├── .appveyor.yml ├── .gitignore ├── .gitmodules ├── CMakeLists.txt ├── README.md ├── bee_lvl1_parser ├── CMakeLists.txt ├── LICENSE ├── README.md ├── bee.cpp ├── bee.h └── main.cpp ├── bee_lvl2_converter ├── CMakeLists.txt ├── LICENSE ├── README.md ├── bee.cpp ├── bee.h ├── hs_exe.cpp ├── hs_exe.h ├── main.cpp ├── ns_exe.cpp ├── ns_exe.h ├── rs_exe.cpp ├── rs_exe.h ├── util.h ├── xs_exe.cpp └── xs_exe.h ├── pics ├── format.png ├── ns_format1.png ├── ns_format_imports.png ├── rcx_format.png ├── rdx_format.png └── scrambled_pe1.png ├── rcx_converter ├── CMakeLists.txt ├── LICENSE ├── README.md ├── main.cpp ├── rcx.cpp ├── rcx.h ├── shellcode2.h ├── util.cpp └── util.h └── rdx_converter ├── CMakeLists.txt ├── LICENSE ├── README.md ├── dir_util.cpp ├── dir_util.h ├── main.cpp ├── rdx.cpp └── rdx.h /.appveyor.yml: -------------------------------------------------------------------------------- 1 | os: 2 | - Visual Studio 2015 3 | 4 | platform: x64 5 | - x64 6 | 7 | branches: 8 | only: 9 | - master 10 | 11 | install: 12 | - git submodule update --init --recursive 13 | - set PATH=C:\Program Files\CMake\bin;%PATH% 14 | 15 | build: 16 | verbosity: detailed 17 | 18 | configuration: 19 | - Release 20 | - Debug 21 | 22 | environment: 23 | artifactName: $(APPVEYOR_PROJECT_NAME)-$(APPVEYOR_REPO_COMMIT)-$(CONFIGURATION) 24 | matrix: 25 | - env_arch: "x64" 26 | - env_arch: "x86" 27 | 28 | before_build: 29 | - mkdir build 30 | - cd build 31 | - if [%env_arch%]==[x64] ( 32 | cmake .. -A x64 ) 33 | - if [%env_arch%]==[x86] ( 34 | cmake .. ) 35 | - cmake -DCMAKE_INSTALL_PREFIX:PATH=%APPVEYOR_BUILD_FOLDER%/%APPVEYOR_REPO_COMMIT% .. 36 | 37 | build_script: 38 | - cmake --build . --config %CONFIGURATION% --target install 39 | 40 | after_build: 41 | - mkdir %artifactName% 42 | - cp %APPVEYOR_BUILD_FOLDER%/%APPVEYOR_REPO_COMMIT%/* %artifactName% 43 | 44 | artifacts: 45 | - path: build\%artifactName% 46 | 47 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.bak 2 | 3 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libpeconv"] 2 | path = libpeconv 3 | url = https://github.com/hasherezade/libpeconv.git 4 | [submodule "rcx_converter/tiny-AES-c"] 5 | path = rcx_converter/tiny-AES-c 6 | url = https://github.com/kokke/tiny-AES-c.git 7 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required ( VERSION 3.0 ) 2 | 3 | project ( hidden_bee_tools ) 4 | 5 | # libs 6 | # modules: 7 | set ( M_PARSER "libpeconv/libpeconv" ) 8 | 9 | # modules paths: 10 | set (PECONV_DIR "${CMAKE_SOURCE_DIR}/${M_PARSER}" CACHE PATH "PEConv main path") 11 | add_subdirectory ( ${PECONV_DIR} ) 12 | set ( PECONV_LIB $ CACHE PATH "PEConvLib library path" ) 13 | 14 | # Add sub-directories 15 | # 16 | add_subdirectory ( bee_lvl1_parser ) 17 | add_subdirectory ( bee_lvl2_converter ) 18 | add_subdirectory ( rcx_converter ) 19 | add_subdirectory ( rdx_converter ) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hidden Bee & Rhadamanthys tools 2 | 3 | [![Build status](https://ci.appveyor.com/api/projects/status/pcbh0elgs3m6ua9o?svg=true)](https://ci.appveyor.com/project/hasherezade/hidden-bee-tools) 4 | 5 | Helper tools for custom modules used by: 6 | + Hidden Bee miner 7 | + Rhadamanthys stealer 8 | 9 | Parsers and converters custom executable formats. 10 | 11 | Clone: 12 | - 13 | Use recursive clone to get the repo together with all the submodules: 14 | 
15 | git clone --recursive https://github.com/hasherezade/hidden_bee_tools.git
16 |
17 | -------------------------------------------------------------------------------- /bee_lvl1_parser/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.12) 2 | 3 | # replace "project_template" by your own project name: 4 | project ( bee_lvl1_parser ) 5 | 6 | set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") 7 | 8 | # include libpeconv headers: 9 | include_directories ( ${PECONV_DIR}/include ) 10 | 11 | set (srcs 12 | bee.cpp 13 | ) 14 | 15 | # general headers - they will be used for both EXE and DLL: 16 | set (hdrs 17 | bee.h 18 | ) 19 | 20 | # Choose to build the DLL or EXE 21 | add_executable ( ${PROJECT_NAME} ${exe_hdrs} ${srcs} main.cpp ) 22 | 23 | # link with libpeconv.lib 24 | target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} ) 25 | 26 | #dependencies: 27 | add_dependencies( ${PROJECT_NAME} libpeconv ) 28 | 29 | INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} ) 30 | -------------------------------------------------------------------------------- /bee_lvl1_parser/LICENSE: -------------------------------------------------------------------------------- 1 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 2 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 3 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 4 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 5 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 6 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 7 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 8 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 9 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 10 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 11 | -------------------------------------------------------------------------------- /bee_lvl1_parser/README.md: -------------------------------------------------------------------------------- 1 | # bee_lvl1_parser 2 | 3 | Parses a custom executable format used by the elements of the Hidden Bee miner.
4 | 5 | Samples:
6 | + [087fd1f1932cdc1949b6bbbd56c7689636dd47043c2f0b6002c9afb979d0c1dd](https://www.virustotal.com/#/file/087fd1f1932cdc1949b6bbbd56c7689636dd47043c2f0b6002c9afb979d0c1dd/detection) 7 | + [c1a6df241239359731c671203925a8265cf82a0c8c20c94d57a6a1ed09dec289](https://www.virustotal.com/#/file/c1a6df241239359731c671203925a8265cf82a0c8c20c94d57a6a1ed09dec289/detection) 8 | 9 | Format:
10 | ![diagram](../pics/format.png) 11 | -------------------------------------------------------------------------------- /bee_lvl1_parser/bee.cpp: -------------------------------------------------------------------------------- 1 | #include "bee.h" 2 | 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | std::ofstream patch_report; 9 | 10 | bool init_tag_file(std::string reportPath) 11 | { 12 | patch_report.open(reportPath); 13 | if (patch_report.is_open() == false) { 14 | return false; 15 | } 16 | return true; 17 | } 18 | 19 | bool append_tag(DWORD tag_addr, const std::string name) 20 | { 21 | if (patch_report.is_open() == false) { 22 | return false; 23 | } 24 | patch_report << std::hex << tag_addr << ";" << name << std::endl; 25 | return true; 26 | } 27 | 28 | bool close_tag_file() 29 | { 30 | if (patch_report.is_open()) { 31 | patch_report.close(); 32 | } 33 | return true; 34 | } 35 | 36 | DWORD checksum(const char *func_name) 37 | { 38 | DWORD result = 0x1505; 39 | while ( *func_name ) 40 | result = *func_name++ + 33 * result; 41 | return result; 42 | } 43 | 44 | void print_iat(BYTE* mod, size_t mod_size, t_bee_hdr* hdr, size_t start, size_t count, HMODULE lib) 45 | { 46 | std::vector names_list; 47 | size_t names_count = peconv::get_exported_names(lib, names_list); 48 | 49 | DWORD* iat_ptr = (DWORD*)((ULONGLONG)mod + hdr->iat); 50 | for (size_t i = start; i < start + count; i++) { 51 | DWORD needed = iat_ptr[i]; 52 | DWORD tag_addr = (hdr->iat + i*sizeof(DWORD)); 53 | std::cout << "\t" << std::hex << iat_ptr[i] << " : "; 54 | for (size_t i = 0; i < names_count; i++) { 55 | DWORD checks = checksum(names_list[i].c_str()); 56 | if (checks == needed) { 57 | std::cout << names_list[i]; 58 | append_tag(tag_addr, names_list[i]); 59 | break; 60 | } 61 | } 62 | std::cout << std::endl; 63 | } 64 | } 65 | 66 | void print_dlls(BYTE* mod, size_t mod_size, t_bee_hdr* hdr) 67 | { 68 | std::cout << "--IMPORTS--" << std::endl; 69 | BYTE* names_ptr = (BYTE*)((ULONGLONG)mod + hdr->dll_list); 70 | size_t total_func = 0; 71 | 72 | for (size_t i = 0; i < 10; i++) { 73 | t_dll_name* names = (t_dll_name*) names_ptr; 74 | 75 | if (names == nullptr) break; 76 | if (names->name == 0) break; 77 | 78 | char *dll_name = &names->name; 79 | 80 | std::cout << std::hex << names->func_count << " : "; 81 | std::cout << dll_name << std::endl; 82 | 83 | HMODULE lib = LoadLibraryA(dll_name); 84 | print_iat(mod, mod_size, hdr, total_func, names->func_count, lib); 85 | 86 | size_t len = strlen(dll_name); 87 | names_ptr += len + 3; 88 | total_func += names->func_count; 89 | } 90 | std::cout << "Total func: " << std::hex << total_func << std::endl; 91 | } 92 | 93 | void print_relocs(BYTE* mod, size_t mod_size, t_bee_hdr* hdr) 94 | { 95 | std::cout << "--RELOCS--" << std::endl; 96 | DWORD* relocs_ptr = (DWORD*)((ULONGLONG)mod + hdr->relocs); 97 | size_t relocs_num = hdr->relocs_size / sizeof(DWORD); 98 | 99 | for (size_t i = 0; i < relocs_num; i++) { 100 | DWORD reloc_offset = *relocs_ptr; 101 | DWORD* reloc_field = (DWORD*)((ULONGLONG)mod + reloc_offset); 102 | DWORD value = *reloc_field; 103 | if ( value > hdr->mod_size) { 104 | std::cout << "[ERROR] Invalid reloc field" << std::endl; 105 | } 106 | std::cout << *relocs_ptr << " : " << value << std::endl; 107 | relocs_ptr++; 108 | } 109 | } 110 | 111 | t_bee_hdr* fetch_main_header(BYTE* mod, size_t mod_size) 112 | { 113 | t_bee_hdr* hdr = (t_bee_hdr*)mod; 114 | if (hdr->magic != 0x10000301) { 115 | std::cout << "[ERROR] Unrecognized magic!" << std::endl; 116 | return nullptr; 117 | } 118 | if (hdr->mod_size != mod_size) { 119 | std::cout << "[ERROR] Size mismatch! " << hdr->mod_size << " vs " << mod_size << std::endl; 120 | return nullptr; 121 | } 122 | return hdr; 123 | } 124 | 125 | bool print_main_header(t_bee_hdr* hdr) 126 | { 127 | std::cout << "--HEADERS--" << std::endl; 128 | std::cout << "magic : " << std::hex << hdr->magic << std::endl; 129 | std::cout << "DLLs: " << std::hex << hdr->dll_list << std::endl; 130 | std::cout << "IAT: " << std::hex << hdr->iat << std::endl; 131 | std::cout << "EP : " << std::hex << hdr->ep << std::endl; 132 | std::cout << "size : " << std::hex << hdr->mod_size << std::endl; 133 | std::cout << "relocs_size : " << std::hex << hdr->relocs_size << std::endl; 134 | std::cout << "relocs : " << std::hex << hdr->relocs << std::endl; 135 | return true; 136 | } 137 | 138 | bool parse_bee(std::string filename) 139 | { 140 | size_t mod_size = 0; 141 | BYTE* mod = peconv::load_file(filename.c_str(), mod_size); 142 | if (!mod) { 143 | return false; 144 | } 145 | t_bee_hdr* hdr = fetch_main_header(mod, mod_size); 146 | if (!hdr) { 147 | std::cout << "[ERROR] Invalid header!" << mod_size << std::endl; 148 | return false; 149 | } 150 | print_main_header(hdr); 151 | 152 | init_tag_file(filename + ".tag"); 153 | print_dlls(mod, mod_size, hdr); 154 | close_tag_file(); 155 | 156 | print_relocs(mod, mod_size, hdr); 157 | peconv::free_file(mod); 158 | return true; 159 | } 160 | -------------------------------------------------------------------------------- /bee_lvl1_parser/bee.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | typedef struct { 7 | DWORD magic; 8 | 9 | WORD dll_list; 10 | WORD iat; 11 | DWORD ep; 12 | DWORD mod_size; 13 | 14 | DWORD relocs_size; 15 | DWORD relocs; 16 | } t_bee_hdr; 17 | 18 | typedef struct { 19 | WORD func_count; 20 | char name; 21 | } t_dll_name; 22 | 23 | 24 | DWORD checksum(const char *func_name); 25 | 26 | bool parse_bee(std::string filename); 27 | 28 | -------------------------------------------------------------------------------- /bee_lvl1_parser/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "bee.h" 6 | 7 | int main(int argc, char *argv[]) 8 | { 9 | if (argc < 2) { 10 | std::cout << "Args: " << std::endl; 11 | system("pause"); 12 | return -1; 13 | } 14 | parse_bee(argv[1]); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /bee_lvl2_converter/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.12) 2 | 3 | # replace "project_template" by your own project name: 4 | project ( bee_lvl2_converter ) 5 | 6 | set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") 7 | 8 | # include libpeconv headers: 9 | include_directories ( ${PECONV_DIR}/include ) 10 | 11 | set (srcs 12 | bee.cpp 13 | ns_exe.cpp 14 | rs_exe.cpp 15 | hs_exe.cpp 16 | xs_exe.cpp 17 | ) 18 | 19 | # general headers - they will be used for both EXE and DLL: 20 | set (hdrs 21 | bee.h 22 | ns_exe.h 23 | rs_exe.h 24 | hs_exe.h 25 | xs_exe.h 26 | util.h 27 | ) 28 | 29 | # Choose to build the DLL or EXE 30 | add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} main.cpp ) 31 | 32 | # link with libpeconv.lib 33 | target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} ) 34 | 35 | #dependencies: 36 | add_dependencies( ${PROJECT_NAME} libpeconv ) 37 | 38 | INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} ) 39 | -------------------------------------------------------------------------------- /bee_lvl2_converter/LICENSE: -------------------------------------------------------------------------------- 1 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 2 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 3 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 4 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 5 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 6 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 7 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 8 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 9 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 10 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 11 | -------------------------------------------------------------------------------- /bee_lvl2_converter/README.md: -------------------------------------------------------------------------------- 1 | # bee_lvl2_converter 2 | 3 | Converts a custom executable formats used by: 4 | + Hidden Bee miner 5 | + Rhadamanthys stealer 6 | 7 | into a PE. 8 | 9 | # Usage 10 | 11 | ``` 12 | Converter for Hidden Bee & Rhadamanthys custom executable formats 13 | Args: 14 | ``` 15 | 16 | + `input module` -> custom module of Hidden Bee or Rhadamanthys, in one of the supported formats (see below) 17 | + `is_mapped` -> `0` if the module in a raw format, `1` if in virtual. 18 | + `module base` -> if the module was relocated to the load base, you need to input the base here 19 | 20 | 21 | # Supported formats 22 | 23 | ## Rhadamanthys 24 | + RS 25 | + HS 26 | + XS (v1 and v2) 27 | 28 | More details: https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/ 29 | 30 | ## Hidden Bee 31 | + NE 32 | + NS 33 | 34 | 35 | ### NE Format: 36 | 37 | Changes in the PE header:
38 | 39 | ![diagram](../pics/scrambled_pe1.png) 40 | 41 | ### NS Format: 42 | 43 | Changes in the PE header:
44 | 45 | ![diagram](../pics/ns_format1.png) 46 |
47 | 48 | Shrinked Import Table: 49 | 50 | ![diagram](../pics/ns_format_imports.png) 51 | -------------------------------------------------------------------------------- /bee_lvl2_converter/bee.cpp: -------------------------------------------------------------------------------- 1 | #include "bee.h" 2 | #include 3 | 4 | BEE_TYPE check_type(BYTE *buf, size_t buf_size) 5 | { 6 | if (memcmp(buf, &MAGIC2, sizeof(MAGIC2)) == 0) { 7 | return BEE_SCRAMBLED2; 8 | } 9 | if (memcmp(buf, &MAGIC1, sizeof(MAGIC1)) == 0) { 10 | return BEE_SCRAMBLED1; 11 | } 12 | if (memcmp(buf, &NS_MAGIC, sizeof(NS_MAGIC)) == 0) { 13 | return BEE_NS_FORMAT; 14 | } 15 | if (memcmp(buf, &RS_MAGIC, sizeof(RS_MAGIC)) == 0) { 16 | return RHADAM_RS_FORMAT; 17 | } 18 | if (memcmp(buf, &HS_MAGIC, sizeof(HS_MAGIC)) == 0) { 19 | return RHADAM_HS_FORMAT; 20 | } 21 | if (memcmp(buf, &XS_MAGIC, sizeof(XS_MAGIC)) == 0) { 22 | return RHADAM_XS_FORMAT; 23 | } 24 | return BEE_NONE; 25 | } 26 | 27 | template 28 | bool unscramble_pe(BYTE *buf, size_t buf_size) 29 | { 30 | T_BEE_SCRAMBLED *hdr = (T_BEE_SCRAMBLED*)buf; 31 | std::cout << std::hex 32 | << "Magic: " << hdr->magic 33 | << "\nMachineId: " << hdr->machine_id 34 | << "\nOffset: " << hdr->pe_offset 35 | << std::endl; 36 | 37 | WORD *mz_ptr = (WORD*)buf; 38 | DWORD *pe_ptr = (DWORD*)(buf + hdr->pe_offset); 39 | 40 | *mz_ptr = IMAGE_DOS_SIGNATURE; 41 | *pe_ptr = IMAGE_NT_SIGNATURE; 42 | 43 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)buf; 44 | dos_hdr->e_lfanew = hdr->pe_offset; 45 | 46 | IMAGE_FILE_HEADER* file_hdrs = const_cast(peconv::get_file_hdr(buf, buf_size)); 47 | if (!file_hdrs) return false; 48 | 49 | file_hdrs->Machine = hdr->machine_id; 50 | return true; 51 | } 52 | 53 | BLOB unscramble_bee_to_pe(BYTE *buf, size_t buf_size, bool is_mapped) 54 | { 55 | BLOB mod = { 0 }; 56 | BEE_TYPE type = check_type(buf, buf_size); 57 | if (type == BEE_NONE) { 58 | std::cout << "Unrecognized module!\n"; 59 | return mod; 60 | } 61 | 62 | mod.pBlobData = buf; 63 | mod.cbSize = buf_size; 64 | 65 | std::cout << "Type: " << type << std::endl; 66 | switch (type) { 67 | case BEE_SCRAMBLED2: 68 | unscramble_pe(buf, buf_size); 69 | break; 70 | case BEE_SCRAMBLED1: 71 | unscramble_pe(buf, buf_size); 72 | break; 73 | case BEE_NS_FORMAT: 74 | ns_exe::unscramble_pe(buf, buf_size); 75 | break; 76 | case RHADAM_RS_FORMAT: 77 | mod = rs_exe::unscramble_pe(buf, buf_size, is_mapped); 78 | break; 79 | case RHADAM_HS_FORMAT: 80 | mod = hs_exe::unscramble_pe(buf, buf_size, is_mapped); 81 | break; 82 | case RHADAM_XS_FORMAT: 83 | xs_exe::xs_variants format = xs_exe::check_xs_variant(buf, buf_size); 84 | if (format == xs_exe::XS_VARIANT1_A) { 85 | std::cout << "XS1 variant A (Rhadamanthys v. < 0.9.0)\n"; 86 | mod = xs_exe::xs1::unscramble_pe_A(buf, buf_size, is_mapped); 87 | } 88 | else if (format == xs_exe::XS_VARIANT1_B) { 89 | std::cout << "XS1 variant B (Rhadamanthys v. >= 0.9.0)\n"; 90 | mod = xs_exe::xs1::unscramble_pe_B(buf, buf_size, is_mapped); 91 | } 92 | else if (format == xs_exe::XS_VARIANT2) { 93 | std::cout << "XS2\n"; 94 | #ifdef _WIN64 95 | bool is32b = false; 96 | std::cout << "Assuming that the module is 64 bit\n"; 97 | #else 98 | bool is32b = true; 99 | std::cout << "Assuming that the module is 32 bit\n"; 100 | #endif 101 | mod = xs_exe::xs2::unscramble_pe(buf, buf_size, is_mapped, is32b); 102 | } 103 | break; 104 | } 105 | return mod; 106 | } 107 | -------------------------------------------------------------------------------- /bee_lvl2_converter/bee.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "ns_exe.h" 7 | #include "rs_exe.h" 8 | #include "hs_exe.h" 9 | #include "xs_exe.h" 10 | 11 | const WORD MAGIC1 = 0x454e; 12 | const DWORD MAGIC2 = 0x0EF1FAB9; 13 | 14 | enum BEE_TYPE { 15 | BEE_NONE, 16 | BEE_SCRAMBLED1, 17 | BEE_NS_FORMAT, 18 | RHADAM_RS_FORMAT, 19 | RHADAM_HS_FORMAT, 20 | RHADAM_XS_FORMAT, 21 | BEE_SCRAMBLED2 22 | }; 23 | 24 | typedef struct { 25 | WORD magic; // 0x454e 26 | WORD machine_id; 27 | WORD pe_offset; 28 | } t_scrambled1; 29 | 30 | typedef struct { 31 | DWORD magic; // 0x0EF1FAB9 32 | WORD machine_id; 33 | WORD pe_offset; 34 | } t_scrambled2; 35 | 36 | BEE_TYPE check_type(BYTE *buf, size_t buf_size); 37 | 38 | BLOB unscramble_bee_to_pe(BYTE *buf, size_t buf_size, bool is_mapped); 39 | -------------------------------------------------------------------------------- /bee_lvl2_converter/hs_exe.cpp: -------------------------------------------------------------------------------- 1 | #include "hs_exe.h" 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include "util.h" 10 | using namespace hs_exe; 11 | 12 | namespace hs_exe { 13 | 14 | uint64_t make_img_base(t_HS_format* bee_hdr) 15 | { 16 | const uint64_t img_base = ((uint64_t)bee_hdr->module_base_high) << (sizeof(DWORD) * 8) | bee_hdr->module_base_low; 17 | return img_base; 18 | } 19 | } 20 | 21 | template 22 | bool fill_nt_hdrs(t_HS_format *bee_hdr, T_IMAGE_OPTIONAL_HEADER *nt_hdr) 23 | { 24 | const int kMinAlign = util::get_first_section(&bee_hdr->sections, bee_hdr->sections_count, true); 25 | nt_hdr->SectionAlignment = util::calc_sec_alignment(&bee_hdr->sections, bee_hdr->sections_count, true); 26 | nt_hdr->FileAlignment = nt_hdr->SectionAlignment; 27 | 28 | nt_hdr->ImageBase = make_img_base(bee_hdr); 29 | nt_hdr->AddressOfEntryPoint = bee_hdr->entry_point; 30 | 31 | nt_hdr->SizeOfHeaders = kMinAlign; 32 | nt_hdr->SizeOfImage = bee_hdr->module_size; 33 | 34 | nt_hdr->Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI; 35 | nt_hdr->NumberOfRvaAndSizes = 16; 36 | 37 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = bee_hdr->data_dir[HS_IMPORTS].dir_va; 38 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = bee_hdr->data_dir[HS_IMPORTS].dir_size; 39 | 40 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress = bee_hdr->data_dir[HS_EXCEPTIONS].dir_va; 41 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size = bee_hdr->data_dir[HS_EXCEPTIONS].dir_size; 42 | 43 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = bee_hdr->data_dir[HS_RELOCATIONS].dir_va; 44 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = bee_hdr->data_dir[HS_RELOCATIONS].dir_size; 45 | return true; 46 | } 47 | 48 | bool fill_sections(t_HS_section* rs_section, IMAGE_SECTION_HEADER* sec_hdr, size_t sections_count) 49 | { 50 | for (size_t i = 0; i < sections_count; i++) { 51 | 52 | sec_hdr[i].VirtualAddress = rs_section[i].va; 53 | sec_hdr[i].PointerToRawData = rs_section[i].va; 54 | sec_hdr[i].SizeOfRawData = rs_section[i].size; 55 | sec_hdr[i].Misc.VirtualSize = rs_section[i].size; 56 | sec_hdr[i].Characteristics = 0xE0000000; 57 | } 58 | return true; 59 | } 60 | 61 | size_t count_imports(t_HS_import *rs_import) 62 | { 63 | for (size_t i = 0; true; i++) { 64 | if (rs_import[i].first_thunk == 0 && rs_import[i].original_first_thunk == 0) { 65 | return i; 66 | } 67 | } 68 | return 0; 69 | } 70 | 71 | bool fill_imports(t_HS_import *rs_import, IMAGE_IMPORT_DESCRIPTOR *imp_desc, size_t dlls_count) 72 | { 73 | for (size_t i = 0; i < dlls_count; i++) { 74 | if (rs_import[i].first_thunk == 0 && rs_import[i].original_first_thunk == 0) break; 75 | imp_desc[i].FirstThunk = rs_import[i].first_thunk; 76 | imp_desc[i].OriginalFirstThunk = rs_import[i].original_first_thunk; 77 | imp_desc[i].Name = rs_import[i].dll_name_rva; 78 | } 79 | return true; 80 | } 81 | namespace hs_exe { 82 | void print_format(t_HS_format* bee_hdr) 83 | { 84 | std::cout << "Format: HS\n"; 85 | std::cout << std::hex 86 | << "Magic: " << bee_hdr->magic 87 | << "\nMachineId: " << bee_hdr->machine_id 88 | << "\nEP: " << bee_hdr->entry_point 89 | << "\nModuleSize: " << bee_hdr->module_size 90 | << "\nSectionsCount: " << bee_hdr->sections_count 91 | << "\nUnk1: " << bee_hdr->unk1 92 | << "\nImgBase: " << make_img_base(bee_hdr) 93 | << "\nUnk2: " << bee_hdr->unk2 94 | << "\n" << std::endl; 95 | } 96 | }; 97 | 98 | 99 | void print_sections(t_HS_section *rs_section, size_t sections_count) 100 | { 101 | std::cout << "---SECTIONS---\n"; 102 | for (size_t i = 0; i < sections_count; i++) { 103 | std::cout << "VA: " << std::hex << rs_section[i].va << "\t" 104 | << "raw: " << std::hex << rs_section[i].raw_addr << "\t" 105 | << "Size: " << rs_section[i].size << "\n"; 106 | } 107 | } 108 | 109 | void copy_sections(t_HS_format* bee_hdr, BYTE* in_buf, BYTE* out_buf, size_t out_size, bool isMapped) 110 | { 111 | t_HS_section* rs_section = &bee_hdr->sections; 112 | for (size_t i = 0; i < bee_hdr->sections_count; i++) { 113 | const DWORD raw = isMapped ? rs_section[i].va : rs_section[i].raw_addr; 114 | ::memcpy((BYTE*)((ULONG_PTR)out_buf + rs_section[i].va), (BYTE*)((ULONG_PTR)in_buf + raw), rs_section[i].size); 115 | } 116 | } 117 | 118 | BLOB hs_exe::unscramble_pe(BYTE *in_buf, size_t buf_size, bool isMapped) 119 | { 120 | BLOB mod = { 0 }; 121 | t_HS_format *bee_hdr = (t_HS_format*)in_buf; 122 | size_t out_size = buf_size > bee_hdr->module_size ? buf_size : bee_hdr->module_size; 123 | if (out_size < PAGE_SIZE) out_size = PAGE_SIZE; 124 | 125 | BYTE* out_buf = (BYTE*)::malloc(out_size); 126 | if (!out_buf) return mod; 127 | 128 | ::memset(out_buf, 0, out_size); 129 | 130 | hs_exe::print_format(bee_hdr); 131 | print_sections(&bee_hdr->sections, bee_hdr->sections_count); 132 | 133 | const size_t rec_size = PAGE_SIZE; 134 | if (bee_hdr->hdr_size > rec_size) return mod; 135 | 136 | BYTE *rec_hdr = new BYTE[rec_size]; 137 | memset(rec_hdr, 0, rec_size); 138 | 139 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)rec_hdr; 140 | dos_hdr->e_magic = IMAGE_DOS_SIGNATURE; 141 | dos_hdr->e_lfanew = sizeof(IMAGE_DOS_HEADER); 142 | 143 | DWORD *pe_ptr = (DWORD*)(dos_hdr->e_lfanew + (ULONG_PTR)rec_hdr); 144 | *pe_ptr = IMAGE_NT_SIGNATURE; 145 | 146 | IMAGE_FILE_HEADER* file_hdrs = (IMAGE_FILE_HEADER*)((ULONG_PTR)rec_hdr + dos_hdr->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)); 147 | file_hdrs->Machine = bee_hdr->machine_id; 148 | file_hdrs->NumberOfSections = bee_hdr->sections_count; 149 | 150 | BYTE *opt_hdr = (BYTE*)((ULONG_PTR)file_hdrs + sizeof(IMAGE_FILE_HEADER)); 151 | size_t opt_hdr_size = 0; 152 | if (bee_hdr->machine_id == IMAGE_FILE_MACHINE_AMD64) { 153 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE; 154 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER64); 155 | IMAGE_OPTIONAL_HEADER64* opt_hdr64 = (IMAGE_OPTIONAL_HEADER64*)opt_hdr; 156 | opt_hdr64->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; 157 | fill_nt_hdrs(bee_hdr, opt_hdr64); 158 | 159 | } 160 | else { 161 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE; 162 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER32); 163 | IMAGE_OPTIONAL_HEADER32* opt_hdr32 = (IMAGE_OPTIONAL_HEADER32*)opt_hdr; 164 | opt_hdr32->Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC; 165 | fill_nt_hdrs(bee_hdr, opt_hdr32); 166 | } 167 | 168 | file_hdrs->SizeOfOptionalHeader = (WORD)opt_hdr_size; 169 | IMAGE_SECTION_HEADER *sec_hdr = (IMAGE_SECTION_HEADER*)((ULONG_PTR)opt_hdr + opt_hdr_size); 170 | peconv::dump_to_file("rec_hdr1.bin", rec_hdr, rec_size); 171 | fill_sections(&bee_hdr->sections, sec_hdr, bee_hdr->sections_count); 172 | 173 | peconv::dump_to_file("rec_hdr2.bin", rec_hdr, rec_size); 174 | ::memcpy(out_buf, rec_hdr, PAGE_SIZE); 175 | delete[]rec_hdr; rec_hdr = nullptr; 176 | 177 | copy_sections(bee_hdr, in_buf, out_buf, out_size, isMapped); 178 | 179 | //WARNING: if the file alignment differs from virtual alignmnent it needs to be converted! 180 | DWORD imports_raw = bee_hdr->data_dir[HS_IMPORTS].dir_va; 181 | 182 | t_HS_import *rs_import = (t_HS_import*)((ULONG_PTR)out_buf + imports_raw); 183 | size_t dlls_count = count_imports(rs_import); 184 | 185 | //std::cout << "DLLs count: " << dlls_count << std::endl; 186 | const size_t imp_area_size = dlls_count * sizeof(IMAGE_IMPORT_DESCRIPTOR); 187 | 188 | BYTE *rec_imports = new BYTE[imp_area_size]; 189 | memset(rec_imports, 0, imp_area_size); 190 | fill_imports(rs_import, (IMAGE_IMPORT_DESCRIPTOR*)rec_imports, dlls_count); 191 | 192 | memcpy(out_buf + imports_raw, rec_imports, imp_area_size); 193 | delete[]rec_imports; rec_imports = nullptr; 194 | 195 | std::cout << "Finished...\n"; 196 | mod.pBlobData = out_buf; 197 | mod.cbSize = out_size; 198 | return mod; 199 | } 200 | -------------------------------------------------------------------------------- /bee_lvl2_converter/hs_exe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const WORD HS_MAGIC = 0x5348; 6 | 7 | namespace hs_exe { 8 | 9 | const size_t HS_DATA_DIR_COUNT = 3; 10 | 11 | enum data_dir_id { 12 | HS_IMPORTS = 0, 13 | HS_EXCEPTIONS, 14 | HS_RELOCATIONS = 2 15 | }; 16 | 17 | typedef struct { 18 | DWORD dir_va; 19 | DWORD dir_size; 20 | } t_HS_data_dir; 21 | 22 | typedef struct { 23 | DWORD va; 24 | DWORD size; 25 | DWORD raw_addr; 26 | } t_HS_section; 27 | 28 | typedef struct { 29 | DWORD dll_name_rva; 30 | DWORD original_first_thunk; 31 | DWORD first_thunk; 32 | } t_HS_import; 33 | 34 | typedef struct { 35 | WORD magic; // 0x5352 36 | WORD machine_id; 37 | WORD sections_count; 38 | WORD hdr_size; 39 | DWORD entry_point; 40 | DWORD module_size; 41 | DWORD unk1; 42 | DWORD module_base_high; 43 | DWORD module_base_low; 44 | DWORD unk2; 45 | t_HS_data_dir data_dir[HS_DATA_DIR_COUNT]; 46 | t_HS_section sections; 47 | } t_HS_format; 48 | 49 | BLOB unscramble_pe(BYTE *buf, size_t buf_size, bool isMapped); 50 | }; 51 | -------------------------------------------------------------------------------- /bee_lvl2_converter/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "bee.h" 7 | 8 | #define VERSION "2.1" 9 | 10 | int main(int argc, char *argv[]) 11 | { 12 | if (argc < 3) { 13 | std::cout << "Converter for Hidden Bee & Rhadamanthys custom executable formats\n"; 14 | std::cout << "Version: " << VERSION << ", Build date: " << __DATE__ << "\n---\n"; 15 | std::cout << "Args: \n"; 16 | std::cout << "\t*input_module : custom module of Hidden Bee or Rhadamanthys, in one of the supported formats.\n"; 17 | std::cout << "\t*is_mapped? : 0 if the module in a raw format, 1 if in virtual.\n"; 18 | std::cout << "\t*module_base:hex : if the module was relocated to the load base, you need to input the base here.\n"; 19 | std::cout << std::endl; 20 | system("pause"); 21 | return -1; 22 | } 23 | size_t buf_size = 0; 24 | BYTE* buf = peconv::load_file(argv[1], buf_size); 25 | if (!buf) { 26 | std::cout << "Could not open the file!\n"; 27 | return 0; 28 | } 29 | bool is_mapped = false; 30 | if (argv[2][0] == '1') { 31 | is_mapped = true; 32 | std::cout << "Supplied module in a virtual format!\n"; 33 | } 34 | else { 35 | std::cout << "Supplied module in a raw format!\n"; 36 | } 37 | 38 | BLOB out_mod = unscramble_bee_to_pe(buf, buf_size, is_mapped); 39 | if (!out_mod.pBlobData) { 40 | std::cout << "Failed to unscramble!\n"; 41 | return -1; 42 | } 43 | #ifdef _DEBUG 44 | peconv::dump_to_file("demo.bin", out_mod.pBlobData, out_mod.cbSize); 45 | #endif 46 | peconv::t_pe_dump_mode dump_mode = peconv::PE_DUMP_AUTO; 47 | std::string out_path = std::string(argv[1]) + ".pe"; 48 | ULONGLONG module_base = 0; 49 | if (argc >= 4) { 50 | if (sscanf(argv[3], "%llX", &module_base) == 0) { 51 | sscanf(argv[3], "%#llX", &module_base); 52 | } 53 | } 54 | if (module_base == 0) { 55 | module_base = peconv::get_image_base(out_mod.pBlobData); 56 | } 57 | peconv::update_image_base(out_mod.pBlobData, module_base); 58 | if (peconv::dump_pe(out_path.c_str(), out_mod.pBlobData, out_mod.cbSize, module_base, dump_mode)) { 59 | std::cout << "[+] Converted to: " << out_path << std::endl; 60 | return 0; 61 | } 62 | std::cout << "[-] Conversion failed!" << std::endl; 63 | return -2; 64 | } 65 | -------------------------------------------------------------------------------- /bee_lvl2_converter/ns_exe.cpp: -------------------------------------------------------------------------------- 1 | #include "ns_exe.h" 2 | #include 3 | #include 4 | 5 | #include "util.h" 6 | 7 | using namespace ns_exe; 8 | 9 | template 10 | bool fill_nt_hdrs(t_NS_format *bee_hdr, T_IMAGE_OPTIONAL_HEADER *nt_hdr) 11 | { 12 | nt_hdr->SectionAlignment = util::calc_sec_alignment(&bee_hdr->sections, bee_hdr->sections_count, true); 13 | nt_hdr->FileAlignment = util::calc_sec_alignment(&bee_hdr->sections, bee_hdr->sections_count, false); 14 | if (nt_hdr->SectionAlignment != nt_hdr->FileAlignment) { 15 | std::cout << "[WARNING] Raw Alignment if different than Virtual Alignment!\n"; 16 | } 17 | 18 | nt_hdr->ImageBase = bee_hdr->image_base; 19 | nt_hdr->AddressOfEntryPoint = bee_hdr->entry_point; 20 | 21 | nt_hdr->SizeOfHeaders = bee_hdr->hdr_size; 22 | nt_hdr->SizeOfImage = bee_hdr->module_size; 23 | 24 | nt_hdr->Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI; 25 | nt_hdr->NumberOfRvaAndSizes = 16; 26 | 27 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = bee_hdr->data_dir[NS_IMPORTS].dir_va; 28 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = bee_hdr->data_dir[NS_IMPORTS].dir_size; 29 | 30 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = bee_hdr->data_dir[NS_RELOCATIONS].dir_va; 31 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = bee_hdr->data_dir[NS_RELOCATIONS].dir_size; 32 | 33 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = bee_hdr->data_dir[NS_IAT].dir_va; 34 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = bee_hdr->data_dir[NS_IAT].dir_size; 35 | return true; 36 | } 37 | 38 | bool fill_sections(t_NS_section *ns_section, IMAGE_SECTION_HEADER *sec_hdr, size_t sections_count) 39 | { 40 | 41 | for (size_t i = 0; i < sections_count; i++) { 42 | sec_hdr[i].VirtualAddress = ns_section[i].va; 43 | sec_hdr[i].PointerToRawData = ns_section[i].raw_addr; 44 | sec_hdr[i].SizeOfRawData = ns_section[i].size; 45 | sec_hdr[i].Misc.VirtualSize = ns_section[i].size; 46 | sec_hdr[i].Characteristics = ns_section[i].characteristics; 47 | } 48 | return true; 49 | } 50 | 51 | size_t count_imports(t_NS_import *ns_import) 52 | { 53 | for (size_t i = 0; true; i++) { 54 | if (ns_import[i].first_thunk == 0 && ns_import[i].original_first_thunk == 0) { 55 | return i; 56 | } 57 | } 58 | return 0; 59 | } 60 | 61 | bool fill_imports(t_NS_import *ns_import, IMAGE_IMPORT_DESCRIPTOR *imp_desc, size_t dlls_count) 62 | { 63 | for (size_t i = 0; i < dlls_count; i++) { 64 | if (ns_import[i].first_thunk == 0 && ns_import[i].original_first_thunk == 0) break; 65 | imp_desc[i].FirstThunk = ns_import[i].first_thunk; 66 | imp_desc[i].OriginalFirstThunk = ns_import[i].original_first_thunk; 67 | imp_desc[i].Name = ns_import[i].dll_name_rva; 68 | } 69 | return true; 70 | } 71 | 72 | void print_format(t_NS_format *bee_hdr) 73 | { 74 | std::cout << std::hex 75 | << "Magic: " << bee_hdr->magic 76 | << "\nMachineId: " << bee_hdr->machine_id 77 | << "\nEP: " << bee_hdr->entry_point 78 | << "\nModuleSize: " << bee_hdr->module_size 79 | << "\n" << std::endl; 80 | } 81 | 82 | void print_sections(t_NS_section *ns_section, size_t sections_count) 83 | { 84 | std::cout << "---SECTIONS---\n"; 85 | for (size_t i = 0; i < sections_count; i++) { 86 | std::cout << "VA: " << std::hex << ns_section[i].va << "\t" 87 | << "raw: " << std::hex << ns_section[i].raw_addr << "\t" 88 | << "Size: " << ns_section[i].size << "\n"; 89 | } 90 | } 91 | 92 | void print_saved_values(t_NS_format *bee_hdr, BYTE* bee_module, size_t bee_module_size) 93 | { 94 | DWORD saved = bee_hdr->saved; 95 | if (saved == 0) return; 96 | std::cout << "Saved val :" << std::hex << saved << std::endl; 97 | if (saved >= bee_module_size) return; 98 | std::cout << (char*)(bee_module + saved) << std::endl; 99 | } 100 | 101 | bool ns_exe::unscramble_pe(BYTE *buf, size_t buf_size) 102 | { 103 | t_NS_format *bee_hdr = (t_NS_format*)buf; 104 | 105 | print_format(bee_hdr); 106 | print_sections(&bee_hdr->sections, bee_hdr->sections_count); 107 | print_saved_values(bee_hdr, buf, buf_size); 108 | 109 | size_t rec_size = PAGE_SIZE; 110 | if (bee_hdr->hdr_size > rec_size) return false; 111 | 112 | BYTE *rec_hdr = new BYTE[rec_size]; 113 | memset(rec_hdr, 0, rec_size); 114 | 115 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)rec_hdr; 116 | dos_hdr->e_magic = IMAGE_DOS_SIGNATURE; 117 | dos_hdr->e_lfanew = sizeof(IMAGE_DOS_HEADER); 118 | 119 | DWORD *pe_ptr = (DWORD*)(dos_hdr->e_lfanew + (ULONG_PTR)rec_hdr); 120 | *pe_ptr = IMAGE_NT_SIGNATURE; 121 | 122 | IMAGE_FILE_HEADER* file_hdrs = (IMAGE_FILE_HEADER*)((ULONG_PTR)rec_hdr + dos_hdr->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)); 123 | file_hdrs->Machine = bee_hdr->machine_id; 124 | file_hdrs->NumberOfSections = bee_hdr->sections_count; 125 | 126 | BYTE *opt_hdr = (BYTE*)((ULONG_PTR)file_hdrs + sizeof(IMAGE_FILE_HEADER)); 127 | size_t opt_hdr_size = 0; 128 | if (bee_hdr->machine_id == IMAGE_FILE_MACHINE_AMD64) { 129 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER64); 130 | IMAGE_OPTIONAL_HEADER64* opt_hdr64 = (IMAGE_OPTIONAL_HEADER64*)opt_hdr; 131 | opt_hdr64->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; 132 | fill_nt_hdrs(bee_hdr, opt_hdr64); 133 | } 134 | else { 135 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER32); 136 | IMAGE_OPTIONAL_HEADER32* opt_hdr32 = (IMAGE_OPTIONAL_HEADER32*)opt_hdr; 137 | opt_hdr32->Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC; 138 | fill_nt_hdrs(bee_hdr, opt_hdr32); 139 | } 140 | 141 | file_hdrs->SizeOfOptionalHeader = (WORD)opt_hdr_size; 142 | IMAGE_SECTION_HEADER *sec_hdr = (IMAGE_SECTION_HEADER*)((ULONG_PTR)opt_hdr + opt_hdr_size); 143 | 144 | fill_sections(&bee_hdr->sections, sec_hdr, bee_hdr->sections_count); 145 | 146 | //WARNING: if the file alignment differs from virtual alignmnent it needs to be converted! 147 | DWORD imports_raw = bee_hdr->data_dir[NS_IMPORTS].dir_va; 148 | 149 | t_NS_import *ns_import = (t_NS_import*)((ULONG_PTR)buf + imports_raw); 150 | size_t dlls_count = count_imports(ns_import); 151 | 152 | std::cout << "DLLs count: " << dlls_count << std::endl; 153 | const size_t imp_area_size = dlls_count * sizeof(IMAGE_IMPORT_DESCRIPTOR); 154 | 155 | BYTE *rec_imports = new BYTE[imp_area_size]; 156 | memset(rec_imports, 0, imp_area_size); 157 | fill_imports(ns_import, (IMAGE_IMPORT_DESCRIPTOR*)rec_imports, dlls_count); 158 | 159 | memcpy(buf, rec_hdr, bee_hdr->hdr_size); 160 | delete[]rec_hdr; rec_hdr = nullptr; 161 | 162 | memcpy(buf + imports_raw, rec_imports, imp_area_size); 163 | delete[]rec_imports; rec_imports = nullptr; 164 | return true; 165 | } 166 | -------------------------------------------------------------------------------- /bee_lvl2_converter/ns_exe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const WORD NS_MAGIC = 0x534e; 6 | 7 | namespace ns_exe { 8 | 9 | const size_t NS_DATA_DIR_COUNT = 6; 10 | 11 | enum data_dir_id { 12 | NS_IMPORTS = 1, 13 | NS_RELOCATIONS = 3, 14 | NS_IAT = 4 15 | }; 16 | 17 | typedef struct { 18 | DWORD dir_va; 19 | DWORD dir_size; 20 | } t_NS_data_dir; 21 | 22 | typedef struct { 23 | DWORD va; 24 | DWORD size; 25 | DWORD raw_addr; 26 | DWORD characteristics; 27 | } t_NS_section; 28 | 29 | typedef struct { 30 | DWORD dll_name_rva; 31 | DWORD original_first_thunk; 32 | DWORD first_thunk; 33 | DWORD unknown; 34 | } t_NS_import; 35 | 36 | typedef struct { 37 | WORD magic; // 0x534e 38 | WORD machine_id; 39 | WORD sections_count; 40 | WORD hdr_size; 41 | DWORD entry_point; 42 | DWORD module_size; 43 | DWORD image_base; 44 | DWORD image_base_high; 45 | DWORD saved; 46 | DWORD unknown1; 47 | t_NS_data_dir data_dir[NS_DATA_DIR_COUNT]; 48 | t_NS_section sections; 49 | } t_NS_format; 50 | 51 | bool unscramble_pe(BYTE *buf, size_t buf_size); 52 | }; 53 | -------------------------------------------------------------------------------- /bee_lvl2_converter/rs_exe.cpp: -------------------------------------------------------------------------------- 1 | #include "rs_exe.h" 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include "util.h" 10 | using namespace rs_exe; 11 | 12 | template 13 | bool fill_nt_hdrs(t_RS_format *bee_hdr, T_IMAGE_OPTIONAL_HEADER *nt_hdr) 14 | { 15 | const int kMinAlign = util::get_first_section(&bee_hdr->sections, bee_hdr->sections_count, true); 16 | nt_hdr->SectionAlignment = util::calc_sec_alignment(&bee_hdr->sections, bee_hdr->sections_count, true); 17 | nt_hdr->FileAlignment = nt_hdr->SectionAlignment; 18 | 19 | nt_hdr->ImageBase = 0; 20 | nt_hdr->AddressOfEntryPoint = bee_hdr->entry_point; 21 | 22 | nt_hdr->SizeOfHeaders = kMinAlign; 23 | nt_hdr->SizeOfImage = bee_hdr->module_size; 24 | 25 | nt_hdr->Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI; 26 | nt_hdr->NumberOfRvaAndSizes = 16; 27 | 28 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = bee_hdr->data_dir[RS_IMPORTS].dir_va; 29 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = bee_hdr->data_dir[RS_IMPORTS].dir_size; 30 | 31 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress = bee_hdr->data_dir[RS_EXCEPTIONS].dir_va; 32 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size = bee_hdr->data_dir[RS_EXCEPTIONS].dir_size; 33 | 34 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = bee_hdr->data_dir[RS_RELOCATIONS].dir_va; 35 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = bee_hdr->data_dir[RS_RELOCATIONS].dir_size; 36 | return true; 37 | } 38 | 39 | bool fill_sections(t_RS_section *rs_section, IMAGE_SECTION_HEADER *sec_hdr, size_t sections_count) 40 | { 41 | for (size_t i = 0; i < sections_count; i++) { 42 | sec_hdr[i].VirtualAddress = rs_section[i].va; 43 | sec_hdr[i].PointerToRawData = rs_section[i].va; 44 | sec_hdr[i].SizeOfRawData = rs_section[i].size; 45 | sec_hdr[i].Misc.VirtualSize = rs_section[i].size; 46 | sec_hdr[i].Characteristics = 0xE0000000; 47 | } 48 | return true; 49 | } 50 | 51 | size_t count_imports(t_RS_import *rs_import) 52 | { 53 | for (size_t i = 0; true; i++) { 54 | if (rs_import[i].first_thunk == 0 && rs_import[i].original_first_thunk == 0) { 55 | return i; 56 | } 57 | } 58 | return 0; 59 | } 60 | 61 | bool fill_imports(t_RS_import *rs_import, IMAGE_IMPORT_DESCRIPTOR *imp_desc, size_t dlls_count) 62 | { 63 | for (size_t i = 0; i < dlls_count; i++) { 64 | if (rs_import[i].first_thunk == 0 && rs_import[i].original_first_thunk == 0) break; 65 | imp_desc[i].FirstThunk = rs_import[i].first_thunk; 66 | imp_desc[i].OriginalFirstThunk = rs_import[i].original_first_thunk; 67 | imp_desc[i].Name = rs_import[i].dll_name_rva; 68 | } 69 | return true; 70 | } 71 | 72 | void print_format(t_RS_format *bee_hdr) 73 | { 74 | std::cout << std::hex 75 | << "Magic: " << bee_hdr->magic 76 | << "\nMachineId: " << bee_hdr->machine_id 77 | << "\nEP: " << bee_hdr->entry_point 78 | << "\nModuleSize: " << bee_hdr->module_size 79 | << "\n" << std::endl; 80 | } 81 | 82 | void print_sections(t_RS_section *rs_section, size_t sections_count) 83 | { 84 | std::cout << "---SECTIONS---\n"; 85 | for (size_t i = 0; i < sections_count; i++) { 86 | std::cout << "VA: " << std::hex << rs_section[i].va << "\t" 87 | << "raw: " << std::hex << rs_section[i].raw_addr << "\t" 88 | << "Size: " << rs_section[i].size << "\n"; 89 | } 90 | } 91 | 92 | void copy_sections(t_RS_format* bee_hdr, BYTE* in_buf, BYTE* out_buf, size_t out_size, bool isMapped) 93 | { 94 | t_RS_section* rs_section = &bee_hdr->sections; 95 | for (size_t i = 0; i < bee_hdr->sections_count; i++) { 96 | const DWORD raw = isMapped ? rs_section[i].va : rs_section[i].raw_addr; 97 | ::memcpy((BYTE*)((ULONG_PTR)out_buf + rs_section[i].va), (BYTE*)((ULONG_PTR)in_buf + raw), rs_section[i].size); 98 | } 99 | } 100 | 101 | namespace rs_exe { 102 | DWORD calc_checksum(BYTE* a1) 103 | { 104 | BYTE* ptr; 105 | unsigned int result; 106 | char i; 107 | int v4; 108 | int v5; 109 | 110 | ptr = a1; 111 | result = 0; 112 | for (i = *a1; i; ++ptr) 113 | { 114 | v4 = (result >> 13) | (result << 19); 115 | v5 = i; 116 | i = ptr[1]; 117 | result = v4 + v5; 118 | } 119 | return result; 120 | } 121 | }; 122 | 123 | class ChecksumFiller : public peconv::ImportThunksCallback 124 | { 125 | public: 126 | ChecksumFiller(BYTE* _modulePtr, size_t _moduleSize) 127 | : ImportThunksCallback(_modulePtr, _moduleSize) 128 | { 129 | } 130 | 131 | virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr) 132 | { 133 | if (this->is64b) { 134 | IMAGE_THUNK_DATA64* desc = reinterpret_cast(origFirstThunkPtr); 135 | ULONGLONG* call_via = reinterpret_cast(firstThunkPtr); 136 | return processThunks_tpl(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64); 137 | 138 | } 139 | else { 140 | 141 | IMAGE_THUNK_DATA32* desc = reinterpret_cast(origFirstThunkPtr); 142 | DWORD* call_via = reinterpret_cast(firstThunkPtr); 143 | return processThunks_tpl(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32); 144 | } 145 | } 146 | 147 | protected: 148 | template 149 | bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA* desc, T_FIELD* call_via, T_FIELD ordinal_flag) 150 | { 151 | if (call_via == nullptr) { 152 | return false; 153 | } 154 | 155 | //thunkToFunc[rva] = func; 156 | const std::string short_name = peconv::get_dll_shortname(lib_name); 157 | const bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0; 158 | if (is_by_ord) { 159 | return true; 160 | } 161 | PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData); 162 | const DWORD rva = MASK_TO_DWORD((ULONG_PTR)by_name->Name - (ULONG_PTR)modulePtr); 163 | DWORD* checks = (DWORD*)(by_name); 164 | 165 | std::vector names; 166 | HMODULE lib = LoadLibraryA(lib_name); 167 | if (!lib) return false; 168 | 169 | peconv::get_exported_names(lib, names); 170 | for (auto itr = names.begin(); itr != names.end(); itr++) { 171 | DWORD checks1 = rs_exe::calc_checksum((BYTE*)itr->c_str()); 172 | if (checks1 == (*checks)) { 173 | ::memcpy(by_name->Name, itr->c_str(), itr->length()); 174 | break; 175 | } 176 | } 177 | FreeLibrary(lib); 178 | return true; 179 | } 180 | }; 181 | 182 | BLOB rs_exe::unscramble_pe(BYTE *in_buf, size_t buf_size, bool isMapped) 183 | { 184 | BLOB mod = { 0 }; 185 | t_RS_format *bee_hdr = (t_RS_format*)in_buf; 186 | size_t out_size = buf_size > bee_hdr->module_size ? buf_size : bee_hdr->module_size; 187 | if (out_size < PAGE_SIZE) out_size = PAGE_SIZE; 188 | 189 | BYTE* out_buf = (BYTE*)::malloc(out_size); 190 | if (!out_buf) return mod; 191 | 192 | ::memset(out_buf, 0, out_size); 193 | 194 | print_format(bee_hdr); 195 | print_sections(&bee_hdr->sections, bee_hdr->sections_count); 196 | 197 | size_t rec_size = PAGE_SIZE; 198 | if (bee_hdr->hdr_size > rec_size) return mod; 199 | 200 | BYTE *rec_hdr = new BYTE[rec_size]; 201 | memset(rec_hdr, 0, rec_size); 202 | 203 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)rec_hdr; 204 | dos_hdr->e_magic = IMAGE_DOS_SIGNATURE; 205 | dos_hdr->e_lfanew = sizeof(IMAGE_DOS_HEADER); 206 | 207 | DWORD *pe_ptr = (DWORD*)(dos_hdr->e_lfanew + (ULONG_PTR)rec_hdr); 208 | *pe_ptr = IMAGE_NT_SIGNATURE; 209 | 210 | IMAGE_FILE_HEADER* file_hdrs = (IMAGE_FILE_HEADER*)((ULONG_PTR)rec_hdr + dos_hdr->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)); 211 | file_hdrs->Machine = bee_hdr->machine_id; 212 | file_hdrs->NumberOfSections = bee_hdr->sections_count; 213 | 214 | BYTE *opt_hdr = (BYTE*)((ULONG_PTR)file_hdrs + sizeof(IMAGE_FILE_HEADER)); 215 | size_t opt_hdr_size = 0; 216 | if (bee_hdr->machine_id == IMAGE_FILE_MACHINE_AMD64) { 217 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE; 218 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER64); 219 | IMAGE_OPTIONAL_HEADER64* opt_hdr64 = (IMAGE_OPTIONAL_HEADER64*)opt_hdr; 220 | opt_hdr64->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; 221 | fill_nt_hdrs(bee_hdr, opt_hdr64); 222 | } 223 | else { 224 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE; 225 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER32); 226 | IMAGE_OPTIONAL_HEADER32* opt_hdr32 = (IMAGE_OPTIONAL_HEADER32*)opt_hdr; 227 | opt_hdr32->Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC; 228 | fill_nt_hdrs(bee_hdr, opt_hdr32); 229 | } 230 | 231 | file_hdrs->SizeOfOptionalHeader = (WORD)opt_hdr_size; 232 | IMAGE_SECTION_HEADER *sec_hdr = (IMAGE_SECTION_HEADER*)((ULONG_PTR)opt_hdr + opt_hdr_size); 233 | 234 | fill_sections(&bee_hdr->sections, sec_hdr, bee_hdr->sections_count); 235 | 236 | ::memcpy(out_buf, rec_hdr, rec_size); 237 | delete[]rec_hdr; rec_hdr = nullptr; 238 | 239 | copy_sections(bee_hdr, in_buf, out_buf, out_size, isMapped); 240 | 241 | //WARNING: if the file alignment differs from virtual alignmnent it needs to be converted! 