Chaos Digest Mercredi 9 Juin 1993 Volume 1 : Numero 48 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.48 (9 Juin 1993) File 1--40H VMag Number 6 Volume 2 Issue 2 #000-004 (reprint) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352) 466893. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Number 6 Volume 2 Issue 2 #000-004 (reprint) 40Hex Number 6 Volume 2 Issue 2 File 000 Welcome to 40Hex issue 6. If this is your first time reading an issue of 40 Hex, I welcome you, but recommend that you start with an earlier issue. This issue will have a Virus Spotlite on Creeping Death(Dir-2). It isn't in the normal Hex Dump format, and it is fully commented. - Landfill is temporarily down(again!). This is due to several [NuKEd] hard drive controllers... we are down but NOT out. Hopefully we should be up within several weeks of the release of this issue. Hellraiser is still unable to edit the magazine, hopefully next issue he will be back in charge. - I think we must discuss one problem. Recently, we have been verbally "attacked" by some lamers in the virus scene who like to jerk off on Fidonet. To clear up the issue at hand, we personally don't use all of the methods found in the articles. For example, we don't sit around all day and PKLite infected files and then remove the PKLite header. We let you people do it. As a matter of fact, we made it a hell of a lot easier due to this month's article called NoLite. No self-respecting virus group would do it. Not everyone that reads this magazine is a virus programmer, but wants to learn. Ya gotta start somewhere. Another person who has been insulting us on FidoNet is Sara Gordon. I do not know the whole story behind her hatred, but I know it stems from a phone conversation between her and Hellraiser. From what I understand, they disagreed on many topics, and HR may have gotten insulting (I don't know the whole story) - Anyone that would like to submit articles feel free to do so, as long as what you write is not stolen from another source and is of good quality. If you would like to write articles contact any PHALCON/SKISM member or upload them to either Digital Warfare or PHUN LINE. 40 Hex Mag Issue 6 April 1992 The Contents File 000...........................You Are Here File 001...........................Finding anti-viral programs in memory File 002...........................Code Concealing: Part I File 003...........................More Busts and Updates File 004...........................The NoLite Utility File 005...........................PHALCON/SKISM Update File 006...........................Some Dick who wants to bust virus authors File 007...........................The Kennedy Virus File 008...........................Cornell students nailed for viruses File 009...........................The Truth Behind Virus Scanners File 00A...........................Virus Spotlite-Dir2 Full commented source File 00B...........................Scan strings, and how to avoid them File 00C...........................!Virus Contest! Our Members: Axiom Codex(*)-(Sysop of PHUNLINE) Count Zero(*)-(Hacker, Amiga Programmer, Master of 150#) CRoW MeiSTeR(K)-(Sysop of Crow Tech., Goob) Dark Angel-(Programmer, Master Chef) DecimatoR(*)-(Sysop of Digital Warfare, Programmer) Demogorgon-(Hacker, Programmer) Garbageheap-(Fearless Leader, Sysop of LandFill, Programmer) Hellraiser-(Fearless Leader, Programmer) Instigator(*)-(Terry Oakes' butt-buddy, 40 Hex writer) Joshua Tower-(Electronics, MonkeyWrenching) Lazarus Long-(Programmer) Night Crawler-(Courier, Keeper of All Virii) Orion Rogue-(Rouge?, named us, then laid back, and relied on name) Paragon Dude-(Macintosh Progammer(lonely)) Renegade(*?)