10/08/2015

Full TrustZone exploit for MSM8974

In this blog post, we'll cover the complete process of exploiting the TrustZone vulnerability described in the previous post. If you haven't read it already, please do!

Responsible Disclosure

First of all, I'd like to point out that I've responsibly disclosed this vulnerability to Qualcomm, and the issue has already been fixed (see "Timeline" below).

I'd also like to take this opportunity to point out that Qualcomm did an amazing job in both responding to the disclosure amazingly fast and by being very keen to fix the issue as soon as possible.

They've also gifted me a brand new (at the time) Moto X 2014, which will be the subject of many posts later on (going much more in depth into TrustZone's architecture and other security components on the device).


Patient Zero

While developing this exploit, I only had my trusty (personal) Nexus 5 device to work with. This means that all memory addresses and other specific information written below is taken from that device.

In case anyone wants to recreate the exact research described below, or for any other reason, the exact version of my device at the time was:

google/hammerhead/hammerhead:4.4.4/KTU84P/1227136:user/release-keys

With that out of the way, let's get right to it!

The vulnerability primitive

If you read the previous post, you already know that the vulnerability allows the attacker to cause the TrustZone kernel to write a zero DWORD to any address in the TrustZone kernel's virtual address space.

Zero write primitives are, drawing on personal experience, not very fun to work with. They are generally quite limited, and don't always lead to exploitable conditions. In order to create a robust exploit using such a primitive, the first course of action would be to attempt to leverage this weak primitive into a stronger one.

Crafting an arbitrary write primitive

Since the TrustZone kernel is loaded at a known physical address, this means that all of the addresses are already known in advance, and do not need to be discovered upon execution.

However, the internal data structures and state of the TrustZone kernel are largely unknown and subject to change due to the many different processes interacting with the TrustZone kernel (from external interrupts, to "Secure World" applications, etc.).

Moreover, the TrustZone code segments are mapped with read-only access permissions, and are verified during the secure boot process. This means that once TrustZone's code is loaded into memory, it theoretically cannot (and should not) be subject to any change.

TrustZone memory mappings and permissions

So that said - how can we leverage a zero write primitive to enable full code execution?

We could try and edit any modifiable data (such as the heap, the stack or perhaps globals) within the TrustZone kernel, which might allow us to create a stepping stone for a better primitive.

As we've mentioned in the previous blog post, normally, when an SCM command is called, any argument which is a pointer to memory, is validated by the TrustZone kernel. The validation is done in order to make sure the physical address is within an "allowed" range, and isn't for example, within the TrustZone kernel's used memory ranges.

These validations sound like a prime candidate for us to look into, since if we were able to disable their operation, we'd be able to leverage other SCM calls in order to create different kinds of primitives.

TrustZone memory validation

Let's start by giving the memory validation function a name - from now on, we'll call it "tzbsp_validate_memory".

Here's a decompilation of the function:

The function actually calls two internal functions to perform the validation, which we'll call "is_disallowed_range" and "is_allowed_range", respectively.

is_disallowed_range


As you can see, the function actually uses the first 12 bits of the given address in the following way:
  • The upper 7 bits are used as an index into a table, containing 128 values, each 32-bit wide.
  • The lower 5 bits are used as the bit index to be checked within the 32-bit entry which is present at the previously indexed location.


In other words, for each 1MB chunk that intersects the region of memory to be validated, there exists a bit in the aforementioned table which is used to denote whether or not this region of data is "disallowed" or not. If any chunk within the given region is disallowed, the function returns a value indicating as such. Otherwise, the function treats the given memory region as valid.

is_allowed_range


Although a little longer, this function is also quite simple. Essentially, it simply goes over a static array containing entries with the following structure:



The function iterates over each of the entries in the table which resides at the given memory address, stopping when the "end_marker" field for the current entry is 0xFFFFFFFF.

Each range specified by such an entry, is validated against to make sure that the memory range is allowed. However, as evidenced in the decompilation above, entries in which the "flags" fields' second bit is set, are skipped!


Attacking the validation functions

Now that we understand how the validation functions operate, let's see how we can use the zero write primitive in order to disable their operation.

First, as described above, the "is_disallowed_range" function uses a table of 32-bit entries, where each bit corresponds to a 1MB block of memory. Bits which are set to one represent disallowed blocks, and zero bits represent allowed blocks.

This means that we can easily neutralise this function by simply using the zero write primitive to set all the entries in the table to zero. In doing so, all blocks of memory will now be marked as allowed.

Moving on to the next function; "is_allowed_range". This one is a little tricky - as mentioned above, blocks in which the second bit in the flags field is set, are validated against the given address. However, for each block in which this bit is not set, no validation is performed, and the block is skipped over.

Since in the block table present in the device, only the first range is relevant to the memory ranges which reside within the TrustZone kernel's memory range, we only need to zero out this field. Doing so will cause it to be skipped over by the validation function, and, as a result, the validation function will accept memory addresses within the TrustZone kernel as valid.

Back to crafting a write primitive

So now that we've gotten rid of the bounds check functions, we can freely supply any
memory address as an argument for an SCM call, and it will be operated upon without any obstacle.

But are we any closer to creating a write primitive? Ideally, had there been an SCM call where we could control a chunk of data which is written to a controlled location, that would have sufficed.

