Патьков прислал баг-репорт на YAD, сегодня поисправлял ошибки:
; 1)
db 0x67,0xc7,0x44,0x10,0x55,0x00,0x00,0x00 ;mov dword [si+0x10],0x000000010
; 2)
db 0x9a,0x00,0x00,0xff,0xff,0xff,0xff
db 0x66,0x9a,0x00,0x01,0x10,0x00
; 3)
db 0xFE,0x0e
db 0x67,0xFE,0x0C
; 4)
db 0xd6
; 5)
fwait
; 6)
db 0x82,0x5A,0x79,0x66 ; sbb byte [edx+0x79],0x066
; 7)
db 0xD2,0xF4 ; sal ah,cl
db 0xC1,0x32,0xF7 ; sal dword [edx],-9
db 0xC1,0x70,0xC5,0xFC ; sal dword [eax-0x3B],-4
db 0xD1,0x75,0x27 ; sal dword [ebp+0x27],1
db 0xD0,0xB3,0x59,0x68,0xF5,0x69 ; sal byte [ebx+0x69F56859],1
db 0xD1,0x30 ; sal dword [eax],1
db 0xD3,0x71,0x25 ; sal dword [ecx+0x25],cl
db 0xC0,0xF3,0xD6 ; sal bl,0x0FFFFFFD6
; 8) cmp byte [ebp+0x0D960AFFD],0x041
db 0x82,0xBD,0xFD,0xAF,0x60,0xD9,0x41
; 9) sub byte [ecx+0x0CC07D311],0x010
db 0x82,0xA9,0x11,0xD3,0x07,0xCC,0x10
; 10) xor byte [esi+0x5C21255E],0x0BA
db 0x82,0xB6,0x5E,0x25,0x21,0x5C,0xBA
Зря я выбрал qemu. Ж-) Для начала пофиксил по быстрому, потом наверное буду дальше сверять таблицу (а то и заново её перебью), хотя бы ради SSE2+.
Я довольно часто слышал одну глупость (и даже сам её повторял), что мол “не хватает хороших идей”. Большинство же идей сидят в своем идеальном мирке и поглядывают от туда в наш мир, и ждут чей бы еще мозг зохавать. Ж-) Это я к чему. Случайно наткнулся на статью: Binary obfuscation using signals, и вспомнилось мне такое вот извращение:
.model tiny
.code
org 100h
start: mov ax, 3506h
int 21h
mov 2 ptr [oldint6+2],es
mov 2 ptr [oldint6 ],bx
sub ah, 10h
mov dx, offset int6hnd
int 21h
db 0feh, 10h
db 0feh, 11h
db 0feh, 12h
db 0feh, 13h
db 0feh, 14h
db 0feh, 15h
db 0feh, 16h
mov ax, 2506h
lds dx, [oldint6]
int 21h
ret
int6hnd: push ds si ax bp
mov bp, sp
lds si, [bp+8]
lodsw
mov 2 ptr cs:[offset j2_addr ], si
mov 2 ptr cs:[offset j2_addr+2], ds
xchg al, ah
cbw
sub al, 10h
shl ax, 1
xchg bp, ax
mov ax, cs:[bp+offset cmd_table]
mov cs:[offset j1_addr], ax
jmp $+2
pop bp ax si ds
add sp, 4
popf
db 0e9h ; jmp xxxx
j1_addr dw ?
cmd0: push 0b800h
jmp ret_back
cmd1: pop es
jmp ret_back
cmd2: mov ax, 0fdbh
jmp ret_back
cmd3: mov cx, 4000
jmp ret_back
cmd4: rep stosw
jmp ret_back
cmd5: xor ax, ax
jmp ret_back
cmd6: int 16h
ret_back: db 0eah
j2_addr dd ?
cmd_table dw 0, offset cmd1-offset cmd0
dw offset cmd2-offset cmd0
dw offset cmd3-offset cmd0
dw offset cmd4-offset cmd0
dw offset cmd5-offset cmd0
dw offset cmd6-offset cmd0
oldint6 dd ?