-(Hacker, Macintosh Programmer) Time Lord(*)-(Sysop of USSR Systems) (*)-Denotes persons who should avoid bending over for the soap, and invest in large quantities of KY Jelly. (K)-Denotes persons who should get KY Jelly anyway. (*?)-Denotes persons who came too close, and wisely backed off and also saved a fortune on KY Jelly. Special Goodbye's to:Piff'(Sorry ya had to quit) Greets to: Attitude Adjuster, Dekion, Loki, [NuKE], Suicidal Maniac, and our readers (do we have any?!?!?) P.S. The transcript of the Alliance mentioned in last issue will NOT be released in this issue. This issue is just too damned packed to add another large file. It will be put into 40Hex-7, if we aren't in jail. -)GHeap +++++ 40Hex Number 6 Volume 2 Issue 2 File 001 -------------------------------------------------------------------------- Memory Resident Anti-Virus Detection and Removal -------------------------------------------------------------------------- Here is a list of ways to see if anti-viral utils are present in memory. I got the list out of PC interupts, a book by Ralph Brown. Here they are: F.-DRIVER.SYS (Part of the F-Protect virus package by Fridrik Skulason.) This program "grabs" the INT 21 monitoring code, if it was not already taken by another program. INT 21h, Function 4Bh, Sub Function EEh AX must = 4BEEh at call, and call returns AX=1234h if F-Prot sucessfully grabbed INT 21, and AX=2345h if the grab failed. F-DLOCK.SYS (A HD access restrictor, part of F-Protect Package) Call INT 2Fh, Funct. 46h, SubFunct 53h At call, AX must = 4653h, CX=0005h, BX= 0000h If present in ram, AX will return FFFFh. To uninstall, call with AX & CX the same as above, but BX= 0001h. AX, ES, & BX will be destroyed. F-LOCK.EXE (Part of F-Protect package, looks for "suspicious" activity) INT 2Fh, Funct 46h, SubFunct. 53h To call: AX = 4653h, CX=0002h, BX=0000h (installation check) BX=0001h (uninstall) BX=0002h (disable v1.08 & below) BX=0003h (enable v1.08 & below) Call returns AX=FFFFh if installed ( BX=0000h at call) AX, BX, and ES destroyed, if uninstalled (BX=0001 at call) F-POPUP.EXE (Pop up menu for F-Protect) INT 2Fh, Funct. 46h, SubFunct. 53h To call: AX=4653h, CX=0004h, BX= 0000h, 0001h or 0002h (See above - BX same as F-Lock) Returns: Same as F-LOCK.EXE F-XCHK.EXE (Prevents execution of any progs which don't have self-checking code added by F-XLOCK) INT 2Fh, Funct. 46h, SubFunct 53h To Call: Registers = same as F-Popup, except CX=0003h, and BX = 0000h (installation check) or 0001h (uninstall) Returns: same as F-LOCK, above. TBSCANX (Resident Virus scanning Util by Frans Veldman) INT 2Fh, Function CAh, SubFunct 00h Call: AX=CA01, BX=5442h ("TB") Returns: AL=00h if not installed, AL=FFh if installed BX=7462h ("tb") if BX was 5442h during call INT 2Fh, Function CAh, Subfunction 02h (Set state of TBSCANX) Call: AX=CA02h, BL = new state (00h=disabled, 01h=enabled) VDEFEND (Part of PC-tools. Works on v7.0) INT 21h, Function FAh To call: AH=FAh, DX=5945h, AL=subfunction (01h to uninstall) returns: CF set on error, DI = 4559h (?) DATAMON (PC Tools 7.0 file protection) INT 2Fh, Funct 62h, Sub Funct 84h Call: AX=6284h, BX=0000h (for installation check), CX=0000h Returns: AX=resident code segment, BX & CX = 5555h Flu Shot, or Virex PC INT 21h Call: AX=0ff0fh Returns if either is installed: AX=101h If anyone has any more Anti-Viral IDs, post 'em on Digital Warfare and I'll update this list. --DecimatoR PHALCON/SKISM +++++ 40HEX_6_002 SEGMENT PUBLIC 'code' ORG 100H ASSUME CS:CODE,DS:CODE,SS:CODE,ES:CODE ;************************************************************************** Concealment: Keep Your Code Hidden From Prying Eyes by Demogorgon/PHALCON/SKISM Recently, I have been experimenting with a few new programming techniques that should be of great interest to the virus writing community. It is always our