Unfortunately, after going over all of the SCM calls, it appears that there are no candidates which match this description.

Nevertheless, there's no need to worry! What cannot be achieved with a single SCM call, may be possible to achieve by stringing a few calls together. Logically, we can split the creation of an arbitrary write primitive into the following steps:
  • Create an uncontrolled piece of data at a controlled location
  • Control the created piece of data so that it actually contains the wanted content
  • Copy the created data to the target location
Create

Although none of the SCM calls seem to be good candidates in order to create a controlled piece of data, there is one call which can be used to create an uncontrolled piece of data at a controlled location - "tzbsp_prng_getdata_syscall".

This function, as its name implies, can be used to generate a buffer of random bytes at a given location. It is generally used by Android is order to harness the hardware PRNG which is present in Snapdragon SoCs.

In any case, the SCM call receives two arguments; the output address, and the output length (in bytes).

On the one hand, this is great - if we (somewhat) trust the hardware RNG, we can be pretty sure that for each byte we generate using this call, the entire range of byte values is possible as an output. On the other hand, this means that we have no control whatsoever on what data is actually going to be generated.

Control

Even though any output is possible when using the PRNG, perhaps there is some way in which we could be able to verify that the generated data is actually the data that we wish to write.

In order to do so, let's think of the following game - imagine you have a slot machine with four slots, each with 256 possible values. Each time you pull the lever, all the slots rotate simultaneously, and a random output is presented. How many times would you need to pull the lever in order for the outcome to perfectly match a value that you picked beforehand? Well, there are 4294967296 (2^32) possible values, so each time you pull the lever, there's a chance of about 10^(-10) that the result would match your wanted outcome. Sounds like you're going to be here for a while...


But what if you could cheat? For example, what if you had a different lever for each slot? That way you can only change the value of a single slot with each pull. This means that now for each time the lever is pulled, there's a chance of 1/256 that the outcome will match the desired value for that slot.


Sounds like the game is much easier now, right? But how much easier? In probability theory this kind of distribution for a single "game" is called a Bernoulli Distribution, and is actually just a fancy way of saying that each experiment has a set probability of success, denoted p, and all other outcomes are marked all failures, and have a probability of 1-p of occurring.

Assuming we would like a 90% chance of success, it turns out that the in original version of the game we would require approximately 10^8 attempts (!), but if we cheat, instead, we would only require approximately 590 attempts per slot, which is several orders of magnitude less.

So have you figured out how this all relates to our write primitive yet? Here it goes:

First, we need to find an SCM call which returns a value from a writeable memory location within the TrustZone kernel's memory, to the caller.

There are many such functions. One such candidate is the "tzbsp_fver_get_version" call. This function can be used by the "Normal World" in order to retrieve internal version numbers of different TrustZone components. It does so by receiving an integer denoting the component whose version should be retrieved, and an address to which the version code should be written. Then, the function simply goes over a static array of pairs containing the component ID, and the version code. When a component with the given ID is found, the version code is written to the output address.


tzbsp_fver_get_version internal array

Now, using the "tzbsp_prng_getdata_syscall" function, we can start manipulating any version code's value, one byte at a time. In order to know the value of the byte that we've generated at each iteration, we can simply call the aforementioned SCM, while passing in the component ID matching the component whose version code we are modifying, and supplying a return address which points to a readable (that is, not in TrustZone) memory location.

We can repeat these first two steps until we are satisfied with the generated byte, before moving on to generate the next byte. This means that after a few iterations, we can be certain that the value of a specific version code matches our wanted DWORD.
 
Copy 

Finally, we would like to write the generated value to a controlled location. Luckily, this step is pretty straight-forward. All we need to do is simply call the "tzbsp_fver_get_version" SCM call, but now we can simply supply the target address as the return address argument. This will cause the function to write our generated DWORD to a controlled location, thus completing our write gadget.

Phew... What now?

From here on, things get a little easier. First, although we have a write primitive, it is still quite cumbersome to use. Perhaps it would be a little easier if we were able to create a simpler gadget using the previous one.

We can do this by creating our own SCM call, which is simply a write-what-where gadget. This may sound tricky, but it's actually pretty straight-forward.

In the previous blog post, we mentioned that all SCM calls are called indirectly via a large array containing, among other things, pointers to each of the SCM calls (along with the number of arguments they are provided, their name, etc.).

This means that we can use the write gadget we created previously in order to change the address of some SCM call which we deem to be "unimportant", to an address at which a write gadget already exists. Quickly going over the TrustZone kernel's code reveals that there are many such gadgets. Here's one example of such a gadget:


This piece of code will simply write the value in R0 to the address in R1, and return. Great.

Finally, it might also be handy to be able to read any memory location which is within the TrustZone kernel's virtual address space. This can be achieved by creating a read gadget, using the exact same method described above, in place of another "unimportant" SCM call. This gadget is actually quite a bit rarer than the write gadget. However, one such gadget was found within the TrustZone kernel:


This gadget returns the value read from the address in R0, with the offset R1. Awesome.

Writing new code

At this stage, we have full read-write access to the TrustZone kernel's memory. What we don't yet have, is the ability to execute arbitrary code within the TrustZone kernel. Of course, one might argue the we could find different gadgets within the kernel, and string those together to create any wanted effect. But this is quite tiring if done manually (we would need to find quite a few gadgets), and quite difficult to do automatically.