end start
Не помню работает ли этот пример, да это и не важно. Решил немного поиграться с сигналами. Тут, я вижу две возможности:
- Перенос кода в обработчик сигнала (требует анализа кода)
- Эмуляция кода обработчиком
jmp-ы — это чепуха, лучше извратить Jcc. где-то так:
< /bin/uname: формат файла elf32-i386
---
> ./uname: формат файла elf32-i386
220c220,221
< 8048c5d: 74 02 je 8048c61 <__ctype_b_loc@plt+0x5d>
---
> 8048c5d: 90 nop
> 8048c5e: cc int3
231c232,233
< 8048c75: 75 29 jne 8048ca0 <__ctype_b_loc@plt+0x9c>
---
> 8048c75: 90 nop
> 8048c76: cc int3
235c237,238
< 8048c80: 74 17 je 8048c99 <__ctype_b_loc@plt+0x95>
---
> 8048c80: 90 nop
> 8048c81: cc int3
243c246,247
< 8048c97: 75 eb jne 8048c84 <__ctype_b_loc@plt+0x80>
---
> 8048c97: 90 nop
> 8048c98: cc int3
gdb и strace просто в восторге от такой замены:
(gdb) handle SIGTRAP nostop noprint pass
SIGTRAP is used by the debugger.
Are you sure you want to change it? (y or n) y
Signal Stop Print Pass to program Description
SIGTRAP No No Yes Trace/breakpoint trap
(gdb) run
Starting program: .../uname
[1]+ Stopped gdb ./uname
# fg %1
gdb ./uname
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x4bf000
(no debugging symbols found)...(no debugging symbols found)...
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
The program no longer exists.
# strace ./uname
execve("./uname", ["./uname"], [/* 41 vars */]) = 0
...
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0xb7f58000
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted)
....................................
и собственно izvr.c, который все это делает. (прога очень сырая, signal/sigaction не перехватываются и еще есть какие-то глюки, доделаю попозже...)
/* izvr.c */
#include <assert.h>
#include <sys/mman.h>
#include <stdio.h>
#include <elf.h>
#include <signal.h>
#define VL(x) (*(volatile long *)x)
#define set_bit(nr, addr) asm("btsl %1,%0":"=m"VL(addr):"Ir" (nr))
#define clr_bit(nr, addr) asm("btrl %1,%0":"=m"VL(addr):"Ir" (nr))
#define tst_bit(nr, addr) ({\
int b; asm("btl %2,%1\nsbbl %0,%0":"=r" (b):"m"VL(addr),"Ir"(nr)); b; })
unsigned char lde[343]={
0x60, 0x8b, 0x74, 0x24, 0x24, 0x6a, 0x0f, 0x59,
0x6a, 0x08, 0x5a, 0xe8, 0x8d, 0x00, 0x00, 0x00,
0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x01,
0x41, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1,
0x02, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11,
0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x01,