top priority to keep our code out of the hands of lamers in order to prevent the dreaded 'text change' and above all, to cause the anti-virus community as much grief as possible. In order to do this, we must put a great deal of effort into concealing our code. That is the focus of this article. This file is divided into two parts. The first part is devoted to developing 'debug resistant' code, and the second part deals with defeating disassem- blers. I will not cover encryption, because methods of encryption are commonly known and there is really not much further I can go with that. For a complete review of self encryption methods, take a look at Dark Angel's Funky Virus Writing Guide (number three, the one that hasn't been released yet.) Part_I: The debugger is NOT your friend The basic idea behind writing debug ressistant code is finding a way to make your code behave differently when it runs under a debugger. With a real mode debugger, this is simplicity itself. All that is necessary is a little knowledge of how a debugger works. A debugger, such as debug or TD traces through a program by setting handlers to int 1 and int 3. These are called after every instruction is executed. A virus that wishes to avoid being debugged can simply replace the handlers for these interrupts, and the results will be just about whatever you want. Here is some code to do this: eat_debug: push cs pop ds mov dx, offset eat_int mov ax,2501h int 21h mov al,03h int 21h ... ;rest of code eat_int: iret As you can see, this requires minimal space in your code, and is certainly worth the effort. You can experiment by placing something else at 'eat_int'. Another commonly used tactic is to disable the keyboard interrupt while certain parts of the code are being executed. This will surely keep lamers baffled, though a pro would recognize what was going on immediately. I am sure McAfee's programmer's scoff at code such as this. Also note that while this will defeat the average real mode debugger, any protected mode debugger will step through this as if it weren't there. Playing with interrupts will not help you when your program will be running in a virtual cpu anyway. One method I found which will work nicely against td386 is to throw in a hlt instruction. This will give TD an exception 13 error, and terminate the program. Anyone who is aware of this will just step over a hlt instruction, so therefore methods must be used to conceal its presence, or to make it a necessary part of the code. This will be covered in part II. Another trick you can play is to call int3 within your program. If someone tries to run your program under a debugger, it will stop each time int3 is called. It is possible to trace through it, but it will be annoying if there are many int3's thrown in. Part_2: Kill your disassembler No matter how well you mess up debuggers, your program is entirely at the mercy of a programmer armed with a good disassembler. Unless, of course, you use techniques that will confuse disassemblers. My favorite method for baffling them is to create code that overlaps. Overlapping code may seem a little bit too complicated for most of us at first, but with the knowledge of a few instruction hex translations, you too can make effective overlapping code without sacrificing too much code size. Overlapping code can get as complex as you would like, but this file will only deal with the simplest examples. eat_sr: mov ax,02EBh jmp $-2 ;huh? ... ;rest of code This may confuse you at first, but it is fairly simple. The first instruction moves a dummy value into ax. The second instruction jmps into the value that was just moved into ax. '02EB' translates into 'jmp $+2' (remember that words are stored in reverse). This jump goes past the first