There are a few possible way to tackle this problem.

One possible angle of approach might be to write a piece of code in the "Normal World", and branch to it from the "Secure World". This sounds like an easy enough approach, but is actually much easier said than done.

As mentioned in the first blog post, when the processor in operating in secure mode, meaning the NS (Non-Secure) bit in the SCR (Secure Configuration Register) is turned off, it can only execute pages which are marked as "secure" in the translation table used by the MMU (that is, the NS bit is off).



This means that in order to execute our code chunk residing in the "Normal World" we would first have to modify the TrustZone kernel's translation table in order to map the address in which we've written our piece of code as secure.

While all this is possible, it is a little tiresome.

A different approach might be to write new code within the TrustZone kernel's code segments, or overwrite existing code. This also has the advantage of allowing us to modify existing behaviour in the kernel, which can also come in handy later on.

However, upon first glance this doesn't sound easier to accomplish than the previous approach. After all, the TrustZone kernel's code segments are mapped as read-only, and are certainly not writeable.

However, this is only a minor setback! This can actually be solved without modifying the translation table after all, by using a convenient feature of the ARM MMU called "domains".

In the ARM translation table, each entry has a field which lists its permissions, as well as a field denoting the "domain" to which the translation belongs. There are 16 domains, and each translation belongs to a single one of them.

Within the ARM MMU, there is a register called the DACR (Domain Access Control Register). This 32-bit register has 16 pairs of bits, one pair for each domain, which are used to specify whether faults for read access, write access, both, or neither, should be generated for translations of the given domain.


Whenever the processor attempts to access a given memory address, the MMU first checks if the access is possible using the access permissions of the given translation for that address. If the access is allowed, no fault is generated.

Otherwise, the MMU checks if the bits corresponding to the given domain in the DACR are set. If so, the fault is suppressed and the access is allowed.

This means that simply setting the DACR's value to 0xFFFFFFFF will actually cause the MMU to enable access to any mapped memory address, for both read and write access, without generating a fault (and more importantly, without having to modify the translation table).

But how can we set the DACR? Apparently, during the TrustZone kernel's initialization, it also explicitly sets the DACRs value to a predetermined value (0x55555555), like so:


However, we can simply branch to the next opcode in the initialization function, while supplying our own value in R0, thus causing the DACR to be set to our controlled value.

Now that the DACR is set, the path is all clear - we can simply write or overwrite code within the TrustZone kernel.

In order to make things a little easier (and less disruptive), it's probably better to write code at a location which is unused by the TrustZone kernel. One such candidate is a "code cave".

Code caves are simply areas (typically at the end allocated memory regions) which are unused (i.e., do not contain code), but are nonetheless mapped and valid. They are usually caused by the fact that memory mappings have a granularity, and therefore quite frequently there is internal fragmentation at the end of a mapped segment.

Within the TrustZone kernel there are several such code caves, which enable us to write small pieces of code within them and execute them, with minimal hassle.

Putting it all together

So this exploit was a little complex. Here's a run-down of  all the stages we had to complete:
  • Disable the memory validation functions using the zero write primitive
  • Craft a wanted DWORD at a controlled location using the TrustZone PRNG
  • Verify the crafted DWORD by reading the corresponding version code
  • Write the crafted version code to the location of a function pointer to an existing SCM call (by doing so creating a fast write gadget)
  • Use the fast write gadget to create a read gadget
  • Use the fast write gadget to write a function pointer to a gadget which enables us to modify the DACR
  • Modify the DACR to be fully enabled (0xFFFFFFFF)
  • Write code to a code cave within the TrustZone kernel
  • Execute! :)

The Code

I've written an exploit for this vulnerability, including all the needed symbols for the Nexus 5 (with the fingerprint stated beforehand).

First of all, in order to enable the exploit to send the needed crafted SCM calls to the TrustZone kernel, I've created a patched version of the msm-hammerhead kernel which adds such functionality and exposes it to user-space Android.

I've chosen to do this by adding some new IOCTLs to an existing driver, QSEECOM (mentioned in the first blog post), which is a Qualcomm driver used to interface with the TrustZone kernel. These IOCTLs enable the caller to send a "raw" SCM call (either regular, or atomic) to the TrustZone kernel, containing any arbitrary data.

You can find the needed kernel modifications here.

For those of you using a Nexus 5 device, I personally recommend following Marcin Jabrzyk's great tutorial - here (it's a full tutorial describing how to compile and boot a custom kernel without flashing it to the device).

After booting the device with a modified kernel, you'll need a user-space application which can use the newly added IOCTLs in order to send SCMs to the kernel.

I've written such an application which you can get it here.

Finally, the exploit itself is written in python. It uses the user-space application to send SCM calls via the custom kernel directly to the TrustZone kernel, and allows execution of any arbitrary code within the kernel.

You can find the full exploit's code here.

