148 lines
13 KiB
Plaintext
148 lines
13 KiB
Plaintext
|
|
rule TrojanDropper_Win32_Sirefef_gen_B{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {c7 45 bc 94 07 00 00 8b 45 e4 8b 4d 08 03 0c b8 89 4d ec 8b 45 ec } //01 00
|
|
$a_03_1 = {8b 4d b8 8b 55 bc 33 c0 81 c7 90 01 04 83 d0 ff 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule TrojanDropper_Win32_Sirefef_gen_B_2{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {00 00 72 00 66 00 69 00 65 00 75 00 74 00 69 00 66 00 64 00 6a 00 6c 00 67 00 66 00 6a 00 64 00 6c 00 67 00 00 00 } //01 00
|
|
$a_03_1 = {ff d7 85 c0 0f 84 90 01 04 46 81 fe 03 04 00 00 72 e8 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule TrojanDropper_Win32_Sirefef_gen_B_3{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 0c 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {81 c1 5a 02 00 00 81 d2 10 54 00 00 33 c1 8b ce 33 ca } //01 00
|
|
$a_01_1 = {8b 84 30 7c a2 e7 ff 8d 84 08 89 9e ff ff 8b 4d 08 03 c8 } //01 00
|
|
$a_01_2 = {8b 45 e4 8b 4d e4 33 c7 c1 e8 02 f7 d1 c1 e1 1e 0b c1 89 45 ac } //01 00
|
|
$a_01_3 = {8b 45 e8 8b 4d e8 33 c7 c1 e8 02 c1 e1 1e c1 e2 1e 0b c8 89 4d 98 8d 9d 64 ff ff ff c7 45 ec 05 00 00 00 ff 73 04 } //01 00
|
|
$a_01_4 = {b9 6b 77 00 00 66 03 c1 0f b7 4d f4 0f af c1 66 89 45 f4 b8 3a 59 00 00 66 89 45 f8 } //01 00
|
|
$a_01_5 = {8b 4d 14 0f ac c8 02 c1 e9 02 8b 4d 10 8b 55 14 33 c6 33 d2 0b c2 } //01 00
|
|
$a_01_6 = {c1 e9 02 8b 4d d0 8b 55 d4 c1 e1 1e 8b 4d ec 33 c7 33 d2 0b c2 8a 0c 08 } //01 00
|
|
$a_01_7 = {8b 45 08 c1 e1 1e 8b 4d 0c 0f ac c8 02 c1 e9 02 8b 4d 08 8b 55 0c 33 c6 33 d2 0b c2 03 c7 } //01 00
|
|
$a_01_8 = {c1 e2 1e c1 e8 02 0b d0 8d 04 d5 78 00 00 00 8b 55 0c 8b 04 02 89 45 0c 8b 45 f0 8b 55 f4 0f ac d0 02 c1 ea 02 } //01 00
|
|
$a_03_9 = {8b 40 3c 8b 09 8d 44 01 28 8b 00 01 45 f8 8b 45 0c 89 45 0c 8b 45 f0 8b 4d f4 0f ac c8 90 01 01 c1 e9 90 00 } //01 00
|
|
$a_01_10 = {8b 75 14 8b 06 99 8b 06 8b ca 99 0f a4 c2 04 c1 e0 04 c1 e9 1c 8b f0 0b f1 33 c0 0b d0 8b c6 8b ca 8b 55 f0 8b 75 f4 } //01 00
|
|
