreted as a signed number, but when used is treated as unsigned. So there are values the field can take that are treated as tiny and innocuous at time-of-check, but actually evaluate as huge numbers at time-of-use.

A by-the-numbers integer overflow normally knocks the bounds checking off a strncpy or memcpy call, turning code that carefully copies, say, 1k of memory into code that will copy 2 megs of data, splattering it all over process memory. Not here. Instead, Flash uses the malicious number as a count of bytes to allocate.

When you ask Flash to allocate several gigs of memory all at once, the allocation fails, returning NULL. Attempt to use that NULL address and you will crash the program. This happens all the time in real code. Many crashes are traceable to NULL pointers. And, since nothing (usually) lives at NULL, NULL pointer crashes are usually code for “not exploitable”.

Not this time. Flash forgets to check that the allocation failed, a ludicrously common error. It then uses that pointer with an offset controlled by the attacker. NULL isn’t valid. NULL plus 1024 isn’t valid. But NULL + 0x8f71ba90 is, as is NULL + N for any N that addresses valid memory.

To this address, controlled by attackers via wild offset, Flash writes a value that is also controlled by the attacker. This is the write32 pattern: a vulnerability that gives the attacker the means to set any one value in memory to a value of their choosing. Game over.
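The check/use mismatch and the missing NULL check, as an added C model that is not Flash code and not from Dowd's paper. The field name, record size, allocator limit and function names are all constructed for illustration; the vulnerable routine is left broken on purpose, with the hardened one beside it:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed model of the check/use mismatch described in the post. The
 * field, record size, allocator limit and names are illustrative only. */

#define MAX_SCENES  1024u
#define SCENE_SIZE  12u                       /* bytes per record (constructed) */
#define ALLOC_LIMIT (64u * 1024u * 1024u)     /* 64 MiB cap for the stand-in allocator */

typedef enum {
    LOAD_REJECTED,          /* bounds check refused the count */
    LOAD_OK,                /* buffer allocated, base pointer valid */
    LOAD_ALLOC_FAILED,      /* allocation failed and the caller was told */
    LOAD_NULL_BASE_IN_USE   /* allocation failed and the code carried on with NULL */
} load_result;

/* Deterministic stand-in for malloc: returns NULL above a fixed limit, the
 * way a real allocator fails a multi-gigabyte request. */
static void *bounded_alloc(size_t n) {
    if (n > ALLOC_LIMIT) return NULL;
    return calloc(1, n ? n : 1);
}

/* The address a record index resolves to. With a NULL base this is simply
 * index * SCENE_SIZE: an offset from address 0 chosen by whoever wrote the file. */
static uintptr_t scene_address(const void *base, uint32_t index) {
    return (uintptr_t)base + (uintptr_t)index * SCENE_SIZE;
}

/* Vulnerable pattern: checked as signed, used as unsigned, result unchecked. */
static load_result vulnerable_load_scenes(int32_t count, void **base_out) {
    if (count > (int32_t)MAX_SCENES)            /* time-of-check: -1 looks tiny */
        return LOAD_REJECTED;
    size_t bytes = (size_t)(uint32_t)count * SCENE_SIZE;  /* time-of-use: -1 is ~4 GiB */
    *base_out = bounded_alloc(bytes);
    /* No NULL check: every later record access indexes from *base_out. */
    return *base_out ? LOAD_OK : LOAD_NULL_BASE_IN_USE;
}

/* Hardened: check the same interpretation that is later used, and honour failure. */
static load_result hardened_load_scenes(int32_t count, void **base_out) {
    uint32_t ucount = (uint32_t)count;          /* one interpretation, used everywhere */
    if (ucount > MAX_SCENES)
        return LOAD_REJECTED;
    size_t bytes = (size_t)ucount * SCENE_SIZE; /* bounded above, so it cannot wrap */
    void *base = bounded_alloc(bytes);
    if (base == NULL)
        return LOAD_ALLOC_FAILED;
    *base_out = base;
    return LOAD_OK;
}

int main(void) {
    void *base = NULL;
    load_result r = vulnerable_load_scenes(-1, &base);
    printf("vulnerable, count=-1: result %d, record 3 resolves to 0x%lx\n",
           (int)r, (unsigned long)scene_address(base, 3));
    r = hardened_load_scenes(-1, &base);
    printf("hardened, count=-1: result %d\n", (int)r);
    return 0;
}
```

The two fixes are independent and both matter: comparing the unsigned value closes the sign confusion, and checking the allocator's return value means that even a future bug in the bounds check ends in a clean failure rather than indexing from address 0.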

[image: p1.png]

Except not quite.

The exploit doesn’t actually get to offset an arbitrary number of bytes from 0. A complicated set of conditions constrains the address it writes to and the value it gives it.

The actual write occurs via a structure offset. Flash is hardcoded to translate your offset into another number. Working offsets, as it turns out, will be greater than 0x80000000, and will be evenly divisible by 12 after 4 is added to them. Note: I thought I was hardcore when I wrote shellcode with no lowercase letters for the IMAP vulnerability in the ’90s.

That’s not all. The value that Flash will write to the wild pointer isn’t totally controlled by the attacker either. It’s cast up from a 16-bit integer to a 32-bit integer, and has another variable subtracted from it. This is the point in the report where I started giggling uncontrollably, embarrassing myself at the coffee shop.

The net result of this silliness is that it’s hard to do what attackers normally do with a write32 vulnerability, which is to clobber a function’s address with a pointer back to their buffer, so that their shellcode is called when the clobbered function is called. So Dowd’s exploit takes things in a different direction, and manipulates the ActionScript bytecode state.

ActionScript bytecode state; yeah, about that. ActionScript is Javascript that controls Flash animations. But the Javascript system used by Flash is pretty advanced; for performance, it transforms Javascript into bytecodes for a VM. For a bytecode VM, ActionScript is pretty tight; its runtime stack is integrated with the CPU’s runtime stack. The memory it uses to execute code is the same memory that the Flash C-code runtime uses to manage its own state.

ActionScript is a register-based VM, meaning that its bytecode instructions concern themselves chiefly with moving values in and out of memory slots that simulate CPU registers. Those registers live in the runtime stack and are accessed by indexing. Meaning, a malicious Flash bytecode instruction can index its way to an arbitrary address on the system stack. Game over.

[image: p3.png]

Except not quite.

You can’t just inject malicious bytecodes.

Flash players have to execute bytecode sklorked directly off of web pages, most of which are controlled by organized criminals. So Flash doesn’t execute arbitrary bytecodes; they’re verified before execution. The verifier ensures, among other things, that register accesses from the bytecode stream reference valid register slots.

But. For performance, the Flash VM is broken into a two-pass system with a verifier that validates bytecode (time-of-check) and an executive that later evaluates it (time-of-use). And the interpretation of bytecode differs at time-of-check and time-of-use. Here’s the situation:

  • The verifier ignores undefined bytecodes.

  • The verifier keeps a table in memory that defines how long any one bytecode instruction is.

  • The bytecode length table is a valid target of the NULL pointer overwrite.

  • The executive has totally different machinery for interpreting bytecode.

Clobber the right value in the length table, and you can make an unused bytecode instruction that the verifier ignores seem much longer than it is. The “extra” bytes slip past the verifier. But they don’t slip past the executive, which has no idea that the unused bytecode has trailing bytes. If those trailing bytes are themselves valid bytecode, Flash will run them. Unverified. Giving them access to the whole system stack. Game over.
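The two-decoder problem from the bullets above, and the indexed register file from the register-VM paragraph, in one added toy VM. This is constructed for illustration and is not Flash's instruction set or anything from Dowd's paper: four made-up opcodes, an eight-slot register file, a verifier that walks the stream by a private length table and skips undefined opcodes, and an executive with its own switch. The hardened half below it shares a single decoder between both passes and treats an undefined opcode as a verification failure rather than something to step over.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed toy VM: opcodes, lengths and register file are illustrative. */
#define NREGS 8
enum { OP_NOP = 0x00, OP_PUSH = 0x01, OP_STORE = 0x02, OP_HALT = 0x03 };

/* --- desynchronized design: two decoders, one of them table-driven --- */

/* The verifier's private length table; in the post this table is what the
 * NULL-offset write clobbers. Here a caller can overwrite an entry directly. */
static uint8_t verifier_len[256];

static void init_len_table(void) {
    memset(verifier_len, 1, sizeof verifier_len);   /* undefined opcodes: 1 byte */
    verifier_len[OP_PUSH]  = 2;
    verifier_len[OP_STORE] = 2;
}

/* Time-of-check: advance by table length, validate operands of known opcodes,
 * silently skip the rest. */
static bool desynced_verify(const uint8_t *code, size_t n) {
    size_t pc = 0;
    while (pc < n) {
        uint8_t op = code[pc];
        size_t len = verifier_len[op];
        if (pc + len > n) return false;
        if (op == OP_STORE && code[pc + 1] >= NREGS) return false;
        pc += len;
    }
    return true;
}

/* Time-of-use: its own switch and its own lengths; undefined opcodes are
 * one-byte no-ops. Returns -1 if every STORE hit a real register, otherwise
 * the out-of-range slot it was asked to write (the "past the register file,
 * into the C stack" case from the post). */
static int desynced_execute(const uint8_t *code, size_t n) {
    uint32_t regs[NREGS] = {0}, acc = 0;
    size_t pc = 0;
    while (pc < n) {
        switch (code[pc]) {
        case OP_HALT:  return -1;
        case OP_PUSH:  if (pc + 1 >= n) return -1;
                       acc = code[pc + 1]; pc += 2; break;
        case OP_STORE: if (pc + 1 >= n) return -1;
                       if (code[pc + 1] >= NREGS) return code[pc + 1];
                       regs[code[pc + 1]] = acc; pc += 2; break;
        default:       pc += 1; break;   /* OP_NOP and everything undefined */
        }
    }
    return -1;
}

/* --- hardened design: one decoder for both passes, undefined = reject --- */

typedef struct { uint8_t op, arg; size_t len; } insn;

static bool decode(const uint8_t *code, size_t n, size_t pc, insn *out) {
    if (pc >= n) return false;
    out->op = code[pc];
    out->arg = 0;
    switch (out->op) {
    case OP_NOP: case OP_HALT:
        out->len = 1; return true;
    case OP_PUSH: case OP_STORE:
        if (pc + 1 >= n) return false;
        out->arg = code[pc + 1]; out->len = 2; return true;
    default:
        return false;                    /* undefined opcode: fail, never skip */
    }
}

static bool hardened_verify(const uint8_t *code, size_t n) {
    insn i = {0, 0, 0};
    for (size_t pc = 0; pc < n; pc += i.len) {
        if (!decode(code, n, pc, &i)) return false;
        if (i.op == OP_STORE && i.arg >= NREGS) return false;
    }
    return true;
}

/* Same decoder at time-of-use, and the register bound is re-checked anyway. */
static bool hardened_execute(const uint8_t *code, size_t n) {
    uint32_t regs[NREGS] = {0}, acc = 0;
    insn i = {0, 0, 0};
    for (size_t pc = 0; pc < n; pc += i.len) {
        if (!decode(code, n, pc, &i)) return false;
        if (i.op == OP_HALT) return true;
        if (i.op == OP_PUSH) acc = i.arg;
        if (i.op == OP_STORE) { if (i.arg >= NREGS) return false; regs[i.arg] = acc; }
    }
    return true;
}
```

Setting `verifier_len[0xF0] = 3` on a stream such as `{0xF0, OP_STORE, 0xFF, OP_HALT}` reproduces the post's situation in miniature: the table-driven verifier steps over the STORE as if it were operand bytes, while the executive sees a one-byte unknown followed by a STORE to slot 255. The hardened pair rejects that stream at verification time, and would also refuse it at execution time if the verifier were somehow bypassed, which is the defence-in-depth point: a length table that lives in writable memory is a trust anchor, and the only robust fix is to stop having two interpretations of the same bytes.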

[image: p4.png]

Except not quite.

The Koopa shell on the second platform is a trap and if you touch it you die.

Ok actually there’s no catch. Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.

But, just to rub it in, or because this stuff just comes natural to you when you are manufactured by a malicious cluster of supercomputers inside SkyNet instead of nurtured by loving human parents, Dowd gives himself additional constraints.

To wit: his exploit must (because he’s messing with us) corrupt the Flash runtime, rewrite it to execute his trojan, and leave it running steady as if nothing had happened. Meaning:

  • His modification to the verifier can’t break existing instructions.

  • His bytecode has to swap values into the stack instead of clobbering them directly.

  • Portions of his shellcode have to run as both Flash bytecode and an x86 first-stage shellcode boot.

[image: p5.png]

Two fun details.

First, even though IE and Firefox use different Flash builds, the addressing inside them is compatible. The exploit works in both places.

Second, Flash isn’t compiled with ASLR. So the attack works on Vista.

Mass casualty. Go Flash!

Reader Comments (29)

I'm going to code the exploit together with a student team partner in order to present this kind of attack in our IT seminar at our university. We totally fail at reproducing the desynchronization of verifier and interpreter. It seems like the interpreter also jumps above the marker (F4, F5, F6 or F7) and the trailing bytes. We are working with Flash Player version 9r45, i.e. less than or equal r115 ;), and use the generated HTML file of Flash C4 Prof to execute the uncompressed SWF file within IE.
Does anyone know why Dowd's exploit does not seem to work?

December 5, 2009 | Unregistered CommenterNogge

Ok, got it ! We do not know what we have done wrong all the time and why the interpreter behaved in such a way. But after generating a new, uncompressed swf by flash C4 and modifying as well as adding content step-by-step, it worked.

December 10, 2009 | Unregistered CommenterNogge

Just out of curiosity, Nogge, what university is that?

December 17, 2009 | Unregistered CommenterBlueRaja