Using the exploit

Using the exploit is pretty straight forward. Here's what you have to do:
  • Boot the device using the modified kernel (see Marcin's tutorial)
  • Compile the FuzzZone binary and place it under /data/local/tmp/
  • Write any ARM code within the shellcode.S file
  • Execute the build_shellcode.sh script in order to create a shellcode binary
  • Execute exploit.py to run your code within the TrustZone kernel

Affected Devices

At the time of disclosure, this vulnerability affected all devices with the MSM8974 SoC. I created a script to statically check the ROMs of many such devices before reporting the vulnerability, and found that the following devices were vulnerable:

Note: This vulnerability has since been fixed by Qualcomm, and therefore should not affect updated devices currently. Also, please note that the following is not an exhaustive list, by any measure. It's simply the result of my static analysis at the time.

 -Samsung Galaxy S5
 -Samsung Galaxy S5
 -Samsung Galaxy Note III
 -Samsung Galaxy S4 
 -Samsung Galaxy Tab Pro 10.1
 -Samsung Galaxy Note Pro 12.2
 -HTC One
 -LG G3
 -LG G2
 -LG G Flex 
 -Sony Xperia Z3 Compact 
 -Sony Xperia Z2 
 -Sony Xperia Z Ultra 
 -Samsung Galaxy S5 Active
 -Samsung Galaxy S5 TD-LTE
 -Samsung Galaxy S5 Sport
 -HTC One (E8)
 -Oneplus One
 -Acer Liquid S2
 -Asus PadFone Infinity
 -Gionee ELIFE E7
 -Sony Xperia Z1 Compact
 -Sony Xperia Z1s
 -ZTE Nubia Z5s
 -Sharp Aquos Xx 302SH
 -Sharp Aquos Xx mini 303SH
 -LG G Pro 2
 -Samsung Galaxy J
 -Samsung Galaxy Note 10.1 2014 Edition (LTE variant)
 -Samsung Galaxy Note 3 (LTE variant)
 -Pantech Vega Secret UP
 -Pantech Vega Secret Note
 -Pantech Vega LTE-A
 -LG Optimus Vu 3
 -Lenovo Vibe Z LTE
 -Samsung Galaxy Tab Pro 8.4
 -Samsung Galaxy Round
 -ZTE Grand S II LTE
 -Samsung Galaxy Tab S 8.4 LTE
 -Samsung Galaxy Tab S 10.5 LTE
 -Samsung Galaxy Tab Pro 10.1 LTE
 -Oppo Find 7 Qing Zhuang Ban
 -Vivo Xshoot Elite
 -IUNI U3
 -Hisense X1
 -Hisense X9T Pantech Vega Iron 2 (A910)
 -Vivo Xplay 3S
 -ZTE Nubia Z5S LTE
 -Sony Xperia Z2 Tablet (LTE variant)
 -Oppo Find 7a International Edition
 -Sharp Aquos Xx304SH
 -Sony Xperia ZL2 SOL25
 -Sony Xperia Z2a
 -Coolpad 8971
 -Sharp Aquos Zeta SH-04F
 -Asus PadFone S
 -Lenovo K920 TD-LTE (China Mobile version)
 -Gionee ELIFE E7L
 -Oppo Find 7
 -ZTE Nubia X6 TD-LTE 128 GB
 -Vivo Xshot Ultimate
 -LG Isai FL
 -ZTE Nubia Z7
 -ZTE Nubia Z7 Max
 -Xiaomi Mi 4
 -InFocus M810

Timeline
  • 19.09.14 - Vulnerability disclosed
  • 19.09.14 - Initial response from QC
  • 22.09.14 - Issue confirmed by QC
  • 01.10.14 - QC issues notice to customers
  • 16.10.14 - QC issues notice to carriers, request for 14 days of embargo
  • 30.10.14 - Embargo expires
I'd like to also point out that after reporting this issue to Qualcomm, I was informed that it has already been internally identified by them prior to my disclosure. However, these kinds of issues require quite a long period of time in order to push a fix, and therefore at the time of my research, the fix had not yet been deployed (at least, not to the best of my knowledge).

Last Words

I'd really like to hear some feedback from you, so please leave a comment below! Feel free to ask about anything.

112 comments:

  1. Great post, sightly hard to understand as i'm spanish but it denotes a deep knowledge of exploting. Contrats and keep on it!

    P.d. When releasing stagefright exploit? :P

    ReplyDelete
    Replies
    1. Thanks! Happy you enjoyed the post.

      The stagefright exploits (I've found quite a few) are coming soon, but the next post will be about a linux kernel exploit.

      Delete
  2. So by reading this (http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html) and this post, to my understanding, if I just want to unlock the bootloader I can do that without going in to so much hassle by simply overwriting the "golbal_flag" value by your zero write primitive right?
    By the way can you publish anything you learned about qfuse structure on msm8974, and the script you wrote to check the bootloader for the exploit?
    Great post. Learned to much since I'm still getting in to this bootloader stuff :)

    Ps. I wish you would've published this a week ago. I bought a amazon fire phone and upgraded to the new firmware last week. I'm sure the old bootloader had the flow and new one doesn't :(

    ReplyDelete
    Replies
    1. I'm planning a much more detailed post about MSM8974 internals, but it'll have to wait a while since I want to first cover a few Android and Linux kernel vulnerabilities...

      Looking at the post you linked to, it refers to the MSM8960 architecture. That version of Snapdragon had a massive documentation leak, that lead to a pretty wide understanding of the QFuses structure. Unfortunately, there's been no such leak for MSM8974, so while some comparisons might be drawn between them, there's no guarantee that other things haven't changed. Since I only have my personal device, I'm not willing to blow QFuses until I'm 100% about their purpose.