0x54, 0x11, 0xa1, 0x41, 0x0f, 0x0f, 0x05, 0x52,
0x44, 0xa1, 0xf1, 0x11, 0x61, 0x04, 0x1f, 0x11,
0x61, 0xf1, 0x62, 0x5c, 0x0a, 0xc1, 0x05, 0x24,
0x04, 0x11, 0xa1, 0x06, 0x18, 0xa8, 0x62, 0x21,
0x01, 0x52, 0x61, 0xf1, 0x31, 0x01, 0x21, 0x02,
0x11, 0x02, 0x54, 0x12, 0x02, 0x58, 0x18, 0xa2,
0xc1, 0x11, 0x04, 0x41, 0x01, 0x42, 0x02, 0x81,
0x91, 0x06, 0x52, 0x54, 0x72, 0x01, 0x71, 0x02,
0x76, 0x59, 0x77, 0x54, 0x74, 0x58, 0x06, 0x7a,
0x5f, 0x5f, 0x5f, 0x53, 0x64, 0x53, 0x01, 0x76,
0x52, 0xaf, 0xa1, 0x5f, 0x51, 0x03, 0x51, 0x61,
0x51, 0x72, 0x03, 0x51, 0x61, 0x5b, 0x72, 0x61,
0x57, 0x61, 0x51, 0x63, 0x51, 0x08, 0x71, 0x5f,
0x5f, 0x51, 0x71, 0x5e, 0x71, 0x5f, 0x57, 0x8a,
0x1e, 0x8a, 0x07, 0x47, 0xd4, 0x10, 0x28, 0xc3,
0x73, 0xf7, 0x5f, 0xac, 0x86, 0xe0, 0x3c, 0x07,
0x74, 0x18, 0x3c, 0x04, 0x75, 0x51, 0x80, 0xfc,
0x0f, 0x75, 0x03, 0x83, 0xc7, 0x5b, 0x80, 0xec,
0x65, 0x80, 0xfc, 0x02, 0x77, 0x02, 0x08, 0xe6,
0xe2, 0xd4, 0xeb, 0x2d, 0x80, 0xfb, 0x40, 0x73,
0x07, 0x80, 0xfc, 0x06, 0x75, 0x02, 0xb3, 0x80,
0xc0, 0xeb, 0x06, 0x7a, 0x11, 0x00, 0xd8, 0x80,
0xec, 0xa0, 0x80, 0xfc, 0x03, 0x77, 0x07, 0x80,
0xf2, 0x08, 0x74, 0x0b, 0xd0, 0xee, 0x66, 0xf7,
0xc2, 0x08, 0x01, 0x75, 0x02, 0x40, 0x40, 0x28,
0xc8, 0x04, 0x10, 0x3c, 0x10, 0xf5, 0x0f, 0xb6,
0xc0, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xc3, 0x30,
0xc2, 0x3c, 0x09, 0x76, 0x02, 0x24, 0x07, 0x3c,
0x05, 0x72, 0xcc, 0x8b, 0x1e, 0x49, 0x3c, 0x08,
0x1c, 0x04, 0xa8, 0x04, 0x74, 0x0f, 0x2c, 0x03,
0xf6, 0xc3, 0x30, 0x74, 0x02, 0x30, 0xc0, 0x3c,
0x02, 0x74, 0x02, 0xb2, 0x08, 0xb4, 0x07, 0x20,
0xdc, 0xf6, 0xc6, 0x02, 0x75, 0x96, 0xf6, 0xc3,
0xc0, 0x79, 0x04, 0x7a, 0xb1, 0x40, 0x40, 0x80,
0xfc, 0x04, 0x75, 0x05, 0x40, 0xb4, 0x07, 0x20,
0xfc, 0xf6, 0xc3, 0xc0, 0x75, 0x8a, 0x80, 0xfc,
0x05, 0x75, 0x85, 0x04, 0x04, 0xeb, 0x81 };
#define LDE(p)((int(*)(void*))lde)(p)
#define INFO "roy g biv length dissassembler engine"
extern void mydata();
extern void code_start();
extern void patch();
extern int ari_compress(uint8_t *src, uint8_t *dst, int src_len, uint8_t *temp);
#define PAGE_SIZE 4096
void infect(int h, char *m, int l, char *code, int code_size, char *data, int data_size)
{
int i;
Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m;
Elf32_Phdr *ph, *phdr;
uint32_t base;
phdr = (Elf32_Phdr*)(m + ehdr->e_phoff);
for (base = 0, ph = NULL, i = 0; i < ehdr->e_phnum; i++) {
if (phdr[i].p_type == PT_NOTE) {
ph = &phdr[i];