jmp, and continues on with the code. This will probably not be sufficient to defeat a good disassembler like Sourcer, but it does demonstrate the technique. The problem with this is that Sourcer may or may not just pick up the code after commenting out the 'jmp $-2'. It is difficult to predict how Sourcer will respond, and it usually depends on the bytes that appear directly after the jmp. To severely baffle Sourcer, it is necessary to do some stranger things. Take a look at this example. erp: mov ax,0FE05h jmp $-2h add ah,03Bh ... ;rest of code This code is quite a bit more useful than the previous listing. Let us simulate what would happen if we were to trace through this code, showing a hex dump at each step to clarify things. B8 05 FE EB FC 80 C4 3B mov ax,0FE05h ;ax=FE05h ^^ ^^ ^^ B8 05 FE EB FC 80 C4 3B jmp $-2 ;jmp into '05 FE' ^^ ^^ B8 05 FE EB FC 80 C4 3B add ax,0EBFEh ;05 is 'add ax' ^^ ^^ ^^ B8 05 FE EB FC 80 C4 3B cld ;a dummy instruction ^^ B8 05 FE EB FC 80 C4 3B add ah,3Bh ;ax=2503h ^^ ^^ ^^ The add ah,03Bh is there simply to put the value 2503h into ax. By adding five bytes (as opposed to simply using 'mov ax,2503h') this code will confuse disassemblers pretty well. Even if the instructions are disassembled properly, the value of ax will not be known, so every int call after this point will not be commented properly, as long as you never move a value into ax. You can conceal the value from the disassembler by using 'add ax' or 'sub ax' whenever possible. If you examine this closely, you can see that any value can be put into ax. Two of the values can be changed to whatever you want, namely the FE in the first line, and the 3B in the last line. It is helpful to debug through this chunk of code to determine what values should be placed here in order to make ax what you would like it to be. Back to the subject of killing debuggers, it is very sneaky to hide something like a hlt instruction inside another instruction, such as a jmp. For example, take a look at this: glurb: mov cx,09EBh mov ax,0FE05h ;-\ jmp $-2 ; >--this should look familiar to you add ah,03Bh ;-/ jmp $-10 ... ;rest of code The three lines in the middle are a repeat of the previous example. The important part of this code is the first line and the 'jmp $-10'. What happens is, the jmp goes back into the 'mov cx' instruction. The '09EB' translates into 'jmp $+9'. This lands in the '$-10' part of the first jmp. The $-10 just happens to be stored as 0F4h, the hlt instruction. By making the hlt part of another instruction, it is not visible when it is being traced through by td386. It is also not possible to remove it without altering the code. The purpose of this article is not to supply code to be thrown into your own programs. The purpose is to get you to think about new ways to avoid having your code looked at and modified by others. The most important thing is to be original. It is pointless for you to simply duplicate this code, because anyone else who has read this file will already know what you are trying to do. code ENDS END concealment +++++ 40Hex Number 6 Volume 2 Issue 2 File 003 Well, there have been plenty of busts in 1992 so here is the run down to the best of my knowledge for anyone who is interested: Asphi: Busted by MCI on January 20 for hacking on 476's. Had to pay $2700 for the phone calls he made. From what I found out MCI Wants to nail him to the wall. Charges include: Unlawful use of a computer, Credit Card Fraud, Theft of Services, Criminal Conspiracy and some more I can't think of, 10 or so total. And of course they took his system. He is going to have a trial, but a date has not yet been set. Axiom Codex: Billed $2000 for equal access codes. Cold Steel: Billed $40.00 for 476's Count Zero: Yet another