      I have done some research into unlocking the Moto X 2014 (which is an MSM8974 device), which I will definitely write about soon, but it's still incomplete.

      Anyway, glad you enjoyed the post! Best of luck with the Fire phone :) Hope the next TrustZone posts help.

      Delete
    2. Great.. Keep up the good work. By the way in the post I linked, he detects the QFuse by analysing aboot image. Not sure the same applies here though.

      Delete
  3. Hey,
    This was an interesting read for sure. You mentioned that the S4 was vulnerable but when examining the tz image for the s4, the address don't match. I was wondering if you had figured out the addresses for the s4 as well. I gained a fair bit of knowledge reading the posts before and the post following this post as well.

    Keep up the great work!

    ReplyDelete
  4. 0x12 -> 0xC in your memory object struct

    ReplyDelete
  5. I thourougly enjoyed this article. i wish the apq8084 (droid turbo)were researched and exploited in this manner. Thank you for your wor and especially for posting so others can learn from it.

    ReplyDelete
    Replies
    1. Thank you! As for APQ8084, wait three weeks, I have a surprise :)

      Delete
  6. AWESOME!!! sounds like Christmas will be good this year.

    ReplyDelete
  7. Why is responsible disclosure necessary here? From what I can tell, this exploit only enables the owner of a device to get full access to the device, which is their right anyway. Why would you tell the manufacturer?

    ReplyDelete
    Replies
    1. Because this can also be used to extract credit card details, create a completely silent RAT, extract fingerprint information and the list goes on...

      Delete
  8. laginimaineb also on MSM 8916 there is a function called

    tz_service <0x3F802, aTzbsp_oem_svc, 0xF, 0x86500ECB, 1> ; "tzbsp_oem_svc"

    which doesnt check the ranges and write 3 dwords to an arbitrary address

    int __fastcall tzbsp_oem_svc(int a1, int a2)
    {
    int v2; // r4@1

    v2 = a2;
    *(_DWORD *)a2 = 0xC;
    *(_DWORD *)(a2 + 4) = get_tzbsp_params(); =>returns 0x0F
    *(_DWORD *)(v2 + 8) = sub_865164FE(); =>returns 0x0
    return 0;
    }

    this can be used to neutralise range check. Contact me on hack3r2k@hack3r2k.com if interested

    ReplyDelete
    Replies
    1. Interesting! MSM8916 is the SoC in the very cheap Moto E 2nd gen., right?

      https://wiki.cyanogenmod.org/w/Surnia_Info

      Delete
    2. Hi Daniel,

      Not sure for the Moto but still this function could be manufacturer related. The phone im researching is an Alcatel 5042

      Delete
  9. Thanks laginimaineb, I write software in higher-level languages but have near to 0 knowledge about low-level. By reading you, I expect to reach a better understanding. Goal is reached for now :)

    The explaination path of your binary quest is very clear, and it's much appreciated.

    In the end, I wonder why the DACR designs such a "fault disabling" feature?

    That feature looks like an obvious present made to attackers in order to abuse a runtime.

    Say that 1 of the DACR registers is entitled to a r/w access permission from a specific origin/caller/translation only: such a definition is a policy rule. If rule matches, instruction runs flawlessly. If it does not, instruction triggers a fault. I don't get why this extra power is given to dodge, to overlook a well-deserved system fault.

    ReplyDelete
    Replies
    1. Hi Tuyutu,

      Thanks for reading!

      From a systems-design perspective, I can think of quite a few situations where enabling memory domains would be a useful feature. Consider, for example, scenarios where different contexts share the same translation tables. One common use-case where this would occur is a user-mode and kernel-mode context for the same task (e.g., on Linux). While the memory mappings for both contexts are the same, we may want to restrict access from the kernel-mode context, in order to prevent accidental cases in which the kernel may be tricked into accessing user-mode mappings inadvertently (such an SMAP). Alternately, you may want to restrict access to kernel mappings within the user's memory ranges, so that user-mode contexts cannot access it.

      That aside, the feature itself should not be a security concern in it's own right. Recall that configuring the DACR requires code execution in an elevated context to begin with. At that privilege level, you could just as well directly modify the translation tables or the translation table control registers - achieving the same effect.

      All the best,
      Gal.

      Delete
  10. Mantap banget gan!!! artikelnya sangat bermanfaat banget..
    Jangan lupa kunjungi juga Blog saya dibawah ini
    Judi Ayam Online
    Agen Togel Online
    Judi Bola Online
    http://www.bolautama88.com
    http://www.pelangi4d.site
    http://www.cumiblogger.com/

    ReplyDelete
  11. In my opinion, people ought to simply invest in V-Bucks if you\\\'re a diehard Fortnite player with anyone show across many platforms. Fortnite V-Bucks gained in But the planet can therefore become invested in new threads into Battle Royale. salsaroc.com

    ReplyDelete
  12. Although, most of organizations use filtered routing devices, firewalls and intrusions identification systems to protect their interests and money. But when we are speaking about web vulnerabilities, many of these safety tips may be useless.There are not so much of them but they can open a particular part of the Net available from the Internet. It may be very hard when a hacker owns a simple Web browser.