} else
if (phdr[i].p_type == PT_LOAD && phdr[i].p_offset == 0)
base = phdr[i].p_vaddr;
}
if (ph == NULL) {
puts("Failed");
return;
}
ph->p_type = PT_LOAD;
ph->p_flags = PF_R|PF_W|PF_X;
ph->p_align = 0x1000;
ph->p_offset = l;
ph->p_filesz = ph->p_memsz = code_size + data_size;
ph->p_vaddr = ph->p_paddr = base - ((code_size + data_size + 4095) & 0xfffff000) + (l & (PAGE_SIZE - 1));
write(h, code, code_size);
write(h, data, data_size);
uint32_t jmp = ehdr->e_entry - ph->p_vaddr - 21;
pwrite(h, &jmp, 4, l + 17, 0);
ehdr->e_entry = ph->p_vaddr;
}
int main(int argc, char **argv)
{
int h = open(argv[1], 2);
assert(h > 0);
int l = lseek(h, 0, 2);
assert(l > 0);
unsigned char *m = mmap(NULL, l, PROT_READ|PROT_WRITE, MAP_SHARED, h, 0);
assert(m != MAP_FAILED);
Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m;
assert(ehdr->e_shstrndx != SHN_UNDEF);
Elf32_Shdr *shdr = (Elf32_Shdr*)(m + ehdr->e_shoff);
char *strtab = m + shdr[ehdr->e_shstrndx].sh_offset;
uint8_t *cp;
uint32_t cs, ca;
int i;
for (i = 0; i < ehdr->e_shnum; i++)
if (! strcmp(strtab + shdr[i].sh_name, ".text")) {
cp = shdr[i].sh_offset + m;
cs = shdr[i].sh_size;
ca = shdr[i].sh_addr;
break;
}
assert(cp != NULL);
uint8_t map[(cs + 7) / 8];
bzero(map, (cs + 7) / 8);
uint8_t *p = cp;
int r, ol;
int count = 0;
uint32_t *rel = NULL;
uint8_t *occ = NULL;
while (p - cp < cs) {
ol = LDE(p);
assert(ol != 0);
r = 0;
if ((p[0] & 0xf0) == 0x70)
r = 1;
else
if ((p[1] & 0xf0) == 0x80 && p[0] == 0x0f)
r = 2;
if (r) {
void fill(uint8_t *where, int l) {
memset(where, 0x90, l);
where[l - 1] = 0xcc;
}
set_bit(p - cp + (r == 1 ? 2 : 6), map);
rel = (uint32_t*)realloc(rel, 4 * (count + 1));
occ = (uint8_t*)realloc(occ, (count + 2) / 2);
rel[count] = (r == 1 ? (char)p[1] : *(uint32_t*)(p + 2));
if ((count & 1) == 0)
occ[count / 2] = (p[r - 1] & 0x0f) << 4;
else
occ[count / 2] |= p[r - 1] & 0x0f;
count++;
fill(p, r == 1 ? 2 : 6);
}
p += ol;
}
uint8_t *buf = (char*)malloc(12 + (cs + 7) / 8 + (count + 1) / 2 + count*4);
assert(buf != NULL);
p = buf;
#define CP(v, s) memcpy(p, v, s); p += s;
CP(&ca, 4);
CP(&cs, 4);
CP(&count, 4);
CP(map, (cs + 7) / 8);
CP(rel, count * 4);
CP(occ, (count + 1) / 2);
int ul = p - buf;
printf("Size: %d\n", ul);
uint8_t *dst = (char*)malloc(ul);
uint8_t t[3374];
int al;
al = ari_compress(buf, dst + 4, p - buf, t);
memcpy(dst, &ul, 4);
al += 4;
printf("CSize: %d\n", al);