242 | DWORD imports_raw = bee_hdr->data_dir[RS_IMPORTS].dir_va; 243 | 244 | t_RS_import *rs_import = (t_RS_import*)((ULONG_PTR)out_buf + imports_raw); 245 | size_t dlls_count = count_imports(rs_import); 246 | 247 | std::cout << "DLLs count: " << dlls_count << std::endl; 248 | const size_t imp_area_size = dlls_count * sizeof(IMAGE_IMPORT_DESCRIPTOR); 249 | 250 | BYTE *rec_imports = new BYTE[imp_area_size]; 251 | memset(rec_imports, 0, imp_area_size); 252 | fill_imports(rs_import, (IMAGE_IMPORT_DESCRIPTOR*)rec_imports, dlls_count); 253 | 254 | memcpy(out_buf + imports_raw, rec_imports, imp_area_size); 255 | delete[]rec_imports; rec_imports = nullptr; 256 | 257 | ChecksumFiller collector(out_buf, out_size); 258 | peconv::process_import_table(out_buf, out_size, &collector); 259 | if (!isMapped) { 260 | DWORD img_base = 0x100000; 261 | if (peconv::relocate_module(out_buf, out_size, img_base, 0)) { 262 | peconv::update_image_base(out_buf, img_base); 263 | } 264 | } 265 | std::cout << "Finished...\n"; 266 | mod.pBlobData = out_buf; 267 | mod.cbSize = out_size; 268 | return mod; 269 | } 270 | -------------------------------------------------------------------------------- /bee_lvl2_converter/rs_exe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const WORD RS_MAGIC = 0x5352; 6 | 7 | namespace rs_exe { 8 | 9 | const size_t RS_DATA_DIR_COUNT = 3; 10 | 11 | enum data_dir_id { 12 | RS_IMPORTS = 0, 13 | RS_EXCEPTIONS, 14 | RS_RELOCATIONS = 2 15 | }; 16 | 17 | typedef struct { 18 | DWORD dir_size; 19 | DWORD dir_va; 20 | } t_RS_data_dir; 21 | 22 | typedef struct { 23 | DWORD raw_addr; 24 | DWORD va; 25 | DWORD size; 26 | } t_RS_section; 27 | 28 | typedef struct { 29 | DWORD dll_name_rva; 30 | DWORD first_thunk; 31 | DWORD original_first_thunk; 32 | } t_RS_import; 33 | 34 | typedef struct { 35 | WORD magic; // 0x5352 36 | WORD machine_id; 37 | WORD sections_count; 38 | WORD hdr_size; 39 | DWORD entry_point; 40 | DWORD module_size; 41 | t_RS_data_dir data_dir[RS_DATA_DIR_COUNT]; 42 | t_RS_section sections; 43 | } t_RS_format; 44 | 45 | BLOB unscramble_pe(BYTE *buf, size_t buf_size, bool isMapped); 46 | }; 47 | -------------------------------------------------------------------------------- /bee_lvl2_converter/util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace util { 6 | 7 | inline DWORD gcd(DWORD a, DWORD b) 8 | { 9 | while (b != 0) { 10 | DWORD t = b; 11 | b = a % b; 12 | a = t; 13 | } 14 | return a; 15 | } 16 | 17 | template 18 | DWORD calc_sec_alignment(SECTION_T* section, size_t sections_count, bool is_virtual = true) 19 | { 20 | DWORD prev = 0; 21 | for (size_t i = 0; i < sections_count; i++) { 22 | DWORD section_offst = is_virtual ? section[i].va : section[i].raw_addr; 23 | if (prev != 0) { 24 | prev = gcd(prev, section_offst); 25 | } 26 | else { 27 | prev = section_offst; 28 | } 29 | } 30 | return prev; 31 | } 32 | 33 | template 34 | DWORD get_first_section(SECTION_T* section, size_t sections_count, bool is_virtual = true) 35 | { 36 | DWORD min = 0; 37 | for (size_t i = 0; i < sections_count; i++) { 38 | DWORD section_offst = is_virtual ? section[i].va : section[i].raw_addr; 39 | if (min != 0) { 40 | min = min < section_offst ? min : section_offst; 41 | } 42 | else { 43 | min = section_offst; 44 | } 45 | } 46 | return min; 47 | } 48 | 49 | }; 50 | -------------------------------------------------------------------------------- /bee_lvl2_converter/xs_exe.cpp: -------------------------------------------------------------------------------- 1 | #include "xs_exe.h" 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include "util.h" 10 | 11 | #define DEFAULT_BASE64 0x140000000 12 | #define DEFAULT_BASE32 0x400000 13 | 14 | using namespace xs_exe; 15 | 16 | template 17 | bool fill_nt_hdrs(XS_FORMAT* bee_hdr, T_IMAGE_OPTIONAL_HEADER *nt_hdr) 18 | { 19 | const int kMinAlign = util::get_first_section(&bee_hdr->sections, bee_hdr->sections_count, true); 20 | nt_hdr->SectionAlignment = util::calc_sec_alignment(&bee_hdr->sections, bee_hdr->sections_count, true); 21 | nt_hdr->FileAlignment = nt_hdr->SectionAlignment; 22 | 23 | nt_hdr->AddressOfEntryPoint = bee_hdr->entry_point; 24 | 25 | nt_hdr->SizeOfHeaders = kMinAlign; 26 | nt_hdr->SizeOfImage = bee_hdr->module_size; 27 | 28 | nt_hdr->Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI; 29 | nt_hdr->NumberOfRvaAndSizes = 16; 30 | nt_hdr->MajorSubsystemVersion = 6; 31 | nt_hdr->MajorOperatingSystemVersion = 6; 32 | 33 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = bee_hdr->data_dir[XS_IMPORTS].dir_va; 34 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = bee_hdr->data_dir[XS_IMPORTS].dir_size; 35 | 36 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress = bee_hdr->data_dir[XS_EXCEPTIONS].dir_va; 37 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size = bee_hdr->data_dir[XS_EXCEPTIONS].dir_size; 38 | 39 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = bee_hdr->data_dir[XS_RELOCATIONS].dir_va; 40 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = bee_hdr->data_dir[XS_RELOCATIONS].dir_size; 41 | return true; 42 | } 43 | 44 | bool fill_sections(t_XS_section *rs_section, IMAGE_SECTION_HEADER *sec_hdr, size_t sections_count) 45 | { 46 | for (size_t i = 0; i < sections_count; i++) { 47 | size_t v_size = rs_section[i].size; 48 | if ((sections_count > 1) && i < (sections_count - 1)) { 49 | const size_t diff = rs_section[i + 1].va - rs_section[i].va; 50 | v_size = (diff > v_size) ? diff : v_size; 51 | } 52 | sec_hdr[i].VirtualAddress = rs_section[i].va; 53 | sec_hdr[i].PointerToRawData = rs_section[i].va; 54 | sec_hdr[i].SizeOfRawData = rs_section[i].size; 55 | sec_hdr[i].Misc.VirtualSize = v_size; 56 | sec_hdr[i].Characteristics = 0xE0000000; 57 | } 58 | return true; 59 | } 60 | 61 | 62 | template 63 | bool build_relocs_table(BYTE* mapped_xs, std::map> &relocs_list, T_IMAGE_OPTIONAL_HEADER* nt_hdr) 64 | { 65 | typedef struct _BASE_RELOCATION_ENTRY { 66 | WORD Offset : 12; 67 | WORD Type : 4; 68 | } BASE_RELOCATION_ENTRY; 69 | 70 | WORD RELOC_32BIT_FIELD = 3; 71 | WORD RELOC_64BIT_FIELD = 0xA; 72 | WORD RELOC_FIELD = (nt_hdr->Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? RELOC_64BIT_FIELD : RELOC_32BIT_FIELD; 73 | 74 | size_t table_size = sizeof(IMAGE_BASE_RELOCATION) * relocs_list.size(); 75 | 76 | for (auto itr = relocs_list.begin(); itr != relocs_list.end(); ++itr) { 77 | table_size += sizeof(BASE_RELOCATION_ENTRY) * itr->second.size(); 78 | } 79 | 80 | BYTE* table = new BYTE[table_size]; 81 | ::memset(table, 0, table_size); 82 | 83 | BYTE* table_ptr = table; 84 | 85 | for (auto itr = relocs_list.begin(); itr != relocs_list.end(); ++itr) { 86 | 87 | IMAGE_BASE_RELOCATION* record = (IMAGE_BASE_RELOCATION*)table_ptr; 88 | record->VirtualAddress = itr->first; 89 | record->SizeOfBlock = sizeof(BASE_RELOCATION_ENTRY) * itr->second.size() + sizeof(IMAGE_BASE_RELOCATION); 90 | table_ptr += sizeof(IMAGE_BASE_RELOCATION); 91 | 92 | for (auto itr2 = itr->second.begin(); itr2 != itr->second.end(); ++itr2) { 93 | BASE_RELOCATION_ENTRY* entry = (BASE_RELOCATION_ENTRY*)table_ptr; 94 | entry->Offset = *itr2; 95 | entry->Type = RELOC_FIELD; 96 | table_ptr += sizeof(BASE_RELOCATION_ENTRY); 97 | } 98 | } 99 | DWORD rva = nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; 100 | nt_hdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = table_size; 101 | 102 | ::memcpy(mapped_xs + rva, table, table_size); 103 | return true; 104 | } 105 | 106 | bool build_relocs_table(BYTE* mapped_xs, std::map>& relocs_list) 107 | { 108 | bool is_ok = false; 109 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)mapped_xs; 110 | IMAGE_FILE_HEADER* file_hdrs = (IMAGE_FILE_HEADER*)((ULONG_PTR)mapped_xs + dos_hdr->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)); 111 | BYTE* opt_hdr = (BYTE*)((ULONG_PTR)file_hdrs + sizeof(IMAGE_FILE_HEADER)); 112 | if (file_hdrs->Machine == IMAGE_FILE_MACHINE_AMD64) { 113 | IMAGE_OPTIONAL_HEADER64* opt_hdr64 = (IMAGE_OPTIONAL_HEADER64*)opt_hdr; 114 | is_ok = build_relocs_table(mapped_xs, relocs_list, opt_hdr64); 115 | } 116 | else { 117 | IMAGE_OPTIONAL_HEADER32* opt_hdr32 = (IMAGE_OPTIONAL_HEADER32*)opt_hdr; 118 | is_ok = build_relocs_table(mapped_xs, relocs_list, opt_hdr32); 119 | } 120 | return is_ok; 121 | } 122 | 123 | template 124 | bool fill_relocations_table(XS_FORMAT& bee_hdr, BYTE* mapped_xs, FIELD_T img_base) 125 | { 126 | if (!mapped_xs) return false; 127 | 128 | std::map> relocs_list; 129 | 130 | DWORD dir_rva = bee_hdr.data_dir[XS_RELOCATIONS].dir_va; 131 | DWORD dir_size = bee_hdr.data_dir[XS_RELOCATIONS].dir_size; 132 | if (dir_rva == 0 || dir_size == 0) { 133 | return true; // nothing to apply 134 | } 135 | xs_relocs* reloc_ptr = (xs_relocs*)((ULONG_PTR)mapped_xs + dir_rva); 136 | std::cout << "relocs: rva: " << std::hex << dir_rva << " size: " << dir_size << "\n"; 137 | 138 | DWORD parsed_entries = 0; 139 | xs_reloc_entry* element = (xs_reloc_entry*)((ULONG_PTR)&reloc_ptr->blocks[reloc_ptr->count]); 140 | 141 | WORD saved_field = 0; 142 | WORD field_rva = 0; 143 | for (DWORD i = 0; i < reloc_ptr->count; i++) { 144 | 145 | xs_relocs_block* block = &reloc_ptr->blocks[i]; 146 | #ifdef _DEBUG 147 | std::cout << "#"<< i << std::hex << " : page_rva: " << block->page_rva << " count: " << block->entries_count << "\n"; 148 | #endif 149 | for (DWORD k = 0; k < block->entries_count; ) { 150 | 151 | if (saved_field) { 152 | field_rva = saved_field; 153 | saved_field = 0; 154 | 155 | relocs_list[block->page_rva].push_back(field_rva); 156 | FIELD_T* field = (FIELD_T*)((ULONG_PTR)mapped_xs + block->page_rva + field_rva); 157 | (*field) += img_base; 158 | #ifdef _DEBUG 159 | std::cout << k << " : saved:" << " Field to reloc: " << field_rva << " Relocated: " << (*field) << " \n"; 160 | #endif 161 | k++; 162 | continue; 163 | } 164 | 165 | for (size_t indx = 0; indx < 2; indx++, k++) { 166 | if (indx == 0) { 167 | field_rva = (16 * element->field1_hi | (element->mid >> 4)); 168 | } 169 | else { 170 | BYTE* _field_rva = (BYTE*)((ULONG_PTR)&field_rva); 171 | _field_rva[1] = element->mid & 0x0F; 172 | _field_rva[0] = element->field2_low; 173 | } 174 | if (k >= block->entries_count) { 175 | saved_field = field_rva; 176 | break; 177 | } 178 | relocs_list[block->page_rva].push_back(field_rva); 179 | FIELD_T* field = (FIELD_T*)((ULONG_PTR)mapped_xs + block->page_rva + field_rva); 180 | (*field) += img_base; 181 | #ifdef _DEBUG 182 | std::cout << k << " : " << indx << " Field to reloc: " << field_rva << " Relocated: " << (*field) << " \n"; 183 | #endif 184 | } 185 | 186 | element++; 187 | } 188 | } 189 | return build_relocs_table(mapped_xs, relocs_list); 190 | } 191 | 192 | 193 | template 194 | size_t count_imports(XS_IMPORT *xs_import) 195 | { 196 | for (size_t i = 0; true; i++) { 197 | if (xs_import[i].first_thunk == 0) { 198 | return i; 199 | } 200 | } 201 | return 0; 202 | } 203 | 204 | bool is_valid_dll_char(BYTE c) 205 | { 206 | if (!isalnum(c) && c != '.' && c != '_' && c != '-') { 207 | return false; 208 | } 209 | return true; 210 | } 211 | 212 | bool is_valid_dll_name(BYTE* lib, size_t name_len) 213 | { 214 | for (size_t i = 0; i < name_len; i++) { 215 | if (!is_valid_dll_char(lib[i])) { 216 | return false; 217 | } 218 | } 219 | return true; 220 | } 221 | 222 | bool decode_name_A(BYTE* library_name, WORD lib_decode_key) 223 | { 224 | BYTE* _val_ptr = 0; // eax 225 | char flag; // dl 226 | 227 | _val_ptr = library_name; 228 | if (_val_ptr) 229 | { 230 | do 231 | { 232 | *_val_ptr = lib_decode_key ^ (*_val_ptr); 233 | if ((*_val_ptr) == 0) break; 234 | 235 | flag = (char)lib_decode_key; 236 | lib_decode_key >>= 1; 237 | if ((flag & 1) != 0) 238 | lib_decode_key ^= 0xB400u; 239 | ++_val_ptr; 240 | } while ( true ); 241 | } 242 | const size_t len = (_val_ptr - library_name); 243 | if (!is_valid_dll_name(library_name, len)) { 244 | return false; 245 | } 246 | std::cout << "Name: " << library_name << "\n"; 247 | return true; 248 | } 249 | 250 | bool decode_name_B(BYTE* dll_name, size_t name_len) 251 | { 252 | if (!name_len) { 253 | return false; 254 | } 255 | 256 | BYTE out_name[128] = { 0 }; 257 | size_t indx = 0; 258 | size_t pos = 0; 259 | size_t flag = 0; 260 | 261 | for (size_t i = 0; i < name_len; ++i) { 262 | BYTE outC = 0; 263 | for (WORD round = 7; round > 0; round--) 264 | { 265 | BYTE val = dll_name[indx]; 266 | if (pos) 267 | { 268 | flag = (val >> (7 - pos)) & 1; 269 | if (pos == 7) 270 | { 271 | pos = 0; 272 | ++indx; 273 | } 274 | else 275 | { 276 | ++pos; 277 | } 278 | } 279 | else 280 | { 281 | flag = val >> 7; 282 | pos = 1; 283 | } 284 | outC |= (flag != 0) << (round - 1); 285 | } 286 | if (!is_valid_dll_char(outC)) { 287 | return false; 288 | } 289 | out_name[i] = outC; 290 | } 291 | out_name[name_len] = 0; 292 | ::memcpy(dll_name, out_name, name_len); 293 | std::cout << "Name dec: " << dll_name << "\n"; 294 | return true; 295 | } 296 | 297 | namespace xs_exe { 298 | namespace xs2 { 299 | 300 | int get_xs_import_type(t_XS_format* mapped_xs, BYTE* out_buf, size_t buf_size) 301 | { 302 | const DWORD imports_raw = mapped_xs->data_dir[XS_IMPORTS].dir_va; 303 | const t_XS_import_A* xs_import = (t_XS_import_A*)((ULONG_PTR)out_buf + imports_raw); 304 | if (xs_import[0].first_thunk == 0) { 305 | return 0; 306 | } 307 | if (xs_import[0].dll_name_rva > buf_size) { 308 | return 0; 309 | } 310 | const size_t temp_size = 128; 311 | BYTE temp_name[temp_size] = { 0 }; 312 | BYTE* lib_name = (BYTE*)((ULONG_PTR)out_buf + xs_import[0].dll_name_rva); 313 | 314 | const size_t imp_len = xs_import[0].obf_dll_len > temp_size ? temp_size : xs_import[0].obf_dll_len; 315 | ::memcpy(temp_name, lib_name, temp_size); 316 | if (decode_name_B(temp_name, imp_len)) { 317 | return 2; 318 | } 319 | ::memcpy(temp_name, lib_name, temp_size); 320 | if (decode_name_A(temp_name, mapped_xs->imp_key)) { 321 | return 1; 322 | } 323 | return 0; 324 | } 325 | 326 | }; //namespace xs2 327 | }; //namespace xs_exe 328 | 329 | 330 | template 331 | bool fill_imports(const int imp_type, BYTE* mapped_xs, size_t buf_size, XS_IMPORT*rs_import, IMAGE_IMPORT_DESCRIPTOR *imp_desc, size_t dlls_count, WORD imp_key) 332 | { 333 | for (size_t i = 0; i < dlls_count; i++) { 334 | if (rs_import[i].first_thunk == 0) break; 335 | 336 | imp_desc[i].FirstThunk = rs_import[i].first_thunk; 337 | imp_desc[i].OriginalFirstThunk = rs_import[i].original_first_thunk; 338 | imp_desc[i].Name = rs_import[i].dll_name_rva; 339 | 340 | if (imp_desc[i].Name > buf_size || imp_desc[i].FirstThunk > buf_size || imp_desc[i].OriginalFirstThunk > buf_size) { 341 | break; 342 | } 343 | std::cout << "#" << i << ": " 344 | << "first_thunk: " << std::hex << rs_import[i].first_thunk << "\t" 345 | << "original_first_thunk: " << std::hex << rs_import[i].original_first_thunk << "\t" 346 | << "dll_name_rva: " << rs_import[i].dll_name_rva << "\t" 347 | << "Unk: " << rs_import[i].obf_dll_len 348 | << "\n"; 349 | #ifdef _DEBUG 350 | std::cout << "Decoding name at: " << std::hex << rs_import[i].dll_name_rva << "\n"; 351 | #endif 352 | BYTE* lib_name = (BYTE*)((ULONG_PTR)mapped_xs + rs_import[i].dll_name_rva); 353 | if (imp_type == 1) { 354 | decode_name_A(lib_name, imp_key); 355 | } 356 | else if (imp_type == 2) { 357 | decode_name_B(lib_name, rs_import[i].obf_dll_len); 358 | } 359 | } 360 | return true; 361 | } 362 | 363 | template 364 | void print_data_dirs(XS_FORMAT* ddir, size_t sections_count) 365 | { 366 | std::cout << "---DATA DIRS---\n"; 367 | for (size_t i = 0; i < sections_count; i++) { 368 | std::cout << "#" << i << ": VA: " << std::hex << ddir[i].dir_va << "\t" 369 | << "Size: " << ddir[i].dir_size << "\n"; 370 | } 371 | } 372 | 373 | template 374 | void copy_sections(XS_FORMAT* bee_hdr, BYTE* in_buf, BYTE* out_buf, size_t out_size, bool isMapped) 375 | { 376 | t_XS_section* rs_section = &bee_hdr->sections; 377 | for (size_t i = 0; i < bee_hdr->sections_count; i++) { 378 | const DWORD raw = isMapped ? rs_section[i].va : rs_section[i].raw_addr; 379 | ::memcpy((BYTE*)((ULONG_PTR)out_buf + rs_section[i].va), (BYTE*)((ULONG_PTR)in_buf + raw), rs_section[i].size); 380 | } 381 | } 382 | 383 | void print_sections(t_XS_section *rs_section, size_t sections_count) 384 | { 385 | std::cout << "---SECTIONS---\n"; 386 | for (size_t i = 0; i < sections_count; i++) { 387 | std::cout << "#" << i << ": VA: " << std::hex << rs_section[i].va << "\t" 388 | << "raw: " << std::hex << rs_section[i].raw_addr << "\t" 389 | << "Size: " << rs_section[i].size << "\t" 390 | << "Flags: " << rs_section[i].flags << "\n"; 391 | } 392 | } 393 | 394 | namespace xs_exe { 395 | 396 | namespace xs1 { 397 | 398 | template 399 | void print_format(XS_FORMAT* xs_hdr) 400 | { 401 | std::cout << std::hex 402 | << "Magic: " << xs_hdr->magic 403 | << "\nEP: " << xs_hdr->entry_point 404 | << "\nModuleSize: " << xs_hdr->module_size 405 | << "\nSec count: " << xs_hdr->sections_count 406 | << "\nHdr Size: " << xs_hdr->hdr_size 407 | << "\nNT magic: " << xs_hdr->nt_magic 408 | << "\nImp Key: " << (unsigned int)xs_hdr->imp_key 409 | << "\nVersion: " << (unsigned int)xs_hdr->ver 410 | << "\n" << std::endl; 411 | } 412 | }; 413 | 414 | namespace xs2 { 415 | void print_format(xs_exe::xs2::t_XS_format* xs_hdr) 416 | { 417 | std::cout << std::hex 418 | << "Magic: " << xs_hdr->magic 419 | << "\nEP: " << xs_hdr->entry_point 420 | << "\nModuleSize: " << xs_hdr->module_size 421 | << "\nSec count: " << xs_hdr->sections_count 422 | << "\nHdr Size: " << xs_hdr->hdr_size 423 | << "\nImp Key: " << (unsigned int)xs_hdr->imp_key 424 | << "\nEP Alt " << xs_hdr->entry_point_alt 425 | << "\n" << std::endl; 426 | } 427 | }; 428 | 429 | int calc_checksum(BYTE* name_ptr, int imp_key) 430 | { 431 | while (*name_ptr) 432 | { 433 | int val = (unsigned __int8)*name_ptr++ ^ (16777619 * imp_key); 434 | imp_key = val; 435 | } 436 | return imp_key; 437 | } 438 | 439 | class ChecksumFiller : public peconv::ImportThunksCallback 440 | { 441 | public: 442 | ChecksumFiller(BYTE* _modulePtr, size_t _moduleSize, DWORD _imp_key, bool _is32b) 443 | : ImportThunksCallback(_modulePtr, _moduleSize), 444 | imp_key(_imp_key), is32b(_is32b), not_found(0), found(0) 445 | { 446 | } 447 | 448 | virtual bool processThunks(LPSTR lib_name, ULONG_PTR origFirstThunkPtr, ULONG_PTR firstThunkPtr) 449 | { 450 | if (this->is64b) { 451 | IMAGE_THUNK_DATA64* desc = reinterpret_cast(origFirstThunkPtr); 452 | ULONGLONG* call_via = reinterpret_cast(firstThunkPtr); 453 | return processThunks_tpl(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG64); 454 | } 455 | else { 456 | IMAGE_THUNK_DATA32* desc = reinterpret_cast(origFirstThunkPtr); 457 | DWORD* call_via = reinterpret_cast(firstThunkPtr); 458 | return processThunks_tpl(lib_name, desc, call_via, IMAGE_ORDINAL_FLAG32); 459 | } 460 | } 461 | 462 | size_t countNotFound() { return not_found; } 463 | size_t countFound() { return found; } 464 | 465 | protected: 466 | template 467 | bool processThunks_tpl(LPSTR lib_name, T_IMAGE_THUNK_DATA* desc, T_FIELD* call_via, T_FIELD ordinal_flag) 468 | { 469 | if (call_via == nullptr) { 470 | std::cerr << "Call via is empty!\n"; 471 | return false; 472 | } 473 | 474 | const std::string short_name = peconv::get_dll_shortname(lib_name); 475 | const bool is_by_ord = (desc->u1.Ordinal & ordinal_flag) != 0; 476 | if (is_by_ord) { 477 | return true; 478 | } 479 | 480 | PIMAGE_IMPORT_BY_NAME by_name = (PIMAGE_IMPORT_BY_NAME)((ULONGLONG)modulePtr + desc->u1.AddressOfData); 481 | std::vector names; 482 | HMODULE lib = LoadLibraryA(lib_name); 483 | if (!lib) { 484 | std::cerr << "Library not found: " << lib_name << std::endl; 485 | return false; 486 | } 487 | DWORD* checks_ptr = (DWORD*)(by_name->Name); 488 | DWORD curr_checks = (*checks_ptr); 489 | peconv::get_exported_names(lib, names); 490 | bool is_found = false; 491 | for (auto itr = names.begin(); itr != names.end(); itr++) { 492 | DWORD checks1 = xs_exe::calc_checksum((BYTE*)itr->c_str(), imp_key); 493 | if (checks1 == curr_checks) { 494 | ::memset(by_name->Name, 0, itr->length() + 1); 495 | ::memcpy(by_name->Name, itr->c_str(), itr->length()); 496 | is_found = true; 497 | found++; 498 | break; 499 | } 500 | } 501 | FreeLibrary(lib); 502 | if (!is_found) { 503 | not_found++; 504 | std::cerr << "Not found: " << lib_name << " Checksum: " << std::hex << curr_checks << "\n"; 505 | return false; 506 | } 507 | return true; 508 | } 509 | 510 | DWORD imp_key; 511 | bool is32b; 512 | 513 | size_t not_found; 514 | size_t found; 515 | }; 516 | }; 517 | 518 | 519 | template 520 | bool fill_headers(BYTE* rec_hdr, bool is32bit, ULONGLONG img_base, XS_FORMAT bee_hdr) 521 | { 522 | IMAGE_DOS_HEADER* dos_hdr = (IMAGE_DOS_HEADER*)rec_hdr; 523 | dos_hdr->e_magic = IMAGE_DOS_SIGNATURE; 524 | dos_hdr->e_lfanew = sizeof(IMAGE_DOS_HEADER); 525 | 526 | DWORD* pe_ptr = (DWORD*)(dos_hdr->e_lfanew + (ULONG_PTR)rec_hdr); 527 | *pe_ptr = IMAGE_NT_SIGNATURE; 528 | 529 | IMAGE_FILE_HEADER* file_hdrs = (IMAGE_FILE_HEADER*)((ULONG_PTR)rec_hdr + dos_hdr->e_lfanew + sizeof(IMAGE_NT_SIGNATURE)); 530 | if (is32bit) { 531 | file_hdrs->Machine = IMAGE_FILE_MACHINE_I386; 532 | } 533 | else { 534 | file_hdrs->Machine = IMAGE_FILE_MACHINE_AMD64; 535 | } 536 | file_hdrs->NumberOfSections = bee_hdr->sections_count; 537 | 538 | BYTE* opt_hdr = (BYTE*)((ULONG_PTR)file_hdrs + sizeof(IMAGE_FILE_HEADER)); 539 | size_t opt_hdr_size = 0; 540 | if (file_hdrs->Machine == IMAGE_FILE_MACHINE_AMD64) { 541 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE; 542 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER64); 543 | IMAGE_OPTIONAL_HEADER64* opt_hdr64 = (IMAGE_OPTIONAL_HEADER64*)opt_hdr; 544 | opt_hdr64->Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; 545 | opt_hdr64->ImageBase = img_base; 546 | fill_nt_hdrs(bee_hdr, opt_hdr64); 547 | } 548 | else { 549 | file_hdrs->Characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE; 550 | opt_hdr_size = sizeof(IMAGE_OPTIONAL_HEADER32); 551 | IMAGE_OPTIONAL_HEADER32* opt_hdr32 = (IMAGE_OPTIONAL_HEADER32*)opt_hdr; 552 | opt_hdr32->Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC; 553 | opt_hdr32->ImageBase = (DWORD)img_base; 554 | fill_nt_hdrs(bee_hdr, opt_hdr32); 555 | } 556 | 557 | file_hdrs->SizeOfOptionalHeader = (WORD)opt_hdr_size; 558 | 559 | IMAGE_SECTION_HEADER* sec_hdr = (IMAGE_SECTION_HEADER*)((ULONG_PTR)opt_hdr + opt_hdr_size); 560 | return fill_sections(&bee_hdr->sections, sec_hdr, bee_hdr->sections_count); 561 | } 562 | 563 | template 564 | bool fill_import_table(const int imp_type, XS_FORMAT* bee_hdr, BYTE* out_buf, size_t out_size, bool is32bit) 565 | { 566 | //WARNING: if the file alignment differs from virtual alignmnent it needs to be converted! 