    ReplyDelete
  13. This comment has been removed by the author.

    ReplyDelete
  14. This is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST CarGamesDownload

    ReplyDelete
  15. This is such an awesome asset, to the point that you are giving and you give it away for nothing. I adore seeing blog that comprehend the benefit of giving a quality asset to free.jogos online 2019
    play Games friv
    school friv

    ReplyDelete
  16. Thank you so much for the wonderful website. Which made my day and got full information about Ac Market. Loved this website and recommended for all the users.
    Ac Market
    Ac Market APK
    AcMarket

    ReplyDelete
  17. All the time we are looking for the pinoy channel flix updates which we will be get online without getting any paid membership.

    ReplyDelete
  18. Wow Very Nice and informative post you can also watch
    Pinoy Tambayan Shows Philippine tv shows on our website,
    Pinoy ako,
    Pinoytv1, Pinoy Teleserye, Pinoy Tambayan,
    Pinoy Channel and free download here all videos.
    Pinoy Ako Tv, Pinoy Tv Replay, Pinoy Tambayan, Pinoy Tv Show,
    ABS-CBN Tv Show All HD Quality ,
    GMA Network Shows ,Full Episode Watch On PinoyTvShows.Our team at Pinoytvs.su care for our community and bring you daily fresh episodes of your favourite tv shows. You can enjoy your favourite shows, Pinoy Tambayan,
    Pinoy Teleserye and also

    Pinoy lambingan Shows online free in high quality.

    ReplyDelete
  19. Awesome blog. Thank you for sharing this valuable information.
    Canon printer error code b203

    ReplyDelete
  20. nice post you can visit our website for Indian Dramas online free in high quality.

    ReplyDelete
  21. https://crackedhome.com/clip-studio-paint-crack-all-torrent/
    Clip Studio Paint Crack is a useful place where you can easily find Activators, Patch, Full version software Free Download, License key, serial key, keygen, Activation Key and Torrents. Get all of these by easily just on a single click.

    ReplyDelete
  22. Advanced SystemCare Pro Crack Lots of businesses and programmers prefer that end-users like what in one go.
    https://www.thecrackbox.com/advanced-systemcare-crack-with-patch-download/

    ReplyDelete
  23. https://pcgameshere.com/pubg-free-download-full-pc-game/
    PUBG Free Download For Pc: online multiplayer action battle royale shooting Fighting Game. The PUBG Corporation published PUBG Pc Download worldwide.

    ReplyDelete
  24. Viewmypaycheck is the one stop website for the entire tax related query at free of cost just visit viewmypaycheck and you will get all the needed information.

    ReplyDelete
  25. https://autocracked.org/fl-studio-free-crack-plus-all-torrent-2020/
    FL Studio Full Crack is a type of software that composes music for you. It is inclusive software that provides the platform to you compose music sitting the whole thing you want to exist in only one package to increase its performance capability Fruity, Producer and Signature are three versions of fl studio. They have different features according to their cost and performance.

    ReplyDelete
  26. https://fullpcgameshere.com/
    Full Pc Games Here Free Download Full Highly Compressed Available now.

    ReplyDelete

  27. This blog is really awesome Thanks for sharing most valuable information with us.
    DevOps Online Training institute
    DevOps Online Training in Hyderabad

    ReplyDelete
  28. Pepsi77 Cool for the article, very interesting for readers Don't forget to see ours too. Thank you :

    ReplyDelete
  29. Hello, wow I love this blog, such a important information, i like your writing skills and everything about this blog just caught my attention.
    I am also writing on entertainment topics, please read my article,
    if you like it please share and comment, here are my links

    http://counterfeitmoneyonline.net
    http://billsnbills.com

    ReplyDelete
  30. https://pcgamesfully.com/
    Latest Game Crack Free Download Full Version

    ReplyDelete
  31. https://pcgameall.com/
    Pc Games All Full Latest Version Download Free

    ReplyDelete
  32. https://boxcracked.com/
    Full Version Cracked Software Download

    ReplyDelete
  33. https://pcgamespoint.com/
    Pc Game Point Full Crack & software Download

    ReplyDelete
  34. really its amazing and interesting article. i really enjoy this one
    https://chserialkey.com/driver-genius-pro-crack/

    ReplyDelete
  35. i am fully satisfied with this article... its interesting..
    https://shehrozpc.com/smadav-crack/

    ReplyDelete
  36. thank you for written best article.. i love this one..
    https://letcracks.com/displayfusion-crack/

    ReplyDelete
  37. Driver Easy Pro License Key is application software that allows you to find and download lost drivers to your computer.
    https://productkeyhere.com/driver-easy-pro-product-key-free-download/

    ReplyDelete
  38. Tenorshare ReiBoot Pro Crack is an i-OS apparatus retrieval instrument, i-pad contact, or an iPhone.
    https://crackedlol.com/tenorshare-reiboot-pro-with-cracked/

    ReplyDelete
  39. Moreover switching sound and video, then you also can create small edits and changes into caliber. In addition to minimize
    https://crackypro.com/movavi-video-converter-key-with-crack/

    ReplyDelete
  40. This windows software can retrieve each data samples including images, movies, reports, and all records.
    https://crackedpro.org/wondershare-recoverit-plus-cracked/

    ReplyDelete
  41. Bandicam Crack is the most papular new and updated screen recorder software. It will capture something on your system because of the top of the range film.
    https://rootcracks.org/bandicam-crack-with-serial-keys-download/

    ReplyDelete
  42. Best informative site article & Blog.
    Visit VariCAD 2020 Crack Linux Keygen,it is recognized as one of the ever developed software for the computer-aided design creation. There are many competitors and the market leaders of computer-aided designs compete with this software. But due to many amazing and unique features, this software is making its name in the graphics designing industry. Make sure you have the latest version of VariCAD 2020 With Serial Number. Free installed in your computer system for better customer experience.