infect(h, m, l, (char*)&code_start, (char*)&mydata - (char*)code_start, dst, al);
munmap(m, l);
close(h);
}
asm (".globl code_start; code_start: pusha; call 1f; 1: sub $6, (%esp); call myinit; popa; .byte 0xe9; .long 0");
/* Syscalls */
asm( "_syscall:\n"
" pusha\n"
" mov 36(%esp),%eax\n"
" mov 40(%esp),%ebx\n"
" mov 44(%esp),%ecx\n"
" mov 48(%esp),%edx\n"
" mov 52(%esp),%esi\n"
" mov 56(%esp),%edi\n"
" mov 60(%esp),%ebp\n"
" int $0x80\n"
" mov %eax,28(%esp)\n"
" popa\n"
" ret\n");
extern unsigned int _syscall();
#define exit(a) _syscall(1, a)
#define read(a,b,c) _syscall(3, a,b,c)
#define write(a,b,c) _syscall(4, a,b,c)
#define open(a,b) _syscall(5, a,b)
#define close(a) _syscall(6, a)
#define creat(a,b) _syscall(8, a,b)
#define chdir(a) _syscall(12, a)
#define time(a) _syscall(13, a)
#define lseek(a,b,c) _syscall(19, a,b,c)
#define access(a,b) _syscall(33, a,b)
#define rename(a,b) _syscall(38, a,b)
#define sigaction(a,b,c) _syscall(67, a,b,c)
#define readdir(a,b) _syscall(89, a,b)
#define munmap(a,b) _syscall(91, a,b)
#define ftruncate(a,b) _syscall(93, a,b)
#define lstat(a,b) _syscall(107,a,b)
#define mprotect(a,b,c) _syscall(125,a,b,c)
#define mremap(a,b,c,d) _syscall(163,a,b,c,d)
#define pwrite(a,b,c,d,e) _syscall(181,a,b,c,d,e)
#define mmap(a,b,c,d,e,f) _syscall(192,a,b,c,d,e,f)
static void bzero(unsigned char *s, int n)
{
int i;
for (i = 0; i < n; i++)
s[i] = 0;
}
void putd(int a)
{
int i, c;
for (i = 28; i >= 0; i-= 4) {
c = (a >> i) & 15;
if (c > 9)
c = c - 10 + 'a';
else
c += '0';
write(1, &c, 1);
}
c = 10;
write(1, &c, 1);
}
void do_sig(unsigned int signo)
{
uint32_t cs, cn, cc, a, n, i;
uint8_t *map, *occ;
uint32_t *rel, *data;
asm volatile("movl $0x55aa55aa, %0; patch:; .globl patch":"=r"(data));
cs = data[1];
cn = data[2];
map = (char*)&data[3];
rel = (uint32_t*)(map + (cs + 7) / 8);
occ = (uint8_t*)((char*)rel + cn*4);
a = *(&signo + 15) - data[0];
if (a > cs || tst_bit(a, map) == 0)
return;
for (n = 0, i = 0; i < a; i++)
if (tst_bit(i, map))
n++;
if (n > cn)
return;
cc = occ[n >> 1];
cc = n & 1 ? cc & 15 : cc >> 4;
#define CF ((flags >> 0) & 1)
#define PF ((flags >> 2) & 1)
#define AF ((flgas >> 4) & 1)
#define ZF ((flags >> 6) & 1)
#define SF ((flags >> 7) & 1)
#define OF ((flags >> 11) & 1)
#define CC(N, cond) if (cc == N) { if (cond) goto L; else return; } else
unsigned int flags = *(&signo + 17);
CC(0x00, OF) /* jo */
CC(0x01, OF == 0) /* jno */
CC(0x02, CF) /* jb/jnae/jc */
CC(0x03, CF == 0) /* jnb/jae/jnc */