567 | DWORD imports_raw = bee_hdr->data_dir[XS_IMPORTS].dir_va; 568 | 569 | XS_IMPORT* xs_import = (XS_IMPORT*)((ULONG_PTR)out_buf + imports_raw); 570 | size_t dlls_count = count_imports(xs_import); 571 | 572 | std::cout << "DLLs count: " << std::dec << dlls_count << std::endl; 573 | const size_t imp_area_size = dlls_count * sizeof(IMAGE_IMPORT_DESCRIPTOR); 574 | 575 | BYTE* rec_imports = new BYTE[imp_area_size]; 576 | memset(rec_imports, 0, imp_area_size); 577 | if (!fill_imports(imp_type, out_buf, out_size, xs_import, (IMAGE_IMPORT_DESCRIPTOR*)rec_imports, dlls_count, bee_hdr->imp_key)) { 578 | std::cerr << "Failed to fill imports\n"; 579 | } 580 | 581 | memcpy(out_buf + imports_raw, rec_imports, imp_area_size); 582 | delete[]rec_imports; rec_imports = nullptr; 583 | 584 | xs_exe::ChecksumFiller collector(out_buf, out_size, bee_hdr->imp_key, is32bit); 585 | if (!peconv::process_import_table(out_buf, out_size, &collector)) { 586 | std::cerr << "Failed to process the import table\n"; 587 | } 588 | std::cout << "Filled " << collector.countFound() << " imports\n"; 589 | if ((collector.countNotFound() > 0) || (collector.countFound() < dlls_count)) { 590 | std::cerr << "WARNING: Some imports could not be found. It is possible that the bitness of the payload mismatch the bitness of converter. Try to use a "; 591 | #ifdef _WIN64 592 | std::cerr << "32"; 593 | #else 594 | std::cerr << "64"; 595 | #endif 596 | std::cerr << "-bit converter." << std::endl; 597 | return false; 598 | } 599 | return true; 600 | } 601 | 602 | template 603 | BLOB unscramble_xs1_pe(const int imp_type, BYTE *in_buf, size_t buf_size, bool isMapped) 604 | { 605 | BLOB mod = { 0 }; 606 | XS_FORMAT* bee_hdr = (XS_FORMAT*)in_buf; 607 | 608 | bool is32b = (bee_hdr->nt_magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? false : true; 609 | if (bee_hdr->nt_magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC && bee_hdr->nt_magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) { 610 | return mod; // not XS1 611 | } 612 | 613 | size_t out_size = buf_size > bee_hdr->module_size ? buf_size : bee_hdr->module_size; 614 | if (out_size < PAGE_SIZE) out_size = PAGE_SIZE; 615 | 616 | BYTE* out_buf = (BYTE*)::malloc(out_size); 617 | if (!out_buf) return mod; 618 | 619 | ::memset(out_buf, 0, out_size); 620 | 621 | xs1::print_format(bee_hdr); 622 | print_sections(&bee_hdr->sections, bee_hdr->sections_count); 623 | print_data_dirs(bee_hdr->data_dir, 3); 624 | 625 | size_t rec_size = PAGE_SIZE; 626 | if (bee_hdr->hdr_size > rec_size) return mod; 627 | 628 | DWORD img_base = isMapped ? 0 : 0x100000; 629 | BYTE *rec_hdr = new BYTE[rec_size]; 630 | memset(rec_hdr, 0, rec_size); 631 | 632 | fill_headers(rec_hdr, is32b, img_base, bee_hdr); 633 | 634 | copy_sections(bee_hdr, in_buf, out_buf, out_size, isMapped); 635 | 636 | ::memcpy(out_buf, rec_hdr, rec_size); 637 | delete[]rec_hdr; rec_hdr = nullptr; 638 | 639 | fill_import_table(imp_type, bee_hdr, out_buf, out_size, is32b); 640 | 641 | fill_relocations_table(*bee_hdr, out_buf, img_base); 642 | std::cout << "Finished...\n"; 643 | mod.pBlobData = out_buf; 644 | mod.cbSize = out_size; 645 | return mod; 646 | } 647 | 648 | BLOB xs_exe::xs1::unscramble_pe_A(BYTE* buf, size_t buf_size, bool isMapped) 649 | { 650 | return unscramble_xs1_pe(1, buf, buf_size, isMapped); 651 | } 652 | 653 | BLOB xs_exe::xs1::unscramble_pe_B(BYTE* buf, size_t buf_size, bool isMapped) 654 | { 655 | return unscramble_xs1_pe(2, buf, buf_size, isMapped); 656 | } 657 | 658 | BLOB xs_exe::xs2::unscramble_pe(BYTE* in_buf, size_t buf_size, bool isMapped, bool is32bit) 659 | { 660 | BLOB mod = { 0 }; 661 | t_XS_format* bee_hdr = (t_XS_format*)in_buf; 662 | size_t out_size = buf_size > bee_hdr->module_size ? buf_size : bee_hdr->module_size; 663 | if (out_size < PAGE_SIZE) out_size = PAGE_SIZE; 664 | 665 | BYTE* out_buf = (BYTE*)::malloc(out_size); 666 | if (!out_buf) return mod; 667 | 668 | ::memset(out_buf, 0, out_size); 669 | 670 | print_format(bee_hdr); 671 | print_sections(&bee_hdr->sections, bee_hdr->sections_count); 672 | print_data_dirs(bee_hdr->data_dir, 3); 673 | 674 | size_t rec_size = PAGE_SIZE; 675 | if (bee_hdr->hdr_size > rec_size) { 676 | std::cerr << "Invalid hdr size: " << bee_hdr->hdr_size << "\n"; 677 | return mod; 678 | } 679 | ULONGLONG img_base = 0; 680 | if (!isMapped) img_base = is32bit ? DEFAULT_BASE32 : DEFAULT_BASE64; 681 | 682 | BYTE* rec_hdr = new BYTE[rec_size]; 683 | memset(rec_hdr, 0, rec_size); 684 | 685 | fill_headers(rec_hdr, is32bit, img_base, bee_hdr); 686 | copy_sections(bee_hdr, in_buf, out_buf, out_size, isMapped); 687 | 688 | ::memcpy(out_buf, rec_hdr, rec_size); 689 | delete[]rec_hdr; rec_hdr = nullptr; 690 | const int imp_type = get_xs_import_type(bee_hdr, out_buf, out_size); 691 | 692 | std::cout << "Detected imports type: " << imp_type; 693 | if (imp_type == 1) { 694 | std::cout << " (Rhadamanthys v. < 0.9.0)" << std::endl; 695 | fill_import_table(imp_type, bee_hdr, out_buf, out_size, is32bit); 696 | } 697 | else if (imp_type == 2) { 698 | std::cout << " (Rhadamanthys v. >= 0.9.0)" << std::endl; 699 | fill_import_table(imp_type, bee_hdr, out_buf, out_size, is32bit); 700 | } 701 | std::cout << std::endl; 702 | if (is32bit) { 703 | fill_relocations_table(*bee_hdr, out_buf, (DWORD)img_base); 704 | } 705 | else { 706 | fill_relocations_table(*bee_hdr, out_buf, (ULONGLONG)img_base); 707 | } 708 | std::cout << "Finished...\n"; 709 | mod.pBlobData = out_buf; 710 | mod.cbSize = out_size; 711 | return mod; 712 | } 713 | 714 | template 715 | bool validate_xs_format(BYTE* in_buf, size_t buf_size) 716 | { 717 | XS_FORMAT* xs_hdr = (XS_FORMAT*)in_buf; 718 | if ((xs_hdr->hdr_size < buf_size) && (xs_hdr->sections_count > 0)) { 719 | const size_t calc_hdr_size = sizeof(XS_FORMAT) + ((xs_hdr->sections_count - 1) * sizeof(xs_exe::t_XS_section)); 720 | if (calc_hdr_size == xs_hdr->hdr_size) { 721 | return true; 722 | } 723 | } 724 | return false; 725 | } 726 | 727 | xs_variants check_xs1_subtype(BYTE* in_buf, size_t buf_size) 728 | { 729 | if (validate_xs_format(in_buf, buf_size)) { 730 | return xs_variants::XS_VARIANT1_A; 731 | } 732 | if (validate_xs_format(in_buf, buf_size)) { 733 | return xs_variants::XS_VARIANT1_B; 734 | } 735 | std::cerr << "Unknown variant of XS1\n"; 736 | return xs_variants::XS_NONE; 737 | } 738 | 739 | xs_variants xs_exe::check_xs_variant(BYTE* in_buf, size_t buf_size) 740 | { 741 | if (!in_buf) return xs_variants::XS_NONE; 742 | 743 | xs1::t_XS_format_A* xs_hdr = (xs1::t_XS_format_A*)in_buf; 744 | if (xs_hdr->magic != XS_MAGIC) { 745 | return xs_variants::XS_NONE; 746 | } 747 | if (xs_hdr->nt_magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC || xs_hdr->nt_magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { 748 | return check_xs1_subtype(in_buf, buf_size); 749 | } 750 | return xs_variants::XS_VARIANT2; 751 | } 752 | -------------------------------------------------------------------------------- /bee_lvl2_converter/xs_exe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const WORD XS_MAGIC = 0x5358; 6 | 7 | namespace xs_exe { 8 | 9 | const size_t XS_DATA_DIR_COUNT = 3; 10 | 11 | enum data_dir_id { 12 | XS_IMPORTS = 0, 13 | XS_EXCEPTIONS = 1, 14 | XS_RELOCATIONS = 2 15 | }; 16 | 17 | typedef struct { 18 | DWORD va; 19 | DWORD raw_addr; 20 | DWORD size; 21 | DWORD flags; 22 | } t_XS_section; 23 | 24 | struct xs_relocs_block 25 | { 26 | DWORD page_rva; 27 | DWORD entries_count; 28 | }; 29 | 30 | struct xs_relocs 31 | { 32 | DWORD count; 33 | xs_relocs_block blocks[1]; 34 | }; 35 | 36 | struct xs_reloc_entry { 37 | BYTE field1_hi; 38 | BYTE mid; 39 | BYTE field2_low; 40 | }; 41 | 42 | namespace xs1 { 43 | 44 | typedef struct { 45 | DWORD dir_size; 46 | DWORD dir_va; 47 | } t_XS_data_dir; 48 | 49 | typedef struct { 50 | WORD magic; 51 | WORD nt_magic; 52 | WORD sections_count; 53 | WORD imp_key; 54 | WORD hdr_size; 55 | WORD ver; 56 | DWORD module_size; 57 | DWORD entry_point; 58 | t_XS_data_dir data_dir[XS_DATA_DIR_COUNT]; 59 | t_XS_section sections; 60 | } t_XS_format_A; 61 | 62 | #pragma pack(push, 1) // Adjust to one byte 63 | typedef struct { 64 | WORD magic; 65 | WORD nt_magic; 66 | WORD sections_count; 67 | WORD hdr_size; 68 | BYTE ver; 69 | BYTE imp_key; 70 | DWORD module_size; 71 | DWORD entry_point; 72 | t_XS_data_dir data_dir[XS_DATA_DIR_COUNT]; 73 | t_XS_section sections; 74 | } t_XS_format_B; 75 | #pragma pack(pop) // Back to the previous settings 76 | 77 | typedef struct { 78 | DWORD dll_name_rva; 79 | DWORD first_thunk; 80 | DWORD original_first_thunk; 81 | DWORD obf_dll_len; 82 | } t_XS_import; 83 | 84 | BLOB unscramble_pe_A(BYTE* buf, size_t buf_size, bool isMapped); 85 | BLOB unscramble_pe_B(BYTE* buf, size_t buf_size, bool isMapped); 86 | }; // xs1 87 | 88 | namespace xs2 89 | { 90 | typedef struct { 91 | DWORD dir_va; 92 | DWORD dir_size; 93 | } t_XS_data_dir; 94 | 95 | typedef struct { 96 | WORD magic; 97 | WORD sections_count; 98 | WORD hdr_size; 99 | WORD imp_key; 100 | DWORD module_size; 101 | DWORD entry_point; 102 | DWORD entry_point_alt; 103 | t_XS_data_dir data_dir[XS_DATA_DIR_COUNT]; 104 | t_XS_section sections; 105 | } t_XS_format; 106 | 107 | #pragma pack(push, 1) // Adjust to one byte 108 | typedef struct { 109 | DWORD dll_name_rva; 110 | DWORD first_thunk; 111 | DWORD original_first_thunk; 112 | WORD obf_dll_len; 113 | } t_XS_import_A; 114 | #pragma pack(pop) // Back to the previous settings 115 | 116 | #pragma pack(push, 1) // Adjust to one byte 117 | typedef struct { 118 | DWORD dll_name_rva; 119 | DWORD first_thunk; 120 | DWORD original_first_thunk; 121 | DWORD obf_dll_len; 122 | } t_XS_import_B; 123 | #pragma pack(pop) // Back to the previous settings 124 | 125 | BLOB unscramble_pe(BYTE* buf, size_t buf_size, bool isMapped, bool is32bit); 126 | }; // xs2 127 | 128 | enum xs_variants { 129 | XS_NONE = 0, 130 | XS_VARIANT1_A = 1, 131 | XS_VARIANT2 = 2, 132 | XS_VARIANT1_B = 3 133 | }; 134 | 135 | xs_variants check_xs_variant(BYTE* buf, size_t buf_size); 136 | }; 137 | -------------------------------------------------------------------------------- /pics/format.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/format.png -------------------------------------------------------------------------------- /pics/ns_format1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/ns_format1.png -------------------------------------------------------------------------------- /pics/ns_format_imports.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/ns_format_imports.png -------------------------------------------------------------------------------- /pics/rcx_format.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/rcx_format.png -------------------------------------------------------------------------------- /pics/rdx_format.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/rdx_format.png -------------------------------------------------------------------------------- /pics/scrambled_pe1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasherezade/hidden_bee_tools/e3252ea654f73821b0fc632d57f6203fa06a02ca/pics/scrambled_pe1.png -------------------------------------------------------------------------------- /rcx_converter/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.12) 2 | 3 | # replace "project_template" by your own project name: 4 | project ( rcx_converter ) 5 | 6 | set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") 7 | 8 | # include libpeconv headers: 9 | include_directories ( ${PECONV_DIR}/include ) 10 | include_directories ( tiny-AES-c ) 11 | 12 | set (srcs 13 | rcx.cpp 14 | util.cpp 15 | tiny-AES-c/aes.c 16 | ) 17 | 18 | # general headers - they will be used for both EXE and DLL: 19 | set (hdrs 20 | rcx.h 21 | util.h 22 | tiny-AES-c/aes.hpp 23 | ) 24 | 25 | # Choose to build the DLL or EXE 26 | add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} main.cpp ) 27 | 28 | # link with libpeconv.lib 29 | target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} ) 30 | 31 | #dependencies: 32 | add_dependencies( ${PROJECT_NAME} libpeconv ) 33 | 34 | INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} ) 35 | -------------------------------------------------------------------------------- /rcx_converter/LICENSE: -------------------------------------------------------------------------------- 1 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 2 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 3 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 4 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 5 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 6 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 7 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 8 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 9 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 10 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 11 | -------------------------------------------------------------------------------- /rcx_converter/README.md: -------------------------------------------------------------------------------- 1 | # rcx_converter 2 | 3 | Extracts the modules from the HiddenBee's custom **!rcx** filesystem. 4 | 5 | ![rcx diagram](../pics/rcx_format.png) 6 | 7 | -------------------------------------------------------------------------------- /rcx_converter/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "rcx.h" 6 | #include "util.h" 7 | 8 | 9 | BYTE *jpg_to_rcx(BYTE *buf, size_t buf_size) 10 | { 11 | const size_t jpg_size = 10; 12 | unsigned char jpg_hdr[jpg_size] = { 13 | 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x18, 0x4A, 0x46, 0x49, 0x46 14 | }; 15 | 16 | if (memcmp(buf, jpg_hdr, jpg_size) != 0) { 17 | return nullptr; // not a JPG 18 | } 19 | BYTE xor_key = buf[buf_size - 1]; 20 | util::dexor(buf, buf_size, xor_key); 21 | 22 | BYTE* found = util::find_marker(buf, buf_size, RCX_MAGIC); 23 | return found; 24 | } 25 | 26 | int main(int argc, char *argv[]) 27 | { 28 | if (argc < 2) { 29 | std::cout << "Args: " << std::endl; 30 | system("pause"); 31 | return -1; 32 | } 33 | size_t buf_size = 0; 34 | size_t rcx_size = buf_size; 35 | BYTE* buf = peconv::load_file(argv[1], buf_size); 36 | if (!buf) { 37 | std::cout << "Could not open the file!\n"; 38 | return 0; 39 | } 40 | BYTE *rcx_ptr = buf; 41 | if (*((DWORD*)buf) != RCX_MAGIC) { 42 | rcx_ptr = jpg_to_rcx(buf, buf_size); 43 | if (!rcx_ptr) return 0; 44 | 45 | rcx_size = buf_size - ((ULONG_PTR)rcx_ptr - (ULONG_PTR)buf); 46 | char* out_name = "decoded.rcx"; 47 | if (peconv::dump_to_file(out_name, rcx_ptr, rcx_size)) { 48 | std::cout << "[*] Found RCX module in JPG, saved as: " << out_name << " \n"; 49 | } 50 | } 51 | 52 | const size_t count = rcx_fs::enum_modules(rcx_ptr, rcx_size); 53 | if (count) { 54 | rcx_fs::dump_modules(rcx_ptr, rcx_size); 55 | } 56 | return count; 57 | } 58 | -------------------------------------------------------------------------------- /rcx_converter/rcx.cpp: -------------------------------------------------------------------------------- 1 | #include "rcx.h" 2 | #include 3 | #include 4 | 5 | #include "util.h" 6 | #include 7 | 8 | #define _DECODE 9 | 10 | using namespace rcx_fs; 11 | 12 | BYTE *g_AESKey = NULL; 13 | 14 | bool is_rcx(BYTE* buf, size_t buf_size) 15 | { 16 | if (!buf || !buf_size) return false; 17 | const DWORD *magic = (DWORD*)buf; 18 | if (*magic != RCX_MAGIC) { 19 | std::cout << "[!] Magic number mismatch: " << std::hex << *magic << " vs: " << RCX_MAGIC << "\n"; 20 | return false; 21 | } 22 | return true; 23 | } 24 | 25 | std::string translate_type(DWORD type) 26 | { 27 | switch (type) { 28 | case RCX_PLAIN_SHELLCODE: 29 | return "plain: shellcode"; 30 | case RCX_XOR_COMPRESSED_SHELLCODE32: 31 | return "XORed and compressed shellcode (32 bit)"; 32 | case RCX_XOR_COMPRESSED_SHELLCODE64: 33 | return "XORed and compressed shellcode (64 bit)"; 34 | case RCX_AES_KEY: 35 | return "AES key"; 36 | case RCX_AES_LZMA_BLOB: 37 | return "AES encrypted & LZMA compressed RDX module"; 38 | case RCX_PLAIN_URLS: 39 | return "plain: URLs"; 40 | } 41 | return "Unknown"; 42 | } 43 | 44 | size_t rcx_fs::enum_modules(BYTE* buf, size_t buf_size) 45 | { 46 | if (!is_rcx(buf, buf_size)) return 0; 47 | 48 | rcx_struct *rcx_buf = (rcx_struct*) buf; 49 | size_t count = 0; 50 | 51 | std::cout << std::hex << "RCX size: " << rcx_buf->rcx_size << "\n\n"; 52 | 53 | rcx_record *record = (rcx_record*)rcx_buf->records; 54 | while (record) { 55 | if (record->data_size == 0) { 56 | break; 57 | } 58 | std::cout << std::hex << "next: " << record->next_offset << "\n"; 59 | std::cout << std::hex << "type: " << record->type << " : " << translate_type (record->type) << "\n" 60 | << "size: " << record->data_size << "\n" 61 | << "out_size: " << record->output_size << "\n\n"; 62 | 63 | count++; 64 | DWORD offset = record->next_offset; 65 | if (offset == 0 || offset > buf_size) break; 66 | 67 | record = (rcx_record*)(buf + offset); 68 | } 69 | return count; 70 | } 71 | 72 | std::string make_name(rcx_record *record, DWORD offset, char *extension) 73 | { 74 | std::stringstream ss; 75 | ss << std::hex << record->type << "_" << offset << extension; 76 | return ss.str(); 77 | } 78 | 79 | bool decode_module(rcx_record *record, DWORD offset) 80 | { 81 | if (record->type == RCX_XOR_COMPRESSED_SHELLCODE32 || record->type == RCX_XOR_COMPRESSED_SHELLCODE64) { 82 | util::dexor(record->data_buf, record->data_size, 0xE1); 83 | BYTE *out_buf = (BYTE *)malloc(record->output_size); 84 | int count = util::decompress(record->data_buf, record->data_size, out_buf, record->output_size); 85 | if (count != record->output_size) { 86 | std::cout << "Decompression failed, out: " << count << " vs " << record->output_size << "\n"; 87 | free(out_buf); 88 | return false; 89 | } 90 | std::string name1 = make_name(record, offset, "_decoded.shc"); 91 | if (peconv::dump_to_file(name1.c_str(), out_buf, record->output_size)) { 92 | std::cout << "[*] Saved to: " << name1 << "\n"; 93 | free(out_buf); 94 | return true; 95 | } 96 | free(out_buf); 97 | } 98 | if (record->type == RCX_AES_KEY && record->data_size == 16) { 99 | g_AESKey = record->data_buf; 100 | } 101 | if (record->type == RCX_AES_LZMA_BLOB && g_AESKey) { 102 | util::aes_decrypt(record->data_buf, record->data_size, g_AESKey); 103 | 104 | BYTE *out_buf = (BYTE *)malloc(record->output_size); 105 | int count = util::lzma_decompress(record->data_buf, record->data_size, out_buf, record->output_size); 106 | if (count != record->output_size) { 107 | std::cout << "LZMA Decompression failed, out: " << count << " vs " << record->output_size << "\n"; 108 | free(out_buf); 109 | return false; 110 | } 111 | DWORD *rdx = (DWORD*)(out_buf); 112 | bool is_ok = (rdx && (*rdx == 'xdr!')); 113 | if (is_ok) { 114 | std::string name1 = make_name(record, offset, ".rdx"); 115 | if (peconv::dump_to_file(name1.c_str(), out_buf, record->output_size)) { 116 | std::cout << "[*] Saved to: " << name1 << "\n"; 117 | } 118 | } 119 | free(out_buf); 120 | return is_ok; 121 | } 122 | return false; 123 | } 124 | 125 | size_t rcx_fs::dump_modules(BYTE* buf, size_t buf_size) 126 | { 127 | if (!is_rcx(buf, buf_size)) return 0; 128 | 129 | rcx_struct *rcx_buf = (rcx_struct*)buf; 130 | size_t count = 0; 131 | 132 | rcx_record *record = (rcx_record*)rcx_buf->records; 133 | DWORD offset = FIELD_OFFSET(rcx_struct, records); 134 | while (record) { 135 | if (record->data_size == 0) { 136 | break; 137 | } 138 | 139 | std::string name1 = make_name(record, offset, ".bin"); 140 | if (peconv::dump_to_file(name1.c_str(), record->data_buf, record->data_size)) { 141 | std::cout << "[*] Saved to: " << name1 << "\n"; 142 | count++; 143 | } 144 | 145 | #ifdef _DECODE 146 | decode_module(record, offset); 147 | #endif 148 | offset = record->next_offset; 149 | if (offset == 0 || offset > buf_size) break; 150 | 151 | record = (rcx_record*)(buf + offset); 152 | } 153 | return count; 154 | } 155 | -------------------------------------------------------------------------------- /rcx_converter/rcx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const DWORD RCX_MAGIC = 'xcr!'; 6 | 7 | namespace rcx_fs { 8 | 9 | enum record_type { 10 | RCX_PLAIN_SHELLCODE = 0, 11 | RCX_XOR_COMPRESSED_SHELLCODE32 = 0xB, 12 | RCX_XOR_COMPRESSED_SHELLCODE64 = 0xC, 13 | RCX_AES_KEY = 0x15, 14 | RCX_AES_LZMA_BLOB = 0x16, 15 | RCX_PLAIN_URLS = 0x28 16 | }; 17 | 18 | typedef struct _rcx_record 19 | { 20 | DWORD next_offset; 21 | DWORD type; 22 | DWORD data_size; 23 | DWORD output_size; 24 | BYTE data_buf[1]; //buffer of data_size 25 | } rcx_record; 26 | 27 | typedef struct _rcx_struct 28 | { 29 | DWORD rcx_magic; // '!rcx' 30 | DWORD rcx_size; 31 | BYTE sha256[32]; 32 | rcx_record records[1]; // 0 terminated list of records 33 | } rcx_struct; 34 | 35 | size_t enum_modules(BYTE* buf, size_t buf_size); 36 | size_t dump_modules(BYTE* buf, size_t buf_size); 37 | }; 38 | -------------------------------------------------------------------------------- /rcx_converter/shellcode2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | const size_t shellcode2_size = 11312; 4 | unsigned char shellcode2_data[shellcode2_size] = { 5 | 0xE9, 0xCA, 0x07, 0x00, 0x00, 0xE8, 0x28, 0x03, 0x00, 0x00, 0x98, 0x2F, 6 | 0x8A, 0x42, 0x91, 0x44, 0x37, 0x71, 0xCF, 0xFB, 0xC0, 0xB5, 0xA5, 0xDB, 7 | 0xB5, 0xE9, 0x5B, 0xC2, 0x56, 0x39, 0xF1, 0x11, 0xF1, 0x59, 0xA4, 0x82, 8 | 0x3F, 0x92, 0xD5, 0x5E, 0x1C, 0xAB, 0x98, 0xAA, 0x07, 0xD8, 0x01, 0x5B, 9 | 0x83, 0x12, 0xBE, 0x85, 0x31, 0x24, 0xC3, 0x7D, 0x0C, 0x55, 0x74, 0x5D, 10 | 0xBE, 0x72, 0xFE, 0xB1, 0xDE, 0x80, 0xA7, 0x06, 0xDC, 0x9B, 0x74, 0xF1, 11 | 0x9B, 0xC1, 0xC1, 0x69, 0x9B, 0xE4, 0x86, 0x47, 0xBE, 0xEF, 0xC6, 0x9D, 12 | 0xC1, 0x0F, 0xCC, 0xA1, 0x0C, 0x24, 0x6F, 0x2C, 0xE9, 0x2D, 0xAA, 0x84, 13 | 0x74, 0x4A, 0xDC, 0xA9, 0xB0, 0x5C, 0xDA, 0x88, 0xF9, 0x76, 0x52, 0x51, 14 | 0x3E, 0x98, 0x6D, 0xC6, 0x31, 0xA8, 0xC8, 0x27, 0x03, 0xB0, 0xC7, 0x7F, 15 | 0x59, 0xBF, 0xF3, 0x0B, 0xE0, 0xC6, 0x47, 0x91, 0xA7, 0xD5, 0x51, 0x63, 16 | 0xCA, 0x06, 0x67, 0x29, 0x29, 0x14, 0x85, 0x0A, 0xB7, 0x27, 0x38, 0x21, 17 | 0x1B, 0x2E, 0xFC, 0x6D, 0x2C, 0x4D, 0x13, 0x0D, 0x38, 0x53, 0x54, 0x73, 18 | 0x0A, 0x65, 0xBB, 0x0A, 0x6A, 0x76, 0x2E, 0xC9, 0xC2, 0x81, 0x85, 0x2C, 19 | 0x72, 0x92, 0xA1, 0xE8, 0xBF, 0xA2, 0x4B, 0x66, 0x1A, 0xA8, 0x70, 0x8B, 20 | 0x4B, 0xC2, 0xA3, 0x51, 0x6C, 0xC7, 0x19, 0xE8, 0x92, 0xD1, 0x24, 0x06, 21 | 0x99, 0xD6, 0x85, 0x35, 0x0E, 0xF4, 0x70, 0xA0, 0x6A, 0x10, 0x16, 0xC1, 22 | 0xA4, 0x19, 0x08, 0x6C, 0x37, 0x1E, 0x4C, 0x77, 0x48, 0x27, 0xB5, 0xBC, 23 | 0xB0, 0x34, 0xB3, 0x0C, 0x1C, 0x39, 0x4A, 0xAA, 0xD8, 0x4E, 0x4F, 0xCA, 24 | 0x9C, 0x5B, 0xF3, 0x6F, 0x2E, 0x68, 0xEE, 0x82, 0x8F, 0x74, 0x6F, 0x63, 25 | 0xA5, 0x78, 0x14, 0x78, 0xC8, 0x84, 0x08, 0x02, 0xC7, 0x8C, 0xFA, 0xFF, 26 | 0xBE, 0x90, 0xEB, 0x6C, 0x50, 0xA4, 0xF7, 0xA3, 0xF9, 0xBE, 0xF2, 0x78, 27 | 0x71, 0xC6, 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 28 | 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 29 | 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 30 | 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 31 | 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 32 | 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 33 | 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 34 | 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 35 | 0x9D, 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 36 | 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 37 | 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 38 | 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 39 | 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 40 | 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 41 | 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 42 | 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 43 | 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 44 | 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 45 | 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 46 | 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 47 | 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 48 | 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D, 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 49 | 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 50 | 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 51 | 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 52 | 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 53 | 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 54 | 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 55 | 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 56 | 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 57 | 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 58 | 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 59 | 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 60 | 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 61 | 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 62 | 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 63 | 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 64 | 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 65 | 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 66 | 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 67 | 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 68 | 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 69 | 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16, 0x2F, 0x62, 70 | 0x69, 0x6E, 0x2F, 0x69, 0x33, 0x38, 0x36, 0x2F, 0x70, 0x72, 0x65, 0x6C, 71 | 0x6F, 0x61, 0x64, 0x00, 0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x69, 0x33, 0x38, 72 | 0x36, 0x2F, 0x63, 0x6F, 0x72, 0x65, 0x64, 0x6C, 0x6C, 0x2E, 0x62, 0x69, 73 | 0x6E, 0x00, 0x58, 0xC3, 0x80, 0xF9, 0x40, 0x73, 0x15, 0x80, 0xF9, 0x20, 74 | 0x73, 0x06, 0x0F, 0xAD, 0xD0, 0xD3, 0xEA, 0xC3, 0x8B, 0xC2, 0x33, 0xD2, 75 | 0x80, 0xE1, 0x1F, 0xD3, 0xE8, 0xC3, 0x33, 0xC0, 0x33, 0xD2, 0xC3, 0x55, 76 | 0x8B, 0xEC, 0x51, 0x51, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC, 0x83, 0x65, 77 | 0xF8, 0x00, 0xEB, 0x07, 0x8B, 0x45, 0xF8, 0x40, 0x89, 0x45, 0xF8, 0x8B, 78 | 0x45, 0xF8, 0x3B, 0x45, 0x0C, 0x73, 0x0B, 0x8B, 0x45, 0xFC, 0x03, 0x45, 79 | 0xF8, 0x80, 0x20, 0x00, 0xEB, 0xE6, 0xC9, 0xC2, 0x08, 0x00, 0x55, 0x8B, 80 | 0xEC, 0x83, 0xEC, 0x0C, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC, 0x8B, 0x45, 81 | 0x0C, 0x89, 0x45, 0xF8, 0x83, 0x65, 0xF4, 0x00, 0xEB, 0x07, 0x8B, 0x45, 82 | 0xF4, 0x40, 0x89, 0x45, 0xF4, 0x8B, 0x45, 0xF4, 0x3B, 0x45, 0x10, 0x73, 83 | 0x1D, 0x8B, 0x45, 0xFC, 0x03, 0x45, 0xF4, 0x0F, 0xB6, 0x00, 0x8B, 0x4D, 84 | 0xF8, 0x03, 0x4D, 0xF4, 0x0F, 0xB6, 0x09, 0x3B, 0xC1, 0x74, 0x05, 0x8B, 85 | 0x45, 0xF4, 0xEB, 0x05, 0xEB, 0xD4, 0x8B, 0x45, 0x10, 0xC9, 0xC2, 0x0C, 86 | 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C, 0x8B, 0x45, 0x08, 0x89, 0x45, 87 | 0xFC, 0x8B, 0x45, 0x0C, 0x89, 0x45, 0xF8, 0x83, 0x65, 0xF4, 0x00, 0xEB, 88 | 0x07, 0x8B, 0x45, 0xF4, 0x40, 0x89, 0x45, 0xF4, 0x8B, 0x45, 0xF4, 0x3B, 89 | 0x45, 0x10, 0x73, 0x12, 0x8B, 0x45, 0xFC, 0x03, 0x45, 0xF4, 0x8B, 0x4D, 90 | 0xF8, 0x03, 0x4D, 0xF4, 0x8A, 0x09, 0x88, 0x08, 0xEB, 0xDF, 0xC9, 0xC2, 91 | 0x0C, 0x00, 0x0F, 0xB6, 0x4C, 0x24, 0x04, 0x8B, 0xC1, 0x03, 0xC9, 0xC1, 92 | 0xE8, 0x07, 0x6B, 0xC0, 0x1B, 0x33, 0xC1, 0xC2, 0x04, 0x00, 0x8B, 0x54, 93 | 0x24, 0x08, 0x56, 0x8B, 0x74, 0x24, 0x08, 0x0F, 0xB6, 0x06, 0x46, 0x83, 94 | 0xF8, 0x41, 0x7C, 0x08, 0x83, 0xF8, 0x5A, 0x7F, 0x03, 0x83, 0xC0, 0x20, 95 | 0x0F, 0xB6, 0x0A, 0x42, 0x83, 0xF9, 0x41, 0x7C, 0x08, 0x83, 0xF9, 0x5A, 96 | 0x7F, 0x03, 0x83, 0xC1, 0x20, 0x85, 0xC0, 0x74, 0x04, 0x3B, 0xC1, 0x74, 97 | 0xD6, 0x2B, 0xC1, 0x5E, 0xC3, 0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x5C, 0x01, 98 | 0x00, 0x00, 0x83, 0x65, 0xFC, 0x00, 0x53, 0x8B, 0x5D, 0x0C, 0x56, 0x57, 99 | 0x81, 0x3B, 0x21, 0x72, 0x63, 0x78, 0x0F, 0x85, 0xE8, 0x01, 0x00, 0x00, 100 | 0x8B, 0x45, 0x10, 0x83, 0xF8, 0x28, 0x0F, 0x86, 0xDC, 0x01, 0x00, 0x00, 101 | 0x3B, 0x43, 0x04, 0x0F, 0x82, 0xD3, 0x01, 0x00, 0x00, 0x6A, 0x20, 0x8D, 102 | 0x73, 0x08, 0x5F, 0x8D, 0x45, 0xC4, 0x57, 0x56, 0x50, 0xE8, 0x33, 0xFF, 103 | 0xFF, 0xFF, 0x57, 0x56, 0xE8, 0xB2, 0xFE, 0xFF, 0xFF, 0x8D, 0x85, 0x54, 104 | 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0xEB, 0x22, 0x00, 0x00, 0xFF, 0x75, 0x10, 105 | 0x8D, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x53, 0x50, 0xE8, 0x2E, 0x23, 0x00, 106 | 0x00, 0x8D, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x50, 0x56, 0xE8, 0x84, 0x23, 107 | 0x00, 0x00, 0x57, 0x8D, 0x45, 0xC4, 0x56, 0x50, 0xE8, 0xAD, 0xFE, 0xFF, 108 | 0xFF, 0x3B, 0xC7, 0x0F, 0x85, 0x7F, 0x01, 0x00, 0x00, 0x80, 0x65, 0xE4, 109 | 0x00, 0x33, 0xC0, 0x8D, 0x7D, 0xE5, 0x8B, 0x53, 0x04, 0xAB, 0xAB, 0xAB, 110 | 0x66, 0xAB, 0xAA, 0x8B, 0x4B, 0x28, 0x8D, 0x43, 0x28, 0x6A, 0x28, 0x5E, 111 | 0x3B, 0xCA, 0x73, 0x30, 0x8B, 0x78, 0x08, 0x03, 0xF7, 0x3B, 0xF2, 0x77, 112 | 0x27, 0x83, 0x78, 0x04, 0x15, 0x75, 0x05, 0x83, 0xFF, 0x10, 0x74, 0x0D, 113 | 0x85, 0xC9, 0x74, 0x18, 0x8D, 0x04, 0x19, 0x8B, 0xF1, 0x8B, 0x08, 0xEB, 114 | 0xDB, 0x83, 0xC0, 0x10, 0x6A, 0x10, 0x50, 0x8D, 0x45, 0xE4, 0x50, 0xE8, 115 | 0xA1, 0xFE, 0xFF, 0xFF, 0x8B, 0x43, 0x28, 0x8B, 0x4B, 0x04, 0x8D, 0x73, 116 | 0x28, 0x6A, 0x28, 0x5A, 0x3B, 0xC1, 0x0F, 0x83, 0x1C, 0x01, 0x00, 0x00, 117 | 0x8B, 0x7E, 0x08, 0x03, 0xFA, 0x3B, 0xF9, 0x0F, 0x87, 0x0F, 0x01, 0x00, 118 | 0x00, 0x83, 0x7E, 0x04, 0x16, 0x74, 0x11, 0x85, 0xC0, 0x0F, 0x84, 0x01, 119 | 0x01, 0x00, 0x00, 0x8D, 0x34, 0x18, 0x8B, 0xD0, 0x8B, 0x06, 0xEB, 0xD4, 120 | 0x8B, 0x46, 0x08, 0xA8, 0x0F, 0x0F, 0x85, 0xED, 0x00, 0x00, 0x00, 0x8B, 121 | 0x7D, 0x08, 0x50, 0x6A, 0x08, 0xFF, 0x57, 0x08, 0x50, 0xFF, 0x57, 0x0C, 122 | 0x85, 0xC0, 0x89, 0x45, 0x10, 0x0F, 0x84, 0xD5, 0x00, 0x00, 0x00, 0xFF, 123 | 0x76, 0x0C, 0x6A, 0x08, 0xFF, 0x57, 0x08, 0x50, 0xFF, 0x57, 0x0C, 0x8B, 124 | 0xD8, 0x85, 0xDB, 0x89, 0x5D, 0xF8, 0x0F, 0x84, 0xB0, 0x00, 0x00, 0x00, 125 | 0x8B, 0x46, 0x0C, 0x89, 0x45, 0xF4, 0x8D, 0x45, 0xE4, 0x50, 0x8D, 0x85, 126 | 0xA4, 0xFE, 0xFF, 0xFF, 0x50, 0xE8, 0xD8, 0x20, 0x00, 0x00, 0x83, 0x65, 127 | 0x0C, 0x00, 0x83, 0x7E, 0x08, 0x00, 0x76, 0x32, 0x8B, 0x5D, 0x10, 0x8D, 128 | 0x46, 0x10, 0x2B, 0xC3, 0x89, 0x45, 0x08, 0xEB, 0x03, 0x8B, 0x45, 0x08, 129 | 0x8D, 0x8D, 0xA4, 0xFE, 0xFF, 0xFF, 0x03, 0xC3, 0x51, 0x50, 0x53, 0xE8, 130 | 0xB2, 0x1B, 0x00, 0x00, 0x83, 0x45, 0x0C, 0x10, 0x83, 0xC3, 0x10, 0x8B, 131 | 0x45, 0x0C, 0x3B, 0x46, 0x08, 0x72, 0xDE, 0x8B, 0x5D, 0xF8, 0xFF, 0x76, 132 | 0x08, 0x8D, 0x45, 0xF4, 0xFF, 0x75, 0x10, 0x50, 0x53, 0x57, 0xE8, 0x63, 133 | 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x3F, 0x6A, 0x0C, 0x6A, 0x08, 0xFF, 134 | 0x57, 0x08, 0x50, 0xFF, 0x57, 0x0C, 0x85, 0xC0, 0x89, 0x45, 0xFC, 0x74, 135 | 0x2D, 0x89, 0x18, 0x81, 0x3B, 0x21, 0x72, 0x64, 0x78, 0x75, 0x0E, 0x8D, 136 | 0x4B, 0x04, 0x89, 0x48, 0x04, 0x8B, 0x4E, 0x0C, 0x89, 0x48, 0x08, 0xEB, 137 | 0x11, 0x50, 0x6A, 0x00, 0xFF, 0x57, 0x08, 0x50, 0xFF, 0x57, 0x10, 0x83, 138 | 0x65, 0xFC, 0x00, 0x8B, 0x45, 0xFC, 0x85, 0xC0, 0x75, 0x0A, 0x53, 0x6A, 139 | 0x00, 0xFF, 0x57, 0x08, 0x50, 0xFF, 0x57, 0x10, 0xFF, 0x75, 0x10, 0x6A, 140 | 0x00, 0xFF, 0x57, 0x08, 0x50, 0xFF, 0x57, 0x10, 0x8B, 0x45, 0xFC, 0x5F, 141 | 0x5E, 0x5B, 0xC9, 0xC2, 0x0C, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 142 | 0x8B, 0x45, 0x18, 0x53, 0x83, 0xC0, 0xFB, 0x56, 0x89, 0x45, 0xF8, 0x57, 143 | 0x8D, 0x45, 0xFC, 0x6A, 0x04, 0x50, 0xE8, 0xD0, 0xFC, 0xFF, 0xFF, 0x8B, 144 | 0x7D, 0x14, 0x33, 0xF6, 0x33, 0xDB, 0x89, 0x75, 0x18, 0x8D, 0x47, 0x05, 145 | 0x8A, 0x10, 0x83, 0xFE, 0x20, 0x73, 0x0B, 0x0F, 0xB6, 0xD2, 0x8B, 0xCE, 146 | 0xD3, 0xE2, 0x03, 0xDA, 0xEB, 0x0B, 0x0F, 0xB6, 0xD2, 0x8D, 0x4E, 0xE0, 147 | 0xD3, 0xE2, 0x01, 0x55, 0x18, 0x83, 0xC6, 0x08, 0x40, 0x83, 0xFE, 0x40, 148 | 0x72, 0xDA, 0x83, 0x7D, 0x18, 0x00, 0x74, 0x0B, 0x83, 0x7D, 0x18, 0xFF, 149 | 0x75, 0x39, 0x83, 0xFB, 0xFF, 0x75, 0x34, 0x8B, 0x45, 0x08, 0x89, 0x5D, 150 | 0x18, 0x89, 0x45, 0xF4, 0x8D, 0x45, 0xEC, 0x50, 0x8D, 0x45, 0xFC, 0x50, 151 | 0x6A, 0x00, 0x6A, 0x05, 0x8D, 0x45, 0xF8, 0x57, 0x50, 0x83, 0xC7, 0x0D, 152 | 0x8D, 0x45, 0x18, 0x57, 0x50, 0xFF, 0x75, 0x0C, 0xE8, 0x0E, 0x1A, 0x00, 153 | 0x00, 0x8B, 0x4D, 0x10, 0x8B, 0x55, 0x18, 0x89, 0x11, 0xEB, 0x03, 0x6A, 154 | 0x01, 0x58, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x14, 0x00, 0x56, 0x8B, 0x74, 155 | 0x24, 0x08, 0x57, 0x8B, 0x7C, 0x24, 0x10, 0x8B, 0x07, 0x85, 0xC0, 0x74, 156 | 0x0A, 0x50, 0x6A, 0x00, 0xFF, 0x56, 0x08, 0x50, 0xFF, 0x56, 0x10, 0x57, 157 | 0x6A, 0x00, 0xFF, 0x56, 0x08, 0x50, 0xFF, 0x56, 0x10, 0x5F, 0x5E, 0xC2, 158 | 0x08, 0x00, 0x55, 0x8B, 0xEC, 0x51, 0x83, 0x65, 0xFC, 0x00, 0x53, 0x56, 159 | 0x57, 0x8B, 0x7D, 0x0C, 0x85, 0xFF, 0x0F, 0x84, 0x81, 0x00, 0x00, 0x00, 160 | 0x8B, 0x5D, 0x10, 0x85, 0xDB, 0x74, 0x7A, 0x80, 0x3B, 0x2F, 0x8B, 0x77, 161 | 0x04, 0x75, 0x01, 0x43, 0x8B, 0x4E, 0x08, 0x8D, 0x46, 0x0C, 0x03, 0x4E, 162 | 0x04, 0x3B, 0x4F, 0x08, 0x77, 0x63, 0x50, 0x53, 0xE8, 0xB5, 0xFC, 0xFF, 163 | 0xFF, 0x59, 0x85, 0xC0, 0x59, 0x74, 0x23, 0x8B, 0x06, 0x85, 0xC0, 0x74, 164 | 0x50, 0x8B, 0x4F, 0x08, 0x8D, 0x50, 0x0D, 0x3B, 0xD1, 0x73, 0x46, 0x8B, 165 | 0x37, 0x03, 0xF0, 0x8B, 0x56, 0x08, 0x8D, 0x46, 0x0C, 0x03, 0x56, 0x04, 166 | 0x3B, 0xD1, 0x76, 0xD2, 0xEB, 0x33, 0xFF, 0x76, 0x08, 0x8B, 0x5D, 0x08, 167 | 0x6A, 0x08, 0xFF, 0x53, 0x08, 0x50, 0xFF, 0x53, 0x0C, 0x85, 0xC0, 0x89, 168 | 0x45, 0xFC, 0x74, 0x1D, 0x8B, 0x46, 0x04, 0xFF, 0x76, 0x08, 0x03, 0x07, 169 | 0x50, 0xFF, 0x75, 0xFC, 0xE8, 0x14, 0xFC, 0xFF, 0xFF, 0x8B, 0x45, 0x14, 170 | 0x85, 0xC0, 0x74, 0x05, 0x8B, 0x4E, 0x08, 0x89, 0x08, 0x8B, 0x45, 0xFC, 171 | 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x10, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 172 | 0x14, 0x53, 0x8B, 0x5D, 0x08, 0x56, 0x33, 0xF6, 0xFF, 0x75, 0x14, 0xFF, 173 | 0x75, 0x10, 0x53, 0xE8, 0x6D, 0xFC, 0xFF, 0xFF, 0x85, 0xC0, 0x89, 0x45, 174 | 0xF0, 0x0F, 0x84, 0xEE, 0x00, 0x00, 0x00, 0x57, 0xE8, 0x0C, 0xF8, 0xFF, 175 | 0xFF, 0x05, 0x00, 0x03, 0x00, 0x00, 0x8B, 0xF8, 0x80, 0x3F, 0x00, 0x74, 176 | 0x03, 0x47, 0xEB, 0xF8, 0x8D, 0x4D, 0x08, 0x51, 0x50, 0xFF, 0x75, 0xF0, 177 | 0x53, 0xE8, 0x18, 0xFF, 0xFF, 0xFF, 0x89, 0x45, 0xF8, 0x8D, 0x45, 0xFC, 178 | 0x47, 0x50, 0x57, 0xFF, 0x75, 0xF0, 0x53, 0xE8, 0x06, 0xFF, 0xFF, 0xFF, 179 | 0x83, 0x7D, 0xF8, 0x00, 0x89, 0x45, 0xF4, 0x0F, 0x84, 0x8A, 0x00, 0x00, 180 | 0x00, 0x85, 0xC0, 0x74, 0x7A, 0x8B, 0x45, 0x08, 0x8B, 0x4D, 0xFC, 0x6A, 181 | 0x40, 0x68, 0x00, 0x10, 0x10, 0x00, 0x8D, 0x7C, 0x01, 0x08, 0xC1, 0xEF, 182 | 0x04, 0x47, 0xC1, 0xE7, 0x04, 0x57, 0x6A, 0x00, 0xFF, 0x13, 0x8B, 0xF0, 183 | 0x85, 0xF6, 0x74, 0x57, 0xFF, 0x75, 0x08, 0x8D, 0x44, 0x37, 0xF8, 0x89, 184 | 0x45, 0xEC, 0xFF, 0x75, 0xF8, 0x56, 0xE8, 0x5E, 0xFB, 0xFF, 0xFF, 0xFF, 185 | 0x75, 0xFC, 0x8B, 0x45, 0x08, 0x03, 0xC6, 0xFF, 0x75, 0xF4, 0x50, 0xE8, 186 | 0x4D, 0xFB, 0xFF, 0xFF, 0x8B, 0x45, 0x0C, 0x8B, 0x4D, 0x10, 0x89, 0x46, 187 | 0x1C, 0x8B, 0x43, 0x14, 0x89, 0x46, 0x08, 0x8B, 0x45, 0x08, 0x89, 0x46, 188 | 0x0C, 0x8B, 0x45, 0xFC, 0x89, 0x46, 0x10, 0x8B, 0x45, 0xEC, 0x83, 0xC7, 189 | 0xF8, 0xC7, 0x46, 0x14, 0x08, 0x00, 0x00, 0x00, 0x89, 0x7E, 0x18, 0x89, 190 | 0x48, 0x04, 0x8B, 0x4D, 0x14, 0x89, 0x08, 0xFF, 0x75, 0xF8, 0x6A, 0x00, 191 | 0xFF, 0x53, 0x08, 0x50, 0xFF, 0x53, 0x10, 0x83, 0x7D, 0xF4, 0x00, 0x5F, 192 | 0x74, 0x0C, 0xFF, 0x75, 0xF4, 0x6A, 0x00, 0xFF, 0x53, 0x08, 0x50, 0xFF, 193 | 0x53, 0x10, 0xFF, 0x75, 0xF0, 0x53, 0xE8, 0x2A, 0xFE, 0xFF, 0xFF, 0x85, 194 | 0xF6, 0x74, 0x02, 0xFF, 0xD6, 0x5E, 0x5B, 0xC9, 0xC2, 0x10, 0x00, 0x8B, 195 | 0x44, 0x24, 0x04, 0x6A, 0x01, 0x33, 0xD2, 0x59, 0x39, 0x54, 0x24, 0x08, 196 | 0x89, 0x48, 0x4C, 0x89, 0x50, 0x48, 0x89, 0x50, 0x58, 0x74, 0x09, 0x89, 197 | 0x50, 0x2C, 0x89, 0x50, 0x30, 0x89, 0x48, 0x50, 0x39, 0x54, 0x24, 0x0C, 198 | 0x74, 0x03, 0x89, 0x48, 0x50, 0xC2, 0x0C, 0x00, 0x8B, 0x44, 0x24, 0x04, 199 | 0x6A, 0x01, 0x6A, 0x01, 0x50, 0x83, 0x60, 0x24, 0x00, 0xE8, 0xC1, 0xFF, 200 | 0xFF, 0xFF, 0xC2, 0x04, 0x00, 0x55, 0x8B, 0xEC, 0x51, 0x53, 0x56, 0x8B, 201 | 0x75, 0x08, 0x57, 0x8B, 0x7D, 0x14, 0xFF, 0x75, 0x0C, 0x8B, 0x1F, 0x83, 202 | 0x27, 0x00, 0x56, 0x89, 0x5D, 0x14, 0xE8, 0x0E, 0x02, 0x00, 0x00, 0x8B, 203 | 0x4D, 0x1C, 0x83, 0x21, 0x00, 0x81, 0x7E, 0x48, 0x12, 0x01, 0x00, 0x00, 204 | 0x0F, 0x84, 0x91, 0x01, 0x00, 0x00, 0x83, 0x7E, 0x4C, 0x00, 0x74, 0x48, 205 | 0x85, 0xDB, 0x76, 0x1F, 0x8B, 0x46, 0x58, 0x83, 0xF8, 0x05, 0x73, 0x17, 206 | 0x8B, 0x55, 0x10, 0x8A, 0x12, 0x88, 0x54, 0x30, 0x5C, 0xFF, 0x46, 0x58, 207 | 0xFF, 0x45, 0x10, 0xFF, 0x07, 0x4B, 0x89, 0x5D, 0x14, 0x75, 0xE1, 0x83, 208 | 0x7E, 0x58, 0x05, 0x0F, 0x82, 0x79, 0x01, 0x00, 0x00, 0x80, 0x7E, 0x5C, 209 | 0x00, 0x8D, 0x46, 0x5C, 0x0F, 0x85, 0xB6, 0x01, 0x00, 0x00, 0x50, 0x56, 210 | 0xE8, 0x8F, 0x15, 0x00, 0x00, 0x83, 0x66, 0x58, 0x00, 0x8B, 0x4D, 0x1C, 211 | 0x8B, 0x46, 0x24, 0x33, 0xD2, 0x3B, 0x45, 0x0C, 0x89, 0x55, 0x08, 0x72, 212 | 0x28, 0x8B, 0x46, 0x48, 0x3B, 0xC2, 0x75, 0x09, 0x39, 0x56, 0x20, 0x0F, 213 | 0x84, 0x49, 0x01, 0x00, 0x00, 0x39, 0x55, 0x18, 0x0F, 0x84, 0x48, 0x01, 214 | 0x00, 0x00, 0x3B, 0xC2, 0x0F, 0x85, 0x44, 0x01, 0x00, 0x00, 0xC7, 0x45, 215 | 0x08, 0x01, 0x00, 0x00, 0x00, 0x39, 0x56, 0x50, 0x74, 0x06, 0x56, 0xE8, 216 | 0x78, 0x15, 0x00, 0x00, 0x8B, 0x46, 0x58, 0x85, 0xC0, 0x75, 0x66, 0x83, 217 | 0xFB, 0x14, 0x72, 0x0E, 0x39, 0x45, 0x08, 0x75, 0x09, 0x8B, 0x45, 0x10, 218 | 0x8D, 0x44, 0x03, 0xEC, 0xEB, 0x26, 0x53, 0xFF, 0x75, 0x10, 0x56, 0xE8, 219 | 0x67, 0x0F, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x84, 0x11, 0x01, 0x00, 0x00, 220 | 0x83, 0x7D, 0x08, 0x00, 0x74, 0x0B, 0x6A, 0x02, 0x59, 0x3B, 0xC1, 0x0F, 221 | 0x85, 0x26, 0x01, 0x00, 0x00, 0x8B, 0x45, 0x10, 0x8B, 0x4D, 0x10, 0x50, 222 | 0xFF, 0x75, 0x0C, 0x89, 0x4E, 0x18, 0x56, 0xE8, 0x9C, 0x01, 0x00, 0x00, 223 | 0x85, 0xC0, 0x0F, 0x85, 0x10, 0x01, 0x00, 0x00, 0x8B, 0x46, 0x18, 0x2B, 224 | 0x45, 0x10, 0x01, 0x07, 0x01, 0x45, 0x10, 0x2B, 0xD8, 0x89, 0x5D, 0x14, 225 | 0xE9, 0x86, 0x00, 0x00, 0x00, 0x8B, 0xD8, 0x33, 0xC0, 0x83, 0xFB, 0x14, 226 | 0x89, 0x45, 0xFC, 0x73, 0x13, 0x3B, 0x45, 0x14, 0x73, 0x0E, 0x8B, 0x4D, 227 | 0x10, 0x43, 0x8A, 0x0C, 0x08, 0x40, 0x88, 0x4C, 0x33, 0x5B, 0xEB, 0xE5, 228 | 0x83, 0xFB, 0x14, 0x89, 0x5E, 0x58, 0x72, 0x06, 0x83, 0x7D, 0x08, 0x00, 229 | 0x74, 0x24, 0x8D, 0x46, 0x5C, 0x53, 0x50, 0x56, 0xE8, 0xE6, 0x0E, 0x00, 230 | 0x00, 0x85, 0xC0, 0x0F, 0x84, 0xA4, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x08, 231 | 0x00, 0x74, 0x0B, 0x6A, 0x02, 0x59, 0x3B, 0xC1, 0x0F, 0x85, 0xA5, 0x00, 232 | 0x00, 0x00, 0x8D, 0x46, 0x5C, 0x50, 0x89, 0x46, 0x18, 0xFF, 0x75, 0x0C, 233 | 0x56, 0xE8, 0x1E, 0x01, 0x00, 0x00, 0x85, 0xC0, 0x0F, 0x85, 0x92, 0x00, 234 | 0x00, 0x00, 0x8B, 0x46, 0x18, 0x8B, 0x4D, 0xFC, 0x2B, 0xC3, 0x2B, 0xC6, 235 | 0x8D, 0x44, 0x01, 0xA4, 0x29, 0x45, 0x14, 0x01, 0x07, 0x01, 0x45, 0x10, 236 | 0x83, 0x66, 0x58, 0x00, 0x8B, 0x5D, 0x14, 0x81, 0x7E, 0x48, 0x12, 0x01, 237 | 0x00, 0x00, 0x8B, 0x4D, 0x1C, 0x0F, 0x85, 0x6F, 0xFE, 0xFF, 0xFF, 0x83, 238 | 0x7E, 0x20, 0x00, 0x75, 0x06, 0xC7, 0x01, 0x01, 0x00, 0x00, 0x00, 0x33, 239 | 0xC0, 0x39, 0x46, 0x20, 0x0F, 0x95, 0xC0, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 240 | 0x18, 0x00, 0xC7, 0x01, 0x03, 0x00, 0x00, 0x00, 0xEB, 0x39, 0xC7, 0x01, 241 | 0x04, 0x00, 0x00, 0x00, 0xEB, 0x31, 0x33, 0xC0, 0xEB, 0x03, 0x6A, 0x01, 242 | 0x58, 0xC7, 0x01, 0x02, 0x00, 0x00, 0x00, 0xEB, 0xDA, 0x53, 0x8D, 0x46, 243 | 0x5C, 0xFF, 0x75, 0x10, 0x50, 0xE8, 0x9B, 0xF8, 0xFF, 0xFF, 0x89, 0x5E, 244 | 0x58, 0x01, 0x1F, 0xEB, 0x05, 0x8B, 0x45, 0xFC, 0x01, 0x07, 0x8B, 0x45, 245 | 0x1C, 0xC7, 0x00, 0x03, 0x00, 0x00, 0x00, 0x33, 0xC0, 0xEB, 0xB4, 0x8B, 246 | 0x45, 0x1C, 0x89, 0x08, 0x6A, 0x01, 0x58, 0xEB, 0xAA, 0x55, 0x8B, 0xEC, 247 | 0x51, 0x8B, 0x45, 0x08, 0x53, 0x8B, 0x58, 0x48, 0x85, 0xDB, 0x74, 0x6B, 248 | 0x81, 0xFB, 0x12, 0x01, 0x00, 0x00, 0x73, 0x63, 0x8B, 0x50, 0x28, 0x8B, 249 | 0x48, 0x24, 0x89, 0x55, 0xFC, 0x8B, 0x50, 0x38, 0x89, 0x55, 0x08, 0x8B, 250 | 0x55, 0x0C, 0x56, 0x8B, 0xF3, 0x2B, 0xD1, 0x57, 0x8B, 0x78, 0x14, 0x3B, 251 | 0xD6, 0x73, 0x02, 0x8B, 0xF2, 0x83, 0x78, 0x30, 0x00, 0x75, 0x10, 0x8B, 252 | 0x50, 0x0C, 0x2B, 0x50, 0x2C, 0x3B, 0xD6, 0x77, 0x06, 0x8B, 0x50, 0x0C, 253 | 0x89, 0x50, 0x30, 0x01, 0x70, 0x2C, 0x2B, 0xDE, 0x8B, 0xD6, 0x4E, 0x85, 254 | 0xD2, 0x89, 0x58, 0x48, 0x74, 0x18, 0x46, 0x3B, 0x4D, 0x08, 0x1B, 0xD2, 255 | 0x23, 0x55, 0xFC, 0x2B, 0x55, 0x08, 0x03, 0xD1, 0x8A, 0x14, 0x3A, 0x88, 256 | 0x14, 0x39, 0x41, 0x4E, 0x75, 0xE9, 0x5F, 0x89, 0x48, 0x24, 0x5E, 0x5B, 257 | 0xC9, 0xC2, 0x08, 0x00, 0x53, 0x56, 0x8B, 0x74, 0x24, 0x0C, 0x57, 0x8B, 258 | 0x7C, 0x24, 0x14, 0x83, 0x7E, 0x30, 0x00, 0x8B, 0xD7, 0x75, 0x14, 0x8B, 259 | 0x46, 0x0C, 0x8B, 0x4E, 0x24, 0x2B, 0x46, 0x2C, 0x8B, 0xDF, 0x2B, 0xD9, 260 | 0x3B, 0xD8, 0x76, 0x03, 0x8D, 0x14, 0x01, 0x8B, 0x5C, 0x24, 0x18, 0x53, 261 | 0x52, 0x56, 0xE8, 0x41, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x37, 0x8B, 262 | 0x46, 0x0C, 0x39, 0x46, 0x2C, 0x72, 0x03, 0x89, 0x46, 0x30, 0x57, 0x56, 263 | 0xE8, 0x38, 0xFF, 0xFF, 0xFF, 0x39, 0x7E, 0x24, 0x73, 0x11, 0x39, 0x5E, 264 | 0x18, 0x73, 0x0C, 0xB8, 0x12, 0x01, 0x00, 0x00, 0x39, 0x46, 0x48, 0x73, 265 | 0x0A, 0xEB, 0xAC, 0xB8, 0x12, 0x01, 0x00, 0x00, 0x39, 0x46, 0x48, 0x76, 266 | 0x03, 0x89, 0x46, 0x48, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0xC2, 0x0C, 0x00, 267 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x6C, 0x8B, 0x55, 0x08, 0x53, 0x56, 0x57, 268 | 0x8B, 0x42, 0x10, 0x8B, 0x4A, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x42, 0x34, 269 | 0x89, 0x45, 0xF4, 0x8B, 0x42, 0x38, 0x89, 0x45, 0xDC, 0x8B, 0x42, 0x3C, 270 | 0x89, 0x45, 0xD0, 0x8B, 0x42, 0x40, 0x6A, 0x01, 0x89, 0x45, 0xCC, 0x8B, 271 | 0x42, 0x44, 0x5F, 0x6A, 0x01, 0x89, 0x45, 0xC0, 0xD3, 0xE7, 0x8B, 0x4A, 272 | 0x04, 0x58, 0xD3, 0xE0, 0x8B, 0x72, 0x1C, 0xC6, 0x45, 0x98, 0x01, 0x4F, 273 | 0xC6, 0x45, 0x99, 0x02, 0x89, 0x7D, 0xAC, 0xC6, 0x45, 0x9A, 0x03, 0x48, 274 | 0x33, 0xC9, 0x89, 0x45, 0xB0, 0x8B, 0x02, 0x89, 0x45, 0xB8, 0x8B, 0x42, 275 | 0x14, 0x89, 0x45, 0xC8, 0x8B, 0x42, 0x28, 0x89, 0x45, 0xD4, 0x8B, 0x42, 276 | 0x24, 0x89, 0x45, 0xE4, 0x8B, 0x42, 0x2C, 0x89, 0x45, 0xE0, 0x8B, 0x42, 277 | 0x30, 0x89, 0x45, 0xC4, 0x8B, 0x42, 0x18, 0x89, 0x45, 0xFC, 0x8B, 0x42, 278 | 0x20, 0x89, 0x4D, 0xF0, 0x89, 0x45, 0x08, 0x88, 0x4D, 0x94, 0x88, 0x4D, 279 | 0x95, 0x88, 0x4D, 0x96, 0x88, 0x4D, 0x97, 0xC6, 0x45, 0x9B, 0x04, 0xC6, 280 | 0x45, 0x9C, 0x05, 0xC6, 0x45, 0x9D, 0x06, 0xC6, 0x45, 0x9E, 0x04, 0xC6, 281 | 0x45, 0x9F, 0x05, 0xC6, 0x45, 0xA0, 0x07, 0xC6, 0x45, 0xA1, 0x07, 0xC6, 282 | 0x45, 0xA2, 0x07, 0xC6, 0x45, 0xA3, 0x07, 0xC6, 0x45, 0xA4, 0x07, 0xC6, 283 | 0x45, 0xA5, 0x07, 0xC6, 0x45, 0xA6, 0x07, 0xC6, 0x45, 0xA7, 0x0A, 0xC6, 284 | 0x45, 0xA8, 0x0A, 0xC6, 0x45, 0xA9, 0x0A, 0xC6, 0x45, 0xAA, 0x0A, 0xC6, 285 | 0x45, 0xAB, 0x0A, 0x8B, 0x5D, 0xE0, 0x8B, 0x45, 0xF4, 0x8B, 0x4D, 0xE8, 286 | 0x23, 0xDF, 0xC1, 0xE0, 0x04, 0x03, 0xC3, 0x81, 0xFE, 0x00, 0x00, 0x00, 287 | 0x01, 0x89, 0x5D, 0xB4, 0x8D, 0x3C, 0x41, 0x89, 0x7D, 0xF8, 0x0F, 0xB7, 288 | 0x0F, 0x73, 0x1A, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 289 | 0x0F, 0xB6, 0x3F, 0x0B, 0xC7, 0x8B, 0x7D, 0xF8, 0xC1, 0xE6, 0x08, 0xFF, 290 | 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 291 | 0xC1, 0x39, 0x45, 0x08, 0x0F, 0x83, 0x9C, 0x01, 0x00, 0x00, 0x8B, 0xF0, 292 | 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xC1, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 293 | 0x66, 0x89, 0x07, 0x8B, 0x45, 0xE8, 0x05, 0x6C, 0x0E, 0x00, 0x00, 0x83, 294 | 0x7D, 0xC4, 0x00, 0x89, 0x45, 0xF8, 0x75, 0x06, 0x83, 0x7D, 0xE0, 0x00, 295 | 0x74, 0x31, 0x8B, 0x4D, 0xE4, 0x85, 0xC9, 0x75, 0x03, 0x8B, 0x4D, 0xD4, 296 | 0x8B, 0x7D, 0xC8, 0x8B, 0x5D, 0xE0, 0x23, 0x5D, 0xB0, 0x0F, 0xB6, 0x7C, 297 | 0x39, 0xFF, 0xB1, 0x08, 0x2A, 0x4D, 0xB8, 0xD3, 0xEF, 0x8B, 0x4D, 0xB8, 298 | 0xD3, 0xE3, 0x03, 