$a_01_11 = {8b 0e 8b 56 04 0f ac d1 04 89 4d 0c 8b 0e 31 45 0c c1 e1 1c 33 c9 0b 4d 0c c1 ea 04 8b 56 04 89 4d 08 8b 4d 10 8b 55 14 0f ac d1 04 89 4d 0c 8b 4d 10 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule TrojanDropper_Win32_Sirefef_gen_B_4{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 39 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {33 d2 81 c1 90 01 01 db fe ff 83 d2 ff b8 90 01 01 21 01 00 33 c8 89 4c 24 20 83 f2 00 89 54 24 24 c7 44 24 18 2f fa ff ff c7 44 24 1c ff ff ff ff 90 02 08 8b 54 24 18 8b 7c 24 1c 8b 4c 24 20 8b 74 24 24 3b ca 0f 85 90 01 01 00 00 00 90 00 } //01 00
|
|
$a_03_1 = {e9 d9 00 00 00 0f b6 00 c7 05 90 01 04 d7 42 00 00 3b f0 8b 45 fc 0f 86 2a 00 00 00 8b 00 8b 55 fc 8b ce c1 e9 08 85 c9 0f 85 04 00 00 00 90 00 } //01 00
|
|
$a_01_2 = {c7 44 24 0c e8 fc ff ff 8b 44 24 0c bb 93 12 00 00 33 c3 bf 95 11 00 00 03 c7 0f 84 39 00 00 00 } //01 00
|
|
$a_01_3 = {0f a4 c2 02 8b ca 33 d2 0b ca 8b 16 8b 7e 04 c1 e0 02 0b 45 10 33 f9 33 d0 81 f2 e6 2d 4e 24 81 f7 8c d5 ab dc 89 16 89 7e 04 } //01 00
|
|
$a_01_4 = {c7 45 f8 5c 14 00 00 c7 45 fc 0e 3f 00 00 c7 45 e4 26 4a 00 00 c7 45 e8 6f 56 00 00 c7 45 ec 50 49 00 00 } //01 00
|
|
$a_01_5 = {c7 45 dc de 08 00 00 c7 45 e0 70 3d 00 00 c7 45 e4 98 1c 00 00 8b 45 e4 ba 9c ef ff ff 2b d0 8b 45 e0 81 e2 82 34 00 00 0b d0 8b c1 2b c2 8b 55 dc 2b c2 } //01 00
|
|
$a_01_6 = {c7 45 f4 6d 4a 00 00 c7 45 f8 a8 0c 00 00 89 75 c8 c7 45 dc cf 59 00 00 c7 45 e8 2a 20 00 00 } //01 00
|
|
$a_03_7 = {c7 44 24 0c 90 01 01 f9 ff ff bb 90 01 01 3c 02 00 bf 90 01 01 3a 02 00 e9 90 01 01 00 00 00 8b 44 24 0c 33 c3 03 c7 90 00 } //01 00
|
|
$a_01_8 = {83 ec 44 c7 45 e0 a8 46 00 00 c7 45 e4 cd 63 00 00 c7 45 e8 7c 60 00 00 c7 45 d4 b0 54 00 00 c7 45 d8 37 65 00 00 c7 45 dc d9 72 00 00 } //01 00
|
|
$a_01_9 = {c7 45 d8 37 65 00 00 c7 45 dc d9 72 00 00 c7 45 ec 69 46 00 00 c7 45 f0 10 7a 00 00 c7 45 f4 b2 51 00 00 } //01 00
|
|
$a_03_10 = {32 22 00 00 8b 45 fc 81 05 90 01 04 88 05 00 00 25 ff 00 00 00 c7 05 90 01 04 a7 2e 00 00 3b d0 90 09 06 00 81 0d 90 00 } //01 00
|
|
$a_01_11 = {c7 45 f0 dc 3e 00 00 c7 45 f4 6d 0e 00 00 c7 45 fc e0 0f 00 00 c7 45 f8 98 71 00 00 c7 45 dc 72 16 00 00 } //01 00
|
|
$a_01_12 = {c7 45 c8 fe 32 00 00 c7 45 cc 3d 00 00 00 c7 45 d0 79 7e 00 00 c7 45 d4 6c 68 00 00 c7 45 d8 b1 66 00 00 } //01 00
|
|
$a_00_13 = {c7 45 f8 98 71 00 00 c7 45 dc 72 16 00 00 c7 45 e0 74 1c 00 00 c7 45 e4 a9 58 00 00 c7 45 e8 60 4f 00 00 } //01 00