that got nailed for 476's. Billed $86.63 and had to tell his parents. Deathblade: Billed $100 for 476's. Dekion: Also nailed for 476's. Not sure if he will be charged. Billed somewhere between $100 - $1000. Genghas Khan: Nailed for CBI and for 733's. Not sure about what will happen to him, but I heared from his friend that he is really screwed. Instigator: I got nailed in the 476 ring too. They took my system but gave it back. I got billed for $1970.17. I got charged with 1 count of Theft of services. They dropped the other 8 charges. I am going to be on informal probation for a short period. Marauder: Raided last year by GBI, they took his computer equipment and never gave it back. They finally decided to charge him with some misdemeanors. Netrunner: Billed $100 for 476's. Terminal: Arrested same time as Genghas Kahnvict. He is NOT a minor... VenoM: 476's again. Billed $75.00 and had to tell his parents. *** AND the LAMEST bust of the month award goes to: DecimatoR - for sitting in his car along a main road while using the beige box! He ran up a wopping $0.81 phone bill before the cop came by and asked him if he was having car trouble and saw the wires running from the car into the telephone pole. He was arrested, then released. No charges have been filed.... yet! *** AND the second LAMEST bust of the month award goes to: Hot Rize - for wizely running his neighbors phone line into his own house. No one would notice that one, eh? We also recieved confirmed reports that he is a dweeb. --------------------------------------------------------------------------- All 4 PHALCON/SKISM joints went down between January and March. The Landfill for security reasons, Digital Warfare because of me getting busted, PHUN LINE for security reasons, and USSR because Time Lord may be getting busted. Digital Warfare went back up though, with DecimatoR as sysop. ** Apparently the head of the 476 operations is Terry Oakes. He is the phone Fraud investigator in charge of the TeleConnect Investigations. Give him a ring at 800-476-1234 Ext. 3045. Thank you. ** References to 476's are refering to 800-476-9696 owned by Teleconnect, a subsidary of MCI. (6 Digit Calling Cards - Get a LAMER to hack 'em) ** Make sure you change your passwords if you use the same one on Digital Warfare as you do on other boards. They have the OLD user list. ** Additions to the list will be on a first busted first added basis. -Instigator +++++ 40Hex Number 6 Volume 2 Issue 2 File 004 NOLITE v1.0 By DecimatoR of PHALCON/SKISM PD War Collection Program 1 This program will remove the PKLITE header from .EXE and .COM for two reasons. A) To make the file un-decompressable, which dosen't mean much if you have the registered version of PKLITE. B) More importantly, makes the PKLITEd file unscannable to virus scanners, such as McAfees' Virus Scan etc... Does this by overwriting the header with random text from memory. Parameters are simple: NOLITE filename.ext (Extension MUST be included!) Will remove the header from PKLITEd files. It will not remove the header if it is not a genuine PKLITE file. Note: This program is based on PKSMASH, which was written by Hellraiser. Unfortunately, a bug surfaced in that program, which caused it to lock up sometimes. So I wrote this to replace PKSMASH, and stole HR's dox. ---DecimatoR Cut out the following code, call it NOLITE.HEX, then DEBUG < NOLITE.HEX ----------- Rip here --------- Slice here --------- Mince Here ---------- n nolite.com e 0100 4D 5A 53 00 03 00 00 00 09 00 FB 00 FF FF 46 00 e 0110 00 04 00 00 00 01 F0 FF 50 00 00 00 03 01 9A 07 e 0120 8A 15 20 83 C4 06 B8 0D 00 50 B8 01 00 50 9A 2F e 0130 89 15 20 83 C4 04 C7 06 38 6B 00 00 8B E5 5D C3 e 0140 55 8B EC 83 EC 02 FF 36 16 35 E8 C4 19 83 C4 00 e 0150 7A 