0xFB, 0x8D, 0x0C, 0x7F, 0xC1, 0xE1, 0x09, 0x03, 0xC1, 299 | 0x89, 0x45, 0xF8, 0x83, 0x7D, 0xF4, 0x07, 0x73, 0x6D, 0x6A, 0x01, 0x5B, 300 | 0x03, 0xDB, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x0F, 0xB7, 0x0C, 0x03, 301 | 0x73, 0x1A, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 302 | 0xB6, 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 303 | 0x08, 0x8B, 0x45, 0xF8, 0x8B, 0xFE, 0xC1, 0xEF, 0x0B, 0x0F, 0xAF, 0xF9, 304 | 0x39, 0x7D, 0x08, 0x73, 0x14, 0x8B, 0xF7, 0xBF, 0x00, 0x08, 0x00, 0x00, 305 | 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 0x66, 0x89, 0x3C, 0x03, 0xEB, 306 | 0x14, 0x29, 0x7D, 0x08, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 307 | 0x45, 0xF8, 0x2B, 0xF7, 0x66, 0x89, 0x0C, 0x03, 0x43, 0x81, 0xFB, 0x00, 308 | 0x01, 0x00, 0x00, 0x72, 0x9B, 0xE9, 0xB4, 0x00, 0x00, 0x00, 0x8B, 0x4D, 309 | 0xE4, 0x6A, 0x01, 0x3B, 0x4D, 0xDC, 0xC7, 0x45, 0xD8, 0x00, 0x01, 0x00, 310 | 0x00, 0x5B, 0x1B, 0xFF, 0x23, 0x7D, 0xD4, 0x2B, 0x7D, 0xDC, 0x03, 0x7A, 311 | 0x14, 0x0F, 0xB6, 0x0C, 0x0F, 0x89, 0x4D, 0xBC, 0xEB, 0x03, 0x8B, 0x45, 312 | 0xF8, 0xD1, 0x65, 0xBC, 0x8B, 0x4D, 0xD8, 0x8B, 0x7D, 0xD8, 0x23, 0x4D, 313 | 0xBC, 0x03, 0xF9, 0x03, 0xFB, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x8D, 314 | 0x04, 0x78, 0x89, 0x45, 0xB4, 0x0F, 0xB7, 0x00, 0x89, 0x45, 0xEC, 0x73, 315 | 0x17, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 316 | 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 317 | 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0x45, 0xEC, 0x39, 0x45, 0x08, 318 | 0x73, 0x1C, 0x8B, 0xF0, 0x8B, 0x7D, 0xB4, 0xB8, 0x00, 0x08, 0x00, 0x00, 319 | 0x2B, 0x45, 0xEC, 0xF7, 0xD1, 0xC1, 0xE8, 0x05, 0x03, 0x45, 0xEC, 0x03, 320 | 0xDB, 0x66, 0x89, 0x07, 0xEB, 0x19, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 321 | 0x45, 0xEC, 0x8D, 0x5C, 0x1B, 0x01, 0x8B, 0xF8, 0xC1, 0xEF, 0x05, 0x2B, 322 | 0xC7, 0x8B, 0x7D, 0xB4, 0x66, 0x89, 0x07, 0x21, 0x4D, 0xD8, 0x81, 0xFB, 323 | 0x00, 0x01, 0x00, 0x00, 0x0F, 0x82, 0x70, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 324 | 0xC8, 0x8B, 0x4D, 0xE4, 0xFF, 0x45, 0xE4, 0xFF, 0x45, 0xE0, 0x88, 0x1C, 325 | 0x01, 0x8B, 0x45, 0xF4, 0x0F, 0xB6, 0x44, 0x05, 0x94, 0xE9, 0x73, 0x01, 326 | 0x00, 0x00, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 327 | 0x2B, 0xC8, 0x8B, 0x45, 0xF8, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x66, 328 | 0x89, 0x08, 0x8B, 0x45, 0xF4, 0x8B, 0x4D, 0xE8, 0x8D, 0x84, 0x41, 0x80, 329 | 0x01, 0x00, 0x00, 0x89, 0x45, 0xF8, 0x0F, 0xB7, 0x08, 0x73, 0x1A, 0x8B, 330 | 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x3F, 0x0B, 331 | 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0x45, 332 | 0xF8, 0x8B, 0xFE, 0xC1, 0xEF, 0x0B, 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 333 | 0x73, 0x23, 0x8B, 0xF7, 0xBF, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xF9, 0xC1, 334 | 0xEF, 0x05, 0x03, 0xF9, 0x83, 0x45, 0xF4, 0x0C, 0x66, 0x89, 0x38, 0x8B, 335 | 0x45, 0xE8, 0x8D, 0x88, 0x64, 0x06, 0x00, 0x00, 0xE9, 0x33, 0x02, 0x00, 336 | 0x00, 0x29, 0x7D, 0x08, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 337 | 0x45, 0xF8, 0x2B, 0xF7, 0x83, 0x7D, 0xC4, 0x00, 0x66, 0x89, 0x08, 0x75, 338 | 0x0A, 0x83, 0x7D, 0xE0, 0x00, 0x0F, 0x84, 0x82, 0x09, 0x00, 0x00, 0x8B, 339 | 0x45, 0xF4, 0x8B, 0x4D, 0xE8, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x8D, 340 | 0x84, 0x41, 0x98, 0x01, 0x00, 0x00, 0x89, 0x45, 0xF8, 0x0F, 0xB7, 0x08, 341 | 0x73, 0x17, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 342 | 0xB6, 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 343 | 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC1, 0x39, 0x45, 0x08, 344 | 0x0F, 0x83, 0xB6, 0x00, 0x00, 0x00, 0xBF, 0x00, 0x08, 0x00, 0x00, 0x8B, 345 | 0xF0, 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 0x8B, 0x4D, 0xF8, 0x66, 346 | 0x89, 0x39, 0x8B, 0x4D, 0xF4, 0x8B, 0x7D, 0xE8, 0x83, 0xC1, 0x0F, 0xC1, 347 | 0xE1, 0x04, 0x03, 0xCB, 0x3D, 0x00, 0x00, 0x00, 0x01, 0x8D, 0x0C, 0x4F, 348 | 0x0F, 0xB7, 0x39, 0x89, 0x7D, 0xEC, 0x73, 0x19, 0x8B, 0x7D, 0xFC, 0xC1, 349 | 0xE0, 0x08, 0x0F, 0xB6, 0x3F, 0x8B, 0xF0, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 350 | 0x08, 0x0B, 0xC7, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 351 | 0xE8, 0x0B, 0x0F, 0xAF, 0x45, 0xEC, 0x39, 0x45, 0x08, 0x73, 0x46, 0x8B, 352 | 0x7D, 0xE4, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 0x45, 0xEC, 353 | 0xC1, 0xE8, 0x05, 0x03, 0x45, 0xEC, 0x3B, 0x7D, 0xDC, 0x66, 0x89, 0x01, 354 | 0x8B, 0x45, 0xC8, 0x1B, 0xC9, 0x23, 0x4D, 0xD4, 0x2B, 0x4D, 0xDC, 0x03, 355 | 0xCF, 0x8A, 0x0C, 0x01, 0x88, 0x0C, 0x07, 0x47, 0xFF, 0x45, 0xE0, 0x83, 356 | 0x7D, 0xF4, 0x07, 0x89, 0x7D, 0xE4, 0x1B, 0xC0, 0x24, 0xFE, 0x83, 0xC0, 357 | 0x0B, 0x89, 0x45, 0xF4, 0xE9, 0x61, 0x08, 0x00, 0x00, 0x29, 0x45, 0x08, 358 | 0x2B, 0xF0, 0x8B, 0x45, 0xEC, 0x8B, 0xF8, 0xC1, 0xEF, 0x05, 0x2B, 0xC7, 359 | 0x66, 0x89, 0x01, 0xE9, 0x01, 0x01, 0x00, 0x00, 0x29, 0x45, 0x08, 0x2B, 360 | 0xF0, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 0xF8, 0x81, 361 | 0xFE, 0x00, 0x00, 0x00, 0x01, 0x66, 0x89, 0x08, 0x8B, 0x45, 0xE8, 0x8B, 362 | 0x4D, 0xF4, 0x8D, 0x84, 0x48, 0xB0, 0x01, 0x00, 0x00, 0x89, 0x45, 0xF8, 363 | 0x0F, 0xB7, 0x08, 0x73, 0x1A, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 364 | 0xE0, 0x08, 0x0F, 0xB6, 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 365 | 0xFC, 0x89, 0x45, 0x08, 0x8B, 0x45, 0xF8, 0x8B, 0xFE, 0xC1, 0xEF, 0x0B, 366 | 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 0x73, 0x19, 0x8B, 0xF7, 0xBF, 0x00, 367 | 0x08, 0x00, 0x00, 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 0x66, 0x89, 368 | 0x38, 0x8B, 0x45, 0xD0, 0xE9, 0x8B, 0x00, 0x00, 0x00, 0x8B, 0xC1, 0x29, 369 | 0x7D, 0x08, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 0xF8, 0x2B, 0xF7, 370 | 0x66, 0x89, 0x08, 0x8B, 0x45, 0xE8, 0x8B, 0x4D, 0xF4, 0x81, 0xFE, 0x00, 371 | 0x00, 0x00, 0x01, 0x8D, 0x84, 0x48, 0xC8, 0x01, 0x00, 0x00, 0x89, 0x45, 372 | 0xF8, 0x0F, 0xB7, 0x08, 0x73, 0x1A, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 373 | 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 374 | 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0x45, 0xF8, 0x8B, 0xFE, 0xC1, 0xEF, 375 | 0x0B, 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 0x73, 0x16, 0x8B, 0xF7, 0xBF, 376 | 0x00, 0x08, 0x00, 0x00, 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 0x66, 377 | 0x89, 0x38, 0x8B, 0x45, 0xCC, 0xEB, 0x1B, 0x29, 0x7D, 0x08, 0x8B, 0xC1, 378 | 0xC1, 0xE8, 0x05, 0x2B, 0xF7, 0x2B, 0xC8, 0x8B, 0x45, 0xF8, 0x66, 0x89, 379 | 0x08, 0x8B, 0x4D, 0xCC, 0x8B, 0x45, 0xC0, 0x89, 0x4D, 0xC0, 0x8B, 0x4D, 380 | 0xD0, 0x89, 0x4D, 0xCC, 0x8B, 0x4D, 0xDC, 0x89, 0x45, 0xDC, 0x89, 0x4D, 381 | 0xD0, 0x83, 0x7D, 0xF4, 0x07, 0x1B, 0xC0, 0x24, 0xFD, 0x83, 0xC0, 0x0B, 382 | 0x89, 0x45, 0xF4, 0x8B, 0x45, 0xE8, 0x8D, 0x88, 0x68, 0x0A, 0x00, 0x00, 383 | 0x0F, 0xB7, 0x01, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x89, 0x45, 0xEC, 384 | 0x73, 0x17, 0x8B, 0x7D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 385 | 0xB6, 0x3F, 0x0B, 0xC7, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 386 | 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0x45, 0xEC, 0x39, 0x45, 387 | 0x08, 0x73, 0x2A, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 0x45, 388 | 0xEC, 0xC1, 0xE3, 0x04, 0xC1, 0xE8, 0x05, 0x03, 0x45, 0xEC, 0x83, 0x65, 389 | 0xD8, 0x00, 0xC7, 0x45, 0xEC, 0x08, 0x00, 0x00, 0x00, 0x66, 0x89, 0x01, 390 | 0x8D, 0x4C, 0x0B, 0x04, 0xE9, 0x90, 0x00, 0x00, 0x00, 0x29, 0x45, 0x08, 391 | 0x2B, 0xF0, 0x8B, 0x45, 0xEC, 0x8B, 0xF8, 0xC1, 0xEF, 0x05, 0x2B, 0xC7, 392 | 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x66, 0x89, 0x01, 0x0F, 0xB7, 0x79, 393 | 0x02, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 394 | 0x0F, 0xB6, 0x1B, 0x0B, 0xC3, 0x8B, 0x5D, 0xB4, 0xC1, 0xE6, 0x08, 0xFF, 395 | 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 396 | 0xC7, 0x39, 0x45, 0x08, 0x73, 0x27, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 397 | 0x00, 0x2B, 0xC7, 0x6A, 0x08, 0xC1, 0xE8, 0x05, 0x03, 0xC7, 0x66, 0x89, 398 | 0x41, 0x02, 0x58, 0xC1, 0xE3, 0x04, 0x89, 0x45, 0xD8, 0x89, 0x45, 0xEC, 399 | 0x8D, 0x8C, 0x0B, 0x04, 0x01, 0x00, 0x00, 0xEB, 0x24, 0x29, 0x45, 0x08, 400 | 0x2B, 0xF0, 0x8B, 0xC7, 0xC7, 0x45, 0xD8, 0x10, 0x00, 0x00, 0x00, 0xC1, 401 | 0xE8, 0x05, 0x2B, 0xF8, 0xC7, 0x45, 0xEC, 0x00, 0x01, 0x00, 0x00, 0x66, 402 | 0x89, 0x79, 0x02, 0x81, 0xC1, 0x04, 0x02, 0x00, 0x00, 0xC7, 0x45, 0xF0, 403 | 0x01, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xF0, 0x03, 0xC0, 0x81, 0xFE, 0x00, 404 | 0x00, 0x00, 0x01, 0x89, 0x45, 0xB4, 0x0F, 0xB7, 0x3C, 0x08, 0x73, 0x1A, 405 | 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x1B, 406 | 0x0B, 0xC3, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 407 | 0x45, 0xB4, 0x8B, 0xDE, 0xC1, 0xEB, 0x0B, 0x0F, 0xAF, 0xDF, 0x39, 0x5D, 408 | 0x08, 0x73, 0x14, 0x8B, 0xF3, 0xBB, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xDF, 409 | 0xC1, 0xEB, 0x05, 0x03, 0xDF, 0x66, 0x89, 0x1C, 0x08, 0xEB, 0x14, 0x29, 410 | 0x5D, 0x08, 0x8B, 0xC7, 0xC1, 0xE8, 0x05, 0x2B, 0xF8, 0x8B, 0x45, 0xB4, 411 | 0x2B, 0xF3, 0x66, 0x89, 0x3C, 0x08, 0x40, 0x89, 0x45, 0xF0, 0x8B, 0x45, 412 | 0xD8, 0x8B, 0x7D, 0xF0, 0x3B, 0x7D, 0xEC, 0x72, 0x8F, 0x2B, 0x45, 0xEC, 413 | 0x03, 0xF8, 0x83, 0x7D, 0xF4, 0x0C, 0x89, 0x7D, 0xF0, 0x0F, 0x82, 0x49, 414 | 0x05, 0x00, 0x00, 0x83, 0xFF, 0x04, 0x72, 0x03, 0x6A, 0x03, 0x5F, 0x8B, 415 | 0x45, 0xE8, 0xC1, 0xE7, 0x07, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x0F, 416 | 0xB7, 0x8C, 0x07, 0x62, 0x03, 0x00, 0x00, 0x8D, 0xBC, 0x07, 0x60, 0x03, 417 | 0x00, 0x00, 0x73, 0x17, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 418 | 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xC3, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 419 | 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC1, 0x39, 420 | 0x45, 0x08, 0x73, 0x16, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 421 | 0xC1, 0x6A, 0x02, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 0x66, 0x89, 0x47, 0x02, 422 | 0xEB, 0x12, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0x6A, 0x03, 0xC1, 423 | 0xE8, 0x05, 0x2B, 0xC8, 0x66, 0x89, 0x4F, 0x02, 0x58, 0x81, 0xFE, 0x00, 424 | 0x00, 0x00, 0x01, 0x8D, 0x1C, 0x00, 0x89, 0x5D, 0xEC, 0x0F, 0xB7, 0x0C, 425 | 0x3B, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 426 | 0x0F, 0xB6, 0x1B, 0x0B, 0xC3, 0x8B, 0x5D, 0xEC, 0xC1, 0xE6, 0x08, 0xFF, 427 | 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 428 | 0xC1, 0x39, 0x45, 0x08, 0x73, 0x16, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 429 | 0x00, 0x2B, 0xC1, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 0x66, 0x89, 0x04, 0x3B, 430 | 0x8B, 0xC3, 0xEB, 0x14, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0xC1, 431 | 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 0xEC, 0x66, 0x89, 0x0C, 0x38, 0x40, 432 | 0x8D, 0x1C, 0x00, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x89, 0x5D, 0xEC, 433 | 0x0F, 0xB7, 0x0C, 0x3B, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 434 | 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xC3, 0x8B, 0x5D, 0xEC, 0xC1, 435 | 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 436 | 0x0B, 0x0F, 0xAF, 0xC1, 0x39, 0x45, 0x08, 0x73, 0x16, 0x8B, 0xF0, 0xB8, 437 | 0x00, 0x08, 0x00, 0x00, 0x2B, 0xC1, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 0x66, 438 | 0x89, 0x04, 0x3B, 0x8B, 0xC3, 0xEB, 0x14, 0x29, 0x45, 0x08, 0x2B, 0xF0, 439 | 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 0xEC, 0x66, 0x89, 440 | 0x0C, 0x38, 0x40, 0x8D, 0x1C, 0x00, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 441 | 0x89, 0x5D, 0xEC, 0x0F, 0xB7, 0x0C, 0x3B, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 442 | 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xC3, 0x8B, 443 | 0x5D, 0xEC, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 444 | 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC1, 0x39, 0x45, 0x08, 0x73, 0x16, 445 | 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xC1, 0xC1, 0xE8, 0x05, 446 | 0x03, 0xC1, 0x66, 0x89, 0x04, 0x3B, 0x8B, 0xC3, 0xEB, 0x14, 0x29, 0x45, 447 | 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 448 | 0xEC, 0x66, 0x89, 0x0C, 0x38, 0x40, 0x03, 0xC0, 0x81, 0xFE, 0x00, 0x00, 449 | 0x00, 0x01, 0x89, 0x45, 0xEC, 0x0F, 0xB7, 0x0C, 0x38, 0x73, 0x1A, 0x8B, 450 | 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 451 | 0xC3, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x45, 0x08, 0x8B, 0x45, 452 | 0xEC, 0x8B, 0xDE, 0xC1, 0xEB, 0x0B, 0x0F, 0xAF, 0xD9, 0x39, 0x5D, 0x08, 453 | 0x73, 0x14, 0x8B, 0xF3, 0xBB, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xD9, 0xC1, 454 | 0xEB, 0x05, 0x03, 0xD9, 0x66, 0x89, 0x1C, 0x38, 0xEB, 0x14, 0x29, 0x5D, 455 | 0x08, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 0xC8, 0x8B, 0x45, 0xEC, 0x2B, 456 | 0xF3, 0x66, 0x89, 0x0C, 0x38, 0x40, 0x8D, 0x1C, 0x00, 0x03, 0xFB, 0x81, 457 | 0xFE, 0x00, 0x00, 0x00, 0x01, 0x89, 0x5D, 0xEC, 0x0F, 0xB7, 0x0F, 0x73, 458 | 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 0xB6, 459 | 0x1B, 0x0B, 0xC3, 0x8B, 0x5D, 0xEC, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 460 | 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC1, 0x39, 461 | 0x45, 0x08, 0x73, 0x15, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 0x2B, 462 | 0xC1, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 0x66, 0x89, 0x07, 0x8B, 0xFB, 0xEB, 463 | 0x15, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 0x2B, 464 | 0xC8, 0x8B, 0x45, 0xEC, 0x66, 0x89, 0x0F, 0x8D, 0x78, 0x01, 0x83, 0xEF, 465 | 0x40, 0x83, 0xFF, 0x04, 0x0F, 0x82, 0xA4, 0x02, 0x00, 0x00, 0x6A, 0x01, 466 | 0x8B, 0xCF, 0x8B, 0xC7, 0x5B, 0xD1, 0xE9, 0x23, 0xC3, 0x49, 0x0C, 0x02, 467 | 0x83, 0xFF, 0x0E, 0x89, 0x4D, 0xB4, 0x0F, 0x83, 0x8F, 0x00, 0x00, 0x00, 468 | 0xD3, 0xE0, 0x8B, 0x4D, 0xE8, 0x89, 0x5D, 0xBC, 0x89, 0x45, 0xEC, 0x2B, 469 | 0xC7, 0x8D, 0x8C, 0x41, 0x5E, 0x05, 0x00, 0x00, 0x8B, 0xC3, 0x89, 0x4D, 470 | 0xF8, 0x03, 0xC0, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x0F, 0xB7, 0x3C, 471 | 0x08, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x4D, 0x08, 0xC1, 0xE1, 0x08, 472 | 0x0F, 0xB6, 0x1B, 0x0B, 0xCB, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 473 | 0x4D, 0x08, 0x8B, 0x4D, 0xF8, 0x8B, 0xDE, 0xC1, 0xEB, 0x0B, 0x0F, 0xAF, 474 | 0xDF, 0x39, 0x5D, 0x08, 0x73, 0x17, 0x8B, 0xF3, 0xBB, 0x00, 0x08, 0x00, 475 | 0x00, 0x2B, 0xDF, 0xC1, 0xEB, 0x05, 0x03, 0xDF, 0x8B, 0x7D, 0xEC, 0x66, 476 | 0x89, 0x1C, 0x08, 0xEB, 0x1D, 0x8B, 0xCF, 0x29, 0x5D, 0x08, 0xC1, 0xE9, 477 | 0x05, 0x2B, 0xF9, 0x8B, 0x4D, 0xF8, 0x2B, 0xF3, 0x66, 0x89, 0x3C, 0x08, 478 | 0x8B, 0x7D, 0xEC, 0x40, 0x0B, 0x7D, 0xBC, 0x89, 0x7D, 0xEC, 0xD1, 0x65, 479 | 0xBC, 0xFF, 0x4D, 0xB4, 0x75, 0x8F, 0xE9, 0xFB, 0x01, 0x00, 0x00, 0x83, 480 | 0xE9, 0x04, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x73, 0x17, 0x8B, 0x5D, 481 | 0xFC, 0x8B, 0x7D, 0x08, 0xC1, 0xE7, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xFB, 482 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x7D, 0x08, 0xD1, 0xEE, 0x29, 483 | 0x75, 0x08, 0x8B, 0x7D, 0x08, 0xC1, 0xEF, 0x1F, 0xF7, 0xDF, 0x8D, 0x44, 484 | 0x47, 0x01, 0x23, 0xFE, 0x01, 0x7D, 0x08, 0x49, 0x75, 0xC8, 0xC1, 0xE0, 485 | 0x04, 0x89, 0x45, 0xEC, 0x8B, 0x45, 0xE8, 0x81, 0xFE, 0x00, 0x00, 0x00, 486 | 0x01, 0x0F, 0xB7, 0x88, 0x46, 0x06, 0x00, 0x00, 0x73, 0x17, 0x8B, 0x5D, 487 | 0xFC, 0x8B, 0x7D, 0x08, 0xC1, 0xE7, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xFB, 488 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x7D, 0x08, 0x8B, 0xFE, 0xC1, 489 | 0xEF, 0x0B, 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 0x73, 0x1A, 0x8B, 0xF7, 490 | 0xBF, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xF9, 0x6A, 0x02, 0xC1, 0xEF, 0x05, 491 | 0x03, 0xF9, 0x59, 0x66, 0x89, 0xB8, 0x46, 0x06, 0x00, 0x00, 0xEB, 0x1A, 492 | 0x29, 0x7D, 0x08, 0x2B, 0xF7, 0x8B, 0xF9, 0x6A, 0x03, 0xC1, 0xEF, 0x05, 493 | 0x2B, 0xCF, 0x83, 0x4D, 0xEC, 0x01, 0x66, 0x89, 0x88, 0x46, 0x06, 0x00, 494 | 0x00, 0x59, 0x8D, 0x1C, 0x09, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x0F, 495 | 0xB7, 0x8C, 0x03, 0x44, 0x06, 0x00, 0x00, 0x8D, 0x84, 0x03, 0x44, 0x06, 496 | 0x00, 0x00, 0x89, 0x5D, 0xD8, 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x7D, 497 | 0x08, 0xC1, 0xE7, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xFB, 0x8B, 0x5D, 0xD8, 498 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x7D, 0x08, 0x8B, 0xFE, 0xC1, 499 | 0xEF, 0x0B, 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 0x73, 0x15, 0x8B, 0xF7, 500 | 0xBF, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 501 | 0x66, 0x89, 0x38, 0x8B, 0xC3, 0xEB, 0x17, 0x29, 0x7D, 0x08, 0x2B, 0xF7, 502 | 0x8B, 0xF9, 0xC1, 0xEF, 0x05, 0x2B, 0xCF, 0x66, 0x89, 0x08, 0x8B, 0x45, 503 | 0xD8, 0x40, 0x83, 0x4D, 0xEC, 0x02, 0x8D, 0x1C, 0x00, 0x8B, 0x45, 0xE8, 504 | 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x89, 0x5D, 0xD8, 0x0F, 0xB7, 0x8C, 505 | 0x03, 0x44, 0x06, 0x00, 0x00, 0x8D, 0xBC, 0x03, 0x44, 0x06, 0x00, 0x00, 506 | 0x73, 0x1A, 0x8B, 0x5D, 0xFC, 0x8B, 0x45, 0x08, 0xC1, 0xE0, 0x08, 0x0F, 507 | 0xB6, 0x1B, 0x0B, 0xC3, 0x8B, 0x5D, 0xD8, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 508 | 0xFC, 0x89, 0x45, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC1, 509 | 0x39, 0x45, 0x08, 0x73, 0x15, 0x8B, 0xF0, 0xB8, 0x00, 0x08, 0x00, 0x00, 510 | 0x2B, 0xC1, 0xC1, 0xE8, 0x05, 0x03, 0xC1, 0x66, 0x89, 0x07, 0x8B, 0xC3, 511 | 0xEB, 0x17, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0xC1, 0xC1, 0xE8, 0x05, 512 | 0x2B, 0xC8, 0x8B, 0x45, 0xD8, 0x40, 0x83, 0x4D, 0xEC, 0x04, 0x66, 0x89, 513 | 0x0F, 0x8B, 0x4D, 0xE8, 0x81, 0xFE, 0x00, 0x00, 0x00, 0x01, 0x8D, 0x84, 514 | 0x41, 0x44, 0x06, 0x00, 0x00, 0x0F, 0xB7, 0x08, 0x73, 0x17, 0x8B, 0x5D, 515 | 0xFC, 0x8B, 0x7D, 0x08, 0xC1, 0xE7, 0x08, 0x0F, 0xB6, 0x1B, 0x0B, 0xFB, 516 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0xFC, 0x89, 0x7D, 0x08, 0x8B, 0xFE, 0xC1, 517 | 0xEF, 0x0B, 0x0F, 0xAF, 0xF9, 0x39, 0x7D, 0x08, 0x73, 0x16, 0x8B, 0xF7, 518 | 0xBF, 0x00, 0x08, 0x00, 0x00, 0x2B, 0xF9, 0xC1, 0xEF, 0x05, 0x03, 0xF9, 519 | 0x66, 0x89, 0x38, 0x8B, 0x7D, 0xEC, 0xEB, 0x15, 0x29, 0x7D, 0x08, 0x2B, 520 | 0xF7, 0x8B, 0xF9, 0xC1, 0xEF, 0x05, 0x2B, 0xCF, 0x8B, 0x7D, 0xEC, 0x66, 521 | 0x89, 0x08, 0x83, 0xCF, 0x08, 0x83, 0xFF, 0xFF, 0x0F, 0x84, 0xC4, 0x00, 522 | 0x00, 0x00, 0x8B, 0x45, 0xCC, 0x83, 0x7D, 0xC4, 0x00, 0x89, 0x45, 0xC0, 523 | 0x8B, 0x45, 0xD0, 0x89, 0x45, 0xCC, 0x8B, 0x45, 0xDC, 0x89, 0x45, 0xD0, 524 | 0x8D, 0x47, 0x01, 0x89, 0x45, 0xDC, 0x75, 0x05, 0x3B, 0x7D, 0xE0, 0xEB, 525 | 0x03, 0x3B, 0x7D, 0xC4, 0x0F, 0x83, 0xBF, 0x00, 0x00, 0x00, 0x83, 0x7D, 526 | 0xF4, 0x13, 0x1B, 0xC0, 0x24, 0xFD, 0x83, 0xC0, 0x0A, 0x89, 0x45, 0xF4, 527 | 0x8B, 0x5D, 0xE4, 0x8B, 0x45, 0x0C, 0x83, 0x45, 0xF0, 0x02, 0x3B, 0xC3, 528 | 0x0F, 0x84, 0x9F, 0x00, 0x00, 0x00, 0x2B, 0xC3, 0x3B, 0x45, 0xF0, 0x72, 529 | 0x03, 0x8B, 0x45, 0xF0, 0x3B, 0x5D, 0xDC, 0x89, 0x45, 0xBC, 0x1B, 0xC9, 530 | 0x01, 0x45, 0xE0, 0x23, 0x4D, 0xD4, 0x29, 0x45, 0xF0, 0x2B, 0x4D, 0xDC, 531 | 0x03, 0xCB, 0x8D, 0x3C, 0x01, 0x3B, 0x7D, 0xD4, 0x8B, 0x7D, 0xC8, 0x77, 532 | 0x1E, 0x03, 0xFB, 0x2B, 0xCB, 0x03, 0xD8, 0x89, 0x4D, 0xB4, 0x8D, 0x0C, 533 | 0x07, 0x89, 0x5D, 0xE4, 0x8B, 0x45, 0xB4, 0x8A, 0x04, 0x38, 0x88, 0x07, 534 | 0x47, 0x3B, 0xF9, 0x75, 0xF3, 0xEB, 0x17, 0x8A, 0x04, 0x39, 0x88, 0x04, 535 | 0x3B, 0x43, 0x41, 0x3B, 0x4D, 0xD4, 0x75, 0x02, 0x33, 0xC9, 0xFF, 0x4D, 536 | 0xBC, 0x75, 0xEC, 0x89, 0x5D, 0xE4, 0x8B, 0x45, 0xE4, 0x3B, 0x45, 0x0C, 537 | 0x73, 0x1B, 0x8B, 0x45, 0xFC, 0x3B, 0x45, 0x10, 0x73, 0x13, 0x8B, 0x7D, 538 | 0xAC, 0xE9, 0x21, 0xF4, 0xFF, 0xFF, 0x81, 0x45, 0xF0, 0x12, 0x01, 0x00, 539 | 0x00, 0x83, 0x6D, 0xF4, 0x0C, 0x8B, 0x45, 0xFC, 0x81, 0xFE, 0x00, 0x00, 540 | 0x00, 0x01, 0x73, 0x16, 0x8B, 0x4D, 0x08, 0x0F, 0xB6, 0x38, 0xC1, 0xE1, 541 | 0x08, 0xC1, 0xE6, 0x08, 0x0B, 0xCF, 0x40, 0xEB, 0x08, 0x6A, 0x01, 0x58, 542 | 0xEB, 0x3E, 0x8B, 0x4D, 0x08, 0x89, 0x42, 0x18, 0x8B, 0x45, 0xF0, 0x89, 543 | 0x42, 0x48, 0x8B, 0x45, 0xE4, 0x89, 0x42, 0x24, 0x8B, 0x45, 0xE0, 0x89, 544 | 0x42, 0x2C, 0x8B, 0x45, 0xDC, 0x89, 0x42, 0x38, 0x8B, 0x45, 0xD0, 0x89, 545 | 0x42, 0x3C, 0x8B, 0x45, 0xCC, 0x89, 0x42, 0x40, 0x8B, 0x45, 0xC0, 0x89, 546 | 0x42, 0x44, 0x8B, 0x45, 0xF4, 0x89, 0x42, 0x34, 0x89, 0x72, 0x1C, 0x89, 547 | 0x4A, 0x20, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x0C, 0x00, 0x55, 548 | 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x8B, 0x45, 0x08, 0x8B, 0x55, 0x0C, 0x53, 549 | 0x56, 0x8B, 0x48, 0x20, 0x57, 0x89, 0x4D, 0x08, 0x8B, 0x4D, 0x10, 0x03, 550 | 0xD1, 0x8B, 0x48, 0x08, 0x8B, 0x58, 0x34, 0x6A, 0x01, 0x89, 0x55, 0x10, 551 | 0x5A, 0xD3, 0xE2, 0x8B, 0x78, 0x10, 0x8B, 0x70, 0x1C, 0x8B, 0xCB, 0x89, 552 | 0x7D, 0xFC, 0xC1, 0xE1, 0x04, 0x4A, 0x23, 0x50, 0x2C, 0x03, 0xCA, 0x81, 553 | 0xFE, 0x00, 0x00, 0x00, 0x01, 0x0F, 0xB7, 0x0C, 0x4F, 0x89, 0x4D, 0xF0, 554 | 0x73, 0x20, 0x8B, 0x4D, 0x0C, 0x3B, 0x4D, 0x10, 0x0F, 0x83, 0x58, 0x05, 555 | 0x00, 0x00, 0x8B, 0x7D, 0x08, 0x0F, 0xB6, 0x09, 0xC1, 0xE7, 0x08, 0x0B, 556 | 0xF9, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x7D, 0x08, 0x8B, 0xCE, 557 | 0xC1, 0xE9, 0x0B, 0x0F, 0xAF, 0x4D, 0xF0, 0x39, 0x4D, 0x08, 0x0F, 0x83, 558 | 0x4F, 0x01, 0x00, 0x00, 0x8B, 0xF1, 0x8B, 0x4D, 0xFC, 0x81, 0xC1, 0x6C, 559 | 0x0E, 0x00, 0x00, 0x83, 0x78, 0x30, 0x00, 0x89, 0x4D, 0xF8, 0x75, 0x06, 560 | 0x83, 0x78, 0x2C, 0x00, 0x74, 0x35, 0x8B, 0x48, 0x24, 0x85, 0xC9, 0x75, 561 | 0x03, 0x8B, 0x48, 0x28, 0x8B, 0x78, 0x14, 0x8B, 0x10, 0x6A, 0x01, 0x0F, 562 | 0xB6, 0x7C, 0x0F, 0xFF, 0xB1, 0x08, 0x2A, 0xCA, 0x5A, 0xD3, 0xEF, 0x8B, 563 | 0x48, 0x04, 0xD3, 0xE2, 0x8B, 0x08, 0x4A, 0x23, 0x50, 0x2C, 0xD3, 0xE2, 564 | 0x03, 0xFA, 0x8D, 0x0C, 0x7F, 0xC1, 0xE1, 0x09, 0x01, 0x4D, 0xF8, 0x83, 565 | 0xFB, 0x07, 0x73, 0x5A, 0x6A, 0x01, 0xBF, 0x00, 0x00, 0x00, 0x01, 0x59, 566 | 0x8B, 0x45, 0xF8, 0x03, 0xC9, 0x3B, 0xF7, 0x0F, 0xB7, 0x14, 0x01, 0x73, 567 | 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 0x83, 0xBD, 0x04, 0x00, 568 | 0x00, 0x8B, 0x5D, 0x08, 0x0F, 0xB6, 0x00, 0xC1, 0xE3, 0x08, 0x0B, 0xD8, 569 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x8B, 0xC6, 0xC1, 570 | 0xE8, 0x0B, 0x0F, 0xAF, 0xC2, 0x39, 0x45, 0x08, 0x73, 0x04, 0x8B, 0xF0, 571 | 0xEB, 0x06, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x41, 0x81, 0xF9, 0x00, 0x01, 572 | 0x00, 0x00, 0x0F, 0x83, 0x97, 0x00, 0x00, 0x00, 0xEB, 0xAE, 0x8B, 0x50, 573 | 0x24, 0x8B, 0x78, 0x38, 0x3B, 0xD7, 0x73, 0x05, 0x8B, 0x48, 0x28, 0xEB, 574 | 0x02, 0x33, 0xC9, 0x8B, 0x40, 0x14, 0x6A, 0x01, 0x2B, 0xC7, 0xC7, 0x45, 575 | 0xFC, 0x00, 0x01, 0x00, 0x00, 0x03, 0xC2, 0x5A, 0xBF, 0x00, 0x00, 0x00, 576 | 0x01, 0x0F, 0xB6, 0x04, 0x08, 0x89, 0x45, 0xF4, 0xD1, 0x65, 0xF4, 0x8B, 577 | 0x45, 0xFC, 0x8B, 0x5D, 0xF8, 0x23, 0x45, 0xF4, 0x8D, 0x0C, 0x10, 0x03, 578 | 0x4D, 0xFC, 0x3B, 0xF7, 0x0F, 0xB7, 0x0C, 0x4B, 0x89, 0x4D, 0xF0, 0x73, 579 | 0x20, 0x8B, 0x4D, 0x0C, 0x3B, 0x4D, 0x10, 0x0F, 0x83, 0x2D, 0x04, 0x00, 580 | 0x00, 0x8B, 0x5D, 0x08, 0x0F, 0xB6, 0x09, 0xC1, 0xE3, 0x08, 0x0B, 0xD9, 581 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x8B, 0xCE, 0xC1, 582 | 0xE9, 0x0B, 0x0F, 0xAF, 0x4D, 0xF0, 0x39, 0x4D, 0x08, 0x73, 0x08, 0x8B, 583 | 0xF1, 0x03, 0xD2, 0xF7, 0xD0, 0xEB, 0x09, 0x2B, 0xF1, 0x29, 0x4D, 0x08, 584 | 0x8D, 0x54, 0x12, 0x01, 0x21, 0x45, 0xFC, 0x81, 0xFA, 0x00, 0x01, 0x00, 585 | 0x00, 0x72, 0x99, 0xC7, 0x45, 0xF4, 0x01, 0x00, 0x00, 0x00, 0xE9, 0xD7, 586 | 0x03, 0x00, 0x00, 0x29, 0x4D, 0x08, 0x2B, 0xF1, 0xBF, 0x00, 0x00, 0x00, 587 | 0x01, 0x3B, 0xF7, 0x73, 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 588 | 0x83, 0xC9, 0x03, 0x00, 0x00, 0x8B, 0x4D, 0x08, 0x0F, 0xB6, 0x00, 0xC1, 589 | 0xE1, 0x08, 0x0B, 0xC8, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x4D, 590 | 0x08, 0x8B, 0x4D, 0xFC, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xB7, 0x8C, 591 | 0x59, 0x80, 0x01, 0x00, 0x00, 0x0F, 0xAF, 0xC1, 0x39, 0x45, 0x08, 0x73, 592 | 0x1B, 0x83, 0x65, 0xEC, 0x00, 0x8B, 0xF0, 0x8B, 0x45, 0xFC, 0xC7, 0x45, 593 | 0xF4, 0x02, 0x00, 0x00, 0x00, 0x8D, 0x88, 0x64, 0x06, 0x00, 0x00, 0xE9, 594 | 0x43, 0x01, 0x00, 0x00, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x3B, 0xF7, 0xC7, 595 | 0x45, 0xF4, 0x03, 0x00, 0x00, 0x00, 0x73, 0x20, 0x8B, 0x45, 0x0C, 0x3B, 596 | 0x45, 0x10, 0x0F, 0x83, 0x66, 0x03, 0x00, 0x00, 0x8B, 0x4D, 0x08, 0x0F, 597 | 0xB6, 0x00, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 598 | 0x0C, 0x89, 0x4D, 0x08, 0x8B, 0x45, 0xFC, 0x8B, 0xCE, 0xC1, 0xE9, 0x0B, 599 | 0x0F, 0xB7, 0x84, 0x58, 0x98, 0x01, 0x00, 0x00, 0x0F, 0xAF, 0xC8, 0x39, 600 | 0x4D, 0x08, 0x73, 0x60, 0x8B, 0x45, 0xFC, 0x83, 0xC3, 0x0F, 0xC1, 0xE3, 601 | 0x04, 0x03, 0xDA, 0x3B, 0xCF, 0x8B, 0xF1, 0x0F, 0xB7, 0x1C, 0x58, 0x73, 602 | 0x22, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 0x83, 0x19, 0x03, 0x00, 603 | 0x00, 0x0F, 0xB6, 0x00, 0xC1, 0xE1, 0x08, 0x8B, 0xF1, 0x8B, 0x4D, 0x08, 604 | 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0xFF, 0x45, 0x0C, 0x89, 0x4D, 0x08, 0x8B, 605 | 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC3, 0x39, 0x45, 0x08, 0x0F, 0x83, 606 | 0x9E, 0x00, 0x00, 0x00, 0x3B, 0xC7, 0x73, 0x0C, 0x8B, 0x45, 0x10, 0x39, 607 | 0x45, 0x0C, 0x0F, 0x83, 0xE2, 0x02, 0x00, 0x00, 0x6A, 0x03, 0x58, 0xE9, 608 | 0xE1, 0x02, 0x00, 0x00, 0x29, 0x4D, 0x08, 0x2B, 0xF1, 0x3B, 0xF7, 0x73, 609 | 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 0x83, 0xC5, 0x02, 0x00, 610 | 0x00, 0x8B, 0x4D, 0x08, 0x0F, 0xB6, 0x00, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 611 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x4D, 0x08, 0x8B, 0x4D, 0xFC, 612 | 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xB7, 0x8C, 0x59, 0xB0, 0x01, 0x00, 613 | 0x00, 0x0F, 0xAF, 0xC1, 0x39, 0x45, 0x08, 0x73, 0x04, 0x8B, 0xF0, 0xEB, 614 | 0x46, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x8B, 0x45, 0xFC, 0x3B, 0xF7, 0x0F, 615 | 0xB7, 0x8C, 0x58, 0xC8, 0x01, 0x00, 0x00, 0x73, 0x20, 0x8B, 0x45, 0x0C, 616 | 0x3B, 0x45, 0x10, 0x0F, 0x83, 0x75, 0x02, 0x00, 0x00, 0x8B, 0x5D, 0x08, 617 | 0x0F, 0xB6, 0x00, 0xC1, 0xE3, 0x08, 0x0B, 0xD8, 0xC1, 0xE6, 0x08, 0xFF, 618 | 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 619 | 0xC1, 0x39, 0x45, 0x08, 0x72, 0xBB, 0x2B, 0xF0, 0x29, 0x45, 0x08, 0x8B, 620 | 0x45, 0xFC, 0xC7, 0x45, 0xEC, 0x0C, 0x00, 0x00, 0x00, 0x8D, 0x88, 0x68, 621 | 0x0A, 0x00, 0x00, 0x3B, 0xF7, 0x73, 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 622 | 0x10, 0x0F, 0x83, 0x2F, 0x02, 0x00, 0x00, 0x8B, 0x5D, 0x08, 0x0F, 0xB6, 623 | 0x00, 0xC1, 0xE3, 0x08, 0x0B, 0xD8, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 624 | 0x89, 0x5D, 0x08, 0x0F, 0xB7, 0x19, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 625 | 0xAF, 0xC3, 0x39, 0x45, 0x08, 0x73, 0x16, 0xC1, 0xE2, 0x04, 0x83, 0x65, 626 | 0xF0, 0x00, 0x8B, 0xF0, 0x8D, 0x4C, 0x0A, 0x04, 0xC7, 0x45, 0xF8, 0x08, 627 | 0x00, 0x00, 0x00, 0xEB, 0x6A, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x3B, 0xF7, 628 | 0x73, 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 0x83, 0xE0, 0x01, 629 | 0x00, 0x00, 0x8B, 0x5D, 0x08, 0x0F, 0xB6, 0x00, 0xC1, 0xE3, 0x08, 0x0B, 630 | 0xD8, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x0F, 0xB7, 631 | 0x59, 0x02, 0x8B, 0xC6, 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC3, 0x39, 0x45, 632 | 0x08, 0x73, 0x17, 0x6A, 0x08, 0x8B, 0xF0, 0xC1, 0xE2, 0x04, 0x58, 0x8D, 633 | 0x8C, 0x0A, 0x04, 0x01, 0x00, 0x00, 0x89, 0x45, 0xF0, 0x89, 0x45, 0xF8, 634 | 0xEB, 0x19, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x81, 0xC1, 0x04, 0x02, 0x00, 635 | 0x00, 0xC7, 0x45, 0xF0, 0x10, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00, 636 | 0x01, 0x00, 0x00, 0x6A, 0x01, 0x58, 0x03, 0xC0, 0x3B, 0xF7, 0x73, 0x20, 637 | 0x8B, 0x55, 0x0C, 0x3B, 0x55, 0x10, 0x0F, 0x83, 0x76, 0x01, 0x00, 0x00, 638 | 0x8B, 0x5D, 0x08, 0x0F, 0xB6, 0x12, 0xC1, 0xE3, 0x08, 0x0B, 0xDA, 0xC1, 639 | 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x0F, 0xB7, 0x1C, 0x08, 640 | 0x8B, 0xD6, 0xC1, 0xEA, 0x0B, 0x0F, 0xAF, 0xD3, 0x39, 0x55, 0x08, 0x73, 641 | 0x04, 0x8B, 0xF2, 0xEB, 0x06, 0x29, 0x55, 0x08, 0x2B, 0xF2, 0x40, 0x3B, 642 | 0x45, 0xF8, 0x72, 0xBA, 0x8B, 0x4D, 0xF0, 0x2B, 0x4D, 0xF8, 0x03, 0xC1, 643 | 0x83, 0x7D, 0xEC, 0x04, 0x0F, 0x83, 0x24, 0x01, 0x00, 0x00, 0x83, 0xF8, 644 | 0x04, 0x72, 0x03, 0x6A, 0x03, 0x58, 0x8B, 0x5D, 0xFC, 0x6A, 0x01, 0xC1, 645 | 0xE0, 0x07, 0x8D, 0x84, 0x18, 0x60, 0x03, 0x00, 0x00, 0x89, 0x45, 0xF8, 646 | 0x58, 0x8B, 0x4D, 0xF8, 0x03, 0xC0, 0x3B, 0xF7, 0x0F, 0xB7, 0x14, 0x08, 647 | 0x73, 0x26, 0x8B, 0x4D, 0x0C, 0x3B, 0x4D, 0x10, 0x0F, 0x83, 0xFC, 0x00, 648 | 0x00, 0x00, 0x8B, 0x5D, 0x0C, 0x8B, 0x4D, 0x08, 0xC1, 0xE1, 0x08, 0x0F, 649 | 0xB6, 0x1B, 0x0B, 0xCB, 0x8B, 0x5D, 0xFC, 0xC1, 0xE6, 0x08, 0xFF, 0x45, 650 | 0x0C, 0x89, 0x4D, 0x08, 0x8B, 0xCE, 0xC1, 0xE9, 0x0B, 0x0F, 0xAF, 0xCA, 651 | 0x39, 0x4D, 0x08, 0x73, 0x04, 0x8B, 0xF1, 0xEB, 0x06, 0x29, 0x4D, 0x08, 652 | 0x2B, 0xF1, 0x40, 0x83, 0xF8, 0x40, 0x72, 0xB1, 0x83, 0xE8, 0x40, 0x83, 653 | 0xF8, 0x04, 0x0F, 0x82, 0xAE, 0x00, 0x00, 0x00, 0x8B, 0xC8, 0xD1, 0xE9, 654 | 0x49, 0x83, 0xF8, 0x0E, 0x89, 0x4D, 0xF0, 0x73, 0x15, 0x8B, 0xD0, 0x83, 655 | 0xE2, 0x01, 0x83, 0xCA, 0x02, 0xD3, 0xE2, 0x2B, 0xD0, 0x8D, 0x8C, 0x53, 656 | 0x5E, 0x05, 0x00, 0x00, 0xEB, 0x47, 0x83, 0xE9, 0x04, 0x3B, 0xF7, 0x73, 657 | 0x20, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x0F, 0x83, 0x85, 0x00, 0x00, 658 | 0x00, 0x8B, 0x55, 0x08, 0x0F, 0xB6, 0x00, 0xC1, 0xE2, 0x08, 0x0B, 0xD0, 659 | 0xC1, 0xE6, 0x08, 0xFF, 0x45, 0x0C, 0x89, 0x55, 0x08, 0x8B, 0x45, 0x08, 660 | 0xD1, 0xEE, 0x2B, 0xC6, 0xC1, 0xE8, 0x1F, 0x48, 0x23, 0xC6, 0x29, 0x45, 661 | 0x08, 0x49, 0x75, 0xC9, 0x8D, 0x8B, 0x44, 0x06, 0x00, 0x00, 0xC7, 0x45, 662 | 0xF0, 0x04, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x5A, 0x03, 0xD2, 0x3B, 0xF7, 663 | 0x73, 0x1C, 0x8B, 0x45, 0x0C, 0x3B, 0x45, 0x10, 0x73, 0x40, 0x8B, 0x5D, 664 | 0x08, 0x0F, 0xB6, 0x00, 0xC1, 0xE3, 0x08, 0x0B, 0xD8, 0xC1, 0xE6, 0x08, 665 | 0xFF, 0x45, 0x0C, 0x89, 0x5D, 0x08, 0x0F, 0xB7, 0x1C, 0x0A, 0x8B, 0xC6, 666 | 0xC1, 0xE8, 0x0B, 0x0F, 0xAF, 0xC3, 0x39, 0x45, 0x08, 0x73, 0x04, 0x8B, 667 | 0xF0, 0xEB, 0x06, 0x29, 0x45, 0x08, 0x2B, 0xF0, 0x42, 0xFF, 0x4D, 0xF0, 668 | 0x75, 0xBE, 0x3B, 0xF7, 0x73, 0x0C, 0x8B, 0x45, 0x10, 0x39, 0x45, 0x0C, 669 | 0x72, 0x04, 0x33, 0xC0, 0xEB, 0x03, 0x8B, 0x45, 0xF4, 0x5F, 0x5E, 0x5B, 670 | 0xC9, 0xC2, 0x0C, 0x00, 0x8B, 0x44, 0x24, 0x08, 0x33, 0xC9, 0x8A, 0x68, 671 | 0x01, 0x8A, 0x48, 0x02, 0x0F, 0xB6, 0x50, 0x03, 0x0F, 0xB6, 0x40, 0x04, 672 | 0xC1, 0xE1, 0x08, 0x0B, 0xCA, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0x8B, 0x44, 673 | 0x24, 0x04, 0x83, 0x48, 0x1C, 0xFF, 0x83, 0x60, 0x4C, 0x00, 0x89, 0x48, 674 | 0x20, 0xC2, 0x08, 0x00, 0x8B, 0x54, 0x24, 0x04, 0xB8, 0x00, 0x03, 0x00, 675 | 0x00, 0x57, 0x8B, 0x4A, 0x04, 0x8B, 0x7A, 0x10, 0x03, 0x0A, 0xD3, 0xE0, 676 | 0x05, 0x36, 0x07, 0x00, 0x00, 0x74, 0x10, 0x8B, 0xC8, 0xB8, 0x00, 0x04, 677 | 0x00, 0x04, 0xD1, 0xE9, 0xF3, 0xAB, 0x13, 0xC9, 0x66, 0xF3, 0xAB, 0x83, 678 | 0x62, 0x34, 0x00, 0x83, 0x62, 0x50, 0x00, 0x6A, 0x01, 0x58, 0x5F, 0x89, 679 | 0x42, 0x44, 0x89, 0x42, 0x40, 0x89, 0x42, 0x3C, 0x89, 0x42, 0x38, 0xC2, 680 | 0x04, 0x00, 0x56, 0x8B, 0x74, 0x24, 0x08, 0xFF, 0x76, 0x10, 0xFF, 0x74, 681 | 0x24, 0x10, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x83, 0x66, 0x10, 0x00, 0x5E, 682 | 0xC2, 0x08, 0x00, 0x83, 0x7C, 0x24, 0x08, 0x00, 0x74, 0x16, 0x8B, 0x44, 683 | 0x24, 0x04, 0x56, 0xFF, 0x74, 0x24, 0x0C, 0x8B, 0x70, 0x08, 0x6A, 0x00, 684 | 0xFF, 0x56, 0x08, 0x50, 0xFF, 0x56, 0x10, 0x5E, 0xC2, 0x08, 0x00, 0x83, 685 | 0x7C, 0x24, 0x0C, 0x05, 0x72, 0x36, 0x8B, 0x44, 0x24, 0x08, 0x33, 0xD2, 686 | 0x8A, 0x70, 0x04, 0x8A, 0x50, 0x03, 0x0F, 0xB6, 0x48, 0x02, 0xC1, 0xE2, 687 | 0x08, 0x0B, 0xD1, 0x0F, 0xB6, 0x48, 0x01, 0xC1, 0xE2, 0x08, 0x0B, 0xD1, 688 | 0xB9, 0x00, 0x10, 0x00, 0x00, 0x3B, 0xD1, 0x73, 0x02, 0x8B, 0xD1, 0x8B, 689 | 0x4C, 0x24, 0x04, 0x89, 0x51, 0x0C, 0x8A, 0x00, 0x3C, 0xE1, 0x72, 0x05, 690 | 0x6A, 0x04, 0x58, 0xEB, 0x32, 0x56, 0x57, 0x0F, 0xB6, 0xF0, 0x8B, 0xC6, 691 | 0x6A, 0x09, 0x99, 0x5F, 0xF7, 0xFF, 0x8B, 0xC6, 0x57, 0x5E, 0x6A, 0x05, 692 | 0x5F, 0x57, 0x89, 0x11, 0x99, 0xF7, 0xFE, 0x0F, 0xB6, 0xF0, 0x8B, 0xC6, 693 | 0x99, 0xF7, 0xFF, 0x89, 0x41, 0x08, 0x8B, 0xC6, 0x99, 0x5E, 0x5F, 0xF7, 694 | 0xFE, 0x33, 0xC0, 0x5E, 0x89, 0x51, 0x04, 0xC2, 0x0C, 0x00, 0x55, 0x8B, 695 | 0xEC, 0x83, 0xEC, 0x10, 0x57, 0x8D, 0x45, 0xF0, 0xFF, 0x75, 0x10, 0xFF, 696 | 0x75, 0x0C, 0x50, 0xE8, 0x73, 0xFF, 0xFF, 0xFF, 0x85, 0xC0, 0x75, 0x1D, 697 | 0xFF, 0x75, 0x14, 0x8B, 0x7D, 0x08, 0x8D, 0x45, 0xF0, 0x50, 0x57, 0xE8, 698 | 0x12, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x09, 0x56, 0x8D, 0x75, 0xF0, 699 | 0xA5, 0xA5, 0xA5, 0xA5, 0x5E, 0x5F, 0xC9, 0xC2, 0x10, 0x00, 0x8B, 0x44, 700 | 0x24, 0x08, 0x56, 0xBE, 0x00, 0x03, 0x00, 0x00, 0x57, 0x8B, 0x48, 0x04, 701 | 0x8B, 0x7C, 0x24, 0x0C, 0x03, 0x08, 0xD3, 0xE6, 0x81, 0xC6, 0x36, 0x07, 702 | 0x00, 0x00, 0x83, 0x7F, 0x10, 0x00, 0x74, 0x05, 0x3B, 0x77, 0x54, 0x74, 703 | 0x26, 0xFF, 0x74, 0x24, 0x14, 0x57, 0xE8, 0xE3, 0xFE, 0xFF, 0xFF, 0x8D, 704 | 0x04, 0x36, 0x50, 0xFF, 0x74, 0x24, 0x18, 0xE8, 0x16, 0x00, 0x00, 0x00, 705 | 0x85, 0xC0, 0x89, 0x47, 0x10, 0x89, 0x77, 0x54, 0x75, 0x05, 0x6A, 0x02, 706 | 0x58, 0xEB, 0x02, 0x33, 0xC0, 0x5F, 0x5E, 0xC2, 0x0C, 0x00, 0x8B, 0x44, 707 | 0x24, 0x04, 0x56, 0xFF, 0x74, 0x24, 0x0C, 0x8B, 0x70, 0x08, 0x6A, 0x08, 708 | 0xFF, 0x56, 0x08, 0x50, 0xFF, 0x56, 0x0C, 0x5E, 0xC2, 0x08, 0x00, 0x55, 709 | 0x8B, 0xEC, 0x83, 0xEC, 0x70, 0x8B, 0x45, 0x0C, 0x53, 0x56, 0x8B, 0x75, 710 | 0x14, 0x57, 0x8B, 0x38, 0x8B, 0x1E, 0x33, 0xC9, 0x89, 0x08, 0x83, 0xFB, 711 | 0x05, 0x89, 0x0E, 0x73, 0x05, 0x6A, 0x06, 0x58, 0xEB, 0x69, 0xFF, 0x75, 712 | 0x28, 0x8D, 0x45, 0x90, 0x89, 0x4D, 0xA4, 0x89, 0x4D, 0xA0, 0xFF, 0x75, 713 | 0x1C, 0xFF, 0x75, 0x18, 0x50, 0xE8, 0x1C, 0xFF, 0xFF, 0xFF, 0x85, 0xC0, 714 | 0x75, 0x4D, 0x8B, 0x45, 0x08, 0x89, 0x7D, 0xB8, 0x89, 0x45, 0xA4, 0x8D, 715 | 0x45, 0x90, 0x50, 0xE8, 0xC4, 0xE7, 0xFF, 0xFF, 0x89, 0x1E, 0x8B, 0x5D, 716 | 0x24, 0x53, 0x8D, 0x45, 0x90, 0xFF, 0x75, 0x20, 0x56, 0xFF, 0x75, 0x10, 717 | 0x57, 0x50, 0xE8, 0xC2, 0xE7, 0xFF, 0xFF, 0x8B, 0xF0, 0x85, 0xF6, 0x75, 718 | 0x08, 0x83, 0x3B, 0x03, 0x75, 0x03, 0x6A, 0x06, 0x5E, 0x8B, 0x4D, 0x0C, 719 | 0x8B, 0x45, 0xB4, 0xFF, 0x75, 0x28, 0x89, 0x01, 0x8D, 0x45, 0x90, 0x50, 720 | 0xE8, 0x1D, 0xFE, 0xFF, 0xFF, 0x8B, 0xC6, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 721 | 0x24, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x83, 0x7D, 0x08, 0x00, 722 | 0x56, 0x74, 0x0D, 0x83, 0x7D, 0x0C, 0x00, 0x74, 0x07, 0x8B, 0x75, 0x10, 723 | 0x85, 0xF6, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0x95, 0x00, 0x00, 0x00, 0x53, 724 | 0x57, 0x6A, 0x10, 0x8D, 0x45, 0xF0, 0x5F, 0x57, 0xFF, 0x75, 0x0C, 0x57, 725 | 0x50, 0xE8, 0x87, 0x00, 0x00, 0x00, 0x8D, 0x86, 0xA0, 0x00, 0x00, 0x00, 726 | 0x50, 0x8D, 0x45, 0xF0, 0x50, 0xE8, 0x8D, 0x03, 0x00, 0x00, 0x8D, 0x9E, 727 | 0x90, 0x00, 0x00, 0x00, 0xC7, 0x45, 0x0C, 0x09, 0x00, 0x00, 0x00, 0x8D, 728 | 0x45, 0xF0, 0x50, 0xE8, 0x28, 0x04, 0x00, 0x00, 0x8D, 0x45, 0xF0, 0x50, 729 | 0xE8, 0xF8, 0x03, 0x00, 0x00, 0x8D, 0x45, 0xF0, 0x53, 0x50, 0xE8, 0x64, 730 | 0x03, 0x00, 0x00, 0x8D, 0x45, 0xF0, 0x50, 0xE8, 0x68, 0x00, 0x00, 0x00, 731 | 0x2B, 0xDF, 0xFF, 0x4D, 0x0C, 0x75, 0xD4, 0x8D, 0x45, 0xF0, 0x50, 0xE8, 732 | 0xFC, 0x03, 0x00, 0x00, 0x8D, 0x45, 0xF0, 0x50, 0xE8, 0xCC, 0x03, 0x00, 733 | 0x00, 0x8D, 0x45, 0xF0, 0x56, 0x50, 0xE8, 0x38, 0x03, 0x00, 0x00, 0x8D, 734 | 0x45, 0xF0, 0x57, 0x50, 0x57, 0xFF, 0x75, 0x08, 0xE8, 0x14, 0x00, 0x00, 735 | 0x00, 0x8D, 0x45, 0xF0, 0x57, 0x50, 0xE8, 0x10, 0xE1, 0xFF, 0xFF, 0x6A, 736 | 0x01, 0x58, 0x5F, 0x5B, 0x5E, 0xC9, 0xC2, 0x0C, 0x00, 0x56, 0x8B, 0x74, 737 | 0x24, 0x14, 0x3B, 0x74, 0x24, 0x0C, 0x77, 0x12, 0x56, 0xFF, 0x74, 0x24, 738 | 0x14, 0xFF, 0x74, 0x24, 0x10, 0xE8, 0x67, 0xE1, 0xFF, 0xFF, 0x8B, 0xC6, 739 | 0xEB, 0x02, 0x33, 0xC0, 0x5E, 0xC2, 0x10, 0x00, 0x55, 0x8B, 0xEC, 0x83, 740 | 0xEC, 0x10, 0x56, 0x8B, 0x75, 0x08, 0x8D, 0x45, 0xF0, 0x56, 0x50, 0xE8, 741 | 0x3A, 0x00, 0x00, 0x00, 0x8D, 0x46, 0x04, 0x50, 0x8D, 0x45, 0xF4, 0x50, 742 | 0xE8, 0x2D, 0x00, 0x00, 0x00, 0x8D, 0x46, 0x08, 0x50, 0x8D, 0x45, 0xF8, 743 | 0x50, 0xE8, 0x20, 0x00, 0x00, 0x00, 0x8D, 0x46, 0x0C, 0x50, 0x8D, 0x45, 744 | 0xFC, 0x50, 0xE8, 0x13, 0x00, 0x00, 0x00, 0x8D, 0x45, 0xF0, 0x6A, 0x10, 745 | 0x50, 0x6A, 0x10, 0x56, 0xE8, 0x94, 0xFF, 0xFF, 0xFF, 0x5E, 0xC9, 0xC2, 746 | 0x04, 0x00, 0x53, 0x56, 0x8B, 0x74, 0x24, 0x10, 0x57, 0x0F, 0xB6, 0x46, 747 | 0x03, 0x50, 0xE8, 0x3B, 0xE1, 0xFF, 0xFF, 0x50, 0xE8, 0x35, 0xE1, 0xFF, 748 | 0xFF, 0x50, 0xE8, 0x2F, 0xE1, 0xFF, 0xFF, 0x8B, 0xD8, 0x0F, 0xB6, 0x46, 749 | 0x02, 0x50, 0xE8, 0x23, 0xE1, 0xFF, 0xFF, 0x50, 0xE8, 0x1D, 0xE1, 0xFF, 750 | 0xFF, 0x50, 0xE8, 0x17, 0xE1, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 751 | 0x01, 0x50, 0xE8, 0x0B, 0xE1, 0xFF, 0xFF, 0x50, 0xE8, 0x05, 0xE1, 0xFF, 752 | 0xFF, 0x50, 0xE8, 0xFF, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 753 | 0x50, 0xE8, 0xF4, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0xEE, 0xE0, 0xFF, 0xFF, 754 | 0x50, 0xE8, 0xE8, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 755 | 0xE8, 0xDD, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0xD7, 0xE0, 0xFF, 0xFF, 0x32, 756 | 0xD8, 0x0F, 0xB6, 0x46, 0x02, 0x50, 0xE8, 0xCB, 0xE0, 0xFF, 0xFF, 0x50, 757 | 0xE8, 0xC5, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x01, 0x50, 758 | 0xE8, 0xB9, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 0xE8, 759 | 0xAE, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x32, 0x5E, 0x01, 0x8B, 0x7C, 0x24, 760 | 0x10, 0x32, 0x5E, 0x03, 0x32, 0x5E, 0x02, 0x88, 0x1F, 0x0F, 0xB6, 0x46, 761 | 0x03, 0x50, 0xE8, 0x93, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0x8D, 0xE0, 0xFF, 762 | 0xFF, 0x50, 0xE8, 0x87, 0xE0, 0xFF, 0xFF, 0x8B, 0xD8, 0x0F, 0xB6, 0x46, 763 | 0x02, 0x50, 0xE8, 0x7B, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0x75, 0xE0, 0xFF, 764 | 0xFF, 0x50, 0xE8, 0x6F, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 765 | 0x01, 0x50, 0xE8, 0x63, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0x5D, 0xE0, 0xFF, 766 | 0xFF, 0x50, 0xE8, 0x57, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 767 | 0x50, 0xE8, 0x4C, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0x46, 0xE0, 0xFF, 0xFF, 768 | 0x50, 0xE8, 0x40, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x03, 769 | 0x50, 0xE8, 0x34, 0xE0, 0xFF, 0xFF, 0x50, 0xE8, 0x2E, 0xE0, 0xFF, 0xFF, 770 | 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x01, 0x50, 0xE8, 0x22, 0xE0, 0xFF, 0xFF, 771 | 0x50, 0xE8, 0x1C, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x01, 772 | 0x50, 0xE8, 0x10, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x02, 773 | 0x50, 0xE8, 0x04, 0xE0, 0xFF, 0xFF, 0x32, 0xD8, 0x32, 0x1E, 0x32, 0x5E, 774 | 0x03, 0x32, 0x5E, 0x02, 0x88, 0x5F, 0x01, 0x0F, 0xB6, 0x46, 0x03, 0x50, 775 | 0xE8, 0xED, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0xE7, 0xDF, 0xFF, 0xFF, 0x50, 776 | 0xE8, 0xE1, 0xDF, 0xFF, 0xFF, 0x8B, 0xD8, 0x0F, 0xB6, 0x46, 0x02, 0x50, 777 | 0xE8, 0xD5, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0xCF, 0xDF, 0xFF, 0xFF, 0x50, 778 | 0xE8, 0xC9, 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x01, 0x50, 779 | 0xE8, 0xBD, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0xB7, 0xDF, 0xFF, 0xFF, 0x50, 780 | 0xE8, 0xB1, 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 0xE8, 781 | 0xA6, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0xA0, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 782 | 0x9A, 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 0xE8, 0x8F, 783 | 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0x89, 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 784 | 0xB6, 0x46, 0x02, 0x50, 0xE8, 0x7D, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0x77, 785 | 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x03, 0x50, 0xE8, 0x6B, 786 | 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x02, 0x50, 0xE8, 0x5F, 787 | 0xDF, 0xFF, 0xFF, 0x32, 0xD8, 0x32, 0x5E, 0x01, 0x32, 0x1E, 0x32, 0x5E, 788 | 0x03, 0x88, 0x5F, 0x02, 0x0F, 0xB6, 0x46, 0x03, 0x50, 0xE8, 0x48, 0xDF, 789 | 0xFF, 0xFF, 0x50, 0xE8, 0x42, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0x3C, 0xDF, 790 | 0xFF, 0xFF, 0x8B, 0xD8, 0x0F, 0xB6, 0x46, 0x02, 0x50, 0xE8, 0x30, 0xDF, 791 | 0xFF, 0xFF, 0x50, 0xE8, 0x2A, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0x24, 0xDF, 792 | 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x01, 0x50, 0xE8, 0x18, 0xDF, 793 | 0xFF, 0xFF, 0x50, 0xE8, 0x12, 0xDF, 0xFF, 0xFF, 0x50, 0xE8, 0x0C, 0xDF, 794 | 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 0xE8, 0x01, 0xDF, 0xFF, 795 | 0xFF, 0x50, 0xE8, 0xFB, 0xDE, 0xFF, 0xFF, 0x50, 0xE8, 0xF5, 0xDE, 0xFF, 796 | 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x03, 0x50, 0xE8, 0xE9, 0xDE, 0xFF, 797 | 0xFF, 0x50, 0xE8, 0xE3, 0xDE, 0xFF, 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x46, 798 | 0x01, 0x50, 0xE8, 0xD7, 0xDE, 0xFF, 0xFF, 0x50, 0xE8, 0xD1, 0xDE, 0xFF, 799 | 0xFF, 0x32, 0xD8, 0x0F, 0xB6, 0x06, 0x50, 0xE8, 0xC6, 0xDE, 0xFF, 0xFF, 800 | 0x32, 0xD8, 0x0F, 0xB6, 0x46, 0x03, 0x50, 0xE8, 0xBA, 0xDE, 0xFF, 0xFF, 801 | 0x32, 0xD8, 0x32, 0x5E, 0x01, 0x32, 0x1E, 0x32, 0x5E, 0x02, 0x88, 0x5F, 802 | 0x03, 0x5F, 0x5E, 0x5B, 0xC2, 0x08, 0x00, 0x8B, 0x4C, 0x24, 0x08, 0x8B, 803 | 0x44, 0x24, 0x04, 0x8B, 0x11, 0xC1, 0xEA, 0x18, 0x30, 0x10, 0x8B, 0x11, 804 | 0xC1, 0xEA, 0x10, 0x30, 0x50, 0x01, 0x8B, 0x11, 0xC1, 0xEA, 0x08, 0x30, 805 | 0x50, 0x02, 0x8A, 0x11, 0x30, 0x50, 0x03, 0x8B, 0x51, 0x04, 0xC1, 0xEA, 806 | 0x18, 0x30, 0x50, 0x04, 0x8B, 0x51, 0x04, 0xC1, 0xEA, 0x10, 0x30, 0x50, 807 | 0x05, 0x8B, 0x51, 0x04, 0xC1, 0xEA, 0x08, 0x30, 0x50, 0x06, 0x8A, 0x51, 808 | 0x04, 0x30, 0x50, 0x07, 0x8B, 0x51, 0x08, 0xC1, 0xEA, 0x18, 0x30, 0x50, 809 | 0x08, 0x8B, 0x51, 0x08, 0xC1, 0xEA, 0x10, 0x30, 0x50, 0x09, 0x8B, 0x51, 810 | 0x08, 0xC1, 0xEA, 0x08, 0x30, 0x50, 0x0A, 0x8A, 0x51, 0x08, 0x30, 0x50, 811 | 0x0B, 0x8B, 0x51, 0x0C, 0xC1, 0xEA, 0x18, 0x30, 0x50, 0x0C, 0x8B, 0x51, 812 | 0x0C, 0xC1, 0xEA, 0x10, 0x30, 0x50, 0x0D, 0x8B, 0x51, 0x0C, 0xC1, 0xEA, 813 | 0x08, 0x30, 0x50, 0x0E, 0x8A, 0x49, 0x0C, 0x30, 0x48, 0x0F, 0xC2, 0x08, 814 | 0x00, 0x56, 0xE8, 0x12, 0xDA, 0xFF, 0xFF, 0x8B, 0xF0, 0x33, 0xD2, 0x8B, 815 | 0x44, 0x24, 0x08, 0x8D, 0x0C, 0x02, 0x42, 0x83, 0xFA, 0x10, 0x0F, 0xB6, 816 | 0x01, 0x8A, 0x84, 0x30, 0x00, 0x01, 0x00, 0x00, 0x88, 0x01, 0x72, 0xE7, 817 | 0x5E, 0xC2, 0x04, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 818 | 0x08, 0x6A, 0x10, 0x8A, 0x08, 0x88, 0x4D, 0xF0, 0x8A, 0x48, 0x0D, 0x88, 819 | 0x4D, 0xF1, 0x8A, 0x48, 0x0A, 0x88, 0x4D, 0xF2, 0x8A, 0x48, 0x07, 0x88, 820 | 0x4D, 0xF3, 0x8A, 0x48, 0x04, 0x88, 0x4D, 0xF4, 0x8A, 0x48, 0x01, 0x88, 821 | 0x4D, 0xF5, 0x8A, 0x48, 0x0E, 0x88, 0x4D, 0xF6, 0x8A, 0x48, 0x0B, 0x88, 822 | 0x4D, 0xF7, 0x8A, 0x48, 0x08, 0x88, 0x4D, 0xF8, 0x8A, 0x48, 0x05, 0x88, 823 | 0x4D, 0xF9, 0x8A, 0x48, 0x02, 0x88, 0x4D, 0xFA, 0x8A, 0x48, 0x0F, 0x88, 824 | 0x4D, 0xFB, 0x8A, 0x48, 0x0C, 0x88, 0x4D, 0xFC, 0x8A, 0x48, 0x09, 0x88, 825 | 0x4D, 0xFD, 0x8A, 0x48, 0x06, 0x88, 0x4D, 0xFE, 0x8A, 0x48, 0x03, 0x88, 826 | 0x4D, 0xFF, 0x8D, 0x4D, 0xF0, 0x51, 0x6A, 0x10, 0x50, 0xE8, 0xC3, 0xFB, 827 | 0xFF, 0xFF, 0xC9, 0xC2, 0x04, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x30, 828 | 0x57, 0xE8, 0x6B, 0xD9, 0xFF, 0xFF, 0x83, 0x65, 0xD0, 0x00, 0x8B, 0xF8, 829 | 0x8B, 0x45, 0x08, 0x81, 0xC7, 0x00, 0x02, 0x00, 0x00, 0x85, 0xC0, 0xC7, 830 | 0x45, 0xD4, 0x00, 0x00, 0x00, 0x01, 0xC7, 0x45, 0xD8, 0x00, 0x00, 0x00, 831 | 0x02, 0xC7, 0x45, 0xDC, 0x00, 0x00, 0x00, 0x04, 0xC7, 0x45, 0xE0, 0x00, 832 | 0x00, 0x00, 0x08, 0xC7, 0x45, 0xE4, 0x00, 0x00, 0x00, 0x10, 0xC7, 0x45, 833 | 0xE8, 0x00, 0x00, 0x00, 0x20, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x40, 834 | 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x80, 0xC7, 0x45, 0xF4, 0x00, 0x00, 835 | 0x00, 0x1B, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x36, 0x74, 0x07, 0x8B, 836 | 0x4D, 0x0C, 0x85, 0xC9, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0x92, 0x00, 0x00, 837 | 0x00, 0x53, 0x56, 0x6A, 0x04, 0x83, 0xC1, 0x02, 0x5A, 0x89, 0x55, 0xFC, 838 | 0x89, 0x55, 0x0C, 0x0F, 0xB6, 0x31, 0x33, 0xDB, 0x8A, 0x79, 0xFE, 0x8A, 839 | 0x59, 0xFF, 0xC1, 0xE3, 0x08, 0x0B, 0xDE, 0x0F, 0xB6, 0x71, 0x01, 0xC1, 840 | 0xE3, 0x08, 0x0B, 0xDE, 0x03, 0xCA, 0x89, 0x18, 0x03, 0xC2, 0xFF, 0x4D, 841 | 0xFC, 0x75, 0xDC, 0x8B, 0x75, 0x08, 0x8B, 0x46, 0x0C, 0xF6, 0x45, 0x0C, 842 | 0x03, 0x89, 0x45, 0x08, 0x75, 0x3A, 0x33, 0xC9, 0x33, 0xDB, 0x8A, 0x4D, 843 | 0x0A, 0x8A, 0x3C, 0x39, 0x33, 0xC9, 0x8A, 0xCC, 0x8A, 0x1C, 0x39, 0x8B, 844 | 0xC8, 0x81, 0xE1, 0xFF, 0x00, 0x00, 0x00, 0xC1, 0xE8, 0x18, 0x0F, 0xB6, 845 | 0x0C, 0x39, 0x0F, 0xB6, 0x04, 0x38, 0xC1, 0xE3, 0x08, 0x0B, 0xD9, 0xC1, 846 | 0xE3, 0x08, 0x0B, 0xD8, 0x8B, 0x45, 0x0C, 0xC1, 0xE8, 0x02, 0x33, 0x5C, 847 | 0x85, 0xD0, 0x8B, 0xC3, 0x8B, 0x0E, 0x33, 0xC8, 0xFF, 0x45, 0x0C, 0x89, 848 | 0x4E, 0x10, 0x03, 0xF2, 0x83, 0x7D, 0x0C, 0x2C, 0x72, 0xA8, 0x6A, 0x01, 849 | 0x58, 0x5E, 0x5B, 0x5F, 0xC9, 0xC2, 0x08, 0x00, 0x56, 0x8B, 0x74, 0x24, 850 | 0x08, 0x85, 0xF6, 0x75, 0x04, 0x33, 0xC0, 0xEB, 0x42, 0x6A, 0x70, 0x56, 851 | 0xE8, 0xA6, 0xDB, 0xFF, 0xFF, 0x6A, 0x01, 0xC7, 0x06, 0x67, 0xE6, 0x09, 852 | 0x6A, 0xC7, 0x46, 0x04, 0x85, 0xAE, 0x67, 0xBB, 0xC7, 0x46, 0x08, 0x72, 853 | 0xF3, 0x6E, 0x3C, 0xC7, 0x46, 0x0C, 0x3A, 0xF5, 0x4F, 0xA5, 0xC7, 0x46, 854 | 0x10, 0x7F, 0x52, 0x0E, 0x51, 0xC7, 0x46, 0x14, 0x8C, 0x68, 0x05, 0x9B, 855 | 0xC7, 0x46, 0x18, 0xAB, 0xD9, 0x83, 0x1F, 0xC7, 0x46, 0x1C, 0x19, 0xCD, 856 | 0xE0, 0x5B, 0x58, 0x5E, 0xC2, 0x04, 0x00, 0x56, 0x8B, 0x74, 0x24, 0x08, 857 | 0x85, 0xF6, 0x57, 0x74, 0x52, 0x8B, 0x7C, 0x24, 0x10, 0x85, 0xFF, 0x74, 858 | 0x4A, 0x8B, 0x44, 0x24, 0x14, 0x85, 0xC0, 0x74, 0x3D, 0x8B, 0xC8, 0x48, 859 | 0x85, 0xC9, 0x76, 0x36, 0x53, 0x8D, 0x58, 0x01, 0x8B, 0x46, 0x68, 0x8A, 860 | 0x0F, 0x88, 0x4C, 0x30, 0x28, 0xFF, 0x46, 0x68, 0x8B, 0x46, 0x68, 0x47, 861 | 0x83, 0xF8, 0x40, 0x72, 0x19, 0x8D, 0x46, 0x28, 0x50, 0x56, 0xE8, 0x2F, 862 | 0x01, 0x00, 0x00, 0x83, 0x66, 0x68, 0x00, 0x81, 0x46, 0x20, 0x00, 0x02, 863 | 0x00, 0x00, 0x83, 0x56, 0x24, 0x00, 0x4B, 0x75, 0xCF, 0x5B, 0x6A, 0x01, 864 | 0x58, 0xEB, 0x02, 0x33, 0xC0, 0x5F, 0x5E, 0xC2, 0x0C, 0x00, 0x55, 0x8B, 865 | 0xEC, 0x51, 0x51, 0x53, 0x8B, 0x5D, 0x08, 0x85, 0xDB, 0x56, 0x0F, 0x84, 866 | 0xF6, 0x00, 0x00, 0x00, 0x8B, 0x75, 0x0C, 0x85, 0xF6, 0x0F, 0x84, 0xEB, 867 | 0x00, 0x00, 0x00, 0x8B, 0x46, 0x68, 0x8B, 0xC8, 0xC1, 0xE1, 0x03, 0x01, 868 | 0x4E, 0x20, 0x83, 0x56, 0x24, 0x00, 0xC6, 0x44, 0x30, 0x28, 0x80, 0xFF, 869 | 0x46, 0x68, 0x8B, 0x46, 0x68, 0x83, 0xF8, 0x38, 0x76, 0x1E, 0x6A, 0x40, 870 | 0x59, 0x2B, 0xC8, 0x8D, 0x44, 0x30, 0x28, 0x51, 0x50, 0xE8, 0xB9, 0xDA, 871 | 0xFF, 0xFF, 0x8D, 0x46, 0x28, 0x50, 0x56, 0xE8, 0xBA, 0x00, 0x00, 0x00, 872 | 0x83, 0x66, 0x68, 0x00, 0x8B, 0x46, 0x68, 0x57, 0x6A, 0x38, 0x59, 0x2B, 873 | 0xC8, 0x8D, 0x44, 0x30, 0x28, 0x51, 0x50, 0xE8, 0x97, 0xDA, 0xFF, 0xFF, 874 | 0x8A, 0x46, 0x20, 0x8B, 0x7E, 0x24, 0x6A, 0x08, 0x88, 0x46, 0x67, 0x8B, 875 | 0x46, 0x20, 0x59, 0x8B, 0xD7, 0x89, 0x7D, 0xFC, 0xE8, 0x5F, 0xDA, 0xFF, 876 | 0xFF, 0x6A, 0x10, 0x88, 0x46, 0x66, 0x8B, 0x46, 0x20, 0x59, 0x8B, 0xD7, 877 | 0xE8, 0x4F, 0xDA, 0xFF, 0xFF, 0x6A, 0x18, 0x88, 0x46, 0x65, 0x8B, 0x46, 878 | 0x20, 0x59, 0x8B, 0xD7, 0xE8, 0x3F, 0xDA, 0xFF, 0xFF, 0x88, 0x46, 0x64, 879 | 0x8A, 0x45, 0xFC, 0x88, 0x46, 0x63, 0x8B, 0xC7, 0xC1, 0xE8, 0x08, 0x88, 880 | 0x46, 0x62, 0x8B, 0xC7, 0xC1, 0xE8, 0x10, 0x88, 0x46, 0x61, 0x8B, 0xC7, 881 | 0xC1, 0xE8, 0x18, 0x88, 0x46, 0x60, 0x8D, 0x46, 0x28, 0x50, 0x56, 0xE8, 882 | 0x3E, 0x00, 0x00, 0x00, 0x6A, 0x08, 0x8B, 0xFE, 0x59, 0x8B, 0x07, 0x83, 883 | 0xC7, 0x04, 0x8B, 0xD0, 0xC1, 0xEA, 0x18, 0x88, 0x13, 0x8B, 0xD0, 0x43, 884 | 0xC1, 0xEA, 0x10, 0x88, 0x13, 0x8B, 0xD0, 0x43, 0xC1, 0xEA, 0x08, 0x88, 885 | 0x13, 0x43, 0x88, 0x03, 0x43, 0x49, 0x75, 0xDD, 0x6A, 0x70, 0x56, 0xE8, 886 | 0x03, 0xDA, 0xFF, 0xFF, 0x6A, 0x01, 0x58, 0x5F, 0xEB, 0x02, 0x33, 0xC0, 887 | 0x5E, 0x5B, 0xC9, 0xC2, 0x08, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x70, 888 | 0x53, 0x56, 0x57, 0xE8, 0x99, 0xD6, 0xFF, 0xFF, 0x8B, 0x75, 0x08, 0x6A, 889 | 0x10, 0x89, 0x45, 0xD0, 0x89, 0x45, 0xEC, 0x8B, 0x4E, 0x04, 0x8B, 0x1E, 890 | 0x89, 0x4D, 0xFC, 0x8B, 0x4E, 0x08, 0x89, 0x4D, 0xF8, 0x8B, 0x4E, 0x0C, 891 | 0x89, 0x4D, 0xE8, 0x8B, 0x4E, 0x14, 0x89, 0x4D, 0xF4, 0x8B, 0x4E, 0x18, 892 | 0x89, 0x4D, 0xF0, 0x8B, 0x4E, 0x1C, 0x8B, 0x7E, 0x10, 0x89, 0x4D, 0xE4, 893 | 0x8D, 0x4D, 0x90, 0x89, 0x5D, 0x08, 0x2B, 0xC8, 0x58, 0x89, 0x4D, 0xD8, 894 | 0x89, 0x45, 0xDC, 0x89, 0x45, 0xE0, 0x8D, 0x45, 0x0C, 0x50, 0xE8, 0x39, 895 | 0x02, 0x00, 0x00, 0x8B, 0x4D, 0xD8, 0x8B, 0x55, 0xEC, 0x89, 0x45, 0xD4, 896 | 0x89, 0x04, 0x11, 0x8B, 0xCF, 0x8B, 0xC7, 0x8B, 0xD7, 0xC1, 0xE1, 0x15, 897 | 0xC1, 0xE8, 0x0B, 0x0B, 0xC8, 0x8B, 0xC7, 0xC1, 0xE0, 0x1A, 0xC1, 0xEA, 898 | 0x06, 0x0B, 0xC2, 0x8B, 0xD7, 0x33, 0xC8, 0x8B, 0xC7, 0xC1, 0xE8, 0x19, 899 | 0xC1, 0xE2, 0x07, 0x0B, 0xC2, 0x8B, 0x55, 0xF4, 0x33, 0xC8, 0x8B, 0xC7, 900 | 0xF7, 0xD0, 0x23, 0x45, 0xF0, 0x23, 0xD7, 0x33, 0xC2, 0x8B, 0xD3, 0x03, 901 | 0xC8, 0x8B, 0x45, 0xEC, 0xC1, 0xEA, 0x0D, 0x03, 0x08, 0x8B, 0xC3, 0xC1, 902 | 0xE0, 0x13, 0x0B, 0xC2, 0x8B, 0xD3, 0xC1, 0xEA, 0x16, 0xC1, 0xE3, 0x0A, 903 | 0x0B, 0xD3, 0x8B, 0x5D, 0x08, 0x33, 0xC2, 0x8B, 0x55, 0x08, 0xC1, 0xE2, 904 | 0x1E, 0xC1, 0xEB, 0x02, 0x0B, 0xD3, 0x8B, 0x5D, 0xFC, 0x23, 0x5D, 0x08, 905 | 0x33, 0xC2, 0x8B, 0x55, 0xFC, 0x03, 0x4D, 0xD4, 0x33, 0x55, 0x08, 0x83, 906 | 0x45, 0xEC, 0x04, 0x03, 0x4D, 0xE4, 0x23, 0x55, 0xF8, 0x33, 0xD3, 0x03, 907 | 0xC2, 0x8B, 0x55, 0xF0, 0x89, 0x55, 0xE4, 0x8B, 0x55, 0xF4, 0x89, 0x55, 908 | 0xF0, 0x8B, 0x55, 0xE8, 0x89, 0x7D, 0xF4, 0xFF, 0x4D, 0xDC, 0x8D, 0x3C, 909 | 0x11, 0x8B, 0x55, 0xF8, 0x89, 0x55, 0xE8, 0x8B, 0x55, 0xFC, 0x89, 0x55, 910 | 0xF8, 0x8B, 0x55, 0x08, 0x8D, 0x1C, 0x08, 0x89, 0x55, 0xFC, 0x89, 0x5D, 911 | 0x08, 0x0F, 0x85, 0x33, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xD0, 0xC7, 0x45, 912 | 0xEC, 0x0E, 0x00, 0x00, 0x00, 0x83, 0xC0, 0x40, 0x89, 0x45, 0xDC, 0x8B, 913 | 0x45, 0xEC, 0x8D, 0x48, 0x03, 0x83, 0xE0, 0x0F, 0x83, 0xE1, 0x0F, 0x8B, 914 | 0x44, 0x85, 0x90, 0x8B, 0x4C, 0x8D, 0x90, 0x8B, 0xD0, 0x89, 0x4D, 0xD8, 915 | 0x8B, 0x4D, 0xE0, 0x83, 0xE1, 0x0F, 0x8B, 0xD8, 0xC1, 0xE2, 0x0F, 0x8D, 916 | 0x4C, 0x8D, 0x90, 0x89, 0x4D, 0xD0, 0x8B, 0xC8, 0xC1, 0xE9, 0x11, 0x0B, 917 | 0xCA, 0x8B, 0xD0, 0xC1, 0xEA, 0x13, 0xC1, 0xE3, 0x0D, 0x0B, 0xD3, 0x33, 918 | 0xCA, 0xC1, 0xE8, 0x0A, 0x33, 0xC8, 0x8B, 0x45, 0xD8, 0x8B, 0xD0, 0x8B, 919 | 0xD8, 0xC1, 0xEA, 0x12, 0xC1, 0xE3, 0x0E, 0x0B, 0xD3, 0x8B, 0xD8, 0xC1, 920 | 0xE3, 0x19, 0xC1, 0xE8, 0x07, 0x0B, 0xD8, 0x8B, 0x45, 0xD8, 0x33, 0xD3, 921 | 0x8B, 0xDF, 0xC1, 0xE8, 0x03, 0x33, 0xD0, 0x8B, 0x45, 0xEC, 0x83, 0xC0, 922 | 0xFB, 0x03, 0xCA, 0x83, 0xE0, 0x0F, 0x8B, 0xD7, 0xC1, 0xE2, 0x15, 0x03, 923 | 0x4C, 0x85, 0x90, 0x8B, 0x45, 0xD0, 0xC1, 0xEB, 0x06, 0x01, 0x08, 0x8B, 924 | 0x08, 0x8B, 0xC7, 0xC1, 0xE8, 0x0B, 0x0B, 0xD0, 0x8B, 0xC7, 0xC1, 0xE0, 925 | 0x1A, 0x0B, 0xC3, 0x8B, 0xDF, 0x33, 0xD0, 0x8B, 0xC7, 0xC1, 0xE8, 0x19, 926 | 0xC1, 0xE3, 0x07, 0x0B, 0xC3, 0x8B, 0x5D, 0xF4, 0x33, 0xD0, 0x8B, 0xC7, 927 | 0xF7, 0xD0, 0x23, 0x45, 0xF0, 0x23, 0xDF, 0x03, 0xCA, 0x8B, 0x55, 0x08, 928 | 0x33, 0xC3, 0x8B, 0xDA, 0x03, 0xC1, 0x8B, 0x4D, 0xDC, 0x03, 0x45, 0xE4, 929 | 0xC1, 0xEB, 0x0D, 0x03, 0x01, 0x8B, 0xCA, 0xC1, 0xE1, 0x13, 0x0B, 0xCB, 930 | 0x8B, 0xDA, 0xC1, 0xEB, 0x16, 0xC1, 0xE2, 0x0A, 0x0B, 0xDA, 0x8B, 0x55, 931 | 0x08, 0x33, 0xCB, 0x8B, 0x5D, 0x08, 0xC1, 0xE2, 0x1E, 0xC1, 0xEB, 0x02, 932 | 0x0B, 0xD3, 0x8B, 0x5D, 0xFC, 0x23, 0x5D, 0x08, 0x33, 0xCA, 0x8B, 0x55, 933 | 0xFC, 0x83, 0x45, 0xDC, 0x04, 0x33, 0x55, 0x08, 0x23, 0x55, 0xF8, 0x33, 934 | 0xD3, 0x8B, 0x5D, 0xF4, 0x03, 0xCA, 0x8B, 0x55, 0xF0, 0x89, 0x5D, 0xF0, 935 | 0x8B, 0x5D, 0xF8, 0x89, 0x7D, 0xF4, 0x8B, 0x7D, 0xE8, 0x03, 0xF8, 0x89, 936 | 0x5D, 0xE8, 0x8B, 0x5D, 0xFC, 0x03, 0xC1, 0xFF, 0x45, 0xE0, 0xFF, 0x45, 937 | 0xEC, 0x83, 0x7D, 0xEC, 0x3E, 0x89, 0x5D, 0xF8, 0x8B, 0x5D, 0x08, 0x89, 938 | 0x55, 0xE4, 0x89, 0x5D, 0xFC, 0x89, 0x45, 0x08, 0x0F, 0x8C, 0xC5, 0xFE, 939 | 0xFF, 0xFF, 0x01, 0x06, 0x8B, 0x45, 0xF8, 0x01, 0x46, 0x08, 0x8B, 0x45, 940 | 0xE8, 0x01, 0x46, 0x0C, 0x8B, 0x45, 0xF4, 0x01, 0x46, 0x14, 0x8B, 0x45, 941 | 0xF0, 0x01, 0x5E, 0x04, 0x01, 0x7E, 0x10, 0x01, 0x46, 0x18, 0x01, 0x56, 942 | 0x1C, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x08, 0x00, 0x8B, 0x4C, 0x24, 0x04, 943 | 0x56, 0x8B, 0x11, 0x0F, 0xB6, 0x02, 0xC1, 0xE0, 0x18, 0x42, 0x89, 0x11, 944 | 0x0F, 0xB6, 0x32, 0xC1, 0xE6, 0x10, 0x0B, 0xC6, 0x8D, 0x72, 0x01, 0x33, 945 | 0xD2, 0x89, 0x31, 0x8A, 0x36, 0x0B, 0xC2, 0x8D, 0x56, 0x01, 0x89, 0x11, 946 | 0x0F, 0xB6, 0x32, 0x0B, 0xC6, 0x42, 0x89, 0x11, 0x5E, 0xC2, 0x04, 0x00, 947 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 948 | }; 949 | -------------------------------------------------------------------------------- /rcx_converter/util.cpp: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | #include "aes.hpp" 4 | #include 5 | 6 | #include "shellcode2.h" 7 | 8 | BYTE* util::dexor(BYTE *buf, size_t buf_size, BYTE key) 9 | { 10 | for (size_t i = 0; i < buf_size; i++) { 11 | buf[i] ^= key; 12 | } 13 | return buf; 14 | } 15 | 16 | BYTE* util::find_marker(BYTE *buf, size_t buf_size, DWORD marker) 17 | { 18 | BYTE *marker_ptr = (BYTE *)▮ 19 | for (BYTE *buf_ptr = buf; buf_ptr < (buf + buf_size - sizeof(marker)); buf_ptr++) { 20 | if (memcmp(buf_ptr, marker_ptr, sizeof(marker)) == 0) { 21 | return buf_ptr; 22 | } 23 | } 24 | return nullptr; 25 | } 26 | 27 | BYTE* util::aes_decrypt(BYTE *buf, size_t buf_size, BYTE *key) 28 | { 29 | struct AES_ctx ctx; 30 | AES_init_ctx(&ctx, key); 31 | 32 | for (size_t i = 0; i < buf_size; i+=16) { 33 | AES_ECB_decrypt(&ctx, buf + i); 34 | } 35 | return buf; 36 | } 37 | 38 | bool load_custom_iat(custom_iat &iat) 39 | { 40 | HMODULE kernel32 = GetModuleHandle("kernel32.dll"); 41 | HMODULE ntdll = GetModuleHandle("ntdll.dll"); 42 | 43 | iat.VirtualAlloc = GetProcAddress(kernel32, "VirtualAlloc"); 44 | iat.VirtualFree = GetProcAddress(kernel32, "VirtualFree"); 45 | iat.GetProcessHeap = GetProcAddress(kernel32, "GetProcessHeap"); 46 | 47 | iat.NtQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess"); 48 | iat.RtlAllocateHeap = GetProcAddress(ntdll, "RtlAllocateHeap"); 49 | iat.RtlFreeHeap = GetProcAddress(ntdll, "RtlFreeHeap"); 50 | 51 | if (iat.VirtualAlloc && iat.VirtualFree && iat.GetProcessHeap 52 | && iat.NtQueryInformationProcess && iat.RtlAllocateHeap && iat.RtlFreeHeap) { 53 | return true; 54 | } 55 | return false; 56 | } 57 | 58 | int util::decompress(BYTE *in_buf, int in_size, BYTE *out_buf, unsigned int out_size) 59 | { 60 | #ifdef _WIN64 61 | std::cerr << "Compile the tool as 32 bit\n"; 62 | return 0; 63 | #else 64 | custom_iat iat = { 0 }; 65 | load_custom_iat(iat); 66 | //decompression function form the original Hidden Bee 67 | const size_t dataSize = 481; 68 | unsigned char rawData[dataSize] = { 69 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x28, 0x83, 0x65, 0xF4, 0x00, 0x83, 0x65, 70 | 0xD8, 0x00, 0x83, 0x65, 0xEC, 0x00, 0x8B, 0x45, 0x0C, 0x89, 0x45, 0xE8, 71 | 0x68, 0x11, 0x10, 0x00, 0x00, 0x6A, 0x08, 0x8B, 0x45, 0x08, 0xFF, 0x50, 72 | 0x08, 0x50, 0x8B, 0x45, 0x08, 0xFF, 0x50, 0x0C, 0x89, 0x45, 0xF4, 0x83, 73 | 0x7D, 0xF4, 0x00, 0x0F, 0x84, 0xA2, 0x01, 0x00, 0x00, 0x83, 0x65, 0xE4, 74 | 0x00, 0xEB, 0x07, 0x8B, 0x45, 0xE4, 0x40, 0x89, 0x45, 0xE4, 0x81, 0x7D, 75 | 0xE4, 0xEE, 0x0F, 0x00, 0x00, 0x7D, 0x0B, 0x8B, 0x45, 0xF4, 0x03, 0x45, 76 | 0xE4, 0xC6, 0x00, 0x20, 0xEB, 0xE5, 0xC7, 0x45, 0xF8, 0xEE, 0x0F, 0x00, 77 | 0x00, 0x83, 0x65, 0xFC, 0x00, 0x8B, 0x45, 0xFC, 0xD1, 0xE8, 0x89, 0x45, 78 | 0xFC, 0x8B, 0x45, 0xFC, 0x25, 0x00, 0x01, 0x00, 0x00, 0x85, 0xC0, 0x75, 79 | 0x23, 0x8B, 0x45, 0xD8, 0x3B, 0x45, 0x10, 0x75, 0x05, 0xE9, 0x43, 0x01, 80 | 0x00, 0x00, 0x8B, 0x45, 0xE8, 0x03, 0x45, 0xD8, 0x0F, 0xB6, 0x00, 0x80, 81 | 0xCC, 0xFF, 0x89, 0x45, 0xFC, 0x8B, 0x45, 0xD8, 0x40, 0x89, 0x45, 0xD8, 82 | 0x8B, 0x45, 0xFC, 0x83, 0xE0, 0x01, 0x85, 0xC0, 0x74, 0x5F, 0x8B, 0x45, 83 | 0xD8, 0x3B, 0x45, 0x10, 0x75, 0x05, 0xE9, 0x16, 0x01, 0x00, 0x00, 0x8B, 84 | 0x45, 0x14, 0x03, 0x45, 0xEC, 0x8B, 0x4D, 0xE8, 0x03, 0x4D, 0xD8, 0x8A, 85 | 0x09, 0x88, 0x08, 0x8B, 0x45, 0xEC, 0x40, 0x89, 0x45, 0xEC, 0x8B, 0x45, 86 | 0xEC, 0x3B, 0x45, 0x18, 0x72, 0x05, 0xE9, 0xF2, 0x00, 0x00, 0x00, 0x8B, 87 | 0x45, 0xF4, 0x03, 0x45, 0xF8, 0x8B, 0x4D, 0xE8, 0x03, 0x4D, 0xD8, 0x8A, 88 | 0x09, 0x88, 0x08, 0x8B, 0x45, 0xF8, 0x40, 0x89, 0x45, 0xF8, 0x8B, 0x45, 89 | 0xF8, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x89, 0x45, 0xF8, 0x8B, 0x45, 0xD8, 90 | 0x40, 0x89, 0x45, 0xD8, 0xE9, 0xBF, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xD8, 91 | 0x3B, 0x45, 0x10, 0x75, 0x05, 0xE9, 0xB7, 0x00, 0x00, 0x00, 0x8B, 0x45, 92 | 0xD8, 0x40, 0x3B, 0x45, 0x10, 0x75, 0x05, 0xE9, 0xA9, 0x00, 0x00, 0x00, 93 | 0x8B, 0x45, 0xE8, 0x03, 0x45, 0xD8, 0x0F, 0xB6, 0x00, 0x89, 0x45, 0xE4, 94 | 0x8B, 0x45, 0xE8, 0x03, 0x45, 0xD8, 0x0F, 0xB6, 0x40, 0x01, 0x89, 0x45, 95 | 0xE0, 0x8B, 0x45, 0xE0, 0x25, 0xF0, 0x00, 0x00, 0x00, 0xC1, 0xE0, 0x04, 96 | 0x8B, 0x4D, 0xE4, 0x0B, 0xC8, 0x89, 0x4D, 0xE4, 0x8B, 0x45, 0xE0, 0x83, 97 | 0xE0, 0x0F, 0x40, 0x40, 0x89, 0x45, 0xE0, 0x8B, 0x45, 0xD8, 0x40, 0x40, 98 | 0x89, 0x45, 0xD8, 0x83, 0x65, 0xDC, 0x00, 0xEB, 0x07, 0x8B, 0x45, 0xDC, 99 | 0x40, 0x89, 0x45, 0xDC, 0x8B, 0x45, 0xDC, 0x3B, 0x45, 0xE0, 0x7F, 0x50, 100 | 0x8B, 0x45, 0xE4, 0x03, 0x45, 0xDC, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 101 | 0x4D, 0xF4, 0x0F, 0xB6, 0x04, 0x01, 0x89, 0x45, 0xF0, 0x8B, 0x45, 0x14, 102 | 0x03, 0x45, 0xEC, 0x8A, 0x4D, 0xF0, 0x88, 0x08, 0x8B, 0x45, 0xEC, 0x40, 103 | 0x89, 0x45, 0xEC, 0x8B, 0x45, 0xEC, 0x3B, 0x45, 0x18, 0x72, 0x02, 0xEB, 104 | 0x1F, 0x8B, 0x45, 0xF4, 0x03, 0x45, 0xF8, 0x8A, 0x4D, 0xF0, 0x88, 0x08, 105 | 0x8B, 0x45, 0xF8, 0x40, 0x89, 0x45, 0xF8, 0x8B, 0x45, 0xF8, 0x25, 0xFF, 106 | 0x0F, 0x00, 0x00, 0x89, 0x45, 0xF8, 0xEB, 0xA1, 0xE9, 0x9C, 0xFE, 0xFF, 107 | 0xFF, 0xFF, 0x75, 0xF4, 0x6A, 0x00, 0x8B, 0x45, 0x08, 0xFF, 0x50, 0x08, 108 | 0x50, 0x8B, 0x45, 0x08, 0xFF, 0x50, 0x10, 0x8B, 0x45, 0xEC, 0xC9, 0xC2, 109 | 0x14 110 | }; 111 | 112 | BYTE *buf = peconv::alloc_aligned(dataSize, PAGE_EXECUTE_READWRITE); 113 | memcpy(buf, rawData, dataSize); 114 | 115 | int(__stdcall *_decompress)(custom_iat*, BYTE *, int, BYTE *, unsigned int) 116 | = (int(__stdcall *)(custom_iat*, BYTE *, int, BYTE *, unsigned int))(buf); 117 | 118 | int decompressed_size = _decompress(&iat, in_buf, in_size, out_buf, out_size); 119 | 120 | peconv::free_aligned(buf); 121 | return decompressed_size; 122 | #endif 123 | } 124 | 125 | int util::lzma_decompress(BYTE *in_buf, int in_size, BYTE *out_buf, unsigned int out_size) 126 | { 127 | #ifdef _WIN64 128 | std::cerr << "Compile the tool as 32 bit\n"; 129 | return 0; 130 | #else 131 | custom_iat iat = { 0 }; 132 | load_custom_iat(iat); 133 | 134 | BYTE *buf = peconv::alloc_aligned(shellcode2_size, PAGE_EXECUTE_READWRITE); 135 | memcpy(buf, shellcode2_data, shellcode2_size); 136 | 137 | int(__stdcall *_lzma_decompress)(custom_iat *, BYTE *, DWORD *, BYTE *, int ) 138 | = (int(__stdcall *)(custom_iat *, BYTE *, DWORD *, BYTE *, int))(buf + 0x666); 139 | 140 | DWORD decompressed_size = out_size; 141 | _lzma_decompress(&iat, out_buf, &decompressed_size, in_buf, in_size); 142 | 143 | peconv::free_aligned(buf); 144 | return decompressed_size; 145 | #endif 146 | } 147 | 148 | -------------------------------------------------------------------------------- /rcx_converter/util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | typedef struct _custom_iat 7 | { 8 | void *VirtualAlloc; 9 | void *VirtualFree; 10 | void *GetProcessHeap; 11 | void *RtlAllocateHeap; 12 | void *RtlFreeHeap; 13 | void *NtQueryInformationProcess; 14 | } custom_iat; 15 | 16 | namespace util { 17 | BYTE* dexor(BYTE *buf, size_t buf_size, BYTE key); 18 | BYTE *find_marker(BYTE *buf, size_t buf_size, DWORD marker); 19 | 20 | BYTE* aes_decrypt(BYTE *buf, size_t buf_size, BYTE *key); 21 | 22 | int decompress(BYTE *in_buf, int in_size, BYTE *out_buf, unsigned int out_size); 23 | 24 | int lzma_decompress(BYTE *in_buf, int in_size, BYTE *out_buf, unsigned int out_size); 25 | }; 26 | -------------------------------------------------------------------------------- /rdx_converter/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 3.12) 2 | 3 | # replace "project_template" by your own project name: 4 | project ( rdx_converter ) 5 | 6 | set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") 7 | 8 | # include libpeconv headers: 9 | include_directories ( ${PECONV_DIR}/include ) 10 | 11 | set (srcs 12 | rdx.cpp 13 | dir_util.cpp 14 | ) 15 | 16 | # general headers - they will be used for both EXE and DLL: 17 | set (hdrs 18 | rdx.h 19 | dir_util.h 20 | ) 21 | 22 | # Choose to build the DLL or EXE 23 | add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} main.cpp ) 24 | 25 | # link with libpeconv.lib 26 | target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} ) 27 | 28 | #dependencies: 29 | add_dependencies( ${PROJECT_NAME} libpeconv ) 30 | 31 | INSTALL( TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_PREFIX} COMPONENT ${PROJECT_NAME} ) 32 | -------------------------------------------------------------------------------- /rdx_converter/LICENSE: -------------------------------------------------------------------------------- 1 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 2 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 3 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 4 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 5 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 6 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 7 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 8 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 9 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 10 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 11 | -------------------------------------------------------------------------------- /rdx_converter/README.md: -------------------------------------------------------------------------------- 1 | # rdx_converter 2 | 3 | Extracts the modules from the HiddenBee's custom **!rdx** filesystem. 4 | 5 | ![rdx diagram](../pics/rdx_format.png) 6 | 7 | Sample **!rdx** dumps: 8 | + [b828072d354f510e2030ef9cad6f00546b4e06f08230960a103aab0128f20fc3](https://www.virustotal.com/gui/file/b828072d354f510e2030ef9cad6f00546b4e06f08230960a103aab0128f20fc3/detection) 9 | + [c95bb09de000ba72a45ec63a9b5e46c22b9f1e2c10cc58b4f4d3980c30286c91](https://www.virustotal.com/gui/file/c95bb09de000ba72a45ec63a9b5e46c22b9f1e2c10cc58b4f4d3980c30286c91/detection) 10 | -------------------------------------------------------------------------------- /rdx_converter/dir_util.cpp: -------------------------------------------------------------------------------- 1 | #include "dir_util.h" 2 | 3 | std::string get_directory_name(IN const std::string str) 4 | { 5 | size_t found = str.find_last_of("/\\"); 6 | if (found == std::string::npos) { 7 | return ""; 8 | } 9 | return str.substr(0, found); 10 | } 11 | 12 | std::string get_full_path(const char* szPath) 13 | { 14 | char out_buf[MAX_PATH] = { 0 }; 15 | if (GetFullPathNameA(szPath, MAX_PATH, out_buf, nullptr) == 0) { 16 | return ""; 17 | } 18 | return out_buf; 19 | } 20 | 21 | bool dir_exists(const char* szPath) 22 | { 23 | DWORD dwAttrib = GetFileAttributes(szPath); 24 | 25 | return (dwAttrib != INVALID_FILE_ATTRIBUTES && 26 | (dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); 27 | } 28 | 29 | bool create_dir_recursively(std::string in_path) 30 | { 31 | std::string path = get_full_path(in_path.c_str()); 32 | if (path.length() == 0) path = in_path; 33 | 34 | if (dir_exists(path.c_str())) { 35 | return true; 36 | } 37 | size_t pos = 0; 38 | do 39 | { 40 | pos = path.find_first_of("\\/", pos + 1); 41 | if (CreateDirectoryA(path.substr(0, pos).c_str(), NULL) == FALSE) { 42 | if (GetLastError() != ERROR_ALREADY_EXISTS) { 43 | return false; 44 | } 45 | } 46 | } while (pos != std::string::npos); 47 | return true; 48 | } 49 | -------------------------------------------------------------------------------- /rdx_converter/dir_util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | std::string get_directory_name(IN const std::string str); 7 | 8 | bool create_dir_recursively(std::string in_path); 9 | -------------------------------------------------------------------------------- /rdx_converter/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "rdx.h" 6 | 7 | int main(int argc, char *argv[]) 8 | { 9 | if (argc < 2) { 10 | std::cout << "Args: " << std::endl; 11 | system("pause"); 12 | return -1; 13 | } 14 | size_t buf_size = 0; 15 | BYTE* buf = peconv::load_file(argv[1], buf_size); 16 | if (!buf) { 17 | std::cout << "Could not open the file!\n"; 18 | return 0; 19 | } 20 | const size_t count = rdx_fs::dump_modules(buf, buf_size); 21 | return count; 22 | } 23 | -------------------------------------------------------------------------------- /rdx_converter/rdx.cpp: -------------------------------------------------------------------------------- 1 | #include "rdx.h" 2 | #include 3 | #include 4 | 5 | #include "dir_util.h" 6 | 7 | using namespace rdx_fs; 8 | 9 | bool is_rdx(BYTE* buf, size_t buf_size) 10 | { 11 | if (!buf || !buf_size) return false; 12 | const DWORD *magic = (DWORD*)buf; 13 | if (*magic != RDX_MAGIC) { 14 | std::cout << "[!] Magic number mismatch: " << std::hex << *magic << " vs: " << RDX_MAGIC << "\n"; 15 | return false; 16 | } 17 | return true; 18 | } 19 | 20 | size_t rdx_fs::enum_modules(BYTE* buf, size_t buf_size) 21 | { 22 | if (!is_rdx(buf, buf_size)) return 0; 23 | 24 | rdx_struct *rdx_buf = (rdx_struct*) buf; 25 | size_t count = 0; 26 | 27 | rdx_record *record = (rdx_record*)rdx_buf->records; 28 | while (true) { 29 | 30 | if (record->offset > buf_size || record->size > buf_size) { 31 | break; 32 | } 33 | std::cout << std::hex << "next:" << record->next_record << "\n"; 34 | std::cout << std::hex << "start: " << record->offset << "\nsize: " << record->size << "\n"; 35 | std::cout << record->name << "\n"; 36 | count++; 37 | 38 | if (record->next_record == 0) break; 39 | record = (rdx_record*) buf + record->next_record; 40 | } 41 | return count; 42 | } 43 | 44 | char* convert_name(char* name) 45 | { 46 | for (size_t i = 0; i < strlen(name); i++) { 47 | if (name[i] == '/' || name[i] == '\\') { 48 | name[i] = '_'; 49 | } 50 | } 51 | return name; 52 | } 53 | 54 | size_t rdx_fs::dump_modules(BYTE* buf, size_t buf_size) 55 | { 56 | if (!is_rdx(buf, buf_size)) return 0; 57 | 58 | BYTE *buf_ptr = buf + sizeof(DWORD); 59 | size_t count = 0; 60 | while (true) { 61 | rdx_record *record = (rdx_record*)buf_ptr; 62 | std::cout << "[*] " << record->name << "\n"; 63 | 64 | if (record->offset > buf_size || record->size > buf_size) { 65 | break; 66 | } 67 | BYTE *content_ptr = buf + record->offset; 68 | char *new_path = record->name; 69 | 70 | std::string dir = get_directory_name(record->name); 71 | if (dir.length() > 0) { 72 | if (!create_dir_recursively(dir)) { 73 | std::cout << "[!] Failed to create directory structure\n"; 74 | new_path = convert_name(record->name); 75 | } 76 | } 77 | if (peconv::dump_to_file(new_path, content_ptr, record->size)) { 78 | std::cout << "[*] Saved to: " << new_path << "\n"; 79 | count++; 80 | } 81 | if (record->next_record == 0) break; 82 | buf_ptr = buf + record->next_record; 83 | } 84 | return count; 85 | } 86 | -------------------------------------------------------------------------------- /rdx_converter/rdx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | const DWORD RDX_MAGIC = 'xdr!'; 6 | 7 | namespace rdx_fs { 8 | 9 | typedef struct _rdx_record { 10 | DWORD next_record; 11 | DWORD offset; 12 | DWORD size; 13 | char name[1]; 14 | } rdx_record; 15 | 16 | typedef struct _rdx_struct { 17 | DWORD rdx_magic; // '!rdx' 18 | rdx_record records[1]; // 0 terminated list of records 19 | } rdx_struct; 20 | 21 | size_t enum_modules(BYTE* buf, size_t buf_size); 22 | size_t dump_modules(BYTE* buf, size_t buf_size); 23 | }; 24 | --------------------------------------------------------------------------------