|
|
$a_01_14 = {c7 45 e4 c1 26 00 00 c7 45 e8 f8 44 00 00 c7 45 d4 37 08 00 00 c7 45 d8 9d 0d 00 00 c7 45 d0 20 6b 00 00 } //01 00
|
|
$a_03_15 = {8b 55 f4 b9 90 01 01 03 00 00 66 33 4c 82 02 ba 90 01 01 03 00 00 90 03 06 03 e9 90 16 66 03 ca 66 03 ca 90 03 06 03 e9 90 16 0f b7 c9 0f b7 c9 89 4d d0 8b 4d f4 0f b7 0c 81 90 03 0b 08 e9 90 16 81 f1 90 01 01 03 00 00 81 f1 90 01 01 03 00 00 03 ca 8b 55 d0 90 00 } //01 00
|
|
$a_03_16 = {c7 44 24 20 33 22 34 ff c7 44 24 24 ff ff ff ff c7 44 24 28 90 01 01 22 34 ff c7 44 24 2c ff ff ff ff c7 44 24 30 33 23 34 ff 90 09 07 00 33 c0 e9 90 00 } //01 00
|
|
$a_03_17 = {c7 44 24 18 90 17 03 01 01 01 23 33 3b 22 90 03 01 01 34 14 ff c7 44 24 1c ff ff ff ff c7 44 24 90 01 02 22 90 03 01 01 34 14 ff c7 44 24 90 01 01 ff ff ff ff c7 44 24 90 01 01 90 17 03 01 01 01 23 33 3b 23 90 03 01 01 34 14 ff 90 00 } //01 00
|
|
$a_03_18 = {c7 44 24 24 ff ff ff ff 8b 4c 24 20 8b 44 24 24 bf 90 01 01 8a 89 00 33 cf 33 c3 be 90 01 01 57 a2 00 03 ce 90 00 } //01 00
|
|
$a_03_19 = {c7 44 24 2c ff ff ff ff 8b 4c 24 28 8b 44 24 2c bf 90 01 01 8a 89 00 33 cf 33 c3 33 d2 be 90 01 01 57 a2 00 03 ce 13 c3 90 00 } //01 00
|
|
$a_03_20 = {8b 45 fc 2b c1 8b 4d f8 69 c0 40 48 00 00 f7 f1 90 03 06 03 e9 90 16 8b 4d 08 8b 4d 08 c1 e6 06 90 03 0a 07 e9 90 16 8b 8c 0e bc 16 e9 ff 8b 8c 0e bc 16 e9 ff 33 d2 8d 84 01 5a a4 ff ff 8b 4d 08 03 c8 90 03 06 03 e9 90 16 89 4d 08 89 4d 08 90 00 } //01 00
|
|
$a_03_21 = {8b 45 08 a3 90 01 04 8b 45 0c a3 90 01 04 8d 45 04 89 44 24 90 03 01 01 10 18 8b 44 24 90 03 01 01 18 20 8b 4c 24 90 03 01 01 1c 24 90 03 01 01 35 bb 90 01 01 8a 89 00 90 02 02 05 90 01 01 57 a2 00 89 44 24 90 03 01 01 14 20 90 00 } //01 00
|
|
$a_03_22 = {8b 45 08 a3 90 01 04 8b 45 0c a3 90 01 04 8d 45 04 89 45 fc 8b 45 f0 8b 4d f4 35 90 01 01 8a 89 00 05 90 01 01 57 a2 00 89 45 f8 90 00 } //01 00
|
|
$a_03_23 = {8d 45 04 89 44 24 18 8b 44 24 10 8b 4c 24 14 35 90 01 01 8a 89 00 05 90 01 01 57 a2 00 89 44 24 10 c7 44 24 10 90 01 04 8b 45 10 89 44 24 10 90 00 } //01 00
|
|
$a_03_24 = {8b 55 08 89 15 90 01 04 8b 55 0c 89 15 90 01 04 8d 55 04 89 54 24 90 03 01 01 18 20 8b 54 24 90 03 01 01 10 18 8b 74 24 90 03 01 01 14 1c 81 f2 90 01 01 a3 91 00 81 c2 90 01 01 67 b2 00 89 54 24 90 03 01 01 10 18 90 00 } //01 00