    ReplyDelete
  43. I visit your site, its have beneficial knowledge for us.
    Aiseesoft MP4 Video Converter Full Crack is an application that helps the user to convert the videos in all formats. By using this program user can download any movie and then can enjoy it on any video player by converting its format. During the conversion of the format, it does not change the quality of the movie.
    Installation of the video players for different formats is not the solution. A good and effective solution is installing Aiseesoft MP4 Video Converter With Registration Key that helps the user to convert the videos in all formats.

    ReplyDelete
  44. You add a good information blog for visitor.
    Please follow us on to get Xrecode III Crack for the conversion of the audio files because many audio players, which play the specific formats of the audio files. For these media players, the user has to convert the one format of the audio into the other format.
    The user must install Xrecode III Keygen Windows. This application is responsible for supporting a wide range of formats. Formats like FLV, 3GP, and ASF. As well as, FLAC, MP3, and WAV are also present.

    ReplyDelete
  45. Moreover, an easy-to-use application. That the best tool that allows you to create your narrative and also broadly. Therefore, it is best and can be, apart from your gift level.
    Wondershare Filmora Free Download

    ReplyDelete
  46. The Forest Crack is a survival terror game. Endnight the horror game development company introduce this game.
    The Forest Free

    ReplyDelete
  47. Agisoft Metashape Professional 1.6.3 Build 10723 Crack is an advanced and powerful 3D reconstruct app that automatically builds 3D models using images. The full version app helps users create 3D files from still images. Agisoft Metashape Pro supported a large list of file format such as JPG, TIF, PNG, BMP, EXR, PPM, MPO, and many more.

    ReplyDelete
  48. The program supplies an all-inclusive toolset of for DJs, for several from of operation degrees. DJay Pro license-key provides
    https://crackitkey.com/djay-pro-full-torrent-here/

    ReplyDelete
  49. Therefore, it uses to scan because you would like. What’s more, it supplies real-time security, however.
    https://crackedsoftpc.com/zemana-antimalware-key/

    ReplyDelete
  50. The interface is so friendly in use that it can be modified and resized from above.
    https://pcprosoft.com/fl-studio-crack-with-torrent/

    ReplyDelete
  51. This specific week. We procured the PS-4 Conserve Wizard Crack using an origin code. Nitro wolf left available as PS 4 guidebook for people interested in.
    https://www.thecrackbox.com/save-wizard-ps4-free-download/

    ReplyDelete
  52. will help you to get your data back easily. Moreover, you can also recover your files, such as documents, music, photos, and videos.
    https://licensekeysfree.com/icare-data-recovery-pro-crack-download/

    ReplyDelete
  53. While there are already many of the program but this tool help to give the aspect of it. If you already let too many of the programs in your
    https://chprokey.com/iobit-uninstaller-pro-key-is-here/

    ReplyDelete
  54. Nero Burning ROM Activation Code maybe not just with automatic noise optimization. But also, with the audio filters and other adjustments to fit your taste.
    https://crackygame.com/nero-burning-rom-crack-full-torrent-free-download/

    ReplyDelete
  55. A good information you provide to your visitor. I really like this page.
    Please Carry on and follow us on Movavi Video Converter With Crack is named as one of the best ever video converting solution available for the customer. You will find many amazing features in this software that will make you amaze and stunning for the benefits.

    ReplyDelete
  56. I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work.
    DevOps Training in Chennai | DevOps Training in anna nagar | DevOps Training in omr | DevOps Training in porur | DevOps Training in tambaram | DevOps Training in velachery

    ReplyDelete
  57. Advanced SystemCare Pro Crack Lots of businesses and programmers prefer that end-users like what in one go. But there’s
    https://www.thecrackbox.com/advanced-systemcare-crack-with-patch-download/

    ReplyDelete
  58. Boom Crack is the awarded wins the software application used to enhance the audio features. This software is specially designed to make play your media types
    https://crackygame.com/boom-3d-crack-full-keygen-here/

    ReplyDelete
  59. Wondershare Dr.Fone Crack is a desktop computer program. It performs together all iOS appliance and most of the Android apparatus.
    https://pcprosoft.com/wondershare-dr-fone-crack-plus-keygen/

    ReplyDelete
  60. SpyHunter Pro 5 Crack is just a potent real-time anti-virus tool built to simply help much fewer computer users protect their PCs from Internet dangers.
    https://crackingkey.com/spyhunter-crack-with-license-key-download-here/

    ReplyDelete
  61. Driver Easy Crack is easy that locates system-lacking motorists and frees them from the computer system.
    https://crackedsoftpc.com/driver-easy-crack-download-here/