01 03 00 01 00 20 00 09 00 FF FF 00 00 00 00 e 0160 00 00 00 01 00 00 3E 00 00 00 01 00 FB 30 6A 72 e 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0190 B8 38 01 BA 3D 00 8C DB 03 D8 3B 1E 02 00 73 1D e 01A0 83 EB 20 FA 8E D3 BC 00 02 FB 83 EB 19 8E C3 53 e 01B0 B9 C3 00 33 FF 57 BE 48 01 FC F3 A5 CB B4 09 BA e 01C0 36 01 CD 21 CD 20 4E 6F 74 20 65 6E 6F 75 67 68 e 01D0 20 6D 65 6D 6F 72 79 24 FD 8C DB 53 83 C3 2D 03 e 01E0 DA BE FE FF 8B FE 8C CD 8B C5 2B EA 8B CA D1 E1 e 01F0 D1 E1 D1 E1 80 EC 10 80 EF 10 8E C0 8E DB F3 A5 e 0200 FC 8E DD 07 06 BF 00 01 33 F6 AD 95 BA 10 00 EB e 0210 2C 90 AD 95 B2 10 EB 35 AD 95 B2 10 EB 36 AD 95 e 0220 B2 10 EB 3B AD 95 B2 10 EB 5D AD 95 B2 10 EB 5E e 0230 AD 95 B2 10 EB 5F AD 95 B2 10 72 08 A4 D1 ED 4A e 0240 74 F4 73 F8 33 C9 33 DB D1 ED 4A 74 C5 D1 D3 D1 e 0250 ED 4A 74 C4 D1 D3 85 DB 74 17 D1 ED 4A 74 BF D1 e 0260 D3 80 FB 06 72 0B D1 ED 4A 75 04 AD 95 B2 10 D1 e 0270 D3 2E 8A 8F 5E 01 80 F9 0A 74 74 33 DB 83 F9 02 e 0280 74 2A D1 ED 4A 74 9D 72 23 D1 ED 4A 74 9C D1 D3 e 0290 D1 ED 4A 74 9B D1 D3 D1 ED 4A 75 04 AD 95 B2 10 e 02A0 D1 D3 80 FB 02 73 15 2E 8A BF 6E 01 AC 8A D8 56 e 02B0 8B F7 2B F3 FA F3 26 A4 FB 5E EB 81 D1 ED 4A 75 e 02C0 04 AD 95 B2 10 D1 D3 80 FB 08 72 DB D1 ED 4A 75 e 02D0 04 AD 95 B2 10 D1 D3 80 FB 17 72 CB D1 ED 4A 75 e 02E0 04 AD 95 B2 10 D1 D3 81 E3 DF 00 86 DF EB BD AC e 02F0 02 C8 80 D5 00 3C FF 75 82 5B 8B EB 83 C3 10 33 e 0300 C0 AC 91 E3 0E AD 03 C3 8E C0 AD 97 26 01 1D E2 e 0310 F9 EB EC AD 03 C3 FA 8E D0 AD 8B E0 FB AD 03 D8 e 0320 53 AD 50 8E C5 8E DD 33 C0 8B D8 8B C8 8B D0 8B e 0330 E8 8B F0 8B F8 CB 03 00 02 0A 04 05 00 00 00 00 e 0340 00 00 06 07 08 09 01 02 00 00 03 04 05 06 00 00 e 0350 00 00 00 00 00 00 07 08 09 0A 0B 0C 0D 00 00 00 e 0360 3A 00 00 F5 01 B8 23 00 8E C0 E8 CF 00 E8 00 00 e 0370 C7 00 83 FA 01 B4 09 BA 5C 00 CD 21 74 0A BA 87 e 0380 55 00 00 0C 09 E9 07 01 33 C9 E8 E7 40 01 00 8B e 0390 D7 B0 02 B4 3D 10 73 03 E9 EE 00 28 40 A3 0C 00 e 03A0 B9 39 51 59 41 83 F9 64 75 39 15 2A CB 2A DD 12 e 03B0 8B 09 A5 1E 1A 01 00 BA 0E 12 3F 28 50 12 80 3E e 03C0 08 50 75 D9 B9 0B B6 52 11 0F 11 BE 07 BF 49 81 e 03D0 38 10 F3 A6 3A 00 74 0C 5A 52 52 8A 5C B0 1A 42 e 03E0 1A EB B3 A2 6A 0A 33 D2 0A 0E 16 95 43 10 59 49 e 03F0 30 27 5B 35 0D B4 40 58 31 91 24 0F 16 5A 0F 72 e 0400 6E A5 1F 35 49 01 09 16 B4 3E 3D 00 40 64 90 8A e 0410 04 3C 20 74 06 3C 09 74 02 3C 0D C3 01 40 27 4A e 0420 01 C3 32 ED 8A 0E 80 00 41 BE 81 01 00 73 4C 01 e 0430 E8 DE FF 75 03 46 E2 F8 51 E3 03 00 A4 FC F3 A4 e 0440 06 1F 59 33 DB E3 0F BE 18 C6 02 85 18 04 C6 04 e 0450 00 43 1C F4 89 1E 29 A1 36 C0 2E E3 0C 3B 0E 00 e 0460 B0 0C 73 06 FC AE 75 FD E2 FB C3 BA FD 21 01 E0 e 0470 B4 4C A0 0B 7E 00 4B 4C 49 54 45 A0 01 20 43 6F e 0480 70 72 2E 47 8B 0D 0A 36 00 4E 4F 5F 28 63 29 20 e 0490 31 39 39 32 20 00 00 44 65 63 69 6D 61 74 6F 52 e 04A0 20 50 48 41 4C 43 4F 00 00 4E 2F 53 4B 49 53 4D e 04B0 0D 24 0A 20 20 52 65 6D 6F 70 42 76 65 73 20 50 e 04C0 93 73 69 67 6E 01 14 2A 75 72 65 20 66 72 6F 6D e 04D0 05 69 A5 0A 6C 1C 2E 52 28 55 73 DC 66 65 3A 20 e 04E0 59 3C 17 A1 4C 27 6D 65 3E 1A 24 1D 3A 05 4E 6F e 04F0 08 40 77 61 55 66 6F 75 00 00 6E 64 20 2D 20 6E e 0500 6F 74 68 69 6E 67 20 64 6F 6E 36 25 65 07 32 45 e 0510 72 5F 72 4B A1 1A 2C 74 81 70 74 20 A0 E0 28 73 e 0520 75 63 63 6C 73 66 75 6C 74 7A 22 53 10 21 AB A4 e 0530 5A 40 4E 72 C6 69 AA 52 44 48 19 74 A0 01 40 79 e 0540 65 64 21 24 FF 01 00 00 01 01 00 00 00 00 00 00 e 0550 00 00 01 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A rcx 055F w q ----------- Rip here --------- Slice here --------- Mince Here -------- ------------------------------ End of Chaos Digest #1.48 ************************************ Downloaded From P-80 International Information Systems 304-744-2253