|
|
$a_03_25 = {8b 45 08 a3 90 01 04 8b 45 0c a3 90 01 04 8d 45 04 89 44 24 90 01 01 8b 44 24 90 01 01 8b 4c 24 90 01 01 90 03 0e 12 35 90 01 01 a3 91 00 05 90 01 01 67 b2 00 be 90 01 01 a3 91 00 33 c6 05 90 01 01 67 b2 00 33 ff 89 44 24 90 00 } //01 00
|
|
$a_03_26 = {89 01 66 8b 00 66 89 45 14 66 8b 45 14 bb 90 01 01 90 03 01 01 56 75 00 00 66 90 03 01 01 03 2b c3 bb 90 01 01 90 03 01 01 7b 89 00 00 66 33 c3 66 8b 1d 90 01 04 66 3b c3 90 00 } //01 00
|
|
$a_01_27 = {0f b7 45 e8 66 2b c1 b9 3e 50 00 00 35 28 07 00 00 0d 41 68 00 00 66 89 45 f0 } //01 00
|
|
$a_03_28 = {89 01 66 8b 00 66 89 45 14 66 8b 45 14 bb 4e 06 00 00 66 2b c3 83 c3 69 66 33 c3 66 8b 1d 90 01 04 66 3b c3 90 00 } //01 00
|
|
$a_03_29 = {0f 85 3b 00 00 00 ff 75 f0 ff 75 0c e8 90 01 04 89 45 e4 8b 45 e4 85 c0 0f 84 15 00 00 00 8b 45 e0 0f b7 04 70 8b 4d dc 8b 04 81 89 45 ec e9 aa ff ff ff 46 e9 90 01 01 ff ff ff 33 c0 90 00 } //01 00
|
|
$a_03_30 = {2d 7d 3b df 71 89 45 fc 8b 45 f8 8b 15 90 01 04 05 a5 0e 00 00 d1 e8 d1 ea 32 c2 02 45 0c 8b 55 fc 04 47 88 04 32 90 00 } //01 00
|
|
$a_03_31 = {8b 45 f8 3b c6 c7 05 90 01 04 55 1a 00 00 0f 82 26 ff ff ff 5b e9 b5 00 00 00 c7 05 90 01 04 00 5e 00 00 0f b6 00 90 00 } //01 00
|
|
$a_03_32 = {33 cf 8b 7d 90 01 01 33 c6 03 c2 8b 55 90 01 01 13 cf 8b 7d 90 01 01 03 c2 13 cf 89 45 90 01 01 89 4d 90 01 01 bf 1e 01 00 00 90 00 } //01 00
|
|
$a_01_33 = {c7 45 f4 78 4e 00 00 c7 45 f8 01 00 00 00 c7 45 e8 d3 71 00 00 c7 45 ec 6c 49 00 00 } //01 00
|
|
$a_01_34 = {35 d4 22 00 00 0b c1 89 45 f8 b8 84 4e 00 00 66 89 45 fc 66 8b 45 fc } //01 00
|
|
$a_01_35 = {66 37 35 54 34 50 57 4f 6f 5d 60 6d 3d 3f 70 48 85 53 60 4d 5b 58 4e 6b 5a 5c 6b 5e 86 50 67 8c } //01 00
|
|
$a_01_36 = {c7 45 f8 2a 0c 00 00 c7 45 fc 63 3a 00 00 c7 45 e0 ac 10 00 00 c7 45 e8 05 00 00 00 } //01 00
|
|
$a_03_37 = {83 f1 00 33 c6 ba 90 01 01 a0 68 00 03 c2 83 d1 00 89 8d 90 01 01 ff ff ff 90 00 } //01 00
|
|
$a_01_38 = {83 ec 14 c7 45 f4 a5 32 00 00 c7 45 f8 16 4d 00 00 c7 45 fc 16 2e 00 00 } //01 00
|
|
$a_01_39 = {c7 45 fc 38 5b 00 00 c7 45 e4 e2 29 00 00 c7 45 e8 90 13 00 00 } //01 00
|
|
$a_01_40 = {c7 45 dc c2 16 00 00 c7 45 e8 db 70 00 00 c7 45 f8 77 3b 00 00 } //01 00
|
|