CC(0x04, ZF) /* je/jz */
CC(0x05, ZF == 0) /* jne/jnz */
CC(0x06, CF || ZF) /* jbe/jna */
CC(0x07, CF == 0 && ZF == 0) /* ja/jnbe */
CC(0x08, SF) /* js */
CC(0x09, SF == 0) /* jns */
CC(0x0a, PF) /* jp/jpe */
CC(0x0b, PF == 0) /* jnp/jpo */
CC(0x0c, SF != OF) /* jl/jnge */
CC(0x0d, SF == OF) /* jge/jnl */
CC(0x0e, ZF || SF != OF) /* jle/jng */
CC(0x0f, ZF == 0 && SF == OF) ; /* jg/jnle */
L: (*(&signo + 15)) += (int)rel[n];
// putd(cc);
}
static void __attribute__((stdcall)) myinit (uint8_t *self)
{
char c;
uint8_t *archdata = (char*)self + ((char*)&mydata - (char*)&code_start);
/* unpack data */
uint32_t ds = *(uint32_t*)archdata;
uint8_t *data = (void*)mmap(0, (ds + 4095) & 0xfffff000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
uint8_t temp[3374];
ari_expand(archdata + 4, data, temp);
/* patch handler */
uint32_t *p = (uint32_t*)((char*)self + ((char*)&patch - (char*)&code_start) - 4);
*p = (uint32_t)data;
/* set handler */
struct sigaction sa;
bzero((void*)&sa, sizeof(sa));
sa.sa_handler = (void(*)(int))((char*)&do_sig - (char*)&code_start + self);
sigaction(5, &sa, 0);
}
asm("ari_expand:");
asm(".byte 0x60,0xfc,0x8b,0x44,0x24,0x24,0x8b,0x7c,0x24,0x28,0x8b,0x6c,0x24,0x2c,0x89,0x45");
asm(".byte 0x10,0x31,0xc0,0x89,0x45,0x0c,0x8d,0xb5,0x1c,0x04,0x00,0x00,0xe8,0x6b,0x00,0x00");
asm(".byte 0x00,0xe8,0x37,0x00,0x00,0x00,0xe8,0x89,0x01,0x00,0x00,0x89,0xc3,0x3d,0x01,0x01");
asm(".byte 0x00,0x00,0x74,0x0f,0x8a,0x04,0x1e,0xaa,0x53,0xe8,0x93,0x00,0x00,0x00,0x83,0xc4");
asm(".byte 0x04,0xeb,0xe3,0x2b,0x7c,0x24,0x28,0x89,0x7c,0x24,0x1c,0x61,0xc3,0x31,0xc0,0x89");
asm(".byte 0x45,0x08,0x31,0xc0,0x89,0x45,0x04,0x66,0x48,0x89,0x45,0x00,0xc3,0x60,0x6a,0x10");
asm(".byte 0x59,0x31,0xdb,0xe8,0xdd,0x01,0x00,0x00,0xd1,0xe3,0x09,0xc3,0xe2,0xf5,0x89,0x5d");
asm(".byte 0x08,0x61,0xeb,0xde,0xff,0x45,0x08,0x81,0x7d,0x04,0x00,0x40,0x00,0x00,0x73,0x04");
asm(".byte 0x6a,0x00,0xeb,0x02,0x6a,0x01,0xe8,0x2d,0xff,0xff,0xff,0xc3,0x60,0x8d,0x7d,0x1c");
asm(".byte 0x8d,0xb5,0x1c,0x04,0x00,0x00,0x31,0xc9,0x89,0xc8,0x40,0xab,0x88,0x0c,0x06,0x41");
asm(".byte 0x81,0xf9,0x00,0x01,0x00,0x00,0x72,0xf0,0x8d,0xb5,0x1e,0x05,0x00,0x00,0x8d,0xbd");
asm(".byte 0x26,0x09,0x00,0x00,0x31,0xc9,0xba,0x01,0x01,0x00,0x00,0x31,0xc0,0x40,0x89,0x04");
asm(".byte 0x8e,0x89,0xd0,0x29,0xc8,0xab,0x41,0x39,0xd1,0x76,0xf0,0x31,0xc0,0x89,0x06,0x61");
asm(".byte 0xc3,0x60,0x8b,0x54,0x24,0x24,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8d,0xbd,0x1e,0x05");