    ReplyDelete
  62. 3DMark Crack is the best and efficient tool that use for the system benchmarking. Therefore, it helo you to make selections and also determine all the performance
    https://crackitkey.com/3dmark-full-crack-is-here/

    ReplyDelete
  63. Bandicam Crack Serial Amount combined to send exactly the increased output result for your own process performance.
    https://bluecracked.com/bandicam-full-crack-here/

    ReplyDelete
  64. Macrium Reflect Crack can be an expert application that helps its users to restore and backup files. In addition, it supports SSD trim that offers computerized SSD
    https://chprokey.com/macrium-reflect-fully-crack/

    ReplyDelete
  65. Malwarebytes Crack is the most efficient, secured, and advanced anti-malware program for scanning your devices.
    https://licensekeysfree.com/malwarebytes-license-key-download/

    ReplyDelete
  66. This is utilized to unlock the locked functions of Samsung mobiles. The software works to clear Samsung’s mobile device storage
    https://productkeybox.com/z3x-samsung-tool-pro-full-crack/

    ReplyDelete
  67. Such as the strike of corrupted applications and viruses. This software hacks these types of applications and deletes
    https://productkeyhere.com/spyhunter-5-key-free-download/

    ReplyDelete
  68. A very interesting article, if you have cosmetic problems visit 3 NOVOCLINIC in Madrid, they have promotions for Aesthetics in Madrid, cosmetic surgery in promotion, the best Aesthetic Medical Center in Madrid.
    To congratulate the women with flowers, we have the florist and accessories in Boadilla del Monte store 3 Hana Floristeria. .
    if you need to print large posters on canvas the company,IMC Impresiones company dedicated to large format printing with a 24-hour emergency service so that you do not miss out on your roll up, painting, poster, canvas and much more.
    I found the website 3 company for events, 3 catering for companies, 3 terraces for weddings, all with more than 10 years of experience

    ReplyDelete
  69. Tenorshare 4uKey Crack is an iOS device solution software. That helps you in any type of recovery. This software aids you unlock your device whenever you forget your password.
    Tenorshare 4uKey Crack Free

    ReplyDelete
  70. DraftSight 2020 Crack can be a very potent device for making, sharing, and editing DWG and DXF files. The item is dependent on complex engineer
    DraftSight Crack Full Version

    ReplyDelete
  71. Adobe Photoshop CC Key is one of the common leading software for image editing in all over the world.
    Adobe Photoshop CC Crack free

    ReplyDelete
  72. This comment has been removed by the author.

    ReplyDelete
  73. Driver Easy Pro License Key is application software that allows you to find and download lost drivers to your computer.
    Driver Easy Pro Crack Free

    ReplyDelete
  74. Final Cut Pro X Crack could be your fantastic high-quality program that’s widely employed for editing.
    Final Cut Pro X Crack Free

    ReplyDelete
  75. MATLAB Crack delivers an interactive development environment with its own own terminology. The application form joins a high-speed speech
    MATLAB Crack Free

    ReplyDelete
  76. Thanks for sharing this information. I really Like Very Much.
    devops online training

    ReplyDelete
  77. Thanks for sharing this with us. I just loved your way of presentation. I enjoyed reading this .Thanks for sharing and keep writing.

    Click Below Links and Get Crack & Serial Key Of any software:

    Get all Pc Cracked Software

    IDM Crack
    Adobe Photoshop CC 2020 Crack
    Adobe Illustrator CC 2020 Crack
    IDM Serial keys
    CCleaner Professional 2020 Crack
    FL Studio 2020 Crack


    ReplyDelete
  78. A very good and interesting article, but I would like to inform you of the wedding of some friends in 1 Chapoo Restaurant and the truth is that we loved it, they have meats and delicious grilled fish.
    if you need to celebrate a wedding, communion in Madrid you have website 1Grupo Acadi, catering for events at1 Acadi Catering. If you are looking for a classy terrace visit1 Jardin de Acadi.all with more than 10 years of experience.
    1 IMC Impresiones company dedicated to large format printing with a 24-hour emergency service so that you do not miss out on your roll up, painting, poster, canvas, stickers, polypropylene, photographic paper, etc.

    ReplyDelete
  79. Wondershare Video Converter Ultimate 2020 Crack trim clips, then change or add sound and also add subtitles if you desire.
    https://boxcracked.com/wondershare-video-converter-ultimate-cracked-may-here/

    ReplyDelete
  80. Malwarebytes Premium Crack is just only one if one of the most reliable and user-friendly antimalware pc software.
    https://www.thecrackbox.com/malwarebytes-key-download-here/

    ReplyDelete
  81. Toon Boom Harmony Crack is the powerful and fully supported software application use to create the animations.
    https://crackygame.com/toon-boom-harmony-crack-full-torrent/

    ReplyDelete
  82. FL Studio Crack is a very modern and usually music-making (Software) instrument. You can create quality music using any variety.
    https://pcprosoft.com/fl-studio-crack-patch-key-download/

    ReplyDelete
  83. Magix Music Maker Crack is an expert music authoring software. This grants users the set of fundamental tools for reporting,
    https://crackedpro.org/magix-music-maker-crack-with-keygen/

    ReplyDelete
  84. VueScan Crack is a potent scanning tool that lets you acquire high-quality graphics with a flatbed or film scanner.
    VueScan Crack Free

    ReplyDelete