$a_01_41 = {c7 45 ec b9 27 00 00 c7 45 f4 00 0b 00 00 c7 45 f0 fa 1e 00 00 } //01 00
|
|
$a_01_42 = {c7 45 f4 71 2c 00 00 c7 45 fc 3a 5e 00 00 c7 45 f0 e2 30 00 00 } //01 00
|
|
$a_01_43 = {c7 45 f0 07 5b 00 00 c7 45 f4 ef 1c 00 00 c7 45 e8 7b 57 00 00 } //01 00
|
|
$a_01_44 = {c7 45 e8 f6 1d 00 00 c7 45 ec c3 6f 00 00 c7 45 f0 d4 1e 00 00 } //01 00
|
|
$a_01_45 = {c7 45 f4 a8 35 00 00 c7 45 f8 21 5c 00 00 c7 45 fc a5 61 00 00 } //01 00
|
|
$a_01_46 = {c7 45 f8 42 4f 00 00 c7 45 fc 6e 69 00 00 c7 45 f0 31 00 00 00 } //01 00
|
|
$a_01_47 = {c7 45 fc 3c 7e 00 00 c7 45 f0 e0 12 00 00 c7 45 f4 51 0d 00 00 } //01 00
|
|
$a_01_48 = {4a 11 00 00 da 01 1e 70 3c 00 54 5f 27 73 07 46 4a 7d 0a 77 } //01 00
|
|
$a_01_49 = {d9 54 fb 54 17 71 6e 03 d3 23 12 5a fe 57 70 07 ec 1b 5e } //01 00
|
|
$a_01_50 = {55 90 f1 86 f1 dc 05 05 05 58 56 5c cc 4a fd 2c 9f f6 04 } //01 00
|
|
$a_01_51 = {cd 0b 1e ab 56 e6 f1 9a a1 25 ce f5 ce ae 66 aa 29 66 32 } //01 00
|
|
$a_01_52 = {d7 ff 98 ff 2d fc 9b ff 05 fc 96 ff d0 ff 91 ff 34 fc ec ff } //01 00
|
|
$a_01_53 = {47 75 27 7e 86 34 67 98 47 05 44 58 42 65 56 87 } //01 00
|
|
$a_01_54 = {0b 06 1b e2 91 5d fc 93 65 24 93 23 3b e7 7d 0f 3b 07 43 7d fc 7c } //01 00
|
|
$a_01_55 = {55 93 f4 89 f4 e4 08 00 08 5b 5e 5f cf 4d f8 07 b3 be 07 cf 4d fc } //01 00
|
|
$a_01_56 = {01 08 08 93 11 95 84 01 20 93 4d 10 93 55 08 93 88 9c 09 08 08 8b } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule TrojanDropper_Win32_Sirefef_gen_B_5{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_ARHSTR_EXT,02 00 02 00 0a 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {81 c1 5a 02 00 00 81 d2 10 54 00 00 33 c1 8b ce 33 ca } //01 00
|
|
$a_01_1 = {8b 84 30 7c a2 e7 ff 8d 84 08 89 9e ff ff 8b 4d 08 03 c8 } //01 00
|
|
$a_01_2 = {8b 45 e4 8b 4d e4 33 c7 c1 e8 02 f7 d1 c1 e1 1e 0b c1 89 45 ac } //01 00
|
|
$a_01_3 = {8b 45 e8 8b 4d e8 33 c7 c1 e8 02 c1 e1 1e c1 e2 1e 0b c8 89 4d 98 8d 9d 64 ff ff ff c7 45 ec 05 00 00 00 ff 73 04 } //01 00
|
|
$a_01_4 = {b9 6b 77 00 00 66 03 c1 0f b7 4d f4 0f af c1 66 89 45 f4 b8 3a 59 00 00 66 89 45 f8 } //01 00
|
|
$a_01_5 = {8b 4d 14 0f ac c8 02 c1 e9 02 8b 4d 10 8b 55 14 33 c6 33 d2 0b c2 } //01 00
|
|
$a_01_6 = {c1 e9 02 8b 4d d0 8b 55 d4 c1 e1 1e 8b 4d ec 33 c7 33 d2 0b c2 8a 0c 08 } //01 00