asm(".byte 0x00,0x00,0x81,0x3e,0xff,0x3f,0x00,0x00,0x75,0x18,0x31,0xc0,0xb9,0x01,0x01,0x00");
asm(".byte 0x00,0x8b,0x1c,0x8f,0x43,0xd1,0xeb,0x89,0x1c,0x8f,0x89,0x04,0x8e,0x01,0xd8,0x49");
asm(".byte 0x79,0xef,0x89,0xd1,0x8b,0x04,0x8f,0x3b,0x44,0x8f,0xfc,0x75,0x03,0x49,0xeb,0xf4");
asm(".byte 0xff,0x04,0x8f,0x39,0xd1,0x73,0x1d,0x8d,0xbd,0x1c,0x04,0x00,0x00,0x0f,0xb6,0x04");
asm(".byte 0x0f,0x0f,0xb6,0x1c,0x17,0x88,0x1c,0x0f,0x88,0x04,0x17,0x8d,0x7d,0x1c,0x89,0x14");
asm(".byte 0x87,0x89,0x0c,0x9f,0x09,0xc9,0x74,0x06,0x49,0xff,0x04,0x8e,0xeb,0xf6,0x61,0xc3");
asm(".byte 0x60,0x8d,0xbd,0x26,0x09,0x00,0x00,0x8b,0x74,0x24,0x24,0x8b,0x5d,0x04,0x8b,0x4d");
asm(".byte 0x00,0x89,0xc8,0x29,0xd8,0x40,0x50,0xf7,0x64,0xb7,0xfc,0xf7,0x37,0x48,0x89,0xc1");
asm(".byte 0x01,0xd9,0x58,0xf7,0x24,0xb7,0xf7,0x37,0x01,0xc3,0xb8,0x00,0x80,0x00,0x00,0x39");
asm(".byte 0xc1,0x73,0x09,0x6a,0x00,0xe8,0x3e,0xfe,0xff,0xff,0xeb,0x29,0x39,0xc3,0x72,0x0d");
asm(".byte 0x6a,0x01,0xe8,0x31,0xfe,0xff,0xff,0x29,0xc3,0x29,0xc1,0xeb,0x18,0xb8,0x00,0x40");
asm(".byte 0x00,0x00,0x39,0xc3,0x72,0x16,0x81,0xf9,0x00,0xc0,0x00,0x00,0x73,0x0e,0xff,0x45");
asm(".byte 0x08,0x29,0xc3,0x29,0xc1,0xd1,0xe3,0xd1,0xe1,0x41,0xeb,0xbe,0x89,0x5d,0x04,0x89");
asm(".byte 0x4d,0x00,0x61,0xc3,0x60,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8b,0x5d,0x00,0x2b,0x5d");
asm(".byte 0x04,0x43,0x8b,0x45,0x08,0x2b,0x45,0x04,0x40,0xf7,0x26,0x48,0xf7,0xf3,0x31,0xc9");
asm(".byte 0x41,0x39,0x04,0x8e,0x76,0x03,0x41,0xeb,0xf8,0x89,0xd8,0xf7,0x64,0x8e,0xfc,0xf7");
asm(".byte 0x36,0x03,0x45,0x04,0x48,0x89,0xc7,0x89,0xd8,0xf7,0x24,0x8e,0xf7,0x36,0x03,0x45");
asm(".byte 0x04,0x89,0xc2,0x8b,0x5d,0x08,0x81,0xff,0x00,0x80,0x00,0x00,0x72,0x28,0xb8,0x00");
asm(".byte 0x80,0x00,0x00,0x39,0xc2,0x72,0x08,0x29,0xc3,0x29,0xc2,0x29,0xc7,0xeb,0x17,0xb8");
asm(".byte 0x00,0x40,0x00,0x00,0x39,0xc2,0x72,0x1e,0x81,0xff,0x00,0xc0,0x00,0x00,0x73,0x16");
asm(".byte 0x29,0xc3,0x29,0xc2,0x29,0xc7,0xd1,0xe2,0xd1,0xe7,0x47,0xe8,0x15,0x00,0x00,0x00");
asm(".byte 0xd1,0xe3,0x09,0xc3,0xeb,0xc0,0x89,0x55,0x04,0x89,0x7d,0x00,0x89,0x5d,0x08,0x89");
asm(".byte 0x4c,0x24,0x1c,0x61,0xc3,0x60,0x31,0xc0,0x8b,0x7d,0x10,0x8b,0x4d,0x0c,0x0f,0xa3");
asm(".byte 0x0f,0x73,0x01,0x40,0xff,0x45,0x0c,0x89,0x44,0x24,0x1c,0x61,0xc3");
asm(".globl mydata; mydata:");
|
![[info]](http://lj.rossia.org/img/imported-profile.gif){kind=small}