|
|
$a_01_7 = {8b 45 08 c1 e1 1e 8b 4d 0c 0f ac c8 02 c1 e9 02 8b 4d 08 8b 55 0c 33 c6 33 d2 0b c2 03 c7 } //01 00
|
|
$a_01_8 = {c1 e2 1e c1 e8 02 0b d0 8d 04 d5 78 00 00 00 8b 55 0c 8b 04 02 89 45 0c 8b 45 f0 8b 55 f4 0f ac d0 02 c1 ea 02 } //01 00
|
|
$a_01_9 = {8b 00 8b 89 a4 01 00 00 8b 40 3c 8b 09 8d 44 01 28 8b 00 01 45 f8 8b 45 0c 89 45 0c 8b 45 f0 8b 4d f4 0f ac c8 02 c1 e9 02 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
}
|
|
rule TrojanDropper_Win32_Sirefef_gen_B_6{
|
|
meta:
|
|
description = "TrojanDropper:Win32/Sirefef.gen!B,SIGNATURE_TYPE_ARHSTR_EXT,01 00 01 00 0a 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {33 d2 81 c1 90 01 01 db fe ff 83 d2 ff b8 90 01 01 21 01 00 33 c8 89 4c 24 20 83 f2 00 89 54 24 24 c7 44 24 18 2f fa ff ff c7 44 24 1c ff ff ff ff 90 02 08 8b 54 24 18 8b 7c 24 1c 8b 4c 24 20 8b 74 24 24 3b ca 0f 85 90 01 01 00 00 00 90 00 } //01 00
|
|
$a_03_1 = {e9 d9 00 00 00 0f b6 00 c7 05 90 01 04 d7 42 00 00 3b f0 8b 45 fc 0f 86 2a 00 00 00 8b 00 8b 55 fc 8b ce c1 e9 08 85 c9 0f 85 04 00 00 00 90 00 } //01 00
|
|
$a_01_2 = {c7 44 24 0c e8 fc ff ff 8b 44 24 0c bb 93 12 00 00 33 c3 bf 95 11 00 00 03 c7 0f 84 39 00 00 00 } //01 00
|
|
$a_01_3 = {0f a4 c2 02 8b ca 33 d2 0b ca 8b 16 8b 7e 04 c1 e0 02 0b 45 10 33 f9 33 d0 81 f2 e6 2d 4e 24 81 f7 8c d5 ab dc 89 16 89 7e 04 } //01 00
|
|
$a_01_4 = {c7 45 f8 5c 14 00 00 c7 45 fc 0e 3f 00 00 c7 45 e4 26 4a 00 00 c7 45 e8 6f 56 00 00 c7 45 ec 50 49 00 00 } //01 00
|
|
$a_01_5 = {c7 45 dc de 08 00 00 c7 45 e0 70 3d 00 00 c7 45 e4 98 1c 00 00 8b 45 e4 ba 9c ef ff ff 2b d0 8b 45 e0 81 e2 82 34 00 00 0b d0 8b c1 2b c2 8b 55 dc 2b c2 } //01 00
|
|
$a_01_6 = {c7 45 f4 6d 4a 00 00 c7 45 f8 a8 0c 00 00 89 75 c8 c7 45 dc cf 59 00 00 c7 45 e8 2a 20 00 00 } //01 00
|
|
$a_03_7 = {c7 44 24 0c 90 01 01 f9 ff ff bb 90 01 01 3c 02 00 bf 90 01 01 3a 02 00 e9 90 01 01 00 00 00 8b 44 24 0c 33 c3 03 c7 90 00 } //01 00
|
|
$a_01_8 = {83 ec 44 c7 45 e0 a8 46 00 00 c7 45 e4 cd 63 00 00 c7 45 e8 7c 60 00 00 c7 45 d4 b0 54 00 00 c7 45 d8 37 65 00 00 c7 45 dc d9 72 00 00 } //01 00
|
|
$a_01_9 = {c7 45 d8 37 65 00 00 c7 45 dc d9 72 00 00 c7 45 ec 69 46 00 00 c7 45 f0 10 7a 00 00 c7 45 f4 b2 51 00 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |